Analysis Overview
SHA256
dc3a1c0a9e91f9db2fff71c534b9b0e94067f24c7823bdabecfbdb495e4fe76a
Threat Level: Known bad
The file red.zip was found to be: Known bad.
Malicious Activity Summary
Detects Healer an antivirus disabler dropper
RedLine
Modifies Windows Defender Real-time Protection settings
SmokeLoader
Amadey
Healer
RedLine payload
Checks computer location settings
Windows security modification
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Suspicious use of SetThreadContext
Enumerates physical storage devices
Unsigned PE
Program crash
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Checks SCSI registry key(s)
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-09 10:08
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-09 10:07
Reported
2024-05-09 10:11
Platform
win10v2004-20240426-en
Max time kernel
145s
Max time network
155s
Command Line
Signatures
Amadey
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h7860601.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h7860601.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h7860601.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h7860601.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h7860601.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h7860601.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g3533435.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7393391.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g3533435.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h7860601.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j2231043.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h7860601.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\0e413fa9690c02a45dc95f1ea020874ed2745670117fed803aea439be9b8683c.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7393391.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h7860601.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h7860601.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h7860601.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\0e413fa9690c02a45dc95f1ea020874ed2745670117fed803aea439be9b8683c.exe
"C:\Users\Admin\AppData\Local\Temp\0e413fa9690c02a45dc95f1ea020874ed2745670117fed803aea439be9b8683c.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7393391.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7393391.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g3533435.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g3533435.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
"C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe"
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h7860601.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h7860601.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN pdates.exe /TR "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "pdates.exe" /P "Admin:N"&&CACLS "pdates.exe" /P "Admin:R" /E&&echo Y|CACLS "..\925e7e99c5" /P "Admin:N"&&CACLS "..\925e7e99c5" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "pdates.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "pdates.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\925e7e99c5" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\925e7e99c5" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j2231043.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j2231043.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| FI | 77.91.68.61:80 | tcp | |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| FI | 77.91.124.84:19071 | tcp | |
| FI | 77.91.124.84:19071 | tcp | |
| FI | 77.91.68.61:80 | tcp | |
| FI | 77.91.124.84:19071 | tcp | |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| FI | 77.91.68.61:80 | tcp | |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| FI | 77.91.124.84:19071 | tcp | |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| BE | 2.17.196.74:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.196.17.2.in-addr.arpa | udp |
| FI | 77.91.124.84:19071 | tcp | |
| FI | 77.91.124.84:19071 | tcp | |
| US | 8.8.8.8:53 | 131.72.42.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7393391.exe
| MD5 | 96dd5c20abd210baa91f86e4edbfb558 |
| SHA1 | dfce7817aa9b2991e92b5c6bb4308f6c746749e1 |
| SHA256 | 76a718f3477ed03957bd7d5e5c63b6c088704c676c9a1b5a60418994c37b4c3b |
| SHA512 | 0df7bed01da27cf98056ad7ea7c26f90b3fa90f6772217d1cddd17b9fab6b3c4b69e597fa4bc290d31cb77a1c5f7a22a0b05f6f6b3c6af98dc922f0b32655991 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g3533435.exe
| MD5 | aea234064483f651010cf9d981f59fea |
| SHA1 | 002ad73a666d2d92d0c6d6b617e61c6fa0c5f3a6 |
| SHA256 | 58b02c8b4bc2bf7f5f1e8e45d7c206956f188ae56b648922ca75987b999db503 |
| SHA512 | eae415ef55aeb1b4548c2422a72e618fce17c2c1322918d33dc6b9202a01c743a5684ba28e5d83b6cdb2b703bc12569e6bb0e87ef2decb4e8a18592e1380a434 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h7860601.exe
| MD5 | 7e93bacbbc33e6652e147e7fe07572a0 |
| SHA1 | 421a7167da01c8da4dc4d5234ca3dd84e319e762 |
| SHA256 | 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38 |
| SHA512 | 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91 |
memory/4884-27-0x0000000000680000-0x000000000068A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j2231043.exe
| MD5 | c4bd20ecd43258a3d1a7df9be295164b |
| SHA1 | 025eb31ab5884996202eee9816e7588356977ceb |
| SHA256 | 9128f17b28c7487ecd466da752a2b824df6fc9465af5106d01f87b02f25eb6b4 |
| SHA512 | cc86779d65bd44fb4fe6b27f5db447ef7d4d62800a88dd4d5745b49a8043860fabf96ed530b75d90f9bd4c4c38f7c6b103fb4e772c6c6288aa7db7f1dbcd4c44 |
memory/1960-32-0x0000000000EE0000-0x0000000000F10000-memory.dmp
memory/1960-33-0x00000000018E0000-0x00000000018E6000-memory.dmp
memory/1960-34-0x000000000B330000-0x000000000B948000-memory.dmp
memory/1960-35-0x000000000AE90000-0x000000000AF9A000-memory.dmp
memory/1960-36-0x000000000ADD0000-0x000000000ADE2000-memory.dmp
memory/1960-37-0x000000000AE30000-0x000000000AE6C000-memory.dmp
memory/1960-38-0x00000000031C0000-0x000000000320C000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2024-05-09 10:07
Reported
2024-05-09 10:10
Platform
win10v2004-20240426-en
Max time kernel
149s
Max time network
152s
Command Line
Signatures
Amadey
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a0423755.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a0423755.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a0423755.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a0423755.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a0423755.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a0423755.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
SmokeLoader
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b3882292.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9804047.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1593511.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a0423755.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b3882292.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c0749332.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d6820135.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a0423755.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\5a9212ccca92111e18358da4163f1a5d4c12debc5b1d9ac429198c7ad68de5d1.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9804047.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1593511.exe | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c0749332.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c0749332.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c0749332.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a0423755.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a0423755.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a0423755.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\5a9212ccca92111e18358da4163f1a5d4c12debc5b1d9ac429198c7ad68de5d1.exe
