1e8f4350a04074978a7075ce6f6da54aae063dee96273b9817b6eefa9dc33bab

Analysis

max time kernel
146s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
19/04/2023, 08:22

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

1e8f4350a04074978a7075ce6f6da54aae063dee96273b9817b6eefa9dc33bab.exe
Size

827KB
MD5

87e925ed06e6a5d7d749dc60426213be
SHA1

6ce1307d0c51afdbab78ddce983cbcf47fe0b123
SHA256

1e8f4350a04074978a7075ce6f6da54aae063dee96273b9817b6eefa9dc33bab
SHA512

545e4b469720d0d22e1501d35b7dc1b0163cc2c15143f2d8baa048a085b0b2c34649e7cb118a3f57062dad10c87bc4fa8dfcd8ebab8ceff887e272d9518fa706
SSDEEP

12288:Fy905QbTyUkNpa+Hg+mqmpKYpXR37UEbFHwhGd7sayOr9WUL54E:FyqQbT1kjG+XERrBbKazHl4E

Score

10^/10

discovery evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	it613455.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	it613455.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	it613455.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	it613455.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	it613455.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	it613455.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	lr277244.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	oneetx.exe

Executes dropped EXE 9 IoCs

pid	Process
4232	ziQC4119.exe
1508	zisu0856.exe
1464	it613455.exe
4944	jr027047.exe
2912	kp905509.exe
3992	lr277244.exe
2336	oneetx.exe
4428	oneetx.exe
3824	oneetx.exe

Loads dropped DLL 1 IoCs

pid	Process
5036	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	it613455.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	ziQC4119.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zisu0856.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	zisu0856.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	1e8f4350a04074978a7075ce6f6da54aae063dee96273b9817b6eefa9dc33bab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	1e8f4350a04074978a7075ce6f6da54aae063dee96273b9817b6eefa9dc33bab.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ziQC4119.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 31 IoCs

pid	pid_target	Process	procid_target
1500	4944	WerFault.exe	91
4408	3992	WerFault.exe	96
4456	3992	WerFault.exe	96
3168	3992	WerFault.exe	96
3496	3992	WerFault.exe	96
1844	3992	WerFault.exe	96
5016	3992	WerFault.exe	96
4432	3992	WerFault.exe	96
4804	3992	WerFault.exe	96
1016	3992	WerFault.exe	96
4632	3992	WerFault.exe	96
1652	2336	WerFault.exe	116
2604	2336	WerFault.exe	116
1664	2336	WerFault.exe	116
4340	2336	WerFault.exe	116
4900	2336	WerFault.exe	116
1908	2336	WerFault.exe	116
2972	2336	WerFault.exe	116
4720	2336	WerFault.exe	116
1076	2336	WerFault.exe	116
4584	2336	WerFault.exe	116
1492	2336	WerFault.exe	116
2036	2336	WerFault.exe	116
1508	2336	WerFault.exe	116
2092	2336	WerFault.exe	116
2392	2336	WerFault.exe	116
3392	4428	WerFault.exe	159
4000	2336	WerFault.exe	116
4200	2336	WerFault.exe	116
4804	2336	WerFault.exe	116
4076	3824	WerFault.exe	169

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1348	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1464	it613455.exe
1464	it613455.exe
4944	jr027047.exe
4944	jr027047.exe
2912	kp905509.exe
2912	kp905509.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1464	it613455.exe
Token: SeDebugPrivilege	4944	jr027047.exe
Token: SeDebugPrivilege	2912	kp905509.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3992	lr277244.exe

