amadey | a0e14764f2820c1f6051af17cbc7b1fc4cd3d4d8ab5405861f995aeec6deba3f

Analysis

max time kernel
142s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
21/04/2023, 13:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a0e14764f2820c1f6051af17cbc7b1fc4cd3d4d8ab5405861f995aeec6deba3f.exe
Size

945KB
MD5

d9814fd6524ee3fa8dcde52f36b6d3e5
SHA1

d8ed30fe1273b815ff054b853ec64c5c892125f5
SHA256

a0e14764f2820c1f6051af17cbc7b1fc4cd3d4d8ab5405861f995aeec6deba3f
SHA512

9a783d9496f2a2dd32a905f0465b5d0fe77f18af1d77a96bdb5c5c8d506079c03f0d427f23eb2880f20a4f12b0fb7ba6edbe97859d05bc74c8b8ce335b67d027
SSDEEP

12288:hy90S+Ws9CxQm8a7NulyDkly/r+6I4Mfor78adCKWSJuSO6hs93NNWc6maa:hyB1KJm8xsQwq6dMAr1tWS7Hs4c6maa

Score

10^/10

amadey discovery evasion persistence spyware stealer trojan

Malware Config

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	pr143154.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pr143154.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pr143154.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pr143154.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pr143154.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pr143154.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	si139198.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	oneetx.exe

Executes dropped EXE 10 IoCs

pid	Process
3980	un364983.exe
1268	un191946.exe
544	pr143154.exe
2100	qu130712.exe
2480	qu130712.exe
340	rk368925.exe
2064	si139198.exe
3436	oneetx.exe
1604	oneetx.exe
2312	oneetx.exe

Loads dropped DLL 1 IoCs

pid	Process
4636	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pr143154.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pr143154.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un364983.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un191946.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	un191946.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	a0e14764f2820c1f6051af17cbc7b1fc4cd3d4d8ab5405861f995aeec6deba3f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	a0e14764f2820c1f6051af17cbc7b1fc4cd3d4d8ab5405861f995aeec6deba3f.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un364983.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2100 set thread context of 2480	2100	qu130712.exe	92

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 28 IoCs

pid	pid_target	Process	procid_target
2232	544	WerFault.exe	85
2328	2064	WerFault.exe	94
1276	2064	WerFault.exe	94
2552	2064	WerFault.exe	94
1712	2064	WerFault.exe	94
2856	2064	WerFault.exe	94
3172	2064	WerFault.exe	94
2068	2064	WerFault.exe	94
2728	2064	WerFault.exe	94
1720	2064	WerFault.exe	94
1300	2064	WerFault.exe	94
5020	3436	WerFault.exe	114
2456	3436	WerFault.exe	114
1684	3436	WerFault.exe	114
4124	3436	WerFault.exe	114
3696	3436	WerFault.exe	114
1192	3436	WerFault.exe	114
2956	3436	WerFault.exe	114
3112	3436	WerFault.exe	114
3728	3436	WerFault.exe	114
2264	3436	WerFault.exe	114
4796	3436	WerFault.exe	114
760	3436	WerFault.exe	114
4756	1604	WerFault.exe	147
3172	3436	WerFault.exe	114
2560	3436	WerFault.exe	114
2260	3436	WerFault.exe	114
3460	2312	WerFault.exe	157

