redline | c3b726c31b8ce90b906ffa18d439103b1eeaf15ef2e108769e56ddfba15cd211

Analysis

max time kernel
146s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
03/05/2023, 22:12

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

c3b726c31b8ce90b906ffa18d439103b1eeaf15ef2e108769e56ddfba15cd211.exe
Size

565KB
MD5

8d9e8c09c47a1c6f37e6a1da04f464d3
SHA1

d43233a2aa1a42043b25f2e6059a21fb83040087
SHA256

c3b726c31b8ce90b906ffa18d439103b1eeaf15ef2e108769e56ddfba15cd211
SHA512

9f64423b92d795dfdc98dcbf71fd88da066e23571ecebc6ea35e77cd6fabbb0da4a58c9447c71c500d3842e783dc675aa07a7241f2ea93a0207588dc51ce064b
SSDEEP

12288:BMrny90vV0sYHAgFHozo4TRwD1x0km1hGyjN0WF4:GyU0sQAuozofU13Gyp0WF4

Score

10^/10

redline darm discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

darm

217.196.96.56:4138

Attributes

auth_value
d88ac8ccc04ab9979b04b46313db1648

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	l0249756.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	l0249756.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	l0249756.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	l0249756.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	l0249756.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	l0249756.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	m4188515.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	oneetx.exe

Executes dropped EXE 6 IoCs

pid	Process
892	y4480294.exe
2652	k9233319.exe
3768	l0249756.exe
4348	m4188515.exe
2020	oneetx.exe
4968	oneetx.exe

Loads dropped DLL 1 IoCs

pid	Process
2632	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	l0249756.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	l0249756.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	c3b726c31b8ce90b906ffa18d439103b1eeaf15ef2e108769e56ddfba15cd211.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y4480294.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y4480294.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	c3b726c31b8ce90b906ffa18d439103b1eeaf15ef2e108769e56ddfba15cd211.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 30 IoCs

pid	pid_target	Process	procid_target
3788	4348	WerFault.exe	92
432	4348	WerFault.exe	92
4328	4348	WerFault.exe	92
528	4348	WerFault.exe	92
4244	4348	WerFault.exe	92
3060	4348	WerFault.exe	92
4416	4348	WerFault.exe	92
1432	4348	WerFault.exe	92
3956	4348	WerFault.exe	92
4072	4348	WerFault.exe	92
3988	4348	WerFault.exe	92
4292	2020	WerFault.exe	116
3780	2020	WerFault.exe	116
4984	2020	WerFault.exe	116
1012	2020	WerFault.exe	116
2288	2020	WerFault.exe	116
1304	2020	WerFault.exe	116
2184	2020	WerFault.exe	116
4188	2020	WerFault.exe	116
4424	2020	WerFault.exe	116
2680	2020	WerFault.exe	116
1656	2020	WerFault.exe	116
1740	2020	WerFault.exe	116
4304	2020	WerFault.exe	116
452	2020	WerFault.exe	116
4308	2020	WerFault.exe	116
3380	2020	WerFault.exe	116
4996	2020	WerFault.exe	116
5032	4968	WerFault.exe	164
2736	2020	WerFault.exe	116

