redline | 824cda0b6d2eff37d08b6e1a0da512642ede16546f56f6806e85fed07863a093

Analysis

max time kernel
146s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
03/05/2023, 20:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

824cda0b6d2eff37d08b6e1a0da512642ede16546f56f6806e85fed07863a093.exe
Size

641KB
MD5

74c2198a75d6399b5c7b4d7aa6d3d100
SHA1

ce9e35f09709605f1e165763b79472ba0c1ff590
SHA256

824cda0b6d2eff37d08b6e1a0da512642ede16546f56f6806e85fed07863a093
SHA512

e2e2bf73f3626beded0b7145b52f60cafa88757edec865b4606ecf09308fb6d268584ae2383017f75ea57a5c08c065be481286c0f2bedc65dfaa009bda26aeeb
SSDEEP

12288:5MrHy90ORS1RxvNH1g48OTuVbQksWksFtesDqpAdKkPBhrK0NFGhH3:+yrRSnxvx1hSV8kssle+KwoQm

Score

10^/10

redline darm discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

darm

217.196.96.56:4138

Attributes

auth_value
d88ac8ccc04ab9979b04b46313db1648

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	h4442539.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	h4442539.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	h4442539.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	h4442539.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	h4442539.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	h4442539.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	i2227930.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	oneetx.exe

Executes dropped EXE 7 IoCs

pid	Process
1944	x6917861.exe
1332	g2989547.exe
3932	h4442539.exe
3312	i2227930.exe
4604	oneetx.exe
1356	oneetx.exe
1684	oneetx.exe

Loads dropped DLL 1 IoCs

pid	Process
2096	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	h4442539.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	h4442539.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	824cda0b6d2eff37d08b6e1a0da512642ede16546f56f6806e85fed07863a093.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	824cda0b6d2eff37d08b6e1a0da512642ede16546f56f6806e85fed07863a093.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x6917861.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x6917861.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 30 IoCs

pid	pid_target	Process	procid_target
636	3932	WerFault.exe	89
3380	3312	WerFault.exe	95
952	3312	WerFault.exe	95
5064	3312	WerFault.exe	95
4820	3312	WerFault.exe	95
3532	3312	WerFault.exe	95
4040	3312	WerFault.exe	95
4808	3312	WerFault.exe	95
3848	3312	WerFault.exe	95
4404	3312	WerFault.exe	95
4384	3312	WerFault.exe	95
2224	4604	WerFault.exe	115
2188	4604	WerFault.exe	115
3184	4604	WerFault.exe	115
3352	4604	WerFault.exe	115
4528	4604	WerFault.exe	115
3788	4604	WerFault.exe	115
2000	4604	WerFault.exe	115
2032	4604	WerFault.exe	115
828	4604	WerFault.exe	115
32	4604	WerFault.exe	115
2612	4604	WerFault.exe	115
3696	4604	WerFault.exe	115
1360	4604	WerFault.exe	115
2260	1356	WerFault.exe	154
4880	4604	WerFault.exe	115
1288	4604	WerFault.exe	115
4872	4604	WerFault.exe	115
1808	1684	WerFault.exe	164
5100	4604	WerFault.exe	115

