amadey | 20e74c82f905bf2b2a1ccf8670bb66a00109569db326ec5fc35010b5a0777ff1

Analysis

max time kernel
120s
max time network
111s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12-11-2024 23:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

20e74c82f905bf2b2a1ccf8670bb66a00109569db326ec5fc35010b5a0777ff1N.exe
Size

1.5MB
MD5

ac66b91059e6f4164ba4b151c6347970
SHA1

6511519678b85bdd6a3660f7ac34fc3d98780566
SHA256

20e74c82f905bf2b2a1ccf8670bb66a00109569db326ec5fc35010b5a0777ff1
SHA512

2c0f9b13567a5ba394389ed5b2aaf9d7fa69cdf7aa875119543c6b878e0f9b4c70e0c0ca9b6c1fe0233e56541531bb424f73e01de9c749ddc59c721572dab219
SSDEEP

24576:dykFK+dGy7Ah/6PoKPk5AUGL54y2Is1zNdThvoFzif87MoPHJTxntiuwEe1AMThH:4kFKzy72CliAU8W9Is1zPylifuHTxnTg

Score

10^/10

amadey healer redline 9c0adb most discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

amadey

Version

3.80

Botnet

9c0adb

http://193.3.19.154

Attributes

install_dir
cb7ae701b3
install_file
oneetx.exe
strings_key
23b27c80db2465a8e1dc15491b69b82f
url_paths
/store/games/index.php

rc4.plain

Extracted

Family

redline

Botnet

most

185.161.248.73:4164

Attributes

auth_value
7da4dfa153f2919e617aa016f7c36008

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey

Detects Healer an antivirus disabler dropper 17 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2688-35-0x00000000048B0000-0x00000000048CA000-memory.dmp	healer
behavioral1/memory/2688-37-0x0000000004980000-0x0000000004998000-memory.dmp	healer
behavioral1/memory/2688-38-0x0000000004980000-0x0000000004993000-memory.dmp	healer
behavioral1/memory/2688-65-0x0000000004980000-0x0000000004993000-memory.dmp	healer
behavioral1/memory/2688-63-0x0000000004980000-0x0000000004993000-memory.dmp	healer
behavioral1/memory/2688-61-0x0000000004980000-0x0000000004993000-memory.dmp	healer
behavioral1/memory/2688-59-0x0000000004980000-0x0000000004993000-memory.dmp	healer
behavioral1/memory/2688-57-0x0000000004980000-0x0000000004993000-memory.dmp	healer
behavioral1/memory/2688-55-0x0000000004980000-0x0000000004993000-memory.dmp	healer
behavioral1/memory/2688-53-0x0000000004980000-0x0000000004993000-memory.dmp	healer
behavioral1/memory/2688-51-0x0000000004980000-0x0000000004993000-memory.dmp	healer
behavioral1/memory/2688-49-0x0000000004980000-0x0000000004993000-memory.dmp	healer
behavioral1/memory/2688-47-0x0000000004980000-0x0000000004993000-memory.dmp	healer
behavioral1/memory/2688-45-0x0000000004980000-0x0000000004993000-memory.dmp	healer
behavioral1/memory/2688-43-0x0000000004980000-0x0000000004993000-memory.dmp	healer
behavioral1/memory/2688-41-0x0000000004980000-0x0000000004993000-memory.dmp	healer
behavioral1/memory/2688-39-0x0000000004980000-0x0000000004993000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

0470580066.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	0470580066.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	0470580066.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	0470580066.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	0470580066.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	0470580066.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	0470580066.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b18971314.exe	family_redline
behavioral1/memory/2724-89-0x0000000000490000-0x00000000004C0000-memory.dmp	family_redline

Redline family
redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

a44497125.exeoneetx.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	a44497125.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	oneetx.exe

