2aa497303adc8506db4e00ad40562304ca8bb45c8f44857cb01662be5bb8c3f7

Analysis

max time kernel
142s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
21/04/2023, 03:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2aa497303adc8506db4e00ad40562304ca8bb45c8f44857cb01662be5bb8c3f7.exe
Size

922KB
MD5

5f732ad0d212d262ae871aafde23b16a
SHA1

e2ff984f29a59ebb3b532fba7cff553b4eb200ae
SHA256

2aa497303adc8506db4e00ad40562304ca8bb45c8f44857cb01662be5bb8c3f7
SHA512

b68969bdcab8f61c4e4fa768e63036eb029eb6a639690e67e89d2fa7d25c6b20fb1b273d2651a49e7e5b89e63b6e125fcb62140b01219726c8d824b4a96d0aab
SSDEEP

12288:Fy90ffFAsrsfFhXYHNeZqCsmVuI2Bz8voj5HM3KO8G5UAN1RNOQIIqfnQ4pJ38f+:FyaFAokPXYHNWvLgIxvsGy8bNVfMrp/

Score

10^/10

discovery evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	it370630.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	it370630.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	it370630.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	it370630.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	it370630.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	it370630.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	lr820677.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	oneetx.exe

Executes dropped EXE 8 IoCs

pid	Process
3488	ziBa4465.exe
972	zipA6066.exe
5052	it370630.exe
2228	jr313210.exe
1076	kp165266.exe
4408	lr820677.exe
3576	oneetx.exe
1400	oneetx.exe

Loads dropped DLL 1 IoCs

pid	Process
1796	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	it370630.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ziBa4465.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	ziBa4465.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zipA6066.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	zipA6066.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	2aa497303adc8506db4e00ad40562304ca8bb45c8f44857cb01662be5bb8c3f7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	2aa497303adc8506db4e00ad40562304ca8bb45c8f44857cb01662be5bb8c3f7.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 30 IoCs

pid	pid_target	Process	procid_target
1240	2228	WerFault.exe	94
1956	4408	WerFault.exe	100
4332	4408	WerFault.exe	100
3416	4408	WerFault.exe	100
2612	4408	WerFault.exe	100
2360	4408	WerFault.exe	100
1224	4408	WerFault.exe	100
1840	4408	WerFault.exe	100
4312	4408	WerFault.exe	100
3800	4408	WerFault.exe	100
4944	4408	WerFault.exe	100
2312	3576	WerFault.exe	120
5020	3576	WerFault.exe	120
2552	3576	WerFault.exe	120
3656	3576	WerFault.exe	120
1444	3576	WerFault.exe	120
3736	3576	WerFault.exe	120
3536	3576	WerFault.exe	120
4904	3576	WerFault.exe	120
3208	3576	WerFault.exe	120
2228	3576	WerFault.exe	120
1572	3576	WerFault.exe	120
3612	3576	WerFault.exe	120
3740	3576	WerFault.exe	120
1100	3576	WerFault.exe	120
4852	3576	WerFault.exe	120
4460	3576	WerFault.exe	120
3824	3576	WerFault.exe	120
4088	1400	WerFault.exe	168
3312	3576	WerFault.exe	120

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4452	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
5052	it370630.exe
5052	it370630.exe
2228	jr313210.exe
2228	jr313210.exe
1076	kp165266.exe
1076	kp165266.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	5052	it370630.exe
Token: SeDebugPrivilege	2228	jr313210.exe
Token: SeDebugPrivilege	1076	kp165266.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4408	lr820677.exe

