49f526ce4c641388635284dd6f302683a94f710e61bf2400bc447b4e499529d0

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
04/05/2023, 15:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

49f526ce4c641388635284dd6f302683a94f710e61bf2400bc447b4e499529d0.exe
Size

599KB
MD5

8636d6eee03563f5c4ae50840e22d0fa
SHA1

f7dfa11e9cd9f42ec5a269a6d4e28278fa2bfd84
SHA256

49f526ce4c641388635284dd6f302683a94f710e61bf2400bc447b4e499529d0
SHA512

4009cdf485545c7f4dd614516e58681f7a46d93b2d214eff18e2f5f60faadf04650ed1d0480533d63176be9f1b275c7b108b0df946b33f208ad4c2b51a22647b
SSDEEP

12288:dMrey90NYYsHkEd6SooERFxgu3PyLxCYYdngBjbZiLfK0:/ySHGZUS6iu3PgMdgBJiL1

Score

10^/10

discovery evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	l4873944.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	l4873944.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	l4873944.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	l4873944.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	l4873944.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	l4873944.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	oneetx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	m7721107.exe

Executes dropped EXE 7 IoCs

pid	Process
5068	y4907012.exe
1800	k3163294.exe
3676	l4873944.exe
2572	m7721107.exe
5032	oneetx.exe
3432	oneetx.exe
1916	oneetx.exe

Loads dropped DLL 1 IoCs

pid	Process
844	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	l4873944.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	l4873944.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	49f526ce4c641388635284dd6f302683a94f710e61bf2400bc447b4e499529d0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	49f526ce4c641388635284dd6f302683a94f710e61bf2400bc447b4e499529d0.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y4907012.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y4907012.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 30 IoCs

pid	pid_target	Process	procid_target
2696	2572	WerFault.exe	92
4092	2572	WerFault.exe	92
1148	2572	WerFault.exe	92
4772	2572	WerFault.exe	92
2028	2572	WerFault.exe	92
3412	2572	WerFault.exe	92
3744	2572	WerFault.exe	92
376	2572	WerFault.exe	92
4940	2572	WerFault.exe	92
4036	2572	WerFault.exe	92
932	5032	WerFault.exe	112
1428	5032	WerFault.exe	112
3204	5032	WerFault.exe	112
1800	5032	WerFault.exe	112
2032	5032	WerFault.exe	112
3648	5032	WerFault.exe	112
2708	5032	WerFault.exe	112
3668	5032	WerFault.exe	112
232	5032	WerFault.exe	112
4436	5032	WerFault.exe	112
4828	5032	WerFault.exe	112
3600	5032	WerFault.exe	112
1696	5032	WerFault.exe	112
4092	5032	WerFault.exe	112
4788	5032	WerFault.exe	112
1884	3432	WerFault.exe	157
2500	5032	WerFault.exe	112
3596	5032	WerFault.exe	112
1948	5032	WerFault.exe	112
452	1916	WerFault.exe	167