Executes dropped EXE 10 IoCs

Processes:

s60607149.exes05993880.exes93773154.exes26199896.exe0470580066.exea44497125.exeoneetx.exeb18971314.exeoneetx.exeoneetx.exe

pid	process
2068	s60607149.exe
1576	s05993880.exe
4356	s93773154.exe
1168	s26199896.exe
2688	0470580066.exe
1452	a44497125.exe
4064	oneetx.exe
2724	b18971314.exe
3380	oneetx.exe
2696	oneetx.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

0470580066.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	0470580066.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	0470580066.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

s05993880.exes93773154.exes26199896.exe20e74c82f905bf2b2a1ccf8670bb66a00109569db326ec5fc35010b5a0777ff1N.exes60607149.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	s05993880.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	s93773154.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	s26199896.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	20e74c82f905bf2b2a1ccf8670bb66a00109569db326ec5fc35010b5a0777ff1N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	s60607149.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 26 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
3428	1452	WerFault.exe	a44497125.exe
3488	1452	WerFault.exe	a44497125.exe
3852	1452	WerFault.exe	a44497125.exe
2728	1452	WerFault.exe	a44497125.exe
3996	1452	WerFault.exe	a44497125.exe
1624	1452	WerFault.exe	a44497125.exe
2336	1452	WerFault.exe	a44497125.exe
536	1452	WerFault.exe	a44497125.exe
3104	1452	WerFault.exe	a44497125.exe
1300	1452	WerFault.exe	a44497125.exe
940	4064	WerFault.exe	oneetx.exe
2432	4064	WerFault.exe	oneetx.exe
348	4064	WerFault.exe	oneetx.exe
3720	4064	WerFault.exe	oneetx.exe
2696	4064	WerFault.exe	oneetx.exe
2644	4064	WerFault.exe	oneetx.exe
3704	4064	WerFault.exe	oneetx.exe
3972	4064	WerFault.exe	oneetx.exe
2184	4064	WerFault.exe	oneetx.exe
752	4064	WerFault.exe	oneetx.exe
4244	4064	WerFault.exe	oneetx.exe
1120	4064	WerFault.exe	oneetx.exe
1840	4064	WerFault.exe	oneetx.exe
4300	3380	WerFault.exe	oneetx.exe
4168	4064	WerFault.exe	oneetx.exe
4624	2696	WerFault.exe	oneetx.exe

System Location Discovery: System Language Discovery 1 TTPs 17 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

oneetx.execacls.execacls.execacls.exes05993880.exes93773154.exes26199896.exe0470580066.exea44497125.execmd.execmd.execacls.exe20e74c82f905bf2b2a1ccf8670bb66a00109569db326ec5fc35010b5a0777ff1N.exes60607149.exeschtasks.exeb18971314.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	oneetx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	s05993880.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	s93773154.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	s26199896.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0470580066.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a44497125.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	20e74c82f905bf2b2a1ccf8670bb66a00109569db326ec5fc35010b5a0777ff1N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	s60607149.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b18971314.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

2708 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

0470580066.exe

pid process

2688 0470580066.exe
2688 0470580066.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

0470580066.exe

description pid process

Token: SeDebugPrivilege 2688 0470580066.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

a44497125.exe

pid process

1452 a44497125.exe

pid	process
2708	schtasks.exe

pid	process
2688	0470580066.exe
2688	0470580066.exe

description	pid	process
Token: SeDebugPrivilege	2688	0470580066.exe

pid	process
1452	a44497125.exe

Suspicious use of WriteProcessMemory 48 IoCs

Processes:

20e74c82f905bf2b2a1ccf8670bb66a00109569db326ec5fc35010b5a0777ff1N.exes60607149.exes05993880.exes93773154.exes26199896.exea44497125.exeoneetx.execmd.exe

description	pid	process	target process
PID 3076 wrote to memory of 2068	3076	20e74c82f905bf2b2a1ccf8670bb66a00109569db326ec5fc35010b5a0777ff1N.exe	s60607149.exe
PID 3076 wrote to memory of 2068	3076	20e74c82f905bf2b2a1ccf8670bb66a00109569db326ec5fc35010b5a0777ff1N.exe	s60607149.exe
PID 3076 wrote to memory of 2068	3076	20e74c82f905bf2b2a1ccf8670bb66a00109569db326ec5fc35010b5a0777ff1N.exe	s60607149.exe
PID 2068 wrote to memory of 1576	2068	s60607149.exe	s05993880.exe
PID 2068 wrote to memory of 1576	2068	s60607149.exe	s05993880.exe
PID 2068 wrote to memory of 1576	2068	s60607149.exe	s05993880.exe
PID 1576 wrote to memory of 4356	1576	s05993880.exe	s93773154.exe
PID 1576 wrote to memory of 4356	1576	s05993880.exe	s93773154.exe
PID 1576 wrote to memory of 4356	1576	s05993880.exe	s93773154.exe
PID 4356 wrote to memory of 1168	4356	s93773154.exe	s26199896.exe
PID 4356 wrote to memory of 1168	4356	s93773154.exe	s26199896.exe
PID 4356 wrote to memory of 1168	4356	s93773154.exe	s26199896.exe
PID 1168 wrote to memory of 2688	1168	s26199896.exe	0470580066.exe
PID 1168 wrote to memory of 2688	1168	s26199896.exe	0470580066.exe
PID 1168 wrote to memory of 2688	1168	s26199896.exe	0470580066.exe
PID 1168 wrote to memory of 1452	1168	s26199896.exe	a44497125.exe
PID 1168 wrote to memory of 1452	1168	s26199896.exe	a44497125.exe
PID 1168 wrote to memory of 1452	1168	s26199896.exe	a44497125.exe
PID 1452 wrote to memory of 4064	1452	a44497125.exe	oneetx.exe
PID 1452 wrote to memory of 4064	1452	a44497125.exe	oneetx.exe
PID 1452 wrote to memory of 4064	1452	a44497125.exe	oneetx.exe
PID 4356 wrote to memory of 2724	4356	s93773154.exe	b18971314.exe
PID 4356 wrote to memory of 2724	4356	s93773154.exe	b18971314.exe
PID 4356 wrote to memory of 2724	4356	s93773154.exe	b18971314.exe
PID 4064 wrote to memory of 2708	4064	oneetx.exe	schtasks.exe
PID 4064 wrote to memory of 2708	4064	oneetx.exe	schtasks.exe
PID 4064 wrote to memory of 2708	4064	oneetx.exe	schtasks.exe
PID 4064 wrote to memory of 3852	4064	oneetx.exe	cmd.exe
PID 4064 wrote to memory of 3852	4064	oneetx.exe	cmd.exe
PID 4064 wrote to memory of 3852	4064	oneetx.exe	cmd.exe
PID 3852 wrote to memory of 4448	3852	cmd.exe	cmd.exe
PID 3852 wrote to memory of 4448	3852	cmd.exe	cmd.exe
PID 3852 wrote to memory of 4448	3852	cmd.exe	cmd.exe
PID 3852 wrote to memory of 548	3852	cmd.exe	cacls.exe
PID 3852 wrote to memory of 548	3852	cmd.exe	cacls.exe
PID 3852 wrote to memory of 548	3852	cmd.exe	cacls.exe
PID 3852 wrote to memory of 3084	3852	cmd.exe	cacls.exe
PID 3852 wrote to memory of 3084	3852	cmd.exe	cacls.exe
PID 3852 wrote to memory of 3084	3852	cmd.exe	cacls.exe
PID 3852 wrote to memory of 2188	3852	cmd.exe	cmd.exe
PID 3852 wrote to memory of 2188	3852	cmd.exe	cmd.exe
PID 3852 wrote to memory of 2188	3852	cmd.exe	cmd.exe
PID 3852 wrote to memory of 2772	3852	cmd.exe	cacls.exe
PID 3852 wrote to memory of 2772	3852	cmd.exe	cacls.exe
PID 3852 wrote to memory of 2772	3852	cmd.exe	cacls.exe
PID 3852 wrote to memory of 3472	3852	cmd.exe	cacls.exe
PID 3852 wrote to memory of 3472	3852	cmd.exe	cacls.exe
PID 3852 wrote to memory of 3472	3852	cmd.exe	cacls.exe