Suspicious use of WriteProcessMemory 47 IoCs

description	pid	Process	procid_target
PID 3820 wrote to memory of 3488	3820	2aa497303adc8506db4e00ad40562304ca8bb45c8f44857cb01662be5bb8c3f7.exe	84
PID 3820 wrote to memory of 3488	3820	2aa497303adc8506db4e00ad40562304ca8bb45c8f44857cb01662be5bb8c3f7.exe	84
PID 3820 wrote to memory of 3488	3820	2aa497303adc8506db4e00ad40562304ca8bb45c8f44857cb01662be5bb8c3f7.exe	84
PID 3488 wrote to memory of 972	3488	ziBa4465.exe	85
PID 3488 wrote to memory of 972	3488	ziBa4465.exe	85
PID 3488 wrote to memory of 972	3488	ziBa4465.exe	85
PID 972 wrote to memory of 5052	972	zipA6066.exe	86
PID 972 wrote to memory of 5052	972	zipA6066.exe	86
PID 972 wrote to memory of 2228	972	zipA6066.exe	94
PID 972 wrote to memory of 2228	972	zipA6066.exe	94
PID 972 wrote to memory of 2228	972	zipA6066.exe	94
PID 3488 wrote to memory of 1076	3488	ziBa4465.exe	99
PID 3488 wrote to memory of 1076	3488	ziBa4465.exe	99
PID 3488 wrote to memory of 1076	3488	ziBa4465.exe	99
PID 3820 wrote to memory of 4408	3820	2aa497303adc8506db4e00ad40562304ca8bb45c8f44857cb01662be5bb8c3f7.exe	100
PID 3820 wrote to memory of 4408	3820	2aa497303adc8506db4e00ad40562304ca8bb45c8f44857cb01662be5bb8c3f7.exe	100
PID 3820 wrote to memory of 4408	3820	2aa497303adc8506db4e00ad40562304ca8bb45c8f44857cb01662be5bb8c3f7.exe	100
PID 4408 wrote to memory of 3576	4408	lr820677.exe	120
PID 4408 wrote to memory of 3576	4408	lr820677.exe	120
PID 4408 wrote to memory of 3576	4408	lr820677.exe	120
PID 3576 wrote to memory of 4452	3576	oneetx.exe	137
PID 3576 wrote to memory of 4452	3576	oneetx.exe	137
PID 3576 wrote to memory of 4452	3576	oneetx.exe	137
PID 3576 wrote to memory of 2292	3576	oneetx.exe	143
PID 3576 wrote to memory of 2292	3576	oneetx.exe	143
PID 3576 wrote to memory of 2292	3576	oneetx.exe	143
PID 2292 wrote to memory of 1164	2292	cmd.exe	147
PID 2292 wrote to memory of 1164	2292	cmd.exe	147
PID 2292 wrote to memory of 1164	2292	cmd.exe	147
PID 2292 wrote to memory of 972	2292	cmd.exe	148
PID 2292 wrote to memory of 972	2292	cmd.exe	148
PID 2292 wrote to memory of 972	2292	cmd.exe	148
PID 2292 wrote to memory of 396	2292	cmd.exe	149
PID 2292 wrote to memory of 396	2292	cmd.exe	149
PID 2292 wrote to memory of 396	2292	cmd.exe	149
PID 2292 wrote to memory of 3572	2292	cmd.exe	151
PID 2292 wrote to memory of 3572	2292	cmd.exe	151
PID 2292 wrote to memory of 3572	2292	cmd.exe	151
PID 2292 wrote to memory of 4240	2292	cmd.exe	150
PID 2292 wrote to memory of 4240	2292	cmd.exe	150
PID 2292 wrote to memory of 4240	2292	cmd.exe	150
PID 2292 wrote to memory of 2296	2292	cmd.exe	152
PID 2292 wrote to memory of 2296	2292	cmd.exe	152
PID 2292 wrote to memory of 2296	2292	cmd.exe	152
PID 3576 wrote to memory of 1796	3576	oneetx.exe	165
PID 3576 wrote to memory of 1796	3576	oneetx.exe	165
PID 3576 wrote to memory of 1796	3576	oneetx.exe	165