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
3328	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
544	pr143154.exe
544	pr143154.exe
340	rk368925.exe
340	rk368925.exe
2480	qu130712.exe
2480	qu130712.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	544	pr143154.exe
Token: SeDebugPrivilege	2480	qu130712.exe
Token: SeDebugPrivilege	340	rk368925.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2064	si139198.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 4980 wrote to memory of 3980	4980	a0e14764f2820c1f6051af17cbc7b1fc4cd3d4d8ab5405861f995aeec6deba3f.exe	83
PID 4980 wrote to memory of 3980	4980	a0e14764f2820c1f6051af17cbc7b1fc4cd3d4d8ab5405861f995aeec6deba3f.exe	83
PID 4980 wrote to memory of 3980	4980	a0e14764f2820c1f6051af17cbc7b1fc4cd3d4d8ab5405861f995aeec6deba3f.exe	83
PID 3980 wrote to memory of 1268	3980	un364983.exe	84
PID 3980 wrote to memory of 1268	3980	un364983.exe	84
PID 3980 wrote to memory of 1268	3980	un364983.exe	84
PID 1268 wrote to memory of 544	1268	un191946.exe	85
PID 1268 wrote to memory of 544	1268	un191946.exe	85
PID 1268 wrote to memory of 544	1268	un191946.exe	85
PID 1268 wrote to memory of 2100	1268	un191946.exe	91
PID 1268 wrote to memory of 2100	1268	un191946.exe	91
PID 1268 wrote to memory of 2100	1268	un191946.exe	91
PID 2100 wrote to memory of 2480	2100	qu130712.exe	92
PID 2100 wrote to memory of 2480	2100	qu130712.exe	92
PID 2100 wrote to memory of 2480	2100	qu130712.exe	92
PID 2100 wrote to memory of 2480	2100	qu130712.exe	92
PID 2100 wrote to memory of 2480	2100	qu130712.exe	92
PID 2100 wrote to memory of 2480	2100	qu130712.exe	92
PID 2100 wrote to memory of 2480	2100	qu130712.exe	92
PID 2100 wrote to memory of 2480	2100	qu130712.exe	92
PID 2100 wrote to memory of 2480	2100	qu130712.exe	92
PID 3980 wrote to memory of 340	3980	un364983.exe	93
PID 3980 wrote to memory of 340	3980	un364983.exe	93
PID 3980 wrote to memory of 340	3980	un364983.exe	93
PID 4980 wrote to memory of 2064	4980	a0e14764f2820c1f6051af17cbc7b1fc4cd3d4d8ab5405861f995aeec6deba3f.exe	94
PID 4980 wrote to memory of 2064	4980	a0e14764f2820c1f6051af17cbc7b1fc4cd3d4d8ab5405861f995aeec6deba3f.exe	94
PID 4980 wrote to memory of 2064	4980	a0e14764f2820c1f6051af17cbc7b1fc4cd3d4d8ab5405861f995aeec6deba3f.exe	94
PID 2064 wrote to memory of 3436	2064	si139198.exe	114
PID 2064 wrote to memory of 3436	2064	si139198.exe	114
PID 2064 wrote to memory of 3436	2064	si139198.exe	114
PID 3436 wrote to memory of 3328	3436	oneetx.exe	131
PID 3436 wrote to memory of 3328	3436	oneetx.exe	131
PID 3436 wrote to memory of 3328	3436	oneetx.exe	131
PID 3436 wrote to memory of 4636	3436	oneetx.exe	152
PID 3436 wrote to memory of 4636	3436	oneetx.exe	152
PID 3436 wrote to memory of 4636	3436	oneetx.exe	152

C:\Users\Admin\AppData\Local\Temp\a0e14764f2820c1f6051af17cbc7b1fc4cd3d4d8ab5405861f995aeec6deba3f.exe
"C:\Users\Admin\AppData\Local\Temp\a0e14764f2820c1f6051af17cbc7b1fc4cd3d4d8ab5405861f995aeec6deba3f.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4980
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un364983.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un364983.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3980
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un191946.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un191946.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1268
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr143154.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr143154.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:544
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 544 -s 1004
        5⤵
        Program crash
        
