Analysis Overview
SHA256
d3b7e5cbe2980cd2fb6f7f30eaade26a956ec4a02e71ed37c80b263166b40ef2
Threat Level: Known bad
The file red.zip was found to be: Known bad.
Malicious Activity Summary
RedLine payload
Lumma Stealer
Modifies Windows Defender Real-time Protection settings
ZGRat
Detects Healer an antivirus disabler dropper
Healer
RedLine
Amadey
SmokeLoader
Detect ZGRat V1
Reads user/profile data of web browsers
Windows security modification
Executes dropped EXE
Checks computer location settings
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Adds Run key to start application
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of SetThreadContext
Enumerates physical storage devices
Unsigned PE
Program crash
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Checks SCSI registry key(s)
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-09 14:29
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral8
Detonation Overview
Submitted
2024-05-09 14:29
Reported
2024-05-09 14:32
Platform
win10v2004-20240426-en
Max time kernel
142s
Max time network
148s
Command Line
Signatures
Amadey
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k8198779.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k8198779.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k8198779.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k8198779.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k8198779.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k8198779.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l2779660.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1492613.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k8198779.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l2779660.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n1976579.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k8198779.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1492613.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\64792ffeeccbab6bb3d100eb7b35cb61c8c90b802e42d83350baf6d1ceefbb35.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k8198779.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k8198779.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k8198779.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l2779660.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\64792ffeeccbab6bb3d100eb7b35cb61c8c90b802e42d83350baf6d1ceefbb35.exe
"C:\Users\Admin\AppData\Local\Temp\64792ffeeccbab6bb3d100eb7b35cb61c8c90b802e42d83350baf6d1ceefbb35.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1492613.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1492613.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k8198779.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k8198779.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l2779660.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l2779660.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
"C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n1976579.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n1976579.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN pdates.exe /TR "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "pdates.exe" /P "Admin:N"&&CACLS "pdates.exe" /P "Admin:R" /E&&echo Y|CACLS "..\925e7e99c5" /P "Admin:N"&&CACLS "..\925e7e99c5" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "pdates.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "pdates.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\925e7e99c5" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\925e7e99c5" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| BE | 2.17.107.104:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.107.17.2.in-addr.arpa | udp |
| BE | 2.17.107.104:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| FI | 77.91.124.84:19071 | | tcp |
| FI | 77.91.68.61:80 | | tcp |
| FI | 77.91.124.84:19071 | | tcp |
| FI | 77.91.68.61:80 | | tcp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| FI | 77.91.124.84:19071 | | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| FI | 77.91.68.61:80 | | tcp |
| FI | 77.91.124.84:19071 | | tcp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| FI | 77.91.124.84:19071 | | tcp |
| FI | 77.91.124.84:19071 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1492613.exe
| MD5 | 4be6814f9d7bcc1f7dcec1d86c7e2ce3 |
| SHA1 | 97c5e69123e903a4b0350f8eaaf724915462809f |
| SHA256 | 772037aa9042a2f87b6cf8d460834e0cbc2fdf6458d26bad6d7a44da067505f9 |
| SHA512 | 1dc408479f4c5e0cb4ab4a0232c5ee320d4c8781ec2ad10d1d996c73ac995637b18bfe9422cb0559a3c2c1277b0e6c1c9a202994d0e9b14f06a4caf9258afff2 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k8198779.exe
| MD5 | 7e93bacbbc33e6652e147e7fe07572a0 |
| SHA1 | 421a7167da01c8da4dc4d5234ca3dd84e319e762 |
| SHA256 | 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38 |
| SHA512 | 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91 |
memory/4212-14-0x00007FFC21A93000-0x00007FFC21A95000-memory.dmp
memory/4212-15-0x00000000005F0000-0x00000000005FA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l2779660.exe
| MD5 | aea234064483f651010cf9d981f59fea |
| SHA1 | 002ad73a666d2d92d0c6d6b617e61c6fa0c5f3a6 |
| SHA256 | 58b02c8b4bc2bf7f5f1e8e45d7c206956f188ae56b648922ca75987b999db503 |
| SHA512 | eae415ef55aeb1b4548c2422a72e618fce17c2c1322918d33dc6b9202a01c743a5684ba28e5d83b6cdb2b703bc12569e6bb0e87ef2decb4e8a18592e1380a434 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n1976579.exe
| MD5 | 0bd83394787cc1ab96c40cd65888ddb2 |
| SHA1 | 368839d202e6a809ee02d0fa153b63e5f793faaa |
| SHA256 | a38ad2401242f87821082534fcc1f40b6fd418777a1d9d20b600eb25a744703a |
| SHA512 | 4effae3df94ddbfdee10614fb06aca92c361c7bbaab95a269e29d88ed024adc38b502219e8ad5138ca8f85c9116f2a74295de03932a3a0d210621bbbed05a66d |
memory/1260-33-0x0000000000560000-0x0000000000590000-memory.dmp
memory/1260-34-0x0000000002700000-0x0000000002706000-memory.dmp
memory/1260-35-0x0000000005510000-0x0000000005B28000-memory.dmp
memory/1260-36-0x0000000005000000-0x000000000510A000-memory.dmp
memory/1260-37-0x0000000004EF0000-0x0000000004F02000-memory.dmp
memory/1260-38-0x0000000004F50000-0x0000000004F8C000-memory.dmp
memory/1260-39-0x0000000004F90000-0x0000000004FDC000-memory.dmp
Analysis: behavioral9
Detonation Overview
Submitted
2024-05-09 14:29
Reported
2024-05-09 14:32
Platform
win10v2004-20240426-en
Max time kernel
149s
Max time network
154s
Command Line
Signatures
Amadey
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p0089499.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p0089499.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p0089499.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p0089499.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p0089499.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p0089499.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r2080448.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6127935.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p0089499.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r2080448.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\t7168966.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p0089499.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\71d1420ff1b7b7e37d536b943d3ba7e0a2fa5972fce4156cbbc73c7416d49d80.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6127935.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p0089499.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p0089499.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p0089499.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\71d1420ff1b7b7e37d536b943d3ba7e0a2fa5972fce4156cbbc73c7416d49d80.exe
"C:\Users\Admin\AppData\Local\Temp\71d1420ff1b7b7e37d536b943d3ba7e0a2fa5972fce4156cbbc73c7416d49d80.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6127935.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6127935.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p0089499.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p0089499.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r2080448.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r2080448.exe
C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe
"C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\t7168966.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\t7168966.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legola.exe /TR "C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legola.exe" /P "Admin:N"&&CACLS "legola.exe" /P "Admin:R" /E&&echo Y|CACLS "..\ebb444342c" /P "Admin:N"&&CACLS "..\ebb444342c" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "legola.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "legola.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\ebb444342c" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\ebb444342c" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe
C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe
C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe
C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe
C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe
C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| BE | 2.17.107.107:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| BE | 2.17.107.107:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| FI | 77.91.124.84:19071 | | tcp |
| SE | 5.42.92.67:80 | | tcp |
| FI | 77.91.124.84:19071 | | tcp |
| SE | 5.42.92.67:80 | | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| FI | 77.91.124.84:19071 | | tcp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| SE | 5.42.92.67:80 | | tcp |
| FI | 77.91.124.84:19071 | | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| FI | 77.91.124.84:19071 | | tcp |
| FI | 77.91.124.84:19071 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6127935.exe
| MD5 | 5cc11266b3d8b9fdfb73c46b6929c50c |
| SHA1 | 7a8b5a32269f1785a749a7f0577c2d9600fd9c84 |
| SHA256 | 423dbbd7bdf741d19877d057fc05252d1464e68636e988bebd460e214986416b |
| SHA512 | 9b2fa4a88c467a2499c453505cdfdbf6fe22374d67e8ba4b45fa1da8594f126b155dbffcb9f2546b88814262feea677fc394ed36283172e88f80fc3ea85477fc |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p0089499.exe
| MD5 | 5e9cb39b7fd0110e2b07b5bb53e46943 |
| SHA1 | 78f74fd61257827ed4a010d04705431203e6ed37 |
| SHA256 | b45d8a5bdba93cfa6879367d146f3b62e17ea91d99bd28cd5598ba67b832a9f8 |
| SHA512 | aa50da7eb3806f572b4bd41ab3d857ab7a8ba6e1296e27c8c04f350220292cd01cf8b7e04535177943789f10fd6640a03cbd097e562bad5d08d710f407d0376a |
memory/2652-14-0x0000000000600000-0x000000000060A000-memory.dmp
memory/2652-15-0x00007FFF636C3000-0x00007FFF636C5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r2080448.exe
| MD5 | b5b873d143037f6f5b0f786292fcaf34 |
| SHA1 | 052639c3611d2df6b849e4da83b2bbebc978e8f0 |
| SHA256 | 6d7d3363c6f6c7615e0106f45c36038ad4949ad828b8b549f28184f60a5c7767 |
| SHA512 | 4f5047de6a84fd5e883a3c6bd8de5d995add661379c48bbdbd8758a7eef447ba7d08974fe70ccd7eac06e5adcc9f887c887d9e83cff9328269f35abf8cc37a2d |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\t7168966.exe
| MD5 | 8d389d073b2beebc6758e4426950acf1 |
| SHA1 | 418b296c120f7d03a8fda12546f84abefe101bd7 |
| SHA256 | 22052d0b22cb9fbf76cc9ce7d73630aae6709880c857d6c86e9297ba8728117c |
| SHA512 | 6382aa3ed4aec88b3ada0e001f8cca4d7ffeedb20650d4b63ce78dbad373d5b265954116604525e35af177b7cc0f729783560f20b04d0f8c90c76962ee277e27 |
memory/4764-33-0x0000000000770000-0x00000000007A0000-memory.dmp
memory/4764-34-0x0000000000F70000-0x0000000000F76000-memory.dmp
memory/4764-35-0x00000000057D0000-0x0000000005DE8000-memory.dmp
memory/4764-36-0x00000000052C0000-0x00000000053CA000-memory.dmp
memory/4764-37-0x0000000004FF0000-0x0000000005002000-memory.dmp
memory/4764-38-0x0000000005050000-0x000000000508C000-memory.dmp
memory/4764-39-0x00000000051B0000-0x00000000051FC000-memory.dmp
Analysis: behavioral21
Detonation Overview
Submitted
2024-05-09 14:29
Reported
2024-05-09 14:32
Platform
win10v2004-20240508-en
Max time kernel
132s
Max time network
155s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7635366.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f3093622.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7635366.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\eca60134d922b4bca2cb5060841b6d45581f33e04f763a9c118fc9f22e289e3f.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\eca60134d922b4bca2cb5060841b6d45581f33e04f763a9c118fc9f22e289e3f.exe
"C:\Users\Admin\AppData\Local\Temp\eca60134d922b4bca2cb5060841b6d45581f33e04f763a9c118fc9f22e289e3f.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7635366.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7635366.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f3093622.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f3093622.exe
Network
| Country | Destination | Domain | Proto |
| FI | 77.91.68.48:19071 | | tcp |
| FI | 77.91.68.48:19071 | | tcp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| FI | 77.91.68.48:19071 | | tcp |
| FI | 77.91.68.48:19071 | | tcp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| FI | 77.91.68.48:19071 | | tcp |
| FI | 77.91.68.48:19071 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7635366.exe
| MD5 | 20715fe4786611010dd91e5fb0fee438 |
| SHA1 | 8e0f979a58df8603089d7c3d34ffc66f31aff7e1 |
| SHA256 | 39390e8abc1907a2db11cd48d0435f7ad40bf8a88ea849f4a7bb914320c9538b |
| SHA512 | 5792f697cf925ef1bb614277dbc7c2e4bf77de8a783f311e786d79e445c9066ea0a6a1b2639e7a5c0cbf644353697322b4a2dc4414dcad95bb1ea53fe18cb04c |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f3093622.exe
| MD5 | 2245540fefa6d92f4abf404ca89b4bea |
| SHA1 | af501e7d76d8af527d807f637e9c0bbc6830194e |
| SHA256 | 40baf491e87bf3ef59a9701dd8d7fb20f6dc803aa25915ca27ed36376650a1b3 |
| SHA512 | 7e48156ff67155aa8d2a3548978556bab7dc9ea93c8a1a973e150604018599f3e1a203154deea360fe06eeffb97d03245dd9a524b0b5af0b2611e6c526731469 |
memory/1012-14-0x0000000000401000-0x0000000000402000-memory.dmp
memory/1012-15-0x0000000000440000-0x0000000000470000-memory.dmp
memory/1012-19-0x0000000000400000-0x000000000043A000-memory.dmp
memory/1012-20-0x0000000004A60000-0x0000000004A66000-memory.dmp
memory/1012-21-0x000000000A5C0000-0x000000000ABD8000-memory.dmp
memory/1012-22-0x000000000A020000-0x000000000A12A000-memory.dmp
memory/1012-23-0x000000000A160000-0x000000000A172000-memory.dmp
memory/1012-24-0x000000000A180000-0x000000000A1BC000-memory.dmp
memory/1012-25-0x0000000004440000-0x000000000448C000-memory.dmp
Analysis: behavioral22
Detonation Overview
Submitted
2024-05-09 14:29
Reported
2024-05-09 14:32
Platform
win10v2004-20240426-en
Max time kernel
148s
Max time network
153s
Command Line
Signatures
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k3968565.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k3968565.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k3968565.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k3968565.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k3968565.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k3968565.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2293620.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1680674.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k3968565.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l7023074.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k3968565.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k3968565.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\f16db96028a7afeb1141a5506032310d36b0354cd63f796d585fdd9cd3b2c8f1.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2293620.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1680674.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k3968565.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k3968565.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k3968565.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\f16db96028a7afeb1141a5506032310d36b0354cd63f796d585fdd9cd3b2c8f1.exe
"C:\Users\Admin\AppData\Local\Temp\f16db96028a7afeb1141a5506032310d36b0354cd63f796d585fdd9cd3b2c8f1.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2293620.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2293620.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1680674.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1680674.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k3968565.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k3968565.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l7023074.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l7023074.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| BE | 88.221.83.192:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 192.83.221.88.in-addr.arpa | udp |
| BE | 88.221.83.192:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| FI | 77.91.68.56:19071 | | tcp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| FI | 77.91.68.56:19071 | | tcp |
| FI | 77.91.68.56:19071 | | tcp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| FI | 77.91.68.56:19071 | | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| FI | 77.91.68.56:19071 | | tcp |
| FI | 77.91.68.56:19071 | | tcp |
| US | 8.8.8.8:53 | 104.193.132.51.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2293620.exe
| MD5 | 18e389e79f96cbe2d759c734d3e49e78 |
| SHA1 | 50cb298fd91a90ebf2bac3bde37b6d77cca4267d |
| SHA256 | 48fd34f5c8037fad88d01fc9863612f020fbc15409efca49d40f7e91639d33ff |
| SHA512 | ac4e859905944e6b2e868207279aa880aeb6fd0ad2aa962f59f7c89285b7c99be54a35166df5d64174bcea5f718e4e4a277e0d39d568093033d1903dc4610b79 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1680674.exe
| MD5 | 68067bec765ac70f1c242f4c4046c282 |
| SHA1 | ff713e405ab12cde47cbaf932cf1cb87e557c956 |
| SHA256 | 2bd9ad30ef9ab2fc56a38f9487a2466f5f4d031f2bbb4d3e44668958433bc79a |
| SHA512 | d8d04c652650d26d12caeadbbd2dea80ac31c039f79a415035ad40f4fea08fd2ef07ea01a7b3d03ef8518dc8df8b135bd035a144e9b50d391c1da5e755922016 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k3968565.exe
| MD5 | 8da17d71715c495fb0be1adf72311636 |
| SHA1 | 87f0490b70f70fd36e00bb7d2d7ff279119296fd |
| SHA256 | 5c02f1c047f26359ace7383a60bec2b7f4cc68c8948007e12f8a7757d6b309d2 |
| SHA512 | 3db56898bdee039a7d1fd374852a564e39ea97469a72203e0d3e0c18862a90475f51390c617f05d0a04f9531e0b785e625549caea0f484063029c25ab2c59b93 |
memory/4416-21-0x0000000000401000-0x0000000000404000-memory.dmp
memory/4416-22-0x0000000000680000-0x00000000006BE000-memory.dmp
memory/4416-28-0x0000000000680000-0x00000000006BE000-memory.dmp
memory/4416-29-0x0000000002300000-0x0000000002301000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l7023074.exe
| MD5 | 01e3487170c4d9d1da491a231157e6fd |
| SHA1 | 12d851baae91313bcae4da1d254cf5a8a8a424a1 |
| SHA256 | 952c7cdd3f35e9c7ff35b78ac3bcf2e3fd6be449a8d017f515b1262c3697fbb6 |
| SHA512 | f98cd58a23a26f76196bb95849a2d0eb435e10702f5bf1d0d17f8cfbc0eeb94f3be6e1da1780eca081215a87c30f40270ba0ab2b5f9b777910b104e1a29785a9 |
memory/1324-35-0x0000000002010000-0x000000000209C000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\System.dll.log
| MD5 | 916851e072fbabc4796d8916c5131092 |
| SHA1 | d48a602229a690c512d5fdaf4c8d77547a88e7a2 |
| SHA256 | 7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d |
| SHA512 | 07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521 |
memory/1324-44-0x0000000002530000-0x0000000002536000-memory.dmp
memory/1324-42-0x0000000002010000-0x000000000209C000-memory.dmp
memory/1324-45-0x0000000005010000-0x0000000005628000-memory.dmp
memory/1324-46-0x0000000004A80000-0x0000000004B8A000-memory.dmp
memory/1324-47-0x0000000004BB0000-0x0000000004BC2000-memory.dmp
memory/1324-48-0x0000000004BD0000-0x0000000004C0C000-memory.dmp
memory/1324-49-0x0000000004C40000-0x0000000004C8C000-memory.dmp
Analysis: behavioral20
Detonation Overview
Submitted
2024-05-09 14:29
Reported
2024-05-09 14:32
Platform
win10v2004-20240426-en
Max time kernel
147s
Max time network
154s
Command Line
Signatures
Amadey
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3432513.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3432513.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3432513.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3432513.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3432513.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3432513.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l8177984.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8175024.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3432513.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l8177984.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n2169610.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3432513.exe | N/A |
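The six registry writes above (the five Real-Time Protection policy values and the TamperProtection flag) are the Healer component's whole contribution to this bundle: it does not steal anything itself, it turns Defender's real-time, behaviour, on-access and download (IOAV) scanning off so the RedLine and Amadey payloads that follow are not caught. On a host with Tamper Protection enabled these writes are expected to be ignored or blocked, so the attempt itself, not its success, is the detection signal. The following is an added example, not part of the sandbox report, that parses rows in the report's own table shape (action, indicator, process, target) and returns every write that sets a Defender-disabling value; the sample rows are copied from the behavioral20 tables above, the RunOnce row is included only as a negative case (its value is abbreviated), and DisableAntiSpyware is an extra value name added from general knowledge of Defender policy, not something this report shows:

```python
import re

# Constructed sample: rows copied from the behavioral20 "Modifies Windows Defender
# Real-time Protection settings" and "Windows security modification" tables, plus the
# IExpress RunOnce row (value abbreviated) which must NOT be flagged.
SAMPLE_ROWS = [
    r'| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3432513.exe | N/A |',
    r'| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3432513.exe | N/A |',
    r'| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3432513.exe | N/A |',
    r'| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3432513.exe | N/A |',
    r'| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3432513.exe | N/A |',
    r'| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3432513.exe | N/A |',
    r'| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3432513.exe | N/A |',
    r'| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe advpack.dll,DelNodeRunDLL32 IXP000.TMP" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8175024.exe | N/A |',
]

DEFENDER_POLICY_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender"
DEFENDER_FEATURES_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features"

# Value name -> the data that disables the corresponding protection layer.
# DisableAntiSpyware is an assumption added from general Defender knowledge; the rest appear in this report.
TAMPER_VALUES = {
    "DisableRealtimeMonitoring": "1",
    "DisableBehaviorMonitoring": "1",
    "DisableIOAVProtection": "1",
    "DisableOnAccessProtection": "1",
    "DisableScanOnRealtimeEnable": "1",
    "DisableAntiSpyware": "1",
    "TamperProtection": "0",
}

# Indicator cell is either a bare key path ("Key created") or 'key\name = "data"' ("Set value").
INDICATOR_RE = re.compile(r'^(?P<path>[^=]+?)(?:\s=\s"(?P<value>.*)")?$')


def parse_row(line):
    """Split one report row into its four cells and decompose the registry indicator."""
    cells = [c.strip() for c in line.strip().strip("|").split("|")]
    if len(cells) != 4 or cells[0] == "Description":
        return None
    action, indicator, process, _target = cells
    m = INDICATOR_RE.match(indicator)
    path, value = m.group("path").strip(), m.group("value")
    if value is None:
        key, name = path, None            # key creation carries no value name
    else:
        key, _, name = path.rpartition("\\")
    return {"action": action, "key": key, "name": name, "value": value, "process": process}


def defender_tampering(rows):
    """Return (process, key, value_name, data) for each write that switches a Defender feature off."""
    hits = []
    for line in rows:
        r = parse_row(line)
        if r is None or r["name"] is None:
            continue
        in_scope = r["key"].startswith(DEFENDER_POLICY_KEY) or r["key"] == DEFENDER_FEATURES_KEY
        if in_scope and TAMPER_VALUES.get(r["name"]) == r["value"]:
            hits.append((r["process"], r["key"], r["name"], r["value"]))
    return hits


def by_process(hits):
    """Group the disabled value names under the process that wrote them."""
    grouped = {}
    for process, _key, name, _data in hits:
        grouped.setdefault(process, set()).add(name)
    return grouped


if __name__ == "__main__":
    for process, names in by_process(defender_tampering(SAMPLE_ROWS)).items():
        print(process, "->", ", ".join(sorted(names)))
```

The same logic maps directly onto a registry-write telemetry source such as Sysmon Event ID 13 (the key path and value data are the same strings); the pair of a Policies\Microsoft\Windows Defender write and a TamperProtection = 0 write from one process under %TEMP% is a high-confidence signal on its own.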
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\dcfab037f7269dd60bc810f260b86d7331030c746f879fa94f4b6bf922ae96a0.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8175024.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3432513.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3432513.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3432513.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l8177984.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\dcfab037f7269dd60bc810f260b86d7331030c746f879fa94f4b6bf922ae96a0.exe
"C:\Users\Admin\AppData\Local\Temp\dcfab037f7269dd60bc810f260b86d7331030c746f879fa94f4b6bf922ae96a0.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8175024.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8175024.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3432513.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3432513.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l8177984.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l8177984.exe
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
"C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n2169610.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n2169610.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN danke.exe /TR "C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "danke.exe" /P "Admin:N"&&CACLS "danke.exe" /P "Admin:R" /E&&echo Y|CACLS "..\3ec1f323b5" /P "Admin:N"&&CACLS "..\3ec1f323b5" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "danke.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "danke.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\3ec1f323b5" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\3ec1f323b5" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| BE | 88.221.83.203:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| BE | 88.221.83.203:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.83.221.88.in-addr.arpa | udp |
| FI | 77.91.68.68:19071 | | tcp |
| FI | 77.91.68.3:80 | | tcp |
| FI | 77.91.68.68:19071 | | tcp |
| FI | 77.91.68.3:80 | | tcp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| FI | 77.91.68.68:19071 | | tcp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| FI | 77.91.68.3:80 | | tcp |
| FI | 77.91.68.68:19071 | | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| FI | 77.91.68.3:80 | | tcp |
| FI | 77.91.68.68:19071 | | tcp |
| US | 8.8.8.8:53 | 35.197.79.40.in-addr.arpa | udp |
| FI | 77.91.68.3:80 | | tcp |
| FI | 77.91.68.68:19071 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8175024.exe
| MD5 | 2992c1c37ef21e6c16de467bd513befe |
| SHA1 | 9eacfd4ecf51548ccb35cea4f99f570a476377d6 |
| SHA256 | 8d781b380fbf923c740ef35c5684110a1f6babd0a3bbc953a6e8d732be7a0af2 |
| SHA512 | 7bfb7f285c0751747b6624e12d6adf9866276b01c2766354f46308eb278a35c1e562bd372a0e99d94bc66734821a097714fa9a79cbd789baf3c66f3bfd56b9e2 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3432513.exe
| MD5 | 7e93bacbbc33e6652e147e7fe07572a0 |
| SHA1 | 421a7167da01c8da4dc4d5234ca3dd84e319e762 |
| SHA256 | 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38 |
| SHA512 | 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91 |
memory/4836-14-0x0000000000750000-0x000000000075A000-memory.dmp
memory/4836-15-0x00007FFC4AB63000-0x00007FFC4AB65000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l8177984.exe
| MD5 | 8c6b79ec436d7cf6950a804c1ec7d3e9 |
| SHA1 | 4a589d5605d8ef785fdc78b0bf64e769e3a21ad6 |
| SHA256 | 4e1377f9874f333dcb0b1b758e3131949e667fc39aadf3091e4e3b7cdbaeef1d |
| SHA512 | 06f2de433876963bb7bbddbe93cab0b7dd22164d1c10726294445944dcf5fa4a0fb450fc683c32565177a81a6103f6a5f11d291958bc7fcff7fdb9cf41a001ce |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n2169610.exe
| MD5 | e75bfc15b4b78b8eafca01391aaa3e0c |
| SHA1 | 096726c5001c30072259f91bc161a51dd4ff1c46 |
| SHA256 | 631b5276e3d8c2b3ca2337e6ad52d6c788ea933056dd0c14e5b9a38930e58ecc |
| SHA512 | 26d5f46cc8f78b85471cec6b721694f075f1dea382c1a2f9c2354724c16f662e80ea614d43660ee634e155d954a6a65df86ecad132eb8d37dcee1504d284f9ad |
memory/3872-33-0x0000000000730000-0x0000000000760000-memory.dmp
memory/3872-34-0x0000000000F70000-0x0000000000F76000-memory.dmp
memory/3872-35-0x0000000005810000-0x0000000005E28000-memory.dmp
memory/3872-36-0x0000000005300000-0x000000000540A000-memory.dmp
memory/3872-37-0x0000000005210000-0x0000000005222000-memory.dmp
memory/3872-38-0x0000000005270000-0x00000000052AC000-memory.dmp
memory/3872-39-0x00000000052B0000-0x00000000052FC000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-09 14:29
Reported
2024-05-09 14:32
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
154s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1185734.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f0011085.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\3ab23a30366cb3cfeded88ccba1999ff26ead2bcde69af9aad7e2ed1fa054cc6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1185734.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\3ab23a30366cb3cfeded88ccba1999ff26ead2bcde69af9aad7e2ed1fa054cc6.exe
"C:\Users\Admin\AppData\Local\Temp\3ab23a30366cb3cfeded88ccba1999ff26ead2bcde69af9aad7e2ed1fa054cc6.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1185734.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1185734.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f0011085.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f0011085.exe
Network
| Country | Destination | Domain | Proto |
| FI | 77.91.68.48:19071 | | tcp |
| FI | 77.91.68.48:19071 | | tcp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| FI | 77.91.68.48:19071 | | tcp |
| US | 52.111.229.43:443 | | tcp |
| FI | 77.91.68.48:19071 | | tcp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| FI | 77.91.68.48:19071 | | tcp |
| FI | 77.91.68.48:19071 | | tcp |
| US | 8.8.8.8:53 | 88.16.208.104.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1185734.exe
| MD5 | 3211325470f6929971deb61d33db781a |
| SHA1 | b71e886212447aac365b2485623873f4122080bc |
| SHA256 | f5e9db4e25450c63ea89cf56c3bb7e2d9e2f7f70a2d7ef01f9070c9c9e7ea3fe |
| SHA512 | 7fca2883972e3a967a1fc19c43994b57eb60edea4690ea8b47922c970e649597db40880fe511123a126b2adf0c224091308e4004d77bf110c9033d87b1861607 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f0011085.exe
| MD5 | 5b55a135c863ac61103a4cd53f53ebf4 |
| SHA1 | a7366c5895d88489f3535a903fa915bcd1f141b1 |
| SHA256 | 711b3f68d2100dfa3f4ee01aada958c1f9f347144cc982dfb1824e01cce64ad2 |
| SHA512 | e4d1ea6248202d6a10ae0914af581d68d8fdd339ef773cabc93f70867409bb0dc7be0f42b614a376cd200921d345ab7581daa2e620b7057dee3d4b3f56a3e9f9 |
memory/3960-14-0x0000000000401000-0x0000000000402000-memory.dmp
memory/3960-15-0x0000000000510000-0x0000000000540000-memory.dmp
memory/3960-19-0x0000000000400000-0x000000000043A000-memory.dmp
memory/3960-20-0x0000000002530000-0x0000000002536000-memory.dmp
memory/3960-21-0x000000000A000000-0x000000000A618000-memory.dmp
memory/3960-22-0x000000000A640000-0x000000000A74A000-memory.dmp
memory/3960-23-0x000000000A780000-0x000000000A792000-memory.dmp
memory/3960-24-0x000000000A7A0000-0x000000000A7DC000-memory.dmp
memory/3960-25-0x0000000004590000-0x00000000045DC000-memory.dmp
Analysis: behavioral7
Detonation Overview
Submitted
2024-05-09 14:29
Reported
2024-05-09 14:32
Platform
win10v2004-20240508-en
Max time kernel
148s
Max time network
154s
Command Line
Signatures
Amadey
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h8584563.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h8584563.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h8584563.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h8584563.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h8584563.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h8584563.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g7518209.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4815437.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g7518209.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h8584563.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j5111262.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h8584563.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\53cf9b6e163fb85f7a2983777330f4b842b13db5809af32dc4a7847702037208.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4815437.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h8584563.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h8584563.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h8584563.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\53cf9b6e163fb85f7a2983777330f4b842b13db5809af32dc4a7847702037208.exe
"C:\Users\Admin\AppData\Local\Temp\53cf9b6e163fb85f7a2983777330f4b842b13db5809af32dc4a7847702037208.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4815437.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4815437.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g7518209.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g7518209.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
"C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe"
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h8584563.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h8584563.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN pdates.exe /TR "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "pdates.exe" /P "Admin:N"&&CACLS "pdates.exe" /P "Admin:R" /E&&echo Y|CACLS "..\925e7e99c5" /P "Admin:N"&&CACLS "..\925e7e99c5" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "pdates.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "pdates.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\925e7e99c5" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\925e7e99c5" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j5111262.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j5111262.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
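The process chains in behavioral20 (danke.exe) and behavioral7 (pdates.exe) show the Amadey loader's persistence routine: copy itself to a random eight-character directory under %TEMP%, register a scheduled task that relaunches it every minute, then use CACLS to replace the ACL on the copy and its directory with a no-access entry for the logged-on account (Admin:N) and add back read-only (Admin:R /E), so the user cannot delete or overwrite the file without first repairing the ACL. Two details worth reading correctly: the image is C:\Windows\SysWOW64\schtasks.exe even though the command line says System32, which is WOW64 file-system redirection for a 32-bit parent, not tampering; and the RunOnce wextract_cleanupN entries under "Adds Run key" are written by the IExpress self-extractor that produced the IXP00N.TMP directories, to delete them at next logon, so they are packaging residue rather than the malware's persistence. The following added example, not part of the report, parses command lines in the shape recorded above and flags the minute-interval Temp task and the self-deny ACL; the sample lines are copied from the two analyses, and the nightly backup task is an assumption included as a negative case:

```python
import re

# Constructed sample: command lines copied from the behavioral20 and behavioral7
# process lists, plus one ordinary scheduled task (assumed) that must not match.
SAMPLE_CMDLINES = [
    r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN danke.exe /TR "C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe" /F',
    r'CACLS "danke.exe" /P "Admin:N"',
    r'CACLS "danke.exe" /P "Admin:R" /E',
    r'CACLS "..\3ec1f323b5" /P "Admin:N"',
    r'CACLS "..\3ec1f323b5" /P "Admin:R" /E',
    r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN pdates.exe /TR "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe" /F',
    r'"C:\Windows\System32\schtasks.exe" /Create /SC DAILY /ST 02:00 /TN NightlyBackup /TR "C:\Program Files\Backup\run.exe"',
]

SCHTASKS_CREATE_RE = re.compile(r'schtasks(?:\.exe)?"?\s+/create\b', re.I)
# /SC, /MO, /TN, /TR followed by either a quoted or a bare argument.
SCHTASKS_ARG_RE = re.compile(r'/(sc|mo|tn|tr)\s+(?:"([^"]*)"|(\S+))', re.I)
USER_TEMP_RE = re.compile(r'\\Users\\[^\\]+\\AppData\\Local\\Temp\\', re.I)
# CACLS <target> /P <account>:<perm> [/E]
CACLS_RE = re.compile(r'\bcacls(?:\.exe)?\s+"?([^"]+?)"?\s+/P\s+"?([^":]+):([NRWCF])"?(.*)$', re.I)


def parse_schtasks(cmdline):
    """Return the /SC /MO /TN /TR arguments of a 'schtasks /Create' command line, or None."""
    if not SCHTASKS_CREATE_RE.search(cmdline):
        return None
    args = {}
    for m in SCHTASKS_ARG_RE.finditer(cmdline):
        args[m.group(1).upper()] = m.group(2) if m.group(2) is not None else m.group(3)
    return args


def is_amadey_style_task(args):
    """Task fires every few minutes and its action is a binary under the user's Temp directory."""
    if args.get("SC", "").upper() != "MINUTE":
        return False
    try:
        modifier = int(args.get("MO", "1"))
    except ValueError:
        return False
    return modifier <= 5 and bool(USER_TEMP_RE.search(args.get("TR", "")))


def parse_cacls(cmdline):
    """Decompose a CACLS grant into target, account, permission letter and edit flag."""
    m = CACLS_RE.search(cmdline)
    if not m:
        return None
    target, account, perm, tail = m.groups()
    return {"target": target, "account": account, "perm": perm.upper(), "edit": "/E" in tail.upper()}


def persistence_hits(cmdlines):
    """Flag the scheduled-task persistence and the self-protecting ACL change."""
    hits = []
    for cmdline in cmdlines:
        task = parse_schtasks(cmdline)
        if task and is_amadey_style_task(task):
            hits.append(("task_minute_temp", task.get("TN"), task.get("TR")))
        acl = parse_cacls(cmdline)
        # 'account:N' without /E replaces the whole ACL with a single no-access entry.
        if acl and acl["perm"] == "N" and not acl["edit"]:
            hits.append(("acl_deny_own_account", acl["target"], acl["account"]))
    return hits


if __name__ == "__main__":
    for hit in persistence_hits(SAMPLE_CMDLINES):
        print(*hit)
```

On a live host the same two checks apply to Sysmon Event ID 1 or Windows 4688 command lines; during cleanup, run `icacls <dir> /reset /T` (or take ownership first) before deleting the directory, and remove the task with `schtasks /Delete /TN <name> /F`, otherwise the minute-interval task recreates the process before the file is gone.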
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| FI | 77.91.68.61:80 | | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 85.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| BE | 2.17.107.113:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 113.107.17.2.in-addr.arpa | udp |
| FI | 77.91.124.84:19071 | | tcp |
| FI | 77.91.124.84:19071 | | tcp |
| FI | 77.91.68.61:80 | | tcp |
| FI | 77.91.124.84:19071 | | tcp |
| FI | 77.91.68.61:80 | | tcp |
| FI | 77.91.124.84:19071 | | tcp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| FI | 77.91.124.84:19071 | | tcp |
| FI | 77.91.124.84:19071 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4815437.exe
| MD5 | 19d766497628bfafaa16fe135f1f1b0a |
| SHA1 | f8aad0b5a19a861713e9b12597b60a88ca60e3a4 |
| SHA256 | 86dceae601fa5b5e73cc2d2b996ef7dd67a0130f76e6834c71bac9c5e38327e4 |
| SHA512 | 941bffa57c78f8cd2b8e18ad71a265403b5d51779f494c6ad6728fa67c3d21a1bbe2e5b02cfcc83307960543add6ed522f5df9b0362ce6c7e76aee832ac45ff7 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g7518209.exe
| MD5 | aea234064483f651010cf9d981f59fea |
| SHA1 | 002ad73a666d2d92d0c6d6b617e61c6fa0c5f3a6 |
| SHA256 | 58b02c8b4bc2bf7f5f1e8e45d7c206956f188ae56b648922ca75987b999db503 |
| SHA512 | eae415ef55aeb1b4548c2422a72e618fce17c2c1322918d33dc6b9202a01c743a5684ba28e5d83b6cdb2b703bc12569e6bb0e87ef2decb4e8a18592e1380a434 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h8584563.exe
| MD5 | 7e93bacbbc33e6652e147e7fe07572a0 |
| SHA1 | 421a7167da01c8da4dc4d5234ca3dd84e319e762 |
| SHA256 | 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38 |
| SHA512 | 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91 |
memory/1728-27-0x0000000000F80000-0x0000000000F8A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j5111262.exe
| MD5 | c87109957c730f02a9a3a9c27d25c1e2 |
| SHA1 | 1ffa77d30d7e1e724155eedd75abf60bccc150e2 |
| SHA256 | 7572487d05661722768b23f6a8d9228f64606d0ddb5868babc1f8b2c1dac508d |
| SHA512 | cea4654ee49c6f01bcd6a9502eb6bfe4e39ed3228810406f437235be9542e9c20d419ec2bba75b36709ca28ded52bc848847c50db8be7ed3c9f7bd2da4a91aee |
memory/4952-32-0x0000000000190000-0x00000000001C0000-memory.dmp
memory/4952-33-0x0000000002520000-0x0000000002526000-memory.dmp
memory/4952-34-0x000000000A690000-0x000000000ACA8000-memory.dmp
memory/4952-35-0x000000000A180000-0x000000000A28A000-memory.dmp
memory/4952-36-0x000000000A090000-0x000000000A0A2000-memory.dmp
memory/4952-37-0x000000000A0F0000-0x000000000A12C000-memory.dmp
memory/4952-38-0x0000000002460000-0x00000000024AC000-memory.dmp
Analysis: behavioral12
Detonation Overview
Submitted
2024-05-09 14:29
Reported
2024-05-09 14:32
Platform
win10v2004-20240426-en
Max time kernel
143s
Max time network
112s
Command Line
Signatures
Detect ZGRat V1
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
ZGRat
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2344 set thread context of 4172 | N/A | C:\Users\Admin\AppData\Local\Temp\7dbf05d83f893a3fd85e266599155069e13d532333012d62fa0a41a625878965.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\7dbf05d83f893a3fd85e266599155069e13d532333012d62fa0a41a625878965.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\7dbf05d83f893a3fd85e266599155069e13d532333012d62fa0a41a625878965.exe
"C:\Users\Admin\AppData\Local\Temp\7dbf05d83f893a3fd85e266599155069e13d532333012d62fa0a41a625878965.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2344 -ip 2344
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2344 -s 336
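This run differs from the others: instead of an IExpress drop chain, the sample starts C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe with no arguments and, per the SetThreadContext signature, PID 2344 sets the thread context of PID 4172. Together with the memory dumps listed below (the first region captured in 4172 is 0x400000-0x44A000, a freshly written image at the default executable base) that is process hollowing: a legitimate signed .NET utility is created suspended, its image replaced with the RedLine/ZGRat payload, and the main thread's context repointed at the new entry. The WerFault invocations with -p 2344 show the injector itself crashed afterwards, which is also how its PID is known. The following added example, not part of the report, scores a SetThreadContext event against the process table using the four conditions that make this instance stand out; the PIDs come from the report, but the parent PIDs, the benign RegAsm invocation and the event shapes are assumptions for the example:

```python
import re
from dataclasses import dataclass


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed from behavioral12: PID 2344 (from the WerFault -p argument and the memory
# dump names) is the dropper, PID 4172 is RegAsm.exe. PPIDs and the third, legitimately
# used RegAsm process are assumptions added so the negative case is exercised.
PROCS = [
    Proc(2344, 1000,
         r"C:\Users\Admin\AppData\Local\Temp\7dbf05d83f893a3fd85e266599155069e13d532333012d62fa0a41a625878965.exe",
         r'"C:\Users\Admin\AppData\Local\Temp\7dbf05d83f893a3fd85e266599155069e13d532333012d62fa0a41a625878965.exe"'),
    Proc(4172, 2344,
         r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
         r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"'),
    Proc(5000, 1000,
         r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
         r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" /codebase C:\Build\MyLib.dll'),
]

# The signature row exactly as the report prints it.
SIGNATURE_ROWS = [
    r"| PID 2344 set thread context of 4172 | N/A | C:\Users\Admin\AppData\Local\Temp\7dbf05d83f893a3fd85e266599155069e13d532333012d62fa0a41a625878965.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |",
]

# .NET framework binaries commonly chosen as hollowing hosts because they are signed and
# live in a trusted path. RegAsm.exe is the one this report shows; the rest are assumptions.
HOST_BINARIES = {
    "regasm.exe", "regsvcs.exe", "msbuild.exe", "installutil.exe",
    "applaunch.exe", "aspnet_compiler.exe", "vbc.exe", "csc.exe",
}
USER_WRITABLE_RE = re.compile(r"^[A-Z]:\\Users\\[^\\]+\\AppData\\", re.I)
CONTEXT_RE = re.compile(r"PID (\d+) set thread context of (\d+)")


def parse_thread_context(rows):
    """Extract (source_pid, target_pid) pairs from SetThreadContext signature rows."""
    pairs = []
    for line in rows:
        m = CONTEXT_RE.search(line)
        if m:
            pairs.append((int(m.group(1)), int(m.group(2))))
    return pairs


def has_no_arguments(p):
    """True when the command line is nothing but the (possibly quoted) image path."""
    return p.cmdline.strip().strip('"').lower() == p.image.lower()


def hollowing_candidates(procs, signature_rows, min_reasons=3):
    """Score each thread-context write; report it when enough hollowing traits line up."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for src, dst in parse_thread_context(signature_rows):
        s, d = by_pid.get(src), by_pid.get(dst)
        if s is None or d is None:
            continue
        reasons = []
        if d.ppid == src:
            reasons.append("target is a child of the writer")
        if d.image.rsplit("\\", 1)[-1].lower() in HOST_BINARIES:
            reasons.append("target is a .NET host binary")
        if has_no_arguments(d):
            reasons.append("target was started with no arguments")
        if USER_WRITABLE_RE.match(s.image):
            reasons.append("writer runs from a user-writable path")
        if len(reasons) >= min_reasons:
            hits.append({"src": src, "dst": dst, "target": d.image, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in hollowing_candidates(PROCS, SIGNATURE_ROWS):
        print(hit["src"], "->", hit["dst"], hit["target"], "|", "; ".join(hit["reasons"]))
```

In EDR telemetry the equivalent is a process-creation event for a HOST_BINARIES image with an empty argument list whose parent lives under a user profile, followed by a cross-process thread-context or memory-write event from that parent; the unmodified RegAsm.exe on disk is benign, so the memory region, not the file hash, is what must be dumped and scanned.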
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| RU | 147.45.47.64:11837 | | tcp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| BE | 2.17.107.106:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.47.45.147.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 106.107.17.2.in-addr.arpa | udp |
| BE | 2.17.107.104:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 104.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
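Across every Network table in this report the pattern is the same: DNS and reverse (in-addr.arpa) lookups to 8.8.8.8 and the bing.com/bing.net connections are Windows background traffic in the sandbox, and what remains is a handful of bare-IP TCP connections with no DNS resolution at all: 77.91.68.56, 77.91.68.68, 77.91.68.48 and 77.91.124.84 on 19071, 77.91.68.3 and 77.91.68.61 on 80, and 147.45.47.64:11837 in this ZGRat/RedLine run. The fixed high port over raw TCP is consistent with RedLine's hard-coded IP:port C2, and port 80 with the Amadey HTTP panel, though the report does not label which process opened which socket. Because the addresses are hard-coded there is nothing for DNS-based blocking to catch; the controls are IP/port blocks and process-to-socket correlation on the endpoint. The following added example, not part of the report, extracts those candidates from rows in the report's own table shape, tolerating both the correct "| domain | proto |" layout and the shifted "| proto | |" rows, and emits Suricata rules for them; the sample rows are copied from the tables above and the allowlist of benign suffixes is an assumption for this sandbox, not a general-purpose list. Rows with no domain are not automatically malicious (52.111.229.43:443 in behavioral2 is a case for analyst triage), so the output is a candidate list:

```python
from collections import Counter

# Constructed sample: rows copied from the report's Network tables, including the
# mis-aligned rows where the protocol landed in the Domain column.
SAMPLE_ROWS = """
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| BE | 88.221.83.192:443 | www.bing.com | tcp |
| FI | 77.91.68.56:19071 | tcp | |
| FI | 77.91.68.56:19071 | tcp | |
| FI | 77.91.68.3:80 | tcp | |
| RU | 147.45.47.64:11837 | tcp | |
| FI | 77.91.68.68:19071 | tcp |
""".strip().splitlines()

# Assumed benign in this sandbox environment; tune per environment before reuse.
BENIGN_SUFFIXES = ("bing.com", "bing.net", "in-addr.arpa")
PROTOCOLS = {"tcp", "udp"}


def parse_row(line):
    """Turn one table row into a dict, repairing rows whose proto shifted into the Domain cell."""
    cells = [c.strip() for c in line.strip().strip("|").split("|")]
    if len(cells) < 3 or cells[0] == "Country":
        return None
    country, destination = cells[0], cells[1]
    rest = [c for c in cells[2:] if c]
    proto = next((c for c in rest if c.lower() in PROTOCOLS), "")
    domain = next((c for c in rest if c.lower() not in PROTOCOLS), "")
    host, _, port = destination.rpartition(":")
    return {"country": country, "host": host, "port": int(port),
            "domain": domain, "proto": proto.lower()}


def candidate_c2(rows):
    """Count connections per (host, port, proto) after dropping DNS and allowlisted domains."""
    hits = Counter()
    for line in rows:
        r = parse_row(line)
        if r is None:
            continue
        if r["host"] == "8.8.8.8" and r["port"] == 53:
            continue                                   # resolver traffic, not a peer
        if r["domain"] and r["domain"].lower().endswith(BENIGN_SUFFIXES):
            continue                                   # sandbox background noise
        hits[(r["host"], r["port"], r["proto"])] += 1
    return hits


def suricata_rules(hits, base_sid=1000001):
    """One alert rule per candidate destination, SIDs assigned in sorted order."""
    rules = []
    for i, ((host, port, proto), count) in enumerate(sorted(hits.items())):
        rules.append(
            f"alert {proto} $HOME_NET any -> {host} {port} "
            f'(msg:"red.zip sandbox C2 candidate {host}:{port} ({count} conns)"; '
            f"sid:{base_sid + i}; rev:1;)"
        )
    return rules


if __name__ == "__main__":
    for rule in suricata_rules(candidate_c2(SAMPLE_ROWS)):
        print(rule)
```

Feeding all of the report's tables through the same function collapses the repeated rows into one entry per destination with a connection count, which is the form that belongs in a block list or a Suricata rule set.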
Files
memory/2344-1-0x0000000000542000-0x0000000000543000-memory.dmp
memory/4172-0-0x0000000000400000-0x000000000044A000-memory.dmp
memory/4172-2-0x0000000074B5E000-0x0000000074B5F000-memory.dmp
memory/4172-3-0x0000000005550000-0x0000000005AF4000-memory.dmp
memory/4172-4-0x0000000004FA0000-0x0000000005032000-memory.dmp
memory/4172-5-0x0000000074B50000-0x0000000075300000-memory.dmp
memory/4172-6-0x0000000004F60000-0x0000000004F6A000-memory.dmp
memory/4172-7-0x00000000065B0000-0x0000000006BC8000-memory.dmp
memory/4172-8-0x00000000060E0000-0x00000000061EA000-memory.dmp
memory/4172-9-0x0000000006010000-0x0000000006022000-memory.dmp
memory/4172-10-0x0000000006070000-0x00000000060AC000-memory.dmp
memory/4172-11-0x00000000061F0000-0x000000000623C000-memory.dmp
memory/4172-12-0x0000000006370000-0x00000000063D6000-memory.dmp
memory/4172-13-0x0000000006CD0000-0x0000000006D46000-memory.dmp
memory/4172-14-0x0000000005E00000-0x0000000005E1E000-memory.dmp
memory/4172-15-0x0000000008150000-0x0000000008312000-memory.dmp
memory/4172-16-0x0000000008850000-0x0000000008D7C000-memory.dmp
memory/4172-18-0x0000000074B50000-0x0000000075300000-memory.dmp
Analysis: behavioral18
Detonation Overview
Submitted
2024-05-09 14:29
Reported
2024-05-09 14:32
Platform
win10v2004-20240426-en
Max time kernel
149s
Max time network
156s
Command Line
Signatures
Amadey
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h4489630.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h4489630.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h4489630.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h4489630.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h4489630.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h4489630.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g8646615.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7478428.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g8646615.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h4489630.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j5514228.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h4489630.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\d134576ca7416e71db7bd5aad43296de284dd20154fd0784d9bf45d27603fc48.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7478428.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h4489630.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h4489630.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h4489630.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\d134576ca7416e71db7bd5aad43296de284dd20154fd0784d9bf45d27603fc48.exe
"C:\Users\Admin\AppData\Local\Temp\d134576ca7416e71db7bd5aad43296de284dd20154fd0784d9bf45d27603fc48.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7478428.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7478428.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g8646615.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g8646615.exe
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
"C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe"
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h4489630.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h4489630.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN danke.exe /TR "C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "danke.exe" /P "Admin:N"&&CACLS "danke.exe" /P "Admin:R" /E&&echo Y|CACLS "..\3ec1f323b5" /P "Admin:N"&&CACLS "..\3ec1f323b5" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "danke.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "danke.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\3ec1f323b5" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\3ec1f323b5" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j5514228.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j5514228.exe
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 42.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| FI | 77.91.68.3:80 | | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| BE | 2.17.107.129:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 129.107.17.2.in-addr.arpa | udp |
| BE | 2.17.107.129:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| FI | 77.91.68.68:19071 | | tcp |
| FI | 77.91.68.68:19071 | | tcp |
| FI | 77.91.68.3:80 | | tcp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| FI | 77.91.68.68:19071 | | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| FI | 77.91.68.3:80 | | tcp |
| FI | 77.91.68.68:19071 | | tcp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| FI | 77.91.68.3:80 | | tcp |
| FI | 77.91.68.68:19071 | | tcp |
| FI | 77.91.68.3:80 | | tcp |
| FI | 77.91.68.68:19071 | | tcp |
| US | 8.8.8.8:53 | 104.246.116.51.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7478428.exe
| MD5 | a2e2b2e91e367edefb8b3d429de90444 |
| SHA1 | b4ed46aa9d248f3475a65f38212821f52a98eee7 |
| SHA256 | b74ec7c6b49bb61b42dae591ca9ad52a2e67544c9e1c29c0621872c0ca129611 |
| SHA512 | 9ecbd13effc0ffe7db57469253d62cb9d671c579ec5c7d3fd2a15cdc133b4e6af203adc47e0c0e70bd7ad764f7a5327a5b985f0152d4788746bd845a5915d90b |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g8646615.exe
| MD5 | 8c6b79ec436d7cf6950a804c1ec7d3e9 |
| SHA1 | 4a589d5605d8ef785fdc78b0bf64e769e3a21ad6 |
| SHA256 | 4e1377f9874f333dcb0b1b758e3131949e667fc39aadf3091e4e3b7cdbaeef1d |
| SHA512 | 06f2de433876963bb7bbddbe93cab0b7dd22164d1c10726294445944dcf5fa4a0fb450fc683c32565177a81a6103f6a5f11d291958bc7fcff7fdb9cf41a001ce |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h4489630.exe
| MD5 | 7e93bacbbc33e6652e147e7fe07572a0 |
| SHA1 | 421a7167da01c8da4dc4d5234ca3dd84e319e762 |
| SHA256 | 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38 |
| SHA512 | 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91 |
memory/4292-27-0x00000000007E0000-0x00000000007EA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j5514228.exe
| MD5 | ba393144fc7eb292801f8c21a99a0cec |
| SHA1 | 9f124ac70cb5c8cb87716179b36178cb69b0f622 |
| SHA256 | bf2fa018ecaf0d11c856214f17abfec1e53eb56e3f949a00596cb491950753e4 |
| SHA512 | 296f055ae096e9013139f3550a0ae39e95bad741f41aadfb1e3501878d1d918c748e0b4959bf1da053af8a36bc11a391dad7825491c4a0ee8bae2f597678bb6e |
memory/2428-32-0x0000000000070000-0x00000000000A0000-memory.dmp
memory/2428-33-0x0000000002210000-0x0000000002216000-memory.dmp
memory/2428-34-0x000000000A420000-0x000000000AA38000-memory.dmp
memory/2428-35-0x0000000009F10000-0x000000000A01A000-memory.dmp
memory/2428-36-0x0000000009E20000-0x0000000009E32000-memory.dmp
memory/2428-37-0x0000000009E80000-0x0000000009EBC000-memory.dmp
memory/2428-38-0x0000000002360000-0x00000000023AC000-memory.dmp
Analysis: behavioral19
Detonation Overview
Submitted
2024-05-09 14:29
Reported
2024-05-09 14:32
Platform
win10v2004-20240426-en
Max time kernel
149s
Max time network
153s
Command Line
Signatures
Amadey
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k3764084.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k3764084.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k3764084.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k3764084.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k3764084.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k3764084.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l2609246.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0103356.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y3789475.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k3764084.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l2609246.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m2036005.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k3764084.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y3789475.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\da09729d570cd93ed61c515d8407a5f4b201aca65e870a52b3082a39645d32e8.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0103356.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k3764084.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k3764084.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k3764084.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\da09729d570cd93ed61c515d8407a5f4b201aca65e870a52b3082a39645d32e8.exe
"C:\Users\Admin\AppData\Local\Temp\da09729d570cd93ed61c515d8407a5f4b201aca65e870a52b3082a39645d32e8.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0103356.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0103356.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y3789475.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y3789475.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k3764084.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k3764084.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l2609246.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l2609246.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
"C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe"
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m2036005.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m2036005.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN pdates.exe /TR "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "pdates.exe" /P "Admin:N"&&CACLS "pdates.exe" /P "Admin:R" /E&&echo Y|CACLS "..\925e7e99c5" /P "Admin:N"&&CACLS "..\925e7e99c5" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "pdates.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "pdates.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\925e7e99c5" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\925e7e99c5" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| BE | 88.221.83.248:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 248.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| BE | 88.221.83.248:443 | www.bing.com | tcp |
| FI | 77.91.68.61:80 | | tcp |
| FI | 77.91.124.156:19071 | | tcp |
| FI | 77.91.124.156:19071 | | tcp |
| FI | 77.91.68.61:80 | | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| FI | 77.91.124.156:19071 | | tcp |
| FI | 77.91.68.61:80 | | tcp |
| FI | 77.91.124.156:19071 | | tcp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| FI | 77.91.124.156:19071 | | tcp |
| FI | 77.91.124.156:19071 | | tcp |
| US | 8.8.8.8:53 | 210.143.182.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0103356.exe
| MD5 | 8946f43c4f6b2aaa321cedfc50ce97d3 |
| SHA1 | 1cca4806b37f3230d6a149ca309bdb56267a9e3c |
| SHA256 | dfe8a1dffeda9afdbcba34ea47036899d611f8c5a4e4331b25686d841275052b |
| SHA512 | 0f895d951fd7697b783ae24a6917daef8c66baa9aff32d3aaa71cce0e567513a6f0b3c93bfb25832288c6fcbafdc877c941fc3a70db6025be793c73455aa187a |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y3789475.exe
| MD5 | 8f4832135e473e91d5f7301239ecae68 |
| SHA1 | 7e560cdc769c6e341a794ed094cfe660440b888b |
| SHA256 | d315f9acc87dd7c6aabeb8867f35ede70db558e8a5498fec0161b37c1d7459b7 |
| SHA512 | d2f5e8f5999fc04d3862a749294779c961af86a80f653516d34ca0f37482d85d937cc369a31ef466ea598dc726aa2e059bc9eccfb972a9a8df39162fc762caf7 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k3764084.exe
| MD5 | 7e93bacbbc33e6652e147e7fe07572a0 |
| SHA1 | 421a7167da01c8da4dc4d5234ca3dd84e319e762 |
| SHA256 | 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38 |
| SHA512 | 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91 |
memory/4776-21-0x00000000001D0000-0x00000000001DA000-memory.dmp
memory/4776-22-0x00007FFB46C43000-0x00007FFB46C45000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l2609246.exe
| MD5 | aea234064483f651010cf9d981f59fea |
| SHA1 | 002ad73a666d2d92d0c6d6b617e61c6fa0c5f3a6 |
| SHA256 | 58b02c8b4bc2bf7f5f1e8e45d7c206956f188ae56b648922ca75987b999db503 |
| SHA512 | eae415ef55aeb1b4548c2422a72e618fce17c2c1322918d33dc6b9202a01c743a5684ba28e5d83b6cdb2b703bc12569e6bb0e87ef2decb4e8a18592e1380a434 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m2036005.exe
| MD5 | 3528f1546bae24918049af28aee6a65a |
| SHA1 | 17a5b595c09a02d1b67f026b482e39017fc5a249 |
| SHA256 | fd70d0db24520ddb344ca2d73fae611dd4151c5be50869303eb5aa75a406aaa8 |
| SHA512 | 0ed68ecf747d17ebb04e1d13fb2421529ac857d4e0d2b0a6cd86e413a820869dc7e4523955ce1e45ac69aafff27e52565d3bfc9b0ae5036d6006a7b48b7fb1bf |
memory/1580-40-0x0000000000C40000-0x0000000000C70000-memory.dmp
memory/1580-41-0x0000000002F20000-0x0000000002F26000-memory.dmp
memory/1580-42-0x0000000005D20000-0x0000000006338000-memory.dmp
memory/1580-43-0x0000000005810000-0x000000000591A000-memory.dmp
memory/1580-44-0x0000000005720000-0x0000000005732000-memory.dmp
memory/1580-45-0x0000000005780000-0x00000000057BC000-memory.dmp
memory/1580-46-0x00000000057C0000-0x000000000580C000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-09 14:29
Reported
2024-05-09 14:32
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
153s
Command Line
Signatures
Amadey
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7668654.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7668654.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7668654.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7668654.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7668654.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7668654.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l2178207.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4488290.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7668654.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l2178207.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n3064036.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7668654.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4488290.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\35c135016a0f649443e821c488d88916ba73f8c81eba1b57cf92cbafb9cd49ef.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7668654.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7668654.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7668654.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\35c135016a0f649443e821c488d88916ba73f8c81eba1b57cf92cbafb9cd49ef.exe
"C:\Users\Admin\AppData\Local\Temp\35c135016a0f649443e821c488d88916ba73f8c81eba1b57cf92cbafb9cd49ef.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4488290.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4488290.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7668654.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7668654.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l2178207.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l2178207.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
"C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n3064036.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n3064036.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN pdates.exe /TR "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "pdates.exe" /P "Admin:N"&&CACLS "pdates.exe" /P "Admin:R" /E&&echo Y|CACLS "..\925e7e99c5" /P "Admin:N"&&CACLS "..\925e7e99c5" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "pdates.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "pdates.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\925e7e99c5" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\925e7e99c5" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| BE | 88.221.83.235:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 235.83.221.88.in-addr.arpa | udp |
| BE | 88.221.83.235:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| FI | 77.91.68.61:80 | | tcp |
| FI | 77.91.68.68:19071 | | tcp |
| FI | 77.91.68.68:19071 | | tcp |
| FI | 77.91.68.61:80 | | tcp |
| FI | 77.91.68.68:19071 | | tcp |
| FI | 77.91.68.61:80 | | tcp |
| FI | 77.91.68.68:19071 | | tcp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| FI | 77.91.68.68:19071 | | tcp |
| FI | 77.91.68.68:19071 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4488290.exe
| MD5 | d7b6739f2703240b6d89519c0da6913f |
| SHA1 | 88c418680590fec81908c514bf6e56332fc381c9 |
| SHA256 | abbe33fb1814a2da048be512fbfbaecdeb4636e010bccb71ea47f7f0798250f2 |
| SHA512 | 6957e772806360d58e861064c252253319463ffdb3d5fe9b6862be801ba88597597dd372bfce406111dacaf93fa2bc7923f4d19e067d0684579d5408ad5d9e4e |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7668654.exe
| MD5 | 7e93bacbbc33e6652e147e7fe07572a0 |
| SHA1 | 421a7167da01c8da4dc4d5234ca3dd84e319e762 |
| SHA256 | 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38 |
| SHA512 | 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91 |
memory/1168-14-0x0000000000270000-0x000000000027A000-memory.dmp
memory/1168-15-0x00007FFCBA783000-0x00007FFCBA785000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l2178207.exe
| MD5 | aea234064483f651010cf9d981f59fea |
| SHA1 | 002ad73a666d2d92d0c6d6b617e61c6fa0c5f3a6 |
| SHA256 | 58b02c8b4bc2bf7f5f1e8e45d7c206956f188ae56b648922ca75987b999db503 |
| SHA512 | eae415ef55aeb1b4548c2422a72e618fce17c2c1322918d33dc6b9202a01c743a5684ba28e5d83b6cdb2b703bc12569e6bb0e87ef2decb4e8a18592e1380a434 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n3064036.exe
| MD5 | 4096ab9f86269efb1a5daf2eb6166511 |
| SHA1 | 78ec2ee18997fddf53b78416c1b79b4cc39a0384 |
| SHA256 | af4fee3a1d54d3458ac3c931bce39e419b40971512fb98fe434390b2749e4970 |
| SHA512 | 608bd89a81d6b184e0d3497dd7088f949ae57cfcf425b968cf21183eb8e49b3adf2ea48c831afea44d4d4c933d145236548062caa5b9b8243d5c7392e69c0c77 |
memory/2132-33-0x0000000000E00000-0x0000000000E30000-memory.dmp
memory/2132-34-0x0000000002FE0000-0x0000000002FE6000-memory.dmp
memory/2132-35-0x0000000005DF0000-0x0000000006408000-memory.dmp
memory/2132-36-0x00000000058E0000-0x00000000059EA000-memory.dmp
memory/2132-37-0x0000000005680000-0x0000000005692000-memory.dmp
memory/2132-38-0x0000000005810000-0x000000000584C000-memory.dmp
memory/2132-39-0x0000000005850000-0x000000000589C000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2024-05-09 14:29
Reported
2024-05-09 14:32
Platform
win7-20240508-en
Max time kernel
120s
Max time network
124s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\3ea65c50a29c3ae43f9bd78041b110785429a768b3e006da768baaf12f327b63.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2480 wrote to memory of 2444 | N/A | C:\Users\Admin\AppData\Local\Temp\3ea65c50a29c3ae43f9bd78041b110785429a768b3e006da768baaf12f327b63.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2480 wrote to memory of 2444 | N/A | C:\Users\Admin\AppData\Local\Temp\3ea65c50a29c3ae43f9bd78041b110785429a768b3e006da768baaf12f327b63.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2480 wrote to memory of 2444 | N/A | C:\Users\Admin\AppData\Local\Temp\3ea65c50a29c3ae43f9bd78041b110785429a768b3e006da768baaf12f327b63.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2480 wrote to memory of 2444 | N/A | C:\Users\Admin\AppData\Local\Temp\3ea65c50a29c3ae43f9bd78041b110785429a768b3e006da768baaf12f327b63.exe | C:\Windows\SysWOW64\WerFault.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\3ea65c50a29c3ae43f9bd78041b110785429a768b3e006da768baaf12f327b63.exe
"C:\Users\Admin\AppData\Local\Temp\3ea65c50a29c3ae43f9bd78041b110785429a768b3e006da768baaf12f327b63.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2480 -s 116
Network
Files
memory/2480-0-0x0000000000246000-0x0000000000248000-memory.dmp
Analysis: behavioral13
Detonation Overview
Submitted
2024-05-09 14:29
Reported
2024-05-09 14:32
Platform
win10v2004-20240508-en
Max time kernel
144s
Max time network
149s
Command Line
Signatures
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro1420.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro1420.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro1420.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro1420.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro1420.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro1420.exe | N/A |
RedLine
RedLine payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un866970.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro1420.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8957.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro1420.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro1420.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\7f80787d38486459a9c104bc8c42dd78c68e0e27411be54897379c415c7c73fd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un866970.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro1420.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro1420.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro1420.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro1420.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8957.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\7f80787d38486459a9c104bc8c42dd78c68e0e27411be54897379c415c7c73fd.exe
"C:\Users\Admin\AppData\Local\Temp\7f80787d38486459a9c104bc8c42dd78c68e0e27411be54897379c415c7c73fd.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un866970.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un866970.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro1420.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro1420.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 204 -p 4800 -ip 4800
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4800 -s 1076
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8957.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8957.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| BE | 88.221.83.192:443 | www.bing.com | tcp |
| BE | 88.221.83.192:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 192.83.221.88.in-addr.arpa | udp |
| RU | 176.113.115.145:4125 | | tcp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| RU | 176.113.115.145:4125 | | tcp |
| RU | 176.113.115.145:4125 | | tcp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| RU | 176.113.115.145:4125 | | tcp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| RU | 176.113.115.145:4125 | | tcp |
| RU | 176.113.115.145:4125 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un866970.exe
| MD5 | a7fb15822f9fd5ad188bde64ac858066 |
| SHA1 | d43cf89daf58874fc10f0069ad15a1422afd1fdc |
| SHA256 | 1743aaa0c8da51a1f5dc1edbbe624d607b088ec127d12ba535d316fe7c999b90 |
| SHA512 | bebda16905e2ebc30ad91776c939c59488d159e84a3d01b298e1ad23a60e30c87d3110c99bd5e8f964e16ffd84ba7de7b85d66ba476847fc8c0fe1fef52e8bbd |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro1420.exe
| MD5 | 24abf6b8ee223b90a885472a87ea4c31 |
| SHA1 | 7feba2b130ce89722d6794b90f3fe47ec757e6bd |
| SHA256 | 24e94aacf0fd547ad2853afa6f561340e7103fae7a8542620fc4bf93281f420f |
| SHA512 | 99839c767fa4f0d2450eda15fa3e8e59c7f75d270edaa4939a4238ecf0e676761e87050a514bcb39527ab4c0e55815fde66c04aeeea581b38185593670599252 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8957.exe
| MD5 | 845cca2b2296b2b608ff5ad85ed25882 |
| SHA1 | e1eb059c3439f702262d7c333f916bf84830d69a |
| SHA256 | e8c6c67aec798ccaed270e5344ddaea84a165f4cea12167d6404ca00aeec40bd |
| SHA512 | da5d5e410719952365e5487dd9a7a28268a63d43b98d53c338728f9c42745f481c2ce72224e0465c7a043d705d859c28706338b5ef4c03b569e078679c00267a |
Analysis: behavioral16
Detonation Overview
Submitted
2024-05-09 14:29
Reported
2024-05-09 14:32
Platform
win7-20240221-en
Max time kernel
118s
Max time network
123s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\cbd8058875fbf90f6f6a3c6825fab01a2bac4ffb1903f2a0405d451060ea1a48.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2072 wrote to memory of 2108 | N/A | C:\Users\Admin\AppData\Local\Temp\cbd8058875fbf90f6f6a3c6825fab01a2bac4ffb1903f2a0405d451060ea1a48.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2072 wrote to memory of 2108 | N/A | C:\Users\Admin\AppData\Local\Temp\cbd8058875fbf90f6f6a3c6825fab01a2bac4ffb1903f2a0405d451060ea1a48.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2072 wrote to memory of 2108 | N/A | C:\Users\Admin\AppData\Local\Temp\cbd8058875fbf90f6f6a3c6825fab01a2bac4ffb1903f2a0405d451060ea1a48.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2072 wrote to memory of 2108 | N/A | C:\Users\Admin\AppData\Local\Temp\cbd8058875fbf90f6f6a3c6825fab01a2bac4ffb1903f2a0405d451060ea1a48.exe | C:\Windows\SysWOW64\WerFault.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\cbd8058875fbf90f6f6a3c6825fab01a2bac4ffb1903f2a0405d451060ea1a48.exe
"C:\Users\Admin\AppData\Local\Temp\cbd8058875fbf90f6f6a3c6825fab01a2bac4ffb1903f2a0405d451060ea1a48.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2072 -s 116
Network
Files
memory/2072-0-0x0000000001306000-0x0000000001307000-memory.dmp
Analysis: behavioral17
Detonation Overview
Submitted
2024-05-09 14:29
Reported
2024-05-09 14:32
Platform
win10v2004-20240508-en
Max time kernel
108s
Max time network
122s
Command Line
Signatures
RedLine
RedLine payload
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4628 set thread context of 1440 | N/A | C:\Users\Admin\AppData\Local\Temp\cbd8058875fbf90f6f6a3c6825fab01a2bac4ffb1903f2a0405d451060ea1a48.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\cbd8058875fbf90f6f6a3c6825fab01a2bac4ffb1903f2a0405d451060ea1a48.exe |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\cbd8058875fbf90f6f6a3c6825fab01a2bac4ffb1903f2a0405d451060ea1a48.exe
"C:\Users\Admin\AppData\Local\Temp\cbd8058875fbf90f6f6a3c6825fab01a2bac4ffb1903f2a0405d451060ea1a48.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4628 -ip 4628
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4628 -s 320
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 235.3.20.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | omnomnom.top | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| DE | 195.201.252.28:443 | omnomnom.top | tcp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 28.252.201.195.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| BE | 2.17.107.104:443 | www.bing.com | tcp |
| BE | 2.17.107.104:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 104.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 16.173.189.20.in-addr.arpa | udp |
Files
Analysis: behavioral11
Detonation Overview
Submitted
2024-05-09 14:29
Reported
2024-05-09 14:32
Platform
win7-20240508-en
Max time kernel
122s
Max time network
124s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\7dbf05d83f893a3fd85e266599155069e13d532333012d62fa0a41a625878965.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1276 wrote to memory of 1144 | N/A | C:\Users\Admin\AppData\Local\Temp\7dbf05d83f893a3fd85e266599155069e13d532333012d62fa0a41a625878965.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 1276 wrote to memory of 1144 | N/A | C:\Users\Admin\AppData\Local\Temp\7dbf05d83f893a3fd85e266599155069e13d532333012d62fa0a41a625878965.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 1276 wrote to memory of 1144 | N/A | C:\Users\Admin\AppData\Local\Temp\7dbf05d83f893a3fd85e266599155069e13d532333012d62fa0a41a625878965.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 1276 wrote to memory of 1144 | N/A | C:\Users\Admin\AppData\Local\Temp\7dbf05d83f893a3fd85e266599155069e13d532333012d62fa0a41a625878965.exe | C:\Windows\SysWOW64\WerFault.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\7dbf05d83f893a3fd85e266599155069e13d532333012d62fa0a41a625878965.exe
"C:\Users\Admin\AppData\Local\Temp\7dbf05d83f893a3fd85e266599155069e13d532333012d62fa0a41a625878965.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1276 -s 116
Network
Files
memory/1276-0-0x0000000001422000-0x0000000001423000-memory.dmp
Analysis: behavioral14
Detonation Overview
Submitted
2024-05-09 14:29
Reported
2024-05-09 14:32
Platform
win10v2004-20240426-en
Max time kernel
149s
Max time network
153s
Command Line
Signatures
Amadey
Detects Healer an antivirus disabler dropper
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a6556348.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a6556348.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a6556348.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a6556348.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a6556348.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a6556348.exe | N/A |
SmokeLoader
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b9359268.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6225106.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a6556348.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b9359268.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c3031791.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a6556348.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\9176ff0f1ca08377671891eab2e7fd1bad29e129985b386e1486b543767b2721.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6225106.exe | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c3031791.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c3031791.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c3031791.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a6556348.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a6556348.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a6556348.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9176ff0f1ca08377671891eab2e7fd1bad29e129985b386e1486b543767b2721.exe
"C:\Users\Admin\AppData\Local\Temp\9176ff0f1ca08377671891eab2e7fd1bad29e129985b386e1486b543767b2721.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6225106.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6225106.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a6556348.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a6556348.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b9359268.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b9359268.exe
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
"C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c3031791.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c3031791.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN danke.exe /TR "C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "danke.exe" /P "Admin:N"&&CACLS "danke.exe" /P "Admin:R" /E&&echo Y|CACLS "..\3ec1f323b5" /P "Admin:N"&&CACLS "..\3ec1f323b5" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "danke.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "danke.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\3ec1f323b5" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\3ec1f323b5" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| BE | 88.221.83.235:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 235.83.221.88.in-addr.arpa | udp |
| BE | 88.221.83.235:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| FI | 77.91.68.3:80 | | tcp |
| FI | 77.91.68.3:80 | | tcp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 52.111.227.11:443 | | tcp |
| FI | 77.91.68.3:80 | | tcp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| FI | 77.91.68.3:80 | | tcp |
| FI | 77.91.68.3:80 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6225106.exe
| MD5 | c338d063ef1eb67b49ffd7437ffa4ea9 |
| SHA1 | 2ae2a4e6c800dd2970725303bcdafd7c1d8c91bc |
| SHA256 | f69f4c41ab2a6935bb663f7f5cd0e778a483f46ae98210f226e02840523f3836 |
| SHA512 | 660bc5267d1c1c00861e69fafdfd0590138935758be29ef6674839889613aedcaccd2cd44ce5a9aeacc7f408f01b6f907d0a0646b704f0faa3311ee40a21fc97 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a6556348.exe
| MD5 | 9cf2bf8a201a763a00db36e5da4e4929 |
| SHA1 | 8635dfc65785f7fa005652a35fc071d76b6cc796 |
| SHA256 | cbe1d3beefbbc07cd02b3130bd956aed35a02e0bc43c28e1e93a182bf227c6a0 |
| SHA512 | 672fe991fb67fffe073d02f74e56c57e3366c38e2aa2103b01a0c7945bf0e576ac43c2ee98fd7fd8a69f245637d507dac4391451cee57bfa7dd856bd9d091366 |
memory/540-14-0x00007FFB352F3000-0x00007FFB352F5000-memory.dmp
memory/540-15-0x00000000009B0000-0x00000000009BA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b9359268.exe
| MD5 | 98d62a29dc66d9bae1278850f74601e9 |
| SHA1 | 6a22a9e53a9fe3a85b69498302511827f7c53b6e |
| SHA256 | 7d17c12f208248eca7999690e2eece7d5528b6e3a8ae9bd6101ee4385d5bbb76 |
| SHA512 | 4cddabd2c6635e6ee5f8356ab62ce6e0d0bf716325c6b984be8bf7c80b15db228c53af7a6eb2e99628ff80e0dfe8491f1cbf8cefd8ee0d9316120b0b613da09a |
memory/2092-33-0x0000000000400000-0x0000000000409000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c3031791.exe
| MD5 | 075e2533974f7c2387b8e1777c018bc2 |
| SHA1 | d34cd3c07cb30ae542a551b18b02ab305ea631b2 |
| SHA256 | d60bca4f62746a0560052216a13830ed48269cc83802c5c9ef43125f3c6d4642 |
| SHA512 | a87570b61b925defa1e5975d1b6d51f6cc4f1874fe628536c8f1829e2810c6b32ecbd6d42afb22e4fcb9c8d3da1ad4b6ca96c8fdd1ab11468e69fca668e6d1e8 |
Analysis: behavioral15
Detonation Overview
Submitted
2024-05-09 14:29
Reported
2024-05-09 14:32
Platform
win10v2004-20240426-en
Max time kernel
147s
Max time network
154s
Command Line
Signatures
Amadey
Detects Healer an antivirus disabler dropper
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a8059560.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a8059560.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a8059560.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a8059560.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a8059560.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a8059560.exe | N/A |
RedLine
RedLine payload
SmokeLoader
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b2825939.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4675697.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7326392.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a8059560.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b2825939.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c1779118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d6340897.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a8059560.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4675697.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7326392.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\babd836631e288a3898e6b871ded792269de5c0014085887296a642d03a14d1d.exe | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c1779118.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c1779118.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c1779118.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a8059560.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a8059560.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a8059560.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\babd836631e288a3898e6b871ded792269de5c0014085887296a642d03a14d1d.exe
"C:\Users\Admin\AppData\Local\Temp\babd836631e288a3898e6b871ded792269de5c0014085887296a642d03a14d1d.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4675697.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4675697.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7326392.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7326392.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a8059560.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a8059560.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b2825939.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b2825939.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
"C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe"
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c1779118.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c1779118.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN pdates.exe /TR "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "pdates.exe" /P "Admin:N"&&CACLS "pdates.exe" /P "Admin:R" /E&&echo Y|CACLS "..\925e7e99c5" /P "Admin:N"&&CACLS "..\925e7e99c5" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "pdates.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "pdates.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\925e7e99c5" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\925e7e99c5" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d6340897.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d6340897.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| BE | 88.221.83.192:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 192.83.221.88.in-addr.arpa | udp |
| FI | 77.91.68.61:80 | | tcp |
| FI | 77.91.124.84:19071 | | tcp |
| FI | 77.91.68.61:80 | | tcp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| FI | 77.91.124.84:19071 | | tcp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| FI | 77.91.68.61:80 | | tcp |
| FI | 77.91.124.84:19071 | | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| FI | 77.91.124.84:19071 | | tcp |
| FI | 77.91.124.84:19071 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4675697.exe
| MD5 | 6487e63a9d712c9fa4d43f4a1e2f4982 |
| SHA1 | d011ea1e23ad4260301bb9be131fa210022abc61 |
| SHA256 | 708bf3f153528e994c22e31d4fee21bf042db76d29a0ff0e316d160acbfa151a |
| SHA512 | 8ee62e03d6b4f0329089961fdf0fc44a4e2cfc7b1eb40b3d13aa9996acdd74c34e933ffbe543ae704e4ffa6bdb9cbc4cf717c83ea20c62e727bd78adcb5034f0 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7326392.exe
| MD5 | c054ad5e93bdcfadd05df7b9d5c9d1fd |
| SHA1 | 626454188298c47baa73b1c85203b63a7ed8b019 |
| SHA256 | 2fa3a71f8055f97d0c268f4fbc4e3a2a600baadd81b8c3ace9e873aa201736a0 |
| SHA512 | 6be92d13d4e76c2fbbc4706606021d37cf2e78f0702939cec50c88b735d0e56dcd4083db38d10efbd8e1938b5a1c3736bfcc8ce439b3df426973ff2b062c8b9a |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a8059560.exe
| MD5 | 0913129b2b0beaa40070423febcfba62 |
| SHA1 | cbc9a68bf89a7faafcac16593ac039543d80febb |
| SHA256 | bcaf2cd3a1a5f66e51213ffe6aa72d337e1d242e3e9f1cdf1b82112eac0452b7 |
| SHA512 | 24b936caf6f32bb93cedfd0be129cacc854c6cda05f5ffb4c24a0af4a71d2d31e397fdaf4e4e6b2d79119d1d685301649dabbda0e7b71332b5e431882fe32116 |
memory/4648-22-0x00007FF9F0423000-0x00007FF9F0425000-memory.dmp
memory/4648-21-0x00000000000B0000-0x00000000000BA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b2825939.exe
| MD5 | 022f119365c3e54ec3c0058b088c26fb |
| SHA1 | a705014c3750ec7b439f11ac18d3291c3fb642e8 |
| SHA256 | 4d74d06559a558324a63784710905e0095e450cf86dac862160dc3e348eed6a6 |
| SHA512 | 65b4c54cb6c047928a0749e546bfbe80f694e3cc1722a80147dd7a4f20c7cda66db56cddbf51c21f9171c6b379cc1dadb980e53667f3dff0e8d381d5d0682724 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c1779118.exe
| MD5 | e3a5f3ad2ee89b7cb1a0e2e5c5274667 |
| SHA1 | 7efb31b3e242bcce37e17c56ba4e3765958c767f |
| SHA256 | 7736da43f91d1f15c359b3aeeae237747a2368c6b3b9b01752ba31bc2be9bd06 |
| SHA512 | fe63f532d6d37ac7a0309d44f45aa4236fef03c8e7def37b222ee7e645f21b312963c5754f41044194feafa9ae0715bc4e6581a8c29d85222c3e93f54ba45993 |
memory/5112-40-0x0000000000400000-0x0000000000409000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d6340897.exe
| MD5 | b2abbe4f59e4fe593b58a729449f8258 |
| SHA1 | f33bbc3c39b34f0d092332d9b1dfa3411405b048 |
| SHA256 | 04bf72986315202b300985bbaf94dbad03bc231a186c8ccf185d566910114a70 |
| SHA512 | 643b1ea32fa7eab6647a985283f05b6c91fa991ed9bd8b551892d556f620898ed55ad88abd21f947ac0a8fab958188030ba93227bdd20abb2f43ccd86ea1b52a |
memory/2684-46-0x0000000000ED0000-0x0000000000F00000-memory.dmp
memory/5112-42-0x0000000000400000-0x0000000000409000-memory.dmp
memory/2684-47-0x0000000003160000-0x0000000003166000-memory.dmp
memory/2684-49-0x000000000AEB0000-0x000000000AFBA000-memory.dmp
memory/2684-48-0x000000000B3C0000-0x000000000B9D8000-memory.dmp
memory/2684-50-0x000000000ADC0000-0x000000000ADD2000-memory.dmp
memory/2684-51-0x000000000AE20000-0x000000000AE5C000-memory.dmp
memory/2684-52-0x0000000003060000-0x00000000030AC000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-05-09 14:29
Reported
2024-05-09 14:32
Platform
win10v2004-20240508-en
Max time kernel
148s
Max time network
154s
Command Line
Signatures
Amadey
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a3864613.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a3864613.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a3864613.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a3864613.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a3864613.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a3864613.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
SmokeLoader
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b0194772.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9845214.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9681722.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a3864613.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b0194772.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c1633986.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d0287623.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a3864613.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9845214.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9681722.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\3b8cd7306bcee474040656c20f071e99345caea6d53f3bae9bb55dfbe680b571.exe | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c1633986.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c1633986.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c1633986.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a3864613.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a3864613.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a3864613.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\3b8cd7306bcee474040656c20f071e99345caea6d53f3bae9bb55dfbe680b571.exe
"C:\Users\Admin\AppData\Local\Temp\3b8cd7306bcee474040656c20f071e99345caea6d53f3bae9bb55dfbe680b571.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9845214.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9845214.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9681722.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9681722.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a3864613.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a3864613.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b0194772.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b0194772.exe
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
"C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe"
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c1633986.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c1633986.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN danke.exe /TR "C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "danke.exe" /P "Admin:N"&&CACLS "danke.exe" /P "Admin:R" /E&&echo Y|CACLS "..\3ec1f323b5" /P "Admin:N"&&CACLS "..\3ec1f323b5" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "danke.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "danke.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\3ec1f323b5" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\3ec1f323b5" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d0287623.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d0287623.exe
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| BE | 2.17.107.112:443 | www.bing.com | tcp |
| BE | 2.17.107.112:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 112.107.17.2.in-addr.arpa | udp |
| FI | 77.91.68.3:80 | | tcp |
| FI | 77.91.68.68:19071 | | tcp |
| FI | 77.91.68.3:80 | | tcp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| FI | 77.91.68.68:19071 | | tcp |
| FI | 77.91.68.3:80 | | tcp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| FI | 77.91.68.68:19071 | | tcp |
| FI | 77.91.68.3:80 | | tcp |
| FI | 77.91.68.68:19071 | | tcp |
| FI | 77.91.68.3:80 | | tcp |
| FI | 77.91.68.68:19071 | | tcp |
| US | 8.8.8.8:53 | 63.141.182.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9845214.exe
| MD5 | 89a9f2210a41c41e73468243aafe7ce0 |
| SHA1 | 876015cb4aa5fa59f834557eec21f9e9ff71171c |
| SHA256 | 3c2caa36eae05ef361fc9c6eea23ff221c0a0e4f51b56c32eec059cde5de848f |
| SHA512 | fa56caff7e81916deee34218daaec74acab8e94945cb5541b341f954e137725663e77fec26591f8ec705bff405f62f085d9e7adb783d1163bf0458e587606404 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9681722.exe
| MD5 | b80c73707e7ee97621ab0bec7cadc344 |
| SHA1 | 3438fef840e2b7a311d86a10c01595ac5ce91095 |
| SHA256 | 26da8507f7687477b1bd17eca7d62575eb23c2f2f4cb1823392540fed9bea888 |
| SHA512 | dee7011a57ead8cdc26745862d868929fabdddeed3c7ed54b0053d50d9c3f90b328faa9b093e5ef575299958e8afcdb08819bd634af4933b2b4ce93cc0c9c2b8 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a3864613.exe
| MD5 | 3fd53ec59642118b77772907ed0d4655 |
| SHA1 | cbdc0d9ba299b8ac2a8858d6067f942f043fa5bb |
| SHA256 | 1693df72caf6205a729eb607574ef81a8ad454b2db4a774c8f8b7d949564e082 |
| SHA512 | 398c4fe14c49665bfebfe1850c4debd77511c1fda87cdfd6659d5dd37b4e1715f02ea87ffc419a9cdc76c07cc421dbe6ea8c1e5615a0f1b8e33ead976b45d304 |
memory/3992-21-0x0000000000E90000-0x0000000000E9A000-memory.dmp
memory/3992-22-0x00007FFF8C9E3000-0x00007FFF8C9E5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b0194772.exe
| MD5 | e5c89f82237e81a362f2fa532e9a8579 |
| SHA1 | 0336cee2fdb31b0454e93238d5e948c9a36d233f |
| SHA256 | c424989204e88bdb5c0219ed1427cb0ea405f95cb3328994c234ba340f1264ab |
| SHA512 | c5ca1aa06868399fab3a6e4909c29e754341b117d97b877af27647a8bea4e7c734f4b538782cd4766ca02afc2358d1b9141874a01820f7ac1f66665a2c7e4ac1 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c1633986.exe
| MD5 | 254fa0abe1f76f20e10a1dc009280971 |
| SHA1 | ec57a1f39a4fe1c1e09fc4eca62604e51538b517 |
| SHA256 | 4f2f9163b5811ffe45585cc8731f380f7cae91a97a565f08e5e47454b030646c |
| SHA512 | d33950c3fce6b64057527a90465674ad334ea46f83250c4293b41f0c48479d563be16f063b8446c6af7b6c0528b5869d8793bd75bed8bb4a12f0e352d74574dc |
memory/1620-40-0x0000000000400000-0x0000000000409000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d0287623.exe
| MD5 | cf45b941e3ed7d9ca42bf6b416b2ad98 |
| SHA1 | f64c8b08eaa3883021afdd4103b8ef178c4afd47 |
| SHA256 | 8f7c10902c052c8ab3ae56a0e082a784518017019416f598ad255949dce48fb0 |
| SHA512 | 11486c360657bcf363cf10efc35bdfea0c0477927274cc492aa9a2e10aabaf2533c555c0dbf4e35046026c6e873a3aa7e48a4f4d56b4a6db56f6d89261321a3e |
memory/2608-45-0x0000000000990000-0x00000000009C0000-memory.dmp
memory/2608-46-0x0000000002D10000-0x0000000002D16000-memory.dmp
memory/2608-47-0x000000000AD30000-0x000000000B348000-memory.dmp
memory/2608-48-0x000000000A820000-0x000000000A92A000-memory.dmp
memory/2608-49-0x000000000A740000-0x000000000A752000-memory.dmp
memory/2608-50-0x000000000A7A0000-0x000000000A7DC000-memory.dmp
memory/2608-51-0x0000000002C90000-0x0000000002CDC000-memory.dmp
Analysis: behavioral5
Detonation Overview
Submitted
2024-05-09 14:29
Reported
2024-05-09 14:32
Platform
win10v2004-20240508-en
Max time kernel
125s
Max time network
130s
Command Line
Signatures
Lumma Stealer
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 5040 set thread context of 212 | N/A | C:\Users\Admin\AppData\Local\Temp\3ea65c50a29c3ae43f9bd78041b110785429a768b3e006da768baaf12f327b63.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\3ea65c50a29c3ae43f9bd78041b110785429a768b3e006da768baaf12f327b63.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\3ea65c50a29c3ae43f9bd78041b110785429a768b3e006da768baaf12f327b63.exe
"C:\Users\Admin\AppData\Local\Temp\3ea65c50a29c3ae43f9bd78041b110785429a768b3e006da768baaf12f327b63.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5040 -ip 5040
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5040 -s 324
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3440,i,16710585221322798697,8586257254049248207,262144 --variations-seed-version --mojo-platform-channel-handle=4444 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | sideindexfollowragelrew.pw | udp |
| US | 8.8.8.8:53 | productivelookewr.shop | udp |
| US | 172.67.150.207:443 | productivelookewr.shop | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tolerateilusidjukl.shop | udp |
| US | 172.67.147.41:443 | tolerateilusidjukl.shop | tcp |
| US | 8.8.8.8:53 | shatterbreathepsw.shop | udp |
| US | 104.21.95.19:443 | shatterbreathepsw.shop | tcp |
| US | 8.8.8.8:53 | shortsvelventysjo.shop | udp |
| US | 188.114.97.2:443 | shortsvelventysjo.shop | tcp |
| US | 8.8.8.8:53 | incredibleextedwj.shop | udp |
| US | 104.21.86.106:443 | incredibleextedwj.shop | tcp |
| US | 8.8.8.8:53 | 207.150.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.147.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.95.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.97.114.188.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | alcojoldwograpciw.shop | udp |
| US | 172.67.157.23:443 | alcojoldwograpciw.shop | tcp |
| US | 8.8.8.8:53 | liabilitynighstjsko.shop | udp |
| US | 188.114.97.2:443 | liabilitynighstjsko.shop | tcp |
| US | 8.8.8.8:53 | demonstationfukewko.shop | udp |
| US | 172.67.147.169:443 | demonstationfukewko.shop | tcp |
| US | 8.8.8.8:53 | 106.86.21.104.in-addr.arpa | udp |
| BE | 2.17.107.107:443 | www.bing.com | tcp |
| BE | 2.17.107.107:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 23.157.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 169.147.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.121.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
Files
memory/5040-0-0x0000000000A66000-0x0000000000A68000-memory.dmp
memory/212-1-0x0000000000400000-0x000000000044F000-memory.dmp
memory/212-3-0x0000000000400000-0x000000000044F000-memory.dmp
memory/212-4-0x0000000000400000-0x000000000044F000-memory.dmp
memory/212-5-0x0000000000400000-0x000000000044F000-memory.dmp
Analysis: behavioral6
Detonation Overview
Submitted
2024-05-09 14:29
Reported
2024-05-09 14:32
Platform
win10v2004-20240426-en
Max time kernel
148s
Max time network
154s
Command Line
Signatures
Amadey
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a4350346.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a4350346.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a4350346.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a4350346.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a4350346.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a4350346.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
SmokeLoader
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b4242672.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3635371.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4873105.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8727024.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a4350346.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b4242672.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c1719717.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d3589664.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a4350346.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3635371.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4873105.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8727024.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\51c9916d6f5b5ac66aa9b7e4343b3d5a2fa54d57996f9b7bb0d4b18987afd8bf.exe | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c1719717.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c1719717.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c1719717.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a4350346.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a4350346.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a4350346.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\51c9916d6f5b5ac66aa9b7e4343b3d5a2fa54d57996f9b7bb0d4b18987afd8bf.exe
"C:\Users\Admin\AppData\Local\Temp\51c9916d6f5b5ac66aa9b7e4343b3d5a2fa54d57996f9b7bb0d4b18987afd8bf.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3635371.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3635371.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4873105.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4873105.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8727024.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8727024.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a4350346.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a4350346.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b4242672.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b4242672.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
"C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe"
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c1719717.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c1719717.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d3589664.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d3589664.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN pdates.exe /TR "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "pdates.exe" /P "Admin:N"&&CACLS "pdates.exe" /P "Admin:R" /E&&echo Y|CACLS "..\925e7e99c5" /P "Admin:N"&&CACLS "..\925e7e99c5" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "pdates.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "pdates.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\925e7e99c5" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\925e7e99c5" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| BE | 2.17.107.121:443 | www.bing.com | tcp |
| BE | 2.17.107.121:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 121.107.17.2.in-addr.arpa | udp |
| FI | 77.91.124.156:19071 | | tcp |
| FI | 77.91.68.61:80 | | tcp |
| FI | 77.91.124.156:19071 | | tcp |
| FI | 77.91.68.61:80 | | tcp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| FI | 77.91.124.156:19071 | | tcp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| FI | 77.91.68.61:80 | | tcp |
| FI | 77.91.124.156:19071 | | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| FI | 77.91.124.156:19071 | | tcp |
| FI | 77.91.124.156:19071 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3635371.exe
| MD5 | 36c1eafd6f7fac3289a2ad10902214c7 |
| SHA1 | 3ff125f846161d490e86aa1dc2a9130fdf9fd79a |
| SHA256 | d214bcc70876290c7f60d745d572ab3679e71b2389056c2049e00cf379979a4e |
| SHA512 | 6e06ebe7ffa04eecd535b70c8aaedcd4215fcec8c23cc121a9294077a3d4b845abf5333ceb319aa72473008fde7d754027bddedfc47a42aed26ef54701c8c851 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4873105.exe
| MD5 | 997e3acf55722532483c24d4a42018bd |
| SHA1 | 999874b95eefe4f4a596cb651784d5433ed59602 |
| SHA256 | 9e5a9a1f8cf6212a3ff80db93b3b95a80581db8db8cca62e2767ef942c1cc0ef |
| SHA512 | 826dd2a0fade9daec8435eb86804f26422ae42ad46c546d574503cd3247d8876be1a1e76945b459ed00ebc40bce2a2328bfda7fdd978689571a6958bd6f26533 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8727024.exe
| MD5 | 20a66ecc613784a21da380e50bd9d8da |
| SHA1 | 29a18e71e8d0b0e3715d6d6197db85148005a458 |
| SHA256 | ec09abd890dc124b5d8d05b239a433d4eadb0fe616361640b1f3fbfaaf26fd70 |
| SHA512 | cec5a26e112d39fff7ffffaf1aea846b3135f658f8a602d2efacf758876bee8aa00b5a00c207df4cf503daf6cce1fd6cc9a45fb0bd071c9d9cee6d3a1396354e |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a4350346.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b4242672.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c1719717.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d3589664.exe
Analysis: behavioral10
Detonation Overview
| Submitted | 2024-05-09 14:29 |
| Reported | 2024-05-09 14:32 |
| Platform | win10v2004-20240508-en |
| Max time kernel | 148s |
| Max time network | 153s |
| Command Line | |
Signatures
Amadey
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a2141193.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a2141193.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a2141193.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a2141193.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a2141193.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a2141193.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
SmokeLoader
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b4366386.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8266423.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0782272.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a2141193.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b4366386.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c3646519.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d8228646.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a2141193.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8266423.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0782272.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\7a08e2a624c497b3986fed503c84dd39612ab1fdda740280e5a1514c1aac802b.exe | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c3646519.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c3646519.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c3646519.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a2141193.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a2141193.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a2141193.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\7a08e2a624c497b3986fed503c84dd39612ab1fdda740280e5a1514c1aac802b.exe
"C:\Users\Admin\AppData\Local\Temp\7a08e2a624c497b3986fed503c84dd39612ab1fdda740280e5a1514c1aac802b.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8266423.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8266423.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0782272.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0782272.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a2141193.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a2141193.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b4366386.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b4366386.exe
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
"C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe"
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c3646519.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c3646519.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d8228646.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d8228646.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN danke.exe /TR "C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "danke.exe" /P "Admin:N"&&CACLS "danke.exe" /P "Admin:R" /E&&echo Y|CACLS "..\3ec1f323b5" /P "Admin:N"&&CACLS "..\3ec1f323b5" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "danke.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "danke.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\3ec1f323b5" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\3ec1f323b5" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
Network
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8266423.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0782272.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a2141193.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b4366386.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c3646519.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d8228646.exe
Analysis: behavioral23
Detonation Overview
| Submitted | 2024-05-09 14:29 |
| Reported | 2024-05-09 14:32 |
| Platform | win10v2004-20240508-en |
| Max time kernel | 148s |
| Max time network | 152s |
| Command Line | |
Signatures
Amadey
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p8168654.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p8168654.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p8168654.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p8168654.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p8168654.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p8168654.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r3450874.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z9877402.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p8168654.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r3450874.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\t8743232.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p8168654.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\f5957f382ef0f17bbf1d83cc0b5d4f133ae56c9c5a3101548b66b2462dbe9b6a.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z9877402.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p8168654.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p8168654.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p8168654.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\f5957f382ef0f17bbf1d83cc0b5d4f133ae56c9c5a3101548b66b2462dbe9b6a.exe
"C:\Users\Admin\AppData\Local\Temp\f5957f382ef0f17bbf1d83cc0b5d4f133ae56c9c5a3101548b66b2462dbe9b6a.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z9877402.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z9877402.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p8168654.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p8168654.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r3450874.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r3450874.exe
C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe
"C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\t8743232.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\t8743232.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legola.exe /TR "C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legola.exe" /P "Admin:N"&&CACLS "legola.exe" /P "Admin:R" /E&&echo Y|CACLS "..\ebb444342c" /P "Admin:N"&&CACLS "..\ebb444342c" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "legola.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "legola.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\ebb444342c" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\ebb444342c" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe
C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe
C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe
C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe
Network
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z9877402.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p8168654.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r3450874.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\t8743232.exe