amadey | 2274fc3d6a67f8daadebadb0e38b5774aa4ed4c33e9710a74142cdd4ae5c3efc

Analysis

max time kernel
149s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10/11/2024, 21:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2274fc3d6a67f8daadebadb0e38b5774aa4ed4c33e9710a74142cdd4ae5c3efc.exe
Size

1.1MB
MD5

5a895d3d74676dca682530f55a20d72a
SHA1

21d6d1a1a48a66272711a9b25e9a5f8abae6c78a
SHA256

2274fc3d6a67f8daadebadb0e38b5774aa4ed4c33e9710a74142cdd4ae5c3efc
SHA512

253ef90f4a54ccbe5bbf720af7efcfef4485e58b18c0ebb759f5423836caad8feb079ecd0c1b7b11d0495616e2474f616d5955ad46b63e53e82519b8eb905d08
SSDEEP

24576:xyZMzgmpdcBdOZlhkzZQTJN+0TcvmRfZSwukAQc3LdFc/:kePDcgjkzWdNOq5ukAz

Score

10^/10

amadey healer redline 9c0adb discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

amadey

Version

3.80

Botnet

9c0adb

http://193.3.19.154

Attributes

install_dir
cb7ae701b3
install_file
oneetx.exe
strings_key
23b27c80db2465a8e1dc15491b69b82f
url_paths
/store/games/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey

Detects Healer an antivirus disabler dropper 34 IoCs

resource	yara_rule
behavioral1/memory/3156-28-0x0000000002310000-0x000000000232A000-memory.dmp	healer
behavioral1/memory/3156-30-0x0000000004AC0000-0x0000000004AD8000-memory.dmp	healer
behavioral1/memory/3156-31-0x0000000004AC0000-0x0000000004AD3000-memory.dmp	healer
behavioral1/memory/3156-44-0x0000000004AC0000-0x0000000004AD3000-memory.dmp	healer
behavioral1/memory/3156-58-0x0000000004AC0000-0x0000000004AD3000-memory.dmp	healer
behavioral1/memory/3156-56-0x0000000004AC0000-0x0000000004AD3000-memory.dmp	healer
behavioral1/memory/3156-54-0x0000000004AC0000-0x0000000004AD3000-memory.dmp	healer
behavioral1/memory/3156-52-0x0000000004AC0000-0x0000000004AD3000-memory.dmp	healer
behavioral1/memory/3156-50-0x0000000004AC0000-0x0000000004AD3000-memory.dmp	healer
behavioral1/memory/3156-48-0x0000000004AC0000-0x0000000004AD3000-memory.dmp	healer
behavioral1/memory/3156-46-0x0000000004AC0000-0x0000000004AD3000-memory.dmp	healer
behavioral1/memory/3156-43-0x0000000004AC0000-0x0000000004AD3000-memory.dmp	healer
behavioral1/memory/3156-40-0x0000000004AC0000-0x0000000004AD3000-memory.dmp	healer
behavioral1/memory/3156-38-0x0000000004AC0000-0x0000000004AD3000-memory.dmp	healer
behavioral1/memory/3156-36-0x0000000004AC0000-0x0000000004AD3000-memory.dmp	healer
behavioral1/memory/3156-34-0x0000000004AC0000-0x0000000004AD3000-memory.dmp	healer
behavioral1/memory/3156-32-0x0000000004AC0000-0x0000000004AD3000-memory.dmp	healer
behavioral1/memory/1304-64-0x0000000002350000-0x000000000236A000-memory.dmp	healer
behavioral1/memory/1304-65-0x00000000024B0000-0x00000000024C8000-memory.dmp	healer
behavioral1/memory/1304-66-0x00000000024B0000-0x00000000024C2000-memory.dmp	healer
behavioral1/memory/1304-71-0x00000000024B0000-0x00000000024C2000-memory.dmp	healer
behavioral1/memory/1304-93-0x00000000024B0000-0x00000000024C2000-memory.dmp	healer
behavioral1/memory/1304-91-0x00000000024B0000-0x00000000024C2000-memory.dmp	healer
behavioral1/memory/1304-89-0x00000000024B0000-0x00000000024C2000-memory.dmp	healer
behavioral1/memory/1304-87-0x00000000024B0000-0x00000000024C2000-memory.dmp	healer
behavioral1/memory/1304-85-0x00000000024B0000-0x00000000024C2000-memory.dmp	healer
behavioral1/memory/1304-83-0x00000000024B0000-0x00000000024C2000-memory.dmp	healer
behavioral1/memory/1304-81-0x00000000024B0000-0x00000000024C2000-memory.dmp	healer
behavioral1/memory/1304-79-0x00000000024B0000-0x00000000024C2000-memory.dmp	healer
behavioral1/memory/1304-77-0x00000000024B0000-0x00000000024C2000-memory.dmp	healer
behavioral1/memory/1304-75-0x00000000024B0000-0x00000000024C2000-memory.dmp	healer
behavioral1/memory/1304-73-0x00000000024B0000-0x00000000024C2000-memory.dmp	healer
behavioral1/memory/1304-69-0x00000000024B0000-0x00000000024C2000-memory.dmp	healer
behavioral1/memory/1304-67-0x00000000024B0000-0x00000000024C2000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 11 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	276995524.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	276995524.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	276995524.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	276995524.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	158805937.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	158805937.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	158805937.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	276995524.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	158805937.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	158805937.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	158805937.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 6 IoCs