"C:\Users\Admin\AppData\Local\Temp\5a9212ccca92111e18358da4163f1a5d4c12debc5b1d9ac429198c7ad68de5d1.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9804047.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9804047.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1593511.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1593511.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a0423755.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a0423755.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b3882292.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b3882292.exe
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
"C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe"
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c0749332.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c0749332.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d6820135.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d6820135.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN danke.exe /TR "C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "danke.exe" /P "Admin:N"&&CACLS "danke.exe" /P "Admin:R" /E&&echo Y|CACLS "..\3ec1f323b5" /P "Admin:N"&&CACLS "..\3ec1f323b5" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "danke.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "danke.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\3ec1f323b5" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\3ec1f323b5" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| BE | 2.17.196.65:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 65.196.17.2.in-addr.arpa | udp |
| BE | 2.17.196.65:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| FI | 77.91.68.3:80 | tcp | |
| FI | 77.91.68.68:19071 | tcp | |
| FI | 77.91.68.68:19071 | tcp | |
| FI | 77.91.68.3:80 | tcp | |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| FI | 77.91.68.68:19071 | tcp | |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| FI | 77.91.68.3:80 | tcp | |
| FI | 77.91.68.68:19071 | tcp | |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| FI | 77.91.68.3:80 | tcp | |
| FI | 77.91.68.68:19071 | tcp | |
| FI | 77.91.68.3:80 | tcp | |
| FI | 77.91.68.68:19071 | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9804047.exe
| MD5 | f96731ad89768ce38ca85155833675d0 |
| SHA1 | c5d8a91c287100b4fe000328e838a442380efed0 |
| SHA256 | 7441d0da025a83eb86b2311e1d4eba38dabcdc4d77ba48942bd0b8318e1cd4a0 |
| SHA512 | 0d2e17273a0222b9779ad33af67c33dc98e6a1917e5926ab5c44daa037698f169d1645380f46300d028303a9692d894210ae9b5c04e720fd535768c314e70c45 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1593511.exe
| MD5 | f022d704d6a78d750895a61fa69ac1c0 |
| SHA1 | 1cd6a0036b9b623372a3cc265cf498bdb6a992a8 |
| SHA256 | c9aa8e6cc76da1ba13bb15864e57ccce2ea5f191245f3289a15a6df22a4f6c77 |
| SHA512 | c228a1db499b7eaea173da79b87b95ba3d06664958d8e03ac6f95379732c22ccca25557c1247e2ae0d915fad34ee08103d8d7d0dee14edea331074348474d646 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a0423755.exe
| MD5 | db00354a2702c30e10247ec3409494ed |
| SHA1 | e08194ec9f17cbc43f2fba1462feed2f89dd1550 |
| SHA256 | dfd3e39fdb8c41e7b58bc6138a3773186bfc0bb2b65c555e66292603f032acd5 |
| SHA512 | 78af980cad7b2af08d261f42e2ed7191556f5c66de16246db82cee4391af644018a9ea8efe33ca390821b09c00ff9e150dc9bccfeb70991b0dba1cb72d38b511 |
memory/2600-21-0x0000000000AD0000-0x0000000000ADA000-memory.dmp
memory/2600-22-0x00007FFA94B93000-0x00007FFA94B95000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b3882292.exe
| MD5 | 1559c7c688a29ee1fbc80447c10bb7d7 |
| SHA1 | 770fd8c753c5f5bca3001a6a5d132504f29bbcd7 |
| SHA256 | bf50960f0a97170ac60526811496d5f47fb73e6d94962a4d624fdaa5669ed645 |
| SHA512 | cdbb1dea45137051c156e05d698c018e5253f3ca48f4c9d637948594180431c33fc08f879549fd1a8f1fa38837c2cca4b540c15f2701cafb9284bf31c88f6e94 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c0749332.exe
| MD5 | ff0df20aebaf00c240e35f3c6b3957ec |
| SHA1 | 651f9c7a07b9f8b960e7ded63930e6e28b82b3f8 |
| SHA256 | 0397e50962c0459763242b1b1334a5e3fb923f693fbeb47a5a837ede9ab207bb |
| SHA512 | 70de52de0f30a327b22d0d9a1d081369f1fc50cefc9b00d1c70c6919271e878b5d7d2d2fe824e81f418e7454c531956d875149827f31d8f4aeca779f2e485afa |
memory/4580-39-0x0000000000400000-0x0000000000409000-memory.dmp
memory/4580-41-0x0000000000400000-0x0000000000409000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d6820135.exe
| MD5 | 35c069df2551d2e840fda156cc641cc6 |
| SHA1 | 3d585c42d1263b19654dbbb2116c6e1634748f45 |
| SHA256 | 6f0c4d8a21e15d15d6f6bc50e37e67a0e9217cc8601de1c084e16a35a82f3042 |
| SHA512 | 55bb9bc855872a4c51033e0343f78e3dd7c998bc46a704c9cff631e9bb27a117eaff3a2005a35e836d8c66d89372441c2b233778ff3dfbaa7edbaaa1f28b0619 |
memory/3392-45-0x0000000000D20000-0x0000000000D50000-memory.dmp
memory/3392-46-0x0000000005500000-0x0000000005506000-memory.dmp
memory/3392-47-0x0000000005D00000-0x0000000006318000-memory.dmp
memory/3392-48-0x00000000057F0000-0x00000000058FA000-memory.dmp
memory/3392-49-0x00000000055A0000-0x00000000055B2000-memory.dmp
memory/3392-50-0x0000000005720000-0x000000000575C000-memory.dmp
memory/3392-51-0x0000000005760000-0x00000000057AC000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-09 10:07
Reported
2024-05-09 10:11
Platform
win10v2004-20240508-en
Max time kernel
132s
Max time network
150s
Command Line
Signatures
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7678896.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0633454.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a9751033.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b2585981.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c2700905.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0633454.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\000643ece079f96ed416c42e9dec2e3a647599f99950c60349c52e36cb724e88.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7678896.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 5044 set thread context of 1676 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a9751033.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| PID 3684 set thread context of 1748 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b2585981.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a9751033.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b2585981.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\000643ece079f96ed416c42e9dec2e3a647599f99950c60349c52e36cb724e88.exe
"C:\Users\Admin\AppData\Local\Temp\000643ece079f96ed416c42e9dec2e3a647599f99950c60349c52e36cb724e88.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7678896.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7678896.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0633454.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0633454.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a9751033.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a9751033.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 5044 -ip 5044
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5044 -s 152
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b2585981.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b2585981.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3684 -ip 3684
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3684 -s 148
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c2700905.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c2700905.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3452,i,16710585221322798697,8586257254049248207,262144 --variations-seed-version --mojo-platform-channel-handle=4432 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| RU | 83.97.73.129:19068 | tcp | |
| RU | 83.97.73.129:19068 | tcp | |
| RU | 83.97.73.129:19068 | tcp | |
| RU | 83.97.73.129:19068 | tcp | |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| RU | 83.97.73.129:19068 | tcp | |
| RU | 83.97.73.129:19068 | tcp | |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| RU | 83.97.73.129:19068 | tcp | |
| RU | 83.97.73.129:19068 | tcp | |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| RU | 83.97.73.129:19068 | tcp | |
| RU | 83.97.73.129:19068 | tcp | |
| RU | 83.97.73.129:19068 | tcp | |
| RU | 83.97.73.129:19068 | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7678896.exe
| MD5 | a76aada563b5fff5cf81824d40e87c25 |
