Malware Analysis Report

2024-10-16 03:52

Sample ID 240509-srkrfsbe99
Target red.zip
SHA256 2a57fa0e264c30123d79d5a18397ff8ecfce4d9f58a5938c968ad3a9dd12e935
Tags
amadey healer redline lande dropper evasion infostealer persistence trojan lamp smokeloader nasa backdoor krast lumma stealer papik roma masha darm crazy 5195552529 discovery spyware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral9

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral11

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral12

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral14

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral20

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral10

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral15

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral17

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral22

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral16

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral18

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral19

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral13

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral21

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2a57fa0e264c30123d79d5a18397ff8ecfce4d9f58a5938c968ad3a9dd12e935

Threat Level: Known bad

The file red.zip was found to be: Known bad.

Malicious Activity Summary

amadey healer redline lande dropper evasion infostealer persistence trojan lamp smokeloader nasa backdoor krast lumma stealer papik roma masha darm crazy 5195552529 discovery spyware

Detects Healer an antivirus disabler dropper

RedLine payload

Modifies Windows Defender Real-time Protection settings

SmokeLoader

Amadey

RedLine

Lumma Stealer

Healer

Windows security modification

Checks computer location settings

Executes dropped EXE

Reads user/profile data of web browsers

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

Legitimate hosting services abused for malware hosting/C2

Adds Run key to start application

Suspicious use of SetThreadContext

Launches sc.exe

Enumerates physical storage devices

Program crash

Unsigned PE

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Checks SCSI registry key(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-09 15:21

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-05-09 15:21

Reported

2024-05-09 15:24

Platform

win10v2004-20240508-en

Max time kernel

148s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4f86d48b3d0bdaa6f4d6e224cb3d78d45d0e5ff02992de35aad4053a747106df.exe"

Signatures

Amadey

trojan amadey

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h6601025.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h6601025.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h6601025.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h6601025.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h6601025.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h6601025.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g4486378.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h6601025.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\4f86d48b3d0bdaa6f4d6e224cb3d78d45d0e5ff02992de35aad4053a747106df.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8986811.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h6601025.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h6601025.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h6601025.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3508 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\4f86d48b3d0bdaa6f4d6e224cb3d78d45d0e5ff02992de35aad4053a747106df.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8986811.exe
PID 3508 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\4f86d48b3d0bdaa6f4d6e224cb3d78d45d0e5ff02992de35aad4053a747106df.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8986811.exe
PID 3508 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\4f86d48b3d0bdaa6f4d6e224cb3d78d45d0e5ff02992de35aad4053a747106df.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8986811.exe
PID 2640 wrote to memory of 3668 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8986811.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g4486378.exe
PID 2640 wrote to memory of 3668 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8986811.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g4486378.exe
PID 2640 wrote to memory of 3668 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8986811.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g4486378.exe
PID 3668 wrote to memory of 1480 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g4486378.exe C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
PID 3668 wrote to memory of 1480 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g4486378.exe C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
PID 3668 wrote to memory of 1480 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g4486378.exe C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
PID 2640 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8986811.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h6601025.exe
PID 2640 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8986811.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h6601025.exe
PID 1480 wrote to memory of 944 N/A C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe C:\Windows\SysWOW64\schtasks.exe
PID 1480 wrote to memory of 944 N/A C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe C:\Windows\SysWOW64\schtasks.exe
PID 1480 wrote to memory of 944 N/A C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe C:\Windows\SysWOW64\schtasks.exe
PID 1480 wrote to memory of 4168 N/A C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe C:\Windows\SysWOW64\cmd.exe
PID 1480 wrote to memory of 4168 N/A C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe C:\Windows\SysWOW64\cmd.exe
PID 1480 wrote to memory of 4168 N/A C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe C:\Windows\SysWOW64\cmd.exe
PID 4168 wrote to memory of 4072 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4168 wrote to memory of 4072 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4168 wrote to memory of 4072 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4168 wrote to memory of 4860 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4168 wrote to memory of 4860 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4168 wrote to memory of 4860 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4168 wrote to memory of 3568 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4168 wrote to memory of 3568 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4168 wrote to memory of 3568 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4168 wrote to memory of 2788 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4168 wrote to memory of 2788 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4168 wrote to memory of 2788 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4168 wrote to memory of 4160 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4168 wrote to memory of 4160 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4168 wrote to memory of 4160 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4168 wrote to memory of 4560 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4168 wrote to memory of 4560 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4168 wrote to memory of 4560 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3508 wrote to memory of 1508 N/A C:\Users\Admin\AppData\Local\Temp\4f86d48b3d0bdaa6f4d6e224cb3d78d45d0e5ff02992de35aad4053a747106df.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j9860776.exe
PID 3508 wrote to memory of 1508 N/A C:\Users\Admin\AppData\Local\Temp\4f86d48b3d0bdaa6f4d6e224cb3d78d45d0e5ff02992de35aad4053a747106df.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j9860776.exe
PID 3508 wrote to memory of 1508 N/A C:\Users\Admin\AppData\Local\Temp\4f86d48b3d0bdaa6f4d6e224cb3d78d45d0e5ff02992de35aad4053a747106df.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j9860776.exe

Processes

C:\Users\Admin\AppData\Local\Temp\4f86d48b3d0bdaa6f4d6e224cb3d78d45d0e5ff02992de35aad4053a747106df.exe

"C:\Users\Admin\AppData\Local\Temp\4f86d48b3d0bdaa6f4d6e224cb3d78d45d0e5ff02992de35aad4053a747106df.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8986811.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8986811.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g4486378.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g4486378.exe

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

"C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe"

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h6601025.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h6601025.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN pdates.exe /TR "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "pdates.exe" /P "Admin:N"&&CACLS "pdates.exe" /P "Admin:R" /E&&echo Y|CACLS "..\925e7e99c5" /P "Admin:N"&&CACLS "..\925e7e99c5" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "pdates.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "pdates.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\925e7e99c5" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\925e7e99c5" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j9860776.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j9860776.exe

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
BE 2.17.196.106:443 www.bing.com tcp
FI 77.91.68.61:80 tcp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 136.136.73.23.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
BE 2.17.196.106:443 www.bing.com tcp
US 8.8.8.8:53 106.196.17.2.in-addr.arpa udp
FI 77.91.124.84:19071 tcp
FI 77.91.124.84:19071 tcp
FI 77.91.68.61:80 tcp
FI 77.91.124.84:19071 tcp
FI 77.91.68.61:80 tcp
FI 77.91.124.84:19071 tcp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
FI 77.91.124.84:19071 tcp
FI 77.91.124.84:19071 tcp
US 8.8.8.8:53 226.162.46.104.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8986811.exe

MD5 c12c6466ebe6c8c1c4bc9156d32e9637
SHA1 2f360c73257f69405f8befb746d6b9b3f3c95a2d
SHA256 cccd00c820897031823bb8b0f304addf0785f550d816f7b481aa255b675bb060
SHA512 cb87cca8160c2bbbae2b698cf4274f052ad92ba07f0e85e12484b35f6bc38168a98b025a61a22faae18d2d62237f241b2d8b375a6ff6d09d5691659c36dbd41b

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g4486378.exe

MD5 aea234064483f651010cf9d981f59fea
SHA1 002ad73a666d2d92d0c6d6b617e61c6fa0c5f3a6
SHA256 58b02c8b4bc2bf7f5f1e8e45d7c206956f188ae56b648922ca75987b999db503
SHA512 eae415ef55aeb1b4548c2422a72e618fce17c2c1322918d33dc6b9202a01c743a5684ba28e5d83b6cdb2b703bc12569e6bb0e87ef2decb4e8a18592e1380a434

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h6601025.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

memory/1036-27-0x0000000000ED0000-0x0000000000EDA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j9860776.exe

MD5 27a8d5756753244460c22a644d9c41e6
SHA1 95fba907a63c8f7896d917251dc83522bb1d096f
SHA256 9453fe40a1441d4dac93222212aebecfc608fba5662352652fda549cb3c908aa
SHA512 96e60fea29d223b2f9e8f35b3a123333e8fe829eca8c6981e9e392fbc1c2d9ddacc43842977b415ee0f25c989f0eaf2c48ca9d40f27f052c38c3b0a16d3eac02

memory/1508-32-0x0000000000990000-0x00000000009C0000-memory.dmp

memory/1508-33-0x0000000005170000-0x0000000005176000-memory.dmp

memory/1508-34-0x000000000ADD0000-0x000000000B3E8000-memory.dmp

memory/1508-35-0x000000000A940000-0x000000000AA4A000-memory.dmp

memory/1508-36-0x000000000A880000-0x000000000A892000-memory.dmp

memory/1508-37-0x000000000A8E0000-0x000000000A91C000-memory.dmp

memory/1508-38-0x0000000004CA0000-0x0000000004CEC000-memory.dmp

Analysis: behavioral9

Detonation Overview

Submitted

2024-05-09 15:21

Reported

2024-05-09 15:24

Platform

win10v2004-20240426-en

Max time kernel

140s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6bd55afbdee9bee40494e1ad8d221009af60fed046a9028662aea7d0d54f2d65.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b0146032.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b0146032.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b0146032.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5988030.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5988030.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5988030.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5988030.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b0146032.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b0146032.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5988030.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5988030.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b0146032.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5988030.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5988030.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b0146032.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\6bd55afbdee9bee40494e1ad8d221009af60fed046a9028662aea7d0d54f2d65.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3261112.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8396177.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7660413.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9350016.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5988030.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b0146032.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1408 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\6bd55afbdee9bee40494e1ad8d221009af60fed046a9028662aea7d0d54f2d65.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3261112.exe
PID 1408 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\6bd55afbdee9bee40494e1ad8d221009af60fed046a9028662aea7d0d54f2d65.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3261112.exe
PID 1408 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\6bd55afbdee9bee40494e1ad8d221009af60fed046a9028662aea7d0d54f2d65.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3261112.exe
PID 2668 wrote to memory of 4712 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3261112.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8396177.exe
PID 2668 wrote to memory of 4712 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3261112.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8396177.exe
PID 2668 wrote to memory of 4712 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3261112.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8396177.exe
PID 4712 wrote to memory of 1868 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8396177.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7660413.exe
PID 4712 wrote to memory of 1868 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8396177.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7660413.exe
PID 4712 wrote to memory of 1868 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8396177.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7660413.exe
PID 1868 wrote to memory of 4948 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7660413.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9350016.exe
PID 1868 wrote to memory of 4948 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7660413.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9350016.exe
PID 1868 wrote to memory of 4948 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7660413.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9350016.exe
PID 4948 wrote to memory of 5116 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9350016.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5988030.exe
PID 4948 wrote to memory of 5116 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9350016.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5988030.exe
PID 4948 wrote to memory of 5116 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9350016.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5988030.exe
PID 4948 wrote to memory of 5656 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9350016.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b0146032.exe
PID 4948 wrote to memory of 5656 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9350016.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b0146032.exe
PID 1868 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7660413.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c8756436.exe
PID 1868 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7660413.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c8756436.exe
PID 1868 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7660413.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c8756436.exe

Processes

C:\Users\Admin\AppData\Local\Temp\6bd55afbdee9bee40494e1ad8d221009af60fed046a9028662aea7d0d54f2d65.exe

"C:\Users\Admin\AppData\Local\Temp\6bd55afbdee9bee40494e1ad8d221009af60fed046a9028662aea7d0d54f2d65.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3261112.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3261112.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8396177.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8396177.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7660413.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7660413.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9350016.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9350016.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5988030.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5988030.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b0146032.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b0146032.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c8756436.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c8756436.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
BE 2.17.196.74:443 www.bing.com tcp
US 8.8.8.8:53 136.136.73.23.in-addr.arpa udp
BE 2.17.196.74:443 www.bing.com tcp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 74.196.17.2.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
FI 77.91.68.56:19071 tcp
FI 77.91.68.56:19071 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
FI 77.91.68.56:19071 tcp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
FI 77.91.68.56:19071 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
FI 77.91.68.56:19071 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3261112.exe

MD5 5b0a1d75eb5b073c0f5546a26c49d51e
SHA1 89d4817ca552bfe2ecdef9e823c6699c7b880afe
SHA256 09a0554fa3d047c4f2f1494b3e012c638c2bdb4cbe185aa65f27d32cba3c1ea5
SHA512 824fe30d813a8df2398454ac42ad8dd85c1deb60a23b02891e7e554d6a92691a8111b78314ed5578455a56ac4eb0948a58e423b2a5f334fd28f76f49aeb8dda8

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8396177.exe

MD5 a8dc7323f27cb7e7ba583196ffab46c0
SHA1 1972d86b0a273a82b5c275ebea388cb9d17488b9
SHA256 fe144693974e5771dd392bfdc8fc666417cb8918a6547679b462223b317dc97e
SHA512 37d37d86e056faa6fc31c3907c8304f794eede48811944707a92f825d9430831a67d5f5f0cadc69b96d9d785cb2867a6999187264ac0eafa13e98516335bc12e

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7660413.exe

MD5 c7da44387b6e483fc8c7283c754feaeb
SHA1 62338659663da5f57fb9bea10a8a05bce0b662c7
SHA256 30437c11e0762d86ebb451cd52b19b722db914d0317986dc378b8c9cf4207181
SHA512 3b6fee44cac10e5b758e1b69374c501b3d405525ab09798ea60e82a948e134f40a23a762bbe1c52c7abf29a3cbcb8bab987ec3fe8dcead6ae043d36ccc46d7ab

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9350016.exe

MD5 32183c923a2c040ff6fa9dce751c8700
SHA1 b24b19b55080485ee969dc7af137f953b2a4b65a
SHA256 51bb7d261804bbd97cd5b8accdb599e73f5b0ee1f843139f8cf6efbf309729e9
SHA512 96c535f6b5e198df2355ac1569b21d960a82e95357ed29dca9c7ba5165fb8ca7cf6fc36ffe1772a6a1177c95b4d9ba70aa80bb1ed125339b3a73cd7105d040eb

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5988030.exe

MD5 0f0f50dfecaf72d4e3ccedb1f94725e0
SHA1 872a0dc944df9796fd5971ef38343657dabc0847
SHA256 4552de282a6b63d84161f50de829ef817a211330a3e4b1f011eba44c0b36cad5
SHA512 2a631692d38a09177d03c518711152a40d7ab2e92ebc81e9f98d228832f7e48f5c3f04a42d14393573bc0a30e838b2943794ddbd046089a1df75d2a86aeb53c8

memory/5116-35-0x0000000000580000-0x00000000005BE000-memory.dmp

memory/5116-42-0x0000000002740000-0x0000000002741000-memory.dmp

memory/5116-41-0x0000000000580000-0x00000000005BE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b0146032.exe

MD5 225f76a6934bb90e542b61588977a84f
SHA1 bbb5cc365df0deea93ff6ff2cbafa3f2c7dc6eb9
SHA256 c98f0d1c4a7d88abce48355f9b9b10c40247af2b8bf5df2cd5754ebe19dfe2c3
SHA512 ca1057fac93b52b2c67be53defa90c60fde43c6efa09743820aac16a53d5aa0c13dbf8fabf20f994b8b60a1b258802e50ce24ba2c812b3156122d48f1d1dd081

memory/5656-48-0x0000000000BE0000-0x0000000000BEA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c8756436.exe

MD5 dcbd259b2016baa7fccc09cdfe371f3c
SHA1 3cc03134e9e76764bcfb2a7a3dcbabd11df1cdf7
SHA256 a54abe0f1d95e89689d38c546be49b4ee22308732f5d2afde6e1358b39872f36
SHA512 a03ade1fadb841b74696b36821e6397d74c0312f1eb9284afc136b5d9900c42a7e22c81fcd8f8a86e389c3308071210ce0678b3c4a1adf02267d11ad2d62b185

memory/2980-53-0x0000000000620000-0x00000000006AC000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\System.dll.log

MD5 916851e072fbabc4796d8916c5131092
SHA1 d48a602229a690c512d5fdaf4c8d77547a88e7a2
SHA256 7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d
SHA512 07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

memory/2980-60-0x0000000000620000-0x00000000006AC000-memory.dmp

memory/2980-62-0x00000000043C0000-0x00000000043C6000-memory.dmp

memory/2980-63-0x0000000004B20000-0x0000000005138000-memory.dmp

memory/2980-64-0x00000000051D0000-0x00000000052DA000-memory.dmp

memory/2980-65-0x0000000005300000-0x0000000005312000-memory.dmp

memory/2980-66-0x0000000005320000-0x000000000535C000-memory.dmp

memory/2980-67-0x0000000005390000-0x00000000053DC000-memory.dmp

Analysis: behavioral11

Detonation Overview

Submitted

2024-05-09 15:21

Reported

2024-05-09 15:24

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\75ccbf328f1e4ec3537ebd63e6afcf1b951f8765d8b1c734b87a7073333332af.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\75ccbf328f1e4ec3537ebd63e6afcf1b951f8765d8b1c734b87a7073333332af.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6866899.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4779072.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2188 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\75ccbf328f1e4ec3537ebd63e6afcf1b951f8765d8b1c734b87a7073333332af.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6866899.exe
PID 2188 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\75ccbf328f1e4ec3537ebd63e6afcf1b951f8765d8b1c734b87a7073333332af.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6866899.exe
PID 2188 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\75ccbf328f1e4ec3537ebd63e6afcf1b951f8765d8b1c734b87a7073333332af.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6866899.exe
PID 2868 wrote to memory of 4500 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6866899.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4779072.exe
PID 2868 wrote to memory of 4500 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6866899.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4779072.exe
PID 2868 wrote to memory of 4500 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6866899.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4779072.exe
PID 4500 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4779072.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g8365769.exe
PID 4500 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4779072.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g8365769.exe
PID 4500 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4779072.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g8365769.exe

Processes

C:\Users\Admin\AppData\Local\Temp\75ccbf328f1e4ec3537ebd63e6afcf1b951f8765d8b1c734b87a7073333332af.exe

