amadey | 11acc2d6c049bd254673ee8f512b35ce825591f9551749960b8bd7f4dcc63288

Analysis

max time kernel
148s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
06-11-2024 08:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

11acc2d6c049bd254673ee8f512b35ce825591f9551749960b8bd7f4dcc63288.exe
Size

1.0MB
MD5

a8a2e8c0760afc7ddd395cce8c9b507f
SHA1

14bd03df0e0dfc9548ffd5e69bf7332b88232438
SHA256

11acc2d6c049bd254673ee8f512b35ce825591f9551749960b8bd7f4dcc63288
SHA512

1ff6ced8f3ced27fc1edd5df7401920bb141c53960e67e433d438fcf21cc7f8e5a3948150ae8ca780c8960690894c56f4fb8a4d2e3f3626282f21bd96637819b
SSDEEP

24576:YyzRMmF2Ikeb3+E8IKdimYNkZfq7ZCfQ5OsEgys9X5Qj:fqc2IpYdXq7Zr5REs9pQ

Score

10^/10

amadey healer redline b50502 rosn discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

amadey

Version

3.70

Botnet

b50502

http://77.91.124.207

Attributes

install_dir
595f021478
install_file
oneetx.exe
strings_key
6e3d32d239380a49b6f83128fe71ea01
url_paths
/plays/chapter/index.php

rc4.plain

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey

Detects Healer an antivirus disabler dropper 19 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az821167.exe	healer
behavioral1/memory/2908-28-0x0000000000700000-0x000000000070A000-memory.dmp	healer
behavioral1/memory/3760-53-0x0000000002240000-0x000000000225A000-memory.dmp	healer
behavioral1/memory/3760-55-0x0000000002400000-0x0000000002418000-memory.dmp	healer
behavioral1/memory/3760-73-0x0000000002400000-0x0000000002412000-memory.dmp	healer
behavioral1/memory/3760-81-0x0000000002400000-0x0000000002412000-memory.dmp	healer
behavioral1/memory/3760-79-0x0000000002400000-0x0000000002412000-memory.dmp	healer
behavioral1/memory/3760-77-0x0000000002400000-0x0000000002412000-memory.dmp	healer
behavioral1/memory/3760-75-0x0000000002400000-0x0000000002412000-memory.dmp	healer
behavioral1/memory/3760-71-0x0000000002400000-0x0000000002412000-memory.dmp	healer
behavioral1/memory/3760-70-0x0000000002400000-0x0000000002412000-memory.dmp	healer
behavioral1/memory/3760-67-0x0000000002400000-0x0000000002412000-memory.dmp	healer
behavioral1/memory/3760-65-0x0000000002400000-0x0000000002412000-memory.dmp	healer
behavioral1/memory/3760-63-0x0000000002400000-0x0000000002412000-memory.dmp	healer
behavioral1/memory/3760-61-0x0000000002400000-0x0000000002412000-memory.dmp	healer
behavioral1/memory/3760-59-0x0000000002400000-0x0000000002412000-memory.dmp	healer
behavioral1/memory/3760-57-0x0000000002400000-0x0000000002412000-memory.dmp	healer
behavioral1/memory/3760-56-0x0000000002400000-0x0000000002412000-memory.dmp	healer
behavioral1/memory/3760-83-0x0000000002400000-0x0000000002412000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

