redline | f6c780adc75536375ae7637169b0c0c3f71ef6e6acbdc3a3a0b00de362137714

Analysis

max time kernel
144s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
03/05/2023, 20:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f6c780adc75536375ae7637169b0c0c3f71ef6e6acbdc3a3a0b00de362137714.exe
Size

642KB
MD5

2f60adf506c995474eca423d1cb4fa44
SHA1

d5fee7b5640fb85743967a48bbb9392956b9f81c
SHA256

f6c780adc75536375ae7637169b0c0c3f71ef6e6acbdc3a3a0b00de362137714
SHA512

27f20daf3606f1f3befaf6fafc5ed4345bcde1f8a05219788b96872b0bf98bf7e02630152d079288ffa567794eb76590c2e7a0f5f67dcceda1b1afd77266b5b2
SSDEEP

12288:eMriy906FiXBPGmb+a6CGiQs9HtDNjt60xYKsDxlklKFl:8yTCJGmaazjHVOYsxlzl

Score

10^/10

redline darm discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

darm

217.196.96.56:4138

Attributes

auth_value
d88ac8ccc04ab9979b04b46313db1648

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	h9644065.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	h9644065.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	h9644065.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	h9644065.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	h9644065.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	h9644065.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	i1449774.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	oneetx.exe

Executes dropped EXE 7 IoCs

pid	Process
1444	x0507876.exe
4208	g2828564.exe
1524	h9644065.exe
2468	i1449774.exe
3920	oneetx.exe
4664	oneetx.exe
2988	oneetx.exe

Loads dropped DLL 1 IoCs

pid	Process
3788	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	h9644065.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	h9644065.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	f6c780adc75536375ae7637169b0c0c3f71ef6e6acbdc3a3a0b00de362137714.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	f6c780adc75536375ae7637169b0c0c3f71ef6e6acbdc3a3a0b00de362137714.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x0507876.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x0507876.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 30 IoCs

pid	pid_target	Process	procid_target
4888	1524	WerFault.exe	90
4116	2468	WerFault.exe	96
4196	2468	WerFault.exe	96
4072	2468	WerFault.exe	96
4400	2468	WerFault.exe	96
4816	2468	WerFault.exe	96
2560	2468	WerFault.exe	96
3824	2468	WerFault.exe	96
3844	2468	WerFault.exe	96
2220	2468	WerFault.exe	96
3868	2468	WerFault.exe	96
3572	3920	WerFault.exe	116
2176	3920	WerFault.exe	116
3836	3920	WerFault.exe	116
1584	3920	WerFault.exe	116
1204	3920	WerFault.exe	116
2884	3920	WerFault.exe	116
1316	3920	WerFault.exe	116
1920	3920	WerFault.exe	116
4160	3920	WerFault.exe	116
228	3920	WerFault.exe	116
4464	3920	WerFault.exe	116
4856	3920	WerFault.exe	116
2312	3920	WerFault.exe	116
4060	4664	WerFault.exe	155
4144	3920	WerFault.exe	116
3776	3920	WerFault.exe	116
1864	3920	WerFault.exe	116
2504	3920	WerFault.exe	116
3844	2988	WerFault.exe	167

