amadey | ce880f90252cc583f9e960f263fea8c105a56d2d3a730843891ed1ced17d7700

Analysis

max time kernel
119s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18/11/2024, 19:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ce880f90252cc583f9e960f263fea8c105a56d2d3a730843891ed1ced17d7700.exe
Size

1.3MB
MD5

10ae42062a868981fea665370c73b397
SHA1

af16f50e65df702d4f552e6ff0615482ad9f29fe
SHA256

ce880f90252cc583f9e960f263fea8c105a56d2d3a730843891ed1ced17d7700
SHA512

893095d2a346e32de1f11c996359d78abb396d29536deaf644da0198103abbe1c296770fbcfed44f872c4c2c6a2cfef3117a2a97a785e27c8b997923eaf70ba6
SSDEEP

24576:BykWaTDniI2yvKqQzvtYx92Ia+l6Sy0D3loPjIa0OIo2wSvKo:0kWe1LvbQTt0/5ys/oST

Score

10^/10

amadey healer redline 9c0adb gena most discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

amadey

Version

3.80

Botnet

9c0adb

http://193.3.19.154

Attributes

install_dir
cb7ae701b3
install_file
oneetx.exe
strings_key
23b27c80db2465a8e1dc15491b69b82f
url_paths
/store/games/index.php

rc4.plain

Extracted

Family

redline

Botnet

gena

185.161.248.73:4164

Attributes

auth_value
d05bf43eef533e262271449829751d07

Extracted

Family

redline

Botnet

most

185.161.248.73:4164

Attributes

auth_value
7da4dfa153f2919e617aa016f7c36008

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey

Detects Healer an antivirus disabler dropper 5 IoCs

resource	yara_rule
behavioral1/memory/4804-2159-0x00000000052F0000-0x00000000052FA000-memory.dmp	healer
behavioral1/files/0x0002000000022b11-2164.dat	healer
behavioral1/memory/4388-2174-0x0000000000810000-0x000000000081A000-memory.dmp	healer
behavioral1/memory/912-2177-0x00000000024C0000-0x00000000024DA000-memory.dmp	healer
behavioral1/memory/912-2178-0x0000000004DA0000-0x0000000004DB8000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	b48571767.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	b48571767.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	b48571767.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	b48571767.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	b48571767.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	b48571767.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 5 IoCs

resource	yara_rule
behavioral1/memory/4936-4376-0x0000000005760000-0x0000000005792000-memory.dmp	family_redline
behavioral1/files/0x0002000000022b11-4381.dat	family_redline
behavioral1/memory/3924-4389-0x00000000001C0000-0x00000000001EE000-memory.dmp	family_redline
behavioral1/files/0x000a000000023ba9-4397.dat	family_redline
behavioral1/memory/5848-4399-0x00000000009F0000-0x0000000000A20000-memory.dmp	family_redline

Redline family
redline

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	a03166713.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	c83304388.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	oneetx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	d81697325.exe

Executes dropped EXE 13 IoCs

pid	Process
4088	Qz016160.exe
1676	ll675285.exe
3040	gx244589.exe
4804	a03166713.exe
4388	1.exe
912	b48571767.exe
1040	c83304388.exe
3004	oneetx.exe
4936	d81697325.exe
3924	1.exe
5848	f40049312.exe
5928	oneetx.exe
4432	oneetx.exe

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	b48571767.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	b48571767.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	ce880f90252cc583f9e960f263fea8c105a56d2d3a730843891ed1ced17d7700.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Qz016160.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	ll675285.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	gx244589.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2064	912	WerFault.exe	91
3448	4936	WerFault.exe	105

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ce880f90252cc583f9e960f263fea8c105a56d2d3a730843891ed1ced17d7700.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ll675285.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a03166713.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	oneetx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d81697325.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qz016160.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gx244589.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c83304388.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b48571767.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f40049312.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3256	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4388	1.exe
4388	1.exe
912	b48571767.exe
912	b48571767.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	4804	a03166713.exe
Token: SeDebugPrivilege	912	b48571767.exe
Token: SeDebugPrivilege	4388	1.exe
Token: SeDebugPrivilege	4936	d81697325.exe