resource	yara_rule
behavioral1/memory/528-114-0x0000000002370000-0x00000000023AC000-memory.dmp	family_redline
behavioral1/memory/528-115-0x0000000002480000-0x00000000024BA000-memory.dmp	family_redline
behavioral1/memory/528-117-0x0000000002480000-0x00000000024B5000-memory.dmp	family_redline
behavioral1/memory/528-121-0x0000000002480000-0x00000000024B5000-memory.dmp	family_redline
behavioral1/memory/528-119-0x0000000002480000-0x00000000024B5000-memory.dmp	family_redline
behavioral1/memory/528-116-0x0000000002480000-0x00000000024B5000-memory.dmp	family_redline

Redline family
redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	326348868.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	oneetx.exe

Executes dropped EXE 10 IoCs

pid	Process
4196	Lu587720.exe
3952	hf800068.exe
4008	LB517745.exe
3156	158805937.exe
1304	276995524.exe
1736	326348868.exe
1420	oneetx.exe
528	440969557.exe
2764	oneetx.exe
3092	oneetx.exe

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	158805937.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	276995524.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	158805937.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	hf800068.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	LB517745.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	2274fc3d6a67f8daadebadb0e38b5774aa4ed4c33e9710a74142cdd4ae5c3efc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Lu587720.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
60	1304	WerFault.exe	95

