amadey | 0fbb43983af8733417107190f2d4a66c4d8b6b42d10a54f613d060081f36910e

General

Target

file.exe
Size

301KB
MD5

5599f89944adc8ccad21b5ab94d33381
SHA1

8df8ce98cdf2a8cef21e26b03841818c9d522ded
SHA256

0fbb43983af8733417107190f2d4a66c4d8b6b42d10a54f613d060081f36910e
SHA512

a02bbfcecc55aa12ed16f5ef3db495a77be4ae328260f71a91bd93dcbba4de2f5ff9f0cc66c12e3bdc921a816aec3c1b429700f7a9024fdc2e0e901b87276171
SSDEEP

6144:BWHRhTLdCwcaYsbhO83elSyRG/1dZENASIbNjVveSvdNGf3m:BYBCwssbhOnSy3iBbNpvdk/

Score

10^/10

amadey redline persom infostealer spyware trojan

Malware Config

Extracted

Family

amadey

Version

3.69

C2

88.218.60.230/Gb2dZz/index.php

Extracted

Family

redline

Botnet

PERSOM

C2

176.124.219.192:14487

Attributes

auth_value
0695a610af712a57529526101d7e83b2

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

file.exeoneetx.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	file.exe
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	oneetx.exe

Executes dropped EXE 4 IoCs

Processes:

oneetx.exeexodus.exeoneetx.exeoneetx.exe

pid process

3856 oneetx.exe
1680 exodus.exe
1028 oneetx.exe
1484 oneetx.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Suspicious use of SetThreadContext 1 IoCs

Processes:

exodus.exe

description pid process target process

PID 1680 set thread context of 2920 1680 exodus.exe AppLaunch.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
3856	oneetx.exe
1680	exodus.exe
1028	oneetx.exe
1484	oneetx.exe

description	pid	process	target process
PID 1680 set thread context of 2920	1680	exodus.exe	AppLaunch.exe

Program crash 38 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
1544	3676	WerFault.exe	file.exe
1840	3676	WerFault.exe	file.exe
3120	3676	WerFault.exe	file.exe
2624	3676	WerFault.exe	file.exe
4408	3676	WerFault.exe	file.exe
4404	3676	WerFault.exe	file.exe
3476	3676	WerFault.exe	file.exe
4672	3676	WerFault.exe	file.exe
1752	3676	WerFault.exe	file.exe
1020	3676	WerFault.exe	file.exe
800	3856	WerFault.exe	oneetx.exe
1700	3856	WerFault.exe	oneetx.exe
564	3856	WerFault.exe	oneetx.exe
3164	3856	WerFault.exe	oneetx.exe
2680	3856	WerFault.exe	oneetx.exe
4572	3856	WerFault.exe	oneetx.exe
3352	3856	WerFault.exe	oneetx.exe
2080	3856	WerFault.exe	oneetx.exe
4968	3856	WerFault.exe	oneetx.exe
440	3856	WerFault.exe	oneetx.exe
1968	3856	WerFault.exe	oneetx.exe
2776	3856	WerFault.exe	oneetx.exe
3376	3856	WerFault.exe	oneetx.exe
4852	3856	WerFault.exe	oneetx.exe
4312	3856	WerFault.exe	oneetx.exe
5008	3856	WerFault.exe	oneetx.exe
1196	3856	WerFault.exe	oneetx.exe
2044	3856	WerFault.exe	oneetx.exe
4044	3856	WerFault.exe	oneetx.exe
3660	3856	WerFault.exe	oneetx.exe
2020	3856	WerFault.exe	oneetx.exe
448	3856	WerFault.exe	oneetx.exe
1872	3856	WerFault.exe	oneetx.exe
2196	3856	WerFault.exe	oneetx.exe
4596	3856	WerFault.exe	oneetx.exe
2632	1028	WerFault.exe	oneetx.exe
3644	1484	WerFault.exe	oneetx.exe
2064	3856	WerFault.exe	oneetx.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2228 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

