Malware Analysis Report

2024-10-16 04:05

Sample ID 240510-np9kksca21
Target red1.zip
SHA256 e6564b70fa3d9a9e989ad7c1bb2b027f2e5447273c0bb64f84c7940828ecb0ed
Tags
amadey healer redline nasa dropper evasion infostealer persistence trojan dumud masha lande zgrat discovery rat spyware stealer smokeloader news backdoor upx mihan lamp 7001210066 krast rhadamanthys
Score 10/10

Analysis Overview

Threat Level: Known bad

The file red1.zip was found to be: Known bad.

Malicious Activity Summary

Detect ZGRat V1

ZGRat

RedLine payload

Suspicious use of NtCreateUserProcessOtherParentProcess

SmokeLoader

Rhadamanthys

Detects Healer, an antivirus disabler dropper

Amadey

Healer

Modifies Windows Defender Real-time Protection settings

RedLine

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Windows security modification

UPX packed file

Checks computer location settings

Checks installed software on the system

Adds Run key to start application

Accesses cryptocurrency files/wallets, possible credential harvesting

Enumerates connected drives

Legitimate hosting services abused for malware hosting/C2

Suspicious use of SetThreadContext

Launches sc.exe

Unsigned PE

Program crash

Enumerates physical storage devices

Checks SCSI registry key(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported

2024-05-10 11:35

Signatures

UPX packed file

upx

Unsigned PE

Analysis: behavioral8

Detonation Overview

Submitted

2024-05-10 11:35

Reported

2024-05-10 11:38

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\59c1607382fbf89bf1ce30ceb0a4e1724a81c2e855e91e5f12e07c396e822a01.exe"

Signatures

Amadey

trojan amadey

Detects Healer, an antivirus disabler dropper

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h1259467.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h1259467.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h1259467.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h1259467.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h1259467.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h1259467.exe N/A

RedLine

infostealer redline

RedLine payload

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g5798448.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h1259467.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\59c1607382fbf89bf1ce30ceb0a4e1724a81c2e855e91e5f12e07c396e822a01.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8665889.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h1259467.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h1259467.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h1259467.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4648 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\59c1607382fbf89bf1ce30ceb0a4e1724a81c2e855e91e5f12e07c396e822a01.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8665889.exe
PID 4648 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\59c1607382fbf89bf1ce30ceb0a4e1724a81c2e855e91e5f12e07c396e822a01.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8665889.exe
PID 4648 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\59c1607382fbf89bf1ce30ceb0a4e1724a81c2e855e91e5f12e07c396e822a01.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8665889.exe
PID 2948 wrote to memory of 3616 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8665889.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g5798448.exe
PID 2948 wrote to memory of 3616 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8665889.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g5798448.exe
PID 2948 wrote to memory of 3616 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8665889.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g5798448.exe
PID 3616 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g5798448.exe C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
PID 3616 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g5798448.exe C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
PID 3616 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g5798448.exe C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
PID 2948 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8665889.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h1259467.exe
PID 2948 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8665889.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h1259467.exe
PID 4776 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe C:\Windows\SysWOW64\schtasks.exe
PID 4776 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe C:\Windows\SysWOW64\schtasks.exe
PID 4776 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe C:\Windows\SysWOW64\schtasks.exe
PID 4776 wrote to memory of 3332 N/A C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe C:\Windows\SysWOW64\cmd.exe
PID 4776 wrote to memory of 3332 N/A C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe C:\Windows\SysWOW64\cmd.exe
PID 4776 wrote to memory of 3332 N/A C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe C:\Windows\SysWOW64\cmd.exe
PID 3332 wrote to memory of 4392 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3332 wrote to memory of 4392 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3332 wrote to memory of 4392 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3332 wrote to memory of 5068 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3332 wrote to memory of 5068 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3332 wrote to memory of 5068 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3332 wrote to memory of 2200 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3332 wrote to memory of 2200 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3332 wrote to memory of 2200 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3332 wrote to memory of 3688 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3332 wrote to memory of 3688 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3332 wrote to memory of 3688 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3332 wrote to memory of 1148 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3332 wrote to memory of 1148 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3332 wrote to memory of 1148 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3332 wrote to memory of 4484 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3332 wrote to memory of 4484 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3332 wrote to memory of 4484 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4648 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\59c1607382fbf89bf1ce30ceb0a4e1724a81c2e855e91e5f12e07c396e822a01.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j2087279.exe
PID 4648 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\59c1607382fbf89bf1ce30ceb0a4e1724a81c2e855e91e5f12e07c396e822a01.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j2087279.exe
PID 4648 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\59c1607382fbf89bf1ce30ceb0a4e1724a81c2e855e91e5f12e07c396e822a01.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j2087279.exe

Processes

C:\Users\Admin\AppData\Local\Temp\59c1607382fbf89bf1ce30ceb0a4e1724a81c2e855e91e5f12e07c396e822a01.exe

"C:\Users\Admin\AppData\Local\Temp\59c1607382fbf89bf1ce30ceb0a4e1724a81c2e855e91e5f12e07c396e822a01.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8665889.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8665889.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g5798448.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g5798448.exe

C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe

"C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe"

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h1259467.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h1259467.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN danke.exe /TR "C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "danke.exe" /P "Admin:N"&&CACLS "danke.exe" /P "Admin:R" /E&&echo Y|CACLS "..\3ec1f323b5" /P "Admin:N"&&CACLS "..\3ec1f323b5" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "danke.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "danke.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\3ec1f323b5" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\3ec1f323b5" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j2087279.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j2087279.exe

C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe

C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe

C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe

C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start wuauserv

Network

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8665889.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g5798448.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h1259467.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j2087279.exe

Analysis: behavioral14

Detonation Overview

Submitted

2024-05-10 11:35

Reported

2024-05-10 11:38

Platform

win10v2004-20240226-en

Max time kernel

140s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a8dffd83e4ed96b525aa095a5fdbe826aa6409b97419dc8c1ab463bac16a438a.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setup.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setup.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\a8dffd83e4ed96b525aa095a5fdbe826aa6409b97419dc8c1ab463bac16a438a.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\X: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 392 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\a8dffd83e4ed96b525aa095a5fdbe826aa6409b97419dc8c1ab463bac16a438a.exe C:\Windows\SysWOW64\cmd.exe
PID 392 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\a8dffd83e4ed96b525aa095a5fdbe826aa6409b97419dc8c1ab463bac16a438a.exe C:\Windows\SysWOW64\cmd.exe
PID 392 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\a8dffd83e4ed96b525aa095a5fdbe826aa6409b97419dc8c1ab463bac16a438a.exe C:\Windows\SysWOW64\cmd.exe
PID 2728 wrote to memory of 2196 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2728 wrote to memory of 2196 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2728 wrote to memory of 2196 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2196 wrote to memory of 3652 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2196 wrote to memory of 3652 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2196 wrote to memory of 3652 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2728 wrote to memory of 2616 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 2728 wrote to memory of 2616 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 2728 wrote to memory of 2616 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 2728 wrote to memory of 760 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setup.exe
PID 2728 wrote to memory of 760 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setup.exe
PID 2728 wrote to memory of 760 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setup.exe
PID 760 wrote to memory of 3968 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setup.exe C:\Windows\SysWOW64\msiexec.exe
PID 760 wrote to memory of 3968 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setup.exe C:\Windows\SysWOW64\msiexec.exe
PID 760 wrote to memory of 3968 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setup.exe C:\Windows\SysWOW64\msiexec.exe
PID 2216 wrote to memory of 3996 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2216 wrote to memory of 3996 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2216 wrote to memory of 3996 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a8dffd83e4ed96b525aa095a5fdbe826aa6409b97419dc8c1ab463bac16a438a.exe

"C:\Users\Admin\AppData\Local\Temp\a8dffd83e4ed96b525aa095a5fdbe826aa6409b97419dc8c1ab463bac16a438a.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setup.cmd

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full" /v Release 2>nul

C:\Windows\SysWOW64\reg.exe

REG QUERY "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full" /v Release

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic product where name="FiatLink" call uninstall

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4068 --field-trial-handle=2236,i,5367110156796017614,12594004256180761011,262144 --variations-seed-version /prefetch:8

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setup.exe

Setup.exe

C:\Windows\SysWOW64\msiexec.exe

"C:\Windows\SysWOW64\msiexec.exe" -I "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\FiatLinkSetup.msi"

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 962720363978ACCB7D0BE86CEC2240FA C

Network

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setup.cmd

MD5 83a8232021f3f7690a57948dd1fd3f53
SHA1 785cab55143c51cf13714c7c3827e0324a767b62
SHA256 5bc380a39e687d214b52d425634db1490a44c4e56ae4be1658275a5282db00f0
SHA512 b9347fb089d2f81f61b40c830a578f47614e48da573ba318b020cc89dcfb65fd50a5dcfdba6e8bf6b5eb914ab441fd461db6ebadfa043b008e92018dee3383a1

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CheckNF.bat

MD5 1f4c5332b3e3f7668c6c0fbd730ef6f7
SHA1 f68d224c39e3d472a4cadfbad6f9f3a57ae6f643
SHA256 2f31c813c6d6c132fdfc1c09cf995944170db0a382f799d9dc32c249407e966c
SHA512 df673b727e5853716de4803d2ce98054a46dfdbcfbb7a7523e8fc34aa4c7fbd3354ea5990e6abf511606bf917c3e50e3bb5489a0f10572dd9aa1e9dea23818ea

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setup.exe

MD5 a71a3c02f397b830524176f5e7545723
SHA1 d15dfb49314fd2de949b223837b14e9156355122
SHA256 5a8925e95d243ffaeda81be2210fea56fa4e9626484cfadf59da95b485a17ddf
SHA512 a3ba63d54c6afc715bb1e28c90d678ca4f3db6ff8e6a572d984f9c9efaa0fd83a512226aba06a0bf1bdab9780cf922c212b7a9be2e134cec0d395916978b0bb2

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\FiatLinkSetup.msi

MD5 7c456cc375ef300f4232063f5d82fc0f
SHA1 3cdb11f579a225b7820250ea3f29ac39b2cecd87
SHA256 d968e60998886a88deed7e9286d4efb90107bc4a068d341cc8b8a2b958720f56
SHA512 13d95cae7ccfcd0d15f383b93f761b059628478f4d851148fc8a78fdadc04bf7f9b9f7cd7240b27acfbc3db5106eb20934093287ba8f22ed13ed07222904c019

C:\Users\Admin\AppData\Local\Temp\MSI19A8.tmp

MD5 b05f77f77b0f12c6774adf5b1d039b44
SHA1 cbf3aa9477641cc0fc39fbecf0c3b6ff7dbb8487
SHA256 344efb1f63e5ca99558a5b45e8462188447fef13252213761b61a2825919e410
SHA512 f93470597cb77156188de0f5675ae1e4d9b09f3b2ff744ad43b96fb2418e2452624a128c656fd5b26b435ac5dc8efaaaab52ad5dc9dc03017f67d1438da04305

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-10 11:35

Reported

2024-05-10 11:38

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2c899ff55cbbdd4c5b9be75b0893daed295266b8392bd0365eb55f6acf67f731.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k5841347.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k5841347.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k5841347.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k5841347.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k5841347.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k5841347.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k5841347.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k5841347.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\2c899ff55cbbdd4c5b9be75b0893daed295266b8392bd0365eb55f6acf67f731.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9740927.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k5841347.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k5841347.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3980 wrote to memory of 5100 N/A C:\Users\Admin\AppData\Local\Temp\2c899ff55cbbdd4c5b9be75b0893daed295266b8392bd0365eb55f6acf67f731.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9740927.exe
PID 5100 wrote to memory of 1428 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9740927.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k5841347.exe
PID 5100 wrote to memory of 4004 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9740927.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l8089495.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2c899ff55cbbdd4c5b9be75b0893daed295266b8392bd0365eb55f6acf67f731.exe

"C:\Users\Admin\AppData\Local\Temp\2c899ff55cbbdd4c5b9be75b0893daed295266b8392bd0365eb55f6acf67f731.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9740927.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9740927.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k5841347.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k5841347.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l8089495.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l8089495.exe

Network

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9740927.exe

MD5 9bdf388e7097e941c78a00799f4f4782
SHA1 b7c8e585a79710202c51201e0a064a924a4960dc
SHA256 70a63809823a29da0e2c059f044c0eebb88b69b423048530558c4d81695821cc
SHA512 45a0b0cae69e4950f4b5e9f11ee97f5cd958f0d87c78a78f4f0c3cbf13457f1f7be99c0e6d78a0dbfab736d707fa16f1a846586a985d582644f09ee5585fa0d2

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k5841347.exe

MD5 2abc60bf01928f91b0fd732fc843bded
SHA1 7c3fa32805ff83b21b9791085c19d91929d9da98
SHA256 be2409ec07808dd991d967c3a801f6bfc0849d8ac62fa13e6b6368277a9e2cff
SHA512 faa77cb7adc0772a07e6822a73d8831bd892a18d44bdc880c48daa5ebcd7888fef918252b1170c03bfe43ec76d5de3ec04d1763cf21abe2095adc95869140748

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l8089495.exe

MD5 0bc5f2797494eb6b5f6e022d890f153f
SHA1 9fbecbe0e9f8f2f3c9f343a75e9086476c153cf6
SHA256 f5aaa70292c55d01baabc02cfa987a86ebee42f448d2e1ec1909c8ce72670901
SHA512 96d04febe6df69fa587c746330adefbe76a2cc8e2ac7aa34db80e13dbde5fa8a7544b91902d5bea73681fbd1910153653de26a2d756287269607340917a216fc

Analysis: behavioral13

Detonation Overview

Submitted

2024-05-10 11:35

Reported

2024-05-10 11:38

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8b549a868852eb291819180cd971dd7b163003efa16b8efacf685d2d5f879a5b.exe"

Signatures

Amadey

trojan amadey

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h3094357.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h3094357.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h3094357.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h3094357.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h3094357.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h3094357.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g1028562.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h3094357.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2466934.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\8b549a868852eb291819180cd971dd7b163003efa16b8efacf685d2d5f879a5b.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h3094357.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h3094357.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3032 wrote to memory of 4056 N/A C:\Users\Admin\AppData\Local\Temp\8b549a868852eb291819180cd971dd7b163003efa16b8efacf685d2d5f879a5b.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2466934.exe
PID 4056 wrote to memory of 384 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2466934.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g1028562.exe
PID 384 wrote to memory of 3716 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g1028562.exe C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
PID 4056 wrote to memory of 1568 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2466934.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h3094357.exe
PID 3716 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe C:\Windows\SysWOW64\schtasks.exe
PID 3716 wrote to memory of 5052 N/A C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe C:\Windows\SysWOW64\cmd.exe
PID 5052 wrote to memory of 1180 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 5052 wrote to memory of 2300 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 5052 wrote to memory of 1956 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 5052 wrote to memory of 3340 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 5052 wrote to memory of 5112 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 5052 wrote to memory of 4176 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3032 wrote to memory of 1816 N/A C:\Users\Admin\AppData\Local\Temp\8b549a868852eb291819180cd971dd7b163003efa16b8efacf685d2d5f879a5b.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j1568602.exe

Processes

C:\Users\Admin\AppData\Local\Temp\8b549a868852eb291819180cd971dd7b163003efa16b8efacf685d2d5f879a5b.exe

"C:\Users\Admin\AppData\Local\Temp\8b549a868852eb291819180cd971dd7b163003efa16b8efacf685d2d5f879a5b.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2466934.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2466934.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g1028562.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g1028562.exe

C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe

"C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe"

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h3094357.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h3094357.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN danke.exe /TR "C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "danke.exe" /P "Admin:N"&&CACLS "danke.exe" /P "Admin:R" /E&&echo Y|CACLS "..\3ec1f323b5" /P "Admin:N"&&CACLS "..\3ec1f323b5" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "danke.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "danke.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\3ec1f323b5" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\3ec1f323b5" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j1568602.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j1568602.exe

C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe

C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe

C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe

C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe

Network

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2466934.exe

MD5 15fb4786a2f674c7576ff4150828ae51
SHA1 71dc0a584da2277291d73acd6862ea5e187d0c10
SHA256 3f6b4f35bbb4e5e4a0af042fa4b811ecc1d56e4f74c435460ee9772b0149743e
SHA512 0211b2529bffb8ca57c01e6505e8af1788db85f7d691b367e1ffa0e4b5b368eb5e7176668cb7e0970ea20f4f1ce51f6ebbecfe1d85b915e393942b0a4b0ae32c

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g1028562.exe

MD5 8c6b79ec436d7cf6950a804c1ec7d3e9
SHA1 4a589d5605d8ef785fdc78b0bf64e769e3a21ad6
SHA256 4e1377f9874f333dcb0b1b758e3131949e667fc39aadf3091e4e3b7cdbaeef1d
SHA512 06f2de433876963bb7bbddbe93cab0b7dd22164d1c10726294445944dcf5fa4a0fb450fc683c32565177a81a6103f6a5f11d291958bc7fcff7fdb9cf41a001ce

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h3094357.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

memory/1568-27-0x0000000000FE0000-0x0000000000FEA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j1568602.exe

MD5 45c91a14170a0e302dd52df2938617aa
SHA1 cc88a849ff3e75b46a2a0c4e7a69ede018ec254e
SHA256 1baba3253f3576a5314576f444a3353b4d6c5b34c3e296b8f9fc9d6c8264a1dd
SHA512 70c370676a4d3f7d95f640aa8894573eea2212d8a2b0da1b4a0a8ec3ac90fc23414fe8200feb156f30efceaba994c6ab2082216773a0d284f63d7dacb86f4b06

Analysis: behavioral16

Detonation Overview

Submitted

2024-05-10 11:35

Reported

2024-05-10 11:38

Platform

win10v2004-20240508-en

Max time kernel

141s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ccc5c313f416465ffc57b4343c6e512d0568f618620aaa7b258b5d5721aaf394.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p8565578.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p8565578.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p8565578.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p8565578.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p8565578.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p8565578.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p8565578.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\ccc5c313f416465ffc57b4343c6e512d0568f618620aaa7b258b5d5721aaf394.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2882788.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p8565578.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p8565578.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ccc5c313f416465ffc57b4343c6e512d0568f618620aaa7b258b5d5721aaf394.exe

"C:\Users\Admin\AppData\Local\Temp\ccc5c313f416465ffc57b4343c6e512d0568f618620aaa7b258b5d5721aaf394.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2882788.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2882788.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p8565578.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p8565578.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r4844943.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r4844943.exe

Network

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2882788.exe

MD5 6de9a950d4a4b7c0332b45a5bd235d01
SHA1 841af90b26f4db62c4b8f90e28338191a6a7f828
SHA256 3259015332b3c7d28f60d87021ad2c8774ee8fecdf700f3955e15f54889187a7
SHA512 5020589a686c79d44bd60222e57d114a395b06e9d2a57d29097c2666ec76a8312558593415f55017d066964c49abe9a45ebd738d761666d1b0d93f1bb1e6ba3b

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p8565578.exe

MD5 96a788f0a5be814e86485a5a69530a9f
SHA1 2d3e089f1d1e6bcd963d905e4562b3f463795d85
SHA256 49cb26c4643b21f4e6b5ac16f17256db971437aa4ad718cf747ffe01449a8e34
SHA512 d2f13b86e881b2663e32b77cdc3323c971a42737295766ad575bad1fbc21bf8e7c358e87145acbd092dace56b56c7c76203580b4cdf91afb0346b22cb00ecc0f

memory/1796-14-0x00007FF800713000-0x00007FF800715000-memory.dmp

memory/1796-15-0x0000000000EA0000-0x0000000000EAA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r4844943.exe

MD5 672fb4244fd74cff542f35696bd45875
SHA1 d1849efc41f2d286b13d036ef60417c318caf583
SHA256 b6f9f1e64fdbb0df744bf834291c6fc891188daf93e5630537498cf9c44141a6
SHA512 33b1dc400c253744c08c4506ed95e1d8518e67508e4bd6a5a73cceac4b3c628ec001c20e415b0b1d85764cafb3306b9332f3ac2a046a690d7941ecfdadc1bef5

Analysis: behavioral9

Detonation Overview

Submitted

2024-05-10 11:35

Reported

2024-05-10 11:38

Platform

win10v2004-20240426-en

Max time kernel

136s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\61f1416a771544600c2eb0122b2860693273306c4f450b6c7dc5af2a07a52b2b.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8518906.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8518906.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8518906.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b6286603.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b6286603.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8518906.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8518906.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8518906.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b6286603.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b6286603.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b6286603.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b6286603.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8518906.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b6286603.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8518906.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\61f1416a771544600c2eb0122b2860693273306c4f450b6c7dc5af2a07a52b2b.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7479313.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7958004.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v2151231.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8518906.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b6286603.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 544 wrote to memory of 744 N/A C:\Users\Admin\AppData\Local\Temp\61f1416a771544600c2eb0122b2860693273306c4f450b6c7dc5af2a07a52b2b.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7479313.exe
PID 544 wrote to memory of 744 N/A C:\Users\Admin\AppData\Local\Temp\61f1416a771544600c2eb0122b2860693273306c4f450b6c7dc5af2a07a52b2b.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7479313.exe
PID 544 wrote to memory of 744 N/A C:\Users\Admin\AppData\Local\Temp\61f1416a771544600c2eb0122b2860693273306c4f450b6c7dc5af2a07a52b2b.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7479313.exe
PID 744 wrote to memory of 3096 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7479313.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7958004.exe
PID 744 wrote to memory of 3096 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7479313.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7958004.exe
PID 744 wrote to memory of 3096 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7479313.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7958004.exe
PID 3096 wrote to memory of 1280 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7958004.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v2151231.exe
PID 3096 wrote to memory of 1280 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7958004.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v2151231.exe
PID 3096 wrote to memory of 1280 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7958004.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v2151231.exe
PID 1280 wrote to memory of 3716 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v2151231.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8518906.exe
PID 1280 wrote to memory of 3716 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v2151231.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8518906.exe
PID 1280 wrote to memory of 3716 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v2151231.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8518906.exe
PID 1280 wrote to memory of 3528 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v2151231.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b6286603.exe
PID 1280 wrote to memory of 3528 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v2151231.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b6286603.exe
PID 3096 wrote to memory of 1836 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7958004.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c8826700.exe
PID 3096 wrote to memory of 1836 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7958004.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c8826700.exe
PID 3096 wrote to memory of 1836 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7958004.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c8826700.exe

Processes

C:\Users\Admin\AppData\Local\Temp\61f1416a771544600c2eb0122b2860693273306c4f450b6c7dc5af2a07a52b2b.exe

"C:\Users\Admin\AppData\Local\Temp\61f1416a771544600c2eb0122b2860693273306c4f450b6c7dc5af2a07a52b2b.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7479313.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7479313.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7958004.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7958004.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v2151231.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v2151231.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8518906.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8518906.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b6286603.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b6286603.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c8826700.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c8826700.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
NL 23.62.61.99:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 99.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
NL 23.62.61.99:443 www.bing.com tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
FI 77.91.68.48:19071 tcp
FI 77.91.68.48:19071 tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
FI 77.91.68.48:19071 tcp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
FI 77.91.68.48:19071 tcp
FI 77.91.68.48:19071 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7479313.exe

MD5 f322468f7b64cecefaf9a0f0faccce20
SHA1 3d70724ebe7a280468c06cec4aeff4723eb530be
SHA256 d0d0aa49f6e37875f9b5dd0f21ab7ea9a9a366ff47cf69e224a1aa6e5089a24c
SHA512 b73f96b0eae3a1ca5da4a964cf56c7a991e5d30796a0f56bd6729dd4dfe542ed1053b7e0d3284bac2d5a1c7e646002fdf11866c094543e2e94847a9ed16b1fff

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7958004.exe

MD5 208b54dec1def07b191289f2f777b350
SHA1 10bf86ca447e4aa9d59a244824788350d4b4f071
SHA256 09b9055edb7d51a08a4b7a7b2ee1d982379fff43c34637084fdd32a412a20974
SHA512 06ebe2071211a221f939aa666849012f4d6e1b7855ff8e0df4bda2c0fe1430b564ad1d4209b945cfead695f1503a2dc57af84fae7bd1cf62e71691184a772b2e

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v2151231.exe

MD5 4b1a2d09d57bf0b2fc99d5da960562d5
SHA1 d72c7391e795ee360ad860d870d03c58372e5d19
SHA256 df3d2938bcbf97d8977a8fe236a2471d529e1b484ba5090635dc3fec80b7b8e3
SHA512 4a69463ab5fcb25140b9ce4fece0c2d0e7c3d2827d7d2addc26a38a8c9aeb1787837ade0084c578c46efa2d4b3c98b4fc0b645334796d40d2a73ea4e55d28684

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8518906.exe

MD5 ae98a36da0e47b966ed93d845206ce38
SHA1 1ea9b655c02f2073c92e4a010c25a2c5bcad1ed8
SHA256 1c262ccffb16c31cdf0cc414038a3da52f58e209027e5a915f3b6e40be5d3bee
SHA512 975b325fdd9cf5f47778742bf53b10a2903caace94b69d59a16c7c8ade15e8bd7d29ed372269bdde0bf76ac8898771601549f993e69c9801ffc11da4168cb1dc

memory/3716-28-0x0000000000460000-0x000000000046A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b6286603.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

memory/3528-37-0x00000000006B0000-0x00000000006BA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c8826700.exe

MD5 066240575f50b7f5987e95a3be5d62dc
SHA1 3edf9ff59b4ee474b5d828763d9c4df55bd51179
SHA256 5d78ef153cc6b04717c89d059e6b2c6200834f3945d6e762603d53c118bddfd5
SHA512 702b9df12dcfb2038eb71e0286f1c6d036df628fee3b9c44b295bf5089ce07c88fd70ac44091eb092c941217a7437210ff792190706568d8608f3a689450d76c

memory/1836-43-0x0000000000560000-0x0000000000590000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\System.dll.log

MD5 916851e072fbabc4796d8916c5131092
SHA1 d48a602229a690c512d5fdaf4c8d77547a88e7a2
SHA256 7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d
SHA512 07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521


Analysis: behavioral5

Detonation Overview

Submitted

2024-05-10 11:35

Reported

2024-05-10 11:38

Platform

win10v2004-20240508-en

Max time kernel

142s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4250b0250d540350db8a017ad70a9992b46d70a0d5ab9438c3c0597af56f27ee.exe"

Signatures

Amadey

trojan amadey

Detects Healer, an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p1280327.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p1280327.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p1280327.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p1280327.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p1280327.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p1280327.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r1561163.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p1280327.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\4250b0250d540350db8a017ad70a9992b46d70a0d5ab9438c3c0597af56f27ee.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4763657.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p1280327.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p1280327.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p1280327.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r1561163.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4408 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Local\Temp\4250b0250d540350db8a017ad70a9992b46d70a0d5ab9438c3c0597af56f27ee.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4763657.exe
PID 4408 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Local\Temp\4250b0250d540350db8a017ad70a9992b46d70a0d5ab9438c3c0597af56f27ee.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4763657.exe
PID 4408 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Local\Temp\4250b0250d540350db8a017ad70a9992b46d70a0d5ab9438c3c0597af56f27ee.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4763657.exe
PID 1764 wrote to memory of 3156 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4763657.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p1280327.exe
PID 1764 wrote to memory of 3156 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4763657.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p1280327.exe
PID 1764 wrote to memory of 3532 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4763657.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r1561163.exe
PID 1764 wrote to memory of 3532 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4763657.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r1561163.exe
PID 1764 wrote to memory of 3532 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4763657.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r1561163.exe
PID 3532 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r1561163.exe C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe
PID 3532 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r1561163.exe C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe
PID 3532 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r1561163.exe C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe
PID 4408 wrote to memory of 4704 N/A C:\Users\Admin\AppData\Local\Temp\4250b0250d540350db8a017ad70a9992b46d70a0d5ab9438c3c0597af56f27ee.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\t1649035.exe
PID 4408 wrote to memory of 4704 N/A C:\Users\Admin\AppData\Local\Temp\4250b0250d540350db8a017ad70a9992b46d70a0d5ab9438c3c0597af56f27ee.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\t1649035.exe
PID 4408 wrote to memory of 4704 N/A C:\Users\Admin\AppData\Local\Temp\4250b0250d540350db8a017ad70a9992b46d70a0d5ab9438c3c0597af56f27ee.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\t1649035.exe
PID 2684 wrote to memory of 3300 N/A C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe C:\Windows\SysWOW64\schtasks.exe
PID 2684 wrote to memory of 3300 N/A C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe C:\Windows\SysWOW64\schtasks.exe
PID 2684 wrote to memory of 3300 N/A C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe C:\Windows\SysWOW64\schtasks.exe
PID 2684 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe C:\Windows\SysWOW64\cmd.exe
PID 2684 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe C:\Windows\SysWOW64\cmd.exe
PID 2684 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe C:\Windows\SysWOW64\cmd.exe
PID 1592 wrote to memory of 1172 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1592 wrote to memory of 1172 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1592 wrote to memory of 1172 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1592 wrote to memory of 1992 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1592 wrote to memory of 1992 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1592 wrote to memory of 1992 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1592 wrote to memory of 4424 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1592 wrote to memory of 4424 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1592 wrote to memory of 4424 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1592 wrote to memory of 2704 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1592 wrote to memory of 2704 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1592 wrote to memory of 2704 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1592 wrote to memory of 3028 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1592 wrote to memory of 3028 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1592 wrote to memory of 3028 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1592 wrote to memory of 64 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1592 wrote to memory of 64 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1592 wrote to memory of 64 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe

Processes

C:\Users\Admin\AppData\Local\Temp\4250b0250d540350db8a017ad70a9992b46d70a0d5ab9438c3c0597af56f27ee.exe

"C:\Users\Admin\AppData\Local\Temp\4250b0250d540350db8a017ad70a9992b46d70a0d5ab9438c3c0597af56f27ee.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4763657.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4763657.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p1280327.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p1280327.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r1561163.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r1561163.exe

C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe

"C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\t1649035.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\t1649035.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legola.exe /TR "C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legola.exe" /P "Admin:N"&&CACLS "legola.exe" /P "Admin:R" /E&&echo Y|CACLS "..\ebb444342c" /P "Admin:N"&&CACLS "..\ebb444342c" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "legola.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "legola.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\ebb444342c" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\ebb444342c" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe

C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe

C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe

C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
NL 23.62.61.72:443 www.bing.com tcp
US 8.8.8.8:53 72.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
SE 5.42.92.67:80 tcp
FI 77.91.124.84:19071 tcp
FI 77.91.124.84:19071 tcp
SE 5.42.92.67:80 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
FI 77.91.124.84:19071 tcp
SE 5.42.92.67:80 tcp
FI 77.91.124.84:19071 tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
FI 77.91.124.84:19071 tcp
FI 77.91.124.84:19071 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4763657.exe

MD5 d9607af6726ade173eff154940caf1b6
SHA1 d083816e1455d9b2964d007c9344f8739a26952a
SHA256 0d7b7b2df1c4380d28f39f6d1bf4574c393658df66eb6ae7e4da82556bf3d9a4
SHA512 94cf37a2428dab11a6678987787e84cf67314aa74a5dff6b1457be180c3b7c0cf59371a538c2be4e20af34177c533d911008baf10067e610a46affb5620e289c

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p1280327.exe

MD5 e3e75031d0e39505ed432a196cc418f5
SHA1 13fad2d1ed1a5d2d47397a3d7ee024061bc3a690
SHA256 0b7746585a83c221a064e3a81bd9885cdbb10de4bf3f3d0fd44421ecce838c48
SHA512 a46b44977b3e58e07ef67945ef72980d8fe5bceaf86f86e27173f6c96d4bda5cc8d8ddeac90eb417ee17427afba414abe570f26d18aee525fa8802eb64a2855a

memory/3156-15-0x00007FF8EE563000-0x00007FF8EE565000-memory.dmp

memory/3156-14-0x0000000000810000-0x000000000081A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r1561163.exe

MD5 eb3b429d21756dbe557fc8bcd82f4d64
SHA1 e621b5506d1d54d5fadef00aba0985d157e4b3fb
SHA256 779ef2f7698e7d637ff300bab9f7180aa4381bf7889d29dfc596a9298fa33887
SHA512 7209c8d47d7923841002af9b9517fa14b375fb4f4dce238d12091e1ef8baf47215f30762e24f4e0a479454a95d105e060ac70227baabfc72ca7cf2355f03b3e4

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\t1649035.exe

MD5 6031d2b63a9ba8752c1f761f764435a8
SHA1 ccbe4b4cc1ca749608ad0b5a9ba77b66e414cede
SHA256 c4d3bee83333cdf60f6d329c2583643db4439db62583a5fa2d4eff17a1ae13e3
SHA512 9fe233a0c6f44ad8ff160c007c6d81484e9afffdcbc707285594f9965821a961fe28754b4da2f5e34884abadbf00f5b347825450541d199700de9ff94b2c7bd8


Analysis: behavioral20

Detonation Overview

Submitted

2024-05-10 11:35

Reported

2024-05-10 11:38

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e38bd93e7494d62b91d0445138d215387c568aa6b6e9ae0a92842ba7b1999228.exe"

Signatures

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

ZGRat

rat zgrat

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3424 set thread context of 3728 N/A C:\Users\Admin\AppData\Local\Temp\e38bd93e7494d62b91d0445138d215387c568aa6b6e9ae0a92842ba7b1999228.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3424 wrote to memory of 3728 N/A C:\Users\Admin\AppData\Local\Temp\e38bd93e7494d62b91d0445138d215387c568aa6b6e9ae0a92842ba7b1999228.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3424 wrote to memory of 3728 N/A C:\Users\Admin\AppData\Local\Temp\e38bd93e7494d62b91d0445138d215387c568aa6b6e9ae0a92842ba7b1999228.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3424 wrote to memory of 3728 N/A C:\Users\Admin\AppData\Local\Temp\e38bd93e7494d62b91d0445138d215387c568aa6b6e9ae0a92842ba7b1999228.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3424 wrote to memory of 3728 N/A C:\Users\Admin\AppData\Local\Temp\e38bd93e7494d62b91d0445138d215387c568aa6b6e9ae0a92842ba7b1999228.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3424 wrote to memory of 3728 N/A C:\Users\Admin\AppData\Local\Temp\e38bd93e7494d62b91d0445138d215387c568aa6b6e9ae0a92842ba7b1999228.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3424 wrote to memory of 3728 N/A C:\Users\Admin\AppData\Local\Temp\e38bd93e7494d62b91d0445138d215387c568aa6b6e9ae0a92842ba7b1999228.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3424 wrote to memory of 3728 N/A C:\Users\Admin\AppData\Local\Temp\e38bd93e7494d62b91d0445138d215387c568aa6b6e9ae0a92842ba7b1999228.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3424 wrote to memory of 3728 N/A C:\Users\Admin\AppData\Local\Temp\e38bd93e7494d62b91d0445138d215387c568aa6b6e9ae0a92842ba7b1999228.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e38bd93e7494d62b91d0445138d215387c568aa6b6e9ae0a92842ba7b1999228.exe

"C:\Users\Admin\AppData\Local\Temp\e38bd93e7494d62b91d0445138d215387c568aa6b6e9ae0a92842ba7b1999228.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3424 -ip 3424

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3424 -s 336

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
RU 147.45.47.64:11837 tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.99:443 www.bing.com tcp
US 8.8.8.8:53 64.47.45.147.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 99.61.62.23.in-addr.arpa udp
NL 23.62.61.99:443 www.bing.com tcp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 32.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 26.178.89.13.in-addr.arpa udp

Files


Analysis: behavioral21

Detonation Overview

Submitted

2024-05-10 11:35

Reported

2024-05-10 11:38

Platform

win10v2004-20240508-en

Max time kernel

142s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\eab14d8dada2d5205db79e415c61561de2646a3a67f4615bfffa2f0c272f8738.exe"

Signatures

Detects Healer, an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2001440.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2001440.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2001440.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2001440.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2001440.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2001440.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2001440.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2001440.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\eab14d8dada2d5205db79e415c61561de2646a3a67f4615bfffa2f0c272f8738.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8516316.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2001440.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2001440.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 712 wrote to memory of 3620 N/A C:\Users\Admin\AppData\Local\Temp\eab14d8dada2d5205db79e415c61561de2646a3a67f4615bfffa2f0c272f8738.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8516316.exe
PID 3620 wrote to memory of 1088 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8516316.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2001440.exe
PID 3620 wrote to memory of 4584 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8516316.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l7564883.exe

Processes

C:\Users\Admin\AppData\Local\Temp\eab14d8dada2d5205db79e415c61561de2646a3a67f4615bfffa2f0c272f8738.exe

"C:\Users\Admin\AppData\Local\Temp\eab14d8dada2d5205db79e415c61561de2646a3a67f4615bfffa2f0c272f8738.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8516316.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8516316.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2001440.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2001440.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l7564883.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l7564883.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
NL 23.62.61.99:443 www.bing.com tcp
US 8.8.8.8:53 99.61.62.23.in-addr.arpa udp
DE 217.196.96.101:4132 tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8516316.exe

MD5 216c883d69e5b676dadcbbc3c49b2ea7
SHA1 bd25ba694b75cfc5c747073abbe9344001c05d48
SHA256 cd05c707896cf6721f13c5f314b2a73e413a8bc42acd0b01164a2d36426728c7
SHA512 b3b74dea447966ffde82d33e7ae96df894e8145a431eb795af1d882358814ceafc2b22406a522c114a6abcd9b43f2ee166f6c492ed1194aab257b314c3bb5120

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2001440.exe

MD5 769430943362861334421dba770826e7
SHA1 f4452cae4df613a4a7cb22da4ff12a671e0debb4
SHA256 9eb85dd00a91711de4dbcb01f144368839954d6ec1bdc80bf3df63123b55089d
SHA512 a33420ec4fdda34810b86899b12d38449a85af6b46ac88d630b71bd92f5e9f74fad13b0f51d948bbd3de43d060632af5b81deffb692a5e3e4e6a327614434741

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l7564883.exe

MD5 c89a4c50b55d8b6f3a41d465a1aec944
SHA1 5ffbb28b771af6bc8f9f327294605c4bb4edfa65
SHA256 b1266f818eaf91dfe5c7aa2deaf6a428374e2bee21deffb52a3b1c22a49b8759
SHA512 29d7856defe832254a4e0f5d90ada57090bb9f960a8d53deb49273702e3eee04bfe25ac7c0ea1367a76687a1061e16302dcb6147bed30acec4901a2c83418d12

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-10 11:35

Reported

2024-05-10 11:38

Platform

win10v2004-20240508-en

Max time kernel

148s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\05b48b2909386e117184a0bdde8c6718992cf21d07674042c9d076292b260729.exe"

Signatures

Amadey

trojan amadey

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7651019.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7651019.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7651019.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7651019.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7651019.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7651019.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b4041009.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7651019.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\05b48b2909386e117184a0bdde8c6718992cf21d07674042c9d076292b260729.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9124773.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4716388.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c2505651.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c2505651.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c2505651.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7651019.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7651019.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4020 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\05b48b2909386e117184a0bdde8c6718992cf21d07674042c9d076292b260729.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9124773.exe
PID 2368 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9124773.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4716388.exe
PID 1104 wrote to memory of 4092 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4716388.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7651019.exe
PID 1104 wrote to memory of 4548 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4716388.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b4041009.exe
PID 4548 wrote to memory of 3980 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b4041009.exe C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
PID 2368 wrote to memory of 3348 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9124773.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c2505651.exe
PID 3980 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe C:\Windows\SysWOW64\schtasks.exe
PID 3980 wrote to memory of 4780 N/A C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe C:\Windows\SysWOW64\cmd.exe
PID 4780 wrote to memory of 4408 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4780 wrote to memory of 4388 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4780 wrote to memory of 2908 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4780 wrote to memory of 2012 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4780 wrote to memory of 3888 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4780 wrote to memory of 2780 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4020 wrote to memory of 4252 N/A C:\Users\Admin\AppData\Local\Temp\05b48b2909386e117184a0bdde8c6718992cf21d07674042c9d076292b260729.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d6192642.exe

Processes

C:\Users\Admin\AppData\Local\Temp\05b48b2909386e117184a0bdde8c6718992cf21d07674042c9d076292b260729.exe

"C:\Users\Admin\AppData\Local\Temp\05b48b2909386e117184a0bdde8c6718992cf21d07674042c9d076292b260729.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9124773.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9124773.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4716388.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4716388.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7651019.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7651019.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b4041009.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b4041009.exe

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

"C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe"

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c2505651.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c2505651.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN pdates.exe /TR "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "pdates.exe" /P "Admin:N"&&CACLS "pdates.exe" /P "Admin:R" /E&&echo Y|CACLS "..\925e7e99c5" /P "Admin:N"&&CACLS "..\925e7e99c5" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "pdates.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "pdates.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\925e7e99c5" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\925e7e99c5" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d6192642.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d6192642.exe

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
FI 77.91.68.61:80 tcp
US 8.8.8.8:53 203.197.79.204.in-addr.arpa udp
FI 77.91.68.68:19071 tcp
US 8.8.8.8:53 35.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 15.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9124773.exe

MD5 1969cc55ecdb4ba432f9df129b085fde
SHA1 578c239149aa29ea2edad5c751a86d57b145e3f0
SHA256 77f32b63d23c002e89fbbe13bd4a1cf8b005e7d988f6f580d58526a7882eb10f
SHA512 358147fba496d3222ad4bf76b7edba4121005a7413dc423db3b438b38f3ad33e979645961a5d0b4661f5557dc66ee0e1a4bdacbe4feb475df747f2a8397125ed

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4716388.exe

MD5 4f02a923ce0a518b99841b16da953969
SHA1 71b2bd669764fe784c80b0433dafe5e9e1564e5b
SHA256 e12ecc6f8d8bc6e6c5ec72b084e0391fb9d6e2b23619536b9453e5a83feca66f
SHA512 ff0f59f919005ec79a075dae8b13c07f508047c37eced3c7ad5c0c6c1199e74bf99f0c327e6c6536a451822397cc10e7d0231110e90d46aebafc093804e50ef5

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7651019.exe

MD5 864b6322ef4be9192d857e078e2a69d8
SHA1 24680c8fa196f0a1bf8cf51814149441f138f453
SHA256 1deb97c02d57f4c00871baa9e93d96541a9419c22cdcfb4cb5d7c152f957b07b
SHA512 365f2222be84643e5008ba5999bfd38623787a92fc58b10194775275b5fb1804736206c47739438bae44c6ad5ae502a5bf1f3ce7823d594606f409bb2420a5cb

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b4041009.exe

MD5 8c118872da7c5c6359306afdf405fb02
SHA1 4caf741d452520d043d7010380149a25d9f44bd5
SHA256 ac1cd3a1d8a1f854838b8a97fed679078f7d4295ebba95f5a2e7e90bd687845d
SHA512 f2037cf9435b1f976e43d6f5c737b50477c03d345054bfccf53075c75ee6de9c343bb55407078bf76fa4c0bad8c3ae13572edf85e34833dba952be507dc8c43c

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c2505651.exe

MD5 ba117cdee0f70dde00678528d15b0c49
SHA1 003a382b1a54b86999d15334ab118792f8313399
SHA256 65ba81cbbf5db895c8091707aec81f6c8390339700187299312c1b9c7ac8b0a0
SHA512 d395155fe71ba9073ef3154a03f974df8205c8fb7a57c11fcbab93209e862a12f4bcd8d51ce96f3095fa8cfb9cf7978f160065534dc01dc942b7a2458562f6d7

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d6192642.exe

MD5 660c745e3bc446aebd5e95bea410993b
SHA1 c46d33504bc5ef550542d07f74bd4f1e7826da03
SHA256 bb97c8811add79cf2f4a231939bd29e2ef398b6c747a6810263782a90f7b9ef5
SHA512 a61ab6e6f9ab0bb17d1306967fcd6f6c9647c0d101ab1686451edccb641d7bb75acccb0ec13482f87d505d1508d56577ce7c22ae0102e4e4e526cbf6fdea08fa

Analysis: behavioral11

Detonation Overview

Submitted

2024-05-10 11:35

Reported

2024-05-10 11:38

Platform

win10v2004-20240508-en

Max time kernel

124s

Max time network

130s

Command Line

"C:\Users\Admin\AppData\Local\Temp\68ca177d42ab79022ede5d703f2f3b4e3de42fc1ae56a531b50f66f3339721f8.exe"

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\68ca177d42ab79022ede5d703f2f3b4e3de42fc1ae56a531b50f66f3339721f8.exe

"C:\Users\Admin\AppData\Local\Temp\68ca177d42ab79022ede5d703f2f3b4e3de42fc1ae56a531b50f66f3339721f8.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4368,i,5047420736443372512,9747851268033796534,262144 --variations-seed-version --mojo-platform-channel-handle=4608 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
NL 23.62.61.75:443 www.bing.com tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 75.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 32.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp

Analysis: behavioral12

Detonation Overview

Submitted

2024-05-10 11:35

Reported

2024-05-10 11:38

Platform

win10v2004-20240426-en

Max time kernel

142s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6ba0db3b66f5f3df269e1eb1b3241575d1ec8d58b19767274aae0af44946bbb3.exe"

Signatures

Amadey

trojan amadey

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6050394.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6050394.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6050394.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6050394.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6050394.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6050394.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b5038122.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6050394.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\6ba0db3b66f5f3df269e1eb1b3241575d1ec8d58b19767274aae0af44946bbb3.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2439283.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6626793.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c9387752.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c9387752.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c9387752.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6050394.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6050394.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3348 wrote to memory of 408 N/A C:\Users\Admin\AppData\Local\Temp\6ba0db3b66f5f3df269e1eb1b3241575d1ec8d58b19767274aae0af44946bbb3.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2439283.exe
PID 408 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2439283.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6626793.exe
PID 1484 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6626793.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6050394.exe
PID 1484 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6626793.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b5038122.exe
PID 3036 wrote to memory of 4768 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b5038122.exe C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
PID 408 wrote to memory of 1408 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2439283.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c9387752.exe
PID 3348 wrote to memory of 3988 N/A C:\Users\Admin\AppData\Local\Temp\6ba0db3b66f5f3df269e1eb1b3241575d1ec8d58b19767274aae0af44946bbb3.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d9946860.exe
PID 4768 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe C:\Windows\SysWOW64\schtasks.exe
PID 4768 wrote to memory of 3580 N/A C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe C:\Windows\SysWOW64\cmd.exe
PID 3580 wrote to memory of 5068 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3580 wrote to memory of 5068 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3580 wrote to memory of 5068 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3580 wrote to memory of 852 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3580 wrote to memory of 852 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3580 wrote to memory of 852 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3580 wrote to memory of 3428 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3580 wrote to memory of 3428 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3580 wrote to memory of 3428 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3580 wrote to memory of 3880 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3580 wrote to memory of 3880 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3580 wrote to memory of 3880 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3580 wrote to memory of 1900 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3580 wrote to memory of 1900 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3580 wrote to memory of 1900 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3580 wrote to memory of 404 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3580 wrote to memory of 404 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3580 wrote to memory of 404 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe

Processes

C:\Users\Admin\AppData\Local\Temp\6ba0db3b66f5f3df269e1eb1b3241575d1ec8d58b19767274aae0af44946bbb3.exe

"C:\Users\Admin\AppData\Local\Temp\6ba0db3b66f5f3df269e1eb1b3241575d1ec8d58b19767274aae0af44946bbb3.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2439283.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2439283.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6626793.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6626793.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6050394.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6050394.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b5038122.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b5038122.exe

C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe

"C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe"

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c9387752.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c9387752.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d9946860.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d9946860.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN danke.exe /TR "C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "danke.exe" /P "Admin:N"&&CACLS "danke.exe" /P "Admin:R" /E&&echo Y|CACLS "..\3ec1f323b5" /P "Admin:N"&&CACLS "..\3ec1f323b5" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "danke.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "danke.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\3ec1f323b5" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\3ec1f323b5" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe

C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe

C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe

C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start wuauserv

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
NL 23.62.61.99:443 www.bing.com tcp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.99:443 www.bing.com tcp
US 8.8.8.8:53 99.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
FI 77.91.68.68:19071 tcp
FI 77.91.68.3:80 tcp
FI 77.91.68.68:19071 tcp
FI 77.91.68.3:80 tcp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
FI 77.91.68.68:19071 tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
FI 77.91.68.3:80 tcp
FI 77.91.68.68:19071 tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
FI 77.91.68.3:80 tcp
FI 77.91.68.68:19071 tcp
FI 77.91.68.3:80 tcp
FI 77.91.68.68:19071 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2439283.exe

MD5 1867f755c2e50bec05eb667e0d0a1184
SHA1 8fb81278c740f702f51a45a067b28c2b2564e2ed
SHA256 f34e8c5cb56f19f07740954bfbda5b828aec62e6cb8d7cadbf1354b3f811c2d2
SHA512 30148c0a3b0fc230fa4f455493319343186b7f9d71b33388133ab772ea0a10460d40514bda15486591f0da714904f7a1239c40274fd18fd19b8eb872c4be0cb3

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6626793.exe

MD5 f4707a9db7540780ee9da722fde3e0d8
SHA1 38c1069235780f3b2132f28cf526557d418b62b5
SHA256 cb1f767773f8b86ba74d1fac8848b3130be3bc93cc3930e1d123abe7d9329de9
SHA512 1e61b996234ad10e82753fdd995d3a87781b57585e4e24ea8bd11b506541bf57e2f4915f6ea6d8ed0665d23920a0e556723143cb0a4986a46c637f1d02431290

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6050394.exe

MD5 a74dd029101a25504d8fc7ca33c1adc2
SHA1 22cc29079d98d3ff79f13b8ebf9a27c67757594e
SHA256 1361d5cc17da4688d29e0a60cdb9fe1669d80f3c999292e2467969cf898f3f84
SHA512 2a6bb5b8fe48c838d9af2c95a32b69729e32ee0d2ce1fe35d281b286e910657a8792037d3a52b825d24d7e69730eff09f99ec549ecd3da6e4cb69a277a81f5d0

memory/2284-22-0x0000000000020000-0x000000000002A000-memory.dmp

memory/2284-21-0x00007FFE311F3000-0x00007FFE311F5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b5038122.exe

MD5 787410f258f680e28c135ac0ecc645ca
SHA1 06505649a3c2729796b57e7de0869c8b5a2fd84c
SHA256 064ca5e3fc52bd168e29697fc755b7310781344cafad50e1cd14555e7255641e
SHA512 3c5c3d74569766c30fabe448ec04e1560de75ba10244c4179b0b19deda31ecf5207b7545b6e1c8411e2587409f7d5ca54f35cb04f2bcba109239f83d48294580

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c9387752.exe

MD5 df6d3dd8d25c7c1afe3a7756ed9e9ecc
SHA1 a66f386ff69133f8ba6478ae69d56b7880ac0177
SHA256 9916aae975cc1b7af1360bc7de341ddc914a619eeb9cb468cc713147ca4e95f8
SHA512 4c6ec99bd9b06fc4723aefd5a7a637f641aba4fca5d40ae89555a52ec286557675335f2d22ab83710c07a0cd93bbbbcb55614288b4a3cb436c484b7ba173d59b

memory/1408-40-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1408-41-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d9946860.exe

MD5 b787561ef39443cd949621f9c189edce
SHA1 6fa6607cb82c22e522547240c8fc40a69cc7c3f7
SHA256 75fe759176072d5688b12d57a87b086cd843600351d953b9ae7672dfe407fc56
SHA512 3fc333966851e5179410aee1b2cfc788d20ce8057af2f1205c2a15add8c77f87e474f404c5cf91d6b5f37e35270ff3596c8c22cfbde61e6b93766f37f575a59e

memory/3988-45-0x0000000000880000-0x00000000008B0000-memory.dmp

memory/3988-46-0x00000000051A0000-0x00000000051A6000-memory.dmp

memory/3988-47-0x0000000005850000-0x0000000005E68000-memory.dmp

memory/3988-48-0x0000000005340000-0x000000000544A000-memory.dmp

memory/3988-49-0x0000000005200000-0x0000000005212000-memory.dmp

memory/3988-50-0x0000000005270000-0x00000000052AC000-memory.dmp

memory/3988-51-0x00000000052B0000-0x00000000052FC000-memory.dmp

Analysis: behavioral23

Detonation Overview

Submitted

2024-05-10 11:35

Reported

2024-05-10 11:38

Platform

win7-20240508-en

Max time kernel

118s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fb49b50c0d470063e9548552158ebf5137ca285f8cf0ccfe1a2ef2d44bbb4390.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\fb49b50c0d470063e9548552158ebf5137ca285f8cf0ccfe1a2ef2d44bbb4390.exe

"C:\Users\Admin\AppData\Local\Temp\fb49b50c0d470063e9548552158ebf5137ca285f8cf0ccfe1a2ef2d44bbb4390.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2220 -s 52

Network

N/A

Files

memory/2220-0-0x0000000000030000-0x0000000000031000-memory.dmp

memory/2220-1-0x0000000000030000-0x0000000000031000-memory.dmp

Analysis: behavioral6

Detonation Overview

Submitted

2024-05-10 11:35

Reported

2024-05-10 11:38

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\464a7168620633d6f4e27494eec6c1cedff2ae39e5ffda7f9913f43efd93bd38.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a1342500.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a1342500.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a1342500.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a1342500.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a1342500.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a1342500.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a1342500.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a1342500.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\464a7168620633d6f4e27494eec6c1cedff2ae39e5ffda7f9913f43efd93bd38.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4391517.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a1342500.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a1342500.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a1342500.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3652 wrote to memory of 556 N/A C:\Users\Admin\AppData\Local\Temp\464a7168620633d6f4e27494eec6c1cedff2ae39e5ffda7f9913f43efd93bd38.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4391517.exe
PID 3652 wrote to memory of 556 N/A C:\Users\Admin\AppData\Local\Temp\464a7168620633d6f4e27494eec6c1cedff2ae39e5ffda7f9913f43efd93bd38.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4391517.exe
PID 3652 wrote to memory of 556 N/A C:\Users\Admin\AppData\Local\Temp\464a7168620633d6f4e27494eec6c1cedff2ae39e5ffda7f9913f43efd93bd38.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4391517.exe
PID 556 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4391517.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a1342500.exe
PID 556 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4391517.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a1342500.exe
PID 556 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4391517.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a1342500.exe
PID 556 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4391517.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b3543593.exe
PID 556 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4391517.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b3543593.exe
PID 556 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4391517.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b3543593.exe

Processes

C:\Users\Admin\AppData\Local\Temp\464a7168620633d6f4e27494eec6c1cedff2ae39e5ffda7f9913f43efd93bd38.exe

"C:\Users\Admin\AppData\Local\Temp\464a7168620633d6f4e27494eec6c1cedff2ae39e5ffda7f9913f43efd93bd38.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4391517.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4391517.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a1342500.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a1342500.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b3543593.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b3543593.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.99:443 www.bing.com tcp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 99.61.62.23.in-addr.arpa udp
NL 23.62.61.99:443 www.bing.com tcp
DE 217.196.96.101:4132 tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 32.251.17.2.in-addr.arpa udp
DE 217.196.96.101:4132 tcp
DE 217.196.96.101:4132 tcp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
DE 217.196.96.101:4132 tcp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
DE 217.196.96.101:4132 tcp
DE 217.196.96.101:4132 tcp
US 8.8.8.8:53 174.117.168.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4391517.exe

MD5 8067106c1a967b7bb5811be1ae14865c
SHA1 5c73dab5e1086c66477eec2ffc87f2d307c6c2e8
SHA256 8bf51808036692b58c97fc2ad6b9831492c31663235b3c6a04fc5d1febdef994
SHA512 69d7dc4f4584e1155e6b30f8a82af04c217512de3dcaa1867e673f9fcd1501f476040ef69cb176d4e00f08aaa3c05bc20104d9c462d7bb7c957e44993f623079

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a1342500.exe

MD5 fb624114dcc06c40c7d5a5dd6638c9e3
SHA1 169dfd4765ce943492d1bc716e3c865bb21b2382
SHA256 d8c78b8289dbcba18306ffa4f2e5ce2cb545f767634849fbfde4c7b0d3d9f06c
SHA512 db80b5fc4017036322cfbade1a5b5146cb41e1edc69d018204b380297f426f0c669fe8b8f8f401c8ad7fd967815c242e6fac7376f56f59eb7cb3ef4c05c27223

memory/4008-14-0x000000007468E000-0x000000007468F000-memory.dmp

memory/4008-15-0x00000000022B0000-0x00000000022CA000-memory.dmp

memory/4008-16-0x0000000074680000-0x0000000074E30000-memory.dmp

memory/4008-18-0x0000000002430000-0x0000000002448000-memory.dmp

memory/4008-17-0x0000000004B70000-0x0000000005114000-memory.dmp

memory/4008-19-0x0000000074680000-0x0000000074E30000-memory.dmp

memory/4008-47-0x0000000002430000-0x0000000002442000-memory.dmp

memory/4008-45-0x0000000002430000-0x0000000002442000-memory.dmp

memory/4008-43-0x0000000002430000-0x0000000002442000-memory.dmp

memory/4008-41-0x0000000002430000-0x0000000002442000-memory.dmp

memory/4008-40-0x0000000002430000-0x0000000002442000-memory.dmp

memory/4008-37-0x0000000002430000-0x0000000002442000-memory.dmp

memory/4008-35-0x0000000002430000-0x0000000002442000-memory.dmp

memory/4008-33-0x0000000002430000-0x0000000002442000-memory.dmp

memory/4008-31-0x0000000002430000-0x0000000002442000-memory.dmp

memory/4008-27-0x0000000002430000-0x0000000002442000-memory.dmp

memory/4008-25-0x0000000002430000-0x0000000002442000-memory.dmp

memory/4008-23-0x0000000002430000-0x0000000002442000-memory.dmp

memory/4008-29-0x0000000002430000-0x0000000002442000-memory.dmp

memory/4008-21-0x0000000002430000-0x0000000002442000-memory.dmp

memory/4008-20-0x0000000002430000-0x0000000002442000-memory.dmp

memory/4008-49-0x0000000074680000-0x0000000074E30000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b3543593.exe

MD5 b28f0616ae5d240ea35b31918179ecfe
SHA1 5c275f432426411ca46193a4e12bbe38b89c814c
SHA256 61d42fbe74bb90f8d932a8ad63ced2f82409b7cab8b3378aba0981d6c9f46dba
SHA512 527aa8f0e6045af3d85fa4537bd83d2977411dfd6d17a704e68f11afe1523f4cb302e1112d4acbc0aefb70b8008cb648930afaf135c5071036bd4b447d8946b7

memory/2984-53-0x0000000000410000-0x0000000000440000-memory.dmp

memory/2984-54-0x00000000025F0000-0x00000000025F6000-memory.dmp

memory/2984-55-0x000000000A7A0000-0x000000000ADB8000-memory.dmp

memory/2984-56-0x000000000A290000-0x000000000A39A000-memory.dmp

memory/2984-57-0x000000000A1B0000-0x000000000A1C2000-memory.dmp

memory/2984-58-0x000000000A210000-0x000000000A24C000-memory.dmp

memory/2984-59-0x0000000004800000-0x000000000484C000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-05-10 11:35

Reported

2024-05-10 11:38

Platform

win10v2004-20240508-en

Max time kernel

126s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2e0a9b6a39ce81b93beb155ac3c237f4a6b9248d6b872ed22bfdf8851796b19b.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4992850.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3460427.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3460427.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4992850.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4992850.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4992850.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3460427.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3460427.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3460427.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4992850.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4992850.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3460427.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4992850.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4992850.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3460427.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\2e0a9b6a39ce81b93beb155ac3c237f4a6b9248d6b872ed22bfdf8851796b19b.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7472544.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9263224.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1805423.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5289050.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4992850.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3460427.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1508 wrote to memory of 5068 N/A C:\Users\Admin\AppData\Local\Temp\2e0a9b6a39ce81b93beb155ac3c237f4a6b9248d6b872ed22bfdf8851796b19b.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7472544.exe
PID 1508 wrote to memory of 5068 N/A C:\Users\Admin\AppData\Local\Temp\2e0a9b6a39ce81b93beb155ac3c237f4a6b9248d6b872ed22bfdf8851796b19b.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7472544.exe
PID 1508 wrote to memory of 5068 N/A C:\Users\Admin\AppData\Local\Temp\2e0a9b6a39ce81b93beb155ac3c237f4a6b9248d6b872ed22bfdf8851796b19b.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7472544.exe
PID 5068 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7472544.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9263224.exe
PID 5068 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7472544.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9263224.exe
PID 5068 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7472544.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9263224.exe
PID 2664 wrote to memory of 3656 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9263224.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1805423.exe
PID 2664 wrote to memory of 3656 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9263224.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1805423.exe
PID 2664 wrote to memory of 3656 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9263224.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1805423.exe
PID 3656 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1805423.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5289050.exe
PID 3656 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1805423.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5289050.exe
PID 3656 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1805423.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5289050.exe
PID 2152 wrote to memory of 3984 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5289050.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4992850.exe
PID 2152 wrote to memory of 3984 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5289050.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4992850.exe
PID 2152 wrote to memory of 3984 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5289050.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4992850.exe
PID 2152 wrote to memory of 4692 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5289050.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3460427.exe
PID 2152 wrote to memory of 4692 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5289050.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3460427.exe
PID 3656 wrote to memory of 4308 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1805423.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c4849613.exe
PID 3656 wrote to memory of 4308 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1805423.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c4849613.exe
PID 3656 wrote to memory of 4308 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1805423.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c4849613.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2e0a9b6a39ce81b93beb155ac3c237f4a6b9248d6b872ed22bfdf8851796b19b.exe

"C:\Users\Admin\AppData\Local\Temp\2e0a9b6a39ce81b93beb155ac3c237f4a6b9248d6b872ed22bfdf8851796b19b.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7472544.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7472544.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9263224.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9263224.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1805423.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1805423.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5289050.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5289050.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4992850.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4992850.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3460427.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3460427.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c4849613.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c4849613.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
NL 23.62.61.160:443 www.bing.com tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 160.61.62.23.in-addr.arpa udp
FI 77.91.68.56:19071 tcp
FI 77.91.68.56:19071 tcp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
FI 77.91.68.56:19071 tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
FI 77.91.68.56:19071 tcp
FI 77.91.68.56:19071 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7472544.exe

MD5 4f42b9b022fd8d85dcdd9f017b90ff04
SHA1 676ba0ae4538adddc2b07f55a48cd628d12b7633
SHA256 b02ee275800185a8058ae8d737a10aa7ef514f4d772b4d85a2d65b2239545d4f
SHA512 38f9a1db8fb1505cb1ff738dc29aa61599c4e23a3b5fdd3cb75bfb8bfd3a300132e7c5b476e8bcaa36f5db240f3c6188e5b1028610e2f8d9ebc53f0932187c97

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9263224.exe

MD5 9d65e889dc6cdf70ab7a92689cf92af2
SHA1 507fd511af4528e94e1d2c6d37855380afb4a426
SHA256 2203e5e15c34017bdb5d5dac6cba15f8d99920c65ef189076a1ce7d3af478ad1
SHA512 db30bd0c8afe77d711e58f68fb755e4cb4e762a90ed3aa6319ff4dda932abbd0b067dd9090cc87dac6e2a3b1c27a58bdad18836d609240d7f53714d699a2624c

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1805423.exe

MD5 8592a6dc936028a99ace4532cd770d5d
SHA1 7e44db68b7ec9a089b8a4937ed6ebb5d84860656
SHA256 d1285e5b0d41a774b9207d576b7f7843892698c455ef32b279164721daefa805
SHA512 d433730289a88f71bc6ac17faae51ff07fa32e9398c84a00dfe54e70b158fa5d94d2e73a9a2bed44f45e36ae357c6a82c5f4b6e20d487529f3b43842f98510cd

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5289050.exe

MD5 edc75ffe5fa9ffa372060ebd5c09c2b3
SHA1 1c075856c81f5648acc34d08fa5a41debd9387ae
SHA256 92d61909555ed2bddf1f59506648e79a53e769014afc63405405cbfea6979340
SHA512 27943feab8ffb5635b6b886202f75d4f839a7bc4f326df0af1ea92560ee51a167a2d8aabe341b3861876fc7766abd1c8bab3d0dcad9cf69af81dabc89b797c13

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4992850.exe

MD5 068c37a137de97b4569270eb0fd08b27
SHA1 9cef9ddd66a3c3a18a6993eff25304d29e95bf6d
SHA256 f9adeb967c811f699984b5a9d12d7d5c7090827a0c1ab3bea159c7d04f41286b
SHA512 98f1d6795cadb5ffe4f95c05fa3590832fe64cf1ea539199557fba0b4183c50ec7c0fdd210af23d4c769beb1158eca495e5b176d883ee29501334e88c0139cf1

memory/3984-35-0x0000000000560000-0x000000000059E000-memory.dmp

memory/3984-41-0x0000000000560000-0x000000000059E000-memory.dmp

memory/3984-42-0x0000000002640000-0x0000000002641000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3460427.exe

MD5 698c2c19db2d75dda748684546023df8
SHA1 f03d654d2459c82f0fbd407289c2b2f6458cfbfd
SHA256 e27ddbbb48705cb0790690d176d326b1e68fac8960b25b65e56582c552d6a749
SHA512 b937e05949307bbf8da79c416c1ab9c844bab3065e2fcd690f6ff5bb403caebc89997b6d050eb82339dd9181a8842629602794bbda2436404381d0cf68f340e4

memory/4692-48-0x00000000001A0000-0x00000000001AA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c4849613.exe

MD5 da6ff81c6f67611413531f823ea93e2b
SHA1 8e4244fe534ab3ae1ea22dc12f0665bcec0db34a
SHA256 69220a693e0059f35711ed1e66ec35c9b62de85afe4cdb9c282c2d24d9483193
SHA512 f4af9745c5dab137c04b0e86f34fc696c1a9d7fcb9ca9733fcd75256981aa6835f3aeffd4f3fc1fce1c07109096c2835a2b6c83bc246ccfd719372059ebe5d36

memory/4308-53-0x00000000005B0000-0x000000000063C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\System.dll.log

MD5 916851e072fbabc4796d8916c5131092
SHA1 d48a602229a690c512d5fdaf4c8d77547a88e7a2
SHA256 7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d
SHA512 07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

memory/4308-60-0x00000000005B0000-0x000000000063C000-memory.dmp

memory/4308-62-0x0000000004510000-0x0000000004516000-memory.dmp

memory/4308-63-0x0000000007270000-0x0000000007888000-memory.dmp

memory/4308-64-0x0000000006CE0000-0x0000000006DEA000-memory.dmp

memory/4308-65-0x0000000006E10000-0x0000000006E22000-memory.dmp

memory/4308-66-0x0000000006E30000-0x0000000006E6C000-memory.dmp

memory/4308-67-0x0000000006EA0000-0x0000000006EEC000-memory.dmp

Analysis: behavioral7

Detonation Overview

Submitted

2024-05-10 11:35

Reported

2024-05-10 11:38

Platform

win10v2004-20240508-en

Max time kernel

127s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4d09936a4a5e882005320c53757dc18469109b9f86d4b6003bb674e1658b0dbf.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5137020.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5137020.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3677044.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3677044.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3677044.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3677044.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5137020.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5137020.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5137020.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5137020.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3677044.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3677044.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5137020.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5137020.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3677044.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\4d09936a4a5e882005320c53757dc18469109b9f86d4b6003bb674e1658b0dbf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1426625.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4288450.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0931522.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0829334.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5137020.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3677044.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1360 wrote to memory of 1108 N/A C:\Users\Admin\AppData\Local\Temp\4d09936a4a5e882005320c53757dc18469109b9f86d4b6003bb674e1658b0dbf.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1426625.exe
PID 1360 wrote to memory of 1108 N/A C:\Users\Admin\AppData\Local\Temp\4d09936a4a5e882005320c53757dc18469109b9f86d4b6003bb674e1658b0dbf.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1426625.exe
PID 1360 wrote to memory of 1108 N/A C:\Users\Admin\AppData\Local\Temp\4d09936a4a5e882005320c53757dc18469109b9f86d4b6003bb674e1658b0dbf.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1426625.exe
PID 1108 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1426625.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4288450.exe
PID 1108 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1426625.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4288450.exe
PID 1108 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1426625.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4288450.exe
PID 2364 wrote to memory of 208 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4288450.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0931522.exe
PID 2364 wrote to memory of 208 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4288450.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0931522.exe
PID 2364 wrote to memory of 208 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4288450.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0931522.exe
PID 208 wrote to memory of 464 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0931522.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0829334.exe
PID 208 wrote to memory of 464 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0931522.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0829334.exe
PID 208 wrote to memory of 464 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0931522.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0829334.exe
PID 464 wrote to memory of 4732 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0829334.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5137020.exe
PID 464 wrote to memory of 4732 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0829334.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5137020.exe
PID 464 wrote to memory of 4732 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0829334.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5137020.exe
PID 464 wrote to memory of 4536 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0829334.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3677044.exe
PID 464 wrote to memory of 4536 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0829334.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3677044.exe
PID 208 wrote to memory of 3980 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0931522.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c1783125.exe
PID 208 wrote to memory of 3980 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0931522.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c1783125.exe
PID 208 wrote to memory of 3980 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0931522.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c1783125.exe

Processes

C:\Users\Admin\AppData\Local\Temp\4d09936a4a5e882005320c53757dc18469109b9f86d4b6003bb674e1658b0dbf.exe

"C:\Users\Admin\AppData\Local\Temp\4d09936a4a5e882005320c53757dc18469109b9f86d4b6003bb674e1658b0dbf.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1426625.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1426625.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4288450.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4288450.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0931522.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0931522.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0829334.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0829334.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5137020.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5137020.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3677044.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3677044.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c1783125.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c1783125.exe

Network

Country  Destination         Domain                        Proto
US       8.8.8.8:53          g.bing.com                    udp
US       204.79.197.237:443  g.bing.com                    tcp
NL       23.62.61.185:443    www.bing.com                  tcp
US       8.8.8.8:53          8.8.8.8.in-addr.arpa          udp
US       8.8.8.8:53          68.159.190.20.in-addr.arpa    udp
US       8.8.8.8:53          172.210.232.199.in-addr.arpa  udp
US       8.8.8.8:53          237.197.79.204.in-addr.arpa   udp
US       8.8.8.8:53          205.47.74.20.in-addr.arpa     udp
NL       23.62.61.185:443    www.bing.com                  tcp
US       8.8.8.8:53          185.61.62.23.in-addr.arpa     udp
FI       77.91.68.56:19071                                 tcp
FI       77.91.68.56:19071                                 tcp
US       8.8.8.8:53          77.190.18.2.in-addr.arpa      udp
FI       77.91.68.56:19071                                 tcp
US       8.8.8.8:53          30.243.111.52.in-addr.arpa    udp
FI       77.91.68.56:19071                                 tcp
FI       77.91.68.56:19071                                 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1426625.exe

MD5 0ffebb1f8e07e9e177551ddfe1e5deb3
SHA1 126013412bc3d49f5c8e3beafe9cfd92fdf59c65
SHA256 cd6bdea7c7a6c6ade538cf5d4567881d67e82dd72d473179cb47986367bae628
SHA512 1a23a319a9d8c4f025ede357e008d6ee0a656f88e7efa0901a46eef7b6c56248dad5a4b251f82b3d7c1aa73562ff5fa00e5ae2f9262554232badebe4dc71918a

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4288450.exe

MD5 05b31cc1f873f663da8a3673ee1c1e70
SHA1 da64bfd433ce785b9d26fb0f6fe4883d9d790b09
SHA256 2a5782027e95953e6a505c58e691fc2324135b202c38c437ad4dc8ced47a2feb
SHA512 d902b06aebe522c883f782dd299f57d3d1925ab3e4955b8ce6882e53523bd63b9d3f35b8c0f0c6ad8aea0a5e9f9e3ad01fd2bc2096dbe62196ce38bb0f6f40d8

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0931522.exe

MD5 50f2ebe7886d7ecf35f81f720ac270ed
SHA1 59f616bc7d655575d54e58c256de026dd0c82c6e
SHA256 e127f2e8fb3406e6ce6497ebf04e41c01b95f4a7c2d3c89ecc5fe462dfa62ffd
SHA512 d685afabb0bb488b1d6d0c3d69b0175593658f5920d25841086759be73ed79ee426883485013fa5b6f5398372c36145c559404ac7892e559d75846fbaf5adf44

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0829334.exe

MD5 c045adc356c9935a873d1cd91cd54989
SHA1 06b1b8c34e396a09a69a425af0f8b00671a4f953
SHA256 bb2374a0251dd291e217e7c74eac6881cc229a2778ba0047f54e014bebc75a62
SHA512 bcab8a6331c4ceb7beeff395fc6d3b8d0ae7e1ae3ea0c45692870aad586563ed8313d24b02d45c69cb0496f7115f6580422637edcb4c188575960819e86f54f0

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5137020.exe

MD5 c43930fbf73244831a96682aba907e8c
SHA1 44db4ec9c11a04d56d2bfab7f993abf37a23e6fe
SHA256 9beeaf6651baa5e2597a933df6eee18cf168ba41865e18001185613e0949bba3
SHA512 6cb91d5c9317f693a04eec12cddef55760619ed65944df60986b009eb1c782833d121788d4352519e6391bed2a06f0f602b1f4a753623c7ac92dd0440dd307af

memory/4732-35-0x0000000000490000-0x00000000004CE000-memory.dmp

memory/4732-41-0x0000000000490000-0x00000000004CE000-memory.dmp

memory/4732-42-0x0000000006A90000-0x0000000006A91000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3677044.exe

MD5 f77d78af12b9628421ed4e1dfb7deb13
SHA1 9b6fa06af3564e2fe4724d8b5ebfdfd2a7ec0fd5
SHA256 10d806abe4d088bbb95c43a04c91f68a10888bd256de9c9a58c4c7642a9572ab
SHA512 6c01f44fdb412a58a19ddb4caf73a502a5aae10aecb959a67142ab267ef6732a7e5e6346c1a5ce5aa52823ae5b50372c083e4e59f650c835a38c75d334303e00

memory/4536-48-0x00000000009C0000-0x00000000009CA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c1783125.exe

MD5 1bc0f3239045d44d169496f3b247f881
SHA1 1884266973607585ec1b134f6009c17e54f3b18f
SHA256 8d09dd356bd29f5d38121849999e828d955e116d03542444d0b4f40073596e7f
SHA512 dc3a2358d4d2613bb82c60362c409590a8699d53625efd9fd8b853f5e19afed07c798cf66b59d38bd526a80559bc4cc486b23b0f40f3fb120bd61a67946f87a9

memory/3980-53-0x0000000001FF0000-0x000000000207C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\System.dll.log

MD5 916851e072fbabc4796d8916c5131092
SHA1 d48a602229a690c512d5fdaf4c8d77547a88e7a2
SHA256 7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d
SHA512 07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

memory/3980-60-0x0000000001FF0000-0x000000000207C000-memory.dmp

memory/3980-62-0x0000000002250000-0x0000000002256000-memory.dmp

memory/3980-63-0x0000000005E10000-0x0000000006428000-memory.dmp

memory/3980-64-0x0000000006470000-0x000000000657A000-memory.dmp

memory/3980-65-0x00000000065A0000-0x00000000065B2000-memory.dmp

memory/3980-66-0x00000000065C0000-0x00000000065FC000-memory.dmp

memory/3980-67-0x0000000006630000-0x000000000667C000-memory.dmp

Analysis: behavioral17

Detonation Overview

Submitted

2024-05-10 11:35

Reported

2024-05-10 11:38

Platform

win7-20240221-en

Max time kernel

122s

Max time network

129s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e04ecd64b5614cc4103cdde760de6180002d85792ec28fa0beb64b385bf3f11b.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\e04ecd64b5614cc4103cdde760de6180002d85792ec28fa0beb64b385bf3f11b.exe

"C:\Users\Admin\AppData\Local\Temp\e04ecd64b5614cc4103cdde760de6180002d85792ec28fa0beb64b385bf3f11b.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2216 -s 116

Network

N/A

Files

memory/2216-0-0x0000000001273000-0x0000000001275000-memory.dmp

Analysis: behavioral19

Detonation Overview

Submitted

2024-05-10 11:35

Reported

2024-05-10 11:38

Platform

win7-20240215-en

Max time kernel

119s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e38bd93e7494d62b91d0445138d215387c568aa6b6e9ae0a92842ba7b1999228.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\e38bd93e7494d62b91d0445138d215387c568aa6b6e9ae0a92842ba7b1999228.exe

"C:\Users\Admin\AppData\Local\Temp\e38bd93e7494d62b91d0445138d215387c568aa6b6e9ae0a92842ba7b1999228.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2744 -s 116

Network

N/A

Files

memory/2744-0-0x0000000000302000-0x0000000000303000-memory.dmp

Analysis: behavioral22

Detonation Overview

Submitted

2024-05-10 11:35

Reported

2024-05-10 11:38

Platform

win10v2004-20240508-en

Max time kernel

142s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f943251c5b3ff162faabeb09676429800f82298b7971cbfb3dee652de07b391b.exe"

Signatures

Amadey

trojan amadey

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h6394657.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h6394657.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h6394657.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h6394657.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h6394657.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h6394657.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g4651268.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h6394657.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\f943251c5b3ff162faabeb09676429800f82298b7971cbfb3dee652de07b391b.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7661534.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h6394657.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3096 wrote to memory of 3420 N/A C:\Users\Admin\AppData\Local\Temp\f943251c5b3ff162faabeb09676429800f82298b7971cbfb3dee652de07b391b.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7661534.exe
PID 3096 wrote to memory of 3420 N/A C:\Users\Admin\AppData\Local\Temp\f943251c5b3ff162faabeb09676429800f82298b7971cbfb3dee652de07b391b.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7661534.exe
PID 3096 wrote to memory of 3420 N/A C:\Users\Admin\AppData\Local\Temp\f943251c5b3ff162faabeb09676429800f82298b7971cbfb3dee652de07b391b.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7661534.exe
PID 3420 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7661534.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g4651268.exe
PID 3420 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7661534.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g4651268.exe
PID 3420 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7661534.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g4651268.exe
PID 1652 wrote to memory of 3252 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g4651268.exe C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
PID 1652 wrote to memory of 3252 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g4651268.exe C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
PID 1652 wrote to memory of 3252 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g4651268.exe C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
PID 3420 wrote to memory of 800 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7661534.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h6394657.exe
PID 3420 wrote to memory of 800 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7661534.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h6394657.exe
PID 3252 wrote to memory of 4676 N/A C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe C:\Windows\SysWOW64\schtasks.exe
PID 3252 wrote to memory of 4676 N/A C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe C:\Windows\SysWOW64\schtasks.exe
PID 3252 wrote to memory of 4676 N/A C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe C:\Windows\SysWOW64\schtasks.exe
PID 3252 wrote to memory of 4552 N/A C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe C:\Windows\SysWOW64\cmd.exe
PID 3252 wrote to memory of 4552 N/A C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe C:\Windows\SysWOW64\cmd.exe
PID 3252 wrote to memory of 4552 N/A C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe C:\Windows\SysWOW64\cmd.exe
PID 4552 wrote to memory of 5048 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4552 wrote to memory of 5048 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4552 wrote to memory of 5048 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4552 wrote to memory of 1456 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4552 wrote to memory of 1456 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4552 wrote to memory of 1456 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4552 wrote to memory of 4028 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4552 wrote to memory of 4028 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4552 wrote to memory of 4028 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4552 wrote to memory of 4760 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4552 wrote to memory of 4760 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4552 wrote to memory of 4760 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4552 wrote to memory of 4568 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4552 wrote to memory of 4568 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4552 wrote to memory of 4568 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4552 wrote to memory of 1648 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4552 wrote to memory of 1648 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4552 wrote to memory of 1648 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3096 wrote to memory of 3328 N/A C:\Users\Admin\AppData\Local\Temp\f943251c5b3ff162faabeb09676429800f82298b7971cbfb3dee652de07b391b.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j3117914.exe
PID 3096 wrote to memory of 3328 N/A C:\Users\Admin\AppData\Local\Temp\f943251c5b3ff162faabeb09676429800f82298b7971cbfb3dee652de07b391b.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j3117914.exe
PID 3096 wrote to memory of 3328 N/A C:\Users\Admin\AppData\Local\Temp\f943251c5b3ff162faabeb09676429800f82298b7971cbfb3dee652de07b391b.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j3117914.exe

Processes

C:\Users\Admin\AppData\Local\Temp\f943251c5b3ff162faabeb09676429800f82298b7971cbfb3dee652de07b391b.exe

"C:\Users\Admin\AppData\Local\Temp\f943251c5b3ff162faabeb09676429800f82298b7971cbfb3dee652de07b391b.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7661534.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7661534.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g4651268.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g4651268.exe

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

"C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe"

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h6394657.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h6394657.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN pdates.exe /TR "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "pdates.exe" /P "Admin:N"&&CACLS "pdates.exe" /P "Admin:R" /E&&echo Y|CACLS "..\925e7e99c5" /P "Admin:N"&&CACLS "..\925e7e99c5" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "pdates.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "pdates.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\925e7e99c5" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\925e7e99c5" /P "Admin:R" /E

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4232,i,1067197275908310731,12785105794523264014,262144 --variations-seed-version --mojo-platform-channel-handle=4404 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j3117914.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j3117914.exe

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

Network

Country  Destination         Domain                        Proto
US       8.8.8.8:53          8.8.8.8.in-addr.arpa          udp
US       8.8.8.8:53          76.32.126.40.in-addr.arpa     udp
FI       77.91.68.61:80                                    tcp
NL       23.62.61.99:443     www.bing.com                  tcp
US       8.8.8.8:53          172.210.232.199.in-addr.arpa  udp
US       8.8.8.8:53          55.36.223.20.in-addr.arpa     udp
US       8.8.8.8:53          99.61.62.23.in-addr.arpa      udp
FI       77.91.124.84:19071                                tcp
FI       77.91.124.84:19071                                tcp
FI       77.91.68.61:80                                    tcp
US       8.8.8.8:53          11.227.111.52.in-addr.arpa    udp
FI       77.91.124.84:19071                                tcp
FI       77.91.68.61:80                                    tcp
FI       77.91.124.84:19071                                tcp
FI       77.91.124.84:19071                                tcp
FI       77.91.124.84:19071                                tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7661534.exe

MD5 b590de91b098593e9d552d46029e22a0
SHA1 68efe1b06f4ff1415479c9401f6975fe8c5890a3
SHA256 8ccb68574729f8a471c6ba81c8611248a1f3def44181a894a04f7fd2003df361
SHA512 327f417030d7d54732c6687d693192dd95e9f53f0b1fa492fe73aef9668acde1cb5ebceea40a78903642f51a87888b4173adaf7ef21c12e627294d939c0c32cd

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g4651268.exe

MD5 aea234064483f651010cf9d981f59fea
SHA1 002ad73a666d2d92d0c6d6b617e61c6fa0c5f3a6
SHA256 58b02c8b4bc2bf7f5f1e8e45d7c206956f188ae56b648922ca75987b999db503
SHA512 eae415ef55aeb1b4548c2422a72e618fce17c2c1322918d33dc6b9202a01c743a5684ba28e5d83b6cdb2b703bc12569e6bb0e87ef2decb4e8a18592e1380a434

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h6394657.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

memory/800-27-0x0000000000DA0000-0x0000000000DAA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j3117914.exe

MD5 1447b4fb4151d764c146112f35fbd3e7
SHA1 9094efd622b29020446376a29f77e58388cde97b
SHA256 a524f189c161620e8ff49b7a6b2b71540a776ce6259e18e8286aa0c8a81beb20
SHA512 d1c81398785b34beb7cb1edab4a602dcbb993d49e43cdd029c21a16283f4f90c4fdb15c70b6adc8cff3d5aed2930298c21888276739c2b6fd9eaaac9c429da76

memory/3328-32-0x0000000000690000-0x00000000006C0000-memory.dmp

memory/3328-33-0x0000000000D80000-0x0000000000D86000-memory.dmp

memory/3328-34-0x000000000AB40000-0x000000000B158000-memory.dmp

memory/3328-35-0x000000000A640000-0x000000000A74A000-memory.dmp

memory/3328-36-0x000000000A580000-0x000000000A592000-memory.dmp

memory/3328-37-0x000000000A5E0000-0x000000000A61C000-memory.dmp

memory/3328-38-0x00000000028C0000-0x000000000290C000-memory.dmp

Analysis: behavioral24

Detonation Overview

Submitted

2024-05-10 11:35

Reported

2024-05-10 11:38

Platform

win10v2004-20240508-en

Max time kernel

143s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fb49b50c0d470063e9548552158ebf5137ca285f8cf0ccfe1a2ef2d44bbb4390.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 32 set thread context of 772 N/A C:\Users\Admin\AppData\Local\Temp\fb49b50c0d470063e9548552158ebf5137ca285f8cf0ccfe1a2ef2d44bbb4390.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 32 wrote to memory of 1124 N/A C:\Users\Admin\AppData\Local\Temp\fb49b50c0d470063e9548552158ebf5137ca285f8cf0ccfe1a2ef2d44bbb4390.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 32 wrote to memory of 1124 N/A C:\Users\Admin\AppData\Local\Temp\fb49b50c0d470063e9548552158ebf5137ca285f8cf0ccfe1a2ef2d44bbb4390.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 32 wrote to memory of 1124 N/A C:\Users\Admin\AppData\Local\Temp\fb49b50c0d470063e9548552158ebf5137ca285f8cf0ccfe1a2ef2d44bbb4390.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 32 wrote to memory of 772 N/A C:\Users\Admin\AppData\Local\Temp\fb49b50c0d470063e9548552158ebf5137ca285f8cf0ccfe1a2ef2d44bbb4390.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 32 wrote to memory of 772 N/A C:\Users\Admin\AppData\Local\Temp\fb49b50c0d470063e9548552158ebf5137ca285f8cf0ccfe1a2ef2d44bbb4390.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 32 wrote to memory of 772 N/A C:\Users\Admin\AppData\Local\Temp\fb49b50c0d470063e9548552158ebf5137ca285f8cf0ccfe1a2ef2d44bbb4390.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 32 wrote to memory of 772 N/A C:\Users\Admin\AppData\Local\Temp\fb49b50c0d470063e9548552158ebf5137ca285f8cf0ccfe1a2ef2d44bbb4390.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 32 wrote to memory of 772 N/A C:\Users\Admin\AppData\Local\Temp\fb49b50c0d470063e9548552158ebf5137ca285f8cf0ccfe1a2ef2d44bbb4390.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 32 wrote to memory of 772 N/A C:\Users\Admin\AppData\Local\Temp\fb49b50c0d470063e9548552158ebf5137ca285f8cf0ccfe1a2ef2d44bbb4390.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 32 wrote to memory of 772 N/A C:\Users\Admin\AppData\Local\Temp\fb49b50c0d470063e9548552158ebf5137ca285f8cf0ccfe1a2ef2d44bbb4390.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 32 wrote to memory of 772 N/A C:\Users\Admin\AppData\Local\Temp\fb49b50c0d470063e9548552158ebf5137ca285f8cf0ccfe1a2ef2d44bbb4390.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Processes

C:\Users\Admin\AppData\Local\Temp\fb49b50c0d470063e9548552158ebf5137ca285f8cf0ccfe1a2ef2d44bbb4390.exe

"C:\Users\Admin\AppData\Local\Temp\fb49b50c0d470063e9548552158ebf5137ca285f8cf0ccfe1a2ef2d44bbb4390.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 pastebin.com udp
US 104.20.3.235:443 pastebin.com tcp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 235.3.20.104.in-addr.arpa udp
NL 23.62.61.75:443 www.bing.com tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 75.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 31.251.17.2.in-addr.arpa udp
US 104.20.3.235:443 pastebin.com tcp
US 104.20.3.235:443 pastebin.com tcp
US 104.20.3.235:443 pastebin.com tcp
US 104.20.3.235:443 pastebin.com tcp

Files

memory/32-0-0x0000000000A50000-0x0000000000A51000-memory.dmp

memory/32-1-0x0000000000A50000-0x0000000000A51000-memory.dmp

memory/772-2-0x0000000000400000-0x0000000000422000-memory.dmp

memory/32-3-0x0000000000A50000-0x0000000000A51000-memory.dmp

memory/772-4-0x000000007439E000-0x000000007439F000-memory.dmp

memory/772-5-0x0000000004F50000-0x0000000004FB6000-memory.dmp

memory/772-6-0x0000000005AD0000-0x00000000060E8000-memory.dmp

memory/772-7-0x0000000005540000-0x0000000005552000-memory.dmp

memory/772-8-0x0000000005670000-0x000000000577A000-memory.dmp

memory/772-9-0x0000000074390000-0x0000000074B40000-memory.dmp

memory/772-10-0x000000007439E000-0x000000007439F000-memory.dmp

memory/772-11-0x0000000074390000-0x0000000074B40000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-10 11:35

Reported

2024-05-10 11:38

Platform

win10v2004-20240426-en

Max time kernel

148s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\143e14de3ab20f2359132907b991db6a76d0d521ba132b83a736d149619409c5.exe"

Signatures

Amadey

trojan amadey

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7511157.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7511157.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7511157.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7511157.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7511157.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7511157.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l5242522.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe N/A

Windows security modification

evasion trojan

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7511157.exe N/A

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\143e14de3ab20f2359132907b991db6a76d0d521ba132b83a736d149619409c5.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1359229.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7511157.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7511157.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7511157.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l5242522.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1536 wrote to memory of 4976 N/A C:\Users\Admin\AppData\Local\Temp\143e14de3ab20f2359132907b991db6a76d0d521ba132b83a736d149619409c5.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1359229.exe
PID 1536 wrote to memory of 4976 N/A C:\Users\Admin\AppData\Local\Temp\143e14de3ab20f2359132907b991db6a76d0d521ba132b83a736d149619409c5.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1359229.exe
PID 1536 wrote to memory of 4976 N/A C:\Users\Admin\AppData\Local\Temp\143e14de3ab20f2359132907b991db6a76d0d521ba132b83a736d149619409c5.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1359229.exe
PID 4976 wrote to memory of 400 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1359229.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7511157.exe
PID 4976 wrote to memory of 400 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1359229.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7511157.exe
PID 4976 wrote to memory of 3660 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1359229.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l5242522.exe
PID 4976 wrote to memory of 3660 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1359229.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l5242522.exe
PID 4976 wrote to memory of 3660 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1359229.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l5242522.exe
PID 3660 wrote to memory of 5084 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l5242522.exe C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
PID 3660 wrote to memory of 5084 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l5242522.exe C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
PID 3660 wrote to memory of 5084 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l5242522.exe C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
PID 1536 wrote to memory of 1564 N/A C:\Users\Admin\AppData\Local\Temp\143e14de3ab20f2359132907b991db6a76d0d521ba132b83a736d149619409c5.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n4765071.exe
PID 1536 wrote to memory of 1564 N/A C:\Users\Admin\AppData\Local\Temp\143e14de3ab20f2359132907b991db6a76d0d521ba132b83a736d149619409c5.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n4765071.exe
PID 1536 wrote to memory of 1564 N/A C:\Users\Admin\AppData\Local\Temp\143e14de3ab20f2359132907b991db6a76d0d521ba132b83a736d149619409c5.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n4765071.exe
PID 5084 wrote to memory of 3220 N/A C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe C:\Windows\SysWOW64\schtasks.exe
PID 5084 wrote to memory of 3220 N/A C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe C:\Windows\SysWOW64\schtasks.exe
PID 5084 wrote to memory of 3220 N/A C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe C:\Windows\SysWOW64\schtasks.exe
PID 5084 wrote to memory of 3688 N/A C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe C:\Windows\SysWOW64\cmd.exe
PID 5084 wrote to memory of 3688 N/A C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe C:\Windows\SysWOW64\cmd.exe
PID 5084 wrote to memory of 3688 N/A C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe C:\Windows\SysWOW64\cmd.exe
PID 3688 wrote to memory of 2748 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3688 wrote to memory of 2748 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3688 wrote to memory of 2748 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3688 wrote to memory of 3952 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3688 wrote to memory of 3952 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3688 wrote to memory of 3952 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3688 wrote to memory of 636 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3688 wrote to memory of 636 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3688 wrote to memory of 636 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3688 wrote to memory of 4848 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3688 wrote to memory of 4848 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3688 wrote to memory of 4848 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3688 wrote to memory of 3576 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3688 wrote to memory of 3576 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3688 wrote to memory of 3576 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3688 wrote to memory of 4972 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3688 wrote to memory of 4972 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3688 wrote to memory of 4972 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe

Processes

C:\Users\Admin\AppData\Local\Temp\143e14de3ab20f2359132907b991db6a76d0d521ba132b83a736d149619409c5.exe

"C:\Users\Admin\AppData\Local\Temp\143e14de3ab20f2359132907b991db6a76d0d521ba132b83a736d149619409c5.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1359229.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1359229.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7511157.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7511157.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l5242522.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l5242522.exe

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

"C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n4765071.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n4765071.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN pdates.exe /TR "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "pdates.exe" /P "Admin:N"&&CACLS "pdates.exe" /P "Admin:R" /E&&echo Y|CACLS "..\925e7e99c5" /P "Admin:N"&&CACLS "..\925e7e99c5" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "pdates.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "pdates.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\925e7e99c5" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\925e7e99c5" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start wuauserv

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
FI 77.91.68.61:80 tcp
FI 77.91.68.68:19071 tcp
FI 77.91.68.68:19071 tcp
FI 77.91.68.61:80 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
FI 77.91.68.68:19071 tcp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
FI 77.91.68.61:80 tcp
FI 77.91.68.68:19071 tcp
NL 23.62.61.185:443 www.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
FI 77.91.68.68:19071 tcp
FI 77.91.68.68:19071 tcp
US 8.8.8.8:53 169.117.168.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1359229.exe

MD5 f5f946ac4583af832c2d637fd85246fb
SHA1 dffad329cad828e547d1eb418a4fc709ba05fcc7
SHA256 44e8ec63756866f0209362393b22273dd2106f5a207ff8f8e16f71ce45bf0455
SHA512 0f5fbb1400818078d97964da427e24cedd8a998343cc2de79a28b0137c629070ba60f44ea0c03fa8424c03040fff403cf4b72597596917ca72ba1eed2a55e9b6

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7511157.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

memory/400-14-0x0000000000F50000-0x0000000000F5A000-memory.dmp

memory/400-15-0x00007FFB7B3C3000-0x00007FFB7B3C5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l5242522.exe

MD5 aea234064483f651010cf9d981f59fea
SHA1 002ad73a666d2d92d0c6d6b617e61c6fa0c5f3a6
SHA256 58b02c8b4bc2bf7f5f1e8e45d7c206956f188ae56b648922ca75987b999db503
SHA512 eae415ef55aeb1b4548c2422a72e618fce17c2c1322918d33dc6b9202a01c743a5684ba28e5d83b6cdb2b703bc12569e6bb0e87ef2decb4e8a18592e1380a434

