redline | 759aa53d2eb60b3b4931ba156b5f43893468567db2bdc65f3c0419b36e3aae7f

Analysis

max time kernel
143s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
05/05/2023, 18:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

759aa53d2eb60b3b4931ba156b5f43893468567db2bdc65f3c0419b36e3aae7f.exe
Size

566KB
MD5

a6377434b1719c4ea3ffcd8c60ef78f3
SHA1

49eceeb4d7b25bb0005cdc964e7d0a73c924f49a
SHA256

759aa53d2eb60b3b4931ba156b5f43893468567db2bdc65f3c0419b36e3aae7f
SHA512

eb10d8f495fcc931f0700f0d05e6f528317eb84e55ce7be148405d059b3b0153ebda971ef5f166903b24c2f3770fcb26c4d40f82ec06d641fc1bf1c516ff9d1e
SSDEEP

12288:GMrSy90lO7xCcHMgtfMSFkzlii9bd2yHMfFkZr:EyIyxCUM6UbzLbd26iFkx

Score

10^/10

redline darm discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

darm

217.196.96.56:4138

Attributes

auth_value
d88ac8ccc04ab9979b04b46313db1648

Signatures

Detects Redline Stealer samples 3 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/3936-148-0x000000000B030000-0x000000000B648000-memory.dmp	redline_stealer
behavioral2/memory/3936-155-0x000000000AEA0000-0x000000000AF06000-memory.dmp	redline_stealer
behavioral2/memory/3936-157-0x000000000C5B0000-0x000000000C772000-memory.dmp	redline_stealer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	l0681982.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	l0681982.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	l0681982.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	l0681982.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	l0681982.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	l0681982.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Control Panel\International\Geo\Nation	oneetx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Control Panel\International\Geo\Nation	m5482529.exe

Executes dropped EXE 7 IoCs

pid	Process
4256	y3521641.exe
3936	k6469637.exe
2796	l0681982.exe
228	m5482529.exe
3868	oneetx.exe
4352	oneetx.exe
4840	oneetx.exe

Loads dropped DLL 1 IoCs

pid	Process
4344	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	l0681982.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	l0681982.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	759aa53d2eb60b3b4931ba156b5f43893468567db2bdc65f3c0419b36e3aae7f.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y3521641.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y3521641.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	759aa53d2eb60b3b4931ba156b5f43893468567db2bdc65f3c0419b36e3aae7f.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 29 IoCs

pid	pid_target	Process	procid_target
4704	228	WerFault.exe	86
3912	228	WerFault.exe	86
4192	228	WerFault.exe	86
4012	228	WerFault.exe	86
2132	228	WerFault.exe	86
2400	228	WerFault.exe	86
4924	228	WerFault.exe	86
3336	228	WerFault.exe	86
968	228	WerFault.exe	86
2316	228	WerFault.exe	86
3632	3868	WerFault.exe	106
4328	3868	WerFault.exe	106
5068	3868	WerFault.exe	106
3740	3868	WerFault.exe	106
3688	3868	WerFault.exe	106
2480	3868	WerFault.exe	106
4804	3868	WerFault.exe	106
2820	3868	WerFault.exe	106
4824	3868	WerFault.exe	106
2836	3868	WerFault.exe	106
372	3868	WerFault.exe	106
4608	3868	WerFault.exe	106
4008	3868	WerFault.exe	106
4348	3868	WerFault.exe	106
2792	4352	WerFault.exe	147
768	3868	WerFault.exe	106
4196	3868	WerFault.exe	106
1964	3868	WerFault.exe	106
3352	4840	WerFault.exe	157