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
3780	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4208	g2828564.exe
4208	g2828564.exe
1524	h9644065.exe
1524	h9644065.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4208	g2828564.exe
Token: SeDebugPrivilege	1524	h9644065.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2468	i1449774.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 1156 wrote to memory of 1444	1156	f6c780adc75536375ae7637169b0c0c3f71ef6e6acbdc3a3a0b00de362137714.exe	85
PID 1156 wrote to memory of 1444	1156	f6c780adc75536375ae7637169b0c0c3f71ef6e6acbdc3a3a0b00de362137714.exe	85
PID 1156 wrote to memory of 1444	1156	f6c780adc75536375ae7637169b0c0c3f71ef6e6acbdc3a3a0b00de362137714.exe	85
PID 1444 wrote to memory of 4208	1444	x0507876.exe	86
PID 1444 wrote to memory of 4208	1444	x0507876.exe	86
PID 1444 wrote to memory of 4208	1444	x0507876.exe	86
PID 1444 wrote to memory of 1524	1444	x0507876.exe	90
PID 1444 wrote to memory of 1524	1444	x0507876.exe	90
PID 1444 wrote to memory of 1524	1444	x0507876.exe	90
PID 1156 wrote to memory of 2468	1156	f6c780adc75536375ae7637169b0c0c3f71ef6e6acbdc3a3a0b00de362137714.exe	96
PID 1156 wrote to memory of 2468	1156	f6c780adc75536375ae7637169b0c0c3f71ef6e6acbdc3a3a0b00de362137714.exe	96
PID 1156 wrote to memory of 2468	1156	f6c780adc75536375ae7637169b0c0c3f71ef6e6acbdc3a3a0b00de362137714.exe	96
PID 2468 wrote to memory of 3920	2468	i1449774.exe	116
PID 2468 wrote to memory of 3920	2468	i1449774.exe	116
PID 2468 wrote to memory of 3920	2468	i1449774.exe	116
PID 3920 wrote to memory of 3780	3920	oneetx.exe	133
PID 3920 wrote to memory of 3780	3920	oneetx.exe	133
PID 3920 wrote to memory of 3780	3920	oneetx.exe	133
PID 3920 wrote to memory of 1976	3920	oneetx.exe	139
PID 3920 wrote to memory of 1976	3920	oneetx.exe	139
PID 3920 wrote to memory of 1976	3920	oneetx.exe	139
PID 1976 wrote to memory of 4788	1976	cmd.exe	143
PID 1976 wrote to memory of 4788	1976	cmd.exe	143
PID 1976 wrote to memory of 4788	1976	cmd.exe	143
PID 1976 wrote to memory of 4648	1976	cmd.exe	144
PID 1976 wrote to memory of 4648	1976	cmd.exe	144
PID 1976 wrote to memory of 4648	1976	cmd.exe	144
PID 1976 wrote to memory of 3860	1976	cmd.exe	145
PID 1976 wrote to memory of 3860	1976	cmd.exe	145
PID 1976 wrote to memory of 3860	1976	cmd.exe	145
PID 1976 wrote to memory of 5088	1976	cmd.exe	146
PID 1976 wrote to memory of 5088	1976	cmd.exe	146
PID 1976 wrote to memory of 5088	1976	cmd.exe	146
PID 1976 wrote to memory of 1916	1976	cmd.exe	147
PID 1976 wrote to memory of 1916	1976	cmd.exe	147
PID 1976 wrote to memory of 1916	1976	cmd.exe	147
PID 1976 wrote to memory of 2232	1976	cmd.exe	148
PID 1976 wrote to memory of 2232	1976	cmd.exe	148
PID 1976 wrote to memory of 2232	1976	cmd.exe	148
PID 3920 wrote to memory of 3788	3920	oneetx.exe	162
PID 3920 wrote to memory of 3788	3920	oneetx.exe	162
PID 3920 wrote to memory of 3788	3920	oneetx.exe	162

C:\Users\Admin\AppData\Local\Temp\f6c780adc75536375ae7637169b0c0c3f71ef6e6acbdc3a3a0b00de362137714.exe
"C:\Users\Admin\AppData\Local\Temp\f6c780adc75536375ae7637169b0c0c3f71ef6e6acbdc3a3a0b00de362137714.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1156
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0507876.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0507876.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1444
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g2828564.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g2828564.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4208
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h9644065.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h9644065.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1524
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1524 -s 1080
      4⤵
      Program crash
      PID:4888
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i1449774.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i1449774.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2468
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2468 -s 696
    3⤵
    - Program crash
    PID:4116
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2468 -s 780
    3⤵
    - Program crash
    PID:4196
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2468 -s 804
    3⤵
    - Program crash
    PID:4072
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2468 -s 812
    3⤵
    - Program crash
    PID:4400
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2468 -s 988
    3⤵
    - Program crash
    PID:4816
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2468 -s 988
    3⤵
    - Program crash
    PID:2560
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2468 -s 1216
    3⤵
    - Program crash
    PID:3824
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2468 -s 1236
    3⤵
    - Program crash
    PID:3844
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2468 -s 1316
    3⤵
    - Program crash
    PID:2220
- - C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
    "C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3920
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3920 -s 692
      4⤵
      Program crash
      PID:3572
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3920 -s 788
      4⤵
      Program crash
      PID:2176
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3920 -s 904
      4⤵
      Program crash
      PID:3836
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3920 -s 1052
      4⤵
      Program crash
      PID:1584
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3920 -s 1076
      4⤵
      Program crash
      PID:1204
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3920 -s 1104
      4⤵
      Program crash
      PID:2884
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3920 -s 1112
      4⤵
      Program crash
      PID:1316
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe" /F
      4⤵
      Creates scheduled task(s)
      PID:3780
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3920 -s 992
      4⤵
      Program crash
      PID:1920
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3920 -s 776
      4⤵
      Program crash
      PID:4160
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\c3912af058" /P "Admin:N"&&CACLS "..\c3912af058" /P "Admin:R" /E&&Exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1976
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:4788
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "oneetx.exe" /P "Admin:N"
        5⤵
        