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1812	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1800	k3163294.exe
1800	k3163294.exe
3676	l4873944.exe
3676	l4873944.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1800	k3163294.exe
Token: SeDebugPrivilege	3676	l4873944.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2572	m7721107.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2364 wrote to memory of 5068	2364	49f526ce4c641388635284dd6f302683a94f710e61bf2400bc447b4e499529d0.exe	83
PID 2364 wrote to memory of 5068	2364	49f526ce4c641388635284dd6f302683a94f710e61bf2400bc447b4e499529d0.exe	83
PID 2364 wrote to memory of 5068	2364	49f526ce4c641388635284dd6f302683a94f710e61bf2400bc447b4e499529d0.exe	83
PID 5068 wrote to memory of 1800	5068	y4907012.exe	84
PID 5068 wrote to memory of 1800	5068	y4907012.exe	84
PID 5068 wrote to memory of 1800	5068	y4907012.exe	84
PID 5068 wrote to memory of 3676	5068	y4907012.exe	88
PID 5068 wrote to memory of 3676	5068	y4907012.exe	88
PID 5068 wrote to memory of 3676	5068	y4907012.exe	88
PID 2364 wrote to memory of 2572	2364	49f526ce4c641388635284dd6f302683a94f710e61bf2400bc447b4e499529d0.exe	92
PID 2364 wrote to memory of 2572	2364	49f526ce4c641388635284dd6f302683a94f710e61bf2400bc447b4e499529d0.exe	92
PID 2364 wrote to memory of 2572	2364	49f526ce4c641388635284dd6f302683a94f710e61bf2400bc447b4e499529d0.exe	92
PID 2572 wrote to memory of 5032	2572	m7721107.exe	112
PID 2572 wrote to memory of 5032	2572	m7721107.exe	112
PID 2572 wrote to memory of 5032	2572	m7721107.exe	112
PID 5032 wrote to memory of 1812	5032	oneetx.exe	131
PID 5032 wrote to memory of 1812	5032	oneetx.exe	131
PID 5032 wrote to memory of 1812	5032	oneetx.exe	131
PID 5032 wrote to memory of 2480	5032	oneetx.exe	137
PID 5032 wrote to memory of 2480	5032	oneetx.exe	137
PID 5032 wrote to memory of 2480	5032	oneetx.exe	137
PID 2480 wrote to memory of 1996	2480	cmd.exe	140
PID 2480 wrote to memory of 1996	2480	cmd.exe	140
PID 2480 wrote to memory of 1996	2480	cmd.exe	140
PID 2480 wrote to memory of 2036	2480	cmd.exe	142
PID 2480 wrote to memory of 2036	2480	cmd.exe	142
PID 2480 wrote to memory of 2036	2480	cmd.exe	142
PID 2480 wrote to memory of 2804	2480	cmd.exe	143
PID 2480 wrote to memory of 2804	2480	cmd.exe	143
PID 2480 wrote to memory of 2804	2480	cmd.exe	143
PID 2480 wrote to memory of 2764	2480	cmd.exe	145
PID 2480 wrote to memory of 2764	2480	cmd.exe	145
PID 2480 wrote to memory of 2764	2480	cmd.exe	145
PID 2480 wrote to memory of 4728	2480	cmd.exe	144
PID 2480 wrote to memory of 4728	2480	cmd.exe	144
PID 2480 wrote to memory of 4728	2480	cmd.exe	144
PID 2480 wrote to memory of 2292	2480	cmd.exe	146
PID 2480 wrote to memory of 2292	2480	cmd.exe	146
PID 2480 wrote to memory of 2292	2480	cmd.exe	146
PID 5032 wrote to memory of 844	5032	oneetx.exe	162
PID 5032 wrote to memory of 844	5032	oneetx.exe	162
PID 5032 wrote to memory of 844	5032	oneetx.exe	162

C:\Users\Admin\AppData\Local\Temp\49f526ce4c641388635284dd6f302683a94f710e61bf2400bc447b4e499529d0.exe
"C:\Users\Admin\AppData\Local\Temp\49f526ce4c641388635284dd6f302683a94f710e61bf2400bc447b4e499529d0.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2364
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4907012.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4907012.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:5068
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3163294.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3163294.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1800
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l4873944.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l4873944.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3676
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\m7721107.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\m7721107.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2572
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2572 -s 696
    3⤵
    - Program crash
    PID:2696
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2572 -s 780
    3⤵
    - Program crash
    PID:4092
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2572 -s 808
    3⤵
    - Program crash
    PID:1148
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2572 -s 968
    3⤵
    - Program crash
    PID:4772
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2572 -s 976
    3⤵
    - Program crash
    PID:2028
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2572 -s 976
    3⤵
    - Program crash
    PID:3412
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2572 -s 1216
    3⤵
    - Program crash
    PID:3744
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2572 -s 1228
    3⤵
    - Program crash
    PID:376
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2572 -s 1312
    3⤵
    - Program crash
    PID:4940
- - C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
    "C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:5032
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5032 -s 692
      4⤵
      Program crash
      PID:932
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5032 -s 828
      4⤵
      Program crash
      PID:1428
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5032 -s 836
      4⤵
      Program crash
      PID:3204
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5032 -s 1052
      4⤵
      Program crash
      PID:1800
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5032 -s 1088
      4⤵
      Program crash
      PID:2032
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5032 -s 1084
      4⤵
      Program crash
      PID:3648
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5032 -s 1080
      4⤵
      Program crash
      PID:2708
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe" /F
      4⤵
      Creates scheduled task(s)
      PID:1812
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5032 -s 992
      4⤵
      Program crash
      PID:3668
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5032 -s 756
      4⤵
      Program crash
      PID:232
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\c3912af058" /P "Admin:N"&&CACLS "..\c3912af058" /P "Admin:R" /E&&Exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2480
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:1996
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "oneetx.exe" /P "Admin:N"
        5⤵
        