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
5012	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3936	k6469637.exe
3936	k6469637.exe
2796	l0681982.exe
2796	l0681982.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3936	k6469637.exe
Token: SeDebugPrivilege	2796	l0681982.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
228	m5482529.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 3680 wrote to memory of 4256	3680	759aa53d2eb60b3b4931ba156b5f43893468567db2bdc65f3c0419b36e3aae7f.exe	83
PID 3680 wrote to memory of 4256	3680	759aa53d2eb60b3b4931ba156b5f43893468567db2bdc65f3c0419b36e3aae7f.exe	83
PID 3680 wrote to memory of 4256	3680	759aa53d2eb60b3b4931ba156b5f43893468567db2bdc65f3c0419b36e3aae7f.exe	83
PID 4256 wrote to memory of 3936	4256	y3521641.exe	84
PID 4256 wrote to memory of 3936	4256	y3521641.exe	84
PID 4256 wrote to memory of 3936	4256	y3521641.exe	84
PID 4256 wrote to memory of 2796	4256	y3521641.exe	85
PID 4256 wrote to memory of 2796	4256	y3521641.exe	85
PID 4256 wrote to memory of 2796	4256	y3521641.exe	85
PID 3680 wrote to memory of 228	3680	759aa53d2eb60b3b4931ba156b5f43893468567db2bdc65f3c0419b36e3aae7f.exe	86
PID 3680 wrote to memory of 228	3680	759aa53d2eb60b3b4931ba156b5f43893468567db2bdc65f3c0419b36e3aae7f.exe	86
PID 3680 wrote to memory of 228	3680	759aa53d2eb60b3b4931ba156b5f43893468567db2bdc65f3c0419b36e3aae7f.exe	86
PID 228 wrote to memory of 3868	228	m5482529.exe	106
PID 228 wrote to memory of 3868	228	m5482529.exe	106
PID 228 wrote to memory of 3868	228	m5482529.exe	106
PID 3868 wrote to memory of 5012	3868	oneetx.exe	123
PID 3868 wrote to memory of 5012	3868	oneetx.exe	123
PID 3868 wrote to memory of 5012	3868	oneetx.exe	123
PID 3868 wrote to memory of 556	3868	oneetx.exe	129
PID 3868 wrote to memory of 556	3868	oneetx.exe	129
PID 3868 wrote to memory of 556	3868	oneetx.exe	129
PID 556 wrote to memory of 4000	556	cmd.exe	133
PID 556 wrote to memory of 4000	556	cmd.exe	133
PID 556 wrote to memory of 4000	556	cmd.exe	133
PID 556 wrote to memory of 2640	556	cmd.exe	134
PID 556 wrote to memory of 2640	556	cmd.exe	134
PID 556 wrote to memory of 2640	556	cmd.exe	134
PID 556 wrote to memory of 4552	556	cmd.exe	135
PID 556 wrote to memory of 4552	556	cmd.exe	135
PID 556 wrote to memory of 4552	556	cmd.exe	135
PID 556 wrote to memory of 4920	556	cmd.exe	136
PID 556 wrote to memory of 4920	556	cmd.exe	136
PID 556 wrote to memory of 4920	556	cmd.exe	136
PID 556 wrote to memory of 1944	556	cmd.exe	137
PID 556 wrote to memory of 1944	556	cmd.exe	137
PID 556 wrote to memory of 1944	556	cmd.exe	137
PID 556 wrote to memory of 1404	556	cmd.exe	138
PID 556 wrote to memory of 1404	556	cmd.exe	138
PID 556 wrote to memory of 1404	556	cmd.exe	138
PID 3868 wrote to memory of 4344	3868	oneetx.exe	152
PID 3868 wrote to memory of 4344	3868	oneetx.exe	152
PID 3868 wrote to memory of 4344	3868	oneetx.exe	152