Suspicious use of WriteProcessMemory 56 IoCs

description	pid	Process	procid_target
PID 2464 wrote to memory of 4088	2464	ce880f90252cc583f9e960f263fea8c105a56d2d3a730843891ed1ced17d7700.exe	83
PID 2464 wrote to memory of 4088	2464	ce880f90252cc583f9e960f263fea8c105a56d2d3a730843891ed1ced17d7700.exe	83
PID 2464 wrote to memory of 4088	2464	ce880f90252cc583f9e960f263fea8c105a56d2d3a730843891ed1ced17d7700.exe	83
PID 4088 wrote to memory of 1676	4088	Qz016160.exe	84
PID 4088 wrote to memory of 1676	4088	Qz016160.exe	84
PID 4088 wrote to memory of 1676	4088	Qz016160.exe	84
PID 1676 wrote to memory of 3040	1676	ll675285.exe	85
PID 1676 wrote to memory of 3040	1676	ll675285.exe	85
PID 1676 wrote to memory of 3040	1676	ll675285.exe	85
PID 3040 wrote to memory of 4804	3040	gx244589.exe	87
PID 3040 wrote to memory of 4804	3040	gx244589.exe	87
PID 3040 wrote to memory of 4804	3040	gx244589.exe	87
PID 4804 wrote to memory of 4388	4804	a03166713.exe	90
PID 4804 wrote to memory of 4388	4804	a03166713.exe	90
PID 3040 wrote to memory of 912	3040	gx244589.exe	91
PID 3040 wrote to memory of 912	3040	gx244589.exe	91
PID 3040 wrote to memory of 912	3040	gx244589.exe	91
PID 1676 wrote to memory of 1040	1676	ll675285.exe	103
PID 1676 wrote to memory of 1040	1676	ll675285.exe	103
PID 1676 wrote to memory of 1040	1676	ll675285.exe	103
PID 1040 wrote to memory of 3004	1040	c83304388.exe	104
PID 1040 wrote to memory of 3004	1040	c83304388.exe	104
PID 1040 wrote to memory of 3004	1040	c83304388.exe	104
PID 4088 wrote to memory of 4936	4088	Qz016160.exe	105
PID 4088 wrote to memory of 4936	4088	Qz016160.exe	105
PID 4088 wrote to memory of 4936	4088	Qz016160.exe	105
PID 3004 wrote to memory of 3256	3004	oneetx.exe	106
PID 3004 wrote to memory of 3256	3004	oneetx.exe	106
PID 3004 wrote to memory of 3256	3004	oneetx.exe	106
PID 3004 wrote to memory of 4996	3004	oneetx.exe	108
PID 3004 wrote to memory of 4996	3004	oneetx.exe	108
PID 3004 wrote to memory of 4996	3004	oneetx.exe	108
PID 4996 wrote to memory of 3616	4996	cmd.exe	110
PID 4996 wrote to memory of 3616	4996	cmd.exe	110
PID 4996 wrote to memory of 3616	4996	cmd.exe	110
PID 4996 wrote to memory of 3440	4996	cmd.exe	111
PID 4996 wrote to memory of 3440	4996	cmd.exe	111
PID 4996 wrote to memory of 3440	4996	cmd.exe	111
PID 4996 wrote to memory of 4788	4996	cmd.exe	112
PID 4996 wrote to memory of 4788	4996	cmd.exe	112
PID 4996 wrote to memory of 4788	4996	cmd.exe	112
PID 4996 wrote to memory of 4592	4996	cmd.exe	113
PID 4996 wrote to memory of 4592	4996	cmd.exe	113
PID 4996 wrote to memory of 4592	4996	cmd.exe	113
PID 4996 wrote to memory of 4988	4996	cmd.exe	114
PID 4996 wrote to memory of 4988	4996	cmd.exe	114
PID 4996 wrote to memory of 4988	4996	cmd.exe	114
PID 4996 wrote to memory of 5184	4996	cmd.exe	115
PID 4996 wrote to memory of 5184	4996	cmd.exe	115
PID 4996 wrote to memory of 5184	4996	cmd.exe	115
PID 4936 wrote to memory of 3924	4936	d81697325.exe	116
PID 4936 wrote to memory of 3924	4936	d81697325.exe	116
PID 4936 wrote to memory of 3924	4936	d81697325.exe	116
PID 2464 wrote to memory of 5848	2464	ce880f90252cc583f9e960f263fea8c105a56d2d3a730843891ed1ced17d7700.exe	119
PID 2464 wrote to memory of 5848	2464	ce880f90252cc583f9e960f263fea8c105a56d2d3a730843891ed1ced17d7700.exe	119
PID 2464 wrote to memory of 5848	2464	ce880f90252cc583f9e960f263fea8c105a56d2d3a730843891ed1ced17d7700.exe	119