| SHA1 | b6c50c7d69b765a396e3995642cd3c82ed9eb370 |
| SHA256 | f25337a343c26cdecd99eb7f095938fd24fb233463a8af3fa69acc5201eed956 |
| SHA512 | 093e3da142ee67a4da1c8f352460e5d90e9565ec60855285a19eb6e2c2f85d8b8ec22e0b5f46194222954ffeb19e1a8451f9d364c8869f1ef8050decc7154a56 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0633454.exe
| MD5 | 7df1e56d4c1a1612ee126463fcf8ceb4 |
| SHA1 | 774ab26898cfa2ace41b0d5fa53538d318e0fa57 |
| SHA256 | a62a548ffb1dcb9166d2336968bea9011a44039f391a1a7ef70364f4a0e131a0 |
| SHA512 | a84427f66c991496b014e82a1e52a969da9b627d6dfebdb93b74acdda4907df02b7b7d17b25cb732999e4a01e7f6e327be630b93b6dd6c55ed78e3d920ccae15 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a9751033.exe
| MD5 | c0e3f771bcbb789d734e7d3e1b1f4e65 |
| SHA1 | 02e6e5e508188955181ac98bb1b9c414d2c1aa9e |
| SHA256 | 53b6f1fa7f2466210d99ea5bba427014f08b5656339d05d1dc0d120b7c6a3b02 |
| SHA512 | c983b76772a50aece42107a39c828abfa768fc33c8865df73de57e1beca2919e8cc7b8afe1d5ae3e7556273519e311d5e49ed6d52eaf895c3c3d7c34608d2118 |
memory/1676-21-0x0000000000400000-0x0000000000430000-memory.dmp
memory/1676-26-0x00000000014F0000-0x00000000014F6000-memory.dmp
memory/1676-27-0x0000000005E20000-0x0000000006438000-memory.dmp
memory/1676-28-0x0000000005910000-0x0000000005A1A000-memory.dmp
memory/1676-29-0x0000000005820000-0x0000000005832000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b2585981.exe
| MD5 | cd5a529d645436b72dc72ebc19950ef3 |
| SHA1 | 5f571b5fce5b5e210e812e28dad02b80bb1f5d80 |
| SHA256 | 887d08bb7735494fa22a46935055d0c2d612f70e97ecdd07bccf427d8e49efa3 |
| SHA512 | b314a9d61340e1cafd67aef45b5151721a6100ca0f7d6ec787e4fc4d83d1cdb571cfafcd1cc1cee681f3016bfb3fc8074681633607221711163e7da2c2e6b123 |
memory/1676-32-0x0000000005880000-0x00000000058BC000-memory.dmp
memory/1748-34-0x00000000001B0000-0x00000000001BA000-memory.dmp
memory/1676-39-0x00000000058C0000-0x000000000590C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c2700905.exe
| MD5 | 3722a3e958832f918370e3491d62d642 |
| SHA1 | 86d28aa415f98a3ffa95279b4ac521e96ab8131a |
| SHA256 | fc953ae5ccb8716ad6fa4b015596e010272dc5095fb5cf36fc1fe1ac7ca39db9 |
| SHA512 | 510caffa854da75b5cef2b52ef61dee6670fc684c090911b9bf51678c68144e3f83a2ca2b43364abd0619c6742c03b9f68f29f91d6bb6259c49fc2b8bbaeb791 |
memory/5020-43-0x00000000004F0000-0x0000000000520000-memory.dmp
memory/5020-44-0x0000000000E20000-0x0000000000E26000-memory.dmp
Analysis: behavioral6
Detonation Overview
Submitted
2024-05-09 10:07
Reported
2024-05-09 10:10
Platform
win10v2004-20240508-en
Max time kernel
148s
Max time network
152s
Command Line
Signatures
Amadey
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a2037556.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a2037556.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a2037556.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a2037556.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a2037556.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a2037556.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
SmokeLoader
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b6911514.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9758243.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8236123.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a2037556.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b6911514.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c3067524.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d9995990.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a2037556.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\729187837b6282872fd853df135ab03458edda808d089983498f29a635b978ea.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9758243.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8236123.exe | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c3067524.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c3067524.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c3067524.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a2037556.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a2037556.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a2037556.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\729187837b6282872fd853df135ab03458edda808d089983498f29a635b978ea.exe
"C:\Users\Admin\AppData\Local\Temp\729187837b6282872fd853df135ab03458edda808d089983498f29a635b978ea.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9758243.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9758243.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8236123.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8236123.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a2037556.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a2037556.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b6911514.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b6911514.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
"C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe"
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c3067524.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c3067524.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN pdates.exe /TR "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "pdates.exe" /P "Admin:N"&&CACLS "pdates.exe" /P "Admin:R" /E&&echo Y|CACLS "..\925e7e99c5" /P "Admin:N"&&CACLS "..\925e7e99c5" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "pdates.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "pdates.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\925e7e99c5" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\925e7e99c5" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d9995990.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d9995990.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| FI | 77.91.68.61:80 | tcp | |
| FI | 77.91.124.84:19071 | tcp | |
| FI | 77.91.68.61:80 | tcp | |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| FI | 77.91.124.84:19071 | tcp | |
| FI | 77.91.68.61:80 | tcp | |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| FI | 77.91.124.84:19071 | tcp | |
| FI | 77.91.124.84:19071 | tcp | |
| FI | 77.91.124.84:19071 | tcp | |
| US | 8.8.8.8:53 | 66.112.168.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9758243.exe
| MD5 | abf9d89a34b06d6f61fc036a6b92a314 |
| SHA1 | d415dd212d5cae8bdfa864b5a6a8aa616056ed9c |
| SHA256 | 23a7242b34faf2fe65e8c459e2f1e409eabf56b87169f0d76795644cb778eb39 |
| SHA512 | 54949548c32035f8ff8da57a68dbdebf870598b5735bf0b0162a49234a107258af9219112304c66bc947f4ff6711cb26cd94743cbffe36fbd0363d65b5009446 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8236123.exe
| MD5 | a7f0088e3a5ea0f52c5faf6ee4deebfd |
| SHA1 | 985aab914633e0d92d8cc6d0daf9c3f98e85a53d |
| SHA256 | 0eb954c26f144a5b2eaa8bec5728b1b9cc08bf98df5df5b7422ead3ba8429d5f |
| SHA512 | cdf3f795532511e07b0bef19558c36530621ed49b143dda187882af63c6ffd2ec27748ad1d1d9ac9f24fc0f4dcff9a5f3763df547f997f21ae5d1a11250bd348 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a2037556.exe
| MD5 | 06f9ea1b9d99aeffa658940300e5b3e9 |
| SHA1 | 203ed88851ce92ca9fc935b5e9cd9ea635134521 |
| SHA256 | 4afd5d4a8b6fe6f193572915a00f0d64abf365a92588643d58c34b30cceca324 |
| SHA512 | e6ace7bc58005f92c3207d3fe4da785e6795ea9f86d95a5648c802d6d5a10adf89786c201911745ad20796fc3923e86d0def2913d7015b140809e06b59b59865 |
memory/2180-21-0x00007FFB82043000-0x00007FFB82045000-memory.dmp
memory/2180-22-0x0000000000930000-0x000000000093A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b6911514.exe
| MD5 | 08fb0a39e54c5f25a5ef13805b240ef6 |
| SHA1 | 7c4815bdebfb69cb6ed09f9af8c1febd70b09f0b |
| SHA256 | 857a3a468952305783338ea17fbac38c0c3b4509a045142886195b0de4e4fe22 |
| SHA512 | 8bffd267209d12ddd0401a3c72cd033280530f10a064bb8db1e5dd4f938e7f46b60b0e00443d306121318bf253201b43e5d324b6793d69815eab22893982ce39 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c3067524.exe
| MD5 | 69d19cb0ae5efc1681018dc89feaf5d4 |
| SHA1 | 1cd77651dcbef0a1da387dad78a5667fb4d7805d |
| SHA256 | 12b9fb30a3b5c93abc180037dfcc5ba55547807b8e1b397d807d0d3a3dd79cae |
