Analysis
max time kernel: 148s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-11-2024 01:26
Static task: static1
Behavioral task: behavioral1
Sample: 6f6ea2c005f82b0f783bd0db0fc379432172aabe583a98e64ea9d35e21155e36.exe
Resource: win10v2004-20241007-en
General
Target: 6f6ea2c005f82b0f783bd0db0fc379432172aabe583a98e64ea9d35e21155e36.exe
Size: 1.1MB
MD5: 466b47d3dbae93f2b5594a471cd4e90a
SHA1: 729829f3c583dc53732e12f391cd91e6b5127cc5
SHA256: 6f6ea2c005f82b0f783bd0db0fc379432172aabe583a98e64ea9d35e21155e36
SHA512: faf87faa9c14b19c1e9eb05c232777833a90486be56dea8a11c8116aa7b9c3a771c05fe3d32ab56ec5f318cf632eaf53dedb4a62f18bc48213cfbfd5cc07251a
SSDEEP: 24576:xyRl6sDxOzffMktW8GvJSPs5TzCfzDUqCWa5:kKsDk4ktUOs5TzC7DXl
Malware Config
Extracted
Family: amadey
Version: 3.80
Botnet: 9c0adb
C2: http://193.3.19.154
install_dir: cb7ae701b3
install_file: oneetx.exe
strings_key: 23b27c80db2465a8e1dc15491b69b82f
url_paths: /store/games/index.php
Signatures
- Amadey family
- Detects Healer, an antivirus disabler dropper (34 IoCs)
- Healer family
- Modifies Windows Defender Real-time Protection settings
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | 204539758.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | 204539758.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | 111472413.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | 111472413.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | 204539758.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | 111472413.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | 204539758.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | 204539758.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | 111472413.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | 111472413.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | 111472413.exe
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload (6 IoCs)
  resource | yara_rule
  behavioral1/memory/3156-114-0x00000000026E0000-0x000000000271C000-memory.dmp | family_redline
  behavioral1/memory/3156-115-0x0000000004BD0000-0x0000000004C0A000-memory.dmp | family_redline
  behavioral1/memory/3156-121-0x0000000004BD0000-0x0000000004C05000-memory.dmp | family_redline
  behavioral1/memory/3156-119-0x0000000004BD0000-0x0000000004C05000-memory.dmp | family_redline
  behavioral1/memory/3156-117-0x0000000004BD0000-0x0000000004C05000-memory.dmp | family_redline
  behavioral1/memory/3156-116-0x0000000004BD0000-0x0000000004C05000-memory.dmp | family_redline
- Redline family
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | 346143622.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | oneetx.exe
- Executes dropped EXE (10 IoCs)
  pid | process
  2584 | Kk045592.exe
  1160 | Cl891900.exe
  2792 | Ke579172.exe
  2672 | 111472413.exe
  4892 | 204539758.exe
  2996 | 346143622.exe
  2892 | oneetx.exe
  3156 | 462111286.exe
  6096 | oneetx.exe
  3524 | oneetx.exe
- Windows security modification
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | 111472413.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | 111472413.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | 204539758.exe
- Adds Run key to start application (2 TTPs, 4 IoCs)
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 6f6ea2c005f82b0f783bd0db0fc379432172aabe583a98e64ea9d35e21155e36.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | Kk045592.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | Cl891900.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | Ke579172.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (1 IoCs)
  pid | pid_target | process | target process
  428 | 4892 | WerFault.exe | 204539758.exe
- System Location Discovery: System Language Discovery (1 TTPs, 17 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cacls.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cacls.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ke579172.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 346143622.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | oneetx.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cacls.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 6f6ea2c005f82b0f783bd0db0fc379432172aabe583a98e64ea9d35e21155e36.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 462111286.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cacls.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 111472413.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kk045592.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cl891900.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 204539758.exe
- Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid | process
  2672 | 111472413.exe
  2672 | 111472413.exe
  4892 | 204539758.exe
  4892 | 204539758.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description | pid | process
  Token: SeDebugPrivilege | 2672 | 111472413.exe
  Token: SeDebugPrivilege | 4892 | 204539758.exe
  Token: SeDebugPrivilege | 3156 | 462111286.exe
- Suspicious use of FindShellTrayWindow (1 IoCs)
  pid | process
  2996 | 346143622.exe
- Suspicious use of WriteProcessMemory (48 IoCs)
  Each parent/child pair below is recorded three times in the report, giving 48 entries for the 16 distinct pairs.