C:\Users\Admin\AppData\Local\Temp\ce880f90252cc583f9e960f263fea8c105a56d2d3a730843891ed1ced17d7700.exe
"C:\Users\Admin\AppData\Local\Temp\ce880f90252cc583f9e960f263fea8c105a56d2d3a730843891ed1ced17d7700.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2464
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Qz016160.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Qz016160.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4088
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ll675285.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ll675285.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1676
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\gx244589.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\gx244589.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3040
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a03166713.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a03166713.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4804
      - C:\Windows\Temp\1.exe
        
        "C:\Windows\Temp\1.exe"
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4388
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b48571767.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b48571767.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:912
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 912 -s 1096
        6⤵
        Program crash
        
        PID:2064
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c83304388.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c83304388.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1040
    - - C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3004
      - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:3256
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3616
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "oneetx.exe" /P "Admin:N"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3440
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "oneetx.exe" /P "Admin:R" /E
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4592
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\cb7ae701b3" /P "Admin:N"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4988
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\cb7ae701b3" /P "Admin:R" /E
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:5184
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d81697325.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d81697325.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4936
  - - C:\Windows\Temp\1.exe
      "C:\Windows\Temp\1.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3924
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4936 -s 1384
      4⤵
      Program crash
      PID:3448
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\f40049312.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\f40049312.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 912 -ip 912
1⤵
PID:2380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4936 -ip 4936
1⤵
PID:5352

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
1⤵
- Executes dropped EXE
PID:5928

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
1⤵
- Executes dropped EXE
PID:4432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Qz016160.exe

Filesize
1.2MB

MD5
83223ac67deb9a9818a6f12667b8d23c

SHA1
ece9e6ea116de3d59e5cffa815ed7adfed253423

SHA256
4b816651b131c83c08da0375ac5f22101a07f0e31924966b1a40344dc97c40f3

SHA512
ca8277e86dd75a768fd3c6cd1562577ff5e6ba6fdd0b21b6afb83bdcb8977cfbba35ebe1b4c701009995670720476c73632976812ea33dcf5551bc6d49a43216

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\f40049312.exe

Filesize
169KB

MD5
7ea9b370a1fb0fb21388fc58dfb66566

SHA1
894e0e8ec71efdd30a4cccf1a7a4e8057f6fede1

SHA256
751710597b5c16e16dafb0d9a0b9fdfa953d2cb7bbd8d6854c0774650ef2b6ab

SHA512
dd723720307021ca0d51f442dd66dd5d7b011ebc89b4f63c0dd64660524324dc4effefee6defa380ce5e2e765a745be1e3b237f57476b112deb1ae8e984250cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d81697325.exe

Filesize
576KB

MD5
b1931c66842d94f4b5a3603045b15d69

SHA1
d5429dd1b0f59ecd376a8d7aee2feb51ca192a95

SHA256
07adf441b972f1b11b9634b502b02bfc58a8b8a45d2f72c8c79a3cc390c443e3

SHA512
08280e33d0d95fbe0e8f735d3777f4a2f01fe5c1c2edfa5c21832d1b34d9b1aed1424a05c236f08b02dc0961bbb4f92717291dea057afdc2f4b15045258db18c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ll675285.exe

Filesize
727KB

MD5
acfaee97330ffa2d73428759c3262686

SHA1
7a633b4683ad02b2b777995a41f2c640f556b3f8

SHA256
3e003669319397a1cf8e432dcd7598f138a639c1a5911248dea12326fa33f49a

SHA512
91883314de24be29099a76f7530f931ea5bed2dde5d958b3d0d68a99d3e2af281f97552b17261108642657752daa2563bb50be01663881d688524d7ac4782d60