C:\Users\Admin\AppData\Local\Temp\759aa53d2eb60b3b4931ba156b5f43893468567db2bdc65f3c0419b36e3aae7f.exe
"C:\Users\Admin\AppData\Local\Temp\759aa53d2eb60b3b4931ba156b5f43893468567db2bdc65f3c0419b36e3aae7f.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3680
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3521641.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3521641.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4256
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k6469637.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k6469637.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3936
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l0681982.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l0681982.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2796
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\m5482529.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\m5482529.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:228
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 228 -s 696
    3⤵
    - Program crash
    PID:4704
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 228 -s 764
    3⤵
    - Program crash
    PID:3912
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 228 -s 796
    3⤵
    - Program crash
    PID:4192
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 228 -s 976
    3⤵
    - Program crash
    PID:4012
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 228 -s 808
    3⤵
    - Program crash
    PID:2132
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 228 -s 968
    3⤵
    - Program crash
    PID:2400
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 228 -s 1216
    3⤵
    - Program crash
    PID:4924
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 228 -s 1228
    3⤵
    - Program crash
    PID:3336
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 228 -s 1332
    3⤵
    - Program crash
    PID:968
- - C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
    "C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3868
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3868 -s 692
      4⤵
      Program crash
      PID:3632
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3868 -s 840
      4⤵
      Program crash
      PID:4328
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3868 -s 892
      4⤵
      Program crash
      PID:5068
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3868 -s 1052
      4⤵
      Program crash
      PID:3740
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3868 -s 1096
      4⤵
      Program crash
      PID:3688
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3868 -s 1104
      4⤵
      Program crash
      PID:2480
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3868 -s 1052
      4⤵
      Program crash
      PID:4804
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe" /F
      4⤵
      Creates scheduled task(s)
      PID:5012
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3868 -s 840
      4⤵
      Program crash
      PID:2820
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3868 -s 764
      4⤵
      Program crash
      PID:4824
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\c3912af058" /P "Admin:N"&&CACLS "..\c3912af058" /P "Admin:R" /E&&Exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:556
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:4000
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "oneetx.exe" /P "Admin:N"
        5⤵
        
        PID:2640
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "oneetx.exe" /P "Admin:R" /E
        5⤵
        
        PID:4552
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:4920
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\c3912af058" /P "Admin:N"
        5⤵
        
        PID:1944
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\c3912af058" /P "Admin:R" /E
        5⤵
        
        PID:1404
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3868 -s 1336
      4⤵
      Program crash
      PID:2836
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3868 -s 1312
      4⤵
      Program crash
      PID:372
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3868 -s 1292
      4⤵
      Program crash
      PID:4608
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3868 -s 768
      4⤵
      Program crash
      PID:4008
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3868 -s 1136
      4⤵
      Program crash
      PID:4348
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3868 -s 1648
      4⤵
      Program crash
      PID:768
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
      4⤵
      Loads dropped DLL
      PID:4344
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3868 -s 1580
      4⤵
      Program crash
      PID:4196
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3868 -s 1664
      4⤵
      Program crash
      PID:1964
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 228 -s 752
    3⤵
    - Program crash
    PID:2316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 228 -ip 228
1⤵
PID:3628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 228 -ip 228
1⤵
PID:2792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 228 -ip 228
1⤵
PID:2148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 228 -ip 228
1⤵
PID:4492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 228 -ip 228
1⤵
PID:5028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 228 -ip 228
1⤵
PID:4340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 228 -ip 228
1⤵
PID:4868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 228 -ip 228
1⤵
PID:4904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 228 -ip 228
1⤵
PID:4484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 228 -ip 228
1⤵
PID:4596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3868 -ip 3868
1⤵
PID:5048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3868 -ip 3868
1⤵
PID:2360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3868 -ip 3868
1⤵
PID:2484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3868 -ip 3868
1⤵
PID:4188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3868 -ip 3868
1⤵
PID:1416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3868 -ip 3868
1⤵
PID:1592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3868 -ip 3868
1⤵
PID:964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3868 -ip 3868
1⤵
PID:552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3868 -ip 3868
1⤵
PID:4588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3868 -ip 3868
1⤵
PID:3668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 3868 -ip 3868
1⤵
PID:2188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3868 -ip 3868
1⤵
PID:3376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 3868 -ip 3868
1⤵
PID:2088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3868 -ip 3868
1⤵
PID:2796

C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
1⤵
- Executes dropped EXE
PID:4352
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4352 -s 312
  2⤵
  - Program crash
  PID:2792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4352 -ip 4352
1⤵
PID:3416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3868 -ip 3868
1⤵
PID:816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 3868 -ip 3868
1⤵
PID:4172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 3868 -ip 3868
1⤵
PID:4100

C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
1⤵
- Executes dropped EXE
PID:4840
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4840 -s 324
  2⤵
  - Program crash
  PID:3352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 4840 -ip 4840
1⤵
PID:1828

