Malware Analysis Report

2024-10-16 03:50

Sample ID 240428-x44gjsfa89
Target 23fba2c2ae34608d478a900d31c322eb8ff88cab230848ad9664699ae8fce28a
SHA256 23fba2c2ae34608d478a900d31c322eb8ff88cab230848ad9664699ae8fce28a
Tags
amadey healer redline zgrat dropper evasion infostealer persistence rat trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

23fba2c2ae34608d478a900d31c322eb8ff88cab230848ad9664699ae8fce28a

Threat Level: Known bad

The file 23fba2c2ae34608d478a900d31c322eb8ff88cab230848ad9664699ae8fce28a was found to be: Known bad.

Malicious Activity Summary

amadey healer redline zgrat dropper evasion infostealer persistence rat trojan

Amadey

Healer

Detects Healer an antivirus disabler dropper

Modifies Windows Defender Real-time Protection settings

RedLine

ZGRat

RedLine payload

Detect ZGRat V1

Detects executables embedding registry key / value combination indicative of disabling Windows Defender features

Detects executables packed with ConfuserEx Mod

Executes dropped EXE

Windows security modification

Checks computer location settings

Adds Run key to start application

Enumerates physical storage devices

Unsigned PE

Program crash

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-28 19:25

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-28 19:25

Reported

2024-04-28 19:27

Platform

win10v2004-20240426-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\23fba2c2ae34608d478a900d31c322eb8ff88cab230848ad9664699ae8fce28a.exe"

Signatures

Amadey

trojan amadey

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A

Detects Healer an antivirus disabler dropper

Description Indicator Process Target

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\156290212.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\156290212.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\156290212.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\156290212.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\253948168.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\253948168.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\253948168.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\156290212.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\156290212.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\253948168.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\253948168.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

ZGRat

rat zgrat

Detects executables embedding registry key / value combination indicative of disabling Windows Defender features

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables packed with ConfuserEx Mod

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\343316617.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\156290212.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\156290212.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\253948168.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Uv339845.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Nt937097.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\iN158839.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\23fba2c2ae34608d478a900d31c322eb8ff88cab230848ad9664699ae8fce28a.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\156290212.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\253948168.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\449423373.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2296 wrote to memory of 1508 N/A C:\Users\Admin\AppData\Local\Temp\23fba2c2ae34608d478a900d31c322eb8ff88cab230848ad9664699ae8fce28a.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Uv339845.exe
PID 2296 wrote to memory of 1508 N/A C:\Users\Admin\AppData\Local\Temp\23fba2c2ae34608d478a900d31c322eb8ff88cab230848ad9664699ae8fce28a.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Uv339845.exe
PID 2296 wrote to memory of 1508 N/A C:\Users\Admin\AppData\Local\Temp\23fba2c2ae34608d478a900d31c322eb8ff88cab230848ad9664699ae8fce28a.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Uv339845.exe
PID 1508 wrote to memory of 1056 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Uv339845.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Nt937097.exe
PID 1508 wrote to memory of 1056 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Uv339845.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Nt937097.exe
PID 1508 wrote to memory of 1056 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Uv339845.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Nt937097.exe
PID 1056 wrote to memory of 4784 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Nt937097.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\iN158839.exe
PID 1056 wrote to memory of 4784 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Nt937097.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\iN158839.exe
PID 1056 wrote to memory of 4784 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Nt937097.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\iN158839.exe
PID 4784 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\iN158839.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\156290212.exe
PID 4784 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\iN158839.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\156290212.exe
PID 4784 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\iN158839.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\156290212.exe
PID 4784 wrote to memory of 3672 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\iN158839.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\253948168.exe
PID 4784 wrote to memory of 3672 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\iN158839.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\253948168.exe
PID 4784 wrote to memory of 3672 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\iN158839.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\253948168.exe
PID 1056 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Nt937097.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\343316617.exe
PID 1056 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Nt937097.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\343316617.exe
PID 1056 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Nt937097.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\343316617.exe
PID 3036 wrote to memory of 224 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\343316617.exe C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
PID 3036 wrote to memory of 224 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\343316617.exe C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
PID 3036 wrote to memory of 224 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\343316617.exe C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
PID 1508 wrote to memory of 640 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Uv339845.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\449423373.exe
PID 1508 wrote to memory of 640 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Uv339845.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\449423373.exe
PID 1508 wrote to memory of 640 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Uv339845.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\449423373.exe
PID 224 wrote to memory of 4624 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 224 wrote to memory of 4624 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 224 wrote to memory of 4624 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 224 wrote to memory of 3660 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 224 wrote to memory of 3660 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 224 wrote to memory of 3660 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 3660 wrote to memory of 1360 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3660 wrote to memory of 1360 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3660 wrote to memory of 1360 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3660 wrote to memory of 2396 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3660 wrote to memory of 2396 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3660 wrote to memory of 2396 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3660 wrote to memory of 1064 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3660 wrote to memory of 1064 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3660 wrote to memory of 1064 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3660 wrote to memory of 2920 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3660 wrote to memory of 2920 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3660 wrote to memory of 2920 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3660 wrote to memory of 4360 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3660 wrote to memory of 4360 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3660 wrote to memory of 4360 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3660 wrote to memory of 3632 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3660 wrote to memory of 3632 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3660 wrote to memory of 3632 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe

Processes

C:\Users\Admin\AppData\Local\Temp\23fba2c2ae34608d478a900d31c322eb8ff88cab230848ad9664699ae8fce28a.exe

"C:\Users\Admin\AppData\Local\Temp\23fba2c2ae34608d478a900d31c322eb8ff88cab230848ad9664699ae8fce28a.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Uv339845.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Uv339845.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Nt937097.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Nt937097.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\iN158839.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\iN158839.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\156290212.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\156290212.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\253948168.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\253948168.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3672 -ip 3672

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3672 -s 1080

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\343316617.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\343316617.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

"C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\449423373.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\449423373.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\cb7ae701b3" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\cb7ae701b3" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Network

Country  Destination            Domain                        Proto
US       8.8.8.8:53             68.32.126.40.in-addr.arpa     udp
RU       193.3.19.154:80                                      tcp
RU       185.161.248.72:38452                                 tcp
US       8.8.8.8:53             103.169.127.40.in-addr.arpa   udp
US       8.8.8.8:53             50.28.101.95.in-addr.arpa     udp
US       8.8.8.8:53             15.164.165.52.in-addr.arpa    udp
US       8.8.8.8:53             25.14.97.104.in-addr.arpa     udp
RU       185.161.248.72:38452                                 tcp
RU       185.161.248.72:38452                                 tcp
RU       193.3.19.154:80                                      tcp
RU       185.161.248.72:38452                                 tcp
RU       193.3.19.154:80                                      tcp
RU       185.161.248.72:38452                                 tcp
RU       193.3.19.154:80                                      tcp
RU       185.161.248.72:38452                                 tcp
US       8.8.8.8:53             26.173.189.20.in-addr.arpa    udp
RU       185.161.248.72:38452                                 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Uv339845.exe

MD5 40db4ec774e00ad765b8f6f9d4e5d8c0
SHA1 e7d52703cacf54563107adcbe14014e7925f17db
SHA256 505ac42abf815ff774aaef235a08e2e9a4641cf5047b9b39c29e0d569d86f975
SHA512 1ff82a38ba26dc5dab610bd9a106f15658458b7b72039f7d27d56962532dc65dcb12c2b9c4b75ecd5643ac0384c83fd6733af3b23f895bfa267a07649e043f1d

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Nt937097.exe

MD5 5c09f4f206ac9712ebe1f9b699ffc12b
SHA1 5c2403c884d94765ad94dcd1cebc285128bb05c2
SHA256 329c5f33db93271feb930cdb1a0bc9fd2accbcea714fde4521a1ce2f3a394ff6
SHA512 5439d942e958ff871c7ff2e49f4e992d263c273dcc3f508acf11b2d77aedfb5e6c4c98c4e2a914f151b3790c0706ea92430c3e06464ae1c2a8f671c208161fd0

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\iN158839.exe

MD5 791cfc3c5902051fa7f92affe12fd4c7
SHA1 774e8fef815388c7a9453e72fb47e73b61ba1bc3
SHA256 48023a9d4a5e8aa35a99d1f32aedbe2d35b70e04df8bf4040e58e959c59f740e
SHA512 135e073b2ac0952385096faf3061bd90998db428920f03a62e8abd65a36e0bb9e6611fa67105b927a9b2d4c10ff7446567c2bc260b9e65beae4e51b15911814c

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\156290212.exe

MD5 3d8bd03b2fc9de52e7164547fcd8a9f4
SHA1 c223e4a232feecfff267ebcf68e4e2b486ef99c9
SHA256 c21b053de1cafdc4afc86926438dc6c08ddda6c570fdff93f5f07c474bc358f0
SHA512 f4cb9cf687ddb57dfef47471deadf7c3c2ae08b3db0871ed661deb5f7a541dc52b58d36c537638768c693a21956994ae46053a09209008c3501cf4803700ab77

