amadey | d1051a6e5813ae8faf78b2248f8f81592f08f8f996507fe0b322c21f5a92a84f

Resubmissions

29-10-2024 10:37

241029-mnv55avbqk 10

05-05-2023 19:46

230505-yg72wscd81 10

Analysis

max time kernel
143s
max time network
146s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
29-10-2024 10:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d1051a6e5813ae8faf78b2248f8f81592f08f8f996507fe0b322c21f5a92a84f.exe
Size

1.2MB
MD5

74b0ccf3de68e8e63088a697bccced26
SHA1

d3d8252558125ac843ac3c339bab3641e23a61d5
SHA256

d1051a6e5813ae8faf78b2248f8f81592f08f8f996507fe0b322c21f5a92a84f
SHA512

85de1d6d8b4ec19a3b82ecbbd41ce129742c63fd306214bb37c3005733056a7cab7c5a3765c41612a00d5e12c694f11864146e69fb723d696ce18a50caec74c9
SSDEEP

24576:LyfKfMXMQEseAkUF4Owq7/nqC0fIXSV8UQRBQfU3LEI:+fwMc5PCF4OhPqC0fzQLQfOL

Score

10^/10

amadey healer redline 9c0adb discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

amadey

Version

3.80

Botnet

9c0adb

http://193.3.19.154

Attributes

install_dir
cb7ae701b3
install_file
oneetx.exe
strings_key
23b27c80db2465a8e1dc15491b69b82f
url_paths
/store/games/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey

Detects Healer an antivirus disabler dropper 34 IoCs

resource	yara_rule
behavioral1/memory/1912-40-0x00000000003E0000-0x00000000003FA000-memory.dmp	healer
behavioral1/memory/1912-41-0x00000000005E0000-0x00000000005F8000-memory.dmp	healer
behavioral1/memory/1912-42-0x00000000005E0000-0x00000000005F3000-memory.dmp	healer
behavioral1/memory/1912-57-0x00000000005E0000-0x00000000005F3000-memory.dmp	healer
behavioral1/memory/1912-69-0x00000000005E0000-0x00000000005F3000-memory.dmp	healer
behavioral1/memory/1912-67-0x00000000005E0000-0x00000000005F3000-memory.dmp	healer
behavioral1/memory/1912-65-0x00000000005E0000-0x00000000005F3000-memory.dmp	healer
behavioral1/memory/1912-63-0x00000000005E0000-0x00000000005F3000-memory.dmp	healer
behavioral1/memory/1912-61-0x00000000005E0000-0x00000000005F3000-memory.dmp	healer
behavioral1/memory/1912-59-0x00000000005E0000-0x00000000005F3000-memory.dmp	healer
behavioral1/memory/1912-55-0x00000000005E0000-0x00000000005F3000-memory.dmp	healer
behavioral1/memory/1912-53-0x00000000005E0000-0x00000000005F3000-memory.dmp	healer
behavioral1/memory/1912-51-0x00000000005E0000-0x00000000005F3000-memory.dmp	healer
behavioral1/memory/1912-49-0x00000000005E0000-0x00000000005F3000-memory.dmp	healer
behavioral1/memory/1912-47-0x00000000005E0000-0x00000000005F3000-memory.dmp	healer
behavioral1/memory/1912-45-0x00000000005E0000-0x00000000005F3000-memory.dmp	healer
behavioral1/memory/1912-43-0x00000000005E0000-0x00000000005F3000-memory.dmp	healer
behavioral1/memory/2608-80-0x0000000000920000-0x000000000093A000-memory.dmp	healer
behavioral1/memory/2608-81-0x0000000002850000-0x0000000002868000-memory.dmp	healer
behavioral1/memory/2608-82-0x0000000002850000-0x0000000002862000-memory.dmp	healer
behavioral1/memory/2608-109-0x0000000002850000-0x0000000002862000-memory.dmp	healer
behavioral1/memory/2608-107-0x0000000002850000-0x0000000002862000-memory.dmp	healer
behavioral1/memory/2608-105-0x0000000002850000-0x0000000002862000-memory.dmp	healer
behavioral1/memory/2608-103-0x0000000002850000-0x0000000002862000-memory.dmp	healer
behavioral1/memory/2608-101-0x0000000002850000-0x0000000002862000-memory.dmp	healer
behavioral1/memory/2608-99-0x0000000002850000-0x0000000002862000-memory.dmp	healer
behavioral1/memory/2608-97-0x0000000002850000-0x0000000002862000-memory.dmp	healer
behavioral1/memory/2608-95-0x0000000002850000-0x0000000002862000-memory.dmp	healer
behavioral1/memory/2608-93-0x0000000002850000-0x0000000002862000-memory.dmp	healer
behavioral1/memory/2608-91-0x0000000002850000-0x0000000002862000-memory.dmp	healer
behavioral1/memory/2608-89-0x0000000002850000-0x0000000002862000-memory.dmp	healer
behavioral1/memory/2608-87-0x0000000002850000-0x0000000002862000-memory.dmp	healer
behavioral1/memory/2608-85-0x0000000002850000-0x0000000002862000-memory.dmp	healer
behavioral1/memory/2608-83-0x0000000002850000-0x0000000002862000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 11 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	186127212.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	186127212.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	298211359.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	298211359.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	298211359.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	298211359.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	186127212.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	186127212.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	298211359.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	186127212.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	186127212.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 6 IoCs