AppLaunch.exe

pid process

2920 AppLaunch.exe
2920 AppLaunch.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

AppLaunch.exe

description pid process

Token: SeDebugPrivilege 2920 AppLaunch.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

file.exe

pid process

3676 file.exe

pid	process
2228	schtasks.exe

pid	process
2920	AppLaunch.exe
2920	AppLaunch.exe

description	pid	process
Token: SeDebugPrivilege	2920	AppLaunch.exe

pid	process
3676	file.exe

Suspicious use of WriteProcessMemory 35 IoCs

Processes:

file.exeoneetx.execmd.exeexodus.exe

description	pid	process	target process
PID 3676 wrote to memory of 3856	3676	file.exe	oneetx.exe
PID 3676 wrote to memory of 3856	3676	file.exe	oneetx.exe
PID 3676 wrote to memory of 3856	3676	file.exe	oneetx.exe
PID 3856 wrote to memory of 2228	3856	oneetx.exe	schtasks.exe
PID 3856 wrote to memory of 2228	3856	oneetx.exe	schtasks.exe
PID 3856 wrote to memory of 2228	3856	oneetx.exe	schtasks.exe
PID 3856 wrote to memory of 3332	3856	oneetx.exe	cmd.exe
PID 3856 wrote to memory of 3332	3856	oneetx.exe	cmd.exe
PID 3856 wrote to memory of 3332	3856	oneetx.exe	cmd.exe
PID 3332 wrote to memory of 5040	3332	cmd.exe	cmd.exe
PID 3332 wrote to memory of 5040	3332	cmd.exe	cmd.exe
PID 3332 wrote to memory of 5040	3332	cmd.exe	cmd.exe
PID 3332 wrote to memory of 5092	3332	cmd.exe	cacls.exe
PID 3332 wrote to memory of 5092	3332	cmd.exe	cacls.exe
PID 3332 wrote to memory of 5092	3332	cmd.exe	cacls.exe
PID 3332 wrote to memory of 4108	3332	cmd.exe	cacls.exe
PID 3332 wrote to memory of 4108	3332	cmd.exe	cacls.exe
PID 3332 wrote to memory of 4108	3332	cmd.exe	cacls.exe
PID 3332 wrote to memory of 2180	3332	cmd.exe	cmd.exe
PID 3332 wrote to memory of 2180	3332	cmd.exe	cmd.exe
PID 3332 wrote to memory of 2180	3332	cmd.exe	cmd.exe
PID 3332 wrote to memory of 1032	3332	cmd.exe	cacls.exe
PID 3332 wrote to memory of 1032	3332	cmd.exe	cacls.exe
PID 3332 wrote to memory of 1032	3332	cmd.exe	cacls.exe
PID 3332 wrote to memory of 2632	3332	cmd.exe	cacls.exe
PID 3332 wrote to memory of 2632	3332	cmd.exe	cacls.exe
PID 3332 wrote to memory of 2632	3332	cmd.exe	cacls.exe
PID 3856 wrote to memory of 1680	3856	oneetx.exe	exodus.exe
PID 3856 wrote to memory of 1680	3856	oneetx.exe	exodus.exe
PID 3856 wrote to memory of 1680	3856	oneetx.exe	exodus.exe
PID 1680 wrote to memory of 2920	1680	exodus.exe	AppLaunch.exe
PID 1680 wrote to memory of 2920	1680	exodus.exe	AppLaunch.exe
PID 1680 wrote to memory of 2920	1680	exodus.exe	AppLaunch.exe
PID 1680 wrote to memory of 2920	1680	exodus.exe	AppLaunch.exe
PID 1680 wrote to memory of 2920	1680	exodus.exe	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Checks computer location settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3676 -s 560
2⤵
- Program crash
PID:1544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3676 -s 612
2⤵
- Program crash
PID:1840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3676 -s 720
2⤵
- Program crash
PID:3120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3676 -s 824
2⤵
- Program crash
PID:2624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3676 -s 772
2⤵
- Program crash
PID:4408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3676 -s 772
2⤵
- Program crash
PID:4404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3676 -s 1056
2⤵
- Program crash
PID:3476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3676 -s 1116
2⤵
- Program crash
PID:4672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3676 -s 1220
2⤵
- Program crash
PID:1752

