amadey | f5f0149664121e356cc43b761cc83280b629e8e565f125375a20e929cf5924d4

Analysis

max time kernel
146s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11-11-2024 02:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f5f0149664121e356cc43b761cc83280b629e8e565f125375a20e929cf5924d4.exe
Size

1.6MB
MD5

1c2573963c8f808f67ee3a2b91ab82f5
SHA1

879be5b0098b4eda3d4526b28ea79f3db7fce745
SHA256

f5f0149664121e356cc43b761cc83280b629e8e565f125375a20e929cf5924d4
SHA512

1876c2f978d7175cf5c06e351a9972ffa3137048eeee84bcb6a02003a2d13c5e07a8d6fc442121f943ff2ee65a0947968a74969956bec474e02fc79eae1d340d
SSDEEP

24576:fyBcQX9V0IfrmCLIKaKO7tdOh5tL/qAgg5F91g+bz2wy9TWefBh6qyrNaOi:qDrmCLQKatAh5tLydI6wQqyh6qyrNaO

Score

10^/10

amadey healer redline 9c0adb gena most discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

amadey

Version

3.80

Botnet

9c0adb

http://193.3.19.154

Attributes

install_dir
cb7ae701b3
install_file
oneetx.exe
strings_key
23b27c80db2465a8e1dc15491b69b82f
url_paths
/store/games/index.php

rc4.plain

Extracted

Family

redline

Botnet

gena

185.161.248.73:4164

Attributes

auth_value
d05bf43eef533e262271449829751d07

Extracted

Family

redline

Botnet

most

185.161.248.73:4164

Attributes

auth_value
7da4dfa153f2919e617aa016f7c36008

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey

Detects Healer an antivirus disabler dropper 5 IoCs

resource	yara_rule
behavioral1/memory/64-2166-0x0000000004AA0000-0x0000000004AAA000-memory.dmp	healer
behavioral1/files/0x0002000000022ef8-2171.dat	healer
behavioral1/memory/2564-2182-0x0000000000680000-0x000000000068A000-memory.dmp	healer
behavioral1/memory/3864-2184-0x00000000024E0000-0x00000000024FA000-memory.dmp	healer
behavioral1/memory/3864-2185-0x0000000002950000-0x0000000002968000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	b96367294.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	b96367294.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	b96367294.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	b96367294.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	b96367294.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	b96367294.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 5 IoCs

resource	yara_rule
behavioral1/memory/540-4383-0x0000000005760000-0x0000000005792000-memory.dmp	family_redline
behavioral1/files/0x0002000000022ef8-4388.dat	family_redline
behavioral1/memory/2136-4396-0x0000000000E30000-0x0000000000E5E000-memory.dmp	family_redline
behavioral1/files/0x0007000000023ca0-4406.dat	family_redline
behavioral1/memory/5152-4407-0x0000000000530000-0x0000000000560000-memory.dmp	family_redline

Redline family
redline

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	a61672366.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	c59980360.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	oneetx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	d33912739.exe

Executes dropped EXE 15 IoCs

pid	Process
3832	xW271169.exe
3856	tS354223.exe
5096	Kc335548.exe
700	Pb466937.exe
64	a61672366.exe
2564	1.exe
3864	b96367294.exe
3784	c59980360.exe
3512	oneetx.exe
540	d33912739.exe
2136	1.exe
5152	f39088516.exe
2716	oneetx.exe
1172	oneetx.exe
6120	oneetx.exe

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	b96367294.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	b96367294.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	Pb466937.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	f5f0149664121e356cc43b761cc83280b629e8e565f125375a20e929cf5924d4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	xW271169.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	tS354223.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	Kc335548.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
5556	3864	WerFault.exe	96
5496	540	WerFault.exe	105

System Location Discovery: System Language Discovery 1 TTPs 20 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	oneetx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xW271169.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kc335548.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pb466937.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a61672366.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c59980360.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f5f0149664121e356cc43b761cc83280b629e8e565f125375a20e929cf5924d4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d33912739.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f39088516.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tS354223.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b96367294.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2456	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2564	1.exe
2564	1.exe
3864	b96367294.exe
3864	b96367294.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	64	a61672366.exe
Token: SeDebugPrivilege	3864	b96367294.exe
Token: SeDebugPrivilege	2564	1.exe
Token: SeDebugPrivilege	540	d33912739.exe