Suspicious use of WriteProcessMemory 47 IoCs

description	pid	Process	procid_target
PID 2028 wrote to memory of 4232	2028	1e8f4350a04074978a7075ce6f6da54aae063dee96273b9817b6eefa9dc33bab.exe	82
PID 2028 wrote to memory of 4232	2028	1e8f4350a04074978a7075ce6f6da54aae063dee96273b9817b6eefa9dc33bab.exe	82
PID 2028 wrote to memory of 4232	2028	1e8f4350a04074978a7075ce6f6da54aae063dee96273b9817b6eefa9dc33bab.exe	82
PID 4232 wrote to memory of 1508	4232	ziQC4119.exe	83
PID 4232 wrote to memory of 1508	4232	ziQC4119.exe	83
PID 4232 wrote to memory of 1508	4232	ziQC4119.exe	83
PID 1508 wrote to memory of 1464	1508	zisu0856.exe	84
PID 1508 wrote to memory of 1464	1508	zisu0856.exe	84
PID 1508 wrote to memory of 4944	1508	zisu0856.exe	91
PID 1508 wrote to memory of 4944	1508	zisu0856.exe	91
PID 1508 wrote to memory of 4944	1508	zisu0856.exe	91
PID 4232 wrote to memory of 2912	4232	ziQC4119.exe	95
PID 4232 wrote to memory of 2912	4232	ziQC4119.exe	95
PID 4232 wrote to memory of 2912	4232	ziQC4119.exe	95
PID 2028 wrote to memory of 3992	2028	1e8f4350a04074978a7075ce6f6da54aae063dee96273b9817b6eefa9dc33bab.exe	96
PID 2028 wrote to memory of 3992	2028	1e8f4350a04074978a7075ce6f6da54aae063dee96273b9817b6eefa9dc33bab.exe	96
PID 2028 wrote to memory of 3992	2028	1e8f4350a04074978a7075ce6f6da54aae063dee96273b9817b6eefa9dc33bab.exe	96
PID 3992 wrote to memory of 2336	3992	lr277244.exe	116
PID 3992 wrote to memory of 2336	3992	lr277244.exe	116
PID 3992 wrote to memory of 2336	3992	lr277244.exe	116
PID 2336 wrote to memory of 1348	2336	oneetx.exe	135
PID 2336 wrote to memory of 1348	2336	oneetx.exe	135
PID 2336 wrote to memory of 1348	2336	oneetx.exe	135
PID 2336 wrote to memory of 4100	2336	oneetx.exe	141
PID 2336 wrote to memory of 4100	2336	oneetx.exe	141
PID 2336 wrote to memory of 4100	2336	oneetx.exe	141
PID 4100 wrote to memory of 2532	4100	cmd.exe	145
PID 4100 wrote to memory of 2532	4100	cmd.exe	145
PID 4100 wrote to memory of 2532	4100	cmd.exe	145
PID 4100 wrote to memory of 1376	4100	cmd.exe	146
PID 4100 wrote to memory of 1376	4100	cmd.exe	146
PID 4100 wrote to memory of 1376	4100	cmd.exe	146
PID 4100 wrote to memory of 964	4100	cmd.exe	147
PID 4100 wrote to memory of 964	4100	cmd.exe	147
PID 4100 wrote to memory of 964	4100	cmd.exe	147
PID 4100 wrote to memory of 3088	4100	cmd.exe	148
PID 4100 wrote to memory of 3088	4100	cmd.exe	148
PID 4100 wrote to memory of 3088	4100	cmd.exe	148
PID 4100 wrote to memory of 1836	4100	cmd.exe	149
PID 4100 wrote to memory of 1836	4100	cmd.exe	149
PID 4100 wrote to memory of 1836	4100	cmd.exe	149
PID 4100 wrote to memory of 5080	4100	cmd.exe	150
PID 4100 wrote to memory of 5080	4100	cmd.exe	150
PID 4100 wrote to memory of 5080	4100	cmd.exe	150
PID 2336 wrote to memory of 5036	2336	oneetx.exe	164
PID 2336 wrote to memory of 5036	2336	oneetx.exe	164
PID 2336 wrote to memory of 5036	2336	oneetx.exe	164

C:\Users\Admin\AppData\Local\Temp\1e8f4350a04074978a7075ce6f6da54aae063dee96273b9817b6eefa9dc33bab.exe
"C:\Users\Admin\AppData\Local\Temp\1e8f4350a04074978a7075ce6f6da54aae063dee96273b9817b6eefa9dc33bab.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2028
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziQC4119.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziQC4119.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4232
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zisu0856.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zisu0856.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1508
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it613455.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it613455.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1464
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr027047.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr027047.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4944
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4944 -s 1860
        5⤵
        Program crash
        