| SHA512 | da9c5647b129e5990f9c0806c947aaace1fcb09010b66b68bf5d7afc781017755522e72b0f704cfb4635dac21fd7b783a203267993e4cac595630fcf251bdba8 |
memory/1004-40-0x0000000000400000-0x0000000000409000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d9995990.exe
| MD5 | 82272970e8557d9bdcd29d3dcc2af441 |
| SHA1 | 0f12180cbe8f9cca11ea0a07df5c3683f4007b09 |
| SHA256 | d7777c84268ca0d047ddce997f76fd17654e661ba7ccbbe2e1d184669114ede7 |
| SHA512 | 08721c6d4666312dc322f2ea848e7e1cda4ed1dc4a3e83cad8a62ab6c4fbf7968acb68d6054ab4c0e9757dbfe1abe481a738637dd052daca7c0f268c7620336e |
memory/4508-45-0x0000000000D10000-0x0000000000D40000-memory.dmp
memory/4508-46-0x0000000002FC0000-0x0000000002FC6000-memory.dmp
memory/4508-47-0x000000000B170000-0x000000000B788000-memory.dmp
memory/4508-48-0x000000000ACC0000-0x000000000ADCA000-memory.dmp
memory/4508-49-0x000000000AC00000-0x000000000AC12000-memory.dmp
memory/4508-50-0x000000000AC60000-0x000000000AC9C000-memory.dmp
memory/4508-51-0x0000000005010000-0x000000000505C000-memory.dmp
Analysis: behavioral7
Detonation Overview
Submitted
2024-05-09 10:07
Reported
2024-05-09 10:10
Platform
win10v2004-20240426-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Amadey
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h2139977.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h2139977.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h2139977.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h2139977.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h2139977.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h2139977.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g9997339.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0382227.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g9997339.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h2139977.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j6445848.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h2139977.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\747238b5bd007fbf264cbd66b42a3fa3d6c54ccb6a1d0ce2c79715650a55d097.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0382227.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h2139977.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h2139977.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h2139977.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\747238b5bd007fbf264cbd66b42a3fa3d6c54ccb6a1d0ce2c79715650a55d097.exe
"C:\Users\Admin\AppData\Local\Temp\747238b5bd007fbf264cbd66b42a3fa3d6c54ccb6a1d0ce2c79715650a55d097.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0382227.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0382227.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g9997339.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g9997339.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
"C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe"
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h2139977.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h2139977.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN pdates.exe /TR "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "pdates.exe" /P "Admin:N"&&CACLS "pdates.exe" /P "Admin:R" /E&&echo Y|CACLS "..\925e7e99c5" /P "Admin:N"&&CACLS "..\925e7e99c5" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "pdates.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "pdates.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\925e7e99c5" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\925e7e99c5" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j6445848.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j6445848.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| FI | 77.91.68.61:80 | tcp | |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| BE | 2.17.196.106:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 106.196.17.2.in-addr.arpa | udp |
| FI | 77.91.124.84:19071 | tcp | |
| FI | 77.91.124.84:19071 | tcp | |
| FI | 77.91.68.61:80 | tcp | |
| FI | 77.91.124.84:19071 | tcp | |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| FI | 77.91.68.61:80 | tcp | |
| FI | 77.91.124.84:19071 | tcp | |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| FI | 77.91.124.84:19071 | tcp | |
| FI | 77.91.124.84:19071 | tcp | |
| US | 8.8.8.8:53 | 175.117.168.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0382227.exe
| MD5 | d8841161db50003567d3e18475320655 |
| SHA1 | bb50ed0463e4d3406fe4c998a2f8cecb128afe4c |
| SHA256 | ddfc2fe4adb70a5b498353691678322f1662bc511aab9a136f0509290d000853 |
| SHA512 | 83ab3964ddaf3139a7006a1a5c25ec17dbf6d5123019f0c1631cdd900f9cf0fde448b0aacab059e9c048b93b3087f77910030bdab0da72610d0591472d136f98 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g9997339.exe
| MD5 | aea234064483f651010cf9d981f59fea |
| SHA1 | 002ad73a666d2d92d0c6d6b617e61c6fa0c5f3a6 |
| SHA256 | 58b02c8b4bc2bf7f5f1e8e45d7c206956f188ae56b648922ca75987b999db503 |
| SHA512 | eae415ef55aeb1b4548c2422a72e618fce17c2c1322918d33dc6b9202a01c743a5684ba28e5d83b6cdb2b703bc12569e6bb0e87ef2decb4e8a18592e1380a434 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h2139977.exe
| MD5 | 7e93bacbbc33e6652e147e7fe07572a0 |
| SHA1 | 421a7167da01c8da4dc4d5234ca3dd84e319e762 |
| SHA256 | 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38 |
| SHA512 | 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91 |
memory/4324-27-0x0000000000690000-0x000000000069A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j6445848.exe
| MD5 | c5b3dbc8bc5701662bbc0836cc0d3818 |
| SHA1 | 18e66c49be365a6d6045cf00417e069fcac3aa81 |
| SHA256 | 9b084c421cab4c03db5704c77b75c392d9327914967e99fc8dffaa310f246e26 |
| SHA512 | 7e9068b08666c6b0301f2b58054afb4248d1bafea78cea3ac669d4bfed441ff3e8a2baa047da516ee38e6d52abe10ae011d61e2eafcf397ffafa1dc14341d450 |
memory/4972-32-0x0000000000070000-0x00000000000A0000-memory.dmp
memory/4972-33-0x0000000002320000-0x0000000002326000-memory.dmp
memory/4972-34-0x000000000A540000-0x000000000AB58000-memory.dmp
memory/4972-35-0x000000000A030000-0x000000000A13A000-memory.dmp
memory/4972-36-0x0000000009F60000-0x0000000009F72000-memory.dmp
memory/4972-37-0x0000000009FC0000-0x0000000009FFC000-memory.dmp
memory/4972-38-0x0000000004360000-0x00000000043AC000-memory.dmp
Analysis: behavioral8
Detonation Overview
Submitted
2024-05-09 10:07
Reported
2024-05-09 10:11
Platform
win10v2004-20240426-en
Max time kernel
142s
Max time network
153s
Command Line
Signatures
Amadey
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h2964602.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h2964602.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h2964602.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h2964602.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h2964602.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h2964602.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g4445769.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5253760.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g4445769.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h2964602.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j8082767.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h2964602.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\8e6dae5587d0150e1fa568f6ff42d2f6790750c017c08f86cff2c14b18de7422.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5253760.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h2964602.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h2964602.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h2964602.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\8e6dae5587d0150e1fa568f6ff42d2f6790750c017c08f86cff2c14b18de7422.exe
"C:\Users\Admin\AppData\Local\Temp\8e6dae5587d0150e1fa568f6ff42d2f6790750c017c08f86cff2c14b18de7422.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5253760.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5253760.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g4445769.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g4445769.exe
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