"C:\Users\Admin\AppData\Local\Temp\75ccbf328f1e4ec3537ebd63e6afcf1b951f8765d8b1c734b87a7073333332af.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6866899.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6866899.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4779072.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4779072.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g8365769.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g8365769.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 45.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
FI 77.91.68.56:19071 tcp
BE 2.17.196.177:443 www.bing.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
BE 2.17.196.177:443 www.bing.com tcp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 177.196.17.2.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
FI 77.91.68.56:19071 tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 31.121.18.2.in-addr.arpa udp
FI 77.91.68.56:19071 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 52.111.227.11:443 tcp
FI 77.91.68.56:19071 tcp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
FI 77.91.68.56:19071 tcp
FI 77.91.68.56:19071 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6866899.exe

MD5 0d74ab24e242b7cacf54e7df4ff3597e
SHA1 9f5ecfb7094dc3d1aabd10873a30cfb0001e4005
SHA256 9f6925744a1b8a4cd53b1ebed74368cf83102d0fac9558a5f0fbd18ff6b9bdb8
SHA512 fe371b5bd82fc59e5d4352bd79a6384591468cc3a019de11bdd970baacd9774d7d5d2611c2ab20a0b20fdc91ee438fb72edc58fe687016d4bab84ccbbf0e7d33

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4779072.exe

MD5 e91ac55b71e6d56bddac7d4e45064b1b
SHA1 abd7dcf468214d6da8ddde9e7e651c05da392122
SHA256 b0729c509d86fe1225f5e94aaf9e294af26b08bddc8e9540fbfff3d540a66dca
SHA512 88c64079dff803bdaf845645c20b42af5c24bb99499a737e9171e1ef8a14b01fa0e9aefda16e1269cc9e184816826b54f40e267f1f71956492fd244a5facf49f

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g8365769.exe

MD5 b7783cdc0396cd24a59e17372a37fc61
SHA1 804dee18f4a5c9c5c573e5e37701953eac30637c
SHA256 a9db81ad6c398811946bb2166ae1a87e4404a03debe5a97b75c080a23d712f4f
SHA512 ed445f8f69438af0827006f252354da7b485c31a99abe670c155a7c2a625d6e6cf34d1cfecf444f94788673a4cae33645c47da27a22698f1fefddc7503345f73

memory/4776-21-0x00000000005A0000-0x000000000062C000-memory.dmp

memory/4776-27-0x0000000000401000-0x0000000000404000-memory.dmp

memory/4776-29-0x0000000006B30000-0x0000000006B31000-memory.dmp

memory/4776-28-0x00000000005A0000-0x000000000062C000-memory.dmp

memory/4776-30-0x00000000024D0000-0x00000000024D6000-memory.dmp

memory/4776-31-0x00000000049F0000-0x0000000005008000-memory.dmp

memory/4776-32-0x00000000050A0000-0x00000000051AA000-memory.dmp

memory/4776-33-0x00000000051D0000-0x00000000051E2000-memory.dmp

memory/4776-34-0x00000000051F0000-0x000000000522C000-memory.dmp

memory/4776-35-0x0000000005260000-0x00000000052AC000-memory.dmp

Analysis: behavioral12

Detonation Overview

Submitted

2024-05-09 15:21

Reported

2024-05-09 15:24

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\798aee8abbe13acdcba7ded2507144abfb3a7bdb36dfad1f88ebd752af5e0c5b.exe"

Signatures

Amadey

trojan amadey

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h6451227.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h6451227.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h6451227.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h6451227.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h6451227.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h6451227.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g6866951.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h6451227.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\798aee8abbe13acdcba7ded2507144abfb3a7bdb36dfad1f88ebd752af5e0c5b.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5202844.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h6451227.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h6451227.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h6451227.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4328 wrote to memory of 1100 N/A C:\Users\Admin\AppData\Local\Temp\798aee8abbe13acdcba7ded2507144abfb3a7bdb36dfad1f88ebd752af5e0c5b.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5202844.exe
PID 4328 wrote to memory of 1100 N/A C:\Users\Admin\AppData\Local\Temp\798aee8abbe13acdcba7ded2507144abfb3a7bdb36dfad1f88ebd752af5e0c5b.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5202844.exe
PID 4328 wrote to memory of 1100 N/A C:\Users\Admin\AppData\Local\Temp\798aee8abbe13acdcba7ded2507144abfb3a7bdb36dfad1f88ebd752af5e0c5b.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5202844.exe
PID 1100 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5202844.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g6866951.exe
PID 1100 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5202844.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g6866951.exe
PID 1100 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5202844.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g6866951.exe
PID 2584 wrote to memory of 3176 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g6866951.exe C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
PID 2584 wrote to memory of 3176 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g6866951.exe C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
PID 2584 wrote to memory of 3176 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g6866951.exe C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
PID 1100 wrote to memory of 3888 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5202844.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h6451227.exe
PID 1100 wrote to memory of 3888 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5202844.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h6451227.exe
PID 3176 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe C:\Windows\SysWOW64\schtasks.exe
PID 3176 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe C:\Windows\SysWOW64\schtasks.exe
PID 3176 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe C:\Windows\SysWOW64\schtasks.exe
PID 3176 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe C:\Windows\SysWOW64\cmd.exe
PID 3176 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe C:\Windows\SysWOW64\cmd.exe
PID 3176 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe C:\Windows\SysWOW64\cmd.exe
PID 2220 wrote to memory of 1944 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2220 wrote to memory of 1944 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2220 wrote to memory of 1944 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2220 wrote to memory of 1696 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2220 wrote to memory of 1696 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2220 wrote to memory of 1696 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2220 wrote to memory of 1148 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2220 wrote to memory of 1148 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2220 wrote to memory of 1148 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2220 wrote to memory of 2840 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2220 wrote to memory of 2840 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2220 wrote to memory of 2840 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2220 wrote to memory of 3248 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2220 wrote to memory of 3248 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2220 wrote to memory of 3248 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2220 wrote to memory of 1224 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2220 wrote to memory of 1224 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2220 wrote to memory of 1224 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4328 wrote to memory of 4188 N/A C:\Users\Admin\AppData\Local\Temp\798aee8abbe13acdcba7ded2507144abfb3a7bdb36dfad1f88ebd752af5e0c5b.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j0475644.exe
PID 4328 wrote to memory of 4188 N/A C:\Users\Admin\AppData\Local\Temp\798aee8abbe13acdcba7ded2507144abfb3a7bdb36dfad1f88ebd752af5e0c5b.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j0475644.exe
PID 4328 wrote to memory of 4188 N/A C:\Users\Admin\AppData\Local\Temp\798aee8abbe13acdcba7ded2507144abfb3a7bdb36dfad1f88ebd752af5e0c5b.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j0475644.exe

Processes

C:\Users\Admin\AppData\Local\Temp\798aee8abbe13acdcba7ded2507144abfb3a7bdb36dfad1f88ebd752af5e0c5b.exe

"C:\Users\Admin\AppData\Local\Temp\798aee8abbe13acdcba7ded2507144abfb3a7bdb36dfad1f88ebd752af5e0c5b.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5202844.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5202844.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g6866951.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g6866951.exe

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

"C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe"

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h6451227.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h6451227.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN pdates.exe /TR "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "pdates.exe" /P "Admin:N"&&CACLS "pdates.exe" /P "Admin:R" /E&&echo Y|CACLS "..\925e7e99c5" /P "Admin:N"&&CACLS "..\925e7e99c5" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "pdates.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "pdates.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\925e7e99c5" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\925e7e99c5" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j0475644.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j0475644.exe

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

Network

Country Destination Domain Proto
FI 77.91.68.61:80 tcp
FI 77.91.124.84:19071 tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
FI 77.91.124.84:19071 tcp
FI 77.91.68.61:80 tcp
FI 77.91.124.84:19071 tcp
FI 77.91.68.61:80 tcp
FI 77.91.124.84:19071 tcp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
FI 77.91.124.84:19071 tcp
FI 77.91.124.84:19071 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 28.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5202844.exe

MD5 ef72eac94a76f02fa426d2e47a1e6d46
SHA1 82b0a3ff90826638595691c684fcb3c19c275b10
SHA256 d50c2b597d884dcd8ef724ea9dd6a5ba558c90718918836749ebc0b2d1b4c6cd
SHA512 0736c2c4037be0d49e939cf3554c3118637c6c0cfab1c71cf7399a5ea90d97eece5bf788d4f50ef8fdda40c070c0215df151da8b7e28a4f12120abbf8b9f0e83

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g6866951.exe

MD5 aea234064483f651010cf9d981f59fea
SHA1 002ad73a666d2d92d0c6d6b617e61c6fa0c5f3a6
SHA256 58b02c8b4bc2bf7f5f1e8e45d7c206956f188ae56b648922ca75987b999db503
SHA512 eae415ef55aeb1b4548c2422a72e618fce17c2c1322918d33dc6b9202a01c743a5684ba28e5d83b6cdb2b703bc12569e6bb0e87ef2decb4e8a18592e1380a434

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h6451227.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

memory/3888-27-0x0000000000090000-0x000000000009A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j0475644.exe

MD5 d8bd64f9adcb3b513c273ee69e33f5d1
SHA1 b11ae135f738a8a60f658934e0c8a9bdbd2735e4
SHA256 42362aad976846c09d7c94609ae8bd7ae11debb65de6079224d0bb683af1b1d9
SHA512 9c4b69a7ef3e29da3b596f6ed919bf5ccdd8a67613eacb24405eaa59047e2d59e4c2ae3554f448afce484a4f091a59b6112122afe76d85886176d6e7e0d2272f

memory/4188-32-0x0000000000E70000-0x0000000000EA0000-memory.dmp

memory/4188-33-0x0000000003120000-0x0000000003126000-memory.dmp

memory/4188-34-0x000000000B300000-0x000000000B918000-memory.dmp

memory/4188-35-0x000000000AE20000-0x000000000AF2A000-memory.dmp

memory/4188-36-0x000000000AD60000-0x000000000AD72000-memory.dmp

memory/4188-37-0x000000000ADC0000-0x000000000ADFC000-memory.dmp

memory/4188-38-0x0000000005170000-0x00000000051BC000-memory.dmp

Analysis: behavioral14

Detonation Overview

Submitted

2024-05-09 15:21

Reported

2024-05-09 15:24

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7fe3c5296017a9495bcbb4b7a050afbb8dc455250cb5390bf962b0738814d69b.exe"

Signatures

Amadey

trojan amadey

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4711850.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4711850.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4711850.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4711850.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4711850.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4711850.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l7793400.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4711850.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\7fe3c5296017a9495bcbb4b7a050afbb8dc455250cb5390bf962b0738814d69b.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7700055.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4711850.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4711850.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4711850.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2432 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\7fe3c5296017a9495bcbb4b7a050afbb8dc455250cb5390bf962b0738814d69b.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7700055.exe
PID 2432 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\7fe3c5296017a9495bcbb4b7a050afbb8dc455250cb5390bf962b0738814d69b.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7700055.exe
PID 2432 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\7fe3c5296017a9495bcbb4b7a050afbb8dc455250cb5390bf962b0738814d69b.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7700055.exe
PID 2952 wrote to memory of 456 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7700055.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4711850.exe
PID 2952 wrote to memory of 456 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7700055.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4711850.exe
PID 2952 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7700055.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l7793400.exe
PID 2952 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7700055.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l7793400.exe
PID 2952 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7700055.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l7793400.exe
PID 2844 wrote to memory of 4396 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l7793400.exe C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
PID 2844 wrote to memory of 4396 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l7793400.exe C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
PID 2844 wrote to memory of 4396 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l7793400.exe C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
PID 2432 wrote to memory of 3140 N/A C:\Users\Admin\AppData\Local\Temp\7fe3c5296017a9495bcbb4b7a050afbb8dc455250cb5390bf962b0738814d69b.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n8598838.exe
PID 2432 wrote to memory of 3140 N/A C:\Users\Admin\AppData\Local\Temp\7fe3c5296017a9495bcbb4b7a050afbb8dc455250cb5390bf962b0738814d69b.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n8598838.exe
PID 2432 wrote to memory of 3140 N/A C:\Users\Admin\AppData\Local\Temp\7fe3c5296017a9495bcbb4b7a050afbb8dc455250cb5390bf962b0738814d69b.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n8598838.exe
PID 4396 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe C:\Windows\SysWOW64\schtasks.exe
PID 4396 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe C:\Windows\SysWOW64\schtasks.exe
PID 4396 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe C:\Windows\SysWOW64\schtasks.exe
PID 4396 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe C:\Windows\SysWOW64\cmd.exe
PID 4396 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe C:\Windows\SysWOW64\cmd.exe
PID 4396 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe C:\Windows\SysWOW64\cmd.exe
PID 2264 wrote to memory of 2024 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2264 wrote to memory of 2024 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2264 wrote to memory of 2024 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2264 wrote to memory of 1576 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2264 wrote to memory of 1576 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2264 wrote to memory of 1576 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2264 wrote to memory of 2128 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2264 wrote to memory of 2128 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2264 wrote to memory of 2128 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2264 wrote to memory of 3952 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2264 wrote to memory of 3952 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2264 wrote to memory of 3952 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2264 wrote to memory of 640 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2264 wrote to memory of 640 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2264 wrote to memory of 640 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2264 wrote to memory of 4844 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2264 wrote to memory of 4844 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2264 wrote to memory of 4844 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe

Processes

C:\Users\Admin\AppData\Local\Temp\7fe3c5296017a9495bcbb4b7a050afbb8dc455250cb5390bf962b0738814d69b.exe

"C:\Users\Admin\AppData\Local\Temp\7fe3c5296017a9495bcbb4b7a050afbb8dc455250cb5390bf962b0738814d69b.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7700055.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7700055.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4711850.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4711850.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l7793400.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l7793400.exe

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

"C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n8598838.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n8598838.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN pdates.exe /TR "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "pdates.exe" /P "Admin:N"&&CACLS "pdates.exe" /P "Admin:R" /E&&echo Y|CACLS "..\925e7e99c5" /P "Admin:N"&&CACLS "..\925e7e99c5" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "pdates.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "pdates.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\925e7e99c5" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\925e7e99c5" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
FI 77.91.124.84:19071 tcp
FI 77.91.68.61:80 tcp
FI 77.91.124.84:19071 tcp
FI 77.91.68.61:80 tcp
US 8.8.8.8:53 104.211.222.173.in-addr.arpa udp
FI 77.91.124.84:19071 tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
FI 77.91.68.61:80 tcp
FI 77.91.124.84:19071 tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
BE 2.17.196.171:443 www.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 171.196.17.2.in-addr.arpa udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
BE 2.17.196.171:443 www.bing.com tcp
FI 77.91.124.84:19071 tcp
FI 77.91.124.84:19071 tcp
US 8.8.8.8:53 93.65.42.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7700055.exe

MD5 158e2135c9da4c73f47493e5e7824907
SHA1 1cc755c0f852ae645ef8340ca2d4c1cb3fbdf76a
SHA256 a21adcd52495e2bb1c50634bc8a1b6e8dbb311d691623d1a1b2e7d996abf2a73
SHA512 78cdf47c2b85ad1dac92408aacdff75ce3b35fe0d2e9f3e80ad69133bfa0712fe5ca609d9a18ecb2c502f9a9f435861934cc4667da32ca9a714ec77bbcd682e6

memory/456-14-0x00000000004A0000-0x00000000004AA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4711850.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

memory/456-15-0x00007FFC743C3000-0x00007FFC743C5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l7793400.exe

MD5 aea234064483f651010cf9d981f59fea
SHA1 002ad73a666d2d92d0c6d6b617e61c6fa0c5f3a6
SHA256 58b02c8b4bc2bf7f5f1e8e45d7c206956f188ae56b648922ca75987b999db503
SHA512 eae415ef55aeb1b4548c2422a72e618fce17c2c1322918d33dc6b9202a01c743a5684ba28e5d83b6cdb2b703bc12569e6bb0e87ef2decb4e8a18592e1380a434

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n8598838.exe

MD5 a601b0c56aae0af61235b2231b70fb4d
SHA1 e36e24b8dc96fc76364f66399fb5c5791d264d50
SHA256 0685e8bee76b962565748a331dab09786581a95bda89c91492230ae80a831a56
SHA512 ec5d68b3f0efed787fb968f99cb26902f09aff08248b1903d02b6158404bc354b802c8ba69fac89be63f1296107b20f0642dc1159f3dbe4535e27e16141f49e9

memory/3140-33-0x0000000000980000-0x00000000009B0000-memory.dmp

memory/3140-34-0x0000000002E90000-0x0000000002E96000-memory.dmp

memory/3140-35-0x0000000005A20000-0x0000000006038000-memory.dmp

memory/3140-36-0x0000000005510000-0x000000000561A000-memory.dmp

memory/3140-37-0x0000000005450000-0x0000000005462000-memory.dmp

memory/3140-38-0x00000000054B0000-0x00000000054EC000-memory.dmp

memory/3140-39-0x0000000005620000-0x000000000566C000-memory.dmp

Analysis: behavioral20

Detonation Overview

Submitted

2024-05-09 15:21

Reported

2024-05-09 15:24

Platform

win10v2004-20240426-en

Max time kernel

146s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c606fbb70c63714189a35096faef884c4cdff3a5f6572cd036c768cf51a7f67c.exe"