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\m5482529.exe

Filesize
268KB

MD5
12495987e79d7d1e6eb824352b458bd4

SHA1
5900c594a711e82b5dd3f8dbebc3cc0e9b71b97c

SHA256
351dd0da9a2925a453d0ca91e3414b4ee999c8315fe134a319206a62e7b3f051

SHA512
a495051f539e8c3c9e0b81b64c880c28d721c229b4dcafa2644686b4aff7268f17163ef5939c2edde6fc390a4aba45ee74b6554a16b22ca6f518089b8adcf0c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\m5482529.exe

Filesize
268KB

MD5
12495987e79d7d1e6eb824352b458bd4

SHA1
5900c594a711e82b5dd3f8dbebc3cc0e9b71b97c

SHA256
351dd0da9a2925a453d0ca91e3414b4ee999c8315fe134a319206a62e7b3f051

SHA512
a495051f539e8c3c9e0b81b64c880c28d721c229b4dcafa2644686b4aff7268f17163ef5939c2edde6fc390a4aba45ee74b6554a16b22ca6f518089b8adcf0c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3521641.exe

Filesize
308KB

MD5
804a94a9eba2897e1cf8782f95ce4129

SHA1
8364112898b6c96d31db770141a972b4213b59ab

SHA256
6685f7ab0d0c3d70dfa715665f01707e70ad2af4344a37c133569bff765d061e

SHA512
cfe179b16d0ffda0e50dbf3f4f9e43ce6e2ef5d88682e8d524d97f181f428dc410c5a72ef54bfbbbd4dbea868ccca253da55be9991ac0aaa570c9a80bcf14f17

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3521641.exe

Filesize
308KB

MD5
804a94a9eba2897e1cf8782f95ce4129

SHA1
8364112898b6c96d31db770141a972b4213b59ab

SHA256
6685f7ab0d0c3d70dfa715665f01707e70ad2af4344a37c133569bff765d061e

SHA512
cfe179b16d0ffda0e50dbf3f4f9e43ce6e2ef5d88682e8d524d97f181f428dc410c5a72ef54bfbbbd4dbea868ccca253da55be9991ac0aaa570c9a80bcf14f17

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k6469637.exe

Filesize
168KB

MD5
a29d65f05d530bfa0f83d075884aab31

SHA1
cfa891bd85f334f09476182c855710180738f2bc

SHA256
712f88570df72daa7e6046907855be639b21f157d8f876ff8e43aa154f55a3e0

SHA512
ddcdf6798211ecf9129fff6e7ca464d7bcdf02ac39ac2af3edf1b7a825435a16e1adf0ea52e9abbb55f08eb36f6fa6f4164b63d6d784cf0c6dc77b4f6ad2a59a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k6469637.exe

Filesize
168KB

MD5
a29d65f05d530bfa0f83d075884aab31

SHA1
cfa891bd85f334f09476182c855710180738f2bc

SHA256
712f88570df72daa7e6046907855be639b21f157d8f876ff8e43aa154f55a3e0

SHA512
ddcdf6798211ecf9129fff6e7ca464d7bcdf02ac39ac2af3edf1b7a825435a16e1adf0ea52e9abbb55f08eb36f6fa6f4164b63d6d784cf0c6dc77b4f6ad2a59a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l0681982.exe

Filesize
178KB

MD5
cd38958c25e1859abf4141a562032057

SHA1
57b0bdc8e01bbc3bb34d7673e0a3af4fd2bb6ad1

SHA256
b7791bb1458839d0cfc759ddf5a55801759ffa029bd2f03f546592734fb202d1

SHA512
ab363dd115e57448a2b626fa23ea061d24914eb6699e810f9774298ee44bf564755adfee5f8275f51dcf15dc7809f10c40b12cb53055d93c4d972c4751010694

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l0681982.exe

Filesize
178KB

MD5
cd38958c25e1859abf4141a562032057

SHA1
57b0bdc8e01bbc3bb34d7673e0a3af4fd2bb6ad1

SHA256
b7791bb1458839d0cfc759ddf5a55801759ffa029bd2f03f546592734fb202d1

SHA512
ab363dd115e57448a2b626fa23ea061d24914eb6699e810f9774298ee44bf564755adfee5f8275f51dcf15dc7809f10c40b12cb53055d93c4d972c4751010694

