amadey | 28d3e6fe6dc1d7dd77dbc06bdab670be965b6dd210f9d00847bc6404a0f148f5

Analysis

max time kernel
119s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
16-01-2025 07:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

28d3e6fe6dc1d7dd77dbc06bdab670be965b6dd210f9d00847bc6404a0f148f5N.exe
Size

309KB
MD5

119c5224b25483be1b9be926bc087e00
SHA1

1e9218cd8232b26c670b32f94ff8ffe11f74f770
SHA256

28d3e6fe6dc1d7dd77dbc06bdab670be965b6dd210f9d00847bc6404a0f148f5
SHA512

e8c338e876b1e3f672d427ef080d95ef8de053e2a621f4770a46d1b8037dc34a05f0ed6695ee16324691fd707410f888217f46b5014cbdd1674ecc63c9305070
SSDEEP

6144:KFy+bnr+6p0yN90QEeGqw767yWc74TbfWiSI0AIyf:PMrey90TebRAyf

Score

10^/10

amadey healer 32c858 discovery dropper evasion persistence trojan

Malware Config

Extracted

Family

amadey

Version

3.69

Botnet

32c858

http://77.91.124.242

Attributes

install_dir
550693dc87
install_file
oneetx.exe
strings_key
148c8260bc34f461da3708ace57fdffd
url_paths
/games/category/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey

Detects Healer an antivirus disabler dropper 2 IoCs

resource	yara_rule
behavioral1/files/0x000a000000023b8f-5.dat	healer
behavioral1/memory/1480-8-0x0000000000430000-0x000000000043A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	az181786.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	az181786.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	az181786.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	az181786.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	az181786.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	az181786.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	bu678177.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	oneetx.exe

Executes dropped EXE 5 IoCs

pid	Process
1480	az181786.exe
4848	bu678177.exe
3684	oneetx.exe
4424	oneetx.exe
1192	oneetx.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	az181786.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	28d3e6fe6dc1d7dd77dbc06bdab670be965b6dd210f9d00847bc6404a0f148f5N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 26 IoCs

pid	pid_target	Process	procid_target
5068	4848	WerFault.exe	83
4212	4848	WerFault.exe	83
920	4848	WerFault.exe	83
2152	4848	WerFault.exe	83
1336	4848	WerFault.exe	83
1456	4848	WerFault.exe	83
1688	4848	WerFault.exe	83
2000	4848	WerFault.exe	83
3268	4848	WerFault.exe	83
3844	4848	WerFault.exe	83
4560	3684	WerFault.exe	103
2808	3684	WerFault.exe	103
832	3684	WerFault.exe	103
664	3684	WerFault.exe	103
532	3684	WerFault.exe	103
2404	3684	WerFault.exe	103
2972	3684	WerFault.exe	103
4472	3684	WerFault.exe	103
516	3684	WerFault.exe	103
4760	3684	WerFault.exe	103
3140	3684	WerFault.exe	103
4700	3684	WerFault.exe	103
748	3684	WerFault.exe	103
4980	4424	WerFault.exe	142
3724	3684	WerFault.exe	103
4684	1192	WerFault.exe	148