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
3596	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2652	k9233319.exe
2652	k9233319.exe
3768	l0249756.exe
3768	l0249756.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2652	k9233319.exe
Token: SeDebugPrivilege	3768	l0249756.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4348	m4188515.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 5036 wrote to memory of 892	5036	c3b726c31b8ce90b906ffa18d439103b1eeaf15ef2e108769e56ddfba15cd211.exe	83
PID 5036 wrote to memory of 892	5036	c3b726c31b8ce90b906ffa18d439103b1eeaf15ef2e108769e56ddfba15cd211.exe	83
PID 5036 wrote to memory of 892	5036	c3b726c31b8ce90b906ffa18d439103b1eeaf15ef2e108769e56ddfba15cd211.exe	83
PID 892 wrote to memory of 2652	892	y4480294.exe	84
PID 892 wrote to memory of 2652	892	y4480294.exe	84
PID 892 wrote to memory of 2652	892	y4480294.exe	84
PID 892 wrote to memory of 3768	892	y4480294.exe	87
PID 892 wrote to memory of 3768	892	y4480294.exe	87
PID 892 wrote to memory of 3768	892	y4480294.exe	87
PID 5036 wrote to memory of 4348	5036	c3b726c31b8ce90b906ffa18d439103b1eeaf15ef2e108769e56ddfba15cd211.exe	92
PID 5036 wrote to memory of 4348	5036	c3b726c31b8ce90b906ffa18d439103b1eeaf15ef2e108769e56ddfba15cd211.exe	92
PID 5036 wrote to memory of 4348	5036	c3b726c31b8ce90b906ffa18d439103b1eeaf15ef2e108769e56ddfba15cd211.exe	92
PID 4348 wrote to memory of 2020	4348	m4188515.exe	116
PID 4348 wrote to memory of 2020	4348	m4188515.exe	116
PID 4348 wrote to memory of 2020	4348	m4188515.exe	116
PID 2020 wrote to memory of 3596	2020	oneetx.exe	133
PID 2020 wrote to memory of 3596	2020	oneetx.exe	133
PID 2020 wrote to memory of 3596	2020	oneetx.exe	133
PID 2020 wrote to memory of 2144	2020	oneetx.exe	139
PID 2020 wrote to memory of 2144	2020	oneetx.exe	139
PID 2020 wrote to memory of 2144	2020	oneetx.exe	139
PID 2144 wrote to memory of 4892	2144	cmd.exe	142
PID 2144 wrote to memory of 4892	2144	cmd.exe	142
PID 2144 wrote to memory of 4892	2144	cmd.exe	142
PID 2144 wrote to memory of 1800	2144	cmd.exe	143
PID 2144 wrote to memory of 1800	2144	cmd.exe	143
PID 2144 wrote to memory of 1800	2144	cmd.exe	143
PID 2144 wrote to memory of 4688	2144	cmd.exe	145
PID 2144 wrote to memory of 4688	2144	cmd.exe	145
PID 2144 wrote to memory of 4688	2144	cmd.exe	145
PID 2144 wrote to memory of 4736	2144	cmd.exe	146
PID 2144 wrote to memory of 4736	2144	cmd.exe	146
PID 2144 wrote to memory of 4736	2144	cmd.exe	146
PID 2144 wrote to memory of 2312	2144	cmd.exe	147
PID 2144 wrote to memory of 2312	2144	cmd.exe	147
PID 2144 wrote to memory of 2312	2144	cmd.exe	147
PID 2144 wrote to memory of 4368	2144	cmd.exe	148
PID 2144 wrote to memory of 4368	2144	cmd.exe	148
PID 2144 wrote to memory of 4368	2144	cmd.exe	148
PID 2020 wrote to memory of 2632	2020	oneetx.exe	161
PID 2020 wrote to memory of 2632	2020	oneetx.exe	161
PID 2020 wrote to memory of 2632	2020	oneetx.exe	161

C:\Users\Admin\AppData\Local\Temp\c3b726c31b8ce90b906ffa18d439103b1eeaf15ef2e108769e56ddfba15cd211.exe
"C:\Users\Admin\AppData\Local\Temp\c3b726c31b8ce90b906ffa18d439103b1eeaf15ef2e108769e56ddfba15cd211.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5036
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4480294.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4480294.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:892
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k9233319.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k9233319.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2652
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l0249756.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l0249756.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3768
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\m4188515.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\m4188515.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4348
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4348 -s 696
    3⤵
    - Program crash
    PID:3788
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4348 -s 780
    3⤵
    - Program crash
    PID:432
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4348 -s 812
    3⤵
    - Program crash
    PID:4328
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4348 -s 960
    3⤵
    - Program crash
    PID:528
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4348 -s 960
    3⤵
    - Program crash
    PID:4244
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4348 -s 960
    3⤵
    - Program crash
    PID:3060
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4348 -s 1220
    3⤵
    - Program crash
    PID:4416
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4348 -s 1244
    3⤵
    - Program crash
    PID:1432
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4348 -s 1288
    3⤵
    - Program crash
    PID:3956
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4348 -s 1336
    3⤵
    - Program crash
    PID:4072
- - C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
    "C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2020
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2020 -s 692
      4⤵
      Program crash
      PID:4292
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2020 -s 884
      4⤵
      Program crash
      PID:3780
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2020 -s 948
      4⤵
      Program crash
      PID:4984
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2020 -s 956
      4⤵
      Program crash
      PID:1012
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2020 -s 1096
      4⤵
      Program crash
      PID:2288
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2020 -s 1096
      4⤵
      Program crash
      PID:1304
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2020 -s 1120
      4⤵
      Program crash
      PID:2184
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe" /F
      4⤵
      Creates scheduled task(s)
      PID:3596
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2020 -s 772
      4⤵
      Program crash
      PID:4188
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2020 -s 768
      4⤵
      Program crash
      PID:4424
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\c3912af058" /P "Admin:N"&&CACLS "..\c3912af058" /P "Admin:R" /E&&Exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2144
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:4892
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "oneetx.exe" /P "Admin:N"
        5⤵
        