        PID:1500
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp905509.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp905509.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2912
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr277244.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr277244.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:3992
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3992 -s 712
    3⤵
    - Program crash
    PID:4408
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3992 -s 796
    3⤵
    - Program crash
    PID:4456
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3992 -s 860
    3⤵
    - Program crash
    PID:3168
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3992 -s 976
    3⤵
    - Program crash
    PID:3496
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3992 -s 980
    3⤵
    - Program crash
    PID:1844
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3992 -s 980
    3⤵
    - Program crash
    PID:5016
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3992 -s 1220
    3⤵
    - Program crash
    PID:4432
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3992 -s 1212
    3⤵
    - Program crash
    PID:4804
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3992 -s 1320
    3⤵
    - Program crash
    PID:1016
- - C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
    "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2336
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2336 -s 708
      4⤵
      Program crash
      PID:1652
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2336 -s 1008
      4⤵
      Program crash
      PID:2604
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2336 -s 1100
      4⤵
      Program crash
      PID:1664
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2336 -s 1136
      4⤵
      Program crash
      PID:4340
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2336 -s 1168
      4⤵
      Program crash
      PID:4900
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2336 -s 1208
      4⤵
      Program crash
      PID:1908
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2336 -s 1188
      4⤵
      Program crash
      PID:2972
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2336 -s 1016
      4⤵
      Program crash
      PID:4720
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F
      4⤵
      Creates scheduled task(s)
      PID:1348
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2336 -s 996
      4⤵
      Program crash
      PID:1076
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2336 -s 1292
      4⤵
      Program crash
      PID:4584
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4100
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:2532
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "oneetx.exe" /P "Admin:N"
        5⤵
        
        PID:1376
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "oneetx.exe" /P "Admin:R" /E
        5⤵
        
        PID:964
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:3088
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\cb7ae701b3" /P "Admin:N"
        5⤵
        
        PID:1836
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\cb7ae701b3" /P "Admin:R" /E
        5⤵
        
        PID:5080
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2336 -s 748
      4⤵
      Program crash
      PID:1492
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2336 -s 1320
      4⤵
      Program crash
      PID:2036
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2336 -s 132
      4⤵
      Program crash
      PID:1508
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2336 -s 1348
      4⤵
      Program crash
      PID:2092
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2336 -s 1216
      4⤵
      Program crash
      PID:2392
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2336 -s 1616
      4⤵
      Program crash
      PID:4000
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
      4⤵
      Loads dropped DLL
      PID:5036
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2336 -s 1216
      4⤵
      Program crash
      PID:4200
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2336 -s 1628
      4⤵
      Program crash
      PID:4804
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3992 -s 804
    3⤵
    - Program crash
    PID:4632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 4944 -ip 4944
1⤵
PID:964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3992 -ip 3992
1⤵
PID:5056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3992 -ip 3992
1⤵
PID:2268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3992 -ip 3992
1⤵
PID:5004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3992 -ip 3992
1⤵
PID:4772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 3992 -ip 3992
1⤵
PID:1336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3992 -ip 3992
1⤵
PID:3616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 3992 -ip 3992
1⤵
PID:5008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 3992 -ip 3992
1⤵
PID:4208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 3992 -ip 3992
1⤵
PID:2132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 3992 -ip 3992
1⤵
PID:3680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 2336 -ip 2336
1⤵
PID:3644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 2336 -ip 2336
1⤵
PID:3984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 2336 -ip 2336
1⤵
PID:4896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 2336 -ip 2336
1⤵
PID:4688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 2336 -ip 2336
1⤵
PID:1820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 712 -p 2336 -ip 2336
1⤵
PID:2448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 708 -p 2336 -ip 2336
1⤵
PID:4848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 2336 -ip 2336
1⤵
PID:3896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 2336 -ip 2336
1⤵
PID:3364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 716 -p 2336 -ip 2336
1⤵
PID:452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 2336 -ip 2336
1⤵
PID:2572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 2336 -ip 2336
1⤵
PID:3004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 2336 -ip 2336
1⤵
PID:4944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 2336 -ip 2336
1⤵
PID:3540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 736 -p 2336 -ip 2336
1⤵
PID:3228