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	28d3e6fe6dc1d7dd77dbc06bdab670be965b6dd210f9d00847bc6404a0f148f5N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bu678177.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	oneetx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4280	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1480	az181786.exe
1480	az181786.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1480	az181786.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4848	bu678177.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 1428 wrote to memory of 1480	1428	28d3e6fe6dc1d7dd77dbc06bdab670be965b6dd210f9d00847bc6404a0f148f5N.exe	82
PID 1428 wrote to memory of 1480	1428	28d3e6fe6dc1d7dd77dbc06bdab670be965b6dd210f9d00847bc6404a0f148f5N.exe	82
PID 1428 wrote to memory of 4848	1428	28d3e6fe6dc1d7dd77dbc06bdab670be965b6dd210f9d00847bc6404a0f148f5N.exe	83
PID 1428 wrote to memory of 4848	1428	28d3e6fe6dc1d7dd77dbc06bdab670be965b6dd210f9d00847bc6404a0f148f5N.exe	83
PID 1428 wrote to memory of 4848	1428	28d3e6fe6dc1d7dd77dbc06bdab670be965b6dd210f9d00847bc6404a0f148f5N.exe	83
PID 4848 wrote to memory of 3684	4848	bu678177.exe	103
PID 4848 wrote to memory of 3684	4848	bu678177.exe	103
PID 4848 wrote to memory of 3684	4848	bu678177.exe	103
PID 3684 wrote to memory of 4280	3684	oneetx.exe	120
PID 3684 wrote to memory of 4280	3684	oneetx.exe	120
PID 3684 wrote to memory of 4280	3684	oneetx.exe	120
PID 3684 wrote to memory of 4732	3684	oneetx.exe	126
PID 3684 wrote to memory of 4732	3684	oneetx.exe	126
PID 3684 wrote to memory of 4732	3684	oneetx.exe	126
PID 4732 wrote to memory of 3136	4732	cmd.exe	130
PID 4732 wrote to memory of 3136	4732	cmd.exe	130
PID 4732 wrote to memory of 3136	4732	cmd.exe	130
PID 4732 wrote to memory of 4832	4732	cmd.exe	131
PID 4732 wrote to memory of 4832	4732	cmd.exe	131
PID 4732 wrote to memory of 4832	4732	cmd.exe	131
PID 4732 wrote to memory of 4820	4732	cmd.exe	132
PID 4732 wrote to memory of 4820	4732	cmd.exe	132
PID 4732 wrote to memory of 4820	4732	cmd.exe	132
PID 4732 wrote to memory of 1500	4732	cmd.exe	133
PID 4732 wrote to memory of 1500	4732	cmd.exe	133
PID 4732 wrote to memory of 1500	4732	cmd.exe	133
PID 4732 wrote to memory of 2944	4732	cmd.exe	134
PID 4732 wrote to memory of 2944	4732	cmd.exe	134
PID 4732 wrote to memory of 2944	4732	cmd.exe	134
PID 4732 wrote to memory of 4372	4732	cmd.exe	135
PID 4732 wrote to memory of 4372	4732	cmd.exe	135
PID 4732 wrote to memory of 4372	4732	cmd.exe	135

C:\Users\Admin\AppData\Local\Temp\28d3e6fe6dc1d7dd77dbc06bdab670be965b6dd210f9d00847bc6404a0f148f5N.exe
"C:\Users\Admin\AppData\Local\Temp\28d3e6fe6dc1d7dd77dbc06bdab670be965b6dd210f9d00847bc6404a0f148f5N.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1428
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\az181786.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\az181786.exe
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  - Executes dropped EXE
  - Windows security modification
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1480
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bu678177.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bu678177.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4848
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4848 -s 696
    3⤵
    - Program crash
    PID:5068
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4848 -s 764
    3⤵
    - Program crash
    PID:4212
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4848 -s 856
    3⤵
    - Program crash
    PID:920
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4848 -s 972
    3⤵
    - Program crash
    PID:2152
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4848 -s 948
    3⤵
    - Program crash
    PID:1336
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4848 -s 956
    3⤵
    - Program crash
    PID:1456
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4848 -s 1220
    3⤵
    - Program crash
    PID:1688
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4848 -s 1236
    3⤵
    - Program crash
    PID:2000
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4848 -s 1316
    3⤵
    - Program crash
    PID:3268
- - C:\Users\Admin\AppData\Local\Temp\550693dc87\oneetx.exe
    "C:\Users\Admin\AppData\Local\Temp\550693dc87\oneetx.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3684
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3684 -s 692
      4⤵
      Program crash
      PID:4560
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3684 -s 940
      4⤵
      Program crash
      PID:2808
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3684 -s 1072
      4⤵
      Program crash
      PID:832
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3684 -s 1096
      4⤵
      Program crash
      PID:664
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3684 -s 952
      4⤵
      Program crash
      PID:532
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3684 -s 952
      4⤵
      Program crash
      PID:2404
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3684 -s 1108
      4⤵
      Program crash
      PID:2972
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\550693dc87\oneetx.exe" /F
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:4280
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3684 -s 1012
      4⤵
      Program crash
      PID:4472
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3684 -s 756
      4⤵
      Program crash
      PID:516
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\550693dc87" /P "Admin:N"&&CACLS "..\550693dc87" /P "Admin:R" /E&&Exit
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4732
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3136
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "oneetx.exe" /P "Admin:N"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4832
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "oneetx.exe" /P "Admin:R" /E
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4820
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1500
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\550693dc87" /P "Admin:N"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2944
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\550693dc87" /P "Admin:R" /E
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4372
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3684 -s 1324
      4⤵
      Program crash
      PID:4760
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3684 -s 1296
      4⤵
      Program crash
      PID:3140
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3684 -s 1208
      4⤵
      Program crash
      PID:4700
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3684 -s 1340
      4⤵
      Program crash
      PID:748
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3684 -s 1112
      4⤵
      Program crash
      PID:3724
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4848 -s 1432
    3⤵
    - Program crash
    PID:3844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4848 -ip 4848
1⤵
PID:392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4848 -ip 4848
1⤵
PID:1192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4848 -ip 4848
1⤵
PID:4684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4848 -ip 4848
1⤵
PID:1360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4848 -ip 4848
1⤵
PID:4960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4848 -ip 4848
1⤵
PID:3692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4848 -ip 4848
1⤵
PID:2348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4848 -ip 4848
1⤵
PID:1040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4848 -ip 4848
1⤵
PID:1828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4848 -ip 4848
1⤵
PID:3432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3684 -ip 3684
1⤵
PID:1460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3684 -ip 3684
1⤵
PID:64

