58bf169a128013b7c156210b57fa096dc14e60bcc0e01304cdc310a3aaf1131f

Analysis

max time kernel
147s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
04/05/2023, 13:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

58bf169a128013b7c156210b57fa096dc14e60bcc0e01304cdc310a3aaf1131f.exe
Size

599KB
MD5

6ab69335d6e1340b620d99a71ad76254
SHA1

0711e780552f60c1ba0e2c749e140a404781d751
SHA256

58bf169a128013b7c156210b57fa096dc14e60bcc0e01304cdc310a3aaf1131f
SHA512

fb2e273787a7a073cd75374fdc3718031178c1af5178538c6c115616912c8cfbded317f8ae2fbb225ce9c0503559aee317d37a7ac9df56cdbeeefb54561b2c71
SSDEEP

12288:+Mryy90EbJnhnMNrYDmVGYOaysZ3uzz5WG4Zn/hJpRKLmPNKPWpIIBLNSg:Yy7bphMNrYmVGYOanuzz5WG4Zn/mLCNZ

Score

10^/10

discovery evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	l7721269.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	l7721269.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	l7721269.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	l7721269.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	l7721269.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	l7721269.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	m6182356.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	oneetx.exe

Executes dropped EXE 7 IoCs

pid	Process
768	y3883083.exe
4128	k0589761.exe
1952	l7721269.exe
1072	m6182356.exe
4692	oneetx.exe
1176	oneetx.exe
3396	oneetx.exe

Loads dropped DLL 1 IoCs

pid	Process
5100	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	l7721269.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	l7721269.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	58bf169a128013b7c156210b57fa096dc14e60bcc0e01304cdc310a3aaf1131f.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y3883083.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y3883083.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	58bf169a128013b7c156210b57fa096dc14e60bcc0e01304cdc310a3aaf1131f.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 29 IoCs

pid	pid_target	Process	procid_target
3864	1072	WerFault.exe	85
2212	1072	WerFault.exe	85
4488	1072	WerFault.exe	85
100	1072	WerFault.exe	85
2700	1072	WerFault.exe	85
3408	1072	WerFault.exe	85
4584	1072	WerFault.exe	85
3224	1072	WerFault.exe	85
3960	1072	WerFault.exe	85
4532	1072	WerFault.exe	85
1360	4692	WerFault.exe	105
4624	4692	WerFault.exe	105
3780	4692	WerFault.exe	105
1540	4692	WerFault.exe	105
3640	4692	WerFault.exe	105
960	4692	WerFault.exe	105
4808	4692	WerFault.exe	105
3548	4692	WerFault.exe	105
1492	4692	WerFault.exe	105
4300	4692	WerFault.exe	105
3428	4692	WerFault.exe	105
4704	4692	WerFault.exe	105
2280	4692	WerFault.exe	105
5016	4692	WerFault.exe	105
768	1176	WerFault.exe	147
3372	4692	WerFault.exe	105
840	4692	WerFault.exe	105
3220	4692	WerFault.exe	105
2160	3396	WerFault.exe	157