        PID:1800
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "oneetx.exe" /P "Admin:R" /E
        5⤵
        
        PID:4688
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:4736
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\c3912af058" /P "Admin:N"
        5⤵
        
        PID:2312
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\c3912af058" /P "Admin:R" /E
        5⤵
        
        PID:4368
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2020 -s 1308
      4⤵
      Program crash
      PID:2680
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2020 -s 1272
      4⤵
      Program crash
      PID:1656
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2020 -s 912
      4⤵
      Program crash
      PID:1740
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2020 -s 756
      4⤵
      Program crash
      PID:4304
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2020 -s 1536
      4⤵
      Program crash
      PID:452
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2020 -s 1160
      4⤵
      Program crash
      PID:4308
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2020 -s 1660
      4⤵
      Program crash
      PID:3380
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
      4⤵
      Loads dropped DLL
      PID:2632
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2020 -s 1080
      4⤵
      Program crash
      PID:4996
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2020 -s 1676
      4⤵
      Program crash
      PID:2736
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4348 -s 1360
    3⤵
    - Program crash
    PID:3988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4348 -ip 4348
1⤵
PID:2884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4348 -ip 4348
1⤵
PID:4308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4348 -ip 4348
1⤵
PID:3912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4348 -ip 4348
1⤵
PID:4176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 4348 -ip 4348
1⤵
PID:3380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4348 -ip 4348
1⤵
PID:5068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 4348 -ip 4348
1⤵
PID:4968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 4348 -ip 4348
1⤵
PID:2720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4348 -ip 4348
1⤵
PID:1308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4348 -ip 4348
1⤵
PID:4048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 4348 -ip 4348
1⤵
PID:2036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 2020 -ip 2020
1⤵
PID:4156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 2020 -ip 2020
1⤵
PID:1256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2020 -ip 2020
1⤵
PID:3232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 2020 -ip 2020
1⤵
PID:3864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 2020 -ip 2020
1⤵
PID:3088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 2020 -ip 2020
1⤵
PID:1712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2020 -ip 2020
1⤵
PID:1420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 2020 -ip 2020
1⤵
PID:1480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 2020 -ip 2020
1⤵
PID:2092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 2020 -ip 2020
1⤵
PID:4988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 2020 -ip 2020
1⤵
PID:2412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 2020 -ip 2020
1⤵
PID:2308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2020 -ip 2020
1⤵
PID:1180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 2020 -ip 2020
1⤵
PID:2004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 2020 -ip 2020
1⤵
PID:444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 2020 -ip 2020
1⤵
PID:2152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 2020 -ip 2020
1⤵
PID:4360

C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
1⤵
- Executes dropped EXE
PID:4968
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4968 -s 316
  2⤵
  - Program crash
  PID:5032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4968 -ip 4968
1⤵
PID:1272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 2020 -ip 2020
1⤵
PID:3904

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\m4188515.exe

Filesize
268KB

MD5
82dc13f5729b1bf5657ae3be81e7e257

SHA1
d820d59fb0a7b9187c191ae62dbb7ba3f486e8fb

SHA256
b3cc5984b5421f8c27ef33bb4f19f688644328024c324e8f83720bd30cc7453a

SHA512
94ec78b9fe1b85c48a6d38249964fbaa61016b6bba66014580a49dc3e9450bf46ddd8711d52b216119cd9a8686accc7c5d587ef997fed3e59d8c2df64377c74a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\m4188515.exe