az821167.execor3754.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	az821167.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	az821167.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	cor3754.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	cor3754.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	az821167.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	az821167.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	cor3754.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	cor3754.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	cor3754.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	cor3754.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	az821167.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	az821167.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 19 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1324-92-0x0000000004900000-0x0000000004946000-memory.dmp	family_redline
behavioral1/memory/1324-93-0x0000000005070000-0x00000000050B4000-memory.dmp	family_redline
behavioral1/memory/1324-105-0x0000000005070000-0x00000000050AF000-memory.dmp	family_redline
behavioral1/memory/1324-103-0x0000000005070000-0x00000000050AF000-memory.dmp	family_redline
behavioral1/memory/1324-101-0x0000000005070000-0x00000000050AF000-memory.dmp	family_redline
behavioral1/memory/1324-99-0x0000000005070000-0x00000000050AF000-memory.dmp	family_redline
behavioral1/memory/1324-121-0x0000000005070000-0x00000000050AF000-memory.dmp	family_redline
behavioral1/memory/1324-97-0x0000000005070000-0x00000000050AF000-memory.dmp	family_redline
behavioral1/memory/1324-125-0x0000000005070000-0x00000000050AF000-memory.dmp	family_redline
behavioral1/memory/1324-124-0x0000000005070000-0x00000000050AF000-memory.dmp	family_redline
behavioral1/memory/1324-119-0x0000000005070000-0x00000000050AF000-memory.dmp	family_redline
behavioral1/memory/1324-117-0x0000000005070000-0x00000000050AF000-memory.dmp	family_redline
behavioral1/memory/1324-115-0x0000000005070000-0x00000000050AF000-memory.dmp	family_redline
behavioral1/memory/1324-113-0x0000000005070000-0x00000000050AF000-memory.dmp	family_redline
behavioral1/memory/1324-111-0x0000000005070000-0x00000000050AF000-memory.dmp	family_redline
behavioral1/memory/1324-109-0x0000000005070000-0x00000000050AF000-memory.dmp	family_redline
behavioral1/memory/1324-107-0x0000000005070000-0x00000000050AF000-memory.dmp	family_redline
behavioral1/memory/1324-95-0x0000000005070000-0x00000000050AF000-memory.dmp	family_redline
behavioral1/memory/1324-94-0x0000000005070000-0x00000000050AF000-memory.dmp	family_redline

Redline family
redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

bu523511.exeoneetx.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	bu523511.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	oneetx.exe

Executes dropped EXE 10 IoCs

Processes:

kina4947.exekina9841.exekina8414.exeaz821167.exebu523511.exeoneetx.execor3754.exedVT65s66.exeoneetx.exeoneetx.exe

pid	process
3552	kina4947.exe
2472	kina9841.exe
2968	kina8414.exe
2908	az821167.exe
4628	bu523511.exe
2852	oneetx.exe
3760	cor3754.exe
1324	dVT65s66.exe
1264	oneetx.exe
3396	oneetx.exe

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

az821167.execor3754.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	az821167.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	cor3754.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	cor3754.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

kina4947.exekina9841.exekina8414.exe11acc2d6c049bd254673ee8f512b35ce825591f9551749960b8bd7f4dcc63288.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	kina4947.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	kina9841.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	kina8414.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	11acc2d6c049bd254673ee8f512b35ce825591f9551749960b8bd7f4dcc63288.exe

Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

4256 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
4256	sc.exe

Program crash 29 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4352	4628	WerFault.exe	bu523511.exe
3280	4628	WerFault.exe	bu523511.exe
2792	4628	WerFault.exe	bu523511.exe
2320	4628	WerFault.exe	bu523511.exe
1860	4628	WerFault.exe	bu523511.exe
4220	4628	WerFault.exe	bu523511.exe
212	4628	WerFault.exe	bu523511.exe
5092	4628	WerFault.exe	bu523511.exe
3816	4628	WerFault.exe	bu523511.exe
4440	4628	WerFault.exe	bu523511.exe
2692	4628	WerFault.exe	bu523511.exe
5080	4628	WerFault.exe	bu523511.exe
5104	2852	WerFault.exe	oneetx.exe
5040	2852	WerFault.exe	oneetx.exe
1612	2852	WerFault.exe	oneetx.exe
3776	2852	WerFault.exe	oneetx.exe
4536	2852	WerFault.exe	oneetx.exe
1476	2852	WerFault.exe	oneetx.exe
5068	2852	WerFault.exe	oneetx.exe
1480	2852	WerFault.exe	oneetx.exe
100	2852	WerFault.exe	oneetx.exe
5020	2852	WerFault.exe	oneetx.exe
1204	2852	WerFault.exe	oneetx.exe
2052	3760	WerFault.exe	cor3754.exe
1892	1264	WerFault.exe	oneetx.exe
3808	2852	WerFault.exe	oneetx.exe
3776	3396	WerFault.exe	oneetx.exe
4900	2852	WerFault.exe	oneetx.exe
4112	2852	WerFault.exe	oneetx.exe

