Analysis Overview
SHA256
1d0853e75493b553ef3bb9c05b1b87036e07a8a29a812df6334c4c150444ddfc
Threat Level: Known bad
The file c80864ec4f40c15a4589d19a1e6cd3ca.exe was found to be: Known bad.
Malicious Activity Summary
Amadey
SystemBC
Downloads MZ/PE file
Blocklisted process makes network request
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Adds Run key to start application
Suspicious use of NtSetInformationThreadHideFromDebugger
Unsigned PE
Enumerates physical storage devices
Program crash
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Creates scheduled task(s)
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-05-02 10:35
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-05-02 10:35
Reported
2023-05-02 10:37
Platform
win7-20230220-en
Max time kernel
148s
Max time network
133s
Command Line
Signatures
Amadey
SystemBC
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u2C5B5b.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\1000020050\rundll32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c80864ec4f40c15a4589d19a1e6cd3ca.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u2C5B5b.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Windows\CurrentVersion\Run\rundll32.exe = "C:\\Users\\Admin\\AppData\\Roaming\\1000020050\\rundll32.exe" | C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Windows\CurrentVersion\Run\sc64.dll = "rundll32 C:\\Users\\Admin\\AppData\\Local\\Temp\\1000021061\\sc64.dll, rundll" | C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c80864ec4f40c15a4589d19a1e6cd3ca.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c80864ec4f40c15a4589d19a1e6cd3ca.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\c80864ec4f40c15a4589d19a1e6cd3ca.exe |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\c80864ec4f40c15a4589d19a1e6cd3ca.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u2C5B5b.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\c80864ec4f40c15a4589d19a1e6cd3ca.exe
"C:\Users\Admin\AppData\Local\Temp\c80864ec4f40c15a4589d19a1e6cd3ca.exe"
C:\Users\Admin\AppData\Local\Temp\u2C5B5b.exe
"C:\Users\Admin\AppData\Local\Temp\u2C5B5b.exe"
C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe
"C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe" /F
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1136 -s 1540
C:\Users\Admin\AppData\Roaming\1000020050\rundll32.exe
"C:\Users\Admin\AppData\Roaming\1000020050\rundll32.exe"
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\1000021061\sc64.dll, rundll
C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\1000021061\sc64.dll, rundll
C:\Windows\system32\taskeng.exe
taskeng.exe {D0BBD124-83AA-4680-9545-A4F647D737FE} S-1-5-21-3430344531-3702557399-3004411149-1000:WFSTZEPN\Admin:Interactive:[1]
C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | nftday.art | udp |
| US | 172.67.151.248:443 | nftday.art | tcp |
| US | 8.8.8.8:53 | tadogem.com | udp |
| US | 172.67.183.249:80 | tadogem.com | tcp |
| US | 172.67.151.248:443 | nftday.art | tcp |
| FI | 65.21.119.52:4277 | tcp |
Files
memory/1136-54-0x0000000000DC0000-0x0000000000E54000-memory.dmp
memory/1136-55-0x0000000000330000-0x0000000000331000-memory.dmp
memory/1136-56-0x00000000092E0000-0x0000000009320000-memory.dmp
\Users\Admin\AppData\Local\Temp\u2C5B5b.exe
| MD5 | c23d62c9166ae248fe9fe078328182f9 |
| SHA1 | ce684054121205b1cd7befc016644680fd5b29d5 |
| SHA256 | 90fd1a34bfc130e0d23555bf7f57a4e7d1cd49ae035b29c02aa76eef28b07a9e |
| SHA512 | 1f53f739c5cd8ff3ebd197081d1f6a9e3b29458c2ad5ffa767342aebaed812eaa2546ee1977ed544980acb27fb0178eb1acbff857ccc24ddae6bb734f0aefe57 |
C:\Users\Admin\AppData\Local\Temp\u2C5B5b.exe
| MD5 | c23d62c9166ae248fe9fe078328182f9 |
| SHA1 | ce684054121205b1cd7befc016644680fd5b29d5 |
| SHA256 | 90fd1a34bfc130e0d23555bf7f57a4e7d1cd49ae035b29c02aa76eef28b07a9e |
| SHA512 | 1f53f739c5cd8ff3ebd197081d1f6a9e3b29458c2ad5ffa767342aebaed812eaa2546ee1977ed544980acb27fb0178eb1acbff857ccc24ddae6bb734f0aefe57 |
memory/980-62-0x0000000000300000-0x0000000000301000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\u2C5B5b.exe
| MD5 | c23d62c9166ae248fe9fe078328182f9 |
| SHA1 | ce684054121205b1cd7befc016644680fd5b29d5 |
| SHA256 | 90fd1a34bfc130e0d23555bf7f57a4e7d1cd49ae035b29c02aa76eef28b07a9e |
| SHA512 | 1f53f739c5cd8ff3ebd197081d1f6a9e3b29458c2ad5ffa767342aebaed812eaa2546ee1977ed544980acb27fb0178eb1acbff857ccc24ddae6bb734f0aefe57 |
C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe
| MD5 | c23d62c9166ae248fe9fe078328182f9 |
| SHA1 | ce684054121205b1cd7befc016644680fd5b29d5 |
| SHA256 | 90fd1a34bfc130e0d23555bf7f57a4e7d1cd49ae035b29c02aa76eef28b07a9e |
| SHA512 | 1f53f739c5cd8ff3ebd197081d1f6a9e3b29458c2ad5ffa767342aebaed812eaa2546ee1977ed544980acb27fb0178eb1acbff857ccc24ddae6bb734f0aefe57 |
\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe
| MD5 | c23d62c9166ae248fe9fe078328182f9 |
| SHA1 | ce684054121205b1cd7befc016644680fd5b29d5 |
| SHA256 | 90fd1a34bfc130e0d23555bf7f57a4e7d1cd49ae035b29c02aa76eef28b07a9e |
| SHA512 | 1f53f739c5cd8ff3ebd197081d1f6a9e3b29458c2ad5ffa767342aebaed812eaa2546ee1977ed544980acb27fb0178eb1acbff857ccc24ddae6bb734f0aefe57 |
C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe
| MD5 | c23d62c9166ae248fe9fe078328182f9 |
| SHA1 | ce684054121205b1cd7befc016644680fd5b29d5 |
| SHA256 | 90fd1a34bfc130e0d23555bf7f57a4e7d1cd49ae035b29c02aa76eef28b07a9e |
| SHA512 | 1f53f739c5cd8ff3ebd197081d1f6a9e3b29458c2ad5ffa767342aebaed812eaa2546ee1977ed544980acb27fb0178eb1acbff857ccc24ddae6bb734f0aefe57 |
C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe
| MD5 | c23d62c9166ae248fe9fe078328182f9 |
| SHA1 | ce684054121205b1cd7befc016644680fd5b29d5 |
| SHA256 | 90fd1a34bfc130e0d23555bf7f57a4e7d1cd49ae035b29c02aa76eef28b07a9e |
| SHA512 | 1f53f739c5cd8ff3ebd197081d1f6a9e3b29458c2ad5ffa767342aebaed812eaa2546ee1977ed544980acb27fb0178eb1acbff857ccc24ddae6bb734f0aefe57 |
C:\Users\Admin\AppData\Local\Temp\430344531370
| MD5 | 3fc68dc3ec5acbfd35646aa2644ae98e |
| SHA1 | 30056771d952b69cfdcd8fbd14d4528d6e0b5964 |
| SHA256 | 1f3456dfeb1893bba52b6e088a0c9b807ab568a69fb4e33a56782c2aee9ce3ce |
| SHA512 | f70eed1ce6da0e705c3e56dca70403e167aefadb6b3a68ad41979423bb0d220b01ef8ba04e39d379d031b544b0d90d625c1ee66f2f9dfc590c13c7b95d1f0228 |
C:\Users\Admin\AppData\Roaming\1000020050\rundll32.exe
| MD5 | 1d81057710dc737ffee88f7f8b0ef90c |
| SHA1 | 8a13b1fe68d5010e5e9b14719a279c4037d7c446 |
| SHA256 | c16037f4aa5a4e8405ee97b1fe2fdc84213a7a4b908ce64e8fe23f5c2a123abc |
| SHA512 | a5a1e06c2d4bcdd1eb12a57dc32c95bf0ea97af409ef6d756ace4e796ffd5bc8c14501bd49f74a5b840fedb6e66f4e4db8c6f887117f6e1037f5f5bd262edd49 |
memory/1136-106-0x00000000092E0000-0x0000000009320000-memory.dmp
\Users\Admin\AppData\Roaming\1000020050\rundll32.exe
| MD5 | 1d81057710dc737ffee88f7f8b0ef90c |
| SHA1 | 8a13b1fe68d5010e5e9b14719a279c4037d7c446 |
| SHA256 | c16037f4aa5a4e8405ee97b1fe2fdc84213a7a4b908ce64e8fe23f5c2a123abc |
| SHA512 | a5a1e06c2d4bcdd1eb12a57dc32c95bf0ea97af409ef6d756ace4e796ffd5bc8c14501bd49f74a5b840fedb6e66f4e4db8c6f887117f6e1037f5f5bd262edd49 |
C:\Users\Admin\AppData\Roaming\1000020050\rundll32.exe
| MD5 | 1d81057710dc737ffee88f7f8b0ef90c |
| SHA1 | 8a13b1fe68d5010e5e9b14719a279c4037d7c446 |
| SHA256 | c16037f4aa5a4e8405ee97b1fe2fdc84213a7a4b908ce64e8fe23f5c2a123abc |
| SHA512 | a5a1e06c2d4bcdd1eb12a57dc32c95bf0ea97af409ef6d756ace4e796ffd5bc8c14501bd49f74a5b840fedb6e66f4e4db8c6f887117f6e1037f5f5bd262edd49 |
C:\Users\Admin\AppData\Roaming\1000020050\rundll32.exe
| MD5 | 1d81057710dc737ffee88f7f8b0ef90c |
| SHA1 | 8a13b1fe68d5010e5e9b14719a279c4037d7c446 |
| SHA256 | c16037f4aa5a4e8405ee97b1fe2fdc84213a7a4b908ce64e8fe23f5c2a123abc |
| SHA512 | a5a1e06c2d4bcdd1eb12a57dc32c95bf0ea97af409ef6d756ace4e796ffd5bc8c14501bd49f74a5b840fedb6e66f4e4db8c6f887117f6e1037f5f5bd262edd49 |
memory/1700-113-0x0000000000080000-0x00000000000C0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000021061\sc64.dll
| MD5 | 4c09e8e3a1d837f125ea9f9c0c2c5380 |
| SHA1 | 0221f489cdef441afad424b5954d07b432d0b8e8 |
| SHA256 | 44d91bcc9c29ea92d933095d707a0040e39b08d1c52099014d58eceecbbe3ace |
| SHA512 | d4d80d2e0280e675ab86862b975dea298facc19f2e51533ab257ef2003a33a3fc60b0b0cc6c73059657f3599420cd0df8976278c47614641362c4832c40736d0 |
C:\Users\Admin\AppData\Local\Temp\1000021061\sc64.dll
| MD5 | 4c09e8e3a1d837f125ea9f9c0c2c5380 |
| SHA1 | 0221f489cdef441afad424b5954d07b432d0b8e8 |
| SHA256 | 44d91bcc9c29ea92d933095d707a0040e39b08d1c52099014d58eceecbbe3ace |
| SHA512 | d4d80d2e0280e675ab86862b975dea298facc19f2e51533ab257ef2003a33a3fc60b0b0cc6c73059657f3599420cd0df8976278c47614641362c4832c40736d0 |
\Users\Admin\AppData\Local\Temp\1000021061\sc64.dll
| MD5 | 4c09e8e3a1d837f125ea9f9c0c2c5380 |
| SHA1 | 0221f489cdef441afad424b5954d07b432d0b8e8 |
| SHA256 | 44d91bcc9c29ea92d933095d707a0040e39b08d1c52099014d58eceecbbe3ace |
| SHA512 | d4d80d2e0280e675ab86862b975dea298facc19f2e51533ab257ef2003a33a3fc60b0b0cc6c73059657f3599420cd0df8976278c47614641362c4832c40736d0 |
\Users\Admin\AppData\Local\Temp\1000021061\sc64.dll
| MD5 | 4c09e8e3a1d837f125ea9f9c0c2c5380 |
| SHA1 | 0221f489cdef441afad424b5954d07b432d0b8e8 |
| SHA256 | 44d91bcc9c29ea92d933095d707a0040e39b08d1c52099014d58eceecbbe3ace |
| SHA512 | d4d80d2e0280e675ab86862b975dea298facc19f2e51533ab257ef2003a33a3fc60b0b0cc6c73059657f3599420cd0df8976278c47614641362c4832c40736d0 |
\Users\Admin\AppData\Local\Temp\1000021061\sc64.dll
| MD5 | 4c09e8e3a1d837f125ea9f9c0c2c5380 |
| SHA1 | 0221f489cdef441afad424b5954d07b432d0b8e8 |
| SHA256 | 44d91bcc9c29ea92d933095d707a0040e39b08d1c52099014d58eceecbbe3ace |
| SHA512 | d4d80d2e0280e675ab86862b975dea298facc19f2e51533ab257ef2003a33a3fc60b0b0cc6c73059657f3599420cd0df8976278c47614641362c4832c40736d0 |
\Users\Admin\AppData\Local\Temp\1000021061\sc64.dll
| MD5 | 4c09e8e3a1d837f125ea9f9c0c2c5380 |
| SHA1 | 0221f489cdef441afad424b5954d07b432d0b8e8 |
| SHA256 | 44d91bcc9c29ea92d933095d707a0040e39b08d1c52099014d58eceecbbe3ace |
| SHA512 | d4d80d2e0280e675ab86862b975dea298facc19f2e51533ab257ef2003a33a3fc60b0b0cc6c73059657f3599420cd0df8976278c47614641362c4832c40736d0 |
\Users\Admin\AppData\Local\Temp\1000021061\sc64.dll
| MD5 | 4c09e8e3a1d837f125ea9f9c0c2c5380 |
| SHA1 | 0221f489cdef441afad424b5954d07b432d0b8e8 |
| SHA256 | 44d91bcc9c29ea92d933095d707a0040e39b08d1c52099014d58eceecbbe3ace |
| SHA512 | d4d80d2e0280e675ab86862b975dea298facc19f2e51533ab257ef2003a33a3fc60b0b0cc6c73059657f3599420cd0df8976278c47614641362c4832c40736d0 |
\Users\Admin\AppData\Local\Temp\1000021061\sc64.dll
| MD5 | 4c09e8e3a1d837f125ea9f9c0c2c5380 |
| SHA1 | 0221f489cdef441afad424b5954d07b432d0b8e8 |
| SHA256 | 44d91bcc9c29ea92d933095d707a0040e39b08d1c52099014d58eceecbbe3ace |
| SHA512 | d4d80d2e0280e675ab86862b975dea298facc19f2e51533ab257ef2003a33a3fc60b0b0cc6c73059657f3599420cd0df8976278c47614641362c4832c40736d0 |
\Users\Admin\AppData\Local\Temp\1000021061\sc64.dll
| MD5 | 4c09e8e3a1d837f125ea9f9c0c2c5380 |
| SHA1 | 0221f489cdef441afad424b5954d07b432d0b8e8 |
| SHA256 | 44d91bcc9c29ea92d933095d707a0040e39b08d1c52099014d58eceecbbe3ace |
| SHA512 | d4d80d2e0280e675ab86862b975dea298facc19f2e51533ab257ef2003a33a3fc60b0b0cc6c73059657f3599420cd0df8976278c47614641362c4832c40736d0 |