C:\Users\Admin\AppData\Local\Temp\d96cb54b4a\oneetx.exe
"C:\Users\Admin\AppData\Local\Temp\d96cb54b4a\oneetx.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3856 -s 584
3⤵
- Program crash
PID:800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3856 -s 792
3⤵
- Program crash
PID:1700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3856 -s 880
3⤵
- Program crash
PID:564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3856 -s 888
3⤵
- Program crash
PID:3164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3856 -s 844
3⤵
- Program crash
PID:2680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3856 -s 972
3⤵
- Program crash
PID:4572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3856 -s 880
3⤵
- Program crash
PID:3352

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\d96cb54b4a\oneetx.exe" /F
3⤵
- Creates scheduled task(s)
PID:2228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3856 -s 916
3⤵
- Program crash
PID:2080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3856 -s 652
3⤵
- Program crash
PID:4968

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\d96cb54b4a" /P "Admin:N"&&CACLS "..\d96cb54b4a" /P "Admin:R" /E&&Exit
3⤵
- Suspicious use of WriteProcessMemory
PID:3332

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
4⤵
PID:5040

C:\Windows\SysWOW64\cacls.exe
CACLS "oneetx.exe" /P "Admin:N"
4⤵
PID:5092

C:\Windows\SysWOW64\cacls.exe
CACLS "oneetx.exe" /P "Admin:R" /E
4⤵
PID:4108

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
4⤵
PID:2180

C:\Windows\SysWOW64\cacls.exe
CACLS "..\d96cb54b4a" /P "Admin:N"
4⤵
PID:1032

C:\Windows\SysWOW64\cacls.exe
CACLS "..\d96cb54b4a" /P "Admin:R" /E
4⤵
PID:2632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3856 -s 776
3⤵
- Program crash
PID:440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3856 -s 136
3⤵
- Program crash
PID:1968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3856 -s 1192
3⤵
- Program crash
PID:2776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3856 -s 1324
3⤵
- Program crash
PID:3376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3856 -s 1740
3⤵
- Program crash
PID:4852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3856 -s 1752
3⤵
- Program crash
PID:4312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3856 -s 1808
3⤵
- Program crash
PID:5008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3856 -s 1988
3⤵
- Program crash
PID:1196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3856 -s 1996
3⤵
- Program crash
PID:2044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3856 -s 1888
3⤵
- Program crash
PID:4044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3856 -s 1988
3⤵
- Program crash
PID:3660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3856 -s 1996
3⤵
- Program crash
PID:2020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3856 -s 2088
3⤵
- Program crash
PID:448

C:\Users\Admin\AppData\Local\Temp\1000029001\exodus.exe
"C:\Users\Admin\AppData\Local\Temp\1000029001\exodus.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1680

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3856 -s 1804
3⤵
- Program crash
PID:1872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3856 -s 2040
3⤵
- Program crash
PID:2196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3856 -s 844
3⤵
- Program crash
PID:4596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3856 -s 1308
3⤵
- Program crash
PID:2064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3676 -s 1252
2⤵
- Program crash
PID:1020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3676 -ip 3676
1⤵
PID:3724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3676 -ip 3676
1⤵
PID:2672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 3676 -ip 3676
1⤵
PID:2500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3676 -ip 3676
1⤵
PID:3644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3676 -ip 3676
1⤵
PID:4024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3676 -ip 3676
1⤵
PID:1836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3676 -ip 3676
1⤵
PID:4244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 3676 -ip 3676
1⤵
PID:3756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3676 -ip 3676
1⤵
PID:1372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 3676 -ip 3676
1⤵
PID:2848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3856 -ip 3856
1⤵
PID:3520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3856 -ip 3856
1⤵
PID:3684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3856 -ip 3856
1⤵
PID:448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3856 -ip 3856
1⤵
PID:1176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3856 -ip 3856
1⤵
PID:3212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3856 -ip 3856
1⤵
PID:3636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3856 -ip 3856
1⤵
PID:1920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3856 -ip 3856
1⤵
PID:3748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3856 -ip 3856
1⤵
PID:3620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3856 -ip 3856
1⤵
PID:3648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3856 -ip 3856
1⤵
PID:2880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3856 -ip 3856
1⤵
PID:1484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3856 -ip 3856
1⤵
PID:3644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 3856 -ip 3856
1⤵
PID:4464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3856 -ip 3856
1⤵
PID:4404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3856 -ip 3856
1⤵
PID:2256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3856 -ip 3856
1⤵
PID:1372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3856 -ip 3856
1⤵
PID:3992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3856 -ip 3856
1⤵
PID:2848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3856 -ip 3856
1⤵
PID:4172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3856 -ip 3856
1⤵
PID:5016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3856 -ip 3856
1⤵
PID:1284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3856 -ip 3856
1⤵
PID:3164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3856 -ip 3856
1⤵
PID:1264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 3856 -ip 3856
1⤵
PID:568