C:\Users\Admin\AppData\Local\Temp\20e74c82f905bf2b2a1ccf8670bb66a00109569db326ec5fc35010b5a0777ff1N.exe
"C:\Users\Admin\AppData\Local\Temp\20e74c82f905bf2b2a1ccf8670bb66a00109569db326ec5fc35010b5a0777ff1N.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3076
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s60607149.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s60607149.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2068
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\s05993880.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\s05993880.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1576
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\s93773154.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\s93773154.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4356
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s26199896.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s26199896.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1168
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\0470580066.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\0470580066.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2688
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a44497125.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a44497125.exe
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of WriteProcessMemory
        
        PID:1452
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1452 -s 696
        7⤵
        Program crash
        
        PID:3428
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1452 -s 776
        7⤵
        Program crash
        
        PID:3488
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1452 -s 856
        7⤵
        Program crash
        
        PID:3852
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1452 -s 968
        7⤵
        Program crash
        
        PID:2728
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1452 -s 868
        7⤵
        Program crash
        
        PID:3996
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1452 -s 868
        7⤵
        Program crash
        
        PID:1624
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1452 -s 1208
        7⤵
        Program crash
        
        PID:2336
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1452 -s 1208
        7⤵
        Program crash
        
        PID:536
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1452 -s 1312
        7⤵
        Program crash
        
        PID:3104
        
        C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4064
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4064 -s 692
        8⤵
        Program crash
        
        PID:940
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4064 -s 1004
        8⤵
        Program crash
        
        PID:2432
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4064 -s 1012
        8⤵
        Program crash
        
        PID:348
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4064 -s 1088
        8⤵
        Program crash
        
        PID:3720
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4064 -s 1096
        8⤵
        Program crash
        
        PID:2696
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4064 -s 1136
        8⤵
        Program crash
        
        PID:2644
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4064 -s 1004
        8⤵
        Program crash
        
        PID:3704
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F
        8⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2708
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4064 -s 992
        8⤵
        Program crash
        
        PID:3972
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4064 -s 1296
        8⤵
        Program crash
        
        PID:2184
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit
        8⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:4448
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "oneetx.exe" /P "Admin:N"
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:548
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "oneetx.exe" /P "Admin:R" /E
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:3084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2188
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\cb7ae701b3" /P "Admin:N"
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2772
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\cb7ae701b3" /P "Admin:R" /E
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:3472
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4064 -s 1356
        8⤵
        Program crash
        
        PID:752
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4064 -s 1332
        8⤵
        Program crash
        
        PID:4244
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4064 -s 1312
        8⤵
        Program crash
        
        PID:1120
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4064 -s 1292
        8⤵
        Program crash
        
        PID:1840
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4064 -s 1112
        8⤵
        Program crash
        
        PID:4168
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1452 -s 1328
        7⤵
        Program crash
        
        PID:1300
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b18971314.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b18971314.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 1452 -ip 1452
1⤵
PID:1836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1452 -ip 1452
1⤵
PID:1956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1452 -ip 1452
1⤵
PID:3976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1452 -ip 1452
1⤵
PID:2040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 1452 -ip 1452
1⤵
PID:2224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1452 -ip 1452
1⤵
PID:1572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1452 -ip 1452
1⤵
PID:3512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1452 -ip 1452
1⤵
PID:1480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1452 -ip 1452
1⤵
PID:2896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1452 -ip 1452
1⤵
PID:4068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4064 -ip 4064
1⤵
PID:3052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 4064 -ip 4064
1⤵
PID:4912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4064 -ip 4064
1⤵
PID:2468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4064 -ip 4064
1⤵
PID:3192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4064 -ip 4064
1⤵
PID:1440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4064 -ip 4064
1⤵
PID:4840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4064 -ip 4064
1⤵
PID:3384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4064 -ip 4064
1⤵
PID:4748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4064 -ip 4064
1⤵
PID:4424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4064 -ip 4064
1⤵
PID:3708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4064 -ip 4064
1⤵
PID:3112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4064 -ip 4064
1⤵
PID:1356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4064 -ip 4064
1⤵
PID:1396