Filesize
268KB

MD5
82dc13f5729b1bf5657ae3be81e7e257

SHA1
d820d59fb0a7b9187c191ae62dbb7ba3f486e8fb

SHA256
b3cc5984b5421f8c27ef33bb4f19f688644328024c324e8f83720bd30cc7453a

SHA512
94ec78b9fe1b85c48a6d38249964fbaa61016b6bba66014580a49dc3e9450bf46ddd8711d52b216119cd9a8686accc7c5d587ef997fed3e59d8c2df64377c74a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4480294.exe

Filesize
307KB

MD5
4dd515edca1c8e80745e0177a3b2a1b1

SHA1
6572e7e9aa4b90d32a416bd14ccd9efa86cf0514

SHA256
574ee10d7d6e65838c6ed4bf4eb2fb97bcc2cb4f9985a0fb48980de055070d62

SHA512
bc16eff88cf23654c1297c026701176b78e4583e330ee2ddf102e1b909a6af88d352de8978948129b603e8638e5f8a765bf1e486fdf6a1d17651cfb11f621471

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4480294.exe

Filesize
307KB

MD5
4dd515edca1c8e80745e0177a3b2a1b1

SHA1
6572e7e9aa4b90d32a416bd14ccd9efa86cf0514

SHA256
574ee10d7d6e65838c6ed4bf4eb2fb97bcc2cb4f9985a0fb48980de055070d62

SHA512
bc16eff88cf23654c1297c026701176b78e4583e330ee2ddf102e1b909a6af88d352de8978948129b603e8638e5f8a765bf1e486fdf6a1d17651cfb11f621471

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k9233319.exe

Filesize
168KB

MD5
d5ed46bf2e8bcf7ea5288af451b0e143

SHA1
0f81ac64f83b9b1f8c326b0982b713eeff48c7e7

SHA256
ed94da0deb56cc31fc713be4f291ca0dbf5103142f14cc9d5a3a9851a829b1db

SHA512
021afe57a0a29ed6844d4fd1c9405f950407f5e9ca4a1be5e2717092de42a4e3912e64c45c7e59be3cc62b20620ad2d92e2dc8e4fbdb33fca2ff1a203161626c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k9233319.exe

Filesize
168KB

MD5
d5ed46bf2e8bcf7ea5288af451b0e143

SHA1
0f81ac64f83b9b1f8c326b0982b713eeff48c7e7

SHA256
ed94da0deb56cc31fc713be4f291ca0dbf5103142f14cc9d5a3a9851a829b1db

SHA512
021afe57a0a29ed6844d4fd1c9405f950407f5e9ca4a1be5e2717092de42a4e3912e64c45c7e59be3cc62b20620ad2d92e2dc8e4fbdb33fca2ff1a203161626c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l0249756.exe

Filesize
178KB

MD5
405d8fc8112d0d346a660a9ea82c1143

SHA1
635a88dcd66950bd513dda07e6342722e266e7d2

SHA256
eb0e4ed6f5610fddf77410cc9710ba399f13e6b86f9090b21dda049ac7b3db6e

SHA512
391908ab61ba71bf896eb5e28ebcb7202a060c2f2db09046ebc921a03de4ea3be58debfe319f81fc51b14469b95d45e647fddfbdf7d6f2563c78941fc2e47459

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l0249756.exe

Filesize
178KB

MD5
405d8fc8112d0d346a660a9ea82c1143

SHA1
635a88dcd66950bd513dda07e6342722e266e7d2

SHA256
eb0e4ed6f5610fddf77410cc9710ba399f13e6b86f9090b21dda049ac7b3db6e

SHA512
391908ab61ba71bf896eb5e28ebcb7202a060c2f2db09046ebc921a03de4ea3be58debfe319f81fc51b14469b95d45e647fddfbdf7d6f2563c78941fc2e47459