System Location Discovery: System Language Discovery 1 TTPs 17 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	158805937.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2274fc3d6a67f8daadebadb0e38b5774aa4ed4c33e9710a74142cdd4ae5c3efc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LB517745.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hf800068.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	276995524.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	326348868.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	440969557.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lu587720.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	oneetx.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3744	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3156	158805937.exe
3156	158805937.exe
1304	276995524.exe
1304	276995524.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3156	158805937.exe
Token: SeDebugPrivilege	1304	276995524.exe
Token: SeDebugPrivilege	528	440969557.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1736	326348868.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 388 wrote to memory of 4196	388	2274fc3d6a67f8daadebadb0e38b5774aa4ed4c33e9710a74142cdd4ae5c3efc.exe	83
PID 388 wrote to memory of 4196	388	2274fc3d6a67f8daadebadb0e38b5774aa4ed4c33e9710a74142cdd4ae5c3efc.exe	83
PID 388 wrote to memory of 4196	388	2274fc3d6a67f8daadebadb0e38b5774aa4ed4c33e9710a74142cdd4ae5c3efc.exe	83
PID 4196 wrote to memory of 3952	4196	Lu587720.exe	84
PID 4196 wrote to memory of 3952	4196	Lu587720.exe	84
PID 4196 wrote to memory of 3952	4196	Lu587720.exe	84
PID 3952 wrote to memory of 4008	3952	hf800068.exe	85
PID 3952 wrote to memory of 4008	3952	hf800068.exe	85
PID 3952 wrote to memory of 4008	3952	hf800068.exe	85
PID 4008 wrote to memory of 3156	4008	LB517745.exe	87
PID 4008 wrote to memory of 3156	4008	LB517745.exe	87
PID 4008 wrote to memory of 3156	4008	LB517745.exe	87
PID 4008 wrote to memory of 1304	4008	LB517745.exe	95
PID 4008 wrote to memory of 1304	4008	LB517745.exe	95
PID 4008 wrote to memory of 1304	4008	LB517745.exe	95
PID 3952 wrote to memory of 1736	3952	hf800068.exe	99
PID 3952 wrote to memory of 1736	3952	hf800068.exe	99
PID 3952 wrote to memory of 1736	3952	hf800068.exe	99
PID 1736 wrote to memory of 1420	1736	326348868.exe	100
PID 1736 wrote to memory of 1420	1736	326348868.exe	100
PID 1736 wrote to memory of 1420	1736	326348868.exe	100
PID 4196 wrote to memory of 528	4196	Lu587720.exe	101
PID 4196 wrote to memory of 528	4196	Lu587720.exe	101
PID 4196 wrote to memory of 528	4196	Lu587720.exe	101
PID 1420 wrote to memory of 3744	1420	oneetx.exe	102
PID 1420 wrote to memory of 3744	1420	oneetx.exe	102
PID 1420 wrote to memory of 3744	1420	oneetx.exe	102
PID 1420 wrote to memory of 3904	1420	oneetx.exe	104
PID 1420 wrote to memory of 3904	1420	oneetx.exe	104
PID 1420 wrote to memory of 3904	1420	oneetx.exe	104
PID 3904 wrote to memory of 3344	3904	cmd.exe	106
PID 3904 wrote to memory of 3344	3904	cmd.exe	106
PID 3904 wrote to memory of 3344	3904	cmd.exe	106
PID 3904 wrote to memory of 4108	3904	cmd.exe	107
PID 3904 wrote to memory of 4108	3904	cmd.exe	107
PID 3904 wrote to memory of 4108	3904	cmd.exe	107
PID 3904 wrote to memory of 2532	3904	cmd.exe	108
PID 3904 wrote to memory of 2532	3904	cmd.exe	108
PID 3904 wrote to memory of 2532	3904	cmd.exe	108
PID 3904 wrote to memory of 1240	3904	cmd.exe	109
PID 3904 wrote to memory of 1240	3904	cmd.exe	109
PID 3904 wrote to memory of 1240	3904	cmd.exe	109
PID 3904 wrote to memory of 3796	3904	cmd.exe	110
PID 3904 wrote to memory of 3796	3904	cmd.exe	110
PID 3904 wrote to memory of 3796	3904	cmd.exe	110
PID 3904 wrote to memory of 3460	3904	cmd.exe	111
PID 3904 wrote to memory of 3460	3904	cmd.exe	111
PID 3904 wrote to memory of 3460	3904	cmd.exe	111

C:\Users\Admin\AppData\Local\Temp\2274fc3d6a67f8daadebadb0e38b5774aa4ed4c33e9710a74142cdd4ae5c3efc.exe
"C:\Users\Admin\AppData\Local\Temp\2274fc3d6a67f8daadebadb0e38b5774aa4ed4c33e9710a74142cdd4ae5c3efc.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:388
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Lu587720.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Lu587720.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4196
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\hf800068.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\hf800068.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3952
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\LB517745.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\LB517745.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4008
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\158805937.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\158805937.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3156
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\276995524.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\276995524.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1304
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1304 -s 1084
        6⤵
        Program crash
        
        PID:60
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\326348868.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\326348868.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:1736
    - - C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1420
      - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:3744
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3344
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "oneetx.exe" /P "Admin:N"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4108
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "oneetx.exe" /P "Admin:R" /E
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1240
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\cb7ae701b3" /P "Admin:N"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3796
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\cb7ae701b3" /P "Admin:R" /E
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3460
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\440969557.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\440969557.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1304 -ip 1304
1⤵
PID:4840

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
1⤵
- Executes dropped EXE
PID:2764

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
1⤵
- Executes dropped EXE
PID:3092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Lu587720.exe

Filesize
994KB

MD5
3d5086dcf04a88318ff096585b7f62f3

SHA1
3f85e1304c55e2d215170d3a1682918288ea6d32

SHA256
bf67d61e50ceee99489b363f788a0b674bafba83e5e44fcd75f8b7dd5188827a

SHA512
79422f28d33c55aa432f3c256ac38c3874db298b8c5750ca329097d3d349094b4bb0b471510df441416f9d26f73331bd386065e4c93c3e01a22b8f53dbb89a8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\440969557.exe