Signatures

Amadey

trojan amadey

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a8456713.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a8456713.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a8456713.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a8456713.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a8456713.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a8456713.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b4258974.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a8456713.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\c606fbb70c63714189a35096faef884c4cdff3a5f6572cd036c768cf51a7f67c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3902161.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7126104.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c8249291.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c8249291.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c8249291.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a8456713.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a8456713.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a8456713.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 540 wrote to memory of 1768 N/A C:\Users\Admin\AppData\Local\Temp\c606fbb70c63714189a35096faef884c4cdff3a5f6572cd036c768cf51a7f67c.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3902161.exe
PID 540 wrote to memory of 1768 N/A C:\Users\Admin\AppData\Local\Temp\c606fbb70c63714189a35096faef884c4cdff3a5f6572cd036c768cf51a7f67c.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3902161.exe
PID 540 wrote to memory of 1768 N/A C:\Users\Admin\AppData\Local\Temp\c606fbb70c63714189a35096faef884c4cdff3a5f6572cd036c768cf51a7f67c.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3902161.exe
PID 1768 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3902161.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7126104.exe
PID 1768 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3902161.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7126104.exe
PID 1768 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3902161.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7126104.exe
PID 2912 wrote to memory of 4032 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7126104.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a8456713.exe
PID 2912 wrote to memory of 4032 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7126104.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a8456713.exe
PID 2912 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7126104.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b4258974.exe
PID 2912 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7126104.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b4258974.exe
PID 2912 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7126104.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b4258974.exe
PID 2624 wrote to memory of 3780 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b4258974.exe C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
PID 2624 wrote to memory of 3780 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b4258974.exe C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
PID 2624 wrote to memory of 3780 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b4258974.exe C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
PID 1768 wrote to memory of 4872 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3902161.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c8249291.exe
PID 1768 wrote to memory of 4872 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3902161.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c8249291.exe
PID 1768 wrote to memory of 4872 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3902161.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c8249291.exe
PID 3780 wrote to memory of 4552 N/A C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe C:\Windows\SysWOW64\schtasks.exe
PID 3780 wrote to memory of 4552 N/A C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe C:\Windows\SysWOW64\schtasks.exe
PID 3780 wrote to memory of 4552 N/A C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe C:\Windows\SysWOW64\schtasks.exe
PID 3780 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe C:\Windows\SysWOW64\cmd.exe
PID 3780 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe C:\Windows\SysWOW64\cmd.exe
PID 3780 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe C:\Windows\SysWOW64\cmd.exe
PID 2352 wrote to memory of 964 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2352 wrote to memory of 964 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2352 wrote to memory of 964 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2352 wrote to memory of 4572 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2352 wrote to memory of 4572 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2352 wrote to memory of 4572 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2352 wrote to memory of 3520 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2352 wrote to memory of 3520 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2352 wrote to memory of 3520 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2352 wrote to memory of 3292 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2352 wrote to memory of 3292 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2352 wrote to memory of 3292 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2352 wrote to memory of 4144 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2352 wrote to memory of 4144 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2352 wrote to memory of 4144 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2352 wrote to memory of 3200 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2352 wrote to memory of 3200 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2352 wrote to memory of 3200 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 540 wrote to memory of 744 N/A C:\Users\Admin\AppData\Local\Temp\c606fbb70c63714189a35096faef884c4cdff3a5f6572cd036c768cf51a7f67c.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d5692899.exe
PID 540 wrote to memory of 744 N/A C:\Users\Admin\AppData\Local\Temp\c606fbb70c63714189a35096faef884c4cdff3a5f6572cd036c768cf51a7f67c.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d5692899.exe
PID 540 wrote to memory of 744 N/A C:\Users\Admin\AppData\Local\Temp\c606fbb70c63714189a35096faef884c4cdff3a5f6572cd036c768cf51a7f67c.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d5692899.exe

Processes

C:\Users\Admin\AppData\Local\Temp\c606fbb70c63714189a35096faef884c4cdff3a5f6572cd036c768cf51a7f67c.exe

"C:\Users\Admin\AppData\Local\Temp\c606fbb70c63714189a35096faef884c4cdff3a5f6572cd036c768cf51a7f67c.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3902161.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3902161.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7126104.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7126104.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a8456713.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a8456713.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b4258974.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b4258974.exe

C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe

"C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe"

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c8249291.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c8249291.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN danke.exe /TR "C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "danke.exe" /P "Admin:N"&&CACLS "danke.exe" /P "Admin:R" /E&&echo Y|CACLS "..\3ec1f323b5" /P "Admin:N"&&CACLS "..\3ec1f323b5" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "danke.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "danke.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\3ec1f323b5" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\3ec1f323b5" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d5692899.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d5692899.exe

C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe

C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe

C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe

C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 136.136.73.23.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
BE 2.17.196.145:443 www.bing.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 145.196.17.2.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
BE 2.17.196.145:443 www.bing.com tcp
FI 77.91.68.3:80 tcp
FI 77.91.68.68:19071 tcp
FI 77.91.68.3:80 tcp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
FI 77.91.68.68:19071 tcp
IE 52.111.236.23:443 tcp
FI 77.91.68.3:80 tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
FI 77.91.68.68:19071 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
FI 77.91.68.3:80 tcp
FI 77.91.68.68:19071 tcp
FI 77.91.68.3:80 tcp
FI 77.91.68.68:19071 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3902161.exe

MD5 b6b6cf87eac65c335890d9fd1d89c575
SHA1 09ee828f9b389b705bdc2fc64edca9843016d2ce
SHA256 9ac360e32e0933ad998ec356103f4ede1a336e96e827a2df7d23affb3969bf87
SHA512 458b477c351011a9298f44ff69895998bf6422fc07cd7653a44e914c4ba37c5854965dbd6b2d9e28afb8fe0038651a19e27fe7983a6f1d453b5e2e1d3db65376

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7126104.exe

MD5 15d5dfc1ba9df672db8de31fb6a354fc
SHA1 97a902f04e2a43bb3cbd2a95c5a6de085d4d6dca
SHA256 bc11d9414f2c1e23731e2bc67436e6abfa68d78a67ae78de9980af3e60517534
SHA512 7bd20d27929109a48c870d22f63d25edcf89f8609b627b82e879b837e2c4c3aed844c1fcddde93bfe2fdc47c0aaa4f89c9ed29e52ad16526544fb9542f331586

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a8456713.exe

MD5 535fc052b402d82cd7777d2d3870d045
SHA1 204bdb3df1e259aaf361cce9a4b3619d91823121
SHA256 235b3efd965e487e7449e8ac25556edce52209411d65d265e28beb32ca8c28d6
SHA512 3ad3e1d48e1aeb6ce7c80a07a3839d913f24feb3ee01ac5f7d5adf24f469b6066c3f9461efd4102ce9d8dcdbdcc8d45660143d8d4ea89d044b659cc455c29d9a

memory/4032-21-0x0000000000200000-0x000000000020A000-memory.dmp

memory/4032-22-0x00007FFB53EB3000-0x00007FFB53EB5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b4258974.exe

MD5 06152377e0aef018d98a791972e064a6
SHA1 ce9f468f37be3da7ee0a0839bed00e45c0ee8b94
SHA256 6c6d49fab7dcd627afca3332a3cdf19b4e4157e40af97bcf6730e7bbfbb8c661
SHA512 f22640f84c776c0c8188d3081cca5e1b963a4ad58169e9dd40b66eca4df643cf43cd0a66c2d4dd518a95e2b874f7da3cf6b50a8a0f0b3ec4659a5063853409a0

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c8249291.exe

MD5 6730ca75691e640b557ce97ee0e00814
SHA1 75af9d26079baab5b905b6233072ef3e8d9fbb01
SHA256 f26bd54a582b8527acd3463e0d4265cd54c89af37ad4f2fccb37bba298cfd855
SHA512 999280742ca1c3570af5e8497da16e073dd5ff7aaf416795278ee3bdb7cf2a18662dbd8ecd82d64d60610fab52849a7a60c0b7bc9887f5c7c6c0d6af2b35bda3

memory/4872-40-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d5692899.exe

MD5 34ef4f81029267ba9ec9215ea8708c77
SHA1 56896a5c8c73edc04e6c06d296d9a147c58291e9
SHA256 d82612a97e9af5b993fd980c0ff88ea6aae412f468e767fa4dc5834f5eb097fc
SHA512 ea942464bd328de1d1ad3cc29bb2469b5a4911a82a10c9ded71e4b3e2453aa9fdf2d222b28b5777cfd281694ace97b738d43b804cb7de46aee3beeb76111026e

memory/744-44-0x0000000000440000-0x0000000000470000-memory.dmp

memory/744-45-0x00000000071F0000-0x00000000071F6000-memory.dmp

memory/744-46-0x000000000A870000-0x000000000AE88000-memory.dmp

memory/744-47-0x000000000A3F0000-0x000000000A4FA000-memory.dmp

memory/744-48-0x000000000A330000-0x000000000A342000-memory.dmp

memory/744-49-0x000000000A390000-0x000000000A3CC000-memory.dmp

memory/744-50-0x00000000048B0000-0x00000000048FC000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-09 15:21

Reported

2024-05-09 15:24

Platform

win10v2004-20240426-en

Max time kernel

148s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0b77ecaa1b47f7bc168f30b00531ca8aab8e8a58ed0985de288fe126c3d0fdbd.exe"

Signatures

Amadey

trojan amadey

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h7952601.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h7952601.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h7952601.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h7952601.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h7952601.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h7952601.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g4373075.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h7952601.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\0b77ecaa1b47f7bc168f30b00531ca8aab8e8a58ed0985de288fe126c3d0fdbd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2509664.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h7952601.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h7952601.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h7952601.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4544 wrote to memory of 3908 N/A C:\Users\Admin\AppData\Local\Temp\0b77ecaa1b47f7bc168f30b00531ca8aab8e8a58ed0985de288fe126c3d0fdbd.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2509664.exe
PID 4544 wrote to memory of 3908 N/A C:\Users\Admin\AppData\Local\Temp\0b77ecaa1b47f7bc168f30b00531ca8aab8e8a58ed0985de288fe126c3d0fdbd.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2509664.exe
PID 4544 wrote to memory of 3908 N/A C:\Users\Admin\AppData\Local\Temp\0b77ecaa1b47f7bc168f30b00531ca8aab8e8a58ed0985de288fe126c3d0fdbd.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2509664.exe
PID 3908 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2509664.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g4373075.exe
PID 3908 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2509664.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g4373075.exe
PID 3908 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2509664.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g4373075.exe
PID 2536 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g4373075.exe C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
PID 2536 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g4373075.exe C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
PID 2536 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g4373075.exe C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
PID 3908 wrote to memory of 5084 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2509664.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h7952601.exe
PID 3908 wrote to memory of 5084 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2509664.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h7952601.exe
PID 2948 wrote to memory of 4860 N/A C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe C:\Windows\SysWOW64\schtasks.exe
PID 2948 wrote to memory of 4860 N/A C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe C:\Windows\SysWOW64\schtasks.exe
PID 2948 wrote to memory of 4860 N/A C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe C:\Windows\SysWOW64\schtasks.exe
PID 2948 wrote to memory of 3800 N/A C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe C:\Windows\SysWOW64\cmd.exe
PID 2948 wrote to memory of 3800 N/A C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe C:\Windows\SysWOW64\cmd.exe
PID 2948 wrote to memory of 3800 N/A C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe C:\Windows\SysWOW64\cmd.exe
PID 3800 wrote to memory of 376 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3800 wrote to memory of 376 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3800 wrote to memory of 376 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3800 wrote to memory of 4368 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3800 wrote to memory of 4368 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3800 wrote to memory of 4368 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3800 wrote to memory of 1064 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3800 wrote to memory of 1064 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3800 wrote to memory of 1064 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3800 wrote to memory of 4616 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3800 wrote to memory of 4616 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3800 wrote to memory of 4616 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3800 wrote to memory of 4704 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3800 wrote to memory of 4704 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3800 wrote to memory of 4704 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3800 wrote to memory of 4064 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3800 wrote to memory of 4064 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3800 wrote to memory of 4064 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4544 wrote to memory of 4144 N/A C:\Users\Admin\AppData\Local\Temp\0b77ecaa1b47f7bc168f30b00531ca8aab8e8a58ed0985de288fe126c3d0fdbd.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j2336619.exe
PID 4544 wrote to memory of 4144 N/A C:\Users\Admin\AppData\Local\Temp\0b77ecaa1b47f7bc168f30b00531ca8aab8e8a58ed0985de288fe126c3d0fdbd.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j2336619.exe
PID 4544 wrote to memory of 4144 N/A C:\Users\Admin\AppData\Local\Temp\0b77ecaa1b47f7bc168f30b00531ca8aab8e8a58ed0985de288fe126c3d0fdbd.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j2336619.exe

Processes

C:\Users\Admin\AppData\Local\Temp\0b77ecaa1b47f7bc168f30b00531ca8aab8e8a58ed0985de288fe126c3d0fdbd.exe

"C:\Users\Admin\AppData\Local\Temp\0b77ecaa1b47f7bc168f30b00531ca8aab8e8a58ed0985de288fe126c3d0fdbd.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2509664.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2509664.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g4373075.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g4373075.exe

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

"C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe"

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h7952601.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h7952601.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN pdates.exe /TR "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "pdates.exe" /P "Admin:N"&&CACLS "pdates.exe" /P "Admin:R" /E&&echo Y|CACLS "..\925e7e99c5" /P "Admin:N"&&CACLS "..\925e7e99c5" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "pdates.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "pdates.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\925e7e99c5" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\925e7e99c5" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j2336619.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j2336619.exe

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 136.136.73.23.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
BE 2.17.196.145:443 www.bing.com tcp
FI 77.91.68.61:80 tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
BE 2.17.196.145:443 www.bing.com tcp
US 8.8.8.8:53 145.196.17.2.in-addr.arpa udp
US 20.231.121.79:80 tcp
FI 77.91.68.68:19071 tcp
FI 77.91.68.68:19071 tcp
FI 77.91.68.61:80 tcp
US 8.8.8.8:53 104.211.222.173.in-addr.arpa udp
FI 77.91.68.68:19071 tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
FI 77.91.68.61:80 tcp
FI 77.91.68.68:19071 tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
FI 77.91.68.68:19071 tcp
FI 77.91.68.68:19071 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2509664.exe

MD5 579cca88772bbd4e58f42fe129c0c99a
SHA1 a58c887d1de5096d4e1830bfd84fbd71a091cc83
SHA256 1e63c21674a2fc3caf02bc9ee851983dfcb7dd55c10c5fc484fe76cdee21d990
SHA512 7b310ee162e5ef604c1a110bf6e7efeba5c3ce900df09a399874c2a5d9f75d2ccb7083323a028a38ae14d62bf8bb118527890a7214101e92016b5fc6a6553dee

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g4373075.exe

MD5 aea234064483f651010cf9d981f59fea
SHA1 002ad73a666d2d92d0c6d6b617e61c6fa0c5f3a6
SHA256 58b02c8b4bc2bf7f5f1e8e45d7c206956f188ae56b648922ca75987b999db503
SHA512 eae415ef55aeb1b4548c2422a72e618fce17c2c1322918d33dc6b9202a01c743a5684ba28e5d83b6cdb2b703bc12569e6bb0e87ef2decb4e8a18592e1380a434

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h7952601.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

memory/5084-27-0x00000000003A0000-0x00000000003AA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j2336619.exe

MD5 c9ff23e87abbcaf48933bf1109a33e8c
SHA1 6a23c5eae207c8229f595b6392108654d535cd6d
SHA256 a6bfa36ebad734de3b81cb4ee7b3b9eb884365a0b8ffd81a89550a94ad2e5e55
SHA512 89f539dfa226caefeda701d590fa07e790e1d36df1b0d28dd143400af85102de5b7edba602a37ed5d5c1beb628a5ece550c596f61801739a9fc7c9f2b7ff0626

memory/4144-32-0x0000000000E00000-0x0000000000E30000-memory.dmp

memory/4144-33-0x00000000033D0000-0x00000000033D6000-memory.dmp

memory/4144-34-0x000000000B310000-0x000000000B928000-memory.dmp

memory/4144-35-0x000000000AE00000-0x000000000AF0A000-memory.dmp

memory/4144-36-0x000000000ACF0000-0x000000000AD02000-memory.dmp

memory/4144-37-0x000000000AD50000-0x000000000AD8C000-memory.dmp

memory/4144-38-0x00000000031E0000-0x000000000322C000-memory.dmp

Analysis: behavioral5

Detonation Overview

Submitted

2024-05-09 15:21

Reported

2024-05-09 15:24

Platform

win10v2004-20240508-en

Max time kernel

142s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\371f83e057f13466e2fea9ea5acee438ac49fa63875096d8859e4b0dd31df2f2.exe"

Signatures

Amadey

trojan amadey

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h5036762.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h5036762.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h5036762.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h5036762.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h5036762.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h5036762.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g0226590.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h5036762.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\371f83e057f13466e2fea9ea5acee438ac49fa63875096d8859e4b0dd31df2f2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1544910.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h5036762.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h5036762.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h5036762.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1844 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\371f83e057f13466e2fea9ea5acee438ac49fa63875096d8859e4b0dd31df2f2.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1544910.exe
PID 1844 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\371f83e057f13466e2fea9ea5acee438ac49fa63875096d8859e4b0dd31df2f2.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1544910.exe
PID 1844 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\371f83e057f13466e2fea9ea5acee438ac49fa63875096d8859e4b0dd31df2f2.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1544910.exe
PID 2324 wrote to memory of 3344 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1544910.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g0226590.exe
PID 2324 wrote to memory of 3344 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1544910.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g0226590.exe
PID 2324 wrote to memory of 3344 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1544910.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g0226590.exe
PID 3344 wrote to memory of 4320 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g0226590.exe C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
PID 3344 wrote to memory of 4320 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g0226590.exe C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
PID 3344 wrote to memory of 4320 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g0226590.exe C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
PID 2324 wrote to memory of 3784 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1544910.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h5036762.exe
PID 2324 wrote to memory of 3784 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1544910.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h5036762.exe
PID 4320 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe C:\Windows\SysWOW64\schtasks.exe
PID 4320 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe C:\Windows\SysWOW64\schtasks.exe
PID 4320 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe C:\Windows\SysWOW64\schtasks.exe
PID 4320 wrote to memory of 1784 N/A C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe C:\Windows\SysWOW64\cmd.exe
PID 4320 wrote to memory of 1784 N/A C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe C:\Windows\SysWOW64\cmd.exe
PID 4320 wrote to memory of 1784 N/A C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe C:\Windows\SysWOW64\cmd.exe
PID 1784 wrote to memory of 3992 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1784 wrote to memory of 3992 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1784 wrote to memory of 3992 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1784 wrote to memory of 1464 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1784 wrote to memory of 1464 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1784 wrote to memory of 1464 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1784 wrote to memory of 1264 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1784 wrote to memory of 1264 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1784 wrote to memory of 1264 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1784 wrote to memory of 776 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1784 wrote to memory of 776 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1784 wrote to memory of 776 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1784 wrote to memory of 3004 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1784 wrote to memory of 3004 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1784 wrote to memory of 3004 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1784 wrote to memory of 2052 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1784 wrote to memory of 2052 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1784 wrote to memory of 2052 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1844 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\371f83e057f13466e2fea9ea5acee438ac49fa63875096d8859e4b0dd31df2f2.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j0492927.exe
PID 1844 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\371f83e057f13466e2fea9ea5acee438ac49fa63875096d8859e4b0dd31df2f2.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j0492927.exe
PID 1844 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\371f83e057f13466e2fea9ea5acee438ac49fa63875096d8859e4b0dd31df2f2.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j0492927.exe