Suspicious use of WriteProcessMemory 59 IoCs

description	pid	Process	procid_target
PID 964 wrote to memory of 3832	964	f5f0149664121e356cc43b761cc83280b629e8e565f125375a20e929cf5924d4.exe	83
PID 964 wrote to memory of 3832	964	f5f0149664121e356cc43b761cc83280b629e8e565f125375a20e929cf5924d4.exe	83
PID 964 wrote to memory of 3832	964	f5f0149664121e356cc43b761cc83280b629e8e565f125375a20e929cf5924d4.exe	83
PID 3832 wrote to memory of 3856	3832	xW271169.exe	84
PID 3832 wrote to memory of 3856	3832	xW271169.exe	84
PID 3832 wrote to memory of 3856	3832	xW271169.exe	84
PID 3856 wrote to memory of 5096	3856	tS354223.exe	86
PID 3856 wrote to memory of 5096	3856	tS354223.exe	86
PID 3856 wrote to memory of 5096	3856	tS354223.exe	86
PID 5096 wrote to memory of 700	5096	Kc335548.exe	87
PID 5096 wrote to memory of 700	5096	Kc335548.exe	87
PID 5096 wrote to memory of 700	5096	Kc335548.exe	87
PID 700 wrote to memory of 64	700	Pb466937.exe	89
PID 700 wrote to memory of 64	700	Pb466937.exe	89
PID 700 wrote to memory of 64	700	Pb466937.exe	89
PID 64 wrote to memory of 2564	64	a61672366.exe	95
PID 64 wrote to memory of 2564	64	a61672366.exe	95
PID 700 wrote to memory of 3864	700	Pb466937.exe	96
PID 700 wrote to memory of 3864	700	Pb466937.exe	96
PID 700 wrote to memory of 3864	700	Pb466937.exe	96
PID 5096 wrote to memory of 3784	5096	Kc335548.exe	103
PID 5096 wrote to memory of 3784	5096	Kc335548.exe	103
PID 5096 wrote to memory of 3784	5096	Kc335548.exe	103
PID 3784 wrote to memory of 3512	3784	c59980360.exe	104
PID 3784 wrote to memory of 3512	3784	c59980360.exe	104
PID 3784 wrote to memory of 3512	3784	c59980360.exe	104
PID 3856 wrote to memory of 540	3856	tS354223.exe	105
PID 3856 wrote to memory of 540	3856	tS354223.exe	105
PID 3856 wrote to memory of 540	3856	tS354223.exe	105
PID 3512 wrote to memory of 2456	3512	oneetx.exe	106
PID 3512 wrote to memory of 2456	3512	oneetx.exe	106
PID 3512 wrote to memory of 2456	3512	oneetx.exe	106
PID 3512 wrote to memory of 60	3512	oneetx.exe	108
PID 3512 wrote to memory of 60	3512	oneetx.exe	108
PID 3512 wrote to memory of 60	3512	oneetx.exe	108
PID 60 wrote to memory of 400	60	cmd.exe	110
PID 60 wrote to memory of 400	60	cmd.exe	110
PID 60 wrote to memory of 400	60	cmd.exe	110
PID 60 wrote to memory of 5128	60	cmd.exe	111
PID 60 wrote to memory of 5128	60	cmd.exe	111
PID 60 wrote to memory of 5128	60	cmd.exe	111
PID 60 wrote to memory of 5164	60	cmd.exe	112
PID 60 wrote to memory of 5164	60	cmd.exe	112
PID 60 wrote to memory of 5164	60	cmd.exe	112
PID 60 wrote to memory of 5500	60	cmd.exe	113
PID 60 wrote to memory of 5500	60	cmd.exe	113
PID 60 wrote to memory of 5500	60	cmd.exe	113
PID 60 wrote to memory of 5532	60	cmd.exe	114
PID 60 wrote to memory of 5532	60	cmd.exe	114
PID 60 wrote to memory of 5532	60	cmd.exe	114
PID 60 wrote to memory of 5584	60	cmd.exe	115
PID 60 wrote to memory of 5584	60	cmd.exe	115
PID 60 wrote to memory of 5584	60	cmd.exe	115
PID 540 wrote to memory of 2136	540	d33912739.exe	116
PID 540 wrote to memory of 2136	540	d33912739.exe	116
PID 540 wrote to memory of 2136	540	d33912739.exe	116
PID 3832 wrote to memory of 5152	3832	xW271169.exe	119
PID 3832 wrote to memory of 5152	3832	xW271169.exe	119
PID 3832 wrote to memory of 5152	3832	xW271169.exe	119