Filesize
415KB

MD5
eaa267d3059f11f775c940b257f5f30a

SHA1
1fad2f471f202dd7162816e32b300c31ba432fcd

SHA256
4674997c909900c0ab6bea6e41dc548c69eb7f5c377b17a76887627edf778b9c

SHA512
7674a16031231d986b828840a5ea3c2ccbc5fbbb83a98569d5d5513344bf4ea67bd28325ae2d5b89e0bf801179b2a9826c0ae4c3b10144461978e78cf78b58c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\hf800068.exe

Filesize
610KB

MD5
50ab74dae3a5828464f2752f7098ba9f

SHA1
a11edaf64c4fd9d700efe07fa4b0402fd01e5028

SHA256
6e325f0af19cd91e0e073d51c6e2f53665807008a2f405ed1d0954b8bfaa8034

SHA512
943462ede5ddd87a7a68c0537f8cd171aa0e79bb0673d3ebbdb94963f4e8e76902a6fe4d729e2b0b4bb58d5c926357d8e3ad93498d0365714cdec2a65fad9b75

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\326348868.exe

Filesize
204KB

MD5
3f9d1ae5251ef110558cc83d94bfc0a0

SHA1
ec7d5677ecd14500e350646e77538be08187fa24

SHA256
778b48f87c667cd459c326244eae34cf0b672c291635912dac63937493d1be44

SHA512
1b589fd72e1cfacedbf6fc2a3a8dfbde2d0e335519aa86c7a82242e7cc64e7b1d1c2dec5e1d3f28b86572d0c5dff6690684bb515710394069701a98e0c068783

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\LB517745.exe

Filesize
438KB

MD5
7e9abb577741db1839d93520434fd73c

SHA1
12a3e4dde27685688e7a70a7095da1dbb56591be

SHA256
42e0b8a5d34fc60f4b7cb8bc4c6a81e729d61b4162f5186e75cb8221e8c55905

SHA512
05adbdb3f934b8f8795248da85b300eb3e23a44cc50d27ec86fd6a0971f8edab3e29a95aa41451a39936af0b8ff485cd8727f5672faaf26bf5cd16edb0d8f868

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\158805937.exe

Filesize
175KB

MD5
142391b43d3bdc7b0dca3e0a93a27b58

SHA1
c9ba62f7077751934c9749dbe905b6ab6639e827

SHA256
f51a664b818b2c6b38efe07a40bbdeb0ed6209b4561fdbe7ff793f2ba574fc70

SHA512
b42c9490002ac86e2b92f0c15f95aa3d55c278fc5c06493e73f5ab7deca5504abf1b8b2de04bd7fa61a9f5f55316ed8f18d1bbd06b0eb80106096e86d3c2c6ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\276995524.exe

Filesize
333KB

MD5
15625910587867df2863cb7a6303613f

SHA1
f284feaa5b1f12f85f470390f988793348cd7d78

SHA256
8a8ac40b9a82c7299603b9cb2cf6e2b0ab8ec6cf09d178ca7b0cee2c9318870a

SHA512
1cc74dbcba18c9a1cdc66bb9e0fef6a47f352808676ffedfcd56afb3d6cb607d8e0580925f28ab2b7eec01a56af4e102565f1a318600af4d9fe58904c69f0cb2

Download Submit
memory/528-908-0x0000000007BD0000-0x00000000081E8000-memory.dmp

Filesize
6.1MB

Download
memory/528-910-0x0000000007600000-0x000000000770A000-memory.dmp

Filesize
1.0MB

Download
memory/528-116-0x0000000002480000-0x00000000024B5000-memory.dmp

Filesize
212KB

Download
memory/528-119-0x0000000002480000-0x00000000024B5000-memory.dmp

Filesize
212KB

Download
memory/528-121-0x0000000002480000-0x00000000024B5000-memory.dmp

Filesize
212KB

Download
memory/528-117-0x0000000002480000-0x00000000024B5000-memory.dmp

Filesize
212KB

Download
memory/528-115-0x0000000002480000-0x00000000024BA000-memory.dmp

Filesize
232KB

Download
memory/528-114-0x0000000002370000-0x00000000023AC000-memory.dmp

Filesize
240KB

Download
memory/528-909-0x00000000075E0000-0x00000000075F2000-memory.dmp

Filesize
72KB

Download
memory/528-911-0x0000000007720000-0x000000000775C000-memory.dmp

Filesize
240KB

Download
memory/528-912-0x00000000046B0000-0x00000000046FC000-memory.dmp

Filesize
304KB

Download
memory/1304-67-0x00000000024B0000-0x00000000024C2000-memory.dmp

Filesize
72KB

Download
memory/1304-73-0x00000000024B0000-0x00000000024C2000-memory.dmp

Filesize
72KB

Download
memory/1304-96-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1304-94-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1304-69-0x00000000024B0000-0x00000000024C2000-memory.dmp