resource	yara_rule
behavioral1/memory/1744-137-0x0000000002A40000-0x0000000002A7C000-memory.dmp	family_redline
behavioral1/memory/1744-138-0x0000000002A80000-0x0000000002ABA000-memory.dmp	family_redline
behavioral1/memory/1744-144-0x0000000002A80000-0x0000000002AB5000-memory.dmp	family_redline
behavioral1/memory/1744-142-0x0000000002A80000-0x0000000002AB5000-memory.dmp	family_redline
behavioral1/memory/1744-140-0x0000000002A80000-0x0000000002AB5000-memory.dmp	family_redline
behavioral1/memory/1744-139-0x0000000002A80000-0x0000000002AB5000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 10 IoCs

pid	Process
2324	cZ674215.exe
1664	KB289092.exe
2292	qE215205.exe
1912	186127212.exe
2608	298211359.exe
1620	385941545.exe
1660	oneetx.exe
1744	415153552.exe
4856	oneetx.exe
984	oneetx.exe

Loads dropped DLL 18 IoCs

pid	Process
2672	d1051a6e5813ae8faf78b2248f8f81592f08f8f996507fe0b322c21f5a92a84f.exe
2324	cZ674215.exe
2324	cZ674215.exe
1664	KB289092.exe
1664	KB289092.exe
2292	qE215205.exe
2292	qE215205.exe
1912	186127212.exe
2292	qE215205.exe
2292	qE215205.exe
2608	298211359.exe
1664	KB289092.exe
1620	385941545.exe
1620	385941545.exe
1660	oneetx.exe
2324	cZ674215.exe
2324	cZ674215.exe
1744	415153552.exe

