Analysis

max time kernel: 147s
max time network: 146s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-11-2024 01:29

Static task: static1
Behavioral task: behavioral1
Sample: db253ba569f2268c29fa8f944d606268c9c8527f6fb6bcf3bd786da42c994c2e.exe
Resource: win10v2004-20241007-en
General

Target: db253ba569f2268c29fa8f944d606268c9c8527f6fb6bcf3bd786da42c994c2e.exe
Size: 1.1MB
MD5: 901e82946b09c6f856e8f0a7035fd4af
SHA1: 02d53bf9c05647b1d97d0ddef4f4d3f03ba63410
SHA256: db253ba569f2268c29fa8f944d606268c9c8527f6fb6bcf3bd786da42c994c2e
SHA512: 2c8cbec8cdc914e1421ee6dec95557cfa6f77310d83ff4d2f0c21eeb8e0fe51b4b2065de059df091db799162adc085d9328ad5298cf69ca4b25f43f86aa31444
SSDEEP: 24576:ry3sIE2xnCS061mo5fB/5HLaA2h/K1jIIvKm9dYj6XwScvmfWuFw07M4wSs:e3s6CP9kF952ZK1EsUVlp075
Malware Config

Extracted
Family: amadey
Version: 3.80
Botnet: 9c0adb
C2: http://193.3.19.154
install_dir: cb7ae701b3
install_file: oneetx.exe
strings_key: 23b27c80db2465a8e1dc15491b69b82f
url_paths: /store/games/index.php
Signatures

Amadey family

Detects Healer, an antivirus disabler dropper 34 IoCs
Processes:
resource | yara_rule
behavioral1/memory/3652-28-0x00000000023F0000-0x000000000240A000-memory.dmp | healer
behavioral1/memory/3652-30-0x0000000005090000-0x00000000050A8000-memory.dmp | healer
behavioral1/memory/3652-50-0x0000000005090000-0x00000000050A3000-memory.dmp | healer
behavioral1/memory/3652-58-0x0000000005090000-0x00000000050A3000-memory.dmp | healer
behavioral1/memory/3652-56-0x0000000005090000-0x00000000050A3000-memory.dmp | healer
behavioral1/memory/3652-54-0x0000000005090000-0x00000000050A3000-memory.dmp | healer
behavioral1/memory/3652-52-0x0000000005090000-0x00000000050A3000-memory.dmp | healer
behavioral1/memory/3652-48-0x0000000005090000-0x00000000050A3000-memory.dmp | healer
behavioral1/memory/3652-46-0x0000000005090000-0x00000000050A3000-memory.dmp | healer
behavioral1/memory/3652-42-0x0000000005090000-0x00000000050A3000-memory.dmp | healer
behavioral1/memory/3652-40-0x0000000005090000-0x00000000050A3000-memory.dmp | healer
behavioral1/memory/3652-38-0x0000000005090000-0x00000000050A3000-memory.dmp | healer
behavioral1/memory/3652-36-0x0000000005090000-0x00000000050A3000-memory.dmp | healer
behavioral1/memory/3652-34-0x0000000005090000-0x00000000050A3000-memory.dmp | healer
behavioral1/memory/3652-32-0x0000000005090000-0x00000000050A3000-memory.dmp | healer
behavioral1/memory/3652-31-0x0000000005090000-0x00000000050A3000-memory.dmp | healer
behavioral1/memory/3652-44-0x0000000005090000-0x00000000050A3000-memory.dmp | healer
behavioral1/memory/2352-64-0x00000000024A0000-0x00000000024BA000-memory.dmp | healer
behavioral1/memory/2352-65-0x00000000024C0000-0x00000000024D8000-memory.dmp | healer
behavioral1/memory/2352-71-0x00000000024C0000-0x00000000024D2000-memory.dmp | healer
behavioral1/memory/2352-66-0x00000000024C0000-0x00000000024D2000-memory.dmp | healer
behavioral1/memory/2352-93-0x00000000024C0000-0x00000000024D2000-memory.dmp | healer
behavioral1/memory/2352-91-0x00000000024C0000-0x00000000024D2000-memory.dmp | healer
behavioral1/memory/2352-89-0x00000000024C0000-0x00000000024D2000-memory.dmp | healer
behavioral1/memory/2352-87-0x00000000024C0000-0x00000000024D2000-memory.dmp | healer
behavioral1/memory/2352-85-0x00000000024C0000-0x00000000024D2000-memory.dmp | healer
behavioral1/memory/2352-83-0x00000000024C0000-0x00000000024D2000-memory.dmp | healer
behavioral1/memory/2352-81-0x00000000024C0000-0x00000000024D2000-memory.dmp | healer
behavioral1/memory/2352-79-0x00000000024C0000-0x00000000024D2000-memory.dmp | healer
behavioral1/memory/2352-77-0x00000000024C0000-0x00000000024D2000-memory.dmp | healer
behavioral1/memory/2352-75-0x00000000024C0000-0x00000000024D2000-memory.dmp | healer
behavioral1/memory/2352-73-0x00000000024C0000-0x00000000024D2000-memory.dmp | healer
behavioral1/memory/2352-69-0x00000000024C0000-0x00000000024D2000-memory.dmp | healer
behavioral1/memory/2352-67-0x00000000024C0000-0x00000000024D2000-memory.dmp | healer

Healer family
Modifies Windows Defender Real-time Protection settings 11 IoCs
Processes: 164254601.exe, 232809639.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | 164254601.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | 164254601.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | 164254601.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | 232809639.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | 232809639.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | 164254601.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | 164254601.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | 164254601.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | 232809639.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | 232809639.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | 232809639.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload 6 IoCs
Processes:
resource | yara_rule
behavioral1/memory/4208-114-0x0000000002480000-0x00000000024BC000-memory.dmp | family_redline
behavioral1/memory/4208-115-0x0000000002670000-0x00000000026AA000-memory.dmp | family_redline
behavioral1/memory/4208-121-0x0000000002670000-0x00000000026A5000-memory.dmp | family_redline
behavioral1/memory/4208-119-0x0000000002670000-0x00000000026A5000-memory.dmp | family_redline
behavioral1/memory/4208-117-0x0000000002670000-0x00000000026A5000-memory.dmp | family_redline
behavioral1/memory/4208-116-0x0000000002670000-0x00000000026A5000-memory.dmp | family_redline

Redline family
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: 397120157.exe, oneetx.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | 397120157.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | oneetx.exe

Executes dropped EXE 10 IoCs
Processes: Tl271594.exe, YA349765.exe, Eg824009.exe, 164254601.exe, 232809639.exe, 397120157.exe, oneetx.exe, 463804643.exe, oneetx.exe, oneetx.exe
pid | process
1700 | Tl271594.exe
4984 | YA349765.exe
816 | Eg824009.exe
3652 | 164254601.exe
2352 | 232809639.exe
4140 | 397120157.exe
3804 | oneetx.exe
4208 | 463804643.exe
400 | oneetx.exe
2072 | oneetx.exe
Windows security modification 3 IoCs
Processes: 164254601.exe, 232809639.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | 164254601.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | 164254601.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | 232809639.exe
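The two Defender-tampering signatures above are easy to re-derive from raw registry telemetry. The following Python is an added example written for this page, not code from the sandbox or from the malware: it parses registry-write rows in the same notation the report uses, normalises the sandbox's \REGISTRY\MACHINE and WOW6432Node forms, and flags writes that switch a Real-Time Protection policy on or set Features\TamperProtection to 0. The sample rows are constructed for the example (the first four mirror rows in this report, the last two are benign filler); the function names and the finding labels are this example's own. Two caveats the report itself does not settle: the sample (a 32-bit process, note the SysWOW64 WerFault) wrote under the WOW6432Node view, and a write to TamperProtection is only an attempt; whether Defender honoured either is not shown here, so the example records the WOW64 flag rather than judging effectiveness.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample in the report's notation:
#   Set value (<type>) <key>\<name> = "<data>" <process>
# Rows 1-4 mirror entries in the report above; the RunOnce row and the
# gpupdate.exe row (re-enabling RTP, data "0") are filler the filter must ignore.
SAMPLE_EVENTS = [
    r'Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection 164254601.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" 164254601.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" 232809639.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" 232809639.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe advpack.dll,DelNodeRunDLL32" sample.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "0" gpupdate.exe',
]

# Policy values under Real-Time Protection that turn a protection off when set to 1.
# These five are exactly the ones the sample wrote.
RTP_DISABLE_VALUES = {
    "DisableRealtimeMonitoring",
    "DisableBehaviorMonitoring",
    "DisableOnAccessProtection",
    "DisableIOAVProtection",
    "DisableScanOnRealtimeEnable",
}

# key = everything up to the last backslash before ' = "', name = the rest.
_SET_VALUE_RE = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<key>\\REGISTRY\\.*)\\(?P<name>[^\\]+?) = "(?P<data>.*)" (?P<proc>\S+)$'
)


@dataclass(frozen=True)
class RegistryWrite:
    key: str        # normalised, e.g. HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection
    name: str
    data: str
    process: str
    wow64: bool     # True when the write landed in the 32-bit WOW6432Node view


def normalise_key(raw: str) -> Tuple[str, bool]:
    """Map \\REGISTRY\\MACHINE\\... to HKLM\\... and strip the WOW6432Node redirection."""
    key = raw.replace("\\REGISTRY\\MACHINE\\", "HKLM\\", 1)
    wow64 = "\\WOW6432Node\\" in key
    return key.replace("\\WOW6432Node\\", "\\", 1), wow64


def parse_write(line: str) -> Optional[RegistryWrite]:
    """Return a RegistryWrite for 'Set value' rows; 'Key created' rows carry no data to judge."""
    m = _SET_VALUE_RE.match(line)
    if not m:
        return None
    key, wow64 = normalise_key(m["key"])
    return RegistryWrite(key, m["name"], m["data"], m["proc"], wow64)


def classify(w: RegistryWrite) -> Optional[str]:
    """Label a write that disables Defender; None for anything else (including re-enables)."""
    key = w.key.lower()
    if key.endswith("\\policies\\microsoft\\windows defender\\real-time protection"):
        if w.name in RTP_DISABLE_VALUES and w.data == "1":
            return f"rtp_disabled:{w.name}"
    if key.endswith("\\microsoft\\windows defender\\features"):
        if w.name == "TamperProtection" and w.data == "0":
            return "tamper_protection_off"
    return None


def find_defender_tampering(lines) -> List[Tuple[str, str, bool]]:
    """(process, label, wrote_via_wow64) for every Defender-disabling write in the rows."""
    findings = []
    for line in lines:
        w = parse_write(line)
        if w is None:
            continue
        label = classify(w)
        if label:
            findings.append((w.process, label, w.wow64))
    return findings


if __name__ == "__main__":
    for proc, label, wow64 in find_defender_tampering(SAMPLE_EVENTS):
        print(f"{proc:<16} {label:<45} wow64={wow64}")
```

Run against the constructed rows it reports three findings, all from the WOW6432Node view: DisableRealtimeMonitoring by 164254601.exe, DisableBehaviorMonitoring by 232809639.exe, and the TamperProtection write by 232809639.exe; the RunOnce row and the re-enable by gpupdate.exe are ignored.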
Adds Run key to start application 2 TTPs 4 IoCs
The four RunOnce values below (wextract_cleanupN pointing at advpack.dll,DelNodeRunDLL32) are the standard cleanup entries written by the IExpress/WExtract self-extractor that unpacks each IXP00N.TMP stage; they delete the temporary extraction directories at next logon and are not the sample's own persistence, which is the scheduled task for oneetx.exe further down.
Processes: db253ba569f2268c29fa8f944d606268c9c8527f6fb6bcf3bd786da42c994c2e.exe, Tl271594.exe, YA349765.exe, Eg824009.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | db253ba569f2268c29fa8f944d606268c9c8527f6fb6bcf3bd786da42c994c2e.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | Tl271594.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | YA349765.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | Eg824009.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Program crash 1 IoCs
Processes:
pid | pid_target | process | target process
1008 | 2352 | WerFault.exe | 232809639.exe
System Location Discovery: System Language Discovery 1 TTPs 17 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: 463804643.exe, cacls.exe, cacls.exe, YA349765.exe, Eg824009.exe, 232809639.exe, schtasks.exe, cmd.exe, cmd.exe, Tl271594.exe, oneetx.exe, db253ba569f2268c29fa8f944d606268c9c8527f6fb6bcf3bd786da42c994c2e.exe, 164254601.exe, 397120157.exe, cacls.exe, cmd.exe, cacls.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | each of the 17 processes listed above (463804643.exe, cacls.exe, cacls.exe, YA349765.exe, Eg824009.exe, 232809639.exe, schtasks.exe, cmd.exe, cmd.exe, Tl271594.exe, oneetx.exe, db253ba569f2268c29fa8f944d606268c9c8527f6fb6bcf3bd786da42c994c2e.exe, 164254601.exe, 397120157.exe, cacls.exe, cmd.exe, cacls.exe)
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes: 164254601.exe, 232809639.exe
pid | process
3652 | 164254601.exe
3652 | 164254601.exe
2352 | 232809639.exe
2352 | 232809639.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes: 164254601.exe, 232809639.exe, 463804643.exe
description | pid | process
Token: SeDebugPrivilege | 3652 | 164254601.exe
Token: SeDebugPrivilege | 2352 | 232809639.exe
Token: SeDebugPrivilege | 4208 | 463804643.exe

Suspicious use of FindShellTrayWindow 1 IoCs
Processes: 397120157.exe
pid | process
4140 | 397120157.exe
Suspicious use of WriteProcessMemory 48 IoCs
Processes: db253ba569f2268c29fa8f944d606268c9c8527f6fb6bcf3bd786da42c994c2e.exe, Tl271594.exe, YA349765.exe, Eg824009.exe, 397120157.exe, oneetx.exe, cmd.exe
Each parent/child pair below was recorded three times (48 entries in total).
pid | process | target pid | target process
1124 | db253ba569f2268c29fa8f944d606268c9c8527f6fb6bcf3bd786da42c994c2e.exe | 1700 | Tl271594.exe (3 writes)
1700 | Tl271594.exe | 4984 | YA349765.exe (3 writes)
4984 | YA349765.exe | 816 | Eg824009.exe (3 writes)
816 | Eg824009.exe | 3652 | 164254601.exe (3 writes)
816 | Eg824009.exe | 2352 | 232809639.exe (3 writes)
4984 | YA349765.exe | 4140 | 397120157.exe (3 writes)
4140 | 397120157.exe | 3804 | oneetx.exe (3 writes)
1700 | Tl271594.exe | 4208 | 463804643.exe (3 writes)
3804 | oneetx.exe | 4516 | schtasks.exe (3 writes)
3804 | oneetx.exe | 2176 | cmd.exe (3 writes)
2176 | cmd.exe | 736 | cmd.exe (3 writes)
2176 | cmd.exe | 4352 | cacls.exe (3 writes)
2176 | cmd.exe | 728 | cacls.exe (3 writes)
2176 | cmd.exe | 5096 | cmd.exe (3 writes)
2176 | cmd.exe | 3888 | cacls.exe (3 writes)
2176 | cmd.exe | 4284 | cacls.exe (3 writes)
Processes
(indentation and [N] give the depth in the process tree)

[1] C:\Users\Admin\AppData\Local\Temp\db253ba569f2268c29fa8f944d606268c9c8527f6fb6bcf3bd786da42c994c2e.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\db253ba569f2268c29fa8f944d606268c9c8527f6fb6bcf3bd786da42c994c2e.exe"
    PID: 1124
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

  [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tl271594.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tl271594.exe
      PID: 1700
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

    [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\YA349765.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\YA349765.exe
        PID: 4984
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

      [4] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Eg824009.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Eg824009.exe
          PID: 816
          - Executes dropped EXE
          - Adds Run key to start application
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory

        [5] C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\164254601.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\164254601.exe
            PID: 3652
            - Modifies Windows Defender Real-time Protection settings
            - Executes dropped EXE
            - Windows security modification
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

        [5] C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\232809639.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\232809639.exe
            PID: 2352
            - Modifies Windows Defender Real-time Protection settings
            - Executes dropped EXE
            - Windows security modification
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

          [6] C:\Windows\SysWOW64\WerFault.exe
              Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2352 -s 1032
              PID: 1008
              - Program crash

      [4] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\397120157.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\397120157.exe
          PID: 4140
          - Checks computer location settings
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of WriteProcessMemory

        [5] C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"
            PID: 3804
            - Checks computer location settings
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory

          [6] C:\Windows\SysWOW64\schtasks.exe
              Command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F
              PID: 4516
              - System Location Discovery: System Language Discovery
              - Scheduled Task/Job: Scheduled Task

          [6] C:\Windows\SysWOW64\cmd.exe
              Command line: "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit
              PID: 2176
              - System Location Discovery: System Language Discovery
              - Suspicious use of WriteProcessMemory

            [7] C:\Windows\SysWOW64\cmd.exe
                Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                PID: 736
                - System Location Discovery: System Language Discovery

            [7] C:\Windows\SysWOW64\cacls.exe
                Command line: CACLS "oneetx.exe" /P "Admin:N"
                PID: 4352
                - System Location Discovery: System Language Discovery

            [7] C:\Windows\SysWOW64\cacls.exe
                Command line: CACLS "oneetx.exe" /P "Admin:R" /E
                PID: 728
                - System Location Discovery: System Language Discovery

            [7] C:\Windows\SysWOW64\cmd.exe
                Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                PID: 5096
                - System Location Discovery: System Language Discovery

            [7] C:\Windows\SysWOW64\cacls.exe
                Command line: CACLS "..\cb7ae701b3" /P "Admin:N"
                PID: 3888
                - System Location Discovery: System Language Discovery

            [7] C:\Windows\SysWOW64\cacls.exe
                Command line: CACLS "..\cb7ae701b3" /P "Admin:R" /E
                PID: 4284
                - System Location Discovery: System Language Discovery

    [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\463804643.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\463804643.exe
        PID: 4208
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken

[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2352 -ip 2352
    PID: 364

[1] C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
    PID: 400
    - Executes dropped EXE

[1] C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
    PID: 2072
    - Executes dropped EXE
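The oneetx.exe branch of the tree is the Amadey install routine and is worth a rule of its own: schtasks /Create /SC MINUTE /MO 1 relaunches the installed copy every minute, and the cmd.exe chain runs CACLS /P "Admin:N" (replace the Admin account's ACE with no access) followed by CACLS /P "Admin:R" /E (edit read back in) on both oneetx.exe and its directory, with echo Y answering the cacls confirmation prompt, so the account that ran the sample is left read-only on its own dropped files and cannot simply delete them. The Python below is an added example written for this page, not code from the sandbox or the malware. It runs those two rules over process-creation events modelled on the tree above (PIDs and command lines copied from the report, plus two constructed benign events the rules must not flag) and walks each hit back up the parent chain to the nearest process living under the user's Temp directory. The ProcEvent shape, the rule names and the finding labels are this example's own assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed events: the first four copy PIDs and command lines from the report's
# oneetx.exe branch; the last two are benign filler invented for this example.
SAMPLE_EVENTS = [
    ProcEvent(3804, 4140, r"C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"'),
    ProcEvent(4516, 3804, r"C:\Windows\SysWOW64\schtasks.exe",
              r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F'),
    ProcEvent(2176, 3804, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit'),
    ProcEvent(4352, 2176, r"C:\Windows\SysWOW64\cacls.exe", r'CACLS "oneetx.exe" /P "Admin:N"'),
    # benign: a daily task whose action lives under Program Files (constructed)
    ProcEvent(9001, 9000, r"C:\Windows\System32\schtasks.exe",
              r'schtasks.exe /Create /SC DAILY /TN "Updater" /TR "C:\Program Files\Vendor\update.exe" /F'),
    # benign: an ACL edit that grants read instead of replacing with none (constructed)
    ProcEvent(9002, 9000, r"C:\Windows\System32\cacls.exe", r'CACLS "C:\logs" /E /G "Admin:R"'),
]

USER_TEMP_RE = re.compile(r"\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)


def schtasks_finding(ev: ProcEvent) -> Optional[str]:
    """Flag 'schtasks /Create' with a minute-level trigger whose action sits under the user's Temp."""
    cmd = ev.cmdline
    if "schtasks" not in ev.image.lower() or not re.search(r"/create\b", cmd, re.I):
        return None
    sc = re.search(r"/SC\s+(\w+)", cmd, re.I)
    mo = re.search(r"/MO\s+(\d+)", cmd, re.I)
    tr = re.search(r'/TR\s+(?:"([^"]*)"|(\S+))', cmd, re.I)
    action = (tr.group(1) or tr.group(2)) if tr else ""
    # /MO defaults to 1 for /SC MINUTE, so a missing /MO still means every minute
    minute_trigger = bool(sc) and sc.group(1).upper() == "MINUTE" and (mo is None or int(mo.group(1)) <= 5)
    if minute_trigger and USER_TEMP_RE.search(action):
        return f"schtasks_minute_task_from_temp:{action}"
    return None


def cacls_finding(ev: ProcEvent) -> List[str]:
    """Flag CACLS <target> /P <user>:N (replace the user's ACE with no access).
    Works on the direct cacls.exe launch and on the cmd.exe chain that embeds it."""
    hits = re.findall(r'CACLS\s+"([^"]+)"\s+/P\s+"([^":]+):N"', ev.cmdline, re.I)
    return [f"cacls_deny_self:{target}:{user}" for target, user in hits]


def temp_ancestor(ev: ProcEvent, by_pid: Dict[int, ProcEvent]) -> Optional[ProcEvent]:
    """Nearest process in the parent chain (itself included) whose image lives under Temp."""
    cur, seen = ev, set()
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        if USER_TEMP_RE.search(cur.image):
            return cur
        cur = by_pid.get(cur.ppid)
    return None


def find_persistence(events: List[ProcEvent]) -> List[Tuple[int, str, Optional[int]]]:
    """(pid, label, pid of the Temp-resident process that planted it) for every rule hit."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for ev in events:
        labels = [lab for lab in (schtasks_finding(ev), *cacls_finding(ev)) if lab]
        if not labels:
            continue
        origin = temp_ancestor(ev, by_pid)
        for label in labels:
            findings.append((ev.pid, label, origin.pid if origin else None))
    return findings


if __name__ == "__main__":
    for pid, label, origin in find_persistence(SAMPLE_EVENTS):
        print(f"PID {pid}: {label} (planted by PID {origin})")
```

On the constructed events this yields four findings, all traced back to PID 3804 (oneetx.exe): the minute-interval task from PID 4516, two self-deny ACL edits parsed out of the cmd.exe chain (PID 2176), and the same oneetx.exe edit seen again as the standalone cacls.exe launch (PID 4352). The daily task under Program Files and the /G "Admin:R" grant produce nothing.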
Network

MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
- Scheduled Task/Job (1): Scheduled Task (1)

Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Downloads

Filesize: 994KB
MD5: 79ae3b701db90f96e872a170ec19b6ec
SHA1: d27d579a915b1e934e00bf324400dc21ebff0804
SHA256: eb35a0dde84b121aadf3aa952bde178ac57342fc9c9563e666d4665ef6f7fba0
SHA512: d9df7b52a940fc3ee7cc10fb0f63fd150541cff1b83ec8c0ad0da17c868f08ae091a14ecc3ab627314e555ce4920f9da2df1b8a771d751cc58e6d7cadadbd6a1

Filesize: 415KB
MD5: bcf890a4c86c225051a8d6a457a770da
SHA1: fd468bf62ac7508973537378ca377b1035cdbff4
SHA256: 6a710d223435246c72e74ea4c084d395d1848b91f7ec456876e09cbade895792
SHA512: ba63f7ec86c82c2ee9beb795a944e5ddef66c77300510779899ec56b3bc5995e378f5ffef07abe1bfd74ff19c55503c0d363bf14eefca3361f9820ee3a30293d

Filesize: 610KB
MD5: 27989837bb4ba4f868d7f5469a4e46ad
SHA1: 94c90da9ef73e8f6b94ba6ca1c28bf99067c00e2
SHA256: 22956deba058821ee55e76dcc51259931aa2ba305538eb47b004a2c730e0e7c3
SHA512: 359e1c0c4ca9e6c6ecf733fe514a7adeaa6717f02635b179a3700af8fcf1c82db24d51ccb375f9e0552d3f4f7b642610f7cf7b977aad6d6c5a7fce8e6e3e3f56

Filesize: 204KB
MD5: eac5b3301594e554f8ad328404bbd551
SHA1: 35cf34263ccacb9f7ea05bc453909ad206d9ffac
SHA256: e768d37f8313b9622da97fa061702024b4a0eac513d8dd010303f5639efe413f
SHA512: 89d13632d1a2afbf7ac6475001975c421a208a863cd3688f9c8cc9a63cf478b80bde8594db053333a1ebe987fb97b6fcde56030d6eb51467ba991bfddc86c915

Filesize: 438KB
MD5: efc352558ad7d290c1c3c519d150c5b7
SHA1: 17eebacc70c5a6bc0f7c9d65106081f3af602da0
SHA256: 1fe5acf6948ecaa3640370fcdcf88af99cdd16e2667f92c3319efb6bb0f55db4
SHA512: e6e4ba78aebec7fda056a1b599790464b77e241eb6c01d802809da2b1c807884fda912ae16a11de5964e9a7194c006cc67cc312d0da7701e3bee76262bef9ef2

Filesize: 175KB
MD5: 77d4a51dd3f4798690fba9109abd5e05
SHA1: cdc864671c88e0e60be7544a44b42878f557571b
SHA256: aefb330bdc47080ef15945e94fc26f6c0f33ab075a81a6a4ab49ada8b20cb34e
SHA512: 520eca6490612d9d1789c30d3fe26c00ab77b10ea941f3f43f38c5845889568f6423c43b9092cc8888373bb7b34ae760c119e2e3f092fc07e75bead343bfb32c

Filesize: 333KB
MD5: 1a3d19d354efd3a3a02e0fe6ed0a588a
SHA1: ae7e88cec15a6967d4d2fa056e1f37a973a717cf
SHA256: 70efb5a809389527e2ccae9a9d3cfa05619aceced4138dad70b7673ee7dd0386
SHA512: 8d3b124a5ab38e736df043ae6640edbb5d474e2fee1bdc78d46f533c919dc1f27da4bdb5088f4420a2c42991c86453b2aad9f62090bc8dc716d3907a83e4f4b2