        PID:2036
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "oneetx.exe" /P "Admin:R" /E
        5⤵
        
        PID:2804
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\c3912af058" /P "Admin:N"
        5⤵
        
        PID:4728
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:2764
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\c3912af058" /P "Admin:R" /E
        5⤵
        
        PID:2292
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5032 -s 760
      4⤵
      Program crash
      PID:4436
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5032 -s 692
      4⤵
      Program crash
      PID:4828
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5032 -s 776
      4⤵
      Program crash
      PID:3600
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5032 -s 1260
      4⤵
      Program crash
      PID:1696
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5032 -s 1348
      4⤵
      Program crash
      PID:4092
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5032 -s 1136
      4⤵
      Program crash
      PID:4788
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5032 -s 1628
      4⤵
      Program crash
      PID:2500
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
      4⤵
      Loads dropped DLL
      PID:844
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5032 -s 1592
      4⤵
      Program crash
      PID:3596
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5032 -s 1648
      4⤵
      Program crash
      PID:1948
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2572 -s 1416
    3⤵
    - Program crash
    PID:4036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2572 -ip 2572
1⤵
PID:2648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2572 -ip 2572
1⤵
PID:2544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2572 -ip 2572
1⤵
PID:4084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2572 -ip 2572
1⤵
PID:3476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2572 -ip 2572
1⤵
PID:4792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2572 -ip 2572
1⤵
PID:2132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2572 -ip 2572
1⤵
PID:3524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2572 -ip 2572
1⤵
PID:4916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2572 -ip 2572
1⤵
PID:1264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2572 -ip 2572
1⤵
PID:5044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 5032 -ip 5032
1⤵
PID:3032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 5032 -ip 5032
1⤵
PID:4844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 5032 -ip 5032
1⤵
PID:3904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 5032 -ip 5032
1⤵
PID:2760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 5032 -ip 5032
1⤵
PID:2820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 5032 -ip 5032
1⤵
PID:1316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 5032 -ip 5032
1⤵
PID:2668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 5032 -ip 5032
1⤵
PID:3028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 5032 -ip 5032
1⤵
PID:2228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 5032 -ip 5032
1⤵
PID:3056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 5032 -ip 5032
1⤵
PID:1520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 5032 -ip 5032
1⤵
PID:2016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 5032 -ip 5032
1⤵
PID:5064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 5032 -ip 5032
1⤵
PID:4016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 5032 -ip 5032
1⤵
PID:4784

C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
1⤵
- Executes dropped EXE
PID:3432
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3432 -s 316
  2⤵
  - Program crash
  PID:1884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3432 -ip 3432
1⤵
PID:3428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 5032 -ip 5032
1⤵
PID:3744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 5032 -ip 5032
1⤵
PID:4652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 5032 -ip 5032
1⤵
PID:5072

C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
1⤵
- Executes dropped EXE
PID:1916
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1916 -s 316
  2⤵
  - Program crash
  PID:452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1916 -ip 1916
1⤵
PID:4036

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\m7721107.exe

Filesize
339KB

MD5
85b568a1212f66d788b66877bbdd21e9

SHA1
67d3b572141b73bea837a642426db983724cb4ae

SHA256
7a19e916cd2b430ac74b4b0ea26fb2fd835e4fdfc19cb38199125abaf5bee10a

SHA512
531d13d123e806b477622c17c719acd5f9933b34d0fd536e3be9755b8b80460546aef0a0fba60b155d1a123ffaa51fbee18dc441f1c0b40b86c77cbe131cfb51