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1260	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4128	k0589761.exe
4128	k0589761.exe
1952	l7721269.exe
1952	l7721269.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4128	k0589761.exe
Token: SeDebugPrivilege	1952	l7721269.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1072	m6182356.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4420 wrote to memory of 768	4420	58bf169a128013b7c156210b57fa096dc14e60bcc0e01304cdc310a3aaf1131f.exe	79
PID 4420 wrote to memory of 768	4420	58bf169a128013b7c156210b57fa096dc14e60bcc0e01304cdc310a3aaf1131f.exe	79
PID 4420 wrote to memory of 768	4420	58bf169a128013b7c156210b57fa096dc14e60bcc0e01304cdc310a3aaf1131f.exe	79
PID 768 wrote to memory of 4128	768	y3883083.exe	80
PID 768 wrote to memory of 4128	768	y3883083.exe	80
PID 768 wrote to memory of 4128	768	y3883083.exe	80
PID 768 wrote to memory of 1952	768	y3883083.exe	82
PID 768 wrote to memory of 1952	768	y3883083.exe	82
PID 768 wrote to memory of 1952	768	y3883083.exe	82
PID 4420 wrote to memory of 1072	4420	58bf169a128013b7c156210b57fa096dc14e60bcc0e01304cdc310a3aaf1131f.exe	85
PID 4420 wrote to memory of 1072	4420	58bf169a128013b7c156210b57fa096dc14e60bcc0e01304cdc310a3aaf1131f.exe	85
PID 4420 wrote to memory of 1072	4420	58bf169a128013b7c156210b57fa096dc14e60bcc0e01304cdc310a3aaf1131f.exe	85
PID 1072 wrote to memory of 4692	1072	m6182356.exe	105
PID 1072 wrote to memory of 4692	1072	m6182356.exe	105
PID 1072 wrote to memory of 4692	1072	m6182356.exe	105
PID 4692 wrote to memory of 1260	4692	oneetx.exe	123
PID 4692 wrote to memory of 1260	4692	oneetx.exe	123
PID 4692 wrote to memory of 1260	4692	oneetx.exe	123
PID 4692 wrote to memory of 3300	4692	oneetx.exe	129
PID 4692 wrote to memory of 3300	4692	oneetx.exe	129
PID 4692 wrote to memory of 3300	4692	oneetx.exe	129
PID 3300 wrote to memory of 4596	3300	cmd.exe	132
PID 3300 wrote to memory of 4596	3300	cmd.exe	132
PID 3300 wrote to memory of 4596	3300	cmd.exe	132
PID 3300 wrote to memory of 1604	3300	cmd.exe	134
PID 3300 wrote to memory of 1604	3300	cmd.exe	134
PID 3300 wrote to memory of 1604	3300	cmd.exe	134
PID 3300 wrote to memory of 624	3300	cmd.exe	135
PID 3300 wrote to memory of 624	3300	cmd.exe	135
PID 3300 wrote to memory of 624	3300	cmd.exe	135
PID 3300 wrote to memory of 1676	3300	cmd.exe	136
PID 3300 wrote to memory of 1676	3300	cmd.exe	136
PID 3300 wrote to memory of 1676	3300	cmd.exe	136
PID 3300 wrote to memory of 1416	3300	cmd.exe	137
PID 3300 wrote to memory of 1416	3300	cmd.exe	137
PID 3300 wrote to memory of 1416	3300	cmd.exe	137
PID 3300 wrote to memory of 4964	3300	cmd.exe	138
PID 3300 wrote to memory of 4964	3300	cmd.exe	138
PID 3300 wrote to memory of 4964	3300	cmd.exe	138
PID 4692 wrote to memory of 5100	4692	oneetx.exe	152
PID 4692 wrote to memory of 5100	4692	oneetx.exe	152
PID 4692 wrote to memory of 5100	4692	oneetx.exe	152

C:\Users\Admin\AppData\Local\Temp\58bf169a128013b7c156210b57fa096dc14e60bcc0e01304cdc310a3aaf1131f.exe
"C:\Users\Admin\AppData\Local\Temp\58bf169a128013b7c156210b57fa096dc14e60bcc0e01304cdc310a3aaf1131f.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4420
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3883083.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3883083.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:768
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0589761.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0589761.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4128
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l7721269.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l7721269.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1952
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\m6182356.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\m6182356.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1072
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1072 -s 696
    3⤵
    - Program crash
    PID:3864
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1072 -s 772
    3⤵
    - Program crash
    PID:2212
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1072 -s 796
    3⤵
    - Program crash
    PID:4488
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1072 -s 804
    3⤵
    - Program crash
    PID:100
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1072 -s 800
    3⤵
    - Program crash
    PID:2700
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1072 -s 800
    3⤵
    - Program crash
    PID:3408
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1072 -s 1220
    3⤵
    - Program crash
    PID:4584
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1072 -s 1212
    3⤵
    - Program crash
    PID:3224
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1072 -s 1320
    3⤵
    - Program crash
    PID:3960
- - C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
    "C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4692
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4692 -s 692
      4⤵
      Program crash
      PID:1360
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4692 -s 836
      4⤵
      Program crash
      PID:4624
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4692 -s 920
      4⤵
      Program crash
      PID:3780
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4692 -s 1060
      4⤵
      Program crash
      PID:1540
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4692 -s 1092
      4⤵
      Program crash
      PID:3640
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4692 -s 1080
      4⤵
      Program crash
      PID:960
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4692 -s 1108
      4⤵
      Program crash
      PID:4808
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe" /F
      4⤵
      Creates scheduled task(s)
      PID:1260
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4692 -s 992
      4⤵
      Program crash
      PID:3548
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4692 -s 780
      4⤵
      Program crash
      PID:1492
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\c3912af058" /P "Admin:N"&&CACLS "..\c3912af058" /P "Admin:R" /E&&Exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3300
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:4596
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "oneetx.exe" /P "Admin:N"
        5⤵
        