        PID:2232
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu130712.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu130712.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:2100
    - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu130712.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu130712.exe
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2480
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk368925.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk368925.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:340
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si139198.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si139198.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2064
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2064 -s 696
    3⤵
    - Program crash
    PID:2328
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2064 -s 780
    3⤵
    - Program crash
    PID:1276
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2064 -s 796
    3⤵
    - Program crash
    PID:2552
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2064 -s 804
    3⤵
    - Program crash
    PID:1712
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2064 -s 976
    3⤵
    - Program crash
    PID:2856
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2064 -s 976
    3⤵
    - Program crash
    PID:3172
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2064 -s 1216
    3⤵
    - Program crash
    PID:2068
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2064 -s 1240
    3⤵
    - Program crash
    PID:2728
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2064 -s 1312
    3⤵
    - Program crash
    PID:1720
- - C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
    "C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3436
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3436 -s 692
      4⤵
      Program crash
      PID:5020
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3436 -s 816
      4⤵
      Program crash
      PID:2456
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3436 -s 828
      4⤵
      Program crash
      PID:1684
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3436 -s 1052
      4⤵
      Program crash
      PID:4124
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3436 -s 1072
      4⤵
      Program crash
      PID:3696
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3436 -s 1108
      4⤵
      Program crash
      PID:1192
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3436 -s 1052
      4⤵
      Program crash
      PID:2956
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe" /F
      4⤵
      Creates scheduled task(s)
      PID:3328
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3436 -s 992
      4⤵
      Program crash
      PID:3112
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3436 -s 828
      4⤵
      Program crash
      PID:3728
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3436 -s 1252
      4⤵
      Program crash
      PID:2264
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3436 -s 1312
      4⤵
      Program crash
      PID:4796
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3436 -s 1104
      4⤵
      Program crash
      PID:760
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3436 -s 1624
      4⤵
      Program crash
      PID:3172
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
      4⤵
      Loads dropped DLL
      PID:4636
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3436 -s 1144
      4⤵
      Program crash
      PID:2560
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3436 -s 1640
      4⤵
      Program crash
      PID:2260
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2064 -s 1344
    3⤵
    - Program crash
    PID:1300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 544 -ip 544
1⤵
PID:3828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2064 -ip 2064
1⤵
PID:1192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 2064 -ip 2064
1⤵
PID:1628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2064 -ip 2064
1⤵
PID:2020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2064 -ip 2064
1⤵
PID:4024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2064 -ip 2064
1⤵
PID:540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2064 -ip 2064
1⤵
PID:3208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2064 -ip 2064
1⤵
PID:4960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2064 -ip 2064
1⤵
PID:4516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2064 -ip 2064
1⤵
PID:4840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 2064 -ip 2064
1⤵
PID:4668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3436 -ip 3436
1⤵
PID:2520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3436 -ip 3436
1⤵
PID:1076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3436 -ip 3436
1⤵
PID:4300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3436 -ip 3436
1⤵
PID:2932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 3436 -ip 3436
1⤵
PID:3556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3436 -ip 3436
1⤵
PID:396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3436 -ip 3436
1⤵
PID:3608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3436 -ip 3436
1⤵
PID:116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3436 -ip 3436
1⤵
PID:4676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3436 -ip 3436
1⤵
PID:5056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3436 -ip 3436
1⤵
PID:1316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3436 -ip 3436
1⤵
PID:2156

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
1⤵
- Executes dropped EXE
PID:1604
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1604 -s 312
  2⤵
  - Program crash
  PID:4756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 1604 -ip 1604
1⤵
PID:2020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 3436 -ip 3436
1⤵
PID:2096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3436 -ip 3436
1⤵
PID:3232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3436 -ip 3436
1⤵
PID:4476

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
1⤵
- Executes dropped EXE
PID:2312
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 312
  2⤵
  - Program crash
  PID:3460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 2312 -ip 2312
1⤵
PID:4220

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

Filesize
258KB

MD5
41d6b7c631dfcfbe3420765fbcb70457

SHA1
f3e7bbe8492de90a71d86e5c960e5bd07a27e287

SHA256
228aab54d53ee6637288c4ec41aeb66bcde5e932bf62b567c6e762c1d6060c5e

SHA512
8393b465a7c05f25b8f21607f6e745a9a379b7d65b1ecd49110cec321da41ad9a1df3e64c8af815111c37cd7a74f866b163e2a3d5977e1e8f48d5cf16f398e9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

Filesize
258KB

MD5
41d6b7c631dfcfbe3420765fbcb70457

SHA1
f3e7bbe8492de90a71d86e5c960e5bd07a27e287

SHA256
228aab54d53ee6637288c4ec41aeb66bcde5e932bf62b567c6e762c1d6060c5e

SHA512
8393b465a7c05f25b8f21607f6e745a9a379b7d65b1ecd49110cec321da41ad9a1df3e64c8af815111c37cd7a74f866b163e2a3d5977e1e8f48d5cf16f398e9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

