Malware Analysis Report

2024-10-16 03:50

Sample ID 240428-xbsjkseb24
Target 1099cec3fdcb3e4b1e4c7c2350c146f6f715e25bdecbe02fea6cbdb9fc0cc1ac
SHA256 1099cec3fdcb3e4b1e4c7c2350c146f6f715e25bdecbe02fea6cbdb9fc0cc1ac
Tags
amadey healer redline zgrat dropper evasion infostealer persistence rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

1099cec3fdcb3e4b1e4c7c2350c146f6f715e25bdecbe02fea6cbdb9fc0cc1ac

Threat Level: Known bad

The file 1099cec3fdcb3e4b1e4c7c2350c146f6f715e25bdecbe02fea6cbdb9fc0cc1ac was found to be: Known bad.

Malicious Activity Summary

amadey healer redline zgrat dropper evasion infostealer persistence rat trojan

Modifies Windows Defender Real-time Protection settings

Healer

RedLine

Detect ZGRat V1

Amadey

Detects Healer an antivirus disabler dropper

RedLine payload

ZGRat

Detects executables packed with ConfuserEx Mod

Detects executables embedding registry key / value combination indicative of disabling Windows Defender features

Executes dropped EXE

Checks computer location settings

Windows security modification

Adds Run key to start application

Program crash

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-28 18:41

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-28 18:41

Reported

2024-04-28 18:43

Platform

win10v2004-20240419-en

Max time kernel

147s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1099cec3fdcb3e4b1e4c7c2350c146f6f715e25bdecbe02fea6cbdb9fc0cc1ac.exe"

Signatures

Amadey

trojan amadey

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\172655600.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\172655600.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\172655600.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\225242081.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\225242081.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\225242081.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\225242081.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\172655600.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\172655600.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\172655600.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\225242081.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

ZGRat

rat zgrat

Detects executables embedding registry key / value combination indicative of disabling Windows Defender features

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables packed with ConfuserEx Mod

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\397865473.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\172655600.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\172655600.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\225242081.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ke215243.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\go963454.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\lb854998.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\1099cec3fdcb3e4b1e4c7c2350c146f6f715e25bdecbe02fea6cbdb9fc0cc1ac.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\172655600.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\225242081.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\458882322.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4792 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\1099cec3fdcb3e4b1e4c7c2350c146f6f715e25bdecbe02fea6cbdb9fc0cc1ac.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ke215243.exe
PID 2988 wrote to memory of 4604 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ke215243.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\go963454.exe
PID 4604 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\go963454.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\lb854998.exe
PID 2952 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\lb854998.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\172655600.exe
PID 2952 wrote to memory of 1452 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\lb854998.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\225242081.exe
PID 4604 wrote to memory of 3480 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\go963454.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\397865473.exe
PID 3480 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\397865473.exe C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
PID 2988 wrote to memory of 3792 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ke215243.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\458882322.exe
PID 1796 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 1796 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 2848 wrote to memory of 4404 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2848 wrote to memory of 4188 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2848 wrote to memory of 1632 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2848 wrote to memory of 4740 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2848 wrote to memory of 2652 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2848 wrote to memory of 2968 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe

Processes

C:\Users\Admin\AppData\Local\Temp\1099cec3fdcb3e4b1e4c7c2350c146f6f715e25bdecbe02fea6cbdb9fc0cc1ac.exe

"C:\Users\Admin\AppData\Local\Temp\1099cec3fdcb3e4b1e4c7c2350c146f6f715e25bdecbe02fea6cbdb9fc0cc1ac.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ke215243.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ke215243.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\go963454.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\go963454.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\lb854998.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\lb854998.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\172655600.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\172655600.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\225242081.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\225242081.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1452 -ip 1452

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1452 -s 1084

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\397865473.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\397865473.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

"C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\458882322.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\458882322.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\cb7ae701b3" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\cb7ae701b3" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
RU 193.3.19.154:80 tcp
RU 185.161.248.72:38452 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ke215243.exe

MD5 8f097502ac1ec512247a72d2d6626b21
SHA1 08395f12ee4d71b4de7cc5f61fe423dee92e8a8e
SHA256 1962a5bafb9ad416884960cb6dc2b8caa9b23014fe19509ba7045c940f2aa9e0
SHA512 c406d892faf6618aa99a6ebdf6ea960157d598cda2105e1b6fbd38fcfa750fbe5c82bab3569fbdf484b8b3380a12c1cd8aaf13884160656a6af264d685427de6

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\go963454.exe

MD5 321f036da9686013d531c2e06bee31af
SHA1 a63ea9a16be77e13ff10fcfc1fa509130b9b72c4
SHA256 d6e80daf1625ad8723a538e40af3f40e45acaf395a72b52e2ae82e9067ea4b1a
SHA512 00bd6c1bc9a405e858e9bcfd575443c49e35bbe435997a026ce867ac52516b611e45424bc186422d4f6bba109792c5b352a8dc58dbe4e84000d54ff3d817611a

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\lb854998.exe

MD5 9ca1de4f62ad43bb4ac9561c8308dfc1
SHA1 7a98bd070aff8881d7fb3a4fd73a4d22772f2e91
SHA256 5902f0c790c6949693a130cc83152c67ca0a677eea761bad705cfdb9bbb9c3d4
SHA512 9539e51788355d85cff975882cba7f36e517da21dfa66ed6817459a6e8258d0c621b2bc1fec1376da8cd54c2312966d0b805a1ec5f77bf2c676f80a978bbcf96

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\172655600.exe

MD5 818944cb43f0a027ea987933b5d965e8
SHA1 cf99d8da30be79b647fce53d9280fa0a5f6f0e38
SHA256 e917d854ea9eca1e9c3c4dac0f7116aa87e62dbe7b482f7b2a4497592e8944d8
SHA512 03f2f76bb06308eda3728ca1f191c1c8b78eadda67f129001e8f184d2e7c654351d6ab9a495f8faf5caae47fa4f4e318f5314dcaf2ab6e4c0e9c2f8ee2b7ac1c


C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\225242081.exe

MD5 e1b605298c8dde321eba4e621b43b48a
SHA1 e787f354713555143158c0bb1281d1806a5325a6
SHA256 8772e25843562cef29c1b6fbd711009271f7f19635406c8592a12107f8798b19
SHA512 4fd502c6a150abd6d2a05613b419a2714e1b9e2e186c2f0037c7a2f964d7e7ef63c9ef5dc4ef6e3479e275456896687133726e5698e3bd4fe2c34b9cbcacda17


C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\397865473.exe

MD5 f9b20c19cc1c412b2b77f379fa037ce8
SHA1 b8a1a68d57141c5054fc3296a3c6470269a80e7d
SHA256 aea3550c0164e16aec74057964431308f3ad1a2551c9081b7d260b1a009d5237
SHA512 a64d83109151d59130081d484470fb0960187af6581fdbc3529f850005e09d56985aee9adad5de3db3f57fad28773d1452a59dfe36260f4bff8002d7f6fc1014

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\458882322.exe

MD5 cd54bb78a5ab4a985cb042d76521f256
SHA1 fb6c2607afe8324c00636a2ea055e1c430439382
SHA256 cc5ce43c20fc2d2997d06d9a3d250a092401e9f4bcae9988af286bb9cf73ef99
SHA512 6f9e3c18622beebf2553c66ad3386cde2670f606a7e854f8cdf0b91dd3c79f6eb0cce46599031860243358ec676fd930e8a1fb3106733d483124d360769d5c17