memory/1652-28-0x0000000004A10000-0x0000000004A2A000-memory.dmp

memory/1652-29-0x0000000004B70000-0x0000000005114000-memory.dmp

memory/1652-30-0x0000000004AC0000-0x0000000004AD8000-memory.dmp

memory/1652-31-0x0000000004AC0000-0x0000000004AD3000-memory.dmp

memory/1652-58-0x0000000004AC0000-0x0000000004AD3000-memory.dmp

memory/1652-56-0x0000000004AC0000-0x0000000004AD3000-memory.dmp

memory/1652-54-0x0000000004AC0000-0x0000000004AD3000-memory.dmp

memory/1652-52-0x0000000004AC0000-0x0000000004AD3000-memory.dmp

memory/1652-50-0x0000000004AC0000-0x0000000004AD3000-memory.dmp

memory/1652-48-0x0000000004AC0000-0x0000000004AD3000-memory.dmp

memory/1652-46-0x0000000004AC0000-0x0000000004AD3000-memory.dmp

memory/1652-42-0x0000000004AC0000-0x0000000004AD3000-memory.dmp

memory/1652-40-0x0000000004AC0000-0x0000000004AD3000-memory.dmp

memory/1652-38-0x0000000004AC0000-0x0000000004AD3000-memory.dmp

memory/1652-37-0x0000000004AC0000-0x0000000004AD3000-memory.dmp

memory/1652-34-0x0000000004AC0000-0x0000000004AD3000-memory.dmp

memory/1652-33-0x0000000004AC0000-0x0000000004AD3000-memory.dmp

memory/1652-45-0x0000000004AC0000-0x0000000004AD3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\253948168.exe

MD5 d12ac6a0fb2bcc77826019b7185e0c45
SHA1 032170314e9d384d8ca7c8213d1ec9b678f85c77
SHA256 8bef91225deb2c0271fc5011628a13618bce9a0ab56173fe66dae8eae45ec2ca
SHA512 a5fb2e55ecd88b678da9857a63161a7c3e0c4a3e58c796bb32909bf45ce4d13ec7ee18a0992807972d143555b5e9a0e387e91257581d21abd017a81284989290

memory/3672-64-0x0000000002400000-0x000000000241A000-memory.dmp

memory/3672-65-0x00000000026C0000-0x00000000026D8000-memory.dmp

memory/3672-79-0x00000000026C0000-0x00000000026D2000-memory.dmp

memory/3672-71-0x00000000026C0000-0x00000000026D2000-memory.dmp

memory/3672-83-0x00000000026C0000-0x00000000026D2000-memory.dmp

memory/3672-93-0x00000000026C0000-0x00000000026D2000-memory.dmp

memory/3672-91-0x00000000026C0000-0x00000000026D2000-memory.dmp

memory/3672-89-0x00000000026C0000-0x00000000026D2000-memory.dmp

memory/3672-87-0x00000000026C0000-0x00000000026D2000-memory.dmp

memory/3672-85-0x00000000026C0000-0x00000000026D2000-memory.dmp

memory/3672-81-0x00000000026C0000-0x00000000026D2000-memory.dmp

memory/3672-77-0x00000000026C0000-0x00000000026D2000-memory.dmp

memory/3672-75-0x00000000026C0000-0x00000000026D2000-memory.dmp

memory/3672-73-0x00000000026C0000-0x00000000026D2000-memory.dmp

memory/3672-69-0x00000000026C0000-0x00000000026D2000-memory.dmp

memory/3672-67-0x00000000026C0000-0x00000000026D2000-memory.dmp

memory/3672-66-0x00000000026C0000-0x00000000026D2000-memory.dmp

memory/3672-94-0x0000000000400000-0x0000000000466000-memory.dmp

memory/3672-96-0x0000000000400000-0x0000000000466000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\343316617.exe

MD5 d5f76b45ca024975642cb5922f431ca0
SHA1 31d4c90be2c0ea7b72a7cc47dcbaf19acf3b611b
SHA256 c0efdbc48d3fead12a051f6a37c36372f220090bd35b6254e0d20c81fd7e5c30
SHA512 b3820a7c76f74265fc8f8ab8b8b45701c73b5f3597cdc737e833206cba2e107f8d6cf6b36c5f2b7660b2e5cc90d09a6de8cb76a5d27287efc11970c2cd6c92f1

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\449423373.exe

MD5 517d2a88dc40fbed026000098137614e
SHA1 88241dee5dbbb420e31e3384ea200a936444a64b
SHA256 1f14ff1a3bec8b38b0dcb90c48c6059892d7409e6877131e8a109b15f357ab95
SHA512 98178f3ef8b772e911e70bb8593d7996cd7c771fa0f408609f2713e8453858c7ae3a7d179c19129ea3818488d87eef1e97d8320320f46eb22985320d523984e1

memory/640-114-0x0000000004A60000-0x0000000004A9C000-memory.dmp

memory/640-115-0x0000000004AE0000-0x0000000004B1A000-memory.dmp

memory/640-121-0x0000000004AE0000-0x0000000004B15000-memory.dmp

memory/640-119-0x0000000004AE0000-0x0000000004B15000-memory.dmp

memory/640-117-0x0000000004AE0000-0x0000000004B15000-memory.dmp

memory/640-116-0x0000000004AE0000-0x0000000004B15000-memory.dmp

memory/640-908-0x0000000007C80000-0x0000000008298000-memory.dmp

memory/640-910-0x0000000007660000-0x000000000776A000-memory.dmp

memory/640-909-0x0000000004BA0000-0x0000000004BB2000-memory.dmp

memory/640-911-0x0000000004BD0000-0x0000000004C0C000-memory.dmp

memory/640-912-0x0000000004590000-0x00000000045DC000-memory.dmp