C:\Users\Admin\AppData\Local\Temp\2aa497303adc8506db4e00ad40562304ca8bb45c8f44857cb01662be5bb8c3f7.exe
"C:\Users\Admin\AppData\Local\Temp\2aa497303adc8506db4e00ad40562304ca8bb45c8f44857cb01662be5bb8c3f7.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3820
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziBa4465.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziBa4465.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3488
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zipA6066.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zipA6066.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:972
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it370630.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it370630.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5052
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr313210.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr313210.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2228
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2228 -s 1320
        5⤵
        Program crash
        
        PID:1240
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp165266.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp165266.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1076
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr820677.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr820677.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4408
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4408 -s 696
    3⤵
    - Program crash
    PID:1956
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4408 -s 780
    3⤵
    - Program crash
    PID:4332
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4408 -s 800
    3⤵
    - Program crash
    PID:3416
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4408 -s 952
    3⤵
    - Program crash
    PID:2612
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4408 -s 812
    3⤵
    - Program crash
    PID:2360
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4408 -s 812
    3⤵
    - Program crash
    PID:1224
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4408 -s 1208
    3⤵
    - Program crash
    PID:1840
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4408 -s 1232
    3⤵
    - Program crash
    PID:4312
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4408 -s 1312
    3⤵
    - Program crash
    PID:3800
- - C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
    "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3576
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 692
      4⤵
      Program crash
      PID:2312
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 864
      4⤵
      Program crash
      PID:5020
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 872
      4⤵
      Program crash
      PID:2552
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 1052
      4⤵
      Program crash
      PID:3656
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 1072
      4⤵
      Program crash
      PID:1444
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 1052
      4⤵
      Program crash
      PID:3736
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 1088
      4⤵
      Program crash
      PID:3536
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F
      4⤵
      Creates scheduled task(s)
      PID:4452
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 992
      4⤵
      Program crash
      PID:4904
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 752
      4⤵
      Program crash
      PID:3208
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2292
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:1164
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "oneetx.exe" /P "Admin:N"
        5⤵
        
        PID:972
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "oneetx.exe" /P "Admin:R" /E
        5⤵
        
        PID:396
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\cb7ae701b3" /P "Admin:N"
        5⤵
        
        PID:4240
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:3572
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\cb7ae701b3" /P "Admin:R" /E
        5⤵
        
        PID:2296
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 1292
      4⤵
      Program crash
      PID:2228
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 1248
      4⤵
      Program crash
      PID:1572
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 756
      4⤵
      Program crash
      PID:3612
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 760
      4⤵
      Program crash
      PID:3740
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 1432
      4⤵
      Program crash
      PID:1100
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 1108
      4⤵
      Program crash
      PID:4852
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 1636
      4⤵
      Program crash
      PID:4460
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
      4⤵
      Loads dropped DLL
      PID:1796
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 1052
      4⤵
      Program crash
      PID:3824
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 1652
      4⤵
      Program crash
      PID:3312
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4408 -s 1352
    3⤵
    - Program crash
    PID:4944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2228 -ip 2228
1⤵
PID:528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4408 -ip 4408
1⤵
PID:2932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4408 -ip 4408
1⤵
PID:4248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 4408 -ip 4408
1⤵
PID:1732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4408 -ip 4408
1⤵
PID:4120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4408 -ip 4408
1⤵
PID:3764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4408 -ip 4408
1⤵
PID:4356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4408 -ip 4408
1⤵
PID:2112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4408 -ip 4408
1⤵
PID:4536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4408 -ip 4408
1⤵
PID:4244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4408 -ip 4408
1⤵
PID:3176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3576 -ip 3576
1⤵
PID:2364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3576 -ip 3576
1⤵
PID:2528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3576 -ip 3576
1⤵
PID:5024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3576 -ip 3576
1⤵
PID:2044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3576 -ip 3576
1⤵
PID:2192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 3576 -ip 3576
1⤵
PID:1816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3576 -ip 3576
1⤵
PID:1500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 3576 -ip 3576
1⤵
PID:2188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3576 -ip 3576
1⤵
PID:1252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3576 -ip 3576
1⤵
PID:4112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3576 -ip 3576
1⤵
PID:4436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3576 -ip 3576
1⤵
PID:2936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3576 -ip 3576
1⤵
PID:2200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3576 -ip 3576
1⤵
PID:4100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3576 -ip 3576
1⤵
PID:2360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3576 -ip 3576
1⤵
PID:4832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3576 -ip 3576
1⤵
PID:64