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\m7721107.exe

Filesize
339KB

MD5
85b568a1212f66d788b66877bbdd21e9

SHA1
67d3b572141b73bea837a642426db983724cb4ae

SHA256
7a19e916cd2b430ac74b4b0ea26fb2fd835e4fdfc19cb38199125abaf5bee10a

SHA512
531d13d123e806b477622c17c719acd5f9933b34d0fd536e3be9755b8b80460546aef0a0fba60b155d1a123ffaa51fbee18dc441f1c0b40b86c77cbe131cfb51

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4907012.exe

Filesize
307KB

MD5
796fce2a66e4d28b8cd34fe3a7b92467

SHA1
df728c62556629028700b8489cb32522eda751ed

SHA256
20754b69e53559123b64bc2bc46ad570017891432a4077159ad144c1030d7c49

SHA512
d4ce00881fbc6c9b338ff71cd330e864c4cf2262a9fc0eadeba9878601a01060bc6aef8818a257ab9734cb284b1d77841ce4ecfc054b3b4900d651844e51dc28

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4907012.exe

Filesize
307KB

MD5
796fce2a66e4d28b8cd34fe3a7b92467

SHA1
df728c62556629028700b8489cb32522eda751ed

SHA256
20754b69e53559123b64bc2bc46ad570017891432a4077159ad144c1030d7c49

SHA512
d4ce00881fbc6c9b338ff71cd330e864c4cf2262a9fc0eadeba9878601a01060bc6aef8818a257ab9734cb284b1d77841ce4ecfc054b3b4900d651844e51dc28

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3163294.exe

Filesize
137KB

MD5
1195d46bcb9b76c05a29d56202f99d79

SHA1
798daa58eb5a4d824d914c39eb28f4f28d763459

SHA256
c5fdd9a159634d2842f6cff68dde5eafd29fa4296004af9299afaa7bb69f621b

SHA512
34b506cc1a3decae0deaf61f5f60f01fe4c7de30e40013bbdc0e225033e9f77b70399e91f75ea6d108691142de808750bc19c16c65f93df7ec5cd8d33531058c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3163294.exe

Filesize
137KB

MD5
1195d46bcb9b76c05a29d56202f99d79

SHA1
798daa58eb5a4d824d914c39eb28f4f28d763459

SHA256
c5fdd9a159634d2842f6cff68dde5eafd29fa4296004af9299afaa7bb69f621b

SHA512
34b506cc1a3decae0deaf61f5f60f01fe4c7de30e40013bbdc0e225033e9f77b70399e91f75ea6d108691142de808750bc19c16c65f93df7ec5cd8d33531058c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l4873944.exe

Filesize
175KB

MD5
98e489b5f3921bb3a1568068e0745f93

SHA1
cd00a08df70384df1c29901fe8e28da238e7e3b6

SHA256
04cb8718e6db2bcfbfcb3a72ab84992bc34f160cae487bf4ae8be6ae82019fd5

SHA512
dec95d78611491c7fce7b4bf95f8201e18ced095ea2941ba0a2beba9e5d7467ef156743244bb7f3c0c8f1423a257905f71925d9391d232d1e8391fdc57892ebe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l4873944.exe

Filesize
175KB

MD5
98e489b5f3921bb3a1568068e0745f93

SHA1
cd00a08df70384df1c29901fe8e28da238e7e3b6

SHA256
04cb8718e6db2bcfbfcb3a72ab84992bc34f160cae487bf4ae8be6ae82019fd5

SHA512
dec95d78611491c7fce7b4bf95f8201e18ced095ea2941ba0a2beba9e5d7467ef156743244bb7f3c0c8f1423a257905f71925d9391d232d1e8391fdc57892ebe

Download Submit
C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe

Filesize
339KB

MD5
85b568a1212f66d788b66877bbdd21e9

SHA1
67d3b572141b73bea837a642426db983724cb4ae

SHA256
7a19e916cd2b430ac74b4b0ea26fb2fd835e4fdfc19cb38199125abaf5bee10a

SHA512
531d13d123e806b477622c17c719acd5f9933b34d0fd536e3be9755b8b80460546aef0a0fba60b155d1a123ffaa51fbee18dc441f1c0b40b86c77cbe131cfb51