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	186127212.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	186127212.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	298211359.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	d1051a6e5813ae8faf78b2248f8f81592f08f8f996507fe0b322c21f5a92a84f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	cZ674215.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	KB289092.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	qE215205.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 17 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	298211359.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	186127212.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	385941545.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	oneetx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	415153552.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cZ674215.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	KB289092.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qE215205.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d1051a6e5813ae8faf78b2248f8f81592f08f8f996507fe0b322c21f5a92a84f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2800	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1912	186127212.exe
1912	186127212.exe
2608	298211359.exe
2608	298211359.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1912	186127212.exe
Token: SeDebugPrivilege	2608	298211359.exe
Token: SeDebugPrivilege	1744	415153552.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1620	385941545.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2672 wrote to memory of 2324	2672	d1051a6e5813ae8faf78b2248f8f81592f08f8f996507fe0b322c21f5a92a84f.exe	30
PID 2672 wrote to memory of 2324	2672	d1051a6e5813ae8faf78b2248f8f81592f08f8f996507fe0b322c21f5a92a84f.exe	30
PID 2672 wrote to memory of 2324	2672	d1051a6e5813ae8faf78b2248f8f81592f08f8f996507fe0b322c21f5a92a84f.exe	30
PID 2672 wrote to memory of 2324	2672	d1051a6e5813ae8faf78b2248f8f81592f08f8f996507fe0b322c21f5a92a84f.exe	30
PID 2672 wrote to memory of 2324	2672	d1051a6e5813ae8faf78b2248f8f81592f08f8f996507fe0b322c21f5a92a84f.exe	30
PID 2672 wrote to memory of 2324	2672	d1051a6e5813ae8faf78b2248f8f81592f08f8f996507fe0b322c21f5a92a84f.exe	30
PID 2672 wrote to memory of 2324	2672	d1051a6e5813ae8faf78b2248f8f81592f08f8f996507fe0b322c21f5a92a84f.exe	30
PID 2324 wrote to memory of 1664	2324	cZ674215.exe	31
PID 2324 wrote to memory of 1664	2324	cZ674215.exe	31
PID 2324 wrote to memory of 1664	2324	cZ674215.exe	31
PID 2324 wrote to memory of 1664	2324	cZ674215.exe	31
PID 2324 wrote to memory of 1664	2324	cZ674215.exe	31
PID 2324 wrote to memory of 1664	2324	cZ674215.exe	31
PID 2324 wrote to memory of 1664	2324	cZ674215.exe	31
PID 1664 wrote to memory of 2292	1664	KB289092.exe	32
PID 1664 wrote to memory of 2292	1664	KB289092.exe	32
PID 1664 wrote to memory of 2292	1664	KB289092.exe	32
PID 1664 wrote to memory of 2292	1664	KB289092.exe	32
PID 1664 wrote to memory of 2292	1664	KB289092.exe	32
PID 1664 wrote to memory of 2292	1664	KB289092.exe	32
PID 1664 wrote to memory of 2292	1664	KB289092.exe	32
PID 2292 wrote to memory of 1912	2292	qE215205.exe	33
PID 2292 wrote to memory of 1912	2292	qE215205.exe	33
PID 2292 wrote to memory of 1912	2292	qE215205.exe	33
PID 2292 wrote to memory of 1912	2292	qE215205.exe	33
PID 2292 wrote to memory of 1912	2292	qE215205.exe	33
PID 2292 wrote to memory of 1912	2292	qE215205.exe	33
PID 2292 wrote to memory of 1912	2292	qE215205.exe	33
PID 2292 wrote to memory of 2608	2292	qE215205.exe	35
PID 2292 wrote to memory of 2608	2292	qE215205.exe	35
PID 2292 wrote to memory of 2608	2292	qE215205.exe	35
PID 2292 wrote to memory of 2608	2292	qE215205.exe	35
PID 2292 wrote to memory of 2608	2292	qE215205.exe	35
PID 2292 wrote to memory of 2608	2292	qE215205.exe	35
PID 2292 wrote to memory of 2608	2292	qE215205.exe	35
PID 1664 wrote to memory of 1620	1664	KB289092.exe	36
PID 1664 wrote to memory of 1620	1664	KB289092.exe	36
PID 1664 wrote to memory of 1620	1664	KB289092.exe	36
PID 1664 wrote to memory of 1620	1664	KB289092.exe	36
PID 1664 wrote to memory of 1620	1664	KB289092.exe	36
PID 1664 wrote to memory of 1620	1664	KB289092.exe	36
PID 1664 wrote to memory of 1620	1664	KB289092.exe	36
PID 1620 wrote to memory of 1660	1620	385941545.exe	37
PID 1620 wrote to memory of 1660	1620	385941545.exe	37
PID 1620 wrote to memory of 1660	1620	385941545.exe	37
PID 1620 wrote to memory of 1660	1620	385941545.exe	37
PID 1620 wrote to memory of 1660	1620	385941545.exe	37
PID 1620 wrote to memory of 1660	1620	385941545.exe	37
PID 1620 wrote to memory of 1660	1620	385941545.exe	37
PID 2324 wrote to memory of 1744	2324	cZ674215.exe	38
PID 2324 wrote to memory of 1744	2324	cZ674215.exe	38
PID 2324 wrote to memory of 1744	2324	cZ674215.exe	38
PID 2324 wrote to memory of 1744	2324	cZ674215.exe	38
PID 2324 wrote to memory of 1744	2324	cZ674215.exe	38
PID 2324 wrote to memory of 1744	2324	cZ674215.exe	38
PID 2324 wrote to memory of 1744	2324	cZ674215.exe	38
PID 1660 wrote to memory of 2800	1660	oneetx.exe	39
PID 1660 wrote to memory of 2800	1660	oneetx.exe	39
PID 1660 wrote to memory of 2800	1660	oneetx.exe	39
PID 1660 wrote to memory of 2800	1660	oneetx.exe	39
PID 1660 wrote to memory of 2800	1660	oneetx.exe	39
PID 1660 wrote to memory of 2800	1660	oneetx.exe	39
PID 1660 wrote to memory of 2800	1660	oneetx.exe	39
PID 1660 wrote to memory of 2788	1660	oneetx.exe	40