C:\Users\Admin\AppData\Local\Temp\d96cb54b4a\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\d96cb54b4a\oneetx.exe
1⤵
- Executes dropped EXE
PID:1028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1028 -s 320
2⤵
- Program crash
PID:2632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1028 -ip 1028
1⤵
PID:1032

C:\Users\Admin\AppData\Local\Temp\d96cb54b4a\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\d96cb54b4a\oneetx.exe
1⤵
- Executes dropped EXE
PID:1484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1484 -s 316
2⤵
- Program crash
PID:3644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 1484 -ip 1484
1⤵
PID:2500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 3856 -ip 3856
1⤵
PID:2068

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1000029001\exodus.exe
Filesize
320KB

MD5
b9352f9dcaba6a6ebeed5c756dfe5e74

SHA1
cf0fd4f388aac8302606d59f83cd576cdfe94e92

SHA256
e25c3f7621547050d8b33edb42b6efb31f3eecbfdf5ff347ca2396a67fb41b27

SHA512
e595bbd5e37579d561565879de6ac4aadf43c155c770d4506419e575d74d202ccde61bee216b5ffc1996cd4e49e5fd819e21c536de19b79fbaecf44a8c9807ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000029001\exodus.exe
Filesize
320KB

MD5
b9352f9dcaba6a6ebeed5c756dfe5e74

SHA1
cf0fd4f388aac8302606d59f83cd576cdfe94e92

SHA256
e25c3f7621547050d8b33edb42b6efb31f3eecbfdf5ff347ca2396a67fb41b27

SHA512
e595bbd5e37579d561565879de6ac4aadf43c155c770d4506419e575d74d202ccde61bee216b5ffc1996cd4e49e5fd819e21c536de19b79fbaecf44a8c9807ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000029001\exodus.exe
Filesize
320KB

MD5
b9352f9dcaba6a6ebeed5c756dfe5e74

SHA1
cf0fd4f388aac8302606d59f83cd576cdfe94e92

SHA256
e25c3f7621547050d8b33edb42b6efb31f3eecbfdf5ff347ca2396a67fb41b27

SHA512
e595bbd5e37579d561565879de6ac4aadf43c155c770d4506419e575d74d202ccde61bee216b5ffc1996cd4e49e5fd819e21c536de19b79fbaecf44a8c9807ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\d96cb54b4a\oneetx.exe
Filesize
301KB

MD5
5599f89944adc8ccad21b5ab94d33381

SHA1
8df8ce98cdf2a8cef21e26b03841818c9d522ded

SHA256
0fbb43983af8733417107190f2d4a66c4d8b6b42d10a54f613d060081f36910e

SHA512
a02bbfcecc55aa12ed16f5ef3db495a77be4ae328260f71a91bd93dcbba4de2f5ff9f0cc66c12e3bdc921a816aec3c1b429700f7a9024fdc2e0e901b87276171

Download Submit
C:\Users\Admin\AppData\Local\Temp\d96cb54b4a\oneetx.exe
Filesize
301KB

MD5
5599f89944adc8ccad21b5ab94d33381

SHA1
8df8ce98cdf2a8cef21e26b03841818c9d522ded

SHA256
0fbb43983af8733417107190f2d4a66c4d8b6b42d10a54f613d060081f36910e

SHA512
a02bbfcecc55aa12ed16f5ef3db495a77be4ae328260f71a91bd93dcbba4de2f5ff9f0cc66c12e3bdc921a816aec3c1b429700f7a9024fdc2e0e901b87276171

Download Submit
C:\Users\Admin\AppData\Local\Temp\d96cb54b4a\oneetx.exe
Filesize
301KB

MD5
5599f89944adc8ccad21b5ab94d33381

SHA1
8df8ce98cdf2a8cef21e26b03841818c9d522ded

SHA256
0fbb43983af8733417107190f2d4a66c4d8b6b42d10a54f613d060081f36910e

SHA512
a02bbfcecc55aa12ed16f5ef3db495a77be4ae328260f71a91bd93dcbba4de2f5ff9f0cc66c12e3bdc921a816aec3c1b429700f7a9024fdc2e0e901b87276171

Download Submit
C:\Users\Admin\AppData\Local\Temp\d96cb54b4a\oneetx.exe
Filesize
301KB

MD5
5599f89944adc8ccad21b5ab94d33381

SHA1
8df8ce98cdf2a8cef21e26b03841818c9d522ded

SHA256
0fbb43983af8733417107190f2d4a66c4d8b6b42d10a54f613d060081f36910e

SHA512
a02bbfcecc55aa12ed16f5ef3db495a77be4ae328260f71a91bd93dcbba4de2f5ff9f0cc66c12e3bdc921a816aec3c1b429700f7a9024fdc2e0e901b87276171

Download Submit
C:\Users\Admin\AppData\Local\Temp\d96cb54b4a\oneetx.exe
Filesize
301KB

MD5
5599f89944adc8ccad21b5ab94d33381

SHA1
8df8ce98cdf2a8cef21e26b03841818c9d522ded

SHA256
0fbb43983af8733417107190f2d4a66c4d8b6b42d10a54f613d060081f36910e

SHA512
a02bbfcecc55aa12ed16f5ef3db495a77be4ae328260f71a91bd93dcbba4de2f5ff9f0cc66c12e3bdc921a816aec3c1b429700f7a9024fdc2e0e901b87276171

Download Submit
memory/1028-203-0x0000000000400000-0x000000000090F000-memory.dmp

Filesize
5.1MB

Download
memory/1484-212-0x0000000000400000-0x000000000090F000-memory.dmp

Filesize
5.1MB

Download
memory/2920-187-0x00000000052A0000-0x00000000052B2000-memory.dmp

Filesize
72KB

Download
memory/2920-192-0x0000000005770000-0x0000000005802000-memory.dmp

Filesize
584KB

Download
memory/2920-180-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2920-188-0x0000000005300000-0x000000000533C000-memory.dmp

Filesize
240KB

Download
memory/2920-189-0x0000000005360000-0x0000000005370000-memory.dmp

Filesize
64KB

Download
memory/2920-185-0x00000000058C0000-0x0000000005ED8000-memory.dmp

Filesize
6.1MB

Download
memory/2920-191-0x0000000006490000-0x0000000006A34000-memory.dmp

Filesize
5.6MB

Download
memory/2920-186-0x00000000053B0000-0x00000000054BA000-memory.dmp

Filesize
1.0MB

Download
memory/2920-193-0x0000000005810000-0x0000000005876000-memory.dmp

Filesize
408KB

Download
memory/2920-194-0x0000000006C10000-0x0000000006DD2000-memory.dmp

Filesize
1.8MB

Download
memory/2920-195-0x0000000007310000-0x000000000783C000-memory.dmp

Filesize
5.2MB

Download
memory/2920-196-0x0000000005360000-0x0000000005370000-memory.dmp

Filesize
64KB

Download
memory/3676-134-0x0000000002680000-0x00000000026BA000-memory.dmp

Filesize
232KB

Download
memory/3676-149-0x0000000000400000-0x000000000090F000-memory.dmp

Filesize
5.1MB

Download
memory/3856-190-0x0000000000400000-0x000000000090F000-memory.dmp

Filesize
5.1MB

Download
memory/3856-150-0x0000000000400000-0x000000000090F000-memory.dmp

Filesize
5.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads