Analysis Overview
SHA256
df50e88cdc283283db23658c52adb6d37e55d4a38da81d63be2c23c190e6d979
Threat Level: Known bad
The file r1.zip was found to be: Known bad.
Malicious Activity Summary
Modifies Windows Defender Real-time Protection settings
Lumma Stealer
Detects Healer an antivirus disabler dropper
SmokeLoader
Healer
RedLine payload
RedLine
Amadey
Windows security modification
Reads user/profile data of web browsers
Executes dropped EXE
Checks computer location settings
Legitimate hosting services abused for malware hosting/C2
Adds Run key to start application
Checks installed software on the system
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of SetThreadContext
Launches sc.exe
Executes dropped EXE
Enumerates physical storage devices
Unsigned PE
Program crash
Suspicious use of FindShellTrayWindow
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SendNotifyMessage
Checks SCSI registry key(s)
Creates scheduled task(s)
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Enumerates system info in registry
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-09 17:57
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
(16 further identical N/A rows omitted; the static report records no per-match details)
Analysis: behavioral19
Detonation Overview
Submitted
2024-05-09 17:57
Reported
2024-05-09 17:59
Platform
win10v2004-20240426-en
Max time kernel
141s
Max time network
151s
Command Line
Signatures
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0819028.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0819028.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0819028.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0819028.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0819028.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0819028.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8602197.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0819028.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l0028896.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0819028.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0819028.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\dfa156ac28a140cde5b62ac7d594d1000da526091fd584c8e8caa96c692a5bff.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8602197.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0819028.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0819028.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0819028.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\dfa156ac28a140cde5b62ac7d594d1000da526091fd584c8e8caa96c692a5bff.exe
"C:\Users\Admin\AppData\Local\Temp\dfa156ac28a140cde5b62ac7d594d1000da526091fd584c8e8caa96c692a5bff.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8602197.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8602197.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0819028.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0819028.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l0028896.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l0028896.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| BE | 88.221.83.226:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.211.222.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| BE | 88.221.83.226:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 226.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| FI | 77.91.68.48:19071 | | tcp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.121.18.2.in-addr.arpa | udp |
| FI | 77.91.68.48:19071 | | tcp |
| FI | 77.91.68.48:19071 | | tcp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| FI | 77.91.68.48:19071 | | tcp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| FI | 77.91.68.48:19071 | | tcp |
| FI | 77.91.68.48:19071 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8602197.exe
| MD5 | 38dcff455714bdb17ef60c8709fee41a |
| SHA1 | 16eeb79664bf375650e2c86424283481bbd252f1 |
| SHA256 | 008c5bf896cf5af82ff2acf60395ccac2aafbec1cc9d27b23ea76b99e4fdc63b |
| SHA512 | 039d6ea2ef9666a4249580fc9e7dc632becde7f2459d4b3e8d5e7cc8d50610daeca1c88c9399c918c1cf595fda398989b01e43c75f24a1189afe9f2b9c0a073d |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0819028.exe
| MD5 | 0b070eaa974b1d0f40b1ff2a74ee5627 |
| SHA1 | 6b6d5b58512593ed0e01787c9008e233df1ae0cf |
| SHA256 | ac60c61dd7faf3ea6adb47dfacc85552deac06248581476c7f3da4e8e611e1d1 |
| SHA512 | e4e1fde5b2d7b5d4ffb9d49ae500c5cd57f20dd104c6ef9d093436f948365e9f134034f0d21272e352b0e5c0679f2db4d92d50a929ea9e046bbdccd84e2846a2 |
memory/536-14-0x00000000004F0000-0x00000000004FA000-memory.dmp
memory/536-18-0x0000000000401000-0x0000000000402000-memory.dmp
memory/536-19-0x0000000000400000-0x0000000000412000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l0028896.exe
| MD5 | ca19281e3856a360a4a919d0e18b53c0 |
| SHA1 | df6ff057de730f59b6edd9d6e79b53487892bb6d |
| SHA256 | 783219954200e5f28c46058a4c247e5d56102d60fe888cf1248d93650a8b64e5 |
| SHA512 | 6a79e3f5dcb8e2c51ee8bd86ac002d9a59ec06b1f9e212e63f8e91e55db42d686ff3952f0ada7a4fa83c261ad1db295168398393b0dd356ab1d5d9108efb8a55 |
memory/3704-25-0x0000000000510000-0x0000000000540000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\System.dll.log
| MD5 | 916851e072fbabc4796d8916c5131092 |
| SHA1 | d48a602229a690c512d5fdaf4c8d77547a88e7a2 |
| SHA256 | 7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d |
| SHA512 | 07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521 |
memory/3704-30-0x0000000001FD0000-0x0000000001FD6000-memory.dmp
memory/3704-31-0x0000000004B30000-0x0000000005148000-memory.dmp
memory/3704-33-0x0000000004AE0000-0x0000000004AF2000-memory.dmp
memory/3704-34-0x0000000005260000-0x000000000529C000-memory.dmp
memory/3704-32-0x0000000005150000-0x000000000525A000-memory.dmp
memory/3704-35-0x00000000052E0000-0x000000000532C000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-09 17:57
Reported
2024-05-09 18:00
Platform
win10v2004-20240508-en
Max time kernel
91s
Max time network
96s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 5068 set thread context of 1328 | N/A | C:\Users\Admin\AppData\Local\Temp\19408d20edf49736ff3e86b9c52dcd2bf4b3da61eff72888392b2de04e27351b.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\19408d20edf49736ff3e86b9c52dcd2bf4b3da61eff72888392b2de04e27351b.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\19408d20edf49736ff3e86b9c52dcd2bf4b3da61eff72888392b2de04e27351b.exe
"C:\Users\Admin\AppData\Local\Temp\19408d20edf49736ff3e86b9c52dcd2bf4b3da61eff72888392b2de04e27351b.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 5068 -ip 5068
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5068 -s 316
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 235.4.20.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | omnomnom.top | udp |
| DE | 195.201.252.28:443 | omnomnom.top | tcp |
| BE | 88.221.83.187:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 28.252.201.195.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 187.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 42.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
Files
memory/5068-1-0x0000000000518000-0x0000000000519000-memory.dmp
memory/1328-0-0x0000000000400000-0x0000000000422000-memory.dmp
memory/1328-2-0x00000000744EE000-0x00000000744EF000-memory.dmp
memory/1328-3-0x0000000004EA0000-0x0000000004F06000-memory.dmp
memory/1328-4-0x00000000059B0000-0x0000000005FC8000-memory.dmp
memory/1328-5-0x0000000005430000-0x0000000005442000-memory.dmp
memory/1328-6-0x0000000005560000-0x000000000566A000-memory.dmp
memory/1328-7-0x00000000744E0000-0x0000000074C90000-memory.dmp
memory/1328-8-0x0000000006220000-0x000000000625C000-memory.dmp
memory/1328-9-0x0000000006260000-0x00000000062AC000-memory.dmp
memory/1328-10-0x00000000065A0000-0x0000000006762000-memory.dmp
memory/1328-11-0x0000000006CA0000-0x00000000071CC000-memory.dmp
memory/1328-12-0x0000000007780000-0x0000000007D24000-memory.dmp
memory/1328-13-0x0000000006770000-0x0000000006802000-memory.dmp
memory/1328-14-0x00000000069D0000-0x0000000006A46000-memory.dmp
memory/1328-15-0x0000000006970000-0x000000000698E000-memory.dmp
memory/1328-16-0x0000000006B00000-0x0000000006B50000-memory.dmp
memory/1328-18-0x00000000744E0000-0x0000000074C90000-memory.dmp
Analysis: behavioral7
Detonation Overview
Submitted
2024-05-09 17:57
Reported
2024-05-09 18:00
Platform
win10v2004-20240426-en
Max time kernel
139s
Max time network
150s
Command Line
Signatures
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b0494259.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b0494259.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a2081936.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a2081936.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a2081936.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a2081936.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b0494259.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b0494259.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a2081936.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a2081936.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b0494259.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b0494259.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6836019.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6690351.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8762757.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a2081936.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b0494259.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c2096168.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a2081936.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a2081936.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b0494259.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8762757.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\2a4e0bfefe7b6b2a94d46c408fe05d1682392c66666138b8b0c32e028bf15aad.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6836019.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6690351.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a2081936.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a2081936.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b0494259.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b0494259.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a2081936.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b0494259.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2a4e0bfefe7b6b2a94d46c408fe05d1682392c66666138b8b0c32e028bf15aad.exe
"C:\Users\Admin\AppData\Local\Temp\2a4e0bfefe7b6b2a94d46c408fe05d1682392c66666138b8b0c32e028bf15aad.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6836019.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6836019.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6690351.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6690351.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8762757.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8762757.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a2081936.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a2081936.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b0494259.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b0494259.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c2096168.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c2096168.exe
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start wuauserv
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| BE | 88.221.83.187:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 187.83.221.88.in-addr.arpa | udp |
| BE | 88.221.83.187:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| FI | 77.91.68.48:19071 | | tcp |
| FI | 77.91.68.48:19071 | | tcp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| FI | 77.91.68.48:19071 | | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| FI | 77.91.68.48:19071 | | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| FI | 77.91.68.48:19071 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6836019.exe
| MD5 | 25658f17325696a77fdc5dc5af300472 |
| SHA1 | 0facd580ea7466701baf25ab3cd36945aea28b7d |
| SHA256 | 3c9d37c487d37aefab6c520534b2a76ee97ccb9d8dddc16b2220e3455f14344a |
| SHA512 | 1155d0d8b34cead480920efdc9220af31e82de4b7e843862163815d061da11e9457d34f16b2f55213728ef43f921ec0f363443fd4a8fe3488fea7612ae297c98 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6690351.exe
| MD5 | a2e96ecf6ba60ff964a2b0b60dde7e27 |
| SHA1 | 501080ad7058cac17e373c9acbda786c3ff9bdac |
| SHA256 | 0e712b394b21d5676bde7625b698470e0f7011ae4897abdec1a4f89dfa8cf096 |
| SHA512 | 93c3963b8488abb826601dc90e98733b1e29549494039df1cd1fb2c351f2374a24ea2e2d8c66eefa51d6ee6a1b0221432a42cfa00eac510da0aef33ed4544bf1 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8762757.exe
| MD5 | d5b0ccf141e399d25360a28d534df7f0 |
| SHA1 | ef15c7a65069cb727ffdb2232c6210d030b4fbfe |
| SHA256 | 0170edb4d68699bbc4babbafeada5ed5138206b0d06d736a1340a077256b3d30 |
| SHA512 | 0ebdf9f7ff7adaa314abec6e2359d2e241c483be42b81aadc097dac13c70a5906ee6e4345579dece05a84373f47462f5f53aee6554e3a4abaf142a5a09c00e51 |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a2081936.exe
| MD5 | bdb5076d6b84394534265c87b725acd6 |
| SHA1 | be2336c83ca619167ef129bd699027e21fa187b1 |
| SHA256 | 347e9d55c98bc84cef2d62c5e3ce982c9176bee6df41bdbc7d6f31f25744e198 |
| SHA512 | 10404edb5540983006f3f50754d4babc0d6c35ce6315aff8ef6d3d7aa9e5bd5d9b52f3cb05374be7e317ca2a4ea74af6eec99c72335a5112a5f50c1c77ae1173 |
memory/5112-29-0x0000000000560000-0x000000000059E000-memory.dmp
memory/5112-34-0x0000000000560000-0x000000000059E000-memory.dmp
memory/5112-35-0x00000000045E0000-0x00000000045E1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b0494259.exe
| MD5 | 7e93bacbbc33e6652e147e7fe07572a0 |
| SHA1 | 421a7167da01c8da4dc4d5234ca3dd84e319e762 |
| SHA256 | 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38 |
| SHA512 | 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91 |
memory/2064-41-0x0000000000C10000-0x0000000000C1A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c2096168.exe
| MD5 | d672c9ba43fa4ec7905376f48d1f5cbc |
| SHA1 | e0c94e851acb35383c031780e03ea0861acf6dc8 |
| SHA256 | 963945d65b9fa323b0825b650842d944de7c0d5ecbe7af4fe91097f1f6e42702 |
| SHA512 | 551cd7811814302685a698d8a6d73e8ac2dbea66bac651bb2fc6457300d536529619bcb4973b072cedd88c08e96fae0f50abf39ca35e9bc09e38f48566c6bd53 |
memory/1976-47-0x00000000005D0000-0x000000000065C000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\System.dll.log
| MD5 | 916851e072fbabc4796d8916c5131092 |
| SHA1 | d48a602229a690c512d5fdaf4c8d77547a88e7a2 |
| SHA256 | 7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d |
| SHA512 | 07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521 |
memory/1976-53-0x00000000005D0000-0x000000000065C000-memory.dmp
memory/1976-55-0x0000000004450000-0x0000000004456000-memory.dmp
memory/1976-56-0x00000000049E0000-0x0000000004FF8000-memory.dmp
memory/1976-57-0x0000000005070000-0x000000000517A000-memory.dmp
memory/1976-58-0x00000000051A0000-0x00000000051B2000-memory.dmp
memory/1976-59-0x00000000051C0000-0x00000000051FC000-memory.dmp
memory/1976-60-0x0000000005230000-0x000000000527C000-memory.dmp
Analysis: behavioral11
Detonation Overview
Submitted
2024-05-09 17:57
Reported
2024-05-09 17:59
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Amadey
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h4793949.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h4793949.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h4793949.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h4793949.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h4793949.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h4793949.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g0925805.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8271297.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g0925805.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h4793949.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j9474715.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h4793949.exe | N/A |
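The Healer component in the behavioral19, behavioral7 and behavioral11 runs does the same thing each time: it creates the Real-Time Protection policy key, sets the five Disable* values to 1, and clears TamperProtection under Windows Defender\Features. The runs differ only in where the writes land (the native path in behavioral11, the WOW6432Node path in behavioral19, both in behavioral7), so a detection keyed on one spelling misses the other. The RunOnce wextract_cleanup entries listed under "Adds Run key to start application" are a different matter: they are the self-cleanup values IExpress's wextract writes (rundll32 advpack.dll,DelNodeRunDLL32 on the IXP00n.TMP folder) and delete the extraction directory rather than start the payload. The report records the registry writes, not whether Defender honoured them. The following is an added example, not part of the report: it takes registry-write rows in the shape the signature tables use, normalises both key spellings onto one HKLM view, and returns one finding per tampering write. SAMPLE_EVENTS is constructed from rows on this page; the helper names, the normalisation and the ATT&CK mapping (T1562.001, Impair Defenses: Disable or Modify Tools) are the example's own.

```python
"""Flag Windows Defender tampering in the registry-write rows a sandbox
report lists, across the native and WOW6432Node spellings of the keys.

Added example, not part of the sandbox report. SAMPLE_EVENTS is constructed
from rows in the behavioral19 and behavioral11 signature tables; the helper
names and the normalisation rules are this example's own.
"""
import re

# Real-Time Protection policy values that, when set to 1, switch a component
# off. All five appear in the report.
RTP_DISABLE_VALUES = {
    "DisableRealtimeMonitoring",
    "DisableBehaviorMonitoring",
    "DisableOnAccessProtection",
    "DisableIOAVProtection",
    "DisableScanOnRealtimeEnable",
}
RTP_POLICY_KEY = r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
FEATURES_KEY = r"HKLM\SOFTWARE\Microsoft\Windows Defender\Features"

# Process paths copied from the report (k0819028.exe / h4793949.exe are the
# Healer stages; the long-hash .exe is the outer dropper).
HEALER_B19 = r"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0819028.exe"
HEALER_B11 = r"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h4793949.exe"
DROPPER_B19 = r"C:\Users\Admin\AppData\Local\Temp\dfa156ac28a140cde5b62ac7d594d1000da526091fd584c8e8caa96c692a5bff.exe"
WOW_RTP = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection"
NATIVE_RTP = r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"

# Constructed sample: (description, indicator, process) exactly as the
# report's signature tables list them.
SAMPLE_EVENTS = [
    ("Key created", WOW_RTP, HEALER_B19),
    ("Set value (int)", WOW_RTP + r'\DisableOnAccessProtection = "1"', HEALER_B19),
    ("Set value (int)", WOW_RTP + r'\DisableRealtimeMonitoring = "1"', HEALER_B19),
    ("Set value (int)", WOW_RTP + r'\DisableScanOnRealtimeEnable = "1"', HEALER_B19),
    ("Set value (int)", WOW_RTP + r'\DisableBehaviorMonitoring = "1"', HEALER_B19),
    ("Set value (int)", WOW_RTP + r'\DisableIOAVProtection = "1"', HEALER_B19),
    ("Set value (int)", r'\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"', HEALER_B19),
    # behavioral11: same values written through the native policy path
    ("Set value (int)", NATIVE_RTP + r'\DisableRealtimeMonitoring = "1"', HEALER_B11),
    ("Set value (int)", r'\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"', HEALER_B11),
    # wextract's RunOnce self-cleanup entry from the same run: not a Defender change
    ("Set value (str)", r'\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""', DROPPER_B19),
]


def normalize_key(path):
    """Map the sandbox's native-object spelling onto the HKLM view and drop
    the WOW6432Node component, so 32-bit and 64-bit writes compare equal."""
    path = re.sub(r"^\\REGISTRY\\MACHINE\\", r"HKLM\\", path, flags=re.I)
    return re.sub(r"\\WOW6432Node(?=\\)", "", path, flags=re.I)


def split_indicator(indicator):
    """Split 'KEY\\Name = "value"' into (key, name, value); key-only rows
    return (key, None, None)."""
    if ' = "' not in indicator:
        return normalize_key(indicator), None, None
    lhs, _, rhs = indicator.partition(' = "')
    value = rhs[:-1] if rhs.endswith('"') else rhs
    key, _, name = lhs.rpartition("\\")
    return normalize_key(key), name, value


def defender_tamper_findings(events):
    """One finding per write that disables an RTP component by policy or
    clears the TamperProtection feature flag; other writes are ignored."""
    findings = []
    for description, indicator, process in events:
        if not description.startswith("Set value"):
            continue
        key, name, value = split_indicator(indicator)
        if key.lower() == RTP_POLICY_KEY.lower() and name in RTP_DISABLE_VALUES and value == "1":
            reason = "real-time protection component disabled by policy"
        elif key.lower() == FEATURES_KEY.lower() and name == "TamperProtection" and value == "0":
            reason = "Tamper Protection feature flag cleared"
        else:
            continue
        findings.append({"process": process, "value": name,
                         "technique": "T1562.001", "reason": reason})
    return findings


def summarize(findings):
    """{process: sorted names of the values it tampered with}."""
    out = {}
    for f in findings:
        out.setdefault(f["process"], set()).add(f["value"])
    return {p: sorted(v) for p, v in out.items()}
```

Run as a pipeline stage over exported signature rows, the summary gives one line per process, which is what an analyst wants when several stages of the same dropper chain touch Defender. Matching on the normalised key rather than the raw string is the point: the behavioral7 run alone shows both spellings, from two different binaries.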
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\6568836094de3a32f9c325ced189bb981eb0cf8f4492e1b8b901ef52879c063d.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8271297.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h4793949.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h4793949.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h4793949.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\6568836094de3a32f9c325ced189bb981eb0cf8f4492e1b8b901ef52879c063d.exe
"C:\Users\Admin\AppData\Local\Temp\6568836094de3a32f9c325ced189bb981eb0cf8f4492e1b8b901ef52879c063d.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8271297.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8271297.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g0925805.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g0925805.exe
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
"C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe"
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h4793949.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h4793949.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN danke.exe /TR "C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "danke.exe" /P "Admin:N"&&CACLS "danke.exe" /P "Admin:R" /E&&echo Y|CACLS "..\3ec1f323b5" /P "Admin:N"&&CACLS "..\3ec1f323b5" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "danke.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "danke.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\3ec1f323b5" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\3ec1f323b5" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j9474715.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j9474715.exe
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
Network
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8271297.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g0925805.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h4793949.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j9474715.exe
Analysis: behavioral6
Detonation Overview
Submitted
2024-05-09 17:57
Reported
2024-05-09 17:59
Platform
win10v2004-20240426-en
Max time kernel
149s
Max time network
152s
Command Line
Signatures
Detects Healer an antivirus disabler dropper
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p5512939.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p5512939.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p5512939.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p5512939.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p5512939.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p5512939.exe | N/A |
RedLine
RedLine payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6099417.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p5512939.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r4877536.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p5512939.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\24b96bca469764debd638550bc2704add4701110cc7a691fae627e361d8188df.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6099417.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p5512939.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p5512939.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p5512939.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\24b96bca469764debd638550bc2704add4701110cc7a691fae627e361d8188df.exe
"C:\Users\Admin\AppData\Local\Temp\24b96bca469764debd638550bc2704add4701110cc7a691fae627e361d8188df.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6099417.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6099417.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p5512939.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p5512939.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r4877536.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r4877536.exe
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start wuauserv
Network
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6099417.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p5512939.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r4877536.exe
Analysis: behavioral14
Detonation Overview
Submitted
2024-05-09 17:57
Reported
2024-05-09 17:59
Platform
win10v2004-20240426-en
Max time kernel
140s
Max time network
149s
Command Line
Signatures
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\9d44150fdc90939c6efc8d7882f0d89238b77267f40bd7b9e9fdff66d41f587d.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AutoGetFTA.exe | N/A |
Enumerates physical storage devices
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9d44150fdc90939c6efc8d7882f0d89238b77267f40bd7b9e9fdff66d41f587d.exe
"C:\Users\Admin\AppData\Local\Temp\9d44150fdc90939c6efc8d7882f0d89238b77267f40bd7b9e9fdff66d41f587d.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AutoGetFTA.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AutoGetFTA.exe -snpk:"4983000338,TXBQ9-J7PF2" -install:1 -requestID:"951147" -silent
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://activate.rockwellautomation.com/
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x104,0x170,0x7ffd5d1746f8,0x7ffd5d174708,0x7ffd5d174718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,7598686395298132979,18143573803869290444,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,7598686395298132979,18143573803869290444,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2320 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2088,7598686395298132979,18143573803869290444,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2772 /prefetch:8
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,7598686395298132979,18143573803869290444,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,7598686395298132979,18143573803869290444,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,7598686395298132979,18143573803869290444,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5312 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,7598686395298132979,18143573803869290444,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5312 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,7598686395298132979,18143573803869290444,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5416 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,7598686395298132979,18143573803869290444,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5520 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,7598686395298132979,18143573803869290444,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4068 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,7598686395298132979,18143573803869290444,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3512 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,7598686395298132979,18143573803869290444,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3132 /prefetch:2
Network
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AutoGetFTA.exe
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
\??\pipe\LOCAL\crashpad_3320_HOOJHXLDIEPIVGWM
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.rockwellautomation.com_0.indexeddb.leveldb\CURRENT
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57e7b0.TMP
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Analysis: behavioral18
Detonation Overview
Submitted
2024-05-09 17:57
Reported
2024-05-09 18:00
Platform
win10v2004-20240426-en
Max time kernel
143s
Max time network
151s
Command Line
Signatures
Amadey
Detects Healer an antivirus disabler dropper
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p7461725.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p7461725.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p7461725.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p7461725.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p7461725.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p7461725.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r4230051.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0002160.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p7461725.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r4230051.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\t8092700.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p7461725.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\cfcca94dd6bef9e4222fd6347d090711d60251b7718a2a4955753cd95d8e9a6e.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0002160.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p7461725.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p7461725.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p7461725.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r4230051.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\cfcca94dd6bef9e4222fd6347d090711d60251b7718a2a4955753cd95d8e9a6e.exe
"C:\Users\Admin\AppData\Local\Temp\cfcca94dd6bef9e4222fd6347d090711d60251b7718a2a4955753cd95d8e9a6e.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0002160.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0002160.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p7461725.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p7461725.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r4230051.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r4230051.exe
C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe
"C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\t8092700.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\t8092700.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legola.exe /TR "C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legola.exe" /P "Admin:N"&&CACLS "legola.exe" /P "Admin:R" /E&&echo Y|CACLS "..\ebb444342c" /P "Admin:N"&&CACLS "..\ebb444342c" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "legola.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "legola.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\ebb444342c" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\ebb444342c" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe
C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe
C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe
C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| BE | 88.221.83.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| BE | 88.221.83.194:443 | www.bing.com | tcp |
| SE | 5.42.92.67:80 | | tcp |
| FI | 77.91.124.84:19071 | | tcp |
| FI | 77.91.124.84:19071 | | tcp |
| SE | 5.42.92.67:80 | | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| FI | 77.91.124.84:19071 | | tcp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| SE | 5.42.92.67:80 | | tcp |
| FI | 77.91.124.84:19071 | | tcp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| FI | 77.91.124.84:19071 | | tcp |
| FI | 77.91.124.84:19071 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0002160.exe
| MD5 | 9773524af852d66ae1bda1f57e51ac38 |
| SHA1 | 652cdb9d2381ebfadd7e1bff0f4927fd8698f7de |
| SHA256 | 7715b1f6048505c72cf6442f540f05fd3b3b4156a9de7a453d195b548e57d04d |
| SHA512 | dac54854d13faef59968d138d0333c8d6d05c62f6f67b28d297019ed633649a471b9144dcf6b8ccf3ebd74442c82d3378114e45de376cde6e56ba296b33811ae |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p7461725.exe
| MD5 | 9713cf3d15464788e30ddcf58a99b7fc |
| SHA1 | a8607e692a7924bb8bafe0e4470410123fb0fde4 |
| SHA256 | 5c9341bb1a86ce1c6c4b3fd107ead9a10bb386d9576ea39361bef30c62d01e4c |
| SHA512 | b9069be2cd495bcd6a47867f18f05666bb6e34af102089921885a32a4f627b04918949673f88625e4c312bffdd9533fbb92f4e5145ff20b5cd347a3b574d1b58 |
memory/3196-15-0x00007FFD6E773000-0x00007FFD6E775000-memory.dmp
memory/3196-14-0x00000000007F0000-0x00000000007FA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r4230051.exe
| MD5 | ce53192381dc6520d37bf9460e728892 |
| SHA1 | ad5cf0012e70eb1b16a6e8d5d1781b28c70dfe63 |
| SHA256 | 28d224e0b67307cd5b5d8e99ca75f949252adff8ca8000c0d72e9e525e1ceff2 |
| SHA512 | a6840a9bd65cf83cbe95fcd8e2e623c009a198f2d8bb043ec2af84c965ee94783a7cad9097bea217236dbc9541e5b836b70c46a128a0cd3d51328127aa3be40d |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\t8092700.exe
| MD5 | 9ea5066fba88295b8970cfc7e781262d |
| SHA1 | ce9e09c83eea46ea9c00a21035921f2d2b4c92c4 |
| SHA256 | 594ac1ff85516aec772a488593d20f245b1f1fc80121fe55e49e8986398c9d5d |
| SHA512 | e36deb07737a9e76f30e6adc7bba13204f2e32e67505fdd5ef588da6090cdf76166d07b86ea0aab09b3d71c701f437cade780f2f073aea586227b423294ce8cd |
memory/4972-33-0x00000000002E0000-0x0000000000310000-memory.dmp
memory/4972-34-0x0000000000B10000-0x0000000000B16000-memory.dmp
memory/4972-35-0x0000000005330000-0x0000000005948000-memory.dmp
memory/4972-36-0x0000000004E20000-0x0000000004F2A000-memory.dmp
memory/4972-37-0x0000000002710000-0x0000000002722000-memory.dmp
memory/4972-38-0x0000000004D10000-0x0000000004D4C000-memory.dmp
memory/4972-39-0x0000000004D50000-0x0000000004D9C000-memory.dmp
Analysis: behavioral20
Detonation Overview
Submitted
2024-05-09 17:57
Reported
2024-05-09 17:59
Platform
win10v2004-20240508-en
Max time kernel
148s
Max time network
151s
Command Line
Signatures
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2394512.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2394512.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2394512.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2394512.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2394512.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2394512.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2995566.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2394512.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l3998756.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2394512.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2394512.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\f1ae7fab47b54b57b64fe4b0569d28421b914cc77c243cf2d59a0645d15e8ecc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2995566.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2394512.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2394512.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2394512.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\f1ae7fab47b54b57b64fe4b0569d28421b914cc77c243cf2d59a0645d15e8ecc.exe
"C:\Users\Admin\AppData\Local\Temp\f1ae7fab47b54b57b64fe4b0569d28421b914cc77c243cf2d59a0645d15e8ecc.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2995566.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2995566.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2394512.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2394512.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l3998756.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l3998756.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| BE | 88.221.83.217:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.83.221.88.in-addr.arpa | udp |
| FI | 77.91.68.48:19071 | | tcp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.121.18.2.in-addr.arpa | udp |
| FI | 77.91.68.48:19071 | | tcp |
| FI | 77.91.68.48:19071 | | tcp |
| FI | 77.91.68.48:19071 | | tcp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| FI | 77.91.68.48:19071 | | tcp |
| FI | 77.91.68.48:19071 | | tcp |
| US | 8.8.8.8:53 | 9.179.89.13.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2995566.exe
| MD5 | 763ffc96f093a48d1fc0c96bb430a06a |
| SHA1 | 1ebc17b9213dc3475dc64fa67256b91ddbf4f9a1 |
| SHA256 | 486fc046814c537646a21c9897140f030f3cf6dd0a016d19b9fa3feb231037ad |
| SHA512 | e57b363ab339ec8b0bcf1943fb3a37b6715bbb65300b003d10ac6075f82a04bc2ad203bfbc773e30ced323d0abfe28ace879f22b96b63d2a7a8da86857a75313 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2394512.exe
| MD5 | 4245f21518f322eb9812ce7b73d93972 |
| SHA1 | 3a3207e35f59b60d9eee6a1b33d23c7d9e9e064b |
| SHA256 | bbad228a6fd76de67c9658d40ebba65d3bdef52dd6441f9a1390d4da5d7941a1 |
| SHA512 | 1589c105a8595f0906c6ce0ac4ba4aaae8d6c4e9bdc80188d096cf750a577def4e5a478b978d602f7380eacad3f4c6436c322869b5bb1ba440db5ebe8e05585b |
memory/4264-14-0x0000000000401000-0x0000000000402000-memory.dmp
memory/4264-15-0x00000000004F0000-0x00000000004FA000-memory.dmp
memory/4264-19-0x0000000000400000-0x0000000000412000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l3998756.exe
| MD5 | ea42acb4e53040846589dddae1fe1b28 |
| SHA1 | 1e509386d256fc81e62f91e8a19c3e368ce9c973 |
| SHA256 | e4eea9a1c2e853b5974d2efc024264f1348b9788b96011c1f9917071dabef890 |
| SHA512 | 57c88dca757deffd2893d1a2c8d3a128fdfe1f8f148754f94bb0e11a14642721efa724ca16407bc640f9198742ede27514e2541e4c89407a6c8e3f5a136ee22d |
memory/2528-25-0x0000000000510000-0x0000000000540000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\System.dll.log
| MD5 | 916851e072fbabc4796d8916c5131092 |
| SHA1 | d48a602229a690c512d5fdaf4c8d77547a88e7a2 |
| SHA256 | 7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d |
| SHA512 | 07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521 |
memory/2528-30-0x00000000022F0000-0x00000000022F6000-memory.dmp
memory/2528-31-0x0000000004B20000-0x0000000005138000-memory.dmp
memory/2528-32-0x0000000005140000-0x000000000524A000-memory.dmp
memory/2528-33-0x0000000004AE0000-0x0000000004AF2000-memory.dmp
memory/2528-34-0x0000000005250000-0x000000000528C000-memory.dmp
memory/2528-35-0x00000000052E0000-0x000000000532C000-memory.dmp
Analysis: behavioral9
Detonation Overview
Submitted
2024-05-09 17:57
Reported
2024-05-09 17:59
Platform
win10v2004-20240508-en
Max time kernel
146s
Max time network
151s
Command Line
Signatures
Amadey
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a9088149.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a9088149.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a9088149.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a9088149.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a9088149.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a9088149.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
SmokeLoader
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b0441540.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8571074.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7534543.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a9088149.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b0441540.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c4395091.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d6019551.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a9088149.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\45405e326148ce7f80326893b92fe8efe62819ee5465fdc13767a76472e21566.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8571074.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7534543.exe | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c4395091.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c4395091.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c4395091.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a9088149.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a9088149.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a9088149.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\45405e326148ce7f80326893b92fe8efe62819ee5465fdc13767a76472e21566.exe
"C:\Users\Admin\AppData\Local\Temp\45405e326148ce7f80326893b92fe8efe62819ee5465fdc13767a76472e21566.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8571074.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8571074.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7534543.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7534543.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a9088149.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a9088149.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b0441540.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b0441540.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
"C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe"
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c4395091.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c4395091.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN pdates.exe /TR "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "pdates.exe" /P "Admin:N"&&CACLS "pdates.exe" /P "Admin:R" /E&&echo Y|CACLS "..\925e7e99c5" /P "Admin:N"&&CACLS "..\925e7e99c5" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "pdates.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "pdates.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\925e7e99c5" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\925e7e99c5" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d6019551.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d6019551.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
Network
| Country | Destination | Domain | Proto |
| FI | 77.91.68.61:80 | | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| FI | 77.91.124.84:19071 | | tcp |
| FI | 77.91.68.61:80 | | tcp |
| FI | 77.91.124.84:19071 | | tcp |
| FI | 77.91.68.61:80 | | tcp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| FI | 77.91.124.84:19071 | | tcp |
| FI | 77.91.124.84:19071 | | tcp |
| FI | 77.91.124.84:19071 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8571074.exe
| MD5 | 17d1a5ab9b16045d2dee23b240c08d7f |
| SHA1 | 502e9887c3f215a103fb32326ac868d341136e3e |
| SHA256 | 27fb7e92926ed2a5e601d4557b0a0bb6bfc3846f6dc07549c649a895db23be3d |
| SHA512 | c081f2954f9c6fcc9734cdea3fa67671e184afb569a33bd3def6ae96e44c1d95fd7d3c849cc946d3077683fdc8cecb47712fb3dce3971296c058c5a1221e0649 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7534543.exe
| MD5 | b786098c10ef1eb2666be81b39e90d70 |
| SHA1 | 56aaafa89e86b6453b7e200bcf267054fdbb9e89 |
| SHA256 | 6fdb9ee41ccdf016c13381cd5e63143c68c4a9d37eb1df34bbcf29ba497c5f34 |
| SHA512 | d80f60aad2a7a704f7462a5a7055d398a50a18a4b2277b70ccd7f9694c08e3df58e23c7f4ca059af2e499ee9f34ff380b459b35471ad3d82a2a70396261dbcaf |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a9088149.exe
| MD5 | f8e8d84ee1180cf04cb01bbf1e053624 |
| SHA1 | eea22fb1665b5207cc6f08ad3073583020d50d5e |
| SHA256 | 859e6ad11c4a75949c0392c1913581e5b29cbad41785dbfbd22965c4528a2fc5 |
| SHA512 | 1461454dbf645266d7854228d2344c2561d4699e68eb212f326fe5d7e90c9fdbb7ca062feb17c0afc922a57c7a23bad412d338a7fc14bac8b5e1a0ac0c4a1edc |
memory/1152-22-0x00007FFD5B0B3000-0x00007FFD5B0B5000-memory.dmp
memory/1152-21-0x0000000000B70000-0x0000000000B7A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b0441540.exe
| MD5 | 1cbbdf5652b08dce4b85036f6830622d |
| SHA1 | 33cd3306e88009701d2fc86ae1d50abdf356b78d |
| SHA256 | 067c4afa5333fda19de1c681eb2bb0f815529fd10a57f8dc82d35935e45bbf9e |
| SHA512 | ed59c16425568d61e2458c32cf2beb851a3befaa2c07422b25f845bcf358cf928fbafac88cfe60a11bb99cb352dc8577743955f5b7bf50304e4b4d4dc33eea34 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c4395091.exe
| MD5 | 9018fd85966acb075a6077f581e9c415 |
| SHA1 | 6d2ddd0f1dde7ebbe5ad037a7f1588a0d074806e |
| SHA256 | b66fe3af1bc03d7e5db29ce891bfd74b993c0ce51b62996c3597ab94ee2ef3dc |
| SHA512 | 56b09c151580d09752eec68ba0f352a8d04f54be32a1e1442899c8f4c24acb751ffdc663040efe1bcf51f1600b3f395168b0e02e696565c86d495adecfa982cb |
memory/2424-40-0x0000000000400000-0x0000000000409000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d6019551.exe
| MD5 | c225c96cdafa0b5c23bc6baa2e0218e7 |
| SHA1 | a2c128cdd18527022d211987d099a027d20d33e7 |
| SHA256 | ecdcf172ca1f833298183532ce056cdcd23b2f69aa7092967658c8c334355bf3 |
| SHA512 | 7eebd21ab59ff872f8e5e5f2d15bf42c8cc23e18fd4e070292327d18983e7ba754ef292bae217c5b69af9758d0df51306127c85fc4aa5e8a29e8793e3a06d870 |
memory/2640-45-0x0000000000DC0000-0x0000000000DF0000-memory.dmp
memory/2640-46-0x00000000057E0000-0x00000000057E6000-memory.dmp
memory/2640-47-0x000000000B230000-0x000000000B848000-memory.dmp
memory/2640-48-0x000000000AD70000-0x000000000AE7A000-memory.dmp
memory/2640-49-0x000000000ACB0000-0x000000000ACC2000-memory.dmp
memory/2640-50-0x000000000AD10000-0x000000000AD4C000-memory.dmp
memory/2640-51-0x00000000051D0000-0x000000000521C000-memory.dmp
Analysis: behavioral15
Detonation Overview
Submitted
2024-05-09 17:57
Reported
2024-05-09 17:59
Platform
win10v2004-20240426-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k2030400.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k2030400.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k2030400.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k2030400.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k2030400.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k2030400.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7125234.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4930718.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k2030400.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l8241084.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k2030400.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k2030400.exe | N/A |
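The Healer stage's registry writes are the most actionable host indicators on this page: five Real-Time Protection policy values set to 1 and TamperProtection set to 0, always by the third-level IXP dropper (p7461725.exe, k2394512.exe, a9088149.exe, k2030400.exe across the four runs). Note that the report records the same writes under \REGISTRY\MACHINE\SOFTWARE\Policies\... in behavioral18 and behavioral9 and under \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\... in behavioral20 and behavioral15, so a rule keyed on the literal path catches only half of them. The classifier below is an added example, not code from the report or from Hatching Triage; it normalises both forms and scores rows copied from this page, plus one constructed benign row as a negative control.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Policy values the Healer stage sets to 1 under
# ...\Policies\Microsoft\Windows Defender\Real-Time Protection (as recorded in the report).
RTP_DISABLE_VALUES = {
    "DisableBehaviorMonitoring",
    "DisableIOAVProtection",
    "DisableOnAccessProtection",
    "DisableRealtimeMonitoring",
    "DisableScanOnRealtimeEnable",
}
RTP_POLICY_KEY = r"\policies\microsoft\windows defender\real-time protection"
FEATURES_KEY = r"\microsoft\windows defender\features"

# One "Set value (...)" row of the report's signature tables:
# | Set value (int) | <key>\<value> = "<data>" | <process> | N/A |
ROW_RE = re.compile(
    r'^\|\s*Set value \((?P<kind>\w+)\)\s*\|\s*(?P<path>[^|=]+?)\s*=\s*"(?P<data>[^"]*)"\s*\|\s*(?P<proc>[^|]+?)\s*\|'
)


@dataclass(frozen=True)
class Finding:
    process: str
    value: str
    data: str
    reason: str


def normalize_key(key: str) -> str:
    """Lower-case, drop the hive prefix and any WOW6432Node component, so the
    native and the WOW6432Node spellings of the same key compare equal."""
    k = key.lower()
    k = k.replace(r"\registry\machine\software", "", 1)
    k = k.replace(r"\wow6432node", "", 1)
    return k


def classify_registry_write(row: str) -> Optional[Finding]:
    """Return a Finding for a Defender-disabling write, else None."""
    m = ROW_RE.match(row)
    if not m:
        return None                      # "Key created", queries, or not a table row
    key, _, value = m.group("path").strip().rpartition("\\")
    nkey, data, proc = normalize_key(key), m.group("data"), m.group("proc").strip()
    if nkey == RTP_POLICY_KEY and value in RTP_DISABLE_VALUES and data == "1":
        return Finding(proc, value, data, "real-time protection component disabled by policy")
    if nkey == FEATURES_KEY and value.lower() == "tamperprotection" and data == "0":
        return Finding(proc, value, data, "Tamper Protection switched off")
    return None


def scan(rows: List[str]) -> List[Finding]:
    return [f for f in map(classify_registry_write, rows) if f is not None]


# Rows copied from this report (behavioral18 and behavioral15), followed by one
# constructed benign row that is not from the report.
SAMPLE_ROWS = [
    r'| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p7461725.exe | N/A |',
    r'| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p7461725.exe | N/A |',
    r'| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p7461725.exe | N/A |',
    r'| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p7461725.exe | N/A |',
    r'| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k2030400.exe | N/A |',
    r'| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k2030400.exe | N/A |',
    r'| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Example\Vendor\Setting = "1" | C:\Windows\System32\example.exe | N/A |',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_ROWS):
        name = f.process.split("\\")[-1]
        print(f"{name}: {f.value}={f.data} ({f.reason})")
```

Two caveats when you take this to a real endpoint. A `Set value` in the sandbox log does not mean the setting took effect: on a host where Tamper Protection is enabled these writes are expected to be blocked, so the `TamperProtection = "0"` line reflects the sandbox image rather than what the sample achieves on a hardened machine. Confirm the effective state with `Get-MpComputerStatus` (RealTimeProtectionEnabled, IsTamperProtected) and `Get-MpPreference` (DisableRealtimeMonitoring and friends) rather than from the registry alone, and treat the write attempt itself, by an unsigned binary out of %TEMP%, as the alert.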
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\b2402bf5ca4c67871f6519e689231078532c147c35500668d062dec52e27e9fa.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7125234.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4930718.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k2030400.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k2030400.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k2030400.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\b2402bf5ca4c67871f6519e689231078532c147c35500668d062dec52e27e9fa.exe
"C:\Users\Admin\AppData\Local\Temp\b2402bf5ca4c67871f6519e689231078532c147c35500668d062dec52e27e9fa.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7125234.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7125234.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4930718.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4930718.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k2030400.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k2030400.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l8241084.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l8241084.exe
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start wuauserv
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| BE | 88.221.83.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| BE | 88.221.83.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 194.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| FI | 77.91.68.56:19071 | | tcp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| FI | 77.91.68.56:19071 | | tcp |
| FI | 77.91.68.56:19071 | | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| FI | 77.91.68.56:19071 | | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| FI | 77.91.68.56:19071 | | tcp |
| FI | 77.91.68.56:19071 | | tcp |
| US | 8.8.8.8:53 | | udp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7125234.exe
| MD5 | b48a578588d98c3a62f893c31d186283 |
| SHA1 | 6390bae1ea0bcbd3946a6fe02c96648630a7078e |
| SHA256 | 12eb65af73d57056b331bbffbd992f9f24d1b8e4a511755169da65e77f541084 |
| SHA512 | d4ba3cfd9be3460f3a7c499636ba52d8314bdbd8361620126446087668145115ebb61a0e19d84fd60af786f0d555617b1ff6ba8ed9bea6c1625fbf347e70bfbc |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4930718.exe
| MD5 | f3520c894e9ce7c7dccd10ebcd9396c0 |
| SHA1 | 9e34c4b127ad1323d64505336bb4d8910c0e3816 |
| SHA256 | 683e4cf522ce3fcaeebd4c3651b2b1284f39a5d589cd6c5a914012659b04253a |
| SHA512 | fe7097e3c7e7dc39ab30ab46acc13fbecb1a1ed74dff67a76d1e1f4d2b54992dccf8627344a418998f3c4370e62ee308fdce7101478de4d6fa4605a46dd2be4c |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k2030400.exe
| MD5 | f0cb39848f81ff9d8596467899faf7b5 |
| SHA1 | a4cfd01761010269909a9dc449d3e61ebd91ea4c |
| SHA256 | 5acdb9813683437854c30906c4bf78d941a704f4fb8c9c8e04340302856d553c |
| SHA512 | 6203c1e764d25df982b5f00e7c9949ad01c0baba66be08028a44986a42fba123bd8b08ec922714a7ad7fc52ba59a02321925ae2d11ba12067d2239383cc38855 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l8241084.exe
| MD5 | 723cd8350a1b5161d46ddaf8ed4014fc |
| SHA1 | 44cd20f39e87ce79c0564844f4fb303c288d67f5 |
| SHA256 | 8d1bd965483537eace2744419a9f76fabed2c980d2ecf59fe4c8c65f25cd04bb |
| SHA512 | fe7da90b1c21f067a815fc7d5b2494f2ca0eb81832b525211beea61e813548c9bdfba28b6ae32a474e337f2f3fe83dc956d95423a9e8ba9d0749ea4af028202f |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\System.dll.log
| MD5 | 916851e072fbabc4796d8916c5131092 |
| SHA1 | d48a602229a690c512d5fdaf4c8d77547a88e7a2 |
| SHA256 | 7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d |
| SHA512 | 07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521 |
Analysis: behavioral17
Detonation Overview
Submitted
2024-05-09 17:57
Reported
2024-05-09 17:59
Platform
win10v2004-20240508-en
Max time kernel
126s
Max time network
143s
Command Line
Signatures
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a0591490.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a0591490.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a0591490.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b8807328.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b8807328.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b8807328.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b8807328.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a0591490.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a0591490.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a0591490.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b8807328.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b8807328.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4450258.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2382910.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3119867.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a0591490.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b8807328.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c2338553.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a0591490.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a0591490.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b8807328.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2382910.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3119867.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\cd321830f55d58d1391cb6f68bd887e31a7e1c0da19880caac02e0804afeb9bc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4450258.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a0591490.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a0591490.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b8807328.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b8807328.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a0591490.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b8807328.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\cd321830f55d58d1391cb6f68bd887e31a7e1c0da19880caac02e0804afeb9bc.exe
"C:\Users\Admin\AppData\Local\Temp\cd321830f55d58d1391cb6f68bd887e31a7e1c0da19880caac02e0804afeb9bc.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4450258.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4450258.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2382910.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2382910.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3119867.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3119867.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a0591490.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a0591490.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4440,i,16710585221322798697,8586257254049248207,262144 --variations-seed-version --mojo-platform-channel-handle=4604 /prefetch:8
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b8807328.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b8807328.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c2338553.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c2338553.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| BE | 88.221.83.217:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 217.83.221.88.in-addr.arpa | udp |
| FI | 77.91.68.48:19071 | | tcp |
| FI | 77.91.68.48:19071 | | tcp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| FI | 77.91.68.48:19071 | | tcp |
| FI | 77.91.68.48:19071 | | tcp |
| FI | 77.91.68.48:19071 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4450258.exe
| MD5 | a9c8938bb80e4535f4d00f93ca4db050 |
| SHA1 | 9875588d3102cb2a50eb5fdc0e517af9676fe769 |
| SHA256 | faae488d0f36be21caea7908d89e1171fa6292ebc7f06b387835cc1b0e83cc0d |
| SHA512 | 2a75bbe5717850c7a11ccfd5cecf84bddf982a3512a70909b0d9daf4abe7b217498cc5f147dec1b1b81d2e2d1f7ce54e54eb1fcc15071f3c4f375a0b98ab4d19 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2382910.exe
| MD5 | 9dd971f5c28bd239ce88e6b50cf70234 |
| SHA1 | c4ef5f8668e15371d14fa93c8b18dc4d578d0d3b |
| SHA256 | 1f615508a598246fd500720118f9a85603048c8ba6c60484094605ba69ec1ef8 |
| SHA512 | 57330a0c7b4a1b0539f153c4cfc9a159767352f36748de8c9dcafa3adce2652ee758c7d78c1728f6edda2c4c38b04167c1191e54f65c8005e37109b4d1da36dd |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3119867.exe
| MD5 | a23e8566807ee3a468dabd71af03d831 |
| SHA1 | bdb3d103a6108ba80f05bc73666e74816eb605f8 |
| SHA256 | 8091ea19390957b3e708748238daa02d95f3e2b42abc9d29d7e88172bb344604 |
| SHA512 | aacfadc599c4e0a1ac54664a30fa6ba165df087b97e6225fe561439d465678fa731dc9712a3e1b30c0d79ecff8a2b8007e11f1653867498472125a4c88b4e827 |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a0591490.exe
| MD5 | 5cef2c3efcc75856638d10e09a8aaa08 |
| SHA1 | 6a91293684bb915d84b394e7a58d92b6c9671c96 |
| SHA256 | b9d62aff6a5001903f6c1dce538cade7460b8efa1670a18002bd2b758944bd0b |
| SHA512 | b20bef185f44d28fcc5e5adfa11991dcb05fae4856e2fc8e1204626e904fb8a90d604377b59a2c9210a3cb632ab08bbbfa04cbaa7fbf958f0735ff9ebd54b0c2 |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b8807328.exe
| MD5 | 7e93bacbbc33e6652e147e7fe07572a0 |
| SHA1 | 421a7167da01c8da4dc4d5234ca3dd84e319e762 |
| SHA256 | 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38 |
| SHA512 | 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c2338553.exe
| MD5 | 640ce7325e5663516b121c5eeeb02dbc |
| SHA1 | ac6ba514c9442b43450415b22d6b6fb686485cf7 |
| SHA256 | 589e5e37639cfd78e6b7d7bb05bd072742932309195073812a7104cd9e715fc8 |
| SHA512 | 1fa81a601b38f278b163c6ba04fe20d49c6f258ffbd8a4598553b209a83f0433d868f83f1f47876f2c1edef0b431334ebb8dfbcfb8bad3a3db9ee3f6161e87ed |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\System.dll.log
| MD5 | 916851e072fbabc4796d8916c5131092 |
| SHA1 | d48a602229a690c512d5fdaf4c8d77547a88e7a2 |
| SHA256 | 7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d |
| SHA512 | 07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521 |
Analysis: behavioral21
Detonation Overview
Submitted
2024-05-09 17:57
Reported
2024-05-09 18:00
Platform
win10v2004-20240426-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0633454.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a9751033.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b2585981.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c2700905.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0633454.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\f25337a343c26cdecd99eb7f095938fd24fb233463a8af3fa69acc5201eed956.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4972 set thread context of 864 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a9751033.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| PID 1028 set thread context of 4176 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b2585981.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a9751033.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b2585981.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\f25337a343c26cdecd99eb7f095938fd24fb233463a8af3fa69acc5201eed956.exe
"C:\Users\Admin\AppData\Local\Temp\f25337a343c26cdecd99eb7f095938fd24fb233463a8af3fa69acc5201eed956.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0633454.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0633454.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a9751033.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a9751033.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4972 -ip 4972
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4972 -s 608
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b2585981.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b2585981.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1028 -ip 1028
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1028 -s 152
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c2700905.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c2700905.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| RU | 83.97.73.129:19068 | | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| RU | 83.97.73.129:19068 | | tcp |
| BE | 88.221.83.217:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.83.221.88.in-addr.arpa | udp |
| BE | 88.221.83.217:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| RU | 83.97.73.129:19068 | | tcp |
| RU | 83.97.73.129:19068 | | tcp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 42.56.20.217.in-addr.arpa | udp |
| RU | 83.97.73.129:19068 | | tcp |
| RU | 83.97.73.129:19068 | | tcp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| RU | 83.97.73.129:19068 | | tcp |
| RU | 83.97.73.129:19068 | | tcp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| RU | 83.97.73.129:19068 | | tcp |
| RU | 83.97.73.129:19068 | | tcp |
| RU | 83.97.73.129:19068 | | tcp |
| RU | 83.97.73.129:19068 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0633454.exe
| MD5 | 7df1e56d4c1a1612ee126463fcf8ceb4 |
| SHA1 | 774ab26898cfa2ace41b0d5fa53538d318e0fa57 |
| SHA256 | a62a548ffb1dcb9166d2336968bea9011a44039f391a1a7ef70364f4a0e131a0 |
| SHA512 | a84427f66c991496b014e82a1e52a969da9b627d6dfebdb93b74acdda4907df02b7b7d17b25cb732999e4a01e7f6e327be630b93b6dd6c55ed78e3d920ccae15 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a9751033.exe
| MD5 | c0e3f771bcbb789d734e7d3e1b1f4e65 |
| SHA1 | 02e6e5e508188955181ac98bb1b9c414d2c1aa9e |
| SHA256 | 53b6f1fa7f2466210d99ea5bba427014f08b5656339d05d1dc0d120b7c6a3b02 |
| SHA512 | c983b76772a50aece42107a39c828abfa768fc33c8865df73de57e1beca2919e8cc7b8afe1d5ae3e7556273519e311d5e49ed6d52eaf895c3c3d7c34608d2118 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b2585981.exe
| MD5 | cd5a529d645436b72dc72ebc19950ef3 |
| SHA1 | 5f571b5fce5b5e210e812e28dad02b80bb1f5d80 |
| SHA256 | 887d08bb7735494fa22a46935055d0c2d612f70e97ecdd07bccf427d8e49efa3 |
| SHA512 | b314a9d61340e1cafd67aef45b5151721a6100ca0f7d6ec787e4fc4d83d1cdb571cfafcd1cc1cee681f3016bfb3fc8074681633607221711163e7da2c2e6b123 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c2700905.exe
| MD5 | 3722a3e958832f918370e3491d62d642 |
| SHA1 | 86d28aa415f98a3ffa95279b4ac521e96ab8131a |
| SHA256 | fc953ae5ccb8716ad6fa4b015596e010272dc5095fb5cf36fc1fe1ac7ca39db9 |
| SHA512 | 510caffa854da75b5cef2b52ef61dee6670fc684c090911b9bf51678c68144e3f83a2ca2b43364abd0619c6742c03b9f68f29f91d6bb6259c49fc2b8bbaeb791 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-09 17:57
Reported
2024-05-09 17:59
Platform
win7-20240508-en
Max time kernel
120s
Max time network
121s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\19408d20edf49736ff3e86b9c52dcd2bf4b3da61eff72888392b2de04e27351b.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1668 wrote to memory of 2816 | N/A | C:\Users\Admin\AppData\Local\Temp\19408d20edf49736ff3e86b9c52dcd2bf4b3da61eff72888392b2de04e27351b.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 1668 wrote to memory of 2816 | N/A | C:\Users\Admin\AppData\Local\Temp\19408d20edf49736ff3e86b9c52dcd2bf4b3da61eff72888392b2de04e27351b.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 1668 wrote to memory of 2816 | N/A | C:\Users\Admin\AppData\Local\Temp\19408d20edf49736ff3e86b9c52dcd2bf4b3da61eff72888392b2de04e27351b.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 1668 wrote to memory of 2816 | N/A | C:\Users\Admin\AppData\Local\Temp\19408d20edf49736ff3e86b9c52dcd2bf4b3da61eff72888392b2de04e27351b.exe | C:\Windows\SysWOW64\WerFault.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\19408d20edf49736ff3e86b9c52dcd2bf4b3da61eff72888392b2de04e27351b.exe
"C:\Users\Admin\AppData\Local\Temp\19408d20edf49736ff3e86b9c52dcd2bf4b3da61eff72888392b2de04e27351b.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1668 -s 88
Network
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-05-09 17:57
Reported
2024-05-09 17:59
Platform
win7-20231129-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\209f361ec54d3eb7e8c1324ecea4c86835a53f08014f20d8acdb405a98c70e19.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2848 wrote to memory of 1388 | N/A | C:\Users\Admin\AppData\Local\Temp\209f361ec54d3eb7e8c1324ecea4c86835a53f08014f20d8acdb405a98c70e19.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2848 wrote to memory of 1388 | N/A | C:\Users\Admin\AppData\Local\Temp\209f361ec54d3eb7e8c1324ecea4c86835a53f08014f20d8acdb405a98c70e19.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2848 wrote to memory of 1388 | N/A | C:\Users\Admin\AppData\Local\Temp\209f361ec54d3eb7e8c1324ecea4c86835a53f08014f20d8acdb405a98c70e19.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2848 wrote to memory of 1388 | N/A | C:\Users\Admin\AppData\Local\Temp\209f361ec54d3eb7e8c1324ecea4c86835a53f08014f20d8acdb405a98c70e19.exe | C:\Windows\SysWOW64\WerFault.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\209f361ec54d3eb7e8c1324ecea4c86835a53f08014f20d8acdb405a98c70e19.exe
"C:\Users\Admin\AppData\Local\Temp\209f361ec54d3eb7e8c1324ecea4c86835a53f08014f20d8acdb405a98c70e19.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2848 -s 116
Network
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-05-09 17:57
Reported
2024-05-09 17:59
Platform
win10v2004-20240426-en
Max time kernel
146s
Max time network
151s
Command Line
Signatures
Amadey
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a0410470.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a0410470.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a0410470.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a0410470.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a0410470.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a0410470.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
SmokeLoader
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b0689294.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1715175.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5470627.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a0410470.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b0689294.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c1053362.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d7760520.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a0410470.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\2260e01650710f720d71241eb7bd5d4c48d8b8a009804752139cf762bcd962fc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1715175.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5470627.exe | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c1053362.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c1053362.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c1053362.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a0410470.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a0410470.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a0410470.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2260e01650710f720d71241eb7bd5d4c48d8b8a009804752139cf762bcd962fc.exe
"C:\Users\Admin\AppData\Local\Temp\2260e01650710f720d71241eb7bd5d4c48d8b8a009804752139cf762bcd962fc.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1715175.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1715175.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5470627.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5470627.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a0410470.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a0410470.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b0689294.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b0689294.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
"C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe"
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c1053362.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c1053362.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN pdates.exe /TR "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "pdates.exe" /P "Admin:N"&&CACLS "pdates.exe" /P "Admin:R" /E&&echo Y|CACLS "..\925e7e99c5" /P "Admin:N"&&CACLS "..\925e7e99c5" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "pdates.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "pdates.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\925e7e99c5" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\925e7e99c5" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d7760520.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d7760520.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
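The IXP000.TMP/IXP001.TMP/IXP002.TMP directories and the wextract_cleanup RunOnce values listed under "Adds Run key to start application" are what a nested IExpress (wextract) self-extractor leaves behind: the RunOnce entry only deletes the extraction folder at next logon through advpack.dll DelNodeRunDLL32 and is not the persistence mechanism. The persistence in this process listing is the schtasks task that re-runs pdates.exe every minute plus the cacls sequence that first denies the interactive user all rights to the dropped file and its directory and then grants read only, so the user can no longer delete or overwrite the copy. The following script, added here as an example and not part of the sandbox output or of any malware family named in the report, flags that chain in command lines. The sample lines are copied from the process listing above; the five-minute threshold, the host-process names and the ATT&CK labels are our own choices.

```python
"""Flag the per-minute scheduled task into %TEMP% plus the cacls ACL lockdown
seen in the process listing.  Added example; the sample lines are copied from
the report, thresholds and ATT&CK labels are our own."""
import re

SAMPLE_CMDLINES = [  # copied from the report's process listing
    r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN pdates.exe /TR "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe" /F',
    r'"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "pdates.exe" /P "Admin:N"&&CACLS "pdates.exe" /P "Admin:R" /E&&echo Y|CACLS "..\925e7e99c5" /P "Admin:N"&&CACLS "..\925e7e99c5" /P "Admin:R" /E&&Exit',
    r'CACLS "pdates.exe" /P "Admin:N"',
    r'CACLS "pdates.exe" /P "Admin:R" /E',
    r'C:\Windows\system32\sc.exe start wuauserv',  # also in the report; must not fire
]

USER_TEMP = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
SCHTASKS_CREATE = re.compile(r'schtasks(?:\.exe)?"?\s+/create\b(?P<args>.*)', re.I)
CACLS_CALL = re.compile(
    r'cacls\s+"(?P<obj>[^"]+)"\s+/P\s+"(?P<who>[^":]+):(?P<perm>[A-Za-z])"(?P<edit>\s+/E)?',
    re.I)


def _switch(args, name):
    """Return the value that follows /NAME (unquoted), or None if absent."""
    m = re.search(r'/%s\s+("[^"]*"|\S+)' % name, args, re.I)
    return m.group(1).strip('"') if m else None


def check_schtasks(cmdline, max_minutes=5):
    """Return (task_name, reasons) when a schtasks /Create looks like malware persistence."""
    m = SCHTASKS_CREATE.search(cmdline)
    if not m:
        return None
    args = m.group("args")
    sched, modifier, task, action = (_switch(args, s) for s in ("SC", "MO", "TN", "TR"))
    reasons = []
    if sched and sched.upper() == "MINUTE" and modifier and modifier.isdigit() \
            and int(modifier) <= max_minutes:
        reasons.append(f"re-runs every {modifier} minute(s)")
    if action and USER_TEMP.search(action):
        reasons.append("task action lives under the user's Temp directory")
    if task and task.lower().endswith(".exe"):
        reasons.append("task name is just the payload file name")
    return (task, reasons) if reasons else None


def check_cacls(cmdlines):
    """Return (object, account) pairs where cacls first *replaced* the ACL with
    '<account>:N' (no /E, so every other ACE is dropped too) and then edited in
    '<account>:R'.  The account keeps read access but loses delete/modify on the
    object, which is how the dropper shields its own copy from cleanup."""
    steps = {}
    for cmdline in cmdlines:
        for m in CACLS_CALL.finditer(cmdline):
            steps.setdefault(m.group("obj").lower(), []).append(
                (m.group("who"), m.group("perm").upper(), bool(m.group("edit"))))
    locked = []
    for obj, seq in steps.items():
        for (who1, perm1, edit1), (who2, perm2, edit2) in zip(seq, seq[1:]):
            if who1 == who2 and perm1 == "N" and not edit1 and perm2 == "R" and edit2:
                locked.append((obj, who1))
                break
    return locked


def triage(cmdlines):
    """Combine both checks into (technique, subject, reasons) findings."""
    findings = []
    for cmdline in cmdlines:
        hit = check_schtasks(cmdline)
        if hit:
            findings.append(("T1053.005 scheduled task", hit[0], hit[1]))
    for obj, who in check_cacls(cmdlines):
        findings.append(("T1222.001 ACL lockdown", obj,
                         [f"{who} denied everything, then re-granted read-only"]))
    return findings


if __name__ == "__main__":
    for technique, subject, why in triage(SAMPLE_CMDLINES):
        print(f"{technique}: {subject} -- {'; '.join(why)}")
```

On a live host the same chain shows up as schtasks.exe and cacls.exe children of cmd.exe whose parent runs from a random-named directory under %TEMP%; the ACL lockdown is also why a plain delete of the dropped file fails for the logged-on user and cleanup has to take ownership first.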
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 107.211.222.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| BE | 88.221.83.184:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 184.83.221.88.in-addr.arpa | udp |
| BE | 88.221.83.184:443 | www.bing.com | tcp |
| FI | 77.91.68.61:80 | N/A | tcp |
| FI | 77.91.124.84:19071 | N/A | tcp |
| FI | 77.91.68.61:80 | N/A | tcp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| FI | 77.91.124.84:19071 | N/A | tcp |
| US | 52.111.227.11:443 | N/A | tcp |
| FI | 77.91.68.61:80 | N/A | tcp |
| FI | 77.91.124.84:19071 | N/A | tcp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| FI | 77.91.124.84:19071 | N/A | tcp |
| FI | 77.91.124.84:19071 | N/A | tcp |
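Most rows in these network tables are sandbox background noise: the 8.8.8.8:53 lookups of in-addr.arpa names are the analysis VM resolving its own peers, and the bing.com/bing.net traffic comes from the Windows image itself. The indicators worth keeping are the direct connections to 77.91.x.x on ports 80 and 19071, the RedLine traffic to 91.103.252.48:33597 further down, and the Lumma .shop domains in behavioral4. The script below, added here as an example and not part of the sandbox output, separates the two and tolerates rows in which the protocol has slid into the Domain column. The sample rows are copied from the network tables on this page; the background-traffic allowlist is our own assumption and should be tuned to the sandbox in use. Note that the .shop domains resolve to Cloudflare edge addresses (104.21.x.x, 172.67.x.x), so the domain names, not those IPs, are the indicators to block.

```python
"""Pull C2 indicators out of a sandbox network table while dropping the
sandbox's own DNS and telemetry noise.  Added example; sample rows are copied
from the report, the BACKGROUND allowlist is an assumption."""

SAMPLE_ROWS = [  # copied from the network tables on this page
    "| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |",
    "| US | 8.8.8.8:53 | g.bing.com | udp |",
    "| US | 204.79.197.237:443 | g.bing.com | tcp |",
    "| BE | 88.221.83.184:443 | www.bing.com | tcp |",
    "| FI | 77.91.68.61:80 | tcp | |",             # protocol slid into the Domain column
    "| FI | 77.91.124.84:19071 | tcp | |",
    "| FI | 77.91.124.84:19071 | N/A | tcp |",
    "| NL | 91.103.252.48:33597 | tcp |",           # trailing cell missing entirely
    "| US | 8.8.8.8:53 | mazefearcontainujsy.shop | udp |",
    "| US | 172.67.194.228:443 | mazefearcontainujsy.shop | tcp |",
]

PROTOCOLS = {"tcp", "udp"}
BACKGROUND = ("bing.com", "bing.net")  # assumption: background traffic of the sandbox image
RESOLVER = ("8.8.8.8", 53)


def parse_row(line):
    """Parse one table row into a dict, or return None for headers/garbage."""
    cells = [c.strip() for c in line.strip().strip("|").split("|")]
    if len(cells) < 3:
        return None
    country, destination = cells[0], cells[1]
    rest = [c for c in cells[2:] if c and c.upper() != "N/A"]
    proto = next((c.lower() for c in rest if c.lower() in PROTOCOLS), None)
    domain = next((c for c in rest if c.lower() not in PROTOCOLS), None)
    ip, _, port = destination.rpartition(":")
    if not port.isdigit():
        return None
    return {"country": country, "ip": ip, "port": int(port), "domain": domain, "proto": proto}


def is_background(row):
    """True for the sandbox's reverse lookups and for allowlisted telemetry domains."""
    domain = (row["domain"] or "").lower()
    if (row["ip"], row["port"]) == RESOLVER and domain.endswith(".in-addr.arpa"):
        return True
    return any(domain == b or domain.endswith("." + b) for b in BACKGROUND)


def extract_iocs(lines):
    """Return direct ip:port connections, queried domains and domain->IP resolutions."""
    direct, domains, resolved = set(), set(), {}
    for line in lines:
        row = parse_row(line)
        if row is None or is_background(row):
            continue
        if (row["ip"], row["port"]) == RESOLVER:
            if row["domain"]:
                domains.add(row["domain"])      # a lookup only, the resolver is not the IOC
            continue
        if row["domain"]:
            domains.add(row["domain"])
            resolved.setdefault(row["domain"], set()).add(row["ip"])
        else:
            direct.add((row["ip"], row["port"], row["proto"]))
    return {"direct": sorted(direct), "domains": sorted(domains),
            "resolved": {d: sorted(ips) for d, ips in resolved.items()}}


def unusual_ports(iocs, common=(80, 443)):
    """Direct connections on ports other than the usual web ports: good hunting keys."""
    return [(ip, port) for ip, port, _ in iocs["direct"] if port not in common]


if __name__ == "__main__":
    found = extract_iocs(SAMPLE_ROWS)
    for ip, port, proto in found["direct"]:
        print(f"direct  {ip}:{port}/{proto}")
    for domain in found["domains"]:
        print(f"domain  {domain} -> {found['resolved'].get(domain, [])}")
    print("unusual ports:", unusual_ports(found))
```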
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1715175.exe
| MD5 | 061c406e23341bbcb1ff5e1801849cb3 |
| SHA1 | 7ec3197388a3543dc54a754b526a21a74de567c3 |
| SHA256 | ae86041c8e819499d71e4c6acc7674c2aa2d49c8bcf4772c06fdcabc12acf52a |
| SHA512 | 176444ce621ff202d78fd397690322fa00d124b7ee51a6ef2cce205e5adc08205db4f4b30f866e8cb8132ef72e83462128cf4d124eeaf8c1d5992e5c18e98adb |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5470627.exe
| MD5 | 76dddeb11de090d98b3d9edc3df979fe |
| SHA1 | 1400ec7994433f280da5b1d84c12d62d8c19702c |
| SHA256 | e13221cfa4276e8a340f3f13212b1fef45770843a843192a8387bbd99143938f |
| SHA512 | 35384efa7caf27758daeb5d6f9a3f84c422116b77abed1e0bb0e978366cadaf2fc0d7fe15b1bb98bfe398c1eab3fb32eb9e3e1a582f5097a6779b4e2ab80f9c5 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a0410470.exe
| MD5 | 3a21e5d379f54add2172d6948ca4e597 |
| SHA1 | f2480642965b7c7a804ad8c62d7a623a815b1b02 |
| SHA256 | 2db95b60ef54ddb759464792be2f8a007214003a75cbca2de2a12f6d512900d8 |
| SHA512 | 010b8ac0ec852bbdc5e14f7409fecc81451c197281c1aff63df0acc98f46628151ce2dfabde6bde01e3c1e6b3c031637efee72edd44365afa78bafeaf63dda19 |
memory/4496-22-0x00007FFAF4AA3000-0x00007FFAF4AA5000-memory.dmp
memory/4496-21-0x0000000000170000-0x000000000017A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b0689294.exe
| MD5 | 4dcc519d9075200e24e18d1eb479b00e |
| SHA1 | 93a9cd97d0d7c6c98903391297530577e1228451 |
| SHA256 | 503f3735fdd75fa98e846ffc940735d1bc0f8c89c60de01dbcb852432d37e834 |
| SHA512 | b1494415d70a3bfbabbd26361b68858c3c785121ec49b6c054e0487c5bb1dac33e8e8c0cc404b39b598b4b8458c48795ff9efab1d0bf60dabe50ba41bd6f8423 |
memory/4516-40-0x0000000000400000-0x0000000000409000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c1053362.exe
| MD5 | ce02f9d79dea88099619df5cb1312f35 |
| SHA1 | 3c1679bf6d2ad4436f65458e679c66f79d6ae50f |
| SHA256 | 855b0ca776047364d7a3d31a44d746dd673f3d6435723e4a5093a1b757584f54 |
| SHA512 | 6ace95a26369b298fe1b9cefdccea26cb2253a11c829836a51b47b9218fa291586aa6ebb652830d44c0a97b7d1e2caac43a93cad02c5182be21d537322db555d |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d7760520.exe
| MD5 | 647971d0cadf19b3146ed9825e2e2791 |
| SHA1 | 25435c9b63194809b1ddff2ea49f68336fa16673 |
| SHA256 | 48b9794032771dfe78fc2c2b15e43e4b0a43143a6d6d5f3cea6e64dbcb976a76 |
| SHA512 | 24aa9c1d3252a641cf4b4e74ba77d4fcf7a2d8023a71981ab514f0f9cc73bb387e54743dc2c4a17799b71608785292a0399e4c9a891479dcea18ad829b426b20 |
memory/3780-45-0x0000000000CA0000-0x0000000000CD0000-memory.dmp
memory/3780-46-0x00000000055C0000-0x00000000055C6000-memory.dmp
memory/3780-47-0x000000000B0E0000-0x000000000B6F8000-memory.dmp
memory/3780-48-0x000000000AC50000-0x000000000AD5A000-memory.dmp
memory/3780-49-0x000000000AB90000-0x000000000ABA2000-memory.dmp
memory/3780-50-0x000000000ABF0000-0x000000000AC2C000-memory.dmp
memory/3780-51-0x00000000050B0000-0x00000000050FC000-memory.dmp
Analysis: behavioral8
Detonation Overview
Submitted
2024-05-09 17:57
Reported
2024-05-09 18:00
Platform
win10v2004-20240508-en
Max time kernel
146s
Max time network
158s
Command Line
Signatures
Amadey
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a9367414.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a9367414.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a9367414.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a9367414.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a9367414.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a9367414.exe | N/A |
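The six registry writes above are the whole of what the Healer component does: five DWORDs under the Real-Time Protection policy key turn off the individual Defender protections, and the write to Features\TamperProtection tries to flip the tamper-protection flag itself. Whether any of them took effect is not shown by the sandbox. On a stock Windows 10 host the HKLM\SOFTWARE\Microsoft\Windows Defender key is normally not writable even by local administrators, and while Tamper Protection is on Defender reverts these policy edits, so the rows should be read as attempts until the host's registry says otherwise. The script below, added here as an example and not sandbox output or code from the dropper, parses rows in this report's format into ATT&CK-labelled findings and then evaluates what a registry snapshot says about the same settings. The rows are copied from the tables above; the snapshot is constructed, and the "on" value for TamperProtection (TP_ON = 5) is an assumption to be confirmed with Get-MpComputerStatus on a known-good host.

```python
"""Triage Defender-tampering rows from the report and evaluate a host's
registry against the same keys.  Added example; rows are copied from the
report, the snapshot is constructed, TP_ON is an assumption."""
import re
import sys

RTP_POLICY = r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
TP_FEATURES = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features"
RTP_SWITCHES = {  # policy value -> protection it turns off when set to 1
    "DisableRealtimeMonitoring": "real-time scanning",
    "DisableBehaviorMonitoring": "behavior monitoring",
    "DisableIOAVProtection": "scanning of downloaded files and attachments",
    "DisableOnAccessProtection": "on-access scanning",
    "DisableScanOnRealtimeEnable": "catch-up scan when real-time protection is re-enabled",
}
TP_ON = 5  # assumption: commonly documented 'enabled' value; confirm with Get-MpComputerStatus

SAMPLE_ROWS = [  # copied from the signature tables on this page
    r'| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a9367414.exe | N/A |',
    r'| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a9367414.exe | N/A |',
    r'| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a9367414.exe | N/A |',
    r'| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a9367414.exe | N/A |',
    r'| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a9367414.exe | N/A |',
    r'| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a9367414.exe | N/A |',
    r'| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a9367414.exe | N/A |',
]

# "| Set value (int) | <key>\<name> = "<int>" | <process> | ..."
ROW = re.compile(r'^\|\s*Set value \(int\)\s*\|\s*(?P<key>\\REGISTRY\\[^|]*?)\\(?P<name>[^\\|]+?)'
                 r'\s*=\s*"(?P<val>\d+)"\s*\|\s*(?P<proc>[^|]+?)\s*\|')


def parse_rows(lines):
    """Return (key, value_name, int_value, process) for every 'Set value (int)' row."""
    out = []
    for line in lines:
        m = ROW.match(line)
        if m:
            out.append((m.group("key"), m.group("name"), int(m.group("val")), m.group("proc")))
    return out


def classify(rows):
    """Map each write to an ATT&CK technique and a plain-language effect."""
    findings = []
    for key, name, value, proc in rows:
        if key.lower() == RTP_POLICY.lower() and name in RTP_SWITCHES and value == 1:
            findings.append((proc, "T1562.001", f"disables {RTP_SWITCHES[name]} via policy key"))
        elif key.lower() == TP_FEATURES.lower() and name == "TamperProtection" and value != TP_ON:
            findings.append((proc, "T1562.001",
                             "writes the TamperProtection flag (treat as an attempt until host state confirms it)"))
    return findings


def effective_state(read):
    """read(key, name) -> int or None.  Report protections disabled by policy
    and whether the tamper-protection flag holds the assumed 'on' value."""
    disabled = [desc for name, desc in RTP_SWITCHES.items() if read(RTP_POLICY, name) == 1]
    return {"disabled_by_policy": disabled,
            "tamper_protection_on": read(TP_FEATURES, "TamperProtection") == TP_ON}


def dict_reader(snapshot):
    """Reader over a constructed {(key, name): value} snapshot."""
    return lambda key, name: snapshot.get((key, name))


def winreg_reader():
    """Reader for a live Windows host; \REGISTRY\MACHINE maps to HKLM."""
    import winreg  # Windows only

    def read(key, name):
        subkey = key.replace("\\REGISTRY\\MACHINE\\", "", 1)
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey) as handle:
                return winreg.QueryValueEx(handle, name)[0]
        except OSError:
            return None
    return read


SNAPSHOT = {  # constructed: a host where two of the policy writes stuck and the flag was cleared
    (RTP_POLICY, "DisableRealtimeMonitoring"): 1,
    (RTP_POLICY, "DisableBehaviorMonitoring"): 1,
    (TP_FEATURES, "TamperProtection"): 0,
}

if __name__ == "__main__":
    for proc, technique, effect in classify(parse_rows(SAMPLE_ROWS)):
        print(f"{technique} {proc}: {effect}")
    reader = winreg_reader() if sys.platform == "win32" else dict_reader(SNAPSHOT)
    print(effective_state(reader))
```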
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
SmokeLoader
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b4433481.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3609919.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0894618.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a9367414.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b4433481.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c5001555.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d0447810.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a9367414.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3609919.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0894618.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\30b28fbbc6f9f8aa27776aa07f15f77a8fe9829ca5ded9e75d26ca377674a46a.exe | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c5001555.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c5001555.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c5001555.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a9367414.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a9367414.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a9367414.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\30b28fbbc6f9f8aa27776aa07f15f77a8fe9829ca5ded9e75d26ca377674a46a.exe
"C:\Users\Admin\AppData\Local\Temp\30b28fbbc6f9f8aa27776aa07f15f77a8fe9829ca5ded9e75d26ca377674a46a.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3609919.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3609919.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0894618.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0894618.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a9367414.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a9367414.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b4433481.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b4433481.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
"C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe"
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c5001555.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c5001555.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN pdates.exe /TR "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "pdates.exe" /P "Admin:N"&&CACLS "pdates.exe" /P "Admin:R" /E&&echo Y|CACLS "..\925e7e99c5" /P "Admin:N"&&CACLS "..\925e7e99c5" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "pdates.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "pdates.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\925e7e99c5" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\925e7e99c5" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d0447810.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d0447810.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| BE | 88.221.83.184:443 | www.bing.com | tcp |
| BE | 88.221.83.184:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 184.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| FI | 77.91.68.61:80 | N/A | tcp |
| FI | 77.91.68.68:19071 | N/A | tcp |
| FI | 77.91.68.61:80 | N/A | tcp |
| US | 8.8.8.8:53 | 130.211.222.173.in-addr.arpa | udp |
| FI | 77.91.68.68:19071 | N/A | tcp |
| FI | 77.91.68.61:80 | N/A | tcp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| FI | 77.91.68.68:19071 | N/A | tcp |
| FI | 77.91.68.68:19071 | N/A | tcp |
| FI | 77.91.68.68:19071 | N/A | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3609919.exe
| MD5 | 51509d219b0e1c5395babdd64a3f4bd7 |
| SHA1 | 5ab5e02c8934575730f0859e3c9f6afb41137117 |
| SHA256 | d0b47dca6326a02d2774b4f6fb86bfabe0900177b7cab1991fb5cb69fafffa2d |
| SHA512 | 66245ec54e6c2d46374658132515ea8579e38d5d650ff9fa30f41f46ee7564216a88dcffe6a6b064312112117647981946e7b4b4b9ba8984555a7069db03ecc7 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0894618.exe
| MD5 | 2efe5b8b0ae9eaf208d4b9ffe8224884 |
| SHA1 | 43b7829006b3e5e82ce8b7d99715edcfe4692bb8 |
| SHA256 | f727ea3944553963f5b160dc0d1aef6003df28b825d2e460421f07e3a3829226 |
| SHA512 | 3aa322c1b6a587f3b480d7b0ea38b3401661727e4e874a084f71a180078a33400b8eb1d51d9480b24e56b7e84612efa902fdd5db31b1175f034b8ed17439abd7 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a9367414.exe
| MD5 | 48fd367a88cdb2ee5a1d99d40ced959e |
| SHA1 | 8df5da820dd441a7be594edb686f0c0fa5ea08c8 |
| SHA256 | e052a7ccb41484e447d5a213cb3b04b59f11c0c566fa4ed3a3d035962aa41240 |
| SHA512 | 26e2a559de44f37ccba660b3dddef8438f71c659b05f49c692221708afe1f0a8c81b8d828d8b3d67da53b176175ba9f4591dfd1e0e9aa74a66ccb2811d8adcdc |
memory/2660-21-0x00007FFDEB533000-0x00007FFDEB535000-memory.dmp
memory/2660-22-0x0000000000680000-0x000000000068A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b4433481.exe
| MD5 | c6972d6e45ff06793d554d266422c551 |
| SHA1 | 87891786fe8bfccded55428b91f0dd92d65c3604 |
| SHA256 | 0e920bba4e991813234708263a8de6d75bc4bf1615aa84c211b480b0f3d84796 |
| SHA512 | 033ea9cce2084387d12f51b25161da05c0521383b9623d485730abd2f7e868a0a17406068a17e190df17bf1698314dcaefc46f72fc25bf5d9cac49b19c341746 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c5001555.exe
| MD5 | b0198ef9b43eeb67df0b78fe1384dfb8 |
| SHA1 | 8b1f10f004e8e76ad4d6863c21d3e19dfc286f05 |
| SHA256 | 654e0218d8752068b3b8ac0cc139cefbbb88114c3b85841ae560fea6a1e3090e |
| SHA512 | ce2fecbb84cdd6339fc4292ef411f6a7500ad307b84b8b5f58f8a5ac8a9733b4f870fa6cc107fcce1313aa3bb2f2653a8dbe7fa08e1c6e5a178d9e27fb7038f0 |
memory/5020-40-0x0000000000400000-0x0000000000409000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d0447810.exe
| MD5 | 2acc7e0eca74e876fe15968fd10b279f |
| SHA1 | 1ae1ab5bc231b65153785e235c967d8f3a991eeb |
| SHA256 | e5b1e991267996348b3e8165a7b5c8f64e5471a6e9e93b320fa568bc32aeb4c0 |
| SHA512 | a076fddd05bb7c0d432a67d9b8e0ef027b511eaee129d8e570f5e20f5f1183e1acb6e35d2812047f4ca1539530fd066ef5416290e85047b0c9e29d59790d70d5 |
memory/2588-45-0x00000000003B0000-0x00000000003E0000-memory.dmp
memory/2588-46-0x00000000025B0000-0x00000000025B6000-memory.dmp
memory/2588-47-0x000000000A870000-0x000000000AE88000-memory.dmp
memory/2588-48-0x000000000A360000-0x000000000A46A000-memory.dmp
memory/2588-49-0x000000000A2A0000-0x000000000A2B2000-memory.dmp
memory/2588-50-0x000000000A300000-0x000000000A33C000-memory.dmp
memory/2588-51-0x0000000002530000-0x000000000257C000-memory.dmp
Analysis: behavioral16
Detonation Overview
Submitted
2024-05-09 17:57
Reported
2024-05-09 17:59
Platform
win10v2004-20240426-en
Max time kernel
148s
Max time network
152s
Command Line
Signatures
Amadey
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2408745.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2408745.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2408745.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2408745.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2408745.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2408745.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l9936236.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0753561.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2408745.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l9936236.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n8579264.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2408745.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\c6bd926d58aa119662ccfb970124884439404950b8aa818378fa47a61a658a44.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0753561.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2408745.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2408745.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2408745.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\c6bd926d58aa119662ccfb970124884439404950b8aa818378fa47a61a658a44.exe
"C:\Users\Admin\AppData\Local\Temp\c6bd926d58aa119662ccfb970124884439404950b8aa818378fa47a61a658a44.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0753561.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0753561.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2408745.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2408745.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l9936236.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l9936236.exe
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
"C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n8579264.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n8579264.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN danke.exe /TR "C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "danke.exe" /P "Admin:N"&&CACLS "danke.exe" /P "Admin:R" /E&&echo Y|CACLS "..\3ec1f323b5" /P "Admin:N"&&CACLS "..\3ec1f323b5" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "danke.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "danke.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\3ec1f323b5" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\3ec1f323b5" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start wuauserv
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| BE | 88.221.83.187:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 187.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| FI | 77.91.68.68:19071 | N/A | tcp |
| FI | 77.91.68.3:80 | N/A | tcp |
| FI | 77.91.68.68:19071 | N/A | tcp |
| FI | 77.91.68.3:80 | N/A | tcp |
| FI | 77.91.68.68:19071 | N/A | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| FI | 77.91.68.3:80 | N/A | tcp |
| FI | 77.91.68.68:19071 | N/A | tcp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| FI | 77.91.68.3:80 | N/A | tcp |
| FI | 77.91.68.68:19071 | N/A | tcp |
| FI | 77.91.68.3:80 | N/A | tcp |
| FI | 77.91.68.68:19071 | N/A | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0753561.exe
| MD5 | 714cbb8e723967f53607fc971e604a38 |
| SHA1 | 853aafc54d3ef37a1412e50d6378225029426021 |
| SHA256 | f4fc03f4803c2893043d5bb6ab1ea440e2abb93c0fcd98242bba9d3630450684 |
| SHA512 | 3dc309925d04b95d55b0338479599b85d96333378f27fd49a209847ba16aa089fb77a5d00ca2591e80b29fea0d444c46fdd64430ee3b2702ce95fae315a4df24 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2408745.exe
| MD5 | 7e93bacbbc33e6652e147e7fe07572a0 |
| SHA1 | 421a7167da01c8da4dc4d5234ca3dd84e319e762 |
| SHA256 | 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38 |
| SHA512 | 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91 |
memory/2184-15-0x00007FFEDC7F3000-0x00007FFEDC7F5000-memory.dmp
memory/2184-14-0x0000000000560000-0x000000000056A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l9936236.exe
| MD5 | 8c6b79ec436d7cf6950a804c1ec7d3e9 |
| SHA1 | 4a589d5605d8ef785fdc78b0bf64e769e3a21ad6 |
| SHA256 | 4e1377f9874f333dcb0b1b758e3131949e667fc39aadf3091e4e3b7cdbaeef1d |
| SHA512 | 06f2de433876963bb7bbddbe93cab0b7dd22164d1c10726294445944dcf5fa4a0fb450fc683c32565177a81a6103f6a5f11d291958bc7fcff7fdb9cf41a001ce |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n8579264.exe
| MD5 | 0e633c45656687936de4c52bc36febde |
| SHA1 | 45b47abd17aeca8787288b7d9cb1d59cb6cff2a3 |
| SHA256 | bdf6d28121204f60f6a6d5ddc2765215070add7370f381238de6564cb844edb1 |
| SHA512 | 5867a3768d42e573aa40a37da4b861867756f27d21954bc968c4b4b4fbfae8313526a3c8b733ee41dfe888ef1704c17ab7ff2e2bae28e785a09b076def4421c2 |
memory/1760-33-0x0000000000920000-0x0000000000950000-memory.dmp
memory/1760-34-0x00000000076D0000-0x00000000076D6000-memory.dmp
memory/1760-35-0x000000000AD50000-0x000000000B368000-memory.dmp
memory/1760-36-0x000000000A8D0000-0x000000000A9DA000-memory.dmp
memory/1760-37-0x000000000A810000-0x000000000A822000-memory.dmp
memory/1760-38-0x000000000A870000-0x000000000A8AC000-memory.dmp
memory/1760-39-0x0000000004D30000-0x0000000004D7C000-memory.dmp
Analysis: behavioral22
Detonation Overview
Submitted
2024-05-09 17:57
Reported
2024-05-09 18:00
Platform
win7-20240221-en
Max time kernel
134s
Max time network
147s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\f5d16598bff76b7aeece243b4478a48e666bbf1a2adb20f2684cefe2f7d06616.exe
"C:\Users\Admin\AppData\Local\Temp\f5d16598bff76b7aeece243b4478a48e666bbf1a2adb20f2684cefe2f7d06616.exe"
Network
| Country | Destination | Domain | Proto |
| NL | 91.103.252.48:33597 | N/A | tcp |
| NL | 91.103.252.48:33597 | N/A | tcp |
| NL | 91.103.252.48:33597 | N/A | tcp |
| NL | 91.103.252.48:33597 | N/A | tcp |
| NL | 91.103.252.48:33597 | N/A | tcp |
| NL | 91.103.252.48:33597 | N/A | tcp |
Files
memory/1252-5-0x0000000000400000-0x000000000047F000-memory.dmp
memory/1252-1-0x0000000000320000-0x00000000003AC000-memory.dmp
memory/1252-7-0x0000000000320000-0x00000000003AC000-memory.dmp
memory/1252-8-0x0000000001F10000-0x0000000001F11000-memory.dmp
memory/1252-9-0x0000000001F30000-0x0000000001F36000-memory.dmp
Analysis: behavioral23
Detonation Overview
Submitted
2024-05-09 17:57
Reported
2024-05-09 18:00
Platform
win10v2004-20240508-en
Max time kernel
140s
Max time network
151s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\f5d16598bff76b7aeece243b4478a48e666bbf1a2adb20f2684cefe2f7d06616.exe
"C:\Users\Admin\AppData\Local\Temp\f5d16598bff76b7aeece243b4478a48e666bbf1a2adb20f2684cefe2f7d06616.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| BE | 88.221.83.184:443 | www.bing.com | tcp |
| NL | 91.103.252.48:33597 | N/A | tcp |
| BE | 88.221.83.184:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 184.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| NL | 91.103.252.48:33597 | N/A | tcp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| NL | 91.103.252.48:33597 | N/A | tcp |
| NL | 91.103.252.48:33597 | N/A | tcp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| NL | 91.103.252.48:33597 | N/A | tcp |
| NL | 91.103.252.48:33597 | N/A | tcp |
Files
memory/2468-0-0x0000000000401000-0x0000000000404000-memory.dmp
memory/2468-2-0x0000000002080000-0x000000000210C000-memory.dmp
memory/2468-7-0x0000000000400000-0x000000000047F000-memory.dmp
memory/2468-8-0x0000000002080000-0x000000000210C000-memory.dmp
memory/2468-9-0x00000000023F0000-0x00000000023F1000-memory.dmp
memory/2468-10-0x0000000002410000-0x0000000002416000-memory.dmp
memory/2468-11-0x0000000004B50000-0x0000000005168000-memory.dmp
memory/2468-12-0x00000000051F0000-0x00000000052FA000-memory.dmp
memory/2468-13-0x0000000005320000-0x0000000005332000-memory.dmp
memory/2468-14-0x0000000005340000-0x000000000537C000-memory.dmp
memory/2468-15-0x00000000053B0000-0x00000000053FC000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2024-05-09 17:57
Reported
2024-05-09 17:59
Platform
win10v2004-20240508-en
Max time kernel
125s
Max time network
126s
Command Line
Signatures
Lumma Stealer
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3004 set thread context of 3236 | N/A | C:\Users\Admin\AppData\Local\Temp\209f361ec54d3eb7e8c1324ecea4c86835a53f08014f20d8acdb405a98c70e19.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\209f361ec54d3eb7e8c1324ecea4c86835a53f08014f20d8acdb405a98c70e19.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\209f361ec54d3eb7e8c1324ecea4c86835a53f08014f20d8acdb405a98c70e19.exe
"C:\Users\Admin\AppData\Local\Temp\209f361ec54d3eb7e8c1324ecea4c86835a53f08014f20d8acdb405a98c70e19.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3004 -ip 3004
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3004 -s 320
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3444,i,11266875042087428226,16669718873272757238,262144 --variations-seed-version --mojo-platform-channel-handle=4196 /prefetch:8
Network
Files
Analysis: behavioral10
Detonation Overview
Submitted
2024-05-09 17:57
Reported
2024-05-09 17:59
Platform
win10v2004-20240508-en
Max time kernel
142s
Max time network
152s
Command Line
Signatures
Amadey
Detects Healer an antivirus disabler dropper
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h7183740.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h7183740.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h7183740.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h7183740.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h7183740.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h7183740.exe | N/A |
RedLine
RedLine payload
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g5881446.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7114348.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g5881446.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h7183740.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j0517728.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h7183740.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\55ab9707d2ed04fd65eb47b64da270cf7fa47cedb721831c5dd0567bda7cc950.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7114348.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h7183740.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h7183740.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h7183740.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\55ab9707d2ed04fd65eb47b64da270cf7fa47cedb721831c5dd0567bda7cc950.exe
"C:\Users\Admin\AppData\Local\Temp\55ab9707d2ed04fd65eb47b64da270cf7fa47cedb721831c5dd0567bda7cc950.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7114348.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7114348.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g5881446.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g5881446.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
"C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe"
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h7183740.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h7183740.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN pdates.exe /TR "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "pdates.exe" /P "Admin:N"&&CACLS "pdates.exe" /P "Admin:R" /E&&echo Y|CACLS "..\925e7e99c5" /P "Admin:N"&&CACLS "..\925e7e99c5" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "pdates.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "pdates.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\925e7e99c5" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\925e7e99c5" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j0517728.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j0517728.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
Network
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7114348.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g5881446.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h7183740.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j0517728.exe
Analysis: behavioral12
Detonation Overview
Submitted
2024-05-09 17:57
Reported
2024-05-09 17:59
Platform
win10v2004-20240508-en
Max time kernel
142s
Max time network
147s
Command Line
Signatures
Amadey
Detects Healer an antivirus disabler dropper
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h9013163.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h9013163.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h9013163.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h9013163.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h9013163.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h9013163.exe | N/A |
RedLine
RedLine payload
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g4063000.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8332952.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g4063000.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h9013163.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j2372969.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h9013163.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\72a27ce3ad4f2daa863374d24914b9bdd41f5b34e08b440b9988fd847de7a3a5.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8332952.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h9013163.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h9013163.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h9013163.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\72a27ce3ad4f2daa863374d24914b9bdd41f5b34e08b440b9988fd847de7a3a5.exe
"C:\Users\Admin\AppData\Local\Temp\72a27ce3ad4f2daa863374d24914b9bdd41f5b34e08b440b9988fd847de7a3a5.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8332952.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8332952.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g4063000.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g4063000.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
"C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe"
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h9013163.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h9013163.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN pdates.exe /TR "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "pdates.exe" /P "Admin:N"&&CACLS "pdates.exe" /P "Admin:R" /E&&echo Y|CACLS "..\925e7e99c5" /P "Admin:N"&&CACLS "..\925e7e99c5" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "pdates.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "pdates.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\925e7e99c5" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\925e7e99c5" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j2372969.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j2372969.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
Network
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8332952.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g4063000.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h9013163.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j2372969.exe
Analysis: behavioral13
Detonation Overview
Submitted
2024-05-09 17:57
Reported
2024-05-09 17:59
Platform
win10v2004-20240426-en
Max time kernel
149s
Max time network
153s
Command Line
Signatures
Amadey
Detects Healer an antivirus disabler dropper
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a1007008.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a1007008.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a1007008.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a1007008.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a1007008.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a1007008.exe | N/A |
RedLine
RedLine payload
SmokeLoader
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8404512.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7929989.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0075279.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a1007008.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8404512.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c7649135.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d3259425.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a1007008.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\9be0387d865bef272b66fe34363fa38f5c4e2be5b6b773526bfc1d14b4791eb9.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7929989.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0075279.exe | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c7649135.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c7649135.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c7649135.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a1007008.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a1007008.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a1007008.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9be0387d865bef272b66fe34363fa38f5c4e2be5b6b773526bfc1d14b4791eb9.exe
"C:\Users\Admin\AppData\Local\Temp\9be0387d865bef272b66fe34363fa38f5c4e2be5b6b773526bfc1d14b4791eb9.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7929989.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7929989.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0075279.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0075279.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a1007008.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a1007008.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8404512.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8404512.exe
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
"C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe"
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c7649135.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c7649135.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d3259425.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d3259425.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN danke.exe /TR "C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "danke.exe" /P "Admin:N"&&CACLS "danke.exe" /P "Admin:R" /E&&echo Y|CACLS "..\3ec1f323b5" /P "Admin:N"&&CACLS "..\3ec1f323b5" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "danke.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "danke.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\3ec1f323b5" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\3ec1f323b5" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
Network
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7929989.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0075279.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a1007008.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8404512.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c7649135.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d3259425.exe