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

kina9841.exekina8414.exebu523511.execor3754.exedVT65s66.exe11acc2d6c049bd254673ee8f512b35ce825591f9551749960b8bd7f4dcc63288.exekina4947.exeoneetx.exeschtasks.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kina9841.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kina8414.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bu523511.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cor3754.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dVT65s66.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	11acc2d6c049bd254673ee8f512b35ce825591f9551749960b8bd7f4dcc63288.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kina4947.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	oneetx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

3244 schtasks.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

az821167.execor3754.exe

pid process

2908 az821167.exe
2908 az821167.exe
3760 cor3754.exe
3760 cor3754.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

az821167.execor3754.exedVT65s66.exe

description pid process

Token: SeDebugPrivilege 2908 az821167.exe
Token: SeDebugPrivilege 3760 cor3754.exe
Token: SeDebugPrivilege 1324 dVT65s66.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

bu523511.exe

pid process

4628 bu523511.exe

pid	process
3244	schtasks.exe

pid	process
2908	az821167.exe
2908	az821167.exe
3760	cor3754.exe
3760	cor3754.exe

description	pid	process
Token: SeDebugPrivilege	2908	az821167.exe
Token: SeDebugPrivilege	3760	cor3754.exe
Token: SeDebugPrivilege	1324	dVT65s66.exe

pid	process
4628	bu523511.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

11acc2d6c049bd254673ee8f512b35ce825591f9551749960b8bd7f4dcc63288.exekina4947.exekina9841.exekina8414.exebu523511.exeoneetx.exe

description	pid	process	target process
PID 544 wrote to memory of 3552	544	11acc2d6c049bd254673ee8f512b35ce825591f9551749960b8bd7f4dcc63288.exe	kina4947.exe
PID 544 wrote to memory of 3552	544	11acc2d6c049bd254673ee8f512b35ce825591f9551749960b8bd7f4dcc63288.exe	kina4947.exe
PID 544 wrote to memory of 3552	544	11acc2d6c049bd254673ee8f512b35ce825591f9551749960b8bd7f4dcc63288.exe	kina4947.exe
PID 3552 wrote to memory of 2472	3552	kina4947.exe	kina9841.exe
PID 3552 wrote to memory of 2472	3552	kina4947.exe	kina9841.exe
PID 3552 wrote to memory of 2472	3552	kina4947.exe	kina9841.exe
PID 2472 wrote to memory of 2968	2472	kina9841.exe	kina8414.exe
PID 2472 wrote to memory of 2968	2472	kina9841.exe	kina8414.exe
PID 2472 wrote to memory of 2968	2472	kina9841.exe	kina8414.exe
PID 2968 wrote to memory of 2908	2968	kina8414.exe	az821167.exe
PID 2968 wrote to memory of 2908	2968	kina8414.exe	az821167.exe
PID 2968 wrote to memory of 4628	2968	kina8414.exe	bu523511.exe
PID 2968 wrote to memory of 4628	2968	kina8414.exe	bu523511.exe
PID 2968 wrote to memory of 4628	2968	kina8414.exe	bu523511.exe
PID 4628 wrote to memory of 2852	4628	bu523511.exe	oneetx.exe
PID 4628 wrote to memory of 2852	4628	bu523511.exe	oneetx.exe
PID 4628 wrote to memory of 2852	4628	bu523511.exe	oneetx.exe
PID 2472 wrote to memory of 3760	2472	kina9841.exe	cor3754.exe
PID 2472 wrote to memory of 3760	2472	kina9841.exe	cor3754.exe
PID 2472 wrote to memory of 3760	2472	kina9841.exe	cor3754.exe
PID 2852 wrote to memory of 3244	2852	oneetx.exe	schtasks.exe
PID 2852 wrote to memory of 3244	2852	oneetx.exe	schtasks.exe
PID 2852 wrote to memory of 3244	2852	oneetx.exe	schtasks.exe
PID 3552 wrote to memory of 1324	3552	kina4947.exe	dVT65s66.exe
PID 3552 wrote to memory of 1324	3552	kina4947.exe	dVT65s66.exe
PID 3552 wrote to memory of 1324	3552	kina4947.exe	dVT65s66.exe