Filesize
72KB

Download
memory/1304-64-0x0000000002350000-0x000000000236A000-memory.dmp

Filesize
104KB

Download
memory/1304-65-0x00000000024B0000-0x00000000024C8000-memory.dmp

Filesize
96KB

Download
memory/1304-66-0x00000000024B0000-0x00000000024C2000-memory.dmp

Filesize
72KB

Download
memory/1304-71-0x00000000024B0000-0x00000000024C2000-memory.dmp

Filesize
72KB

Download
memory/1304-93-0x00000000024B0000-0x00000000024C2000-memory.dmp

Filesize
72KB

Download
memory/1304-91-0x00000000024B0000-0x00000000024C2000-memory.dmp

Filesize
72KB

Download
memory/1304-89-0x00000000024B0000-0x00000000024C2000-memory.dmp

Filesize
72KB

Download
memory/1304-87-0x00000000024B0000-0x00000000024C2000-memory.dmp

Filesize
72KB

Download
memory/1304-85-0x00000000024B0000-0x00000000024C2000-memory.dmp

Filesize
72KB

Download
memory/1304-83-0x00000000024B0000-0x00000000024C2000-memory.dmp

Filesize
72KB

Download
memory/1304-81-0x00000000024B0000-0x00000000024C2000-memory.dmp

Filesize
72KB

Download
memory/1304-79-0x00000000024B0000-0x00000000024C2000-memory.dmp

Filesize
72KB

Download
memory/1304-77-0x00000000024B0000-0x00000000024C2000-memory.dmp

Filesize
72KB

Download
memory/1304-75-0x00000000024B0000-0x00000000024C2000-memory.dmp

Filesize
72KB

Download
memory/3156-50-0x0000000004AC0000-0x0000000004AD3000-memory.dmp

Filesize
76KB

Download
memory/3156-54-0x0000000004AC0000-0x0000000004AD3000-memory.dmp

Filesize
76KB

Download
memory/3156-40-0x0000000004AC0000-0x0000000004AD3000-memory.dmp

Filesize
76KB

Download
memory/3156-32-0x0000000004AC0000-0x0000000004AD3000-memory.dmp

Filesize
76KB

Download
memory/3156-34-0x0000000004AC0000-0x0000000004AD3000-memory.dmp

Filesize
76KB

Download
memory/3156-43-0x0000000004AC0000-0x0000000004AD3000-memory.dmp

Filesize
76KB

Download
memory/3156-46-0x0000000004AC0000-0x0000000004AD3000-memory.dmp

Filesize
76KB

Download
memory/3156-48-0x0000000004AC0000-0x0000000004AD3000-memory.dmp

Filesize
76KB

Download
memory/3156-38-0x0000000004AC0000-0x0000000004AD3000-memory.dmp

Filesize
76KB

Download
memory/3156-36-0x0000000004AC0000-0x0000000004AD3000-memory.dmp

Filesize
76KB

Download
memory/3156-52-0x0000000004AC0000-0x0000000004AD3000-memory.dmp

Filesize
76KB

Download
memory/3156-56-0x0000000004AC0000-0x0000000004AD3000-memory.dmp

Filesize
76KB

Download
memory/3156-58-0x0000000004AC0000-0x0000000004AD3000-memory.dmp

Filesize
76KB

Download
memory/3156-44-0x0000000004AC0000-0x0000000004AD3000-memory.dmp

Filesize
76KB

Download
memory/3156-31-0x0000000004AC0000-0x0000000004AD3000-memory.dmp

Filesize
76KB

Download
memory/3156-30-0x0000000004AC0000-0x0000000004AD8000-memory.dmp

Filesize
96KB

Download
memory/3156-29-0x0000000004B30000-0x00000000050D4000-memory.dmp

Filesize
5.6MB

Download
memory/3156-28-0x0000000002310000-0x000000000232A000-memory.dmp

Filesize
104KB

Download