Filesize
258KB

MD5
41d6b7c631dfcfbe3420765fbcb70457

SHA1
f3e7bbe8492de90a71d86e5c960e5bd07a27e287

SHA256
228aab54d53ee6637288c4ec41aeb66bcde5e932bf62b567c6e762c1d6060c5e

SHA512
8393b465a7c05f25b8f21607f6e745a9a379b7d65b1ecd49110cec321da41ad9a1df3e64c8af815111c37cd7a74f866b163e2a3d5977e1e8f48d5cf16f398e9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

Filesize
258KB

MD5
41d6b7c631dfcfbe3420765fbcb70457

SHA1
f3e7bbe8492de90a71d86e5c960e5bd07a27e287

SHA256
228aab54d53ee6637288c4ec41aeb66bcde5e932bf62b567c6e762c1d6060c5e

SHA512
8393b465a7c05f25b8f21607f6e745a9a379b7d65b1ecd49110cec321da41ad9a1df3e64c8af815111c37cd7a74f866b163e2a3d5977e1e8f48d5cf16f398e9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

Filesize
258KB

MD5
41d6b7c631dfcfbe3420765fbcb70457

SHA1
f3e7bbe8492de90a71d86e5c960e5bd07a27e287

SHA256
228aab54d53ee6637288c4ec41aeb66bcde5e932bf62b567c6e762c1d6060c5e

SHA512
8393b465a7c05f25b8f21607f6e745a9a379b7d65b1ecd49110cec321da41ad9a1df3e64c8af815111c37cd7a74f866b163e2a3d5977e1e8f48d5cf16f398e9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si139198.exe

Filesize
258KB

MD5
41d6b7c631dfcfbe3420765fbcb70457

SHA1
f3e7bbe8492de90a71d86e5c960e5bd07a27e287

SHA256
228aab54d53ee6637288c4ec41aeb66bcde5e932bf62b567c6e762c1d6060c5e

SHA512
8393b465a7c05f25b8f21607f6e745a9a379b7d65b1ecd49110cec321da41ad9a1df3e64c8af815111c37cd7a74f866b163e2a3d5977e1e8f48d5cf16f398e9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si139198.exe

Filesize
258KB

MD5
41d6b7c631dfcfbe3420765fbcb70457

SHA1
f3e7bbe8492de90a71d86e5c960e5bd07a27e287

SHA256
228aab54d53ee6637288c4ec41aeb66bcde5e932bf62b567c6e762c1d6060c5e

SHA512
8393b465a7c05f25b8f21607f6e745a9a379b7d65b1ecd49110cec321da41ad9a1df3e64c8af815111c37cd7a74f866b163e2a3d5977e1e8f48d5cf16f398e9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un364983.exe

Filesize
690KB

MD5
de0d2b09f4d3c2199171d1f8989efe6b

SHA1
a7cb3ee2fbceeca51fda4e4921d819b43c2d25e1

SHA256
a2ca47b69808a09fd25bc60eb02a547bf2285b791baccbb53126ba7cc3c8c120

SHA512
5c880195df99bc7f30e0454386991300495264625fddaddee2feca73bd195464092fd0cbb0e4a29b2e9aae41c13cbc3e70aad584063cbf4a0d3d0574b8dcb7d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un364983.exe

Filesize
690KB

MD5
de0d2b09f4d3c2199171d1f8989efe6b

SHA1
a7cb3ee2fbceeca51fda4e4921d819b43c2d25e1

SHA256
a2ca47b69808a09fd25bc60eb02a547bf2285b791baccbb53126ba7cc3c8c120

SHA512
5c880195df99bc7f30e0454386991300495264625fddaddee2feca73bd195464092fd0cbb0e4a29b2e9aae41c13cbc3e70aad584063cbf4a0d3d0574b8dcb7d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk368925.exe

Filesize
136KB

MD5
e48a471cb7bc4ff6a6b32ae6d192dbbb

SHA1
d38181853eccf41490641e35b9f2b13e1f6d1711

SHA256
ce0d0c494beb02432c1c208d73c07be71fefb4afd34e74a98f188417ca86d21c

SHA512
dffde20f58c233b543a9a5e5a4bbdf29767bfb80661541b36c52cd6d53debb6cb3a62d3f7aa76010d06c9b0d74e9b972231eae53cd539f648ec89a85bdc457f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk368925.exe