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1780	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1332	g2989547.exe
1332	g2989547.exe
3932	h4442539.exe
3932	h4442539.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1332	g2989547.exe
Token: SeDebugPrivilege	3932	h4442539.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3312	i2227930.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2068 wrote to memory of 1944	2068	824cda0b6d2eff37d08b6e1a0da512642ede16546f56f6806e85fed07863a093.exe	84
PID 2068 wrote to memory of 1944	2068	824cda0b6d2eff37d08b6e1a0da512642ede16546f56f6806e85fed07863a093.exe	84
PID 2068 wrote to memory of 1944	2068	824cda0b6d2eff37d08b6e1a0da512642ede16546f56f6806e85fed07863a093.exe	84
PID 1944 wrote to memory of 1332	1944	x6917861.exe	85
PID 1944 wrote to memory of 1332	1944	x6917861.exe	85
PID 1944 wrote to memory of 1332	1944	x6917861.exe	85
PID 1944 wrote to memory of 3932	1944	x6917861.exe	89
PID 1944 wrote to memory of 3932	1944	x6917861.exe	89
PID 1944 wrote to memory of 3932	1944	x6917861.exe	89
PID 2068 wrote to memory of 3312	2068	824cda0b6d2eff37d08b6e1a0da512642ede16546f56f6806e85fed07863a093.exe	95
PID 2068 wrote to memory of 3312	2068	824cda0b6d2eff37d08b6e1a0da512642ede16546f56f6806e85fed07863a093.exe	95
PID 2068 wrote to memory of 3312	2068	824cda0b6d2eff37d08b6e1a0da512642ede16546f56f6806e85fed07863a093.exe	95
PID 3312 wrote to memory of 4604	3312	i2227930.exe	115
PID 3312 wrote to memory of 4604	3312	i2227930.exe	115
PID 3312 wrote to memory of 4604	3312	i2227930.exe	115
PID 4604 wrote to memory of 1780	4604	oneetx.exe	132
PID 4604 wrote to memory of 1780	4604	oneetx.exe	132
PID 4604 wrote to memory of 1780	4604	oneetx.exe	132
PID 4604 wrote to memory of 448	4604	oneetx.exe	138
PID 4604 wrote to memory of 448	4604	oneetx.exe	138
PID 4604 wrote to memory of 448	4604	oneetx.exe	138
PID 448 wrote to memory of 212	448	cmd.exe	142
PID 448 wrote to memory of 212	448	cmd.exe	142
PID 448 wrote to memory of 212	448	cmd.exe	142
PID 448 wrote to memory of 2196	448	cmd.exe	143
PID 448 wrote to memory of 2196	448	cmd.exe	143
PID 448 wrote to memory of 2196	448	cmd.exe	143
PID 448 wrote to memory of 4844	448	cmd.exe	144
PID 448 wrote to memory of 4844	448	cmd.exe	144
PID 448 wrote to memory of 4844	448	cmd.exe	144
PID 448 wrote to memory of 2148	448	cmd.exe	146
PID 448 wrote to memory of 2148	448	cmd.exe	146
PID 448 wrote to memory of 2148	448	cmd.exe	146
PID 448 wrote to memory of 2672	448	cmd.exe	145
PID 448 wrote to memory of 2672	448	cmd.exe	145
PID 448 wrote to memory of 2672	448	cmd.exe	145
PID 448 wrote to memory of 1272	448	cmd.exe	147
PID 448 wrote to memory of 1272	448	cmd.exe	147
PID 448 wrote to memory of 1272	448	cmd.exe	147
PID 4604 wrote to memory of 2096	4604	oneetx.exe	161
PID 4604 wrote to memory of 2096	4604	oneetx.exe	161
PID 4604 wrote to memory of 2096	4604	oneetx.exe	161

C:\Users\Admin\AppData\Local\Temp\824cda0b6d2eff37d08b6e1a0da512642ede16546f56f6806e85fed07863a093.exe
"C:\Users\Admin\AppData\Local\Temp\824cda0b6d2eff37d08b6e1a0da512642ede16546f56f6806e85fed07863a093.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2068
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6917861.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6917861.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1944
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g2989547.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g2989547.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1332
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h4442539.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h4442539.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3932
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3932 -s 1080
      4⤵
      Program crash
      PID:636
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i2227930.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i2227930.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:3312
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3312 -s 696
    3⤵
    - Program crash
    PID:3380
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3312 -s 780
    3⤵
    - Program crash
    PID:952
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3312 -s 812
    3⤵
    - Program crash
    PID:5064
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3312 -s 952
    3⤵
    - Program crash
    PID:4820
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3312 -s 980
    3⤵
    - Program crash
    PID:3532
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3312 -s 980
    3⤵
    - Program crash
    PID:4040
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3312 -s 1216
    3⤵
    - Program crash
    PID:4808
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3312 -s 1232
    3⤵
    - Program crash
    PID:3848
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3312 -s 1312
    3⤵
    - Program crash
    PID:4404
- - C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
    "C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4604
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 692
      4⤵
      Program crash
      PID:2224
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 848
      4⤵
      Program crash
      PID:2188
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 892
      4⤵
      Program crash
      PID:3184
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 1052
      4⤵
      Program crash
      PID:3352
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 1096
      4⤵
      Program crash
      PID:4528
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 1052
      4⤵
      Program crash
      PID:3788
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 1088
      4⤵
      Program crash
      PID:2000
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe" /F
      4⤵
      Creates scheduled task(s)
      PID:1780
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 864
      4⤵
      Program crash
      PID:2032
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 728
      4⤵
      Program crash
      PID:828
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\c3912af058" /P "Admin:N"&&CACLS "..\c3912af058" /P "Admin:R" /E&&Exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:448
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:212
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "oneetx.exe" /P "Admin:N"
        5⤵
        