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
1⤵
- Executes dropped EXE
PID:3380
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3380 -s 316
  2⤵
  - Program crash
  PID:4300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3380 -ip 3380
1⤵
PID:2744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 4064 -ip 4064
1⤵
PID:3048

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
1⤵
- Executes dropped EXE
PID:2696
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2696 -s 216
  2⤵
  - Program crash
  PID:4624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2696 -ip 2696
1⤵
PID:4336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s60607149.exe

Filesize
1.2MB

MD5
7d801aaa0c0d112fd3fb6957d0fe41b8

SHA1
9aecc98da07b2e8e49c5b9fff0cab9a17d76f76b

SHA256
99e0ab95f3893cd138ba530fac24dde40e667c61e5210442d254a0ac0d351252

SHA512
d2dd0f032fd58d9fee1901917fb0c619f2359086e12eec8ba1bbc82007bccafb668171e5d02fb90933388a8b53f0e5dab3b397e86db2952a837bf8058b7fb8c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\s05993880.exe

Filesize
1.0MB

MD5
ba117ccb5f151a5834bea947dd269c17

SHA1
ee62a8e54c5125a4e46a9ab3358117b84b153133

SHA256
c8263ee4d738285a742e9ff2afe49d9caadc2a60a3b6e77cdfaf18d1c0e65340

SHA512
3adb061e3bc5cacd54aeb81e0feeadfd674c1b356efc473ee3b6add9f5fc320d29a1e3c6682cbb5d2e97dc6626a9a78b799835e928b9af42e922763bd6317a34

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\s93773154.exe

Filesize
561KB

MD5
2a7654376a71e9a37c700900c006b4d9

SHA1
652be720029b98740ea6b7b9d571e7a376789de5

SHA256
087cabdbf919a1655f09821955b6b660202a7b2bda63483f93ec1a41f59fa3a7

SHA512
1f27a452e5903edfd520e926994c3881c941061b5b99f16ab2e3a889183f32dc5d0d25d0c0d7ee20d5aec9808dcb8432f1c1a0068be97428dcf1888ff73ac97e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b18971314.exe

Filesize
169KB

MD5
67292d3b7447a21f1410ab0f5d0c94cd

SHA1
d16ebec35cb74b59242b4ed3b478cb32fb1d7035

SHA256
99752eac0c7c54286b5dc482391795e1e35f3efaa9900940dd078b40d9210d84

SHA512
b14b8eed6ab007ebe9726be1e3246b1589bf027412b6da9ac28731add96db75e4f6b3841db6745602a03db1b9819ae0e73141b6ca7793bf754b76839db6a4ef3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s26199896.exe

Filesize
407KB

MD5
2373ced449172b76a1077f5e06104d63

SHA1
5596ceefa5c5ba6cc60dbbc335555a301dd4c1a2

SHA256
d11b5419db2237c5ec7011d56b21753216d4ffa55fc8a86687dd948b27766e4a

SHA512
c59710ff48ef96214b114d78a3a12a341ebade2c9f9cb6ed3bc2d276c62d2d5cbd7be8fa6ff5145e41585362e54c7e12dde9ac4ef68ded7c82e675041e9bc56d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\0470580066.exe

Filesize
176KB

MD5
bf03316ff37e6107e84c7103c37f192d

SHA1
40c77c1a1f77f9fba10d149d5d3ce3d4c8c1b12f

SHA256
a30b18bcb96a8d3706c34e5faf8b286278b79d621c9a94f49ed1102f141561a9

SHA512
cf42699ab542140ab34d873c5b0d9bcf3414927875fe8926bb7d79ca5bd91d67e4031a1f119eb2edfaefd3f216d021dae8cfef404ad39ac63f830005f9414b74