Filesize
136KB

MD5
e48a471cb7bc4ff6a6b32ae6d192dbbb

SHA1
d38181853eccf41490641e35b9f2b13e1f6d1711

SHA256
ce0d0c494beb02432c1c208d73c07be71fefb4afd34e74a98f188417ca86d21c

SHA512
dffde20f58c233b543a9a5e5a4bbdf29767bfb80661541b36c52cd6d53debb6cb3a62d3f7aa76010d06c9b0d74e9b972231eae53cd539f648ec89a85bdc457f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un191946.exe

Filesize
535KB

MD5
0909385cda0cb806ac63a4618154e0e5

SHA1
4641a8660c391f47880e09fc0ae1293d46dcb7fc

SHA256
5c08c73750a14d3c616f5e6f01a72fa7cf76ad3385b15dd5848c5209ded5e2d7

SHA512
8c0766a41d002f21242cc644bb690206b9c17a9bf6d4cb007a1a7fd31ed5a3d87241df9fe5da4aa4d257252eb0fc9c7e62f92e0359e9054fbbb850aee9e4f641

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un191946.exe

Filesize
535KB

MD5
0909385cda0cb806ac63a4618154e0e5

SHA1
4641a8660c391f47880e09fc0ae1293d46dcb7fc

SHA256
5c08c73750a14d3c616f5e6f01a72fa7cf76ad3385b15dd5848c5209ded5e2d7

SHA512
8c0766a41d002f21242cc644bb690206b9c17a9bf6d4cb007a1a7fd31ed5a3d87241df9fe5da4aa4d257252eb0fc9c7e62f92e0359e9054fbbb850aee9e4f641

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr143154.exe

Filesize
266KB

MD5
14cc64c47b03e7f06725e3be7288ccba

SHA1
ef55c5aeae9a0dd43b676e2b4260d6838e4b7155

SHA256
35c4703a44174491ef38db1947db4ea57e30265e8c251cb59c6f8b6f3ee1ad31

SHA512
6940c31a966eb87dd9270ad8b731f740de1d5f9f2ff453766f05dd727a650f93a509333356e2ae58b4bb661fe4b5f6796f507deef029b1929feb365e9a08121d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr143154.exe

Filesize
266KB

MD5
14cc64c47b03e7f06725e3be7288ccba

SHA1
ef55c5aeae9a0dd43b676e2b4260d6838e4b7155

SHA256
35c4703a44174491ef38db1947db4ea57e30265e8c251cb59c6f8b6f3ee1ad31

SHA512
6940c31a966eb87dd9270ad8b731f740de1d5f9f2ff453766f05dd727a650f93a509333356e2ae58b4bb661fe4b5f6796f507deef029b1929feb365e9a08121d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu130712.exe

Filesize
350KB

MD5
84aa767832723fbe7879b6ce8afa3c4a

SHA1
a9af4aab0762ad3db3ee1998a293f702639d161a

SHA256
41c6ba09c3bae9170c32c1ed0436e58cd4f6666a181c29362226b468d99f3607

SHA512
592b61dfba19132bf50435b6b71de5b72621452fb216851bc730310b86dc53ba0e61093bc6e5c1becd1a816937672802017754d2ecbe5390cc316109381f42df

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu130712.exe

Filesize
350KB

MD5
84aa767832723fbe7879b6ce8afa3c4a

SHA1
a9af4aab0762ad3db3ee1998a293f702639d161a

SHA256
41c6ba09c3bae9170c32c1ed0436e58cd4f6666a181c29362226b468d99f3607

SHA512
592b61dfba19132bf50435b6b71de5b72621452fb216851bc730310b86dc53ba0e61093bc6e5c1becd1a816937672802017754d2ecbe5390cc316109381f42df

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu130712.exe

Filesize
350KB

MD5
84aa767832723fbe7879b6ce8afa3c4a

SHA1
a9af4aab0762ad3db3ee1998a293f702639d161a

SHA256
41c6ba09c3bae9170c32c1ed0436e58cd4f6666a181c29362226b468d99f3607

SHA512
592b61dfba19132bf50435b6b71de5b72621452fb216851bc730310b86dc53ba0e61093bc6e5c1becd1a816937672802017754d2ecbe5390cc316109381f42df