Processes

C:\Users\Admin\AppData\Local\Temp\371f83e057f13466e2fea9ea5acee438ac49fa63875096d8859e4b0dd31df2f2.exe

"C:\Users\Admin\AppData\Local\Temp\371f83e057f13466e2fea9ea5acee438ac49fa63875096d8859e4b0dd31df2f2.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1544910.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1544910.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g0226590.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g0226590.exe

C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe

"C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe"

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h5036762.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h5036762.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN danke.exe /TR "C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "danke.exe" /P "Admin:N"&&CACLS "danke.exe" /P "Admin:R" /E&&echo Y|CACLS "..\3ec1f323b5" /P "Admin:N"&&CACLS "..\3ec1f323b5" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "danke.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "danke.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\3ec1f323b5" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\3ec1f323b5" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j0492927.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j0492927.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4212,i,6576818814118437872,11004518367271063231,262144 --variations-seed-version --mojo-platform-channel-handle=3916 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe

C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe

C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe

C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
FI 77.91.68.3:80 tcp
BE 2.17.196.82:443 www.bing.com tcp
BE 2.17.196.82:443 www.bing.com tcp
US 8.8.8.8:53 82.196.17.2.in-addr.arpa udp
FI 77.91.68.68:19071 tcp
FI 77.91.68.68:19071 tcp
FI 77.91.68.3:80 tcp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
FI 77.91.68.68:19071 tcp
FI 77.91.68.3:80 tcp
FI 77.91.68.68:19071 tcp
FI 77.91.68.3:80 tcp
FI 77.91.68.68:19071 tcp
FI 77.91.68.3:80 tcp
FI 77.91.68.68:19071 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1544910.exe

MD5 0c83a0a39c50f5bc7783e51bf2398d10
SHA1 a1394081a3cff13581a2c07168c03e800b4b4196
SHA256 2b990f76ba4ad95dfa3d01daa6463e15dad5039a239b0737ee1f823cad1752b3
SHA512 fe0603c341c8f602f4d2264c430cd8ed926c22f9de185371bf1677ff603ead15288032be6d9aca07d2830e586ef78c9bd833de88ef0b0fdd340c3a8f21b068e7

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g0226590.exe

MD5 8c6b79ec436d7cf6950a804c1ec7d3e9
SHA1 4a589d5605d8ef785fdc78b0bf64e769e3a21ad6
SHA256 4e1377f9874f333dcb0b1b758e3131949e667fc39aadf3091e4e3b7cdbaeef1d
SHA512 06f2de433876963bb7bbddbe93cab0b7dd22164d1c10726294445944dcf5fa4a0fb450fc683c32565177a81a6103f6a5f11d291958bc7fcff7fdb9cf41a001ce

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h5036762.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

memory/3784-27-0x00000000003A0000-0x00000000003AA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j0492927.exe

MD5 68a7a34de48345420cb49f0ccfcddd52
SHA1 00e69fd597423c11c4e774baa6dbf62433b15018
SHA256 a30faf1c13aedb0de8524b6103046b331b81f89f725feaa7f333aeb7ed65b171
SHA512 81bf6c4d36d663e78229ed9b928b58f6ac78bd1d8b167251cf4f115c64080c6ff52d1a40f82bd20023dc3b5a9a073c3765cbdeaa6916b2100caaee01b815018e

memory/1996-32-0x0000000000C60000-0x0000000000C90000-memory.dmp

memory/1996-33-0x00000000030F0000-0x00000000030F6000-memory.dmp

memory/1996-34-0x000000000B0A0000-0x000000000B6B8000-memory.dmp

memory/1996-35-0x000000000AC10000-0x000000000AD1A000-memory.dmp

memory/1996-36-0x000000000AB50000-0x000000000AB62000-memory.dmp

memory/1996-37-0x000000000ABB0000-0x000000000ABEC000-memory.dmp

memory/1996-38-0x0000000002EF0000-0x0000000002F3C000-memory.dmp

Analysis: behavioral8

Detonation Overview

Submitted

2024-05-09 15:21

Reported

2024-05-09 15:24

Platform

win10v2004-20240508-en

Max time kernel

148s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\613e8de3b5eba303bd2dc0b5d2f2f3df3586c0f63c31eb1f2c60f4e30e70dda6.exe"

Signatures

Lumma Stealer

stealer lumma

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4856 set thread context of 2972 N/A C:\Users\Admin\AppData\Local\Temp\613e8de3b5eba303bd2dc0b5d2f2f3df3586c0f63c31eb1f2c60f4e30e70dda6.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4856 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\613e8de3b5eba303bd2dc0b5d2f2f3df3586c0f63c31eb1f2c60f4e30e70dda6.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4856 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\613e8de3b5eba303bd2dc0b5d2f2f3df3586c0f63c31eb1f2c60f4e30e70dda6.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4856 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\613e8de3b5eba303bd2dc0b5d2f2f3df3586c0f63c31eb1f2c60f4e30e70dda6.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4856 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\613e8de3b5eba303bd2dc0b5d2f2f3df3586c0f63c31eb1f2c60f4e30e70dda6.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4856 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\613e8de3b5eba303bd2dc0b5d2f2f3df3586c0f63c31eb1f2c60f4e30e70dda6.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4856 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\613e8de3b5eba303bd2dc0b5d2f2f3df3586c0f63c31eb1f2c60f4e30e70dda6.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4856 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\613e8de3b5eba303bd2dc0b5d2f2f3df3586c0f63c31eb1f2c60f4e30e70dda6.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4856 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\613e8de3b5eba303bd2dc0b5d2f2f3df3586c0f63c31eb1f2c60f4e30e70dda6.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4856 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\613e8de3b5eba303bd2dc0b5d2f2f3df3586c0f63c31eb1f2c60f4e30e70dda6.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Processes

C:\Users\Admin\AppData\Local\Temp\613e8de3b5eba303bd2dc0b5d2f2f3df3586c0f63c31eb1f2c60f4e30e70dda6.exe

"C:\Users\Admin\AppData\Local\Temp\613e8de3b5eba303bd2dc0b5d2f2f3df3586c0f63c31eb1f2c60f4e30e70dda6.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4856 -ip 4856

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4856 -s 320

Network

Country Destination Domain Proto
US 8.8.8.8:53 sideindexfollowragelrew.pw udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 productivelookewr.shop udp
US 104.21.11.250:443 productivelookewr.shop tcp
US 8.8.8.8:53 tolerateilusidjukl.shop udp
US 172.67.147.41:443 tolerateilusidjukl.shop tcp
BE 2.17.196.106:443 www.bing.com tcp
US 8.8.8.8:53 shatterbreathepsw.shop udp
US 8.8.8.8:53 85.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 136.136.73.23.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 250.11.21.104.in-addr.arpa udp
US 8.8.8.8:53 41.147.67.172.in-addr.arpa udp
US 8.8.8.8:53 106.196.17.2.in-addr.arpa udp
US 172.67.169.43:443 shatterbreathepsw.shop tcp
US 8.8.8.8:53 shortsvelventysjo.shop udp
US 188.114.97.2:443 shortsvelventysjo.shop tcp
US 8.8.8.8:53 incredibleextedwj.shop udp
US 172.67.218.63:443 incredibleextedwj.shop tcp
US 8.8.8.8:53 alcojoldwograpciw.shop udp
US 104.21.48.243:443 alcojoldwograpciw.shop tcp
US 8.8.8.8:53 43.169.67.172.in-addr.arpa udp
US 8.8.8.8:53 2.97.114.188.in-addr.arpa udp
US 8.8.8.8:53 63.218.67.172.in-addr.arpa udp
US 8.8.8.8:53 liabilitynighstjsko.shop udp
US 188.114.96.2:443 liabilitynighstjsko.shop tcp
US 8.8.8.8:53 demonstationfukewko.shop udp
US 172.67.147.169:443 demonstationfukewko.shop tcp
US 8.8.8.8:53 243.48.21.104.in-addr.arpa udp
US 8.8.8.8:53 2.96.114.188.in-addr.arpa udp
US 8.8.8.8:53 169.147.67.172.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 24.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 226.162.46.104.in-addr.arpa udp

Files

memory/2972-1-0x0000000000400000-0x000000000044F000-memory.dmp

memory/4856-0-0x0000000000146000-0x0000000000147000-memory.dmp

memory/2972-3-0x0000000000400000-0x000000000044F000-memory.dmp

memory/2972-4-0x0000000000400000-0x000000000044F000-memory.dmp

Analysis: behavioral10

Detonation Overview

Submitted

2024-05-09 15:21

Reported

2024-05-09 15:24

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\74991b8b0544fa500ea5cb196e746fa3f4d98c5d0623c46470044b2710b5da38.exe"

Signatures

Amadey

trojan amadey

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a5537611.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a5537611.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a5537611.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a5537611.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a5537611.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a5537611.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b8545807.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a5537611.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9906445.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3094225.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\74991b8b0544fa500ea5cb196e746fa3f4d98c5d0623c46470044b2710b5da38.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3275973.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c9373749.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c9373749.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c9373749.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a5537611.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a5537611.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a5537611.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1432 wrote to memory of 4068 N/A C:\Users\Admin\AppData\Local\Temp\74991b8b0544fa500ea5cb196e746fa3f4d98c5d0623c46470044b2710b5da38.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3275973.exe
PID 1432 wrote to memory of 4068 N/A C:\Users\Admin\AppData\Local\Temp\74991b8b0544fa500ea5cb196e746fa3f4d98c5d0623c46470044b2710b5da38.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3275973.exe
PID 1432 wrote to memory of 4068 N/A C:\Users\Admin\AppData\Local\Temp\74991b8b0544fa500ea5cb196e746fa3f4d98c5d0623c46470044b2710b5da38.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3275973.exe
PID 4068 wrote to memory of 4836 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3275973.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9906445.exe
PID 4068 wrote to memory of 4836 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3275973.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9906445.exe
PID 4068 wrote to memory of 4836 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3275973.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9906445.exe
PID 4836 wrote to memory of 4256 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9906445.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3094225.exe
PID 4836 wrote to memory of 4256 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9906445.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3094225.exe
PID 4836 wrote to memory of 4256 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9906445.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3094225.exe
PID 4256 wrote to memory of 5044 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3094225.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a5537611.exe
PID 4256 wrote to memory of 5044 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3094225.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a5537611.exe
PID 4256 wrote to memory of 3952 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3094225.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b8545807.exe
PID 4256 wrote to memory of 3952 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3094225.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b8545807.exe
PID 4256 wrote to memory of 3952 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3094225.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b8545807.exe
PID 3952 wrote to memory of 3376 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b8545807.exe C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
PID 3952 wrote to memory of 3376 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b8545807.exe C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
PID 3952 wrote to memory of 3376 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b8545807.exe C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
PID 4836 wrote to memory of 4252 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9906445.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c9373749.exe
PID 4836 wrote to memory of 4252 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9906445.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c9373749.exe
PID 4836 wrote to memory of 4252 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9906445.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c9373749.exe
PID 3376 wrote to memory of 4132 N/A C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe C:\Windows\SysWOW64\schtasks.exe
PID 3376 wrote to memory of 4132 N/A C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe C:\Windows\SysWOW64\schtasks.exe
PID 3376 wrote to memory of 4132 N/A C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe C:\Windows\SysWOW64\schtasks.exe
PID 3376 wrote to memory of 4016 N/A C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe C:\Windows\SysWOW64\cmd.exe
PID 3376 wrote to memory of 4016 N/A C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe C:\Windows\SysWOW64\cmd.exe
PID 3376 wrote to memory of 4016 N/A C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe C:\Windows\SysWOW64\cmd.exe
PID 4016 wrote to memory of 4804 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4016 wrote to memory of 4804 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4016 wrote to memory of 4804 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4016 wrote to memory of 3172 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4016 wrote to memory of 3172 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4016 wrote to memory of 3172 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4016 wrote to memory of 1424 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4016 wrote to memory of 1424 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4016 wrote to memory of 1424 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4016 wrote to memory of 4984 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4016 wrote to memory of 4984 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4016 wrote to memory of 4984 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4016 wrote to memory of 1796 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4016 wrote to memory of 1796 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4016 wrote to memory of 1796 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4016 wrote to memory of 3180 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4016 wrote to memory of 3180 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4016 wrote to memory of 3180 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4068 wrote to memory of 1572 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3275973.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d2527041.exe
PID 4068 wrote to memory of 1572 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3275973.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d2527041.exe
PID 4068 wrote to memory of 1572 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3275973.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d2527041.exe

Processes

C:\Users\Admin\AppData\Local\Temp\74991b8b0544fa500ea5cb196e746fa3f4d98c5d0623c46470044b2710b5da38.exe

"C:\Users\Admin\AppData\Local\Temp\74991b8b0544fa500ea5cb196e746fa3f4d98c5d0623c46470044b2710b5da38.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3275973.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3275973.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9906445.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9906445.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3094225.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3094225.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a5537611.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a5537611.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b8545807.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b8545807.exe

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

"C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe"

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c9373749.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c9373749.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN pdates.exe /TR "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "pdates.exe" /P "Admin:N"&&CACLS "pdates.exe" /P "Admin:R" /E&&echo Y|CACLS "..\925e7e99c5" /P "Admin:N"&&CACLS "..\925e7e99c5" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "pdates.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "pdates.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\925e7e99c5" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\925e7e99c5" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d2527041.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d2527041.exe

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start wuauserv

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
BE 2.17.196.74:443 www.bing.com tcp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
BE 2.17.196.74:443 www.bing.com tcp
US 8.8.8.8:53 74.196.17.2.in-addr.arpa udp
FI 77.91.68.61:80 tcp
FI 77.91.124.156:19071 tcp
FI 77.91.68.61:80 tcp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
FI 77.91.124.156:19071 tcp
FI 77.91.68.61:80 tcp
FI 77.91.124.156:19071 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
FI 77.91.124.156:19071 tcp
FI 77.91.124.156:19071 tcp
US 8.8.8.8:53 24.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3275973.exe

MD5 0c217f89099eda433b9cf3f5e4cf38db
SHA1 35a474a669acf1f1d0003faf3070f373851346d1
SHA256 36f21f0823382d0ec4e031f21139eb69ad36a8fa2dea1e793d35ae932c5e97d8
SHA512 cb8dd763f2cc18fefe7712d369edf22582eda6cec006f2e6b2aae16f214c2a1592868e1a80d970aef672e2342227e2138a8bdb422948aa3aa91f550024066ef9

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9906445.exe

MD5 82a0189b51579796f5af643cdd64b219
SHA1 58266c9f5286827e9818f6de26240394f414d1f2
SHA256 7fc2fc7a4a54a24e857b93dbe9ea59171a4b1ec85201f57e9bf5763f85570f8a
SHA512 655f371c6edbb589c79c885be93a32a4d96a55ce22c342dc49f60ffb05327bbcfb5e1f8c78f206f6f9311278ce7173222b6993f46a9832a17d3981c15852f73f

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3094225.exe

MD5 2175823686be6b3356cd784e86eb3acb
SHA1 9a0fa52f2a3c32756e07dc3699f235f399a0698f
SHA256 a34660ea0ed56a821719a17b6b81955353848de7996151da5e69b442032f400f
SHA512 7f4f4aa03f58d4dd3ae1ec21e914488a1fd468c30c8b07b46fba1c9ae173c9bd4fae7c25839e9e9fc666b3a9ec46876cdb710eca7e63c086489ef6159608eb52

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a5537611.exe

MD5 72f6e5b3d37f8e459aa8d443f0dee42c
SHA1 b2bf68250386a762387d32d12fe9034773b3b274
SHA256 177dfde9f2a767310111bd9e285cf0b4134bb0753af04033a561fee4d45b817f
SHA512 323188ab51bc45876a804acaa2585522a1fd20a468d2b0112f5c90ec439ee63212036e1d892941766ec5abb23c8c2c9b93a8258129767b37455efa78a4230ea4

memory/5044-28-0x0000000000260000-0x000000000026A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b8545807.exe

MD5 56bb2a170eef8548aaf7e46ae9378b4a
SHA1 6f7a6cfbfaec571bb944eba344403ad85df09960
SHA256 8a6310e8dad47a438c3ad1e54864144a779ee80db19000604daafd367f4fe740
SHA512 a54fb145d5b23683a2ae1467ce9b07cd77c0b7d06553c7d18786da9885c0c1be29e0b60e173027675899eaa08ee94b4b617577c3503dfbb58365b0e413a28ed4

