Analysis Overview
SHA256
e22a5cadeacc1a9d95354d85bdc17f6ab2dc5d23efe7df6d3d4683fb7b881a52
Threat Level: Known bad
The file red.zip was found to be: Known bad.
Malicious Activity Summary
Lumma Stealer
Detects Healer an antivirus disabler dropper
RedLine
Healer
SmokeLoader
Modifies Windows Defender Real-time Protection settings
Amadey
RedLine payload
Windows security modification
Executes dropped EXE
Checks computer location settings
Reads user/profile data of web browsers
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Checks installed software on the system
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of SetThreadContext
Unsigned PE
Program crash
Enumerates physical storage devices
Checks SCSI registry key(s)
Suspicious use of FindShellTrayWindow
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-09 18:26
Signatures
Unsigned PE
Analysis: behavioral3
Detonation Overview
Submitted
2024-05-09 18:26
Reported
2024-05-09 18:29
Platform
win10v2004-20240508-en
Max time kernel
141s
Max time network
152s
Command Line
Signatures
Detects Healer an antivirus disabler dropper
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p9600155.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p9600155.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p9600155.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p9600155.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p9600155.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p9600155.exe | N/A |
RedLine
RedLine payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1368932.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p9600155.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r7637580.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p9600155.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\16b83c892688e1869a75fcf88075e1a7a0983c284c41a7ff721e23cb6b9c9f86.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1368932.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p9600155.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p9600155.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p9600155.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p9600155.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\16b83c892688e1869a75fcf88075e1a7a0983c284c41a7ff721e23cb6b9c9f86.exe
"C:\Users\Admin\AppData\Local\Temp\16b83c892688e1869a75fcf88075e1a7a0983c284c41a7ff721e23cb6b9c9f86.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1368932.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1368932.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p9600155.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p9600155.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4208,i,11266875042087428226,16669718873272757238,262144 --variations-seed-version --mojo-platform-channel-handle=4120 /prefetch:8
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r7637580.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r7637580.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.58.20.217.in-addr.arpa | udp |
| BE | 88.221.83.192:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 192.83.221.88.in-addr.arpa | udp |
| FI | 77.91.68.56:19071 | | tcp |
| FI | 77.91.68.56:19071 | | tcp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| FI | 77.91.68.56:19071 | | tcp |
| FI | 77.91.68.56:19071 | | tcp |
| FI | 77.91.68.56:19071 | | tcp |
| FI | 77.91.68.56:19071 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1368932.exe
| MD5 | f389811e3e6c0afdba444f02db669093 |
| SHA1 | 2f67d8c13e1477415f6ef5408a2940c7739b21dc |
| SHA256 | 48da474cb540b3f33c0b78853f06ed9249618db3e5c4670d45b18a1a6180e0f2 |
| SHA512 | 49c9acb85f437e75a43cb215e96fe13dc56f05595b27c57ecdb73516a5e53cfb21cb6a0faf38e32af69f72d1a4a358f08ad4e819e8944bf77ae9f46050e7787a |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p9600155.exe
| MD5 | d3ed7b336677ab4edb046bcaadbf972f |
| SHA1 | d8a6e54a5a4431f985a3157b93aaae0e04bb1325 |
| SHA256 | 1109e4e67a017af633fad9733479bf067a924c950974c946c381958801a6d5bc |
| SHA512 | 6e2a47a5729043b9708f5a781159853b5b0f4c0a228309a7c427c5f4afcdff4f82f1f56e1f0a1defbcf15f5eb1ae4c8db22f84295c5ed3c8dbe3c82d8331cfc2 |
memory/4732-14-0x00007FFE9F703000-0x00007FFE9F705000-memory.dmp
memory/4732-15-0x0000000000150000-0x000000000015A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r7637580.exe
| MD5 | e4232b49c9b6f09e99407fd03ad1a93d |
| SHA1 | c6ed2f7d1587e1970b0f566ad5e5ade07404d9ae |
| SHA256 | 462107d8de1bad294f86e326dea00e9a1f04b9045f2370e57fe4948ed3688802 |
| SHA512 | ec8c6cfbe8d15468a5797eb15263d69cd129aae064b44350b0f641906dd745011df5f56831badaa725fc77f37882b5144452f9f811d1fa00594984bbff6f75f6 |
memory/3248-20-0x0000000000580000-0x00000000005B0000-memory.dmp
memory/3248-21-0x00000000027C0000-0x00000000027C6000-memory.dmp
memory/3248-22-0x000000000A9E0000-0x000000000AFF8000-memory.dmp
memory/3248-23-0x000000000A530000-0x000000000A63A000-memory.dmp
memory/3248-24-0x000000000A470000-0x000000000A482000-memory.dmp
memory/3248-25-0x000000000A4D0000-0x000000000A50C000-memory.dmp
memory/3248-26-0x0000000002720000-0x000000000276C000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2024-05-09 18:26
Reported
2024-05-09 18:29
Platform
win10v2004-20240426-en
Max time kernel
141s
Max time network
153s
Command Line
Signatures
Detects Healer an antivirus disabler dropper
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p6442050.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p6442050.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p6442050.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p6442050.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p6442050.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p6442050.exe | N/A |
RedLine
RedLine payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2173233.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p6442050.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r1441731.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p6442050.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\1e756c3dd2f7e40b65e81817bfdb8988cb9c718ec0f522915ca3dcd647e2f017.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2173233.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p6442050.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p6442050.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p6442050.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\1e756c3dd2f7e40b65e81817bfdb8988cb9c718ec0f522915ca3dcd647e2f017.exe
"C:\Users\Admin\AppData\Local\Temp\1e756c3dd2f7e40b65e81817bfdb8988cb9c718ec0f522915ca3dcd647e2f017.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2173233.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2173233.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p6442050.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p6442050.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r1441731.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r1441731.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| BE | 88.221.83.234:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 234.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| BE | 88.221.83.234:443 | www.bing.com | tcp |
| FI | 77.91.68.68:19071 | | tcp |
| FI | 77.91.68.68:19071 | | tcp |
| FI | 77.91.68.68:19071 | | tcp |
| FI | 77.91.68.68:19071 | | tcp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| FI | 77.91.68.68:19071 | | tcp |
| FI | 77.91.68.68:19071 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2173233.exe
| MD5 | 971ca87b8c12a44ec00f4f9dc151e7f3 |
| SHA1 | 2374e4d1043058bdbdcc4a9884af619db6cc5a66 |
| SHA256 | 4c36ae66f563d8c94fa7a743d5c04f35729fef202ce81ab3af108f8e3ded5935 |
| SHA512 | f17babcb2f1c906f8a0d30607a9ed299557f9c67ae71af3ae8d3342d14a3a1a2265b89cbc3940688d71a8e304c5d64e68e6286d232ec32c7ab0f92b4fea7da2c |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p6442050.exe
| MD5 | 50e8953fc1401eb7e323d9a61f2d0769 |
| SHA1 | ad41c2180fd1b3f153373fb0af4a27e4d66557bf |
| SHA256 | 3b69e4dc1b9148c473c943bb802bf945a04b049aae4b2d67b538e097b0529c58 |
| SHA512 | 8dafb1800659608272e026f9846e32e9dabc78334e77f2e531a0cc7c1475223752de138c4188f6e8ff65bd63c7e3a77c99958718e34e47219190ecc62d124e0f |
memory/4652-14-0x00007FF91AFE3000-0x00007FF91AFE5000-memory.dmp
memory/4652-15-0x00000000009B0000-0x00000000009BA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r1441731.exe
| MD5 | bc6ec2bf638faa5d5ceedc2e21cf5dec |
| SHA1 | b89bcf06374aedc314457fa402b6543c1596b805 |
| SHA256 | de4e60553c2e37ac6ffa79f9e97a40865df6c4aa0844d10f6a3cea740ce406d8 |
| SHA512 | 0b47116d7524248b91e30799620ad2626248acbfded08d89697e13ef04d195ae09e16baac49ff5171ccb62d9d55fad6e268a533078426ce8760d82cd024d68ae |
memory/2336-20-0x0000000000FA0000-0x0000000000FD0000-memory.dmp
memory/2336-21-0x00000000058C0000-0x00000000058C6000-memory.dmp
memory/2336-22-0x000000000B2F0000-0x000000000B908000-memory.dmp
memory/2336-23-0x000000000AE10000-0x000000000AF1A000-memory.dmp
memory/2336-24-0x000000000AD50000-0x000000000AD62000-memory.dmp
memory/2336-25-0x000000000ADB0000-0x000000000ADEC000-memory.dmp
memory/2336-26-0x0000000005280000-0x00000000052CC000-memory.dmp
Analysis: behavioral10
Detonation Overview
Submitted
2024-05-09 18:26
Reported
2024-05-09 18:29
Platform
win10v2004-20240508-en
Max time kernel
146s
Max time network
155s
Command Line
Signatures
Amadey
Detects Healer an antivirus disabler dropper
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a8697821.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a8697821.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a8697821.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a8697821.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a8697821.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a8697821.exe | N/A |
RedLine
RedLine payload
SmokeLoader
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b7297296.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2156243.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4542108.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a8697821.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b7297296.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c6702400.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d4301600.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a8697821.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\678b5c88fa07f2f823b7edf52683e4214bda0273e380b7a5d2d8c4b6bac35f33.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2156243.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4542108.exe | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c6702400.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c6702400.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c6702400.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a8697821.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a8697821.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a8697821.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\678b5c88fa07f2f823b7edf52683e4214bda0273e380b7a5d2d8c4b6bac35f33.exe
"C:\Users\Admin\AppData\Local\Temp\678b5c88fa07f2f823b7edf52683e4214bda0273e380b7a5d2d8c4b6bac35f33.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2156243.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2156243.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4542108.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4542108.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a8697821.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a8697821.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b7297296.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b7297296.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
"C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe"
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c6702400.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c6702400.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4212,i,6576818814118437872,11004518367271063231,262144 --variations-seed-version --mojo-platform-channel-handle=1428 /prefetch:8
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN pdates.exe /TR "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "pdates.exe" /P "Admin:N"&&CACLS "pdates.exe" /P "Admin:R" /E&&echo Y|CACLS "..\925e7e99c5" /P "Admin:N"&&CACLS "..\925e7e99c5" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "pdates.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "pdates.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\925e7e99c5" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\925e7e99c5" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d4301600.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d4301600.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
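The registry writes, the one-minute scheduled task and the cacls self-lockdown recorded in the behavioral3, behavioral4, behavioral10 and behavioral16 runs are the behaviours a detection engineer would turn into rules. The Python below is an added example, not part of this report or of the sandbox's own signature logic: it runs three rules over constructed Sysmon-style events (EventID 1 = process create, EventID 13 = registry value set) modelled on the behavioral10 entries above. The simplified event shape, the allow-listed registry writers and the rule names are assumptions.

```python
"""Detection rules for three behaviours in this report: Healer disabling
Defender through policy values and TamperProtection, the Amadey loader
(pdates.exe) registering a /SC MINUTE /MO 1 task, and the cacls lockdown
that follows. Events are constructed Sysmon-style records, not real XML."""
import re
from dataclasses import dataclass

DEFENDER_POLICY = r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
DEFENDER_TAMPER = r"HKLM\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection"
# Writers allowed to touch those keys (assumption: Group Policy via svchost, Defender itself).
ALLOWED_WRITERS = {r"c:\windows\system32\svchost.exe",
                   r"c:\program files\windows defender\msmpeng.exe"}
USER_WRITABLE = re.compile(r"\\AppData\\(Local|Roaming)\\Temp\\", re.I)
SCHTASKS_TR = re.compile(r'/TR\s+(?:"([^"]+)"|(\S+))', re.I)
CACLS_DENY = re.compile(r'cacls\s+"([^"]+)"\s+/P\s+"([^":]+):N"', re.I)


@dataclass
class Event:
    event_id: int
    image: str
    command_line: str = ""
    target_object: str = ""
    details: str = ""
    current_directory: str = ""


def _dword(details):
    """Sysmon renders DWORD values as 'DWORD (0x00000001)'."""
    m = re.search(r"DWORD \(0x([0-9a-f]{8})\)", details, re.I)
    return int(m.group(1), 16) if m else None


def rule_defender_tamper(ev):
    """Non-allow-listed process setting a Disable* policy to 1 or TamperProtection to 0."""
    if ev.event_id != 13 or ev.image.lower() in ALLOWED_WRITERS:
        return None
    key, _, name = ev.target_object.rpartition("\\")
    if key.lower() == DEFENDER_POLICY.lower() and name.lower().startswith("disable") \
            and _dword(ev.details) == 1:
        return "defender_realtime_disabled", name
    if ev.target_object.lower() == DEFENDER_TAMPER.lower() and _dword(ev.details) == 0:
        return "defender_tamper_protection_off", name
    return None


def rule_minute_task(ev):
    """schtasks /Create with a MINUTE schedule whose action lives in a Temp directory."""
    if ev.event_id != 1 or not ev.image.lower().endswith("\\schtasks.exe"):
        return None
    cl = ev.command_line
    if not (re.search(r"/create\b", cl, re.I) and re.search(r"/sc\s+minute\b", cl, re.I)):
        return None
    m = SCHTASKS_TR.search(cl)
    action = (m.group(1) or m.group(2)) if m else ""
    if USER_WRITABLE.search(action):
        return "minute_task_from_temp", action
    return None


def rule_acl_lockdown(ev):
    """cacls denying (:N) the current user on a file or folder under Temp."""
    if ev.event_id != 1 or not ev.image.lower().endswith("\\cacls.exe"):
        return None
    m = CACLS_DENY.search(ev.command_line)
    if not m:
        return None
    target, account = m.group(1), m.group(2)
    if not re.match(r"[a-z]:\\", target, re.I):      # relative path: resolve against the cwd
        target = ev.current_directory.rstrip("\\") + "\\" + target
    if USER_WRITABLE.search(target):
        return "self_acl_lockdown", f"{account}:N on {target}"
    return None


RULES = (rule_defender_tamper, rule_minute_task, rule_acl_lockdown)


def detect(events):
    """Return (rule, image, detail) for every event that trips a rule."""
    hits = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                hits.append((hit[0], ev.image, hit[1]))
    return hits


# Constructed events mirroring the behavioral10 run, plus two benign look-alikes.
TMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE_EVENTS = [
    Event(13, TMP + r"\IXP002.TMP\a8697821.exe",
          target_object=DEFENDER_POLICY + r"\DisableRealtimeMonitoring",
          details="DWORD (0x00000001)"),
    Event(13, TMP + r"\IXP002.TMP\a8697821.exe",
          target_object=DEFENDER_TAMPER, details="DWORD (0x00000000)"),
    Event(13, r"C:\Windows\System32\svchost.exe",                      # benign: Group Policy
          target_object=DEFENDER_POLICY + r"\DisableRealtimeMonitoring",
          details="DWORD (0x00000000)"),
    Event(1, r"C:\Windows\SysWOW64\schtasks.exe",
          command_line=r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN pdates.exe /TR "'
                       + TMP + r'\925e7e99c5\pdates.exe" /F'),
    Event(1, r"C:\Windows\System32\schtasks.exe",                       # benign: daily task
          command_line=r'schtasks /Create /SC DAILY /TN Backup /TR "C:\Program Files\Backup\run.exe"'),
    Event(1, r"C:\Windows\SysWOW64\cacls.exe", command_line=r'CACLS "pdates.exe" /P "Admin:N"',
          current_directory=TMP + r"\925e7e99c5"),
    Event(1, r"C:\Windows\SysWOW64\cacls.exe", command_line=r'CACLS "pdates.exe" /P "Admin:R" /E',
          current_directory=TMP + r"\925e7e99c5"),
]

if __name__ == "__main__":
    for rule, image, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:32} {image}  ->  {detail}")
```

The two benign events are there on purpose: a policy value written back to 0 by the Group Policy service and a daily task under Program Files trip nothing, while the `/MO 1` interval combined with an action path under `%TEMP%` is what separates Amadey's persistence from routine tasks.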
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.58.20.217.in-addr.arpa | udp |
| BE | 2.17.107.123:443 | www.bing.com | tcp |
| FI | 77.91.68.61:80 | | tcp |
| US | 8.8.8.8:53 | 123.107.17.2.in-addr.arpa | udp |
| FI | 77.91.68.68:19071 | | tcp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| FI | 77.91.68.61:80 | | tcp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| FI | 77.91.68.68:19071 | | tcp |
| FI | 77.91.68.61:80 | | tcp |
| FI | 77.91.68.68:19071 | | tcp |
| FI | 77.91.68.68:19071 | | tcp |
| FI | 77.91.68.68:19071 | | tcp |
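Most rows in the Network tables above are the sandbox image talking to itself: resolver queries, reverse (PTR) lookups for every peer, and Edge reaching bing.com. The connections the sample made are the bare-IP TCP sessions with no domain. The Python below is an added triage example, not part of this report: it filters the rows copied from the behavioral3 and behavioral10 tables, counts the surviving endpoints and computes the smallest prefix covering them. The noise allow-list is an assumption about this sandbox image.

```python
"""Separate sandbox background traffic from the sample's own connections in
a sandbox Network table, then summarise the C2 endpoints. Rows below are
copied from the behavioral3 and behavioral10 tables of this report."""
import ipaddress

SANDBOX_RESOLVER = "8.8.8.8:53"
SANDBOX_NOISE = ("bing.com", "bing.net")   # assumption: Edge/Windows background traffic

# (country, destination, domain, proto); an empty domain is a bare-IP connection
SAMPLE_ROWS = [
    ("US", "8.8.8.8:53", "g.bing.com", "udp"),
    ("US", "204.79.197.237:443", "g.bing.com", "tcp"),
    ("FI", "77.91.68.56:19071", "", "tcp"),
    ("FI", "77.91.68.56:19071", "", "tcp"),
    ("US", "8.8.8.8:53", "8.8.8.8.in-addr.arpa", "udp"),
    ("BE", "2.17.107.123:443", "www.bing.com", "tcp"),
    ("FI", "77.91.68.61:80", "", "tcp"),
    ("US", "8.8.8.8:53", "123.107.17.2.in-addr.arpa", "udp"),
    ("FI", "77.91.68.68:19071", "", "tcp"),
    ("US", "8.8.8.8:53", "22.236.111.52.in-addr.arpa", "udp"),
    ("FI", "77.91.68.61:80", "", "tcp"),
    ("FI", "77.91.68.68:19071", "", "tcp"),
    ("FI", "77.91.68.61:80", "", "tcp"),
    ("FI", "77.91.68.68:19071", "", "tcp"),
    ("FI", "77.91.68.68:19071", "", "tcp"),
    ("FI", "77.91.68.68:19071", "", "tcp"),
]


def is_sandbox_noise(dest, domain, proto):
    if dest == SANDBOX_RESOLVER and proto == "udp":
        return True                                  # DNS to the sandbox resolver
    if domain.endswith(".in-addr.arpa"):
        return True                                  # PTR lookups the OS does for each peer
    return any(domain == d or domain.endswith("." + d) for d in SANDBOX_NOISE)


def c2_candidates(rows):
    """Connections left after noise filtering, most frequent first."""
    counts = {}
    for country, dest, domain, proto in rows:
        if is_sandbox_noise(dest, domain, proto):
            continue
        key = (dest, domain, proto, country)
        counts[key] = counts.get(key, 0) + 1
    return [{"endpoint": d, "domain": dom, "proto": p, "country": c, "connections": n}
            for (d, dom, p, c), n in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))]


def common_network(endpoints):
    """Smallest CIDR block containing every endpoint's IP, for a first-cut block rule."""
    nets = [ipaddress.ip_network(e.rsplit(":", 1)[0]) for e in endpoints]
    net = nets[0]
    while not all(n.subnet_of(net) for n in nets):
        net = net.supernet()
    return str(net)


if __name__ == "__main__":
    found = c2_candidates(SAMPLE_ROWS)
    for row in found:
        print(f"{row['endpoint']:22} {row['proto']}  {row['country']}  x{row['connections']}")
    print("covering prefix:", common_network([r["endpoint"] for r in found]))
```

The computed prefix is only as wide as the observed addresses require; for the three hosts here it lands inside the same /24, which is the granularity an analyst would normally block or hunt on rather than the tighter mathematical minimum.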
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2156243.exe
| MD5 | f8b39bfd052a81ec0d573ebcaac1c566 |
| SHA1 | 93d9f8e6c5dcc5b8b95f039298a5fb58f1d1e968 |
| SHA256 | e9cb245bfea68f9bf09c96927a2039e0179748356419234cf5d7074ec2dc3fcf |
| SHA512 | 64326fb13e0cf0ba39aa31fbc7d51e2552b7effec63bf1532a64503497e740238b41f74bfa77d12fce480d59e193735be5c330c2b47225ee9b25102bf4f1a49b |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4542108.exe
| MD5 | 14fe65ca4c39b12df68426389b633aed |
| SHA1 | 0536ff02c6028e3c48420555be37554fc6201c00 |
| SHA256 | b17e58f21b1a6a41ad1128690f0d562a055d70d0426ba4c394c57c792473e90f |
| SHA512 | 0b17c1d010132aaae35d58cfc7fe33df11f308d4589b2d48c737c444e77073d3e22f26050b647dbb520728d049cbd2b2eaf3477f893c84ae54dfd22816ceca9d |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a8697821.exe
| MD5 | 1767dda783c36bda069190df01c7467d |
| SHA1 | 4abc5215b48c67b2737aa8b103624cdc11c606c4 |
| SHA256 | 00935df1dc707bc0a575565e8a67f077182679d20e76142d949f1131ada74dca |
| SHA512 | a85598f6320fcccae160e7b37b44c572d66e52bc5b8efdcbe581fa3f51fbc4da9995d09415ad2ed4fc1d92dc8008925152a56f0b9703d9add5403dc20fe73208 |
memory/1200-22-0x00007FFE9B9C3000-0x00007FFE9B9C5000-memory.dmp
memory/1200-21-0x0000000000760000-0x000000000076A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b7297296.exe
| MD5 | 3251e050d74c269024a1f95e7c8bb02a |
| SHA1 | 97fea2859babf20a7284918694c62acb9c44ef43 |
| SHA256 | bd784f2a39cba15491697a55fc222dd825a52729e77fe151621f1d296bab8cb3 |
| SHA512 | b091edb615306fbb905d90cbb4ffdd5e0b324cba8a2521070997eb733f971bb6b34c65da61b47e752b29f3bbc9a27fd3ed7ab5da385c0a340e556c59e635996a |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c6702400.exe
| MD5 | 022c289b67255f1cae9a045e1ac11c7e |
| SHA1 | 63df7122392ecf04adee9d7b50146871eb860724 |
| SHA256 | 82e2550165ef2417b2b73e68d53b4b2044edff94d615c3cc2e221cb878ffcfd6 |
| SHA512 | 4f26f34a95ad5490ed491079ac38f645b48487cb0e0b7b5abffbb51d49e5294fb498d8c73ed7cd4cecc874dc259ec9d529d8eb4f542d3416ef07a5d7986b2148 |
memory/940-39-0x0000000000400000-0x0000000000409000-memory.dmp
memory/940-41-0x0000000000400000-0x0000000000409000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d4301600.exe
| MD5 | 09ff9e8194b9ad0696f1a83a1e45a8bd |
| SHA1 | bc6cc14f54612d4fb9a8c8cfd911b4c6c465622b |
| SHA256 | a4c56e11f4141a85fc9f59202fdca3d1efedc3df744d5ae2cf6f513cbb2a598d |
| SHA512 | 93724ca75fc0d74f1e02155dbea45d6340f89914a7c22f4ce96518f3aa1214d506b2ceb6771a1501b74ac59e32a0a11bb070d09d17b91ed434f8a58ea5326125 |
memory/4796-45-0x0000000000D40000-0x0000000000D70000-memory.dmp
memory/4796-46-0x0000000005660000-0x0000000005666000-memory.dmp
memory/4796-47-0x000000000B170000-0x000000000B788000-memory.dmp
memory/4796-48-0x000000000ACF0000-0x000000000ADFA000-memory.dmp
memory/4796-49-0x000000000AC30000-0x000000000AC42000-memory.dmp
memory/4796-50-0x000000000AC90000-0x000000000ACCC000-memory.dmp
memory/4796-51-0x0000000002FD0000-0x000000000301C000-memory.dmp
Analysis: behavioral16
Detonation Overview
Submitted
2024-05-09 18:26
Reported
2024-05-09 18:29
Platform
win10v2004-20240508-en
Max time kernel
148s
Max time network
157s
Command Line
Signatures
Amadey
Detects Healer an antivirus disabler dropper
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a3542491.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a3542491.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a3542491.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a3542491.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a3542491.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a3542491.exe | N/A |
RedLine
RedLine payload
SmokeLoader
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b0053232.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0812977.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7797511.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a3542491.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b0053232.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c9427367.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d2875192.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a3542491.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\853890cb435781965f3dc9618397058d03c8d3e59706ede7d308b4afe12cbe68.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0812977.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7797511.exe | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c9427367.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c9427367.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c9427367.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a3542491.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a3542491.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a3542491.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\853890cb435781965f3dc9618397058d03c8d3e59706ede7d308b4afe12cbe68.exe
"C:\Users\Admin\AppData\Local\Temp\853890cb435781965f3dc9618397058d03c8d3e59706ede7d308b4afe12cbe68.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0812977.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0812977.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7797511.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7797511.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a3542491.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a3542491.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b0053232.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b0053232.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
"C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe"
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c9427367.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c9427367.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d2875192.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d2875192.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN pdates.exe /TR "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "pdates.exe" /P "Admin:N"&&CACLS "pdates.exe" /P "Admin:R" /E&&echo Y|CACLS "..\925e7e99c5" /P "Admin:N"&&CACLS "..\925e7e99c5" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "pdates.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "pdates.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\925e7e99c5" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\925e7e99c5" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| BE | 88.221.83.192:443 | www.bing.com | tcp |
| BE | 88.221.83.192:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 192.83.221.88.in-addr.arpa | udp |
| FI | 77.91.68.61:80 | | tcp |
| FI | 77.91.68.68:19071 | | tcp |
| FI | 77.91.68.68:19071 | | tcp |
| FI | 77.91.68.61:80 | | tcp |
| FI | 77.91.68.68:19071 | | tcp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| FI | 77.91.68.61:80 | | tcp |
| FI | 77.91.68.68:19071 | | tcp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| FI | 77.91.68.68:19071 | | tcp |
| FI | 77.91.68.68:19071 | | tcp |
| US | 8.8.8.8:53 | 211.143.182.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0812977.exe
| MD5 | 4b48efe54f18bd0d702132b9dd87d5a4 |
| SHA1 | 1c73fce06bc3992ad6891ffce68ac110259ac338 |
| SHA256 | 6353e20081b17fcb87b6e48091215d3ced15b545c58252541e6ad469f86ee28d |
| SHA512 | 9f33a26d9ed8a374ab6ff484af4d474a8f3cc737a62520e7dfb49ef11c7104b23be1ba1dfc8f57fbcbf202f29a93eb8fc5a4e7489e0651079f2c13f02192a0ba |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7797511.exe
| MD5 | 72ab08d944fa19aca3d2fae7ae0c7ee2 |
| SHA1 | e31da6072297dcdd757c91e8b4b30ebd42b4fd68 |
| SHA256 | c4dcbfff5e865bc9a6fbf9962b21102a73e74636fca25c63ad35ab1077fd71f3 |
| SHA512 | fdf4e47df1e09df6cb39493165576affab59f855b6d41659fb3ec6c5c077a425782ff3e21250c52d34874b9a3dee6d6fd46beeb89a3803d5f7afdb065756a36a |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a3542491.exe
| MD5 | 63ad89a9a8af000b4e51d0f893aad085 |
| SHA1 | 21f1e059d707e49f48331b13ab8332395d2821a5 |
| SHA256 | b00ec97cdf7d31f31c4b35bd2ef8cf500373d642e7e3d13a326f26443e0c4808 |
| SHA512 | 0794e9fdc53c0f56af4e2fb4597facf387d302b25fd04d5b11aa687846327cb723007c020bb744102f7211142e8d9a3bd2fe28604d248bd7d15eeb93cde9418c |
memory/4932-22-0x0000000000E30000-0x0000000000E3A000-memory.dmp
memory/4932-21-0x00007FFF8CE03000-0x00007FFF8CE05000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b0053232.exe
| MD5 | 3c62041559af1b19996dbf854519eec8 |
| SHA1 | 86ebe337544b33294f14cfcf5d9d993055823333 |
| SHA256 | b280fa99dc4be9d943bdbae696626b5c39d3f15810eb91cda6b53e6075c7fd0f |
| SHA512 | ef3112655756a7ae16acb10b4a97461e37e6c8795e435599a57303f015460c89187e75b6fa7e6ed82687c758e6e67d45fede7599b1e50590d3d78f08dafad624 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c9427367.exe
| MD5 | e04982564d83c1da9dc6811abdaf672c |
| SHA1 | 39e45bf02a3da1a70bdf65b78ad76bc84b1974be |
| SHA256 | 8490f14e10df94782494e03066e7d37b24bbfe263ff115d4c0af74d4d7639469 |
| SHA512 | a9725f8a15eb5062aad342555e5e5b2762d4cc13c95f6e20272c51d28586e5f720a19ce4bd3900941ae933f4455c6926aff2d96218cb6a30cee4f060aeb21a32 |
memory/1692-40-0x0000000000400000-0x0000000000409000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d2875192.exe
| MD5 | 38a04acb886db0132375ad04c9a2bb08 |
| SHA1 | 55ec8886c54c6b02e1b4c1e7d3852251e9d09e2b |
| SHA256 | e06c224f38d4a32ebd14834b31f6aa0fde1aaade7c0fda95e00ea77335ea07dc |
| SHA512 | 44c44ff8633f4b248a9f1dd3bb5e7d50eab8aff1f5d6258964092b784f3a1268d3300056099f6dbd4300b9560f5e6b84da176d6ff80c004f7d02855912ff8263 |
memory/2528-44-0x0000000000D50000-0x0000000000D80000-memory.dmp
memory/2528-45-0x0000000002FE0000-0x0000000002FE6000-memory.dmp
memory/2528-46-0x0000000005D60000-0x0000000006378000-memory.dmp
memory/2528-47-0x0000000005850000-0x000000000595A000-memory.dmp
memory/2528-48-0x00000000055D0000-0x00000000055E2000-memory.dmp
memory/2528-49-0x0000000005740000-0x000000000577C000-memory.dmp
memory/2528-50-0x0000000005780000-0x00000000057CC000-memory.dmp
Analysis: behavioral21
Detonation Overview
Submitted
2024-05-09 18:26
Reported
2024-05-09 18:29
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
157s
Command Line
Signatures
Amadey
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h4212935.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h4212935.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h4212935.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h4212935.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h4212935.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h4212935.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g1328189.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9303012.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g1328189.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h4212935.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j7855798.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h4212935.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\b22005984d343fd352d0b9067646db68950aebfa2c1e0d33b05276c602f98e40.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9303012.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h4212935.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h4212935.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h4212935.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\b22005984d343fd352d0b9067646db68950aebfa2c1e0d33b05276c602f98e40.exe
"C:\Users\Admin\AppData\Local\Temp\b22005984d343fd352d0b9067646db68950aebfa2c1e0d33b05276c602f98e40.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9303012.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9303012.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g1328189.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g1328189.exe
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
"C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe"
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h4212935.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h4212935.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN danke.exe /TR "C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "danke.exe" /P "Admin:N"&&CACLS "danke.exe" /P "Admin:R" /E&&echo Y|CACLS "..\3ec1f323b5" /P "Admin:N"&&CACLS "..\3ec1f323b5" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "danke.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "danke.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\3ec1f323b5" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\3ec1f323b5" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j7855798.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j7855798.exe
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
Network
| Country | Destination | Domain | Proto |
| FI | 77.91.68.3:80 | | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| FI | 77.91.68.68:19071 | | tcp |
| FI | 77.91.68.68:19071 | | tcp |
| FI | 77.91.68.3:80 | | tcp |
| FI | 77.91.68.68:19071 | | tcp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| FI | 77.91.68.3:80 | | tcp |
| FI | 77.91.68.68:19071 | | tcp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| FI | 77.91.68.3:80 | | tcp |
| FI | 77.91.68.68:19071 | | tcp |
| FI | 77.91.68.3:80 | | tcp |
| FI | 77.91.68.68:19071 | | tcp |
| US | 8.8.8.8:53 | 211.143.182.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9303012.exe
| MD5 | 1ce22bb3c265a200d6834e5c95d71b49 |
| SHA1 | 06b53508d88f1cc81e4b9afa0400267615052c68 |
| SHA256 | c76d532334acce2e54c8fe71250af0b1f245cdab0b5546ba4d583f6e2cdb9bfc |
| SHA512 | 26cccf4b45f4893bcf06bf95a72fdf30fd4aefa050943c4dffee29b1089ae6ce841fcb6f1bd1fa2bfb704df13222ee7395905ec5d031c8cbc5ba773acfc5c18c |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g1328189.exe
| MD5 | 8c6b79ec436d7cf6950a804c1ec7d3e9 |
| SHA1 | 4a589d5605d8ef785fdc78b0bf64e769e3a21ad6 |
| SHA256 | 4e1377f9874f333dcb0b1b758e3131949e667fc39aadf3091e4e3b7cdbaeef1d |
| SHA512 | 06f2de433876963bb7bbddbe93cab0b7dd22164d1c10726294445944dcf5fa4a0fb450fc683c32565177a81a6103f6a5f11d291958bc7fcff7fdb9cf41a001ce |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h4212935.exe
| MD5 | 7e93bacbbc33e6652e147e7fe07572a0 |
| SHA1 | 421a7167da01c8da4dc4d5234ca3dd84e319e762 |
| SHA256 | 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38 |
| SHA512 | 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91 |
memory/3192-27-0x0000000000260000-0x000000000026A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j7855798.exe
| MD5 | 39cb6be4c95cea473d92c895249af6f6 |
| SHA1 | 9b580fa3e27519e084e925adfbbca817a49cb066 |
| SHA256 | 68d6dc71b3eedb859a1b5067c3c2c0a1c4f6f2dd785e8326ef58d6e8ec9f2780 |
| SHA512 | e585197a204bb952ca07ab42c47286f53018ab085fc70481aa43eccb2b4dbbf3965691359524250727dae2a34fa37a8598c11c421174679bbdc8bea9c852879c |
memory/4564-32-0x00000000000B0000-0x00000000000E0000-memory.dmp
memory/4564-33-0x00000000009F0000-0x00000000009F6000-memory.dmp
memory/4564-34-0x000000000A510000-0x000000000AB28000-memory.dmp
memory/4564-35-0x000000000A060000-0x000000000A16A000-memory.dmp
memory/4564-36-0x0000000009FA0000-0x0000000009FB2000-memory.dmp
memory/4564-37-0x000000000A000000-0x000000000A03C000-memory.dmp
memory/4564-38-0x0000000002350000-0x000000000239C000-memory.dmp
Analysis: behavioral5
Detonation Overview
Submitted
2024-05-09 18:26
Reported
2024-05-09 18:29
Platform
win10v2004-20240426-en
Max time kernel
150s
Max time network
154s
Command Line
Signatures
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k1592910.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k1592910.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k1592910.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k1592910.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k1592910.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k1592910.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8025108.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4383833.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k1592910.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l4499084.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k1592910.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k1592910.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\2d35abe32aaee5617d43bf1fd2ace13b082a8d22878b2f5ae8136ab65d54742d.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8025108.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4383833.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k1592910.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k1592910.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k1592910.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2d35abe32aaee5617d43bf1fd2ace13b082a8d22878b2f5ae8136ab65d54742d.exe
"C:\Users\Admin\AppData\Local\Temp\2d35abe32aaee5617d43bf1fd2ace13b082a8d22878b2f5ae8136ab65d54742d.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8025108.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8025108.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4383833.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4383833.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k1592910.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k1592910.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l4499084.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l4499084.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| BE | 88.221.83.192:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| BE | 88.221.83.193:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 193.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| BE | 88.221.83.192:443 | www.bing.com | tcp |
| FI | 77.91.68.56:19071 | | tcp |
| US | 8.8.8.8:53 | 192.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| FI | 77.91.68.56:19071 | | tcp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.121.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| FI | 77.91.68.56:19071 | | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 52.111.227.11:443 | | tcp |
| FI | 77.91.68.56:19071 | | tcp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| FI | 77.91.68.56:19071 | | tcp |
| FI | 77.91.68.56:19071 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8025108.exe
| MD5 | 3c6b20838878d1ba0dc85f9e25560d6a |
| SHA1 | 7cc48ef04088c784933916840f1a7ffdbbc05557 |
| SHA256 | 44d9c3ced5756e5568d8a6f88ffe600745a11e96142c8fe1c8fb737587c34165 |
| SHA512 | 694a25eeef0b59a8b0cfb7cab5edf11804f75b0878d0087a73cf63e3ce51c499cc3af5ece50567b0b11f9c8af873e74fb5ed39b9fc26662ffa4339ed181ad78e |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4383833.exe
| MD5 | d051a72f73b7344a0f16d9be0f575638 |
| SHA1 | bc621c580d6a273ea4a3a54f6a87baa4c33c5a77 |
| SHA256 | 1cbe63d47c16a2a7a20ebac006b978d9eeb00a24cf0b71644642e85d70a5a714 |
| SHA512 | 2c2e8e7b0a4ee2fc00ea5c598922ca5ff202d11b0127cec909a0003d0748fbac09a5bd081b63a226d97520d9877c583b003962bc94d2cd2549f7421c2a76ec18 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k1592910.exe
| MD5 | 3bd04dbf31955a13a1b2c7610dd7fedc |
| SHA1 | ec1431cad05a34166412e31a7c7d3d25788a9691 |
| SHA256 | 88e9656c88418f0692a5a41a2b7712bba3d19b68eefaf9d5ae79642b336a9a59 |
| SHA512 | eeb9c1c43c598205a61b2fecf8f49074957845dd07a1970ea14c1caf8566eb3ffb2f25b955422fb2d35bfddedfca8fba1438ac4e7486a28008bb5465125c7f6d |
memory/2880-21-0x0000000000580000-0x00000000005BE000-memory.dmp
memory/2880-27-0x0000000000401000-0x0000000000404000-memory.dmp
memory/2880-28-0x0000000000580000-0x00000000005BE000-memory.dmp
memory/2880-29-0x0000000006A90000-0x0000000006A91000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l4499084.exe
| MD5 | 5b977ea52ce08c78ce679e37b6875d06 |
| SHA1 | 9fd79e29d065e0c79b66a9299333fd2abc829b00 |
| SHA256 | ff022c1a13884cd3bc78a4ed293ffc931e36b91880d996793039c035e87d347f |
| SHA512 | d929c25adf73a2648a3b1de69cf51436a8ffccf878f1f9bde020027b17076f0f036536a3fd63d7f5468fd5272573d109d3ceaccba9a285216487b021edc394ac |
memory/5088-36-0x0000000000590000-0x000000000061C000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\System.dll.log
| MD5 | 916851e072fbabc4796d8916c5131092 |
| SHA1 | d48a602229a690c512d5fdaf4c8d77547a88e7a2 |
| SHA256 | 7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d |
| SHA512 | 07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521 |
memory/5088-42-0x0000000000590000-0x000000000061C000-memory.dmp
memory/5088-44-0x0000000002260000-0x0000000002266000-memory.dmp
memory/5088-45-0x0000000004AA0000-0x00000000050B8000-memory.dmp
memory/5088-46-0x00000000050C0000-0x00000000051CA000-memory.dmp
memory/5088-47-0x00000000051F0000-0x0000000005202000-memory.dmp
memory/5088-48-0x0000000005210000-0x000000000524C000-memory.dmp
memory/5088-49-0x0000000005280000-0x00000000052CC000-memory.dmp
Analysis: behavioral17
Detonation Overview
Submitted
2024-05-09 18:26
Reported
2024-05-09 18:29
Platform
win10v2004-20240426-en
Max time kernel
149s
Max time network
156s
Command Line
Signatures
Amadey
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h9778228.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h9778228.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h9778228.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h9778228.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h9778228.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h9778228.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g7514062.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3989871.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g7514062.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h9778228.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j5730664.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h9778228.exe | N/A |
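The Defender changes the report attributes to the Healer component are the most reusable detection on this page: the five values under Policies\Microsoft\Windows Defender\Real-Time Protection set to 1 and Features\TamperProtection set to 0, written here by h9778228.exe, in behavioral21 by h4212935.exe (the Files sections give both files identical hashes), in behavioral5 by k1592910.exe under WOW6432Node and in behavioral3 by a3542491.exe. The Python below is an added example, not part of the sandbox report or of any vendor tooling. It normalises the hive prefix and the WOW6432Node redirection so all four variants hit one rule, and runs over a constructed, simplified event format ("process | key\value = data"); the parser, not the rule, is what you would swap for your Sysmon or EDR schema. One caveat a responder should keep in mind: with Tamper Protection enabled, Defender ignores these policy values and protects the Features key, so the write is a high-fidelity indicator of intent, not proof that real-time protection was actually turned off.

```python
"""Flag Windows Defender tampering in registry set-value events.

Added example; not part of the sandbox report. The key and value names are
the ones the report attributes to the Healer component. The input format
'<process> | <key>\\<value> = "<data>"' is a constructed, simplified record,
not a real Sysmon or EDR schema; adapt the parser to your telemetry.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Values under ...\Policies\Microsoft\Windows Defender\Real-Time Protection
# that the report shows being set to 1.
RTP_DISABLE_VALUES = {
    "DisableBehaviorMonitoring",
    "DisableIOAVProtection",
    "DisableOnAccessProtection",
    "DisableRealtimeMonitoring",
    "DisableScanOnRealtimeEnable",
}
RTP_KEY = r"hklm\software\policies\microsoft\windows defender\real-time protection"
FEATURES_KEY = r"hklm\software\microsoft\windows defender\features"

_HIVE = re.compile(r"^\\REGISTRY\\MACHINE\\", re.IGNORECASE)
_WOW = re.compile(r"\\WOW6432Node", re.IGNORECASE)
_LINE = re.compile(r'^(?P<proc>[^|]+)\|(?P<keyval>[^=]+)=\s*"?(?P<data>[^"]*)"?\s*$')


def normalize_key(path: str) -> str:
    """Map \\REGISTRY\\MACHINE\\... to HKLM\\... and drop the WOW6432Node
    redirection, so the 32-bit writes (behavioral5) and the 64-bit writes
    (behavioral21/17) match the same rule."""
    path = _HIVE.sub(lambda _: "HKLM\\", path)
    return _WOW.sub("", path)


@dataclass(frozen=True)
class Finding:
    process: str
    rule: str
    key: str
    value: str
    data: str


def classify(key: str, value: str, data: str) -> Optional[str]:
    k = normalize_key(key).lower()
    if k == RTP_KEY and value in RTP_DISABLE_VALUES and data == "1":
        return "defender_realtime_protection_disabled"
    if k == FEATURES_KEY and value == "TamperProtection" and data == "0":
        return "defender_tamper_protection_off"
    return None


def scan(lines: List[str]) -> List[Finding]:
    findings = []
    for line in lines:
        m = _LINE.match(line.strip())
        if not m:
            continue
        key, _, value = m.group("keyval").strip().rpartition("\\")
        data = m.group("data").strip()
        rule = classify(key, value, data)
        if rule:
            findings.append(Finding(m.group("proc").strip(), rule, normalize_key(key), value, data))
    return findings


# Constructed sample events: the first three reproduce indicator strings from
# the report's tables; the last two are benign lines added to show the rule
# does not fire on a value being set back to 0 or on an unrelated key.
SAMPLE_EVENTS = [
    r'C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h4212935.exe | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"',
    r'C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k1592910.exe | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"',
    r'C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h4212935.exe | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"',
    r'C:\Windows\System32\gpupdate.exe | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "0"',
    r'C:\Windows\explorer.exe | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\Program Files\OneDrive.exe"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.rule}: {f.process} set {f.key}\\{f.value} = {f.data}")
```

Running the file prints three findings (two real-time protection values and the TamperProtection write) and nothing for the two benign lines. The rule matches on the policy key rather than on the process name because the dropper file names on this page (a3542491, h4212935, k1592910, h9778228) are throwaway.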
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\85f2f1ff9ebbc00b11310cb6b89768dcf0eb2032b0a64810fc24c9ec9b4a6804.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3989871.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h9778228.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h9778228.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h9778228.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\85f2f1ff9ebbc00b11310cb6b89768dcf0eb2032b0a64810fc24c9ec9b4a6804.exe
"C:\Users\Admin\AppData\Local\Temp\85f2f1ff9ebbc00b11310cb6b89768dcf0eb2032b0a64810fc24c9ec9b4a6804.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3989871.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3989871.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g7514062.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g7514062.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
"C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe"
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h9778228.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h9778228.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN pdates.exe /TR "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "pdates.exe" /P "Admin:N"&&CACLS "pdates.exe" /P "Admin:R" /E&&echo Y|CACLS "..\925e7e99c5" /P "Admin:N"&&CACLS "..\925e7e99c5" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "pdates.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "pdates.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\925e7e99c5" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\925e7e99c5" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j5730664.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j5730664.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
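The schtasks/cmd/cacls chain listed above is the persistence step of the component the report tags as Amadey: a task named after the dropped copy (pdates.exe here and in behavioral3, danke.exe in behavioral21) re-runs it from Temp every minute, then cacls first strips the running account's access to the file and its directory ("Admin:N") and hands back read-only ("Admin:R /E"), so the user that the malware runs as can no longer delete it through the normal UI. The Python below is an added example, not part of the report. It detects the two halves independently and then correlates them on the last path component, because the cacls commands on the page use paths relative to the 925e7e99c5 directory. Input is a constructed list of (image, command line) pairs copied from the Processes section, plus one benign daily task added to show the rule is selective. Note for remediation: the account that ran cacls still owns the file, and an owner can always rewrite the DACL, so icacls <path> /reset (or taking ownership) restores control before deletion.

```python
"""Detect the scheduled-task + CACLS persistence chain from process events.

Added example; not part of the sandbox report. Written against the command
lines the report lists for schtasks.exe and cacls.exe (pdates.exe in
behavioral3/17, danke.exe in behavioral21). The input is a constructed list
of (image, command line) pairs, not a real EDR schema.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

TEMP_PATH = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)


@dataclass(frozen=True)
class Alert:
    rule: str
    image: str
    target: str   # file or directory the command acts on
    detail: str


def check_schtasks(image: str, cmdline: str) -> Optional[Alert]:
    """A /Create with a MINUTE schedule whose /TR points into the user's
    Temp directory, i.e. the pdates.exe/danke.exe task on the page."""
    if not image.lower().endswith("\\schtasks.exe"):
        return None
    if not re.search(r"/create\b", cmdline, re.IGNORECASE):
        return None
    sc = re.search(r"/sc\s+(\w+)", cmdline, re.IGNORECASE)
    mo = re.search(r"/mo\s+(\d+)", cmdline, re.IGNORECASE)
    tr = re.search(r'/tr\s+(?:"([^"]+)"|(\S+))', cmdline, re.IGNORECASE)
    target = (tr.group(1) or tr.group(2)) if tr else ""
    if sc and sc.group(1).upper() == "MINUTE" and TEMP_PATH.search(target):
        every = mo.group(1) if mo else "?"
        return Alert("schtasks_minute_task_from_temp", image, target, f"runs every {every} min")
    return None


def check_cacls(image: str, cmdline: str) -> Optional[Alert]:
    """CACLS <path> /P <user>:N removes that account's access to the dropped
    file or directory; the later ':R /E' on the page hands back read only."""
    if not image.lower().endswith("\\cacls.exe"):
        return None
    path_m = re.match(r'\s*cacls\s+"?([^"\s]+)"?', cmdline, re.IGNORECASE)
    perm_m = re.search(r'/p\s+"?([^:"\s]+):([A-Z])"?', cmdline, re.IGNORECASE)
    if not path_m or not perm_m:
        return None
    path, user, perm = path_m.group(1), perm_m.group(1), perm_m.group(2).upper()
    if perm == "N":
        return Alert("cacls_deny_own_access", image, path, f"{user}:N")
    return None


def _last(path: str) -> str:
    return path.rstrip("\\").split("\\")[-1].lower()


def scan(events: List[Tuple[str, str]]) -> List[Alert]:
    alerts, tasks, locks = [], [], []
    for image, cmdline in events:
        a = check_schtasks(image, cmdline)
        if a:
            alerts.append(a)
            tasks.append(a)
        a = check_cacls(image, cmdline)
        if a:
            alerts.append(a)
            locks.append(a)
    # Correlate: an ACL lock on the task binary or on its directory is the
    # stronger signal. cacls runs with relative paths on the page, so compare
    # the last path component of the lock target with the task target's file
    # name and parent directory name.
    for t in tasks:
        parts = t.target.rstrip("\\").split("\\")
        names = {parts[-1].lower()}
        if len(parts) > 1:
            names.add(parts[-2].lower())
        for l in locks:
            if _last(l.target) in names:
                alerts.append(Alert("task_target_acl_locked", t.image, t.target, f"{l.target} {l.detail}"))
    return alerts


# Constructed from the command lines in the report (the cmd.exe /k wrapper is
# omitted); the last entry is a benign daily task added for contrast.
SAMPLE_EVENTS = [
    (r"C:\Windows\SysWOW64\schtasks.exe",
     r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN pdates.exe /TR "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe" /F'),
    (r"C:\Windows\SysWOW64\cacls.exe", r'CACLS "pdates.exe" /P "Admin:N"'),
    (r"C:\Windows\SysWOW64\cacls.exe", r'CACLS "pdates.exe" /P "Admin:R" /E'),
    (r"C:\Windows\SysWOW64\cacls.exe", r'CACLS "..\925e7e99c5" /P "Admin:N"'),
    (r"C:\Windows\SysWOW64\cacls.exe", r'CACLS "..\925e7e99c5" /P "Admin:R" /E'),
    (r"C:\Windows\System32\schtasks.exe",
     r'schtasks /Create /SC DAILY /TN VendorUpdate /TR "C:\Program Files\Vendor\update.exe" /F'),
]

if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"{a.rule}: {a.target} ({a.detail})")
```

On the sample it raises one task alert, two deny-ACL alerts (file and directory) and two correlated alerts; the daily task from Program Files raises nothing. Threshold the correlated rule, not the individual ones: installers legitimately create tasks, and cacls with :N alone is rare but not unheard of in admin scripts.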
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| FI | 77.91.68.61:80 | | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| BE | 2.17.107.114:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 114.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| FI | 77.91.124.84:19071 | | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| BE | 2.17.107.114:443 | www.bing.com | tcp |
| FI | 77.91.124.84:19071 | | tcp |
| FI | 77.91.68.61:80 | | tcp |
| FI | 77.91.124.84:19071 | | tcp |
| FI | 77.91.68.61:80 | | tcp |
| FI | 77.91.124.84:19071 | | tcp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| FI | 77.91.124.84:19071 | tcp | |
| FI | 77.91.124.84:19071 | tcp | |
| US | 8.8.8.8:53 | 211.143.182.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3989871.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g7514062.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h9778228.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j5730664.exe
Analysis: behavioral19
Detonation Overview
Submitted
2024-05-09 18:26
Reported
2024-05-09 18:29
Platform
win10v2004-20240226-en
Max time kernel
141s
Max time network
152s
Command Line
Signatures
Lumma Stealer
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4752 set thread context of 1368 | N/A | C:\Users\Admin\AppData\Local\Temp\8ea62cf58512d2544c0f66fbf28e12c7a8344d4a08e8256c968a35de58ccc513.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\8ea62cf58512d2544c0f66fbf28e12c7a8344d4a08e8256c968a35de58ccc513.exe
"C:\Users\Admin\AppData\Local\Temp\8ea62cf58512d2544c0f66fbf28e12c7a8344d4a08e8256c968a35de58ccc513.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3808 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:8
Network
Files
Analysis: behavioral20
Detonation Overview
Submitted
2024-05-09 18:26
Reported
2024-05-09 18:29
Platform
win10v2004-20240426-en
Max time kernel
150s
Max time network
153s
Command Line
Signatures
Amadey
Detects Healer an antivirus disabler dropper
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h4802238.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h4802238.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h4802238.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h4802238.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h4802238.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h4802238.exe | N/A |
RedLine
RedLine payload
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g1628347.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6699584.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g1628347.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h4802238.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j5920531.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h4802238.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\af1379c2cbc8abd767e205c1b0a8be9e9c8b5765083700eb3fd2313bf3a76e5d.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6699584.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h4802238.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h4802238.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h4802238.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\af1379c2cbc8abd767e205c1b0a8be9e9c8b5765083700eb3fd2313bf3a76e5d.exe
"C:\Users\Admin\AppData\Local\Temp\af1379c2cbc8abd767e205c1b0a8be9e9c8b5765083700eb3fd2313bf3a76e5d.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6699584.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6699584.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g1628347.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g1628347.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
"C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe"
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h4802238.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h4802238.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN pdates.exe /TR "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "pdates.exe" /P "Admin:N"&&CACLS "pdates.exe" /P "Admin:R" /E&&echo Y|CACLS "..\925e7e99c5" /P "Admin:N"&&CACLS "..\925e7e99c5" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "pdates.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "pdates.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\925e7e99c5" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\925e7e99c5" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j5920531.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j5920531.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
Network
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6699584.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g1628347.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h4802238.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j5920531.exe
Analysis: behavioral22
Detonation Overview
Submitted
2024-05-09 18:26
Reported
2024-05-09 18:29
Platform
win10v2004-20240426-en
Max time kernel
126s
Max time network
150s
Command Line
Signatures
Detects Healer an antivirus disabler dropper
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a4988471.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a4988471.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b2534508.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b2534508.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b2534508.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b2534508.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b2534508.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a4988471.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a4988471.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a4988471.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a4988471.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b2534508.exe | N/A |
RedLine
RedLine payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3676714.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4393292.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7581476.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a4988471.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b2534508.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c4553836.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a4988471.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a4988471.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b2534508.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4393292.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7581476.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\b567e2a99fadbe5df72750afd38b655036141fe91ab1982084901d6855e1c6c5.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3676714.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a4988471.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a4988471.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b2534508.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b2534508.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a4988471.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b2534508.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\b567e2a99fadbe5df72750afd38b655036141fe91ab1982084901d6855e1c6c5.exe
"C:\Users\Admin\AppData\Local\Temp\b567e2a99fadbe5df72750afd38b655036141fe91ab1982084901d6855e1c6c5.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3676714.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3676714.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4393292.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4393292.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7581476.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7581476.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a4988471.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a4988471.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b2534508.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b2534508.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c4553836.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c4553836.exe
Network
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3676714.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4393292.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7581476.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a4988471.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b2534508.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c4553836.exe
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\System.dll.log
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-09 18:26
Reported
2024-05-09 18:29
Platform
win7-20240419-en
Max time kernel
121s
Max time network
126s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\05a0748d48b19e76e2ac6f6c7a81179bc89e5adf95615c3d3417fc86f39342c0.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1992 wrote to memory of 2840 | N/A | C:\Users\Admin\AppData\Local\Temp\05a0748d48b19e76e2ac6f6c7a81179bc89e5adf95615c3d3417fc86f39342c0.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 1992 wrote to memory of 2840 | N/A | C:\Users\Admin\AppData\Local\Temp\05a0748d48b19e76e2ac6f6c7a81179bc89e5adf95615c3d3417fc86f39342c0.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 1992 wrote to memory of 2840 | N/A | C:\Users\Admin\AppData\Local\Temp\05a0748d48b19e76e2ac6f6c7a81179bc89e5adf95615c3d3417fc86f39342c0.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 1992 wrote to memory of 2840 | N/A | C:\Users\Admin\AppData\Local\Temp\05a0748d48b19e76e2ac6f6c7a81179bc89e5adf95615c3d3417fc86f39342c0.exe | C:\Windows\SysWOW64\WerFault.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\05a0748d48b19e76e2ac6f6c7a81179bc89e5adf95615c3d3417fc86f39342c0.exe
"C:\Users\Admin\AppData\Local\Temp\05a0748d48b19e76e2ac6f6c7a81179bc89e5adf95615c3d3417fc86f39342c0.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1992 -s 48
Network
Files
Analysis: behavioral6
Detonation Overview
Submitted
2024-05-09 18:26
Reported
2024-05-09 18:29
Platform
win10v2004-20240426-en
Max time kernel
149s
Max time network
154s
Command Line
Signatures
Amadey
Detects Healer an antivirus disabler dropper
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k8788304.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k8788304.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k8788304.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k8788304.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k8788304.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k8788304.exe | N/A |
RedLine
RedLine payload
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l2109560.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7479828.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k8788304.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l2109560.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n4919790.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k8788304.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\3754d1115a8a0a19cc2164cd88182e48f6c2435bfbbcd6af4c63cc5dc0d61e68.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7479828.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k8788304.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k8788304.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k8788304.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\3754d1115a8a0a19cc2164cd88182e48f6c2435bfbbcd6af4c63cc5dc0d61e68.exe
"C:\Users\Admin\AppData\Local\Temp\3754d1115a8a0a19cc2164cd88182e48f6c2435bfbbcd6af4c63cc5dc0d61e68.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7479828.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7479828.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k8788304.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k8788304.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l2109560.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l2109560.exe
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
"C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n4919790.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n4919790.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN danke.exe /TR "C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "danke.exe" /P "Admin:N"&&CACLS "danke.exe" /P "Admin:R" /E&&echo Y|CACLS "..\3ec1f323b5" /P "Admin:N"&&CACLS "..\3ec1f323b5" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "danke.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "danke.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\3ec1f323b5" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\3ec1f323b5" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| FI | 77.91.68.68:19071 | | tcp |
| FI | 77.91.68.3:80 | | tcp |
| BE | 88.221.83.227:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 227.83.221.88.in-addr.arpa | udp |
| FI | 77.91.68.68:19071 | | tcp |
| FI | 77.91.68.3:80 | | tcp |
| FI | 77.91.68.68:19071 | | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| FI | 77.91.68.3:80 | | tcp |
| FI | 77.91.68.68:19071 | | tcp |
| US | 8.8.8.8:53 | 138.201.86.20.in-addr.arpa | udp |
| FI | 77.91.68.3:80 | | tcp |
| FI | 77.91.68.68:19071 | | tcp |
| FI | 77.91.68.3:80 | | tcp |
| FI | 77.91.68.68:19071 | | tcp |
| US | 8.8.8.8:53 | 17.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7479828.exe
| MD5 | 8ab1edbbfed2e4d045e302814f3c5485 |
| SHA1 | 55dc00071e0d5abb37ed3b440dbb754dfe62f9cc |
| SHA256 | 14f08f05850f34cd0ca925d9148ba0191608f5939a83685d819e25b639875cc5 |
| SHA512 | 7ea43b536e07da561513acbafa152c330bd7aa1b26592826d8eada0997bf6dfd04125efa595c8c859b4e86f07c226ad6e7abda97a89c075e5efc1c2d9591b4cf |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k8788304.exe
| MD5 | 7e93bacbbc33e6652e147e7fe07572a0 |
| SHA1 | 421a7167da01c8da4dc4d5234ca3dd84e319e762 |
| SHA256 | 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38 |
| SHA512 | 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91 |
memory/1916-14-0x0000000000A10000-0x0000000000A1A000-memory.dmp
memory/1916-15-0x00007FF95DED3000-0x00007FF95DED5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l2109560.exe
| MD5 | 8c6b79ec436d7cf6950a804c1ec7d3e9 |
| SHA1 | 4a589d5605d8ef785fdc78b0bf64e769e3a21ad6 |
| SHA256 | 4e1377f9874f333dcb0b1b758e3131949e667fc39aadf3091e4e3b7cdbaeef1d |
| SHA512 | 06f2de433876963bb7bbddbe93cab0b7dd22164d1c10726294445944dcf5fa4a0fb450fc683c32565177a81a6103f6a5f11d291958bc7fcff7fdb9cf41a001ce |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n4919790.exe
| MD5 | 1cfe536c7ec6a5247d61cafcd97e1ebc |
| SHA1 | 13f4c6c97d0fd97f0ef72e12c088386539effe39 |
| SHA256 | f46eb44a552576e0629c3b33946f8964c58fd96e763c33f12f51c9a5be961fef |
| SHA512 | ce9dc01996faf9e29830f755b1578a7e855e44f70f9947219c82ee43d8c56725258773d31df81bf0967f757e7d2e22695d66fc1fd518cc0e131d6d985de11853 |
memory/1948-33-0x0000000000870000-0x00000000008A0000-memory.dmp
memory/1948-34-0x0000000002A20000-0x0000000002A26000-memory.dmp
memory/1948-35-0x0000000005990000-0x0000000005FA8000-memory.dmp
memory/1948-36-0x0000000005480000-0x000000000558A000-memory.dmp
memory/1948-37-0x0000000005230000-0x0000000005242000-memory.dmp
memory/1948-38-0x00000000053B0000-0x00000000053EC000-memory.dmp
memory/1948-39-0x00000000053F0000-0x000000000543C000-memory.dmp
Analysis: behavioral7
Detonation Overview
Submitted
2024-05-09 18:26
Reported
2024-05-09 18:29
Platform
win10v2004-20240426-en
Max time kernel
142s
Max time network
154s
Command Line
Signatures
Amadey
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a4317860.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a4317860.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a4317860.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a4317860.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a4317860.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a4317860.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
SmokeLoader
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b3521762.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6874300.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5729178.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a4317860.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b3521762.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c9143825.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d8694300.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a4317860.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\489287cb76171eb013ef8276977586b53061bbfae58f0a22402bd5aa83ff8d28.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6874300.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5729178.exe | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c9143825.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c9143825.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c9143825.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a4317860.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a4317860.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a4317860.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b3521762.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\489287cb76171eb013ef8276977586b53061bbfae58f0a22402bd5aa83ff8d28.exe
"C:\Users\Admin\AppData\Local\Temp\489287cb76171eb013ef8276977586b53061bbfae58f0a22402bd5aa83ff8d28.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6874300.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6874300.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5729178.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5729178.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a4317860.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a4317860.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b3521762.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b3521762.exe
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
"C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe"
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c9143825.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c9143825.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d8694300.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d8694300.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN danke.exe /TR "C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "danke.exe" /P "Admin:N"&&CACLS "danke.exe" /P "Admin:R" /E&&echo Y|CACLS "..\3ec1f323b5" /P "Admin:N"&&CACLS "..\3ec1f323b5" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "danke.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "danke.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\3ec1f323b5" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\3ec1f323b5" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| BE | 2.17.107.114:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 114.107.17.2.in-addr.arpa | udp |
| FI | 77.91.68.3:80 | | tcp |
| FI | 77.91.68.68:19071 | | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| BE | 2.17.107.114:443 | www.bing.com | tcp |
| FI | 77.91.68.68:19071 | | tcp |
| FI | 77.91.68.3:80 | | tcp |
| FI | 77.91.68.68:19071 | | tcp |
| FI | 77.91.68.3:80 | | tcp |
| FI | 77.91.68.68:19071 | | tcp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| FI | 77.91.68.3:80 | | tcp |
| FI | 77.91.68.68:19071 | | tcp |
| FI | 77.91.68.3:80 | | tcp |
| FI | 77.91.68.68:19071 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6874300.exe
| MD5 | 2cd816112e2654e8e6d1d5e787e9bf64 |
| SHA1 | 1578e56dc20951b2d391d5e2efd4ce785cf0f70b |
| SHA256 | 4042d3978e88bc0a60c28e661c1230b93c9f4afb5261582ffdbdf983eb5c0053 |
| SHA512 | c6a5aa7c82dce4d999062265d6389dc8d991e3e9218b45cdd957f593ed0fa49f1c2a3594815ccf7bc4185304f51f241d474d2a66942f98bd6afcd91170a314af |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5729178.exe
| MD5 | b33ed449c8f14c6fb368a86bb106cfa0 |
| SHA1 | 2d87fac952e475fedc5899d84c3fb6a530bd6df1 |
| SHA256 | aa7e2f4b57b1cfe177ed374ae52de66ef67d63d4939667d626a771e6c8ed595f |
| SHA512 | 52f4e528865df21ebf715e7a32d4928d7d280e3f03c8c0af5bc09094ae31ebe975c047c22f9856692b61891c7fa8107696e6d3fd78f09d19e88629443a1cf0e0 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a4317860.exe
| MD5 | b376a10928f6fe6080e26c262c6e1ffe |
| SHA1 | abaa3561c3ea57806d17d62a5e03c629f7f1700c |
| SHA256 | 2a8ff60d89a4e89d0a3bfd586e0660aa7dec7e159743ccf2da80aeba770cddf9 |
| SHA512 | 839f809a62fa320e4affbc2d3817504bee3983e9de9f92ba6c5179ac0645b4f4e8b16b27eefc92dfe65975ce7fcf745cd420a18e910fb0f2b9f5e23b078c9676 |
memory/3880-21-0x0000000000C60000-0x0000000000C6A000-memory.dmp
memory/3880-22-0x00007FFD6E5B3000-0x00007FFD6E5B5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b3521762.exe
| MD5 | 64b4e0fd864249e80e2ca09d305f38d4 |
| SHA1 | fbdef845a041e25ae29e7a118a772d2d3f859e25 |
| SHA256 | 525b363998ba283d3a861ccdee3b6f98c638edcda7bdbc5686a43df89045db1b |
| SHA512 | d63df1c17cc8a4d5ff6b788cf09ffa7694f1d7533216c5256b41231335b79ed0eb9d34615ae63d25ca04e0f4df48c4702128c7f4d873e5489fef29de3ac83984 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c9143825.exe
| MD5 | caab6bdd594cf053c653510382e6299d |
| SHA1 | 18cc73141fb10b18448d68e31928da123ea7d9ba |
| SHA256 | b7fbfc8a9db3cd7803e9a85ebfaf788163df49d2a581385388c0b04bab238c4a |
| SHA512 | 479a8da693c49c8dac91fb1d5fed9da53cbb0c0e69ba339d51934cdd73c387ff7ebbd4a0eda5e95dc1599e9d8710bbf353ee414181898ea9ec27cfdef8562f8d |
memory/4292-40-0x0000000000400000-0x0000000000409000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d8694300.exe
| MD5 | 2a96746622fa30b8ba99bb493130fe71 |
| SHA1 | 2df00e287eecd05b459b8f319e48b2db074227a2 |
| SHA256 | cbaf39a88af144f09eb435969816f5a8c3b05418d546ba545436b092381d6ddb |
| SHA512 | 57c9ac6c10d264fe9ac3d8d5413e11b6fb8628422058fb90011b04f2f27e81da808dc1eb2783ae8ed9cdd1fcde22c0f0bb0f4d01b9acec77f244efdc1875fc5b |
memory/748-44-0x0000000000C80000-0x0000000000CB0000-memory.dmp
memory/748-45-0x0000000002E20000-0x0000000002E26000-memory.dmp
memory/748-46-0x0000000005C40000-0x0000000006258000-memory.dmp
memory/748-47-0x0000000005730000-0x000000000583A000-memory.dmp
memory/748-48-0x0000000005620000-0x0000000005632000-memory.dmp
memory/748-49-0x0000000005680000-0x00000000056BC000-memory.dmp
memory/748-50-0x00000000056C0000-0x000000000570C000-memory.dmp
Analysis: behavioral8
Detonation Overview
Submitted
2024-05-09 18:26
Reported
2024-05-09 18:29
Platform
win10v2004-20240508-en
Max time kernel
148s
Max time network
158s
Command Line
Signatures
Amadey
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p7552092.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p7552092.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p7552092.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p7552092.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p7552092.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p7552092.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r8873729.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8228455.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p7552092.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r8873729.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\t0596320.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p7552092.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\4a64601cda22ee78c5a65b16c6140cd47a27949c9b5b09685526fa936b55c3bb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8228455.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p7552092.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p7552092.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p7552092.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r8873729.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\4a64601cda22ee78c5a65b16c6140cd47a27949c9b5b09685526fa936b55c3bb.exe
"C:\Users\Admin\AppData\Local\Temp\4a64601cda22ee78c5a65b16c6140cd47a27949c9b5b09685526fa936b55c3bb.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8228455.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8228455.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p7552092.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p7552092.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r8873729.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r8873729.exe
C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe
"C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\t0596320.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\t0596320.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legola.exe /TR "C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legola.exe" /P "Admin:N"&&CACLS "legola.exe" /P "Admin:R" /E&&echo Y|CACLS "..\ebb444342c" /P "Admin:N"&&CACLS "..\ebb444342c" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "legola.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "legola.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\ebb444342c" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\ebb444342c" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe
C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe
C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe
C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe
Network
| Country | Destination | Domain | Proto |
| SE | 5.42.92.67:80 | | tcp |
| FI | 77.91.68.68:19071 | | tcp |
| FI | 77.91.68.68:19071 | | tcp |
| SE | 5.42.92.67:80 | | tcp |
| FI | 77.91.68.68:19071 | | tcp |
| SE | 5.42.92.67:80 | | tcp |
| FI | 77.91.68.68:19071 | | tcp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| FI | 77.91.68.68:19071 | | tcp |
| FI | 77.91.68.68:19071 | | tcp |
| US | 8.8.8.8:53 | 25.73.42.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8228455.exe
| MD5 | 1d7f0bbde4a1de9005e72ad73b04e815 |
| SHA1 | 868382c50a8302dfbdb0581bb8adbd5cab2f6ca7 |
| SHA256 | ea7a2e99cc2c8335795cc9a9b7e68cac33146817112f5ec48f105b648f01df25 |
| SHA512 | d41aa8dcccbd3ef22fdc7705b04db06771080553b3dc5722f0c4e24d1c7ae94de9a0140204cdd576d3a513370b3e69d2eae83ac06a402296560265aab242f19d |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p7552092.exe
| MD5 | f77d78af12b9628421ed4e1dfb7deb13 |
| SHA1 | 9b6fa06af3564e2fe4724d8b5ebfdfd2a7ec0fd5 |
| SHA256 | 10d806abe4d088bbb95c43a04c91f68a10888bd256de9c9a58c4c7642a9572ab |
| SHA512 | 6c01f44fdb412a58a19ddb4caf73a502a5aae10aecb959a67142ab267ef6732a7e5e6346c1a5ce5aa52823ae5b50372c083e4e59f650c835a38c75d334303e00 |
memory/4884-14-0x00007FFC5F2F3000-0x00007FFC5F2F5000-memory.dmp
memory/4884-15-0x0000000000CD0000-0x0000000000CDA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r8873729.exe
| MD5 | 4c1ddb64aa9642cf1a82755cb11907b6 |
| SHA1 | 024648f34c29ee0e80ac4bfddab1becd0f63a81f |
| SHA256 | 91bd59d4d14b1d6b2507691afc37760c60929aa64bff3ec83e55369d54bee38b |
| SHA512 | 7f14e4fa309c036f7ee44f88a6ec5ddc7a72b1fa0646646b5978c7efea44997e269945caf96b8d40d7597747492815e09f2664d769022e44db952cc5072d6a24 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\t0596320.exe
| MD5 | 724524e7826b06b2d9004e8bee566a90 |
| SHA1 | 8d9bba1b3a106cf43e7669601c06705d747d1666 |
| SHA256 | 95fbb7ef4e009a2da579e7fea9287ce2fa03b78e1f22f15790dd12a2fdcc90c9 |
| SHA512 | a5b9decac1c7dfa587ca21f87d7aa9fac6a592565121fa127fc4949df8762e125fd3ccd459c2dbc30a6f13f697e99d536d9647257395dc04d48ca0e0aa94d7f8 |
memory/448-33-0x0000000000070000-0x00000000000A0000-memory.dmp
memory/448-34-0x0000000002320000-0x0000000002326000-memory.dmp
memory/448-35-0x0000000005080000-0x0000000005698000-memory.dmp
memory/448-36-0x0000000004B70000-0x0000000004C7A000-memory.dmp
memory/448-37-0x00000000048F0000-0x0000000004902000-memory.dmp
memory/448-38-0x0000000004A60000-0x0000000004A9C000-memory.dmp
memory/448-39-0x0000000004AA0000-0x0000000004AEC000-memory.dmp
Analysis: behavioral12
Detonation Overview
Submitted
2024-05-09 18:26
Reported
2024-05-09 18:29
Platform
win10v2004-20240508-en
Max time kernel
93s
Max time network
96s
Command Line
Signatures
Lumma Stealer
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4248 set thread context of 1804 | N/A | C:\Users\Admin\AppData\Local\Temp\6ade339142b77016063402bfde9702b7b9bb644452bae38929035daf779beae8.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\6ade339142b77016063402bfde9702b7b9bb644452bae38929035daf779beae8.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\6ade339142b77016063402bfde9702b7b9bb644452bae38929035daf779beae8.exe
"C:\Users\Admin\AppData\Local\Temp\6ade339142b77016063402bfde9702b7b9bb644452bae38929035daf779beae8.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4248 -ip 4248
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4248 -s 356
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | sideindexfollowragelrew.pw | udp |
| US | 8.8.8.8:53 | productivelookewr.shop | udp |
| US | 104.21.11.250:443 | productivelookewr.shop | tcp |
| US | 8.8.8.8:53 | 250.11.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tolerateilusidjukl.shop | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 104.21.89.202:443 | tolerateilusidjukl.shop | tcp |
| BE | 2.17.107.123:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 202.89.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 123.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | shatterbreathepsw.shop | udp |
| US | 104.21.95.19:443 | shatterbreathepsw.shop | tcp |
| US | 8.8.8.8:53 | shortsvelventysjo.shop | udp |
| US | 172.67.216.69:443 | shortsvelventysjo.shop | tcp |
| US | 8.8.8.8:53 | 19.95.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | incredibleextedwj.shop | udp |
| US | 104.21.86.106:443 | incredibleextedwj.shop | tcp |
| US | 8.8.8.8:53 | alcojoldwograpciw.shop | udp |
| US | 104.21.48.243:443 | alcojoldwograpciw.shop | tcp |
| US | 8.8.8.8:53 | 69.216.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | liabilitynighstjsko.shop | udp |
| US | 104.21.44.3:443 | liabilitynighstjsko.shop | tcp |
| US | 8.8.8.8:53 | demonstationfukewko.shop | udp |
| US | 104.21.33.174:443 | demonstationfukewko.shop | tcp |
| US | 8.8.8.8:53 | 106.86.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.44.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 243.48.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 174.33.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
memory/4248-0-0x0000000001086000-0x0000000001087000-memory.dmp
memory/1804-1-0x0000000000400000-0x000000000044F000-memory.dmp
memory/1804-3-0x0000000000400000-0x000000000044F000-memory.dmp
memory/1804-4-0x0000000000400000-0x000000000044F000-memory.dmp
memory/1804-5-0x0000000000400000-0x000000000044F000-memory.dmp
Analysis: behavioral14
Detonation Overview
Submitted
2024-05-09 18:26
Reported
2024-05-09 18:29
Platform
win10v2004-20240426-en
Max time kernel
148s
Max time network
156s
Command Line
Signatures
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k8462227.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k8462227.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k8462227.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k8462227.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k8462227.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k8462227.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8742565.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y6192832.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k8462227.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l4474769.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k8462227.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k8462227.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\7a398dd87e73b31bd02e99eea6ac42ac6c884f0fed02dcf0a0a2184a33913555.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8742565.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y6192832.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k8462227.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k8462227.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k8462227.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\7a398dd87e73b31bd02e99eea6ac42ac6c884f0fed02dcf0a0a2184a33913555.exe
"C:\Users\Admin\AppData\Local\Temp\7a398dd87e73b31bd02e99eea6ac42ac6c884f0fed02dcf0a0a2184a33913555.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8742565.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8742565.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y6192832.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y6192832.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k8462227.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k8462227.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l4474769.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l4474769.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| FI | 77.91.68.56:19071 | | tcp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 101.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| FI | 77.91.68.56:19071 | | tcp |
| FI | 77.91.68.56:19071 | | tcp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| BE | 88.221.83.210:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 210.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.201.86.20.in-addr.arpa | udp |
| FI | 77.91.68.56:19071 | | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| FI | 77.91.68.56:19071 | | tcp |
| FI | 77.91.68.56:19071 | | tcp |
| US | 8.8.8.8:53 | 252.15.104.51.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8742565.exe
| MD5 | 95d2100c92a77a73c603081f30c2fc23 |
| SHA1 | c1aa4842f6cd0876401f5c2738f41f3083116d47 |
| SHA256 | 84eec35e2697eea6eb88e1c63006dbc7464533bd8a703cd0cbf553d1b60eacc4 |
| SHA512 | e8221ee1bc142f0c8cb3726b46767a196a271de5bdc4d73fb9a9b5e7898c955cdbd7037733142d45873743b1a0bcaf7eee0a7493fab4652cb9b753feb7d807e1 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y6192832.exe
| MD5 | 25ae8b33c55e946e87d3ad9cf1b95e4e |
| SHA1 | 94b57f3d5b2ef2a5b4af0f13d93574c441ed9016 |
| SHA256 | d77536661a640bcd7bae77346b665cf7a4cfdf72d66463d638d65efc541a8855 |
| SHA512 | aacbfa748b6e6385e199a358e2781bb05b7eb389ff8f735eaed1c257e9c7ddd6783f8efc9743507c565ad4b0d31987161a07b126b753c4c38f07fccf4ddda233 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k8462227.exe
| MD5 | 6ba22005c57de51e274dd36fcc6cf437 |
| SHA1 | b5b07a32ad47870b828e701792f9d90fe8494242 |
| SHA256 | a7c6872ed6045c7dd0706d2b96cd122989cdb9c1d4fa772594131a760e733194 |
| SHA512 | e4215fb7b937afc794d49983738326d8359b2887bc6253a6d5e8380bd2db92afc84dc35206db8a3f8b4e4b2a08b87e04c2108e7fe3c0a1e06a7af897832a40bc |
memory/1724-21-0x0000000000590000-0x00000000005CE000-memory.dmp
memory/1724-27-0x0000000000401000-0x0000000000404000-memory.dmp
memory/1724-28-0x0000000000590000-0x00000000005CE000-memory.dmp
memory/1724-29-0x00000000025D0000-0x00000000025D1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l4474769.exe
| MD5 | 68285b405009ab1bfb17580e8ccdaaf2 |
| SHA1 | d013006cf8f7fc2f7ed85eb9e961ed29599998c5 |
| SHA256 | 12713c9bded34a577955f09993589e7e6c4ae24791ffd88f4c3d860bc8cf786e |
| SHA512 | ef31bcca57ab341e0768997edbd243b31d73d4cd29eaa9104a88588db2a904bd1f76e9d4883a491c7aa89db5b1046a49b49116e13ad0a2fd065b8f07841974c5 |
memory/3836-35-0x0000000002060000-0x00000000020EC000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\System.dll.log
| MD5 | 916851e072fbabc4796d8916c5131092 |
| SHA1 | d48a602229a690c512d5fdaf4c8d77547a88e7a2 |
| SHA256 | 7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d |
| SHA512 | 07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521 |
memory/3836-42-0x0000000002060000-0x00000000020EC000-memory.dmp
memory/3836-44-0x00000000022A0000-0x00000000022A6000-memory.dmp
memory/3836-45-0x0000000008520000-0x0000000008B38000-memory.dmp
memory/3836-46-0x0000000007F50000-0x000000000805A000-memory.dmp
memory/3836-47-0x0000000008080000-0x0000000008092000-memory.dmp
memory/3836-48-0x00000000080A0000-0x00000000080DC000-memory.dmp
memory/3836-49-0x0000000005A30000-0x0000000005A7C000-memory.dmp
Analysis: behavioral15
Detonation Overview
Submitted
2024-05-09 18:26
Reported
2024-05-09 18:29
Platform
win10v2004-20240426-en
Max time kernel
150s
Max time network
156s
Command Line
Signatures
Amadey
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3010562.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3010562.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3010562.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3010562.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3010562.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3010562.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l5089359.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0144022.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3010562.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l5089359.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n7691069.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3010562.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\806347c33e4007046137819a7a108692563d6b877051ff1016faf9a47ec660f1.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0144022.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3010562.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3010562.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3010562.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\806347c33e4007046137819a7a108692563d6b877051ff1016faf9a47ec660f1.exe
"C:\Users\Admin\AppData\Local\Temp\806347c33e4007046137819a7a108692563d6b877051ff1016faf9a47ec660f1.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0144022.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0144022.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3010562.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3010562.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l5089359.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l5089359.exe
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
"C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n7691069.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n7691069.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN danke.exe /TR "C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "danke.exe" /P "Admin:N"&&CACLS "danke.exe" /P "Admin:R" /E&&echo Y|CACLS "..\3ec1f323b5" /P "Admin:N"&&CACLS "..\3ec1f323b5" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "danke.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "danke.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\3ec1f323b5" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\3ec1f323b5" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| BE | 2.17.107.114:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 114.107.17.2.in-addr.arpa | udp |
| FI | 77.91.68.68:19071 | | tcp |
| FI | 77.91.68.3:80 | | tcp |
| FI | 77.91.68.68:19071 | | tcp |
| FI | 77.91.68.3:80 | | tcp |
| FI | 77.91.68.68:19071 | | tcp |
| FI | 77.91.68.3:80 | | tcp |
| FI | 77.91.68.68:19071 | | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 138.201.86.20.in-addr.arpa | udp |
| FI | 77.91.68.3:80 | | tcp |
| FI | 77.91.68.68:19071 | | tcp |
| FI | 77.91.68.3:80 | | tcp |
| FI | 77.91.68.68:19071 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0144022.exe
| MD5 | 46cb90817dd91ee173223981c87c835f |
| SHA1 | f03cca03f3c7f153de6a83bf93d7f2efc852b609 |
| SHA256 | 726ccdeec02f4c1a4e3e172531bfb7ad7735ca6cb5db15bb03c89053f0897d3b |
| SHA512 | 61f52e66398084244466be4e4bc5d100cbef21a1a0f834ef7be5d87a1d14a359b37000817fb33fc39860bccf216efbdbc5ac0790a7a83e4b9cd88c602ece4db6 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3010562.exe
| MD5 | 7e93bacbbc33e6652e147e7fe07572a0 |
| SHA1 | 421a7167da01c8da4dc4d5234ca3dd84e319e762 |
| SHA256 | 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38 |
| SHA512 | 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91 |
memory/4668-14-0x00000000005E0000-0x00000000005EA000-memory.dmp
memory/4668-15-0x00007FFCC5EC0000-0x00007FFCC6189000-memory.dmp
memory/4668-17-0x00007FFCC5EC0000-0x00007FFCC6189000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l5089359.exe
| MD5 | 8c6b79ec436d7cf6950a804c1ec7d3e9 |
| SHA1 | 4a589d5605d8ef785fdc78b0bf64e769e3a21ad6 |
| SHA256 | 4e1377f9874f333dcb0b1b758e3131949e667fc39aadf3091e4e3b7cdbaeef1d |
| SHA512 | 06f2de433876963bb7bbddbe93cab0b7dd22164d1c10726294445944dcf5fa4a0fb450fc683c32565177a81a6103f6a5f11d291958bc7fcff7fdb9cf41a001ce |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n7691069.exe
| MD5 | 02e90e00b04c743b958e29edc821ad47 |
| SHA1 | 98369ee594281a2c3aff3f55354d55e62492a42a |
| SHA256 | b0379bb047a7a79457ea3535b8924e426c22ff1b832905dae93b6f1c9c69a4e9 |
| SHA512 | e780830987e4abce20bbb238f1097c9dbcff43b334957b88569c58435e989af6100c14d4bf0844fb80b48e371bf5d016f38b9f15fcb3a4b9450928fec8c4904c |
memory/3536-34-0x0000000000180000-0x00000000001B0000-memory.dmp
memory/3536-35-0x00000000023C0000-0x00000000023C6000-memory.dmp
memory/3536-36-0x0000000005180000-0x0000000005798000-memory.dmp
memory/3536-38-0x0000000004B00000-0x0000000004B12000-memory.dmp
memory/3536-37-0x0000000004C70000-0x0000000004D7A000-memory.dmp
memory/3536-39-0x0000000004BA0000-0x0000000004BDC000-memory.dmp
memory/3536-40-0x0000000004BE0000-0x0000000004C2C000-memory.dmp
Analysis: behavioral18
Detonation Overview
Submitted
2024-05-09 18:26
Reported
2024-05-09 18:29
Platform
win7-20240221-en
Max time kernel
121s
Max time network
125s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\8ea62cf58512d2544c0f66fbf28e12c7a8344d4a08e8256c968a35de58ccc513.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 628 wrote to memory of 1788 | N/A | C:\Users\Admin\AppData\Local\Temp\8ea62cf58512d2544c0f66fbf28e12c7a8344d4a08e8256c968a35de58ccc513.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 628 wrote to memory of 1788 | N/A | C:\Users\Admin\AppData\Local\Temp\8ea62cf58512d2544c0f66fbf28e12c7a8344d4a08e8256c968a35de58ccc513.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 628 wrote to memory of 1788 | N/A | C:\Users\Admin\AppData\Local\Temp\8ea62cf58512d2544c0f66fbf28e12c7a8344d4a08e8256c968a35de58ccc513.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 628 wrote to memory of 1788 | N/A | C:\Users\Admin\AppData\Local\Temp\8ea62cf58512d2544c0f66fbf28e12c7a8344d4a08e8256c968a35de58ccc513.exe | C:\Windows\SysWOW64\WerFault.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\8ea62cf58512d2544c0f66fbf28e12c7a8344d4a08e8256c968a35de58ccc513.exe
"C:\Users\Admin\AppData\Local\Temp\8ea62cf58512d2544c0f66fbf28e12c7a8344d4a08e8256c968a35de58ccc513.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 628 -s 48
Network
Files
memory/628-0-0x0000000000A4C000-0x0000000000A4D000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-09 18:26
Reported
2024-05-09 18:29
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
155s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3852 set thread context of 900 | N/A | C:\Users\Admin\AppData\Local\Temp\05a0748d48b19e76e2ac6f6c7a81179bc89e5adf95615c3d3417fc86f39342c0.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\05a0748d48b19e76e2ac6f6c7a81179bc89e5adf95615c3d3417fc86f39342c0.exe
"C:\Users\Admin\AppData\Local\Temp\05a0748d48b19e76e2ac6f6c7a81179bc89e5adf95615c3d3417fc86f39342c0.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | 235.4.20.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | omnomnom.top | udp |
| DE | 195.201.252.28:443 | omnomnom.top | tcp |
| US | 8.8.8.8:53 | 28.252.201.195.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.121.18.2.in-addr.arpa | udp |
| US | 52.111.229.43:443 | | tcp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.173.189.20.in-addr.arpa | udp |
Files
memory/3852-0-0x0000000000A39000-0x0000000000A3B000-memory.dmp
memory/900-1-0x0000000000400000-0x0000000000422000-memory.dmp
memory/900-2-0x000000007430E000-0x000000007430F000-memory.dmp
memory/900-3-0x0000000005520000-0x0000000005586000-memory.dmp
memory/900-4-0x0000000005FC0000-0x00000000065D8000-memory.dmp
memory/900-5-0x0000000005A50000-0x0000000005A62000-memory.dmp
memory/900-6-0x0000000005B80000-0x0000000005C8A000-memory.dmp
memory/900-7-0x0000000074300000-0x0000000074AB0000-memory.dmp
memory/900-8-0x0000000005F20000-0x0000000005F5C000-memory.dmp
memory/900-9-0x0000000005F60000-0x0000000005FAC000-memory.dmp
memory/900-10-0x0000000006BC0000-0x0000000006D82000-memory.dmp
memory/900-11-0x00000000072C0000-0x00000000077EC000-memory.dmp
memory/900-12-0x0000000007DA0000-0x0000000008344000-memory.dmp
memory/900-13-0x0000000006D90000-0x0000000006E22000-memory.dmp
memory/900-14-0x0000000006E30000-0x0000000006EA6000-memory.dmp
memory/900-15-0x0000000006B90000-0x0000000006BAE000-memory.dmp
memory/900-16-0x0000000007250000-0x00000000072A0000-memory.dmp
memory/900-18-0x0000000074300000-0x0000000074AB0000-memory.dmp
Analysis: behavioral9
Detonation Overview
Submitted
2024-05-09 18:26
Reported
2024-05-09 18:29
Platform
win10v2004-20240508-en
Max time kernel
148s
Max time network
152s
Command Line
Signatures
Amadey
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p1976300.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p1976300.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p1976300.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p1976300.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p1976300.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p1976300.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r2097999.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2081809.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p1976300.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r2097999.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\t9843531.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p1976300.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\4f57ecadcb01211787f5486a7230a8018a0f8a85dfe1ad7b633beb40126c1c56.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2081809.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p1976300.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p1976300.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p1976300.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\4f57ecadcb01211787f5486a7230a8018a0f8a85dfe1ad7b633beb40126c1c56.exe
"C:\Users\Admin\AppData\Local\Temp\4f57ecadcb01211787f5486a7230a8018a0f8a85dfe1ad7b633beb40126c1c56.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2081809.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2081809.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p1976300.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p1976300.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r2097999.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r2097999.exe
C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe
"C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\t9843531.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\t9843531.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legola.exe /TR "C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legola.exe" /P "Admin:N"&&CACLS "legola.exe" /P "Admin:R" /E&&echo Y|CACLS "..\ebb444342c" /P "Admin:N"&&CACLS "..\ebb444342c" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "legola.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "legola.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\ebb444342c" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\ebb444342c" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe
C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe
C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe
C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| BE | 88.221.83.192:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 192.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| BE | 88.221.83.192:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| SE | 5.42.92.67:80 | | tcp |
| FI | 77.91.124.84:19071 | | tcp |
| FI | 77.91.124.84:19071 | | tcp |
| SE | 5.42.92.67:80 | | tcp |
| US | 8.8.8.8:53 | 37.56.20.217.in-addr.arpa | udp |
| FI | 77.91.124.84:19071 | | tcp |
| SE | 5.42.92.67:80 | | tcp |
| FI | 77.91.124.84:19071 | | tcp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| FI | 77.91.124.84:19071 | | tcp |
| FI | 77.91.124.84:19071 | | tcp |
| US | 8.8.8.8:53 | 10.179.89.13.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2081809.exe
| MD5 | fe63433bba54b4c204c980dc15efadfd |
| SHA1 | 252e0f36da8f91f4eed8f1d9f345a74903df382e |
| SHA256 | 554d488199e5dd5504083845fab3092f4d76d87d75bcd0ddfaf4dac1d1d99b9c |
| SHA512 | 69652608390a4a474e4a4d70d7409ce97dabc63666cd863321c6034952d3d0103864024e3acf547965337c0096cf42be824fbec5ec2dadca5b05ea19bccea3d1 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p1976300.exe
| MD5 | b9e8b82a1111e5f99579603e867e066f |
| SHA1 | 51c4a563cd9010306c1c7b9233b7558601c87459 |
| SHA256 | a8399a95082e0c016baa2c89a98efc6b47195c645daa046700d162276ea6ea2e |
| SHA512 | 7886d6c778fb7f967db66aa2b503529607fb4bf74405fe79059674495f2fc39fc6261c3169addc5cb684feb7605201748d3f99fa011e03f1ed8f2aecdf72e3c5 |
memory/4032-15-0x00007FF8CE0E3000-0x00007FF8CE0E5000-memory.dmp
memory/4032-14-0x00000000002C0000-0x00000000002CA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r2097999.exe
| MD5 | fef6f3d41b62cf8c70690e92fc75452b |
| SHA1 | d2d161169a60aff2768f05a0baadeba32666f64f |
| SHA256 | 80c4d03c247e6674edc4876fa70d02f48f19a06e1a4b0da0b8685ca1099a0db3 |
| SHA512 | 655a26a0cde241cf60272df1a22b549fc49966126d29b6796a6b963c50c51806ffe460ee386fb72ca7167f96bb3e05bc32520a9a6aee7ed2659486a54f56e29c |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\t9843531.exe
| MD5 | a12f97fb0436a0eb8f31309519a721af |
| SHA1 | af3a51d724d688c98000750cd60f111c502f6a7d |
| SHA256 | 9a83633fcf9d2262f5a5cc5d804a40a3baed06df86146735541afa8819f50fb5 |
| SHA512 | 40b156db3a2a6c5c7ace9822caf567b0791232179474fecca313d072d974dc703d96f6d39eea50d4a8c16a7af83b0fe209d70ed56c9f8af4faf7c660fbe165e2 |
memory/1096-33-0x0000000000E20000-0x0000000000E50000-memory.dmp
memory/1096-34-0x0000000005780000-0x0000000005786000-memory.dmp
memory/1096-35-0x0000000005F20000-0x0000000006538000-memory.dmp
memory/1096-36-0x0000000005A10000-0x0000000005B1A000-memory.dmp
memory/1096-37-0x0000000005900000-0x0000000005912000-memory.dmp
memory/1096-38-0x0000000005960000-0x000000000599C000-memory.dmp
memory/1096-39-0x00000000059A0000-0x00000000059EC000-memory.dmp
Analysis: behavioral11
Detonation Overview
Submitted
2024-05-09 18:26
Reported
2024-05-09 18:29
Platform
win7-20240221-en
Max time kernel
121s
Max time network
123s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\6ade339142b77016063402bfde9702b7b9bb644452bae38929035daf779beae8.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1632 wrote to memory of 2200 | N/A | C:\Users\Admin\AppData\Local\Temp\6ade339142b77016063402bfde9702b7b9bb644452bae38929035daf779beae8.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 1632 wrote to memory of 2200 | N/A | C:\Users\Admin\AppData\Local\Temp\6ade339142b77016063402bfde9702b7b9bb644452bae38929035daf779beae8.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 1632 wrote to memory of 2200 | N/A | C:\Users\Admin\AppData\Local\Temp\6ade339142b77016063402bfde9702b7b9bb644452bae38929035daf779beae8.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 1632 wrote to memory of 2200 | N/A | C:\Users\Admin\AppData\Local\Temp\6ade339142b77016063402bfde9702b7b9bb644452bae38929035daf779beae8.exe | C:\Windows\SysWOW64\WerFault.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\6ade339142b77016063402bfde9702b7b9bb644452bae38929035daf779beae8.exe
"C:\Users\Admin\AppData\Local\Temp\6ade339142b77016063402bfde9702b7b9bb644452bae38929035daf779beae8.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1632 -s 116
Network
Files
memory/1632-0-0x0000000000DE6000-0x0000000000DE7000-memory.dmp
Analysis: behavioral13
Detonation Overview
Submitted
2024-05-09 18:26
Reported
2024-05-09 18:29
Platform
win10v2004-20240508-en
Max time kernel
142s
Max time network
147s
Command Line
Signatures
Amadey
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k6960566.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k6960566.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k6960566.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k6960566.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k6960566.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k6960566.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l9327819.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2146435.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k6960566.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l9327819.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n3525433.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k6960566.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\6e1ca7d8d7a0c42eccbd5723dfdd5c856c5bb683313ec6d6d042d9ba90afced7.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2146435.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k6960566.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k6960566.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k6960566.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l9327819.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\6e1ca7d8d7a0c42eccbd5723dfdd5c856c5bb683313ec6d6d042d9ba90afced7.exe
"C:\Users\Admin\AppData\Local\Temp\6e1ca7d8d7a0c42eccbd5723dfdd5c856c5bb683313ec6d6d042d9ba90afced7.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2146435.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2146435.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k6960566.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k6960566.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l9327819.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l9327819.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
"C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n3525433.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n3525433.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN pdates.exe /TR "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "pdates.exe" /P "Admin:N"&&CACLS "pdates.exe" /P "Admin:R" /E&&echo Y|CACLS "..\925e7e99c5" /P "Admin:N"&&CACLS "..\925e7e99c5" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "pdates.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "pdates.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\925e7e99c5" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\925e7e99c5" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| BE | 2.17.107.115:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 115.107.17.2.in-addr.arpa | udp |
| FI | 77.91.68.61:80 | | tcp |
| FI | 77.91.124.84:19071 | | tcp |
| FI | 77.91.124.84:19071 | | tcp |
| FI | 77.91.68.61:80 | | tcp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| FI | 77.91.124.84:19071 | | tcp |
| FI | 77.91.68.61:80 | | tcp |
| FI | 77.91.124.84:19071 | | tcp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| FI | 77.91.124.84:19071 | | tcp |
| FI | 77.91.124.84:19071 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2146435.exe
| MD5 | 1d0af0aae583547dbb68ea6a4425732b |
| SHA1 | cb57acc4cbfe908dc265cad8ef73f1a623471693 |
| SHA256 | b4042cb75b2011b5fe5c663f095a681771c1b6a40d57a9847bf753326c4d7339 |
| SHA512 | 4df17549370c24c80f92da8e3f40f8db2dc2e01400fcaa052f30adda963838a3296a0420b64fb9e411115c12624ccc4508b27d4f4f888fb1a21a82dcb4c03219 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k6960566.exe
| MD5 | 7e93bacbbc33e6652e147e7fe07572a0 |
| SHA1 | 421a7167da01c8da4dc4d5234ca3dd84e319e762 |
| SHA256 | 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38 |
| SHA512 | 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91 |
memory/2200-15-0x00000000007A0000-0x00000000007AA000-memory.dmp
memory/2200-14-0x00007FF9D49B3000-0x00007FF9D49B5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l9327819.exe
| MD5 | aea234064483f651010cf9d981f59fea |
| SHA1 | 002ad73a666d2d92d0c6d6b617e61c6fa0c5f3a6 |
| SHA256 | 58b02c8b4bc2bf7f5f1e8e45d7c206956f188ae56b648922ca75987b999db503 |
| SHA512 | eae415ef55aeb1b4548c2422a72e618fce17c2c1322918d33dc6b9202a01c743a5684ba28e5d83b6cdb2b703bc12569e6bb0e87ef2decb4e8a18592e1380a434 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n3525433.exe
| MD5 | 696ab4a3613e89446b4c79b90e0be814 |
| SHA1 | 131f11023fb012475be913027d6ae93933eb7efb |
| SHA256 | 478cb11fa1515dfbda2133806f1b2497277c3983fd55fd28540140bb584738db |
| SHA512 | 6680261e35614c1ea36add50d1167954918f2a9c3bd83683d178de4d88f699c30deba7f199dc3b478659a6533bb62fdd9438ade58b8aeb9e14f9216579df5faf |
memory/3728-33-0x0000000000570000-0x00000000005A0000-memory.dmp
memory/3728-34-0x00000000026D0000-0x00000000026D6000-memory.dmp
memory/3728-35-0x0000000005500000-0x0000000005B18000-memory.dmp
memory/3728-36-0x0000000004FF0000-0x00000000050FA000-memory.dmp
memory/3728-37-0x0000000004F00000-0x0000000004F12000-memory.dmp
memory/3728-38-0x0000000004F60000-0x0000000004F9C000-memory.dmp
memory/3728-39-0x0000000004FA0000-0x0000000004FEC000-memory.dmp
Analysis: behavioral23
Detonation Overview
Submitted
2024-05-09 18:26
Reported
2024-05-09 18:29
Platform
win10v2004-20240508-en
Max time kernel
148s
Max time network
158s
Command Line
Signatures
Amadey
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a4877678.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a4877678.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a4877678.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a4877678.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a4877678.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a4877678.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
SmokeLoader
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b1731896.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7735097.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9651714.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8930195.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a4877678.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b1731896.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c5813830.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d6517710.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a4877678.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\f8896ca2a901da194a2479237a084ee46b329ef65d0a6795eb3717cbbacb106f.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7735097.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9651714.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8930195.exe | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c5813830.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c5813830.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c5813830.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a4877678.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a4877678.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a4877678.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\f8896ca2a901da194a2479237a084ee46b329ef65d0a6795eb3717cbbacb106f.exe
"C:\Users\Admin\AppData\Local\Temp\f8896ca2a901da194a2479237a084ee46b329ef65d0a6795eb3717cbbacb106f.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7735097.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7735097.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9651714.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9651714.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8930195.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8930195.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a4877678.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a4877678.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b1731896.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b1731896.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
"C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe"
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c5813830.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c5813830.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d6517710.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d6517710.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN pdates.exe /TR "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "pdates.exe" /P "Admin:N"&&CACLS "pdates.exe" /P "Admin:R" /E&&echo Y|CACLS "..\925e7e99c5" /P "Admin:N"&&CACLS "..\925e7e99c5" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "pdates.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "pdates.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\925e7e99c5" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\925e7e99c5" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
Network
| Country | Destination | Domain | Proto |
| FI | 77.91.68.61:80 | | tcp |
| FI | 77.91.124.156:19071 | | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| FI | 77.91.124.156:19071 | | tcp |
| FI | 77.91.68.61:80 | | tcp |
| FI | 77.91.124.156:19071 | | tcp |
| FI | 77.91.68.61:80 | | tcp |
| FI | 77.91.124.156:19071 | | tcp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| FI | 77.91.124.156:19071 | | tcp |
| FI | 77.91.124.156:19071 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7735097.exe
| MD5 | 885a4a970297394d79ee77031b7e45c1 |
| SHA1 | e047e4098085f109756ee1b41f909e6542989e28 |
| SHA256 | bedd17c2701e918a222d927816ead89f393e8bc6bfc0863fb027558a11bb8cb1 |
| SHA512 | 7ad72665f85c0097566d9b603058e3e265e3879fa5e9119f3ea97eb0de1d34612dac368b320446249d1ca93511ae949e684d95ffc7b2aa5bcc08f2df833934e1 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9651714.exe
| MD5 | a7325721b06435fae6e07561054f01ea |
| SHA1 | 5644a31750949715f3767e156a9bf7ec50df535a |
| SHA256 | c5f9b1ea6062ec11e824bf3c0e827fcd59d833dd7c60b286be44e5c45eef66c4 |
| SHA512 | 5ad9e3126a67bc3a20810240acf2de0b824d577e02d0a62f5a1884eed86d5fe044860a4b04bb7434c8c4cffcbfc0ff4a23d1812d00c5691c1bd3a453b88b8b45 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8930195.exe
| MD5 | d1a989866561609b572520c73cd7a5dc |
| SHA1 | 3df22ef545e113ea64ff3c06a582260900917c00 |
| SHA256 | b489f4a828b631c33236bc22447939ad1707b9056d3e80bc39b5a3cccdb279ff |
| SHA512 | 299b86b7882e903207313a5e55dbcd6c32fd159d48adfc9c50da3c615a3dad0b4ed4edc590b7f30c71d78c3cfce4161ec2c63fae67b4ea8c280a30b476df3f10 |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a4877678.exe
| MD5 | ed511e2251d1ef0096d72b4e0e3deafc |
| SHA1 | 7417a35df63edb5db127325f0f93be26967ac0a5 |
| SHA256 | 5aef47318dc07307d700db0be63eed2bd4dfe932d5622e1d4f26c6d3dc9f27c4 |
| SHA512 | e01e039a88e75e204aaf920f681878722d13f319ae2e1587977f7ed221e504d3a869a92a21d106a74dbbc210761f92cf40b7a90b3f9322b3b7da624cc12ade5e |
memory/2964-28-0x0000000000F20000-0x0000000000F2A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b1731896.exe
| MD5 | 689f14dd2761b3f04c2d01e949c0113e |
| SHA1 | c1653080c4f91d89a58882dd30d24b5c78b21b34 |
| SHA256 | 16e3600f4661f518baf93ad8d103da10e476a61bddecb87f9868ebb9c0eefeca |
| SHA512 | f7cbe0778ad1593087ceace232d884cdfd6763d75f703beb71982987d935d2d377c3f6d68a3e28bb646a89ab0426938d6a7ba1b87810a65aeafa40bb83b05464 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c5813830.exe
| MD5 | 848348d11620b655b7024949855ad44a |
| SHA1 | 211011ae5dad37b0e821b577a58d43b7b1415dca |
| SHA256 | 651641f743cfcbd7a7d982dcdd48a0cf32fd3e06dbecd0a9d018bccb8a957037 |
| SHA512 | 5238118ad56971e6d5dfb386c7c688ce455598b9e93859476b1a72402a423c87f17d2f2ea69cadfc729ff4b9618eea09aeb15b368246d2d0ffcf4b1069c6fbc2 |
memory/4420-45-0x0000000000400000-0x0000000000409000-memory.dmp
memory/4420-47-0x0000000000400000-0x0000000000409000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d6517710.exe
| MD5 | 0de15b48d1e0771f4a2bc2e9b341de47 |
| SHA1 | 406d742eba476626f457e8642c8485dcc5d4358a |
| SHA256 | 2cae57f25897a7a18785f36ddcc7c9a16945d90513379b48b92f1318d3cb28fd |
| SHA512 | b2a0e58e6bf7639d2e5bc05fdf842edafc1400465a308845b4384b1c7b73a7cb3f3548a439503cc9118c7606be46bb08d4a52849f93a0e5a8c1fd106c83db9a1 |
memory/4496-51-0x0000000000790000-0x00000000007C0000-memory.dmp
memory/4496-52-0x0000000002A80000-0x0000000002A86000-memory.dmp
memory/4496-53-0x00000000057B0000-0x0000000005DC8000-memory.dmp
memory/4496-54-0x00000000052A0000-0x00000000053AA000-memory.dmp
memory/4496-55-0x0000000005010000-0x0000000005022000-memory.dmp
memory/4496-56-0x0000000005190000-0x00000000051CC000-memory.dmp
memory/4496-57-0x00000000051D0000-0x000000000521C000-memory.dmp