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a44497125.exe

Filesize
368KB

MD5
c4b59b28f9167dec001716b41bf16d80

SHA1
d83342c109cf8161d0907fa6c38f78e779c580ed

SHA256
2b2dfd4fd116bea4fbd56c11bd4c39e328588a16bf6200a01810d9154c7fe7b9

SHA512
32df1bc50612b1046d7c76c5d7c4aa3725a0e650d8235afdf890f5003ef526ec90c8835b70bb2057bf8c344e64226efc8a11331a9de1a3e59b873b26c52a6e08

Download Submit
memory/1452-85-0x0000000000400000-0x0000000000801000-memory.dmp

Filesize
4.0MB

Download
memory/2688-47-0x0000000004980000-0x0000000004993000-memory.dmp

Filesize
76KB

Download
memory/2688-37-0x0000000004980000-0x0000000004998000-memory.dmp

Filesize
96KB

Download
memory/2688-63-0x0000000004980000-0x0000000004993000-memory.dmp

Filesize
76KB

Download
memory/2688-61-0x0000000004980000-0x0000000004993000-memory.dmp

Filesize
76KB

Download
memory/2688-59-0x0000000004980000-0x0000000004993000-memory.dmp

Filesize
76KB

Download
memory/2688-57-0x0000000004980000-0x0000000004993000-memory.dmp

Filesize
76KB

Download
memory/2688-55-0x0000000004980000-0x0000000004993000-memory.dmp

Filesize
76KB

Download
memory/2688-53-0x0000000004980000-0x0000000004993000-memory.dmp

Filesize
76KB

Download
memory/2688-51-0x0000000004980000-0x0000000004993000-memory.dmp

Filesize
76KB

Download
memory/2688-49-0x0000000004980000-0x0000000004993000-memory.dmp

Filesize
76KB

Download
memory/2688-38-0x0000000004980000-0x0000000004993000-memory.dmp

Filesize
76KB

Download
memory/2688-45-0x0000000004980000-0x0000000004993000-memory.dmp

Filesize
76KB

Download
memory/2688-43-0x0000000004980000-0x0000000004993000-memory.dmp

Filesize
76KB

Download
memory/2688-41-0x0000000004980000-0x0000000004993000-memory.dmp

Filesize
76KB

Download
memory/2688-39-0x0000000004980000-0x0000000004993000-memory.dmp

Filesize
76KB

Download
memory/2688-65-0x0000000004980000-0x0000000004993000-memory.dmp

Filesize
76KB

Download
memory/2688-36-0x00000000049B0000-0x0000000004F54000-memory.dmp

Filesize
5.6MB

Download
memory/2688-35-0x00000000048B0000-0x00000000048CA000-memory.dmp

Filesize
104KB

Download
memory/2696-107-0x0000000000400000-0x0000000000801000-memory.dmp

Filesize
4.0MB

Download
memory/2724-89-0x0000000000490000-0x00000000004C0000-memory.dmp

Filesize
192KB

Download
memory/2724-90-0x0000000004C30000-0x0000000004C36000-memory.dmp

Filesize
24KB

Download
memory/2724-91-0x00000000053C0000-0x00000000059D8000-memory.dmp

Filesize
6.1MB

Download
memory/2724-92-0x0000000004EE0000-0x0000000004FEA000-memory.dmp

Filesize
1.0MB

Download
memory/2724-93-0x0000000004E10000-0x0000000004E22000-memory.dmp

Filesize
72KB

Download
memory/2724-94-0x0000000004E70000-0x0000000004EAC000-memory.dmp

Filesize
240KB

Download
memory/2724-95-0x0000000004FF0000-0x000000000503C000-memory.dmp

Filesize
304KB

Download
memory/3380-98-0x0000000000400000-0x0000000000801000-memory.dmp

Filesize
4.0MB

Download
memory/4064-99-0x0000000000400000-0x0000000000801000-memory.dmp

Filesize
4.0MB

Download
memory/4064-104-0x0000000000400000-0x0000000000801000-memory.dmp

Filesize
4.0MB

Download
memory/4064-109-0x0000000000400000-0x0000000000801000-memory.dmp

Filesize
4.0MB

Download