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c9373749.exe

MD5 ad76331cb3e0ba1ef3282e942ab0897a
SHA1 7fe032b40c5c00187925f057285020287b95b776
SHA256 8673193d10d77511c07dfd6d04b1bc2efffe69c6a5b01f35a145bdf1aaae48f2
SHA512 c712e922476ec30d00c16656009a9c964153303508144cd235859bfa57dc7bcef28a9db06cc8ca5f631468c4d7a9837a07282f3bedc537a82aa4aeda9cfa5b57

memory/4252-46-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d2527041.exe

MD5 e47e3aba018821e3af6ad1ca7e340bcc
SHA1 7a30646566fdfd7e2fb8101f8d8d3c0e5ec63db1
SHA256 65a354189fb0c95c75197e6ac71e870c8ede662ccac0b5589277e04180110857
SHA512 4cced0461ed7f28e1f6081cbcbe7907c2ba932f758bdfa6cc339e2bb7fb04277c05e929a046f2e98e7748174413ffadae56afd1d2c0e4af24e71664cb98bf248

memory/1572-50-0x0000000000DC0000-0x0000000000DF0000-memory.dmp

memory/1572-51-0x0000000005720000-0x0000000005726000-memory.dmp

memory/1572-52-0x000000000B240000-0x000000000B858000-memory.dmp

memory/1572-53-0x000000000AD70000-0x000000000AE7A000-memory.dmp

memory/1572-54-0x000000000ACB0000-0x000000000ACC2000-memory.dmp

memory/1572-55-0x000000000AD10000-0x000000000AD4C000-memory.dmp

memory/1572-56-0x00000000031A0000-0x00000000031EC000-memory.dmp

Analysis: behavioral15

Detonation Overview

Submitted

2024-05-09 15:21

Reported

2024-05-09 15:24

Platform

win10v2004-20240426-en

Max time kernel

146s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8e6c08ec1ca5a8b0e5817eb7d07c526a20804925c4c4b8bc94ce28ad3f6abd56.exe"

Signatures

Amadey

trojan amadey

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a5821790.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a5821790.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a5821790.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a5821790.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a5821790.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a5821790.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b4791839.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a5821790.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\8e6c08ec1ca5a8b0e5817eb7d07c526a20804925c4c4b8bc94ce28ad3f6abd56.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0304301.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2564128.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c1886683.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c1886683.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c1886683.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a5821790.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a5821790.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a5821790.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4852 wrote to memory of 624 N/A C:\Users\Admin\AppData\Local\Temp\8e6c08ec1ca5a8b0e5817eb7d07c526a20804925c4c4b8bc94ce28ad3f6abd56.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0304301.exe
PID 4852 wrote to memory of 624 N/A C:\Users\Admin\AppData\Local\Temp\8e6c08ec1ca5a8b0e5817eb7d07c526a20804925c4c4b8bc94ce28ad3f6abd56.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0304301.exe
PID 4852 wrote to memory of 624 N/A C:\Users\Admin\AppData\Local\Temp\8e6c08ec1ca5a8b0e5817eb7d07c526a20804925c4c4b8bc94ce28ad3f6abd56.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0304301.exe
PID 624 wrote to memory of 4700 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0304301.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2564128.exe
PID 624 wrote to memory of 4700 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0304301.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2564128.exe
PID 624 wrote to memory of 4700 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0304301.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2564128.exe
PID 4700 wrote to memory of 3472 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2564128.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a5821790.exe
PID 4700 wrote to memory of 3472 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2564128.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a5821790.exe
PID 4700 wrote to memory of 3680 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2564128.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b4791839.exe
PID 4700 wrote to memory of 3680 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2564128.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b4791839.exe
PID 4700 wrote to memory of 3680 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2564128.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b4791839.exe
PID 3680 wrote to memory of 4716 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b4791839.exe C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
PID 3680 wrote to memory of 4716 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b4791839.exe C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
PID 3680 wrote to memory of 4716 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b4791839.exe C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
PID 624 wrote to memory of 4968 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0304301.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c1886683.exe
PID 624 wrote to memory of 4968 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0304301.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c1886683.exe
PID 624 wrote to memory of 4968 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0304301.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c1886683.exe
PID 4716 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe C:\Windows\SysWOW64\schtasks.exe
PID 4716 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe C:\Windows\SysWOW64\schtasks.exe
PID 4716 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe C:\Windows\SysWOW64\schtasks.exe
PID 4716 wrote to memory of 4032 N/A C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe C:\Windows\SysWOW64\cmd.exe
PID 4716 wrote to memory of 4032 N/A C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe C:\Windows\SysWOW64\cmd.exe
PID 4716 wrote to memory of 4032 N/A C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe C:\Windows\SysWOW64\cmd.exe
PID 4032 wrote to memory of 4244 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4032 wrote to memory of 4244 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4032 wrote to memory of 4244 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4032 wrote to memory of 2416 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4032 wrote to memory of 2416 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4032 wrote to memory of 2416 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4032 wrote to memory of 4560 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4032 wrote to memory of 4560 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4032 wrote to memory of 4560 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4032 wrote to memory of 4864 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4032 wrote to memory of 4864 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4032 wrote to memory of 4864 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4032 wrote to memory of 3972 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4032 wrote to memory of 3972 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4032 wrote to memory of 3972 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4032 wrote to memory of 2324 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4032 wrote to memory of 2324 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4032 wrote to memory of 2324 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4852 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Local\Temp\8e6c08ec1ca5a8b0e5817eb7d07c526a20804925c4c4b8bc94ce28ad3f6abd56.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d1535399.exe
PID 4852 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Local\Temp\8e6c08ec1ca5a8b0e5817eb7d07c526a20804925c4c4b8bc94ce28ad3f6abd56.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d1535399.exe
PID 4852 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Local\Temp\8e6c08ec1ca5a8b0e5817eb7d07c526a20804925c4c4b8bc94ce28ad3f6abd56.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d1535399.exe

Processes

C:\Users\Admin\AppData\Local\Temp\8e6c08ec1ca5a8b0e5817eb7d07c526a20804925c4c4b8bc94ce28ad3f6abd56.exe

"C:\Users\Admin\AppData\Local\Temp\8e6c08ec1ca5a8b0e5817eb7d07c526a20804925c4c4b8bc94ce28ad3f6abd56.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0304301.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0304301.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2564128.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2564128.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a5821790.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a5821790.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b4791839.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b4791839.exe

C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe

"C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe"

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c1886683.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c1886683.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN danke.exe /TR "C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "danke.exe" /P "Admin:N"&&CACLS "danke.exe" /P "Admin:R" /E&&echo Y|CACLS "..\3ec1f323b5" /P "Admin:N"&&CACLS "..\3ec1f323b5" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "danke.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "danke.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\3ec1f323b5" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\3ec1f323b5" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d1535399.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d1535399.exe

C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe

C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe

C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe

C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
BE 2.17.196.91:443 www.bing.com tcp
BE 2.17.196.91:443 www.bing.com tcp
US 8.8.8.8:53 91.196.17.2.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
FI 77.91.68.3:80 tcp
FI 77.91.68.56:19071 tcp
FI 77.91.68.3:80 tcp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
FI 77.91.68.56:19071 tcp
FI 77.91.68.3:80 tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
FI 77.91.68.56:19071 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
FI 77.91.68.3:80 tcp
FI 77.91.68.56:19071 tcp
FI 77.91.68.3:80 tcp
FI 77.91.68.56:19071 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0304301.exe

MD5 2e41f2a430cce32e84bbb77f07f6589e
SHA1 3e1c81d37f8f83ec43ef2a5754039f91fc4e8ca3
SHA256 1dbdac866984a1cee3e2ea04cff7c23e899b4d989a3e5c2b9700d23fd103ada9
SHA512 3ac1ea6ff33c0ea808f58286b02ae99790e105763e5e2315435e1455f8bd74c1bd46cf99e6493d6e452c9af11e652ada233473d1b4de697e481a4aa8ba6a4e20

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2564128.exe

MD5 f1991d74748a69ce5acf943f8682c836
SHA1 7f9ac32fdf92fe71eac19de74799f2c8a6772b4a
SHA256 2c53ed60c6a65f2ed015481ea87d1d5af0ecc07c89aa4ee932e293272710a884
SHA512 3aaf7be811374c82306c3b99393d4f85eb29577839ea408440f90bfbc1445022c1e75df13a6a6488443020340e1754bfe1ea41eca9a9facabdd06bd7262476f6

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a5821790.exe

MD5 d905bd599ee4de7c8ea88c112d93f965
SHA1 7305dca89d8ed403a9eceb83041114f669e67abf
SHA256 29addb5d38931432a48ce1588ef11094e8c7dcc4e64b662d5120319e14d87290
SHA512 c6fb15c5cb6bbe52eacc4707eec34530df7e92ba0ba00c1b9383e692172184de22b5b78f616869b83dfc000ec748b3d7ae39f9ccb22bc8bb26ea78c0c5d689cb

memory/3472-21-0x00000000007A0000-0x00000000007AA000-memory.dmp

memory/3472-22-0x00007FFD6E5B3000-0x00007FFD6E5B5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b4791839.exe

MD5 0b709099bf7962dc76d35605473338bd
SHA1 289263beab380d51c7a39ac1b6f9ea4b7fd5d637
SHA256 fc25b074739f7e60c0135646cc17b2cc63976dcf459d3ce86cf12235ae6fa483
SHA512 57a801b7bdbeaa269890bdefaae487117247389f4d57921af9e40b329da71d7dbea2f4f11038dfc3483ab36c86f22c5e38c9babf108d8265127e92d76ad9e990

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c1886683.exe

MD5 2f15badba6517410d55efa1738f8af01
SHA1 93259c2a88beb2efd789d2e175bb80550e73d3ad
SHA256 f0411dadb92a7778d5e59d3226cef80bdab49e4796b524bbe13340826d30eb7c
SHA512 e7e3a984e08c2c5a3ed4ee99f4f176219ae72ce38963a58d7a4505cbd82db2309742e2f61514755dbc621815ce2b8055c4f06a3a9f38eaa2cf0e86b755e8986e

memory/4968-40-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d1535399.exe

MD5 7e8c91b12710a7d96a786e0217b8fa77
SHA1 abb4dc437d3984044caa7780089547e47b81b61b
SHA256 2f35869a275c161caa2bf13bbdcaef03498f88d4b4e5bd813384539328e1e706
SHA512 6e8327a0c9304741870f4e3455280b22d0ca0136eaccfc9914b67b80f9dfabb89add86f42126b98f4909d83312b228d92ee9baacb0100fb5a8802b67723b0a10

memory/4776-44-0x0000000000500000-0x0000000000530000-memory.dmp

memory/4776-45-0x0000000004E60000-0x0000000004E66000-memory.dmp

memory/4776-46-0x000000000A980000-0x000000000AF98000-memory.dmp

memory/4776-47-0x000000000A4B0000-0x000000000A5BA000-memory.dmp

memory/4776-48-0x000000000A3F0000-0x000000000A402000-memory.dmp

memory/4776-49-0x000000000A450000-0x000000000A48C000-memory.dmp

memory/4776-50-0x0000000004960000-0x00000000049AC000-memory.dmp

Analysis: behavioral17

Detonation Overview

Submitted

2024-05-09 15:21

Reported

2024-05-09 15:24

Platform

win10v2004-20240508-en

Max time kernel

148s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a5bd0160df71694767fdadc369e0582970a1182d88c7fea774ca4d3bdb503e49.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a9717694.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a9717694.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b3967201.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b3967201.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b3967201.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b3967201.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a9717694.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a9717694.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a9717694.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a9717694.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b3967201.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b3967201.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b3967201.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a9717694.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a9717694.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\a5bd0160df71694767fdadc369e0582970a1182d88c7fea774ca4d3bdb503e49.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1914298.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4762413.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1073985.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a9717694.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b3967201.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1092 wrote to memory of 3452 N/A C:\Users\Admin\AppData\Local\Temp\a5bd0160df71694767fdadc369e0582970a1182d88c7fea774ca4d3bdb503e49.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1914298.exe
PID 1092 wrote to memory of 3452 N/A C:\Users\Admin\AppData\Local\Temp\a5bd0160df71694767fdadc369e0582970a1182d88c7fea774ca4d3bdb503e49.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1914298.exe
PID 1092 wrote to memory of 3452 N/A C:\Users\Admin\AppData\Local\Temp\a5bd0160df71694767fdadc369e0582970a1182d88c7fea774ca4d3bdb503e49.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1914298.exe
PID 3452 wrote to memory of 3836 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1914298.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4762413.exe
PID 3452 wrote to memory of 3836 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1914298.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4762413.exe
PID 3452 wrote to memory of 3836 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1914298.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4762413.exe
PID 3836 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4762413.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1073985.exe
PID 3836 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4762413.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1073985.exe
PID 3836 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4762413.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1073985.exe
PID 3064 wrote to memory of 3404 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1073985.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a9717694.exe
PID 3064 wrote to memory of 3404 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1073985.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a9717694.exe
PID 3064 wrote to memory of 3404 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1073985.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a9717694.exe
PID 3064 wrote to memory of 4324 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1073985.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b3967201.exe
PID 3064 wrote to memory of 4324 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1073985.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b3967201.exe
PID 3836 wrote to memory of 216 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4762413.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c2363283.exe
PID 3836 wrote to memory of 216 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4762413.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c2363283.exe
PID 3836 wrote to memory of 216 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4762413.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c2363283.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a5bd0160df71694767fdadc369e0582970a1182d88c7fea774ca4d3bdb503e49.exe

"C:\Users\Admin\AppData\Local\Temp\a5bd0160df71694767fdadc369e0582970a1182d88c7fea774ca4d3bdb503e49.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1914298.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1914298.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4762413.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4762413.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1073985.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1073985.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a9717694.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a9717694.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b3967201.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b3967201.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c2363283.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c2363283.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
BE 2.17.196.129:443 www.bing.com tcp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 129.196.17.2.in-addr.arpa udp
BE 2.17.196.129:443 www.bing.com tcp
FI 77.91.68.48:19071 tcp
FI 77.91.68.48:19071 tcp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
FI 77.91.68.48:19071 tcp
FI 77.91.68.48:19071 tcp
FI 77.91.68.48:19071 tcp
US 8.8.8.8:53 25.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1914298.exe

MD5 b23e03f55fb665ef3a7c1b59ba25905c
SHA1 aa41f769ab64582e1580634ecbb93413fe8faf01
SHA256 f384aa634281296fab2d70b2976f5f6ecd6d095088753ca0d9d9818b0ac8c90a
SHA512 9b09d2694a52d85f8600119740ccf5f376bc990e440fe2d5dd419e6d560d5604f87821eed040c3ef9cbc29cbe76e36f565808a3353f0303f9ac3182c8022b6f1

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4762413.exe

MD5 6e1ec15bc7923022df460c3b3717b9f1
SHA1 5ffe926fe0f7e839c1d92789c12a10bb36569fe5
SHA256 fba0fce9dbf4e0fb93079728682e5b253bdf24a5490d20850fe61e848a7652f3
SHA512 6a1588b3cfe74f8cd8d2056fbd5ed4aa0478f1010a1f4251a98ea07317f6a71b7bbbf0cd494d4684286a252b16d129256b509be7cc9a3fdb8d98fb2c699f501c

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1073985.exe

MD5 523410329da6810d2c34721fefeec97a
SHA1 4958236c7f287066d076053441437c844301108b
SHA256 f7082f4eb966435fac581a7d8229543628dba662c68ef5fe8d47ec47ea83f80b
SHA512 db15359004d1a72d2dc7c9784ad876a4b1fda6b14aca104faccd877d0094a5ff93740858f80de92af51f77bf1e1441ac0a2ba5eb5880066809208fa170a8a193

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a9717694.exe

MD5 473158cb77f1c5092427ace743c57e6a
SHA1 81cea8ee25a9d99f0e192a76b13703dfa53e9554
SHA256 c55380f69ac05a426382a0cac0fd03dfb9096a0342d30351c13040072a77a0c9
SHA512 5d66c4dfc312369c147cdb675700336139ca878ab5ab6ebb4f175010a8ee1040becba8b0a97c045cd874c01238b38f11e06d863bd2df89548bf3914282dc182b

memory/3404-28-0x0000000000530000-0x000000000053A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b3967201.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

memory/4324-37-0x0000000000EB0000-0x0000000000EBA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c2363283.exe

MD5 baf9493d9c73890f8d4f4f091fd9eca6
SHA1 f54abf5bf95c1f8483f5d32ee202b20dcdba29cc
SHA256 329ab5497737e82ec1b2d6d6f6942d674dbaa2199074baaacca5b09418131749
SHA512 f967a7db1ffbad2c720c179a2a2aa7b464fc1534bca41f4205d06094f2bb9ba4e83a374efafc8c2d422d243d50f0c22ab954f783c2c8dedec9bfd89d24a5d088

memory/216-42-0x00000000006C0000-0x00000000006F0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\System.dll.log

MD5 916851e072fbabc4796d8916c5131092
SHA1 d48a602229a690c512d5fdaf4c8d77547a88e7a2
SHA256 7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d
SHA512 07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

memory/216-47-0x0000000004960000-0x0000000004966000-memory.dmp

memory/216-48-0x0000000004AE0000-0x00000000050F8000-memory.dmp

memory/216-49-0x0000000005100000-0x000000000520A000-memory.dmp

memory/216-50-0x0000000005220000-0x0000000005232000-memory.dmp

memory/216-51-0x0000000005240000-0x000000000527C000-memory.dmp

memory/216-52-0x00000000052E0000-0x000000000532C000-memory.dmp

Analysis: behavioral22

Detonation Overview

Submitted

2024-05-09 15:21

Reported

2024-05-09 15:24

Platform

win10v2004-20240508-en

Max time kernel

148s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d637403a7a8d4f4e55e3bd56e000ee3668faae9137eaa6efbcd8dfdcc4744709.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\g1340199.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\d637403a7a8d4f4e55e3bd56e000ee3668faae9137eaa6efbcd8dfdcc4744709.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\d637403a7a8d4f4e55e3bd56e000ee3668faae9137eaa6efbcd8dfdcc4744709.exe