        PID:4648
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "oneetx.exe" /P "Admin:R" /E
        5⤵
        
        PID:3860
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:5088
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\c3912af058" /P "Admin:N"
        5⤵
        
        PID:1916
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\c3912af058" /P "Admin:R" /E
        5⤵
        
        PID:2232
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3920 -s 1288
      4⤵
      Program crash
      PID:228
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3920 -s 1268
      4⤵
      Program crash
      PID:4464
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3920 -s 744
      4⤵
      Program crash
      PID:4856
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3920 -s 724
      4⤵
      Program crash
      PID:2312
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3920 -s 1136
      4⤵
      Program crash
      PID:4144
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3920 -s 1652
      4⤵
      Program crash
      PID:3776
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
      4⤵
      Loads dropped DLL
      PID:3788
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3920 -s 1588
      4⤵
      Program crash
      PID:1864
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3920 -s 1668
      4⤵
      Program crash
      PID:2504
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2468 -s 788
    3⤵
    - Program crash
    PID:3868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1524 -ip 1524
1⤵
PID:2752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2468 -ip 2468
1⤵
PID:3496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2468 -ip 2468
1⤵
PID:4748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 2468 -ip 2468
1⤵
PID:3512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2468 -ip 2468
1⤵
PID:2776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 2468 -ip 2468
1⤵
PID:2932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2468 -ip 2468
1⤵
PID:4372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2468 -ip 2468
1⤵
PID:2640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2468 -ip 2468
1⤵
PID:1380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2468 -ip 2468
1⤵
PID:4352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2468 -ip 2468
1⤵
PID:1152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3920 -ip 3920
1⤵
PID:1652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3920 -ip 3920
1⤵
PID:1680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3920 -ip 3920
1⤵
PID:2360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3920 -ip 3920
1⤵
PID:220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3920 -ip 3920
1⤵
PID:1620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3920 -ip 3920
1⤵
PID:4332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3920 -ip 3920
1⤵
PID:1452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3920 -ip 3920
1⤵
PID:1396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3920 -ip 3920
1⤵
PID:992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3920 -ip 3920
1⤵
PID:548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3920 -ip 3920
1⤵
PID:2596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3920 -ip 3920
1⤵
PID:4800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3920 -ip 3920
1⤵
PID:4432

C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
1⤵
- Executes dropped EXE
PID:4664
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4664 -s 312
  2⤵
  - Program crash
  PID:4060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4664 -ip 4664
1⤵
PID:1444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3920 -ip 3920
1⤵
PID:4980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3920 -ip 3920
1⤵
PID:756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 3920 -ip 3920
1⤵
PID:4400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3920 -ip 3920
1⤵
PID:3056

C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
1⤵
- Executes dropped EXE
PID:2988
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2988 -s 316
  2⤵
  - Program crash
  PID:3844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2988 -ip 2988
1⤵
PID:2856

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i1449774.exe

Filesize
268KB

MD5
18e3c2981af1803045dd8010b2af04d3

SHA1
6ff387596e9bf44c00832f635c170488877ec1e4

SHA256
8a695186caf6bf269ee755b8d3853091d8b3ba61d4aa2f18496f526586a65369

SHA512
06f037f4e2076af5b1e1824d1a97b6adf39df3f2a649cc53929ae6fe1c2076543937090b70f779b677799b884a425c96a8a8244a93588191f243f258e30a255f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i1449774.exe