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
1⤵
- Executes dropped EXE
PID:1400
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1400 -s 316
  2⤵
  - Program crash
  PID:4088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1400 -ip 1400
1⤵
PID:3080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 3576 -ip 3576
1⤵
PID:400

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr820677.exe

Filesize
370KB

MD5
162e5aa87937abbb271b229916c222a4

SHA1
d49ccf3301a0d3df0b47d401448b5d170982268c

SHA256
3ed14e64ebbb0a705a8eeb87e4129f8d7fd225ce8be4efeb30599a1ffe466641

SHA512
022d9741318158ec9ea5bd00797d88cd0e6e2aacd1e45d3d0fcf9760d882fccb307076872a5dd232ddf605cd1337b96f47bd3786c5f2a33866923966468b596a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr820677.exe

Filesize
370KB

MD5
162e5aa87937abbb271b229916c222a4

SHA1
d49ccf3301a0d3df0b47d401448b5d170982268c

SHA256
3ed14e64ebbb0a705a8eeb87e4129f8d7fd225ce8be4efeb30599a1ffe466641

SHA512
022d9741318158ec9ea5bd00797d88cd0e6e2aacd1e45d3d0fcf9760d882fccb307076872a5dd232ddf605cd1337b96f47bd3786c5f2a33866923966468b596a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziBa4465.exe

Filesize
616KB

MD5
a188f06c0fa4c611562963d951b22b22

SHA1
dfab1ac1ad80f605f66d5f43a2ca71fcadecc7d9

SHA256
a72143475ea276330370c113f4d512713789cf4ee6fb303dabfd4731405bcb5d

SHA512
036c2e432c6a167bbedd73d9a4c9dfd442e92d860d29e02be18c2de13b428feabaaf018ec034583f15e2af24ac2b88c38180f1e24e2b515093fd690b85510bad

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziBa4465.exe

Filesize
616KB

MD5
a188f06c0fa4c611562963d951b22b22

SHA1
dfab1ac1ad80f605f66d5f43a2ca71fcadecc7d9

SHA256
a72143475ea276330370c113f4d512713789cf4ee6fb303dabfd4731405bcb5d

SHA512
036c2e432c6a167bbedd73d9a4c9dfd442e92d860d29e02be18c2de13b428feabaaf018ec034583f15e2af24ac2b88c38180f1e24e2b515093fd690b85510bad

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp165266.exe

Filesize
136KB

MD5
ac0ffc4fceebe7be421ae8fc8517d1bf

SHA1
fa6a6f1878e561b5401ae36422add3d34cfdf6dd

SHA256
fe0c2e45eda219cfb1d2bd132437d2412d84cbe8cc2787dd4ff710e1be5c9718

SHA512
23de94ab73fc8cf91d573870d7ac1fb6976eaed31d93e0619378ea93ac5feaf06967bc652525b584bba1b973a2c6e6075b8d7dbe3a8ddf5d569b4e80722bfb93

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp165266.exe

Filesize
136KB

MD5
ac0ffc4fceebe7be421ae8fc8517d1bf

SHA1
fa6a6f1878e561b5401ae36422add3d34cfdf6dd

SHA256
fe0c2e45eda219cfb1d2bd132437d2412d84cbe8cc2787dd4ff710e1be5c9718

SHA512
23de94ab73fc8cf91d573870d7ac1fb6976eaed31d93e0619378ea93ac5feaf06967bc652525b584bba1b973a2c6e6075b8d7dbe3a8ddf5d569b4e80722bfb93