"C:\Users\Admin\AppData\Local\Temp\d637403a7a8d4f4e55e3bd56e000ee3668faae9137eaa6efbcd8dfdcc4744709.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\g1340199.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\g1340199.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
BE 2.17.196.113:443 www.bing.com tcp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
DE 217.196.96.56:4138 tcp
BE 2.17.196.113:443 www.bing.com tcp
US 8.8.8.8:53 113.196.17.2.in-addr.arpa udp
DE 217.196.96.56:4138 tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 24.121.18.2.in-addr.arpa udp
DE 217.196.96.56:4138 tcp
US 8.8.8.8:53 104.211.222.173.in-addr.arpa udp
DE 217.196.96.56:4138 tcp
DE 217.196.96.56:4138 tcp
DE 217.196.96.56:4138 tcp
US 8.8.8.8:53 214.143.182.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\g1340199.exe

MD5 1713407b17523d6fc4e5bb0c8224dc99
SHA1 a7d93f158db51fdae389110c4db7a09ac8e47857
SHA256 f56b8bee3041e40eb529a840f8eee89a536c282e29c5df448d6eee87bc87eda7
SHA512 dbd31ce690b92202ff507140a215abcb0f9f580afd288d2ac684233b67cc4f0d26d150c6e2986ccaba93f858cf62ee7ff455fc464ff5dc93725d7246e8d6c43b

memory/4428-7-0x00000000743CE000-0x00000000743CF000-memory.dmp

memory/4428-8-0x0000000000B30000-0x0000000000B60000-memory.dmp

memory/4428-9-0x0000000005350000-0x0000000005356000-memory.dmp

memory/4428-10-0x000000000AEB0000-0x000000000B4C8000-memory.dmp

memory/4428-11-0x000000000A9A0000-0x000000000AAAA000-memory.dmp

memory/4428-12-0x000000000A8D0000-0x000000000A8E2000-memory.dmp

memory/4428-13-0x00000000743C0000-0x0000000074B70000-memory.dmp

memory/4428-14-0x000000000A930000-0x000000000A96C000-memory.dmp

memory/4428-15-0x0000000002E00000-0x0000000002E4C000-memory.dmp

memory/4428-16-0x00000000743CE000-0x00000000743CF000-memory.dmp

memory/4428-17-0x00000000743C0000-0x0000000074B70000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-09 15:21

Reported

2024-05-09 15:24

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\15a93b61b0f1091ffed5e2a2a442e7fe5060b5674f75443efcb362de169b83e6.exe"

Signatures

Amadey

trojan amadey

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a3812480.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a3812480.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a3812480.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a3812480.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a3812480.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a3812480.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b7163822.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a3812480.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\15a93b61b0f1091ffed5e2a2a442e7fe5060b5674f75443efcb362de169b83e6.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1724091.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2093715.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c1316668.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c1316668.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c1316668.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a3812480.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a3812480.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a3812480.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4764 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\15a93b61b0f1091ffed5e2a2a442e7fe5060b5674f75443efcb362de169b83e6.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1724091.exe
PID 4764 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\15a93b61b0f1091ffed5e2a2a442e7fe5060b5674f75443efcb362de169b83e6.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1724091.exe
PID 4764 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\15a93b61b0f1091ffed5e2a2a442e7fe5060b5674f75443efcb362de169b83e6.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1724091.exe
PID 2764 wrote to memory of 436 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1724091.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2093715.exe
PID 2764 wrote to memory of 436 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1724091.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2093715.exe
PID 2764 wrote to memory of 436 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1724091.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2093715.exe
PID 436 wrote to memory of 440 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2093715.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a3812480.exe
PID 436 wrote to memory of 440 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2093715.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a3812480.exe
PID 436 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2093715.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b7163822.exe
PID 436 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2093715.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b7163822.exe
PID 436 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2093715.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b7163822.exe
PID 3016 wrote to memory of 3284 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b7163822.exe C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
PID 3016 wrote to memory of 3284 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b7163822.exe C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
PID 3016 wrote to memory of 3284 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b7163822.exe C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
PID 2764 wrote to memory of 4276 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1724091.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c1316668.exe
PID 2764 wrote to memory of 4276 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1724091.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c1316668.exe
PID 2764 wrote to memory of 4276 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1724091.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c1316668.exe
PID 4764 wrote to memory of 532 N/A C:\Users\Admin\AppData\Local\Temp\15a93b61b0f1091ffed5e2a2a442e7fe5060b5674f75443efcb362de169b83e6.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d7854914.exe
PID 4764 wrote to memory of 532 N/A C:\Users\Admin\AppData\Local\Temp\15a93b61b0f1091ffed5e2a2a442e7fe5060b5674f75443efcb362de169b83e6.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d7854914.exe
PID 4764 wrote to memory of 532 N/A C:\Users\Admin\AppData\Local\Temp\15a93b61b0f1091ffed5e2a2a442e7fe5060b5674f75443efcb362de169b83e6.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d7854914.exe
PID 3284 wrote to memory of 1560 N/A C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe C:\Windows\SysWOW64\schtasks.exe
PID 3284 wrote to memory of 1560 N/A C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe C:\Windows\SysWOW64\schtasks.exe
PID 3284 wrote to memory of 1560 N/A C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe C:\Windows\SysWOW64\schtasks.exe
PID 3284 wrote to memory of 1604 N/A C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe C:\Windows\SysWOW64\cmd.exe
PID 3284 wrote to memory of 1604 N/A C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe C:\Windows\SysWOW64\cmd.exe
PID 3284 wrote to memory of 1604 N/A C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe C:\Windows\SysWOW64\cmd.exe
PID 1604 wrote to memory of 4372 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1604 wrote to memory of 4372 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1604 wrote to memory of 4372 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1604 wrote to memory of 4956 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1604 wrote to memory of 4956 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1604 wrote to memory of 4956 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1604 wrote to memory of 4768 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1604 wrote to memory of 4768 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1604 wrote to memory of 4768 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1604 wrote to memory of 780 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1604 wrote to memory of 780 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1604 wrote to memory of 780 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1604 wrote to memory of 4116 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1604 wrote to memory of 4116 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1604 wrote to memory of 4116 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1604 wrote to memory of 4900 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1604 wrote to memory of 4900 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1604 wrote to memory of 4900 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe

Processes

C:\Users\Admin\AppData\Local\Temp\15a93b61b0f1091ffed5e2a2a442e7fe5060b5674f75443efcb362de169b83e6.exe

"C:\Users\Admin\AppData\Local\Temp\15a93b61b0f1091ffed5e2a2a442e7fe5060b5674f75443efcb362de169b83e6.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1724091.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1724091.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2093715.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2093715.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a3812480.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a3812480.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b7163822.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b7163822.exe

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

"C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe"

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c1316668.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c1316668.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d7854914.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d7854914.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN pdates.exe /TR "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "pdates.exe" /P "Admin:N"&&CACLS "pdates.exe" /P "Admin:R" /E&&echo Y|CACLS "..\925e7e99c5" /P "Admin:N"&&CACLS "..\925e7e99c5" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "pdates.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "pdates.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\925e7e99c5" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\925e7e99c5" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 136.136.73.23.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
BE 2.17.196.129:443 www.bing.com tcp
US 8.8.8.8:53 129.196.17.2.in-addr.arpa udp
FI 77.91.68.61:80 tcp
FI 77.91.124.84:19071 tcp
FI 77.91.124.84:19071 tcp
FI 77.91.68.61:80 tcp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
FI 77.91.124.84:19071 tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
FI 77.91.68.61:80 tcp
FI 77.91.124.84:19071 tcp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
FI 77.91.124.84:19071 tcp
FI 77.91.124.84:19071 tcp
US 8.8.8.8:53 udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1724091.exe

MD5 af7f218420e9d5ab1e99d3a642fafa8e
SHA1 f3349d96ab6bc892d7cb651ff82e74ca02010898
SHA256 919014d9f3842604a06a5615b7ed36159bcd3d060b3a93ded5eeab3089f68866
SHA512 f2a58c5e965a1aaefb8247e48a35082f6ed0686c26b37a68aac74937253ee367c18845518df621c998f32b8efbe99d5531f7208257484867d181c0b31d5dbbb7

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2093715.exe

MD5 13a95be0059026b0d0a1a37f4541b6d3
SHA1 96d00dcab1ae281291041f0ce384daa4aa070742
SHA256 00ebd65d5a46d5dddbf06c02fbf12ddb0446e06ad684d797ee6288a4b3343688
SHA512 1f2db2bc86a74eb29c974304cfabf6b2e7151ee920058462f4eec9d7f8202b5721e0a55e90534fbabac2ef33b2ca7e8739b2833e4579016ea7c98e710c95beb5

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a3812480.exe

MD5 abfb70b9f2fced3102c42d8a9c97f74b
SHA1 d4621e3bb842279fb9ec0e120d10dfca964f609e
SHA256 06cfc65a799b4e53e5f912662fa3e590a8a4da0b6bd09de279213d58d03da31f
SHA512 2fd8d741ce83adbd3e44ad434a1273ab169511531158bea4c40ee3bdddd79595850c696c7be85d005c8e344b1bddeb3fdbd8025b3e30896c183a0703998bc306

memory/440-22-0x00007FF96EC70000-0x00007FF96EE65000-memory.dmp

memory/440-21-0x00000000004A0000-0x00000000004AA000-memory.dmp

memory/440-24-0x00007FF96EC70000-0x00007FF96EE65000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b7163822.exe

MD5 f1a5715e12568b54b1c9835359977a39
SHA1 4fc97f1fe4084ec03141e4ca919c2cc48143b278
SHA256 ab8b6ab7718880f71f2aeec25021f6d0c992f0d6970e2ec34e7e017c6709e93c
SHA512 463fc82581cdab3c221a845a3725d0a8abf622a0dc663874a99ec9566c0df9ab52821cc29a518bc4e100344d3820e49b4c77a1348ec36d5b8f93d24e946e8d6c

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c1316668.exe

MD5 85315409731f32755d481a3ed2129e98
SHA1 b1370a7669f7a7db6e8d04601a3bc1a1cd4cc572
SHA256 9cc6b1048750a812d3e79d5d5c4bb93c51340cbd49aa4d401b3fe54c95cc7182
SHA512 3a30e302770dfe381a863ec362b6f6f97d6bd91df10b2792cc0627d3907f6b1a2c1978da564d9f29315a4841d40ba234aa873c18329708404c8d11b0de082909

memory/4276-40-0x0000000000400000-0x0000000000409000-memory.dmp

memory/4276-42-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d7854914.exe

MD5 b367b2922d12cf5ca9e99d8fc5eb23e1
SHA1 44c8b97486fd5c2444664e3ea72b8cd4e5a293f2
SHA256 f0b29ee081c3f90fd394305fff6eee553374695425ed23d234042e0bcf98e1d1
SHA512 1a28fb764268ae0c9d34e8b54075d3eec6a6d252c2883a2b0b4e3ebd502231b69b0532c8ab229b9e604b94c73de171f7b215eb9ec95848f3b790876a900ffa57

memory/532-46-0x0000000000C20000-0x0000000000C50000-memory.dmp

memory/532-47-0x00000000078D0000-0x00000000078D6000-memory.dmp

memory/532-48-0x0000000005B70000-0x0000000006188000-memory.dmp

memory/532-49-0x0000000005660000-0x000000000576A000-memory.dmp

memory/532-50-0x00000000055A0000-0x00000000055B2000-memory.dmp

memory/532-51-0x0000000005600000-0x000000000563C000-memory.dmp

memory/532-52-0x0000000005770000-0x00000000057BC000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-09 15:21

Reported

2024-05-09 15:24

Platform

win7-20240221-en

Max time kernel

122s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\209703dd4d6bb2be31fbd67713bc66dc1dd589baac7c01ca04d37e7c8d823793.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\209703dd4d6bb2be31fbd67713bc66dc1dd589baac7c01ca04d37e7c8d823793.exe

"C:\Users\Admin\AppData\Local\Temp\209703dd4d6bb2be31fbd67713bc66dc1dd589baac7c01ca04d37e7c8d823793.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2032 -s 116

Network

N/A

Files

memory/2032-0-0x00000000010EA000-0x00000000010EB000-memory.dmp

Analysis: behavioral7

Detonation Overview

Submitted

2024-05-09 15:21

Reported

2024-05-09 15:24

Platform

win7-20240221-en

Max time kernel

120s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\613e8de3b5eba303bd2dc0b5d2f2f3df3586c0f63c31eb1f2c60f4e30e70dda6.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\613e8de3b5eba303bd2dc0b5d2f2f3df3586c0f63c31eb1f2c60f4e30e70dda6.exe

"C:\Users\Admin\AppData\Local\Temp\613e8de3b5eba303bd2dc0b5d2f2f3df3586c0f63c31eb1f2c60f4e30e70dda6.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1412 -s 116

Network

N/A

Files

memory/1412-0-0x00000000012C6000-0x00000000012C7000-memory.dmp

Analysis: behavioral16

Detonation Overview

Submitted

2024-05-09 15:21

Reported

2024-05-09 15:24

Platform

win10v2004-20240508-en

Max time kernel

142s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9cb8e2b1548adfff7c012acfadb576ae6e5f0fdcfc0942eeb26b4c9fb8613e93.exe"

Signatures

Amadey

trojan amadey

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k6501916.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k6501916.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k6501916.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k6501916.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k6501916.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k6501916.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l7904425.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k6501916.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\9cb8e2b1548adfff7c012acfadb576ae6e5f0fdcfc0942eeb26b4c9fb8613e93.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6082825.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k6501916.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k6501916.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k6501916.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 696 wrote to memory of 3772 N/A C:\Users\Admin\AppData\Local\Temp\9cb8e2b1548adfff7c012acfadb576ae6e5f0fdcfc0942eeb26b4c9fb8613e93.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6082825.exe
PID 696 wrote to memory of 3772 N/A C:\Users\Admin\AppData\Local\Temp\9cb8e2b1548adfff7c012acfadb576ae6e5f0fdcfc0942eeb26b4c9fb8613e93.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6082825.exe
PID 696 wrote to memory of 3772 N/A C:\Users\Admin\AppData\Local\Temp\9cb8e2b1548adfff7c012acfadb576ae6e5f0fdcfc0942eeb26b4c9fb8613e93.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6082825.exe
PID 3772 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6082825.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k6501916.exe
PID 3772 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6082825.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k6501916.exe
PID 3772 wrote to memory of 1056 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6082825.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l7904425.exe
PID 3772 wrote to memory of 1056 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6082825.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l7904425.exe
PID 3772 wrote to memory of 1056 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6082825.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l7904425.exe
PID 1056 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l7904425.exe C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
PID 1056 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l7904425.exe C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
PID 1056 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l7904425.exe C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
PID 696 wrote to memory of 1628 N/A C:\Users\Admin\AppData\Local\Temp\9cb8e2b1548adfff7c012acfadb576ae6e5f0fdcfc0942eeb26b4c9fb8613e93.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n4866427.exe
PID 696 wrote to memory of 1628 N/A C:\Users\Admin\AppData\Local\Temp\9cb8e2b1548adfff7c012acfadb576ae6e5f0fdcfc0942eeb26b4c9fb8613e93.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n4866427.exe
PID 696 wrote to memory of 1628 N/A C:\Users\Admin\AppData\Local\Temp\9cb8e2b1548adfff7c012acfadb576ae6e5f0fdcfc0942eeb26b4c9fb8613e93.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n4866427.exe
PID 2304 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe C:\Windows\SysWOW64\schtasks.exe
PID 2304 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe C:\Windows\SysWOW64\schtasks.exe
PID 2304 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe C:\Windows\SysWOW64\schtasks.exe
PID 2304 wrote to memory of 232 N/A C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe C:\Windows\SysWOW64\cmd.exe
PID 2304 wrote to memory of 232 N/A C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe C:\Windows\SysWOW64\cmd.exe
PID 2304 wrote to memory of 232 N/A C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe C:\Windows\SysWOW64\cmd.exe
PID 232 wrote to memory of 528 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 232 wrote to memory of 528 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 232 wrote to memory of 528 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 232 wrote to memory of 4648 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 232 wrote to memory of 4648 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 232 wrote to memory of 4648 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 232 wrote to memory of 3704 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 232 wrote to memory of 3704 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 232 wrote to memory of 3704 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 232 wrote to memory of 3084 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 232 wrote to memory of 3084 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 232 wrote to memory of 3084 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 232 wrote to memory of 4756 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 232 wrote to memory of 4756 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 232 wrote to memory of 4756 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 232 wrote to memory of 3496 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 232 wrote to memory of 3496 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 232 wrote to memory of 3496 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe

Processes

C:\Users\Admin\AppData\Local\Temp\9cb8e2b1548adfff7c012acfadb576ae6e5f0fdcfc0942eeb26b4c9fb8613e93.exe

"C:\Users\Admin\AppData\Local\Temp\9cb8e2b1548adfff7c012acfadb576ae6e5f0fdcfc0942eeb26b4c9fb8613e93.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6082825.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6082825.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k6501916.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k6501916.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l7904425.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l7904425.exe

C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe

"C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n4866427.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n4866427.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN danke.exe /TR "C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "danke.exe" /P "Admin:N"&&CACLS "danke.exe" /P "Admin:R" /E&&echo Y|CACLS "..\3ec1f323b5" /P "Admin:N"&&CACLS "..\3ec1f323b5" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "danke.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "danke.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\3ec1f323b5" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\3ec1f323b5" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe

C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe

C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe

C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
BE 2.17.196.113:443 www.bing.com tcp
BE 2.17.196.113:443 www.bing.com tcp
US 8.8.8.8:53 136.136.73.23.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 113.196.17.2.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
FI 77.91.68.3:80 tcp
FI 77.91.68.68:19071 tcp
FI 77.91.68.68:19071 tcp
FI 77.91.68.3:80 tcp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
FI 77.91.68.68:19071 tcp
FI 77.91.68.3:80 tcp
FI 77.91.68.68:19071 tcp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
FI 77.91.68.3:80 tcp
FI 77.91.68.68:19071 tcp
FI 77.91.68.3:80 tcp
FI 77.91.68.68:19071 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6082825.exe