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
1⤵
- Executes dropped EXE
PID:4428
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4428 -s 428
  2⤵
  - Program crash
  PID:3392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 756 -p 4428 -ip 4428
1⤵
PID:2528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 2336 -ip 2336
1⤵
PID:3940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 2336 -ip 2336
1⤵
PID:4964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 768 -p 2336 -ip 2336
1⤵
PID:776

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
1⤵
- Executes dropped EXE
PID:3824
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3824 -s 432
  2⤵
  - Program crash
  PID:4076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 792 -p 3824 -ip 3824
1⤵
PID:64

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr277244.exe

Filesize
256KB

MD5
5fa56bb415276b9ff4164f0a8d637cfd

SHA1
dd2f561cffd693ca9ffd3deb7ac7ce0ee10e0d94

SHA256
1c843bc63676d601e5e7a6038a0300a6f5315f8c0f246f588c3e1f8d25035ef7

SHA512
9f310655c33c0e38f5aeaf639522c9166a4096f500725d17721444e078cf5676d0cb3024006c7de700db0b2c95cc493d6c8d519a6a7266809a6a818e98bef6c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr277244.exe

Filesize
256KB

MD5
5fa56bb415276b9ff4164f0a8d637cfd

SHA1
dd2f561cffd693ca9ffd3deb7ac7ce0ee10e0d94

SHA256
1c843bc63676d601e5e7a6038a0300a6f5315f8c0f246f588c3e1f8d25035ef7

SHA512
9f310655c33c0e38f5aeaf639522c9166a4096f500725d17721444e078cf5676d0cb3024006c7de700db0b2c95cc493d6c8d519a6a7266809a6a818e98bef6c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziQC4119.exe

Filesize
568KB

MD5
19ec71b7adedb6d7d1b9f59bfc6f61fb

SHA1
02550a2f632f4a1928dc9907445809f8e46b48f4

SHA256
ef60623f79706d6490b4a9e25fb0c7fcb8f4945430b075194f92299e1b234d4b

SHA512
f92a87a2df679f7e3f121619e638f099e6911d4f87be3b13056d824ff78615a6d318f01440715a33a31df4b9546506710959a1006bc38f60306dc5268301863c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziQC4119.exe

Filesize
568KB

MD5
19ec71b7adedb6d7d1b9f59bfc6f61fb

SHA1
02550a2f632f4a1928dc9907445809f8e46b48f4

SHA256
ef60623f79706d6490b4a9e25fb0c7fcb8f4945430b075194f92299e1b234d4b

SHA512
f92a87a2df679f7e3f121619e638f099e6911d4f87be3b13056d824ff78615a6d318f01440715a33a31df4b9546506710959a1006bc38f60306dc5268301863c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp905509.exe

Filesize
136KB

MD5
86810f340795831f3c2bd147981be929

SHA1
573345e2c322720fa43f74d761ff1d48028f36c9

SHA256
d122c80c89eb529d8edb82af16a9ffd8bb187f391758fe80ac2e25db159a9139

SHA512
c50b8b6a424fc20c6a3009560cffc277c8dd99792c97f72bfb57d924efdc07341e87a96cb2556e90955fbab6bd59df2a8fc23f89866096658dc7530499becd9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp905509.exe

Filesize
136KB

MD5
86810f340795831f3c2bd147981be929

SHA1
573345e2c322720fa43f74d761ff1d48028f36c9

SHA256
d122c80c89eb529d8edb82af16a9ffd8bb187f391758fe80ac2e25db159a9139

SHA512
c50b8b6a424fc20c6a3009560cffc277c8dd99792c97f72bfb57d924efdc07341e87a96cb2556e90955fbab6bd59df2a8fc23f89866096658dc7530499becd9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zisu0856.exe

Filesize
414KB

MD5
4693814a2c7daba7cffff9827a1852e0

SHA1
8048e6a2128c37a8916c532b3bf7c896be0bae70

SHA256
bfe8d509404835cb1f9380e1febaa4aa53f704d889b0d7e2c8764b7007fbcfaa

SHA512
a3bb170c89769107664d2cabff1bc81e11aceaa882c9c1ee82a2b1f5ed5ab20f7307bb20749e00c65ec661d99e6757f22a0839cfca97b0c77a2b8fd4a37a15a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zisu0856.exe

