amadey | cae685c30fbe54a7617f9812d36ceaaa9e157c198098ef126645b0ec306510f0

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11-11-2024 01:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cae685c30fbe54a7617f9812d36ceaaa9e157c198098ef126645b0ec306510f0.exe
Size

1.1MB
MD5

8ae4404b2f33e9b4789a873b4c679f06
SHA1

50c18c49f8dcd5a64fb9653ea076df74e96da4b4
SHA256

cae685c30fbe54a7617f9812d36ceaaa9e157c198098ef126645b0ec306510f0
SHA512

fb0a6b6d3c2a8fa95c36ce6761edd4bd0359dcd4cdbb7e767947f64304f1ff537f2bcff7ae06b48995b0e0ff9836488beb72b6b2c132f294fff1df7dd033d51d
SSDEEP

24576:yyu7BKo1pV02KYagjbBCcEEi9VpY2TRNSkfql2:ZKAoHdx9Njbir60Pdg

Score

10^/10

amadey healer redline 9c0adb discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

amadey

Version

3.80

Botnet

9c0adb

http://193.3.19.154

Attributes

install_dir
cb7ae701b3
install_file
oneetx.exe
strings_key
23b27c80db2465a8e1dc15491b69b82f
url_paths
/store/games/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey

Detects Healer an antivirus disabler dropper 17 IoCs

resource	yara_rule
behavioral1/memory/2096-28-0x00000000022D0000-0x00000000022EA000-memory.dmp	healer
behavioral1/memory/2096-30-0x0000000004980000-0x0000000004998000-memory.dmp	healer
behavioral1/memory/2096-40-0x0000000004980000-0x0000000004993000-memory.dmp	healer
behavioral1/memory/2096-56-0x0000000004980000-0x0000000004993000-memory.dmp	healer
behavioral1/memory/2096-54-0x0000000004980000-0x0000000004993000-memory.dmp	healer
behavioral1/memory/2096-52-0x0000000004980000-0x0000000004993000-memory.dmp	healer
behavioral1/memory/2096-51-0x0000000004980000-0x0000000004993000-memory.dmp	healer
behavioral1/memory/2096-48-0x0000000004980000-0x0000000004993000-memory.dmp	healer
behavioral1/memory/2096-47-0x0000000004980000-0x0000000004993000-memory.dmp	healer
behavioral1/memory/2096-44-0x0000000004980000-0x0000000004993000-memory.dmp	healer
behavioral1/memory/2096-42-0x0000000004980000-0x0000000004993000-memory.dmp	healer
behavioral1/memory/2096-39-0x0000000004980000-0x0000000004993000-memory.dmp	healer
behavioral1/memory/2096-36-0x0000000004980000-0x0000000004993000-memory.dmp	healer
behavioral1/memory/2096-34-0x0000000004980000-0x0000000004993000-memory.dmp	healer
behavioral1/memory/2096-58-0x0000000004980000-0x0000000004993000-memory.dmp	healer
behavioral1/memory/2096-32-0x0000000004980000-0x0000000004993000-memory.dmp	healer
behavioral1/memory/2096-31-0x0000000004980000-0x0000000004993000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 11 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	254837953.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	173506151.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	173506151.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	173506151.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	173506151.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	254837953.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	173506151.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	173506151.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	254837953.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	254837953.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	254837953.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 6 IoCs

resource	yara_rule
behavioral1/memory/4284-117-0x0000000004900000-0x000000000493C000-memory.dmp	family_redline
behavioral1/files/0x000a000000023b96-120.dat	family_redline
behavioral1/memory/2020-122-0x0000000000030000-0x0000000000058000-memory.dmp	family_redline
behavioral1/memory/4284-121-0x0000000004F70000-0x0000000004FAA000-memory.dmp	family_redline
behavioral1/memory/4284-124-0x0000000004F70000-0x0000000004FA5000-memory.dmp	family_redline
behavioral1/memory/4284-123-0x0000000004F70000-0x0000000004FA5000-memory.dmp	family_redline

Redline family
redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	315303610.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	oneetx.exe

Executes dropped EXE 12 IoCs

pid	Process
2368	tn574114.exe
4164	Fe524808.exe
4560	rL306849.exe
2096	173506151.exe
3936	254837953.exe
2828	315303610.exe
2528	oneetx.exe
4840	424801495.exe
4284	424801495.exe
2020	527948528.exe
4508	oneetx.exe
1348	oneetx.exe

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	254837953.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	173506151.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	173506151.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	cae685c30fbe54a7617f9812d36ceaaa9e157c198098ef126645b0ec306510f0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	tn574114.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	Fe524808.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	rL306849.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4840 set thread context of 4284	4840	424801495.exe	111

