Malware Analysis Report

2025-03-15 01:38

Sample ID 230910-k2qfpaga55
Target file.exe
SHA256 a2f28321fe155d154fee2fa53c6116b193e1c908ea0ae3aa7157ea739f38861d
Tags: healer redline smokeloader virad backdoor dropper evasion infostealer persistence trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: a2f28321fe155d154fee2fa53c6116b193e1c908ea0ae3aa7157ea739f38861d

Threat Level: Known bad

The file file.exe was found to be: Known bad.

Malicious Activity Summary

healer redline smokeloader virad backdoor dropper evasion infostealer persistence trojan

RedLine

SmokeLoader

Detects Healer an antivirus disabler dropper

Healer

Modifies Windows Defender Real-time Protection settings

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

Program crash

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

Checks SCSI registry key(s)

Uses Task Scheduler COM API

Suspicious behavior: MapViewOfSection

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-09-10 09:06

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-10 09:06

Reported

2023-09-10 09:08

Platform

win7-20230831-en

Max time kernel

122s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1152 set thread context of 1896 | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1152 wrote to memory of 1896 (14 identical events) | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1896 wrote to memory of 1872 (7 identical events) | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | C:\Windows\SysWOW64\WerFault.exe

Processes

Process | Command line
C:\Users\Admin\AppData\Local\Temp\file.exe | "C:\Users\Admin\AppData\Local\Temp\file.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 1896 -s 200

Network

N/A

Files

memory/1896-0-0x0000000000400000-0x0000000000525000-memory.dmp

memory/1896-1-0x0000000000400000-0x0000000000525000-memory.dmp

memory/1896-2-0x0000000000400000-0x0000000000525000-memory.dmp

memory/1896-4-0x0000000000400000-0x0000000000525000-memory.dmp

memory/1896-3-0x0000000000400000-0x0000000000525000-memory.dmp

memory/1896-5-0x0000000000400000-0x0000000000525000-memory.dmp

memory/1896-6-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/1896-7-0x0000000000400000-0x0000000000525000-memory.dmp

memory/1896-9-0x0000000000400000-0x0000000000525000-memory.dmp

memory/1896-11-0x0000000000400000-0x0000000000525000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-09-10 09:06

Reported

2023-09-10 09:08

Platform

win10v2004-20230831-en

Max time kernel

151s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A

RedLine

infostealer redline

SmokeLoader

trojan backdoor smokeloader

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3557447.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1585555.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0139340.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2419279.exe | N/A

Checks SCSI registry key(s)

Description | Indicator | Process | Target
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (4 identical events) | N/A
N/A | N/A | N/A (60 identical events with no process attributed) | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2000 wrote to memory of 768 (10 identical events) | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 768 wrote to memory of 832 (3 identical events) | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3557447.exe
PID 832 wrote to memory of 2032 (3 identical events) | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3557447.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1585555.exe
PID 2032 wrote to memory of 5032 (3 identical events) | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1585555.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0139340.exe
PID 5032 wrote to memory of 3808 (3 identical events) | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0139340.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2419279.exe
PID 3808 wrote to memory of 5048 (3 identical events) | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2419279.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8274425.exe
PID 5048 wrote to memory of 4448 (3 identical events) | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8274425.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 5048 wrote to memory of 4832 (8 identical events) | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8274425.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3808 wrote to memory of 1232 (3 identical events) | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2419279.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b5407173.exe
PID 1232 wrote to memory of 2012 (10 identical events) | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b5407173.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 5032 wrote to memory of 2352 (3 identical events) | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0139340.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c0683978.exe
PID 2352 wrote to memory of 4280 (6 identical events) | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c0683978.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2032 wrote to memory of 1872 (3 identical events) | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1585555.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d7015979.exe