C:\Users\Admin\AppData\Local\Temp\11acc2d6c049bd254673ee8f512b35ce825591f9551749960b8bd7f4dcc63288.exe
"C:\Users\Admin\AppData\Local\Temp\11acc2d6c049bd254673ee8f512b35ce825591f9551749960b8bd7f4dcc63288.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:544

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kina4947.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kina4947.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3552

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kina9841.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kina9841.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2472

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kina8414.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kina8414.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2968

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az821167.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az821167.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2908

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu523511.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu523511.exe
5⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4628 -s 696
6⤵
- Program crash
PID:4352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4628 -s 780
6⤵
- Program crash
PID:3280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4628 -s 804
6⤵
- Program crash
PID:2792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4628 -s 968
6⤵
- Program crash
PID:2320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4628 -s 976
6⤵
- Program crash
PID:1860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4628 -s 980
6⤵
- Program crash
PID:4220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4628 -s 1216
6⤵
- Program crash
PID:212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4628 -s 1200
6⤵
- Program crash
PID:5092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4628 -s 1316
6⤵
- Program crash
PID:3816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4628 -s 1700
6⤵
- Program crash
PID:4440

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
"C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe"
6⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2852 -s 708
7⤵
- Program crash
PID:5104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2852 -s 1004
7⤵
- Program crash
PID:5040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2852 -s 1012
7⤵
- Program crash
PID:1612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2852 -s 1088
7⤵
- Program crash
PID:3776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2852 -s 1112
7⤵
- Program crash
PID:4536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2852 -s 1140
7⤵
- Program crash
PID:1476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2852 -s 1004
7⤵
- Program crash
PID:5068

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe" /F
7⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:3244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2852 -s 992
7⤵
- Program crash
PID:1480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2852 -s 772
7⤵
- Program crash
PID:100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2852 -s 1280
7⤵
- Program crash
PID:5020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2852 -s 1320
7⤵
- Program crash
PID:1204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2852 -s 1072
7⤵
- Program crash
PID:3808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2852 -s 1416
7⤵
- Program crash
PID:4900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2852 -s 1412
7⤵
- Program crash
PID:4112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4628 -s 784
6⤵
- Program crash
PID:2692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4628 -s 1388
6⤵
- Program crash
PID:5080

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cor3754.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cor3754.exe
4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3760 -s 1084
5⤵
- Program crash
PID:2052

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dVT65s66.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dVT65s66.exe
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4628 -ip 4628
1⤵
PID:3664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4628 -ip 4628
1⤵
PID:2896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4628 -ip 4628
1⤵
PID:3448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4628 -ip 4628
1⤵
PID:2032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4628 -ip 4628
1⤵
PID:2900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4628 -ip 4628
1⤵
PID:3964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4628 -ip 4628
1⤵
PID:2024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 4628 -ip 4628
1⤵
PID:2884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 4628 -ip 4628
1⤵
PID:4344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 4628 -ip 4628
1⤵
PID:4296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4628 -ip 4628
1⤵
PID:1360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4628 -ip 4628
1⤵
PID:820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2852 -ip 2852
1⤵
PID:396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2852 -ip 2852
1⤵
PID:2720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2852 -ip 2852
1⤵
PID:404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 2852 -ip 2852
1⤵
PID:4124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 2852 -ip 2852
1⤵
PID:2180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 2852 -ip 2852
1⤵
PID:3396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 2852 -ip 2852
1⤵
PID:4292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 2852 -ip 2852
1⤵
PID:2944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 2852 -ip 2852
1⤵
PID:724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 2852 -ip 2852
1⤵
PID:1488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2852 -ip 2852
1⤵
PID:2600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 3760 -ip 3760
1⤵
PID:4220

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
1⤵
- Executes dropped EXE
PID:1264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1264 -s 312
2⤵
- Program crash
PID:1892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1264 -ip 1264
1⤵
PID:712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2852 -ip 2852
1⤵
PID:4788

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
1⤵
- Executes dropped EXE
PID:3396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3396 -s 320
2⤵
- Program crash
PID:3776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 3396 -ip 3396
1⤵
PID:3992

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start wuauserv
1⤵
- Launches sc.exe
PID:4256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2852 -ip 2852
1⤵
PID:1796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2852 -ip 2852
1⤵
PID:4312