"C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe"
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h2964602.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h2964602.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN danke.exe /TR "C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "danke.exe" /P "Admin:N"&&CACLS "danke.exe" /P "Admin:R" /E&&echo Y|CACLS "..\3ec1f323b5" /P "Admin:N"&&CACLS "..\3ec1f323b5" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "danke.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "danke.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\3ec1f323b5" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\3ec1f323b5" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j8082767.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j8082767.exe
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| FI | 77.91.68.3:80 | tcp | |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| BE | 2.17.196.65:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 65.196.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 45.19.74.20.in-addr.arpa | udp |
| BE | 2.17.196.65:443 | www.bing.com | tcp |
| FI | 77.91.68.68:19071 | tcp | |
| FI | 77.91.68.68:19071 | tcp | |
| FI | 77.91.68.3:80 | tcp | |
| FI | 77.91.68.68:19071 | tcp | |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| FI | 77.91.68.3:80 | tcp | |
| FI | 77.91.68.68:19071 | tcp | |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| FI | 77.91.68.3:80 | tcp | |
| FI | 77.91.68.68:19071 | tcp | |
| FI | 77.91.68.3:80 | tcp | |
| FI | 77.91.68.68:19071 | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5253760.exe
| MD5 | a72f3bd21a0f5ba2a3d3903acd1d164d |
| SHA1 | 5438ccc0dc322ad716aa4c3049859214324afd19 |
| SHA256 | d9573bf8c3ef3e53a24e21ddaaa207f5491ca37b11b20395b161304ff8e8987d |
| SHA512 | 5245d3b824d5404bbfee44819e2ad4fc095bbc9cf31082116f75321d1c5e7fa2c22486178870b69e2044107c2634b9318123bcf7f486194b13447ef42ea852b2 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g4445769.exe
| MD5 | 8c6b79ec436d7cf6950a804c1ec7d3e9 |
| SHA1 | 4a589d5605d8ef785fdc78b0bf64e769e3a21ad6 |
| SHA256 | 4e1377f9874f333dcb0b1b758e3131949e667fc39aadf3091e4e3b7cdbaeef1d |
| SHA512 | 06f2de433876963bb7bbddbe93cab0b7dd22164d1c10726294445944dcf5fa4a0fb450fc683c32565177a81a6103f6a5f11d291958bc7fcff7fdb9cf41a001ce |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h2964602.exe
| MD5 | 7e93bacbbc33e6652e147e7fe07572a0 |
| SHA1 | 421a7167da01c8da4dc4d5234ca3dd84e319e762 |
| SHA256 | 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38 |
| SHA512 | 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91 |
memory/2744-27-0x0000000000CC0000-0x0000000000CCA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j8082767.exe
| MD5 | 1f4efb9e5524db0684d7c0f6b7d3e0c0 |
| SHA1 | f31578b9161d7d5c440b845221f0d22d483273be |
| SHA256 | dd9f33038785627461d8b967c9facc426e92c4240cac475aeb3e2d0ec4cfdb18 |
| SHA512 | 7694913b0fb58d97105d70894c6b9050209ce3cf39a5060fb7bf0e3c905886c466dcf30b308ef353192b09eed957d8a641893ca0102eb7144ae0996859cb0998 |
memory/2792-32-0x0000000000340000-0x0000000000370000-memory.dmp
memory/2792-33-0x0000000004C20000-0x0000000004C26000-memory.dmp
memory/2792-34-0x000000000A640000-0x000000000AC58000-memory.dmp
memory/2792-35-0x000000000A1B0000-0x000000000A2BA000-memory.dmp
memory/2792-36-0x000000000A0F0000-0x000000000A102000-memory.dmp
memory/2792-37-0x000000000A150000-0x000000000A18C000-memory.dmp
memory/2792-38-0x0000000004600000-0x000000000464C000-memory.dmp
Analysis: behavioral9
Detonation Overview
Submitted
2024-05-09 10:07
Reported
2024-05-09 10:10
Platform
win10v2004-20240508-en
Max time kernel
91s
Max time network
95s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\FNF_FREE_DOWNLOAD.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\FNF_FREE_DOWNLOAD.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\dd86e508d33a5b71e82ab1b41a8dd7c49009ac65ba2191c467d7c58267e8ead9.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\FNF_FREE_DOWNLOAD.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\FNF_FREE_DOWNLOAD.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3848 wrote to memory of 3496 | N/A | C:\Users\Admin\AppData\Local\Temp\dd86e508d33a5b71e82ab1b41a8dd7c49009ac65ba2191c467d7c58267e8ead9.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\FNF_FREE_DOWNLOAD.exe |
| PID 3848 wrote to memory of 3496 | N/A | C:\Users\Admin\AppData\Local\Temp\dd86e508d33a5b71e82ab1b41a8dd7c49009ac65ba2191c467d7c58267e8ead9.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\FNF_FREE_DOWNLOAD.exe |
| PID 3848 wrote to memory of 3496 | N/A | C:\Users\Admin\AppData\Local\Temp\dd86e508d33a5b71e82ab1b41a8dd7c49009ac65ba2191c467d7c58267e8ead9.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\FNF_FREE_DOWNLOAD.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\dd86e508d33a5b71e82ab1b41a8dd7c49009ac65ba2191c467d7c58267e8ead9.exe
"C:\Users\Admin\AppData\Local\Temp\dd86e508d33a5b71e82ab1b41a8dd7c49009ac65ba2191c467d7c58267e8ead9.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\FNF_FREE_DOWNLOAD.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\FNF_FREE_DOWNLOAD.exe
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x470 0x2ec
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| BE | 2.17.196.114:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 114.196.17.2.in-addr.arpa | udp |
| BE | 2.17.196.114:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 164.53.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\FNF_FREE_DOWNLOAD.exe
| MD5 | 02f3e06d9da4b99c66ad76a7f97939f8 |
| SHA1 | f7e4ff2a2a7399639ebe2be7f45419ffdc347046 |
| SHA256 | 90b6b4492df192ebbafd5bf01ebb88301a20558c256b52d0fce8811f714b93e6 |
| SHA512 | f88112492c3e23663243c4eec9be329420fd736b6516341da1df29065f18b2860b2fb189fef94a8a495e477e5ee4bc5e0bf439d0f0c83113b71853909b01cd2c |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d3dx9_43.dll
| MD5 | 86e39e9161c3d930d93822f1563c280d |
| SHA1 | f5944df4142983714a6d9955e6e393d9876c1e11 |
| SHA256 | 0b28546be22c71834501f7d7185ede5d79742457331c7ee09efc14490dd64f5f |
| SHA512 | 0a3e311c4fd5c2194a8807469e47156af35502e10aeb8a3f64a01ff802cd8669c7e668cc87b593b182fd830a126d002b5d5d7b6c77991158bffdb0b5b997f6b3 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\songs@mus_cinemassacre.swows
| MD5 | ebd57c027b931472dc8328271dcd2874 |
| SHA1 | 25cea55dc4e4b868043dc90e0c098ea8554f3e64 |
| SHA256 | ba0a003f8010c44236eb7891d31b87795c54adcf4795f4d9210348cc9cb6c1e0 |
| SHA512 | 34b5db54fc508957fbdf331fd9fce7f01cfe81e3988b81e2da2bc99ea8e548a6240f18c656a3fe61e1a0f133cc100bd7048d9e7f98d65187ce95a6f18caa1e9e |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\data.win
| MD5 | 89b2da0fab50c9d1a9a560caf554aa0c |
| SHA1 | a9921d3260bea112764344e255246ee5ac881d6d |
| SHA256 | b2def46b4c5c7e4393b393749390c261ba75cd6fe9829140f9b18a854039de03 |
| SHA512 | 8f672ef37835317a6b6e5787a65cf69d09c11c56ae277a964a98fb5430c2c0c982c05f6e37a3f47864af45a8270fe0341ef261f349110095746e958a77f32e39 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\songs@toby test.swows.txt
| MD5 | cbe43c10d0e1a5d6199cb4c02e97b298 |
| SHA1 | 60809509bf01cbd93f783a7feb0f8db839576e5a |
| SHA256 | 8825512b463b0fb1dd4531fcbbbf583afd68f5c3f5ba74806a377456ed493af4 |
| SHA512 | cba817443d53af0957d29062d668699bada8a8add208a406df395c68f9f73e64ff2cd22723add39f520d3bb62fdde70f307a5e5ea070028547834eb0a8510acd |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\options.ini
| MD5 | 396f73a1185a5642f5f1e2538b64396a |
| SHA1 | d72d687a5a1258986f218bfccacc6118c39ec4f9 |
| SHA256 | e267293f58d257d2dd1e00ad25425bdb798fcbf75256a7d45b7d7086159dbc58 |
| SHA512 | e17cfca14ce79c71eea01973385fa4151989d40bfc5a04b97fd3534ff5b4f04b385d11867d80a60325aa0bd13403910fee73ab9379f0e05c669d24d5d95957da |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\songs@mus_w4s2.swows
| MD5 | 10998944ff90841e0859e856277ea358 |
| SHA1 | 6b0ec880ae9dd7b24f95c680a94d72e0963aab4b |
| SHA256 | eeb305f3d17f0fc7efa24578cf877590f486d8fd6b8ecf4c9d86ee43a842c9f5 |