Uses Task Scheduler COM API

persistence

Processes

Process | Command line
C:\Users\Admin\AppData\Local\Temp\file.exe | "C:\Users\Admin\AppData\Local\Temp\file.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2000 -ip 2000
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3557447.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3557447.exe
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2000 -s 236
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1585555.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1585555.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0139340.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0139340.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2419279.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2419279.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8274425.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8274425.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 5048 -ip 5048
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 5048 -s 572
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b5407173.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b5407173.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1232 -ip 1232
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 2012 -ip 2012
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 1232 -s 552
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2012 -s 184
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c0683978.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c0683978.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2352 -ip 2352
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2352 -s 552
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d7015979.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d7015979.exe
C:\Users\Admin\AppData\Roaming\wivdter | C:\Users\Admin\AppData\Roaming\wivdter

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp
FI | 77.91.124.82:19071 | N/A | tcp
US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.81.21.72.in-addr.arpa | udp
FI | 77.91.68.29:80 | 77.91.68.29 | tcp
FI | 77.91.124.231:80 | N/A | tcp
US | 8.8.8.8:53 | 29.68.91.77.in-addr.arpa | udp
FI | 77.91.124.82:19071 | N/A | tcp
FI | 77.91.68.29:80 | 77.91.68.29 | tcp
FI | 77.91.124.231:80 | N/A | tcp
FI | 77.91.124.82:19071 | N/A | tcp
FI | 77.91.124.82:19071 | N/A | tcp
FI | 77.91.124.82:19071 | N/A | tcp
US | 8.8.8.8:53 | 24.73.42.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 38.148.119.40.in-addr.arpa | udp
FI | 77.91.124.82:19071 | N/A | tcp

Files

memory/768-0-0x0000000000400000-0x0000000000525000-memory.dmp

memory/768-1-0x0000000000400000-0x0000000000525000-memory.dmp

memory/768-2-0x0000000000400000-0x0000000000525000-memory.dmp

memory/768-3-0x0000000000400000-0x0000000000525000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3557447.exe

MD5 bafb2d8450df47c7e24c29c4c09a89f6
SHA1 3e1f5226c10b89868f2ba02765d216c77b05a2e7
SHA256 5423bbfb958e1e1f63e71258dcb4627f8c032b52bc041031836963dd91438761
SHA512 646d9b6b8884a4122bbe1dcb19203214114c91dbf8fecb4f701ef1e34c3592df2a75eaa5c7c3f9b70a6aa0dd9cef4990d37424168f93c09e2e52b07740f9b4fa

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1585555.exe

MD5 c9e6cadf3478906f3f8fd3a457955b84
SHA1 e0b931c456ff10556a35057b42a664b6c339606e
SHA256 182fdde752aff01648128a5fffb0bd56bd5ccbe3c091f466129f90fde7694cab
SHA512 39046dd1b7c55de8772e5942fcb1463d715c33d7008b7e79579f935a34b36dd65745d9d68a5bfc15b53cb2ed9894aaba9b787758a1a68800239df704c6408b18

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0139340.exe

MD5 c768f7d41a7dea0ec447894dd1923286
SHA1 66d98aab3cb17657fd6b0adef818df95ad7d084c
SHA256 b3d5058d30bdefc609434282b4f4ee7bf02fcb4df0e478d28207b3bac3327390
SHA512 38e74198945a7d05edce739053418c9a300b46c8b5ce460b4b1657c85319f5b55551f97de5b1db12878ad5f289f6aa459be9b2b785101168ba155d8e56fa2181

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2419279.exe

MD5 0489b6d5ae6fad72336cbb3a111b9bc4
SHA1 2ca8cd81a7965b190219c289db536c12f5a2fe2b
SHA256 04e1c33603caa9189f797274c789a84421e267f5323839c21583b9911610200a
SHA512 5eab7c3527751333227ebb2ac87476fa59e53af69625cb4af0687033ea5b189e534b1f85a0c505d7815e61a4a59fe35c5c42fa20271465530ceeb45a95301248