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kina4947.exe

Filesize
920KB

MD5
404a88a696faf07ce311993122b26bde

SHA1
f9ae2babd85dc408ef8e4b32eb03520215c704d9

SHA256
c4d01ad4b6fab6b9524d7840e5a906336dfea03ec15fac5ac1daa35a2b87b7b8

SHA512
653d3f8f60e9b9eedad75e46ea8566d6b3d88263733b6a91f6249326dcbe8a6141123a8a7e8e85ca8baf6184e2283f3a6e8e7003f82e0952d71a2f37baec73cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dVT65s66.exe

Filesize
298KB

MD5
6fd75e5b2df81393ad330e0e8a9cd489

SHA1
8ca4e2b293f8ecec85e8c5d046df714c06c8152c

SHA256
a37f7a8f9749758c78812c8fb12c4e61aac3a9b292bd079d4279cc81b5b04cee

SHA512
af42f4b48760279704f2c60be05ada16d07d2e5e75c9dd68fdef8ab01be29b1abff4875c61466edea96d702f1004d1819573fd9a14dcb7a7bd2bd068a136bd67

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kina9841.exe

Filesize
588KB

MD5
d6e3f61440f98b5a5b33251a44bf88f1

SHA1
b6c23e018cd691a82e1d62eaa9c80fe7c7110011

SHA256
a8ca254fac5afb4ba86577ef1baeebda261e87101b4ed06123d6eeea8b193ebe

SHA512
bfe2ce12437cf50f2dd281d2790c02b5f297896882df48276e6735fb02523e828e89f6147386e716a8a3cd3db2b72b68eb195e2505ac493974665a2492960f71

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cor3754.exe

Filesize
239KB

MD5
816f5c3fd7d40c6b8283d0644ae4363c

SHA1
cab9d8421a8a6fe2455880ff77adcaa88e4d94a3

SHA256
5f22090f07b302d130f809d436cf6c89d488f1144ca3db925a9af3ced7c8acbd

SHA512
6c2610f9afd099484616056d93d40e5fdbebfc3bdaf02af251571ff21e8577f238b9b358108c839e2f15e2ef83da6b07f0771a2581a6742840e5eb461dd94fe7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kina8414.exe

Filesize
315KB

MD5
ad7158ff2d6dc5a5ac3fa495de3a3c19

SHA1
64f9d466319842bf1258fe23a98dd849b3ad8b06

SHA256
dbc2759a9c171a02cd7cbbc87826e8b15658d5e7eb7321b045fefcc3c622bbc4

SHA512
3ff76fe460670227afa182c67ed277636bcf4676e6f64ede28019fdbd12c0310a209e0111f0215c505533e7ab1e4b4a55ea342990b601a300f23a649f574c929

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az821167.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu523511.exe

Filesize
231KB

MD5
27d46213f24b50b85930d758e983dcbd

SHA1
f2271208cbc2a0fa43bb26c7ebcf1775b10ee53a

SHA256
7bb18f7c0b2597b3f9b0359894960deafb4ddf0f4f71c03ad88d7ca2742ffeff

SHA512
61ede5ede75f1d84d63731f13ab0477c09e710fcf6e1868b5a671d4f600bcdf13d824f1078abebf443b18ccbb19aebed603373fe6d8c42f0dcc2b0d65e4a5128