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
760	3936	WerFault.exe	94

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cae685c30fbe54a7617f9812d36ceaaa9e157c198098ef126645b0ec306510f0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fe524808.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	527948528.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rL306849.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	oneetx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tn574114.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	173506151.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	254837953.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	315303610.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	424801495.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	424801495.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4912	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2096	173506151.exe
2096	173506151.exe
3936	254837953.exe
3936	254837953.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2096	173506151.exe
Token: SeDebugPrivilege	3936	254837953.exe
Token: SeDebugPrivilege	4284	424801495.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2828	315303610.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 2100 wrote to memory of 2368	2100	cae685c30fbe54a7617f9812d36ceaaa9e157c198098ef126645b0ec306510f0.exe	83
PID 2100 wrote to memory of 2368	2100	cae685c30fbe54a7617f9812d36ceaaa9e157c198098ef126645b0ec306510f0.exe	83
PID 2100 wrote to memory of 2368	2100	cae685c30fbe54a7617f9812d36ceaaa9e157c198098ef126645b0ec306510f0.exe	83
PID 2368 wrote to memory of 4164	2368	tn574114.exe	84
PID 2368 wrote to memory of 4164	2368	tn574114.exe	84
PID 2368 wrote to memory of 4164	2368	tn574114.exe	84
PID 4164 wrote to memory of 4560	4164	Fe524808.exe	86
PID 4164 wrote to memory of 4560	4164	Fe524808.exe	86
PID 4164 wrote to memory of 4560	4164	Fe524808.exe	86
PID 4560 wrote to memory of 2096	4560	rL306849.exe	88
PID 4560 wrote to memory of 2096	4560	rL306849.exe	88
PID 4560 wrote to memory of 2096	4560	rL306849.exe	88
PID 4560 wrote to memory of 3936	4560	rL306849.exe	94
PID 4560 wrote to memory of 3936	4560	rL306849.exe	94
PID 4560 wrote to memory of 3936	4560	rL306849.exe	94
PID 4164 wrote to memory of 2828	4164	Fe524808.exe	98
PID 4164 wrote to memory of 2828	4164	Fe524808.exe	98
PID 4164 wrote to memory of 2828	4164	Fe524808.exe	98
PID 2828 wrote to memory of 2528	2828	315303610.exe	99
PID 2828 wrote to memory of 2528	2828	315303610.exe	99
PID 2828 wrote to memory of 2528	2828	315303610.exe	99
PID 2368 wrote to memory of 4840	2368	tn574114.exe	100
PID 2368 wrote to memory of 4840	2368	tn574114.exe	100
PID 2368 wrote to memory of 4840	2368	tn574114.exe	100
PID 2528 wrote to memory of 4912	2528	oneetx.exe	101
PID 2528 wrote to memory of 4912	2528	oneetx.exe	101
PID 2528 wrote to memory of 4912	2528	oneetx.exe	101
PID 2528 wrote to memory of 3300	2528	oneetx.exe	103
PID 2528 wrote to memory of 3300	2528	oneetx.exe	103
PID 2528 wrote to memory of 3300	2528	oneetx.exe	103
PID 3300 wrote to memory of 2332	3300	cmd.exe	105
PID 3300 wrote to memory of 2332	3300	cmd.exe	105
PID 3300 wrote to memory of 2332	3300	cmd.exe	105
PID 3300 wrote to memory of 3804	3300	cmd.exe	106
PID 3300 wrote to memory of 3804	3300	cmd.exe	106
PID 3300 wrote to memory of 3804	3300	cmd.exe	106
PID 3300 wrote to memory of 1520	3300	cmd.exe	107
PID 3300 wrote to memory of 1520	3300	cmd.exe	107
PID 3300 wrote to memory of 1520	3300	cmd.exe	107
PID 3300 wrote to memory of 5108	3300	cmd.exe	108
PID 3300 wrote to memory of 5108	3300	cmd.exe	108
PID 3300 wrote to memory of 5108	3300	cmd.exe	108
PID 3300 wrote to memory of 1580	3300	cmd.exe	109
PID 3300 wrote to memory of 1580	3300	cmd.exe	109
PID 3300 wrote to memory of 1580	3300	cmd.exe	109
PID 3300 wrote to memory of 1660	3300	cmd.exe	110
PID 3300 wrote to memory of 1660	3300	cmd.exe	110
PID 3300 wrote to memory of 1660	3300	cmd.exe	110
PID 4840 wrote to memory of 4284	4840	424801495.exe	111
PID 4840 wrote to memory of 4284	4840	424801495.exe	111
PID 4840 wrote to memory of 4284	4840	424801495.exe	111
PID 4840 wrote to memory of 4284	4840	424801495.exe	111
PID 4840 wrote to memory of 4284	4840	424801495.exe	111
PID 4840 wrote to memory of 4284	4840	424801495.exe	111
PID 4840 wrote to memory of 4284	4840	424801495.exe	111
PID 4840 wrote to memory of 4284	4840	424801495.exe	111
PID 4840 wrote to memory of 4284	4840	424801495.exe	111
PID 2100 wrote to memory of 2020	2100	cae685c30fbe54a7617f9812d36ceaaa9e157c198098ef126645b0ec306510f0.exe	112
PID 2100 wrote to memory of 2020	2100	cae685c30fbe54a7617f9812d36ceaaa9e157c198098ef126645b0ec306510f0.exe	112
PID 2100 wrote to memory of 2020	2100	cae685c30fbe54a7617f9812d36ceaaa9e157c198098ef126645b0ec306510f0.exe	112