        PID:2196
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "oneetx.exe" /P "Admin:R" /E
        5⤵
        
        PID:4844
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\c3912af058" /P "Admin:N"
        5⤵
        
        PID:2672
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:2148
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\c3912af058" /P "Admin:R" /E
        5⤵
        
        PID:1272
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 1300
      4⤵
      Program crash
      PID:32
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 1280
      4⤵
      Program crash
      PID:2612
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 788
      4⤵
      Program crash
      PID:3696
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 132
      4⤵
      Program crash
      PID:1360
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 1064
      4⤵
      Program crash
      PID:4880
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 1612
      4⤵
      Program crash
      PID:1288
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
      4⤵
      Loads dropped DLL
      PID:2096
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 1536
      4⤵
      Program crash
      PID:4872
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 1628
      4⤵
      Program crash
      PID:5100
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3312 -s 748
    3⤵
    - Program crash
    PID:4384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3932 -ip 3932
1⤵
PID:4660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3312 -ip 3312
1⤵
PID:4716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3312 -ip 3312
1⤵
PID:1196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3312 -ip 3312
1⤵
PID:3096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3312 -ip 3312
1⤵
PID:4872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3312 -ip 3312
1⤵
PID:3708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3312 -ip 3312
1⤵
PID:2860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3312 -ip 3312
1⤵
PID:4996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3312 -ip 3312
1⤵
PID:3900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3312 -ip 3312
1⤵
PID:3256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3312 -ip 3312
1⤵
PID:3580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4604 -ip 4604
1⤵
PID:3752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4604 -ip 4604
1⤵
PID:1840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4604 -ip 4604
1⤵
PID:2004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4604 -ip 4604
1⤵
PID:3928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4604 -ip 4604
1⤵
PID:748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4604 -ip 4604
1⤵
PID:1772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4604 -ip 4604
1⤵
PID:3156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4604 -ip 4604
1⤵
PID:408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4604 -ip 4604
1⤵
PID:800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4604 -ip 4604
1⤵
PID:4988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4604 -ip 4604
1⤵
PID:5080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 372 -p 4604 -ip 4604
1⤵
PID:1300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4604 -ip 4604
1⤵
PID:4128

C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
1⤵
- Executes dropped EXE
PID:1356
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1356 -s 312
  2⤵
  - Program crash
  PID:2260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1356 -ip 1356
1⤵
PID:4676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4604 -ip 4604
1⤵
PID:1232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4604 -ip 4604
1⤵
PID:2632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4604 -ip 4604
1⤵
PID:4908

C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
1⤵
- Executes dropped EXE
PID:1684
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1684 -s 320
  2⤵
  - Program crash
  PID:1808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1684 -ip 1684
1⤵
PID:3420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4604 -ip 4604
1⤵
PID:5092

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i2227930.exe

Filesize
268KB

MD5
3af215b69957d33c29f99174e7267878

SHA1
a00cbfe16b6b549534d95b8955e963e0557bffd5

SHA256
15015303ea064e855908fd860c5a6e7625d122590ee8668a8ac252ca533e23db

SHA512
ffbf89aeb5ce7a16fb910e3e98c1a7a180f6a0e337e2970db59d2be080612e0f98b62b21fe0d226e88cbe25ecddb734d27ddfcbb87ea6a98179df988f9221ee0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i2227930.exe

Filesize
268KB

MD5
3af215b69957d33c29f99174e7267878

SHA1
a00cbfe16b6b549534d95b8955e963e0557bffd5

SHA256
15015303ea064e855908fd860c5a6e7625d122590ee8668a8ac252ca533e23db

SHA512
ffbf89aeb5ce7a16fb910e3e98c1a7a180f6a0e337e2970db59d2be080612e0f98b62b21fe0d226e88cbe25ecddb734d27ddfcbb87ea6a98179df988f9221ee0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6917861.exe