Download Submit
memory/1324-109-0x0000000005070000-0x00000000050AF000-memory.dmp

Filesize
252KB

Download
memory/1324-117-0x0000000005070000-0x00000000050AF000-memory.dmp

Filesize
252KB

Download
memory/1324-1002-0x00000000058D0000-0x00000000058E2000-memory.dmp

Filesize
72KB

Download
memory/1324-1001-0x0000000005790000-0x000000000589A000-memory.dmp

Filesize
1.0MB

Download
memory/1324-1000-0x00000000050F0000-0x0000000005708000-memory.dmp

Filesize
6.1MB

Download
memory/1324-94-0x0000000005070000-0x00000000050AF000-memory.dmp

Filesize
252KB

Download
memory/1324-1004-0x0000000005A40000-0x0000000005A8C000-memory.dmp

Filesize
304KB

Download
memory/1324-95-0x0000000005070000-0x00000000050AF000-memory.dmp

Filesize
252KB

Download
memory/1324-107-0x0000000005070000-0x00000000050AF000-memory.dmp

Filesize
252KB

Download
memory/1324-101-0x0000000005070000-0x00000000050AF000-memory.dmp

Filesize
252KB

Download
memory/1324-111-0x0000000005070000-0x00000000050AF000-memory.dmp

Filesize
252KB

Download
memory/1324-113-0x0000000005070000-0x00000000050AF000-memory.dmp

Filesize
252KB

Download
memory/1324-115-0x0000000005070000-0x00000000050AF000-memory.dmp

Filesize
252KB

Download
memory/1324-1003-0x00000000058F0000-0x000000000592C000-memory.dmp

Filesize
240KB

Download
memory/1324-119-0x0000000005070000-0x00000000050AF000-memory.dmp

Filesize
252KB

Download
memory/1324-124-0x0000000005070000-0x00000000050AF000-memory.dmp

Filesize
252KB

Download
memory/1324-125-0x0000000005070000-0x00000000050AF000-memory.dmp

Filesize
252KB

Download
memory/1324-97-0x0000000005070000-0x00000000050AF000-memory.dmp

Filesize
252KB

Download
memory/1324-121-0x0000000005070000-0x00000000050AF000-memory.dmp

Filesize
252KB

Download
memory/1324-103-0x0000000005070000-0x00000000050AF000-memory.dmp

Filesize
252KB

Download
memory/1324-99-0x0000000005070000-0x00000000050AF000-memory.dmp

Filesize
252KB

Download
memory/1324-105-0x0000000005070000-0x00000000050AF000-memory.dmp

Filesize
252KB

Download
memory/1324-92-0x0000000004900000-0x0000000004946000-memory.dmp

Filesize
280KB

Download
memory/1324-93-0x0000000005070000-0x00000000050B4000-memory.dmp

Filesize
272KB

Download
memory/2852-84-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2908-28-0x0000000000700000-0x000000000070A000-memory.dmp

Filesize
40KB

Download
memory/3760-79-0x0000000002400000-0x0000000002412000-memory.dmp

Filesize
72KB

Download
memory/3760-86-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/3760-83-0x0000000002400000-0x0000000002412000-memory.dmp

Filesize
72KB

Download
memory/3760-56-0x0000000002400000-0x0000000002412000-memory.dmp

Filesize
72KB

Download
memory/3760-57-0x0000000002400000-0x0000000002412000-memory.dmp

Filesize
72KB

Download
memory/3760-59-0x0000000002400000-0x0000000002412000-memory.dmp

Filesize
72KB

Download
memory/3760-61-0x0000000002400000-0x0000000002412000-memory.dmp

Filesize
72KB

Download
memory/3760-63-0x0000000002400000-0x0000000002412000-memory.dmp

Filesize
72KB

Download
memory/3760-65-0x0000000002400000-0x0000000002412000-memory.dmp

Filesize
72KB

Download
memory/3760-67-0x0000000002400000-0x0000000002412000-memory.dmp

Filesize
72KB

Download
memory/3760-70-0x0000000002400000-0x0000000002412000-memory.dmp

Filesize
72KB

Download
memory/3760-71-0x0000000002400000-0x0000000002412000-memory.dmp

Filesize
72KB

Download
memory/3760-75-0x0000000002400000-0x0000000002412000-memory.dmp

Filesize
72KB

Download
memory/3760-77-0x0000000002400000-0x0000000002412000-memory.dmp

Filesize
72KB

Download
memory/3760-81-0x0000000002400000-0x0000000002412000-memory.dmp

Filesize
72KB

Download
memory/3760-73-0x0000000002400000-0x0000000002412000-memory.dmp

Filesize
72KB

Download
memory/3760-55-0x0000000002400000-0x0000000002418000-memory.dmp

Filesize
96KB

Download
memory/3760-54-0x0000000004CD0000-0x0000000005274000-memory.dmp

Filesize
5.6MB

Download
memory/3760-53-0x0000000002240000-0x000000000225A000-memory.dmp

Filesize
104KB

Download
memory/4628-48-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download