C:\Users\Admin\AppData\Local\Temp\cae685c30fbe54a7617f9812d36ceaaa9e157c198098ef126645b0ec306510f0.exe
"C:\Users\Admin\AppData\Local\Temp\cae685c30fbe54a7617f9812d36ceaaa9e157c198098ef126645b0ec306510f0.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2100
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tn574114.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tn574114.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2368
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Fe524808.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Fe524808.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4164
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rL306849.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rL306849.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4560
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\173506151.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\173506151.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2096
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\254837953.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\254837953.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3936
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3936 -s 1080
        6⤵
        Program crash
        
        PID:760
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\315303610.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\315303610.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:2828
    - - C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2528
      - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:4912
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2332
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "oneetx.exe" /P "Admin:N"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3804
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "oneetx.exe" /P "Admin:R" /E
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:5108
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\cb7ae701b3" /P "Admin:N"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1580
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\cb7ae701b3" /P "Admin:R" /E
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1660
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\424801495.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\424801495.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4840
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\424801495.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\424801495.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4284
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\527948528.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\527948528.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3936 -ip 3936
1⤵
PID:3444

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
1⤵
- Executes dropped EXE
PID:4508

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
1⤵
- Executes dropped EXE
PID:1348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\527948528.exe

Filesize
136KB

MD5
100a9d616da8dbb82fd696af48f1891e

SHA1
ca5011879625e02ef42b732232885c736d30fbd0

SHA256
307c15e07a61de6f9d9c4cbf949504460d8f1725e812c97ca2aa8656180bd18e

SHA512
0f8f3271c8a466502da57f6f2e126f96e3cca594334242f700d900dafad856120206353e77896e49b3f12a50193e4e4b78c6a8ba7529cb4dfea18e97909a70c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tn574114.exe

Filesize
940KB

MD5
c26a5b7b53a50934a56865909ccdae00

SHA1
551f506632431206da8834b00d5e9370e56fde5b

SHA256
dc33caaced44cb9130169d359cd88bdf6e603788058aad9d74c1807eda6a4374

SHA512
058bd2d26f0e383911f6aa35ea7a6d45484d3b5f376794dae013d626fbf07a653638aa8ea896afb0b0c0278f34e53fcf58f94890e1aaf170ca78155420e29459

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\424801495.exe

Filesize
342KB

MD5
0a456fa89a2e64cfd0ba7b8b39f988a8

SHA1
e4c61bf462597a80773ebc6f072a41579dea9f44

SHA256
1222d1d6578875767fa95abea92d98159158be5c426c1709b0ee28b81bc44f66

SHA512
3f4ec9ba88d7cf09c4e1560c9709176fcd7b5c8d36771d7ce72372b2d38ac8db4418327753afb4c5526cdea5e015d24ff9d76204a3127e05cb7abb03857b02c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Fe524808.exe

Filesize
585KB

MD5
8af13e1fc3ba188cea921b9429c8ebd0

SHA1
d629bbb200ac267aed7157f68501745be0519b4f

SHA256
7d8b866bfaa81a4e304685a3872d64fd01ae3714c2ef8d50a77e2b5d1017deae

SHA512
fc8cb22a6e3e32d6d764ac3876968147aaa248a379168a3281c0931ad3549ad6921adf70e80a35556f1bf915ee9b6d31df72aff21ca41af6e42219dfec5a64fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\315303610.exe

Filesize
204KB

MD5
1304f384653e08ae497008ff13498608

SHA1
d9a76ed63d74d4217c5027757cb9a7a0d0093080

SHA256
2a9dabab35fb09085750e1cc762e32b0fe4cbd7ed4276ef7e68ba159ae330eaa

SHA512
4138217fd538e827c89db5c0cd4ea21bd8c8d3a7196d2eabf10412caf7b929479e768747df5fd92fc022d758f1840474530ba82dcb7e8672cc6eb88caeaf38c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rL306849.exe