Filesize
383KB

MD5
d31f99738ed96fd80497d155675d312f

SHA1
61ade787e8a85691455d29a584458038559bd3d4

SHA256
7b0c0bd3f43c45d8b80479787cff4fdbc2a596e66e477a88acd5533e9d9d6e55

SHA512
e970729757274bcc872574e3fdff0a498b289dfd68bfaa7cdaea57677b608433c0e4d273bfab8cb9d89500b725ef840cd58066d3988a335e51c51bfbe5c175fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6917861.exe

Filesize
383KB

MD5
d31f99738ed96fd80497d155675d312f

SHA1
61ade787e8a85691455d29a584458038559bd3d4

SHA256
7b0c0bd3f43c45d8b80479787cff4fdbc2a596e66e477a88acd5533e9d9d6e55

SHA512
e970729757274bcc872574e3fdff0a498b289dfd68bfaa7cdaea57677b608433c0e4d273bfab8cb9d89500b725ef840cd58066d3988a335e51c51bfbe5c175fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g2989547.exe

Filesize
168KB

MD5
ef1a84358e6b4a02fed5ab0f440b3e4f

SHA1
1ce47309ec2ca78e0239209f8ed59aba09954413

SHA256
84033086f748d9e1b6a7d6733cb2b6284a9d58ebf5f82bfb6d1d1694b8ee3db2

SHA512
c24df40e2abc16430a42162138195604214f539a5cd25f08653c7ba5040eecf44d78fde52e0c778fdde07c0b40799d3424801d4b704c902b76c376a8891f0e38

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g2989547.exe

Filesize
168KB

MD5
ef1a84358e6b4a02fed5ab0f440b3e4f

SHA1
1ce47309ec2ca78e0239209f8ed59aba09954413

SHA256
84033086f748d9e1b6a7d6733cb2b6284a9d58ebf5f82bfb6d1d1694b8ee3db2

SHA512
c24df40e2abc16430a42162138195604214f539a5cd25f08653c7ba5040eecf44d78fde52e0c778fdde07c0b40799d3424801d4b704c902b76c376a8891f0e38

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h4442539.exe

Filesize
289KB

MD5
b801b55f5335b3b6635656ad1b02924d

SHA1
30152150cdcc09e3be80b2da4ea4f2b16223b2a4

SHA256
d3b3bda4ba78c83755ffb35c0d423bef72ba3656eb625c4b261c17cf9bf5dc41

SHA512
5a2f51f6598d0661d53a4d35e5f52cdc2a65f14d96ca9479b5513da0c9862574837b75cf5931b9c8ddae3781950cda1812ce4765a4f95557aa42c0dfdcf5d19a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h4442539.exe

Filesize
289KB

MD5
b801b55f5335b3b6635656ad1b02924d

SHA1
30152150cdcc09e3be80b2da4ea4f2b16223b2a4

SHA256
d3b3bda4ba78c83755ffb35c0d423bef72ba3656eb625c4b261c17cf9bf5dc41

SHA512
5a2f51f6598d0661d53a4d35e5f52cdc2a65f14d96ca9479b5513da0c9862574837b75cf5931b9c8ddae3781950cda1812ce4765a4f95557aa42c0dfdcf5d19a

Download Submit
C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe

Filesize
268KB

MD5
3af215b69957d33c29f99174e7267878

SHA1
a00cbfe16b6b549534d95b8955e963e0557bffd5

SHA256
15015303ea064e855908fd860c5a6e7625d122590ee8668a8ac252ca533e23db

SHA512
ffbf89aeb5ce7a16fb910e3e98c1a7a180f6a0e337e2970db59d2be080612e0f98b62b21fe0d226e88cbe25ecddb734d27ddfcbb87ea6a98179df988f9221ee0

Download Submit
C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe

Filesize
268KB

MD5
3af215b69957d33c29f99174e7267878

SHA1
a00cbfe16b6b549534d95b8955e963e0557bffd5

SHA256
15015303ea064e855908fd860c5a6e7625d122590ee8668a8ac252ca533e23db

SHA512
ffbf89aeb5ce7a16fb910e3e98c1a7a180f6a0e337e2970db59d2be080612e0f98b62b21fe0d226e88cbe25ecddb734d27ddfcbb87ea6a98179df988f9221ee0

Download Submit
C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe

Filesize
268KB

MD5
3af215b69957d33c29f99174e7267878

SHA1
a00cbfe16b6b549534d95b8955e963e0557bffd5

SHA256
15015303ea064e855908fd860c5a6e7625d122590ee8668a8ac252ca533e23db

SHA512
ffbf89aeb5ce7a16fb910e3e98c1a7a180f6a0e337e2970db59d2be080612e0f98b62b21fe0d226e88cbe25ecddb734d27ddfcbb87ea6a98179df988f9221ee0

Download Submit
C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe

Filesize
268KB

MD5
3af215b69957d33c29f99174e7267878

SHA1
a00cbfe16b6b549534d95b8955e963e0557bffd5

SHA256
15015303ea064e855908fd860c5a6e7625d122590ee8668a8ac252ca533e23db

SHA512
ffbf89aeb5ce7a16fb910e3e98c1a7a180f6a0e337e2970db59d2be080612e0f98b62b21fe0d226e88cbe25ecddb734d27ddfcbb87ea6a98179df988f9221ee0

Download Submit
C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe

Filesize
268KB

MD5
3af215b69957d33c29f99174e7267878

SHA1
a00cbfe16b6b549534d95b8955e963e0557bffd5

SHA256
15015303ea064e855908fd860c5a6e7625d122590ee8668a8ac252ca533e23db

SHA512
ffbf89aeb5ce7a16fb910e3e98c1a7a180f6a0e337e2970db59d2be080612e0f98b62b21fe0d226e88cbe25ecddb734d27ddfcbb87ea6a98179df988f9221ee0

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
8451a2c5daa42b25333b1b2089c5ea39

SHA1
700cc99ec8d3113435e657070d2d6bde0a833adc

SHA256
b8c8aedd84c363853db934a55087a3b730cf9dc758dea3dc3a98f54217f4c9d0

SHA512
6d2bad0e6ec7852d7b6d1a70a10285db28c06c37252503e01c52458a463582d5211b7e183ae064a36b60f990971a5b14f8af3aaaacc4226be1c2e3e0bf38af53

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
8451a2c5daa42b25333b1b2089c5ea39

SHA1
700cc99ec8d3113435e657070d2d6bde0a833adc

SHA256
b8c8aedd84c363853db934a55087a3b730cf9dc758dea3dc3a98f54217f4c9d0

SHA512
6d2bad0e6ec7852d7b6d1a70a10285db28c06c37252503e01c52458a463582d5211b7e183ae064a36b60f990971a5b14f8af3aaaacc4226be1c2e3e0bf38af53

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
8451a2c5daa42b25333b1b2089c5ea39

SHA1
700cc99ec8d3113435e657070d2d6bde0a833adc

SHA256
b8c8aedd84c363853db934a55087a3b730cf9dc758dea3dc3a98f54217f4c9d0

SHA512
6d2bad0e6ec7852d7b6d1a70a10285db28c06c37252503e01c52458a463582d5211b7e183ae064a36b60f990971a5b14f8af3aaaacc4226be1c2e3e0bf38af53

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
memory/1332-158-0x000000000C3F0000-0x000000000C91C000-memory.dmp

Filesize
5.2MB

Download
memory/1332-153-0x000000000A750000-0x000000000A7C6000-memory.dmp

Filesize
472KB

Download
memory/1332-159-0x0000000004FF0000-0x0000000005000000-memory.dmp

Filesize
64KB

Download
memory/1332-156-0x000000000A910000-0x000000000A976000-memory.dmp

Filesize
408KB

Download
memory/1332-147-0x0000000000530000-0x0000000000560000-memory.dmp

Filesize
192KB

Download
memory/1332-148-0x000000000A9A0000-0x000000000AFB8000-memory.dmp

Filesize
6.1MB

Download
memory/1332-149-0x000000000A4B0000-0x000000000A5BA000-memory.dmp

Filesize
1.0MB

Download
memory/1332-150-0x000000000A3E0000-0x000000000A3F2000-memory.dmp

Filesize
72KB

Download
memory/1332-151-0x000000000A440000-0x000000000A47C000-memory.dmp

Filesize
240KB

Download
memory/1332-155-0x000000000B570000-0x000000000BB14000-memory.dmp

Filesize
5.6MB

Download
memory/1332-152-0x0000000004FF0000-0x0000000005000000-memory.dmp

Filesize
64KB

Download
memory/1332-160-0x000000000BB60000-0x000000000BBB0000-memory.dmp

Filesize
320KB

Download
memory/1332-154-0x000000000A870000-0x000000000A902000-memory.dmp

Filesize
584KB

Download
memory/1332-157-0x000000000BCF0000-0x000000000BEB2000-memory.dmp

Filesize
1.8MB

Download
memory/1356-227-0x0000000000400000-0x00000000006C4000-memory.dmp

Filesize
2.8MB

Download
memory/1684-255-0x0000000000400000-0x00000000006C4000-memory.dmp

Filesize
2.8MB

Download
memory/3312-221-0x0000000000400000-0x00000000006C4000-memory.dmp

Filesize
2.8MB

Download
memory/3312-207-0x00000000007B0000-0x00000000007E5000-memory.dmp

Filesize
212KB

Download
memory/3932-181-0x0000000004FB0000-0x0000000004FC2000-memory.dmp

Filesize
72KB

Download
memory/3932-185-0x0000000004FB0000-0x0000000004FC2000-memory.dmp

Filesize
72KB

Download
memory/3932-196-0x0000000004870000-0x0000000004880000-memory.dmp

Filesize
64KB

Download
memory/3932-197-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3932-200-0x0000000004870000-0x0000000004880000-memory.dmp

Filesize
64KB

Download
memory/3932-199-0x0000000004870000-0x0000000004880000-memory.dmp

Filesize
64KB

Download
memory/3932-201-0x0000000004870000-0x0000000004880000-memory.dmp

Filesize
64KB

Download
memory/3932-202-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3932-194-0x0000000001E20000-0x0000000001E4D000-memory.dmp

Filesize
180KB

Download
memory/3932-193-0x0000000004FB0000-0x0000000004FC2000-memory.dmp

Filesize
72KB

Download
memory/3932-191-0x0000000004FB0000-0x0000000004FC2000-memory.dmp

Filesize
72KB

Download
memory/3932-189-0x0000000004FB0000-0x0000000004FC2000-memory.dmp

Filesize
72KB

Download
memory/3932-187-0x0000000004FB0000-0x0000000004FC2000-memory.dmp

Filesize
72KB

Download
memory/3932-195-0x0000000004870000-0x0000000004880000-memory.dmp

Filesize
64KB

Download
memory/3932-183-0x0000000004FB0000-0x0000000004FC2000-memory.dmp

Filesize
72KB

Download
memory/3932-166-0x0000000004FB0000-0x0000000004FC2000-memory.dmp

Filesize
72KB

Download
memory/3932-179-0x0000000004FB0000-0x0000000004FC2000-memory.dmp

Filesize
72KB

Download
memory/3932-177-0x0000000004FB0000-0x0000000004FC2000-memory.dmp

Filesize
72KB

Download
memory/3932-175-0x0000000004FB0000-0x0000000004FC2000-memory.dmp

Filesize
72KB

Download
memory/3932-173-0x0000000004FB0000-0x0000000004FC2000-memory.dmp

Filesize
72KB

Download
memory/3932-171-0x0000000004FB0000-0x0000000004FC2000-memory.dmp

Filesize
72KB

Download
memory/3932-169-0x0000000004FB0000-0x0000000004FC2000-memory.dmp

Filesize
72KB

Download
memory/3932-167-0x0000000004FB0000-0x0000000004FC2000-memory.dmp

Filesize
72KB

Download
memory/4604-250-0x0000000000400000-0x00000000006C4000-memory.dmp

Filesize
2.8MB

Download
memory/4604-223-0x0000000000400000-0x00000000006C4000-memory.dmp

Filesize
2.8MB

Download