Download Submit
C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe

Filesize
268KB

MD5
82dc13f5729b1bf5657ae3be81e7e257

SHA1
d820d59fb0a7b9187c191ae62dbb7ba3f486e8fb

SHA256
b3cc5984b5421f8c27ef33bb4f19f688644328024c324e8f83720bd30cc7453a

SHA512
94ec78b9fe1b85c48a6d38249964fbaa61016b6bba66014580a49dc3e9450bf46ddd8711d52b216119cd9a8686accc7c5d587ef997fed3e59d8c2df64377c74a

Download Submit
C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe

Filesize
268KB

MD5
82dc13f5729b1bf5657ae3be81e7e257

SHA1
d820d59fb0a7b9187c191ae62dbb7ba3f486e8fb

SHA256
b3cc5984b5421f8c27ef33bb4f19f688644328024c324e8f83720bd30cc7453a

SHA512
94ec78b9fe1b85c48a6d38249964fbaa61016b6bba66014580a49dc3e9450bf46ddd8711d52b216119cd9a8686accc7c5d587ef997fed3e59d8c2df64377c74a

Download Submit
C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe

Filesize
268KB

MD5
82dc13f5729b1bf5657ae3be81e7e257

SHA1
d820d59fb0a7b9187c191ae62dbb7ba3f486e8fb

SHA256
b3cc5984b5421f8c27ef33bb4f19f688644328024c324e8f83720bd30cc7453a

SHA512
94ec78b9fe1b85c48a6d38249964fbaa61016b6bba66014580a49dc3e9450bf46ddd8711d52b216119cd9a8686accc7c5d587ef997fed3e59d8c2df64377c74a

Download Submit
C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe

Filesize
268KB

MD5
82dc13f5729b1bf5657ae3be81e7e257

SHA1
d820d59fb0a7b9187c191ae62dbb7ba3f486e8fb

SHA256
b3cc5984b5421f8c27ef33bb4f19f688644328024c324e8f83720bd30cc7453a

SHA512
94ec78b9fe1b85c48a6d38249964fbaa61016b6bba66014580a49dc3e9450bf46ddd8711d52b216119cd9a8686accc7c5d587ef997fed3e59d8c2df64377c74a

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
8451a2c5daa42b25333b1b2089c5ea39

SHA1
700cc99ec8d3113435e657070d2d6bde0a833adc

SHA256
b8c8aedd84c363853db934a55087a3b730cf9dc758dea3dc3a98f54217f4c9d0

SHA512
6d2bad0e6ec7852d7b6d1a70a10285db28c06c37252503e01c52458a463582d5211b7e183ae064a36b60f990971a5b14f8af3aaaacc4226be1c2e3e0bf38af53

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
8451a2c5daa42b25333b1b2089c5ea39

SHA1
700cc99ec8d3113435e657070d2d6bde0a833adc

SHA256
b8c8aedd84c363853db934a55087a3b730cf9dc758dea3dc3a98f54217f4c9d0

SHA512
6d2bad0e6ec7852d7b6d1a70a10285db28c06c37252503e01c52458a463582d5211b7e183ae064a36b60f990971a5b14f8af3aaaacc4226be1c2e3e0bf38af53

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
8451a2c5daa42b25333b1b2089c5ea39

SHA1
700cc99ec8d3113435e657070d2d6bde0a833adc

SHA256
b8c8aedd84c363853db934a55087a3b730cf9dc758dea3dc3a98f54217f4c9d0

SHA512
6d2bad0e6ec7852d7b6d1a70a10285db28c06c37252503e01c52458a463582d5211b7e183ae064a36b60f990971a5b14f8af3aaaacc4226be1c2e3e0bf38af53

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
memory/2020-245-0x0000000000400000-0x00000000006C4000-memory.dmp