C:\Users\Admin\AppData\Local\Temp\f5f0149664121e356cc43b761cc83280b629e8e565f125375a20e929cf5924d4.exe
"C:\Users\Admin\AppData\Local\Temp\f5f0149664121e356cc43b761cc83280b629e8e565f125375a20e929cf5924d4.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:964
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xW271169.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xW271169.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3832
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tS354223.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tS354223.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3856
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Kc335548.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Kc335548.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:5096
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Pb466937.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Pb466937.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:700
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a61672366.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a61672366.exe
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:64
        
        C:\Windows\Temp\1.exe
        
        "C:\Windows\Temp\1.exe"
        7⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2564
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b96367294.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b96367294.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3864
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3864 -s 1084
        7⤵
        Program crash
        
        PID:5556
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c59980360.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c59980360.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3784
      - C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3512
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F
        7⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2456
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:60
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:400
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "oneetx.exe" /P "Admin:N"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:5128
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "oneetx.exe" /P "Admin:R" /E
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:5164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:5500
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\cb7ae701b3" /P "Admin:N"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:5532
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\cb7ae701b3" /P "Admin:R" /E
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:5584
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d33912739.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d33912739.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:540
    - - C:\Windows\Temp\1.exe
        
        "C:\Windows\Temp\1.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2136
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 540 -s 1536
        5⤵
        Program crash
        
        PID:5496
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f39088516.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f39088516.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3864 -ip 3864
1⤵
PID:1584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 540 -ip 540
1⤵
PID:1584

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
1⤵
- Executes dropped EXE
PID:2716

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
1⤵
- Executes dropped EXE
PID:1172

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
1⤵
- Executes dropped EXE
PID:6120

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xW271169.exe

Filesize
1.3MB

MD5
8bccc826f0931c5a58f4fea33e86ea9a

SHA1
903cd7f1d786c9d90d3beab023e36e22b07a0ff0

SHA256
030df1aadae3a3177f8a69e89bd3ff619517eba49e8c4559ac48e9f8e63bc1ba

SHA512
ff9e924622edf23cbc19f5bd78981402ab64cd1d6987492eda678e11d95a2795e1c6f4bd15fd1dec3199a52ee76aeb21970adc92402e3f45cedfe91ed312c485

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f39088516.exe

Filesize
169KB

MD5
77e7d59cee75b40695cb33eabe910f45

SHA1
d5fa666dfad5486c40b6725d666668af5eaa84d1

SHA256
50833cb800864ba8267e8a0e5227cfba81b49d0c58191129cf98e3faabf10f1c

SHA512
3a6080d54a3aba056f4d77c23cd8ca56f6d4fe81ff79af6cc45c21706d0cb1f3e70d61803af6358a43ce78d2a029f6c190f657fe123d7aa17e1d47f099bbacde

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tS354223.exe

Filesize
1.2MB

MD5
25521fbca17d1df979c83762f84f7752

SHA1
ad9160058f870770b11a91c51c0f0aa76b08aa68

SHA256
f1fa87f8713bbac68ae4542d42b600fc55bb196ce8c0acbc2d13b565a4420cca

SHA512
667eedffe4de8b865a373d4d81ce851c29e087d9172a073393ac4cd3628dc856cfda2aaf78b92abf0ba07378a30a039b046dc98a20db44dd2e58ba7978d4df56

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Kc335548.exe

Filesize
726KB

MD5
38c83491dfe8c0d7eb449720bea4caad

SHA1
70ab07a8347461a255d95e7e910a1f8a429a7775

SHA256
038294b0d735f89cfe5809d1053e9a8c3648b349a434b79961fc26c7430f54b8

SHA512
60ab0680d8ae5d00f650209cb6e1d7283442695ae20495ab6f384a8dc347d3f4f04273d7f9fc5806f58e9ad6a4fb5efbbc337c7023949baa682841396c26fb19

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d33912739.exe

Filesize
574KB

MD5
ddff2515f570ce764b51d1ff79f1600b

SHA1
33c45c9d9b5bb5a80935c3f13fc6d88e2af45cbe

SHA256
b5d1949a19d3997aaa1646ab4d281e44e008f4a682006581bbbe2c804bcbd03e

SHA512
d15fee9f70dba6357010ed9efa8e31dc3a47183a514bb0fdb00f9e1211c4bc2673098b0f7f828426c021c800afa71710d0f9ffa4842878ea5c249f1d73bce7fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Pb466937.exe