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c83304388.exe

Filesize
205KB

MD5
d21db5cc87227f8686766ba78ff78f35

SHA1
1ecbc3c947ec2aaeaaac3c4abe26c466f087b815

SHA256
57250e1689507233b976c9e36bfd7c87cb5c31f4631bdf439ba9f115912207c2

SHA512
743e1da8b3e6406bc6ee749a73b6a667c1e72bdfc905dac469610a90ca7ea86c3fc1a257dea7aa4e35ff68b5c569d7d2b636053feda05596369af97781915ff7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\gx244589.exe

Filesize
555KB

MD5
6386f673c09d893b23d07c1d96740823

SHA1
9003d9901f5b29f78cf7c46d61057bd83bbd4cda

SHA256
6edcb4e581abade915ea198bc41440e4ff7259a172dce8b5dab6c1722485e50f

SHA512
e02ed5aa94d5cd955d6c0a8d3480708d09f538ca61a1a33fe580367c39739d8bdb346eff437c32bb2c27799dea87576f02fb2f74efd39d3c430a0fd05d790d27

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a03166713.exe

Filesize
303KB

MD5
d1dce49902fcbdef6b8681a83e30c599

SHA1
00f3575f1194fc6c2d2128083ddc96687b5a1aed

SHA256
62c74fcc6a139c7b58e4d1bdf2a9bc7fdf7fdd0f4b4ed18496fcc6bc7ad2d397

SHA512
da6c545e38d0fdaf5f96e267ddf08cc53e53f5b075c73d62964bfbde95dda7afc499a56d8fc6a5b9bd238d65ac6afaa30e4571ff21a8c04f9e1640b76aa545f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b48571767.exe

Filesize
393KB

MD5
5f2fa8ffe4fe42fd8878221534d1ca3f

SHA1
b7e5165d36c7727b08e7eb5ffd2e88b6d865f2ef

SHA256
699111a50a8cc5b5a9dc9828a9d5a36d6d64f1af183d1c2b0b2542153f104c9b

SHA512
dedb96c1458f41972ec078e78709aa2e2b0a434badeb8b1526f4296ca37d64d2c9371fa2e8b6bc8656eda232e10a0c0ce3ff19eb420f7ddec18b63bf98afadb6

Download Submit
C:\Windows\Temp\1.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
f16fb63d4e551d3808e8f01f2671b57e