        PID:1604
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "oneetx.exe" /P "Admin:R" /E
        5⤵
        
        PID:624
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:1676
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\c3912af058" /P "Admin:N"
        5⤵
        
        PID:1416
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\c3912af058" /P "Admin:R" /E
        5⤵
        
        PID:4964
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4692 -s 1264
      4⤵
      Program crash
      PID:4300
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4692 -s 768
      4⤵
      Program crash
      PID:3428
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4692 -s 720
      4⤵
      Program crash
      PID:4704
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4692 -s 992
      4⤵
      Program crash
      PID:2280
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4692 -s 1048
      4⤵
      Program crash
      PID:5016
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4692 -s 1608
      4⤵
      Program crash
      PID:3372
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
      4⤵
      Loads dropped DLL
      PID:5100
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4692 -s 1128
      4⤵
      Program crash
      PID:840
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4692 -s 1620
      4⤵
      Program crash
      PID:3220
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1072 -s 1360
    3⤵
    - Program crash
    PID:4532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 204 -p 1072 -ip 1072
1⤵
PID:4108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 1072 -ip 1072
1⤵
PID:3372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1072 -ip 1072
1⤵
PID:2548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 204 -p 1072 -ip 1072
1⤵
PID:4112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 1072 -ip 1072
1⤵
PID:2100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1072 -ip 1072
1⤵
PID:4812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1072 -ip 1072
1⤵
PID:4492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1072 -ip 1072
1⤵
PID:4888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1072 -ip 1072
1⤵
PID:1668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1072 -ip 1072
1⤵
PID:456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4692 -ip 4692
1⤵
PID:4144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4692 -ip 4692
1⤵
PID:4412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4692 -ip 4692
1⤵
PID:2496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4692 -ip 4692
1⤵
PID:3792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4692 -ip 4692
1⤵
PID:1112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4692 -ip 4692
1⤵
PID:2676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4692 -ip 4692
1⤵
PID:2244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4692 -ip 4692
1⤵
PID:1172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 204 -p 4692 -ip 4692
1⤵
PID:1484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4692 -ip 4692
1⤵
PID:4272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4692 -ip 4692
1⤵
PID:4736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 204 -p 4692 -ip 4692
1⤵
PID:2148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4692 -ip 4692
1⤵
PID:876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4692 -ip 4692
1⤵
PID:4768

C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
1⤵
- Executes dropped EXE
PID:1176
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1176 -s 312
  2⤵
  - Program crash
  PID:768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1176 -ip 1176
1⤵
PID:4544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4692 -ip 4692
1⤵
PID:1104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4692 -ip 4692
1⤵
PID:1460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 4692 -ip 4692
1⤵
PID:2100

C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
1⤵
- Executes dropped EXE
PID:3396
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3396 -s 312
  2⤵
  - Program crash
  PID:2160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3396 -ip 3396
1⤵
PID:4184

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\m6182356.exe

Filesize
340KB

MD5
10e7f85daf82ae486bf260b04552294d

SHA1
da57fab58cca5cb8d880bf75d8c931dab7a69200

SHA256
6948634886258f45a45e7feea95cf50b2f1bd0ed6d3736482e48faadc8597b96

SHA512
cf79898a2409c7f2865ad73ac9837a97558efa315b734c1207a795bff0722e95ceb3612d995cd3e60591b86ab4c3efe645a2838e4d98e42150e1164a856ff0a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\m6182356.exe