Download Submit
C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe

Filesize
268KB

MD5
12495987e79d7d1e6eb824352b458bd4

SHA1
5900c594a711e82b5dd3f8dbebc3cc0e9b71b97c

SHA256
351dd0da9a2925a453d0ca91e3414b4ee999c8315fe134a319206a62e7b3f051

SHA512
a495051f539e8c3c9e0b81b64c880c28d721c229b4dcafa2644686b4aff7268f17163ef5939c2edde6fc390a4aba45ee74b6554a16b22ca6f518089b8adcf0c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe

Filesize
268KB

MD5
12495987e79d7d1e6eb824352b458bd4

SHA1
5900c594a711e82b5dd3f8dbebc3cc0e9b71b97c

SHA256
351dd0da9a2925a453d0ca91e3414b4ee999c8315fe134a319206a62e7b3f051

SHA512
a495051f539e8c3c9e0b81b64c880c28d721c229b4dcafa2644686b4aff7268f17163ef5939c2edde6fc390a4aba45ee74b6554a16b22ca6f518089b8adcf0c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe

Filesize
268KB

MD5
12495987e79d7d1e6eb824352b458bd4

SHA1
5900c594a711e82b5dd3f8dbebc3cc0e9b71b97c

SHA256
351dd0da9a2925a453d0ca91e3414b4ee999c8315fe134a319206a62e7b3f051

SHA512
a495051f539e8c3c9e0b81b64c880c28d721c229b4dcafa2644686b4aff7268f17163ef5939c2edde6fc390a4aba45ee74b6554a16b22ca6f518089b8adcf0c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe

Filesize
268KB

MD5
12495987e79d7d1e6eb824352b458bd4

SHA1
5900c594a711e82b5dd3f8dbebc3cc0e9b71b97c

SHA256
351dd0da9a2925a453d0ca91e3414b4ee999c8315fe134a319206a62e7b3f051

SHA512
a495051f539e8c3c9e0b81b64c880c28d721c229b4dcafa2644686b4aff7268f17163ef5939c2edde6fc390a4aba45ee74b6554a16b22ca6f518089b8adcf0c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe

Filesize
268KB

MD5
12495987e79d7d1e6eb824352b458bd4

SHA1
5900c594a711e82b5dd3f8dbebc3cc0e9b71b97c

SHA256
351dd0da9a2925a453d0ca91e3414b4ee999c8315fe134a319206a62e7b3f051

SHA512
a495051f539e8c3c9e0b81b64c880c28d721c229b4dcafa2644686b4aff7268f17163ef5939c2edde6fc390a4aba45ee74b6554a16b22ca6f518089b8adcf0c6

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
8451a2c5daa42b25333b1b2089c5ea39

SHA1
700cc99ec8d3113435e657070d2d6bde0a833adc

SHA256
b8c8aedd84c363853db934a55087a3b730cf9dc758dea3dc3a98f54217f4c9d0

SHA512
6d2bad0e6ec7852d7b6d1a70a10285db28c06c37252503e01c52458a463582d5211b7e183ae064a36b60f990971a5b14f8af3aaaacc4226be1c2e3e0bf38af53

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
8451a2c5daa42b25333b1b2089c5ea39

SHA1
700cc99ec8d3113435e657070d2d6bde0a833adc

SHA256
b8c8aedd84c363853db934a55087a3b730cf9dc758dea3dc3a98f54217f4c9d0

SHA512
6d2bad0e6ec7852d7b6d1a70a10285db28c06c37252503e01c52458a463582d5211b7e183ae064a36b60f990971a5b14f8af3aaaacc4226be1c2e3e0bf38af53

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
8451a2c5daa42b25333b1b2089c5ea39

SHA1
700cc99ec8d3113435e657070d2d6bde0a833adc

SHA256
b8c8aedd84c363853db934a55087a3b730cf9dc758dea3dc3a98f54217f4c9d0

SHA512
6d2bad0e6ec7852d7b6d1a70a10285db28c06c37252503e01c52458a463582d5211b7e183ae064a36b60f990971a5b14f8af3aaaacc4226be1c2e3e0bf38af53

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
memory/228-215-0x0000000000400000-0x00000000006C4000-memory.dmp

