Malware Analysis Report

2024-10-16 03:48

Sample ID 240509-rz1xzahf94
Target red.zip
SHA256 2fa961b375e2da330a3b514d2c64bff25f393a2a58adb19f2372609308426060
Tags
redline 1366220748 discovery infostealer spyware stealer amadey healer smokeloader welos backdoor dropper evasion persistence trojan lande nasa kira news zgrat rat krast lamp papik
score
10/10

Analysis Overview

score
10/10

SHA256

2fa961b375e2da330a3b514d2c64bff25f393a2a58adb19f2372609308426060

Threat Level: Known bad

The file red.zip was found to be: Known bad.

Malicious Activity Summary

Modifies Windows Defender Real-time Protection settings

SmokeLoader

RedLine payload

Detects Healer an antivirus disabler dropper

Detect ZGRat V1

Amadey

Healer

ZGRat

RedLine

Executes dropped EXE

Windows security modification

Checks computer location settings

Reads user/profile data of web browsers

Adds Run key to start application

Legitimate hosting services abused for malware hosting/C2

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Program crash

Checks SCSI registry key(s)

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-09 14:38

Signatures

Unsigned PE

Analysis: behavioral4

Detonation Overview

Submitted

2024-05-09 14:38

Reported

2024-05-09 14:41

Platform

win10v2004-20240508-en

Max time kernel

93s

Max time network

98s

Command Line

"C:\Users\Admin\AppData\Local\Temp\25c57e67144c4603cb7936eb9ad62fb4a4b313d0acb99262c66c4792f6ecdf48.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\25c57e67144c4603cb7936eb9ad62fb4a4b313d0acb99262c66c4792f6ecdf48.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\25c57e67144c4603cb7936eb9ad62fb4a4b313d0acb99262c66c4792f6ecdf48.exe

"C:\Users\Admin\AppData\Local\Temp\25c57e67144c4603cb7936eb9ad62fb4a4b313d0acb99262c66c4792f6ecdf48.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 pastebin.com udp
US 104.20.3.235:443 pastebin.com tcp
US 8.8.8.8:53 omnomnom.top udp
DE 195.201.252.28:443 omnomnom.top tcp
BE 88.221.83.203:443 www.bing.com tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 235.3.20.104.in-addr.arpa udp
US 8.8.8.8:53 28.252.201.195.in-addr.arpa udp
US 8.8.8.8:53 203.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 25.14.97.104.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp

Files

Analysis: behavioral5

Detonation Overview

Submitted

2024-05-09 14:38

Reported

2024-05-09 14:41

Platform

win7-20240221-en

Max time kernel

122s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\604faa1b561362f508b03ad69516b2debf7434ce4ec5f42177ba41cf3907cbed.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\604faa1b561362f508b03ad69516b2debf7434ce4ec5f42177ba41cf3907cbed.exe

"C:\Users\Admin\AppData\Local\Temp\604faa1b561362f508b03ad69516b2debf7434ce4ec5f42177ba41cf3907cbed.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1976 -s 116

Network

N/A

Files

memory/1976-0-0x0000000000B12000-0x0000000000B13000-memory.dmp

Analysis: behavioral8

Detonation Overview

Submitted

2024-05-09 14:38

Reported

2024-05-09 14:41

Platform

win10v2004-20240508-en

Max time kernel

148s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\61ec6f7f3198f2f73155461b5544c1c55e467d0faa1776e05504a411b0530974.exe"

Signatures

Amadey

trojan amadey

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8400544.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8400544.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8400544.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8400544.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8400544.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8400544.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7161503.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe N/A

Windows security modification

evasion trojan

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8400544.exe N/A

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\61ec6f7f3198f2f73155461b5544c1c55e467d0faa1776e05504a411b0530974.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6078870.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8094658.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1890207.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c9747003.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c9747003.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c9747003.exe N/A

Creates scheduled task(s)

persistence

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8400544.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8400544.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8400544.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4428 wrote to memory of 3080 N/A C:\Users\Admin\AppData\Local\Temp\61ec6f7f3198f2f73155461b5544c1c55e467d0faa1776e05504a411b0530974.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6078870.exe
PID 4428 wrote to memory of 3080 N/A C:\Users\Admin\AppData\Local\Temp\61ec6f7f3198f2f73155461b5544c1c55e467d0faa1776e05504a411b0530974.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6078870.exe
PID 4428 wrote to memory of 3080 N/A C:\Users\Admin\AppData\Local\Temp\61ec6f7f3198f2f73155461b5544c1c55e467d0faa1776e05504a411b0530974.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6078870.exe
PID 3080 wrote to memory of 3616 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6078870.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8094658.exe
PID 3080 wrote to memory of 3616 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6078870.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8094658.exe
PID 3080 wrote to memory of 3616 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6078870.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8094658.exe
PID 3616 wrote to memory of 3988 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8094658.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1890207.exe
PID 3616 wrote to memory of 3988 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8094658.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1890207.exe
PID 3616 wrote to memory of 3988 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8094658.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1890207.exe
PID 3988 wrote to memory of 1132 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1890207.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8400544.exe
PID 3988 wrote to memory of 1132 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1890207.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8400544.exe
PID 3988 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1890207.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7161503.exe
PID 3988 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1890207.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7161503.exe
PID 3988 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1890207.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7161503.exe
PID 2968 wrote to memory of 3904 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7161503.exe C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
PID 2968 wrote to memory of 3904 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7161503.exe C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
PID 2968 wrote to memory of 3904 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7161503.exe C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
PID 3616 wrote to memory of 920 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8094658.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c9747003.exe
PID 3616 wrote to memory of 920 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8094658.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c9747003.exe
PID 3616 wrote to memory of 920 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8094658.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c9747003.exe
PID 3904 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe C:\Windows\SysWOW64\schtasks.exe
PID 3904 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe C:\Windows\SysWOW64\schtasks.exe
PID 3904 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe C:\Windows\SysWOW64\schtasks.exe
PID 3904 wrote to memory of 3828 N/A C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe C:\Windows\SysWOW64\cmd.exe
PID 3904 wrote to memory of 3828 N/A C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe C:\Windows\SysWOW64\cmd.exe
PID 3904 wrote to memory of 3828 N/A C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe C:\Windows\SysWOW64\cmd.exe
PID 3828 wrote to memory of 2640 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3828 wrote to memory of 2640 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3828 wrote to memory of 2640 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3828 wrote to memory of 3948 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3828 wrote to memory of 3948 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3828 wrote to memory of 3948 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3828 wrote to memory of 1564 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3828 wrote to memory of 1564 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3828 wrote to memory of 1564 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3828 wrote to memory of 4212 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3828 wrote to memory of 4212 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3828 wrote to memory of 4212 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3828 wrote to memory of 804 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3828 wrote to memory of 804 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3828 wrote to memory of 804 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3828 wrote to memory of 1732 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3828 wrote to memory of 1732 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3828 wrote to memory of 1732 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3080 wrote to memory of 5004 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6078870.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d7741225.exe
PID 3080 wrote to memory of 5004 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6078870.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d7741225.exe
PID 3080 wrote to memory of 5004 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6078870.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d7741225.exe

Processes

C:\Users\Admin\AppData\Local\Temp\61ec6f7f3198f2f73155461b5544c1c55e467d0faa1776e05504a411b0530974.exe

"C:\Users\Admin\AppData\Local\Temp\61ec6f7f3198f2f73155461b5544c1c55e467d0faa1776e05504a411b0530974.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6078870.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6078870.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8094658.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8094658.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1890207.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1890207.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8400544.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8400544.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7161503.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7161503.exe

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

"C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe"

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c9747003.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c9747003.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN pdates.exe /TR "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "pdates.exe" /P "Admin:N"&&CACLS "pdates.exe" /P "Admin:R" /E&&echo Y|CACLS "..\925e7e99c5" /P "Admin:N"&&CACLS "..\925e7e99c5" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "pdates.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "pdates.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\925e7e99c5" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\925e7e99c5" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d7741225.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d7741225.exe

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
BE 88.221.83.203:443 www.bing.com tcp
BE 88.221.83.203:443 www.bing.com tcp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 203.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
FI 77.91.68.61:80 tcp
FI 77.91.124.156:19071 tcp
FI 77.91.68.61:80 tcp
FI 77.91.124.156:19071 tcp
FI 77.91.68.61:80 tcp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
FI 77.91.124.156:19071 tcp
FI 77.91.124.156:19071 tcp
FI 77.91.124.156:19071 tcp
US 8.8.8.8:53 23.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6078870.exe

MD5 46a5f69bf60289bf73f38e1d9be85075
SHA1 8639931600b10364a4c823b701c00893c22aea6b
SHA256 65db5d7052987e7e8d814719a1e9c77b7d0f755b7f100a0b3f0b0d1b83d9b43e
SHA512 dbc4506574b8a92d600e60fd642f44942f2a19c3effbf284891da05751b5b6d82dab4122dab6abc758ec40eb366e3e042c3bc46aec3360440e113a550cd7ce29

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8094658.exe

MD5 eb475f3a8c4a25a19fa0abdc1e907952
SHA1 8988b40a69f6cb754a42bc5c7871ed839629b504
SHA256 40fbde6d35302d77db924d8a4db6569c23336d9205e82f12a82228cc100edb71
SHA512 3199b26a1ce8049c64556a2a9d0465c3ffa479594ca01d7ce052ba64fd128ab9da6302bf55baaaf59479e3a4c53f0569d93d7bb4d1566d1d65b4864b4a20af09

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1890207.exe

MD5 2dfe4d2812a48ddbf22392cc3a90970b
SHA1 4f1b63d32b90a492f98673c94646a42a6e853ac6
SHA256 9e6f3fd3f785137a445cbe56ff06c292a6df24180f53811fc86132a2bd4859c2
SHA512 8b30e6f60dc809e9411dd14439766ec61da1ce41170a987c6c917abfe8df3985d8d6870672b38e72c10317e178e032fdc94f1f36bc4c48cc79938ae9d7c9b6da

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8400544.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

memory/1132-28-0x0000000000100000-0x000000000010A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7161503.exe

MD5 bc91e6e768fd91095e2345589ee83b4a
SHA1 8d1b66b836cb0e5134a3f807e6f552068ae3e049
SHA256 d0ad15538e2a3f9aedb1b72fcd30581d83b8ca9e8e044f1a404cd3a71cc601a4
SHA512 2d8766287f50a95994a2c4496f09114406faa469baeb3719c061e08b323dd359338ba0a8fe526c2f7138fa1c8fa3018743ce2a26203626ecc5901e179d5224b1

memory/920-46-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c9747003.exe

MD5 6b8535ff7acd76f5a865bfa3e04fe4f7
SHA1 26d3dc99f638cf9cae4681dd14269fe9723c904b
SHA256 acf67950c3da59de03f145d42b15fb141395c524a091a46a0cc24d07e3e286da
SHA512 ea3a27b4bb1bb8050b593f64f9bb9bf6ba53de10fb7e12a1e6687e156d85fb5757a1797ad7a7b6cc966730c9fa9b713b8ec01f1e2c2b315977ed47441571f83a

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d7741225.exe

MD5 a438c0ff74d4f3006dd94b497bae7179
SHA1 d6618c08840cea64523e48bde1f433731049876d
SHA256 7a183cd5079b87c635002449d16a0fe2b686f777b58f507a5825033214aba176
SHA512 6ab764d9268aac5902b8026b7c5eb31e3956c86711e3ca52ab3fef12b45ad59a56b3ceb9e671c2efdf7b34543aa263dffe236eada2c754f23aa2ff0b7484a342

Analysis: behavioral13

Detonation Overview

Submitted

2024-05-09 14:38

Reported

2024-05-09 14:41

Platform

win10v2004-20240226-en

Max time kernel

166s

Max time network

177s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9a72ed316bbd2e389eb2ecd7243e5841d041badae874aa11f831b452a7cff8b3.exe"

Signatures

Amadey

trojan amadey

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h3421041.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h3421041.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h3421041.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h3421041.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h3421041.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h3421041.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g9541649.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe N/A

Windows security modification

evasion trojan

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h3421041.exe N/A

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\9a72ed316bbd2e389eb2ecd7243e5841d041badae874aa11f831b452a7cff8b3.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9784938.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h3421041.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h3421041.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h3421041.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g9541649.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3604 wrote to memory of 4584 N/A C:\Users\Admin\AppData\Local\Temp\9a72ed316bbd2e389eb2ecd7243e5841d041badae874aa11f831b452a7cff8b3.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9784938.exe
PID 3604 wrote to memory of 4584 N/A C:\Users\Admin\AppData\Local\Temp\9a72ed316bbd2e389eb2ecd7243e5841d041badae874aa11f831b452a7cff8b3.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9784938.exe
PID 3604 wrote to memory of 4584 N/A C:\Users\Admin\AppData\Local\Temp\9a72ed316bbd2e389eb2ecd7243e5841d041badae874aa11f831b452a7cff8b3.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9784938.exe
PID 4584 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9784938.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g9541649.exe
PID 4584 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9784938.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g9541649.exe
PID 4584 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9784938.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g9541649.exe
PID 2788 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g9541649.exe C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
PID 2788 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g9541649.exe C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
PID 2788 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g9541649.exe C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
PID 4584 wrote to memory of 3472 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9784938.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h3421041.exe
PID 4584 wrote to memory of 3472 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9784938.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h3421041.exe
PID 2856 wrote to memory of 4580 N/A C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe C:\Windows\SysWOW64\schtasks.exe
PID 2856 wrote to memory of 4580 N/A C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe C:\Windows\SysWOW64\schtasks.exe
PID 2856 wrote to memory of 4580 N/A C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe C:\Windows\SysWOW64\schtasks.exe
PID 2856 wrote to memory of 4284 N/A C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe C:\Windows\SysWOW64\cmd.exe
PID 2856 wrote to memory of 4284 N/A C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe C:\Windows\SysWOW64\cmd.exe
PID 2856 wrote to memory of 4284 N/A C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe C:\Windows\SysWOW64\cmd.exe
PID 4284 wrote to memory of 3692 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4284 wrote to memory of 3692 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4284 wrote to memory of 3692 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4284 wrote to memory of 408 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4284 wrote to memory of 408 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4284 wrote to memory of 408 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4284 wrote to memory of 2168 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4284 wrote to memory of 2168 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4284 wrote to memory of 2168 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4284 wrote to memory of 2336 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4284 wrote to memory of 2336 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4284 wrote to memory of 2336 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4284 wrote to memory of 788 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4284 wrote to memory of 788 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4284 wrote to memory of 788 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4284 wrote to memory of 2864 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4284 wrote to memory of 2864 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4284 wrote to memory of 2864 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3604 wrote to memory of 4604 N/A C:\Users\Admin\AppData\Local\Temp\9a72ed316bbd2e389eb2ecd7243e5841d041badae874aa11f831b452a7cff8b3.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j4435350.exe
PID 3604 wrote to memory of 4604 N/A C:\Users\Admin\AppData\Local\Temp\9a72ed316bbd2e389eb2ecd7243e5841d041badae874aa11f831b452a7cff8b3.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j4435350.exe
PID 3604 wrote to memory of 4604 N/A C:\Users\Admin\AppData\Local\Temp\9a72ed316bbd2e389eb2ecd7243e5841d041badae874aa11f831b452a7cff8b3.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j4435350.exe

Processes

C:\Users\Admin\AppData\Local\Temp\9a72ed316bbd2e389eb2ecd7243e5841d041badae874aa11f831b452a7cff8b3.exe

"C:\Users\Admin\AppData\Local\Temp\9a72ed316bbd2e389eb2ecd7243e5841d041badae874aa11f831b452a7cff8b3.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9784938.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9784938.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g9541649.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g9541649.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3936 --field-trial-handle=2304,i,6987730730348465820,3913273227385401271,262144 --variations-seed-version /prefetch:8

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

"C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe"

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h3421041.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h3421041.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN pdates.exe /TR "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "pdates.exe" /P "Admin:N"&&CACLS "pdates.exe" /P "Admin:R" /E&&echo Y|CACLS "..\925e7e99c5" /P "Admin:N"&&CACLS "..\925e7e99c5" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "pdates.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "pdates.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\925e7e99c5" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\925e7e99c5" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j4435350.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j4435350.exe

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

Network

Country Destination Domain Proto
N/A 10.127.0.1:12000 tcp
US 13.107.253.64:443 tcp
GB 172.217.169.74:443 tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 76.234.34.23.in-addr.arpa udp
FI 77.91.68.61:80 tcp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
FI 77.91.124.84:19071 tcp
FI 77.91.68.61:80 tcp
US 8.8.8.8:53 91.65.42.20.in-addr.arpa udp
FI 77.91.68.61:80 tcp
FI 77.91.124.84:19071 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9784938.exe

MD5 87959c24901cbb68b1ed0d31e966bf21
SHA1 fe41e590bfc0981fb23824ffd5718fd8ab4e5f08
SHA256 b166360a21c7ca4e9f1d17451efc07ffc57fae78b2684eb443d6b811d97a5bf6
SHA512 80c637b9caa3eee5669979c3ba891dcde79937711f1dda5c15f1fedb8fef892e5f3ab12486b7869183d8effb61e394dff48539fa39eb2b4895a004413d66a532

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g9541649.exe

MD5 aea234064483f651010cf9d981f59fea
SHA1 002ad73a666d2d92d0c6d6b617e61c6fa0c5f3a6
SHA256 58b02c8b4bc2bf7f5f1e8e45d7c206956f188ae56b648922ca75987b999db503
SHA512 eae415ef55aeb1b4548c2422a72e618fce17c2c1322918d33dc6b9202a01c743a5684ba28e5d83b6cdb2b703bc12569e6bb0e87ef2decb4e8a18592e1380a434

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h3421041.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

memory/3472-27-0x00000000002A0000-0x00000000002AA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j4435350.exe

MD5 59828ae17439756d437ab117a703fed1
SHA1 b9ec9e8ed317695cf334ce9199108d9efce2b609
SHA256 3638d6290ee0e43d6fbb70ba10cf7b04168e2989f0dd1c7d843f4d34afd7c7cc
SHA512 b11bab3e7cc2f59a45dacbfaff48eed0233aec9015100336eecd215bf1ae01dab5ed74f420e9c0c0b10ea201ed1c8174c1d0c501106a4c958e780823ba5f6d51

memory/4604-32-0x00000000002C0000-0x00000000002F0000-memory.dmp

memory/4604-33-0x0000000002510000-0x0000000002516000-memory.dmp

memory/4604-34-0x000000000A760000-0x000000000AD78000-memory.dmp

memory/4604-35-0x000000000A270000-0x000000000A37A000-memory.dmp

memory/4604-36-0x000000000A1B0000-0x000000000A1C2000-memory.dmp

memory/4604-37-0x000000000A210000-0x000000000A24C000-memory.dmp

memory/4604-39-0x0000000004C70000-0x0000000004CBC000-memory.dmp

Analysis: behavioral14

Detonation Overview

Submitted

2024-05-09 14:38

Reported

2024-05-09 14:41

Platform

win10v2004-20240508-en

Max time kernel

142s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b2abc74f29ed52ec7d83d19dcdda578b75bfabfe3cb6be161acad9d570a9601f.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p6771550.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p6771550.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p6771550.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p6771550.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p6771550.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p6771550.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p6771550.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\b2abc74f29ed52ec7d83d19dcdda578b75bfabfe3cb6be161acad9d570a9601f.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7383000.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p6771550.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p6771550.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p6771550.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\b2abc74f29ed52ec7d83d19dcdda578b75bfabfe3cb6be161acad9d570a9601f.exe

"C:\Users\Admin\AppData\Local\Temp\b2abc74f29ed52ec7d83d19dcdda578b75bfabfe3cb6be161acad9d570a9601f.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7383000.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7383000.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p6771550.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p6771550.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4396,i,7012731823941922179,12386606396608877869,262144 --variations-seed-version --mojo-platform-channel-handle=4288 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r4522158.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r4522158.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
BE 88.221.83.242:443 www.bing.com tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 242.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
BE 88.221.83.242:443 www.bing.com tcp
FI 77.91.68.68:19071 tcp
FI 77.91.68.68:19071 tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
FI 77.91.68.68:19071 tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
FI 77.91.68.68:19071 tcp
FI 77.91.68.68:19071 tcp
FI 77.91.68.68:19071 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7383000.exe

MD5 e3ed7f47e1410b7b8eb2abadf29e8ba9
SHA1 eaef8940de9977260629fa9eb19d89f19f195206
SHA256 cbe7e7cd0ef5d0f0de887cc968a0e337eb055609a57d6b8f12dc92889c825693
SHA512 fa6d6670fdd1fbfa25e7932556b443fdbf5a2de55245a329aa2e43e861dbf0b2d07ad4c019e459152fe9c2b04eedc3bbea3ae9f7d4dbc5ec102a3c5fe108a0a6

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p6771550.exe

MD5 9c40063dc990863ba747046695b66de3
SHA1 768037d9239254b189798c6b10e6e92f99ab6377
SHA256 2a1812293ed1c85ce17438a90c5701f6cd74a623f64a34591df08bdcb473da1c
SHA512 2ad41fe48174717df9a3524d0833bcfd019065098a8f0272e2d4a116f09c42137942e414559e4395f53cfad34497d2f999784c3a100dd40be3626dd8b4ac4c51

memory/1048-14-0x00007FF98FA03000-0x00007FF98FA05000-memory.dmp

memory/1048-15-0x0000000000030000-0x000000000003A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r4522158.exe

MD5 069ec3c24700c09e504cd327b8f1b640
SHA1 d5c8e3cbe2c04c724e06e9ec3ad0212266fd1893
SHA256 566bc2d705132076a334bbb608aee51d4624caab0a721492c9a6f34647876f43
SHA512 4c5730311b8e9a29089283c7807d68c6b1f8d70c6b7d3edf31bd7274fe4aedf23d7b84cfc42e8a8f1a73e1ed4f4a2f9793a98c848dc90a64ff728a16d3bc8392

memory/4728-20-0x0000000000DA0000-0x0000000000DD0000-memory.dmp

memory/4728-21-0x0000000001560000-0x0000000001566000-memory.dmp

memory/4728-22-0x000000000B130000-0x000000000B748000-memory.dmp

memory/4728-23-0x000000000AC20000-0x000000000AD2A000-memory.dmp

memory/4728-24-0x000000000AB50000-0x000000000AB62000-memory.dmp

memory/4728-25-0x000000000ABB0000-0x000000000ABEC000-memory.dmp

memory/4728-26-0x0000000002F90000-0x0000000002FDC000-memory.dmp

Analysis: behavioral19

Detonation Overview

Submitted

2024-05-09 14:38

Reported

2024-05-09 14:41

Platform

win10v2004-20240508-en

Max time kernel

92s

Max time network

101s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c39106a3520b59f859a00bc0014f6b5a4846b40742a925b66283b31e62094c4e.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\c39106a3520b59f859a00bc0014f6b5a4846b40742a925b66283b31e62094c4e.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\c39106a3520b59f859a00bc0014f6b5a4846b40742a925b66283b31e62094c4e.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\c39106a3520b59f859a00bc0014f6b5a4846b40742a925b66283b31e62094c4e.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\c39106a3520b59f859a00bc0014f6b5a4846b40742a925b66283b31e62094c4e.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\c39106a3520b59f859a00bc0014f6b5a4846b40742a925b66283b31e62094c4e.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\c39106a3520b59f859a00bc0014f6b5a4846b40742a925b66283b31e62094c4e.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\c39106a3520b59f859a00bc0014f6b5a4846b40742a925b66283b31e62094c4e.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\c39106a3520b59f859a00bc0014f6b5a4846b40742a925b66283b31e62094c4e.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c39106a3520b59f859a00bc0014f6b5a4846b40742a925b66283b31e62094c4e.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\c39106a3520b59f859a00bc0014f6b5a4846b40742a925b66283b31e62094c4e.exe

"C:\Users\Admin\AppData\Local\Temp\c39106a3520b59f859a00bc0014f6b5a4846b40742a925b66283b31e62094c4e.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
BE 88.221.83.232:443 www.bing.com tcp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
BE 88.221.83.232:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 232.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 25.14.97.104.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

memory/1156-0-0x0000000000401000-0x0000000000404000-memory.dmp

memory/1156-1-0x00000000005B0000-0x00000000005EE000-memory.dmp

memory/1156-7-0x0000000000400000-0x000000000044E000-memory.dmp

memory/1156-8-0x00000000005B0000-0x00000000005EE000-memory.dmp

memory/1156-9-0x0000000002370000-0x0000000002371000-memory.dmp

Analysis: behavioral22

Detonation Overview

Submitted

2024-05-09 14:38

Reported

2024-05-09 14:41

Platform

win10v2004-20240508-en

Max time kernel

145s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f66a0103e4528b09122b55cb248c3007154afc26e699fa5ddf5d3f200e810a71.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9617499.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f1016806.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9617499.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\f66a0103e4528b09122b55cb248c3007154afc26e699fa5ddf5d3f200e810a71.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\f66a0103e4528b09122b55cb248c3007154afc26e699fa5ddf5d3f200e810a71.exe

"C:\Users\Admin\AppData\Local\Temp\f66a0103e4528b09122b55cb248c3007154afc26e699fa5ddf5d3f200e810a71.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9617499.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9617499.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f1016806.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f1016806.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
FI 77.91.68.48:19071 tcp
US 8.8.8.8:53 1.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
BE 2.17.107.107:443 www.bing.com tcp
US 8.8.8.8:53 107.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
FI 77.91.68.48:19071 tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 25.14.97.104.in-addr.arpa udp
FI 77.91.68.48:19071 tcp
US 8.8.8.8:53 99.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
FI 77.91.68.48:19071 tcp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
FI 77.91.68.48:19071 tcp
FI 77.91.68.48:19071 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9617499.exe

MD5 1e4d978f486733815fa2a74fe7d0e9f5
SHA1 87bf1dd3c55e3a265249970befb9c4d6675c7914
SHA256 d5a4727fc533918aa9f73ce0aec0a88a58221512fccfd54e935f339a79fb68ca
SHA512 0c61596597603da0b7d038b80da759fddbac119cbc8f3e3a26fbf60ded1c91092892482dc3038570b8d3b8ab939786e592a994f1ee059159e8b2f01f983645fd

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f1016806.exe

MD5 4675a01bc71e879926d8f743e3d0cc4e
SHA1 361547ce6a7ef526778697a74422f05d913cd4a7
SHA256 48a3b8d04d4ecce8fda7acbdf140fdfe0487b5d670f765fa67b3a9b476e683f1
SHA512 7334f76d51cddc0b8bb23b2d6960e6c70fbfed97e645f6ad993d26c78181f25bcb90323b40d64b5a5966aedebcce3ddec9032815de955d8eb21888ca395a2582

memory/1988-18-0x0000000000401000-0x0000000000402000-memory.dmp

memory/1988-14-0x0000000000440000-0x0000000000470000-memory.dmp

memory/1988-19-0x0000000000400000-0x000000000043A000-memory.dmp

memory/1988-20-0x0000000002110000-0x0000000002116000-memory.dmp

memory/1988-21-0x0000000004C80000-0x0000000005298000-memory.dmp

memory/1988-22-0x00000000052A0000-0x00000000053AA000-memory.dmp

memory/1988-23-0x0000000004A20000-0x0000000004A32000-memory.dmp

memory/1988-24-0x00000000053B0000-0x00000000053EC000-memory.dmp

memory/1988-25-0x0000000005420000-0x000000000546C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-09 14:38

Reported

2024-05-09 14:41

Platform

win10v2004-20240426-en

Max time kernel

148s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2176dd177933f7067296700761e340f0aada8c29c352796e3aeb0be5db5e1368.exe"

Signatures

Amadey

trojan amadey

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a5970039.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a5970039.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a5970039.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a5970039.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a5970039.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a5970039.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b4024066.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a5970039.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\2176dd177933f7067296700761e340f0aada8c29c352796e3aeb0be5db5e1368.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5031831.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5473069.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c9593912.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c9593912.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c9593912.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a5970039.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a5970039.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a5970039.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5024 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Local\Temp\2176dd177933f7067296700761e340f0aada8c29c352796e3aeb0be5db5e1368.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5031831.exe
PID 5024 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Local\Temp\2176dd177933f7067296700761e340f0aada8c29c352796e3aeb0be5db5e1368.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5031831.exe
PID 5024 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Local\Temp\2176dd177933f7067296700761e340f0aada8c29c352796e3aeb0be5db5e1368.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5031831.exe
PID 1320 wrote to memory of 4292 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5031831.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5473069.exe
PID 1320 wrote to memory of 4292 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5031831.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5473069.exe
PID 1320 wrote to memory of 4292 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5031831.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5473069.exe
PID 4292 wrote to memory of 3576 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5473069.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a5970039.exe
PID 4292 wrote to memory of 3576 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5473069.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a5970039.exe
PID 4292 wrote to memory of 1060 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5473069.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b4024066.exe
PID 4292 wrote to memory of 1060 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5473069.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b4024066.exe
PID 4292 wrote to memory of 1060 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5473069.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b4024066.exe
PID 1060 wrote to memory of 4344 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b4024066.exe C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
PID 1060 wrote to memory of 4344 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b4024066.exe C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
PID 1060 wrote to memory of 4344 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b4024066.exe C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
PID 1320 wrote to memory of 3596 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5031831.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c9593912.exe
PID 1320 wrote to memory of 3596 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5031831.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c9593912.exe
PID 1320 wrote to memory of 3596 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5031831.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c9593912.exe
PID 5024 wrote to memory of 3660 N/A C:\Users\Admin\AppData\Local\Temp\2176dd177933f7067296700761e340f0aada8c29c352796e3aeb0be5db5e1368.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d6125712.exe
PID 5024 wrote to memory of 3660 N/A C:\Users\Admin\AppData\Local\Temp\2176dd177933f7067296700761e340f0aada8c29c352796e3aeb0be5db5e1368.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d6125712.exe
PID 5024 wrote to memory of 3660 N/A C:\Users\Admin\AppData\Local\Temp\2176dd177933f7067296700761e340f0aada8c29c352796e3aeb0be5db5e1368.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d6125712.exe
PID 4344 wrote to memory of 432 N/A C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe C:\Windows\SysWOW64\schtasks.exe
PID 4344 wrote to memory of 432 N/A C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe C:\Windows\SysWOW64\schtasks.exe
PID 4344 wrote to memory of 432 N/A C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe C:\Windows\SysWOW64\schtasks.exe
PID 4344 wrote to memory of 3776 N/A C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe C:\Windows\SysWOW64\cmd.exe
PID 4344 wrote to memory of 3776 N/A C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe C:\Windows\SysWOW64\cmd.exe
PID 4344 wrote to memory of 3776 N/A C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe C:\Windows\SysWOW64\cmd.exe
PID 3776 wrote to memory of 2956 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3776 wrote to memory of 2956 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3776 wrote to memory of 2956 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3776 wrote to memory of 1420 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3776 wrote to memory of 1420 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3776 wrote to memory of 1420 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3776 wrote to memory of 3672 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3776 wrote to memory of 3672 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3776 wrote to memory of 3672 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3776 wrote to memory of 4796 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3776 wrote to memory of 4796 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3776 wrote to memory of 4796 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3776 wrote to memory of 3692 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3776 wrote to memory of 3692 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3776 wrote to memory of 3692 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3776 wrote to memory of 3708 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3776 wrote to memory of 3708 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3776 wrote to memory of 3708 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2176dd177933f7067296700761e340f0aada8c29c352796e3aeb0be5db5e1368.exe

"C:\Users\Admin\AppData\Local\Temp\2176dd177933f7067296700761e340f0aada8c29c352796e3aeb0be5db5e1368.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5031831.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5031831.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5473069.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5473069.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a5970039.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a5970039.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b4024066.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b4024066.exe

C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe

"C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe"

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c9593912.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c9593912.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d6125712.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d6125712.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN danke.exe /TR "C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "danke.exe" /P "Admin:N"&&CACLS "danke.exe" /P "Admin:R" /E&&echo Y|CACLS "..\3ec1f323b5" /P "Admin:N"&&CACLS "..\3ec1f323b5" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "danke.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "danke.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\3ec1f323b5" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\3ec1f323b5" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe

C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe

C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe

C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
BE 88.221.83.232:443 www.bing.com tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 232.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
BE 88.221.83.232:443 www.bing.com tcp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
FI 77.91.68.68:19071 tcp
FI 77.91.68.3:80 tcp
FI 77.91.68.68:19071 tcp
FI 77.91.68.3:80 tcp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
FI 77.91.68.68:19071 tcp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
FI 77.91.68.3:80 tcp
FI 77.91.68.68:19071 tcp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
FI 77.91.68.3:80 tcp
FI 77.91.68.68:19071 tcp
FI 77.91.68.3:80 tcp
FI 77.91.68.68:19071 tcp
US 8.8.8.8:53 10.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5031831.exe

MD5 64914ff9bf5be388b673a4c159e81f0d
SHA1 e50e480364a0efb07a0b3619a35706a338cec43d
SHA256 d86e1af67ea1610cd582ea0dee48a2b98bc078d11b39de4f18e1df0e2b904d06
SHA512 073712b4a0aa9be3e81d83aa8ed42366e4962b767846172b0e1b33a784d75776c62b703b324a126334aac3b787ba4f94aa592752ca9c98f3c3691649f5177b49

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5473069.exe

MD5 47c57a08974e981716c8ebc94e73cef6
SHA1 f3a2cc808f85bb7fc40c1814e76cf7ecbc3e76eb
SHA256 c42d18d5dcc41dd560469e1c68b7955501ec3b2545ee8322a1f7dde7d7a90ad8
SHA512 b6f25499399d4d5738e9b103fe1438705700236656d9242a62194228c69eb70945066fd829191d50e2d8f59aed12cc2bbb5e8daa7961864d81ccb1b8bf7e27e4

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a5970039.exe

MD5 b9f7307f3344963173587f481cf79702
SHA1 d1771c11330d7f05b465837268f1993d16a50ef9
SHA256 3f1deb49ae3b7e8074b543490e6a24045c16a73102668c09729a4decb3260068
SHA512 ef449c472223eddfd606b5035962564da2b3b47e46dd7bb796e8565f14349bc1edd9e716d4b288d65dda044d47f1ee527554d130f0de6b6cf4d78a1b2e0741f5

memory/3576-22-0x00007FFB9C7C3000-0x00007FFB9C7C5000-memory.dmp

memory/3576-21-0x0000000000840000-0x000000000084A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b4024066.exe

MD5 b4e48d49180a5de33de9a468850dd56d
SHA1 a813b19d1b7ca147c0bf19394d85dbb5e68e2499
SHA256 848b8ac51ed5492cc8dbf0db13d11166b3f40984d335c441ad0370fa1c6efaf4
SHA512 aeba44dbea2fd4d2cd72139e1f3a02be121237909bce8eef15fa36c66903bcae2231c0cb527e3aece354b50412a8ebae4dcce8898b66c1608a7643a45f49905f

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c9593912.exe

MD5 28b567d6d377880e6336770aa32966c6
SHA1 44e450e5488cd710318a62c30ecd3c2b0e5ce405
SHA256 970dc870f858c266ae0f4b8f2d1e8cdd971896b7ceba28f8edd18bd341b360b6
SHA512 1d7bbc36c404de957393268d1fba3a547b8a1b7535cc6f444bcba8393259e24db8144aeb85b2ca0de1e95196eba7d7693e35e2c7319886d42e5b6515b81bf7d5

memory/3596-40-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d6125712.exe

MD5 5857ee0726d73781a91d8e82eaa75062
SHA1 2af364ed6f7f7612b5c7fdff981d547d13518a1d
SHA256 9b96fd6fb35d86dbf485be9d03649a67f4e19ec2eacf97b63c1ff5f71495ecc7
SHA512 50468fa0a187a446ce3e58aaa2c59ec04f8df55a588a7ae75674976cff5acf1f3c92b27bbe431ebad7f8dbd0125d664f38bade9df34a7fb79c658c5ec27dceb2

memory/3660-44-0x00000000000F0000-0x0000000000120000-memory.dmp

memory/3660-45-0x0000000002360000-0x0000000002366000-memory.dmp

memory/3660-46-0x0000000005010000-0x0000000005628000-memory.dmp

memory/3660-47-0x0000000004B40000-0x0000000004C4A000-memory.dmp

memory/3660-48-0x0000000004A80000-0x0000000004A92000-memory.dmp

memory/3660-49-0x0000000004AE0000-0x0000000004B1C000-memory.dmp

memory/3660-50-0x0000000004C50000-0x0000000004C9C000-memory.dmp

Analysis: behavioral6

Detonation Overview

Submitted

2024-05-09 14:38

Reported

2024-05-09 14:41

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\604faa1b561362f508b03ad69516b2debf7434ce4ec5f42177ba41cf3907cbed.exe"

Signatures

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

ZGRat

rat zgrat

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2728 set thread context of 744 N/A C:\Users\Admin\AppData\Local\Temp\604faa1b561362f508b03ad69516b2debf7434ce4ec5f42177ba41cf3907cbed.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2728 wrote to memory of 744 N/A C:\Users\Admin\AppData\Local\Temp\604faa1b561362f508b03ad69516b2debf7434ce4ec5f42177ba41cf3907cbed.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2728 wrote to memory of 744 N/A C:\Users\Admin\AppData\Local\Temp\604faa1b561362f508b03ad69516b2debf7434ce4ec5f42177ba41cf3907cbed.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2728 wrote to memory of 744 N/A C:\Users\Admin\AppData\Local\Temp\604faa1b561362f508b03ad69516b2debf7434ce4ec5f42177ba41cf3907cbed.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2728 wrote to memory of 744 N/A C:\Users\Admin\AppData\Local\Temp\604faa1b561362f508b03ad69516b2debf7434ce4ec5f42177ba41cf3907cbed.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2728 wrote to memory of 744 N/A C:\Users\Admin\AppData\Local\Temp\604faa1b561362f508b03ad69516b2debf7434ce4ec5f42177ba41cf3907cbed.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2728 wrote to memory of 744 N/A C:\Users\Admin\AppData\Local\Temp\604faa1b561362f508b03ad69516b2debf7434ce4ec5f42177ba41cf3907cbed.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2728 wrote to memory of 744 N/A C:\Users\Admin\AppData\Local\Temp\604faa1b561362f508b03ad69516b2debf7434ce4ec5f42177ba41cf3907cbed.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2728 wrote to memory of 744 N/A C:\Users\Admin\AppData\Local\Temp\604faa1b561362f508b03ad69516b2debf7434ce4ec5f42177ba41cf3907cbed.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
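As an added example (not part of the sandbox report), the check below reduces the SetThreadContext and WriteProcessMemory tables above to the one question a responder cares about: did a process running from the user's Temp directory both write into and set the thread context of a child that is a Windows-supplied binary? A "wrote to memory of" row on its own is what every CreateProcess looks like in this report (the cmd.exe -> cacls.exe rows in the Amadey detonations are exactly that); the "set thread context of" row is what marks the create-suspended, overwrite, redirect-entry-point, resume sequence into RegAsm.exe. The sample rows are copied from this page; the path patterns used as thresholds are assumptions.

```python
import re
from collections import defaultdict
from typing import NamedTuple

# Constructed input: rows copied from the WriteProcessMemory / SetThreadContext tables of this
# detonation, plus cmd.exe -> cacls.exe and loader -> stage rows from the Amadey detonations
# as controls that must NOT be flagged.
SAMPLE_ROWS = r"""
PID 2728 set thread context of 744 N/A C:\Users\Admin\AppData\Local\Temp\604faa1b561362f508b03ad69516b2debf7434ce4ec5f42177ba41cf3907cbed.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2728 wrote to memory of 744 N/A C:\Users\Admin\AppData\Local\Temp\604faa1b561362f508b03ad69516b2debf7434ce4ec5f42177ba41cf3907cbed.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2728 wrote to memory of 744 N/A C:\Users\Admin\AppData\Local\Temp\604faa1b561362f508b03ad69516b2debf7434ce4ec5f42177ba41cf3907cbed.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 900 wrote to memory of 3264 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 900 wrote to memory of 3264 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2192 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\6c15f1899ddb76b31fda1ef8a7d18f02ebe3c6f0dc3202cb51c180fecb4fcfed.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5787480.exe
"""

# Row shape as printed on this page (assumption: image paths contain no spaces).
ROW = re.compile(r"^PID (\d+) (set thread context of|wrote to memory of) (\d+) N/A (\S+) (\S+)$")
# Loader location that makes the pair suspicious (assumption: the user's Temp directory).
USER_TEMP = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)
# Host binaries that should only ever be written into by the OS loader, not by a Temp executable.
WINDOWS_DIR = "c:\\windows\\"


class Event(NamedTuple):
    src_pid: int
    action: str
    dst_pid: int
    src_image: str
    dst_image: str


def parse_rows(text):
    """Parse the sandbox table rows into Event tuples; rows that do not fit are skipped."""
    events = []
    for line in text.strip().splitlines():
        m = ROW.match(line.strip())
        if m:
            events.append(Event(int(m[1]), m[2], int(m[3]), m[4], m[5]))
    return events


def hollowing_candidates(events):
    """Parent/child pairs where a Temp-resident parent both wrote into and set the thread
    context of a child under C:\\Windows. A write alone is what every CreateProcess looks
    like; write + SetThreadContext on a system binary is the create-suspended / overwrite /
    redirect-entry-point / resume sequence."""
    actions = defaultdict(set)
    writes = defaultdict(int)
    for e in events:
        key = (e.src_pid, e.dst_pid, e.src_image, e.dst_image)
        actions[key].add(e.action)
        if e.action == "wrote to memory of":
            writes[key] += 1

    hits = []
    for key, acts in actions.items():
        src_pid, dst_pid, src_image, dst_image = key
        if not {"set thread context of", "wrote to memory of"} <= acts:
            continue
        if not USER_TEMP.match(src_image):
            continue
        if not dst_image.lower().startswith(WINDOWS_DIR):
            continue
        hits.append({
            "src_pid": src_pid,
            "dst_pid": dst_pid,
            "loader": src_image.rsplit("\\", 1)[-1],
            "host_binary": dst_image.rsplit("\\", 1)[-1],
            "writes": writes[key],
        })
    return hits


if __name__ == "__main__":
    for h in hollowing_candidates(parse_rows(SAMPLE_ROWS)):
        print(f"PID {h['src_pid']} ({h['loader']}) hollowed PID {h['dst_pid']} "
              f"({h['host_binary']}) after {h['writes']} writes")
```

On the rows above this yields a single pair, 2728 -> 744 into RegAsm.exe, and nothing for the cmd.exe -> cacls.exe or loader -> stage pairs. The dump memory/744-1-0x0000000000400000-0x000000000044A000-memory.dmp listed under Files below is the region in RegAsm.exe's address space to carve first (0x400000 is the default image base of a 32-bit executable), and the WerFault.exe -p 2728 entries in the process list show the injecting parent faulting once the child was running.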

Processes

C:\Users\Admin\AppData\Local\Temp\604faa1b561362f508b03ad69516b2debf7434ce4ec5f42177ba41cf3907cbed.exe

"C:\Users\Admin\AppData\Local\Temp\604faa1b561362f508b03ad69516b2debf7434ce4ec5f42177ba41cf3907cbed.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2728 -ip 2728

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2728 -s 332

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
RU 147.45.47.64:11837 tcp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
BE 2.17.107.107:443 www.bing.com tcp
US 8.8.8.8:53 64.47.45.147.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 107.107.17.2.in-addr.arpa udp
BE 2.17.107.107:443 www.bing.com tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 25.14.97.104.in-addr.arpa udp
US 8.8.8.8:53 100.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 94.65.42.20.in-addr.arpa udp

Files

memory/2728-0-0x0000000000C52000-0x0000000000C53000-memory.dmp

memory/744-1-0x0000000000400000-0x000000000044A000-memory.dmp

memory/744-2-0x00000000744AE000-0x00000000744AF000-memory.dmp

memory/744-3-0x0000000005870000-0x0000000005E14000-memory.dmp

memory/744-4-0x0000000005210000-0x00000000052A2000-memory.dmp

memory/744-5-0x00000000744A0000-0x0000000074C50000-memory.dmp

memory/744-6-0x00000000051E0000-0x00000000051EA000-memory.dmp

memory/744-7-0x0000000006840000-0x0000000006E58000-memory.dmp

memory/744-8-0x0000000006370000-0x000000000647A000-memory.dmp

memory/744-9-0x00000000062A0000-0x00000000062B2000-memory.dmp

memory/744-10-0x0000000006300000-0x000000000633C000-memory.dmp

memory/744-11-0x0000000006480000-0x00000000064CC000-memory.dmp

memory/744-12-0x0000000006600000-0x0000000006666000-memory.dmp

memory/744-13-0x0000000006F60000-0x0000000006FD6000-memory.dmp

memory/744-14-0x00000000067E0000-0x00000000067FE000-memory.dmp

memory/744-15-0x0000000008570000-0x0000000008732000-memory.dmp

memory/744-16-0x0000000008C70000-0x000000000919C000-memory.dmp

memory/744-18-0x00000000744A0000-0x0000000074C50000-memory.dmp

Analysis: behavioral10

Detonation Overview

Submitted

2024-05-09 14:38

Reported

2024-05-09 14:41

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6c15f1899ddb76b31fda1ef8a7d18f02ebe3c6f0dc3202cb51c180fecb4fcfed.exe"

Signatures

Amadey

trojan amadey

Detects Healer, an antivirus-disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p5617583.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p5617583.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p5617583.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p5617583.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p5617583.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p5617583.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r5327652.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p5617583.exe N/A
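Added example, not from the report: a parser for the registry rows in the two Defender tables above that reduces them to "which Defender switches did which process flip". The watchlist is exactly what this sample wrote (five Real-Time Protection policy values set to 1 plus Features\TamperProtection set to 0); DisableAntiSpyware is added as an assumption because it belongs to the same set of switches, and the row format is assumed to be the one printed on this page.

```python
import re
from collections import defaultdict

# Constructed input: registry rows copied from the two Defender signature tables above, plus a
# "Key value queried" row from the same detonation that the parser must ignore.
SAMPLE_ROWS = r"""
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p5617583.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p5617583.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p5617583.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p5617583.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p5617583.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p5617583.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p5617583.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe N/A
"""

# 'Set value (<type>) <key\value> = "<data>" <process> <target>' as printed on this page.
SET_VALUE = re.compile(r'^Set value \((\w+)\) (\\REGISTRY\\.+?) = "([^"]*)" (\S+) (\S+)$')

RTP = r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
# value -> data that turns the protection off. The first six are exactly what this sample
# wrote; DisableAntiSpyware is an assumption, added because it belongs to the same switch set.
WATCHLIST = {
    RTP + r"\DisableRealtimeMonitoring": "1",
    RTP + r"\DisableBehaviorMonitoring": "1",
    RTP + r"\DisableIOAVProtection": "1",
    RTP + r"\DisableOnAccessProtection": "1",
    RTP + r"\DisableScanOnRealtimeEnable": "1",
    r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection": "0",
    r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware": "1",
}
_WATCH = {k.lower(): v for k, v in WATCHLIST.items()}


def defender_tamper_findings(text):
    """One finding per registry write that hits the watchlist with the disabling data."""
    findings = []
    for line in text.strip().splitlines():
        m = SET_VALUE.match(line.strip())
        if not m:
            continue
        _vtype, key, data, process, _target = m.groups()
        if _WATCH.get(key.lower()) == data:
            findings.append({"value": key.rsplit("\\", 1)[-1], "data": data, "process": process})
    return findings


def by_process(findings):
    """Group the flipped switches by the process that wrote them."""
    grouped = defaultdict(list)
    for f in findings:
        grouped[f["process"]].append(f["value"])
    return dict(grouped)


if __name__ == "__main__":
    for proc, values in by_process(defender_tamper_findings(SAMPLE_ROWS)).items():
        print(proc, "disabled:", ", ".join(values))
```

Two caveats when reading this on a live host rather than in a sandbox: writing under HKLM\SOFTWARE\Policies needs an elevated token, and when Tamper Protection is on Defender is designed to ignore these policy values and to reject a plain registry write that clears the TamperProtection flag, so a report like this shows the attempt, not necessarily the outcome. Get-MpComputerStatus (IsTamperProtected, RealTimeProtectionEnabled) is the quick way to see the effective state.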

Adds Run key to start application

persistence
Caveat: the two RunOnce values below (wextract_cleanup0 and wextract_cleanup1, pointing rundll32 at advpack.dll,DelNodeRunDLL32 with the IXP000.TMP and IXP001.TMP directories) are the self-cleanup hooks that the wextract/IExpress self-extractor wrapping each stage writes so its extraction directories are deleted at the next logon; they do not relaunch anything. The persistence that matters in this detonation is the per-minute scheduled task for legola.exe listed further down.
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\6c15f1899ddb76b31fda1ef8a7d18f02ebe3c6f0dc3202cb51c180fecb4fcfed.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5787480.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p5617583.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p5617583.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p5617583.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2192 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\6c15f1899ddb76b31fda1ef8a7d18f02ebe3c6f0dc3202cb51c180fecb4fcfed.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5787480.exe
PID 2192 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\6c15f1899ddb76b31fda1ef8a7d18f02ebe3c6f0dc3202cb51c180fecb4fcfed.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5787480.exe
PID 2192 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\6c15f1899ddb76b31fda1ef8a7d18f02ebe3c6f0dc3202cb51c180fecb4fcfed.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5787480.exe
PID 2372 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5787480.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p5617583.exe
PID 2372 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5787480.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p5617583.exe
PID 2372 wrote to memory of 4044 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5787480.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r5327652.exe
PID 2372 wrote to memory of 4044 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5787480.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r5327652.exe
PID 2372 wrote to memory of 4044 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5787480.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r5327652.exe
PID 4044 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r5327652.exe C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe
PID 4044 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r5327652.exe C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe
PID 4044 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r5327652.exe C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe
PID 2192 wrote to memory of 4188 N/A C:\Users\Admin\AppData\Local\Temp\6c15f1899ddb76b31fda1ef8a7d18f02ebe3c6f0dc3202cb51c180fecb4fcfed.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\t4172059.exe
PID 2192 wrote to memory of 4188 N/A C:\Users\Admin\AppData\Local\Temp\6c15f1899ddb76b31fda1ef8a7d18f02ebe3c6f0dc3202cb51c180fecb4fcfed.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\t4172059.exe
PID 2192 wrote to memory of 4188 N/A C:\Users\Admin\AppData\Local\Temp\6c15f1899ddb76b31fda1ef8a7d18f02ebe3c6f0dc3202cb51c180fecb4fcfed.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\t4172059.exe
PID 2868 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe C:\Windows\SysWOW64\schtasks.exe
PID 2868 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe C:\Windows\SysWOW64\schtasks.exe
PID 2868 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe C:\Windows\SysWOW64\schtasks.exe
PID 2868 wrote to memory of 900 N/A C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe C:\Windows\SysWOW64\cmd.exe
PID 2868 wrote to memory of 900 N/A C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe C:\Windows\SysWOW64\cmd.exe
PID 2868 wrote to memory of 900 N/A C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe C:\Windows\SysWOW64\cmd.exe
PID 900 wrote to memory of 3164 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 900 wrote to memory of 3164 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 900 wrote to memory of 3164 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 900 wrote to memory of 3264 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 900 wrote to memory of 3264 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 900 wrote to memory of 3264 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 900 wrote to memory of 4508 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 900 wrote to memory of 4508 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 900 wrote to memory of 4508 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 900 wrote to memory of 1924 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 900 wrote to memory of 1924 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 900 wrote to memory of 1924 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 900 wrote to memory of 3972 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 900 wrote to memory of 3972 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 900 wrote to memory of 3972 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 900 wrote to memory of 2348 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 900 wrote to memory of 2348 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 900 wrote to memory of 2348 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe

Processes

C:\Users\Admin\AppData\Local\Temp\6c15f1899ddb76b31fda1ef8a7d18f02ebe3c6f0dc3202cb51c180fecb4fcfed.exe

"C:\Users\Admin\AppData\Local\Temp\6c15f1899ddb76b31fda1ef8a7d18f02ebe3c6f0dc3202cb51c180fecb4fcfed.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5787480.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5787480.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p5617583.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p5617583.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r5327652.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r5327652.exe

C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe

"C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\t4172059.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\t4172059.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legola.exe /TR "C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legola.exe" /P "Admin:N"&&CACLS "legola.exe" /P "Admin:R" /E&&echo Y|CACLS "..\ebb444342c" /P "Admin:N"&&CACLS "..\ebb444342c" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "legola.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "legola.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\ebb444342c" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\ebb444342c" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe

C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe

C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe

C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe
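Added example, not part of the report. It parses the two command lines that legola.exe spawns (copied from the process list above) and names the pattern: a scheduled task that relaunches the binary every minute from the user's Temp directory, followed by CACLS replacing the ACL on the binary and on its directory with "no access" (/P user:N) and then editing it (/E) to read-only (/P user:R), so the logged-on user can no longer modify or delete either. The same sequence appears with danke.exe in the earlier detonation. The regexes and the rules for what counts as suspicious are assumptions; the CACLS permission letters are the documented ones (N none, R read, W write, C change, F full).

```python
import re

# Constructed input: the two command lines legola.exe spawns, copied from the Processes list above.
SCHTASKS_CMD = r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legola.exe /TR "C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe" /F'
CACLS_CMD = r'"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legola.exe" /P "Admin:N"&&CACLS "legola.exe" /P "Admin:R" /E&&echo Y|CACLS "..\ebb444342c" /P "Admin:N"&&CACLS "..\ebb444342c" /P "Admin:R" /E&&Exit'

USER_TEMP = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)
# CACLS "<target>" /P "<user>:<perm>" [/E]   (cacls letters: N none, R read, W write, C change, F full)
CACLS = re.compile(r'CACLS\s+"([^"]+)"\s+/P\s+"([^":]+):([A-Z])"(\s+/E)?', re.I)
PERM = {"N": "none", "R": "read", "W": "write", "C": "change", "F": "full"}


def _opt(cmd, flag):
    """Value of a schtasks-style '/FLAG value' option, quoted or bare; None if absent."""
    m = re.search(r'(?<!\S)/' + flag + r'\s+(?:"([^"]+)"|(\S+))', cmd, re.I)
    return None if m is None else (m[1] or m[2])


def parse_schtasks(cmd):
    """Pull the fields that matter out of a 'schtasks /Create' command line."""
    if not re.search(r'schtasks(?:\.exe)?"?\s+/create', cmd, re.I):
        return None
    run = _opt(cmd, "TR")
    return {
        "task_name": _opt(cmd, "TN"),
        "schedule": (_opt(cmd, "SC") or "").upper(),
        "every": int(_opt(cmd, "MO") or 1),
        "run": run,
        "force": re.search(r'(?<!\S)/F(?!\S)', cmd, re.I) is not None,
        "runs_from_user_temp": bool(run and USER_TEMP.match(run)),
    }


def parse_cacls(cmd):
    """Every CACLS invocation in a (possibly &&-chained) command line, in order."""
    return [{"target": m[1], "user": m[2], "perm": m[3].upper(), "edit": m[4] is not None}
            for m in CACLS.finditer(cmd)]


def acl_lockdown(entries):
    """Targets whose ACL was replaced with 'no access' (/P user:N) and then edited (/E) back
    to read-only: enough for the task to keep launching the file, not enough for the user
    to change or delete it."""
    history = {}
    for e in entries:
        t = e["target"].lower()
        if e["perm"] == "N" and not e["edit"]:
            history[t] = ["none"]
        elif t in history and e["edit"]:
            history[t].append(PERM.get(e["perm"], e["perm"]))
    return {t for t, seq in history.items() if seq == ["none", "read"]}


def amadey_persistence(cmdlines):
    """Findings as (kind, subject, detail) tuples, in command-line order."""
    findings = []
    for cmd in cmdlines:
        task = parse_schtasks(cmd)
        if task and task["schedule"] == "MINUTE" and task["runs_from_user_temp"]:
            findings.append(("per-minute task", task["task_name"], task["run"]))
        for target in sorted(acl_lockdown(parse_cacls(cmd))):
            findings.append(("acl lockdown", target, None))
    return findings


if __name__ == "__main__":
    for kind, subject, detail in amadey_persistence([SCHTASKS_CMD, CACLS_CMD]):
        print(f"{kind}: {subject}" + (f" -> {detail}" if detail else ""))
```

The echo Y| prefix answers the Y/N confirmation prompt CACLS issues when /P replaces an ACL, which is why each pipeline shows up in the process list as an extra cmd.exe /S /D /c" echo Y" child next to the two cacls.exe children. The repeated legola.exe entries at the end of the list are consistent with the task firing after the ACL change, so read-only is enough for it to keep running. Cleaning this up by hand means resetting the ACL first (icacls <dir> /reset /T), then deleting the task (schtasks /Delete /TN legola.exe /F) and the files.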

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
BE 88.221.83.209:443 www.bing.com tcp
BE 88.221.83.209:443 www.bing.com tcp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 209.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
FI 77.91.124.84:19071 tcp
SE 5.42.92.67:80 tcp
FI 77.91.124.84:19071 tcp
SE 5.42.92.67:80 tcp
FI 77.91.124.84:19071 tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
SE 5.42.92.67:80 tcp
FI 77.91.124.84:19071 tcp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
FI 77.91.124.84:19071 tcp
FI 77.91.124.84:19071 tcp
US 8.8.8.8:53 udp
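Added example, not part of the report; it applies to the Network tables of all three detonations above, and the rows are an excerpt copied from them. It strips the traffic a Windows 10 guest produces on its own (DNS to the 8.8.8.8 resolver, Bing traffic from the Start menu and search), counts what is left, which here is the direct-to-IP TCP sessions that have no domain column, and decodes the in-addr.arpa PTR lookups back into addresses so they can be checked against the connection rows. The allowlist of benign suffixes is an assumption about this sandbox image, not a general rule.

```python
import re
from collections import Counter

# Constructed input: an excerpt of the Network tables of the three detonations above, copied
# verbatim (including one row whose domain column is empty).
SAMPLE_ROWS = """
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
BE 88.221.83.232:443 www.bing.com tcp
US 8.8.8.8:53 232.83.221.88.in-addr.arpa udp
FI 77.91.68.68:19071 tcp
FI 77.91.68.3:80 tcp
FI 77.91.68.68:19071 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
RU 147.45.47.64:11837 tcp
US 8.8.8.8:53 64.47.45.147.in-addr.arpa udp
FI 77.91.124.84:19071 tcp
SE 5.42.92.67:80 tcp
US 8.8.8.8:53 udp
"""

# "<CC> <ip>:<port> [<domain>] <proto>" as printed on this page.
ROW = re.compile(r"^([A-Z]{2}) (\d{1,3}(?:\.\d{1,3}){3}):(\d+)(?: (\S+))? (tcp|udp)$")
PTR = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)\.in-addr\.arpa$", re.I)
RESOLVER = "8.8.8.8"
# Assumption: background traffic of this sandbox's Windows 10 image, not a general allowlist.
BENIGN_SUFFIXES = ("bing.com", "bing.net", "microsoft.com", "windowsupdate.com", "msftconnecttest.com")


def parse_rows(text):
    rows = []
    for line in text.strip().splitlines():
        m = ROW.match(line.strip())
        if m:
            country, ip, port, domain, proto = m.groups()
            rows.append({"country": country, "ip": ip, "port": int(port), "domain": domain, "proto": proto})
    return rows


def is_benign_domain(domain):
    d = domain.lower()
    return any(d == s or d.endswith("." + s) for s in BENIGN_SUFFIXES)


def candidate_c2(rows):
    """Count connections that are neither DNS to the resolver nor to an allowlisted domain,
    keyed by ip:port so repeated sessions to the same endpoint stand out."""
    counts = Counter()
    for r in rows:
        if r["ip"] == RESOLVER and r["port"] == 53:
            continue
        if r["domain"] and is_benign_domain(r["domain"]):
            continue
        counts[f"{r['ip']}:{r['port']}"] += 1
    return counts


def ptr_lookup_targets(rows):
    """Addresses the guest reverse-resolved: d.c.b.a.in-addr.arpa -> a.b.c.d."""
    targets = set()
    for r in rows:
        m = PTR.match(r["domain"] or "")
        if m:
            targets.add(".".join(reversed(m.groups())))
    return targets


def ports_seen_on_multiple_hosts(counts):
    """Ports shared by more than one candidate endpoint: a cheap pivot between detonations."""
    hosts_by_port = {}
    for endpoint in counts:
        ip, port = endpoint.rsplit(":", 1)
        hosts_by_port.setdefault(port, set()).add(ip)
    return {p: sorted(h) for p, h in hosts_by_port.items() if len(h) > 1}


if __name__ == "__main__":
    rows = parse_rows(SAMPLE_ROWS)
    counts = candidate_c2(rows)
    for endpoint, n in counts.most_common():
        print(f"{endpoint:22} x{n}")
    print("PTR targets:", sorted(ptr_lookup_targets(rows)))
    print("shared ports:", ports_seen_on_multiple_hosts(counts))
```

On these rows what survives is 77.91.68.68:19071 and 77.91.68.3:80 from the detonation that drops danke.exe, 77.91.124.84:19071 and 5.42.92.67:80 from the one that drops legola.exe, and 147.45.47.64:11837 from the RedLine/ZGRat one. Port 19071 on two hosts inside 77.91.0.0/16 is the pivot worth carrying to other samples, and 64.47.45.147.in-addr.arpa decoding to 147.45.47.64 shows that a PTR row alone is enough to recover a destination when the connection row itself is missing from a table.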

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5787480.exe

MD5 694b7729637837e43eb014d4d2c968a6
SHA1 c2bba306b840849aa140633836ced0605db95793
SHA256 dd7b0e511c99d37d76ec1481d6d6b7c2ce687b548941818de00975b112032114
SHA512 d178e85ee9b3b72af324dceae997a1c056e0e5f4e13a36eb2c0fdbf8cf343798c43f128bd459a5e5f31520ddc7128ac949bd78c92d22476edb18ec43249cd0d1

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p5617583.exe

MD5 93bcba22f06df8fb86c113973eb20f15
SHA1 a8eed1517b821fe413cba650de349607f73b8c69
SHA256 8322ca1167bd88052e7a2c26eaf5b0d34494d1b899aa5efa4c4f0aaf515151fc
SHA512 14cb24f0c2539160764d932a3f7a43c72acb95a7b4009f975f7f2fb04749735151fc5fb84f2599de162cabe37f43ac1ec4fbe51c14f3e049329a377720f52960

memory/1076-14-0x0000000000410000-0x000000000041A000-memory.dmp

memory/1076-15-0x00007FF8E5713000-0x00007FF8E5715000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r5327652.exe

MD5 823b21cc3d3a79887e49212dac643a4f
SHA1 f37b4e8f86bc68eaf50362865799270d972f27b9
SHA256 7aab0b2e1ab9e3d05b1e84b50d502f69f540d07da3143db53e636343997deb12
SHA512 e57c6fca50b51d336cd38019db71c0f557690305d5f6dacd248d97a1710a36c7ae5a5bd388353227f789316bb672ae7390ca4782222408b569bf5e24a904b184

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\t4172059.exe

MD5 e0593e8679d77ab968e27b829f45bcbd
SHA1 a00272b2457e7b03075eb4ee1793613295396d76
SHA256 08fbfc3da43662389a9f28a0bf7447814929bb85401e1249326fdb62ec4a5d61
SHA512 f58274b538abe162be7625b5596fd6920201460e513b41f6ddcb25bbf9a31df1862b7e0051748588ffb0d9dbb2ace8c1570e5e55ce297c898bf9179195da94e4

memory/4188-33-0x00000000005E0000-0x0000000000610000-memory.dmp

memory/4188-34-0x0000000005040000-0x0000000005046000-memory.dmp

memory/4188-35-0x00000000056B0000-0x0000000005CC8000-memory.dmp

memory/4188-36-0x00000000051A0000-0x00000000052AA000-memory.dmp

memory/4188-37-0x00000000050B0000-0x00000000050C2000-memory.dmp

memory/4188-38-0x0000000005110000-0x000000000514C000-memory.dmp

memory/4188-39-0x0000000005150000-0x000000000519C000-memory.dmp

Analysis: behavioral11

Detonation Overview

Submitted

2024-05-09 14:38

Reported

2024-05-09 14:41

Platform

win10v2004-20240508-en

Max time kernel

142s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7b22e6cc31710809bbb88f27afa15ad45784dd0ccd3da27be9b6ca3b039a15ce.exe"

Signatures

Amadey

trojan amadey

Detects Healer, an antivirus-disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7283205.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7283205.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7283205.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7283205.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7283205.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7283205.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l4383584.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7283205.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\7b22e6cc31710809bbb88f27afa15ad45784dd0ccd3da27be9b6ca3b039a15ce.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0440533.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7283205.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7283205.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7283205.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5104 wrote to memory of 4136 N/A C:\Users\Admin\AppData\Local\Temp\7b22e6cc31710809bbb88f27afa15ad45784dd0ccd3da27be9b6ca3b039a15ce.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0440533.exe
PID 5104 wrote to memory of 4136 N/A C:\Users\Admin\AppData\Local\Temp\7b22e6cc31710809bbb88f27afa15ad45784dd0ccd3da27be9b6ca3b039a15ce.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0440533.exe
PID 5104 wrote to memory of 4136 N/A C:\Users\Admin\AppData\Local\Temp\7b22e6cc31710809bbb88f27afa15ad45784dd0ccd3da27be9b6ca3b039a15ce.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0440533.exe
PID 4136 wrote to memory of 3892 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0440533.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7283205.exe
PID 4136 wrote to memory of 3892 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0440533.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7283205.exe
PID 4136 wrote to memory of 416 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0440533.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l4383584.exe
PID 4136 wrote to memory of 416 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0440533.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l4383584.exe
PID 4136 wrote to memory of 416 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0440533.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l4383584.exe
PID 416 wrote to memory of 4804 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l4383584.exe C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
PID 416 wrote to memory of 4804 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l4383584.exe C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
PID 416 wrote to memory of 4804 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l4383584.exe C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
PID 5104 wrote to memory of 4412 N/A C:\Users\Admin\AppData\Local\Temp\7b22e6cc31710809bbb88f27afa15ad45784dd0ccd3da27be9b6ca3b039a15ce.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n5166286.exe
PID 5104 wrote to memory of 4412 N/A C:\Users\Admin\AppData\Local\Temp\7b22e6cc31710809bbb88f27afa15ad45784dd0ccd3da27be9b6ca3b039a15ce.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n5166286.exe
PID 5104 wrote to memory of 4412 N/A C:\Users\Admin\AppData\Local\Temp\7b22e6cc31710809bbb88f27afa15ad45784dd0ccd3da27be9b6ca3b039a15ce.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n5166286.exe
PID 4804 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe C:\Windows\SysWOW64\schtasks.exe
PID 4804 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe C:\Windows\SysWOW64\schtasks.exe
PID 4804 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe C:\Windows\SysWOW64\schtasks.exe
PID 4804 wrote to memory of 5096 N/A C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe C:\Windows\SysWOW64\cmd.exe
PID 4804 wrote to memory of 5096 N/A C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe C:\Windows\SysWOW64\cmd.exe
PID 4804 wrote to memory of 5096 N/A C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe C:\Windows\SysWOW64\cmd.exe
PID 5096 wrote to memory of 4404 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 5096 wrote to memory of 4404 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 5096 wrote to memory of 4404 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 5096 wrote to memory of 1248 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 5096 wrote to memory of 1248 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 5096 wrote to memory of 1248 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 5096 wrote to memory of 2624 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 5096 wrote to memory of 2624 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 5096 wrote to memory of 2624 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 5096 wrote to memory of 1992 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 5096 wrote to memory of 1992 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 5096 wrote to memory of 1992 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 5096 wrote to memory of 1404 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 5096 wrote to memory of 1404 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 5096 wrote to memory of 1404 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 5096 wrote to memory of 1736 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 5096 wrote to memory of 1736 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 5096 wrote to memory of 1736 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe

Processes

C:\Users\Admin\AppData\Local\Temp\7b22e6cc31710809bbb88f27afa15ad45784dd0ccd3da27be9b6ca3b039a15ce.exe

"C:\Users\Admin\AppData\Local\Temp\7b22e6cc31710809bbb88f27afa15ad45784dd0ccd3da27be9b6ca3b039a15ce.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0440533.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0440533.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7283205.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7283205.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l4383584.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l4383584.exe

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

"C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n5166286.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n5166286.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN pdates.exe /TR "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "pdates.exe" /P "Admin:N"&&CACLS "pdates.exe" /P "Admin:R" /E&&echo Y|CACLS "..\925e7e99c5" /P "Admin:N"&&CACLS "..\925e7e99c5" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "pdates.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "pdates.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\925e7e99c5" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\925e7e99c5" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
BE 88.221.83.242:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 82.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 242.83.221.88.in-addr.arpa udp
FI 77.91.68.61:80 tcp
FI 77.91.68.68:19071 tcp
FI 77.91.68.68:19071 tcp
FI 77.91.68.61:80 tcp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
FI 77.91.68.68:19071 tcp
FI 77.91.68.61:80 tcp
FI 77.91.68.68:19071 tcp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
FI 77.91.68.68:19071 tcp
FI 77.91.68.68:19071 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0440533.exe

MD5 4089a38e574f75f6d5f6b7c2b21a41d4
SHA1 187466ddf9a12449dbb9f4d73aa2acba40dc5750
SHA256 251ef86b068c66e5640c3e89c6443737e485c33ac06d9d0e4f15b9823abf3616
SHA512 58de48818277d2490be4f687a3773b3062338fa5d518f64e280609b2deb4550e934a203b2ce8fb4771dc1e335ffe306cd8e223fd4a44f49f0c65844560851239

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7283205.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

memory/3892-14-0x0000000000B20000-0x0000000000B2A000-memory.dmp

memory/3892-15-0x00007FF9F5F73000-0x00007FF9F5F75000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l4383584.exe

MD5 aea234064483f651010cf9d981f59fea
SHA1 002ad73a666d2d92d0c6d6b617e61c6fa0c5f3a6
SHA256 58b02c8b4bc2bf7f5f1e8e45d7c206956f188ae56b648922ca75987b999db503
SHA512 eae415ef55aeb1b4548c2422a72e618fce17c2c1322918d33dc6b9202a01c743a5684ba28e5d83b6cdb2b703bc12569e6bb0e87ef2decb4e8a18592e1380a434

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n5166286.exe

MD5 f1bc764701a030324f770e7e3e2d4f7a
SHA1 617be6505219183a506c618d70709eb29c01db9c
SHA256 8cbf7b4f01bbcd28bd44ed39a95a7009112c0421f2c4fc846470910cf6606ac4
SHA512 4e22af28e37a1d48ea90567ff79370b71faa144c030ce86eb13c861855ea70e68b157383cada39062b50dd8e70c62f9e3195fd393169fba4f1b991410c469ddb

memory/4412-33-0x0000000000D80000-0x0000000000DB0000-memory.dmp

memory/4412-34-0x0000000002F60000-0x0000000002F66000-memory.dmp

memory/4412-35-0x0000000005DF0000-0x0000000006408000-memory.dmp

memory/4412-36-0x00000000058E0000-0x00000000059EA000-memory.dmp

memory/4412-37-0x0000000005610000-0x0000000005622000-memory.dmp

memory/4412-38-0x0000000005670000-0x00000000056AC000-memory.dmp

memory/4412-39-0x00000000057D0000-0x000000000581C000-memory.dmp

Analysis: behavioral16

Detonation Overview

Submitted

2024-05-09 14:38

Reported

2024-05-09 14:41

Platform

win10v2004-20240426-en

Max time kernel

148s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ba769ab00897d4fb55dffd961262aca94281c6efccb3b806cc40b3c0bfa64fcb.exe"

Signatures

Amadey

trojan amadey

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h2954616.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h2954616.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h2954616.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h2954616.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h2954616.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h2954616.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g4036840.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h2954616.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\ba769ab00897d4fb55dffd961262aca94281c6efccb3b806cc40b3c0bfa64fcb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6943361.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h2954616.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h2954616.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h2954616.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1584 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\ba769ab00897d4fb55dffd961262aca94281c6efccb3b806cc40b3c0bfa64fcb.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6943361.exe
PID 1584 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\ba769ab00897d4fb55dffd961262aca94281c6efccb3b806cc40b3c0bfa64fcb.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6943361.exe
PID 1584 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\ba769ab00897d4fb55dffd961262aca94281c6efccb3b806cc40b3c0bfa64fcb.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6943361.exe
PID 2576 wrote to memory of 4424 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6943361.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g4036840.exe
PID 2576 wrote to memory of 4424 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6943361.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g4036840.exe
PID 2576 wrote to memory of 4424 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6943361.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g4036840.exe
PID 4424 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g4036840.exe C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
PID 4424 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g4036840.exe C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
PID 4424 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g4036840.exe C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
PID 2576 wrote to memory of 4828 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6943361.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h2954616.exe
PID 2576 wrote to memory of 4828 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6943361.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h2954616.exe
PID 3040 wrote to memory of 764 N/A C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe C:\Windows\SysWOW64\schtasks.exe
PID 3040 wrote to memory of 764 N/A C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe C:\Windows\SysWOW64\schtasks.exe
PID 3040 wrote to memory of 764 N/A C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe C:\Windows\SysWOW64\schtasks.exe
PID 3040 wrote to memory of 3688 N/A C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe C:\Windows\SysWOW64\cmd.exe
PID 3040 wrote to memory of 3688 N/A C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe C:\Windows\SysWOW64\cmd.exe
PID 3040 wrote to memory of 3688 N/A C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe C:\Windows\SysWOW64\cmd.exe
PID 3688 wrote to memory of 3432 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3688 wrote to memory of 3432 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3688 wrote to memory of 3432 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3688 wrote to memory of 660 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3688 wrote to memory of 660 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3688 wrote to memory of 660 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3688 wrote to memory of 2316 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3688 wrote to memory of 2316 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3688 wrote to memory of 2316 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3688 wrote to memory of 4952 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3688 wrote to memory of 4952 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3688 wrote to memory of 4952 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3688 wrote to memory of 488 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3688 wrote to memory of 488 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3688 wrote to memory of 488 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3688 wrote to memory of 3176 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3688 wrote to memory of 3176 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3688 wrote to memory of 3176 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1584 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\ba769ab00897d4fb55dffd961262aca94281c6efccb3b806cc40b3c0bfa64fcb.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j8567322.exe
PID 1584 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\ba769ab00897d4fb55dffd961262aca94281c6efccb3b806cc40b3c0bfa64fcb.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j8567322.exe
PID 1584 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\ba769ab00897d4fb55dffd961262aca94281c6efccb3b806cc40b3c0bfa64fcb.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j8567322.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ba769ab00897d4fb55dffd961262aca94281c6efccb3b806cc40b3c0bfa64fcb.exe

"C:\Users\Admin\AppData\Local\Temp\ba769ab00897d4fb55dffd961262aca94281c6efccb3b806cc40b3c0bfa64fcb.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6943361.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6943361.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g4036840.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g4036840.exe

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

"C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe"

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h2954616.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h2954616.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN pdates.exe /TR "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "pdates.exe" /P "Admin:N"&&CACLS "pdates.exe" /P "Admin:R" /E&&echo Y|CACLS "..\925e7e99c5" /P "Admin:N"&&CACLS "..\925e7e99c5" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "pdates.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "pdates.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\925e7e99c5" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\925e7e99c5" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j8567322.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j8567322.exe

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 36.56.20.217.in-addr.arpa udp
FI 77.91.68.61:80 tcp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
BE 2.17.107.112:443 www.bing.com tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 112.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
FI 77.91.124.84:19071 tcp
FI 77.91.124.84:19071 tcp
FI 77.91.68.61:80 tcp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
FI 77.91.124.84:19071 tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
FI 77.91.68.61:80 tcp
FI 77.91.124.84:19071 tcp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
FI 77.91.124.84:19071 tcp
FI 77.91.124.84:19071 tcp
US 8.8.8.8:53 6.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6943361.exe

MD5 f5a97c904b3ad7b593cee2f7c29e0773
SHA1 73f3eb4a8add3d1283caa3a764a41fc0479356a6
SHA256 904d21987199721169e7b86bbd054ffd7ad714ce2c0873a9ceeb9e96f5809cd4
SHA512 cf4cca4dc801b996de1c6eea1ed1580403cdf7aacdb63aa6d7755ea671aff22acac67391dd7683d1b9583fd0800390fb382840a16b037914a23cfa28b1ff57fc

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g4036840.exe

MD5 aea234064483f651010cf9d981f59fea
SHA1 002ad73a666d2d92d0c6d6b617e61c6fa0c5f3a6
SHA256 58b02c8b4bc2bf7f5f1e8e45d7c206956f188ae56b648922ca75987b999db503
SHA512 eae415ef55aeb1b4548c2422a72e618fce17c2c1322918d33dc6b9202a01c743a5684ba28e5d83b6cdb2b703bc12569e6bb0e87ef2decb4e8a18592e1380a434

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h2954616.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

memory/4828-27-0x00000000007E0000-0x00000000007EA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j8567322.exe

MD5 70ca9c33838b1ee6064e6dcf644561a4
SHA1 a49eeac940e551865ce58db85e35d07eb23e902d
SHA256 edac60eccc6a5e6b23dc809fe3bd662eec9c502e5ac41ae2b33ccc7e5e46e605
SHA512 1f47e5516d772eeb19ee4d6cfd3f5a3086e5fe920c9b59432046cef5b01dd8b1d772ff1a9940eabbd4a0b591739c0a8c64a9d9a103b6975eb52eb811b3e9a7c8

memory/3060-32-0x0000000000860000-0x0000000000890000-memory.dmp

memory/3060-33-0x0000000002CF0000-0x0000000002CF6000-memory.dmp

memory/3060-34-0x000000000AD00000-0x000000000B318000-memory.dmp

memory/3060-35-0x000000000A810000-0x000000000A91A000-memory.dmp

memory/3060-36-0x000000000A750000-0x000000000A762000-memory.dmp

memory/3060-37-0x000000000A7B0000-0x000000000A7EC000-memory.dmp

memory/3060-38-0x0000000002C30000-0x0000000002C7C000-memory.dmp

Analysis: behavioral17

Detonation Overview

Submitted

2024-05-09 14:38

Reported

2024-05-09 14:41

Platform

win10v2004-20240508-en

Max time kernel

148s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c29b675475cb8428efab71268c98263fcbf9de29cfb64f21bf49b0a28c5982fe.exe"

Signatures

Amadey

trojan amadey

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k1098789.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k1098789.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k1098789.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k1098789.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k1098789.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k1098789.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l0555264.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k1098789.exe N/A
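The "Modifies Windows Defender Real-time Protection settings" and "Windows security modification" rows in behavioral16 and behavioral17 are the Healer stage (h2954616.exe / k1098789.exe, same SHA256) switching off Defender through the policy registry keys. The following is an added example, not code from the report or the sandbox vendor: it parses those rows exactly as the report prints them and lists which protections were turned off and by which process. One caveat a responder should keep in mind: on a host with Tamper Protection enabled, Defender blocks or reverts registry writes to these values, so a successful write in the sandbox says nothing about whether the technique works on a hardened endpoint. The benign row near the end is constructed for the example and is not in the report.

```python
"""Added example (not part of the sandbox report): read the report's Defender
'Set value' rows and summarise which protections the Healer stage disabled."""
import re

# Policy key whose Disable* values switch off a Defender real-time feature when set to 1.
RTP_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
# Key holding the Tamper Protection state flag; 0 means off.
FEATURES_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features"

DISABLE_VALUES = {
    "DisableRealtimeMonitoring": "real-time scanning",
    "DisableBehaviorMonitoring": "behaviour monitoring",
    "DisableIOAVProtection": "download and attachment (IOAV) scanning",
    "DisableOnAccessProtection": "on-access file scanning",
    "DisableScanOnRealtimeEnable": "catch-up scan when real-time protection re-enables",
}

# Row shape used by the report: Set value (<type>) <key>\<name> = "<data>" <process> <target>
SET_VALUE_RE = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<path>\\REGISTRY\\.+?) = "(?P<data>[^"]*)" (?P<proc>.+?) (?P<target>\S+)$'
)


def parse_set_value(line):
    """Return (key, value_name, data, process) for a 'Set value' row, or None for any other row."""
    m = SET_VALUE_RE.match(line.strip())
    if m is None:
        return None
    key, _, name = m.group("path").rpartition("\\")
    return key, name, m.group("data"), m.group("proc")


def defender_tamper(lines):
    """Collect which Defender protections were disabled (value -> process) and who zeroed Tamper Protection."""
    disabled = {}
    tamper_off = []
    for line in lines:
        parsed = parse_set_value(line)
        if parsed is None:
            continue
        key, name, data, proc = parsed
        if key.lower() == RTP_KEY.lower() and name in DISABLE_VALUES and data == "1":
            disabled[name] = proc
        elif key.lower() == FEATURES_KEY.lower() and name == "TamperProtection" and data == "0":
            tamper_off.append(proc)
    return {"disabled": disabled, "tamper_protection_off": tamper_off}


def summarize(result):
    """One line per finding, suitable for a triage note."""
    lines = [f"{DISABLE_VALUES[n]} disabled by {p}" for n, p in result["disabled"].items()]
    for proc in result["tamper_protection_off"]:
        lines.append(f"Tamper Protection flag set to 0 by {proc}")
    return lines


HEALER = r"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h2954616.exe"

# Rows copied from the behavioral16 signature tables above.
REPORT_ROWS = [
    rf"Key created {RTP_KEY} {HEALER} N/A",
    rf'Set value (int) {RTP_KEY}\DisableBehaviorMonitoring = "1" {HEALER} N/A',
    rf'Set value (int) {RTP_KEY}\DisableIOAVProtection = "1" {HEALER} N/A',
    rf'Set value (int) {RTP_KEY}\DisableOnAccessProtection = "1" {HEALER} N/A',
    rf'Set value (int) {RTP_KEY}\DisableRealtimeMonitoring = "1" {HEALER} N/A',
    rf'Set value (int) {RTP_KEY}\DisableScanOnRealtimeEnable = "1" {HEALER} N/A',
    rf'Set value (int) {FEATURES_KEY}\TamperProtection = "0" {HEALER} N/A',
]

# Constructed benign row (not in the report): a policy write that re-enables scanning must not be flagged.
BENIGN_ROW = rf'Set value (int) {RTP_KEY}\DisableRealtimeMonitoring = "0" C:\Windows\System32\svchost.exe N/A'

if __name__ == "__main__":
    for item in summarize(defender_tamper(REPORT_ROWS)):
        print(item)
```

The same parser works on the behavioral17 rows, where the process is k1098789.exe; only the value data and key are used for the decision, so ordering differences between the two tables do not matter.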

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\c29b675475cb8428efab71268c98263fcbf9de29cfb64f21bf49b0a28c5982fe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9244876.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k1098789.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k1098789.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k1098789.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 920 wrote to memory of 4808 N/A C:\Users\Admin\AppData\Local\Temp\c29b675475cb8428efab71268c98263fcbf9de29cfb64f21bf49b0a28c5982fe.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9244876.exe
PID 920 wrote to memory of 4808 N/A C:\Users\Admin\AppData\Local\Temp\c29b675475cb8428efab71268c98263fcbf9de29cfb64f21bf49b0a28c5982fe.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9244876.exe
PID 920 wrote to memory of 4808 N/A C:\Users\Admin\AppData\Local\Temp\c29b675475cb8428efab71268c98263fcbf9de29cfb64f21bf49b0a28c5982fe.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9244876.exe
PID 4808 wrote to memory of 3104 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9244876.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k1098789.exe
PID 4808 wrote to memory of 3104 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9244876.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k1098789.exe
PID 4808 wrote to memory of 3892 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9244876.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l0555264.exe
PID 4808 wrote to memory of 3892 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9244876.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l0555264.exe
PID 4808 wrote to memory of 3892 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9244876.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l0555264.exe
PID 3892 wrote to memory of 3552 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l0555264.exe C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
PID 3892 wrote to memory of 3552 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l0555264.exe C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
PID 3892 wrote to memory of 3552 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l0555264.exe C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
PID 920 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\c29b675475cb8428efab71268c98263fcbf9de29cfb64f21bf49b0a28c5982fe.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n0393861.exe
PID 920 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\c29b675475cb8428efab71268c98263fcbf9de29cfb64f21bf49b0a28c5982fe.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n0393861.exe
PID 920 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\c29b675475cb8428efab71268c98263fcbf9de29cfb64f21bf49b0a28c5982fe.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n0393861.exe
PID 3552 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe C:\Windows\SysWOW64\schtasks.exe
PID 3552 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe C:\Windows\SysWOW64\schtasks.exe
PID 3552 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe C:\Windows\SysWOW64\schtasks.exe
PID 3552 wrote to memory of 5012 N/A C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe C:\Windows\SysWOW64\cmd.exe
PID 3552 wrote to memory of 5012 N/A C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe C:\Windows\SysWOW64\cmd.exe
PID 3552 wrote to memory of 5012 N/A C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe C:\Windows\SysWOW64\cmd.exe
PID 5012 wrote to memory of 5048 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 5012 wrote to memory of 5048 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 5012 wrote to memory of 5048 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 5012 wrote to memory of 4908 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 5012 wrote to memory of 4908 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 5012 wrote to memory of 4908 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 5012 wrote to memory of 4544 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 5012 wrote to memory of 4544 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 5012 wrote to memory of 4544 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 5012 wrote to memory of 3924 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 5012 wrote to memory of 3924 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 5012 wrote to memory of 3924 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 5012 wrote to memory of 3612 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 5012 wrote to memory of 3612 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 5012 wrote to memory of 3612 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 5012 wrote to memory of 3948 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 5012 wrote to memory of 3948 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 5012 wrote to memory of 3948 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe

Processes

C:\Users\Admin\AppData\Local\Temp\c29b675475cb8428efab71268c98263fcbf9de29cfb64f21bf49b0a28c5982fe.exe

"C:\Users\Admin\AppData\Local\Temp\c29b675475cb8428efab71268c98263fcbf9de29cfb64f21bf49b0a28c5982fe.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9244876.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9244876.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k1098789.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k1098789.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l0555264.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l0555264.exe

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

"C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n0393861.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n0393861.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN pdates.exe /TR "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "pdates.exe" /P "Admin:N"&&CACLS "pdates.exe" /P "Admin:R" /E&&echo Y|CACLS "..\925e7e99c5" /P "Admin:N"&&CACLS "..\925e7e99c5" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "pdates.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "pdates.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\925e7e99c5" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\925e7e99c5" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
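The Processes tables of behavioral11, behavioral16 and behavioral17 show the same two command lines every time pdates.exe starts: a schtasks job that re-launches it every minute, and a cmd.exe chain that uses CACLS to strip the current user's access to the executable and its directory and then grant read-only. The "Adds Run key to start application" rows, by contrast, are wextract_cleanupN RunOnce values pointing at advpack.dll,DelNodeRunDLL32; those are written by the Windows IExpress extractor to delete its IXP00x.TMP folder at next logon and are installer cleanup, not persistence. The following is an added example, not code from the report: it classifies these three line types so a triage script can separate the real persistence from the installer noise. The input lines are copied from the tables above.

```python
"""Added example (not part of the sandbox report): classify the persistence,
ACL-locking and installer-cleanup lines the report shows around pdates.exe."""
import re


def _flag(cmd, name):
    """Value of a schtasks-style /NAME argument, quoted or bare; None if absent."""
    m = re.search(r'/' + name + r'\s+(?:"(?P<q>[^"]*)"|(?P<u>\S+))', cmd, re.I)
    if m is None:
        return None
    return m.group("q") if m.group("q") is not None else m.group("u")


SCHTASKS_CREATE_RE = re.compile(r'schtasks(?:\.exe)?"?\s+/create\b', re.I)
CACLS_RE = re.compile(
    r'CACLS\s+"(?P<obj>[^"]+)"\s+/P\s+"(?P<acct>[^":]+):(?P<perm>[A-Z])"(?P<edit>\s+/E\b)?', re.I
)
# Registry row for a RunOnce value; the data is printed escaped, as in the report.
RUNONCE_RE = re.compile(r'\\RunOnce\\(?P<name>[^\s=]+) = "(?P<data>(?:[^"\\]|\\.)*)"', re.I)
USER_TEMP = re.compile(r'\\AppData\\Local\\Temp\\', re.I)


def classify(line):
    """Return a list of findings (dicts with a 'kind' key) for one command line or registry row."""
    findings = []
    m = RUNONCE_RE.search(line)
    if m:
        data = re.sub(r'\\(.)', r'\1', m.group("data"))  # undo the report's \" and \\ escaping
        if re.search(r'advpack\.dll,DelNodeRunDLL32', data, re.I):
            # Written by wextract.exe (IExpress SFX) to delete its IXP*.TMP folder at next logon.
            findings.append({"kind": "installer_cleanup", "value": m.group("name"), "data": data})
        else:
            findings.append({"kind": "runonce", "value": m.group("name"), "data": data})
        return findings
    if SCHTASKS_CREATE_RE.search(line):
        sc, mo, tr = _flag(line, "SC"), _flag(line, "MO"), _flag(line, "TR") or ""
        minutes = int(mo) if sc and sc.upper() == "MINUTE" and mo and mo.isdigit() else None
        findings.append({
            "kind": "scheduled_task",
            "task": _flag(line, "TN"),
            "target": tr,
            "interval_minutes": minutes,
            "target_in_user_temp": bool(USER_TEMP.search(tr)),
        })
    acl = {}
    for m in CACLS_RE.finditer(line):
        acl.setdefault(m.group("obj"), []).append(
            (m.group("acct"), m.group("perm").upper(), bool(m.group("edit")))
        )
    for obj, ops in acl.items():
        # /P acct:N without /E replaces the whole ACL with a single deny-all entry; the
        # following /P acct:R /E edits it to read-only, so the user can neither modify nor delete.
        denied = {a for a, p, e in ops if p == "N" and not e}
        readonly = {a for a, p, e in ops if p == "R" and e}
        if denied & readonly:
            findings.append({"kind": "acl_lock", "object": obj, "accounts": sorted(denied & readonly)})
    return findings


def classify_all(lines):
    return [f for line in lines for f in classify(line)]


# Lines copied from the Processes and Signatures tables above.
REPORT_LINES = [
    r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN pdates.exe /TR "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe" /F',
    r'"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "pdates.exe" /P "Admin:N"&&CACLS "pdates.exe" /P "Admin:R" /E&&echo Y|CACLS "..\925e7e99c5" /P "Admin:N"&&CACLS "..\925e7e99c5" /P "Admin:R" /E&&Exit',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\c29b675475cb8428efab71268c98263fcbf9de29cfb64f21bf49b0a28c5982fe.exe N/A',
]

if __name__ == "__main__":
    for f in classify_all(REPORT_LINES):
        print(f)
```

For cleanup, the acl_lock finding matters as much as the task: because the first CACLS call replaced the ACL rather than editing it, the infected user's own account cannot delete pdates.exe or the 925e7e99c5 directory, so remediation has to reset the ACL from an elevated prompt (for example icacls on the directory with /reset, or taking ownership first) before removing the files and deleting the pdates.exe task.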

Network

Country Destination Domain Proto
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
BE 2.17.107.120:443 www.bing.com tcp
US 8.8.8.8:53 120.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
FI 77.91.68.61:80 tcp
FI 77.91.124.84:19071 tcp
FI 77.91.124.84:19071 tcp
FI 77.91.68.61:80 tcp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
FI 77.91.124.84:19071 tcp
FI 77.91.68.61:80 tcp
FI 77.91.124.84:19071 tcp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
FI 77.91.124.84:19071 tcp
FI 77.91.124.84:19071 tcp
US 8.8.8.8:53 28.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9244876.exe

MD5 93ffa00468934287166af15b60356eeb
SHA1 35e9d895a966d897ba33251c2d2b5a7014319ee7
SHA256 6bc35ed67d1cea02ceff4819bc69c44423c7d1a8436a72eeb44b7f1af9651176
SHA512 4c9ceb360842454e36d5f13b6d9b5bdc9325406079bc12805af8d56013b00af5d5c84f83e4ee608f6fa8758527cb6086bd4f484860ddc49a8f11bf758d85c23f

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k1098789.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

memory/3104-14-0x0000000000090000-0x000000000009A000-memory.dmp

memory/3104-15-0x00007FFA4BAE3000-0x00007FFA4BAE5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l0555264.exe

MD5 aea234064483f651010cf9d981f59fea
SHA1 002ad73a666d2d92d0c6d6b617e61c6fa0c5f3a6
SHA256 58b02c8b4bc2bf7f5f1e8e45d7c206956f188ae56b648922ca75987b999db503
SHA512 eae415ef55aeb1b4548c2422a72e618fce17c2c1322918d33dc6b9202a01c743a5684ba28e5d83b6cdb2b703bc12569e6bb0e87ef2decb4e8a18592e1380a434

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n0393861.exe

MD5 443987a4df011c617c5d95030a35ae8c
SHA1 417d2f919c5bc29b0705b8ddc640d9f9eb3b55f8
SHA256 04dd9bfbb295c80b65c5b4d5c8cc70f97f8567d3448397efacb6c4062e1ad749
SHA512 04a494d1afa814adff7297f4be8a7753ab5569aed1f5f6601e207b7edd0d325174e904e47a6645adaf8fd46522d0c0e877431a7bc0e18ccd11845eab3360e984

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-09 14:38

Reported

2024-05-09 14:41

Platform

win7-20240220-en

Max time kernel

120s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\25c57e67144c4603cb7936eb9ad62fb4a4b313d0acb99262c66c4792f6ecdf48.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\25c57e67144c4603cb7936eb9ad62fb4a4b313d0acb99262c66c4792f6ecdf48.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\25c57e67144c4603cb7936eb9ad62fb4a4b313d0acb99262c66c4792f6ecdf48.exe

"C:\Users\Admin\AppData\Local\Temp\25c57e67144c4603cb7936eb9ad62fb4a4b313d0acb99262c66c4792f6ecdf48.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 pastebin.com udp
US 104.20.4.235:443 pastebin.com tcp
US 8.8.8.8:53 omnomnom.top udp
DE 195.201.252.28:443 omnomnom.top tcp

Files

memory/1992-1-0x0000000000250000-0x000000000026E000-memory.dmp

memory/1992-4-0x0000000000400000-0x000000000042E000-memory.dmp

Analysis: behavioral7

Detonation Overview

Submitted

2024-05-09 14:38

Reported

2024-05-09 14:41

Platform

win10v2004-20240426-en

Max time kernel

146s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\611b640fd7c9e06cb4ffde1db21b1f9ace29ac4c504fc14569faf426b234ec5e.exe"

Signatures

Amadey

trojan amadey

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h1797481.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h1797481.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h1797481.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h1797481.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h1797481.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h1797481.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g1983558.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe N/A

Windows security modification

evasion trojan

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h1797481.exe N/A

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\611b640fd7c9e06cb4ffde1db21b1f9ace29ac4c504fc14569faf426b234ec5e.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3540017.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h1797481.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h1797481.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h1797481.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g1983558.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 220 wrote to memory of 3220 N/A C:\Users\Admin\AppData\Local\Temp\611b640fd7c9e06cb4ffde1db21b1f9ace29ac4c504fc14569faf426b234ec5e.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3540017.exe
PID 220 wrote to memory of 3220 N/A C:\Users\Admin\AppData\Local\Temp\611b640fd7c9e06cb4ffde1db21b1f9ace29ac4c504fc14569faf426b234ec5e.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3540017.exe
PID 220 wrote to memory of 3220 N/A C:\Users\Admin\AppData\Local\Temp\611b640fd7c9e06cb4ffde1db21b1f9ace29ac4c504fc14569faf426b234ec5e.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3540017.exe
PID 3220 wrote to memory of 3932 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3540017.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g1983558.exe
PID 3220 wrote to memory of 3932 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3540017.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g1983558.exe
PID 3220 wrote to memory of 3932 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3540017.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g1983558.exe
PID 3932 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g1983558.exe C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
PID 3932 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g1983558.exe C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
PID 3932 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g1983558.exe C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
PID 3220 wrote to memory of 3924 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3540017.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h1797481.exe
PID 3220 wrote to memory of 3924 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3540017.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h1797481.exe
PID 2092 wrote to memory of 3936 N/A C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe C:\Windows\SysWOW64\schtasks.exe
PID 2092 wrote to memory of 3936 N/A C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe C:\Windows\SysWOW64\schtasks.exe
PID 2092 wrote to memory of 3936 N/A C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe C:\Windows\SysWOW64\schtasks.exe
PID 2092 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe C:\Windows\SysWOW64\cmd.exe
PID 2092 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe C:\Windows\SysWOW64\cmd.exe
PID 2092 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe C:\Windows\SysWOW64\cmd.exe
PID 2340 wrote to memory of 3492 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2340 wrote to memory of 3492 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2340 wrote to memory of 3492 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2340 wrote to memory of 3052 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2340 wrote to memory of 3052 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2340 wrote to memory of 3052 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2340 wrote to memory of 4792 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2340 wrote to memory of 4792 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2340 wrote to memory of 4792 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2340 wrote to memory of 4788 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2340 wrote to memory of 4788 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2340 wrote to memory of 4788 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2340 wrote to memory of 4476 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2340 wrote to memory of 4476 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2340 wrote to memory of 4476 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2340 wrote to memory of 3524 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2340 wrote to memory of 3524 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2340 wrote to memory of 3524 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 220 wrote to memory of 3296 N/A C:\Users\Admin\AppData\Local\Temp\611b640fd7c9e06cb4ffde1db21b1f9ace29ac4c504fc14569faf426b234ec5e.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j9677534.exe
PID 220 wrote to memory of 3296 N/A C:\Users\Admin\AppData\Local\Temp\611b640fd7c9e06cb4ffde1db21b1f9ace29ac4c504fc14569faf426b234ec5e.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j9677534.exe
PID 220 wrote to memory of 3296 N/A C:\Users\Admin\AppData\Local\Temp\611b640fd7c9e06cb4ffde1db21b1f9ace29ac4c504fc14569faf426b234ec5e.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j9677534.exe

Processes

C:\Users\Admin\AppData\Local\Temp\611b640fd7c9e06cb4ffde1db21b1f9ace29ac4c504fc14569faf426b234ec5e.exe

"C:\Users\Admin\AppData\Local\Temp\611b640fd7c9e06cb4ffde1db21b1f9ace29ac4c504fc14569faf426b234ec5e.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3540017.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3540017.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g1983558.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g1983558.exe

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

"C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe"

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h1797481.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h1797481.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN pdates.exe /TR "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "pdates.exe" /P "Admin:N"&&CACLS "pdates.exe" /P "Admin:R" /E&&echo Y|CACLS "..\925e7e99c5" /P "Admin:N"&&CACLS "..\925e7e99c5" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "pdates.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "pdates.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\925e7e99c5" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\925e7e99c5" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j9677534.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j9677534.exe

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

Network

Country Destination Domain Proto

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3540017.exe

MD5 684a924cf19cf1e37fed377bd6c055f7
SHA1 b5826a8f627e10b1a8e5b05650707c2bd6301a8e
SHA256 c0d368903bcc1ca5fabac8802a6f54dd1f5ffb913fc89fe4060051c6d01d4604
SHA512 1f40469450fdbfc5b7bd67f1cf89e9c38aa4cdddd4828f365170e78f5f38fa9488a751c3e59a37a5270f60a669df9f438af6557fb799da960eba0b8160f5f632

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g1983558.exe

MD5 aea234064483f651010cf9d981f59fea
SHA1 002ad73a666d2d92d0c6d6b617e61c6fa0c5f3a6
SHA256 58b02c8b4bc2bf7f5f1e8e45d7c206956f188ae56b648922ca75987b999db503
SHA512 eae415ef55aeb1b4548c2422a72e618fce17c2c1322918d33dc6b9202a01c743a5684ba28e5d83b6cdb2b703bc12569e6bb0e87ef2decb4e8a18592e1380a434

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h1797481.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

memory/3924-27-0x00000000008F0000-0x00000000008FA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j9677534.exe

MD5 14fa33a7cb56f35ca61a60b179310b74
SHA1 1db14aaec5fdd2ba20822922fe9dffb3707bf9ec
SHA256 44c5e4fee6e9721f929603425aa856ae73ade30c1759321c1d473558a62b0d20
SHA512 583a7249b19837f2a78577a60de28f3ee761d27f5142a7f3387998f7bf01a222509893e89486c8d229fb4b002eb24a27626a89022840a976f7a7d4adb26be1d8

Analysis: behavioral9

Detonation Overview

Submitted

2024-05-09 14:38

Reported

2024-05-09 14:41

Platform

win10v2004-20240508-en

Max time kernel

148s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\654aa4d5e8d49043a4c5b40ef9c1b2fde8bd371386fd43ed6b7c1d719f41533b.exe"

Signatures

Amadey

trojan amadey

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7572284.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7572284.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7572284.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7572284.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7572284.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7572284.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b7237472.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe N/A

Windows security modification

evasion trojan

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7572284.exe N/A

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6755417.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2587500.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\654aa4d5e8d49043a4c5b40ef9c1b2fde8bd371386fd43ed6b7c1d719f41533b.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c5022085.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c5022085.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c5022085.exe N/A

Creates scheduled task(s)

persistence

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7572284.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7572284.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7572284.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b7237472.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4092 wrote to memory of 3572 N/A C:\Users\Admin\AppData\Local\Temp\654aa4d5e8d49043a4c5b40ef9c1b2fde8bd371386fd43ed6b7c1d719f41533b.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6755417.exe
PID 4092 wrote to memory of 3572 N/A C:\Users\Admin\AppData\Local\Temp\654aa4d5e8d49043a4c5b40ef9c1b2fde8bd371386fd43ed6b7c1d719f41533b.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6755417.exe
PID 4092 wrote to memory of 3572 N/A C:\Users\Admin\AppData\Local\Temp\654aa4d5e8d49043a4c5b40ef9c1b2fde8bd371386fd43ed6b7c1d719f41533b.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6755417.exe
PID 3572 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6755417.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2587500.exe
PID 3572 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6755417.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2587500.exe
PID 3572 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6755417.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2587500.exe
PID 2124 wrote to memory of 4940 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2587500.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7572284.exe
PID 2124 wrote to memory of 4940 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2587500.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7572284.exe
PID 2124 wrote to memory of 4516 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2587500.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b7237472.exe
PID 2124 wrote to memory of 4516 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2587500.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b7237472.exe
PID 2124 wrote to memory of 4516 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2587500.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b7237472.exe
PID 4516 wrote to memory of 3904 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b7237472.exe C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
PID 4516 wrote to memory of 3904 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b7237472.exe C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
PID 4516 wrote to memory of 3904 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b7237472.exe C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
PID 3572 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6755417.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c5022085.exe
PID 3572 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6755417.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c5022085.exe
PID 3572 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6755417.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c5022085.exe
PID 4092 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\654aa4d5e8d49043a4c5b40ef9c1b2fde8bd371386fd43ed6b7c1d719f41533b.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d9832152.exe
PID 4092 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\654aa4d5e8d49043a4c5b40ef9c1b2fde8bd371386fd43ed6b7c1d719f41533b.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d9832152.exe
PID 4092 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\654aa4d5e8d49043a4c5b40ef9c1b2fde8bd371386fd43ed6b7c1d719f41533b.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d9832152.exe
PID 3904 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe C:\Windows\SysWOW64\schtasks.exe
PID 3904 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe C:\Windows\SysWOW64\schtasks.exe
PID 3904 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe C:\Windows\SysWOW64\schtasks.exe
PID 3904 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe C:\Windows\SysWOW64\cmd.exe
PID 3904 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe C:\Windows\SysWOW64\cmd.exe
PID 3904 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe C:\Windows\SysWOW64\cmd.exe
PID 2340 wrote to memory of 1816 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2340 wrote to memory of 1816 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2340 wrote to memory of 1816 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2340 wrote to memory of 4680 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2340 wrote to memory of 4680 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2340 wrote to memory of 4680 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2340 wrote to memory of 3304 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2340 wrote to memory of 3304 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2340 wrote to memory of 3304 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2340 wrote to memory of 4948 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2340 wrote to memory of 4948 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2340 wrote to memory of 4948 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2340 wrote to memory of 1616 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2340 wrote to memory of 1616 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2340 wrote to memory of 1616 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2340 wrote to memory of 4592 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2340 wrote to memory of 4592 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2340 wrote to memory of 4592 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe

Processes

C:\Users\Admin\AppData\Local\Temp\654aa4d5e8d49043a4c5b40ef9c1b2fde8bd371386fd43ed6b7c1d719f41533b.exe

"C:\Users\Admin\AppData\Local\Temp\654aa4d5e8d49043a4c5b40ef9c1b2fde8bd371386fd43ed6b7c1d719f41533b.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6755417.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6755417.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2587500.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2587500.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7572284.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7572284.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b7237472.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b7237472.exe

C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe

"C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe"

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c5022085.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c5022085.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d9832152.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d9832152.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN danke.exe /TR "C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "danke.exe" /P "Admin:N"&&CACLS "danke.exe" /P "Admin:R" /E&&echo Y|CACLS "..\3ec1f323b5" /P "Admin:N"&&CACLS "..\3ec1f323b5" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "danke.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "danke.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\3ec1f323b5" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\3ec1f323b5" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe

C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe

C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe

C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe

Network

Country Destination Domain Proto

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6755417.exe

MD5 20a461e7d991d6c885b03fbdc9e5b3b7
SHA1 30e0195427693c8260ef770662f35f23c4ca443f
SHA256 653c97fa8ec15eec96e7a1f4beeeb050e9f50aa6c1e5ce5df4c2263eb6dea437
SHA512 50d503ef4ac5e60fda82a3f6cca24f794c4bce843fab516fc806ff1a8252a5314c0bfe48c0fdff95bb446e78aa50317dc5f1a655e3feb8e901ebed6082727c9e

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2587500.exe

MD5 f7eef894fec935791018acdbc76be540
SHA1 ecb9c5e7e59e23a94b334cbbad0cae9a3dd4fbc8
SHA256 b3c4fe6df97d9176da72d1c43f14a9d7e17a0ceb54c5d6484b8f0efdf4de4dac
SHA512 bedc8c5a123861f0fd010a674074fd99160b5b8c51bf5f31f2efce04a381d0c96ebb1455561ab3caed395c7ce422177cb9639acdbbbcc6798bb429ce61b389f4

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7572284.exe

MD5 372c645aaebe1317c8abd1b3cb07a9c8
SHA1 7ae5f6ccbfdd090dcad3b0b42348334dad0cb088
SHA256 71ee2c84d850725d9b823d031b8738cac2dd4c3415d7563db32880bd5d7eaac8
SHA512 28213c2ad45c2db75da52201cb1def1313a07084b96d6b8b8eedaef89f5ca190738b8e3c29ec66f4dcc3ae9aabb0b552f40c7ef7ac7dab69cee9738333321500

memory/4940-21-0x00007FF9FF703000-0x00007FF9FF705000-memory.dmp

memory/4940-22-0x0000000000A00000-0x0000000000A0A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b7237472.exe

MD5 5da544a0a458ff5ab127e6f315afd32b
SHA1 89fc3d62af1aee2b54a5cf3a8250dc17c220aff3
SHA256 e8632950db05ace2b19055cdba0dec60a681d04bd788ff99784d9df0354ca456
SHA512 64fa91eebd8114be4ecdef0215eeae33d8b03c34e64cf2fea83d0be1b9a8bd5a029bc3f2c60ac28b2659242b6f358b00247256b527293e73bfbe929d98fcbb20

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c5022085.exe

MD5 cb9bbd4b11ad5758700da13e6572e36f
SHA1 3d87175a25a93e1b5e8d6b5709ceb992057bff66
SHA256 d7f0388d0e3073dee185bf13374239d3abb402249b8ebf340453bdf74912c9f6
SHA512 14d8f936add65adbf28e92d1eab8bb2fa2f2dbd2b87910fc3514a6fe3f628e8b43e1b121ccac73ab4b27a0450b25949690ae6bd42e372c2ee9feb1d54062f6bf

memory/2432-40-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2432-41-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d9832152.exe

MD5 f9134fe199fe40d3840de7c2d1cf7626
SHA1 71e84180ecc47673bba3756dc82831c8ca7703d8
SHA256 c185cbb3f086aa9438a168501878f157ee09772c206e1f696c156287ace76601
SHA512 c206352ac9174758c4ff6dbbd87db05ea2221b3f7fe10812f44ab82f04ff83f71003d1bd0c984bf42851411b67112d49a8500dc56fb0d156152b1f810b9eaef6

Analysis: behavioral12

Detonation Overview

Submitted

2024-05-09 14:38

Reported

2024-05-09 14:41

Platform

win10v2004-20240508-en

Max time kernel

141s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8a68d5e2cebc81b87ef22282e4eb9af0b0776fe47cb4a1e39aaed96f3b5fa171.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\8a68d5e2cebc81b87ef22282e4eb9af0b0776fe47cb4a1e39aaed96f3b5fa171.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1200585.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5437816.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1224 wrote to memory of 832 N/A C:\Users\Admin\AppData\Local\Temp\8a68d5e2cebc81b87ef22282e4eb9af0b0776fe47cb4a1e39aaed96f3b5fa171.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1200585.exe
PID 1224 wrote to memory of 832 N/A C:\Users\Admin\AppData\Local\Temp\8a68d5e2cebc81b87ef22282e4eb9af0b0776fe47cb4a1e39aaed96f3b5fa171.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1200585.exe
PID 1224 wrote to memory of 832 N/A C:\Users\Admin\AppData\Local\Temp\8a68d5e2cebc81b87ef22282e4eb9af0b0776fe47cb4a1e39aaed96f3b5fa171.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1200585.exe
PID 832 wrote to memory of 3636 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1200585.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5437816.exe
PID 832 wrote to memory of 3636 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1200585.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5437816.exe
PID 832 wrote to memory of 3636 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1200585.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5437816.exe
PID 3636 wrote to memory of 664 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5437816.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g0536891.exe
PID 3636 wrote to memory of 664 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5437816.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g0536891.exe
PID 3636 wrote to memory of 664 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5437816.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g0536891.exe

Processes

C:\Users\Admin\AppData\Local\Temp\8a68d5e2cebc81b87ef22282e4eb9af0b0776fe47cb4a1e39aaed96f3b5fa171.exe

"C:\Users\Admin\AppData\Local\Temp\8a68d5e2cebc81b87ef22282e4eb9af0b0776fe47cb4a1e39aaed96f3b5fa171.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1200585.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1200585.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5437816.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5437816.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g0536891.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g0536891.exe

Network

Country Destination Domain Proto
FI 77.91.68.56:19071 tcp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
BE 88.221.83.203:443 www.bing.com tcp
US 8.8.8.8:53 203.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
FI 77.91.68.56:19071 tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 25.14.97.104.in-addr.arpa udp
FI 77.91.68.56:19071 tcp
FI 77.91.68.56:19071 tcp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
FI 77.91.68.56:19071 tcp
FI 77.91.68.56:19071 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1200585.exe

MD5 4b68535d9ae7b13cf3ff2f073670fb2d
SHA1 3ab1babe56d11fa75a053a052cc21eae84258cf6
SHA256 ccf88160200e2eef59471125da41cf531f00d6be48b568e48f89373a12f76a32
SHA512 e7239d21f30c08b4676f08a26d5ecc6c469e9933fa3913039a9ab11c810c52c3599ee00bb4a660fdf1028736d48dd7fb05f8e7b04bfe663ff40b0596e5b98b76

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5437816.exe

MD5 32956c577b9a017f545b468acd8a5ae8
SHA1 b507c3abdcefdf7496d5e7548ffe076967f4a043
SHA256 4343f9ba64b5d33cde391141404af6dbe47608e4fb6c56ff20c43a1c1329bf1a
SHA512 fdec719616daeddf386e91c279430699a23debe9318a9717d940963b43b9175ae6bdfad1c17251f698769a30dd4466ff4a45854bd34784f9544f88f3476097df

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g0536891.exe

MD5 f172d470fc8f5a1f32456a418bcb6517
SHA1 7cedee0bcbcdb6ec4d0aa1c96cb781b58085c020
SHA256 29637e8c1a1ec7bffd145a7e2d3c0dd547d367d43c1a611fac2d21ebac4996b9
SHA512 f8f43a4c3ef3e7d0d79ad23ad29956d3a2c8d4e8bebbae7cdce7f0ca4ae5dd28408e3c0725ac65173a6b6bafb7c2b38e64f58b0339f4a4754eab76eadc21cc22

Analysis: behavioral18

Detonation Overview

Submitted

2024-05-09 14:38

Reported

2024-05-09 14:41

Platform

win7-20240221-en

Max time kernel

117s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c39106a3520b59f859a00bc0014f6b5a4846b40742a925b66283b31e62094c4e.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\c39106a3520b59f859a00bc0014f6b5a4846b40742a925b66283b31e62094c4e.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\c39106a3520b59f859a00bc0014f6b5a4846b40742a925b66283b31e62094c4e.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\c39106a3520b59f859a00bc0014f6b5a4846b40742a925b66283b31e62094c4e.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\c39106a3520b59f859a00bc0014f6b5a4846b40742a925b66283b31e62094c4e.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\c39106a3520b59f859a00bc0014f6b5a4846b40742a925b66283b31e62094c4e.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\c39106a3520b59f859a00bc0014f6b5a4846b40742a925b66283b31e62094c4e.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\c39106a3520b59f859a00bc0014f6b5a4846b40742a925b66283b31e62094c4e.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\c39106a3520b59f859a00bc0014f6b5a4846b40742a925b66283b31e62094c4e.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c39106a3520b59f859a00bc0014f6b5a4846b40742a925b66283b31e62094c4e.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\c39106a3520b59f859a00bc0014f6b5a4846b40742a925b66283b31e62094c4e.exe

"C:\Users\Admin\AppData\Local\Temp\c39106a3520b59f859a00bc0014f6b5a4846b40742a925b66283b31e62094c4e.exe"

Network

N/A

Files

memory/2732-1-0x0000000000230000-0x000000000026E000-memory.dmp

memory/2732-6-0x0000000000401000-0x0000000000404000-memory.dmp

memory/2732-7-0x0000000000400000-0x000000000044E000-memory.dmp

memory/2732-8-0x0000000000230000-0x000000000026E000-memory.dmp

memory/2732-9-0x0000000001F20000-0x0000000001F21000-memory.dmp

Analysis: behavioral23

Detonation Overview

Submitted

2024-05-09 14:38

Reported

2024-05-09 14:41

Platform

win10v2004-20240508-en

Max time kernel

145s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fd5bd6afc507aad0acace57fc3b77a0de443e12efcdb3857d899395a962a3b4f.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k1421373.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k1421373.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k1421373.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k1421373.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k1421373.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k1421373.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k1421373.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k1421373.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2571427.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y7110096.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\fd5bd6afc507aad0acace57fc3b77a0de443e12efcdb3857d899395a962a3b4f.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k1421373.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k1421373.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k1421373.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1264 wrote to memory of 3140 N/A C:\Users\Admin\AppData\Local\Temp\fd5bd6afc507aad0acace57fc3b77a0de443e12efcdb3857d899395a962a3b4f.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2571427.exe
PID 1264 wrote to memory of 3140 N/A C:\Users\Admin\AppData\Local\Temp\fd5bd6afc507aad0acace57fc3b77a0de443e12efcdb3857d899395a962a3b4f.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2571427.exe
PID 1264 wrote to memory of 3140 N/A C:\Users\Admin\AppData\Local\Temp\fd5bd6afc507aad0acace57fc3b77a0de443e12efcdb3857d899395a962a3b4f.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2571427.exe
PID 3140 wrote to memory of 1808 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2571427.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y7110096.exe
PID 3140 wrote to memory of 1808 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2571427.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y7110096.exe
PID 3140 wrote to memory of 1808 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2571427.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y7110096.exe
PID 1808 wrote to memory of 4272 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y7110096.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k1421373.exe
PID 1808 wrote to memory of 4272 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y7110096.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k1421373.exe
PID 1808 wrote to memory of 4272 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y7110096.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k1421373.exe
PID 1808 wrote to memory of 3512 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y7110096.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l2146173.exe
PID 1808 wrote to memory of 3512 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y7110096.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l2146173.exe
PID 1808 wrote to memory of 3512 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y7110096.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l2146173.exe

Processes

C:\Users\Admin\AppData\Local\Temp\fd5bd6afc507aad0acace57fc3b77a0de443e12efcdb3857d899395a962a3b4f.exe

"C:\Users\Admin\AppData\Local\Temp\fd5bd6afc507aad0acace57fc3b77a0de443e12efcdb3857d899395a962a3b4f.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2571427.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2571427.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y7110096.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y7110096.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k1421373.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k1421373.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l2146173.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l2146173.exe

Network

Country Destination Domain Proto
FI 77.91.68.56:19071 tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
FI 77.91.68.56:19071 tcp
FI 77.91.68.56:19071 tcp
FI 77.91.68.56:19071 tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
FI 77.91.68.56:19071 tcp
FI 77.91.68.56:19071 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2571427.exe

MD5 e8bfe83276b8cf0523f7cdb5c09d1ccd
SHA1 25ea0b55076d042b75d8518feacc7acee94db71b
SHA256 0b91ab3aeed8bf8d36d1d8f9b621ea7419c15705c44a722b707cce7034057966
SHA512 a12562de993ff37f37738f808fc1ecfb36e79b64442a348196a3d2ea3c3b8fb32c25ff217abfd19246d3a2193d4eae9ee4d580065c3542697f959832ad843935

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y7110096.exe

MD5 7e16642af0542f98e53a83ef26011162
SHA1 e3a5d8e9f82a94a78dc8627d0471c5edd4e2953c
SHA256 f09c37ee6dec059ef49483c9da0634b64ea289848a507e331a0bfb8caa65a750
SHA512 a75bc33c5d2ff76bb6eb17053d3a2f37d89f75189bcbd1c2b0671df3fb32a75bfc464b822b4a35c8869a0eb50a55149b5a7aa204f83d034749acf025d8b3b60e

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k1421373.exe

MD5 efade657e753c1afa9934e5810c6c45d
SHA1 69fc060c17e0b19599e31cf883f695f3172fe00d
SHA256 6c5fd398bae2c753bcbc4bdeb0bcdc53ef76c009021e2a082a3bbc022b9f8635
SHA512 b1d5e80adf2ba11bd855a93172c761c1f660dad9f3f3c80ba335d8fe668026c6e2337028fd1fa90f35c2cda2778e03f1cf6d26d91a1f376f4fffe380e283e724

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l2146173.exe

MD5 92afdf44d1c33960ab452a8c274282db
SHA1 60c7376a52f74f0799ee2a574782e9855af28efe
SHA256 e12a3d43b1f8a35e75f3bf09ea5422ef10bccfa19a8b2e131259f7b4be5333d2
SHA512 31ee981dd21ffe2498d74cf7713df410d55b6a9f9894c571b6d05bd372402362f051b0f87cbcb62d9723c145593eb53dd8c04cdb72836adf9c71b82170a83e1f

memory/3512-35-0x0000000001FD0000-0x000000000205C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\System.dll.log

MD5 916851e072fbabc4796d8916c5131092
SHA1 d48a602229a690c512d5fdaf4c8d77547a88e7a2
SHA256 7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d
SHA512 07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-09 14:38

Reported

2024-05-09 14:41

Platform

win10v2004-20240508-en

Max time kernel

142s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1238663077477c73376048d8230b1c33b6f5f6a62da8a6c1274721591dac70be.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k0868537.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k0868537.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k0868537.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k0868537.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k0868537.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k0868537.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k0868537.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k0868537.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9618800.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y7994942.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\1238663077477c73376048d8230b1c33b6f5f6a62da8a6c1274721591dac70be.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k0868537.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k0868537.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k0868537.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1028 wrote to memory of 4656 N/A C:\Users\Admin\AppData\Local\Temp\1238663077477c73376048d8230b1c33b6f5f6a62da8a6c1274721591dac70be.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9618800.exe
PID 1028 wrote to memory of 4656 N/A C:\Users\Admin\AppData\Local\Temp\1238663077477c73376048d8230b1c33b6f5f6a62da8a6c1274721591dac70be.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9618800.exe
PID 1028 wrote to memory of 4656 N/A C:\Users\Admin\AppData\Local\Temp\1238663077477c73376048d8230b1c33b6f5f6a62da8a6c1274721591dac70be.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9618800.exe
PID 4656 wrote to memory of 4972 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9618800.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y7994942.exe
PID 4656 wrote to memory of 4972 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9618800.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y7994942.exe
PID 4656 wrote to memory of 4972 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9618800.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y7994942.exe
PID 4972 wrote to memory of 3312 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y7994942.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k0868537.exe
PID 4972 wrote to memory of 3312 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y7994942.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k0868537.exe
PID 4972 wrote to memory of 3312 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y7994942.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k0868537.exe
PID 4972 wrote to memory of 3472 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y7994942.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l2565488.exe
PID 4972 wrote to memory of 3472 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y7994942.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l2565488.exe
PID 4972 wrote to memory of 3472 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y7994942.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l2565488.exe

Processes

C:\Users\Admin\AppData\Local\Temp\1238663077477c73376048d8230b1c33b6f5f6a62da8a6c1274721591dac70be.exe

"C:\Users\Admin\AppData\Local\Temp\1238663077477c73376048d8230b1c33b6f5f6a62da8a6c1274721591dac70be.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9618800.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9618800.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y7994942.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y7994942.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k0868537.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k0868537.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4332,i,15721081447618313297,6839074028983272033,262144 --variations-seed-version --mojo-platform-channel-handle=3976 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l2565488.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l2565488.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
BE 88.221.83.232:443 www.bing.com tcp
BE 88.221.83.232:443 www.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 36.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 232.83.221.88.in-addr.arpa udp
FI 77.91.68.56:19071 tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 34.56.20.217.in-addr.arpa udp
FI 77.91.68.56:19071 tcp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
FI 77.91.68.56:19071 tcp
FI 77.91.68.56:19071 tcp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
FI 77.91.68.56:19071 tcp
FI 77.91.68.56:19071 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9618800.exe

MD5 90ddc71aad47f855293aac8fb6cc3155
SHA1 fd7c1a778a3b152efc0191abb4d9850d3d16c27d
SHA256 b5e4572305046a1e2cb098917210151587637b9c36e569e865604c2ac9c44a89
SHA512 7e245ae5d1719e0d5b602daab25e5909ce69ac7043e86484bb4f78dcca330388e3a5d2ac107a2461034f6d4516114be2e57fd7a870d1e12c3d57b4200ac38e2a

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y7994942.exe

MD5 99a8d9274cc4137b35ba4257b8656bde
SHA1 1bc53a1ba6f9ba68e72e4b0633cf6cd4906f03a6
SHA256 97c5f5178025c0394c7da0b0e07572cdbe125ba415d6287691a24385bd78d8ac
SHA512 a8b8d287d8ea83079e778a0825c78c8a0e8eaa4762f49f57548cbf57c9199b023505061318c9bb3d34af62349d81626f027d3463926b849206302a9caa934b7b

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k0868537.exe

MD5 e16312c7c9a868625867d1b890aca6a4
SHA1 df0ab37d89638f7b20a5dae626e443d6cdd7e7de
SHA256 52ee36c62392f58e1477cdc63784fd76c34beb00f228e5a53cf87061f92d0f54
SHA512 875849af8dc45f53f1c8b71ba7a6487268618c145f10c2d817fcd7aa517e0aff174e14bd7067712e14141248ef4754fcf5c6339ae3a4c1eb80f982353543cbb1

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l2565488.exe

MD5 a3e8dfc21a7b47a0c350c9ac0d531045
SHA1 04e9e262d60a6d12621605556a886d79454a2f8f
SHA256 92d96d740fe1e575f6ad6b93af64e0e4d47ebd6c5e70d2f6fa5892e8c1548124
SHA512 fef294ca2691dde614b44d79b7f67b44984f43ea201e3b352ee8ab38346fbc02b711c8e7ff47dad7eca0e445df34adcc9493c61f9f9128cb12f08dc685941cc6

memory/3472-35-0x00000000005F0000-0x000000000067C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\System.dll.log

MD5 916851e072fbabc4796d8916c5131092
SHA1 d48a602229a690c512d5fdaf4c8d77547a88e7a2
SHA256 7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d
SHA512 07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

Analysis: behavioral15

Detonation Overview

Submitted

2024-05-09 14:38

Reported

2024-05-09 14:41

Platform

win10v2004-20240426-en

Max time kernel

144s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ba5c9d840c93ebc6710e647c2536f2c811d7af83c76d5eda892fe21495932d7b.exe"

Signatures

Amadey

trojan amadey

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k3521331.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k3521331.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k3521331.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k3521331.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k3521331.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k3521331.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l2378669.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k3521331.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\ba5c9d840c93ebc6710e647c2536f2c811d7af83c76d5eda892fe21495932d7b.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9871070.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0469683.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k3521331.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k3521331.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k3521331.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4472 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Temp\ba5c9d840c93ebc6710e647c2536f2c811d7af83c76d5eda892fe21495932d7b.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9871070.exe
PID 4472 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Temp\ba5c9d840c93ebc6710e647c2536f2c811d7af83c76d5eda892fe21495932d7b.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9871070.exe
PID 4472 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Temp\ba5c9d840c93ebc6710e647c2536f2c811d7af83c76d5eda892fe21495932d7b.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9871070.exe
PID 1492 wrote to memory of 3344 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9871070.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0469683.exe
PID 1492 wrote to memory of 3344 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9871070.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0469683.exe
PID 1492 wrote to memory of 3344 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9871070.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0469683.exe
PID 3344 wrote to memory of 628 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0469683.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k3521331.exe
PID 3344 wrote to memory of 628 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0469683.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k3521331.exe
PID 3344 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0469683.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l2378669.exe
PID 3344 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0469683.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l2378669.exe
PID 3344 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0469683.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l2378669.exe
PID 2396 wrote to memory of 688 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l2378669.exe C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
PID 2396 wrote to memory of 688 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l2378669.exe C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
PID 2396 wrote to memory of 688 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l2378669.exe C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
PID 1492 wrote to memory of 1740 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9871070.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m5980958.exe
PID 1492 wrote to memory of 1740 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9871070.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m5980958.exe
PID 1492 wrote to memory of 1740 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9871070.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m5980958.exe
PID 688 wrote to memory of 1612 N/A C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe C:\Windows\SysWOW64\schtasks.exe
PID 688 wrote to memory of 1612 N/A C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe C:\Windows\SysWOW64\schtasks.exe
PID 688 wrote to memory of 1612 N/A C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe C:\Windows\SysWOW64\schtasks.exe
PID 688 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe C:\Windows\SysWOW64\cmd.exe
PID 688 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe C:\Windows\SysWOW64\cmd.exe
PID 688 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe C:\Windows\SysWOW64\cmd.exe
PID 3060 wrote to memory of 1188 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3060 wrote to memory of 1188 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3060 wrote to memory of 1188 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3060 wrote to memory of 3524 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3060 wrote to memory of 3524 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3060 wrote to memory of 3524 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3060 wrote to memory of 4864 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3060 wrote to memory of 4864 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3060 wrote to memory of 4864 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3060 wrote to memory of 864 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3060 wrote to memory of 864 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3060 wrote to memory of 864 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3060 wrote to memory of 3492 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3060 wrote to memory of 3492 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3060 wrote to memory of 3492 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3060 wrote to memory of 428 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3060 wrote to memory of 428 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3060 wrote to memory of 428 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ba5c9d840c93ebc6710e647c2536f2c811d7af83c76d5eda892fe21495932d7b.exe

"C:\Users\Admin\AppData\Local\Temp\ba5c9d840c93ebc6710e647c2536f2c811d7af83c76d5eda892fe21495932d7b.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9871070.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9871070.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0469683.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0469683.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k3521331.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k3521331.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l2378669.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l2378669.exe

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

"C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe"

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m5980958.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m5980958.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN pdates.exe /TR "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "pdates.exe" /P "Admin:N"&&CACLS "pdates.exe" /P "Admin:R" /E&&echo Y|CACLS "..\925e7e99c5" /P "Admin:N"&&CACLS "..\925e7e99c5" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "pdates.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "pdates.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\925e7e99c5" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\925e7e99c5" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
BE 88.221.83.209:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
BE 88.221.83.209:443 www.bing.com tcp
US 8.8.8.8:53 209.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
FI 77.91.124.156:19071 tcp
FI 77.91.68.61:80 tcp
FI 77.91.124.156:19071 tcp
FI 77.91.68.61:80 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
FI 77.91.124.156:19071 tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
FI 77.91.68.61:80 tcp
FI 77.91.124.156:19071 tcp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
FI 77.91.124.156:19071 tcp
FI 77.91.124.156:19071 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9871070.exe

MD5 ff902d672312916358101ed7de623554
SHA1 715da6fa7a64cd74506bb2c694b79ef244f5ad97
SHA256 a25e95a0a483c22e4a43f7a7bdd429276f32d46fc1fb2ccf878ae459e7bc72d5
SHA512 eaee1d509fa533fd085a2f42de8f874670ab460b33d61cbcf0ac0f638f0408ad267041efe24ca5d932d19a33a76d044261e05f55bdb06a1362c932ce7c24e7a9

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0469683.exe

MD5 a50df7e97cfd900aa018fa21ee85881e
SHA1 d91e9b2e098bb65ae6879052c5c37d416a063b1c
SHA256 f1cdfaaefe0d91938057b073bf4008e0958e6d0f274572d0e88594bb2d8216e3
SHA512 75bcdd478f11728e8840d819178acbca77486de2881a1d93de1278ee5d3ab9302dbd929230e9f90b27b506841c8b0da0cc617e99244711cfab661fe2d64651cc

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k3521331.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

memory/628-22-0x00007FF920703000-0x00007FF920705000-memory.dmp

memory/628-21-0x00000000008B0000-0x00000000008BA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l2378669.exe

MD5 aea234064483f651010cf9d981f59fea
SHA1 002ad73a666d2d92d0c6d6b617e61c6fa0c5f3a6
SHA256 58b02c8b4bc2bf7f5f1e8e45d7c206956f188ae56b648922ca75987b999db503
SHA512 eae415ef55aeb1b4548c2422a72e618fce17c2c1322918d33dc6b9202a01c743a5684ba28e5d83b6cdb2b703bc12569e6bb0e87ef2decb4e8a18592e1380a434

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m5980958.exe

MD5 84420d75df50b6a2c80263485b903e70
SHA1 9083bc5b102dad30703c513da08a306f8b666624
SHA256 0faffaceb13cf22c2a3a276dc373ee03b0fa95ef8e7443230f84d563a355a9d3
SHA512 ddf14b82fb62e467f8640e2673a3e8fd942fa234de33819199fc97f22de311842898a9f7c5bfd66f184c3f0955630822d9a986832551812af9950b92a99a829a

memory/1740-40-0x00000000003C0000-0x00000000003F0000-memory.dmp

memory/1740-41-0x0000000004BA0000-0x0000000004BA6000-memory.dmp

memory/1740-42-0x0000000005340000-0x0000000005958000-memory.dmp

memory/1740-43-0x0000000004E30000-0x0000000004F3A000-memory.dmp

memory/1740-44-0x0000000004D50000-0x0000000004D62000-memory.dmp

memory/1740-45-0x0000000004DB0000-0x0000000004DEC000-memory.dmp

memory/1740-46-0x0000000004F40000-0x0000000004F8C000-memory.dmp

Analysis: behavioral20

Detonation Overview

Submitted

2024-05-09 14:38

Reported

2024-05-09 14:39

Platform

win10v2004-20240426-en

Max time kernel

0s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 udp

Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted

2024-05-09 14:38

Reported

2024-05-09 14:41

Platform

win10v2004-20240426-en

Max time kernel

148s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f0fb625894c32db0094ce88fe51ad9ddb2db188124af7a638cf184eccf3d1203.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p0494750.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p0494750.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p0494750.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p0494750.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p0494750.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p0494750.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p0494750.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\f0fb625894c32db0094ce88fe51ad9ddb2db188124af7a638cf184eccf3d1203.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0683912.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p0494750.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p0494750.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p0494750.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\f0fb625894c32db0094ce88fe51ad9ddb2db188124af7a638cf184eccf3d1203.exe

"C:\Users\Admin\AppData\Local\Temp\f0fb625894c32db0094ce88fe51ad9ddb2db188124af7a638cf184eccf3d1203.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0683912.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0683912.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p0494750.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p0494750.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r0205907.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r0205907.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
BE 2.17.107.107:443 www.bing.com tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 107.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
BE 2.17.107.107:443 www.bing.com tcp
FI 77.91.68.68:19071 tcp
FI 77.91.68.68:19071 tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
FI 77.91.68.68:19071 tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
FI 77.91.68.68:19071 tcp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
FI 77.91.68.68:19071 tcp
FI 77.91.68.68:19071 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0683912.exe

MD5 939d6f1624acdf247b27e417461f6fc2
SHA1 ababd4e5b9de14e4db986e9ce35439f8a5b29386
SHA256 006b489b6a848040e6f48669e137288e8d58d22f75e6068f32a1b1e7c1c168d8
SHA512 b67ae62b285f9e4888ab9081b5a8a1e58d4135bfee3e10782b44ab9250a259078b59b16457cbba3ebd34649b50db6c448c0e1c80a4e0c0358e29568d8735d034

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p0494750.exe

MD5 6bdbfe0e106a0b46337cc348201232fc
SHA1 9456f1008994ed07207269bf7fba4d7c5b075820
SHA256 552c2745a35630d97283d469214d8b3276ad11187106a62bb22a8363246b2c02
SHA512 5b1e96a8760b7c45edd7857a12039eeb64f5f25bc1f7d216a63661b0933589c5fe3a2075f666947fb2c3a32f27a4077c99d971f8d5c8373e26baed004af663a5

memory/540-14-0x00007FFF636C3000-0x00007FFF636C5000-memory.dmp

memory/540-15-0x0000000000C30000-0x0000000000C3A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r0205907.exe

MD5 0a6b4b6dc4ea62763a5d60c97a069bc0
SHA1 59c43e0db270ec2bdb287d6fc2f6782df3fb6763
SHA256 db4738b7198f819e211e04cd15957e5dc3e8a63d37f9f985f2decb7963d156b3
SHA512 85f48a2c1ae7e0b59c821de75ba85086377d72ed7bdd0bcacb9af620a18a02af1e91547b2fbbd8823e3b1dcdb11a907ef1fe187285c8299c1cd54b68f41cd445

memory/4988-20-0x0000000000C30000-0x0000000000C60000-memory.dmp

memory/4988-21-0x0000000005410000-0x0000000005416000-memory.dmp

memory/4988-22-0x000000000B060000-0x000000000B678000-memory.dmp

memory/4988-23-0x000000000ABE0000-0x000000000ACEA000-memory.dmp

memory/4988-24-0x000000000AB20000-0x000000000AB32000-memory.dmp

memory/4988-25-0x000000000AB80000-0x000000000ABBC000-memory.dmp

memory/4988-26-0x0000000004EB0000-0x0000000004EFC000-memory.dmp