Filesize
340KB

MD5
10e7f85daf82ae486bf260b04552294d

SHA1
da57fab58cca5cb8d880bf75d8c931dab7a69200

SHA256
6948634886258f45a45e7feea95cf50b2f1bd0ed6d3736482e48faadc8597b96

SHA512
cf79898a2409c7f2865ad73ac9837a97558efa315b734c1207a795bff0722e95ceb3612d995cd3e60591b86ab4c3efe645a2838e4d98e42150e1164a856ff0a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3883083.exe

Filesize
307KB

MD5
a17a8104bb44f425177f10d5eebc4c44

SHA1
7b92bcd19d4d27e7190dd6f3ecc70583531e352a

SHA256
c50cdc7ae197e2a04626885f692e1a3e3c6594f296bdece2ae81476a55544def

SHA512
b836da8a1e9fb1b779e4bf9ac93f3d2fc3e5eb6bae0253b71c0f43416d81fd21c0e73a6423036970dfef44e084572775961fbff476a6ce9ee17a3be44aec254f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3883083.exe

Filesize
307KB

MD5
a17a8104bb44f425177f10d5eebc4c44

SHA1
7b92bcd19d4d27e7190dd6f3ecc70583531e352a

SHA256
c50cdc7ae197e2a04626885f692e1a3e3c6594f296bdece2ae81476a55544def

SHA512
b836da8a1e9fb1b779e4bf9ac93f3d2fc3e5eb6bae0253b71c0f43416d81fd21c0e73a6423036970dfef44e084572775961fbff476a6ce9ee17a3be44aec254f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0589761.exe

Filesize
136KB

MD5
8bfdff2cb716aae9ce623f321a8240fc

SHA1
70f2e5dbf2418cd0de5c6ecbbc36305c7fc4176a

SHA256
d70d7f0ef6b2f83afc8e02fa2536b8a5fcb44a8b3a16d64d644001d1f264ebb1

SHA512
07a0469099b082d88d6d8e4a2dccc417ea59f8ae5eaa185e7f621b380974e0b3436a217e806029c595dea66f7e13d0678323ae86df8aa8d48d6327fcb5baae89

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0589761.exe

Filesize
136KB

MD5
8bfdff2cb716aae9ce623f321a8240fc

SHA1
70f2e5dbf2418cd0de5c6ecbbc36305c7fc4176a

SHA256
d70d7f0ef6b2f83afc8e02fa2536b8a5fcb44a8b3a16d64d644001d1f264ebb1

SHA512
07a0469099b082d88d6d8e4a2dccc417ea59f8ae5eaa185e7f621b380974e0b3436a217e806029c595dea66f7e13d0678323ae86df8aa8d48d6327fcb5baae89

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l7721269.exe

Filesize
175KB

MD5
ca5aa76d9f0ecb96d886843f2b0d5c9d

SHA1
3075f43b998e854b58d257d7f40b300adb84a7ea

SHA256
5ccdde50bf7b4d5dec3da04eae6366a57a49ff8af0a7b493665613601b054df4

SHA512
d930eeb2b80cdda997d8eda55a139a0d488d8194392db21a7e28e1573d273baf6d348ae22d6bb4cffede13790905b6522c398ddfbd09be1e9e1144895e5fcbeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l7721269.exe

Filesize
175KB

MD5
ca5aa76d9f0ecb96d886843f2b0d5c9d

SHA1
3075f43b998e854b58d257d7f40b300adb84a7ea

SHA256
5ccdde50bf7b4d5dec3da04eae6366a57a49ff8af0a7b493665613601b054df4

SHA512
d930eeb2b80cdda997d8eda55a139a0d488d8194392db21a7e28e1573d273baf6d348ae22d6bb4cffede13790905b6522c398ddfbd09be1e9e1144895e5fcbeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe

Filesize
340KB

MD5
10e7f85daf82ae486bf260b04552294d

SHA1
da57fab58cca5cb8d880bf75d8c931dab7a69200

SHA256
6948634886258f45a45e7feea95cf50b2f1bd0ed6d3736482e48faadc8597b96

SHA512
cf79898a2409c7f2865ad73ac9837a97558efa315b734c1207a795bff0722e95ceb3612d995cd3e60591b86ab4c3efe645a2838e4d98e42150e1164a856ff0a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe

Filesize
340KB

MD5
10e7f85daf82ae486bf260b04552294d

SHA1
da57fab58cca5cb8d880bf75d8c931dab7a69200

SHA256
6948634886258f45a45e7feea95cf50b2f1bd0ed6d3736482e48faadc8597b96

SHA512
cf79898a2409c7f2865ad73ac9837a97558efa315b734c1207a795bff0722e95ceb3612d995cd3e60591b86ab4c3efe645a2838e4d98e42150e1164a856ff0a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe

Filesize
340KB

MD5
10e7f85daf82ae486bf260b04552294d

SHA1
da57fab58cca5cb8d880bf75d8c931dab7a69200

SHA256
6948634886258f45a45e7feea95cf50b2f1bd0ed6d3736482e48faadc8597b96

SHA512
cf79898a2409c7f2865ad73ac9837a97558efa315b734c1207a795bff0722e95ceb3612d995cd3e60591b86ab4c3efe645a2838e4d98e42150e1164a856ff0a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe

Filesize
340KB

MD5
10e7f85daf82ae486bf260b04552294d

SHA1
da57fab58cca5cb8d880bf75d8c931dab7a69200

SHA256
6948634886258f45a45e7feea95cf50b2f1bd0ed6d3736482e48faadc8597b96

SHA512
cf79898a2409c7f2865ad73ac9837a97558efa315b734c1207a795bff0722e95ceb3612d995cd3e60591b86ab4c3efe645a2838e4d98e42150e1164a856ff0a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe

Filesize
340KB

MD5
10e7f85daf82ae486bf260b04552294d

SHA1
da57fab58cca5cb8d880bf75d8c931dab7a69200

SHA256
6948634886258f45a45e7feea95cf50b2f1bd0ed6d3736482e48faadc8597b96

SHA512
cf79898a2409c7f2865ad73ac9837a97558efa315b734c1207a795bff0722e95ceb3612d995cd3e60591b86ab4c3efe645a2838e4d98e42150e1164a856ff0a2

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
8451a2c5daa42b25333b1b2089c5ea39

SHA1
700cc99ec8d3113435e657070d2d6bde0a833adc

SHA256
b8c8aedd84c363853db934a55087a3b730cf9dc758dea3dc3a98f54217f4c9d0

SHA512
6d2bad0e6ec7852d7b6d1a70a10285db28c06c37252503e01c52458a463582d5211b7e183ae064a36b60f990971a5b14f8af3aaaacc4226be1c2e3e0bf38af53

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
8451a2c5daa42b25333b1b2089c5ea39

SHA1
700cc99ec8d3113435e657070d2d6bde0a833adc

SHA256
b8c8aedd84c363853db934a55087a3b730cf9dc758dea3dc3a98f54217f4c9d0

SHA512
6d2bad0e6ec7852d7b6d1a70a10285db28c06c37252503e01c52458a463582d5211b7e183ae064a36b60f990971a5b14f8af3aaaacc4226be1c2e3e0bf38af53

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
8451a2c5daa42b25333b1b2089c5ea39

SHA1
700cc99ec8d3113435e657070d2d6bde0a833adc

SHA256
b8c8aedd84c363853db934a55087a3b730cf9dc758dea3dc3a98f54217f4c9d0

SHA512
6d2bad0e6ec7852d7b6d1a70a10285db28c06c37252503e01c52458a463582d5211b7e183ae064a36b60f990971a5b14f8af3aaaacc4226be1c2e3e0bf38af53

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
memory/1072-201-0x0000000002320000-0x0000000002355000-memory.dmp