SHA1
781153ad6235a1152da112de1fb39a6f2d063575

SHA256
8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581

SHA512
fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf

Download Submit
memory/912-2177-0x00000000024C0000-0x00000000024DA000-memory.dmp

Filesize
104KB

Download
memory/912-2178-0x0000000004DA0000-0x0000000004DB8000-memory.dmp

Filesize
96KB

Download
memory/3924-4395-0x0000000004BA0000-0x0000000004BDC000-memory.dmp

Filesize
240KB

Download
memory/3924-4400-0x0000000004BF0000-0x0000000004C3C000-memory.dmp

Filesize
304KB

Download
memory/3924-4389-0x00000000001C0000-0x00000000001EE000-memory.dmp

Filesize
184KB

Download
memory/3924-4392-0x0000000004C50000-0x0000000004D5A000-memory.dmp

Filesize
1.0MB

Download
memory/3924-4393-0x0000000004B40000-0x0000000004B52000-memory.dmp

Filesize
72KB

Download
memory/3924-4391-0x0000000005160000-0x0000000005778000-memory.dmp

Filesize
6.1MB

Download
memory/3924-4390-0x0000000002550000-0x0000000002556000-memory.dmp

Filesize
24KB

Download
memory/4388-2174-0x0000000000810000-0x000000000081A000-memory.dmp

Filesize
40KB

Download
memory/4804-78-0x0000000004FE0000-0x0000000005031000-memory.dmp

Filesize
324KB

Download
memory/4804-66-0x0000000004FE0000-0x0000000005031000-memory.dmp

Filesize
324KB

Download
memory/4804-62-0x0000000004FE0000-0x0000000005031000-memory.dmp

Filesize
324KB

Download
memory/4804-60-0x0000000004FE0000-0x0000000005031000-memory.dmp

Filesize
324KB

Download
memory/4804-58-0x0000000004FE0000-0x0000000005031000-memory.dmp

Filesize
324KB

Download
memory/4804-56-0x0000000004FE0000-0x0000000005031000-memory.dmp

Filesize
324KB

Download
memory/4804-50-0x0000000004FE0000-0x0000000005031000-memory.dmp

Filesize
324KB

Download
memory/4804-48-0x0000000004FE0000-0x0000000005031000-memory.dmp

Filesize
324KB

Download
memory/4804-46-0x0000000004FE0000-0x0000000005031000-memory.dmp

Filesize
324KB

Download
memory/4804-44-0x0000000004FE0000-0x0000000005031000-memory.dmp

Filesize
324KB

Download
memory/4804-42-0x0000000004FE0000-0x0000000005031000-memory.dmp

Filesize
324KB

Download
memory/4804-40-0x0000000004FE0000-0x0000000005031000-memory.dmp

Filesize
324KB

Download
memory/4804-38-0x0000000004FE0000-0x0000000005031000-memory.dmp

Filesize
324KB

Download
memory/4804-36-0x0000000004FE0000-0x0000000005031000-memory.dmp

Filesize
324KB

Download
memory/4804-35-0x0000000004FE0000-0x0000000005031000-memory.dmp

Filesize
324KB

Download
memory/4804-32-0x0000000004FE0000-0x0000000005031000-memory.dmp

Filesize
324KB

Download
memory/4804-72-0x0000000004FE0000-0x0000000005031000-memory.dmp

Filesize
324KB

Download
memory/4804-54-0x0000000004FE0000-0x0000000005031000-memory.dmp

Filesize
324KB

Download
memory/4804-52-0x0000000004FE0000-0x0000000005031000-memory.dmp

Filesize
324KB

Download
memory/4804-31-0x0000000004FE0000-0x0000000005031000-memory.dmp

Filesize
324KB

Download
memory/4804-2159-0x00000000052F0000-0x00000000052FA000-memory.dmp

Filesize
40KB

Download
memory/4804-64-0x0000000004FE0000-0x0000000005031000-memory.dmp

Filesize
324KB

Download
memory/4804-68-0x0000000004FE0000-0x0000000005031000-memory.dmp

Filesize
324KB

Download
memory/4804-70-0x0000000004FE0000-0x0000000005031000-memory.dmp

Filesize
324KB

Download
memory/4804-74-0x0000000004FE0000-0x0000000005031000-memory.dmp

Filesize
324KB

Download
memory/4804-76-0x0000000004FE0000-0x0000000005031000-memory.dmp

Filesize
324KB

Download
memory/4804-80-0x0000000004FE0000-0x0000000005031000-memory.dmp

Filesize
324KB

Download
memory/4804-82-0x0000000004FE0000-0x0000000005031000-memory.dmp

Filesize
324KB

Download
memory/4804-28-0x00000000048E0000-0x0000000004938000-memory.dmp

Filesize
352KB

Download
memory/4804-29-0x0000000004A30000-0x0000000004FD4000-memory.dmp

Filesize
5.6MB

Download
memory/4804-30-0x0000000004FE0000-0x0000000005036000-memory.dmp

Filesize
344KB

Download
memory/4804-84-0x0000000004FE0000-0x0000000005031000-memory.dmp

Filesize
324KB

Download
memory/4804-88-0x0000000004FE0000-0x0000000005031000-memory.dmp

Filesize
324KB

Download
memory/4804-90-0x0000000004FE0000-0x0000000005031000-memory.dmp

Filesize
324KB

Download
memory/4804-92-0x0000000004FE0000-0x0000000005031000-memory.dmp

Filesize
324KB

Download
memory/4804-94-0x0000000004FE0000-0x0000000005031000-memory.dmp

Filesize
324KB

Download
memory/4804-86-0x0000000004FE0000-0x0000000005031000-memory.dmp

Filesize
324KB

Download
memory/4936-4376-0x0000000005760000-0x0000000005792000-memory.dmp

Filesize
200KB

Download
memory/4936-2229-0x0000000005520000-0x0000000005586000-memory.dmp

Filesize
408KB

Download
memory/4936-2228-0x0000000004E70000-0x0000000004ED8000-memory.dmp

Filesize
416KB

Download
memory/5848-4399-0x00000000009F0000-0x0000000000A20000-memory.dmp

Filesize
192KB

Download
memory/5848-4401-0x0000000001100000-0x0000000001106000-memory.dmp

Filesize
24KB

Download