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8274425.exe

MD5 ae5b250ffb0d2a9ca9fcc270d9fc202a
SHA1 aec1190c5cc903f771746f1be9dc5b73743840c4
SHA256 5912811fc9fd1400d6d1f1db48cd18ffa19c9e2c2a2d76d1a49cb80350f43c01
SHA512 dba3d5ede1a3e82625452a499ef56d5a90a5c927d3822b2af467e3852ed061b9c32acf0fd30b942061ad2945221e3c3b00c049f5f738a2e552a638dc43205a46

memory/4832-39-0x0000000000400000-0x000000000040A000-memory.dmp

memory/4832-40-0x00000000734B0000-0x0000000073C60000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b5407173.exe

MD5 a59e94fb59115e83bf896b9f28f88ce5
SHA1 644f8222a1e7af573131e9db2045f48e0d6386a6
SHA256 85b44c0cad0dfd9da0d1da420e65d2a1336565574836041299624b749703533a
SHA512 e5f5698271c60ac856554921c9622258de92f79a46c60583bab8d55a35fb897fe56425d41d92658f19162be736b8f54a9aaf2f7c5494f98e119785251ed22b98

memory/2012-44-0x0000000000400000-0x0000000000428000-memory.dmp

memory/2012-45-0x0000000000400000-0x0000000000428000-memory.dmp

memory/2012-46-0x0000000000400000-0x0000000000428000-memory.dmp

memory/2012-48-0x0000000000400000-0x0000000000428000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c0683978.exe

MD5 37115f3c0c1614a487f0d113597cb27f
SHA1 3ea7c535787769fd5e7ce87c9d7c1d9d92e53915
SHA256 275ea88dfa54c56c85812b9f0d9324a02ed6f82b6291dc933aee128382d94e5a
SHA512 81af23582e05793931acf382172d0f0b76793716f051e533985a2310a71d1f0c4950f21a75327574605d2d23038f184a60460d502c06779edb017b5ed3ffbe45

memory/4280-52-0x0000000000400000-0x0000000000409000-memory.dmp

memory/4280-53-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d7015979.exe

MD5 5ef335d8ec5c9b50adbc35a0895c19f0
SHA1 4c574dc5d646c42c7c507fdfe8c96ac42d653e90
SHA256 927dffce1baf35a6af33e8f645de335f9f53b2707b563438603cb7dd16c29844
SHA512 492adfdd9fe7c39ecc7dafb145b47f72915294270f4ac0dfedefecac67d55daec9c4f7b582539cf275e1ff1d6867aac9aa00bebf6845a3771bdf6c0e0cbff9b0

memory/1872-57-0x00000000000A0000-0x00000000000D0000-memory.dmp

memory/1872-58-0x00000000734B0000-0x0000000073C60000-memory.dmp

memory/1872-59-0x0000000005010000-0x0000000005628000-memory.dmp

memory/1872-60-0x0000000004B00000-0x0000000004C0A000-memory.dmp

memory/1872-62-0x00000000048A0000-0x00000000048B0000-memory.dmp

memory/1872-61-0x0000000004A30000-0x0000000004A42000-memory.dmp

memory/1872-63-0x0000000004A90000-0x0000000004ACC000-memory.dmp

memory/768-64-0x0000000000400000-0x0000000000525000-memory.dmp

memory/3192-65-0x0000000002AF0000-0x0000000002B06000-memory.dmp

memory/4280-66-0x0000000000400000-0x0000000000409000-memory.dmp

memory/4832-69-0x00000000734B0000-0x0000000073C60000-memory.dmp

memory/4832-71-0x00000000734B0000-0x0000000073C60000-memory.dmp

memory/1872-72-0x00000000734B0000-0x0000000073C60000-memory.dmp

memory/1872-73-0x00000000048A0000-0x00000000048B0000-memory.dmp

C:\Users\Admin\AppData\Roaming\wivdter

MD5 89d41e1cf478a3d3c2c701a27a5692b2
SHA1 691e20583ef80cb9a2fd3258560e7f02481d12fd
SHA256 dc5ac8d4d6d5b230ab73415c80439b4da77da1cfde18214ef601897f661abdac
SHA512 5c9658f6ca0d8d067bfc76072c438ac13daa12d8c1fef33369e1bc36a592d160a2bdb22b4f3eed73e8670bb65107a4134e18e6dc604897a80cc0768769f475dc