Filesize
212KB

Download
memory/1072-216-0x0000000000400000-0x00000000006EF000-memory.dmp

Filesize
2.9MB

Download
memory/1176-223-0x0000000000400000-0x00000000006EF000-memory.dmp

Filesize
2.9MB

Download
memory/1952-176-0x0000000002600000-0x0000000002612000-memory.dmp

Filesize
72KB

Download
memory/1952-195-0x0000000002760000-0x0000000002770000-memory.dmp

Filesize
64KB

Download
memory/1952-168-0x0000000002600000-0x0000000002612000-memory.dmp

Filesize
72KB

Download
memory/1952-170-0x0000000002600000-0x0000000002612000-memory.dmp

Filesize
72KB

Download
memory/1952-172-0x0000000002600000-0x0000000002612000-memory.dmp

Filesize
72KB

Download
memory/1952-174-0x0000000002600000-0x0000000002612000-memory.dmp

Filesize
72KB

Download
memory/1952-166-0x0000000002600000-0x0000000002612000-memory.dmp

Filesize
72KB

Download
memory/1952-178-0x0000000002600000-0x0000000002612000-memory.dmp

Filesize
72KB

Download
memory/1952-180-0x0000000002600000-0x0000000002612000-memory.dmp

Filesize
72KB

Download
memory/1952-182-0x0000000002600000-0x0000000002612000-memory.dmp

Filesize
72KB

Download
memory/1952-184-0x0000000002600000-0x0000000002612000-memory.dmp

Filesize
72KB

Download
memory/1952-186-0x0000000002600000-0x0000000002612000-memory.dmp

Filesize
72KB

Download
memory/1952-188-0x0000000002600000-0x0000000002612000-memory.dmp

Filesize
72KB

Download
memory/1952-190-0x0000000002600000-0x0000000002612000-memory.dmp

Filesize
72KB

Download
memory/1952-192-0x0000000002600000-0x0000000002612000-memory.dmp

Filesize
72KB

Download
memory/1952-193-0x0000000002760000-0x0000000002770000-memory.dmp

Filesize
64KB

Download
memory/1952-194-0x0000000002760000-0x0000000002770000-memory.dmp

Filesize
64KB

Download
memory/1952-165-0x0000000002600000-0x0000000002612000-memory.dmp

Filesize
72KB

Download
memory/3396-251-0x0000000000400000-0x00000000006EF000-memory.dmp

Filesize
2.9MB

Download
memory/4128-153-0x00000000080F0000-0x0000000008156000-memory.dmp

Filesize
408KB

Download
memory/4128-151-0x0000000007D60000-0x0000000007D9C000-memory.dmp

Filesize
240KB

Download
memory/4128-157-0x0000000008F40000-0x0000000008FB6000-memory.dmp

Filesize
472KB

Download
memory/4128-156-0x0000000008E40000-0x0000000008E90000-memory.dmp

Filesize
320KB

Download
memory/4128-155-0x0000000008CA0000-0x0000000008D32000-memory.dmp

Filesize
584KB

Download
memory/4128-154-0x0000000009170000-0x0000000009714000-memory.dmp

Filesize
5.6MB

Download
memory/4128-158-0x00000000098F0000-0x0000000009AB2000-memory.dmp

Filesize
1.8MB

Download
memory/4128-159-0x0000000009FF0000-0x000000000A51C000-memory.dmp

Filesize
5.2MB

Download
memory/4128-152-0x00000000080E0000-0x00000000080F0000-memory.dmp

Filesize
64KB

Download
memory/4128-160-0x0000000009060000-0x000000000907E000-memory.dmp

Filesize
120KB

Download
memory/4128-150-0x0000000007E30000-0x0000000007F3A000-memory.dmp

Filesize
1.0MB

Download
memory/4128-149-0x0000000007D00000-0x0000000007D12000-memory.dmp

Filesize
72KB

Download
memory/4128-148-0x0000000008280000-0x0000000008898000-memory.dmp

Filesize
6.1MB

Download
memory/4128-147-0x0000000000FF0000-0x0000000001018000-memory.dmp

Filesize
160KB

Download
memory/4692-244-0x0000000000400000-0x00000000006EF000-memory.dmp

Filesize
2.9MB

Download
memory/4692-217-0x0000000000400000-0x00000000006EF000-memory.dmp

Filesize
2.9MB

Download