Filesize
554KB

MD5
a8e6894efef3b6ece718676e412da916

SHA1
850aac0470562e193b73ac969491bec106c9c00a

SHA256
3c49eda4f4b1d7f333f5fd8239b8ea4af5af10bf65e074609d46e028abfb65e6

SHA512
b96a97357bd29083552f50a6a72a91d75b1d61c668412116c08bcfca6751fd5fc57bbd1f744d63194a5cd3db1300d6a06b642e49b7d9140bd6e49dff127a7525

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c59980360.exe

Filesize
205KB

MD5
2620314de17fd141747a1ab97161e2f3

SHA1
92f320ae220e55fc71a56c853adaebbac1f4ce9d

SHA256
eddbc8f8fd24905e9ed6963f16413f8ea997e8f0960b8ce5fcf229fd594172e4

SHA512
e371d95f89415b71f2e924a1ceebb2d7819e249feb2450dbb04c8a6ff5552bb5917d4905b0e092141692cd92b1ee45571f6eb1af82991fcff36d7c17378aceb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a61672366.exe

Filesize
303KB

MD5
3707cf985d136dd397a835367da28162

SHA1
7181fa23f131ece7b32fc7f432865444670bbe95

SHA256
78de6a1d3dc0cc4e71e3b32dde4bae0f3c3e577e01f518bcc34e465bd54c5ba8

SHA512
2dd3c8ac71caaccc9df39363033239e01dcc0e831df2c9cf0a07cbf59e27203346c59d0f76dda868557cfcde8eec2861b0a1c93d55a0c84063dcf9e9152da152

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b96367294.exe

Filesize
391KB

MD5
884351babea33e2e7ce49ef427861f1f

SHA1
604bdc17e0e7fbf5a97d43ca7a84a0e615b66320

SHA256
1e716bcee0cecd5f1f116c386339472e42e16ea04b94986419c5b578ff20a4c2

SHA512
cbb98c3dee32d7d63d6af1a36b2ad3539b94de4481b63a669cc2a2192e17a0aeb5246229ddadf8779308d8ba8192f56946caa9355890475fb8b19b0e523dd61d

Download Submit
C:\Windows\Temp\1.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
f16fb63d4e551d3808e8f01f2671b57e