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3684 -ip 3684
1⤵
PID:3024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3684 -ip 3684
1⤵
PID:4084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3684 -ip 3684
1⤵
PID:3792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3684 -ip 3684
1⤵
PID:4976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3684 -ip 3684
1⤵
PID:3756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3684 -ip 3684
1⤵
PID:2496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 3684 -ip 3684
1⤵
PID:464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 3684 -ip 3684
1⤵
PID:1388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3684 -ip 3684
1⤵
PID:2240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3684 -ip 3684
1⤵
PID:1752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3684 -ip 3684
1⤵
PID:556

C:\Users\Admin\AppData\Local\Temp\550693dc87\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\550693dc87\oneetx.exe
1⤵
- Executes dropped EXE
PID:4424
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4424 -s 312
  2⤵
  - Program crash
  PID:4980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4424 -ip 4424
1⤵
PID:1996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3684 -ip 3684
1⤵
PID:3944

C:\Users\Admin\AppData\Local\Temp\550693dc87\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\550693dc87\oneetx.exe
1⤵
- Executes dropped EXE
PID:1192
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1192 -s 316
  2⤵
  - Program crash
  PID:4684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1192 -ip 1192
1⤵
PID:3600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\az181786.exe

Filesize
12KB

MD5
83914f9394959ccb9501c1eda5b9290e

SHA1
af9730b7a0d439ba4196471d65f9fd2044917e37

SHA256
60bfb07cb15cd0a9c9bf7b8c0861afdba3a40768a67f414931abff88cb196b15

SHA512
145e2e3b09462b2ad4edfdf797a6ff5e81b607056aae9c5842bd89d2763656e6f4edfd8173fa7e185b3f1f59992cd1f943ecc8266d9dca26c884e5777826252e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bu678177.exe

Filesize
227KB

MD5
a30a75340cbf4ec2d1e2959c5a88ff2f

SHA1
d013cc3f70f6a9f1e31c3b91d0a9d9ffd56b1763

SHA256
454d6304ecbdffb25ede38b315f2f39a3df8a443b120e0c1731ca5de7d9dcdb2

SHA512
e1cc2747f047cff4d36b90095c389e795115cdb21dda4dffa31e2e45fda8c2082bfa1a8505162e13c7d67cd03e13d342d7195bd2fa50eb6d4d8b8c3022e63214

Download Submit
memory/1192-43-0x0000000000400000-0x00000000004A7000-memory.dmp

Filesize
668KB

Download
memory/1480-7-0x00007FFD3FE73000-0x00007FFD3FE75000-memory.dmp

Filesize
8KB

Download
memory/1480-8-0x0000000000430000-0x000000000043A000-memory.dmp

Filesize
40KB

Download
memory/1480-9-0x00007FFD3FE73000-0x00007FFD3FE75000-memory.dmp

Filesize
8KB

Download
memory/3684-35-0x0000000000400000-0x00000000004A7000-memory.dmp

Filesize
668KB

Download
memory/3684-40-0x0000000000400000-0x00000000004A7000-memory.dmp

Filesize
668KB

Download
memory/3684-45-0x0000000000400000-0x00000000004A7000-memory.dmp

Filesize
668KB

Download
memory/4424-34-0x0000000000400000-0x00000000004A7000-memory.dmp

Filesize
668KB

Download
memory/4848-17-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4848-30-0x00000000005A0000-0x00000000005DD000-memory.dmp

Filesize
244KB

Download
memory/4848-31-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4848-29-0x0000000000400000-0x00000000004A7000-memory.dmp

Filesize
668KB

Download
memory/4848-16-0x00000000005A0000-0x00000000005DD000-memory.dmp

Filesize
244KB

Download
memory/4848-15-0x0000000000660000-0x0000000000760000-memory.dmp

Filesize
1024KB

Download