Filesize
268KB

MD5
18e3c2981af1803045dd8010b2af04d3

SHA1
6ff387596e9bf44c00832f635c170488877ec1e4

SHA256
8a695186caf6bf269ee755b8d3853091d8b3ba61d4aa2f18496f526586a65369

SHA512
06f037f4e2076af5b1e1824d1a97b6adf39df3f2a649cc53929ae6fe1c2076543937090b70f779b677799b884a425c96a8a8244a93588191f243f258e30a255f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0507876.exe

Filesize
384KB

MD5
493ae8b37e7aa972108b76e1da39ccce

SHA1
5b7d8396b3fe1dc731af4df818bff91a0c0d128f

SHA256
47c36f776af36e36d577dcbbbae3963f7335acb67cc155f83c4a8caec301e8a3

SHA512
ef32dac3472142debbb478b76d5aa972154f5003b51bfc17f359b4c6f4ed6248b3d99bbae100298a8a256c2b8e3bba20613f3ca8f857ffe75b7304a6137a6ba8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0507876.exe

Filesize
384KB

MD5
493ae8b37e7aa972108b76e1da39ccce

SHA1
5b7d8396b3fe1dc731af4df818bff91a0c0d128f

SHA256
47c36f776af36e36d577dcbbbae3963f7335acb67cc155f83c4a8caec301e8a3

SHA512
ef32dac3472142debbb478b76d5aa972154f5003b51bfc17f359b4c6f4ed6248b3d99bbae100298a8a256c2b8e3bba20613f3ca8f857ffe75b7304a6137a6ba8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g2828564.exe

Filesize
168KB

MD5
63e0718a036e48ac7d74890f310713f4

SHA1
030a737830cc351829608c766351fae27b32c506

SHA256
7c8de34962c9cca48b9d10f7179a0817d93f9fc98ca3dd5038c2733f5d0efb4d

SHA512
fb47ad2a6db4d2aa45dfb5d865a199bf2e521deef60c5f18fadcbafa6d5eb60ff695471e2c24afde9ec9b9fe393659a54e4ca5b0e861ac52149a661efea345aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g2828564.exe

Filesize
168KB

MD5
63e0718a036e48ac7d74890f310713f4

SHA1
030a737830cc351829608c766351fae27b32c506

SHA256
7c8de34962c9cca48b9d10f7179a0817d93f9fc98ca3dd5038c2733f5d0efb4d

SHA512
fb47ad2a6db4d2aa45dfb5d865a199bf2e521deef60c5f18fadcbafa6d5eb60ff695471e2c24afde9ec9b9fe393659a54e4ca5b0e861ac52149a661efea345aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h9644065.exe

Filesize
289KB

MD5
c9ffed7141da7766e188aea6a5d81d81

SHA1
e4dec4130f67ceff5652c2961c19e0dbc016e26f

SHA256
1c6999fff7c745d32d8cfaa08e4d056baf4cf639c9aae5f6b7e1c1b198331d8a

SHA512
6eecca76fbf6865dc9abee6a21bd3b2afbe056f4be100759908943ab8a50398dd37975ef1eb87c1c3cbd4e78825ed2a0bd75cc1f28ac45f939e89e6f4b403b23

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h9644065.exe

Filesize
289KB

MD5
c9ffed7141da7766e188aea6a5d81d81

SHA1
e4dec4130f67ceff5652c2961c19e0dbc016e26f

SHA256
1c6999fff7c745d32d8cfaa08e4d056baf4cf639c9aae5f6b7e1c1b198331d8a

SHA512
6eecca76fbf6865dc9abee6a21bd3b2afbe056f4be100759908943ab8a50398dd37975ef1eb87c1c3cbd4e78825ed2a0bd75cc1f28ac45f939e89e6f4b403b23

Download Submit
C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe

Filesize
268KB

MD5
18e3c2981af1803045dd8010b2af04d3

SHA1
6ff387596e9bf44c00832f635c170488877ec1e4

SHA256
8a695186caf6bf269ee755b8d3853091d8b3ba61d4aa2f18496f526586a65369

SHA512
06f037f4e2076af5b1e1824d1a97b6adf39df3f2a649cc53929ae6fe1c2076543937090b70f779b677799b884a425c96a8a8244a93588191f243f258e30a255f