SHA1
781153ad6235a1152da112de1fb39a6f2d063575

SHA256
8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581

SHA512
fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf

Download Submit
memory/64-63-0x0000000004A20000-0x0000000004A71000-memory.dmp

Filesize
324KB

Download
memory/64-51-0x0000000004A20000-0x0000000004A71000-memory.dmp

Filesize
324KB

Download
memory/64-101-0x0000000004A20000-0x0000000004A71000-memory.dmp

Filesize
324KB

Download
memory/64-99-0x0000000004A20000-0x0000000004A71000-memory.dmp

Filesize
324KB

Download
memory/64-97-0x0000000004A20000-0x0000000004A71000-memory.dmp

Filesize
324KB

Download
memory/64-95-0x0000000004A20000-0x0000000004A71000-memory.dmp

Filesize
324KB

Download
memory/64-93-0x0000000004A20000-0x0000000004A71000-memory.dmp

Filesize
324KB

Download
memory/64-91-0x0000000004A20000-0x0000000004A71000-memory.dmp

Filesize
324KB

Download
memory/64-89-0x0000000004A20000-0x0000000004A71000-memory.dmp

Filesize
324KB

Download
memory/64-87-0x0000000004A20000-0x0000000004A71000-memory.dmp

Filesize
324KB

Download
memory/64-83-0x0000000004A20000-0x0000000004A71000-memory.dmp

Filesize
324KB

Download
memory/64-81-0x0000000004A20000-0x0000000004A71000-memory.dmp

Filesize
324KB

Download
memory/64-79-0x0000000004A20000-0x0000000004A71000-memory.dmp

Filesize
324KB

Download
memory/64-77-0x0000000004A20000-0x0000000004A71000-memory.dmp

Filesize
324KB

Download
memory/64-73-0x0000000004A20000-0x0000000004A71000-memory.dmp

Filesize
324KB

Download
memory/64-71-0x0000000004A20000-0x0000000004A71000-memory.dmp

Filesize
324KB

Download
memory/64-69-0x0000000004A20000-0x0000000004A71000-memory.dmp

Filesize
324KB

Download
memory/64-67-0x0000000004A20000-0x0000000004A71000-memory.dmp

Filesize
324KB

Download
memory/64-65-0x0000000004A20000-0x0000000004A71000-memory.dmp

Filesize
324KB

Download
memory/64-37-0x0000000004A20000-0x0000000004A76000-memory.dmp

Filesize
344KB

Download
memory/64-61-0x0000000004A20000-0x0000000004A71000-memory.dmp

Filesize
324KB

Download
memory/64-59-0x0000000004A20000-0x0000000004A71000-memory.dmp

Filesize
324KB

Download
memory/64-57-0x0000000004A20000-0x0000000004A71000-memory.dmp

Filesize
324KB

Download
memory/64-55-0x0000000004A20000-0x0000000004A71000-memory.dmp

Filesize
324KB

Download
memory/64-53-0x0000000004A20000-0x0000000004A71000-memory.dmp

Filesize
324KB

Download
memory/64-85-0x0000000004A20000-0x0000000004A71000-memory.dmp

Filesize
324KB

Download
memory/64-49-0x0000000004A20000-0x0000000004A71000-memory.dmp

Filesize
324KB

Download
memory/64-45-0x0000000004A20000-0x0000000004A71000-memory.dmp

Filesize
324KB

Download
memory/64-43-0x0000000004A20000-0x0000000004A71000-memory.dmp

Filesize
324KB

Download
memory/64-41-0x0000000004A20000-0x0000000004A71000-memory.dmp

Filesize
324KB

Download
memory/64-39-0x0000000004A20000-0x0000000004A71000-memory.dmp

Filesize
324KB

Download
memory/64-75-0x0000000004A20000-0x0000000004A71000-memory.dmp

Filesize
324KB

Download
memory/64-47-0x0000000004A20000-0x0000000004A71000-memory.dmp

Filesize
324KB

Download
memory/64-38-0x0000000004A20000-0x0000000004A71000-memory.dmp

Filesize
324KB

Download
memory/64-2166-0x0000000004AA0000-0x0000000004AAA000-memory.dmp

Filesize
40KB

Download
memory/64-35-0x00000000021E0000-0x0000000002238000-memory.dmp

Filesize
352KB

Download
memory/64-36-0x0000000004AC0000-0x0000000005064000-memory.dmp

Filesize
5.6MB

Download
memory/540-4383-0x0000000005760000-0x0000000005792000-memory.dmp

Filesize
200KB

Download
memory/540-2236-0x0000000002900000-0x0000000002966000-memory.dmp

Filesize
408KB

Download
memory/540-2235-0x00000000027C0000-0x0000000002828000-memory.dmp

Filesize
416KB

Download
memory/2136-4397-0x0000000002F80000-0x0000000002F86000-memory.dmp

Filesize
24KB

Download
memory/2136-4398-0x0000000005DE0000-0x00000000063F8000-memory.dmp

Filesize
6.1MB

Download
memory/2136-4399-0x00000000058D0000-0x00000000059DA000-memory.dmp

Filesize
1.0MB

Download
memory/2136-4400-0x00000000057C0000-0x00000000057D2000-memory.dmp

Filesize
72KB

Download
memory/2136-4401-0x00000000057E0000-0x000000000581C000-memory.dmp

Filesize
240KB

Download
memory/2136-4402-0x0000000005860000-0x00000000058AC000-memory.dmp

Filesize
304KB

Download
memory/2136-4396-0x0000000000E30000-0x0000000000E5E000-memory.dmp

Filesize
184KB

Download
memory/2564-2182-0x0000000000680000-0x000000000068A000-memory.dmp

Filesize
40KB

Download
memory/3864-2184-0x00000000024E0000-0x00000000024FA000-memory.dmp

Filesize
104KB

Download
memory/3864-2185-0x0000000002950000-0x0000000002968000-memory.dmp

Filesize
96KB

Download
memory/5152-4408-0x0000000002630000-0x0000000002636000-memory.dmp

Filesize
24KB

Download
memory/5152-4407-0x0000000000530000-0x0000000000560000-memory.dmp

Filesize
192KB

Download