Analysis Overview
SHA256
5917339910bda68a91f92247578c308113ee6fce121896237213a864c446fcd8
Threat Level: Known bad
The file r.zip was found to be: Known bad.
Malicious Activity Summary
ZGRat
Modifies Windows Defender Real-time Protection settings
RedLine payload
RedLine
Detects Healer an antivirus disabler dropper
Amadey
Healer
Detect ZGRat V1
SmokeLoader
Windows security modification
Reads user/profile data of web browsers
Executes dropped EXE
Checks computer location settings
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Adds Run key to start application
Suspicious use of SetThreadContext
Launches sc.exe
Unsigned PE
Program crash
Enumerates physical storage devices
Checks SCSI registry key(s)
Suspicious use of FindShellTrayWindow
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-09 15:04
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
(17 hits, none with a description, indicator, process or target recorded)
Analysis: behavioral5
Detonation Overview
Submitted
2024-05-09 15:04
Reported
2024-05-09 15:07
Platform
win10v2004-20240508-en
Max time kernel
132s
Max time network
151s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0107547.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f7897423.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\27054c4ef87730930ab8bbec2331b567a7518f766c3e7f55e066fb7014ae3556.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0107547.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\27054c4ef87730930ab8bbec2331b567a7518f766c3e7f55e066fb7014ae3556.exe
"C:\Users\Admin\AppData\Local\Temp\27054c4ef87730930ab8bbec2331b567a7518f766c3e7f55e066fb7014ae3556.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0107547.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0107547.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f7897423.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f7897423.exe
Network
| Country | Destination | Domain | Proto |
| FI | 77.91.68.48:19071 | | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| FI | 77.91.68.48:19071 | | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 35.166.122.92.in-addr.arpa | udp |
| FI | 77.91.68.48:19071 | | tcp |
| FI | 77.91.68.48:19071 | | tcp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| FI | 77.91.68.48:19071 | | tcp |
| FI | 77.91.68.48:19071 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0107547.exe
| MD5 | c665ba7f1cc0ab9951da7bf197b04c01 |
| SHA1 | 52a9a7b51d225fc7f8824e713043f5143cd98d85 |
| SHA256 | 20e5aeb19eafd1131b3f25dcb9216eecd4f38e69de3b61fc3cf290f387c2d998 |
| SHA512 | 03e97753a06da1cfd34c137ef0d158a5525508bfd7ce993816b772a2b60bb22f3c4676598be168a529202f8ee9e8790087a7708d9a92badc0eafc1945e7290fa |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f7897423.exe
| MD5 | 40236ff6ad5d86ba9af49e6aa8feb830 |
| SHA1 | 00c2712d3beecf509a295e340c5827db20f2e251 |
| SHA256 | e6a06e909f7d3e0117e5861c6ec36369f759bb0504e7f181c6ed74d997c5b25b |
| SHA512 | a8cdf9c4e8e2abcae17303c6fd7a62ac63ecf07d28a069f2e4e7311352404505536c287080f5a9b617c00a3c108d3f1fc5617033a848bdda8d4ec604a36c55a3 |
memory/536-14-0x0000000000520000-0x0000000000550000-memory.dmp
memory/536-18-0x0000000000401000-0x0000000000402000-memory.dmp
memory/536-19-0x0000000000400000-0x000000000043A000-memory.dmp
memory/536-20-0x0000000002160000-0x0000000002166000-memory.dmp
memory/536-21-0x00000000052B0000-0x00000000058C8000-memory.dmp
memory/536-22-0x0000000004C90000-0x0000000004D9A000-memory.dmp
memory/536-23-0x0000000004B20000-0x0000000004B32000-memory.dmp
memory/536-24-0x0000000004B40000-0x0000000004B7C000-memory.dmp
memory/536-25-0x0000000004E00000-0x0000000004E4C000-memory.dmp
Analysis: behavioral11
Detonation Overview
Submitted
2024-05-09 15:04
Reported
2024-05-09 15:07
Platform
win10v2004-20240426-en
Max time kernel
142s
Max time network
151s
Command Line
Signatures
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k5131175.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k5131175.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k5131175.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k5131175.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k5131175.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k5131175.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7974264.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4610638.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k5131175.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l1966405.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k5131175.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k5131175.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7974264.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4610638.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\627c0990f7c6fa8cc9a276966f3e2b428f8323bdd73c68bdf8034799f948f0d9.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k5131175.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k5131175.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k5131175.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\627c0990f7c6fa8cc9a276966f3e2b428f8323bdd73c68bdf8034799f948f0d9.exe
"C:\Users\Admin\AppData\Local\Temp\627c0990f7c6fa8cc9a276966f3e2b428f8323bdd73c68bdf8034799f948f0d9.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7974264.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7974264.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4610638.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4610638.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k5131175.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k5131175.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l1966405.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l1966405.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| BE | 2.17.107.107:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 107.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| FI | 77.91.68.56:19071 | | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| FI | 77.91.68.56:19071 | | tcp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| FI | 77.91.68.56:19071 | | tcp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| FI | 77.91.68.56:19071 | | tcp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| FI | 77.91.68.56:19071 | | tcp |
| FI | 77.91.68.56:19071 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7974264.exe
| MD5 | dce92bfe290f2bfc8fcdaa8d79cfb428 |
| SHA1 | 821836e9a2a75af557dc76b876d24cd2f29402b2 |
| SHA256 | 1111e92ca559d16e157e3b9f162502a32061cfd7418cdf8da2ae2337b4a552d1 |
| SHA512 | bbe7210caa78acf6df00164ccee955ce79dc4c77fb71fc780243239936c7c1b7a01f59ccda25981bc3915ba127028bfc0c6ce6469c2a920fbc54fce6e01b73a6 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4610638.exe
| MD5 | c3a728452be74e46d86fcc43e340e0c7 |
| SHA1 | 398d2ea4ede704d9634e73d8050c9bf4c2e78931 |
| SHA256 | ac29c80de2d63a3c7aa65b0cc01240c9e3ca6d8d5c57a99cb2a24d4bad04d664 |
| SHA512 | f726c838bf300f0bb0a91cf88e1bd80aaee2e7f4b6e36b74a2df10407c8328a06b9f5e65ce856a94d88079b07139a78efcada57dde97048304eead99466f58f6 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k5131175.exe
| MD5 | 0051f204743bf30a487630bccbe89d83 |
| SHA1 | bd044684a695e3b660e2caecc04c509547ffff6c |
| SHA256 | 1e47d6f87dad561d141323a430f88acaf6efdd7db516cf552a46d791454c49d5 |
| SHA512 | 821893692261d68a3e03c5bb6fd6bfcd483c2a3e09da6fae99b8880e6feb0bb55e3a379a3d7a93d6a601fc9d3a6fe05e989b2fdf316b8252787ceed4e574456f |
memory/4284-21-0x0000000000401000-0x0000000000404000-memory.dmp
memory/4284-22-0x0000000000680000-0x00000000006BE000-memory.dmp
memory/4284-29-0x0000000006BD0000-0x0000000006BD1000-memory.dmp
memory/4284-28-0x0000000000680000-0x00000000006BE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l1966405.exe
| MD5 | 4ea677b1f5913f8b1d657574f8d52fdb |
| SHA1 | 1758af24eacb654e8f89c70f156c8021c0252870 |
| SHA256 | 9322b7c8ce8041c56014fe9831c2127493924b1dd65468d994a76273f40ada58 |
| SHA512 | fa9418a8fca76d7780980c064ef5783046faa580587e9f88f8c439b15afba5984f44865341b45d20c97ac1df16a2e05a3c20ebc170fcb17e08adf5e9029e7544 |
memory/712-35-0x0000000001FF0000-0x000000000207C000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\System.dll.log
| MD5 | 916851e072fbabc4796d8916c5131092 |
| SHA1 | d48a602229a690c512d5fdaf4c8d77547a88e7a2 |
| SHA256 | 7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d |
| SHA512 | 07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521 |
memory/712-42-0x0000000001FF0000-0x000000000207C000-memory.dmp
memory/712-44-0x00000000023E0000-0x00000000023E6000-memory.dmp
memory/712-45-0x00000000050B0000-0x00000000056C8000-memory.dmp
memory/712-46-0x0000000004A90000-0x0000000004B9A000-memory.dmp
memory/712-47-0x0000000004BC0000-0x0000000004BD2000-memory.dmp
memory/712-48-0x0000000004BE0000-0x0000000004C1C000-memory.dmp
memory/712-49-0x0000000004C50000-0x0000000004C9C000-memory.dmp
Analysis: behavioral14
Detonation Overview
Submitted
2024-05-09 15:04
Reported
2024-05-09 15:07
Platform
win10v2004-20240508-en
Max time kernel
94s
Max time network
98s
Command Line
Signatures
Detect ZGRat V1
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
ZGRat
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2888 set thread context of 4964 | N/A | C:\Users\Admin\AppData\Local\Temp\677afbc18346258efc780d794cf589d9e949ec77c0f68fc663b38c6f663cf7fd.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\677afbc18346258efc780d794cf589d9e949ec77c0f68fc663b38c6f663cf7fd.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\677afbc18346258efc780d794cf589d9e949ec77c0f68fc663b38c6f663cf7fd.exe
"C:\Users\Admin\AppData\Local\Temp\677afbc18346258efc780d794cf589d9e949ec77c0f68fc663b38c6f663cf7fd.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2888 -ip 2888
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2888 -s 304
Network
| Country | Destination | Domain | Proto |
| RU | 147.45.47.64:11837 | | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.53.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.47.45.147.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| BE | 2.17.107.112:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 112.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.166.122.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 247.211.222.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
Files
memory/2888-0-0x0000000000800000-0x0000000000801000-memory.dmp
memory/4964-1-0x0000000000400000-0x000000000044A000-memory.dmp
memory/4964-2-0x000000007494E000-0x000000007494F000-memory.dmp
memory/4964-3-0x0000000005F60000-0x0000000006504000-memory.dmp
memory/4964-4-0x00000000058F0000-0x0000000005982000-memory.dmp
memory/4964-5-0x0000000074940000-0x00000000750F0000-memory.dmp
memory/4964-6-0x0000000005AC0000-0x0000000005ACA000-memory.dmp
memory/4964-7-0x0000000006F30000-0x0000000007548000-memory.dmp
memory/4964-8-0x0000000006A90000-0x0000000006B9A000-memory.dmp
memory/4964-9-0x00000000069C0000-0x00000000069D2000-memory.dmp
memory/4964-10-0x0000000006A20000-0x0000000006A5C000-memory.dmp
memory/4964-11-0x0000000006BA0000-0x0000000006BEC000-memory.dmp
memory/4964-12-0x0000000006D20000-0x0000000006D86000-memory.dmp
memory/4964-13-0x00000000077D0000-0x0000000007846000-memory.dmp
memory/4964-14-0x0000000007760000-0x000000000777E000-memory.dmp
memory/4964-15-0x0000000008620000-0x00000000087E2000-memory.dmp
memory/4964-16-0x0000000008FE0000-0x000000000950C000-memory.dmp
memory/4964-18-0x0000000074940000-0x00000000750F0000-memory.dmp
Analysis: behavioral20
Detonation Overview
Submitted
2024-05-09 15:04
Reported
2024-05-09 15:07
Platform
win10v2004-20240508-en
Max time kernel
142s
Max time network
153s
Command Line
Signatures
Amadey
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2697586.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2697586.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2697586.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2697586.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2697586.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2697586.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l6731967.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2130083.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2697586.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l6731967.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n0091138.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2697586.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\c64d3873d4dbf74d0c6e28f27a09adb2a8c897e218d1a4a4f5822391bf80c92e.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2130083.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2697586.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2697586.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2697586.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\c64d3873d4dbf74d0c6e28f27a09adb2a8c897e218d1a4a4f5822391bf80c92e.exe
"C:\Users\Admin\AppData\Local\Temp\c64d3873d4dbf74d0c6e28f27a09adb2a8c897e218d1a4a4f5822391bf80c92e.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2130083.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2130083.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2697586.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2697586.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l6731967.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l6731967.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
"C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n0091138.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n0091138.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN pdates.exe /TR "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "pdates.exe" /P "Admin:N"&&CACLS "pdates.exe" /P "Admin:R" /E&&echo Y|CACLS "..\925e7e99c5" /P "Admin:N"&&CACLS "..\925e7e99c5" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "pdates.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "pdates.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\925e7e99c5" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\925e7e99c5" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
Network
| Country | Destination | Domain | Proto |
| FI | 77.91.68.61:80 | | tcp |
| FI | 77.91.124.84:19071 | | tcp |
| FI | 77.91.124.84:19071 | | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| FI | 77.91.68.61:80 | | tcp |
| FI | 77.91.124.84:19071 | | tcp |
| FI | 77.91.68.61:80 | | tcp |
| FI | 77.91.124.84:19071 | | tcp |
| FI | 77.91.124.84:19071 | | tcp |
| FI | 77.91.124.84:19071 | | tcp |
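The Network tables of every detonation above mix the sample's own connections (77.91.68.48, 77.91.68.56 and 77.91.124.84 on port 19071, 77.91.68.61 on port 80, 147.45.47.64 on port 11837) with sandbox chatter: the PTR lookups the sandbox sends to 8.8.8.8 for the peers it has just talked to, and the Edge/Bing traffic of the Windows image. The script below is an added example, not part of the sandbox report or of any tool the report names: it parses rows in the report's own `| Country | Destination | Domain | Proto |` layout (the sample rows are copied from the tables above and are constructed input), drops the resolver and Bing traffic under an assumed allow-list, and ranks what is left so that direct-to-IP connections on non-standard ports, which is what all five endpoints here are, come first. The parser keys on the protocol token rather than column position, so rows whose empty Domain cell is missing or shifted, as in some exports, still parse.

```python
import ipaddress
from collections import Counter

# Constructed sample: rows copied from the Network tables of the detonations
# above, in the export's "| Country | Destination | Domain | Proto |" layout.
# A row with no Domain may carry an empty cell, a shifted one, or none at all,
# so the parser keys on the protocol token instead of on column position.
SAMPLE_ROWS = """
| Country | Destination | Domain | Proto |
| FI | 77.91.68.48:19071 | | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| FI | 77.91.68.48:19071 | tcp | |
| BE | 2.17.107.107:443 | www.bing.com | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| RU | 147.45.47.64:11837 | tcp | |
| FI | 77.91.68.61:80 | | tcp |
| FI | 77.91.124.84:19071 | tcp | |
| FI | 77.91.124.84:19071 | tcp |
"""

# Assumed allow-list for the lab's background traffic; tune it for your sandbox.
RESOLVER = ("8.8.8.8", 53)
BENIGN_DOMAIN_SUFFIXES = (".bing.com", ".bing.net", ".in-addr.arpa")


def parse_row(line):
    """One table row -> dict, or None for the header, blank lines and malformed rows."""
    cells = [c.strip() for c in line.strip().strip("|").split("|")]
    if len(cells) < 3 or cells[0] in ("", "Country"):
        return None
    host, sep, port = cells[1].rpartition(":")
    if not sep or not port.isdigit():
        return None
    rest = [c for c in cells[2:] if c]
    proto = next((c for c in rest if c in ("tcp", "udp")), "")
    domain = next((c for c in rest if c not in ("tcp", "udp")), "")
    return {"country": cells[0], "ip": host, "port": int(port), "domain": domain, "proto": proto}


def is_noise(row):
    """Sandbox chatter: PTR lookups of its own peers via the resolver, and Edge/Bing traffic."""
    if (row["ip"], row["port"]) == RESOLVER:
        return True
    return row["domain"].endswith(BENIGN_DOMAIN_SUFFIXES)


def extract_c2(table_text):
    """Candidate C2 endpoints -> number of connections the sandbox recorded to each."""
    hits = Counter()
    for line in table_text.splitlines():
        row = parse_row(line)
        if row is None or is_noise(row):
            continue
        if not ipaddress.ip_address(row["ip"]).is_global:
            continue  # RFC 1918, loopback, link-local: lab plumbing, not C2
        hits[(row["ip"], row["port"], row["proto"])] += 1
    return hits


def ranked(hits):
    """Direct-to-IP connections on non-standard ports first, then by connection count."""
    return sorted(hits.items(), key=lambda kv: (kv[0][1] not in (80, 443), kv[1]), reverse=True)


if __name__ == "__main__":
    for (ip, port, proto), n in ranked(extract_c2(SAMPLE_ROWS)):
        print(f"{ip}:{port}/{proto}  connections={n}")
```

The PTR names in the Domain column (for example `48.68.91.77.in-addr.arpa` in a fuller export) are the sandbox resolving its own peers after the fact; they are not lookups the malware performed, so they carry no hunting value beyond confirming the IP. The port-80 endpoint 77.91.68.61 sits in the detonation tagged Amadey and the 19071 and 11837 endpoints in the ones tagged RedLine, but that attribution comes from the report's signatures, not from the traffic itself.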
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2130083.exe
| MD5 | 442435d72bf87c742d136fd0ee857aa7 |
| SHA1 | d5a5c1e0fec4bdb78ea9c78566f1d6ac2db289dc |
| SHA256 | 1d681c45e7362d1a2079e17c36d42a60307e7ab444cb7781129ed2e23567ef62 |
| SHA512 | 6cc423388674813d33117894f91550dbab27a8b09996e2c506e1fe179ebe51dce0dbd1308860364a8a12ef8a827153c4dfe832470968a2f60efa0cf8fb7eaab7 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2697586.exe
| MD5 | 7e93bacbbc33e6652e147e7fe07572a0 |
| SHA1 | 421a7167da01c8da4dc4d5234ca3dd84e319e762 |
| SHA256 | 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38 |
| SHA512 | 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91 |
memory/2604-15-0x0000000000CB0000-0x0000000000CBA000-memory.dmp
memory/2604-14-0x00007FF9824D3000-0x00007FF9824D5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l6731967.exe
| MD5 | aea234064483f651010cf9d981f59fea |
| SHA1 | 002ad73a666d2d92d0c6d6b617e61c6fa0c5f3a6 |
| SHA256 | 58b02c8b4bc2bf7f5f1e8e45d7c206956f188ae56b648922ca75987b999db503 |
| SHA512 | eae415ef55aeb1b4548c2422a72e618fce17c2c1322918d33dc6b9202a01c743a5684ba28e5d83b6cdb2b703bc12569e6bb0e87ef2decb4e8a18592e1380a434 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n0091138.exe
| MD5 | 45f44d5c51aafc516cf8361354996963 |
| SHA1 | 1cac62d935987acdd12eefccba925e00429c8451 |
| SHA256 | e161c60286bae32f64473bc006d9b32759678e9a130be1491f95eb6f4308c48f |
| SHA512 | 3dbd14766f59278abd2bb286daff70001cd505d8cb5ac9b056cd1b98b31feb2caadddda7a54d84ad5ed0ef21ed67b2dccdd83fc187d2e7b0eff604982684ec52 |
memory/2508-33-0x0000000000F40000-0x0000000000F70000-memory.dmp
memory/2508-34-0x0000000003370000-0x0000000003376000-memory.dmp
memory/2508-35-0x0000000006030000-0x0000000006648000-memory.dmp
memory/2508-36-0x0000000005B20000-0x0000000005C2A000-memory.dmp
memory/2508-37-0x0000000005A10000-0x0000000005A22000-memory.dmp
memory/2508-38-0x0000000005A70000-0x0000000005AAC000-memory.dmp
memory/2508-39-0x0000000005AB0000-0x0000000005AFC000-memory.dmp
Analysis: behavioral21
Detonation Overview
Submitted
2024-05-09 15:04
Reported
2024-05-09 15:07
Platform
win10v2004-20240508-en
Max time kernel
140s
Max time network
151s
Command Line
Signatures
Amadey
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a9850776.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a9850776.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a9850776.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a9850776.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a9850776.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a9850776.exe | N/A |
SmokeLoader
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b6793074.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8196308.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a9850776.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b6793074.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c0831593.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a9850776.exe | N/A |
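The Healer stage in the behavioral11, behavioral20 and behavioral21 detonations writes the same six Defender values: the five `Disable*` policies under `Policies\Microsoft\Windows Defender\Real-Time Protection` set to 1, and `Windows Defender\Features\TamperProtection` set to 0. Note that the same key shows up both with and without `WOW6432Node` across the three runs, so a detection that matches the literal path misses half of them. The script below is an added example, not the sandbox's signature logic and not code from any project the report names: it parses registry-write rows in the report's own table layout (the sample rows are copied from the tables above, with the RunOnce data abridged, plus one invented gpupdate row as a benign control), folds the WOW6432Node view into the native path, flags only writes that set a kill switch to its disabling value, and then names processes that flipped several of them in one run, which is the pattern the report labels Healer. The ATT&CK mapping to T1562.001 is my annotation; the report itself lists no technique IDs.

```python
import re
from collections import Counter

# Constructed input in the layout of this report's signature tables. Rows 1-7 are
# copied from the behavioral11, behavioral20 and behavioral21 detonations above
# (the RunOnce data is abridged); the gpupdate row is invented as a benign
# control, because a write that re-enables a setting is not tampering.
SAMPLE_ROWS = r"""
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k5131175.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k5131175.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k5131175.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k5131175.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2697586.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a9850776.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 C:\Users\Admin\AppData\Local\Temp\IXP000.TMP" | C:\Users\Admin\AppData\Local\Temp\627c0990f7c6fa8cc9a276966f3e2b428f8323bdd73c68bdf8034799f948f0d9.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "0" | C:\Windows\System32\gpupdate.exe | N/A |
"""

# "| Set value (type) | <key>\<value> = "<data>" | <process> | ..."
ROW = re.compile(
    r'^\|\s*Set value \((?:int|str)\)\s*\|\s*(?P<path>.+?)\s*=\s*"(?P<data>.*)"\s*\|\s*(?P<proc>.+?)\s*\|'
)

NATIVE_HKLM = "\\REGISTRY\\MACHINE\\"
RTP = r"HKLM\SOFTWARE\POLICIES\MICROSOFT\WINDOWS DEFENDER\REAL-TIME PROTECTION"

# Value -> the data that disables the protection (paths compared upper-cased).
KILL_SWITCHES = {
    RTP + r"\DISABLEREALTIMEMONITORING": "1",
    RTP + r"\DISABLEBEHAVIORMONITORING": "1",
    RTP + r"\DISABLEIOAVPROTECTION": "1",
    RTP + r"\DISABLEONACCESSPROTECTION": "1",
    RTP + r"\DISABLESCANONREALTIMEENABLE": "1",
    r"HKLM\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\FEATURES\TAMPERPROTECTION": "0",
}


def normalize(path):
    """Native \\REGISTRY\\MACHINE path -> HKLM path, with the WOW6432Node view folded in."""
    p = path.strip().upper()
    if p.startswith(NATIVE_HKLM):
        p = "HKLM\\" + p[len(NATIVE_HKLM):]
    return p.replace("\\WOW6432NODE\\", "\\")


def detect(rows_text):
    """One finding per registry write that sets a Defender kill switch to its disabling value."""
    findings = []
    for line in rows_text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # key creations and non-table lines carry no value to judge
        key = normalize(m["path"])
        if KILL_SWITCHES.get(key) == m["data"].strip():
            findings.append({
                "process": m["proc"].strip(),
                "value": m["path"].strip().rsplit("\\", 1)[-1],
                "data": m["data"].strip(),
                "attack": "T1562.001",  # Impair Defenses: Disable or Modify Tools (my mapping)
            })
    return findings


def suspects(findings, threshold=2):
    """Processes that flipped at least `threshold` distinct switches: the Healer pattern above."""
    distinct = Counter({p: len({f["value"] for f in findings if f["process"] == p})
                        for p in {f["process"] for f in findings}})
    return {p: n for p, n in distinct.items() if n >= threshold}


if __name__ == "__main__":
    hits = detect(SAMPLE_ROWS)
    for h in hits:
        print(f'{h["attack"]} {h["value"]}={h["data"]} by {h["process"]}')
    print("multi-switch processes:", suspects(hits))
```

On a live host the same three fields come from Sysmon Event ID 13 (TargetObject, Details, Image), where the WOW6432Node variant appears for 32-bit writers exactly as it does in behavioral11. Treat a hit as an attempt: with Tamper Protection on, Defender ignores registry and Group Policy changes to real-time protection, so confirm the actual state with `Get-MpComputerStatus` rather than assuming the host is unprotected, and remember that the policy value written here survives a reboot if it was honoured.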
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\ffa14d4c0be8bc789970a81ab0d1c4ceb689e261224f173a8dbd9609a9b45102.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8196308.exe | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c0831593.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c0831593.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c0831593.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a9850776.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a9850776.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a9850776.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a9850776.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ffa14d4c0be8bc789970a81ab0d1c4ceb689e261224f173a8dbd9609a9b45102.exe
"C:\Users\Admin\AppData\Local\Temp\ffa14d4c0be8bc789970a81ab0d1c4ceb689e261224f173a8dbd9609a9b45102.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8196308.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8196308.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a9850776.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a9850776.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4200,i,10373433614523925616,13586256558317053467,262144 --variations-seed-version --mojo-platform-channel-handle=4028 /prefetch:8
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b6793074.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b6793074.exe
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
"C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c0831593.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c0831593.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN danke.exe /TR "C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "danke.exe" /P "Admin:N"&&CACLS "danke.exe" /P "Admin:R" /E&&echo Y|CACLS "..\3ec1f323b5" /P "Admin:N"&&CACLS "..\3ec1f323b5" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "danke.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "danke.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\3ec1f323b5" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\3ec1f323b5" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 85.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.58.20.217.in-addr.arpa | udp |
| BE | 88.221.83.217:443 | www.bing.com | tcp |
| BE | 88.221.83.217:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.83.221.88.in-addr.arpa | udp |
| FI | 77.91.68.3:80 | | tcp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| FI | 77.91.68.3:80 | | tcp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| FI | 77.91.68.3:80 | | tcp |
| US | 8.8.8.8:53 | 13.73.50.20.in-addr.arpa | udp |
| FI | 77.91.68.3:80 | | tcp |
| FI | 77.91.68.3:80 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8196308.exe
| MD5 | ee03504d4df12f8504069171a5a7b538 |
| SHA1 | eb202a9a59b80577a3a4f7f1988fdec688f84d61 |
| SHA256 | c5b4910e7fa298cd6f52d6baa8f32cd68d40a48bc5d1ad0c73afcf8ee963a200 |
| SHA512 | 879fc98d6a6d726599987b334340934b148429d4871553e217befe9f636fc39c5f418717c3f80a7095fe8ae4f154db59707fced7931e7e4776f28afce8f35f67 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a9850776.exe
| MD5 | b20f8d8ed9871d6bdc9521778966edda |
| SHA1 | d67137a8019d52c2b2ad602a3794520723a2f3cf |
| SHA256 | 5b41c00e640b6fd13a0b11698443188ed640c24d7d0ced938d8578759e2e2ab0 |
| SHA512 | 709545a06fb2fb46658147c397244a1e80baa08257a0547b29136c40175394d7974605ead8917d8168b76e1f18d050067457dc8240dfd535780a2811cc228b8a |
memory/676-14-0x00000000008D0000-0x00000000008DA000-memory.dmp
memory/676-15-0x00007FF938D03000-0x00007FF938D05000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b6793074.exe
| MD5 | 32c3db3657c1b1f406f85913a2cfa133 |
| SHA1 | 6a7c1e1c0b4f121a0082b6f4f76ce31752ebc836 |
| SHA256 | 91b4b43f1de55e344cb418755aa6cef1c4bcb8fbd0b59495992e4ac1474c4b6e |
| SHA512 | 1d78376e57f06b10b250992857739d4e1e6b97d3bf4fa2e76874f6de9bdad185d24b3abeac197a3dd74ed6122e9a08001239ed05a98810740ea1e5214cb35817 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c0831593.exe
| MD5 | e0962336c2979b69b35e807b972ab7a7 |
| SHA1 | f0ffc3dd41cef5b927b09979d29ff19f8c5f29c2 |
| SHA256 | 51915b1d4671195490768c8d1353aed43ddf5905a602f40ed37e07aa22aa6617 |
| SHA512 | 559f9ed55177abd42ae20443ccfd0d2203be2d7422b856e13039c3128d68ad358946200c85add22f8a5888d0fc2ec78ccc01670968e1fc53a78a97b33fe7d86d |
memory/3116-33-0x0000000000400000-0x0000000000409000-memory.dmp
Analysis: behavioral18
Detonation Overview
Submitted
2024-05-09 15:04
Reported
2024-05-09 15:07
Platform
win10v2004-20240508-en
Max time kernel
142s
Max time network
152s
Command Line
Signatures
Amadey
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a4970158.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a4970158.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a4970158.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a4970158.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a4970158.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a4970158.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
SmokeLoader
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b1092387.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4933227.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3623236.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a4970158.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b1092387.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c4322296.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d7564572.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a4970158.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\9a0ecac5f61531b0c28426e6e97edeaa0c930397169075cb98b077174beb638e.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4933227.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3623236.exe | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c4322296.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c4322296.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c4322296.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a4970158.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a4970158.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a4970158.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b1092387.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9a0ecac5f61531b0c28426e6e97edeaa0c930397169075cb98b077174beb638e.exe
"C:\Users\Admin\AppData\Local\Temp\9a0ecac5f61531b0c28426e6e97edeaa0c930397169075cb98b077174beb638e.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4933227.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4933227.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3623236.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3623236.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a4970158.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a4970158.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b1092387.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b1092387.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
"C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe"
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c4322296.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c4322296.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN pdates.exe /TR "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe" /F
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d7564572.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d7564572.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "pdates.exe" /P "Admin:N"&&CACLS "pdates.exe" /P "Admin:R" /E&&echo Y|CACLS "..\925e7e99c5" /P "Admin:N"&&CACLS "..\925e7e99c5" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "pdates.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "pdates.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\925e7e99c5" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\925e7e99c5" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| BE | 88.221.83.217:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.83.221.88.in-addr.arpa | udp |
| FI | 77.91.68.61:80 | | tcp |
| FI | 77.91.124.84:19071 | | tcp |
| FI | 77.91.124.84:19071 | | tcp |
| FI | 77.91.68.61:80 | | tcp |
| US | 8.8.8.8:53 | 99.58.20.217.in-addr.arpa | udp |
| FI | 77.91.124.84:19071 | | tcp |
| FI | 77.91.68.61:80 | | tcp |
| FI | 77.91.124.84:19071 | | tcp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| FI | 77.91.124.84:19071 | | tcp |
| FI | 77.91.124.84:19071 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4933227.exe
| MD5 | d33c8dd5dda29e2ea9759873a2e3b3a1 |
| SHA1 | 509427faf68a39997bcef4397894e8ac9a89715b |
| SHA256 | c78049d14da228c4659d831031cc94fa3d1e253480dea1114b8ea9652835dc1c |
| SHA512 | 95daea4171fae18b782e5e9716e3fc8f46302dd6883a86e4f03bc80c5c2c7a4ab87c8f356df998c6cdcef735af0cf7dda6bfb82c2478d9ed0186c466c1fd13b3 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3623236.exe
| MD5 | c3ad2c9316385e72f6fdc34de05fefcb |
| SHA1 | cb78a11ba6eb5c458b9f19877dac42dccacf1d33 |
| SHA256 | 9080ecd6ed268534fadb6a6dbfa327fc64ec426ce249199e5059e154b1bc8b78 |
| SHA512 | 0943b21c02037aea583f799ef2e6fa271b48925c5d22af687b3ff217a7a968e2b5a456678678284b6a288c50a3c104dc728884f4390295ef0c79319f73b55724 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a4970158.exe
| MD5 | b9f7307f3344963173587f481cf79702 |
| SHA1 | d1771c11330d7f05b465837268f1993d16a50ef9 |
| SHA256 | 3f1deb49ae3b7e8074b543490e6a24045c16a73102668c09729a4decb3260068 |
| SHA512 | ef449c472223eddfd606b5035962564da2b3b47e46dd7bb796e8565f14349bc1edd9e716d4b288d65dda044d47f1ee527554d130f0de6b6cf4d78a1b2e0741f5 |
memory/220-21-0x00007FFEF8333000-0x00007FFEF8335000-memory.dmp
memory/220-22-0x00000000001B0000-0x00000000001BA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b1092387.exe
| MD5 | 4ee04c7a61cb61464ec80dee700e8040 |
| SHA1 | e55aee97f689833c7800aac29bcec07933aa8c9e |
| SHA256 | 302755f30c53cbf31bb07d154f236ea3e8ee3c90b7770e95dfaf953fb8e01826 |
| SHA512 | 75f920345b8f2832606bf636f1586badcdab49b42c8b7053c214bb36e5c4996b37c08c015dcdb674bd2c568e8add18085510255001747e7442537064ea4df36b |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c4322296.exe
| MD5 | b201bc33c41cebb6d9b86d7224eac438 |
| SHA1 | 3549a2e2b561dd6bf68a9b7aa21d240c3d87a8db |
| SHA256 | fcc6ea0459be99bc3a272443ee71b1d520c1c88860222ce13fcadf7234ccd4a6 |
| SHA512 | ea5f1379a02f07161dbbbfd0a0c8b96f26dbcbd24fc9867d14c762cb9782beb8bcfed412ca69e1ad1f8a7b7669847c205b18bde309f9f7ec23f117d64a5368ab |
memory/3740-40-0x0000000000400000-0x0000000000409000-memory.dmp
memory/3740-41-0x0000000000400000-0x0000000000409000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d7564572.exe
| MD5 | 199269ce88604882efe788faab582aa9 |
| SHA1 | 2f1f18318b7f895a99af1e2bc156156cda96e495 |
| SHA256 | 836375a91b2c9d90834283b30a84b968d3056ade7f0964f83b98e48a005509e4 |
| SHA512 | 8a6dcbe7e46ee1db540c2e24f0e48f173670076e21ebe906f09944bdb23623bc608f78b43671ed2a80a65572a330fcb72820da2fa5b718a844bce2f498b8ed6d |
memory/4692-45-0x0000000000DA0000-0x0000000000DD0000-memory.dmp
memory/4692-46-0x0000000007A50000-0x0000000007A56000-memory.dmp
memory/4692-47-0x0000000005CF0000-0x0000000006308000-memory.dmp
memory/4692-48-0x00000000057E0000-0x00000000058EA000-memory.dmp
memory/4692-49-0x0000000005720000-0x0000000005732000-memory.dmp
memory/4692-50-0x0000000005780000-0x00000000057BC000-memory.dmp
memory/4692-51-0x00000000058F0000-0x000000000593C000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-09 15:04
Reported
2024-05-09 15:07
Platform
win10v2004-20240508-en
Max time kernel
142s
Max time network
153s
Command Line
Signatures
Amadey
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4942992.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4942992.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4942992.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4942992.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4942992.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4942992.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l0282367.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8561586.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4942992.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l0282367.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n8190518.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4942992.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\0f3fc05fe2db9d3b03c0b7d1c6af9353f3d7c1d340577a71dabad5617658cb99.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8561586.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4942992.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4942992.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4942992.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l0282367.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\0f3fc05fe2db9d3b03c0b7d1c6af9353f3d7c1d340577a71dabad5617658cb99.exe
"C:\Users\Admin\AppData\Local\Temp\0f3fc05fe2db9d3b03c0b7d1c6af9353f3d7c1d340577a71dabad5617658cb99.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8561586.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8561586.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4942992.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4942992.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3804,i,15140928051103392835,1612840580898364401,262144 --variations-seed-version --mojo-platform-channel-handle=4120 /prefetch:8
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l0282367.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l0282367.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
"C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n8190518.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n8190518.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN pdates.exe /TR "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "pdates.exe" /P "Admin:N"&&CACLS "pdates.exe" /P "Admin:R" /E&&echo Y|CACLS "..\925e7e99c5" /P "Admin:N"&&CACLS "..\925e7e99c5" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "pdates.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "pdates.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\925e7e99c5" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\925e7e99c5" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| BE | 88.221.83.201:443 | www.bing.com | tcp |
| BE | 88.221.83.201:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 201.83.221.88.in-addr.arpa | udp |
| FI | 77.91.68.61:80 | | tcp |
| FI | 77.91.124.84:19071 | | tcp |
| FI | 77.91.124.84:19071 | | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| FI | 77.91.68.61:80 | | tcp |
| FI | 77.91.124.84:19071 | | tcp |
| FI | 77.91.68.61:80 | | tcp |
| FI | 77.91.124.84:19071 | | tcp |
| US | 8.8.8.8:53 | 91.16.208.104.in-addr.arpa | udp |
| FI | 77.91.124.84:19071 | | tcp |
| FI | 77.91.124.84:19071 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8561586.exe
| MD5 | 9abc430a21ea238323d10dc935de0fef |
| SHA1 | edc663202e8f1b2396af1a350c03a0339139136a |
| SHA256 | a4b3674464ff3134da3edd7c6cefbb9b31b2de0d32b98ae67b2023f136da843c |
| SHA512 | bc0cf245c5315b4dc6463e7b07b01a73ce37399fea3544b40d96cdbc0a35f40320d294e637d30ab14efcfa2884b25b361b7f4873892dd4db58a952b6a2effa3e |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4942992.exe
| MD5 | 7e93bacbbc33e6652e147e7fe07572a0 |
| SHA1 | 421a7167da01c8da4dc4d5234ca3dd84e319e762 |
| SHA256 | 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38 |
| SHA512 | 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91 |
memory/3456-14-0x0000000000340000-0x000000000034A000-memory.dmp
memory/3456-15-0x00007FFCACA73000-0x00007FFCACA75000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l0282367.exe
| MD5 | aea234064483f651010cf9d981f59fea |
| SHA1 | 002ad73a666d2d92d0c6d6b617e61c6fa0c5f3a6 |
| SHA256 | 58b02c8b4bc2bf7f5f1e8e45d7c206956f188ae56b648922ca75987b999db503 |
| SHA512 | eae415ef55aeb1b4548c2422a72e618fce17c2c1322918d33dc6b9202a01c743a5684ba28e5d83b6cdb2b703bc12569e6bb0e87ef2decb4e8a18592e1380a434 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n8190518.exe
| MD5 | b2417f3b7a8bffc96a7e4beee4fc563a |
| SHA1 | b00d54026c202bc1efa63fe1082260ea7b69cf08 |
| SHA256 | f150b805ce7d93bb019e977b3eea334b415c1b60b54c6185b864aa9cb5fefb33 |
| SHA512 | 3f5e6d146181ef7cba186139b05bc86aca8c2f4ed24379d79dfc184426d560f539d9a66c9776c5b2a9712589c2c48a416758e86b80c9abdfe06a027618017fdc |
memory/864-33-0x00000000008F0000-0x0000000000920000-memory.dmp
memory/864-34-0x0000000002C40000-0x0000000002C46000-memory.dmp
memory/864-35-0x000000000ABE0000-0x000000000B1F8000-memory.dmp
memory/864-36-0x000000000A760000-0x000000000A86A000-memory.dmp
memory/864-37-0x000000000A6A0000-0x000000000A6B2000-memory.dmp
memory/864-38-0x000000000A700000-0x000000000A73C000-memory.dmp
memory/864-39-0x0000000002BC0000-0x0000000002C0C000-memory.dmp
Analysis: behavioral6
Detonation Overview
Submitted
2024-05-09 15:04
Reported
2024-05-09 15:07
Platform
win10v2004-20240426-en
Max time kernel
146s
Max time network
151s
Command Line
Signatures
Amadey
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a5482627.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a5482627.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a5482627.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a5482627.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a5482627.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a5482627.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
SmokeLoader
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b9830090.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6722793.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0212287.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a5482627.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b9830090.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c0555315.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d2581591.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a5482627.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\2b700615cbaa89c4d3e0272582a4db8e51bcfe6c3333a5be92e93784b2855ac1.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6722793.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0212287.exe | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c0555315.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c0555315.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c0555315.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a5482627.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a5482627.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a5482627.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2b700615cbaa89c4d3e0272582a4db8e51bcfe6c3333a5be92e93784b2855ac1.exe
"C:\Users\Admin\AppData\Local\Temp\2b700615cbaa89c4d3e0272582a4db8e51bcfe6c3333a5be92e93784b2855ac1.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6722793.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6722793.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0212287.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0212287.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a5482627.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a5482627.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b9830090.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b9830090.exe
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
"C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe"
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c0555315.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c0555315.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN danke.exe /TR "C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "danke.exe" /P "Admin:N"&&CACLS "danke.exe" /P "Admin:R" /E&&echo Y|CACLS "..\3ec1f323b5" /P "Admin:N"&&CACLS "..\3ec1f323b5" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "danke.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "danke.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\3ec1f323b5" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\3ec1f323b5" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d2581591.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d2581591.exe
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| BE | 88.221.83.201:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 201.83.221.88.in-addr.arpa | udp |
| BE | 88.221.83.201:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| FI | 77.91.68.3:80 | N/A | tcp |
| FI | 77.91.68.68:19071 | N/A | tcp |
| FI | 77.91.68.3:80 | N/A | tcp |
| FI | 77.91.68.68:19071 | N/A | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| FI | 77.91.68.3:80 | N/A | tcp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| FI | 77.91.68.68:19071 | N/A | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| FI | 77.91.68.3:80 | N/A | tcp |
| FI | 77.91.68.68:19071 | N/A | tcp |
| FI | 77.91.68.3:80 | N/A | tcp |
| FI | 77.91.68.68:19071 | N/A | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6722793.exe
| MD5 | a84aec2543b96b819df1d6560a83b409 |
| SHA1 | 4746f87511f4a706b498ce4b00ce04ab2ee34a96 |
| SHA256 | 8e85fd1916d7aa4be4b6d5433fe4d7bfd6cc2b6345dc0e66944e47a32f53283e |
| SHA512 | 0d83d0790dc5103432caac5d3e8f099a24ef67e2c0f9da16a14611e0b515c12ee1da02b07b397863bbd0a1cd2983883d969ad900b093d0cb02a04526264db0e6 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0212287.exe
| MD5 | 7fb53a16038674b0ba753c48ce1c4d40 |
| SHA1 | d953a2339156d23dc5ae893aad21de6b5d30f749 |
| SHA256 | ab23c1eaa08a4c0824d555f3237b26870b9402e39a209383ba1b3a708b7c5fc0 |
| SHA512 | 416e81c736465104999c4e609b1d22b63e4d34c303dc4d495eb0c47bc59bee5616f63ad673029e4ee51c0e24031e6ae4938f640492f6deb58f8908b89ab268e9 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a5482627.exe
| MD5 | 259bb29209ae2578fb8b7cc4a582acc1 |
| SHA1 | 068f6221e70d483abf48150bd735a2ee27549788 |
| SHA256 | d64ae6f3530eb8737ac7907d75b40e3f68e5a5dc43fd215cb1926fd6d31164d4 |
| SHA512 | b0c893cc008329afbec7faa5cba70c025c31d72304d0ea411d7f25bf893908bae698984683a4f87c6f6962329936b092a503bc523a1b1050833f4c4948314f0f |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b9830090.exe
| MD5 | 3084ee705552dca8fd17dd8edff172ad |
| SHA1 | 93bc086ad91b72a88b4a9f97b7e626e19735cb44 |
| SHA256 | 91363b4d41a2cfdb64c13bee2ff6c281fbf5ca0f72484beacbdb8182b31df29e |
| SHA512 | 3b49cee028c72e2ed6e0b5987a44fa93bdabc4e6e1012a6ebe76acef70cb1d27e31391f5b79eefff84603de3cce6b5156d2f12f50aaea80da4f55821d78493f3 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c0555315.exe
| MD5 | f20d18cd6b20d015eb19b47c477e1069 |
| SHA1 | c49feb19e0a0285e9a4565bf59184ae951d07939 |
| SHA256 | 2f6378627677ef33a432850da660c8852b039ab0c2acfc11772d8cbe4b6a0bb8 |
| SHA512 | f26c33ba50517d39037f70764f0f032012bf378c8e7a75f65c7189a8b6a6f8857aaeda9c5ab0b9d1340a873e63715e05a239aa2b57a6bd4a387750b9a45f6ac2 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d2581591.exe
| MD5 | c53789658163743507e59840354aa22e |
| SHA1 | 5a338d9ef7b29ee707f808f61e2de07410d15e03 |
| SHA256 | e9d542fcd0f849685e817f35600986a37a2886f95c52f55f52988e40bdb225d1 |
| SHA512 | fafc23ac41d62c1a938ac2b277fd4ac0d7fdefcf9d0e1a9891c6ceca60e2f9ab3ac09f4f6e29607f6aa64db948a5b9d77f5e6d8f049371584cce7cb078b8c0bd |
Analysis: behavioral13
Detonation Overview
Submitted
2024-05-09 15:04
Reported
2024-05-09 15:07
Platform
win7-20240221-en
Max time kernel
122s
Max time network
123s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\677afbc18346258efc780d794cf589d9e949ec77c0f68fc663b38c6f663cf7fd.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2844 wrote to memory of 2012 | N/A | C:\Users\Admin\AppData\Local\Temp\677afbc18346258efc780d794cf589d9e949ec77c0f68fc663b38c6f663cf7fd.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2844 wrote to memory of 2012 | N/A | C:\Users\Admin\AppData\Local\Temp\677afbc18346258efc780d794cf589d9e949ec77c0f68fc663b38c6f663cf7fd.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2844 wrote to memory of 2012 | N/A | C:\Users\Admin\AppData\Local\Temp\677afbc18346258efc780d794cf589d9e949ec77c0f68fc663b38c6f663cf7fd.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2844 wrote to memory of 2012 | N/A | C:\Users\Admin\AppData\Local\Temp\677afbc18346258efc780d794cf589d9e949ec77c0f68fc663b38c6f663cf7fd.exe | C:\Windows\SysWOW64\WerFault.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\677afbc18346258efc780d794cf589d9e949ec77c0f68fc663b38c6f663cf7fd.exe
"C:\Users\Admin\AppData\Local\Temp\677afbc18346258efc780d794cf589d9e949ec77c0f68fc663b38c6f663cf7fd.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2844 -s 88
Network
Files
Analysis: behavioral16
Detonation Overview
Submitted
2024-05-09 15:04
Reported
2024-05-09 15:07
Platform
win10v2004-20240426-en
Max time kernel
149s
Max time network
153s
Command Line
Signatures
Detects Healer an antivirus disabler dropper
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k6356050.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k6356050.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k6356050.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k6356050.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k6356050.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k6356050.exe | N/A |
RedLine
RedLine payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1576714.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k6356050.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l8445185.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k6356050.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k6356050.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\85594a9dffbaaedca9ea95760b5683bb9ed199e29a54525ac755697a6e18aaab.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1576714.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k6356050.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k6356050.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k6356050.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\85594a9dffbaaedca9ea95760b5683bb9ed199e29a54525ac755697a6e18aaab.exe
"C:\Users\Admin\AppData\Local\Temp\85594a9dffbaaedca9ea95760b5683bb9ed199e29a54525ac755697a6e18aaab.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1576714.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1576714.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k6356050.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k6356050.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l8445185.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l8445185.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| FI | 77.91.68.48:19071 | N/A | tcp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| FI | 77.91.68.48:19071 | N/A | tcp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.211.222.173.in-addr.arpa | udp |
| FI | 77.91.68.48:19071 | N/A | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| FI | 77.91.68.48:19071 | N/A | tcp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| BE | 88.221.83.201:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.99.105.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| BE | 88.221.83.201:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 201.83.221.88.in-addr.arpa | udp |
| FI | 77.91.68.48:19071 | N/A | tcp |
| FI | 77.91.68.48:19071 | N/A | tcp |
| US | 8.8.8.8:53 | N/A | udp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1576714.exe
| MD5 | a0cb6a2e979429d1975720ea106f3f81 |
| SHA1 | 4148b212ec6b8501f17ee853818f95243eaba9e2 |
| SHA256 | d7c2948f835301ed1bd3cb90c7ece4820ea7ec474e71bece56212117881a549f |
| SHA512 | e70f0916d25438cc0227ab191e4d8c47269c89fcd05ca914c0943262006c7aa1eb269b66ac54dd175219972765980c9a2616644b1445bcd5429b5de80b3d5e16 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k6356050.exe
| MD5 | 08b44020365b0a89c0d98f76fa754473 |
| SHA1 | 776dd783ee54525f05457ce18fbe72868bc10e20 |
| SHA256 | 52cbb6fbdbc28f4f974bfb08d2ccc53bf5bd7f7e99eba7dc401132b85a350811 |
| SHA512 | 34d149eb3c08db15b9b8c065ce3b3be524b30355a8b70fd95223cbc75317b1633e0092a2053db56b0d243b08f99cfebc1df0c19bd7027c417843c98ff5819381 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l8445185.exe
| MD5 | d510d1d0f042bcb5c8eed24d7637449f |
| SHA1 | fe41b9d586964d8c5dfa5f65459ee729e4cc87bd |
| SHA256 | 1acabda21ca778c49cc766317cf13db0f8bbe3ac38e8f5374e3500fa9deed454 |
| SHA512 | 0dbfcf37485c58e02a2171e1ea29012c998ef39c987496e87f2cce3b8af1199a49ff5c8d9febeff8880dcee0fc72dd06b7489ac038b564c3d1e331d60d921550 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\System.dll.log
| MD5 | 916851e072fbabc4796d8916c5131092 |
| SHA1 | d48a602229a690c512d5fdaf4c8d77547a88e7a2 |
| SHA256 | 7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d |
| SHA512 | 07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521 |
Analysis: behavioral17
Detonation Overview
Submitted
2024-05-09 15:04
Reported
2024-05-09 15:07
Platform
win10v2004-20240426-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Detects Healer an antivirus disabler dropper
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k3866968.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k3866968.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k3866968.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k3866968.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k3866968.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k3866968.exe | N/A |
RedLine
RedLine payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4846081.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1925105.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k3866968.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l4584379.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k3866968.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k3866968.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4846081.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1925105.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\8c7a2623ea0bfbad72a17add57243068958fa7289cd1319d5cbc3af84eeac07d.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k3866968.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k3866968.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k3866968.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\8c7a2623ea0bfbad72a17add57243068958fa7289cd1319d5cbc3af84eeac07d.exe
"C:\Users\Admin\AppData\Local\Temp\8c7a2623ea0bfbad72a17add57243068958fa7289cd1319d5cbc3af84eeac07d.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4846081.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4846081.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1925105.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1925105.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k3866968.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k3866968.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l4584379.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l4584379.exe
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start wuauserv
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| BE | 88.221.83.227:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| BE | 88.221.83.227:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 227.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| FI | 77.91.68.56:19071 | N/A | tcp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.166.122.92.in-addr.arpa | udp |
| FI | 77.91.68.56:19071 | N/A | tcp |
| FI | 77.91.68.56:19071 | N/A | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| FI | 77.91.68.56:19071 | N/A | tcp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| FI | 77.91.68.56:19071 | N/A | tcp |
| FI | 77.91.68.56:19071 | N/A | tcp |
| US | 8.8.8.8:53 | N/A | udp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4846081.exe
| MD5 | 02f4833c0c6516c5cfef394d3b9eb7ec |
| SHA1 | fe78922d829ff5d0c1321fc6a82c2e0022fffd7d |
| SHA256 | 00e6ec6ca0ea5d14532e2f75af89658dad92a777d76023b9b56f02366e10baeb |
| SHA512 | 0959074ad192f172928111239a7584d55ed6a434d88f193327386c2a603d09b7dba0ab06f8d6dccdfcc2c48a84f227e95140cb73d516b8c3b4f86624c809ae13 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1925105.exe
| MD5 | aefd88bf78d38520127335f71ce127e6 |
| SHA1 | 556478abe734493103cbaea50f7debb2c1d81694 |
| SHA256 | b52531c03cf4d2369515c81b7d0b5991c5bcc9fad953d224fb5b7fabf753b96a |
| SHA512 | 1fe416f984c321aa49c37774287e6dbbbf4b31c49c89a62e884ee9183de3a657bdc78fe68f76cd2092e044c57809d8c9e74a288acc5534bc0b2ff25d38d856f2 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k3866968.exe
| MD5 | a591f6df7b933436a7cb019fe4f2d67d |
| SHA1 | 87d9b91e6d1ff08b2d9b3f24bd9f737f93a6eefd |
| SHA256 | b943a4dad97943ca50984fa33a55c9dcd7ef0d3aa9d4b17e7f3acd1a15cfc3c7 |
| SHA512 | 6916702db6a8e459277a0051883f0d01ed95ebef24301625ceff4ec06e17ca62ea412c376b832891dc16e3929ab328db9b30c4a5060b576a91349ea9fb941c24 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l4584379.exe
| MD5 | 3a8c9ba37b9448ebda8303351a3d9aaf |
| SHA1 | 1eab9447cdb12a312d0c43ff2b74d9906dcc7cb9 |
| SHA256 | 2444d26a0a4996437fe72fdb2e128a20bebb8eee11c40c78f5bf15de0e58aebe |
| SHA512 | 1470b5849946293b16b5afdec3319d56348e3768ad415acc0c4310216ec2ff2aee0b7439da67070f6aaa90b10083f35f9f67e2bb19daee1f5f0fd72945148f0f |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\System.dll.log
| MD5 | 916851e072fbabc4796d8916c5131092 |
| SHA1 | d48a602229a690c512d5fdaf4c8d77547a88e7a2 |
| SHA256 | 7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d |
| SHA512 | 07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521 |
Analysis: behavioral10
Detonation Overview
Submitted
2024-05-09 15:04
Reported
2024-05-09 15:07
Platform
win10v2004-20240226-en
Max time kernel
142s
Max time network
156s
Command Line
Signatures
Amadey
Detects Healer an antivirus disabler dropper
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h9418416.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h9418416.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h9418416.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h9418416.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h9418416.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h9418416.exe | N/A |
RedLine
RedLine payload
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g2951219.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9699231.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g2951219.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h9418416.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j3752822.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h9418416.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\35d50aca923965e5a644e1735c8cd657d562282a8fddd8a654982c84f9258342.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9699231.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h9418416.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h9418416.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h9418416.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g2951219.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\35d50aca923965e5a644e1735c8cd657d562282a8fddd8a654982c84f9258342.exe
"C:\Users\Admin\AppData\Local\Temp\35d50aca923965e5a644e1735c8cd657d562282a8fddd8a654982c84f9258342.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9699231.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9699231.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g2951219.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g2951219.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
"C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe"
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h9418416.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h9418416.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN pdates.exe /TR "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "pdates.exe" /P "Admin:N"&&CACLS "pdates.exe" /P "Admin:R" /E&&echo Y|CACLS "..\925e7e99c5" /P "Admin:N"&&CACLS "..\925e7e99c5" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "pdates.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "pdates.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\925e7e99c5" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\925e7e99c5" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j3752822.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j3752822.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4092 --field-trial-handle=2276,i,11674642242468042059,14711253743544118298,262144 --variations-seed-version /prefetch:8
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| FI | 77.91.68.61:80 | N/A | tcp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.58.20.217.in-addr.arpa | udp |
| FI | 77.91.68.61:80 | N/A | tcp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| FI | 77.91.68.68:19071 | N/A | tcp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| FI | 77.91.68.61:80 | N/A | tcp |
| FI | 77.91.68.68:19071 | N/A | tcp |
| US | 8.8.8.8:53 | 7.173.189.20.in-addr.arpa | udp |
| FI | 77.91.68.68:19071 | N/A | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9699231.exe
| MD5 | 68cc2c63cf25d7c3b3256fb94672fe31 |
| SHA1 | fe239b914f1416e52daaf280f8037d80c6cf8446 |
| SHA256 | 2b08b09d1f156ce5575e606054b368a0abd74b7202b020d7452e16d3ad5d3b9e |
| SHA512 | 5c71017b221c19dfac3f73c86b56e8180bdeb25e6e93fd6fd506f635edfa0e39192c92fb9e257c351ee2eab07b021d2e13bf6b5fcf05c1866896e28163a0cb45 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g2951219.exe
| MD5 | aea234064483f651010cf9d981f59fea |
| SHA1 | 002ad73a666d2d92d0c6d6b617e61c6fa0c5f3a6 |
| SHA256 | 58b02c8b4bc2bf7f5f1e8e45d7c206956f188ae56b648922ca75987b999db503 |
| SHA512 | eae415ef55aeb1b4548c2422a72e618fce17c2c1322918d33dc6b9202a01c743a5684ba28e5d83b6cdb2b703bc12569e6bb0e87ef2decb4e8a18592e1380a434 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h9418416.exe
| MD5 | 7e93bacbbc33e6652e147e7fe07572a0 |
| SHA1 | 421a7167da01c8da4dc4d5234ca3dd84e319e762 |
| SHA256 | 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38 |
| SHA512 | 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91 |
memory/4640-27-0x00000000003C0000-0x00000000003CA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j3752822.exe
| MD5 | d39ea4685ebd66ffa101cf84bbce6b28 |
| SHA1 | 41fb7d084660a4fcbb8da2c1f404a0976989100a |
| SHA256 | d5d5ad09f45f741b0c27ee80315115f6a3846a27f4e20b5541b7355420c66df0 |
| SHA512 | 3e270a78f8f7471ef03ade82cec9cd34329db803554ccff74f859846433e5a6b5e6ac6af0a412f04c3466392486ef55b2da8ec9bfa372dbf302b39a6355fe82f |
memory/2044-33-0x00000000005D0000-0x0000000000600000-memory.dmp
memory/2044-34-0x0000000002880000-0x0000000002886000-memory.dmp
memory/2044-35-0x000000000AA00000-0x000000000B018000-memory.dmp
memory/2044-36-0x000000000A580000-0x000000000A68A000-memory.dmp
memory/2044-37-0x000000000A4C0000-0x000000000A4D2000-memory.dmp
memory/2044-38-0x000000000A520000-0x000000000A55C000-memory.dmp
memory/2044-39-0x0000000004DA0000-0x0000000004DEC000-memory.dmp
Analysis: behavioral12
Detonation Overview
| Submitted | 2024-05-09 15:04 |
| Reported | 2024-05-09 15:07 |
| Platform | win10v2004-20240426-en |
| Max time kernel | 146s |
| Max time network | 149s |
| Command Line | |
Signatures
Amadey
Detects Healer an antivirus disabler dropper
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a8400544.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a8400544.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a8400544.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a8400544.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a8400544.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a8400544.exe | N/A |
RedLine
RedLine payload
SmokeLoader
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b7161503.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8094658.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1890207.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a8400544.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b7161503.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c9747003.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d7741225.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a8400544.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\65db5d7052987e7e8d814719a1e9c77b7d0f755b7f100a0b3f0b0d1b83d9b43e.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8094658.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1890207.exe | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c9747003.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c9747003.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c9747003.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a8400544.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a8400544.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a8400544.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b7161503.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\65db5d7052987e7e8d814719a1e9c77b7d0f755b7f100a0b3f0b0d1b83d9b43e.exe
"C:\Users\Admin\AppData\Local\Temp\65db5d7052987e7e8d814719a1e9c77b7d0f755b7f100a0b3f0b0d1b83d9b43e.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8094658.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8094658.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1890207.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1890207.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a8400544.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a8400544.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b7161503.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b7161503.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
"C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe"
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c9747003.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c9747003.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN pdates.exe /TR "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "pdates.exe" /P "Admin:N"&&CACLS "pdates.exe" /P "Admin:R" /E&&echo Y|CACLS "..\925e7e99c5" /P "Admin:N"&&CACLS "..\925e7e99c5" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "pdates.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "pdates.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\925e7e99c5" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\925e7e99c5" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d7741225.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d7741225.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| BE | 2.17.107.107:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 107.107.17.2.in-addr.arpa | udp |
| FI | 77.91.68.61:80 | | tcp |
| FI | 77.91.124.156:19071 | | tcp |
| FI | 77.91.68.61:80 | | tcp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| FI | 77.91.124.156:19071 | | tcp |
| FI | 77.91.68.61:80 | | tcp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| FI | 77.91.124.156:19071 | | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| FI | 77.91.124.156:19071 | | tcp |
| FI | 77.91.124.156:19071 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8094658.exe
| MD5 | eb475f3a8c4a25a19fa0abdc1e907952 |
| SHA1 | 8988b40a69f6cb754a42bc5c7871ed839629b504 |
| SHA256 | 40fbde6d35302d77db924d8a4db6569c23336d9205e82f12a82228cc100edb71 |
| SHA512 | 3199b26a1ce8049c64556a2a9d0465c3ffa479594ca01d7ce052ba64fd128ab9da6302bf55baaaf59479e3a4c53f0569d93d7bb4d1566d1d65b4864b4a20af09 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1890207.exe
| MD5 | 2dfe4d2812a48ddbf22392cc3a90970b |
| SHA1 | 4f1b63d32b90a492f98673c94646a42a6e853ac6 |
| SHA256 | 9e6f3fd3f785137a445cbe56ff06c292a6df24180f53811fc86132a2bd4859c2 |
| SHA512 | 8b30e6f60dc809e9411dd14439766ec61da1ce41170a987c6c917abfe8df3985d8d6870672b38e72c10317e178e032fdc94f1f36bc4c48cc79938ae9d7c9b6da |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a8400544.exe
| MD5 | 7e93bacbbc33e6652e147e7fe07572a0 |
| SHA1 | 421a7167da01c8da4dc4d5234ca3dd84e319e762 |
| SHA256 | 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38 |
| SHA512 | 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91 |
memory/1740-21-0x00000000001E0000-0x00000000001EA000-memory.dmp
memory/1740-22-0x00007FF8E8253000-0x00007FF8E8255000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b7161503.exe
| MD5 | bc91e6e768fd91095e2345589ee83b4a |
| SHA1 | 8d1b66b836cb0e5134a3f807e6f552068ae3e049 |
| SHA256 | d0ad15538e2a3f9aedb1b72fcd30581d83b8ca9e8e044f1a404cd3a71cc601a4 |
| SHA512 | 2d8766287f50a95994a2c4496f09114406faa469baeb3719c061e08b323dd359338ba0a8fe526c2f7138fa1c8fa3018743ce2a26203626ecc5901e179d5224b1 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c9747003.exe
| MD5 | 6b8535ff7acd76f5a865bfa3e04fe4f7 |
| SHA1 | 26d3dc99f638cf9cae4681dd14269fe9723c904b |
| SHA256 | acf67950c3da59de03f145d42b15fb141395c524a091a46a0cc24d07e3e286da |
| SHA512 | ea3a27b4bb1bb8050b593f64f9bb9bf6ba53de10fb7e12a1e6687e156d85fb5757a1797ad7a7b6cc966730c9fa9b713b8ec01f1e2c2b315977ed47441571f83a |
memory/4436-39-0x0000000000400000-0x0000000000409000-memory.dmp
memory/4436-41-0x0000000000400000-0x0000000000409000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d7741225.exe
| MD5 | a438c0ff74d4f3006dd94b497bae7179 |
| SHA1 | d6618c08840cea64523e48bde1f433731049876d |
| SHA256 | 7a183cd5079b87c635002449d16a0fe2b686f777b58f507a5825033214aba176 |
| SHA512 | 6ab764d9268aac5902b8026b7c5eb31e3956c86711e3ca52ab3fef12b45ad59a56b3ceb9e671c2efdf7b34543aa263dffe236eada2c754f23aa2ff0b7484a342 |
memory/4720-45-0x00000000004E0000-0x0000000000510000-memory.dmp
memory/4720-46-0x00000000028B0000-0x00000000028B6000-memory.dmp
memory/4720-47-0x000000000A820000-0x000000000AE38000-memory.dmp
memory/4720-48-0x000000000A350000-0x000000000A45A000-memory.dmp
memory/4720-49-0x000000000A290000-0x000000000A2A2000-memory.dmp
memory/4720-50-0x000000000A2F0000-0x000000000A32C000-memory.dmp
memory/4720-51-0x0000000002680000-0x00000000026CC000-memory.dmp
Analysis: behavioral15
Detonation Overview
| Submitted | 2024-05-09 15:04 |
| Reported | 2024-05-09 15:07 |
| Platform | win10v2004-20240508-en |
| Max time kernel | 147s |
| Max time network | 157s |
| Command Line | |
Signatures
Detects Healer an antivirus disabler dropper
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k8983836.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k8983836.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k8983836.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k8983836.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k8983836.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k8983836.exe | N/A |
RedLine
RedLine payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9197754.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8899110.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k8983836.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l6713466.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k8983836.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k8983836.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\841ea03e181082fcf7f5533397a6731021c045058047518f2795b78fd69dda82.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9197754.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8899110.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k8983836.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k8983836.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k8983836.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\841ea03e181082fcf7f5533397a6731021c045058047518f2795b78fd69dda82.exe
"C:\Users\Admin\AppData\Local\Temp\841ea03e181082fcf7f5533397a6731021c045058047518f2795b78fd69dda82.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9197754.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9197754.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8899110.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8899110.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k8983836.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k8983836.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l6713466.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l6713466.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| FI | 77.91.68.56:19071 | | tcp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 35.166.122.92.in-addr.arpa | udp |
| FI | 77.91.68.56:19071 | | tcp |
| US | 8.8.8.8:53 | 247.211.222.173.in-addr.arpa | udp |
| FI | 77.91.68.56:19071 | | tcp |
| FI | 77.91.68.56:19071 | | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| FI | 77.91.68.56:19071 | | tcp |
| FI | 77.91.68.56:19071 | | tcp |
| US | 8.8.8.8:53 | 95.16.208.104.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9197754.exe
| MD5 | ede57962f295bf08f53a8ecb2a5ff527 |
| SHA1 | 867a158e8ccc7e1ed3172b9a72376016475fb52a |
| SHA256 | 84888a9705747c4916947eb0c2a267a0b7f52298ab150fccc5fb14e3610e6fff |
| SHA512 | 0c368c5f97be6769f4802983c2cf6bd91119eaa53a3ca54c6ebd3b53ca21d3b34ad68341fc8d6b2c2475841487b6ee14a47d7501e82e47134cf857273879f5c6 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8899110.exe
| MD5 | 850e3bf170ef064bb7e3dc1878dcf38d |
| SHA1 | 5f17fbe509d9f62686fe1ad9e291e1cfd44fea94 |
| SHA256 | 98e3d735da5e971cd256f503e99738c519c7324a63383259db25b493e81f7721 |
| SHA512 | 00e7c117b916047cef13eab346b576cbb2f5da926a1ace8bfb0fc3098e3a42b89d3cb75c246141fccc9e830cc31bfc28461e19f26bca1c5191d73f61a12936f6 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k8983836.exe
| MD5 | 71c4479e9cce36f0d305e966896ecc45 |
| SHA1 | 4a96d92d6a305841fc6aeaf8c52935137b3e8a02 |
| SHA256 | b542aa2cd85a09f28526016d538789c2b65e2c428140ed2b8972216f27233480 |
| SHA512 | b0af086e5cb159dbc52539dc9cf7ec95b86a062ca086c43bba4b65cd1538c5943ba5140145a48e53e55e9be19922cf67fb76dd38af87f2700acac209cff7db36 |
memory/2232-22-0x0000000001F90000-0x0000000001FCE000-memory.dmp
memory/2232-21-0x0000000000401000-0x0000000000404000-memory.dmp
memory/2232-28-0x0000000001F90000-0x0000000001FCE000-memory.dmp
memory/2232-29-0x00000000045D0000-0x00000000045D1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l6713466.exe
| MD5 | 2bef8c25cdf5d7bc8f17e76423af8637 |
| SHA1 | bab3f4c91612360b11c61ba7cde47da6c20d0071 |
| SHA256 | aba3dada1170f6501dd720eb390cd2ac3c88429a60fa570c5b5303615c9fa599 |
| SHA512 | ff294ffeb4a6a7cd22ceb291faec91e1a176cfe90e5ff9bea95e8ebbd28d143d2f4b9b150d2aef87993f760d7031940a3e16b6da645623f82c77fc85ecf47879 |
memory/3356-35-0x0000000000740000-0x00000000007CC000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\System.dll.log
| MD5 | 916851e072fbabc4796d8916c5131092 |
| SHA1 | d48a602229a690c512d5fdaf4c8d77547a88e7a2 |
| SHA256 | 7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d |
| SHA512 | 07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521 |
memory/3356-42-0x0000000000740000-0x00000000007CC000-memory.dmp
memory/3356-44-0x0000000002310000-0x0000000002316000-memory.dmp
memory/3356-45-0x000000000A040000-0x000000000A658000-memory.dmp
memory/3356-46-0x000000000A660000-0x000000000A76A000-memory.dmp
memory/3356-47-0x0000000006CF0000-0x0000000006D02000-memory.dmp
memory/3356-48-0x0000000006D10000-0x0000000006D4C000-memory.dmp
memory/3356-49-0x000000000A770000-0x000000000A7BC000-memory.dmp
Analysis: behavioral1
Detonation Overview
| Submitted | 2024-05-09 15:04 |
| Reported | 2024-05-09 15:07 |
| Platform | win10v2004-20240508-en |
| Max time kernel | 147s |
| Max time network | 150s |
| Command Line | |
Signatures
Amadey
Detects Healer an antivirus disabler dropper
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7646583.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7646583.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7646583.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7646583.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7646583.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7646583.exe | N/A |
RedLine
RedLine payload
SmokeLoader
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b6580300.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5604764.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6688999.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7646583.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b6580300.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c7436710.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d5368676.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7646583.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\0e13a10fd67a47892e598c6953856fd7786d3e7b1f70c519cae5cfe6b7ce37cb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5604764.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6688999.exe | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c7436710.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c7436710.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c7436710.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7646583.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7646583.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7646583.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\0e13a10fd67a47892e598c6953856fd7786d3e7b1f70c519cae5cfe6b7ce37cb.exe
"C:\Users\Admin\AppData\Local\Temp\0e13a10fd67a47892e598c6953856fd7786d3e7b1f70c519cae5cfe6b7ce37cb.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5604764.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5604764.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6688999.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6688999.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7646583.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7646583.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b6580300.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b6580300.exe
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
"C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe"
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c7436710.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c7436710.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d5368676.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d5368676.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN danke.exe /TR "C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "danke.exe" /P "Admin:N"&&CACLS "danke.exe" /P "Admin:R" /E&&echo Y|CACLS "..\3ec1f323b5" /P "Admin:N"&&CACLS "..\3ec1f323b5" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "danke.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "danke.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\3ec1f323b5" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\3ec1f323b5" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| BE | 88.221.83.227:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 227.83.221.88.in-addr.arpa | udp |
| FI | 77.91.68.3:80 | | tcp |
| FI | 77.91.68.68:19071 | | tcp |
| FI | 77.91.68.68:19071 | | tcp |
| FI | 77.91.68.3:80 | | tcp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| FI | 77.91.68.68:19071 | | tcp |
| US | 52.111.227.11:443 | | tcp |
| FI | 77.91.68.3:80 | | tcp |
| FI | 77.91.68.68:19071 | | tcp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| FI | 77.91.68.3:80 | | tcp |
| FI | 77.91.68.68:19071 | | tcp |
| FI | 77.91.68.3:80 | | tcp |
| FI | 77.91.68.68:19071 | | tcp |
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-05-09 15:04
Reported
2024-05-09 15:07
Platform
win10v2004-20240426-en
Max time kernel
149s
Max time network
152s
Command Line
Signatures
Amadey
Detects Healer an antivirus disabler dropper
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p3786087.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p3786087.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p3786087.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p3786087.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p3786087.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p3786087.exe | N/A |
RedLine
RedLine payload
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r4077298.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6287530.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p3786087.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r4077298.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\t4795198.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p3786087.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\1437361c67b59d113cebaa24a142650e8b8b3172ab6a6714c71515ad86d9fa55.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6287530.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p3786087.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p3786087.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p3786087.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\1437361c67b59d113cebaa24a142650e8b8b3172ab6a6714c71515ad86d9fa55.exe
"C:\Users\Admin\AppData\Local\Temp\1437361c67b59d113cebaa24a142650e8b8b3172ab6a6714c71515ad86d9fa55.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6287530.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6287530.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p3786087.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p3786087.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r4077298.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r4077298.exe
C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe
"C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\t4795198.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\t4795198.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legola.exe /TR "C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legola.exe" /P "Admin:N"&&CACLS "legola.exe" /P "Admin:R" /E&&echo Y|CACLS "..\ebb444342c" /P "Admin:N"&&CACLS "..\ebb444342c" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "legola.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "legola.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\ebb444342c" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\ebb444342c" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe
C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe
C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe
C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe
Network
Files
Analysis: behavioral7
Detonation Overview
Submitted
2024-05-09 15:04
Reported
2024-05-09 15:07
Platform
win10v2004-20240508-en
Max time kernel
148s
Max time network
152s
Command Line
Signatures
Detects Healer an antivirus disabler dropper
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k5169616.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k5169616.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k5169616.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k5169616.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k5169616.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k5169616.exe | N/A |
RedLine
RedLine payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5305162.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1617966.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k5169616.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l6331740.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k5169616.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k5169616.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\30fb90dbd15d7cf28cd8c2c3ac256de3f63d31799b3d6452d6448ff5fc3a88b4.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5305162.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1617966.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k5169616.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k5169616.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k5169616.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\30fb90dbd15d7cf28cd8c2c3ac256de3f63d31799b3d6452d6448ff5fc3a88b4.exe
"C:\Users\Admin\AppData\Local\Temp\30fb90dbd15d7cf28cd8c2c3ac256de3f63d31799b3d6452d6448ff5fc3a88b4.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5305162.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5305162.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1617966.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1617966.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k5169616.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k5169616.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l6331740.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l6331740.exe
Network
Files
Analysis: behavioral8
Detonation Overview
Submitted
2024-05-09 15:04
Reported
2024-05-09 15:07
Platform
win7-20240221-en
Max time kernel
118s
Max time network
123s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\312c299a844cf7520e53edede1e26057b44acb35e70aba017a6e87804cd037a6.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1136 wrote to memory of 2244 | N/A | C:\Users\Admin\AppData\Local\Temp\312c299a844cf7520e53edede1e26057b44acb35e70aba017a6e87804cd037a6.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 1136 wrote to memory of 2244 | N/A | C:\Users\Admin\AppData\Local\Temp\312c299a844cf7520e53edede1e26057b44acb35e70aba017a6e87804cd037a6.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 1136 wrote to memory of 2244 | N/A | C:\Users\Admin\AppData\Local\Temp\312c299a844cf7520e53edede1e26057b44acb35e70aba017a6e87804cd037a6.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 1136 wrote to memory of 2244 | N/A | C:\Users\Admin\AppData\Local\Temp\312c299a844cf7520e53edede1e26057b44acb35e70aba017a6e87804cd037a6.exe | C:\Windows\SysWOW64\WerFault.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\312c299a844cf7520e53edede1e26057b44acb35e70aba017a6e87804cd037a6.exe
"C:\Users\Admin\AppData\Local\Temp\312c299a844cf7520e53edede1e26057b44acb35e70aba017a6e87804cd037a6.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1136 -s 120
Network
Files
Analysis: behavioral19
Detonation Overview
Submitted
2024-05-09 15:04
Reported
2024-05-09 15:07
Platform
win10v2004-20240426-en
Max time kernel
146s
Max time network
146s
Command Line
Signatures
Amadey
Detects Healer an antivirus disabler dropper
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a6119097.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a6119097.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a6119097.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b0183381.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b0183381.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b0183381.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a6119097.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a6119097.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b0183381.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b0183381.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a6119097.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b0183381.exe | N/A |
SmokeLoader
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d8609279.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1202527.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4802210.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8979879.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a6119097.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b0183381.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c8888861.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d8609279.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e7762602.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a6119097.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a6119097.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b0183381.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\adaea581d959a8c0e4a570708711cc0a4112daa9ef8d47d1f5dafe486a1b32c2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1202527.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4802210.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8979879.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c8888861.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e7762602.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e7762602.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e7762602.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a6119097.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a6119097.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b0183381.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b0183381.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a6119097.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b0183381.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\adaea581d959a8c0e4a570708711cc0a4112daa9ef8d47d1f5dafe486a1b32c2.exe
"C:\Users\Admin\AppData\Local\Temp\adaea581d959a8c0e4a570708711cc0a4112daa9ef8d47d1f5dafe486a1b32c2.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1202527.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1202527.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4802210.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4802210.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8979879.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8979879.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a6119097.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a6119097.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b0183381.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b0183381.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c8888861.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c8888861.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1216 -ip 1216
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1216 -s 148
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d8609279.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d8609279.exe
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
"C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e7762602.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e7762602.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN danke.exe /TR "C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "danke.exe" /P "Admin:N"&&CACLS "danke.exe" /P "Admin:R" /E&&echo Y|CACLS "..\3ec1f323b5" /P "Admin:N"&&CACLS "..\3ec1f323b5" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "danke.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "danke.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\3ec1f323b5" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\3ec1f323b5" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| BE | 88.221.83.250:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| BE | 88.221.83.250:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 250.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| FI | 77.91.68.3:80 | tcp | |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| FI | 77.91.68.3:80 | | tcp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| FI | 77.91.68.3:80 | | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| FI | 77.91.68.3:80 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1202527.exe
| MD5 | cb7a2554fb2b765632fe3a9c4ebce6e3 |
| SHA1 | 4972388f68dbee65f5dd1941fac90c4a58cfa146 |
| SHA256 | 17e110f9f9aeee0ca458f4c60e214edbc0b310719cb127349fcb445b653c9d35 |
| SHA512 | 0654e8b74351bf42732a28c64d56df2c4d391403015844e44c2757865129854b0f08c1e72bf4315773666d73cc79ca789660d12699a3584294003b32d30ce266 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4802210.exe
| MD5 | 5ee7b440bfb7ed6e41ac15cd0c59a282 |
| SHA1 | 9a27695dd66c3454b69f075ca852368797ae61b2 |
| SHA256 | d3851c04fcaa8fd9a039fc7874d1451be02d3c088b03fd54ac0edb0fbb794474 |
| SHA512 | a023d0a2320a0bee0e9c8860cd41f75e7b5bc431695fb82ded48ca8780ebde421580b651aecc017078ba81c88e3a0cfc086d801c9721849740a97fdc355e82bb |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8979879.exe
| MD5 | 939da3a8acf63172b86e98df6e7b1d50 |
| SHA1 | 69c3a789f223602dffe3958b8bff0fc75cc53b83 |
| SHA256 | bb864d2c0171c8628a9b51aabef46f56251c95aa489e4784ff9b5a84da64ef12 |
| SHA512 | ee83b5744cda8c81ca8006540a490a485cae93c2bb85277abeb5020af7ce65d0244895d50a9804e4244310c0b16f72f3bed4ff40e0cc951eb0fee164f3ed11bb |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a6119097.exe
| MD5 | 5e788c3d4a9db00e12973ce338bb7c05 |
| SHA1 | 262aa9d58aae2fc67e6935101f92f9268a4205f2 |
| SHA256 | dd946b1e81b024eed237aae13b34e1d7799d6810d6b521b90600449b3706a238 |
| SHA512 | 70aa295e2beeccce5aa3deb34689c8558fe662e967c5f6301746a76e654c2c48fa76275f5802e9a668908d5a8a500633c0b75ccc942f1bb5ff5cd4733b1a1da9 |
memory/2640-28-0x0000000000430000-0x000000000043A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b0183381.exe
| MD5 | 7e93bacbbc33e6652e147e7fe07572a0 |
| SHA1 | 421a7167da01c8da4dc4d5234ca3dd84e319e762 |
| SHA256 | 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38 |
| SHA512 | 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91 |
memory/3512-37-0x0000000000600000-0x000000000060A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c8888861.exe
| MD5 | 2e319413641dae3d798286b018aad963 |
| SHA1 | ab76ad4f1f306f4ab491f685a3fa8482ba623220 |
| SHA256 | 06ef38736742a0be4b4fed0d386a7c6116f313dd4f3178ec9c6d45f02acc6839 |
| SHA512 | b478cf9a20258349df8dd27be4186744d24f18ebf0aa66838ec3a359080e37d7b6f51f6cd730cf2dd26ec35103c566a4b88768b32f2f1b6bc550fd5c10720242 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d8609279.exe
| MD5 | 8c6b79ec436d7cf6950a804c1ec7d3e9 |
| SHA1 | 4a589d5605d8ef785fdc78b0bf64e769e3a21ad6 |
| SHA256 | 4e1377f9874f333dcb0b1b758e3131949e667fc39aadf3091e4e3b7cdbaeef1d |
| SHA512 | 06f2de433876963bb7bbddbe93cab0b7dd22164d1c10726294445944dcf5fa4a0fb450fc683c32565177a81a6103f6a5f11d291958bc7fcff7fdb9cf41a001ce |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e7762602.exe
| MD5 | 35a15fad3767597b01a20d75c3c6889a |
| SHA1 | eef19e2757667578f73c4b5720cf94c2ab6e60c8 |
| SHA256 | 90ccd84f28e4dd03fb70b8739c4636acbcf8a030404b5a24264afd1acd09ecbc |
| SHA512 | c1ea2659e28130f00869391a33dfdc2a763a710a56de2acaa6c71caa9c1eb5809e7ca1dfa1620ac5c3174052d3e277b832853a137a4663483855295fdab23577 |
memory/4408-58-0x0000000000400000-0x0000000000409000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2024-05-09 15:04
Reported
2024-05-09 15:07
Platform
win10v2004-20240508-en
Max time kernel
142s
Max time network
155s
Command Line
Signatures
Amadey
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7524451.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7524451.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7524451.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7524451.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7524451.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7524451.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l8522121.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2421310.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7524451.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l8522121.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n8405677.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7524451.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\23bea5b85d6bafc9a62fa8bb8337d9c39b8f4f7d139c32113e8eaa6099afc933.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2421310.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7524451.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7524451.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7524451.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\23bea5b85d6bafc9a62fa8bb8337d9c39b8f4f7d139c32113e8eaa6099afc933.exe
"C:\Users\Admin\AppData\Local\Temp\23bea5b85d6bafc9a62fa8bb8337d9c39b8f4f7d139c32113e8eaa6099afc933.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2421310.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2421310.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7524451.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7524451.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l8522121.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l8522121.exe
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
"C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n8405677.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n8405677.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN danke.exe /TR "C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "danke.exe" /P "Admin:N"&&CACLS "danke.exe" /P "Admin:R" /E&&echo Y|CACLS "..\3ec1f323b5" /P "Admin:N"&&CACLS "..\3ec1f323b5" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "danke.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "danke.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\3ec1f323b5" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\3ec1f323b5" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| FI | 77.91.68.3:80 | | tcp |
| FI | 77.91.68.68:19071 | | tcp |
| FI | 77.91.68.68:19071 | | tcp |
| FI | 77.91.68.3:80 | | tcp |
| US | 8.8.8.8:53 | 247.211.222.173.in-addr.arpa | udp |
| FI | 77.91.68.68:19071 | | tcp |
| FI | 77.91.68.3:80 | | tcp |
| FI | 77.91.68.68:19071 | | tcp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| FI | 77.91.68.3:80 | | tcp |
| FI | 77.91.68.68:19071 | | tcp |
| FI | 77.91.68.3:80 | | tcp |
| FI | 77.91.68.68:19071 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2421310.exe
| MD5 | 669440f73bd2fe5782d92a52a5d35b21 |
| SHA1 | ced1fd430750e2132225a09c8eacf9e495d26ca0 |
| SHA256 | 9bc4ae44ed225a650e22c4b06d6b4e756780cea14dc89fb5524594fcf2a3c2f2 |
| SHA512 | 7ccd587724c67e8236370148f3a59a09094a2b72e1eeb992e6d0dce0c7d4396c3cf46fcfcc4632439155cc15617192ce24b382882a62dfe40a86a820b82f8760 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7524451.exe
| MD5 | 7e93bacbbc33e6652e147e7fe07572a0 |
| SHA1 | 421a7167da01c8da4dc4d5234ca3dd84e319e762 |
| SHA256 | 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38 |
| SHA512 | 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91 |
memory/4244-15-0x00000000004A0000-0x00000000004AA000-memory.dmp
memory/4244-14-0x00007FFAE55B3000-0x00007FFAE55B5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l8522121.exe
| MD5 | 8c6b79ec436d7cf6950a804c1ec7d3e9 |
| SHA1 | 4a589d5605d8ef785fdc78b0bf64e769e3a21ad6 |
| SHA256 | 4e1377f9874f333dcb0b1b758e3131949e667fc39aadf3091e4e3b7cdbaeef1d |
| SHA512 | 06f2de433876963bb7bbddbe93cab0b7dd22164d1c10726294445944dcf5fa4a0fb450fc683c32565177a81a6103f6a5f11d291958bc7fcff7fdb9cf41a001ce |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n8405677.exe
| MD5 | 325999c1047059aa928a32cfeefc18e5 |
| SHA1 | 5c5892573805f97a07604de0aec0dcb054303d43 |
| SHA256 | 6c25a646b2e866b6a967a43dd55ec00eaa09c965689d4ec3909a9e0b5253e045 |
| SHA512 | e0294b1560d8455f548c499bd7447f618b3ae815365af3fc315fd99b2169f0ca3817e1c394f3a08b9b662bc6249b2178ed7a16430490015419835a12418e3720 |
Analysis: behavioral9
Detonation Overview
Submitted
2024-05-09 15:04
Reported
2024-05-09 15:07
Platform
win10v2004-20240508-en
Max time kernel
92s
Max time network
95s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4456 set thread context of 2216 | N/A | C:\Users\Admin\AppData\Local\Temp\312c299a844cf7520e53edede1e26057b44acb35e70aba017a6e87804cd037a6.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\312c299a844cf7520e53edede1e26057b44acb35e70aba017a6e87804cd037a6.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\312c299a844cf7520e53edede1e26057b44acb35e70aba017a6e87804cd037a6.exe
"C:\Users\Admin\AppData\Local\Temp\312c299a844cf7520e53edede1e26057b44acb35e70aba017a6e87804cd037a6.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4456 -ip 4456
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4456 -s 356
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | omnomnom.top | udp |
| DE | 195.201.252.28:443 | omnomnom.top | tcp |
| BE | 88.221.83.242:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 24.19.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.252.201.195.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 242.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
Files