C:\Users\Admin\AppData\Local\Temp\d1051a6e5813ae8faf78b2248f8f81592f08f8f996507fe0b322c21f5a92a84f.exe
"C:\Users\Admin\AppData\Local\Temp\d1051a6e5813ae8faf78b2248f8f81592f08f8f996507fe0b322c21f5a92a84f.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2672
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cZ674215.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cZ674215.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2324
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\KB289092.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\KB289092.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1664
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qE215205.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qE215205.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2292
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\186127212.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\186127212.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Loads dropped DLL
        Windows security modification
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1912
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\298211359.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\298211359.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Loads dropped DLL
        Windows security modification
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2608
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\385941545.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\385941545.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:1620
    - - C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1660
      - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2800
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2164
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "oneetx.exe" /P "Admin:N"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2992
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "oneetx.exe" /P "Admin:R" /E
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2208
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\cb7ae701b3" /P "Admin:N"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2688
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\cb7ae701b3" /P "Admin:R" /E
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2984
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\415153552.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\415153552.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1744

C:\Windows\system32\taskeng.exe
taskeng.exe {37DFCD92-8166-4299-A7AD-36894187ACE7} S-1-5-21-2872745919-2748461613-2989606286-1000:CCJBVTGQ\Admin:Interactive:[1]
1⤵
PID:4824
- C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
  C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
  2⤵
  - Executes dropped EXE
  PID:4856
- C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
  C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
  2⤵
  - Executes dropped EXE
  PID:984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\385941545.exe

Filesize
204KB

MD5
b38ef258d68b6aaf1ad2c6cfa99e3f94

SHA1
40ef301f931486216c9293fbfba1a0ba846cf647

SHA256
e2bed58b32d53409b8a316926a462dd4c5bb4375f3268d43561ce426f0da5e94

SHA512
529fc4d4ae0dcf9fa3f95e0904d68d06ab0fcf4ee6cf59df76f42587920be3f51eee5e7473f95fa25bd502bec4f15d8d0550b013b9ea3bbebe8c1de56d389a5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qE215205.exe

Filesize
467KB

MD5
ee0f317f44b37b2bd1d2c476cd496f80

SHA1
00874fed0aaf45d425d05e44561fae53f704d807

SHA256
4d1ab88c142d74d9773d3f040faeb56827a7f8324a71ac635c82a8b327a9c2c3

SHA512
c61447e7e0b620da890340263811a356b4173978560b72fb7cd9d520360eba4fffc8fd1fe2323afdacf91fb834dc025a18d3e73d5a193dead62bc68b1cd245a6

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
11KB

MD5
b7759166a0f1807b202b45f510c2172e

SHA1
ef160ebdf82a6cadd27197fb589a3786e58e3fa5

SHA256
825eb1a627f34c3d1fad85cb5904b5ac0fded65f677c5a85fa992e42c450fd99

SHA512
5085882d85f2d3ab9fa2c2b3bfbde24072ae732b02529946700df1ee92fbafb0e7d305bf21f6034b44012d310495bc7ebd4826b226685a1cc3790b429d0169ec

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\cZ674215.exe

Filesize
1.0MB

MD5
fac510b9d09689ed6da473f4299d9842

SHA1
3490f68eb4c9e7bd8732c10653acd78d433c3ac0

SHA256
c758a98d0ec766e3f19658ef398052f3352c2cece1058db9563918f4f4000053

SHA512
1ae59a73f816ef59185b2a699860fe24e65c383b41738642fc11e31aae3272aecd48dd6dd79097507bd63feb86396f9d8c65e9a24b1c6d17092b7e7d143d0cea

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\415153552.exe

Filesize
461KB

MD5
1f83c7703947d020013d1da55720af72

SHA1
3a3711e6d659131f3ea1b9fca6721821b3d7a95e

SHA256
3bbc69bedd6ba43241f7fe993ad3085a860a4316cbbbfa301d91e74fcfdc75ab

SHA512
9f1d266e021a209ad8da310b91345bd718799558711ddb28e0116f5672a57c840825aa9df831967451957112713504fc4dfd270eb7afa636710cbe011ef63391

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\KB289092.exe

Filesize
638KB

MD5
c4833707e57427ae9ef317823c0856ac

SHA1
b0fceeea6a88a31aee0d802db8fffa0f2b297274

SHA256
50db37d6ba78f12d481ee474b72387f3f543ac7c96488fcbda035feaaf45bda5

SHA512
c7a778c3210fc966f51fae28364caabeb4bbaa445a9007d775241c0c6906781b72cee4e4e6dfd518a911e2c67564f3367ef2c0f70ffd6aff53b0b7f964df936b

Download Submit
\Users\Admin\AppData\Local\Temp\IXP003.TMP\186127212.exe

Filesize
176KB

MD5
1961de8005293372ef065337715b49e3

SHA1
c4c4f869a66f4c173ecde374db1df30752b6de1d

SHA256
f85bd9845e59c591e90363ab6170456122e213e4bc5ca7f9ad976c2b68951ccb

SHA512
74ce76066fa56a4ca9818cd5fbbf4241f63bd982378c5f46909330e9c979af303b2a70f049c342fd54450a1e2a4b99131051031509efae589182c095c0277155

Download Submit
\Users\Admin\AppData\Local\Temp\IXP003.TMP\298211359.exe

Filesize
377KB

MD5
81be911edfff00fe91967c45f80fa86b

SHA1
39319ebb19b09b46b5825f4d27436640957be112

SHA256
6e7439841be72fe0401d1866629b15fe3598b24dc54362c695afd527a3c940f2

SHA512
9f8baed9088c84c4bfaad6a87a810325c29aa457259a65efbd5604ff6b02d63903c3cca5aaeec7151f87137aaee00605c0ad5fd92f07046624ed89b985c6acbb

Download Submit
memory/1744-138-0x0000000002A80000-0x0000000002ABA000-memory.dmp

Filesize
232KB

Download
memory/1744-142-0x0000000002A80000-0x0000000002AB5000-memory.dmp

Filesize
212KB

Download
memory/1744-140-0x0000000002A80000-0x0000000002AB5000-memory.dmp

Filesize
212KB

Download
memory/1744-144-0x0000000002A80000-0x0000000002AB5000-memory.dmp

Filesize
212KB

Download
memory/1744-139-0x0000000002A80000-0x0000000002AB5000-memory.dmp

Filesize
212KB

Download
memory/1744-137-0x0000000002A40000-0x0000000002A7C000-memory.dmp

Filesize
240KB

Download
memory/1912-57-0x00000000005E0000-0x00000000005F3000-memory.dmp

Filesize
76KB

Download
memory/1912-61-0x00000000005E0000-0x00000000005F3000-memory.dmp

Filesize
76KB

Download
memory/1912-51-0x00000000005E0000-0x00000000005F3000-memory.dmp

Filesize
76KB

Download
memory/1912-49-0x00000000005E0000-0x00000000005F3000-memory.dmp

Filesize
76KB

Download
memory/1912-47-0x00000000005E0000-0x00000000005F3000-memory.dmp

Filesize
76KB

Download
memory/1912-45-0x00000000005E0000-0x00000000005F3000-memory.dmp

Filesize
76KB

Download
memory/1912-43-0x00000000005E0000-0x00000000005F3000-memory.dmp

Filesize
76KB

Download
memory/1912-55-0x00000000005E0000-0x00000000005F3000-memory.dmp

Filesize
76KB

Download
memory/1912-59-0x00000000005E0000-0x00000000005F3000-memory.dmp

Filesize
76KB

Download
memory/1912-53-0x00000000005E0000-0x00000000005F3000-memory.dmp

Filesize
76KB

Download
memory/1912-63-0x00000000005E0000-0x00000000005F3000-memory.dmp

Filesize
76KB

Download
memory/1912-65-0x00000000005E0000-0x00000000005F3000-memory.dmp

Filesize
76KB

Download
memory/1912-67-0x00000000005E0000-0x00000000005F3000-memory.dmp

Filesize
76KB

Download
memory/1912-69-0x00000000005E0000-0x00000000005F3000-memory.dmp

Filesize
76KB

Download
memory/1912-42-0x00000000005E0000-0x00000000005F3000-memory.dmp

Filesize
76KB

Download
memory/1912-41-0x00000000005E0000-0x00000000005F8000-memory.dmp

Filesize
96KB

Download
memory/1912-40-0x00000000003E0000-0x00000000003FA000-memory.dmp

Filesize
104KB

Download
memory/2608-82-0x0000000002850000-0x0000000002862000-memory.dmp

Filesize
72KB

Download
memory/2608-95-0x0000000002850000-0x0000000002862000-memory.dmp

Filesize
72KB

Download
memory/2608-93-0x0000000002850000-0x0000000002862000-memory.dmp

Filesize
72KB

Download
memory/2608-91-0x0000000002850000-0x0000000002862000-memory.dmp

Filesize
72KB

Download
memory/2608-89-0x0000000002850000-0x0000000002862000-memory.dmp

Filesize
72KB

Download
memory/2608-87-0x0000000002850000-0x0000000002862000-memory.dmp

Filesize
72KB

Download
memory/2608-85-0x0000000002850000-0x0000000002862000-memory.dmp

Filesize
72KB

Download
memory/2608-83-0x0000000002850000-0x0000000002862000-memory.dmp

Filesize
72KB

Download
memory/2608-110-0x0000000000400000-0x0000000000802000-memory.dmp

Filesize
4.0MB

Download
memory/2608-97-0x0000000002850000-0x0000000002862000-memory.dmp

Filesize
72KB

Download
memory/2608-99-0x0000000002850000-0x0000000002862000-memory.dmp

Filesize
72KB

Download
memory/2608-101-0x0000000002850000-0x0000000002862000-memory.dmp

Filesize
72KB

Download
memory/2608-103-0x0000000002850000-0x0000000002862000-memory.dmp

Filesize
72KB

Download
memory/2608-105-0x0000000002850000-0x0000000002862000-memory.dmp

Filesize
72KB

Download
memory/2608-107-0x0000000002850000-0x0000000002862000-memory.dmp

Filesize
72KB

Download
memory/2608-109-0x0000000002850000-0x0000000002862000-memory.dmp

Filesize
72KB

Download
memory/2608-81-0x0000000002850000-0x0000000002868000-memory.dmp

Filesize
96KB

Download
memory/2608-80-0x0000000000920000-0x000000000093A000-memory.dmp

Filesize
104KB

Download