Analysis

max time kernel: 150s
max time network: 126s
platform: windows10-2004_x64
resource: win10v2004-20230621-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230621-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26/06/2023, 01:19
Static task: static1

Behavioral task: behavioral1
  Sample: 8d8ae453a5773f10fddff520a45326b3d665f79e707898fa0e09b28084bfb1f9.exe
  Resource: win7-20230621-en

Behavioral task: behavioral2
  Sample: 8d8ae453a5773f10fddff520a45326b3d665f79e707898fa0e09b28084bfb1f9.exe
  Resource: win10v2004-20230621-en
General

Target: 8d8ae453a5773f10fddff520a45326b3d665f79e707898fa0e09b28084bfb1f9.exe
Size: 901KB
MD5: 4d0f16309f1dfe19ab558a13624df4aa
SHA1: d188e8d274935043436c6cae0c56d24a974f6800
SHA256: 8d8ae453a5773f10fddff520a45326b3d665f79e707898fa0e09b28084bfb1f9
SHA512: dc54240ec0a21e8719e9e212445ecbecb40c14eb5f6b7d74706976e879ddc14fbd324d83383f4c463e8c1c25166f2105ed613b7f3ad3a125214d68c484e1b005
SSDEEP: 24576:XhAHI6vOZZU1gJVwHdoI8BV/MUxbO1P8n22:XiZsU+VI+BV/M6bsUn2
Malware Config

Extracted: amadey
  3.83
  45.9.74.80/0bjdn2Z/index.php

Extracted: smokeloader
  pub5

Extracted: gcleaner
  45.12.253.56
  45.12.253.72
  45.12.253.98
  45.12.253.75

Extracted: smokeloader
  up3

Extracted: smokeloader
  2022
  http://aapu.at/tmp/
  http://poudineh.com/tmp/
  http://firsttrusteedrx.ru/tmp/
  http://kingpirate.ru/tmp/
Signatures

Detect Fabookie payload (2 IoCs)
resource  yara_rule
behavioral2/memory/4092-194-0x0000000002FE0000-0x0000000003111000-memory.dmp  family_fabookie
behavioral2/memory/4092-282-0x0000000002FE0000-0x0000000003111000-memory.dmp  family_fabookie
Glupteba payload (14 IoCs)
resource  yara_rule
behavioral2/memory/5020-240-0x0000000002EC0000-0x00000000037AB000-memory.dmp  family_glupteba
behavioral2/memory/5020-286-0x0000000000400000-0x0000000000D1B000-memory.dmp  family_glupteba
behavioral2/memory/5020-321-0x0000000000400000-0x0000000000D1B000-memory.dmp  family_glupteba
behavioral2/memory/4456-333-0x0000000000400000-0x0000000000D1B000-memory.dmp  family_glupteba
behavioral2/memory/4456-379-0x0000000000400000-0x0000000000D1B000-memory.dmp  family_glupteba
behavioral2/memory/3320-383-0x0000000003300000-0x0000000003BEB000-memory.dmp  family_glupteba
behavioral2/memory/3320-447-0x0000000000400000-0x0000000000D1B000-memory.dmp  family_glupteba
behavioral2/memory/3320-472-0x0000000000400000-0x0000000000D1B000-memory.dmp  family_glupteba
behavioral2/memory/3320-483-0x0000000000400000-0x0000000000D1B000-memory.dmp  family_glupteba
behavioral2/memory/3320-488-0x0000000000400000-0x0000000000D1B000-memory.dmp  family_glupteba
behavioral2/memory/3320-491-0x0000000000400000-0x0000000000D1B000-memory.dmp  family_glupteba
behavioral2/memory/3320-494-0x0000000000400000-0x0000000000D1B000-memory.dmp  family_glupteba
behavioral2/memory/3320-497-0x0000000000400000-0x0000000000D1B000-memory.dmp  family_glupteba
behavioral2/memory/3320-507-0x0000000000400000-0x0000000000D1B000-memory.dmp  family_glupteba
SmokeLoader
Modular backdoor trojan in use since 2014.

Downloads MZ/PE file
Modifies Windows Firewall (1 TTPs, 1 IoCs)
pid   Process
4732  netsh.exe
Checks computer location settings (2 TTPs, 4 IoCs)
Looks up country code configured in the registry, likely geofence.
description        ioc                                                                                                Process
Key value queried  \REGISTRY\USER\S-1-5-21-4129409437-3162877118-52503038-1000\Control Panel\International\Geo\Nation  8d8ae453a5773f10fddff520a45326b3d665f79e707898fa0e09b28084bfb1f9.exe
Key value queried  \REGISTRY\USER\S-1-5-21-4129409437-3162877118-52503038-1000\Control Panel\International\Geo\Nation  newplayer.exe
Key value queried  \REGISTRY\USER\S-1-5-21-4129409437-3162877118-52503038-1000\Control Panel\International\Geo\Nation  oneetx.exe
Key value queried  \REGISTRY\USER\S-1-5-21-4129409437-3162877118-52503038-1000\Control Panel\International\Geo\Nation  setup.exe
Executes dropped EXE (16 IoCs)
pid   Process
4092  ss41.exe
3924  ec193bd8.exe
2800  newplayer.exe
228   oneetx.exe
5064  setup.exe
680   toolspub2.exe
3332  toolspub2.exe
5020  3eef203fb515bda85f514e168abb5973.exe
4456  3eef203fb515bda85f514e168abb5973.exe
3320  csrss.exe
1492  injector.exe
2288  oneetx.exe
676   windefender.exe
2524  windefender.exe
4776  f801950a962ddba14caaa44bf084b55c.exe
3704  oneetx.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

resource  yara_rule
behavioral2/files/0x0007000000023153-477.dat  upx
behavioral2/files/0x0007000000023153-478.dat  upx
behavioral2/files/0x0007000000023153-480.dat  upx
behavioral2/memory/676-481-0x0000000000400000-0x00000000008DF000-memory.dmp  upx
behavioral2/memory/2524-493-0x0000000000400000-0x00000000008DF000-memory.dmp  upx
behavioral2/files/0x0006000000023154-503.dat  upx
behavioral2/files/0x0006000000023154-504.dat  upx
behavioral2/memory/2524-506-0x0000000000400000-0x00000000008DF000-memory.dmp  upx
behavioral2/memory/4776-510-0x0000000000400000-0x0000000000C25000-memory.dmp  upx
behavioral2/memory/4776-512-0x0000000000400000-0x0000000000C25000-memory.dmp  upx
Adds Run key to start application (2 TTPs, 2 IoCs)
description      ioc                                                                                                                                                Process
Set value (str)  \REGISTRY\USER\S-1-5-21-4129409437-3162877118-52503038-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""  3eef203fb515bda85f514e168abb5973.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-4129409437-3162877118-52503038-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""  csrss.exe
Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Manipulates WinMonFS driver (1 IoCs)
Rootkits write to WinMonFS to hide directories/files from being detected.
description                    ioc           Process
File opened for modification   \??\WinMonFS  csrss.exe
Drops file in System32 directory (7 IoCs)
description                   ioc                                                                                                                     Process
File created                  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log              powershell.exe
File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive  powershell.exe
File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive  powershell.exe
File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive  powershell.exe
File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive  powershell.exe
File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive  powershell.exe
File created                  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive  powershell.exe
Suspicious use of SetThreadContext (1 IoCs)
description                         pid  Process        procid_target
PID 680 set thread context of 3332  680  toolspub2.exe  104
Checks for VirtualBox DLLs, possible anti-VM trick (1 TTPs, 1 IoCs)
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
description              ioc               Process
File opened (read-only)  \??\VBoxMiniRdrDN  3eef203fb515bda85f514e168abb5973.exe
Drops file in Windows directory (4 IoCs)
description                   ioc                          Process
File opened for modification  C:\Windows\rss               3eef203fb515bda85f514e168abb5973.exe
File created                  C:\Windows\rss\csrss.exe     3eef203fb515bda85f514e168abb5973.exe
File created                  C:\Windows\windefender.exe   csrss.exe
File opened for modification  C:\Windows\windefender.exe   csrss.exe
Launches sc.exe (1 IoCs)
Sc.exe is a Windows utility to control services on the system.
pid   Process
5000  sc.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Program crash (8 IoCs)
pid   pid_target  Process       procid_target
4836  5064        WerFault.exe  96
1488  5064        WerFault.exe  96
4724  5064        WerFault.exe  96
4784  5064        WerFault.exe  96
3632  5064        WerFault.exe  96
1536  5064        WerFault.exe  96
3516  5064        WerFault.exe  96
2148  5064        WerFault.exe  96
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description     ioc                                               Process
Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  ec193bd8.exe
Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  ec193bd8.exe
Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  ec193bd8.exe
Creates scheduled task(s) (1 TTPs, 3 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid   Process
3232  schtasks.exe
4304  schtasks.exe
4308  schtasks.exe
Kills process with taskkill (3 IoCs)
pid   Process
1796  taskkill.exe
4876  taskkill.exe
1284  taskkill.exe
Modifies data under HKEY_USERS 64 IoCs
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
pid   Process
3168  Process not Found

Suspicious behavior: MapViewOfSection (1 IoCs)
pid   Process
3924  ec193bd8.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

[1] C:\Users\Admin\AppData\Local\Temp\8d8ae453a5773f10fddff520a45326b3d665f79e707898fa0e09b28084bfb1f9.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\8d8ae453a5773f10fddff520a45326b3d665f79e707898fa0e09b28084bfb1f9.exe"
    PID: 3772
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory

  [2] C:\Users\Admin\AppData\Local\Temp\ss41.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\ss41.exe"
      PID: 4092
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\SYSTEM32\taskkill.exe
        command line: taskkill /IM chrome.exe /F
        PID: 1796
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken

    [3] C:\Windows\SYSTEM32\taskkill.exe
        command line: taskkill /IM msedge.exe /F
        PID: 4876
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken

  [2] C:\Users\Admin\AppData\Local\Temp\ec193bd8.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\ec193bd8.exe"
      PID: 3924
      - Executes dropped EXE
      - Checks SCSI registry key(s)
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection

  [2] C:\Users\Admin\AppData\Local\Temp\newplayer.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\newplayer.exe"
      PID: 2800
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory

    [3] C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe"
        PID: 228
        - Checks computer location settings
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\SysWOW64\schtasks.exe
          command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe" /F
          PID: 3232
          - Creates scheduled task(s)

      [4] C:\Windows\SysWOW64\cmd.exe
          command line: "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\207aa4515d" /P "Admin:N"&&CACLS "..\207aa4515d" /P "Admin:R" /E&&Exit
          PID: 2572
          - Suspicious use of WriteProcessMemory

        [5] C:\Windows\SysWOW64\cmd.exe
            command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
            PID: 3140

        [5] C:\Windows\SysWOW64\cacls.exe
            command line: CACLS "oneetx.exe" /P "Admin:N"
            PID: 2008

        [5] C:\Windows\SysWOW64\cacls.exe
            command line: CACLS "oneetx.exe" /P "Admin:R" /E
            PID: 4708

        [5] C:\Windows\SysWOW64\cmd.exe
            command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
            PID: 832

        [5] C:\Windows\SysWOW64\cacls.exe
            command line: CACLS "..\207aa4515d" /P "Admin:N"
            PID: 4408

        [5] C:\Windows\SysWOW64\cacls.exe
            command line: CACLS "..\207aa4515d" /P "Admin:R" /E
            PID: 732

      [4] C:\Users\Admin\AppData\Local\Temp\1000200001\setup.exe
          command line: "C:\Users\Admin\AppData\Local\Temp\1000200001\setup.exe"
          PID: 5064
          - Checks computer location settings
          - Executes dropped EXE
          - Suspicious use of WriteProcessMemory

        [5] C:\Windows\SysWOW64\WerFault.exe
            command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5064 -s 620
            PID: 4836
            - Program crash

        [5] C:\Windows\SysWOW64\WerFault.exe
            command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5064 -s 880
            PID: 1488
            - Program crash

        [5] C:\Windows\SysWOW64\WerFault.exe
            command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5064 -s 920
            PID: 4724
            - Program crash

        [5] C:\Windows\SysWOW64\WerFault.exe
            command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5064 -s 904
            PID: 4784
            - Program crash

        [5] C:\Windows\SysWOW64\WerFault.exe
            command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5064 -s 940
            PID: 3632
            - Program crash

        [5] C:\Windows\SysWOW64\WerFault.exe
            command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5064 -s 1104
            PID: 1536
            - Program crash

        [5] C:\Windows\SysWOW64\WerFault.exe
            command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5064 -s 1136
            PID: 3516
            - Program crash

        [5] C:\Windows\SysWOW64\WerFault.exe
            command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5064 -s 1420
            PID: 2148
            - Program crash

        [5] C:\Windows\SysWOW64\cmd.exe
            command line: "C:\Windows\System32\cmd.exe" /c taskkill /im "setup.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\1000200001\setup.exe" & exit
            PID: 4688
            - Suspicious use of WriteProcessMemory

          [6] C:\Windows\SysWOW64\taskkill.exe
              command line: taskkill /im "setup.exe" /f
              PID: 1284
              - Kills process with taskkill
              - Suspicious use of AdjustPrivilegeToken

      [4] C:\Users\Admin\AppData\Local\Temp\1000201001\toolspub2.exe
          command line: "C:\Users\Admin\AppData\Local\Temp\1000201001\toolspub2.exe"
          PID: 680
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious use of WriteProcessMemory

        [5] C:\Users\Admin\AppData\Local\Temp\1000201001\toolspub2.exe
            command line: "C:\Users\Admin\AppData\Local\Temp\1000201001\toolspub2.exe"
            PID: 3332
            - Executes dropped EXE

      [4] C:\Users\Admin\AppData\Local\Temp\1000202001\3eef203fb515bda85f514e168abb5973.exe
          command line: "C:\Users\Admin\AppData\Local\Temp\1000202001\3eef203fb515bda85f514e168abb5973.exe"
          PID: 5020
          - Executes dropped EXE
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory

        [5] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            command line: powershell -nologo -noprofile
            PID: 3860
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

        [5] C:\Users\Admin\AppData\Local\Temp\1000202001\3eef203fb515bda85f514e168abb5973.exe
            command line: "C:\Users\Admin\AppData\Local\Temp\1000202001\3eef203fb515bda85f514e168abb5973.exe"
            PID: 4456
            - Executes dropped EXE
            - Adds Run key to start application
            - Checks for VirtualBox DLLs, possible anti-VM trick
            - Drops file in Windows directory
            - Modifies data under HKEY_USERS
            - Suspicious use of WriteProcessMemory

          [6] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              command line: powershell -nologo -noprofile
              PID: 1576
              - Drops file in System32 directory
              - Modifies data under HKEY_USERS
              - Suspicious use of AdjustPrivilegeToken

          [6] C:\Windows\system32\cmd.exe
              command line: C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
              PID: 4876

            [7] C:\Windows\system32\netsh.exe
                command line: netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
                PID: 4732
                - Modifies Windows Firewall

          [6] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              command line: powershell -nologo -noprofile
              PID: 1960
              - Drops file in System32 directory
              - Modifies data under HKEY_USERS
              - Suspicious use of AdjustPrivilegeToken

          [6] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              command line: powershell -nologo -noprofile
              PID: 5016
              - Drops file in System32 directory
              - Modifies data under HKEY_USERS
              - Suspicious use of AdjustPrivilegeToken

          [6] C:\Windows\rss\csrss.exe
              command line: C:\Windows\rss\csrss.exe
              - Executes dropped EXE
              - Adds Run key to start application
- Manipulates WinMonFS driver.
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3320 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile7⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3680
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F7⤵
- Creates scheduled task(s)
PID:4304
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /delete /tn ScheduledUpdate /f7⤵PID:2168
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile7⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2068
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile7⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4088
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeC:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll7⤵
- Executes dropped EXE
PID:1492
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F7⤵
- Creates scheduled task(s)
PID:4308
-
-
C:\Windows\windefender.exe"C:\Windows\windefender.exe"7⤵
- Executes dropped EXE
PID:676 -
C:\Windows\SysWOW64\cmd.execmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)8⤵PID:680
-
C:\Windows\SysWOW64\sc.exesc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)9⤵
- Launches sc.exe
- Suspicious use of AdjustPrivilegeToken
PID:5000
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exeC:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe7⤵
- Executes dropped EXE
PID:4776 -
C:\Windows\SYSTEM32\schtasks.exeschtasks /delete /tn "csrss" /f8⤵PID:460
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /delete /tn "ScheduledUpdate" /f8⤵PID:3496
-
-
-
-
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 5064 -ip 50641⤵PID:4116
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 5064 -ip 50641⤵PID:3552
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 5064 -ip 50641⤵PID:1132
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 5064 -ip 50641⤵PID:2840
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 5064 -ip 50641⤵PID:1072
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 5064 -ip 50641⤵PID:1596
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 5064 -ip 50641⤵PID:3680
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 5064 -ip 50641⤵PID:4972
-
C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exeC:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe1⤵
- Executes dropped EXE
PID:2288
-
C:\Windows\windefender.exeC:\Windows\windefender.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2524
-
C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exeC:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe1⤵
- Executes dropped EXE
PID:3704
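The tree above packs several reusable telemetry patterns into a handful of command lines: the `cacls ... /P "Admin:N"` lock on the 207aa4515d directory that oneetx.exe later runs from, the `taskkill & erase` self-removal of setup.exe after its WerFault crash loop, the `netsh advfirewall` allow rule and the `/RL HIGHEST` ONLOGON task for `C:\Windows\rss\csrss.exe`, a binary named csrss.exe executing outside System32 (PID 3320, the process the Glupteba memory hits point at), `windefender.exe` dropped straight into C:\Windows, and `injector.exe taskmgr.exe ... NtQuerySystemInformationHook.dll`. The following is an added example, not part of the sandbox report, that encodes each of those as a command-line rule and runs them over entries transcribed from the tree. The trusted-directory prefixes, the list of core system process names and the Windows-root allowlist are assumptions chosen for the demonstration, not something the report states.

```python
"""Command-line heuristics over the process tree above (added example).

TREE is transcribed from the report; TRUSTED_PREFIXES, SYSTEM_NAMES and
WINROOT_OK are assumptions made for this demonstration.
"""
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Proc:
    pid: int
    image: str
    cmdline: str

# Constructed from the report's process tree (PID, image path, command line).
TREE = [
    Proc(4408, r"C:\Windows\SysWOW64\cacls.exe", r'CACLS "..\207aa4515d" /P "Admin:N"'),
    Proc(732, r"C:\Windows\SysWOW64\cacls.exe", r'CACLS "..\207aa4515d" /P "Admin:R" /E'),
    Proc(4688, r"C:\Windows\SysWOW64\cmd.exe",
         r'"C:\Windows\System32\cmd.exe" /c taskkill /im "setup.exe" /f & erase '
         r'"C:\Users\Admin\AppData\Local\Temp\1000200001\setup.exe" & exit'),
    Proc(4732, r"C:\Windows\system32\netsh.exe",
         r'netsh advfirewall firewall add rule name="csrss" dir=in action=allow '
         r'program="C:\Windows\rss\csrss.exe" enable=yes'),
    Proc(3320, r"C:\Windows\rss\csrss.exe", r"C:\Windows\rss\csrss.exe"),
    Proc(4304, r"C:\Windows\SYSTEM32\schtasks.exe",
         r'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F'),
    Proc(1492, r"C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe",
         r"C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe "
         r"C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll"),
    Proc(676, r"C:\Windows\windefender.exe", r'"C:\Windows\windefender.exe"'),
]

# Assumptions for this example: where trusted code lives and which names matter.
TRUSTED_PREFIXES = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\program files")
SYSTEM_NAMES = {"csrss.exe", "smss.exe", "lsass.exe", "services.exe", "winlogon.exe", "svchost.exe"}
WINROOT_OK = {"explorer.exe", "notepad.exe", "regedit.exe", "hh.exe", "write.exe", "splwow64.exe"}

def tokens(cmdline):
    """Split a Windows command line on whitespace, keeping quoted spans whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]

def flag_value(toks, flag):
    """Value following a case-insensitive flag such as /TR, or None."""
    low = [t.lower() for t in toks]
    i = low.index(flag) if flag in low else -1
    return toks[i + 1] if 0 <= i < len(toks) - 1 else None

def trusted(path): return path.strip('"').lower().startswith(TRUSTED_PREFIXES)
def basename(path): return path.strip('"').rpartition("\\")[2].lower()

def rule_acl_self_lock(p, t):  # cacls /P user:N replaces the ACL with "no access"
    if t and t[0].lower() == "cacls" and (flag_value(t, "/p") or "").lower().endswith(":n"):
        return f"cacls strips the user's own access to {t[1] if len(t) > 1 else '?'}"

def rule_self_delete(p, t):  # taskkill ... & erase/del <the killed binary>
    low = [x.lower() for x in t]
    if "taskkill" in low and {"erase", "del"} & set(low[low.index("taskkill"):]):
        return "taskkill chained with erase/del of the killed binary"

def rule_firewall_allow(p, t):  # inbound allow rule for a program outside trusted dirs
    if [x.lower() for x in t[:5]] == ["netsh", "advfirewall", "firewall", "add", "rule"]:
        kv = {k.lower(): v.strip('"') for k, sep, v in map(lambda x: x.partition("="), t) if sep}
        if kv.get("action") == "allow" and kv.get("program") and not trusted(kv["program"]):
            return f"firewall allow for untrusted program {kv['program']}"

def rule_logon_task(p, t):  # highest-privilege scheduled task pointing outside trusted dirs
    if [x.lower() for x in t[:2]] == ["schtasks", "/create"] and \
            (flag_value(t, "/rl") or "").lower() == "highest" and not trusted(flag_value(t, "/tr") or ""):
        return f"task {flag_value(t, '/tn')} runs {flag_value(t, '/tr')} {flag_value(t, '/sc')} with /RL HIGHEST"

def rule_masquerade(p, t):  # core system process name executing outside System32
    if basename(p.image) in SYSTEM_NAMES and not trusted(p.image):
        return f"{basename(p.image)} running from {p.image}"

def rule_windows_root(p, t):  # unexpected executable directly under C:\Windows
    head, _, name = p.image.rpartition("\\")
    if head.lower() == "c:\\windows" and name.lower() not in WINROOT_OK:
        return f"unexpected binary in Windows root: {name}"

def rule_hook_dll(p, t):  # <injector> <target.exe> <hook.dll>
    if len(t) >= 3 and t[1].lower().endswith(".exe") and t[-1].lower().endswith(".dll"):
        return f"loads {basename(t[-1])} into {t[1]}"

RULES = [rule_acl_self_lock, rule_self_delete, rule_firewall_allow, rule_logon_task,
         rule_masquerade, rule_windows_root, rule_hook_dll]

def analyze(tree):
    """Return (pid, rule name, detail) for every rule that fires on a process."""
    hits = []
    for p in tree:
        t = tokens(p.cmdline)
        for rule in RULES:
            detail = rule(p, t)
            if detail:
                hits.append((p.pid, rule.__name__[len("rule_"):], detail))
    return hits

if __name__ == "__main__":
    for pid, name, detail in analyze(TREE):
        print(f"PID {pid:>5}  {name:<15} {detail}")
```

Run against the transcribed entries, every rule fires exactly once and the second cacls call (PID 732, which restores read access with `/E`) stays silent, so the rules discriminate between the lock and the partial unlock rather than keying on cacls.exe as such. The allowlists are deliberately small; in production the Windows-root and System32 checks should be replaced by signer or hash checks, since an attacker who can write to C:\Windows can also pick a name from WINROOT_OK.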
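The `sc sdset WinDefender ...` line rewrites the security descriptor of the service that windefender.exe registers. As an added example, not part of the report, here is a small SDDL decoder limited to what that string uses: A, D and AU ACE types, the two-letter service rights, and well-known SID abbreviations (hex masks and object GUIDs are left undecoded). The right-code and SID tables are the standard SDDL ones; the SID sets passed to effective_rights are assumptions about which group SIDs a given token carries.

```python
"""Decode the service security descriptor applied by `sc sdset WinDefender ...`.

Added example, not part of the sandbox report. Limited to the ACE types,
service rights and SID abbreviations that the descriptor above uses.
"""
import re

# Copied from the sc.exe command line in the process tree.
WINDEFENDER_SDDL = (
    "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)"
    "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
    "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
)

ACE_TYPES = {"A": "allow", "D": "deny", "AU": "audit"}
RIGHTS = {  # SDDL right codes as they apply to a service object
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP", "DT": "SERVICE_PAUSE_CONTINUE",
    "LO": "SERVICE_INTERROGATE", "CR": "SERVICE_USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
SIDS = {"SY": "LocalSystem", "BA": "Administrators", "IU": "Interactive",
        "SU": "ServiceLogon", "WD": "Everyone"}

ACE_RE = re.compile(r"\((?P<type>[A-Z]+);(?P<flags>[A-Z]*);(?P<rights>[A-Z]*);"
                    r"(?P<oguid>[^;]*);(?P<iguid>[^;]*);(?P<sid>[^)]+)\)")

def parse_sddl(sddl):
    """Split the D: and S: sections into decoded ACE dicts, preserving ACE order."""
    out = {"dacl": [], "sacl": []}
    for section, body in re.findall(r"([DS]):((?:\([^)]*\))*)", sddl):
        for m in ACE_RE.finditer(body):
            codes = [m["rights"][i:i + 2] for i in range(0, len(m["rights"]), 2)]
            out["dacl" if section == "D" else "sacl"].append({
                "type": ACE_TYPES.get(m["type"], m["type"]),
                "flags": m["flags"],
                "rights": [RIGHTS.get(c, c) for c in codes],
                "trustee": SIDS.get(m["sid"], m["sid"]),
            })
    return out

def effective_rights(parsed, token_sids):
    """Per-right, first-match walk of the DACL for a token holding token_sids.

    The first allow or deny ACE naming the right for one of the token's SIDs
    decides it, which is how an ordered DACL is evaluated. Callers supply the
    group SIDs a real token would carry (an elevated admin is also Interactive
    and Everyone); that membership is an assumption of the caller.
    """
    granted = set()
    for right in RIGHTS.values():
        for ace in parsed["dacl"]:
            if ace["trustee"] in token_sids and right in ace["rights"]:
                if ace["type"] == "allow":
                    granted.add(right)
                break  # this ACE decided the right, allow or deny
    return granted

def stop_denied(parsed, trustee="Administrators"):
    """True if an explicit deny ACE strips STOP or PAUSE_CONTINUE from trustee."""
    return any(ace["type"] == "deny" and ace["trustee"] == trustee and
               {"SERVICE_STOP", "SERVICE_PAUSE_CONTINUE"} & set(ace["rights"])
               for ace in parsed["dacl"])

if __name__ == "__main__":
    sd = parse_sddl(WINDEFENDER_SDDL)
    for ace in sd["dacl"]:
        print(f'{ace["type"]:<5} {ace["trustee"]:<14} {", ".join(ace["rights"])}')
    admin = effective_rights(sd, {"Administrators", "Interactive", "Everyone"})
    print("admins denied stop/pause:", stop_denied(sd))
    print("admins keep WRITE_DAC and CHANGE_CONFIG:",
          {"WRITE_DAC", "SERVICE_CHANGE_CONFIG"} <= admin)
```

Decoding the descriptor shows what the malware is after: LocalSystem keeps SERVICE_STOP and SERVICE_PAUSE_CONTINUE, while Administrators get an explicit deny on both, stacked on an allow ACE that already omits them (the default administrator ACE on a service, CCDCLCSWRPWPDTLOCRSDRCWDWO, includes WP and DT). So `sc stop WinDefender` or `net stop WinDefender` from an elevated prompt fails with access denied. The deny is not airtight, though: Administrators retain WRITE_DAC and SERVICE_CHANGE_CONFIG, so a responder can `sc sdset` a sane descriptor, or `sc config WinDefender start= disabled` and reboot. Note the name as well: the genuine Microsoft Defender Antivirus service is WinDefend, and its binary is not `C:\Windows\windefender.exe`.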
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize 408KB (listed 3 times)
MD5 a8f1aa449fbfd6e479c388d7bd7a08fd
SHA1 e771e44bffad0958f50eb5d68e94167cc846e2d8
SHA256 1eb17429e41c7e87c070adb5d68a11fa024f4e6598e50062168c44012975c3d4
SHA512 cb16124dc6ae5d02c99485d867dfdbd4308d393c559f599b7a1ce89168b7040f5237b3a90902718d0cfd08a205bfd518432ea8c438501c4a64a8910d20bd1e89
-
Filesize 271KB (listed 4 times)
MD5 a53b97f33623010a204d53ca814e8dd2
SHA1 1c1498af4bfa07fd04b1cc455ed69ca00cebb3c1
SHA256 6ba96ab9e09801ed43485fae7797223a383554397e8de1ea71912cb843794bf0
SHA512 6a342c7816485d60ee8402b4119d0a15895e5610a4b96c1556d9c7cbaf4f8f10bbbce8b7ab081d9bda21788f31e70465ff25b99dae06bf6246ce7b23f03abd1b
-
Filesize 4.1MB (listed 4 times)
MD5 451af59f1dc7bf09eaad8c27aab0a8fe
SHA1 a1e5d215d9e45937697d72e14d33476c6af4705c
SHA256 2273ad3c5739e3c75de32a37f690ccce141a76524c20cd773e267b6b93731606
SHA512 39b70ffa5e0b56fc6b550d0d16d00aec809f366a5dc1027b418e3198ae86a950d07721ed749776f6b3d9ce5eeea3b24895bd58aee66daa2ba8a5b5176bf6d41d
-
Filesize 198KB (listed 4 times)
MD5 f0033521f40c06dec473854c7d98fa8b
SHA1 28dadfe642a0c308e1f744b0d87a6d22dd6cd55a
SHA256 4458a9df5275bedd921127f4ff9dc63d4ac107f2e89cf46969e96f4c43d9f93e
SHA512 f6758814fd20b613fe6f3df7a0a60488dcae59680c3487344a701f59dca972acbb1dd8041bd3fa8d3f97279193796dab9c7f98f1cab3e25686ca34c65e349217
-
Filesize 60B
MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize 3.2MB (listed 2 times; the MD5 matches the file name of C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe in the process tree)
MD5 f801950a962ddba14caaa44bf084b55c
SHA1 7cadc9076121297428442785536ba0df2d4ae996
SHA256 c3946ec89e15b24b743c46f9acacb58cff47da63f3ce2799d71ed90496b8891f
SHA512 4183bc76bdc84fb779e2e573d9a63d7de47096b63b945f9e335bee95ae28eb208f5ee15f6501ac59623b97c5b77f3455ca313512e7d9803e1704ae22a52459c5
-
Filesize 99KB
MD5 09031a062610d77d685c9934318b4170
SHA1 880f744184e7774f3d14c1bb857e21cc7fe89a6d
SHA256 778bd69af403df3c4e074c31b3850d71bf0e64524bea4272a802ca9520b379dd
SHA512 9a276e1f0f55d35f2bf38eb093464f7065bdd30a660e6d1c62eed5e76d1fb2201567b89d9ae65d2d89dc99b142159e36fb73be8d5e08252a975d50544a7cda27
-
Filesize 281KB (listed 2 times)
MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5
-
Filesize 272KB (listed 3 times)
MD5 40fd2785bdb43b73b9491616330ac1c4
SHA1 9951b356ff37de2a8be3023dd7dd45a157a05d06
SHA256 214a0f4e1d3cf5f0f8cae11cd564d4bf51322e1b288f5f1ba7f7475d925e246d
SHA512 240a87b35c032fdf4dc3d05d3c372bc78613e1d8f6a31ad28b7fa9c317ea11fa01edb5dc960bae08d4129bb6ab8a49d9f8f7e82e8af1e71ad4701ffa2efd0d3a
-
Filesize 198KB (listed 3 times; same content as the 198KB entry above)
MD5 f0033521f40c06dec473854c7d98fa8b
SHA1 28dadfe642a0c308e1f744b0d87a6d22dd6cd55a
SHA256 4458a9df5275bedd921127f4ff9dc63d4ac107f2e89cf46969e96f4c43d9f93e
SHA512 f6758814fd20b613fe6f3df7a0a60488dcae59680c3487344a701f59dca972acbb1dd8041bd3fa8d3f97279193796dab9c7f98f1cab3e25686ca34c65e349217
-
Filesize 421KB (listed 3 times)
MD5 ea11d0630e80d6352a12d2f6038e10cf
SHA1 68ebbf2da9c694c1dfc5fbcf424001073fb8ab6b
SHA256 2b21d02167f4e5bb4754d83bf9d69bcbd09b5a1507ab8045eaefb1980ecb989f
SHA512 b93314fc9395181c2fa46eeb3ff212ad71ce8d536cc8519d0faba2f25699394fa49d29bd9d29ac1b4b794df686d040828c1ef96d3871446f1cb797357ab9580b
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize 2KB
MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize 19KB
MD5 43b47de9537891dbec5753897f00ef88
SHA1 e48f02616132655fe46f1d848930cedfa1f60181
SHA256 6716dae122c3df873a744fa9a88cb74459a13d08dcd3ddf649408491441676ee
SHA512 24295c9ba1ebe3d443dea5f2b0c9978d3c13621d694b6d5037c7f66c70df631e9e721e4ae303cece3236d101a7be26fc688aefa6d16da296fac8a3e4162dd6ba
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize 19KB
MD5 31d2760daf27576a51f02e60735363c5
SHA1 d2a6229de32df8175b09e8867df7933fa824d946
SHA256 7371acbfc79ee0dad8df1eb99cf2b88a01fe680e621e354140f29099b907393c
SHA512 480e779d7a91076cc5327606c13471a5e00d86fc65acfd592dc9fada22d56b80bbf63cb89819c56108d3cf3e15c34e883c0e6647a3d729a945dd400c99c5849f
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize 19KB
MD5 4dec0ffc5294db78202b45d78bc43470
SHA1 dc78d2ebde754b5b4c599e0050ce08e592330898
SHA256 23ab6262fe78365463c16f4bff006faaa54713f9593de84b9f26a8f83f0f4fef
SHA512 4168568b027839d560736e61f9a18f906a008c9e8c7912c339735fe9af5be83bd8b4165716c65ec20f792bd644e5c806628e76d224052fb2e6b14d82a4f57c75
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize 19KB
MD5 31d9f6fb72794d9805f5811e64e2f625
SHA1 6173665f6fd8796c990cad121ac53ca591a2f212
SHA256 0070d6ca3f981db950e944068881f0a13220f0df4e388ca98ce436b10a9e0b27
SHA512 045efc6f82cb4b6cd72b785f2c3655b8f4a645ad21f81e9cae32ab1fe4ddf679e11459c718819245c5c7ab13351e90b63d7fc1cdb00b16a915b8877e4aecff4b
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize 19KB
MD5 1c62276c827a1fac605d437883152d0c
SHA1 068eb32e9e99d9c8a6053dca1fa73f9a6123e2a7
SHA256 4e278c5f4fb61644efcd4f7acc2e637b20ceaeb55011743d2e99e2a2eca54ee9
SHA512 e4b8a2cbf9c3e21102de85c543fc297924d878eff8a500746914f12ce6f1d25a40df195258f5f9a43d38111a3170b4a1322fa190a8fd66ab165ee54f84c82709
-
Filesize 4.1MB (listed 2 times; same content as the 4.1MB entry above)
MD5 451af59f1dc7bf09eaad8c27aab0a8fe
SHA1 a1e5d215d9e45937697d72e14d33476c6af4705c
SHA256 2273ad3c5739e3c75de32a37f690ccce141a76524c20cd773e267b6b93731606
SHA512 39b70ffa5e0b56fc6b550d0d16d00aec809f366a5dc1027b418e3198ae86a950d07721ed749776f6b3d9ce5eeea3b24895bd58aee66daa2ba8a5b5176bf6d41d
-
Filesize 2.0MB (listed 3 times)
MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec