Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system -
submitted
04/11/2024, 13:43
Static task
static1
General
-
Target
603b9b43f8a935585156fe777a904712e21a590548392160c9faeae5e050b4fd.exe
-
Size
1.3MB
-
MD5
6cf23be0ef2622c90d7a2e088cee5993
-
SHA1
0b2e458582ded58f1203a1bf6892827c40d0b60e
-
SHA256
603b9b43f8a935585156fe777a904712e21a590548392160c9faeae5e050b4fd
-
SHA512
4c3beef35882c18fa2fa3d7e0042a6e043de9b5b9aacdb9cb448cae93d502fb1fefd2e5100442e0ed8f192ffb8d158a99ec5662265135f7ff07f301ac18f0126
-
SSDEEP
24576:tyvldvUrnyDoX+eCZMDoRt70yZag220ahL5P0q1TlTZ/5jvFB:IM2DoX+eMooRmyZP2ghuq/Z/57
Malware Config
Extracted
amadey
3.70
b50502
http://77.91.124.207
-
install_dir
595f021478
-
install_file
oneetx.exe
-
strings_key
6e3d32d239380a49b6f83128fe71ea01
-
url_paths
/plays/chapter/index.php
Extracted
redline
rosn
176.113.115.145:4125
-
auth_value
050a19e1db4d0024b0f23b37dcf961f4
Signatures
-
Amadey family
-
Detects Healer, an antivirus disabler dropper 19 IoCs
resource  yara_rule
behavioral1/files/0x0008000000023cb2-33.dat  healer
behavioral1/memory/208-35-0x0000000000F20000-0x0000000000F2A000-memory.dmp  healer
behavioral1/memory/452-57-0x0000000002790000-0x00000000027AA000-memory.dmp  healer
behavioral1/memory/452-59-0x0000000002870000-0x0000000002888000-memory.dmp  healer
behavioral1/memory/452-60-0x0000000002870000-0x0000000002882000-memory.dmp  healer
behavioral1/memory/452-87-0x0000000002870000-0x0000000002882000-memory.dmp  healer
behavioral1/memory/452-85-0x0000000002870000-0x0000000002882000-memory.dmp  healer
behavioral1/memory/452-83-0x0000000002870000-0x0000000002882000-memory.dmp  healer
behavioral1/memory/452-82-0x0000000002870000-0x0000000002882000-memory.dmp  healer
behavioral1/memory/452-79-0x0000000002870000-0x0000000002882000-memory.dmp  healer
behavioral1/memory/452-77-0x0000000002870000-0x0000000002882000-memory.dmp  healer
behavioral1/memory/452-75-0x0000000002870000-0x0000000002882000-memory.dmp  healer
behavioral1/memory/452-73-0x0000000002870000-0x0000000002882000-memory.dmp  healer
behavioral1/memory/452-71-0x0000000002870000-0x0000000002882000-memory.dmp  healer
behavioral1/memory/452-69-0x0000000002870000-0x0000000002882000-memory.dmp  healer
behavioral1/memory/452-67-0x0000000002870000-0x0000000002882000-memory.dmp  healer
behavioral1/memory/452-65-0x0000000002870000-0x0000000002882000-memory.dmp  healer
behavioral1/memory/452-63-0x0000000002870000-0x0000000002882000-memory.dmp  healer
behavioral1/memory/452-61-0x0000000002870000-0x0000000002882000-memory.dmp  healer -
Healer family
-
Modifies Windows Defender Real-time Protection settings 12 IoCs
description      ioc                                                                                                                                   Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"                     az833103.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"                         az833103.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"       cor1512.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"         cor1512.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"             cor1512.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"         cor1512.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection                                                    az833103.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"                     az833103.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"                     az833103.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"                   az833103.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection                                        cor1512.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"         cor1512.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 19 IoCs
resource  yara_rule
behavioral1/memory/1948-96-0x0000000002680000-0x00000000026C6000-memory.dmp   family_redline
behavioral1/memory/1948-97-0x0000000002B30000-0x0000000002B74000-memory.dmp   family_redline
behavioral1/memory/1948-99-0x0000000002B30000-0x0000000002B6F000-memory.dmp   family_redline
behavioral1/memory/1948-109-0x0000000002B30000-0x0000000002B6F000-memory.dmp  family_redline
behavioral1/memory/1948-129-0x0000000002B30000-0x0000000002B6F000-memory.dmp  family_redline
behavioral1/memory/1948-125-0x0000000002B30000-0x0000000002B6F000-memory.dmp  family_redline
behavioral1/memory/1948-123-0x0000000002B30000-0x0000000002B6F000-memory.dmp  family_redline
behavioral1/memory/1948-121-0x0000000002B30000-0x0000000002B6F000-memory.dmp  family_redline
behavioral1/memory/1948-119-0x0000000002B30000-0x0000000002B6F000-memory.dmp  family_redline
behavioral1/memory/1948-117-0x0000000002B30000-0x0000000002B6F000-memory.dmp  family_redline
behavioral1/memory/1948-116-0x0000000002B30000-0x0000000002B6F000-memory.dmp  family_redline
behavioral1/memory/1948-113-0x0000000002B30000-0x0000000002B6F000-memory.dmp  family_redline
behavioral1/memory/1948-111-0x0000000002B30000-0x0000000002B6F000-memory.dmp  family_redline
behavioral1/memory/1948-107-0x0000000002B30000-0x0000000002B6F000-memory.dmp  family_redline
behavioral1/memory/1948-105-0x0000000002B30000-0x0000000002B6F000-memory.dmp  family_redline
behavioral1/memory/1948-103-0x0000000002B30000-0x0000000002B6F000-memory.dmp  family_redline
behavioral1/memory/1948-101-0x0000000002B30000-0x0000000002B6F000-memory.dmp  family_redline
behavioral1/memory/1948-127-0x0000000002B30000-0x0000000002B6F000-memory.dmp  family_redline
behavioral1/memory/1948-98-0x0000000002B30000-0x0000000002B6F000-memory.dmp   family_redline -
Redline family
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description        ioc                                                                                                   Process
Key value queried  \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation  bu481902.exe
Key value queried  \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation  oneetx.exe -
Executes dropped EXE 11 IoCs
pid   Process
684   kina5076.exe
4564  kina7218.exe
3656  kina5157.exe
2500  kina5442.exe
208   az833103.exe
4176  bu481902.exe
3468  oneetx.exe
452   cor1512.exe
1948  dMT09s79.exe
5856  oneetx.exe
2112  oneetx.exe -
Windows security modification 3 IoCs
description      ioc                                                                                        Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"              az833103.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features                         cor1512.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"  cor1512.exe -
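The Real-Time Protection table and the TamperProtection table above record the same tampering twice: az833103.exe writes the native 64-bit policy path, cor1512.exe's writes are logged under WOW6432Node, the 32-bit registry view. The script below is an added example written for this page, not Triage output and not code from the sample. It parses rows in the shape the two tables print (the EVENTS text is constructed by copying those rows), folds the two registry views together and scores each process on which Defender switches it flipped. It detects the attempt; whether such writes take effect on a host where Tamper Protection is actually enforced is a separate question.

```python
"""Flag Windows Defender tampering from sandbox registry events.

Added example written for this page; it is not Triage code and not the
sample's. EVENTS is constructed by copying the rows of the two Defender
tables above, one row per line: <op> <path> [= "<data>"] <process>."""
from collections import defaultdict
from typing import NamedTuple, Optional


class RegEvent(NamedTuple):
    op: str
    path: str
    data: Optional[str]
    process: str


EVENTS = r"""
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" az833103.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" az833103.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" cor1512.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" cor1512.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" cor1512.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" cor1512.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection az833103.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" az833103.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" az833103.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" az833103.exe
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection cor1512.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" cor1512.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" az833103.exe
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features cor1512.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" cor1512.exe
"""

RTP_KEY = r"SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
TP_KEY = r"SOFTWARE\Microsoft\Windows Defender\Features"
# Each of these, set to 1 under the Real-Time Protection policy key, switches
# off one component of Defender's real-time engine. Healer sets all five.
RTP_DISABLE_VALUES = {
    "DisableRealtimeMonitoring",
    "DisableBehaviorMonitoring",
    "DisableIOAVProtection",
    "DisableOnAccessProtection",
    "DisableScanOnRealtimeEnable",
}


def parse_events(text):
    """Split table rows into RegEvent records; rows of unknown shape are skipped."""
    events = []
    for line in text.strip().splitlines():
        body, _, process = line.rpartition(" ")
        op = next((o for o in ("Set value (int)", "Set value (str)", "Key created")
                   if body.startswith(o + " ")), None)
        if op is None:
            continue
        path, sep, data = body[len(op) + 1:].partition(' = "')
        events.append(RegEvent(op, path, data.rstrip('"') if sep else None, process))
    return events


def canonical(path):
    # Fold the 32-bit registry view onto the native path so the cor1512.exe rows
    # (logged under WOW6432Node) compare equal to the az833103.exe rows.
    return path.replace(r"\WOW6432Node", "")


def analyze(events):
    """Map each process to the sorted list of Defender switches it flipped."""
    hits = defaultdict(set)
    for ev in events:
        if ev.op != "Set value (int)":
            continue  # creating the key alone is not tampering
        key, _, name = canonical(ev.path).rpartition("\\")
        if key.endswith(RTP_KEY) and name in RTP_DISABLE_VALUES and ev.data == "1":
            hits[ev.process].add(name)
        elif key.endswith(TP_KEY) and name == "TamperProtection" and ev.data == "0":
            hits[ev.process].add("TamperProtection=0")
    return {p: sorted(v) for p, v in hits.items()}


def verdict(hits):
    """A process is called a Defender disabler when it both zeroes TamperProtection
    and turns off at least three real-time components; a lone policy write may be
    legitimate admin tooling. The threshold is this example's choice."""
    return {p: ("TamperProtection=0" in v and len(v) - 1 >= 3) for p, v in hits.items()}


if __name__ == "__main__":
    h = analyze(parse_events(EVENTS))
    for proc, flipped in h.items():
        print(proc, "DISABLER" if verdict(h)[proc] else "", ", ".join(flipped))
```

Both processes end up with the same six switches, which is the expected result for two drops of the same Healer build; the WOW6432Node fold is what makes that visible.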
Adds Run key to start application 2 TTPs 5 IoCs
description      ioc  Process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""  603b9b43f8a935585156fe777a904712e21a590548392160c9faeae5e050b4fd.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""  kina5076.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""  kina7218.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""  kina5157.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""  kina5442.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 26 IoCs
pid   pid_target  Process       procid_target
2184  4176        WerFault.exe  97
3836  4176        WerFault.exe  97
2148  4176        WerFault.exe  97
3788  4176        WerFault.exe  97
3136  4176        WerFault.exe  97
1652  4176        WerFault.exe  97
3308  4176        WerFault.exe  97
2112  4176        WerFault.exe  97
1968  4176        WerFault.exe  97
2340  4176        WerFault.exe  97
4460  3468        WerFault.exe  117
100   3468        WerFault.exe  117
2512  3468        WerFault.exe  117
3416  3468        WerFault.exe  117
3164  3468        WerFault.exe  117
4536  3468        WerFault.exe  117
4644  3468        WerFault.exe  117
2160  3468        WerFault.exe  117
1364  3468        WerFault.exe  117
736   3468        WerFault.exe  117
4728  3468        WerFault.exe  117
2700  452         WerFault.exe  122
5908  5856        WerFault.exe  149
1960  3468        WerFault.exe  117
1516  2112        WerFault.exe  160
3648  3468        WerFault.exe  117 -
System Location Discovery: System Language Discovery 1 TTPs 10 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                   Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  603b9b43f8a935585156fe777a904712e21a590548392160c9faeae5e050b4fd.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  dMT09s79.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  bu481902.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  oneetx.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cor1512.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  schtasks.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  kina5076.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  kina7218.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  kina5157.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  kina5442.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid   Process
1088  schtasks.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid  Process
208  az833103.exe
208  az833103.exe
452  cor1512.exe
452  cor1512.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description              pid   Process
Token: SeDebugPrivilege  208   az833103.exe
Token: SeDebugPrivilege  452   cor1512.exe
Token: SeDebugPrivilege  1948  dMT09s79.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid   Process
4176  bu481902.exe -
Suspicious use of WriteProcessMemory 29 IoCs
description                       pid   Process                                                                 procid_target
PID 1496 wrote to memory of 684   1496  603b9b43f8a935585156fe777a904712e21a590548392160c9faeae5e050b4fd.exe  84
PID 1496 wrote to memory of 684   1496  603b9b43f8a935585156fe777a904712e21a590548392160c9faeae5e050b4fd.exe  84
PID 1496 wrote to memory of 684   1496  603b9b43f8a935585156fe777a904712e21a590548392160c9faeae5e050b4fd.exe  84
PID 684 wrote to memory of 4564   684   kina5076.exe  85
PID 684 wrote to memory of 4564   684   kina5076.exe  85
PID 684 wrote to memory of 4564   684   kina5076.exe  85
PID 4564 wrote to memory of 3656  4564  kina7218.exe  88
PID 4564 wrote to memory of 3656  4564  kina7218.exe  88
PID 4564 wrote to memory of 3656  4564  kina7218.exe  88
PID 3656 wrote to memory of 2500  3656  kina5157.exe  89
PID 3656 wrote to memory of 2500  3656  kina5157.exe  89
PID 3656 wrote to memory of 2500  3656  kina5157.exe  89
PID 2500 wrote to memory of 208   2500  kina5442.exe  90
PID 2500 wrote to memory of 208   2500  kina5442.exe  90
PID 2500 wrote to memory of 4176  2500  kina5442.exe  97
PID 2500 wrote to memory of 4176  2500  kina5442.exe  97
PID 2500 wrote to memory of 4176  2500  kina5442.exe  97
PID 4176 wrote to memory of 3468  4176  bu481902.exe  117
PID 4176 wrote to memory of 3468  4176  bu481902.exe  117
PID 4176 wrote to memory of 3468  4176  bu481902.exe  117
PID 3656 wrote to memory of 452   3656  kina5157.exe  122
PID 3656 wrote to memory of 452   3656  kina5157.exe  122
PID 3656 wrote to memory of 452   3656  kina5157.exe  122
PID 3468 wrote to memory of 1088  3468  oneetx.exe    135
PID 3468 wrote to memory of 1088  3468  oneetx.exe    135
PID 3468 wrote to memory of 1088  3468  oneetx.exe    135
PID 4564 wrote to memory of 1948  4564  kina7218.exe  147
PID 4564 wrote to memory of 1948  4564  kina7218.exe  147
PID 4564 wrote to memory of 1948  4564  kina7218.exe  147
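The 29 rows above are enough to rebuild the spawn chain on their own: every row names the writing parent, and the child PIDs can be resolved through the Executes dropped EXE and Scheduled Task tables. The script below is an added example written for this page, not Triage code; its two inputs are constructed by copying those tables. Repeated rows for one parent/child pair (Triage logs one row per WriteProcessMemory call) are collapsed to a single edge, and the WerFault instances, which this table does not record, therefore do not appear.

```python
"""Rebuild the process tree from the WriteProcessMemory table.

Added example written for this page; not Triage code and not the sample's.
WPM_ROWS is constructed from the 29 rows above, PID_NAMES from the
"Executes dropped EXE" and "Scheduled Task" tables."""
import re
from collections import defaultdict

SAMPLE = "603b9b43f8a935585156fe777a904712e21a590548392160c9faeae5e050b4fd.exe"

WPM_ROWS = "\n".join([f"PID 1496 wrote to memory of 684 1496 {SAMPLE} 84"] * 3 + [
    "PID 684 wrote to memory of 4564 684 kina5076.exe 85"] * 3 + [
    "PID 4564 wrote to memory of 3656 4564 kina7218.exe 88"] * 3 + [
    "PID 3656 wrote to memory of 2500 3656 kina5157.exe 89"] * 3 + [
    "PID 2500 wrote to memory of 208 2500 kina5442.exe 90"] * 2 + [
    "PID 2500 wrote to memory of 4176 2500 kina5442.exe 97"] * 3 + [
    "PID 4176 wrote to memory of 3468 4176 bu481902.exe 117"] * 3 + [
    "PID 3656 wrote to memory of 452 3656 kina5157.exe 122"] * 3 + [
    "PID 3468 wrote to memory of 1088 3468 oneetx.exe 135"] * 3 + [
    "PID 4564 wrote to memory of 1948 4564 kina7218.exe 147"] * 3)

PID_NAMES = """
684 kina5076.exe
4564 kina7218.exe
3656 kina5157.exe
2500 kina5442.exe
208 az833103.exe
4176 bu481902.exe
3468 oneetx.exe
452 cor1512.exe
1948 dMT09s79.exe
5856 oneetx.exe
2112 oneetx.exe
1088 schtasks.exe
"""

# description, pid (must equal the PID in the description), Process, procid_target
ROW_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) \d+$")


def parse_wpm(text):
    """Return ordered, de-duplicated (parent, child) pairs plus the writers' names.
    Several identical rows per pair are one spawn, so only the first is kept;
    first-seen order preserves the order in which children were started."""
    edges, names = [], {}
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        parent, child, name = int(m[1]), int(m[2]), m[3]
        if (parent, child) not in edges:
            edges.append((parent, child))
        names[parent] = name
    return edges, names


def parse_pid_names(text):
    return {int(p): n for p, n in (l.split(None, 1) for l in text.strip().splitlines())}


def build_tree(edges):
    children = defaultdict(list)
    for p, c in edges:
        children[p].append(c)
    targets = {c for _, c in edges}
    roots = sorted({p for p, _ in edges if p not in targets})
    return roots, children


def depth(pid, edges):
    """Number of ancestors a PID has in the reconstructed chain (root is 0)."""
    parent_of = {c: p for p, c in edges}
    d = 0
    while pid in parent_of:
        pid, d = parent_of[pid], d + 1
    return d


def render(edges, names):
    roots, children = build_tree(edges)
    lines = []

    def walk(pid, level):
        lines.append("  " * level + f"{names.get(pid, '?')} (PID {pid})")
        for c in children[pid]:
            walk(c, level + 1)

    for r in roots:
        walk(r, 0)
    return lines


if __name__ == "__main__":
    edges, names = parse_wpm(WPM_ROWS)
    names.update(parse_pid_names(PID_NAMES))
    print("\n".join(render(edges, names)))
```

The output is the same 11-process chain the Processes tree below shows: four WExtract layers, then az833103.exe and bu481902.exe dropped side by side, oneetx.exe and its schtasks child under bu481902.exe, cor1512.exe one level up, and dMT09s79.exe (the RedLine payload) launched from kina7218.exe.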
Processes

- C:\Users\Admin\AppData\Local\Temp\603b9b43f8a935585156fe777a904712e21a590548392160c9faeae5e050b4fd.exe  (PID 1496)
  signatures: Adds Run key to start application; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kina5076.exe  (PID 684)
    signatures: Executes dropped EXE; Adds Run key to start application; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kina7218.exe  (PID 4564)
      signatures: Executes dropped EXE; Adds Run key to start application; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kina5157.exe  (PID 3656)
        signatures: Executes dropped EXE; Adds Run key to start application; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kina5442.exe  (PID 2500)
          signatures: Executes dropped EXE; Adds Run key to start application; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
          - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az833103.exe  (PID 208)
            signatures: Modifies Windows Defender Real-time Protection settings; Executes dropped EXE; Windows security modification; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
          - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu481902.exe  (PID 4176)
            signatures: Checks computer location settings; Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory
            - C:\Windows\SysWOW64\WerFault.exe -u -p 4176 -s 684  (PID 2184)  Program crash
            - C:\Windows\SysWOW64\WerFault.exe -u -p 4176 -s 784  (PID 3836)  Program crash
            - C:\Windows\SysWOW64\WerFault.exe -u -p 4176 -s 860  (PID 2148)  Program crash
            - C:\Windows\SysWOW64\WerFault.exe -u -p 4176 -s 868  (PID 3788)  Program crash
            - C:\Windows\SysWOW64\WerFault.exe -u -p 4176 -s 860  (PID 3136)  Program crash
            - C:\Windows\SysWOW64\WerFault.exe -u -p 4176 -s 984  (PID 1652)  Program crash
            - C:\Windows\SysWOW64\WerFault.exe -u -p 4176 -s 1224  (PID 3308)  Program crash
            - C:\Windows\SysWOW64\WerFault.exe -u -p 4176 -s 1260  (PID 2112)  Program crash
            - C:\Windows\SysWOW64\WerFault.exe -u -p 4176 -s 1236  (PID 1968)  Program crash
            - C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe  (PID 3468)
              signatures: Checks computer location settings; Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
              - C:\Windows\SysWOW64\WerFault.exe -u -p 3468 -s 696  (PID 4460)  Program crash
              - C:\Windows\SysWOW64\WerFault.exe -u -p 3468 -s 1008  (PID 100)  Program crash
              - C:\Windows\SysWOW64\WerFault.exe -u -p 3468 -s 1076  (PID 2512)  Program crash
              - C:\Windows\SysWOW64\WerFault.exe -u -p 3468 -s 1092  (PID 3416)  Program crash
              - C:\Windows\SysWOW64\WerFault.exe -u -p 3468 -s 1092  (PID 3164)  Program crash
              - C:\Windows\SysWOW64\WerFault.exe -u -p 3468 -s 1120  (PID 4536)  Program crash
              - C:\Windows\SysWOW64\WerFault.exe -u -p 3468 -s 1100  (PID 4644)  Program crash
              - C:\Windows\SysWOW64\schtasks.exe  (PID 1088)
                cmd: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe" /F
                signatures: System Location Discovery: System Language Discovery; Scheduled Task/Job: Scheduled Task
              - C:\Windows\SysWOW64\WerFault.exe -u -p 3468 -s 996  (PID 2160)  Program crash
              - C:\Windows\SysWOW64\WerFault.exe -u -p 3468 -s 1116  (PID 1364)  Program crash
              - C:\Windows\SysWOW64\WerFault.exe -u -p 3468 -s 720  (PID 736)  Program crash
              - C:\Windows\SysWOW64\WerFault.exe -u -p 3468 -s 732  (PID 4728)  Program crash
              - C:\Windows\SysWOW64\WerFault.exe -u -p 3468 -s 1120  (PID 1960)  Program crash
              - C:\Windows\SysWOW64\WerFault.exe -u -p 3468 -s 1552  (PID 3648)  Program crash
            - C:\Windows\SysWOW64\WerFault.exe -u -p 4176 -s 1440  (PID 2340)  Program crash
        - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor1512.exe  (PID 452)
          signatures: Modifies Windows Defender Real-time Protection settings; Executes dropped EXE; Windows security modification; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
          - C:\Windows\SysWOW64\WerFault.exe -u -p 452 -s 1084  (PID 2700)  Program crash
      - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dMT09s79.exe  (PID 1948)
        signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4176 -ip 4176  (PID 3856)
- C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4176 -ip 4176  (PID 1524)
- C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4176 -ip 4176  (PID 1872)
- C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4176 -ip 4176  (PID 2544)
- C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4176 -ip 4176  (PID 4784)
- C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4176 -ip 4176  (PID 3264)
- C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4176 -ip 4176  (PID 4992)
- C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 4176 -ip 4176  (PID 5048)
- C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 4176 -ip 4176  (PID 3404)
- C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 4176 -ip 4176  (PID 4504)
- C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 3468 -ip 3468  (PID 4124)
- C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 3468 -ip 3468  (PID 4028)
- C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3468 -ip 3468  (PID 972)
- C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3468 -ip 3468  (PID 3548)
- C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 3468 -ip 3468  (PID 2524)
- C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 3468 -ip 3468  (PID 2364)
- C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3468 -ip 3468  (PID 2124)
- C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 3468 -ip 3468  (PID 3476)
- C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3468 -ip 3468  (PID 2344)
- C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3468 -ip 3468  (PID 1936)
- C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 3468 -ip 3468  (PID 1568)
- C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 452 -ip 452  (PID 2352)
- C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe  (PID 5856)
  signatures: Executes dropped EXE
  - C:\Windows\SysWOW64\WerFault.exe -u -p 5856 -s 316  (PID 5908)  Program crash
- C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 5856 -ip 5856  (PID 5884)
- C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3468 -ip 3468  (PID 1364)
- C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe  (PID 2112)
  signatures: Executes dropped EXE
  - C:\Windows\SysWOW64\WerFault.exe -u -p 2112 -s 316  (PID 1516)  Program crash
- C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2112 -ip 2112  (PID 412)
- C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 3468 -ip 3468  (PID 5860)
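Two persistence artefacts sit in the tree above: the five RunOnce wextract_cleanupN values, which the IExpress/WExtract self-extractor stub writes so that advpack.dll's DelNodeRunDLL32 removes its IXPnnn.TMP folder at the next logon (one value per nested layer, so the highest N gives the nesting depth), and the schtasks command oneetx.exe issues to re-run itself from the user's Temp folder every minute. The script below is an added example written for this page, not Triage code and not the sample's; it normalises both kinds of artefact into one record. The inputs are constructed from the tables and the command line above, with the RunOnce data given unescaped (the table prints it with doubled backslashes). The five-minute threshold in is_suspicious is this example's heuristic, not something the report states.

```python
"""Normalise the persistence artefacts in this report into one record shape.

Added example written for this page; it is not Triage code and not the
sample's. RUNONCE and SCHTASKS are constructed from the tables and process
tree above (RunOnce data unescaped)."""
import re
import shlex
from typing import NamedTuple, Optional


class Finding(NamedTuple):
    kind: str       # "wextract_cleanup" or "scheduled_task"
    process: str    # process that created the artefact
    target: str     # folder to be deleted, or the task's action
    detail: dict


SAMPLE = "603b9b43f8a935585156fe777a904712e21a590548392160c9faeae5e050b4fd.exe"
DELNODE = (r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 '
           r'"C:\Users\Admin\AppData\Local\Temp\IXP00{n}.TMP\"')

# Constructed from "Adds Run key to start application": (value name, data, process).
RUNONCE = [
    ("wextract_cleanup%d" % n, DELNODE.format(n=n), proc)
    for n, proc in enumerate([SAMPLE, "kina5076.exe", "kina7218.exe", "kina5157.exe", "kina5442.exe"])
]

# Constructed from the process tree: the command line oneetx.exe (PID 3468) ran.
SCHTASKS = (r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe '
            r'/TR "C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe" /F')

DELNODE_RE = re.compile(r'advpack\.dll,DelNodeRunDLL32\s+"?(?P<dir>[^"]+?)\\?"?\s*$', re.I)
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)


def parse_runonce(name: str, data: str, process: str) -> Optional[Finding]:
    """wextract.exe (the IExpress self-extractor stub) registers a RunOnce value
    wextract_cleanupN whose data calls advpack DelNodeRunDLL32 on its IXPnnn.TMP
    folder. One value per layer, so N counts how deeply the payload was nested."""
    m = DELNODE_RE.search(data)
    prefix = "wextract_cleanup"
    if not name.startswith(prefix) or not name[len(prefix):].isdigit() or not m:
        return None
    return Finding("wextract_cleanup", process, m["dir"], {"layer": int(name[len(prefix):])})


def parse_schtasks(cmdline: str, process: str) -> Optional[Finding]:
    """Pull /SC, /MO, /TN and /TR out of a schtasks /Create command line.
    posix=False keeps Windows backslashes and lets double quotes group the path."""
    toks = [t.strip('"') for t in shlex.split(cmdline, posix=False)]
    if not toks or not toks[0].lower().endswith("schtasks.exe"):
        return None
    low = [t.lower() for t in toks]
    if "/create" not in low:
        return None
    opts = {}
    for i, t in enumerate(low[:-1]):
        if t in ("/sc", "/mo", "/tn", "/tr"):
            opts[t[1:]] = toks[i + 1]
    minute = opts.get("sc", "").upper() == "MINUTE" and opts.get("mo", "").isdigit()
    interval = int(opts["mo"]) if minute else None
    return Finding("scheduled_task", process, opts.get("tr", ""),
                   {"name": opts.get("tn"), "schedule": opts.get("sc"), "interval_min": interval})


def is_suspicious(f: Finding) -> bool:
    """Triage heuristic (this example's, not the report's): a task whose action
    lives under the user's Temp folder and fires at most every five minutes."""
    interval = f.detail.get("interval_min") or 0
    return f.kind == "scheduled_task" and bool(TEMP_RE.search(f.target)) and 0 < interval <= 5


def sfx_depth(findings) -> int:
    """Number of nested WExtract layers implied by the clean-up entries."""
    layers = [f.detail["layer"] for f in findings if f.kind == "wextract_cleanup"]
    return max(layers) + 1 if layers else 0


def collect():
    out = [parse_runonce(*r) for r in RUNONCE]
    out.append(parse_schtasks(SCHTASKS, "oneetx.exe"))
    return [f for f in out if f]


if __name__ == "__main__":
    fs = collect()
    for f in fs:
        print(f.kind, f.process, f.target, f.detail, "SUSPICIOUS" if is_suspicious(f) else "")
    print("nested SFX layers:", sfx_depth(fs))
```

Five clean-up entries give a nesting depth of five, matching the IXP000.TMP to IXP004.TMP folders in the tree; the one scheduled task resolves to oneetx.exe under Temp with a one-minute interval, which is the Amadey install_dir and install_file from the extracted config.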
Network
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)

Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Downloads

- Filesize 1.1MB
  MD5     28e6d54558ba393329a1ba0cf1a29bfe
  SHA1    5f5cafe5ff03cccd8d9fc54414ecab11dc00f6f0
  SHA256  43d3d930de0d0a7d64ab1c3d8ca0f7c1f754b0cf5374b0df4c736d4486726dfd
  SHA512  814f6951dd5e648b7a507ed5bf76b906673e55074f3513bbec820c13e19fd03133f0bd5cfdc1d5a99bb9d16b81481f9d28d6126f7844273c48f0206f097b77fd

- Filesize 994KB
  MD5     25450a7629caf5a9255c7665c1b39567
  SHA1    80388214bdfea7a4a07f4c3d292dafad37ae4c63
  SHA256  ce3e888b1ca013b746ecfe3afec0058df3b5713935fd42d1a325b49c887a5be5
  SHA512  ee11d528c9f6ee1052d46cf8faec65345d9972673476ee89e61dff82f02dd7a469be5e1894c43cc0da0a5a97644d342616e1919734dad61dac6212e801686cae

- Filesize 411KB
  MD5     04304cb2b964f1151372230427e6c0e8
  SHA1    7f17f5fb08b2657b6a904d6ffb256a91e9015911
  SHA256  a1d01a8d99aeb8eabe3a485b3dc51e76f0d8aa57a386e94c6b65994cbe9029d5
  SHA512  2b6a93d4e75930aa36e210fe86ed1909d5de46491acd0444a0897dc9f119e72fd56abd61013f7efe53dd8c5321c458118ad855d682cda011c57d4bbc440d2cc3

- Filesize 638KB
  MD5     f4377dfbfcd80336025f45140d6b8634
  SHA1    e24f504c659ea66533cb5775e458ba4ee2856e42
  SHA256  02ee5fb952d0d1d0fcf0ded1272e06a3c8eff1ad5f4a1862b8c27a5736ae37c6
  SHA512  9553f5ef2bba99324558755255288fa8bca14ed6dc545d6ed7343a1b965ee3bec4e2ca8eea645c05efbcc29115ef0bb030b2ec58dcccd461e6233bcd9ff10852

- Filesize 352KB
  MD5     4be59bc1eb6582e85a5c92885c9f00a1
  SHA1    43ab36c4af47dc99d5754f7b64031cc52ba22699
  SHA256  dc94af17ed5ccc10adc6bef8dad845e229976a288d897365ef7990ec7db1b1f8
  SHA512  0689647553b9bf955d3083a5a71365f742a7e696f6f29b82dd610410ee5040267d6e58f18badc819f897bd503f3de4f48570897b0b67f0a3d27d3412065054a8

- Filesize 341KB
  MD5     549a8241fd49dc3d9f058b31b2145d67
  SHA1    a7abc2bea09eb3675bfcf6d8827d18f7976544ed
  SHA256  dfcbe399241dd721963abdaf36c008435e6f2476e7bcfeb140b564a6a0f77c3c
  SHA512  c6315ce8bd1e0c15de2c9e162683de81418c43299f8597b600693e5b9ff411ef1395d044e971c5e5604ae0acf469dde31091ddd8c180a11bed107fe63150f622

- Filesize 11KB
  MD5     7e93bacbbc33e6652e147e7fe07572a0
  SHA1    421a7167da01c8da4dc4d5234ca3dd84e319e762
  SHA256  850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
  SHA512  250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

- Filesize 344KB
  MD5     8562de535018dff8de34d2ac5720156e
  SHA1    81223fd3bf3305d79a1943bc3277a53762141720
  SHA256  883b52e4d2ad96f5f9ee283d0b669c6c15da99798d86f56715561818e0d63ddb
  SHA512  ab1f81a984d80f414c87a4458b31f1bd7d19cc5457360f9812994cab231fa1ebb3e3cc8510f3921036b3f57ca44170ea984d71e66b1a7661dccf54475ce81da9