\Users\Admin\AppData\Local\Temp\1000021061\sc64.dll
| MD5 | 4c09e8e3a1d837f125ea9f9c0c2c5380 |
| SHA1 | 0221f489cdef441afad424b5954d07b432d0b8e8 |
| SHA256 | 44d91bcc9c29ea92d933095d707a0040e39b08d1c52099014d58eceecbbe3ace |
| SHA512 | d4d80d2e0280e675ab86862b975dea298facc19f2e51533ab257ef2003a33a3fc60b0b0cc6c73059657f3599420cd0df8976278c47614641362c4832c40736d0 |
C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe
| MD5 | c23d62c9166ae248fe9fe078328182f9 |
| SHA1 | ce684054121205b1cd7befc016644680fd5b29d5 |
| SHA256 | 90fd1a34bfc130e0d23555bf7f57a4e7d1cd49ae035b29c02aa76eef28b07a9e |
| SHA512 | 1f53f739c5cd8ff3ebd197081d1f6a9e3b29458c2ad5ffa767342aebaed812eaa2546ee1977ed544980acb27fb0178eb1acbff857ccc24ddae6bb734f0aefe57 |
C:\Users\Admin\AppData\Roaming\d3ed71f752c04f\cred64.dll
| MD5 | 1b7c22a214949975556626d7217e9a39 |
| SHA1 | d01c97e2944166ed23e47e4a62ff471ab8fa031f |
| SHA256 | 340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87 |
| SHA512 | ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5 |
C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe
| MD5 | c23d62c9166ae248fe9fe078328182f9 |
| SHA1 | ce684054121205b1cd7befc016644680fd5b29d5 |
| SHA256 | 90fd1a34bfc130e0d23555bf7f57a4e7d1cd49ae035b29c02aa76eef28b07a9e |
| SHA512 | 1f53f739c5cd8ff3ebd197081d1f6a9e3b29458c2ad5ffa767342aebaed812eaa2546ee1977ed544980acb27fb0178eb1acbff857ccc24ddae6bb734f0aefe57 |
memory/1700-151-0x0000000006E90000-0x0000000006ED0000-memory.dmp
memory/1700-152-0x0000000006E90000-0x0000000006ED0000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-05-02 10:35
Reported
2023-05-02 10:37
Platform
win10v2004-20230220-en
Max time kernel
135s
Max time network
153s
Command Line
Signatures
Amadey
SystemBC
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Downloads MZ/PE file
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\LBnHfOPmk.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\LBnHfOPmk.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\1000020050\rundll32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rundll32.exe = "C:\\Users\\Admin\\AppData\\Roaming\\1000020050\\rundll32.exe" | C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sc64.dll = "rundll32 C:\\Users\\Admin\\AppData\\Local\\Temp\\1000021061\\sc64.dll, rundll" | C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c80864ec4f40c15a4589d19a1e6cd3ca.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c80864ec4f40c15a4589d19a1e6cd3ca.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\c80864ec4f40c15a4589d19a1e6cd3ca.exe |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\c80864ec4f40c15a4589d19a1e6cd3ca.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\LBnHfOPmk.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\c80864ec4f40c15a4589d19a1e6cd3ca.exe