Download Submit
C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe

Filesize
268KB

MD5
18e3c2981af1803045dd8010b2af04d3

SHA1
6ff387596e9bf44c00832f635c170488877ec1e4

SHA256
8a695186caf6bf269ee755b8d3853091d8b3ba61d4aa2f18496f526586a65369

SHA512
06f037f4e2076af5b1e1824d1a97b6adf39df3f2a649cc53929ae6fe1c2076543937090b70f779b677799b884a425c96a8a8244a93588191f243f258e30a255f

Download Submit
C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe

Filesize
268KB

MD5
18e3c2981af1803045dd8010b2af04d3

SHA1
6ff387596e9bf44c00832f635c170488877ec1e4

SHA256
8a695186caf6bf269ee755b8d3853091d8b3ba61d4aa2f18496f526586a65369

SHA512
06f037f4e2076af5b1e1824d1a97b6adf39df3f2a649cc53929ae6fe1c2076543937090b70f779b677799b884a425c96a8a8244a93588191f243f258e30a255f

Download Submit
C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe

Filesize
268KB

MD5
18e3c2981af1803045dd8010b2af04d3

SHA1
6ff387596e9bf44c00832f635c170488877ec1e4

SHA256
8a695186caf6bf269ee755b8d3853091d8b3ba61d4aa2f18496f526586a65369

SHA512
06f037f4e2076af5b1e1824d1a97b6adf39df3f2a649cc53929ae6fe1c2076543937090b70f779b677799b884a425c96a8a8244a93588191f243f258e30a255f

Download Submit
C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe

Filesize
268KB

MD5
18e3c2981af1803045dd8010b2af04d3

SHA1
6ff387596e9bf44c00832f635c170488877ec1e4

SHA256
8a695186caf6bf269ee755b8d3853091d8b3ba61d4aa2f18496f526586a65369

SHA512
06f037f4e2076af5b1e1824d1a97b6adf39df3f2a649cc53929ae6fe1c2076543937090b70f779b677799b884a425c96a8a8244a93588191f243f258e30a255f

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
8451a2c5daa42b25333b1b2089c5ea39

SHA1
700cc99ec8d3113435e657070d2d6bde0a833adc

SHA256
b8c8aedd84c363853db934a55087a3b730cf9dc758dea3dc3a98f54217f4c9d0

SHA512
6d2bad0e6ec7852d7b6d1a70a10285db28c06c37252503e01c52458a463582d5211b7e183ae064a36b60f990971a5b14f8af3aaaacc4226be1c2e3e0bf38af53

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
8451a2c5daa42b25333b1b2089c5ea39

SHA1
700cc99ec8d3113435e657070d2d6bde0a833adc

SHA256
b8c8aedd84c363853db934a55087a3b730cf9dc758dea3dc3a98f54217f4c9d0

SHA512
6d2bad0e6ec7852d7b6d1a70a10285db28c06c37252503e01c52458a463582d5211b7e183ae064a36b60f990971a5b14f8af3aaaacc4226be1c2e3e0bf38af53

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
8451a2c5daa42b25333b1b2089c5ea39

SHA1
700cc99ec8d3113435e657070d2d6bde0a833adc

SHA256
b8c8aedd84c363853db934a55087a3b730cf9dc758dea3dc3a98f54217f4c9d0

SHA512
6d2bad0e6ec7852d7b6d1a70a10285db28c06c37252503e01c52458a463582d5211b7e183ae064a36b60f990971a5b14f8af3aaaacc4226be1c2e3e0bf38af53

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
memory/1524-181-0x0000000002290000-0x00000000022A2000-memory.dmp

Filesize
72KB

Download
memory/1524-197-0x0000000002290000-0x00000000022A2000-memory.dmp

Filesize
72KB

Download
memory/1524-203-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1524-167-0x0000000002290000-0x00000000022A2000-memory.dmp