| SHA512 | 4a19e6122c7a238307fc49a9a730b1c4d33d3e8dd3fffe511f1e1240497425f9f35ce294810160d89a227c1bd9b7e3c219f2513deda8a7d3db43078f1689fb3f |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\songs@mus_w4s1.swows
| MD5 | 29a2efeecdcc29feb8f178b847439995 |
| SHA1 | 4c307c3b34165726a4747f0abdf5b8f0c5dd58d3 |
| SHA256 | 2b62f113a0d3fc5d3c8b68686995a7409217b4e399b31c66fb11d00b6d02de70 |
| SHA512 | 14d09ce5e7fdccdec3cf73a8baf57fe8262388eac06a3f04a993d7407f8eec5928fb3a69defaba8832dd420983b82541b9b2eac33e98fc68bc6af7db3b8ff5c6 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\songs@mus_w3s2.swows
| MD5 | 7ed8f7ea17dc8c515e0815167101faef |
| SHA1 | 7f16baff1d12b4858fd470a1e22f82884f129e12 |
| SHA256 | 41db0c0b54a7c254e2da04616eabbbef4d915776eb07b09e51724f329bc9d94b |
| SHA512 | fb5ec0323510a370f3c953aaa80178e93211aa254a2bee5e0553b6d9ea9a6a94add08324ecbf0d381684a696e93cadf5c22c3f9a09fce05549371015d899b24b |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\songs@mus_w3s1.swows
| MD5 | 980a7b8c20131273ee7d6327e36ab646 |
| SHA1 | d19b2ca626f240b0e009fdd0bbadfaf03174b472 |
| SHA256 | b4fa0e07ff9bd7acd215ba65aaf78c38ebb686a5c6f5d3f2bc97cabfa681a438 |
| SHA512 | 1efe7daf267abab5ca631fd0dfa21882073b139d21b2f3096f59c897e616635b7747fcd9144831c432cc18da4cb2e7f02d02ef559273c3952c00c48e7c006a95 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\songs@mus_w2s2.swows
| MD5 | f58c343cc7f81541f466204cb4aadf20 |
| SHA1 | aa4c99160dbd15587a22fea7faaa86b6f3eac0a1 |
| SHA256 | 3029816f9b2eaaac5e70eac37864ca1388f61fbfc46d7d87fe370922be841a56 |
| SHA512 | 1cdab9498d53ac1e9b184a4b8adfb666d9dfc6bce05623bdbd39cffe0a1ea9863896ea6aaaa08861b88c2b19cfb5438e77399f69c56dfba45466cff7f672b721 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\songs@mus_w2s1.swows
| MD5 | 08385e474ddbfb2e466f4c3753cf2e3c |
| SHA1 | 0b7c322e963c4483b3f50342f91aaad08cba0342 |
| SHA256 | cbf2817bbfa0aed7659032908c2b1da41ff02563660cc18c07dfcdec70d704a4 |
| SHA512 | 2500cd06e891d5c929b18627afce618b14a8a003b7746b03d341710942a4aca22cc2a8d77c255949faa21c86c482865847e892994801af6f5654af59cbd5b968 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\songs@mus_w1s2.swows
| MD5 | ca9b484cddd819bc1a744a73b4a6ad32 |
| SHA1 | a4128174cd75f6ff370aaf497ad4f196b46ae135 |
| SHA256 | bf4c8e0d92aa9adb5f0317ba9310527d4ecdbdc3fc46a3e96fa9d86ece341ed2 |
| SHA512 | 02b957ef27b44f74ab53d32c3e16f7c5cf187a4f4d33071c81b9e4bebed756d54a9afc51b90f7aa3bde77b590fd6988b994b81fd5ba137b25f6ed61250089565 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\songs@mus_w1s1.swows
| MD5 | cb88ad7efad086b2dd62bfa98b4a049a |
| SHA1 | 7807d65e7269b2e55a79bf3c73deb020e3a87949 |
| SHA256 | a96ef2102b309315dda8e9f2520f14c4ea7f728e8db4163465110dae3bd38387 |
| SHA512 | 7dbfbc7f342b37e385fd8409855d82b1f33bbbd44267b37b5664a1d5083685d1a56dc6c8fb3bcaadbec3b64de7728a09ebf95824666ee28fd12efb8b9bca501c |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\songs@mus_tutorial.swows
| MD5 | aa573ea35c94f0a0a11d6c2c1d3f4823 |
| SHA1 | 8f223f174eabbc5852f04f6ab579bb7bffa77201 |
| SHA256 | f7afdb2f0a90992b381026e76f8e9a7b462b25bdcdea8d216a145349b5827234 |
| SHA512 | 7eeeffb3ec02282ec11d1d1adb5642b18c55067722a344ea462fbe509c64e4606775ceaf2b15efdba9ff59ab810dd4e8092f607cf287248d92ba32d0d34cefe3 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\songs@mus_frostbytep2.swows
| MD5 | cd654391eb8d3932b5f4bd1401f786d5 |
| SHA1 | 67926e6c7d00f725cda9c1adcb8e8533c9f34cef |
| SHA256 | 71f5de7726c5960488c3d7de00650ea916be26ee5cf2716b65b2567b21f5ad71 |
| SHA512 | 42184ba6e10e91e327bc4ec464e3d6d63e5e733f1217cb36ba481fc642bf4d3ecb1ea4d522d0afb34d54246931ad39ebc801d5e59f6f90cbfc8ccb51dea9b971 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\songs@mus_frostbytep1.swows
| MD5 | 642550fe0541978b70f5757001636863 |
| SHA1 | 646ca0324bb15672380d54e6891d479f428e9485 |
| SHA256 | 8de198a43bc72b868fc7b89908406cdeeadcc6ba6b286a857466f65ef10d4dd3 |
| SHA512 | 404ba473e2f304bdcd288dece96964c529248065212a6545d553d360fc58740bf74e5136bd795ebf9cd3229d61d44361e0f0648947996d350f6ec3b34f6124eb |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\songs@mus_channelsurf.swows
| MD5 | 73b4a89d395eaa0135488dd16445240d |
| SHA1 | 88e22d9c318651e4687fd15173993053e88c0fd3 |
| SHA256 | 87c7a777c9e45cb98a7574a7e74116e5f409f36de203e375a1de31aaad7cd4cb |
| SHA512 | 7b2113832b716ce323a02bd39cc3495244ebb95a6f05436d307f301dfb0504d6767111453f2c6b4f05cf92a939e8f0bf89224d7fa56456f6d2f3d8716733145c |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\songs@mus_breakitdown.swows
| MD5 | 122d21ec49586b295ab8d8cfd86c1471 |
| SHA1 | 5f42d9dc934445c83da2f26c24d1025016828e24 |
| SHA256 | 19add083e7a262b58d0eced6370924c045d123f100d668c30ee52548f328a7bd |
| SHA512 | 9da9639dd255f2ec2ee37804e4dc85aba4276a23623a1a3433c668d6b93419984bd66017a5051aa4f7058faa6cf75c8745f1229b60eada768bd79363833fd4f0 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\snd_recordscratch.ogg
| MD5 | 7063fcd92394608267f83a28f83a9b6a |
| SHA1 | dd0a49b562f831b1a754b485bb08e93a8186737e |
| SHA256 | 1ccf4c82e4fc6cf43726323a670aaa81d5e711be09613fc03d3c353bd758d127 |
| SHA512 | 76bad32303fb361480c222b14ad0ee45adb9b7d80e3105728f6b8a39a557480fa2fce134f20aea4386be21822daca49feed8f5772b40d3e95921076e93a40ca0 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mus_howdoileavetheoptionsmenu.ogg
| MD5 | 52d58680003f351eea0f5c4b489ad7e1 |
| SHA1 | 413e7e52fad96c05f2b8eb86ef556356efc797b0 |
| SHA256 | d8da8bbf7da74fd8639b31192e569bb7790adcc0945517d99fd6f514bcf64b3f |
| SHA512 | 7bbd98ec1c89e7cb72b35e7493c6abbc9436188a5d0b194b46552977f0b618a7cf8bffb06c1686aa9efe069a26c39980db1deecc5dcabfd780a00ec4214ceca2 |
Analysis: behavioral10
Detonation Overview
Submitted
2024-05-09 10:07
Reported
2024-05-09 10:11
Platform
win10v2004-20240508-en
Max time kernel
126s
Max time network
144s
Command Line
Signatures
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b0686319.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b0686319.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a6801018.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a6801018.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a6801018.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b0686319.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b0686319.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b0686319.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a6801018.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a6801018.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a6801018.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b0686319.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0520560.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0565861.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0689812.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a6801018.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b0686319.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c7618530.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a6801018.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a6801018.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b0686319.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\e500bee084b2757ef23283d465255eeb1eed61d9ed67171a24f814de66cf3b71.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0520560.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0565861.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0689812.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a6801018.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a6801018.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b0686319.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b0686319.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a6801018.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b0686319.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\e500bee084b2757ef23283d465255eeb1eed61d9ed67171a24f814de66cf3b71.exe