Download Submit
C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe

Filesize
339KB

MD5
85b568a1212f66d788b66877bbdd21e9

SHA1
67d3b572141b73bea837a642426db983724cb4ae

SHA256
7a19e916cd2b430ac74b4b0ea26fb2fd835e4fdfc19cb38199125abaf5bee10a

SHA512
531d13d123e806b477622c17c719acd5f9933b34d0fd536e3be9755b8b80460546aef0a0fba60b155d1a123ffaa51fbee18dc441f1c0b40b86c77cbe131cfb51

Download Submit
C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe

Filesize
339KB

MD5
85b568a1212f66d788b66877bbdd21e9

SHA1
67d3b572141b73bea837a642426db983724cb4ae

SHA256
7a19e916cd2b430ac74b4b0ea26fb2fd835e4fdfc19cb38199125abaf5bee10a

SHA512
531d13d123e806b477622c17c719acd5f9933b34d0fd536e3be9755b8b80460546aef0a0fba60b155d1a123ffaa51fbee18dc441f1c0b40b86c77cbe131cfb51

Download Submit
C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe

Filesize
339KB

MD5
85b568a1212f66d788b66877bbdd21e9

SHA1
67d3b572141b73bea837a642426db983724cb4ae

SHA256
7a19e916cd2b430ac74b4b0ea26fb2fd835e4fdfc19cb38199125abaf5bee10a

SHA512
531d13d123e806b477622c17c719acd5f9933b34d0fd536e3be9755b8b80460546aef0a0fba60b155d1a123ffaa51fbee18dc441f1c0b40b86c77cbe131cfb51

Download Submit
C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe

Filesize
339KB

MD5
85b568a1212f66d788b66877bbdd21e9

SHA1
67d3b572141b73bea837a642426db983724cb4ae

SHA256
7a19e916cd2b430ac74b4b0ea26fb2fd835e4fdfc19cb38199125abaf5bee10a

SHA512
531d13d123e806b477622c17c719acd5f9933b34d0fd536e3be9755b8b80460546aef0a0fba60b155d1a123ffaa51fbee18dc441f1c0b40b86c77cbe131cfb51

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
8451a2c5daa42b25333b1b2089c5ea39

SHA1
700cc99ec8d3113435e657070d2d6bde0a833adc

SHA256
b8c8aedd84c363853db934a55087a3b730cf9dc758dea3dc3a98f54217f4c9d0

SHA512
6d2bad0e6ec7852d7b6d1a70a10285db28c06c37252503e01c52458a463582d5211b7e183ae064a36b60f990971a5b14f8af3aaaacc4226be1c2e3e0bf38af53

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
8451a2c5daa42b25333b1b2089c5ea39

SHA1
700cc99ec8d3113435e657070d2d6bde0a833adc

SHA256
b8c8aedd84c363853db934a55087a3b730cf9dc758dea3dc3a98f54217f4c9d0

SHA512
6d2bad0e6ec7852d7b6d1a70a10285db28c06c37252503e01c52458a463582d5211b7e183ae064a36b60f990971a5b14f8af3aaaacc4226be1c2e3e0bf38af53

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
8451a2c5daa42b25333b1b2089c5ea39

SHA1
700cc99ec8d3113435e657070d2d6bde0a833adc

SHA256
b8c8aedd84c363853db934a55087a3b730cf9dc758dea3dc3a98f54217f4c9d0

SHA512
6d2bad0e6ec7852d7b6d1a70a10285db28c06c37252503e01c52458a463582d5211b7e183ae064a36b60f990971a5b14f8af3aaaacc4226be1c2e3e0bf38af53

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
memory/1800-156-0x00000000089F0000-0x0000000008A66000-memory.dmp