MD5 562a2542bce75ba323abcd92a9d5aba2
SHA1 b8c47d237b46c0af3ffc8f98d859249c0e9dd3f5
SHA256 2bd43fcb209ce923405245e7e9bdaf9c5c8de317f17cbf410466b9d9b754e21f
SHA512 1eafab6c9c080bbd814a18726635f8455d21d58e292aa7bbe87fc519c6e3f6663028a6a2a452cbd6f27a114cc44c8ad97bdd5ddcd81c5ee3ece6c2ef3c64ef99

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k6501916.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

memory/2456-15-0x00007FFA70A83000-0x00007FFA70A85000-memory.dmp

memory/2456-14-0x0000000000150000-0x000000000015A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l7904425.exe

MD5 8c6b79ec436d7cf6950a804c1ec7d3e9
SHA1 4a589d5605d8ef785fdc78b0bf64e769e3a21ad6
SHA256 4e1377f9874f333dcb0b1b758e3131949e667fc39aadf3091e4e3b7cdbaeef1d
SHA512 06f2de433876963bb7bbddbe93cab0b7dd22164d1c10726294445944dcf5fa4a0fb450fc683c32565177a81a6103f6a5f11d291958bc7fcff7fdb9cf41a001ce

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n4866427.exe

MD5 58b7dd067d533e8f280dba6b7b4b18c0
SHA1 9a038951ba4f7aa041d5a0f2de720c5e8330d1ea
SHA256 dd832f3331bdad53a3aebd7df112fa6344cf5620bb757e238af222fa2c2ffdd9
SHA512 1bd6b9501e73d5be4c67717a72b6a90d7acac77c2a7129092abda49fb1b70dce4d7541d4321235d4653ff51b1b2d4c4f68c5ba96cd784db14c80cf3b42e2863c

memory/1628-33-0x0000000000BB0000-0x0000000000BE0000-memory.dmp

memory/1628-34-0x0000000007820000-0x0000000007826000-memory.dmp

memory/1628-35-0x0000000005AC0000-0x00000000060D8000-memory.dmp

memory/1628-36-0x00000000055F0000-0x00000000056FA000-memory.dmp

memory/1628-37-0x0000000005530000-0x0000000005542000-memory.dmp

memory/1628-38-0x0000000005590000-0x00000000055CC000-memory.dmp

memory/1628-39-0x0000000005700000-0x000000000574C000-memory.dmp

Analysis: behavioral18

Detonation Overview

Submitted

2024-05-09 15:21

Reported

2024-05-09 15:24

Platform

win10v2004-20240426-en

Max time kernel

143s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a62a548ffb1dcb9166d2336968bea9011a44039f391a1a7ef70364f4a0e131a0.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a9751033.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\b2585981.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\a62a548ffb1dcb9166d2336968bea9011a44039f391a1a7ef70364f4a0e131a0.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 512 wrote to memory of 4740 N/A C:\Users\Admin\AppData\Local\Temp\a62a548ffb1dcb9166d2336968bea9011a44039f391a1a7ef70364f4a0e131a0.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a9751033.exe
PID 512 wrote to memory of 4740 N/A C:\Users\Admin\AppData\Local\Temp\a62a548ffb1dcb9166d2336968bea9011a44039f391a1a7ef70364f4a0e131a0.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a9751033.exe
PID 512 wrote to memory of 4740 N/A C:\Users\Admin\AppData\Local\Temp\a62a548ffb1dcb9166d2336968bea9011a44039f391a1a7ef70364f4a0e131a0.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a9751033.exe
PID 4740 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a9751033.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4740 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a9751033.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4740 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a9751033.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4740 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a9751033.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4740 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a9751033.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 512 wrote to memory of 5104 N/A C:\Users\Admin\AppData\Local\Temp\a62a548ffb1dcb9166d2336968bea9011a44039f391a1a7ef70364f4a0e131a0.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\b2585981.exe
PID 512 wrote to memory of 5104 N/A C:\Users\Admin\AppData\Local\Temp\a62a548ffb1dcb9166d2336968bea9011a44039f391a1a7ef70364f4a0e131a0.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\b2585981.exe
PID 512 wrote to memory of 5104 N/A C:\Users\Admin\AppData\Local\Temp\a62a548ffb1dcb9166d2336968bea9011a44039f391a1a7ef70364f4a0e131a0.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\b2585981.exe
PID 5104 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\b2585981.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 5104 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\b2585981.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 5104 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\b2585981.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 5104 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\b2585981.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 5104 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\b2585981.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a62a548ffb1dcb9166d2336968bea9011a44039f391a1a7ef70364f4a0e131a0.exe

"C:\Users\Admin\AppData\Local\Temp\a62a548ffb1dcb9166d2336968bea9011a44039f391a1a7ef70364f4a0e131a0.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a9751033.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a9751033.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4740 -ip 4740

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4740 -s 152

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\b2585981.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\b2585981.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 5104 -ip 5104

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5104 -s 152

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 45.56.20.217.in-addr.arpa udp
RU 83.97.73.129:19068 tcp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
BE 2.17.196.91:443 www.bing.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 91.196.17.2.in-addr.arpa udp
BE 2.17.196.91:443 www.bing.com tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
RU 83.97.73.129:19068 tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 24.121.18.2.in-addr.arpa udp
RU 83.97.73.129:19068 tcp
US 8.8.8.8:53 104.211.222.173.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
RU 83.97.73.129:19068 tcp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
RU 83.97.73.129:19068 tcp
RU 83.97.73.129:19068 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a9751033.exe

MD5 c0e3f771bcbb789d734e7d3e1b1f4e65
SHA1 02e6e5e508188955181ac98bb1b9c414d2c1aa9e
SHA256 53b6f1fa7f2466210d99ea5bba427014f08b5656339d05d1dc0d120b7c6a3b02
SHA512 c983b76772a50aece42107a39c828abfa768fc33c8865df73de57e1beca2919e8cc7b8afe1d5ae3e7556273519e311d5e49ed6d52eaf895c3c3d7c34608d2118

memory/4740-7-0x0000000000177000-0x0000000000178000-memory.dmp

memory/2748-8-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2748-13-0x0000000073F2E000-0x0000000073F2F000-memory.dmp

memory/2748-14-0x0000000002BE0000-0x0000000002BE6000-memory.dmp

memory/2748-15-0x000000000AE10000-0x000000000B428000-memory.dmp

memory/2748-16-0x000000000A900000-0x000000000AA0A000-memory.dmp

memory/2748-18-0x000000000A7F0000-0x000000000A802000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\b2585981.exe

MD5 cd5a529d645436b72dc72ebc19950ef3
SHA1 5f571b5fce5b5e210e812e28dad02b80bb1f5d80
SHA256 887d08bb7735494fa22a46935055d0c2d612f70e97ecdd07bccf427d8e49efa3
SHA512 b314a9d61340e1cafd67aef45b5151721a6100ca0f7d6ec787e4fc4d83d1cdb571cfafcd1cc1cee681f3016bfb3fc8074681633607221711163e7da2c2e6b123

memory/2748-20-0x000000000A850000-0x000000000A88C000-memory.dmp

memory/2748-21-0x0000000073F20000-0x00000000746D0000-memory.dmp

memory/2340-23-0x0000000000400000-0x000000000040A000-memory.dmp

memory/2748-28-0x0000000004D50000-0x0000000004D9C000-memory.dmp

memory/2748-30-0x0000000073F2E000-0x0000000073F2F000-memory.dmp

memory/2748-31-0x0000000073F20000-0x00000000746D0000-memory.dmp

Analysis: behavioral19

Detonation Overview

Submitted

2024-05-09 15:21

Reported

2024-05-09 15:24

Platform

win10v2004-20240226-en

Max time kernel

151s

Max time network

161s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bfe644d3bd33f0f28361b0b64f6fba6444cbce7ffc0fb0746a6226305bffb229.exe"

Signatures

Amadey

trojan amadey

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4194493.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4194493.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4194493.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4194493.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4194493.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4194493.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l4381627.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4194493.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2494307.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\bfe644d3bd33f0f28361b0b64f6fba6444cbce7ffc0fb0746a6226305bffb229.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4194493.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4194493.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4194493.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l4381627.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2332 wrote to memory of 4576 N/A C:\Users\Admin\AppData\Local\Temp\bfe644d3bd33f0f28361b0b64f6fba6444cbce7ffc0fb0746a6226305bffb229.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2494307.exe
PID 2332 wrote to memory of 4576 N/A C:\Users\Admin\AppData\Local\Temp\bfe644d3bd33f0f28361b0b64f6fba6444cbce7ffc0fb0746a6226305bffb229.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2494307.exe
PID 2332 wrote to memory of 4576 N/A C:\Users\Admin\AppData\Local\Temp\bfe644d3bd33f0f28361b0b64f6fba6444cbce7ffc0fb0746a6226305bffb229.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2494307.exe
PID 4576 wrote to memory of 4628 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2494307.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4194493.exe
PID 4576 wrote to memory of 4628 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2494307.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4194493.exe
PID 4576 wrote to memory of 1400 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2494307.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l4381627.exe
PID 4576 wrote to memory of 1400 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2494307.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l4381627.exe
PID 4576 wrote to memory of 1400 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2494307.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l4381627.exe
PID 1400 wrote to memory of 3996 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l4381627.exe C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
PID 1400 wrote to memory of 3996 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l4381627.exe C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
PID 1400 wrote to memory of 3996 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l4381627.exe C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
PID 2332 wrote to memory of 1328 N/A C:\Users\Admin\AppData\Local\Temp\bfe644d3bd33f0f28361b0b64f6fba6444cbce7ffc0fb0746a6226305bffb229.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n0777759.exe
PID 2332 wrote to memory of 1328 N/A C:\Users\Admin\AppData\Local\Temp\bfe644d3bd33f0f28361b0b64f6fba6444cbce7ffc0fb0746a6226305bffb229.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n0777759.exe
PID 2332 wrote to memory of 1328 N/A C:\Users\Admin\AppData\Local\Temp\bfe644d3bd33f0f28361b0b64f6fba6444cbce7ffc0fb0746a6226305bffb229.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n0777759.exe
PID 3996 wrote to memory of 1332 N/A C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe C:\Windows\SysWOW64\schtasks.exe
PID 3996 wrote to memory of 1332 N/A C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe C:\Windows\SysWOW64\schtasks.exe
PID 3996 wrote to memory of 1332 N/A C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe C:\Windows\SysWOW64\schtasks.exe
PID 3996 wrote to memory of 1976 N/A C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe C:\Windows\SysWOW64\cmd.exe
PID 3996 wrote to memory of 1976 N/A C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe C:\Windows\SysWOW64\cmd.exe
PID 3996 wrote to memory of 1976 N/A C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe C:\Windows\SysWOW64\cmd.exe
PID 1976 wrote to memory of 4916 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1976 wrote to memory of 4916 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1976 wrote to memory of 4916 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1976 wrote to memory of 656 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1976 wrote to memory of 656 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1976 wrote to memory of 656 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1976 wrote to memory of 3868 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1976 wrote to memory of 3868 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1976 wrote to memory of 3868 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1976 wrote to memory of 3552 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1976 wrote to memory of 3552 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1976 wrote to memory of 3552 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1976 wrote to memory of 3964 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1976 wrote to memory of 3964 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1976 wrote to memory of 3964 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1976 wrote to memory of 2516 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1976 wrote to memory of 2516 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1976 wrote to memory of 2516 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe

Processes

C:\Users\Admin\AppData\Local\Temp\bfe644d3bd33f0f28361b0b64f6fba6444cbce7ffc0fb0746a6226305bffb229.exe

"C:\Users\Admin\AppData\Local\Temp\bfe644d3bd33f0f28361b0b64f6fba6444cbce7ffc0fb0746a6226305bffb229.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2494307.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2494307.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4194493.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4194493.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l4381627.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l4381627.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4048 --field-trial-handle=3060,i,1774866140584649235,8085848018931772189,262144 --variations-seed-version /prefetch:8

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

"C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN pdates.exe /TR "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe" /F

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n0777759.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n0777759.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "pdates.exe" /P "Admin:N"&&CACLS "pdates.exe" /P "Admin:R" /E&&echo Y|CACLS "..\925e7e99c5" /P "Admin:N"&&CACLS "..\925e7e99c5" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "pdates.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "pdates.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\925e7e99c5" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\925e7e99c5" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

Network

Country Destination Domain Proto
GB 142.250.200.42:443 tcp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 13.107.246.64:443 tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 31.121.18.2.in-addr.arpa udp
FI 77.91.68.61:80 tcp
FI 77.91.124.84:19071 tcp
FI 77.91.68.61:80 tcp
FI 77.91.124.84:19071 tcp
FI 77.91.68.61:80 tcp
FI 77.91.124.84:19071 tcp
US 8.8.8.8:53 3.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2494307.exe

MD5 c595e391a6c2d8292b85ce9a79fa9883
SHA1 97d613132aa62df943470481766f3d5601a29b17
SHA256 11bbce44c061f0fbfcb9264c7f5255414bbe4e23988aa79e6f132d07ea498653
SHA512 046a14c4537530d56cafac2608a9199cc8ec0287922f136d06768fde086e0efbe70c08fce9532be168b8f1537e81fe1be1383affede1ee6adfa64f6de5e438a5

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4194493.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

memory/4628-14-0x00007FFA360F3000-0x00007FFA360F5000-memory.dmp

memory/4628-15-0x0000000000C20000-0x0000000000C2A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l4381627.exe

MD5 aea234064483f651010cf9d981f59fea
SHA1 002ad73a666d2d92d0c6d6b617e61c6fa0c5f3a6
SHA256 58b02c8b4bc2bf7f5f1e8e45d7c206956f188ae56b648922ca75987b999db503
SHA512 eae415ef55aeb1b4548c2422a72e618fce17c2c1322918d33dc6b9202a01c743a5684ba28e5d83b6cdb2b703bc12569e6bb0e87ef2decb4e8a18592e1380a434

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n0777759.exe

MD5 aaf6bfab945e6d0876f5ad39b900a0a1
SHA1 961f4b11b2e842899251859736529041cb7b2d40
SHA256 a67205ca871f9e817c446f8902e781b5fa730f7715640426171af105ffb5cf87
SHA512 027211fda3063e2f5d96b7ff4627af0cb5e351cf1fc215a33651f8d6d120273f03496603ee15dc7256845958af1888f5f7b7d9ba835ad9f5822ffbd13233be79

memory/1328-33-0x0000000000060000-0x0000000000090000-memory.dmp

memory/1328-34-0x0000000002430000-0x0000000002436000-memory.dmp

memory/1328-35-0x000000000A500000-0x000000000AB18000-memory.dmp

memory/1328-36-0x000000000A010000-0x000000000A11A000-memory.dmp

memory/1328-37-0x0000000009F50000-0x0000000009F62000-memory.dmp

memory/1328-38-0x0000000009FB0000-0x0000000009FEC000-memory.dmp

memory/1328-39-0x000000000A120000-0x000000000A16C000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-05-09 15:21

Reported

2024-05-09 15:24

Platform

win10v2004-20240426-en

Max time kernel

136s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\209703dd4d6bb2be31fbd67713bc66dc1dd589baac7c01ca04d37e7c8d823793.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2168 set thread context of 4012 N/A C:\Users\Admin\AppData\Local\Temp\209703dd4d6bb2be31fbd67713bc66dc1dd589baac7c01ca04d37e7c8d823793.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2168 wrote to memory of 4012 N/A C:\Users\Admin\AppData\Local\Temp\209703dd4d6bb2be31fbd67713bc66dc1dd589baac7c01ca04d37e7c8d823793.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2168 wrote to memory of 4012 N/A C:\Users\Admin\AppData\Local\Temp\209703dd4d6bb2be31fbd67713bc66dc1dd589baac7c01ca04d37e7c8d823793.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2168 wrote to memory of 4012 N/A C:\Users\Admin\AppData\Local\Temp\209703dd4d6bb2be31fbd67713bc66dc1dd589baac7c01ca04d37e7c8d823793.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2168 wrote to memory of 4012 N/A C:\Users\Admin\AppData\Local\Temp\209703dd4d6bb2be31fbd67713bc66dc1dd589baac7c01ca04d37e7c8d823793.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2168 wrote to memory of 4012 N/A C:\Users\Admin\AppData\Local\Temp\209703dd4d6bb2be31fbd67713bc66dc1dd589baac7c01ca04d37e7c8d823793.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2168 wrote to memory of 4012 N/A C:\Users\Admin\AppData\Local\Temp\209703dd4d6bb2be31fbd67713bc66dc1dd589baac7c01ca04d37e7c8d823793.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2168 wrote to memory of 4012 N/A C:\Users\Admin\AppData\Local\Temp\209703dd4d6bb2be31fbd67713bc66dc1dd589baac7c01ca04d37e7c8d823793.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2168 wrote to memory of 4012 N/A C:\Users\Admin\AppData\Local\Temp\209703dd4d6bb2be31fbd67713bc66dc1dd589baac7c01ca04d37e7c8d823793.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Processes

C:\Users\Admin\AppData\Local\Temp\209703dd4d6bb2be31fbd67713bc66dc1dd589baac7c01ca04d37e7c8d823793.exe

"C:\Users\Admin\AppData\Local\Temp\209703dd4d6bb2be31fbd67713bc66dc1dd589baac7c01ca04d37e7c8d823793.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2168 -ip 2168

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2168 -s 332

Network

Country Destination Domain Proto
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 172.67.19.24:443 pastebin.com tcp
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 omnomnom.top udp
US 204.79.197.237:443 g.bing.com tcp
DE 195.201.252.28:443 omnomnom.top tcp
US 8.8.8.8:53 24.19.67.172.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
BE 2.17.196.113:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 28.252.201.195.in-addr.arpa udp
US 8.8.8.8:53 113.196.17.2.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
BE 2.17.196.113:443 www.bing.com tcp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 24.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp

Files

memory/2168-0-0x000000000088A000-0x000000000088B000-memory.dmp

memory/4012-1-0x0000000000400000-0x0000000000422000-memory.dmp

memory/4012-2-0x000000007474E000-0x000000007474F000-memory.dmp

memory/4012-3-0x0000000005060000-0x00000000050C6000-memory.dmp

memory/4012-4-0x0000000005B30000-0x0000000006148000-memory.dmp

memory/4012-5-0x0000000005580000-0x0000000005592000-memory.dmp

memory/4012-6-0x00000000056B0000-0x00000000057BA000-memory.dmp

memory/4012-7-0x0000000074740000-0x0000000074EF0000-memory.dmp

memory/4012-8-0x0000000006390000-0x00000000063CC000-memory.dmp

memory/4012-9-0x00000000063D0000-0x000000000641C000-memory.dmp

memory/4012-10-0x00000000066F0000-0x00000000068B2000-memory.dmp

memory/4012-11-0x0000000006DF0000-0x000000000731C000-memory.dmp

memory/4012-12-0x00000000068C0000-0x0000000006952000-memory.dmp

memory/4012-13-0x00000000078D0000-0x0000000007E74000-memory.dmp

memory/4012-14-0x0000000006960000-0x00000000069B0000-memory.dmp

memory/4012-15-0x0000000006A90000-0x0000000006B06000-memory.dmp

memory/4012-16-0x00000000069E0000-0x00000000069FE000-memory.dmp

memory/4012-18-0x0000000074740000-0x0000000074EF0000-memory.dmp

Analysis: behavioral13

Detonation Overview

Submitted

2024-05-09 15:21

Reported

2024-05-09 15:24

Platform

win10v2004-20240508-en

Max time kernel

142s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7b57226b37b29e8c8fc26bb0a8f5f069da16548a19709cb24661efa4e037303e.exe"

Signatures

Amadey

trojan amadey

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a4106329.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a4106329.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a4106329.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a4106329.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a4106329.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a4106329.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b5418397.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a4106329.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\7b57226b37b29e8c8fc26bb0a8f5f069da16548a19709cb24661efa4e037303e.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9388032.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8945346.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c1541210.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c1541210.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c1541210.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a4106329.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2476 wrote to memory of 3864 N/A C:\Users\Admin\AppData\Local\Temp\7b57226b37b29e8c8fc26bb0a8f5f069da16548a19709cb24661efa4e037303e.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9388032.exe
PID 2476 wrote to memory of 3864 N/A C:\Users\Admin\AppData\Local\Temp\7b57226b37b29e8c8fc26bb0a8f5f069da16548a19709cb24661efa4e037303e.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9388032.exe
PID 2476 wrote to memory of 3864 N/A C:\Users\Admin\AppData\Local\Temp\7b57226b37b29e8c8fc26bb0a8f5f069da16548a19709cb24661efa4e037303e.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9388032.exe
PID 3864 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9388032.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8945346.exe
PID 3864 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9388032.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8945346.exe
PID 3864 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9388032.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8945346.exe
PID 2920 wrote to memory of 212 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8945346.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a4106329.exe
PID 2920 wrote to memory of 212 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8945346.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a4106329.exe
PID 2920 wrote to memory of 728 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8945346.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b5418397.exe
PID 2920 wrote to memory of 728 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8945346.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b5418397.exe
PID 2920 wrote to memory of 728 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8945346.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b5418397.exe
PID 728 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b5418397.exe C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
PID 728 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b5418397.exe C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
PID 728 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b5418397.exe C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
PID 3864 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9388032.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c1541210.exe
PID 3864 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9388032.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c1541210.exe
PID 3864 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9388032.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c1541210.exe
PID 2476 wrote to memory of 3684 N/A C:\Users\Admin\AppData\Local\Temp\7b57226b37b29e8c8fc26bb0a8f5f069da16548a19709cb24661efa4e037303e.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d4653379.exe
PID 2476 wrote to memory of 3684 N/A C:\Users\Admin\AppData\Local\Temp\7b57226b37b29e8c8fc26bb0a8f5f069da16548a19709cb24661efa4e037303e.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d4653379.exe
PID 2476 wrote to memory of 3684 N/A C:\Users\Admin\AppData\Local\Temp\7b57226b37b29e8c8fc26bb0a8f5f069da16548a19709cb24661efa4e037303e.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d4653379.exe
PID 2500 wrote to memory of 1528 N/A C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe C:\Windows\SysWOW64\schtasks.exe
PID 2500 wrote to memory of 1528 N/A C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe C:\Windows\SysWOW64\schtasks.exe
PID 2500 wrote to memory of 1528 N/A C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe C:\Windows\SysWOW64\schtasks.exe
PID 2500 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe C:\Windows\SysWOW64\cmd.exe
PID 2500 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe C:\Windows\SysWOW64\cmd.exe
PID 2500 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe C:\Windows\SysWOW64\cmd.exe
PID 2944 wrote to memory of 3720 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2944 wrote to memory of 3720 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2944 wrote to memory of 3720 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2944 wrote to memory of 4956 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2944 wrote to memory of 4956 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2944 wrote to memory of 4956 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2944 wrote to memory of 2640 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2944 wrote to memory of 2640 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2944 wrote to memory of 2640 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2944 wrote to memory of 5028 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2944 wrote to memory of 5028 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2944 wrote to memory of 5028 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2944 wrote to memory of 1244 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2944 wrote to memory of 1244 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2944 wrote to memory of 1244 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2944 wrote to memory of 1692 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2944 wrote to memory of 1692 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2944 wrote to memory of 1692 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe

Processes

C:\Users\Admin\AppData\Local\Temp\7b57226b37b29e8c8fc26bb0a8f5f069da16548a19709cb24661efa4e037303e.exe

"C:\Users\Admin\AppData\Local\Temp\7b57226b37b29e8c8fc26bb0a8f5f069da16548a19709cb24661efa4e037303e.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9388032.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9388032.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8945346.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8945346.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a4106329.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a4106329.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4216,i,14486271492189381216,15799931579469722648,262144 --variations-seed-version --mojo-platform-channel-handle=4072 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b5418397.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b5418397.exe

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

"C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe"

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c1541210.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c1541210.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d4653379.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d4653379.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN pdates.exe /TR "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "pdates.exe" /P "Admin:N"&&CACLS "pdates.exe" /P "Admin:R" /E&&echo Y|CACLS "..\925e7e99c5" /P "Admin:N"&&CACLS "..\925e7e99c5" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "pdates.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "pdates.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\925e7e99c5" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\925e7e99c5" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
BE 2.17.196.91:443 www.bing.com tcp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 204.79.197.237:443 g.bing.com tcp
BE 2.17.196.91:443 www.bing.com tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 91.196.17.2.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
FI 77.91.68.61:80 tcp
FI 77.91.124.84:19071 tcp
FI 77.91.124.84:19071 tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
FI 77.91.68.61:80 tcp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
FI 77.91.124.84:19071 tcp
FI 77.91.68.61:80 tcp
FI 77.91.124.84:19071 tcp
FI 77.91.124.84:19071 tcp
FI 77.91.124.84:19071 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9388032.exe

MD5 c83f9d17470f70d854cf61584b7b9d6b
SHA1 008b2d72fc7bb5880133cff8da93940f6f27ee9d
SHA256 5be7d8a73a15ef936280f0c027d3589377bae3c537abc8fc3b7afdfd10760df6
SHA512 4281a3717d4ac4b62489e6477a9ea1dc458ddfefa5620c91b062cf88c67aa2e89a0449849a82dbdd107f4624b9a60fe22437e9ed1ae00b8e2fc338f22b0a70fc

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8945346.exe

MD5 ae04ae8f82ef7c5c18a122e988955911
SHA1 f9d4e359e3d606ecba052f1ad164032f3ea3508a
SHA256 07d79376f4928c9646f92b27bb20846aa423bcdc7449d9e62536c32c668b7796
SHA512 ab110f326e1e8f00191dba0712e04020ff1e8d1dc89b144a14572b00b2a9e883d1b0ce088a2235186a8221ee92ecd84fe396f8847386c01976f7bf4c909cc0dc

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a4106329.exe

MD5 692007d2606bdf905dcb3bb4b84cbc62
SHA1 0fdf5885f237df7c841080dd84aa17007bd8b3a8
SHA256 d04192febd6695ec19e9b9e81ba4c645e52543959784fe2e5bf709a640911618
SHA512 b5b140855638d16aa07f480cf65fcf22dca75126c1158c4967255ae5024ee600d7210eca10318e6f7fb4829d9097e72a055fd5fc81d0f8c0eb33b717856dfcd5

memory/212-21-0x0000000000F40000-0x0000000000F4A000-memory.dmp

memory/212-22-0x00007FFF15BE3000-0x00007FFF15BE5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b5418397.exe

MD5 0b906be516f3f396f75658e1cf9575ab
SHA1 3111e750196ca48bd29d0390e54bf9d11785de9c
SHA256 08d1cc127541e1e558cb004b7c53e3808c41970b0b7645ea0b74d134cda2125f
SHA512 5bc965f3cae439d9dd47b8449e26b9ad1aa6214395a601a713bb2c00f23f22a2b64e54323f052ef3e1e3948eed48346de754b30ed8dff5c97978e38894baafb4

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c1541210.exe

MD5 fd17878796266b1fb103f7f9f25c6465
SHA1 afb817e72c5ebeebaecb23d78f354ae042c493fc
SHA256 c4ec40856d6f3fcbb8e3913a8e6e796182ef0c15024e3bd297ed75396b317e61
SHA512 0796bf8724f391d7d7aa2bb7b3303cfa55ba9a5ff3bc55d8de10f319d72523b2e0098b80e7cdd4f267461289e8817c386b1c7d5756beac43314b52e87a3eb66f

memory/2288-39-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2288-41-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d4653379.exe

MD5 f929cf45e5696adf5666926d12ea97c7
SHA1 3640bdf242887dd0ddb3db105ff7ce45c8c116fb
SHA256 881be44b46f7a81fe38f97b33e89dce6ef6cabd81325d64051d664a51014365e
SHA512 ec47cb258ac27c982f40721b297d37c725efd0b0399ee115df8e89542f08ff6e0512846506ebfbba7b586f58ed44459c312f84f345f2c907cce0378f60ad1562

memory/3684-45-0x0000000000F50000-0x0000000000F80000-memory.dmp

memory/3684-46-0x0000000003100000-0x0000000003106000-memory.dmp

memory/3684-47-0x0000000005E90000-0x00000000064A8000-memory.dmp

memory/3684-48-0x00000000059A0000-0x0000000005AAA000-memory.dmp

memory/3684-49-0x00000000058E0000-0x00000000058F2000-memory.dmp

memory/3684-50-0x0000000005940000-0x000000000597C000-memory.dmp

memory/3684-51-0x0000000005AB0000-0x0000000005AFC000-memory.dmp

Analysis: behavioral21

Detonation Overview

Submitted

2024-05-09 15:21

Reported

2024-05-09 15:24

Platform

win10v2004-20240426-en

Max time kernel

147s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c84d7a88c396b7e327907984474a5b186f4adf86792a273b4ded750f4b893ca4.exe"

Signatures

Amadey

trojan amadey

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h1975793.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h1975793.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h1975793.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h1975793.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h1975793.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h1975793.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g3860331.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h1975793.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7870127.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\c84d7a88c396b7e327907984474a5b186f4adf86792a273b4ded750f4b893ca4.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h1975793.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h1975793.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h1975793.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4872 wrote to memory of 424 N/A C:\Users\Admin\AppData\Local\Temp\c84d7a88c396b7e327907984474a5b186f4adf86792a273b4ded750f4b893ca4.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7870127.exe
PID 4872 wrote to memory of 424 N/A C:\Users\Admin\AppData\Local\Temp\c84d7a88c396b7e327907984474a5b186f4adf86792a273b4ded750f4b893ca4.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7870127.exe
PID 4872 wrote to memory of 424 N/A C:\Users\Admin\AppData\Local\Temp\c84d7a88c396b7e327907984474a5b186f4adf86792a273b4ded750f4b893ca4.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7870127.exe
PID 424 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7870127.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g3860331.exe
PID 424 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7870127.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g3860331.exe
PID 424 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7870127.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g3860331.exe
PID 2968 wrote to memory of 620 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g3860331.exe C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
PID 2968 wrote to memory of 620 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g3860331.exe C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
PID 2968 wrote to memory of 620 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g3860331.exe C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
PID 424 wrote to memory of 4840 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7870127.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h1975793.exe
PID 424 wrote to memory of 4840 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7870127.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h1975793.exe
PID 620 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe C:\Windows\SysWOW64\schtasks.exe
PID 620 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe C:\Windows\SysWOW64\schtasks.exe
PID 620 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe C:\Windows\SysWOW64\schtasks.exe
PID 620 wrote to memory of 4908 N/A C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe C:\Windows\SysWOW64\cmd.exe
PID 620 wrote to memory of 4908 N/A C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe C:\Windows\SysWOW64\cmd.exe
PID 620 wrote to memory of 4908 N/A C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe C:\Windows\SysWOW64\cmd.exe
PID 4908 wrote to memory of 1532 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4908 wrote to memory of 1532 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4908 wrote to memory of 1532 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4908 wrote to memory of 2700 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4908 wrote to memory of 2700 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4908 wrote to memory of 2700 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4908 wrote to memory of 3808 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4908 wrote to memory of 3808 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4908 wrote to memory of 3808 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4908 wrote to memory of 3600 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4908 wrote to memory of 3600 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4908 wrote to memory of 3600 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4908 wrote to memory of 3560 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4908 wrote to memory of 3560 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4908 wrote to memory of 3560 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4908 wrote to memory of 1332 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4908 wrote to memory of 1332 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4908 wrote to memory of 1332 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4872 wrote to memory of 856 N/A C:\Users\Admin\AppData\Local\Temp\c84d7a88c396b7e327907984474a5b186f4adf86792a273b4ded750f4b893ca4.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j1187629.exe
PID 4872 wrote to memory of 856 N/A C:\Users\Admin\AppData\Local\Temp\c84d7a88c396b7e327907984474a5b186f4adf86792a273b4ded750f4b893ca4.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j1187629.exe
PID 4872 wrote to memory of 856 N/A C:\Users\Admin\AppData\Local\Temp\c84d7a88c396b7e327907984474a5b186f4adf86792a273b4ded750f4b893ca4.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j1187629.exe

Processes

C:\Users\Admin\AppData\Local\Temp\c84d7a88c396b7e327907984474a5b186f4adf86792a273b4ded750f4b893ca4.exe

"C:\Users\Admin\AppData\Local\Temp\c84d7a88c396b7e327907984474a5b186f4adf86792a273b4ded750f4b893ca4.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7870127.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7870127.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g3860331.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g3860331.exe

C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe

"C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe"

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h1975793.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h1975793.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN danke.exe /TR "C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "danke.exe" /P "Admin:N"&&CACLS "danke.exe" /P "Admin:R" /E&&echo Y|CACLS "..\3ec1f323b5" /P "Admin:N"&&CACLS "..\3ec1f323b5" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "danke.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "danke.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\3ec1f323b5" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\3ec1f323b5" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j1187629.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j1187629.exe

C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe

C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe

C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe

C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 136.136.73.23.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
FI 77.91.68.3:80 tcp
BE 2.17.196.145:443 www.bing.com tcp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 145.196.17.2.in-addr.arpa udp
BE 2.17.196.145:443 www.bing.com tcp
FI 77.91.68.68:19071 tcp
FI 77.91.68.68:19071 tcp
FI 77.91.68.3:80 tcp
FI 77.91.68.68:19071 tcp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 104.211.222.173.in-addr.arpa udp
FI 77.91.68.3:80 tcp
FI 77.91.68.68:19071 tcp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
FI 77.91.68.3:80 tcp
FI 77.91.68.68:19071 tcp
FI 77.91.68.3:80 tcp
FI 77.91.68.68:19071 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7870127.exe

MD5 7a8364296e7c43d3ea3bd0a90095bb42
SHA1 79194c764908acfac8bfc04c24a27abf4530b321
SHA256 160d6a2b8125e280a55521ef6b5bb6e76a49c2c8d543d5f43166695a3d71f03f
SHA512 34ad642bbd8434897c103ae33443d854a323727bd45e2a6719f386181583cddc36b349716b7a74910db6ca7f295ead1296ed558bdfe34e08522f0acf4c455ba9

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g3860331.exe

MD5 8c6b79ec436d7cf6950a804c1ec7d3e9
SHA1 4a589d5605d8ef785fdc78b0bf64e769e3a21ad6
SHA256 4e1377f9874f333dcb0b1b758e3131949e667fc39aadf3091e4e3b7cdbaeef1d
SHA512 06f2de433876963bb7bbddbe93cab0b7dd22164d1c10726294445944dcf5fa4a0fb450fc683c32565177a81a6103f6a5f11d291958bc7fcff7fdb9cf41a001ce

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h1975793.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

memory/4840-27-0x00000000005F0000-0x00000000005FA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j1187629.exe

MD5 07f0f4a954fb670cd088321b6c49c637
SHA1 9622931b58b3a80a70a5b5bc1fb37b11c11f9ab2
SHA256 538fd5bf93d15e8fbcc75e18a9769d8c57fcec81c05c8a9c2ab84c61e20e7124
SHA512 11e4da592e07f4746807c8848bfaf3ae4001bd76f4870d084bfba785190ec78b607cc298a1b97fdef51b3844b2e7cea141edfd14965d2dae7df9c68b7f2aba94

memory/856-32-0x0000000000FD0000-0x0000000001000000-memory.dmp

memory/856-33-0x00000000034A0000-0x00000000034A6000-memory.dmp

memory/856-34-0x000000000B480000-0x000000000BA98000-memory.dmp

memory/856-35-0x000000000AF80000-0x000000000B08A000-memory.dmp

memory/856-36-0x000000000AEC0000-0x000000000AED2000-memory.dmp

memory/856-37-0x000000000AF20000-0x000000000AF5C000-memory.dmp

memory/856-38-0x0000000003370000-0x00000000033BC000-memory.dmp