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n4765071.exe

MD5 2e579346644673daa171cbfbbf226e92
SHA1 15c654470dda2e03c3579cc06f02f01756b8f220
SHA256 e7fa30eaa844288719a635b40bfa1bce8aeb1bade6683915e00b71891453019a
SHA512 b5a0a0c869447ab586dfcb512b646b409139eb2e086c0c46f777fecb84d417fef7c75be688a3f63eea0fc704649b683f10afa20b9243e4e8d7363883daebe995

memory/1564-33-0x00000000001A0000-0x00000000001D0000-memory.dmp

memory/1564-34-0x0000000002550000-0x0000000002556000-memory.dmp

memory/1564-35-0x0000000005230000-0x0000000005848000-memory.dmp

memory/1564-36-0x0000000004D30000-0x0000000004E3A000-memory.dmp

memory/1564-37-0x0000000004C70000-0x0000000004C82000-memory.dmp

memory/1564-38-0x0000000004CD0000-0x0000000004D0C000-memory.dmp

memory/1564-39-0x0000000004E40000-0x0000000004E8C000-memory.dmp

Analysis: behavioral18

Detonation Overview

Submitted

2024-05-10 11:35

Reported

2024-05-10 11:38

Platform

win10v2004-20240508-en

Max time kernel

91s

Max time network

96s

Command Line

sihost.exe

Signatures

Rhadamanthys

stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 3096 created 2648 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\system32\sihost.exe

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3212 set thread context of 3096 N/A C:\Users\Admin\AppData\Local\Temp\e04ecd64b5614cc4103cdde760de6180002d85792ec28fa0beb64b385bf3f11b.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3212 wrote to memory of 3096 N/A C:\Users\Admin\AppData\Local\Temp\e04ecd64b5614cc4103cdde760de6180002d85792ec28fa0beb64b385bf3f11b.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3212 wrote to memory of 3096 N/A C:\Users\Admin\AppData\Local\Temp\e04ecd64b5614cc4103cdde760de6180002d85792ec28fa0beb64b385bf3f11b.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3212 wrote to memory of 3096 N/A C:\Users\Admin\AppData\Local\Temp\e04ecd64b5614cc4103cdde760de6180002d85792ec28fa0beb64b385bf3f11b.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3212 wrote to memory of 3096 N/A C:\Users\Admin\AppData\Local\Temp\e04ecd64b5614cc4103cdde760de6180002d85792ec28fa0beb64b385bf3f11b.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3212 wrote to memory of 3096 N/A C:\Users\Admin\AppData\Local\Temp\e04ecd64b5614cc4103cdde760de6180002d85792ec28fa0beb64b385bf3f11b.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3212 wrote to memory of 3096 N/A C:\Users\Admin\AppData\Local\Temp\e04ecd64b5614cc4103cdde760de6180002d85792ec28fa0beb64b385bf3f11b.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3212 wrote to memory of 3096 N/A C:\Users\Admin\AppData\Local\Temp\e04ecd64b5614cc4103cdde760de6180002d85792ec28fa0beb64b385bf3f11b.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3212 wrote to memory of 3096 N/A C:\Users\Admin\AppData\Local\Temp\e04ecd64b5614cc4103cdde760de6180002d85792ec28fa0beb64b385bf3f11b.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3212 wrote to memory of 3096 N/A C:\Users\Admin\AppData\Local\Temp\e04ecd64b5614cc4103cdde760de6180002d85792ec28fa0beb64b385bf3f11b.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3212 wrote to memory of 3096 N/A C:\Users\Admin\AppData\Local\Temp\e04ecd64b5614cc4103cdde760de6180002d85792ec28fa0beb64b385bf3f11b.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3212 wrote to memory of 3096 N/A C:\Users\Admin\AppData\Local\Temp\e04ecd64b5614cc4103cdde760de6180002d85792ec28fa0beb64b385bf3f11b.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3096 wrote to memory of 220 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\SysWOW64\dialer.exe
PID 3096 wrote to memory of 220 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\SysWOW64\dialer.exe
PID 3096 wrote to memory of 220 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\SysWOW64\dialer.exe
PID 3096 wrote to memory of 220 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\SysWOW64\dialer.exe
PID 3096 wrote to memory of 220 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\SysWOW64\dialer.exe

Processes

C:\Windows\system32\sihost.exe

sihost.exe

C:\Users\Admin\AppData\Local\Temp\e04ecd64b5614cc4103cdde760de6180002d85792ec28fa0beb64b385bf3f11b.exe

"C:\Users\Admin\AppData\Local\Temp\e04ecd64b5614cc4103cdde760de6180002d85792ec28fa0beb64b385bf3f11b.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3212 -ip 3212

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3212 -s 320

C:\Windows\SysWOW64\dialer.exe

"C:\Windows\system32\dialer.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3096 -ip 3096

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3096 -s 592

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 3096 -ip 3096

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3096 -s 588

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.75:443 www.bing.com tcp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
NL 23.62.61.75:443 www.bing.com tcp
US 8.8.8.8:53 75.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 32.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

memory/3212-0-0x0000000000343000-0x0000000000345000-memory.dmp

memory/3096-1-0x0000000000400000-0x000000000046D000-memory.dmp

memory/3096-3-0x0000000000400000-0x000000000046D000-memory.dmp

memory/3096-4-0x0000000000400000-0x000000000046D000-memory.dmp

memory/3096-5-0x0000000003CF0000-0x00000000040F0000-memory.dmp

memory/3096-6-0x0000000003CF0000-0x00000000040F0000-memory.dmp

memory/3096-7-0x0000000003CF0000-0x00000000040F0000-memory.dmp

memory/3096-8-0x00007FFA91BF0000-0x00007FFA91DE5000-memory.dmp

memory/3096-9-0x0000000003CF0000-0x00000000040F0000-memory.dmp

memory/3096-11-0x00000000759C0000-0x0000000075BD5000-memory.dmp

memory/220-12-0x00000000008A0000-0x00000000008A9000-memory.dmp

memory/220-14-0x00000000024D0000-0x00000000028D0000-memory.dmp

memory/220-16-0x00000000024D0000-0x00000000028D0000-memory.dmp

memory/220-19-0x00000000024D0000-0x00000000028D0000-memory.dmp

memory/220-18-0x00000000759C0000-0x0000000075BD5000-memory.dmp

memory/220-15-0x00007FFA91BF0000-0x00007FFA91DE5000-memory.dmp

memory/220-20-0x00000000024D0000-0x00000000028D0000-memory.dmp

memory/3096-21-0x0000000003CF0000-0x00000000040F0000-memory.dmp

Analysis: behavioral10

Detonation Overview

Submitted

2024-05-10 11:35

Reported

2024-05-10 11:38

Platform

win7-20240221-en

Max time kernel

119s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\68ca177d42ab79022ede5d703f2f3b4e3de42fc1ae56a531b50f66f3339721f8.exe"

Signatures

UPX packed file

upx

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\68ca177d42ab79022ede5d703f2f3b4e3de42fc1ae56a531b50f66f3339721f8.exe

"C:\Users\Admin\AppData\Local\Temp\68ca177d42ab79022ede5d703f2f3b4e3de42fc1ae56a531b50f66f3339721f8.exe"

Network

N/A

Files

memory/2908-1-0x000000013FDC0000-0x0000000140939000-memory.dmp

memory/2908-0-0x000000013FDC0000-0x0000000140939000-memory.dmp

Analysis: behavioral15

Detonation Overview

Submitted

2024-05-10 11:35

Reported

2024-05-10 11:38

Platform

win10v2004-20240426-en

Max time kernel

139s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b6b53c7022ec83f58037dc5fee6d8a5dd71ff675b2851d1ebdaac02d608ebac9.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a6918678.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a6918678.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b0194431.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b0194431.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b0194431.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a6918678.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a6918678.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b0194431.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b0194431.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b0194431.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a6918678.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a6918678.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Windows security modification

evasion trojan

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a6918678.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b0194431.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a6918678.exe N/A

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\b6b53c7022ec83f58037dc5fee6d8a5dd71ff675b2851d1ebdaac02d608ebac9.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8193530.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7356747.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1869910.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v6266876.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a6918678.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b0194431.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4976 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\b6b53c7022ec83f58037dc5fee6d8a5dd71ff675b2851d1ebdaac02d608ebac9.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8193530.exe
PID 2788 wrote to memory of 3720 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8193530.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7356747.exe
PID 3720 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7356747.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1869910.exe
PID 1848 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1869910.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v6266876.exe
PID 2068 wrote to memory of 1512 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v6266876.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a6918678.exe
PID 2068 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v6266876.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b0194431.exe
PID 1848 wrote to memory of 4480 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1869910.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c9863785.exe

Processes

Process Command line
C:\Users\Admin\AppData\Local\Temp\b6b53c7022ec83f58037dc5fee6d8a5dd71ff675b2851d1ebdaac02d608ebac9.exe "C:\Users\Admin\AppData\Local\Temp\b6b53c7022ec83f58037dc5fee6d8a5dd71ff675b2851d1ebdaac02d608ebac9.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8193530.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8193530.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7356747.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7356747.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1869910.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1869910.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v6266876.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v6266876.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a6918678.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a6918678.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b0194431.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b0194431.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c9863785.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c9863785.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.185:443 www.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 185.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
FI 77.91.68.56:19071 N/A tcp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8193530.exe

MD5 8f452b4a4326c38e4571b85753f14835
SHA1 39e82691dbf838c5929a85c0ccea571b2eeaa762
SHA256 2c425603871cfae47a16427da45eb520a5ed3d232c7cd61f40106132368da097
SHA512 5a562cd0ba0c785afe7121fd99bc39173a2121452c011bdb7424ffe30c95e181d4848dbe70996f40d02e03518328159b8913ae7351cfb4da9d4da1b4cd36a061

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7356747.exe

MD5 c01e50a9b08254b6225359b71398aec4
SHA1 69290aa4f0cfff274bd47cbea733cd1494329fff
SHA256 e11371b57008d6851d429072eb585f23a66ef95ba1f2fe63bd2ee922b8583a12
SHA512 73b878812254dbf5854e5cd330bcb063eca437b2f84b127f6f8fae664d274b3de5904a97ea070c77f32fe3838d69926aa7e9f19d3abaa4b81cc8684c9acc0b5d

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1869910.exe

MD5 b047020daecfcd4d6486280843970ca3
SHA1 1126405fb85088855aa5c5b0a4fe8c53deff0d25
SHA256 6347410a710cfe628661defb8efdb525f50735c3eeb0911a1b4c40888708bab8
SHA512 78d6bbedafae407382fb5e27982c03d04c8036406742168203577974d0632915125324292665ff07e82ef42faeca5a24add5ac0ccf0ac7a5ced4152bfad44a65

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v6266876.exe

MD5 3700b23c6984dc6b04ae254478422acf
SHA1 c96f67a6cd8c1c5c421a2f7268fdb0cbbcf5969d
SHA256 53432dba21043cefad2ee82a5077c1aea9238fa7a57f8701799c03717b27b344
SHA512 5c9b84a799ae5178ff835fb31e8a9b986bd923fc6fa5d13aff1df33ed66f0eea4826066ec741b04deafd5370a08dbdf154668c3dfde2177c9b1378198fb1ce75

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a6918678.exe

MD5 52a2bfba5bb378ef0d888bff0a0a9a4c
SHA1 e407c2042a2751b2643c4ba379b37f5c98242c07
SHA256 46aedf9813ed0c38fac92d5493e5dde9b57dbc6304456fc2ececa49e07feed65
SHA512 cd46b3f4f4165ddc64c3c87ad8ef0b855c032e8ecb863092b9fb08cd5885a31178f8538dfd447c4e0848cdf09cd7e2ce4e972c2ac4719cb60dd5c36ae8713ec8

memory/1512-35-0x00000000005A0000-0x00000000005DE000-memory.dmp

memory/1512-41-0x00000000005A0000-0x00000000005DE000-memory.dmp

memory/1512-42-0x0000000002370000-0x0000000002371000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b0194431.exe

MD5 a489f76b1e20676c44e20a1265d95bd2
SHA1 4adea8e3285c282db000d943bb98a5a7b9f797b7
SHA256 4c2d887e30ef21d4754b422f989dd02647ffd5ecfeea4342034e646e914ea32d
SHA512 06b205ec385ac02692a039cff628c8c5dcc4d1e388a05d4bdc8ad6b7f6efc61a3caf8c9bd9f18d08f321a4e11d27932af8a0ca8bc60bf62d2dbf0a8075bbcfa3

memory/1736-48-0x0000000000B10000-0x0000000000B1A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c9863785.exe

MD5 c0cb72fd5b63fa6a0e23311a69b60989
SHA1 bc1d486836b34d78d9169fec03e4b60433e1374c
SHA256 875aa2484a1a2abf76d5e4888f69df5ef6eac968473931e34bfd7a571eaa3a1d
SHA512 a469239d9e7178b1127af703d1347670173ec45f446bc47e96b1edc8f6ecc1482de44d055a9183b8e9f441a9b0d1625da2b48d36392c919ca5be3ad6f542c805

memory/4480-54-0x0000000001FF0000-0x000000000207C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\System.dll.log

MD5 916851e072fbabc4796d8916c5131092
SHA1 d48a602229a690c512d5fdaf4c8d77547a88e7a2
SHA256 7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d
SHA512 07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

memory/4480-60-0x0000000001FF0000-0x000000000207C000-memory.dmp

memory/4480-62-0x0000000002540000-0x0000000002546000-memory.dmp

memory/4480-63-0x0000000005040000-0x0000000005658000-memory.dmp

memory/4480-64-0x0000000004A90000-0x0000000004B9A000-memory.dmp

memory/4480-65-0x0000000004BC0000-0x0000000004BD2000-memory.dmp

memory/4480-66-0x0000000004BE0000-0x0000000004C1C000-memory.dmp

memory/4480-67-0x0000000004C50000-0x0000000004C9C000-memory.dmp