"C:\Users\Admin\AppData\Local\Temp\e500bee084b2757ef23283d465255eeb1eed61d9ed67171a24f814de66cf3b71.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0520560.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0520560.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0565861.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0565861.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0689812.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0689812.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a6801018.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a6801018.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b0686319.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b0686319.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c7618530.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c7618530.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| FI | 77.91.68.48:19071 | tcp | |
| FI | 77.91.68.48:19071 | tcp | |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| FI | 77.91.68.48:19071 | tcp | |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| FI | 77.91.68.48:19071 | tcp | |
| FI | 77.91.68.48:19071 | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0520560.exe
| MD5 | 5a006d527dde72f0bc51a3fdee4b1cdd |
| SHA1 | cf0962f8ee0635e59e92221584a875e45a047480 |
| SHA256 | 0c06bebf8e11d8d2467f90c5b26a5d24797cf65590877d5e30e804d07792187c |
| SHA512 | 89dc2c221b39c8b72e420e5f547b04a5e58a6102f6afe75acd7607897bb99fb9451d53bee131fa1cffa128defc07d58ef39b256a0779dbeec082ed90468fa40c |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0565861.exe
| MD5 | 2d2f98038a94c1b5a27dabb43516b481 |
| SHA1 | c38e7390d73496ee51ebcd6d2c998efde21d196b |
| SHA256 | e7b28986d5e5ddba7a489d10bb1cd93e41add21f3e8e0b472f885b5d393d112f |
| SHA512 | 40da19e60229855024459fe45c2f0c645ed7bc208af82478948a5f2474d25f039e958ce8437cf10f66e17685c7976b1e2d64a5e8e2c5a8fec3150ae828ce8ca3 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0689812.exe
| MD5 | 9c8172d995e82f94df848aa37a96bb73 |
| SHA1 | 2e5ccafda1f76202b5c90c8a52ea12042b0e1565 |
| SHA256 | 85399056e1683ef7185f77951310e5f7eba10a2df94382523ad09c479950b3f0 |
| SHA512 | 7bb100316a12017d934dc3cb1bbbbc3e5d0171775da4d8c2f79e14f265fc5f153c68f16aef5160b20626a0e6a0d0cb9bcc3f5591378ba2d9d9b24fb0a064eb6b |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a6801018.exe
| MD5 | 231fa67dcb2a7c6190da502d02a7ae9f |
| SHA1 | 1d2ba9ec8de8d4a8dde062739313e126c7fd756a |
| SHA256 | 369898f70baee653a53774650f75ff74ed4c0ce7ec690de9511e3e7b6f1e43ae |
| SHA512 | b3253446c2ce9af7123c67ac54ae3f7f4202ad8ea32885bac3e0b60089a05b1f2066e57a1216496f79de415d4ba8a606243d030fda741e44b41c24295bf9b00e |
memory/224-28-0x00000000004F0000-0x00000000004FA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b0686319.exe
| MD5 | 7e93bacbbc33e6652e147e7fe07572a0 |
| SHA1 | 421a7167da01c8da4dc4d5234ca3dd84e319e762 |
| SHA256 | 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38 |
| SHA512 | 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91 |
memory/4400-37-0x0000000000870000-0x000000000087A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c7618530.exe
| MD5 | 8c07c258604ef2c6253686dc2ebe6937 |
| SHA1 | b91099c9103265611e877f398dccfa6edaaefd25 |
| SHA256 | b59ecca695cc3aac7d02df5329cadec0168779df455dce2bb69711c06aae6389 |
| SHA512 | 367d8bfb15eb92ffd750649e75abc2976d8ed3a82c050f053c3622daa57e9a70e312caab2bd63e464ca0878d75928cbaf39406d4d3a05d06e7ec057dd227f2a9 |
memory/2720-42-0x0000000000510000-0x0000000000540000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\System.dll.log
| MD5 | 916851e072fbabc4796d8916c5131092 |
| SHA1 | d48a602229a690c512d5fdaf4c8d77547a88e7a2 |
| SHA256 | 7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d |
| SHA512 | 07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521 |
memory/2720-47-0x0000000002350000-0x0000000002356000-memory.dmp
memory/2720-48-0x0000000004BF0000-0x0000000005208000-memory.dmp
memory/2720-49-0x0000000005220000-0x000000000532A000-memory.dmp
memory/2720-50-0x0000000005360000-0x0000000005372000-memory.dmp
memory/2720-51-0x0000000005380000-0x00000000053BC000-memory.dmp
memory/2720-52-0x0000000005420000-0x000000000546C000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-05-09 10:07
Reported
2024-05-09 10:11
Platform
win10v2004-20240226-en
Max time kernel
147s
Max time network
163s
Command Line
Signatures
Amadey
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h4315223.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h4315223.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h4315223.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h4315223.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h4315223.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h4315223.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g5253401.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1221184.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g5253401.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h4315223.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j7695654.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h4315223.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1221184.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\4312b77e6031b30312b6c5c30180fca1895d4c065914103fa2e4ca9e8da9a0ce.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h4315223.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h4315223.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h4315223.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g5253401.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\4312b77e6031b30312b6c5c30180fca1895d4c065914103fa2e4ca9e8da9a0ce.exe
"C:\Users\Admin\AppData\Local\Temp\4312b77e6031b30312b6c5c30180fca1895d4c065914103fa2e4ca9e8da9a0ce.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1221184.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1221184.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g5253401.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g5253401.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
"C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe"
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h4315223.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h4315223.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN pdates.exe /TR "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "pdates.exe" /P "Admin:N"&&CACLS "pdates.exe" /P "Admin:R" /E&&echo Y|CACLS "..\925e7e99c5" /P "Admin:N"&&CACLS "..\925e7e99c5" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "pdates.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "pdates.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\925e7e99c5" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\925e7e99c5" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j7695654.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j7695654.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4448 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:8
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.53.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| FI | 77.91.68.61:80 | tcp | |
| US | 20.231.121.79:80 | tcp | |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| FI | 77.91.124.84:19071 | tcp | |
| FI | 77.91.124.84:19071 | tcp | |
| FI | 77.91.68.61:80 | tcp | |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| FI | 77.91.68.61:80 | tcp | |
| FI | 77.91.124.84:19071 | tcp | |
| FI | 77.91.124.84:19071 | tcp | |
| US | 8.8.8.8:53 | 209.143.182.52.in-addr.arpa | udp |
| FI | 77.91.124.84:19071 | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1221184.exe
| MD5 | a6f74296187384140fe945e019ab9282 |
| SHA1 | 562b86fee677de5c75d85f7e21d886431b6efb76 |
| SHA256 | 39fe4108c52abdcd2a2b2f78f624a08df4a25af058d4fe34fa3ba4dea14b97ba |
| SHA512 | 2ea9d90b1bc80ad933efa75595abe0bf24914a7f8a4c2ba4a62410cba3545441dfd8fcc30799b698acb58c533beac5f6bbb22d581c4c6f37cc4f50dcd8fb5d7c |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g5253401.exe
| MD5 | aea234064483f651010cf9d981f59fea |
| SHA1 | 002ad73a666d2d92d0c6d6b617e61c6fa0c5f3a6 |
| SHA256 | 58b02c8b4bc2bf7f5f1e8e45d7c206956f188ae56b648922ca75987b999db503 |
| SHA512 | eae415ef55aeb1b4548c2422a72e618fce17c2c1322918d33dc6b9202a01c743a5684ba28e5d83b6cdb2b703bc12569e6bb0e87ef2decb4e8a18592e1380a434 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h4315223.exe