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
4061d8dd5006b99d06fa208c0063dfcf

SHA1
38e7df8d8e631f3e9b227df3b9326d187e18cce5

SHA256
b380dd44db67571959bc5f04a5d9c1ec51e48c0617c59e7c4bcbf794a90320f0

SHA512
71de12e3bcf0ff4996b71587d971f0b4e378397ffac22be28d4e41c7c865a85bbcff62cfa7bdfa6e18d19971205bf0021939ac49dec42daa749d4ac9f7e70314

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
4061d8dd5006b99d06fa208c0063dfcf

SHA1
38e7df8d8e631f3e9b227df3b9326d187e18cce5

SHA256
b380dd44db67571959bc5f04a5d9c1ec51e48c0617c59e7c4bcbf794a90320f0

SHA512
71de12e3bcf0ff4996b71587d971f0b4e378397ffac22be28d4e41c7c865a85bbcff62cfa7bdfa6e18d19971205bf0021939ac49dec42daa749d4ac9f7e70314

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
4061d8dd5006b99d06fa208c0063dfcf

SHA1
38e7df8d8e631f3e9b227df3b9326d187e18cce5

SHA256
b380dd44db67571959bc5f04a5d9c1ec51e48c0617c59e7c4bcbf794a90320f0

SHA512
71de12e3bcf0ff4996b71587d971f0b4e378397ffac22be28d4e41c7c865a85bbcff62cfa7bdfa6e18d19971205bf0021939ac49dec42daa749d4ac9f7e70314

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
memory/340-222-0x00000000077B0000-0x00000000077C0000-memory.dmp