Filesize
2.8MB

Download
memory/2020-221-0x0000000000400000-0x00000000006C4000-memory.dmp

Filesize
2.8MB

Download
memory/2652-154-0x000000000B000000-0x000000000B092000-memory.dmp

Filesize
584KB

Download
memory/2652-152-0x000000000ABD0000-0x000000000AC0C000-memory.dmp

Filesize
240KB

Download
memory/2652-158-0x000000000C510000-0x000000000C6D2000-memory.dmp

Filesize
1.8MB

Download
memory/2652-159-0x000000000CC10000-0x000000000D13C000-memory.dmp

Filesize
5.2MB

Download
memory/2652-160-0x00000000056F0000-0x0000000005700000-memory.dmp

Filesize
64KB

Download
memory/2652-155-0x000000000BC90000-0x000000000C234000-memory.dmp

Filesize
5.6MB

Download
memory/2652-153-0x000000000AEE0000-0x000000000AF56000-memory.dmp

Filesize
472KB

Download
memory/2652-157-0x000000000BC30000-0x000000000BC80000-memory.dmp

Filesize
320KB

Download
memory/2652-151-0x00000000056F0000-0x0000000005700000-memory.dmp

Filesize
64KB

Download
memory/2652-150-0x000000000AB70000-0x000000000AB82000-memory.dmp

Filesize
72KB

Download
memory/2652-149-0x000000000AC40000-0x000000000AD4A000-memory.dmp

Filesize
1.0MB

Download
memory/2652-148-0x000000000B0C0000-0x000000000B6D8000-memory.dmp

Filesize
6.1MB

Download
memory/2652-156-0x000000000B7E0000-0x000000000B846000-memory.dmp

Filesize
408KB

Download
memory/2652-147-0x0000000000E00000-0x0000000000E30000-memory.dmp

Filesize
192KB

Download
memory/3768-171-0x0000000004950000-0x0000000004962000-memory.dmp

Filesize
72KB

Download
memory/3768-175-0x0000000004950000-0x0000000004962000-memory.dmp

Filesize
72KB

Download
memory/3768-183-0x0000000004950000-0x0000000004962000-memory.dmp

Filesize
72KB

Download
memory/3768-185-0x0000000004950000-0x0000000004962000-memory.dmp

Filesize
72KB

Download
memory/3768-187-0x0000000004950000-0x0000000004962000-memory.dmp

Filesize
72KB

Download
memory/3768-189-0x0000000004950000-0x0000000004962000-memory.dmp

Filesize
72KB

Download
memory/3768-191-0x0000000004950000-0x0000000004962000-memory.dmp

Filesize
72KB

Download
memory/3768-193-0x0000000004950000-0x0000000004962000-memory.dmp

Filesize
72KB

Download
memory/3768-195-0x0000000004950000-0x0000000004962000-memory.dmp

Filesize
72KB

Download
memory/3768-196-0x0000000004AD0000-0x0000000004AE0000-memory.dmp

Filesize
64KB

Download
memory/3768-197-0x0000000004AD0000-0x0000000004AE0000-memory.dmp

Filesize
64KB

Download
memory/3768-165-0x0000000004AD0000-0x0000000004AE0000-memory.dmp

Filesize
64KB

Download
memory/3768-179-0x0000000004950000-0x0000000004962000-memory.dmp

Filesize
72KB

Download
memory/3768-177-0x0000000004950000-0x0000000004962000-memory.dmp

Filesize
72KB

Download
memory/3768-166-0x0000000004AD0000-0x0000000004AE0000-memory.dmp

Filesize
64KB

Download
memory/3768-167-0x0000000004AD0000-0x0000000004AE0000-memory.dmp

Filesize
64KB

Download
memory/3768-181-0x0000000004950000-0x0000000004962000-memory.dmp

Filesize
72KB

Download
memory/3768-173-0x0000000004950000-0x0000000004962000-memory.dmp

Filesize
72KB

Download
memory/3768-169-0x0000000004950000-0x0000000004962000-memory.dmp

Filesize
72KB

Download
memory/3768-168-0x0000000004950000-0x0000000004962000-memory.dmp

Filesize
72KB

Download
memory/4348-220-0x0000000000400000-0x00000000006C4000-memory.dmp

Filesize
2.8MB

Download
memory/4348-204-0x0000000000400000-0x00000000006C4000-memory.dmp

Filesize
2.8MB

Download
memory/4348-203-0x00000000006D0000-0x0000000000705000-memory.dmp

Filesize
212KB

Download
memory/4968-248-0x0000000000400000-0x00000000006C4000-memory.dmp

Filesize
2.8MB

Download