Filesize
414KB

MD5
4693814a2c7daba7cffff9827a1852e0

SHA1
8048e6a2128c37a8916c532b3bf7c896be0bae70

SHA256
bfe8d509404835cb1f9380e1febaa4aa53f704d889b0d7e2c8764b7007fbcfaa

SHA512
a3bb170c89769107664d2cabff1bc81e11aceaa882c9c1ee82a2b1f5ed5ab20f7307bb20749e00c65ec661d99e6757f22a0839cfca97b0c77a2b8fd4a37a15a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it613455.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it613455.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr027047.exe

Filesize
359KB

MD5
144d45442598b78273fd57bc53d2cdca

SHA1
46a19a65882cf25b031847490fcfea1eacbf54e1

SHA256
6d6fe1afd6f981916f9b89ce1675b7ad1b1d3cba77eb181bdccfc2d10a126aae

SHA512
a64562bc11a1be58775dd65f79851c44bacf5df4cd8547de6ce39b066c99eaeed490c5c678e4e672190bb0175322f9f9d5a9dae1e3cd1ec07acd7181f9b75cc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr027047.exe

Filesize
359KB

MD5
144d45442598b78273fd57bc53d2cdca

SHA1
46a19a65882cf25b031847490fcfea1eacbf54e1

SHA256
6d6fe1afd6f981916f9b89ce1675b7ad1b1d3cba77eb181bdccfc2d10a126aae

SHA512
a64562bc11a1be58775dd65f79851c44bacf5df4cd8547de6ce39b066c99eaeed490c5c678e4e672190bb0175322f9f9d5a9dae1e3cd1ec07acd7181f9b75cc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Filesize
256KB

MD5
5fa56bb415276b9ff4164f0a8d637cfd

SHA1
dd2f561cffd693ca9ffd3deb7ac7ce0ee10e0d94

SHA256
1c843bc63676d601e5e7a6038a0300a6f5315f8c0f246f588c3e1f8d25035ef7

SHA512
9f310655c33c0e38f5aeaf639522c9166a4096f500725d17721444e078cf5676d0cb3024006c7de700db0b2c95cc493d6c8d519a6a7266809a6a818e98bef6c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Filesize
256KB

MD5
5fa56bb415276b9ff4164f0a8d637cfd

SHA1
dd2f561cffd693ca9ffd3deb7ac7ce0ee10e0d94

SHA256
1c843bc63676d601e5e7a6038a0300a6f5315f8c0f246f588c3e1f8d25035ef7

SHA512
9f310655c33c0e38f5aeaf639522c9166a4096f500725d17721444e078cf5676d0cb3024006c7de700db0b2c95cc493d6c8d519a6a7266809a6a818e98bef6c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Filesize
256KB

MD5
5fa56bb415276b9ff4164f0a8d637cfd

SHA1
dd2f561cffd693ca9ffd3deb7ac7ce0ee10e0d94

SHA256
1c843bc63676d601e5e7a6038a0300a6f5315f8c0f246f588c3e1f8d25035ef7

SHA512
9f310655c33c0e38f5aeaf639522c9166a4096f500725d17721444e078cf5676d0cb3024006c7de700db0b2c95cc493d6c8d519a6a7266809a6a818e98bef6c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Filesize
256KB

MD5
5fa56bb415276b9ff4164f0a8d637cfd

SHA1
dd2f561cffd693ca9ffd3deb7ac7ce0ee10e0d94

SHA256
1c843bc63676d601e5e7a6038a0300a6f5315f8c0f246f588c3e1f8d25035ef7

SHA512
9f310655c33c0e38f5aeaf639522c9166a4096f500725d17721444e078cf5676d0cb3024006c7de700db0b2c95cc493d6c8d519a6a7266809a6a818e98bef6c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Filesize
256KB