"C:\Users\Admin\AppData\Local\Temp\c80864ec4f40c15a4589d19a1e6cd3ca.exe"
C:\Users\Admin\AppData\Local\Temp\LBnHfOPmk.exe
"C:\Users\Admin\AppData\Local\Temp\LBnHfOPmk.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3196 -ip 3196
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3196 -s 1848
C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe
"C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe" /F
C:\Users\Admin\AppData\Roaming\1000020050\rundll32.exe
"C:\Users\Admin\AppData\Roaming\1000020050\rundll32.exe"
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\1000021061\sc64.dll, rundll
C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\1000021061\sc64.dll, rundll
C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.103.197.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | nftday.art | udp |
| US | 172.67.151.248:443 | nftday.art | tcp |
| US | 8.8.8.8:53 | 248.151.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 84.150.43.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tadogem.com | udp |
| US | 172.67.183.249:80 | tadogem.com | tcp |
| US | 172.67.183.249:80 | tadogem.com | tcp |
| US | 172.67.151.248:443 | nftday.art | tcp |
| US | 8.8.8.8:53 | 249.183.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 35.36.251.142.in-addr.arpa | udp |
| US | 52.152.110.14:443 | tcp | |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| FI | 65.21.119.52:4277 | tcp | |
| US | 8.8.8.8:53 | 52.119.21.65.in-addr.arpa | udp |
| US | 52.152.110.14:443 | tcp | |
| US | 52.152.110.14:443 | tcp | |
| US | 52.152.110.14:443 | tcp | |
| US | 52.152.110.14:443 | tcp | |
| US | 8.8.8.8:53 | 63.13.109.52.in-addr.arpa | udp |
| US | 52.152.110.14:443 | tcp | |
| US | 52.152.110.14:443 | tcp | |
| US | 52.152.110.14:443 | tcp | |
| US | 52.152.110.14:443 | tcp | |
| US | 209.197.3.8:80 | tcp | |
| US | 52.152.110.14:443 | tcp | |
| US | 52.152.110.14:443 | tcp | |
| US | 52.152.110.14:443 | tcp | |
| US | 52.152.110.14:443 | tcp |
Files
memory/3196-133-0x0000000000280000-0x0000000000314000-memory.dmp
memory/3196-134-0x00000000026D0000-0x00000000026D1000-memory.dmp
memory/3196-135-0x0000000009250000-0x0000000009260000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\LBnHfOPmk.exe
| MD5 | c23d62c9166ae248fe9fe078328182f9 |
| SHA1 | ce684054121205b1cd7befc016644680fd5b29d5 |
| SHA256 | 90fd1a34bfc130e0d23555bf7f57a4e7d1cd49ae035b29c02aa76eef28b07a9e |
| SHA512 | 1f53f739c5cd8ff3ebd197081d1f6a9e3b29458c2ad5ffa767342aebaed812eaa2546ee1977ed544980acb27fb0178eb1acbff857ccc24ddae6bb734f0aefe57 |
C:\Users\Admin\AppData\Local\Temp\LBnHfOPmk.exe
| MD5 | c23d62c9166ae248fe9fe078328182f9 |
| SHA1 | ce684054121205b1cd7befc016644680fd5b29d5 |
| SHA256 | 90fd1a34bfc130e0d23555bf7f57a4e7d1cd49ae035b29c02aa76eef28b07a9e |