Filesize
64KB

Download
memory/340-307-0x00000000086F0000-0x0000000008782000-memory.dmp

Filesize
584KB

Download
memory/340-330-0x0000000008890000-0x00000000088E0000-memory.dmp

Filesize
320KB

Download
memory/340-334-0x0000000008960000-0x00000000089D6000-memory.dmp

Filesize
472KB

Download
memory/340-214-0x00000000077C0000-0x00000000077FC000-memory.dmp

Filesize
240KB

Download
memory/340-212-0x0000000007880000-0x000000000798A000-memory.dmp

Filesize
1.0MB

Download
memory/340-209-0x0000000007750000-0x0000000007762000-memory.dmp

Filesize
72KB

Download
memory/340-358-0x0000000009870000-0x0000000009D9C000-memory.dmp

Filesize
5.2MB

Download
memory/340-352-0x0000000009170000-0x0000000009332000-memory.dmp

Filesize
1.8MB

Download
memory/340-259-0x0000000007B10000-0x0000000007B76000-memory.dmp

Filesize
408KB

Download
memory/340-369-0x0000000008AA0000-0x0000000008ABE000-memory.dmp

Filesize
120KB

Download
memory/340-208-0x0000000007CC0000-0x00000000082D8000-memory.dmp

Filesize
6.1MB

Download
memory/340-207-0x0000000000A40000-0x0000000000A68000-memory.dmp

Filesize
160KB

Download
memory/544-160-0x0000000007260000-0x0000000007272000-memory.dmp

Filesize
72KB

Download
memory/544-178-0x0000000007260000-0x0000000007272000-memory.dmp

Filesize
72KB

Download
memory/544-193-0x0000000000400000-0x0000000002B9D000-memory.dmp

Filesize
39.6MB

Download
memory/544-192-0x00000000072C0000-0x00000000072D0000-memory.dmp

Filesize
64KB

Download
memory/544-191-0x00000000072C0000-0x00000000072D0000-memory.dmp

Filesize
64KB

Download
memory/544-190-0x00000000072C0000-0x00000000072D0000-memory.dmp

Filesize
64KB

Download
memory/544-188-0x0000000000400000-0x0000000002B9D000-memory.dmp

Filesize
39.6MB

Download
memory/544-187-0x00000000072C0000-0x00000000072D0000-memory.dmp

Filesize
64KB

Download
memory/544-186-0x00000000072C0000-0x00000000072D0000-memory.dmp

Filesize
64KB

Download
memory/544-185-0x00000000072C0000-0x00000000072D0000-memory.dmp

Filesize
64KB

Download
memory/544-184-0x0000000007260000-0x0000000007272000-memory.dmp

Filesize
72KB

Download
memory/544-182-0x0000000007260000-0x0000000007272000-memory.dmp

Filesize
72KB

Download
memory/544-180-0x0000000007260000-0x0000000007272000-memory.dmp

Filesize
72KB

Download
memory/544-155-0x0000000002CF0000-0x0000000002D1D000-memory.dmp

Filesize
180KB

Download
memory/544-176-0x0000000007260000-0x0000000007272000-memory.dmp

Filesize
72KB

Download
memory/544-174-0x0000000007260000-0x0000000007272000-memory.dmp

Filesize
72KB

Download
memory/544-172-0x0000000007260000-0x0000000007272000-memory.dmp

Filesize
72KB

Download
memory/544-170-0x0000000007260000-0x0000000007272000-memory.dmp

Filesize
72KB

Download
memory/544-156-0x00000000072D0000-0x0000000007874000-memory.dmp

Filesize
5.6MB

Download
memory/544-168-0x0000000007260000-0x0000000007272000-memory.dmp

Filesize
72KB

Download
memory/544-166-0x0000000007260000-0x0000000007272000-memory.dmp

Filesize
72KB

Download
memory/544-164-0x0000000007260000-0x0000000007272000-memory.dmp

Filesize
72KB

Download
memory/544-162-0x0000000007260000-0x0000000007272000-memory.dmp

Filesize
72KB

Download
memory/544-158-0x0000000007260000-0x0000000007272000-memory.dmp

Filesize
72KB

Download
memory/544-157-0x0000000007260000-0x0000000007272000-memory.dmp

Filesize
72KB

Download
memory/2064-866-0x00000000047F0000-0x000000000482B000-memory.dmp

Filesize
236KB

Download
memory/2100-200-0x0000000002F30000-0x0000000002F77000-memory.dmp

Filesize
284KB

Download
memory/2480-210-0x0000000004F40000-0x0000000004F75000-memory.dmp

Filesize
212KB

Download
memory/2480-241-0x0000000004F40000-0x0000000004F75000-memory.dmp

Filesize
212KB

Download
memory/2480-245-0x0000000004F40000-0x0000000004F75000-memory.dmp

Filesize
212KB

Download
memory/2480-243-0x0000000004F40000-0x0000000004F75000-memory.dmp

Filesize
212KB

Download
memory/2480-239-0x0000000004F40000-0x0000000004F75000-memory.dmp

Filesize
212KB

Download
memory/2480-237-0x0000000004F40000-0x0000000004F75000-memory.dmp

Filesize
212KB

Download
memory/2480-235-0x0000000004F40000-0x0000000004F75000-memory.dmp

Filesize
212KB

Download
memory/2480-233-0x0000000004F40000-0x0000000004F75000-memory.dmp

Filesize
212KB

Download
memory/2480-231-0x0000000004F40000-0x0000000004F75000-memory.dmp

Filesize
212KB

Download
memory/2480-229-0x0000000004F40000-0x0000000004F75000-memory.dmp

Filesize
212KB

Download
memory/2480-227-0x0000000004F40000-0x0000000004F75000-memory.dmp

Filesize
212KB

Download
memory/2480-225-0x0000000004F40000-0x0000000004F75000-memory.dmp

Filesize
212KB

Download
memory/2480-223-0x0000000004F40000-0x0000000004F75000-memory.dmp

Filesize
212KB

Download
memory/2480-1021-0x00000000022A0000-0x00000000022B0000-memory.dmp

Filesize
64KB

Download
memory/2480-1026-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2480-220-0x00000000022A0000-0x00000000022B0000-memory.dmp

Filesize
64KB

Download
memory/2480-219-0x0000000004F40000-0x0000000004F75000-memory.dmp

Filesize
212KB

Download
memory/2480-218-0x00000000022A0000-0x00000000022B0000-memory.dmp

Filesize
64KB

Download
memory/2480-217-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2480-215-0x0000000004F40000-0x0000000004F75000-memory.dmp

Filesize
212KB

Download
memory/2480-211-0x0000000004F40000-0x0000000004F75000-memory.dmp

Filesize
212KB

Download
memory/2480-201-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2480-202-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2480-198-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download