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zipA6066.exe

Filesize
462KB

MD5
977a01f778c9540baa12b6a7935e4cbf

SHA1
8ad3256e46cbaa1b4d647af9514c1863881a4f8f

SHA256
e5dc27b0dedfeb8e4c7b82b8072809aa4807d680f43e81f0c18639afb0e92ce0

SHA512
a5b4542a256b45c5aab2fb0a3b7afe18c5f81345692de67dffbaea34cc507e307adb9a0680e4962ff8e6f4eb9146e4b862b0f63091d152e7ac591bf8be9c0c48

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zipA6066.exe

Filesize
462KB

MD5
977a01f778c9540baa12b6a7935e4cbf

SHA1
8ad3256e46cbaa1b4d647af9514c1863881a4f8f

SHA256
e5dc27b0dedfeb8e4c7b82b8072809aa4807d680f43e81f0c18639afb0e92ce0

SHA512
a5b4542a256b45c5aab2fb0a3b7afe18c5f81345692de67dffbaea34cc507e307adb9a0680e4962ff8e6f4eb9146e4b862b0f63091d152e7ac591bf8be9c0c48

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it370630.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it370630.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr313210.exe

Filesize
474KB

MD5
51a8040ec35984a5680a54d6ed80b5a2

SHA1
6bcc8a3d2cc837895190811762c782de5808d4aa

SHA256
9b3b8c70d29e75d19915d77f6b01eb0819448a9ae2ff2f4dca9e020c009f6a93

SHA512
19f4f6124cb77e16c24b9769991014f970165f448214fa14633d9edcae149700134dc8ac8dbd8404171adc1ed9e52d9f19f7f8c7f2dbc5516ff39dd0cbf37ebe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr313210.exe

Filesize
474KB

MD5
51a8040ec35984a5680a54d6ed80b5a2

SHA1
6bcc8a3d2cc837895190811762c782de5808d4aa

SHA256
9b3b8c70d29e75d19915d77f6b01eb0819448a9ae2ff2f4dca9e020c009f6a93

SHA512
19f4f6124cb77e16c24b9769991014f970165f448214fa14633d9edcae149700134dc8ac8dbd8404171adc1ed9e52d9f19f7f8c7f2dbc5516ff39dd0cbf37ebe

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Filesize
370KB

MD5
162e5aa87937abbb271b229916c222a4

SHA1
d49ccf3301a0d3df0b47d401448b5d170982268c

SHA256
3ed14e64ebbb0a705a8eeb87e4129f8d7fd225ce8be4efeb30599a1ffe466641

SHA512
022d9741318158ec9ea5bd00797d88cd0e6e2aacd1e45d3d0fcf9760d882fccb307076872a5dd232ddf605cd1337b96f47bd3786c5f2a33866923966468b596a

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Filesize
370KB

MD5
162e5aa87937abbb271b229916c222a4

SHA1
d49ccf3301a0d3df0b47d401448b5d170982268c

SHA256
3ed14e64ebbb0a705a8eeb87e4129f8d7fd225ce8be4efeb30599a1ffe466641

SHA512
022d9741318158ec9ea5bd00797d88cd0e6e2aacd1e45d3d0fcf9760d882fccb307076872a5dd232ddf605cd1337b96f47bd3786c5f2a33866923966468b596a

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Filesize
370KB

MD5
162e5aa87937abbb271b229916c222a4

SHA1
d49ccf3301a0d3df0b47d401448b5d170982268c

SHA256
3ed14e64ebbb0a705a8eeb87e4129f8d7fd225ce8be4efeb30599a1ffe466641

SHA512
022d9741318158ec9ea5bd00797d88cd0e6e2aacd1e45d3d0fcf9760d882fccb307076872a5dd232ddf605cd1337b96f47bd3786c5f2a33866923966468b596a

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Filesize
370KB

MD5
162e5aa87937abbb271b229916c222a4

SHA1
d49ccf3301a0d3df0b47d401448b5d170982268c

SHA256
3ed14e64ebbb0a705a8eeb87e4129f8d7fd225ce8be4efeb30599a1ffe466641

SHA512
022d9741318158ec9ea5bd00797d88cd0e6e2aacd1e45d3d0fcf9760d882fccb307076872a5dd232ddf605cd1337b96f47bd3786c5f2a33866923966468b596a