Filesize
2.8MB

Download
memory/228-201-0x00000000006D0000-0x0000000000705000-memory.dmp

Filesize
212KB

Download
memory/2796-176-0x0000000002600000-0x0000000002612000-memory.dmp

Filesize
72KB

Download
memory/2796-194-0x0000000004B70000-0x0000000004B80000-memory.dmp

Filesize
64KB

Download
memory/2796-168-0x0000000002600000-0x0000000002612000-memory.dmp

Filesize
72KB

Download
memory/2796-165-0x0000000002600000-0x0000000002612000-memory.dmp

Filesize
72KB

Download
memory/2796-170-0x0000000002600000-0x0000000002612000-memory.dmp

Filesize
72KB

Download
memory/2796-172-0x0000000002600000-0x0000000002612000-memory.dmp

Filesize
72KB

Download
memory/2796-174-0x0000000002600000-0x0000000002612000-memory.dmp

Filesize
72KB

Download
memory/2796-195-0x0000000004B70000-0x0000000004B80000-memory.dmp

Filesize
64KB

Download
memory/2796-180-0x0000000002600000-0x0000000002612000-memory.dmp

Filesize
72KB

Download
memory/2796-178-0x0000000002600000-0x0000000002612000-memory.dmp

Filesize
72KB

Download
memory/2796-182-0x0000000002600000-0x0000000002612000-memory.dmp

Filesize
72KB

Download
memory/2796-184-0x0000000002600000-0x0000000002612000-memory.dmp

Filesize
72KB

Download
memory/2796-186-0x0000000002600000-0x0000000002612000-memory.dmp

Filesize
72KB

Download
memory/2796-188-0x0000000002600000-0x0000000002612000-memory.dmp

Filesize
72KB

Download
memory/2796-190-0x0000000002600000-0x0000000002612000-memory.dmp

Filesize
72KB

Download
memory/2796-192-0x0000000002600000-0x0000000002612000-memory.dmp

Filesize
72KB

Download
memory/2796-193-0x0000000004B70000-0x0000000004B80000-memory.dmp

Filesize
64KB

Download
memory/2796-166-0x0000000002600000-0x0000000002612000-memory.dmp

Filesize
72KB

Download
memory/3868-217-0x0000000000400000-0x00000000006C4000-memory.dmp

Filesize
2.8MB

Download
memory/3868-244-0x0000000000400000-0x00000000006C4000-memory.dmp

Filesize
2.8MB

Download
memory/3936-156-0x000000000C000000-0x000000000C5A4000-memory.dmp

Filesize
5.6MB

Download
memory/3936-152-0x000000000AB10000-0x000000000AB4C000-memory.dmp

Filesize
240KB

Download
memory/3936-160-0x0000000001620000-0x0000000001630000-memory.dmp

Filesize
64KB

Download
memory/3936-155-0x000000000AEA0000-0x000000000AF06000-memory.dmp

Filesize
408KB

Download
memory/3936-154-0x000000000AF40000-0x000000000AFD2000-memory.dmp

Filesize
584KB

Download
memory/3936-153-0x000000000AE20000-0x000000000AE96000-memory.dmp

Filesize
472KB

Download
memory/3936-158-0x000000000CCB0000-0x000000000D1DC000-memory.dmp

Filesize
5.2MB

Download
memory/3936-157-0x000000000C5B0000-0x000000000C772000-memory.dmp

Filesize
1.8MB

Download
memory/3936-147-0x0000000000C00000-0x0000000000C30000-memory.dmp

Filesize
192KB

Download
memory/3936-151-0x0000000001620000-0x0000000001630000-memory.dmp

Filesize
64KB

Download
memory/3936-150-0x000000000AAB0000-0x000000000AAC2000-memory.dmp

Filesize
72KB

Download
memory/3936-149-0x000000000AB80000-0x000000000AC8A000-memory.dmp

Filesize
1.0MB

Download
memory/3936-148-0x000000000B030000-0x000000000B648000-memory.dmp

Filesize
6.1MB

Download
memory/3936-159-0x000000000BD60000-0x000000000BDB0000-memory.dmp

Filesize
320KB

Download
memory/4352-224-0x0000000000400000-0x00000000006C4000-memory.dmp

Filesize
2.8MB

Download
memory/4840-252-0x0000000000400000-0x00000000006C4000-memory.dmp

Filesize
2.8MB

Download