MD5
5fa56bb415276b9ff4164f0a8d637cfd

SHA1
dd2f561cffd693ca9ffd3deb7ac7ce0ee10e0d94

SHA256
1c843bc63676d601e5e7a6038a0300a6f5315f8c0f246f588c3e1f8d25035ef7

SHA512
9f310655c33c0e38f5aeaf639522c9166a4096f500725d17721444e078cf5676d0cb3024006c7de700db0b2c95cc493d6c8d519a6a7266809a6a818e98bef6c0

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
f577e9f9bb3716a1405af573fbf2afb4

SHA1
7e2a18c86e4912f9218fbe7c8cf64e04afb90f6e

SHA256
4b3391b13b28318497485a35a26a9c6389ef46eb497f473ff3ec06e0289fdbcb

SHA512
fb7791bd8dd6124a657fbf3de52864442a66209540e34a3f085bcb0019937712b3a538e092751baf57bbe9abd6b764e02dc0b214a02492ec4b8459029b0d7add

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
f577e9f9bb3716a1405af573fbf2afb4

SHA1
7e2a18c86e4912f9218fbe7c8cf64e04afb90f6e

SHA256
4b3391b13b28318497485a35a26a9c6389ef46eb497f473ff3ec06e0289fdbcb

SHA512
fb7791bd8dd6124a657fbf3de52864442a66209540e34a3f085bcb0019937712b3a538e092751baf57bbe9abd6b764e02dc0b214a02492ec4b8459029b0d7add

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
f577e9f9bb3716a1405af573fbf2afb4

SHA1
7e2a18c86e4912f9218fbe7c8cf64e04afb90f6e

SHA256
4b3391b13b28318497485a35a26a9c6389ef46eb497f473ff3ec06e0289fdbcb

SHA512
fb7791bd8dd6124a657fbf3de52864442a66209540e34a3f085bcb0019937712b3a538e092751baf57bbe9abd6b764e02dc0b214a02492ec4b8459029b0d7add

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
memory/1464-154-0x0000000000670000-0x000000000067A000-memory.dmp