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
f577e9f9bb3716a1405af573fbf2afb4

SHA1
7e2a18c86e4912f9218fbe7c8cf64e04afb90f6e

SHA256
4b3391b13b28318497485a35a26a9c6389ef46eb497f473ff3ec06e0289fdbcb

SHA512
fb7791bd8dd6124a657fbf3de52864442a66209540e34a3f085bcb0019937712b3a538e092751baf57bbe9abd6b764e02dc0b214a02492ec4b8459029b0d7add

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
f577e9f9bb3716a1405af573fbf2afb4

SHA1
7e2a18c86e4912f9218fbe7c8cf64e04afb90f6e

SHA256
4b3391b13b28318497485a35a26a9c6389ef46eb497f473ff3ec06e0289fdbcb

SHA512
fb7791bd8dd6124a657fbf3de52864442a66209540e34a3f085bcb0019937712b3a538e092751baf57bbe9abd6b764e02dc0b214a02492ec4b8459029b0d7add

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
f577e9f9bb3716a1405af573fbf2afb4

SHA1
7e2a18c86e4912f9218fbe7c8cf64e04afb90f6e

SHA256
4b3391b13b28318497485a35a26a9c6389ef46eb497f473ff3ec06e0289fdbcb

SHA512
fb7791bd8dd6124a657fbf3de52864442a66209540e34a3f085bcb0019937712b3a538e092751baf57bbe9abd6b764e02dc0b214a02492ec4b8459029b0d7add

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
memory/1076-976-0x0000000007200000-0x0000000007210000-memory.dmp