Filesize
414KB

MD5
9dc4c0f1a47945af004e87c1ffdfa1c4

SHA1
14843d1cd1488b883a80e0e4299d24a66c15f255

SHA256
a429006b5a08686fcbc26b3b7db232032d87b8ee69b3d6bd0d7486c3ab347c9d

SHA512
0112cfe862aad9b106078b6f21e1aad19344f5b9839460507e930d9b15c2e71b0295c488396ad536d2c8064cd446cc1cecd2bcded233a88b883cadf0258c3a57

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\173506151.exe

Filesize
175KB

MD5
3d10b67208452d7a91d7bd7066067676

SHA1
e6c3ab7b6da65c8cc7dd95351f118caf3a50248d

SHA256
5c8ae96739bd9454a59e92b5eb6965647030e87453f7c417dbd7d53ebd837302

SHA512
b86d5ff4f55c90922a890401ae4301da7e71eb5e546a82536073cc58780ce55585214cff39ec9b52f70704580ad36c1fa95ebee1515dd2e7ea313cb670f2b4df

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\254837953.exe

Filesize
259KB

MD5
d9535a935f46d3d6a5d3b5683053218e

SHA1
9b203294e5d1f428e1ee924efc194a5fab3c0a17

SHA256
b0e2410c6dbb64da2fd176cda09b111e90f3c0b6668c453f81b31f9681cebb2a

SHA512
0fb91d92a6c38e2d1749cb19b19669d370b6270c94f473b985f3727190f6978842e543e791e68de0285c57a6b91511a95d7d0071930264efbfee4a47785cb70f

Download Submit
memory/2020-918-0x0000000006E20000-0x0000000006E5C000-memory.dmp

Filesize
240KB

Download
memory/2020-122-0x0000000000030000-0x0000000000058000-memory.dmp

Filesize
160KB

Download
memory/2020-722-0x0000000006D50000-0x0000000006D62000-memory.dmp

Filesize
72KB

Download
memory/2020-660-0x00000000072D0000-0x00000000078E8000-memory.dmp

Filesize
6.1MB

Download
memory/2020-782-0x0000000006EC0000-0x0000000006FCA000-memory.dmp

Filesize
1.0MB

Download
memory/2020-919-0x00000000041E0000-0x000000000422C000-memory.dmp

Filesize
304KB

Download
memory/2096-32-0x0000000004980000-0x0000000004993000-memory.dmp

Filesize
76KB

Download
memory/2096-42-0x0000000004980000-0x0000000004993000-memory.dmp

Filesize
76KB

Download
memory/2096-39-0x0000000004980000-0x0000000004993000-memory.dmp

Filesize
76KB

Download
memory/2096-36-0x0000000004980000-0x0000000004993000-memory.dmp

Filesize
76KB

Download
memory/2096-34-0x0000000004980000-0x0000000004993000-memory.dmp

Filesize
76KB

Download
memory/2096-58-0x0000000004980000-0x0000000004993000-memory.dmp

Filesize
76KB

Download
memory/2096-44-0x0000000004980000-0x0000000004993000-memory.dmp

Filesize
76KB

Download
memory/2096-31-0x0000000004980000-0x0000000004993000-memory.dmp

Filesize
76KB

Download
memory/2096-47-0x0000000004980000-0x0000000004993000-memory.dmp

Filesize
76KB

Download
memory/2096-40-0x0000000004980000-0x0000000004993000-memory.dmp

Filesize
76KB

Download
memory/2096-54-0x0000000004980000-0x0000000004993000-memory.dmp

Filesize
76KB

Download
memory/2096-48-0x0000000004980000-0x0000000004993000-memory.dmp

Filesize
76KB

Download
memory/2096-51-0x0000000004980000-0x0000000004993000-memory.dmp

Filesize
76KB

Download
memory/2096-56-0x0000000004980000-0x0000000004993000-memory.dmp

Filesize
76KB

Download
memory/2096-28-0x00000000022D0000-0x00000000022EA000-memory.dmp

Filesize
104KB

Download
memory/2096-29-0x00000000049B0000-0x0000000004F54000-memory.dmp

Filesize
5.6MB

Download
memory/2096-30-0x0000000004980000-0x0000000004998000-memory.dmp

Filesize
96KB

Download
memory/2096-52-0x0000000004980000-0x0000000004993000-memory.dmp

Filesize
76KB

Download
memory/3936-94-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3936-92-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/4284-112-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/4284-123-0x0000000004F70000-0x0000000004FA5000-memory.dmp

Filesize
212KB

Download
memory/4284-124-0x0000000004F70000-0x0000000004FA5000-memory.dmp

Filesize
212KB

Download
memory/4284-121-0x0000000004F70000-0x0000000004FAA000-memory.dmp

Filesize
232KB

Download
memory/4284-117-0x0000000004900000-0x000000000493C000-memory.dmp

Filesize
240KB

Download
memory/4284-114-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/4284-116-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download