Analysis Overview
SHA256
b2e3ef893eb456057652ab4434c1204484055bd056354e8672fc45f069c32800
Threat Level: Known bad
The file red.zip was found to be: Known bad.
Malicious Activity Summary
RedLine payload
RedLine
SmokeLoader
Modifies Windows Defender Real-time Protection settings
Healer
Amadey
Detects Healer, an antivirus disabler dropper
Windows security modification
Reads user/profile data of web browsers
Checks computer location settings
Executes dropped EXE
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Suspicious use of SetThreadContext
Unsigned PE
Program crash
Enumerates physical storage devices
Checks SCSI registry key(s)
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-09 15:28
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-09 15:28
Reported
2024-05-09 15:31
Platform
win10v2004-20240508-en
Max time kernel
142s
Max time network
150s
Command Line
Signatures
Amadey
Detects Healer, an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7511157.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7511157.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7511157.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7511157.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7511157.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7511157.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l5242522.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1359229.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7511157.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l5242522.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n4765071.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7511157.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\143e14de3ab20f2359132907b991db6a76d0d521ba132b83a736d149619409c5.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1359229.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7511157.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7511157.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7511157.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\143e14de3ab20f2359132907b991db6a76d0d521ba132b83a736d149619409c5.exe
"C:\Users\Admin\AppData\Local\Temp\143e14de3ab20f2359132907b991db6a76d0d521ba132b83a736d149619409c5.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1359229.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1359229.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7511157.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7511157.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l5242522.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l5242522.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
"C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n4765071.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n4765071.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN pdates.exe /TR "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "pdates.exe" /P "Admin:N"&&CACLS "pdates.exe" /P "Admin:R" /E&&echo Y|CACLS "..\925e7e99c5" /P "Admin:N"&&CACLS "..\925e7e99c5" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "pdates.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "pdates.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\925e7e99c5" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\925e7e99c5" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
Network
| Country | Destination | Domain | Proto |
| BE | 2.17.196.96:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.211.222.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 96.196.17.2.in-addr.arpa | udp |
| FI | 77.91.68.61:80 | | tcp |
| FI | 77.91.68.68:19071 | | tcp |
| FI | 77.91.68.68:19071 | | tcp |
| FI | 77.91.68.61:80 | | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| FI | 77.91.68.68:19071 | | tcp |
| FI | 77.91.68.61:80 | | tcp |
| FI | 77.91.68.68:19071 | | tcp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| FI | 77.91.68.68:19071 | | tcp |
| FI | 77.91.68.68:19071 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1359229.exe
| MD5 | f5f946ac4583af832c2d637fd85246fb |
| SHA1 | dffad329cad828e547d1eb418a4fc709ba05fcc7 |
| SHA256 | 44e8ec63756866f0209362393b22273dd2106f5a207ff8f8e16f71ce45bf0455 |
| SHA512 | 0f5fbb1400818078d97964da427e24cedd8a998343cc2de79a28b0137c629070ba60f44ea0c03fa8424c03040fff403cf4b72597596917ca72ba1eed2a55e9b6 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7511157.exe
| MD5 | 7e93bacbbc33e6652e147e7fe07572a0 |
| SHA1 | 421a7167da01c8da4dc4d5234ca3dd84e319e762 |
| SHA256 | 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38 |
| SHA512 | 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l5242522.exe
| MD5 | aea234064483f651010cf9d981f59fea |
| SHA1 | 002ad73a666d2d92d0c6d6b617e61c6fa0c5f3a6 |
| SHA256 | 58b02c8b4bc2bf7f5f1e8e45d7c206956f188ae56b648922ca75987b999db503 |
| SHA512 | eae415ef55aeb1b4548c2422a72e618fce17c2c1322918d33dc6b9202a01c743a5684ba28e5d83b6cdb2b703bc12569e6bb0e87ef2decb4e8a18592e1380a434 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n4765071.exe
| MD5 | 2e579346644673daa171cbfbbf226e92 |
| SHA1 | 15c654470dda2e03c3579cc06f02f01756b8f220 |
| SHA256 | e7fa30eaa844288719a635b40bfa1bce8aeb1bade6683915e00b71891453019a |
| SHA512 | b5a0a0c869447ab586dfcb512b646b409139eb2e086c0c46f777fecb84d417fef7c75be688a3f63eea0fc704649b683f10afa20b9243e4e8d7363883daebe995 |
Analysis: behavioral5
Detonation Overview
Submitted
2024-05-09 15:28
Reported
2024-05-09 15:31
Platform
win7-20231129-en
Max time kernel
118s
Max time network
123s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\499d652934b65eebaaa2d82a49a8810d8dbc1d3feb82c20d3193b41d1d599648.exe
"C:\Users\Admin\AppData\Local\Temp\499d652934b65eebaaa2d82a49a8810d8dbc1d3feb82c20d3193b41d1d599648.exe"
Network
Files
Analysis: behavioral10
Detonation Overview
Submitted
2024-05-09 15:28
Reported
2024-05-09 15:31
Platform
win10v2004-20240426-en
Max time kernel
142s
Max time network
155s
Command Line
Signatures
Amadey
Detects Healer, an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h5809110.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h5809110.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h5809110.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h5809110.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h5809110.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h5809110.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g4968097.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6551560.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g4968097.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h5809110.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j1734878.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h5809110.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\53ecffef24ddea22780ff63e0224bd9c1bf9d8533760949fff138bd5c432ce36.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6551560.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h5809110.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h5809110.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h5809110.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g4968097.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\53ecffef24ddea22780ff63e0224bd9c1bf9d8533760949fff138bd5c432ce36.exe
"C:\Users\Admin\AppData\Local\Temp\53ecffef24ddea22780ff63e0224bd9c1bf9d8533760949fff138bd5c432ce36.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6551560.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6551560.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g4968097.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g4968097.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
"C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe"
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h5809110.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h5809110.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN pdates.exe /TR "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "pdates.exe" /P "Admin:N"&&CACLS "pdates.exe" /P "Admin:R" /E&&echo Y|CACLS "..\925e7e99c5" /P "Admin:N"&&CACLS "..\925e7e99c5" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "pdates.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "pdates.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\925e7e99c5" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\925e7e99c5" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j1734878.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j1734878.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| FI | 77.91.68.61:80 | | tcp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| BE | 2.17.196.176:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 176.196.17.2.in-addr.arpa | udp |
| BE | 2.17.196.176:443 | www.bing.com | tcp |
| FI | 77.91.68.68:19071 | | tcp |
| FI | 77.91.68.68:19071 | | tcp |
| FI | 77.91.68.61:80 | | tcp |
| FI | 77.91.68.68:19071 | | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| FI | 77.91.68.61:80 | | tcp |
| FI | 77.91.68.68:19071 | | tcp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| FI | 77.91.68.68:19071 | | tcp |
| FI | 77.91.68.68:19071 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6551560.exe
| MD5 | a2210d30b37a2eff48873119679e1fb5 |
| SHA1 | 734bd652beaf82b8ce053df8c163481581b4726f |
| SHA256 | 8f4e62d14ddd063a22c7de8d3d0dde17fe436077799fb6ad7ab187c2413bc72d |
| SHA512 | c7caf76cae083da89343b3956be85e0525b5a40f4d4d1be3449d14e86e299eae900c46563b90d2a46a01c2ca1899c3b089bf3b0ae6a8470c0091bcfa0635853f |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g4968097.exe
| MD5 | aea234064483f651010cf9d981f59fea |
| SHA1 | 002ad73a666d2d92d0c6d6b617e61c6fa0c5f3a6 |
| SHA256 | 58b02c8b4bc2bf7f5f1e8e45d7c206956f188ae56b648922ca75987b999db503 |
| SHA512 | eae415ef55aeb1b4548c2422a72e618fce17c2c1322918d33dc6b9202a01c743a5684ba28e5d83b6cdb2b703bc12569e6bb0e87ef2decb4e8a18592e1380a434 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h5809110.exe
| MD5 | 7e93bacbbc33e6652e147e7fe07572a0 |
| SHA1 | 421a7167da01c8da4dc4d5234ca3dd84e319e762 |
| SHA256 | 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38 |
| SHA512 | 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j1734878.exe
| MD5 | 0d0af4abacfe1c26bb788646ea00cc47 |
| SHA1 | 719378577f111b5571d483b3a727853d99b6e798 |
| SHA256 | 0905242cfa7a6a94c5cf38d06bb0fbb69123693b05993c6dd4102687201341ee |
| SHA512 | d7ef0313c89b0b178a346632a59fc991def5a5255dcbbaf2bfdf863905ac8e3e81da8097612988b0407e343e819e0a691201d4e2bfa6abc50fe4e7361410a789 |
Analysis: behavioral12
Detonation Overview
Submitted
2024-05-09 15:28
Reported
2024-05-09 15:31
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Detects Healer, an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b6286603.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b6286603.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8518906.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8518906.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8518906.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8518906.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8518906.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b6286603.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8518906.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b6286603.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b6286603.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b6286603.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7479313.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7958004.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v2151231.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8518906.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b6286603.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c8826700.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8518906.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8518906.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b6286603.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\61f1416a771544600c2eb0122b2860693273306c4f450b6c7dc5af2a07a52b2b.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7479313.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7958004.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v2151231.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8518906.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8518906.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b6286603.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b6286603.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8518906.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b6286603.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\61f1416a771544600c2eb0122b2860693273306c4f450b6c7dc5af2a07a52b2b.exe
"C:\Users\Admin\AppData\Local\Temp\61f1416a771544600c2eb0122b2860693273306c4f450b6c7dc5af2a07a52b2b.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7479313.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7479313.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7958004.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7958004.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v2151231.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v2151231.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8518906.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8518906.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b6286603.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b6286603.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c8826700.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c8826700.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 144.211.222.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| BE | 2.17.196.96:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 96.196.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| FI | 77.91.68.48:19071 | | tcp |
| FI | 77.91.68.48:19071 | | tcp |
| US | 8.8.8.8:53 | 98.56.20.217.in-addr.arpa | udp |
| FI | 77.91.68.48:19071 | | tcp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| FI | 77.91.68.48:19071 | | tcp |
| FI | 77.91.68.48:19071 | | tcp |
| US | 8.8.8.8:53 | 25.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7479313.exe
| MD5 | f322468f7b64cecefaf9a0f0faccce20 |
| SHA1 | 3d70724ebe7a280468c06cec4aeff4723eb530be |
| SHA256 | d0d0aa49f6e37875f9b5dd0f21ab7ea9a9a366ff47cf69e224a1aa6e5089a24c |
| SHA512 | b73f96b0eae3a1ca5da4a964cf56c7a991e5d30796a0f56bd6729dd4dfe542ed1053b7e0d3284bac2d5a1c7e646002fdf11866c094543e2e94847a9ed16b1fff |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7958004.exe
| MD5 | 208b54dec1def07b191289f2f777b350 |
| SHA1 | 10bf86ca447e4aa9d59a244824788350d4b4f071 |
| SHA256 | 09b9055edb7d51a08a4b7a7b2ee1d982379fff43c34637084fdd32a412a20974 |
| SHA512 | 06ebe2071211a221f939aa666849012f4d6e1b7855ff8e0df4bda2c0fe1430b564ad1d4209b945cfead695f1503a2dc57af84fae7bd1cf62e71691184a772b2e |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v2151231.exe
| MD5 | 4b1a2d09d57bf0b2fc99d5da960562d5 |
| SHA1 | d72c7391e795ee360ad860d870d03c58372e5d19 |
| SHA256 | df3d2938bcbf97d8977a8fe236a2471d529e1b484ba5090635dc3fec80b7b8e3 |
| SHA512 | 4a69463ab5fcb25140b9ce4fece0c2d0e7c3d2827d7d2addc26a38a8c9aeb1787837ade0084c578c46efa2d4b3c98b4fc0b645334796d40d2a73ea4e55d28684 |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8518906.exe
| MD5 | ae98a36da0e47b966ed93d845206ce38 |
| SHA1 | 1ea9b655c02f2073c92e4a010c25a2c5bcad1ed8 |
| SHA256 | 1c262ccffb16c31cdf0cc414038a3da52f58e209027e5a915f3b6e40be5d3bee |
| SHA512 | 975b325fdd9cf5f47778742bf53b10a2903caace94b69d59a16c7c8ade15e8bd7d29ed372269bdde0bf76ac8898771601549f993e69c9801ffc11da4168cb1dc |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b6286603.exe
| MD5 | 7e93bacbbc33e6652e147e7fe07572a0 |
| SHA1 | 421a7167da01c8da4dc4d5234ca3dd84e319e762 |
| SHA256 | 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38 |
| SHA512 | 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c8826700.exe
| MD5 | 066240575f50b7f5987e95a3be5d62dc |
| SHA1 | 3edf9ff59b4ee474b5d828763d9c4df55bd51179 |
| SHA256 | 5d78ef153cc6b04717c89d059e6b2c6200834f3945d6e762603d53c118bddfd5 |
| SHA512 | 702b9df12dcfb2038eb71e0286f1c6d036df628fee3b9c44b295bf5089ce07c88fd70ac44091eb092c941217a7437210ff792190706568d8608f3a689450d76c |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\System.dll.log
| MD5 | 916851e072fbabc4796d8916c5131092 |
| SHA1 | d48a602229a690c512d5fdaf4c8d77547a88e7a2 |
| SHA256 | 7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d |
| SHA512 | 07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521 |
memory/4036-47-0x00000000021D0000-0x00000000021D6000-memory.dmp
memory/4036-48-0x0000000005180000-0x0000000005798000-memory.dmp
memory/4036-49-0x0000000004B60000-0x0000000004C6A000-memory.dmp
memory/4036-50-0x0000000004AE0000-0x0000000004AF2000-memory.dmp
memory/4036-51-0x0000000004B00000-0x0000000004B3C000-memory.dmp
memory/4036-52-0x0000000004CC0000-0x0000000004D0C000-memory.dmp
Analysis: behavioral15
Detonation Overview
Submitted
2024-05-09 15:28
Reported
2024-05-09 15:31
Platform
win10v2004-20240426-en
Max time kernel
149s
Max time network
156s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4656 set thread context of 1344 | N/A | C:\Users\Admin\AppData\Local\Temp\71829948467d2f16aa6d5c19d4887b4da3a316c3778ff88b4130bc047d02f5ce.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\71829948467d2f16aa6d5c19d4887b4da3a316c3778ff88b4130bc047d02f5ce.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\71829948467d2f16aa6d5c19d4887b4da3a316c3778ff88b4130bc047d02f5ce.exe
"C:\Users\Admin\AppData\Local\Temp\71829948467d2f16aa6d5c19d4887b4da3a316c3778ff88b4130bc047d02f5ce.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4656 -ip 4656
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4656 -s 320
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 235.3.20.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | omnomnom.top | udp |
| DE | 195.201.252.28:443 | omnomnom.top | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| BE | 2.17.196.160:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.252.201.195.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 160.196.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| BE | 2.17.196.115:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 115.196.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 24.173.189.20.in-addr.arpa | udp |
Files
memory/1344-0-0x0000000000400000-0x0000000000422000-memory.dmp
memory/4656-1-0x0000000000578000-0x0000000000579000-memory.dmp
memory/1344-2-0x00000000744FE000-0x00000000744FF000-memory.dmp
memory/1344-3-0x0000000005690000-0x00000000056F6000-memory.dmp
memory/1344-4-0x00000000061E0000-0x00000000067F8000-memory.dmp
memory/1344-5-0x0000000005C20000-0x0000000005C32000-memory.dmp
memory/1344-6-0x0000000005D50000-0x0000000005E5A000-memory.dmp
memory/1344-7-0x00000000744F0000-0x0000000074CA0000-memory.dmp
memory/1344-8-0x0000000006A00000-0x0000000006A3C000-memory.dmp
memory/1344-9-0x0000000006A40000-0x0000000006A8C000-memory.dmp
memory/1344-10-0x0000000006D80000-0x0000000006F42000-memory.dmp
memory/1344-11-0x0000000007480000-0x00000000079AC000-memory.dmp
memory/1344-12-0x0000000007F60000-0x0000000008504000-memory.dmp
memory/1344-13-0x00000000070F0000-0x0000000007182000-memory.dmp
memory/1344-14-0x0000000006F50000-0x0000000006FA0000-memory.dmp
memory/1344-15-0x0000000007020000-0x0000000007096000-memory.dmp
memory/1344-16-0x0000000006FA0000-0x0000000006FBE000-memory.dmp
memory/1344-18-0x00000000744F0000-0x0000000074CA0000-memory.dmp
Analysis: behavioral21
Detonation Overview
Submitted
2024-05-09 15:28
Reported
2024-05-09 15:31
Platform
win10v2004-20240508-en
Max time kernel
126s
Max time network
145s
Command Line
Signatures
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a4884083.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7923935.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7923935.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7923935.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7923935.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a4884083.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a4884083.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a4884083.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a4884083.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a4884083.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7923935.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7923935.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0578791.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3556398.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7879489.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a4884083.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7923935.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c4901763.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a4884083.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a4884083.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7923935.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3556398.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7879489.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\ea3dd01036351608cfd1a08d2d7331439b7acea2492116d550411f5e93529f9e.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0578791.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a4884083.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a4884083.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a4884083.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7923935.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7923935.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7923935.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a4884083.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7923935.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ea3dd01036351608cfd1a08d2d7331439b7acea2492116d550411f5e93529f9e.exe
"C:\Users\Admin\AppData\Local\Temp\ea3dd01036351608cfd1a08d2d7331439b7acea2492116d550411f5e93529f9e.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0578791.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0578791.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3556398.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3556398.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7879489.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7879489.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a4884083.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a4884083.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4196,i,10373433614523925616,13586256558317053467,262144 --variations-seed-version --mojo-platform-channel-handle=4032 /prefetch:8
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7923935.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7923935.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c4901763.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c4901763.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| BE | 2.17.196.96:443 | www.bing.com | tcp |
| BE | 2.17.196.96:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 96.196.17.2.in-addr.arpa | udp |
| FI | 77.91.68.48:19071 | | tcp |
| FI | 77.91.68.48:19071 | | tcp |
| FI | 77.91.68.48:19071 | | tcp |
| FI | 77.91.68.48:19071 | | tcp |
| US | 8.8.8.8:53 | 13.173.189.20.in-addr.arpa | udp |
| FI | 77.91.68.48:19071 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0578791.exe
| MD5 | 631ed72f62ec0529a2ae8c950db257d0 |
| SHA1 | 52ae6745c638f0906cb9d8eaae3c0d46c27c35ce |
| SHA256 | ebde318f043b9e4926b01981d12ae91079793f5f9e2b0bb829c546750c8fb1f7 |
| SHA512 | 01705c553bb1eede9a6040cc36ce47f75f522fc09667ba3d420d435bf060a21d63eff1f79c46824594d5d779e90e67327c8e80475f74577eb64dc297b82f8079 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3556398.exe
| MD5 | e5776501a9148055f957f5386e3ecbef |
| SHA1 | 59011d27e29c91969953fa34da83e5187c51beca |
| SHA256 | 29f74e1800a68a08176cb3c5ccc169fca9cf58c9d9198f1090676e713c029607 |
| SHA512 | 17ca6c0f12ce30c085f76f280f8950d1bbc195ea913b3c44cdcb6a8dcfd8794729b2fa3493f6f4fd450287f64dc2d15a37e01713cb8444acee9125c6423c47b8 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7879489.exe
| MD5 | ba78117b9e92e3a2402a5da59990515f |
| SHA1 | d2e5579097b67e78ab394139ef310f79649f2fb9 |
| SHA256 | 3a2a91d3842ab8ac000b7de5270f2e96dc7db51e4ef216d1232ebd0042d71708 |
| SHA512 | 94447010a08d9fddf06e516a029fb12aa43289931339d4f4da494bb6eb94c08715a93af879825335590081584c7ad6ef6a672ebcf3f5bdc6fb4f3bd11a170107 |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a4884083.exe
| MD5 | dbb355595fadb1a82c4ebb2c34f9d78b |
| SHA1 | 249981224e8809f05b6ea4a9839c7247461ee02a |
| SHA256 | be3e1a18c76614255f9c6293f53286f7579243d8bbc17aac74d51d824a63d976 |
| SHA512 | cfe4e1831fdbd6b3d34a6cd42a801dca44062b5e30d391fd5f89a7aedada97186b027dfd192c990b4a4b10e4cc6a3eb872387f1dd404feec55182cb09c5dbb5e |
memory/4044-28-0x0000000000420000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7923935.exe
| MD5 | 7e93bacbbc33e6652e147e7fe07572a0 |
| SHA1 | 421a7167da01c8da4dc4d5234ca3dd84e319e762 |
| SHA256 | 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38 |
| SHA512 | 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91 |
memory/520-37-0x0000000000B00000-0x0000000000B0A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c4901763.exe
| MD5 | d8d4f1edc3eb447f88fc132375c41f6f |
| SHA1 | f8eb3bd34be6372087738a7f9ee063755ed3589d |
| SHA256 | 28fe55b2b9f42577744381f456c9b29a56cd27b167fdc68acc4ac152f3f3f483 |
| SHA512 | c1308f7ebe94affd2f6f2203c65e1540d230a486a393c6f76c59fef81b7d1cce0981ab04970a724f0bd7ecbca9a2a53f5eeda32e6e3656bba0582caaa803615b |
memory/3028-42-0x0000000000620000-0x0000000000650000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\System.dll.log
| MD5 | 916851e072fbabc4796d8916c5131092 |
| SHA1 | d48a602229a690c512d5fdaf4c8d77547a88e7a2 |
| SHA256 | 7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d |
| SHA512 | 07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521 |
memory/3028-47-0x0000000002290000-0x0000000002296000-memory.dmp
memory/3028-48-0x000000000A500000-0x000000000AB18000-memory.dmp
memory/3028-49-0x0000000009EE0000-0x0000000009FEA000-memory.dmp
memory/3028-50-0x000000000A020000-0x000000000A032000-memory.dmp
memory/3028-51-0x000000000A040000-0x000000000A07C000-memory.dmp
memory/3028-52-0x0000000002210000-0x000000000225C000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2024-05-09 15:28
Reported
2024-05-09 15:31
Platform
win10v2004-20240508-en
Max time kernel
126s
Max time network
150s
Command Line
Signatures
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3460427.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3460427.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4992850.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4992850.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4992850.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4992850.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3460427.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3460427.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4992850.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4992850.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3460427.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3460427.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7472544.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9263224.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1805423.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5289050.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4992850.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3460427.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c4849613.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4992850.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4992850.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3460427.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7472544.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9263224.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1805423.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5289050.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\2e0a9b6a39ce81b93beb155ac3c237f4a6b9248d6b872ed22bfdf8851796b19b.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4992850.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4992850.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3460427.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3460427.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4992850.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3460427.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2e0a9b6a39ce81b93beb155ac3c237f4a6b9248d6b872ed22bfdf8851796b19b.exe
"C:\Users\Admin\AppData\Local\Temp\2e0a9b6a39ce81b93beb155ac3c237f4a6b9248d6b872ed22bfdf8851796b19b.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7472544.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7472544.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9263224.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9263224.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1805423.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1805423.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5289050.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5289050.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4992850.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4992850.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3460427.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3460427.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c4849613.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c4849613.exe
Network
| Country | Destination | Domain | Proto |
| BE | 2.17.196.107:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.196.17.2.in-addr.arpa | udp |
| FI | 77.91.68.56:19071 | | tcp |
| FI | 77.91.68.56:19071 | | tcp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| FI | 77.91.68.56:19071 | | tcp |
| FI | 77.91.68.56:19071 | | tcp |
| FI | 77.91.68.56:19071 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7472544.exe
| MD5 | 4f42b9b022fd8d85dcdd9f017b90ff04 |
| SHA1 | 676ba0ae4538adddc2b07f55a48cd628d12b7633 |
| SHA256 | b02ee275800185a8058ae8d737a10aa7ef514f4d772b4d85a2d65b2239545d4f |
| SHA512 | 38f9a1db8fb1505cb1ff738dc29aa61599c4e23a3b5fdd3cb75bfb8bfd3a300132e7c5b476e8bcaa36f5db240f3c6188e5b1028610e2f8d9ebc53f0932187c97 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9263224.exe
| MD5 | 9d65e889dc6cdf70ab7a92689cf92af2 |
| SHA1 | 507fd511af4528e94e1d2c6d37855380afb4a426 |
| SHA256 | 2203e5e15c34017bdb5d5dac6cba15f8d99920c65ef189076a1ce7d3af478ad1 |
| SHA512 | db30bd0c8afe77d711e58f68fb755e4cb4e762a90ed3aa6319ff4dda932abbd0b067dd9090cc87dac6e2a3b1c27a58bdad18836d609240d7f53714d699a2624c |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1805423.exe
| MD5 | 8592a6dc936028a99ace4532cd770d5d |
| SHA1 | 7e44db68b7ec9a089b8a4937ed6ebb5d84860656 |
| SHA256 | d1285e5b0d41a774b9207d576b7f7843892698c455ef32b279164721daefa805 |
| SHA512 | d433730289a88f71bc6ac17faae51ff07fa32e9398c84a00dfe54e70b158fa5d94d2e73a9a2bed44f45e36ae357c6a82c5f4b6e20d487529f3b43842f98510cd |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5289050.exe
| MD5 | edc75ffe5fa9ffa372060ebd5c09c2b3 |
| SHA1 | 1c075856c81f5648acc34d08fa5a41debd9387ae |
| SHA256 | 92d61909555ed2bddf1f59506648e79a53e769014afc63405405cbfea6979340 |
| SHA512 | 27943feab8ffb5635b6b886202f75d4f839a7bc4f326df0af1ea92560ee51a167a2d8aabe341b3861876fc7766abd1c8bab3d0dcad9cf69af81dabc89b797c13 |
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4992850.exe
| MD5 | 068c37a137de97b4569270eb0fd08b27 |
| SHA1 | 9cef9ddd66a3c3a18a6993eff25304d29e95bf6d |
| SHA256 | f9adeb967c811f699984b5a9d12d7d5c7090827a0c1ab3bea159c7d04f41286b |
| SHA512 | 98f1d6795cadb5ffe4f95c05fa3590832fe64cf1ea539199557fba0b4183c50ec7c0fdd210af23d4c769beb1158eca495e5b176d883ee29501334e88c0139cf1 |
memory/1232-35-0x0000000001F60000-0x0000000001F9E000-memory.dmp
memory/1232-41-0x0000000001F60000-0x0000000001F9E000-memory.dmp
memory/1232-42-0x0000000006A90000-0x0000000006A91000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3460427.exe
| MD5 | 698c2c19db2d75dda748684546023df8 |
| SHA1 | f03d654d2459c82f0fbd407289c2b2f6458cfbfd |
| SHA256 | e27ddbbb48705cb0790690d176d326b1e68fac8960b25b65e56582c552d6a749 |
| SHA512 | b937e05949307bbf8da79c416c1ab9c844bab3065e2fcd690f6ff5bb403caebc89997b6d050eb82339dd9181a8842629602794bbda2436404381d0cf68f340e4 |
memory/1800-48-0x0000000000D10000-0x0000000000D1A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c4849613.exe
| MD5 | da6ff81c6f67611413531f823ea93e2b |
| SHA1 | 8e4244fe534ab3ae1ea22dc12f0665bcec0db34a |
| SHA256 | 69220a693e0059f35711ed1e66ec35c9b62de85afe4cdb9c282c2d24d9483193 |
| SHA512 | f4af9745c5dab137c04b0e86f34fc696c1a9d7fcb9ca9733fcd75256981aa6835f3aeffd4f3fc1fce1c07109096c2835a2b6c83bc246ccfd719372059ebe5d36 |
memory/3100-53-0x0000000002060000-0x00000000020EC000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\System.dll.log
| MD5 | 916851e072fbabc4796d8916c5131092 |
| SHA1 | d48a602229a690c512d5fdaf4c8d77547a88e7a2 |
| SHA256 | 7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d |
| SHA512 | 07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521 |
memory/3100-60-0x0000000002060000-0x00000000020EC000-memory.dmp
memory/3100-62-0x0000000002500000-0x0000000002506000-memory.dmp
memory/3100-63-0x0000000006D50000-0x0000000007368000-memory.dmp
memory/3100-64-0x0000000007370000-0x000000000747A000-memory.dmp
memory/3100-65-0x0000000006BF0000-0x0000000006C02000-memory.dmp
memory/3100-66-0x0000000007480000-0x00000000074BC000-memory.dmp
memory/3100-67-0x00000000074C0000-0x000000000750C000-memory.dmp
Analysis: behavioral7
Detonation Overview
Submitted
2024-05-09 15:28
Reported
2024-05-09 15:31
Platform
win10v2004-20240426-en
Max time kernel
149s
Max time network
153s
Command Line
Signatures
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a6370349.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a6370349.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a6370349.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a6370349.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b8770774.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b8770774.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b8770774.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a6370349.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b8770774.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b8770774.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b8770774.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a6370349.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9405994.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6384948.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1040822.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1586501.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a6370349.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b8770774.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c6121207.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a6370349.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a6370349.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b8770774.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6384948.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1040822.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1586501.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\4b8eb941853bd390287dbcbe8dae61e1b226baa6661172eff6766605a0047ec3.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9405994.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a6370349.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a6370349.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b8770774.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b8770774.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a6370349.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b8770774.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\4b8eb941853bd390287dbcbe8dae61e1b226baa6661172eff6766605a0047ec3.exe
"C:\Users\Admin\AppData\Local\Temp\4b8eb941853bd390287dbcbe8dae61e1b226baa6661172eff6766605a0047ec3.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9405994.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9405994.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6384948.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6384948.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1040822.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1040822.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1586501.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1586501.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a6370349.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a6370349.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b8770774.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b8770774.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c6121207.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c6121207.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| BE | 2.17.196.160:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 160.196.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| BE | 2.17.196.160:443 | www.bing.com | tcp |
| FI | 77.91.68.56:19071 | | tcp |
| FI | 77.91.68.56:19071 | | tcp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| FI | 77.91.68.56:19071 | | tcp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| FI | 77.91.68.56:19071 | | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| FI | 77.91.68.56:19071 | | tcp |
| US | 8.8.8.8:53 | | udp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9405994.exe
| MD5 | aef04ccd0641dc9a63df41e25aa4273e |
| SHA1 | c3b0d2a04a795babc21c810ad46f5217dca34137 |
| SHA256 | 0abea631e220741b291754699d5545449a059ca4d2d0559fdc465c92f045b2eb |
| SHA512 | 0942a1dfb0901b7a214be0ebb577de1b590189e5d7d5830e577acd4c7455181283a771db7dfce93eab98b67c2cd53bdb2eaf5a645c9e4aee5dcdcca39b382804 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6384948.exe
| MD5 | 44c832fc392e51418fc15c39ab3de1e7 |
| SHA1 | fbc66040168e7f66f4d4398bfa975cac696cb388 |
| SHA256 | 0a78c5e4410205c3c84531e625507722c41af9a104962a80e3ed6058b5199dd9 |
| SHA512 | c6b12e389eca96a1775e558ab4d448f72a2a22721fc3518fd321e97e6a7798db0201257d91770bd452ae84b2cfc6ccce08445c1ade5bf149448f7dcb4d4e86df |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1040822.exe
| MD5 | 7b46cc038ef86adcd4c68aca30e827ab |
| SHA1 | de3f3ea3efee57d4cd7adbef9967dc70d9e374cb |
| SHA256 | c9cd1e8b266848f88a108ecc30abbce1812e7d05412f6795394141ec3e103d8e |
| SHA512 | 6fc5f1db66030c616c695402a1df40185fee44aca2cacd6bd76a02046d65f228df5cf38981230e0352fb52e515b877cf2a76efec70f33e63331fb344ddbc7240 |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1586501.exe
| MD5 | 7ca527243bc8f6db1462a860ec57aac2 |
| SHA1 | 30737b8e360dc4eddd7492f9a1a86cf10bf405ad |
| SHA256 | 189417b41216990025f5be820a972769f9a333878ad2256a9f014d546954851a |
| SHA512 | 396f444648527207fdef07281fd1b3d98e84180d1687c3270e2927b792d566c130df5c345cfbc29236d3e093ff6847ac979401c1b8d67e29e2ff96591c79f5a9 |
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a6370349.exe
| MD5 | 69738532f97ce2ea62f220d38452732f |
| SHA1 | 213a12ed7882f306067521c38c63d5557e0f070a |
| SHA256 | e66db8d1b573b77c498d1e8c93eaaa52ca975b34d81da8a0d9702484a8edabfa |
| SHA512 | 9dc45f205ec73471c02ff7f021f6bedfc825c8674fef572dfadecf503993b53f07d12ea1f51cf38dd930d5a3a9415e04ff2e9b317865b1c7ab25cad682848578 |
memory/2876-35-0x0000000000570000-0x00000000005AE000-memory.dmp
memory/2876-41-0x0000000000570000-0x00000000005AE000-memory.dmp
memory/2876-42-0x0000000002360000-0x0000000002361000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b8770774.exe
| MD5 | eed9c4f01f76dfcb47c381e467c156b6 |
| SHA1 | ae4d42d1975f4ac968aa781243efdf580c58d58e |
| SHA256 | ac26f5d95655a7e285a64813dff4ebba5fb9fdbe8bc3268c9c0d0b452b502b61 |
| SHA512 | 273de9dcccadab14684fe2e959d25f9833a639fb41942f6ecf5304de50fab8215183197feeb03f7f4bb09031fc19aaac13b5dad66096ce1f3d81a74bf0cbec06 |
memory/3720-48-0x0000000000D90000-0x0000000000D9A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c6121207.exe
| MD5 | 5adb87d97c20867c329ebfc6df1c490e |
| SHA1 | 1bf2dabf26f4358ba354f223cc103a76445b0eb4 |
| SHA256 | 77f6716e92a77c63bc2d9249a0b3caf1f47fd9131f6b8e0159545e40fe8bb38c |
| SHA512 | 2c2f0e2884e62a133a570ef440f3addf1d320f22b0ff914827014d2ae4812772e4a29f9dcebb2fe00969f412be3430ed4749ff7ec11022c2f30be064b9723b83 |
memory/5488-54-0x00000000005A0000-0x000000000062C000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\System.dll.log
| MD5 | 916851e072fbabc4796d8916c5131092 |
| SHA1 | d48a602229a690c512d5fdaf4c8d77547a88e7a2 |
| SHA256 | 7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d |
| SHA512 | 07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521 |
memory/5488-60-0x00000000005A0000-0x000000000062C000-memory.dmp
memory/5488-62-0x0000000004520000-0x0000000004526000-memory.dmp
memory/5488-63-0x000000000B4F0000-0x000000000BB08000-memory.dmp
memory/5488-64-0x000000000AF50000-0x000000000B05A000-memory.dmp
memory/5488-65-0x000000000B080000-0x000000000B092000-memory.dmp
memory/5488-66-0x000000000B0A0000-0x000000000B0DC000-memory.dmp
memory/5488-67-0x0000000006A00000-0x0000000006A4C000-memory.dmp
Analysis: behavioral11
Detonation Overview
Submitted
2024-05-09 15:28
Reported
2024-05-09 15:31
Platform
win10v2004-20240508-en
Max time kernel
148s
Max time network
155s
Command Line
Signatures
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k2737969.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k2737969.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k2737969.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k2737969.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k2737969.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k2737969.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7840011.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y6426330.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k2737969.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l3380806.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k2737969.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k2737969.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y6426330.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\59a57474ebe62f572bb724c334e3f51070b9605bdb8a26ca62aa328af1683a06.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7840011.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k2737969.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k2737969.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k2737969.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\59a57474ebe62f572bb724c334e3f51070b9605bdb8a26ca62aa328af1683a06.exe
"C:\Users\Admin\AppData\Local\Temp\59a57474ebe62f572bb724c334e3f51070b9605bdb8a26ca62aa328af1683a06.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7840011.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7840011.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y6426330.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y6426330.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k2737969.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k2737969.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l3380806.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l3380806.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| BE | 2.17.196.138:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 3.181.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| BE | 2.17.196.138:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 138.196.17.2.in-addr.arpa | udp |
| FI | 77.91.68.56:19071 | | tcp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.121.18.2.in-addr.arpa | udp |
| FI | 77.91.68.56:19071 | | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| FI | 77.91.68.56:19071 | | tcp |
| FI | 77.91.68.56:19071 | | tcp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| FI | 77.91.68.56:19071 | | tcp |
| FI | 77.91.68.56:19071 | | tcp |
| US | 8.8.8.8:53 | 171.117.168.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7840011.exe
| MD5 | 78f324849aa7b1f850517cf94be2ef54 |
| SHA1 | 143654cbf93522937131f0a56f6ffdb94d62b693 |
| SHA256 | d37e270ae2e841d2d7e02bca9b2b8722ee36bc8634203dd51a26a7768448c774 |
| SHA512 | 6e82a48af65e3bd4211e9e10913bfcbe98506e5a34c66ff0077b5e4ce841c739365461f9995c5bba442e0805e64a5d5b04e1a4ed5dbdf7039305ca190a1a2083 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y6426330.exe
| MD5 | 26efa76c4c09af119b5cf26ba265bd6a |
| SHA1 | f9211e30771cda4c1e33d39414e62c077225e6cb |
| SHA256 | 2188d5c86aa35a1374137c1f2757f2d21b66e47e7649886cd9717ad6f858fef2 |
| SHA512 | 44e72b50b0cfea2255f5cd10716ab02b3dd336679cec9307866a47c14a609c6271c217d396009456fd1f1b2bbfee06b1c2a645e7887d2faf2495ab87b5de9644 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k2737969.exe
| MD5 | 97bedc3847c2a75396c6c97cf29285ac |
| SHA1 | e55c17be6b028426f3580337facd941e456cb060 |
| SHA256 | f4787b70b2a4f6e0b9350ddbdddbbca942b8a2f4d48a9f82e43d1cde06fa8759 |
| SHA512 | b99680cb988118acf40b417048fd99dad120409da63f110bf9100b43aa16d124aa83e266f4db5585681dd90ec442eda9bf04d81eaa835e095ff4438cf531983f |
memory/5116-21-0x0000000000690000-0x00000000006CE000-memory.dmp
memory/5116-27-0x0000000000401000-0x0000000000404000-memory.dmp
memory/5116-28-0x0000000000690000-0x00000000006CE000-memory.dmp
memory/5116-29-0x0000000002350000-0x0000000002351000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l3380806.exe
| MD5 | dfb42870a5a35dc280f750653cd769c5 |
| SHA1 | 835406a72260124183d0968490f41e22f43a3a2f |
| SHA256 | 0e00c1394a7c5563999d0fa119b0be98739dc40619cf0cc133244a06f99bc6de |
| SHA512 | 469f45c6640402704251c00a32758c5c78b0a596b8b437f7765d101c81cb1bcd05cff30b7347f03464c963ac4200c82171bd4c8f7d7826f14a54c4c180c86663 |
memory/2508-35-0x0000000000510000-0x000000000059C000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\System.dll.log
| MD5 | 916851e072fbabc4796d8916c5131092 |
| SHA1 | d48a602229a690c512d5fdaf4c8d77547a88e7a2 |
| SHA256 | 7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d |
| SHA512 | 07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521 |
memory/2508-42-0x0000000000510000-0x000000000059C000-memory.dmp
memory/2508-44-0x0000000002270000-0x0000000002276000-memory.dmp
memory/2508-45-0x0000000007EF0000-0x0000000008508000-memory.dmp
memory/2508-46-0x0000000008580000-0x000000000868A000-memory.dmp
memory/2508-47-0x00000000086B0000-0x00000000086C2000-memory.dmp
memory/2508-48-0x00000000086D0000-0x000000000870C000-memory.dmp
memory/2508-49-0x0000000005A00000-0x0000000005A4C000-memory.dmp
Analysis: behavioral13
Detonation Overview
Submitted
2024-05-09 15:28
Reported
2024-05-09 15:31
Platform
win10v2004-20240426-en
Max time kernel
147s
Max time network
153s
Command Line
Signatures
Amadey
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2849983.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2849983.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2849983.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2849983.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2849983.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2849983.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l1238236.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7323087.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2849983.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l1238236.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n8078707.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2849983.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\6aec183a583bea0012704d51b860a5d4dc2eaa2d5a1b16c1b991a8fb1cc86e31.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7323087.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2849983.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2849983.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2849983.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\6aec183a583bea0012704d51b860a5d4dc2eaa2d5a1b16c1b991a8fb1cc86e31.exe
"C:\Users\Admin\AppData\Local\Temp\6aec183a583bea0012704d51b860a5d4dc2eaa2d5a1b16c1b991a8fb1cc86e31.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7323087.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7323087.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2849983.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2849983.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l1238236.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l1238236.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
"C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n8078707.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n8078707.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN pdates.exe /TR "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "pdates.exe" /P "Admin:N"&&CACLS "pdates.exe" /P "Admin:R" /E&&echo Y|CACLS "..\925e7e99c5" /P "Admin:N"&&CACLS "..\925e7e99c5" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "pdates.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "pdates.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\925e7e99c5" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\925e7e99c5" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| BE | 2.17.196.107:443 | www.bing.com | tcp |
| BE | 2.17.196.107:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 107.196.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| FI | 77.91.68.61:80 | | tcp |
| FI | 77.91.68.68:19071 | | tcp |
| FI | 77.91.68.68:19071 | | tcp |
| FI | 77.91.68.61:80 | | tcp |
| FI | 77.91.68.68:19071 | | tcp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 52.111.227.11:443 | | tcp |
| FI | 77.91.68.61:80 | | tcp |
| FI | 77.91.68.68:19071 | | tcp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| FI | 77.91.68.68:19071 | | tcp |
| FI | 77.91.68.68:19071 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7323087.exe
| MD5 | 0435486b9d9871070086926637255bf7 |
| SHA1 | 8b8f3d4896a6484e78730dbc25485f9ea17c30ce |
| SHA256 | 5f69fbc55ea7dbefaeea3b35ed6fdc98c7358153c52827e5a2983475185adf12 |
| SHA512 | 89c229e1efe174f6615a9f4c5a7050a5128c7d44de887ae98a41d3bf241ed17c97eff056b457caa9f8815272dcb32e8a28e23e611a08c55d1320136812562c54 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2849983.exe
| MD5 | 7e93bacbbc33e6652e147e7fe07572a0 |
| SHA1 | 421a7167da01c8da4dc4d5234ca3dd84e319e762 |
| SHA256 | 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38 |
| SHA512 | 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91 |
memory/1916-14-0x00007FFB34E53000-0x00007FFB34E55000-memory.dmp
memory/1916-15-0x0000000000FB0000-0x0000000000FBA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l1238236.exe
| MD5 | aea234064483f651010cf9d981f59fea |
| SHA1 | 002ad73a666d2d92d0c6d6b617e61c6fa0c5f3a6 |
| SHA256 | 58b02c8b4bc2bf7f5f1e8e45d7c206956f188ae56b648922ca75987b999db503 |
| SHA512 | eae415ef55aeb1b4548c2422a72e618fce17c2c1322918d33dc6b9202a01c743a5684ba28e5d83b6cdb2b703bc12569e6bb0e87ef2decb4e8a18592e1380a434 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n8078707.exe
| MD5 | e5eb6311982d4fd0552762390f25bc8d |
| SHA1 | b0bbb3c76e54608b90668a558b464b52e56e495e |
| SHA256 | bc63562f2cd6157558bdb0ef95c0060644de3b2b200709137ba2bd99d2850d0e |
| SHA512 | d1cc6b86af9a80b1541d128c2043dc5f9b77635de6207460947b286095e1d2e87a0662b927ed958506cc789b652143010a7b888923b48c6479149c127409daf4 |
memory/876-33-0x0000000000A00000-0x0000000000A30000-memory.dmp
memory/876-34-0x0000000005360000-0x0000000005366000-memory.dmp
memory/876-35-0x0000000005B40000-0x0000000006158000-memory.dmp
memory/876-36-0x0000000005630000-0x000000000573A000-memory.dmp
memory/876-37-0x00000000053C0000-0x00000000053D2000-memory.dmp
memory/876-38-0x0000000005560000-0x000000000559C000-memory.dmp
memory/876-39-0x00000000055A0000-0x00000000055EC000-memory.dmp
Analysis: behavioral14
Detonation Overview
Submitted
2024-05-09 15:28
Reported
2024-05-09 15:31
Platform
win7-20240221-en
Max time kernel
122s
Max time network
128s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\71829948467d2f16aa6d5c19d4887b4da3a316c3778ff88b4130bc047d02f5ce.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2216 wrote to memory of 3036 | N/A | C:\Users\Admin\AppData\Local\Temp\71829948467d2f16aa6d5c19d4887b4da3a316c3778ff88b4130bc047d02f5ce.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2216 wrote to memory of 3036 | N/A | C:\Users\Admin\AppData\Local\Temp\71829948467d2f16aa6d5c19d4887b4da3a316c3778ff88b4130bc047d02f5ce.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2216 wrote to memory of 3036 | N/A | C:\Users\Admin\AppData\Local\Temp\71829948467d2f16aa6d5c19d4887b4da3a316c3778ff88b4130bc047d02f5ce.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2216 wrote to memory of 3036 | N/A | C:\Users\Admin\AppData\Local\Temp\71829948467d2f16aa6d5c19d4887b4da3a316c3778ff88b4130bc047d02f5ce.exe | C:\Windows\SysWOW64\WerFault.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\71829948467d2f16aa6d5c19d4887b4da3a316c3778ff88b4130bc047d02f5ce.exe
"C:\Users\Admin\AppData\Local\Temp\71829948467d2f16aa6d5c19d4887b4da3a316c3778ff88b4130bc047d02f5ce.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2216 -s 88
Network
Files
memory/2216-0-0x0000000000908000-0x0000000000909000-memory.dmp
Analysis: behavioral16
Detonation Overview
Submitted
2024-05-09 15:28
Reported
2024-05-09 15:31
Platform
win10v2004-20240426-en
Max time kernel
142s
Max time network
156s
Command Line
Signatures
Amadey
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k1005072.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k1005072.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k1005072.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k1005072.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k1005072.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k1005072.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l1505391.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3037748.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k1005072.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l1505391.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n5126994.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k1005072.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\7506757ba820d7ae28d178498db7124eb1c6e346d4700098f7492a46d5e851b0.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3037748.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k1005072.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k1005072.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k1005072.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\7506757ba820d7ae28d178498db7124eb1c6e346d4700098f7492a46d5e851b0.exe
"C:\Users\Admin\AppData\Local\Temp\7506757ba820d7ae28d178498db7124eb1c6e346d4700098f7492a46d5e851b0.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3037748.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3037748.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k1005072.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k1005072.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l1505391.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l1505391.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
"C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n5126994.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n5126994.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN pdates.exe /TR "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "pdates.exe" /P "Admin:N"&&CACLS "pdates.exe" /P "Admin:R" /E&&echo Y|CACLS "..\925e7e99c5" /P "Admin:N"&&CACLS "..\925e7e99c5" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "pdates.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "pdates.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\925e7e99c5" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\925e7e99c5" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| BE | 2.17.196.83:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 83.196.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| BE | 2.17.196.83:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| FI | 77.91.68.61:80 | | tcp |
| FI | 77.91.124.84:19071 | | tcp |
| FI | 77.91.124.84:19071 | | tcp |
| FI | 77.91.68.61:80 | | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| FI | 77.91.124.84:19071 | | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| FI | 77.91.68.61:80 | | tcp |
| FI | 77.91.124.84:19071 | | tcp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| FI | 77.91.124.84:19071 | | tcp |
| FI | 77.91.124.84:19071 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3037748.exe
| MD5 | a1264c633cf306e9ea91bfb90fe2d00f |
| SHA1 | ebb50fece413df7d62a29559c8010fa76893fa01 |
| SHA256 | c9ab327c854c05355e87798ef2ed0d6463d33584b2517f883650320ac356b6bc |
| SHA512 | 2fb9c7f16c090bea587bfa3e057069680b35f70409ed4f4e38a5ea7d7b148211b420f2e7de8ba11ed6ac12e587a6eef5ef956246e8ccc14d76cd1ff7d7ced504 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k1005072.exe
| MD5 | 7e93bacbbc33e6652e147e7fe07572a0 |
| SHA1 | 421a7167da01c8da4dc4d5234ca3dd84e319e762 |
| SHA256 | 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38 |
| SHA512 | 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91 |
memory/1336-14-0x0000000000830000-0x000000000083A000-memory.dmp
memory/1336-15-0x00007FFF46CF3000-0x00007FFF46CF5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l1505391.exe
| MD5 | aea234064483f651010cf9d981f59fea |
| SHA1 | 002ad73a666d2d92d0c6d6b617e61c6fa0c5f3a6 |
| SHA256 | 58b02c8b4bc2bf7f5f1e8e45d7c206956f188ae56b648922ca75987b999db503 |
| SHA512 | eae415ef55aeb1b4548c2422a72e618fce17c2c1322918d33dc6b9202a01c743a5684ba28e5d83b6cdb2b703bc12569e6bb0e87ef2decb4e8a18592e1380a434 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n5126994.exe
| MD5 | 42a31f715b5f173d46b4f61f19f23b47 |
| SHA1 | c4c85355538aada727a757a191346a1e499720c4 |
| SHA256 | 3015c82eb4bdc9ee3224c94e7ce93e7ec5d4908bee057a2859c6e419b913aa23 |
| SHA512 | 2df89cdcebdb0ced32f5d3ae5e28b2a566a4d3a9f638fc598d6ec52cb7f1b89c6c3774d721a5a55538be29f64a5e3eb8acc88236454465d11a3cfcc4782f4f74 |
Analysis: behavioral18
Detonation Overview
Submitted
2024-05-09 15:28
Reported
2024-05-09 15:31
Platform
win10v2004-20240508-en
Max time kernel
148s
Max time network
150s
Command Line
Signatures
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8356638.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8356638.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8356638.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8356638.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3075474.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3075474.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3075474.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8356638.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3075474.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3075474.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3075474.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8356638.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6358775.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2959190.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3996029.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5535719.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8356638.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3075474.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c7127075.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8356638.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8356638.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3075474.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\9e8418826f07274a00f90b02756f693711350696a60867c9adff98b6c0268e52.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6358775.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2959190.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3996029.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5535719.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8356638.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8356638.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3075474.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3075474.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8356638.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3075474.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9e8418826f07274a00f90b02756f693711350696a60867c9adff98b6c0268e52.exe
"C:\Users\Admin\AppData\Local\Temp\9e8418826f07274a00f90b02756f693711350696a60867c9adff98b6c0268e52.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6358775.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6358775.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2959190.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2959190.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3996029.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3996029.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5535719.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5535719.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8356638.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8356638.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3075474.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3075474.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c7127075.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c7127075.exe
Network
| Country | Destination | Domain | Proto |
| BE | 2.17.196.160:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 160.196.17.2.in-addr.arpa | udp |
| FI | 77.91.68.56:19071 | | tcp |
| FI | 77.91.68.56:19071 | | tcp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| FI | 77.91.68.56:19071 | | tcp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| FI | 77.91.68.56:19071 | | tcp |
| FI | 77.91.68.56:19071 | | tcp |
| US | 8.8.8.8:53 | 89.16.208.104.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6358775.exe
| MD5 | bb3db59eea1df96380edfe10ea55b5f4 |
| SHA1 | 64a4227004fc84f2653fa31cbd7bc0d4c3a1d9c1 |
| SHA256 | 9a9a452c6475ecaa9bcd866384134ff1adfe53dc87dceefcdc4c4c3a5dfa42b6 |
| SHA512 | f5170408fd453750bf84107ef39b1756dd5f11a1277ad6732c0f10a7bb2087d569b60f325cf8bf16cccb01ea46c591cf6e189613d7653fc7180232f6ac94e292 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2959190.exe
| MD5 | 209c8e0c8e3e1001cb812be59c8a2cc2 |
| SHA1 | 786903379ef92b8da7c21879c07fc195726a791c |
| SHA256 | 22e93a4b9b088c2734e2e683ed4aeb9835e6bb7c2715e64d73239994afba93e9 |
| SHA512 | d1b68a2f26e338c3f367bafc0c6488a9fcfcda44582b5bacbb7473f1a795250e458f5adc7c63b2c138e82879853d349be50b24b79c3f74f8a6b05507f91b0214 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3996029.exe
| MD5 | b70af505efaf18e5111b7f0872af4327 |
| SHA1 | 657b1fa0e8d7471d41f15c42f5667f66cf75444d |
| SHA256 | 1a48f593f8655695612dfd5829661808652b01d27d84591307fe340ff93d4cfc |
| SHA512 | 7b3fbb54fdee78a92d6988bcedfed62a3a898bbb923cc47959ed783b546649f9a3d26158ac30e951c3afe77b2927613f8c2abb22eeefb423bb4e90634ff2cac5 |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5535719.exe
| MD5 | 960a0885cbbfa23cd3a310929248ec8d |
| SHA1 | 0e0b415f6ea22a9fa4ff6b25d2cfd1b8e73442cb |
| SHA256 | 4af789aec86e09f8bc7af1b818c791f3733d5900a706b52d25634e4a60f723b3 |
| SHA512 | f1414072f542f27aa057ccd493243e725943396fcf25fffcdd654f2dad19dc66b4302d19d65032c460a3436d9687cc97a0fc8cfd6007e8f07142ba91595434fc |
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8356638.exe
| MD5 | 7e9f2cb217f3e911cbf490e250a81d85 |
| SHA1 | 161b42b6e4d08f752be8b70bc1b1e405f71b9d15 |
| SHA256 | 62f459126461c28fdfe1c4bae75d7d14ef9742a56c08f4b7679b86e20bf79eaa |
| SHA512 | 28f1929ee1905381f6f608bb6b446e09ec03b73f6a5475fe8b8a28fc7566561a3fb058c8242f0219958571d1b6d495422a7c215d71947d8b54841fb2ff7cefae |
memory/1428-35-0x00000000006C0000-0x00000000006FE000-memory.dmp
memory/1428-42-0x0000000002450000-0x0000000002451000-memory.dmp
memory/1428-41-0x00000000006C0000-0x00000000006FE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3075474.exe
| MD5 | 7dec748a03906160dfe516141a43e841 |
| SHA1 | 2078f0c87593907a7a4acade058838878324e062 |
| SHA256 | 5ba4774ca85ec41c74081da5ff04c679e4bc6b846e43a9a913d1fdc753673baa |
| SHA512 | e6e1dcb78200ebb571865286d46052f6c901ebb3b7b34b8a0f81cb9c78bd33ab2e088ab6ac91fcd0729abcbddd09e19a236e4d3d3a2456bdffb185b5c231eb16 |
memory/2176-48-0x0000000000F00000-0x0000000000F0A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c7127075.exe
| MD5 | fbf0c53dbe9d08426544a73809b99663 |
| SHA1 | 8a69324d6cec182396da32e1d1225142b51d891a |
| SHA256 | 69ed32190d50c45e26723f296ae93ce4cc32ae1e2a13d5268c15b5224e31c0a1 |
| SHA512 | bb37e0c38cd128a48453223af82e8965b5dfa007b79a80ba015a12089ade1f29553eaa20b53afaa558396e4a670bbfdecc4263b728f364096820f61d55a8e057 |
memory/4612-53-0x0000000001F80000-0x000000000200C000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\System.dll.log
| MD5 | 916851e072fbabc4796d8916c5131092 |
| SHA1 | d48a602229a690c512d5fdaf4c8d77547a88e7a2 |
| SHA256 | 7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d |
| SHA512 | 07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521 |
Analysis: behavioral3
Detonation Overview
Submitted
2024-05-09 15:28
Reported
2024-05-09 15:31
Platform
win10v2004-20240508-en
Max time kernel
142s
Max time network
151s
Command Line
Signatures
Amadey
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p0325083.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p0325083.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p0325083.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p0325083.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p0325083.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p0325083.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r8518801.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5122173.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p0325083.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r8518801.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\t6871409.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p0325083.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\291dafd2314b673e9b81ee6bd583911db702f910a342dc716c49ce5922bcefe9.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5122173.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p0325083.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p0325083.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p0325083.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\291dafd2314b673e9b81ee6bd583911db702f910a342dc716c49ce5922bcefe9.exe
"C:\Users\Admin\AppData\Local\Temp\291dafd2314b673e9b81ee6bd583911db702f910a342dc716c49ce5922bcefe9.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5122173.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5122173.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p0325083.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p0325083.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r8518801.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r8518801.exe
C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe
"C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\t6871409.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\t6871409.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legola.exe /TR "C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legola.exe" /P "Admin:N"&&CACLS "legola.exe" /P "Admin:R" /E&&echo Y|CACLS "..\ebb444342c" /P "Admin:N"&&CACLS "..\ebb444342c" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "legola.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "legola.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\ebb444342c" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\ebb444342c" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe
C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe
C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe
C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe
Network
| Country | Destination | Domain | Proto |
| SE | 5.42.92.67:80 | | tcp |
| FI | 77.91.124.84:19071 | | tcp |
| FI | 77.91.124.84:19071 | | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| SE | 5.42.92.67:80 | | tcp |
| FI | 77.91.124.84:19071 | | tcp |
| SE | 5.42.92.67:80 | | tcp |
| FI | 77.91.124.84:19071 | | tcp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| FI | 77.91.124.84:19071 | | tcp |
| FI | 77.91.124.84:19071 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5122173.exe
| MD5 | 7a4f386b3f970a49ff029fb30c6a4fa6 |
| SHA1 | 3f00f04552f530acabbceff7efc92bc6b183adf0 |
| SHA256 | 05cd256ee302eae28d56eefb16769d804ab1f5e1b7139a66326424e0f57d828f |
| SHA512 | 4bced7ddf5e041e9856e625ba5bb04a0308d2f2628817f49e03176095f5b161e505e11d82bc0e79e4a3b78149164e242757e0ab7940da40a1d29807707bcadd3 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p0325083.exe
| MD5 | 6c98170d0c9c87557809d76e3100fc77 |
| SHA1 | b882e2a85d27983ad9a5426247b38d1166348ef2 |
| SHA256 | 8ba8f5ed83112bcd9d068b859be2909df8e495bf9aedaae69207cbef1e4a4dd2 |
| SHA512 | 24f97d2a55f3f763d336ddab65c708ee4878cc511be9b9971e6ed416462e2a4fce1cd2d6a4883f037527e92d3221e6b1791cd7a8b2e9953bb20c23e913b6a088 |
memory/5072-15-0x0000000000CD0000-0x0000000000CDA000-memory.dmp
memory/5072-14-0x00007FFB79123000-0x00007FFB79125000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r8518801.exe
| MD5 | 18287e3811909c07a3c9a83fee583ff4 |
| SHA1 | e23b57a71eb77aad1ed53f41e8d71f8f3cee2329 |
| SHA256 | 659097b813a97ae1fd10b02af8bc7c7e00e0e173eaf74c98018d8845606c047e |
| SHA512 | 1814baa2b58779e2bb6a3548ea54d0afc6ddfeaab11716c36655af0697cbb7537ad0a1b99c5f75aa29137cf2d339ab1e8501aebee1f0ded5726ad46d8abc7bad |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\t6871409.exe
| MD5 | 970e3821ef9afd1524f5b33eaea8e55e |
| SHA1 | aa2b5030fb5b5f25444fb93ca4898e221cb1aff8 |
| SHA256 | 1b35e9e69ec0b6d0ade01d02b0286aaa650de52baa762f4ca16ae7883cd7f383 |
| SHA512 | f18a1f9cae5adfff1db15494b95e9fc38bff58c3b8a04c7cf5fb78fc7d2a178e63bf5295d6736f1cff47630f57e489eff102c2ea83abdd7067bb41d2479ea3cb |
Analysis: behavioral6
Detonation Overview
Submitted
2024-05-09 15:28
Reported
2024-05-09 15:31
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
154s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\499d652934b65eebaaa2d82a49a8810d8dbc1d3feb82c20d3193b41d1d599648.exe
"C:\Users\Admin\AppData\Local\Temp\499d652934b65eebaaa2d82a49a8810d8dbc1d3feb82c20d3193b41d1d599648.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.121.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.65.42.20.in-addr.arpa | udp |
Files
Analysis: behavioral9
Detonation Overview
Submitted
2024-05-09 15:28
Reported
2024-05-09 15:31
Platform
win10v2004-20240508-en
Max time kernel
145s
Max time network
155s
Command Line
Signatures
Amadey
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p9430155.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p9430155.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p9430155.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p9430155.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p9430155.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p9430155.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r5492609.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5418005.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p9430155.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r5492609.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\t1301951.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p9430155.exe | N/A |
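The two registry tables above (the Real-Time Protection policy values set to 1 and the TamperProtection feature value set to 0) are the whole Healer signature. The script below is an added example, not part of the sandbox report or any vendor tooling: it takes rows in the same shape as the tables, folds the WOW6432Node and 64-bit views of the policy key onto one rule, and gives a per-process verdict. The DisableAntiSpyware rule goes slightly beyond this report, which never shows that value; the sample rows are copied from the tables above plus one WOW6432Node-view row in the style of the later analyses on this page.

```python
"""Flag Healer-style Windows Defender tampering in sandbox registry events.

Added example, not part of the sandbox report or of any vendor's tooling. It
consumes (action, indicator, process) rows shaped like the registry tables
above and reports, per process, which Defender protections were switched off.
"""
import re
from collections import defaultdict

PROC = r"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p9430155.exe"
PROC32 = r"C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a3037363.exe"
RT = r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
RT32 = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection"
FEAT = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features"

# Constructed sample: rows copied from the two Defender tables above, plus one
# WOW6432Node-view row in the style of the later analyses on this page.
SAMPLE_EVENTS = [
    ("Set value (int)", RT + r'\DisableOnAccessProtection = "1"', PROC),
    ("Set value (int)", RT + r'\DisableRealtimeMonitoring = "1"', PROC),
    ("Set value (int)", RT + r'\DisableScanOnRealtimeEnable = "1"', PROC),
    ("Key created", RT, PROC),
    ("Set value (int)", RT + r'\DisableBehaviorMonitoring = "1"', PROC),
    ("Set value (int)", RT + r'\DisableIOAVProtection = "1"', PROC),
    ("Set value (int)", FEAT + r'\TamperProtection = "0"', PROC),
    ("Set value (int)", RT32 + r'\DisableRealtimeMonitoring = "1"', PROC32),
]

_VALUE_RE = re.compile(r'^(?P<key>.+)\\(?P<name>[^\\]+) = "(?P<value>.*)"$')

# Normalised, lower-cased key paths the rules compare against.
RT_POLICY = r"hklm\software\policies\microsoft\windows defender\real-time protection"
AV_POLICY = r"hklm\software\policies\microsoft\windows defender"
FEATURES = r"hklm\software\microsoft\windows defender\features"


def normalize_key(path):
    """Rewrite the sandbox's native hive prefix to HKLM/HKU and fold the
    WOW6432Node view onto the 64-bit view so both spellings hit one rule."""
    path = re.sub(r"^\\REGISTRY\\MACHINE\\", r"HKLM\\", path, flags=re.I)
    path = re.sub(r"^\\REGISTRY\\USER\\", r"HKU\\", path, flags=re.I)
    path = re.sub(r"\\WOW6432Node(?=\\)", "", path, flags=re.I)
    return path


def classify(action, indicator):
    """Return a finding tag for one registry row, or None if it is not a
    Defender-weakening write. A logged write is only an attempt: with tamper
    protection active, the Features write in particular may not have stuck."""
    if not action.lower().startswith("set value"):
        return None
    m = _VALUE_RE.match(indicator)
    if not m:
        return None
    key = normalize_key(m["key"]).lower()
    name, value = m["name"], m["value"]
    if key == RT_POLICY and name.lower().startswith("disable") and value == "1":
        return "realtime:" + name
    if key == AV_POLICY and name.lower() == "disableantispyware" and value == "1":
        return "policy:DisableAntiSpyware"  # common sibling, not seen in this report
    if key == FEATURES and name.lower() == "tamperprotection" and value == "0":
        return "tamper_protection:off"
    return None


def summarize(events):
    """Map each process to the sorted set of Defender findings it produced."""
    by_proc = defaultdict(set)
    for action, indicator, process in events:
        tag = classify(action, indicator)
        if tag:
            by_proc[process].add(tag)
    return {proc: sorted(tags) for proc, tags in by_proc.items()}


def verdict(tags):
    """Healer-like when most real-time switches are flipped, or when any
    real-time switch is flipped together with the tamper-protection write."""
    realtime = sum(t.startswith("realtime:") for t in tags)
    tamper = "tamper_protection:off" in tags
    if realtime >= 3 or (realtime and tamper):
        return "healer-like"
    return "suspicious" if tags else "clean"


if __name__ == "__main__":
    for proc, tags in summarize(SAMPLE_EVENTS).items():
        print(f"{verdict(tags):12} {proc}")
        for tag in tags:
            print("    ", tag)
```

On a live host the same switches can be read back with `Get-MpPreference`; a policy value under `HKLM\SOFTWARE\Policies` wins over the user-facing setting, which is why Healer writes there rather than toggling the UI.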
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\4fbcb0a2f45aaeb44239e2e00233d34f6efb6c46aa551acf21567602c1b83573.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5418005.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p9430155.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p9430155.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p9430155.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\4fbcb0a2f45aaeb44239e2e00233d34f6efb6c46aa551acf21567602c1b83573.exe
"C:\Users\Admin\AppData\Local\Temp\4fbcb0a2f45aaeb44239e2e00233d34f6efb6c46aa551acf21567602c1b83573.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5418005.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5418005.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p9430155.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p9430155.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r5492609.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r5492609.exe
C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe
"C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\t1301951.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\t1301951.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legola.exe /TR "C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legola.exe" /P "Admin:N"&&CACLS "legola.exe" /P "Admin:R" /E&&echo Y|CACLS "..\ebb444342c" /P "Admin:N"&&CACLS "..\ebb444342c" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "legola.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "legola.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\ebb444342c" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\ebb444342c" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe
C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe
C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe
C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe
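The last part of the process list above is the Amadey persistence chain: a scheduled task that re-launches the copied payload every minute from a random-named folder beside the IXP00n.TMP directories where the nested wextract stages unpack, followed by CACLS calls that first replace the ACL on the file and its folder with a full deny for the current user and then edit it back to read-only, so the user cannot simply delete or overwrite the copy. The parser below is an added example, not part of the report; it reconstructs that chain from command lines shaped like the ones above (the sample lines are copied from the list) and flags the combination. The 5-minute interval threshold and the `\AppData\Local\Temp\` marker are assumptions to tune.

```python
"""Spot the Amadey-style schtasks + CACLS persistence chain in process command lines.

Added example, not part of the sandbox report. It parses command lines shaped
like the Processes list above: a scheduled task that re-launches a dropped
executable every minute, and CACLS calls that deny the user all access to the
file and its folder, then re-grant read-only.
"""
import re

# Constructed sample: command lines copied from the Processes list above.
SAMPLE_CMDLINES = [
    r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legola.exe /TR "C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe" /F',
    r'"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legola.exe" /P "Admin:N"&&CACLS "legola.exe" /P "Admin:R" /E&&echo Y|CACLS "..\ebb444342c" /P "Admin:N"&&CACLS "..\ebb444342c" /P "Admin:R" /E&&Exit',
    r'C:\Windows\system32\cmd.exe /S /D /c" echo Y"',
    r'CACLS "legola.exe" /P "Admin:N"',
    r'CACLS "legola.exe" /P "Admin:R" /E',
]

_TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')
_CMD_RE = re.compile(r'^\s*"?(?:[^"\s]*\\)?cmd\.exe"?\s+/[kc]\s+(.*)$', re.I)
TEMP_MARKER = "\\appdata\\local\\temp\\"  # assumption: where droppers stage payloads
MAX_INTERVAL_MIN = 5                        # assumption: "beacon-like" task period


def tokenize(cmdline):
    """Split a Windows command line on whitespace, honouring double quotes."""
    return [m.group(1) if m.group(1) is not None else m.group(2)
            for m in _TOKEN_RE.finditer(cmdline)]


def expand(cmdline):
    """Unroll `cmd.exe /k|/c a && b | c` into its sub-commands; other lines pass through."""
    m = _CMD_RE.match(cmdline)
    if not m:
        return [cmdline]
    parts = re.split(r"\s*(?:&&|\|\||\||&)\s*", m.group(1))
    return [p for p in parts if p.strip()]


def parse_schtasks(toks):
    """Return the /Create options of a schtasks command line, or None."""
    if not toks or not toks[0].lower().endswith("schtasks.exe"):
        return None
    opts, i = {}, 1
    while i < len(toks):
        flag = toks[i].upper()
        if flag.startswith("/") and i + 1 < len(toks) and not toks[i + 1].startswith("/"):
            opts[flag] = toks[i + 1]
            i += 2
        else:
            opts[flag] = True
            i += 1
    if "/CREATE" not in opts:
        return None
    text = lambda key: opts.get(key) if isinstance(opts.get(key), str) else None
    sched, mod = (text("/SC") or "").upper(), text("/MO") or ""
    return {
        "name": text("/TN"),
        "target": text("/TR"),
        "interval_minutes": int(mod) if sched == "MINUTE" and mod.isdigit() else None,
        "force": "/F" in opts,
    }


def parse_cacls(toks):
    """Return the target and /P user:perm [/E] of a CACLS call, or None."""
    head = toks[0].lower().rsplit("\\", 1)[-1]
    if head not in ("cacls", "cacls.exe") or len(toks) < 4:
        return None
    for i, tok in enumerate(toks):
        if tok.upper() == "/P" and i + 1 < len(toks) and ":" in toks[i + 1]:
            user, perm = toks[i + 1].rsplit(":", 1)
            edit = any(t.upper() == "/E" for t in toks)
            return {"target": toks[1], "user": user, "perm": perm.upper(), "edit": edit}
    return None


def _is_lockdown(seq):
    """True once a replace-ACL full deny (/P user:N) is followed by a read-only edit (/P user:R /E)."""
    denied = False
    for perm, edit in seq:
        if perm == "N" and not edit:
            denied = True
        elif denied and perm == "R" and edit:
            return True
    return False


def assess(cmdlines):
    """Collect tasks and ACL edits, then pair a rapid task with a locked-down target."""
    tasks, acl_seq = [], {}
    for line in cmdlines:
        for sub in expand(line):
            toks = tokenize(sub)
            if not toks:
                continue
            task = parse_schtasks(toks)
            if task:
                tasks.append(task)
                continue
            acl = parse_cacls(toks)
            if acl:
                acl_seq.setdefault(acl["target"].lower(), []).append((acl["perm"], acl["edit"]))
    rapid = [t for t in tasks if t["interval_minutes"] is not None
             and t["interval_minutes"] <= MAX_INTERVAL_MIN
             and t["target"] and TEMP_MARKER in t["target"].lower()]
    locked = sorted(tgt for tgt, seq in acl_seq.items() if _is_lockdown(seq))
    locked_names = {p.rsplit("\\", 1)[-1] for p in locked}
    amadey_like = any(t["target"].lower().rsplit("\\", 1)[-1] in locked_names for t in rapid)
    return {"tasks": tasks, "rapid_temp_tasks": rapid, "locked_paths": locked, "amadey_like": amadey_like}


if __name__ == "__main__":
    print(assess(SAMPLE_CMDLINES))
```

The CACLS relative paths (`legola.exe`, `..\ebb444342c`) are resolved against the working directory of the cmd.exe child, which is why the parser matches on basenames rather than full paths.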
Network
| Country | Destination | Domain | Proto |
| SE | 5.42.92.67:80 | | tcp |
| FI | 77.91.68.68:19071 | | tcp |
| FI | 77.91.68.68:19071 | | tcp |
| SE | 5.42.92.67:80 | | tcp |
| FI | 77.91.68.68:19071 | | tcp |
| SE | 5.42.92.67:80 | | tcp |
| FI | 77.91.68.68:19071 | | tcp |
| FI | 77.91.68.68:19071 | | tcp |
| FI | 77.91.68.68:19071 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5418005.exe
| MD5 | e49f20e120b351d247a3626f4fbf176b |
| SHA1 | 42692af535e023d014dc59cecb1a98d38382f71f |
| SHA256 | e3e33451a995d8947da9f4d6e4ffb6df566fcc0d0b6ae342b03b2d7732117ed8 |
| SHA512 | 07e05b4aa5fa600714bb7d73539387b5b9aa18040c1fd027329405abc4d9587d1defc910aa371429ff133f10a8e5d437a917ca4f455a8fa70a19f6144351ad8a |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p9430155.exe
| MD5 | d856e2a54c40acf61645d4fc57858e06 |
| SHA1 | 4adda083305872bca81e5bcbe8b919870021ebf7 |
| SHA256 | b037083ba5bd964e0da761a64efa0793fa1141cc3213a0dddeb2d0ba0fc9f13b |
| SHA512 | 78d7c7912a9c551f6177a93704f29671bb84f5dee90705313881236dbff948a297f780c9d4fde102e91f28fc3dbe4d1b9f2f6a634d00e2319da17eea1d4c6caf |
memory/1808-14-0x00007FFD61033000-0x00007FFD61035000-memory.dmp
memory/1808-15-0x00000000000C0000-0x00000000000CA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r5492609.exe
| MD5 | 783083e6c9816b1112c31a2a5921565a |
| SHA1 | 74060d022fbee34f9c3349f534342baf0425ec48 |
| SHA256 | f9077e17260577e42c0b09d55c9e173f28f06e054fcedcdff2141de81f8c7646 |
| SHA512 | ae93484ed26ce7e6717d54c2734eaaeebfe760604adc0ce62b9fd6ff5313b9cc25c2a6a4a034a18b1d436269d63382cd85428a72d78c0418b9450c975129a08f |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\t1301951.exe
| MD5 | 932ca9a7128632211c16057323fde623 |
| SHA1 | 1c92154c5c71e5d381a2915d17a6bb7f09db6a7b |
| SHA256 | ede47de65ed2c68e25ca49820dc425066f61d0e83c5fe05987e2741320787ff8 |
| SHA512 | b7e20e60734f73220c196b6d7140add8db458f282452a71585d85114316c6903dc04d756aafa1f2bf4536b35938d9cbad4f22690890a6f066825916690461294 |
memory/2340-33-0x0000000000490000-0x00000000004C0000-memory.dmp
memory/2340-34-0x00000000027E0000-0x00000000027E6000-memory.dmp
memory/2340-35-0x0000000005570000-0x0000000005B88000-memory.dmp
memory/2340-36-0x0000000005060000-0x000000000516A000-memory.dmp
memory/2340-37-0x0000000004F70000-0x0000000004F82000-memory.dmp
memory/2340-38-0x0000000004FD0000-0x000000000500C000-memory.dmp
memory/2340-39-0x0000000005010000-0x000000000505C000-memory.dmp
Analysis: behavioral20
Detonation Overview
Submitted
2024-05-09 15:28
Reported
2024-05-09 15:31
Platform
win10v2004-20240508-en
Max time kernel
147s
Max time network
151s
Command Line
Signatures
Amadey
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a3037363.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7830559.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7830559.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7830559.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a3037363.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a3037363.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a3037363.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7830559.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7830559.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a3037363.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a3037363.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7830559.exe | N/A |
SmokeLoader
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d7235466.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0356475.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0049823.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v6232922.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a3037363.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7830559.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c8174554.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d7235466.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e5765358.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a3037363.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a3037363.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7830559.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\e6baad5a7e5385bc92311bc785faeabed25354b22d90f6422ffc65d07a913c5c.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0356475.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0049823.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v6232922.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c8174554.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e5765358.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e5765358.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e5765358.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a3037363.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a3037363.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7830559.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7830559.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a3037363.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7830559.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\e6baad5a7e5385bc92311bc785faeabed25354b22d90f6422ffc65d07a913c5c.exe
"C:\Users\Admin\AppData\Local\Temp\e6baad5a7e5385bc92311bc785faeabed25354b22d90f6422ffc65d07a913c5c.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0356475.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0356475.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0049823.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0049823.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v6232922.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v6232922.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a3037363.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a3037363.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7830559.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7830559.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c8174554.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c8174554.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1652 -ip 1652
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1652 -s 136
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d7235466.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d7235466.exe
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
"C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e5765358.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e5765358.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN danke.exe /TR "C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "danke.exe" /P "Admin:N"&&CACLS "danke.exe" /P "Admin:R" /E&&echo Y|CACLS "..\3ec1f323b5" /P "Admin:N"&&CACLS "..\3ec1f323b5" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "danke.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "danke.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\3ec1f323b5" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\3ec1f323b5" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| BE | 2.17.196.99:443 | www.bing.com | tcp |
| BE | 2.17.196.99:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.196.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| FI | 77.91.68.3:80 | | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| FI | 77.91.68.3:80 | | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| FI | 77.91.68.3:80 | | tcp |
| FI | 77.91.68.3:80 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0356475.exe
| MD5 | f382efdfc967e54ad6d69d654a1f6dbd |
| SHA1 | a658e94051eff667f98b7bb3490d84f663d4d225 |
| SHA256 | 522d181c4776d45f68a55cb460a37e655b2aceefce4f3008e6a7310bb940cfb9 |
| SHA512 | d882b887c13a8b07ff67f041ebede7d436701e950ad089e1ad9e196f90ca45cb03d0599ce8ad3cb177243e76f85b9e022d202f3dc67ab78c812e20a9c7ef021f |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0049823.exe
| MD5 | 07e1bbd66441aa75478099202da495db |
| SHA1 | 22fccd9668ec761dc23a0718b69709fba1be9f29 |
| SHA256 | 25bda4872402b7cfc2bdea4230b3b812ef40966bf1c036b75d83ad8fc7b8a822 |
| SHA512 | 717957d512f226d7e5724688b19880653dd68cc468337163436c8a3315940cf9c3045b5332996a158205e8307a1974508b1a60ab0c0ecd67811afceb2b841d40 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v6232922.exe
| MD5 | 6f9872b9ee277485776014b2ae724bf8 |
| SHA1 | 4fd191fdb208519b10f91057ea10bb0508a08a8e |
| SHA256 | 3c7191c67465c0d47fa12894187819a08cc1f99661d5d6e223beac8bbc17efdc |
| SHA512 | 426c890041e088afb012efd7d8188632c1831d24f8755575c1f20ed21fc70ace742dcd8baa98ae2504e93a5837a70bf762dee2894705f3b9ba47d623fb629639 |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a3037363.exe
| MD5 | 2c0ec464007c2e5047ac97046169069a |
| SHA1 | b80ac13ca4381cf9508e7ed9089200b769e5c233 |
| SHA256 | 7461bee1038fcaf654fa8fcb046fb22259bb71b17dd6b89acc130803a910cebc |
| SHA512 | 6766d09e99452a0bee7c52b106f8b5bbc8505b78834cec02f8677228581025d23d9f637782b9ac84b9df9055c2969e8486608f93616384188317132b9a97b55a |
memory/1888-28-0x0000000000500000-0x000000000050A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7830559.exe
| MD5 | 7e93bacbbc33e6652e147e7fe07572a0 |
| SHA1 | 421a7167da01c8da4dc4d5234ca3dd84e319e762 |
| SHA256 | 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38 |
| SHA512 | 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91 |
memory/1964-37-0x00000000009D0000-0x00000000009DA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c8174554.exe
| MD5 | d640ffc91c33fe1ca15aadd7c5e4a247 |
| SHA1 | a89733a4c9e64cc2fe281b441f093a09444326bf |
| SHA256 | 7ffcb35638bf8d254780433c98684c16a1a063aeab92014256802d20c8feff6a |
| SHA512 | 5ec3532d3dd62810d06453d0ad394613d07e4118719b0f7d8dd58822cbbd76721696c8a7d18a08942fff523253d7ea39473aeead659d567996d8b523c1d14be9 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d7235466.exe
| MD5 | 8c6b79ec436d7cf6950a804c1ec7d3e9 |
| SHA1 | 4a589d5605d8ef785fdc78b0bf64e769e3a21ad6 |
| SHA256 | 4e1377f9874f333dcb0b1b758e3131949e667fc39aadf3091e4e3b7cdbaeef1d |
| SHA512 | 06f2de433876963bb7bbddbe93cab0b7dd22164d1c10726294445944dcf5fa4a0fb450fc683c32565177a81a6103f6a5f11d291958bc7fcff7fdb9cf41a001ce |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e5765358.exe
| MD5 | 35a15fad3767597b01a20d75c3c6889a |
| SHA1 | eef19e2757667578f73c4b5720cf94c2ab6e60c8 |
| SHA256 | 90ccd84f28e4dd03fb70b8739c4636acbcf8a030404b5a24264afd1acd09ecbc |
| SHA512 | c1ea2659e28130f00869391a33dfdc2a763a710a56de2acaa6c71caa9c1eb5809e7ca1dfa1620ac5c3174052d3e277b832853a137a4663483855295fdab23577 |
memory/4608-58-0x0000000000400000-0x0000000000409000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-09 15:28
Reported
2024-05-09 15:31
Platform
win10v2004-20240426-en
Max time kernel
148s
Max time network
156s
Command Line
Signatures
Amadey
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k6278655.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k6278655.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k6278655.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k6278655.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k6278655.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k6278655.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l9513237.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9893320.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k6278655.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l9513237.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n7607885.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k6278655.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9893320.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\22c5bd0a3e3c03e512f45c0ebd81b9cf7695279360a1c40cec90cf3efea5f219.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k6278655.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k6278655.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k6278655.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\22c5bd0a3e3c03e512f45c0ebd81b9cf7695279360a1c40cec90cf3efea5f219.exe
"C:\Users\Admin\AppData\Local\Temp\22c5bd0a3e3c03e512f45c0ebd81b9cf7695279360a1c40cec90cf3efea5f219.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9893320.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9893320.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k6278655.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k6278655.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l9513237.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l9513237.exe
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
"C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n7607885.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n7607885.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN danke.exe /TR "C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "danke.exe" /P "Admin:N"&&CACLS "danke.exe" /P "Admin:R" /E&&echo Y|CACLS "..\3ec1f323b5" /P "Admin:N"&&CACLS "..\3ec1f323b5" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "danke.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "danke.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\3ec1f323b5" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\3ec1f323b5" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| BE | 2.17.196.137:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 137.196.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| BE | 2.17.196.137:443 | www.bing.com | tcp |
| FI | 77.91.68.68:19071 | | tcp |
| FI | 77.91.68.3:80 | | tcp |
| FI | 77.91.68.68:19071 | | tcp |
| FI | 77.91.68.3:80 | | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| FI | 77.91.68.68:19071 | | tcp |
| FI | 77.91.68.3:80 | | tcp |
| FI | 77.91.68.68:19071 | | tcp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| FI | 77.91.68.3:80 | | tcp |
| FI | 77.91.68.68:19071 | | tcp |
| FI | 77.91.68.3:80 | | tcp |
| FI | 77.91.68.68:19071 | | tcp |
| US | 8.8.8.8:53 | 136.71.105.51.in-addr.arpa | udp |
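The Network table above mixes three kinds of traffic: resolver queries to 8.8.8.8 (including the reverse lookups the sandbox image performs on its own), Bing/Microsoft background connections from the Windows image, and repeated direct-to-IP TCP connections that carry no DNS name at all (77.91.68.68:19071 and 77.91.68.3:80 here). The script below is an added example, not part of the report: it parses rows in the table's shape, tolerates the export quirk where an empty Domain cell lets the protocol slide one column left, and ranks the direct-to-IP endpoints by how often they recur. The background-hostname suffix list is an assumption to tune per sandbox; the sample rows are copied from the table above.

```python
"""Separate sandbox background traffic from direct-to-IP C2 candidates in a
sandbox network table.

Added example, not part of the report. Rows look like
    | Country | Destination | Domain | Proto |
and an empty Domain cell may leave the protocol in the Domain column.
"""
import re
from collections import Counter

# Constructed sample: rows copied from the Network table above, including the
# shifted-column and missing-trailing-cell variants that appear in exports.
SAMPLE_ROWS = """
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| BE | 2.17.196.137:443 | www.bing.com | tcp |
| FI | 77.91.68.68:19071 | tcp | |
| FI | 77.91.68.3:80 | tcp | |
| FI | 77.91.68.68:19071 | | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| FI | 77.91.68.3:80 | tcp |
""".strip().splitlines()

PROTOS = {"tcp", "udp"}
# Assumption: hostnames the Windows sandbox image contacts on its own.
BACKGROUND_SUFFIXES = (".bing.com", ".bing.net", ".in-addr.arpa",
                       ".microsoft.com", ".windowsupdate.com")
_DEST_RE = re.compile(r"^(?P<ip>[\d.]+|\[[0-9a-fA-F:]+\]):(?P<port>\d+)$")


def parse_row(line):
    """Return a dict for one data row, or None for headers, separators and blanks."""
    cells = [c.strip() for c in line.strip().strip("|").split("|")]
    if len(cells) < 3 or cells[0] == "Country" or set(cells[0]) <= set("-"):
        return None
    country, dest = cells[0], cells[1]
    rest = [c for c in cells[2:] if c]            # drop empty cells, wherever they sit
    proto = next((c.lower() for c in rest if c.lower() in PROTOS), "")
    domain = next((c for c in rest if c.lower() not in PROTOS), "")
    m = _DEST_RE.match(dest)
    if not m:
        return None
    return {"country": country, "ip": m["ip"], "port": int(m["port"]),
            "domain": domain, "proto": proto}


def categorize(row):
    """'dns' for resolver traffic, 'background' for known image noise,
    'direct-ip' for connections with no DNS name, 'named' for the rest."""
    if row["port"] == 53 and row["proto"] == "udp":
        return "dns"
    if row["domain"].lower().endswith(BACKGROUND_SUFFIXES):
        return "background"
    if not row["domain"]:
        return "direct-ip"
    return "named"


def triage(lines):
    """Bucket every row and count repeats, so a re-contacted ip:port stands out."""
    buckets = {k: Counter() for k in ("dns", "background", "named", "direct-ip")}
    for line in lines:
        row = parse_row(line)
        if row is None:
            continue
        key = f"{row['ip']}:{row['port']}/{row['proto'] or '?'}"
        if row["domain"]:
            key += f" ({row['domain']})"
        buckets[categorize(row)][key] += 1
    return buckets


def c2_candidates(lines, min_hits=2):
    """Direct-to-IP endpoints contacted at least min_hits times, most frequent first."""
    direct = triage(lines)["direct-ip"]
    return sorted(((k, n) for k, n in direct.items() if n >= min_hits),
                  key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for bucket, hits in triage(SAMPLE_ROWS).items():
        print(bucket, dict(hits))
    print("candidates:", c2_candidates(SAMPLE_ROWS))
```

A repeated direct-to-IP endpoint is a candidate, not a verdict: the report itself only tags it as abuse of a hosting provider, so the next step is to pivot on the destination in the PCAP rather than to block on this count alone.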
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9893320.exe
| MD5 | db38560b159f0e2cce961315b8969044 |
| SHA1 | 913add1383ff200cbf73c5133457f896f1abe9da |
| SHA256 | a4eed61c21e05a58763c3384dc7715692d41c1df587adeec3b4d39964fb3ab2d |
| SHA512 | dad27468bf468456faf57d5215d9c61dad5e12ae3f5e52eeae1641ee1e85a7e83c390995c1eb613656b26f2cac4f88165590c3d7c0d94641139c711b4acb2510 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k6278655.exe
| MD5 | 7e93bacbbc33e6652e147e7fe07572a0 |
| SHA1 | 421a7167da01c8da4dc4d5234ca3dd84e319e762 |
| SHA256 | 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38 |
| SHA512 | 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91 |
memory/1436-14-0x00007FFB469F3000-0x00007FFB469F5000-memory.dmp
memory/1436-15-0x0000000000F00000-0x0000000000F0A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l9513237.exe
| MD5 | 8c6b79ec436d7cf6950a804c1ec7d3e9 |
| SHA1 | 4a589d5605d8ef785fdc78b0bf64e769e3a21ad6 |
| SHA256 | 4e1377f9874f333dcb0b1b758e3131949e667fc39aadf3091e4e3b7cdbaeef1d |
| SHA512 | 06f2de433876963bb7bbddbe93cab0b7dd22164d1c10726294445944dcf5fa4a0fb450fc683c32565177a81a6103f6a5f11d291958bc7fcff7fdb9cf41a001ce |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n7607885.exe
| MD5 | a723640e41b27d3d5ba370a1ad175f8e |
| SHA1 | a96bda541ae35685a92e647d3093e8f45047dc02 |
| SHA256 | 5c6158f58b1083059b7f0802da775c36dccad82939d52de0e815f4d29dc677dd |
| SHA512 | a11529f5b5e7c2f6fc0e4d88b22115355018f18fe456610c2f5cef0f9d2af4892ed3aad930ccae4910b4e4e3d2b95eb13115e7d8f2ce3febc8d9bda3fe0d7791 |
memory/1984-33-0x00000000007C0000-0x00000000007F0000-memory.dmp
memory/1984-34-0x00000000029D0000-0x00000000029D6000-memory.dmp
memory/1984-35-0x0000000005750000-0x0000000005D68000-memory.dmp
memory/1984-36-0x0000000005240000-0x000000000534A000-memory.dmp
memory/1984-37-0x0000000005150000-0x0000000005162000-memory.dmp
memory/1984-38-0x00000000051B0000-0x00000000051EC000-memory.dmp
memory/1984-39-0x00000000051F0000-0x000000000523C000-memory.dmp
Analysis: behavioral8
Detonation Overview
Submitted
2024-05-09 15:28
Reported
2024-05-09 15:31
Platform
win10v2004-20240226-en
Max time kernel
143s
Max time network
167s
Command Line
Signatures
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3677044.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3677044.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3677044.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5137020.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5137020.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5137020.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5137020.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5137020.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5137020.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3677044.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3677044.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3677044.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1426625.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4288450.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0931522.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0829334.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5137020.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3677044.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c1783125.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5137020.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5137020.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3677044.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\4d09936a4a5e882005320c53757dc18469109b9f86d4b6003bb674e1658b0dbf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1426625.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4288450.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0931522.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0829334.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5137020.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5137020.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3677044.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3677044.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5137020.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3677044.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\4d09936a4a5e882005320c53757dc18469109b9f86d4b6003bb674e1658b0dbf.exe
"C:\Users\Admin\AppData\Local\Temp\4d09936a4a5e882005320c53757dc18469109b9f86d4b6003bb674e1658b0dbf.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1426625.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1426625.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4288450.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4288450.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0931522.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0931522.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0829334.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0829334.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5137020.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5137020.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1424 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:8
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3677044.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3677044.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c1783125.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c1783125.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.121.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| GB | 216.58.201.106:443 | chromewebstore.googleapis.com | tcp |
| US | 8.8.8.8:53 | 106.201.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 84.65.42.20.in-addr.arpa | udp |
| FI | 77.91.68.56:19071 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1426625.exe
| MD5 | 0ffebb1f8e07e9e177551ddfe1e5deb3 |
| SHA1 | 126013412bc3d49f5c8e3beafe9cfd92fdf59c65 |
| SHA256 | cd6bdea7c7a6c6ade538cf5d4567881d67e82dd72d473179cb47986367bae628 |
| SHA512 | 1a23a319a9d8c4f025ede357e008d6ee0a656f88e7efa0901a46eef7b6c56248dad5a4b251f82b3d7c1aa73562ff5fa00e5ae2f9262554232badebe4dc71918a |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4288450.exe
| MD5 | 05b31cc1f873f663da8a3673ee1c1e70 |
| SHA1 | da64bfd433ce785b9d26fb0f6fe4883d9d790b09 |
| SHA256 | 2a5782027e95953e6a505c58e691fc2324135b202c38c437ad4dc8ced47a2feb |
| SHA512 | d902b06aebe522c883f782dd299f57d3d1925ab3e4955b8ce6882e53523bd63b9d3f35b8c0f0c6ad8aea0a5e9f9e3ad01fd2bc2096dbe62196ce38bb0f6f40d8 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0931522.exe
| MD5 | 50f2ebe7886d7ecf35f81f720ac270ed |
| SHA1 | 59f616bc7d655575d54e58c256de026dd0c82c6e |
| SHA256 | e127f2e8fb3406e6ce6497ebf04e41c01b95f4a7c2d3c89ecc5fe462dfa62ffd |
| SHA512 | d685afabb0bb488b1d6d0c3d69b0175593658f5920d25841086759be73ed79ee426883485013fa5b6f5398372c36145c559404ac7892e559d75846fbaf5adf44 |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0829334.exe
| MD5 | c045adc356c9935a873d1cd91cd54989 |
| SHA1 | 06b1b8c34e396a09a69a425af0f8b00671a4f953 |
| SHA256 | bb2374a0251dd291e217e7c74eac6881cc229a2778ba0047f54e014bebc75a62 |
| SHA512 | bcab8a6331c4ceb7beeff395fc6d3b8d0ae7e1ae3ea0c45692870aad586563ed8313d24b02d45c69cb0496f7115f6580422637edcb4c188575960819e86f54f0 |
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5137020.exe
| MD5 | c43930fbf73244831a96682aba907e8c |
| SHA1 | 44db4ec9c11a04d56d2bfab7f993abf37a23e6fe |
| SHA256 | 9beeaf6651baa5e2597a933df6eee18cf168ba41865e18001185613e0949bba3 |
| SHA512 | 6cb91d5c9317f693a04eec12cddef55760619ed65944df60986b009eb1c782833d121788d4352519e6391bed2a06f0f602b1f4a753623c7ac92dd0440dd307af |
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3677044.exe
| MD5 | f77d78af12b9628421ed4e1dfb7deb13 |
| SHA1 | 9b6fa06af3564e2fe4724d8b5ebfdfd2a7ec0fd5 |
| SHA256 | 10d806abe4d088bbb95c43a04c91f68a10888bd256de9c9a58c4c7642a9572ab |
| SHA512 | 6c01f44fdb412a58a19ddb4caf73a502a5aae10aecb959a67142ab267ef6732a7e5e6346c1a5ce5aa52823ae5b50372c083e4e59f650c835a38c75d334303e00 |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c1783125.exe
| MD5 | 1bc0f3239045d44d169496f3b247f881 |
| SHA1 | 1884266973607585ec1b134f6009c17e54f3b18f |
| SHA256 | 8d09dd356bd29f5d38121849999e828d955e116d03542444d0b4f40073596e7f |
| SHA512 | dc3a2358d4d2613bb82c60362c409590a8699d53625efd9fd8b853f5e19afed07c798cf66b59d38bd526a80559bc4cc486b23b0f40f3fb120bd61a67946f87a9 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\System.dll.log
| MD5 | 916851e072fbabc4796d8916c5131092 |
| SHA1 | d48a602229a690c512d5fdaf4c8d77547a88e7a2 |
| SHA256 | 7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d |
| SHA512 | 07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521 |
Analysis: behavioral17
Detonation Overview
Submitted
2024-05-09 15:28
Reported
2024-05-09 15:31
Platform
win10v2004-20240426-en
Max time kernel
149s
Max time network
154s
Command Line
Signatures
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a3946096.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a3946096.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b9970516.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b9970516.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b9970516.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b9970516.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b9970516.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a3946096.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a3946096.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a3946096.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a3946096.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b9970516.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8090310.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9647761.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8497582.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a3946096.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b9970516.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c0603818.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a3946096.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a3946096.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b9970516.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8497582.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\80ada740ebfd0573ea8825fc2b499a0d326897ebf254fc015852802a58a05452.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8090310.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9647761.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a3946096.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a3946096.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b9970516.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b9970516.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a3946096.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b9970516.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\80ada740ebfd0573ea8825fc2b499a0d326897ebf254fc015852802a58a05452.exe
"C:\Users\Admin\AppData\Local\Temp\80ada740ebfd0573ea8825fc2b499a0d326897ebf254fc015852802a58a05452.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8090310.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8090310.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9647761.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9647761.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8497582.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8497582.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a3946096.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a3946096.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b9970516.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b9970516.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c0603818.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c0603818.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| BE | 2.17.196.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.196.17.2.in-addr.arpa | udp |
| BE | 2.17.196.97:443 | www.bing.com | tcp |
| FI | 77.91.68.48:19071 | | tcp |
| FI | 77.91.68.48:19071 | | tcp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| FI | 77.91.68.48:19071 | | tcp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| FI | 77.91.68.48:19071 | | tcp |
| FI | 77.91.68.48:19071 | | tcp |
| US | 8.8.8.8:53 | 109.116.69.13.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8090310.exe
| MD5 | 38c200369a04519fac5b3dcf4ebff331 |
| SHA1 | ff91709a4270db05e8dc066f98b4183a934b3dfd |
| SHA256 | 9a0a6c0da259644cdffc971f307aa355c30e2f3b3b5432a1cc160833657d7cb9 |
| SHA512 | d4fa2fb01a1971560c29a4a8d3e31924477f17f43befd56cd872b011200937dcf55adf9da65a214fa2f358f5b398ef205303052b7474dde41a06ae48a0199eb7 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9647761.exe
| MD5 | e6bbcdaa2e24195d332b8d33f5c3c735 |
| SHA1 | 18e3f00e89839e508ce56af566b8342c0694ca98 |
| SHA256 | 9b0ce5a11bf7d6a365ddf391615dd64ff0bbb20d7233b2e47daf2969ad665c9d |
| SHA512 | f2816aa283529403bf734ae4a54b95ac65bcdab49d63f8f7ba8c32f0cdc7f0e8f2db78c7ce991956cc3f4dfd03d3a2e53da5b71437f6465b8e4a5e206892a683 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8497582.exe
| MD5 | c311fe993ae5852b8d3884a385443b91 |
| SHA1 | cf3c1b692e6fb7953c200ab5aa9952dc8e898070 |
| SHA256 | 06f50cc8c2530511d29e83c704132b3981d1bd93c70e5c01a79107894ba06ed0 |
| SHA512 | d62ba67a09721def6306f70e27dcedc236ee7fbcf4fecae2e461adcdc93a96e089129a278cde956edf29d9de2b00975144263fabe56e0a50e0ec91adf21c48c4 |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a3946096.exe
| MD5 | 849938a7566cc3392c8de12b3f58e43f |
| SHA1 | 45f699e0713aa0b80ed12d1ce1e1d46e77b03e98 |
| SHA256 | 36d27a57c260e9e2cda09be256605aa4e0e95ede7c7764951e1d575f6192c706 |
| SHA512 | 86192b5aa19d7b5c0902200f3b849d22749b07dc2ca174a5a5a4a37c0aeafd6088e51a0e7a8335dda498099e74345be08b8c7f63bd1e36c9e07d09867e907e48 |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b9970516.exe
| MD5 | 7e93bacbbc33e6652e147e7fe07572a0 |
| SHA1 | 421a7167da01c8da4dc4d5234ca3dd84e319e762 |
| SHA256 | 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38 |
| SHA512 | 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c0603818.exe
| MD5 | 5970af2c3b0603e1dd319e8842c90b23 |
| SHA1 | 61ec8e4179e9e6a897dca4f2000f59f164095a8a |
| SHA256 | 8bfdcc0c67963381921087eb22dda3b54c37eaf799fdc0dbfc25ea0fd6b987c5 |
| SHA512 | 20279989de39b520f929579aeebf9c2bc1ae90189922611b7fbfc7a682c0b788883350978ef8b616b6a7fac30196ffce35c6910318701e3edba20fb9b91190d7 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\System.dll.log
| MD5 | 916851e072fbabc4796d8916c5131092 |
| SHA1 | d48a602229a690c512d5fdaf4c8d77547a88e7a2 |
| SHA256 | 7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d |
| SHA512 | 07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521 |
Analysis: behavioral19
Detonation Overview
Submitted
2024-05-09 15:28
Reported
2024-05-09 15:31
Platform
win10v2004-20240426-en
Max time kernel
142s
Max time network
154s
Command Line
Signatures
Amadey
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k9086194.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k9086194.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k9086194.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k9086194.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k9086194.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k9086194.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l3221701.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4497750.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k9086194.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l3221701.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n3168008.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k9086194.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\a898d72b49cc00c36f48fd52d4f754e3c8b758780323239ea18208abf91a9b84.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4497750.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k9086194.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k9086194.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k9086194.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l3221701.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a898d72b49cc00c36f48fd52d4f754e3c8b758780323239ea18208abf91a9b84.exe
"C:\Users\Admin\AppData\Local\Temp\a898d72b49cc00c36f48fd52d4f754e3c8b758780323239ea18208abf91a9b84.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4497750.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4497750.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k9086194.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k9086194.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l3221701.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l3221701.exe
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
"C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n3168008.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n3168008.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN danke.exe /TR "C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "danke.exe" /P "Admin:N"&&CACLS "danke.exe" /P "Admin:R" /E&&echo Y|CACLS "..\3ec1f323b5" /P "Admin:N"&&CACLS "..\3ec1f323b5" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "danke.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "danke.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\3ec1f323b5" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\3ec1f323b5" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 144.211.222.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| BE | 2.17.196.131:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 131.196.17.2.in-addr.arpa | udp |
| BE | 2.17.196.131:443 | www.bing.com | tcp |
| FI | 77.91.68.3:80 | | tcp |
| FI | 77.91.68.68:19071 | | tcp |
| FI | 77.91.68.68:19071 | | tcp |
| FI | 77.91.68.3:80 | | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| FI | 77.91.68.68:19071 | | tcp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 52.111.227.11:443 | | tcp |
| FI | 77.91.68.3:80 | | tcp |
| FI | 77.91.68.68:19071 | | tcp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 58.99.105.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| FI | 77.91.68.3:80 | | tcp |
| FI | 77.91.68.68:19071 | | tcp |
| FI | 77.91.68.3:80 | | tcp |
| FI | 77.91.68.68:19071 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4497750.exe
| MD5 | 9a022d4014886e1f3340c275f308b337 |
| SHA1 | 28c9d5bceb642e7a841659ec9b9f9319596df57b |
| SHA256 | cf9d1ac3283355aa6446c0dc6b2dad8a96bc1ca7d14ba92f20965a3e24564976 |
| SHA512 | 000f7ef072b080677ccf78a9f860b8ac81eea05e056b49e8a17bc6b67bfbaf205022d7fb0831e7d5451e63cbc1154809b10e143345cfc62f11dd13fd1a35c484 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k9086194.exe
| MD5 | 7e93bacbbc33e6652e147e7fe07572a0 |
| SHA1 | 421a7167da01c8da4dc4d5234ca3dd84e319e762 |
| SHA256 | 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38 |
| SHA512 | 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l3221701.exe
| MD5 | 8c6b79ec436d7cf6950a804c1ec7d3e9 |
| SHA1 | 4a589d5605d8ef785fdc78b0bf64e769e3a21ad6 |
| SHA256 | 4e1377f9874f333dcb0b1b758e3131949e667fc39aadf3091e4e3b7cdbaeef1d |
| SHA512 | 06f2de433876963bb7bbddbe93cab0b7dd22164d1c10726294445944dcf5fa4a0fb450fc683c32565177a81a6103f6a5f11d291958bc7fcff7fdb9cf41a001ce |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n3168008.exe
| MD5 | d2c139b9404055c46938b2284a8d055c |
| SHA1 | 97e61929f30d479295f898b31da1d02c2061dbbd |
| SHA256 | 7c3b9277d763519314b0057e02e9eab74aa8dda72a97d6d85879ec34a71bdefe |
| SHA512 | 32bc5be53b4b149be240077c80d0386f8d4a2386dc8158717ce43fe0bfb30bff1ee2299d705f39337f8e3ec52d514153c961e610b9ddc5e329748c43e28df642 |