Filesize
72KB

Download
memory/1524-166-0x0000000002290000-0x00000000022A2000-memory.dmp

Filesize
72KB

Download
memory/1524-169-0x0000000002290000-0x00000000022A2000-memory.dmp

Filesize
72KB

Download
memory/1524-171-0x0000000002290000-0x00000000022A2000-memory.dmp

Filesize
72KB

Download
memory/1524-173-0x0000000000550000-0x000000000057D000-memory.dmp

Filesize
180KB

Download
memory/1524-174-0x0000000002290000-0x00000000022A2000-memory.dmp

Filesize
72KB

Download
memory/1524-175-0x0000000004BA0000-0x0000000004BB0000-memory.dmp

Filesize
64KB

Download
memory/1524-177-0x0000000004BA0000-0x0000000004BB0000-memory.dmp

Filesize
64KB

Download
memory/1524-179-0x0000000002290000-0x00000000022A2000-memory.dmp

Filesize
72KB

Download
memory/1524-178-0x0000000004BA0000-0x0000000004BB0000-memory.dmp

Filesize
64KB

Download
memory/1524-202-0x0000000004BA0000-0x0000000004BB0000-memory.dmp

Filesize
64KB

Download
memory/1524-183-0x0000000002290000-0x00000000022A2000-memory.dmp

Filesize
72KB

Download
memory/1524-185-0x0000000002290000-0x00000000022A2000-memory.dmp

Filesize
72KB

Download
memory/1524-187-0x0000000002290000-0x00000000022A2000-memory.dmp

Filesize
72KB

Download
memory/1524-189-0x0000000002290000-0x00000000022A2000-memory.dmp

Filesize
72KB

Download
memory/1524-191-0x0000000002290000-0x00000000022A2000-memory.dmp

Filesize
72KB

Download
memory/1524-193-0x0000000002290000-0x00000000022A2000-memory.dmp

Filesize
72KB

Download
memory/1524-195-0x0000000002290000-0x00000000022A2000-memory.dmp

Filesize
72KB

Download
memory/1524-201-0x0000000004BA0000-0x0000000004BB0000-memory.dmp

Filesize
64KB

Download
memory/1524-198-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1524-199-0x0000000004BA0000-0x0000000004BB0000-memory.dmp

Filesize
64KB

Download
memory/2468-208-0x00000000007A0000-0x00000000007D5000-memory.dmp

Filesize
212KB

Download
memory/2468-222-0x0000000000400000-0x00000000006C4000-memory.dmp

Filesize
2.8MB

Download
memory/2988-256-0x0000000000400000-0x00000000006C4000-memory.dmp

Filesize
2.8MB

Download
memory/3920-224-0x0000000000400000-0x00000000006C4000-memory.dmp

Filesize
2.8MB

Download
memory/3920-251-0x0000000000400000-0x00000000006C4000-memory.dmp

Filesize
2.8MB

Download
memory/4208-148-0x000000000AAF0000-0x000000000B108000-memory.dmp

Filesize
6.1MB

Download
memory/4208-149-0x000000000A630000-0x000000000A73A000-memory.dmp

Filesize
1.0MB

Download
memory/4208-154-0x000000000A9F0000-0x000000000AA82000-memory.dmp

Filesize
584KB

Download
memory/4208-153-0x000000000A8D0000-0x000000000A946000-memory.dmp

Filesize
472KB

Download
memory/4208-159-0x000000000BF40000-0x000000000C102000-memory.dmp

Filesize
1.8MB

Download
memory/4208-160-0x000000000C640000-0x000000000CB6C000-memory.dmp

Filesize
5.2MB

Download
memory/4208-155-0x000000000B6C0000-0x000000000BC64000-memory.dmp

Filesize
5.6MB

Download
memory/4208-151-0x0000000005040000-0x0000000005050000-memory.dmp

Filesize
64KB

Download
memory/4208-152-0x000000000A5C0000-0x000000000A5FC000-memory.dmp

Filesize
240KB

Download
memory/4208-150-0x000000000A560000-0x000000000A572000-memory.dmp

Filesize
72KB

Download
memory/4208-158-0x0000000005040000-0x0000000005050000-memory.dmp

Filesize
64KB

Download
memory/4208-156-0x000000000B210000-0x000000000B276000-memory.dmp

Filesize
408KB

Download
memory/4208-157-0x000000000B640000-0x000000000B690000-memory.dmp

Filesize
320KB

Download
memory/4208-147-0x00000000006B0000-0x00000000006E0000-memory.dmp

Filesize
192KB

Download
memory/4664-229-0x0000000000400000-0x00000000006C4000-memory.dmp

Filesize
2.8MB

Download