  description | pid | process | target process
  PID 424 wrote to memory of 2584 | 424 | 6f6ea2c005f82b0f783bd0db0fc379432172aabe583a98e64ea9d35e21155e36.exe | Kk045592.exe
  PID 2584 wrote to memory of 1160 | 2584 | Kk045592.exe | Cl891900.exe
  PID 1160 wrote to memory of 2792 | 1160 | Cl891900.exe | Ke579172.exe
  PID 2792 wrote to memory of 2672 | 2792 | Ke579172.exe | 111472413.exe
  PID 2792 wrote to memory of 4892 | 2792 | Ke579172.exe | 204539758.exe
  PID 1160 wrote to memory of 2996 | 1160 | Cl891900.exe | 346143622.exe
  PID 2996 wrote to memory of 2892 | 2996 | 346143622.exe | oneetx.exe
  PID 2584 wrote to memory of 3156 | 2584 | Kk045592.exe | 462111286.exe
  PID 2892 wrote to memory of 3540 | 2892 | oneetx.exe | schtasks.exe
  PID 2892 wrote to memory of 2072 | 2892 | oneetx.exe | cmd.exe
  PID 2072 wrote to memory of 3476 | 2072 | cmd.exe | cmd.exe
  PID 2072 wrote to memory of 3976 | 2072 | cmd.exe | cacls.exe
  PID 2072 wrote to memory of 1320 | 2072 | cmd.exe | cacls.exe
  PID 2072 wrote to memory of 4372 | 2072 | cmd.exe | cmd.exe
  PID 2072 wrote to memory of 5004 | 2072 | cmd.exe | cacls.exe
  PID 2072 wrote to memory of 2764 | 2072 | cmd.exe | cacls.exe
Processes
C:\Users\Admin\AppData\Local\Temp\6f6ea2c005f82b0f783bd0db0fc379432172aabe583a98e64ea9d35e21155e36.exe (PID 424)
  command line: "C:\Users\Admin\AppData\Local\Temp\6f6ea2c005f82b0f783bd0db0fc379432172aabe583a98e64ea9d35e21155e36.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Kk045592.exe (PID 2584)
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Kk045592.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Cl891900.exe (PID 1160)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Cl891900.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ke579172.exe (PID 2792)
        command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ke579172.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\111472413.exe (PID 2672)
          command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\111472413.exe
          - Modifies Windows Defender Real-time Protection settings
          - Executes dropped EXE
          - Windows security modification
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\204539758.exe (PID 4892)
          command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\204539758.exe
          - Modifies Windows Defender Real-time Protection settings
          - Executes dropped EXE
          - Windows security modification
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          C:\Windows\SysWOW64\WerFault.exe (PID 428)
            command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4892 -s 1092
            - Program crash
        C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\346143622.exe (PID 2996)
          command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\346143622.exe
          - Checks computer location settings
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of WriteProcessMemory
          C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe (PID 2892)
            command line: "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"
            - Checks computer location settings
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            C:\Windows\SysWOW64\schtasks.exe (PID 3540)
              command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F
              - System Location Discovery: System Language Discovery
              - Scheduled Task/Job: Scheduled Task
            C:\Windows\SysWOW64\cmd.exe (PID 2072)
              command line: "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit
              - System Location Discovery: System Language Discovery
              - Suspicious use of WriteProcessMemory
              C:\Windows\SysWOW64\cmd.exe (PID 3476)
                command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                - System Location Discovery: System Language Discovery
              C:\Windows\SysWOW64\cacls.exe (PID 3976)
                command line: CACLS "oneetx.exe" /P "Admin:N"
                - System Location Discovery: System Language Discovery
              C:\Windows\SysWOW64\cacls.exe (PID 1320)
                command line: CACLS "oneetx.exe" /P "Admin:R" /E
                - System Location Discovery: System Language Discovery
              C:\Windows\SysWOW64\cmd.exe (PID 4372)
                command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                - System Location Discovery: System Language Discovery
              C:\Windows\SysWOW64\cacls.exe (PID 5004)
                command line: CACLS "..\cb7ae701b3" /P "Admin:N"
                - System Location Discovery: System Language Discovery
              C:\Windows\SysWOW64\cacls.exe (PID 2764)
                command line: CACLS "..\cb7ae701b3" /P "Admin:R" /E
                - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\462111286.exe (PID 3156)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\462111286.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
C:\Windows\SysWOW64\WerFault.exe (PID 872)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4892 -ip 4892
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe (PID 6096)
  command line: C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
  - Executes dropped EXE
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe (PID 3524)
  command line: C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
  - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Downloads