Analysis
max time kernel: 148s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-11-2024 01:26
Static task: static1
Behavioral task: behavioral1
Sample: bd05f1aabb282e649812df8d9e30363a76b00bf400756fd419a31cb4808d6751.exe
Resource: win10v2004-20241007-en
General
Target: bd05f1aabb282e649812df8d9e30363a76b00bf400756fd419a31cb4808d6751.exe
Size: 1.1MB
MD5: 02ea92117780415bab2a5272571e5981
SHA1: 9cea6857b20378f53d4614e9480df8a36b3dc23a
SHA256: bd05f1aabb282e649812df8d9e30363a76b00bf400756fd419a31cb4808d6751
SHA512: 8179ce727e9e146115c82e9ef04b941d609ef3733257f6c4ac48b06cc421986de2b53d63548c1432b24d8b3a6118a054fa32981338c4ece9fdb1c5c094ccc7e7
SSDEEP: 24576:wy49Vo+Wk0ADAkXWmNBjjJXwqkB4zL+zuo1cJf2lENDZI:34AZr2WmNBjjlwT6+zuo1cJYCD
Malware Config
Extracted
Family: amadey
Version: 3.80
Botnet ID: 9c0adb
C2: http://193.3.19.154
install_dir: cb7ae701b3
install_file: oneetx.exe
strings_key: 23b27c80db2465a8e1dc15491b69b82f
url_paths: /store/games/index.php
The check-in endpoint is the C2 host joined with url_paths, i.e. http://193.3.19.154/store/games/index.php. install_dir and install_file give the on-disk install location, C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe, which is exactly where the process tree below shows the loader being copied, ACL-locked and scheduled.
Signatures
Amadey family
Detects Healer, an antivirus disabler dropper (17 IoCs)
All 17 hits are YARA rule "healer" matches on memory dumps of PID 1580 (173531645.exe):
behavioral1/memory/1580-28-0x0000000002100000-0x000000000211A000-memory.dmp
behavioral1/memory/1580-30-0x0000000004980000-0x0000000004998000-memory.dmp
behavioral1/memory/1580-56-0x0000000004980000-0x0000000004993000-memory.dmp
behavioral1/memory/1580-54-0x0000000004980000-0x0000000004993000-memory.dmp
behavioral1/memory/1580-52-0x0000000004980000-0x0000000004993000-memory.dmp
behavioral1/memory/1580-50-0x0000000004980000-0x0000000004993000-memory.dmp
behavioral1/memory/1580-48-0x0000000004980000-0x0000000004993000-memory.dmp
behavioral1/memory/1580-46-0x0000000004980000-0x0000000004993000-memory.dmp
behavioral1/memory/1580-45-0x0000000004980000-0x0000000004993000-memory.dmp
behavioral1/memory/1580-42-0x0000000004980000-0x0000000004993000-memory.dmp
behavioral1/memory/1580-58-0x0000000004980000-0x0000000004993000-memory.dmp
behavioral1/memory/1580-40-0x0000000004980000-0x0000000004993000-memory.dmp
behavioral1/memory/1580-39-0x0000000004980000-0x0000000004993000-memory.dmp
behavioral1/memory/1580-36-0x0000000004980000-0x0000000004993000-memory.dmp
behavioral1/memory/1580-34-0x0000000004980000-0x0000000004993000-memory.dmp
behavioral1/memory/1580-31-0x0000000004980000-0x0000000004993000-memory.dmp
behavioral1/memory/1580-32-0x0000000004980000-0x0000000004993000-memory.dmp
Healer family
Modifies Windows Defender Real-time Protection settings (2 processes)
Both Healer droppers write the same five policy overrides under HKLM\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection:
Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection (173531645.exe)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" (173531645.exe)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" (173531645.exe)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" (173531645.exe)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" (173531645.exe)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" (173531645.exe)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" (241387287.exe)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" (241387287.exe)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" (241387287.exe)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" (241387287.exe)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" (241387287.exe)
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (6 IoCs)
YARA rule family_redline matches. PID 4764 is the second instance of 417106916.exe (the SetThreadContext target below); PID 2176 is 592905642.exe, which also matches on disk:
behavioral1/memory/4764-117-0x00000000022C0000-0x00000000022FC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\592905642.exe (dropped file)
behavioral1/memory/4764-123-0x0000000002560000-0x0000000002595000-memory.dmp
behavioral1/memory/4764-124-0x0000000002560000-0x0000000002595000-memory.dmp
behavioral1/memory/2176-122-0x0000000000BB0000-0x0000000000BD8000-memory.dmp
behavioral1/memory/4764-121-0x0000000002560000-0x000000000259A000-memory.dmp
Redline family
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely for geofencing.
Key value queried: \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation (371786097.exe)
Key value queried: \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation (oneetx.exe)
Executes dropped EXE (12 IoCs)
PID 1572 CQ358647.exe
PID 4288 jl333720.exe
PID 1348 GM344696.exe
PID 1580 173531645.exe
PID 3624 241387287.exe
PID 3288 371786097.exe
PID 1080 oneetx.exe
PID 3548 417106916.exe
PID 4764 417106916.exe
PID 2176 592905642.exe
PID 6052 oneetx.exe
PID 1968 oneetx.exe
Windows security modification (3 IoCs)
Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features (173531645.exe)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" (173531645.exe)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" (241387287.exe)
Caveat: on a host where Tamper Protection is enabled, Defender protects this value and ignores the Real-Time Protection policy overrides above, so the fact that these registry writes succeeded in the sandbox does not show the disables would take effect on a hardened endpoint. The writes are still a high-confidence detection signal regardless of their effect.
Adds Run key to start application (2 TTPs, 4 IoCs)
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (bd05f1aabb282e649812df8d9e30363a76b00bf400756fd419a31cb4808d6751.exe)
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (CQ358647.exe)
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" (jl333720.exe)
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" (GM344696.exe)
Caveat: these four RunOnce entries are the cleanup hook that the Windows self-extractor (wextract) writes for each of its IXP00n.TMP extraction directories; at next logon advpack.dll's DelNodeRunDLL32 deletes those directories. They show that the sample is a four-level nested SFX chain (IXP000 to IXP003), not that the payload persists through RunOnce. The persistence in this run is the oneetx.exe scheduled task.
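The three registry signatures above (Real-Time Protection policy overrides, TamperProtection cleared, wextract RunOnce cleanup) are easy to turn into detection logic over endpoint telemetry. The following is an added example written for this page, not code from the sandbox or from the malware: it classifies Sysmon-style registry value-set events (EventID 13 fields Image, TargetObject, Details are assumed) and rates each writing image. SAMPLE_EVENTS is constructed to mirror this report's IoCs plus two negatives; it is not real log output.

```python
"""Flag the Defender-tampering and RunOnce writes this report lists, from Sysmon-style events.

Added example for this report page; it is not sandbox or malware code. Each event is a dict
with the Sysmon EventID 13 (RegistryEvent, Value Set) fields Image, TargetObject and Details;
SAMPLE_EVENTS is constructed to mirror the report's IoCs and is not real log output.
"""
import re

# Policy values under Real-Time Protection that switch a protection off when set to 1.
RTP_DISABLE_VALUES = {
    "DisableRealtimeMonitoring",
    "DisableBehaviorMonitoring",
    "DisableIOAVProtection",
    "DisableOnAccessProtection",
    "DisableScanOnRealtimeEnable",
}

# Tails only, so both Sysmon's HKLM\... and the report's \REGISTRY\MACHINE\... spelling match.
RTP_POLICY_RE = re.compile(
    r"\\SOFTWARE\\(?:WOW6432Node\\)?Policies\\Microsoft\\Windows Defender"
    r"\\Real-Time Protection\\(?P<value>[^\\]+)$", re.IGNORECASE)
TAMPER_RE = re.compile(
    r"\\SOFTWARE\\(?:WOW6432Node\\)?Microsoft\\Windows Defender\\Features\\TamperProtection$",
    re.IGNORECASE)
RUNONCE_RE = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\(?P<name>[^\\]+)$", re.IGNORECASE)

SAMPLE_EVENTS = [  # constructed from the report's IoCs, plus two non-matching events
    {"Image": r"C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\173531645.exe",
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring",
     "Details": "DWORD (0x00000001)"},
    {"Image": r"C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\173531645.exe",
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring",
     "Details": "DWORD (0x00000001)"},
    {"Image": r"C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\173531645.exe",
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection",
     "Details": "DWORD (0x00000000)"},
    {"Image": r"C:\Users\Admin\AppData\Local\Temp\bd05f1aabb282e649812df8d9e30363a76b00bf400756fd419a31cb4808d6751.exe",
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0",
     "Details": r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"'},
    {"Image": r"C:\Windows\System32\gpupdate.exe",  # policy value set back to 0: not a finding
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring",
     "Details": "DWORD (0x00000000)"},
    {"Image": r"C:\Windows\System32\msiexec.exe",  # ordinary RunOnce entry: informational only
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\SetupCleanup",
     "Details": r"C:\Windows\Temp\cleanup.cmd"},
]


def dword(details):
    """Integer from Sysmon's 'DWORD (0x00000001)' form or a bare number; None for strings."""
    m = re.fullmatch(r"DWORD \((0x[0-9a-fA-F]+)\)", details.strip())
    if m:
        return int(m.group(1), 16)
    try:
        return int(details.strip().strip('"'))
    except ValueError:
        return None


def classify(event):
    """Return (kind, value_name, writer_image) for one value-set event, or None."""
    target, details, image = event["TargetObject"], event.get("Details", ""), event["Image"]
    m = RTP_POLICY_RE.search(target)
    if m and m.group("value") in RTP_DISABLE_VALUES and dword(details) == 1:
        return ("defender_rtp_disabled", m.group("value"), image)
    if TAMPER_RE.search(target) and dword(details) == 0:
        return ("defender_tamper_protection_off", "TamperProtection", image)
    m = RUNONCE_RE.search(target)
    if m:
        # wextract's own cleanup hook: deletes the IXP00n.TMP extraction dir at next logon.
        if m.group("name").lower().startswith("wextract_cleanup") and "DelNodeRunDLL32" in details:
            return ("wextract_sfx_cleanup", m.group("name"), image)
        return ("runonce_entry", m.group("name"), image)
    return None


def scan(events):
    """Findings for every event, in input order."""
    return [f for f in map(classify, events) if f is not None]


def rate(findings):
    """Per writer image: 'high' when it both cleared TamperProtection and set an RTP disable
    value, 'medium' for either alone, 'info' for RunOnce / SFX cleanup writes."""
    kinds_by_image = {}
    for kind, _name, image in findings:
        kinds_by_image.setdefault(image, set()).add(kind)
    tamper = {"defender_rtp_disabled", "defender_tamper_protection_off"}
    return {img: "high" if tamper <= kinds else "medium" if kinds & tamper else "info"
            for img, kinds in kinds_by_image.items()}


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
    print(rate(scan(SAMPLE_EVENTS)))
```

The wextract cleanup entries are kept as "info" rather than dropped: on their own they are benign, but four of them in a row from a freshly downloaded executable are a cheap indicator of the nested-SFX packaging this sample uses.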
Suspicious use of SetThreadContext (1 IoC)
PID 3548 (417106916.exe) set the thread context of PID 4764, a second instance of its own image that it created and wrote into nine times (see WriteProcessMemory below). Combined with the RedLine YARA hits in PID 4764's memory, this is the process-hollowing sequence: start a copy of the host image, overwrite it with the payload, redirect the main thread to the new entry point and resume it.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Program crash (1 IoC)
WerFault.exe (PID 3084) handled a crash of PID 3624 (241387287.exe, the second Healer dropper), so that process did not run to completion.
System Location Discovery: System Language Discovery (1 TTP, 19 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
All 19 IoCs are opens of \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by (in order): GM344696.exe, 173531645.exe, cmd.exe, cacls.exe, bd05f1aabb282e649812df8d9e30363a76b00bf400756fd419a31cb4808d6751.exe, 371786097.exe, schtasks.exe, cmd.exe, cacls.exe, 417106916.exe, 592905642.exe, 241387287.exe, oneetx.exe, cacls.exe, jl333720.exe, 417106916.exe, cmd.exe, cacls.exe, CQ358647.exe.
Caveat: the built-in cmd.exe, cacls.exe and schtasks.exe instances hit this signature too, so the key open alone is a weak signal; the Geo\Nation lookup under "Checks computer location settings" is the deliberate geofence check.
Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
The IoC is the schtasks.exe launched by oneetx.exe (PID 1796) in the process tree: a task named oneetx.exe that re-runs C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe every minute (/SC MINUTE /MO 1 /F).
Suspicious behavior: EnumeratesProcesses (4 IoCs)
PID 1580 173531645.exe (2 IoCs)
PID 3624 241387287.exe (2 IoCs)
Suspicious use of AdjustPrivilegeToken (3 IoCs)
Token: SeDebugPrivilege, PID 1580 173531645.exe
Token: SeDebugPrivilege, PID 3624 241387287.exe
Token: SeDebugPrivilege, PID 4764 417106916.exe
Suspicious use of WriteProcessMemory (60 IoCs)
Writer PID -> target PID (writer image -> target image), with the number of writes recorded:
PID 3312 -> 1572: bd05f1aabb282e649812df8d9e30363a76b00bf400756fd419a31cb4808d6751.exe -> CQ358647.exe (3 writes)
PID 1572 -> 4288: CQ358647.exe -> jl333720.exe (3 writes)
PID 4288 -> 1348: jl333720.exe -> GM344696.exe (3 writes)
PID 1348 -> 1580: GM344696.exe -> 173531645.exe (3 writes)
PID 1348 -> 3624: GM344696.exe -> 241387287.exe (3 writes)
PID 4288 -> 3288: jl333720.exe -> 371786097.exe (3 writes)
PID 3288 -> 1080: 371786097.exe -> oneetx.exe (3 writes)
PID 1572 -> 3548: CQ358647.exe -> 417106916.exe (3 writes)
PID 1080 -> 1796: oneetx.exe -> schtasks.exe (3 writes)
PID 1080 -> 1084: oneetx.exe -> cmd.exe (3 writes)
PID 1084 -> 4848: cmd.exe -> cmd.exe (3 writes)
PID 1084 -> 4568: cmd.exe -> cacls.exe (3 writes)
PID 1084 -> 2052: cmd.exe -> cacls.exe (3 writes)
PID 1084 -> 2204: cmd.exe -> cmd.exe (3 writes)
PID 1084 -> 3500: cmd.exe -> cacls.exe (3 writes)
PID 1084 -> 3792: cmd.exe -> cacls.exe (3 writes)
PID 3548 -> 4764: 417106916.exe -> 417106916.exe (9 writes)
PID 3312 -> 2176: bd05f1aabb282e649812df8d9e30363a76b00bf400756fd419a31cb4808d6751.exe -> 592905642.exe (3 writes)
Caveat: the uniform three writes per parent-child pair are the footprint of ordinary process creation in this run (cmd.exe launching cacls.exe produces the same three). The one pair that stands out is 3548 -> 4764, nine writes into a child with the same image, which is the SetThreadContext target above.
Processes
Depth in brackets is the nesting shown in the report; the command line is listed only where it differs from the image path.
[1] PID 3312  C:\Users\Admin\AppData\Local\Temp\bd05f1aabb282e649812df8d9e30363a76b00bf400756fd419a31cb4808d6751.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\bd05f1aabb282e649812df8d9e30363a76b00bf400756fd419a31cb4808d6751.exe"
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
  [2] PID 1572  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CQ358647.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
    [3] PID 4288  C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jl333720.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
      [4] PID 1348  C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\GM344696.exe
          - Executes dropped EXE
          - Adds Run key to start application
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
        [5] PID 1580  C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\173531645.exe
            - Modifies Windows Defender Real-time Protection settings
            - Executes dropped EXE
            - Windows security modification
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
        [5] PID 3624  C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\241387287.exe
            - Modifies Windows Defender Real-time Protection settings
            - Executes dropped EXE
            - Windows security modification
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
          [6] PID 3084  C:\Windows\SysWOW64\WerFault.exe
              command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3624 -s 1080
              - Program crash
      [4] PID 3288  C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\371786097.exe
          - Checks computer location settings
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
        [5] PID 1080  C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
            command line: "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"
            - Checks computer location settings
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
          [6] PID 1796  C:\Windows\SysWOW64\schtasks.exe
              command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F
              - System Location Discovery: System Language Discovery
              - Scheduled Task/Job: Scheduled Task
          [6] PID 1084  C:\Windows\SysWOW64\cmd.exe
              command line: "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit
              - System Location Discovery: System Language Discovery
              - Suspicious use of WriteProcessMemory
            [7] PID 4848  C:\Windows\SysWOW64\cmd.exe
                command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                - System Location Discovery: System Language Discovery
            [7] PID 4568  C:\Windows\SysWOW64\cacls.exe
                command line: CACLS "oneetx.exe" /P "Admin:N"
                - System Location Discovery: System Language Discovery
            [7] PID 2052  C:\Windows\SysWOW64\cacls.exe
                command line: CACLS "oneetx.exe" /P "Admin:R" /E
                - System Location Discovery: System Language Discovery
            [7] PID 2204  C:\Windows\SysWOW64\cmd.exe
                command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                - System Location Discovery: System Language Discovery
            [7] PID 3500  C:\Windows\SysWOW64\cacls.exe
                command line: CACLS "..\cb7ae701b3" /P "Admin:N"
                - System Location Discovery: System Language Discovery
            [7] PID 3792  C:\Windows\SysWOW64\cacls.exe
                command line: CACLS "..\cb7ae701b3" /P "Admin:R" /E
                - System Location Discovery: System Language Discovery
    [3] PID 3548  C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\417106916.exe
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
      [4] PID 4764  C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\417106916.exe
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious use of AdjustPrivilegeToken
  [2] PID 2176  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\592905642.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
[1] PID 4868  C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3624 -ip 3624
[1] PID 6052  C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
    - Executes dropped EXE
[1] PID 1968  C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
    - Executes dropped EXE
Reading the tree: each IXP00n.TMP layer is one wextract self-extractor unpacking the next; GM344696.exe runs the two Healer droppers, 371786097.exe installs the Amadey loader oneetx.exe, and 417106916.exe hollows a copy of itself with RedLine. The oneetx.exe cmd.exe chain first replaces the ACL on the dropped file and its directory with a deny-all for the Admin user (the piped "echo Y" answers cacls' confirmation prompt), then adds Read back with /E, so the account that installed it can no longer modify or delete it. The two top-level oneetx.exe launches (PIDs 6052 and 1968) are consistent with the once-a-minute scheduled task firing during the run.
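Three findings in this tree are worth automating: the self-hollowing of 417106916.exe, the once-a-minute schtasks persistence, and the cacls ACL lockdown of oneetx.exe. The block below is an added example written for this page, not code from the sandbox or the malware. It works on a constructed process list and API-call list rebuilt from the PIDs, images, command lines and WriteProcessMemory/SetThreadContext IoCs the report shows; the field names (pid, ppid, image, cmdline, api, target) are this example's own convention and not a sandbox or Sysmon schema. The hollowing check is written generally, so it also fires when the target is a different image than the parent, not only the same-image case seen here.

```python
"""Reconstruct the injection and persistence story from the process tree above.

Added example for this report page, not sandbox or malware code. PROCS and API_EVENTS are
constructed from the PIDs, images, command lines and WriteProcessMemory/SetThreadContext
IoCs the report shows; cmdline is left empty where the report shows it equal to the image.
"""
import re
from collections import Counter

TMP = r"C:\Users\Admin\AppData\Local\Temp"

PROCS = [  # constructed from the report's process tree
    {"pid": 3312, "ppid": None, "image": TMP + r"\bd05f1aabb282e649812df8d9e30363a76b00bf400756fd419a31cb4808d6751.exe", "cmdline": ""},
    {"pid": 1572, "ppid": 3312, "image": TMP + r"\IXP000.TMP\CQ358647.exe", "cmdline": ""},
    {"pid": 4288, "ppid": 1572, "image": TMP + r"\IXP001.TMP\jl333720.exe", "cmdline": ""},
    {"pid": 3548, "ppid": 1572, "image": TMP + r"\IXP001.TMP\417106916.exe", "cmdline": ""},
    {"pid": 4764, "ppid": 3548, "image": TMP + r"\IXP001.TMP\417106916.exe", "cmdline": ""},
    {"pid": 3288, "ppid": 4288, "image": TMP + r"\IXP002.TMP\371786097.exe", "cmdline": ""},
    {"pid": 1080, "ppid": 3288, "image": TMP + r"\cb7ae701b3\oneetx.exe", "cmdline": ""},
    {"pid": 1796, "ppid": 1080, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe '
                r'/TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F'},
    {"pid": 1084, "ppid": 1080, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E'
                r'&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit'},
    {"pid": 4568, "ppid": 1084, "image": r"C:\Windows\SysWOW64\cacls.exe", "cmdline": r'CACLS "oneetx.exe" /P "Admin:N"'},
    {"pid": 2052, "ppid": 1084, "image": r"C:\Windows\SysWOW64\cacls.exe", "cmdline": r'CACLS "oneetx.exe" /P "Admin:R" /E'},
    {"pid": 3500, "ppid": 1084, "image": r"C:\Windows\SysWOW64\cacls.exe", "cmdline": r'CACLS "..\cb7ae701b3" /P "Admin:N"'},
    {"pid": 3792, "ppid": 1084, "image": r"C:\Windows\SysWOW64\cacls.exe", "cmdline": r'CACLS "..\cb7ae701b3" /P "Admin:R" /E'},
]

API_EVENTS = (  # constructed from the WriteProcessMemory / SetThreadContext IoCs above
    [{"api": "WriteProcessMemory", "pid": 3312, "target": 1572}] * 3
    + [{"api": "WriteProcessMemory", "pid": 1572, "target": 3548}] * 3
    + [{"api": "WriteProcessMemory", "pid": 3548, "target": 4764}] * 9
    + [{"api": "SetThreadContext", "pid": 3548, "target": 4764}]
)


def hollowing_candidates(procs, events):
    """Parent created the child, wrote into it, then called SetThreadContext on it: the
    process-hollowing sequence. same_image marks the self-injection variant in this report;
    the check also fires when the target is a different (e.g. signed system) image."""
    by_pid = {p["pid"]: p for p in procs}
    writes = Counter((e["pid"], e["target"]) for e in events if e["api"] == "WriteProcessMemory")
    found = []
    for e in events:
        if e["api"] != "SetThreadContext":
            continue
        parent, child = by_pid.get(e["pid"]), by_pid.get(e["target"])
        if not parent or not child or child["ppid"] != parent["pid"]:
            continue
        n = writes[(parent["pid"], child["pid"])]
        if n == 0:
            continue
        found.append({"parent_pid": parent["pid"], "child_pid": child["pid"], "image": child["image"],
                      "writes": n, "same_image": parent["image"].lower() == child["image"].lower()})
    return found


def _flag(cmd, name):
    """Value of a /NAME argument, quoted or bare (schtasks style)."""
    m = re.search(r"/" + name + r'\s+("[^"]*"|\S+)', cmd, re.IGNORECASE)
    return m.group(1).strip('"') if m else None


def scheduled_task_findings(procs):
    """schtasks /Create invocations with schedule, interval, task name and run target."""
    found = []
    for p in procs:
        cmd = p["cmdline"]
        if not p["image"].lower().endswith("schtasks.exe") or not re.search(r"/create\b", cmd, re.I):
            continue
        every = _flag(cmd, "MO")
        found.append({"pid": p["pid"], "name": _flag(cmd, "TN"), "schedule": (_flag(cmd, "SC") or "").upper(),
                      "every": int(every) if every else None, "run": _flag(cmd, "TR"),
                      "force": bool(re.search(r"/F\b", cmd, re.I))})
    return found


def acl_lockdown_findings(procs):
    """cacls <target> /P user:perm calls. Without /E, /P replaces the whole ACL (cacls asks
    'Are you sure', hence the piped echo Y); with /E it edits the existing ACL."""
    found = []
    for p in procs:
        if not p["image"].lower().endswith("cacls.exe"):
            continue
        m = re.search(r'\s"?(?P<target>[^"\s]+)"?\s+/P\s+"?(?P<user>[^":]+):(?P<perm>[NRWCF])"?', p["cmdline"], re.I)
        if m:
            found.append({"pid": p["pid"], "target": m["target"], "user": m["user"], "perm": m["perm"].upper(),
                          "edit": bool(re.search(r"/E\b", p["cmdline"], re.I))})
    return found


def lockdown_summary(findings):
    """Net effect per target: a deny-all (N without /E) followed by an /E grant leaves the user
    with only the granted right, so the file stays readable but not writable or deletable."""
    net = {}
    for f in findings:
        if f["perm"] == "N" and not f["edit"]:
            net[f["target"]] = f"deny-all for {f['user']}"
        elif f["edit"] and f["target"] in net:
            net[f["target"]] = f"{f['user']}: {f['perm']} only"
    return net
```

Run against real telemetry, the three functions need only a process list with parent PIDs and command lines plus the two API events, which EDR or sandbox exports generally provide; the hollowing rule should be paired with a memory scan of the child, as the sandbox's family_redline hits on PID 4764 do here.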
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1): Windows Service (1)
  Scheduled Task/Job (1): Scheduled Task (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1): Windows Service (1)
  Scheduled Task/Job (1): Scheduled Task (1)
Downloads (8 files)
Filesize: 136KB
MD5: 100a9d616da8dbb82fd696af48f1891e
SHA1: ca5011879625e02ef42b732232885c736d30fbd0
SHA256: 307c15e07a61de6f9d9c4cbf949504460d8f1725e812c97ca2aa8656180bd18e
SHA512: 0f8f3271c8a466502da57f6f2e126f96e3cca594334242f700d900dafad856120206353e77896e49b3f12a50193e4e4b78c6a8ba7529cb4dfea18e97909a70c5

Filesize: 940KB
MD5: 6d4c69e485cda470e0e520484bdf8ffc
SHA1: 8f0fd745a678be9d1f26e6e749be129bead771b1
SHA256: f4d386660fa1295364b0c62216bdb9ab9765b176774c59380764ed5fde617bb8
SHA512: ba7fe6386ddccc583a54dd72758a15d803f22f93bcf35540dd61550637c1f5a2fc1a45712600a9173737b31345fcee78c23c654aeb8e589d4a66facd87c2b566

Filesize: 342KB
MD5: 87ae6e0ec4e835d5a476b312a62dcdc3
SHA1: 9bfa479bc59a8153901c766bc2dc3e7faa4b993d
SHA256: 948b51d0b7b480000ecf0f9634f2112d0c940a6277fedacf697bf21ac7c58293
SHA512: 1b75194daf0909b14dee53b5c518dbdbe1bbf337edaf80fc2e785d581a8c07b1206cf4c4d408a4b962c534eb2ae9cb89f86d99f13f095d84a9d3f28342a0c127

Filesize: 585KB
MD5: 18a3145a836714106a300a27a17b9d6c
SHA1: 7a29a99e32eabfae1f0c6de903f87809e92ac149
SHA256: dcebde37a04a6abe051556d8ea7d02c7c983dfebb71b8eff8aa797f489c04bce
SHA512: 6fe9fd407f206df13d6102c73d9d1fe173d7e96ca58469c03e7edbbbf51d303539040cadb8e49a3ebf591c5e4d0914bb2e94ccc33cb9c2445b38f7309b070273

Filesize: 204KB
MD5: 1304f384653e08ae497008ff13498608
SHA1: d9a76ed63d74d4217c5027757cb9a7a0d0093080
SHA256: 2a9dabab35fb09085750e1cc762e32b0fe4cbd7ed4276ef7e68ba159ae330eaa
SHA512: 4138217fd538e827c89db5c0cd4ea21bd8c8d3a7196d2eabf10412caf7b929479e768747df5fd92fc022d758f1840474530ba82dcb7e8672cc6eb88caeaf38c1

Filesize: 414KB
MD5: 44468af881a4a93a83da9027fd3c4754
SHA1: f121ec469716330080b8333cb85d1f86502a8135
SHA256: f7db511644ef5d27641297993ee32ce1a29a0895c6b038d6f8ceea7984b4e9ce
SHA512: 67f6eb9e0f2139083b4694da618cb41b322ba877f13785627fa352a1057005b3c8467a89b76cd9f66bb18819e02a8fcbe3e03697934ff46fb09562e7bec97a7f

Filesize: 175KB
MD5: 3d10b67208452d7a91d7bd7066067676
SHA1: e6c3ab7b6da65c8cc7dd95351f118caf3a50248d
SHA256: 5c8ae96739bd9454a59e92b5eb6965647030e87453f7c417dbd7d53ebd837302
SHA512: b86d5ff4f55c90922a890401ae4301da7e71eb5e546a82536073cc58780ce55585214cff39ec9b52f70704580ad36c1fa95ebee1515dd2e7ea313cb670f2b4df

Filesize: 259KB
MD5: ad2967beee518632cb84139f9a634aa2
SHA1: 654a336303389ea74f1ee0b26bbb9761f57a6a20
SHA256: d1815f9bc574917de2b60df1f3cea67924c43552e3dfff174640295689b44476
SHA512: b4ddf71652e6167ce1f9c7c8c79f6b39ad713f07714da51cd526af325bf73523be470226fa5df66f788c8334d8f43a582505b9ab7771e535cabb973f93de0b84