Filesize
64KB

Download
memory/1076-975-0x0000000000450000-0x0000000000478000-memory.dmp

Filesize
160KB

Download
memory/2228-202-0x00000000053F0000-0x0000000005425000-memory.dmp

Filesize
212KB

Download
memory/2228-224-0x00000000053F0000-0x0000000005425000-memory.dmp

Filesize
212KB

Download
memory/2228-180-0x00000000053F0000-0x0000000005425000-memory.dmp

Filesize
212KB

Download
memory/2228-182-0x00000000053F0000-0x0000000005425000-memory.dmp

Filesize
212KB

Download
memory/2228-184-0x00000000053F0000-0x0000000005425000-memory.dmp

Filesize
212KB

Download
memory/2228-186-0x00000000053F0000-0x0000000005425000-memory.dmp

Filesize
212KB

Download
memory/2228-188-0x00000000053F0000-0x0000000005425000-memory.dmp

Filesize
212KB

Download
memory/2228-190-0x00000000053F0000-0x0000000005425000-memory.dmp

Filesize
212KB

Download
memory/2228-192-0x00000000053F0000-0x0000000005425000-memory.dmp

Filesize
212KB

Download
memory/2228-194-0x00000000053F0000-0x0000000005425000-memory.dmp

Filesize
212KB

Download
memory/2228-196-0x00000000053F0000-0x0000000005425000-memory.dmp

Filesize
212KB

Download
memory/2228-198-0x00000000053F0000-0x0000000005425000-memory.dmp

Filesize
212KB

Download
memory/2228-200-0x00000000053F0000-0x0000000005425000-memory.dmp

Filesize
212KB

Download
memory/2228-203-0x0000000004E30000-0x0000000004E40000-memory.dmp

Filesize
64KB

Download
memory/2228-176-0x00000000053F0000-0x0000000005425000-memory.dmp

Filesize
212KB

Download
memory/2228-205-0x0000000004E30000-0x0000000004E40000-memory.dmp

Filesize
64KB

Download
memory/2228-206-0x00000000053F0000-0x0000000005425000-memory.dmp

Filesize
212KB

Download
memory/2228-208-0x00000000053F0000-0x0000000005425000-memory.dmp

Filesize
212KB

Download
memory/2228-210-0x00000000053F0000-0x0000000005425000-memory.dmp

Filesize
212KB

Download
memory/2228-212-0x00000000053F0000-0x0000000005425000-memory.dmp

Filesize
212KB

Download
memory/2228-214-0x00000000053F0000-0x0000000005425000-memory.dmp

Filesize
212KB

Download
memory/2228-216-0x00000000053F0000-0x0000000005425000-memory.dmp

Filesize
212KB

Download
memory/2228-218-0x00000000053F0000-0x0000000005425000-memory.dmp

Filesize
212KB

Download
memory/2228-220-0x00000000053F0000-0x0000000005425000-memory.dmp

Filesize
212KB

Download
memory/2228-222-0x00000000053F0000-0x0000000005425000-memory.dmp

Filesize
212KB

Download
memory/2228-178-0x00000000053F0000-0x0000000005425000-memory.dmp

Filesize
212KB

Download
memory/2228-226-0x00000000053F0000-0x0000000005425000-memory.dmp

Filesize
212KB

Download
memory/2228-228-0x00000000053F0000-0x0000000005425000-memory.dmp

Filesize
212KB

Download
memory/2228-957-0x00000000078F0000-0x0000000007F08000-memory.dmp

Filesize
6.1MB

Download
memory/2228-958-0x0000000007F70000-0x0000000007F82000-memory.dmp

Filesize
72KB

Download
memory/2228-959-0x0000000007F90000-0x000000000809A000-memory.dmp

Filesize
1.0MB

Download
memory/2228-960-0x00000000080B0000-0x00000000080EC000-memory.dmp

Filesize
240KB

Download
memory/2228-961-0x0000000004E30000-0x0000000004E40000-memory.dmp

Filesize
64KB

Download
memory/2228-962-0x00000000083B0000-0x0000000008416000-memory.dmp

Filesize
408KB

Download
memory/2228-963-0x0000000008A70000-0x0000000008B02000-memory.dmp

Filesize
584KB

Download
memory/2228-964-0x0000000008B30000-0x0000000008BA6000-memory.dmp

Filesize
472KB

Download
memory/2228-174-0x00000000053F0000-0x0000000005425000-memory.dmp

Filesize
212KB

Download
memory/2228-172-0x00000000053F0000-0x0000000005425000-memory.dmp

Filesize
212KB

Download
memory/2228-965-0x0000000008BE0000-0x0000000008BFE000-memory.dmp

Filesize
120KB

Download
memory/2228-966-0x0000000008E00000-0x0000000008FC2000-memory.dmp

Filesize
1.8MB

Download
memory/2228-967-0x0000000008FD0000-0x00000000094FC000-memory.dmp

Filesize
5.2MB

Download
memory/2228-968-0x0000000004870000-0x00000000048C0000-memory.dmp

Filesize
320KB

Download
memory/2228-160-0x0000000002450000-0x0000000002496000-memory.dmp

Filesize
280KB

Download
memory/2228-170-0x00000000053F0000-0x0000000005425000-memory.dmp

Filesize
212KB

Download
memory/2228-168-0x00000000053F0000-0x0000000005425000-memory.dmp

Filesize
212KB

Download
memory/2228-166-0x00000000053F0000-0x0000000005425000-memory.dmp

Filesize
212KB

Download
memory/2228-164-0x00000000053F0000-0x0000000005425000-memory.dmp

Filesize
212KB

Download
memory/2228-163-0x00000000053F0000-0x0000000005425000-memory.dmp

Filesize
212KB

Download
memory/2228-162-0x0000000004E40000-0x00000000053E4000-memory.dmp

Filesize
5.6MB

Download
memory/2228-161-0x0000000004E30000-0x0000000004E40000-memory.dmp

Filesize
64KB

Download
memory/4408-982-0x0000000002480000-0x00000000024B5000-memory.dmp

Filesize
212KB

Download
memory/5052-154-0x0000000000E60000-0x0000000000E6A000-memory.dmp

Filesize
40KB

Download