| SHA512 | 1f53f739c5cd8ff3ebd197081d1f6a9e3b29458c2ad5ffa767342aebaed812eaa2546ee1977ed544980acb27fb0178eb1acbff857ccc24ddae6bb734f0aefe57 |
C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe
| MD5 | c23d62c9166ae248fe9fe078328182f9 |
| SHA1 | ce684054121205b1cd7befc016644680fd5b29d5 |
| SHA256 | 90fd1a34bfc130e0d23555bf7f57a4e7d1cd49ae035b29c02aa76eef28b07a9e |
| SHA512 | 1f53f739c5cd8ff3ebd197081d1f6a9e3b29458c2ad5ffa767342aebaed812eaa2546ee1977ed544980acb27fb0178eb1acbff857ccc24ddae6bb734f0aefe57 |
C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe
| MD5 | c23d62c9166ae248fe9fe078328182f9 |
| SHA1 | ce684054121205b1cd7befc016644680fd5b29d5 |
| SHA256 | 90fd1a34bfc130e0d23555bf7f57a4e7d1cd49ae035b29c02aa76eef28b07a9e |
| SHA512 | 1f53f739c5cd8ff3ebd197081d1f6a9e3b29458c2ad5ffa767342aebaed812eaa2546ee1977ed544980acb27fb0178eb1acbff857ccc24ddae6bb734f0aefe57 |
C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe
| MD5 | c23d62c9166ae248fe9fe078328182f9 |
| SHA1 | ce684054121205b1cd7befc016644680fd5b29d5 |
| SHA256 | 90fd1a34bfc130e0d23555bf7f57a4e7d1cd49ae035b29c02aa76eef28b07a9e |
| SHA512 | 1f53f739c5cd8ff3ebd197081d1f6a9e3b29458c2ad5ffa767342aebaed812eaa2546ee1977ed544980acb27fb0178eb1acbff857ccc24ddae6bb734f0aefe57 |
C:\Users\Admin\AppData\Roaming\1000020050\rundll32.exe
| MD5 | 1d81057710dc737ffee88f7f8b0ef90c |
| SHA1 | 8a13b1fe68d5010e5e9b14719a279c4037d7c446 |
| SHA256 | c16037f4aa5a4e8405ee97b1fe2fdc84213a7a4b908ce64e8fe23f5c2a123abc |
| SHA512 | a5a1e06c2d4bcdd1eb12a57dc32c95bf0ea97af409ef6d756ace4e796ffd5bc8c14501bd49f74a5b840fedb6e66f4e4db8c6f887117f6e1037f5f5bd262edd49 |
C:\Users\Admin\AppData\Roaming\1000020050\rundll32.exe
| MD5 | 1d81057710dc737ffee88f7f8b0ef90c |
| SHA1 | 8a13b1fe68d5010e5e9b14719a279c4037d7c446 |
| SHA256 | c16037f4aa5a4e8405ee97b1fe2fdc84213a7a4b908ce64e8fe23f5c2a123abc |
| SHA512 | a5a1e06c2d4bcdd1eb12a57dc32c95bf0ea97af409ef6d756ace4e796ffd5bc8c14501bd49f74a5b840fedb6e66f4e4db8c6f887117f6e1037f5f5bd262edd49 |
C:\Users\Admin\AppData\Roaming\1000020050\rundll32.exe
| MD5 | 1d81057710dc737ffee88f7f8b0ef90c |
| SHA1 | 8a13b1fe68d5010e5e9b14719a279c4037d7c446 |
| SHA256 | c16037f4aa5a4e8405ee97b1fe2fdc84213a7a4b908ce64e8fe23f5c2a123abc |
| SHA512 | a5a1e06c2d4bcdd1eb12a57dc32c95bf0ea97af409ef6d756ace4e796ffd5bc8c14501bd49f74a5b840fedb6e66f4e4db8c6f887117f6e1037f5f5bd262edd49 |
memory/3544-181-0x0000000000A60000-0x0000000000AA0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000021061\sc64.dll
| MD5 | 4c09e8e3a1d837f125ea9f9c0c2c5380 |
| SHA1 | 0221f489cdef441afad424b5954d07b432d0b8e8 |
| SHA256 | 44d91bcc9c29ea92d933095d707a0040e39b08d1c52099014d58eceecbbe3ace |
| SHA512 | d4d80d2e0280e675ab86862b975dea298facc19f2e51533ab257ef2003a33a3fc60b0b0cc6c73059657f3599420cd0df8976278c47614641362c4832c40736d0 |