Filesize
40KB

Download
memory/2912-976-0x0000000007350000-0x0000000007360000-memory.dmp

Filesize
64KB

Download
memory/2912-975-0x00000000005F0000-0x0000000000618000-memory.dmp

Filesize
160KB

Download
memory/3992-982-0x00000000030D0000-0x0000000003105000-memory.dmp

Filesize
212KB

Download
memory/4944-200-0x00000000072A0000-0x00000000072D5000-memory.dmp

Filesize
212KB

Download
memory/4944-228-0x00000000072A0000-0x00000000072D5000-memory.dmp

Filesize
212KB

Download
memory/4944-182-0x00000000072A0000-0x00000000072D5000-memory.dmp

Filesize
212KB

Download
memory/4944-184-0x00000000072A0000-0x00000000072D5000-memory.dmp

Filesize
212KB

Download
memory/4944-186-0x00000000072A0000-0x00000000072D5000-memory.dmp

Filesize
212KB

Download
memory/4944-188-0x00000000072A0000-0x00000000072D5000-memory.dmp

Filesize
212KB

Download
memory/4944-190-0x00000000072A0000-0x00000000072D5000-memory.dmp

Filesize
212KB

Download
memory/4944-192-0x00000000072A0000-0x00000000072D5000-memory.dmp

Filesize
212KB

Download
memory/4944-194-0x00000000072A0000-0x00000000072D5000-memory.dmp

Filesize
212KB

Download
memory/4944-196-0x00000000072A0000-0x00000000072D5000-memory.dmp

Filesize
212KB

Download
memory/4944-198-0x00000000072A0000-0x00000000072D5000-memory.dmp

Filesize
212KB

Download
memory/4944-178-0x00000000072A0000-0x00000000072D5000-memory.dmp

Filesize
212KB

Download
memory/4944-202-0x00000000072A0000-0x00000000072D5000-memory.dmp

Filesize
212KB

Download
memory/4944-204-0x00000000072A0000-0x00000000072D5000-memory.dmp

Filesize
212KB

Download
memory/4944-206-0x00000000072A0000-0x00000000072D5000-memory.dmp

Filesize
212KB

Download
memory/4944-208-0x00000000072A0000-0x00000000072D5000-memory.dmp

Filesize
212KB

Download
memory/4944-210-0x00000000072A0000-0x00000000072D5000-memory.dmp

Filesize
212KB

Download
memory/4944-212-0x00000000072A0000-0x00000000072D5000-memory.dmp

Filesize
212KB

Download
memory/4944-214-0x00000000072A0000-0x00000000072D5000-memory.dmp

Filesize
212KB

Download
memory/4944-216-0x00000000072A0000-0x00000000072D5000-memory.dmp

Filesize
212KB

Download
memory/4944-218-0x00000000072A0000-0x00000000072D5000-memory.dmp

Filesize
212KB

Download
memory/4944-220-0x00000000072A0000-0x00000000072D5000-memory.dmp

Filesize
212KB

Download
memory/4944-222-0x00000000072A0000-0x00000000072D5000-memory.dmp

Filesize
212KB

Download
memory/4944-224-0x00000000072A0000-0x00000000072D5000-memory.dmp

Filesize
212KB

Download
memory/4944-226-0x00000000072A0000-0x00000000072D5000-memory.dmp

Filesize
212KB

Download
memory/4944-180-0x00000000072A0000-0x00000000072D5000-memory.dmp

Filesize
212KB

Download
memory/4944-957-0x0000000009DA0000-0x000000000A3B8000-memory.dmp

Filesize
6.1MB

Download
memory/4944-958-0x000000000A450000-0x000000000A462000-memory.dmp

Filesize
72KB

Download
memory/4944-959-0x000000000A470000-0x000000000A57A000-memory.dmp

Filesize
1.0MB

Download
memory/4944-960-0x000000000A590000-0x000000000A5CC000-memory.dmp

Filesize
240KB

Download
memory/4944-961-0x0000000007320000-0x0000000007330000-memory.dmp

Filesize
64KB

Download
memory/4944-962-0x000000000A890000-0x000000000A8F6000-memory.dmp

Filesize
408KB

Download
memory/4944-963-0x000000000AF60000-0x000000000AFF2000-memory.dmp

Filesize
584KB

Download
memory/4944-964-0x000000000B120000-0x000000000B196000-memory.dmp

Filesize
472KB

Download
memory/4944-176-0x00000000072A0000-0x00000000072D5000-memory.dmp

Filesize
212KB

Download
memory/4944-175-0x0000000007320000-0x0000000007330000-memory.dmp

Filesize
64KB

Download
memory/4944-171-0x0000000007320000-0x0000000007330000-memory.dmp

Filesize
64KB

Download
memory/4944-173-0x0000000007320000-0x0000000007330000-memory.dmp

Filesize
64KB

Download
memory/4944-172-0x00000000072A0000-0x00000000072D5000-memory.dmp

Filesize
212KB

Download
memory/4944-169-0x00000000072A0000-0x00000000072D5000-memory.dmp

Filesize
212KB

Download
memory/4944-167-0x00000000072A0000-0x00000000072D5000-memory.dmp

Filesize
212KB

Download
memory/4944-163-0x00000000072A0000-0x00000000072D5000-memory.dmp

Filesize
212KB

Download
memory/4944-165-0x00000000072A0000-0x00000000072D5000-memory.dmp

Filesize
212KB

Download
memory/4944-162-0x00000000072A0000-0x00000000072D5000-memory.dmp

Filesize
212KB

Download
memory/4944-161-0x0000000007330000-0x00000000078D4000-memory.dmp

Filesize
5.6MB

Download
memory/4944-160-0x00000000047F0000-0x0000000004836000-memory.dmp

Filesize
280KB

Download
memory/4944-965-0x000000000B1D0000-0x000000000B1EE000-memory.dmp

Filesize
120KB

Download
memory/4944-966-0x000000000B4F0000-0x000000000B6B2000-memory.dmp

Filesize
1.8MB

Download
memory/4944-967-0x000000000B6C0000-0x000000000BBEC000-memory.dmp

Filesize
5.2MB

Download
memory/4944-968-0x0000000006D40000-0x0000000006D90000-memory.dmp

Filesize
320KB

Download