Filesize
472KB

Download
memory/1800-154-0x0000000008D20000-0x00000000092C4000-memory.dmp

Filesize
5.6MB

Download
memory/1800-159-0x0000000008B70000-0x0000000008B8E000-memory.dmp

Filesize
120KB

Download
memory/1800-158-0x00000000099D0000-0x0000000009EFC000-memory.dmp

Filesize
5.2MB

Download
memory/1800-147-0x0000000000A50000-0x0000000000A78000-memory.dmp

Filesize
160KB

Download
memory/1800-148-0x0000000007E50000-0x0000000008468000-memory.dmp

Filesize
6.1MB

Download
memory/1800-149-0x00000000078A0000-0x00000000078B2000-memory.dmp

Filesize
72KB

Download
memory/1800-150-0x00000000079D0000-0x0000000007ADA000-memory.dmp

Filesize
1.0MB

Download
memory/1800-151-0x0000000007900000-0x000000000793C000-memory.dmp

Filesize
240KB

Download
memory/1800-157-0x00000000092D0000-0x0000000009492000-memory.dmp

Filesize
1.8MB

Download
memory/1800-152-0x0000000007990000-0x00000000079A0000-memory.dmp

Filesize
64KB

Download
memory/1800-155-0x0000000008850000-0x00000000088E2000-memory.dmp

Filesize
584KB

Download
memory/1800-153-0x0000000007C60000-0x0000000007CC6000-memory.dmp

Filesize
408KB

Download
memory/1800-160-0x0000000008BC0000-0x0000000008C10000-memory.dmp

Filesize
320KB

Download
memory/1916-251-0x0000000000400000-0x00000000006EF000-memory.dmp

Filesize
2.9MB

Download
memory/2572-216-0x0000000000400000-0x00000000006EF000-memory.dmp

Filesize
2.9MB

Download
memory/2572-201-0x0000000002330000-0x0000000002365000-memory.dmp

Filesize
212KB

Download
memory/3432-223-0x0000000000400000-0x00000000006EF000-memory.dmp

Filesize
2.9MB

Download
memory/3676-194-0x0000000004930000-0x0000000004940000-memory.dmp

Filesize
64KB

Download
memory/3676-180-0x0000000004F10000-0x0000000004F22000-memory.dmp

Filesize
72KB

Download
memory/3676-195-0x0000000004930000-0x0000000004940000-memory.dmp

Filesize
64KB

Download
memory/3676-192-0x0000000004F10000-0x0000000004F22000-memory.dmp

Filesize
72KB

Download
memory/3676-190-0x0000000004F10000-0x0000000004F22000-memory.dmp

Filesize
72KB

Download
memory/3676-186-0x0000000004F10000-0x0000000004F22000-memory.dmp

Filesize
72KB

Download
memory/3676-188-0x0000000004F10000-0x0000000004F22000-memory.dmp

Filesize
72KB

Download
memory/3676-184-0x0000000004F10000-0x0000000004F22000-memory.dmp

Filesize
72KB

Download
memory/3676-182-0x0000000004F10000-0x0000000004F22000-memory.dmp

Filesize
72KB

Download
memory/3676-193-0x0000000004930000-0x0000000004940000-memory.dmp

Filesize
64KB

Download
memory/3676-166-0x0000000004F10000-0x0000000004F22000-memory.dmp

Filesize
72KB

Download
memory/3676-178-0x0000000004F10000-0x0000000004F22000-memory.dmp

Filesize
72KB

Download
memory/3676-176-0x0000000004F10000-0x0000000004F22000-memory.dmp

Filesize
72KB

Download
memory/3676-174-0x0000000004F10000-0x0000000004F22000-memory.dmp

Filesize
72KB

Download
memory/3676-172-0x0000000004F10000-0x0000000004F22000-memory.dmp

Filesize
72KB

Download
memory/3676-170-0x0000000004F10000-0x0000000004F22000-memory.dmp

Filesize
72KB

Download
memory/3676-168-0x0000000004F10000-0x0000000004F22000-memory.dmp

Filesize
72KB

Download
memory/3676-165-0x0000000004F10000-0x0000000004F22000-memory.dmp

Filesize
72KB

Download
memory/5032-244-0x0000000000400000-0x00000000006EF000-memory.dmp

Filesize
2.9MB

Download
memory/5032-217-0x0000000000400000-0x00000000006EF000-memory.dmp

Filesize
2.9MB

Download