C:\Users\Admin\AppData\Local\Temp\1000021061\sc64.dll
| MD5 | 4c09e8e3a1d837f125ea9f9c0c2c5380 |
| SHA1 | 0221f489cdef441afad424b5954d07b432d0b8e8 |
| SHA256 | 44d91bcc9c29ea92d933095d707a0040e39b08d1c52099014d58eceecbbe3ace |
| SHA512 | d4d80d2e0280e675ab86862b975dea298facc19f2e51533ab257ef2003a33a3fc60b0b0cc6c73059657f3599420cd0df8976278c47614641362c4832c40736d0 |
C:\Users\Admin\AppData\Local\Temp\1000021061\sc64.dll
| MD5 | 4c09e8e3a1d837f125ea9f9c0c2c5380 |
| SHA1 | 0221f489cdef441afad424b5954d07b432d0b8e8 |
| SHA256 | 44d91bcc9c29ea92d933095d707a0040e39b08d1c52099014d58eceecbbe3ace |
| SHA512 | d4d80d2e0280e675ab86862b975dea298facc19f2e51533ab257ef2003a33a3fc60b0b0cc6c73059657f3599420cd0df8976278c47614641362c4832c40736d0 |
C:\Users\Admin\AppData\Local\Temp\1000021061\sc64.dll
| MD5 | 4c09e8e3a1d837f125ea9f9c0c2c5380 |
| SHA1 | 0221f489cdef441afad424b5954d07b432d0b8e8 |
| SHA256 | 44d91bcc9c29ea92d933095d707a0040e39b08d1c52099014d58eceecbbe3ace |
| SHA512 | d4d80d2e0280e675ab86862b975dea298facc19f2e51533ab257ef2003a33a3fc60b0b0cc6c73059657f3599420cd0df8976278c47614641362c4832c40736d0 |
C:\Users\Admin\AppData\Local\Temp\443549032550
| MD5 | f9a17c8e93eb0838490e4c81a2d074a4 |
| SHA1 | 5d0dabbc2a7b6a2d5fbe9ef6318f90827d8e17d1 |
| SHA256 | 1e17ebce9ba3bb2a24b78d15f09141da98b7666aa7b31481595e9721e17a9e14 |
| SHA512 | 7c04660b27dd35eceac2a9ab0f7b080802036a61fde403350b7be3a73938b935d1f4b22a4e0b10b2b6d1cb3014f4a9091540af991fd038581ecc4d3bb4950e62 |
C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe
| MD5 | c23d62c9166ae248fe9fe078328182f9 |
| SHA1 | ce684054121205b1cd7befc016644680fd5b29d5 |
| SHA256 | 90fd1a34bfc130e0d23555bf7f57a4e7d1cd49ae035b29c02aa76eef28b07a9e |
| SHA512 | 1f53f739c5cd8ff3ebd197081d1f6a9e3b29458c2ad5ffa767342aebaed812eaa2546ee1977ed544980acb27fb0178eb1acbff857ccc24ddae6bb734f0aefe57 |
C:\Users\Admin\AppData\Roaming\d3ed71f752c04f\cred64.dll
| MD5 | 1b7c22a214949975556626d7217e9a39 |
| SHA1 | d01c97e2944166ed23e47e4a62ff471ab8fa031f |
| SHA256 | 340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87 |
| SHA512 | ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5 |
memory/3544-217-0x0000000009E00000-0x000000000A3A4000-memory.dmp
memory/3544-218-0x0000000005410000-0x00000000054A2000-memory.dmp
memory/3544-219-0x0000000009840000-0x0000000009850000-memory.dmp
memory/3544-220-0x0000000009840000-0x0000000009850000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe
| MD5 | c23d62c9166ae248fe9fe078328182f9 |
| SHA1 | ce684054121205b1cd7befc016644680fd5b29d5 |
| SHA256 | 90fd1a34bfc130e0d23555bf7f57a4e7d1cd49ae035b29c02aa76eef28b07a9e |
| SHA512 | 1f53f739c5cd8ff3ebd197081d1f6a9e3b29458c2ad5ffa767342aebaed812eaa2546ee1977ed544980acb27fb0178eb1acbff857ccc24ddae6bb734f0aefe57 |