| MD5 | 7e93bacbbc33e6652e147e7fe07572a0 |
| SHA1 | 421a7167da01c8da4dc4d5234ca3dd84e319e762 |
| SHA256 | 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38 |
| SHA512 | 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91 |
memory/488-27-0x0000000000660000-0x000000000066A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j7695654.exe
| MD5 | d42037dc1d47e21f4339e87e7ea0a8c3 |
| SHA1 | b99a3204b6c5f5a8a1216b709e90be8d96c50eb1 |
| SHA256 | 9c0fef1cc01510f17a769709bb0c438c52d8bf7c34a57d084f8e849338979c99 |
| SHA512 | 9faa4d3703ab93796610625942a2c7933bc461b3347bf3afea4c1459e37d209a9f9c3d68c2ec17179c837bf17886af30a4a1a4c0ca9ca0d96e5e305eff966447 |
memory/1388-32-0x0000000000540000-0x0000000000570000-memory.dmp
memory/1388-33-0x0000000004D60000-0x0000000004D66000-memory.dmp
memory/1388-34-0x000000000A970000-0x000000000AF88000-memory.dmp
memory/1388-35-0x000000000A4F0000-0x000000000A5FA000-memory.dmp
memory/1388-36-0x000000000A430000-0x000000000A442000-memory.dmp
memory/1388-37-0x000000000A490000-0x000000000A4CC000-memory.dmp
memory/1388-38-0x000000000A600000-0x000000000A64C000-memory.dmp
Analysis: behavioral5
Detonation Overview
Submitted
2024-05-09 10:07
Reported
2024-05-09 10:11
Platform
win10v2004-20240508-en
Max time kernel
146s
Max time network
152s
Command Line
Signatures
Amadey
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a2236406.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a2236406.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a2236406.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a2236406.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a2236406.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a2236406.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
SmokeLoader
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b0839738.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9668283.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6794516.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a2236406.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b0839738.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c5355716.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d2038758.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a2236406.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\617783538bdab4bd7c8fbacae9e8749b50cd02e596dc328612ea1d600c11dc1f.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9668283.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6794516.exe | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c5355716.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c5355716.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c5355716.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a2236406.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a2236406.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a2236406.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\617783538bdab4bd7c8fbacae9e8749b50cd02e596dc328612ea1d600c11dc1f.exe
"C:\Users\Admin\AppData\Local\Temp\617783538bdab4bd7c8fbacae9e8749b50cd02e596dc328612ea1d600c11dc1f.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9668283.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9668283.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6794516.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6794516.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a2236406.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a2236406.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=1288,i,11746347647270949551,7786733067759450703,262144 --variations-seed-version --mojo-platform-channel-handle=4276 /prefetch:8
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b0839738.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b0839738.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
"C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe"
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c5355716.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c5355716.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN pdates.exe /TR "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "pdates.exe" /P "Admin:N"&&CACLS "pdates.exe" /P "Admin:R" /E&&echo Y|CACLS "..\925e7e99c5" /P "Admin:N"&&CACLS "..\925e7e99c5" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "pdates.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "pdates.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\925e7e99c5" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\925e7e99c5" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d2038758.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d2038758.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| FI | 77.91.68.61:80 | tcp | |
| FI | 77.91.68.68:19071 | tcp | |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| FI | 77.91.68.61:80 | tcp | |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| FI | 77.91.68.68:19071 | tcp | |
| FI | 77.91.68.61:80 | tcp | |
| FI | 77.91.68.68:19071 | tcp | |
| US | 8.8.8.8:53 | 123.10.44.20.in-addr.arpa | udp |
| FI | 77.91.68.68:19071 | tcp | |
| FI | 77.91.68.68:19071 | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9668283.exe
| MD5 | 1c8226a52d0ac47e1a6326c24f70d6ab |
| SHA1 | 5ccf3aaa14338e29022903feb5dd2941b25c5fa6 |
| SHA256 | da9c9df115044e0b11a35f53f64ac5edb1673447e3b7bc68875892abb056366f |
| SHA512 | 80f9f608e4fc7b684ba10c2b2ef2b14150a7d8b210c02db4f5ed9897c49799e8d0c2420704bf83b1455911b61f7a70cce64d02f1e5472b6ba4565669360faaf9 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6794516.exe
| MD5 | 35b7c3cd1b1fedf0934b9f92a74be9f1 |
| SHA1 | b9b5d486597ea2453aec873167b29be5b012d343 |
| SHA256 | 39b70cbe2d586c2aa07d140908c4f78b416c1725e96ae8ae66832e6088f80385 |
| SHA512 | bb6393c12178fd96f3c22e3c2a24bec82fbca3dc15cf62d23d09488f4a68f03ba529a68d38b1e8be26d4a393f8284f772ceaa944ec8eb5a7bd943ac2d38c2a24 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a2236406.exe
| MD5 | 68aab4bc8dbb25defdeab2faefdb87de |
| SHA1 | 5086c566bc0468041cf5f1a95789407d7271b112 |
| SHA256 | 19f47e802ae35eb0dfed1e712105fb2d2abdd05d567a0cb18e02a17173a2f988 |
| SHA512 | 4e7292aeaf1c320c100ce620125a7e4f1e5f51baecedd014c48e921a2c3f0adcbe3d6cf4afd911ea3a37ab19f88f662820494befbac7fb09e7d12ef1d1167299 |
memory/212-21-0x0000000000E10000-0x0000000000E1A000-memory.dmp
memory/212-22-0x00007FF9919F3000-0x00007FF9919F5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b0839738.exe
| MD5 | d2b47284c2966c20e24fdfc256d58481 |
| SHA1 | e6eaf8171003ab990af8d6b5088fb364d50a0011 |
| SHA256 | 4542f254afadc9ffbba4727ad4661855cb0f54562205e356568f44e09b58a4b9 |
| SHA512 | 8c4990d0dedd04ad1b74e87c5270628d97e55c981d3f1c626c8bc085cd526d612ad9e2ea9150e8af26278aba57f105439319dabc071b896435130a91d5a87f2b |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c5355716.exe
| MD5 | 71fef25c46415692b392d100ae97e1b0 |
| SHA1 | f06ab9b468b036a6a0348dc4ba5f54ba387d5b72 |
| SHA256 | 68caaa916d4e3019a4bdb948e49b549d92b8825923ca4f6fbc66244fe424da7b |
| SHA512 | 56213dc992e727c489446bcca96ce4c92ebb6bcb01726a01267c9f438c314dc76a4c585674baf034041cfe42b980e3b070a663b0647da8d4ebab3ea339694db8 |
memory/1892-40-0x0000000000400000-0x0000000000409000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d2038758.exe
| MD5 | 6a8cc5e017cb0eb900292da23eb5ebae |
| SHA1 | 90b02dd2ef5e7b6d78050af6637df3fb9312ecac |
| SHA256 | ec4419032350df60c94cc4c6da38e5f0e353c5382dd782800b07a031efe5af23 |
| SHA512 | 38344907d3f519f318c9b5684b75b7217878a3060fbb424bc9f8800d34f107d47f2eb675a587e9654a99010e6afd50a809210e0092daecf1498ab69e76979644 |
memory/1288-45-0x0000000000620000-0x0000000000650000-memory.dmp
memory/1288-46-0x0000000000E10000-0x0000000000E16000-memory.dmp
memory/1288-47-0x000000000A990000-0x000000000AFA8000-memory.dmp
memory/1288-48-0x000000000A490000-0x000000000A59A000-memory.dmp
memory/1288-49-0x000000000A3D0000-0x000000000A3E2000-memory.dmp
memory/1288-50-0x000000000A430000-0x000000000A46C000-memory.dmp
memory/1288-51-0x0000000002820000-0x000000000286C000-memory.dmp