Analysis Overview
SHA256: 0ff9bc0436d6052b24d3174a3e4aeb590fa03a5b78a09d0b6a5a4084006891e2
Threat Level: Known bad
The file red1.zip was found to be: Known bad.
Malicious Activity Summary
SmokeLoader
Amadey
Modifies Windows Defender Real-time Protection settings
Healer
RedLine
Detects Healer an antivirus disabler dropper
RedLine payload
Windows security modification
Executes dropped EXE
Checks computer location settings
Reads user/profile data of web browsers
Checks installed software on the system
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Suspicious use of SetThreadContext
Launches sc.exe
Unsigned PE
Program crash
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Creates scheduled task(s)
Modifies system certificate store
Suspicious use of AdjustPrivilegeToken
Checks SCSI registry key(s)
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-05-10 11:49
Signatures
Unsigned PE
Analysis: behavioral2
Detonation Overview
Submitted: 2024-05-10 11:49
Reported: 2024-05-10 11:53
Platform: win10v2004-20240508-en
Max time kernel: 149s
Max time network: 150s
Signatures
Amadey
Detects Healer an antivirus disabler dropper
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a5970039.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a5970039.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a5970039.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a5970039.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a5970039.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a5970039.exe | N/A |
RedLine
RedLine payload
SmokeLoader
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b4024066.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5031831.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5473069.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a5970039.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b4024066.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c9593912.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d6125712.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a5970039.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\2176dd177933f7067296700761e340f0aada8c29c352796e3aeb0be5db5e1368.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5031831.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5473069.exe | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c9593912.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c9593912.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c9593912.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a5970039.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a5970039.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a5970039.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2176dd177933f7067296700761e340f0aada8c29c352796e3aeb0be5db5e1368.exe | "C:\Users\Admin\AppData\Local\Temp\2176dd177933f7067296700761e340f0aada8c29c352796e3aeb0be5db5e1368.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5031831.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5031831.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5473069.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5473069.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a5970039.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a5970039.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b4024066.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b4024066.exe |
| C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe | "C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c9593912.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c9593912.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d6125712.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d6125712.exe |
| C:\Windows\SysWOW64\schtasks.exe | "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN danke.exe /TR "C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe" /F |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /k echo Y\|CACLS "danke.exe" /P "Admin:N"&&CACLS "danke.exe" /P "Admin:R" /E&&echo Y\|CACLS "..\3ec1f323b5" /P "Admin:N"&&CACLS "..\3ec1f323b5" /P "Admin:R" /E&&Exit |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /S /D /c" echo Y" |
| C:\Windows\SysWOW64\cacls.exe | CACLS "danke.exe" /P "Admin:N" |
| C:\Windows\SysWOW64\cacls.exe | CACLS "danke.exe" /P "Admin:R" /E |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /S /D /c" echo Y" |
| C:\Windows\SysWOW64\cacls.exe | CACLS "..\3ec1f323b5" /P "Admin:N" |
| C:\Windows\SysWOW64\cacls.exe | CACLS "..\3ec1f323b5" /P "Admin:R" /E |
| C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe | C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe |
| C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe | C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe |
| C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe | C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| NL | 23.62.61.75:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 75.61.62.23.in-addr.arpa | udp |
| FI | 77.91.68.3:80 | | tcp |
| FI | 77.91.68.68:19071 | | tcp |
| FI | 77.91.68.68:19071 | | tcp |
| FI | 77.91.68.3:80 | | tcp |
| FI | 77.91.68.68:19071 | | tcp |
| FI | 77.91.68.3:80 | | tcp |
| FI | 77.91.68.68:19071 | | tcp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| FI | 77.91.68.3:80 | | tcp |
| FI | 77.91.68.68:19071 | | tcp |
| FI | 77.91.68.3:80 | | tcp |
| FI | 77.91.68.68:19071 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5031831.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5473069.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a5970039.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b4024066.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c9593912.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d6125712.exe
Analysis: behavioral3
Detonation Overview
Submitted: 2024-05-10 11:49
Reported: 2024-05-10 11:52
Platform: win7-20240508-en
Max time kernel: 117s
Max time network: 119s
Signatures
RedLine
RedLine payload
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\25c57e67144c4603cb7936eb9ad62fb4a4b313d0acb99262c66c4792f6ecdf48.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\25c57e67144c4603cb7936eb9ad62fb4a4b313d0acb99262c66c4792f6ecdf48.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\25c57e67144c4603cb7936eb9ad62fb4a4b313d0acb99262c66c4792f6ecdf48.exe | N/A |
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\25c57e67144c4603cb7936eb9ad62fb4a4b313d0acb99262c66c4792f6ecdf48.exe | "C:\Users\Admin\AppData\Local\Temp\25c57e67144c4603cb7936eb9ad62fb4a4b313d0acb99262c66c4792f6ecdf48.exe" |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | omnomnom.top | udp |
| DE | 195.201.252.28:443 | omnomnom.top | tcp |
Files
Analysis: behavioral6
Detonation Overview
Submitted: 2024-05-10 11:49
Reported: 2024-05-10 11:52
Platform: win10v2004-20240426-en
Max time kernel: 149s
Max time network: 155s
Signatures
Amadey
Detects Healer an antivirus disabler dropper
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h1797481.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h1797481.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h1797481.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h1797481.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h1797481.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h1797481.exe | N/A |
RedLine
RedLine payload
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g1983558.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3540017.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g1983558.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h1797481.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j9677534.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h1797481.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\611b640fd7c9e06cb4ffde1db21b1f9ace29ac4c504fc14569faf426b234ec5e.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3540017.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h1797481.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h1797481.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h1797481.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\611b640fd7c9e06cb4ffde1db21b1f9ace29ac4c504fc14569faf426b234ec5e.exe | "C:\Users\Admin\AppData\Local\Temp\611b640fd7c9e06cb4ffde1db21b1f9ace29ac4c504fc14569faf426b234ec5e.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3540017.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3540017.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g1983558.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g1983558.exe |
| C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h1797481.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h1797481.exe |
| C:\Windows\SysWOW64\schtasks.exe | "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN pdates.exe /TR "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe" /F |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /k echo Y\|CACLS "pdates.exe" /P "Admin:N"&&CACLS "pdates.exe" /P "Admin:R" /E&&echo Y\|CACLS "..\925e7e99c5" /P "Admin:N"&&CACLS "..\925e7e99c5" /P "Admin:R" /E&&Exit |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /S /D /c" echo Y" |
| C:\Windows\SysWOW64\cacls.exe | CACLS "pdates.exe" /P "Admin:N" |
| C:\Windows\SysWOW64\cacls.exe | CACLS "pdates.exe" /P "Admin:R" /E |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /S /D /c" echo Y" |
| C:\Windows\SysWOW64\cacls.exe | CACLS "..\925e7e99c5" /P "Admin:N" |
| C:\Windows\SysWOW64\cacls.exe | CACLS "..\925e7e99c5" /P "Admin:R" /E |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j9677534.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j9677534.exe |
| C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe |
| C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe |
| C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe start wuauserv |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| FI | 77.91.68.61:80 | | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.72:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.61.62.23.in-addr.arpa | udp |
| NL | 23.62.61.72:443 | www.bing.com | tcp |
| FI | 77.91.124.84:19071 | | tcp |
| FI | 77.91.124.84:19071 | | tcp |
| FI | 77.91.68.61:80 | | tcp |
| FI | 77.91.124.84:19071 | | tcp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| FI | 77.91.68.61:80 | | tcp |
| FI | 77.91.124.84:19071 | | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| FI | 77.91.124.84:19071 | | tcp |
| FI | 77.91.124.84:19071 | | tcp |
| US | 8.8.8.8:53 | 26.73.42.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3540017.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g1983558.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h1797481.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j9677534.exe
Analysis: behavioral7
Detonation Overview
Submitted: 2024-05-10 11:49
Reported: 2024-05-10 11:52
Platform: win10v2004-20240426-en
Max time kernel: 146s
Max time network: 153s
Signatures
Amadey
Detects Healer an antivirus disabler dropper
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8400544.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8400544.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8400544.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8400544.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8400544.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8400544.exe | N/A |
RedLine
RedLine payload
SmokeLoader
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7161503.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6078870.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8094658.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1890207.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8400544.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7161503.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c9747003.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d7741225.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8400544.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\61ec6f7f3198f2f73155461b5544c1c55e467d0faa1776e05504a411b0530974.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6078870.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8094658.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1890207.exe | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c9747003.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c9747003.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c9747003.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8400544.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8400544.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8400544.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\61ec6f7f3198f2f73155461b5544c1c55e467d0faa1776e05504a411b0530974.exe
"C:\Users\Admin\AppData\Local\Temp\61ec6f7f3198f2f73155461b5544c1c55e467d0faa1776e05504a411b0530974.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6078870.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6078870.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8094658.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8094658.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1890207.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1890207.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8400544.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8400544.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7161503.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7161503.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
"C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe"
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c9747003.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c9747003.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN pdates.exe /TR "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "pdates.exe" /P "Admin:N"&&CACLS "pdates.exe" /P "Admin:R" /E&&echo Y|CACLS "..\925e7e99c5" /P "Admin:N"&&CACLS "..\925e7e99c5" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "pdates.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "pdates.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\925e7e99c5" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\925e7e99c5" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d7741225.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d7741225.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
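The persistence in this run belongs to the pdates.exe copy of Amadey: a scheduled task that relaunches it every minute, and a CACLS chain that strips the Admin account down to read-only on the dropped file and its folder so the payload cannot be modified or deleted by the user who owns it. The wextract_cleanup RunOnce values the report files under "Adds Run key to start application" are a different thing: advpack.dll,DelNodeRunDLL32 is the IExpress self-extractor's own entry for deleting its IXP00n.TMP folder at next logon, not an autorun of the malware. The Python below is an added example, not part of this report or of any sandbox tooling; it parses the three command lines exactly as they appear in the process tree and signature tables and returns the findings an analyst would write up. The thresholds (an interval of five minutes or less, a task action under %TEMP%) are assumptions.

```python
import re

# Command lines copied from the process tree above; the RunOnce data is copied from
# the report's "Adds Run key to start application" table.
SCHTASKS_CMD = (r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN pdates.exe '
                r'/TR "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe" /F')
CACLS_CMD = (r'"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "pdates.exe" /P "Admin:N"'
             r'&&CACLS "pdates.exe" /P "Admin:R" /E&&echo Y|CACLS "..\925e7e99c5" /P "Admin:N"'
             r'&&CACLS "..\925e7e99c5" /P "Admin:R" /E&&Exit')
RUNONCE_DATA = (r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 '
                r'"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"')

TEMP_DIR = re.compile(r'\\AppData\\Local\\Temp\\', re.IGNORECASE)
CACLS_RE = re.compile(r'CACLS\s+"([^"]+)"\s+/P\s+"([^":]+):([A-Z])"(\s+/E)?', re.IGNORECASE)
IEXPRESS_CLEANUP = re.compile(r'advpack\.dll,DelNodeRunDLL32\s+"[^"]*\\IXP\d{3}\.TMP\\?"', re.IGNORECASE)


def tokenize(cmdline):
    """Split a Windows command line on whitespace, keeping double-quoted spans whole."""
    return [q if q else bare for q, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def parse_schtasks(cmdline):
    """Return (action, {/SWITCH: value}) for a schtasks command line; bare flags map to True."""
    tokens = tokenize(cmdline)
    action, switches = None, {}
    i = 1                                   # skip the schtasks.exe image path
    while i < len(tokens):
        tok = tokens[i]
        if not tok.startswith('/'):
            i += 1
            continue
        key = tok.upper()
        if key in ('/CREATE', '/DELETE', '/QUERY', '/CHANGE', '/RUN', '/END'):
            action = key[1:].capitalize()
            i += 1
        elif i + 1 < len(tokens) and not tokens[i + 1].startswith('/'):
            switches[key] = tokens[i + 1]   # switch that takes a value
            i += 2
        else:
            switches[key] = True            # bare flag such as /F
            i += 1
    return action, switches


def assess_schtasks(cmdline, max_minutes=5):
    action, sw = parse_schtasks(cmdline)
    findings = []
    if action != 'Create':
        return findings
    sc, mo = sw.get('/SC', '').upper(), sw.get('/MO', '')
    if sc == 'MINUTE' and mo.isdigit() and int(mo) <= max_minutes:
        findings.append(f'task {sw.get("/TN")} re-runs every {mo} minute(s): relaunch-on-kill persistence')
    if TEMP_DIR.search(sw.get('/TR', '')):
        findings.append(f'task action {sw["/TR"]} lives under %TEMP%')
    if sw.get('/F') is True:
        findings.append('/F silently overwrites any existing task with the same name')
    return findings


def assess_cacls_chain(cmdline):
    """Detect 'replace ACL with None, then add Read' on a target: the owner can no longer modify or delete it."""
    ops = {}                                # target -> [(user, perm, edit_mode)]
    for segment in cmdline.split('&&'):
        m = CACLS_RE.search(segment)
        if m:
            target, user, perm, edit = m.groups()
            ops.setdefault(target, []).append((user, perm.upper(), bool(edit)))
    findings = []
    for target, steps in ops.items():
        perms = [(perm, edit) for _, perm, edit in steps]
        if ('N', False) in perms and ('R', True) in perms:
            findings.append(f'{target}: ACL replaced with None, then Read added back (read-only lockdown)')
    return findings


def classify_runonce(value_data):
    """IExpress registers a RunOnce entry that only deletes its IXP*.TMP folder; treat it as cleanup, not autorun."""
    return 'iexpress_cleanup' if IEXPRESS_CLEANUP.search(value_data) else 'autorun'


def report():
    return {'schtasks': assess_schtasks(SCHTASKS_CMD),
            'cacls': assess_cacls_chain(CACLS_CMD),
            'runonce': classify_runonce(RUNONCE_DATA)}


if __name__ == '__main__':
    for section, result in report().items():
        print(section, result)
```

The same parser runs unchanged over the identical schtasks and CACLS lines in the behavioral14 process tree, which is the point: the task name, the 925e7e99c5 folder and the deny-then-read ACL sequence are stable across the Amadey drops in this archive and make a better hunting pivot than the per-drop file hashes.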
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.57:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| NL | 23.62.61.57:443 | www.bing.com | tcp |
| FI | 77.91.68.61:80 | N/A | tcp |
| FI | 77.91.124.156:19071 | N/A | tcp |
| FI | 77.91.68.61:80 | N/A | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| FI | 77.91.124.156:19071 | N/A | tcp |
| FI | 77.91.68.61:80 | N/A | tcp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| FI | 77.91.124.156:19071 | N/A | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| FI | 77.91.124.156:19071 | N/A | tcp |
| FI | 77.91.124.156:19071 | N/A | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6078870.exe
| MD5 | 46a5f69bf60289bf73f38e1d9be85075 |
| SHA1 | 8639931600b10364a4c823b701c00893c22aea6b |
| SHA256 | 65db5d7052987e7e8d814719a1e9c77b7d0f755b7f100a0b3f0b0d1b83d9b43e |
| SHA512 | dbc4506574b8a92d600e60fd642f44942f2a19c3effbf284891da05751b5b6d82dab4122dab6abc758ec40eb366e3e042c3bc46aec3360440e113a550cd7ce29 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8094658.exe
| MD5 | eb475f3a8c4a25a19fa0abdc1e907952 |
| SHA1 | 8988b40a69f6cb754a42bc5c7871ed839629b504 |
| SHA256 | 40fbde6d35302d77db924d8a4db6569c23336d9205e82f12a82228cc100edb71 |
| SHA512 | 3199b26a1ce8049c64556a2a9d0465c3ffa479594ca01d7ce052ba64fd128ab9da6302bf55baaaf59479e3a4c53f0569d93d7bb4d1566d1d65b4864b4a20af09 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1890207.exe
| MD5 | 2dfe4d2812a48ddbf22392cc3a90970b |
| SHA1 | 4f1b63d32b90a492f98673c94646a42a6e853ac6 |
| SHA256 | 9e6f3fd3f785137a445cbe56ff06c292a6df24180f53811fc86132a2bd4859c2 |
| SHA512 | 8b30e6f60dc809e9411dd14439766ec61da1ce41170a987c6c917abfe8df3985d8d6870672b38e72c10317e178e032fdc94f1f36bc4c48cc79938ae9d7c9b6da |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8400544.exe
| MD5 | 7e93bacbbc33e6652e147e7fe07572a0 |
| SHA1 | 421a7167da01c8da4dc4d5234ca3dd84e319e762 |
| SHA256 | 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38 |
| SHA512 | 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91 |
memory/4616-28-0x0000000000A80000-0x0000000000A8A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7161503.exe
| MD5 | bc91e6e768fd91095e2345589ee83b4a |
| SHA1 | 8d1b66b836cb0e5134a3f807e6f552068ae3e049 |
| SHA256 | d0ad15538e2a3f9aedb1b72fcd30581d83b8ca9e8e044f1a404cd3a71cc601a4 |
| SHA512 | 2d8766287f50a95994a2c4496f09114406faa469baeb3719c061e08b323dd359338ba0a8fe526c2f7138fa1c8fa3018743ce2a26203626ecc5901e179d5224b1 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c9747003.exe
| MD5 | 6b8535ff7acd76f5a865bfa3e04fe4f7 |
| SHA1 | 26d3dc99f638cf9cae4681dd14269fe9723c904b |
| SHA256 | acf67950c3da59de03f145d42b15fb141395c524a091a46a0cc24d07e3e286da |
| SHA512 | ea3a27b4bb1bb8050b593f64f9bb9bf6ba53de10fb7e12a1e6687e156d85fb5757a1797ad7a7b6cc966730c9fa9b713b8ec01f1e2c2b315977ed47441571f83a |
memory/4960-46-0x0000000000400000-0x0000000000409000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d7741225.exe
| MD5 | a438c0ff74d4f3006dd94b497bae7179 |
| SHA1 | d6618c08840cea64523e48bde1f433731049876d |
| SHA256 | 7a183cd5079b87c635002449d16a0fe2b686f777b58f507a5825033214aba176 |
| SHA512 | 6ab764d9268aac5902b8026b7c5eb31e3956c86711e3ca52ab3fef12b45ad59a56b3ceb9e671c2efdf7b34543aa263dffe236eada2c754f23aa2ff0b7484a342 |
memory/3092-50-0x00000000008F0000-0x0000000000920000-memory.dmp
memory/3092-51-0x0000000002BE0000-0x0000000002BE6000-memory.dmp
memory/3092-52-0x000000000ABE0000-0x000000000B1F8000-memory.dmp
memory/3092-53-0x000000000A760000-0x000000000A86A000-memory.dmp
memory/3092-54-0x000000000A6A0000-0x000000000A6B2000-memory.dmp
memory/3092-55-0x000000000A700000-0x000000000A73C000-memory.dmp
memory/3092-56-0x0000000004C30000-0x0000000004C7C000-memory.dmp
Analysis: behavioral14
Detonation Overview
Submitted
2024-05-10 11:49
Reported
2024-05-10 11:52
Platform
win10v2004-20240508-en
Max time kernel
142s
Max time network
151s
Command Line
Signatures
Amadey
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h3421041.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h3421041.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h3421041.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h3421041.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h3421041.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h3421041.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g9541649.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9784938.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g9541649.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h3421041.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j4435350.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h3421041.exe | N/A |
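Healer's Defender tampering shows up above as five Real-Time Protection policy values set to 1 plus TamperProtection set to 0. In the behavioral23 run the same writes are logged under SOFTWARE\WOW6432Node\... because the 32-bit process is registry-redirected, so any detection keyed on these paths has to fold that prefix away before matching. The Python below is an added example, not sandbox output or a published rule; it parses rows in the table format used on this page, normalises WOW6432Node, and scores each writing process. The weighting (one point per real-time value, three for TamperProtection) is an assumption. One caveat for triage: the sandbox records the write attempt, and when Tamper Protection is enabled Defender ignores policy writes of this kind, so a "Set value" line shows intent, not that protection was actually disabled.

```python
import re
from collections import defaultdict

# Rows copied from the signature tables of behavioral14 (h3421041.exe) and behavioral23
# (k1421373.exe, 32-bit registry view), plus one unrelated Geo\Nation query as a control.
ROWS = r"""
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h3421041.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h3421041.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h3421041.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h3421041.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h3421041.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h3421041.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h3421041.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k1421373.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k1421373.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k1421373.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k1421373.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g9541649.exe | N/A |
"""

RTP_KEY = r'\registry\machine\software\policies\microsoft\windows defender\real-time protection'
FEATURES_KEY = r'\registry\machine\software\microsoft\windows defender\features'
RTP_DISABLES = {'disablebehaviormonitoring', 'disableioavprotection', 'disableonaccessprotection',
                'disablerealtimemonitoring', 'disablescanonrealtimeenable'}
# "<key path>" or "<key path>\<value name> = "<data>""
INDICATOR_RE = re.compile(r'^(.*?)(?:\\([^\\]+?) = "([^"]*)")?$')


def normalize_key(path):
    """Lower-case the path and drop the WOW6432Node hop a 32-bit writer is redirected through."""
    return re.sub(r'\\wow6432node', '', path.lower())


def parse_rows(table):
    events = []
    for line in table.splitlines():
        cells = [c.strip() for c in line.strip().strip('|').split('|')]
        if len(cells) < 3 or cells[0] == 'Description':
            continue
        op, indicator, process = cells[:3]
        path, name, value = INDICATOR_RE.match(indicator).groups()
        events.append({'op': op, 'key': normalize_key(path), 'name': (name or '').lower(),
                       'value': value, 'process': process})
    return events


def assess(events):
    """Score each process: one point per real-time protection value disabled, three for TamperProtection=0."""
    state = defaultdict(lambda: {'rtp_disabled': set(), 'tamper_protection_off': False})
    for ev in events:
        s = state[ev['process']]
        if ev['key'] == RTP_KEY and ev['name'] in RTP_DISABLES and ev['value'] == '1':
            s['rtp_disabled'].add(ev['name'])
        elif ev['key'] == FEATURES_KEY and ev['name'] == 'tamperprotection' and ev['value'] == '0':
            s['tamper_protection_off'] = True
    verdicts = {}
    for process, s in state.items():
        score = len(s['rtp_disabled']) + (3 if s['tamper_protection_off'] else 0)
        verdicts[process] = {**s, 'score': score, 'healer_like': score >= 3}
    return verdicts


if __name__ == '__main__':
    for process, v in assess(parse_rows(ROWS)).items():
        print(f'{process.rsplit(chr(92), 1)[-1]:<14} score={v["score"]} healer_like={v["healer_like"]}')
```

On a live host the equivalent check is to read the same two keys (both the native and the WOW6432Node view) and treat any Disable* value of 1 under Real-Time Protection, or TamperProtection of 0 under Features, as tampering unless a GPO is known to set it.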
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\9a72ed316bbd2e389eb2ecd7243e5841d041badae874aa11f831b452a7cff8b3.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9784938.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h3421041.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h3421041.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h3421041.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9a72ed316bbd2e389eb2ecd7243e5841d041badae874aa11f831b452a7cff8b3.exe
"C:\Users\Admin\AppData\Local\Temp\9a72ed316bbd2e389eb2ecd7243e5841d041badae874aa11f831b452a7cff8b3.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9784938.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9784938.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g9541649.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g9541649.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
"C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe"
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h3421041.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h3421041.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN pdates.exe /TR "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "pdates.exe" /P "Admin:N"&&CACLS "pdates.exe" /P "Admin:R" /E&&echo Y|CACLS "..\925e7e99c5" /P "Admin:N"&&CACLS "..\925e7e99c5" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "pdates.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "pdates.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\925e7e99c5" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\925e7e99c5" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j4435350.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j4435350.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
Network
| Country | Destination | Domain | Proto |
| FI | 77.91.68.61:80 | N/A | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.99:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.61.62.23.in-addr.arpa | udp |
| FI | 77.91.124.84:19071 | N/A | tcp |
| FI | 77.91.124.84:19071 | N/A | tcp |
| FI | 77.91.68.61:80 | N/A | tcp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| FI | 77.91.124.84:19071 | N/A | tcp |
| FI | 77.91.68.61:80 | N/A | tcp |
| US | 52.111.229.43:443 | N/A | tcp |
| FI | 77.91.124.84:19071 | N/A | tcp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| FI | 77.91.124.84:19071 | N/A | tcp |
| FI | 77.91.124.84:19071 | N/A | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9784938.exe
| MD5 | 87959c24901cbb68b1ed0d31e966bf21 |
| SHA1 | fe41e590bfc0981fb23824ffd5718fd8ab4e5f08 |
| SHA256 | b166360a21c7ca4e9f1d17451efc07ffc57fae78b2684eb443d6b811d97a5bf6 |
| SHA512 | 80c637b9caa3eee5669979c3ba891dcde79937711f1dda5c15f1fedb8fef892e5f3ab12486b7869183d8effb61e394dff48539fa39eb2b4895a004413d66a532 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g9541649.exe
| MD5 | aea234064483f651010cf9d981f59fea |
| SHA1 | 002ad73a666d2d92d0c6d6b617e61c6fa0c5f3a6 |
| SHA256 | 58b02c8b4bc2bf7f5f1e8e45d7c206956f188ae56b648922ca75987b999db503 |
| SHA512 | eae415ef55aeb1b4548c2422a72e618fce17c2c1322918d33dc6b9202a01c743a5684ba28e5d83b6cdb2b703bc12569e6bb0e87ef2decb4e8a18592e1380a434 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h3421041.exe
| MD5 | 7e93bacbbc33e6652e147e7fe07572a0 |
| SHA1 | 421a7167da01c8da4dc4d5234ca3dd84e319e762 |
| SHA256 | 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38 |
| SHA512 | 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91 |
memory/4988-27-0x0000000000D00000-0x0000000000D0A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j4435350.exe
| MD5 | 59828ae17439756d437ab117a703fed1 |
| SHA1 | b9ec9e8ed317695cf334ce9199108d9efce2b609 |
| SHA256 | 3638d6290ee0e43d6fbb70ba10cf7b04168e2989f0dd1c7d843f4d34afd7c7cc |
| SHA512 | b11bab3e7cc2f59a45dacbfaff48eed0233aec9015100336eecd215bf1ae01dab5ed74f420e9c0c0b10ea201ed1c8174c1d0c501106a4c958e780823ba5f6d51 |
memory/2472-32-0x0000000000050000-0x0000000000080000-memory.dmp
memory/2472-33-0x00000000023E0000-0x00000000023E6000-memory.dmp
memory/2472-34-0x000000000A3C0000-0x000000000A9D8000-memory.dmp
memory/2472-35-0x0000000009EC0000-0x0000000009FCA000-memory.dmp
memory/2472-36-0x0000000009E00000-0x0000000009E12000-memory.dmp
memory/2472-37-0x0000000009E60000-0x0000000009E9C000-memory.dmp
memory/2472-38-0x00000000021E0000-0x000000000222C000-memory.dmp
Analysis: behavioral15
Detonation Overview
Submitted
2024-05-10 11:49
Reported
2024-05-10 11:52
Platform
win10v2004-20240508-en
Max time kernel
148s
Max time network
152s
Command Line
Signatures
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p6771550.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p6771550.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p6771550.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p6771550.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p6771550.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p6771550.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7383000.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p6771550.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r4522158.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p6771550.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\b2abc74f29ed52ec7d83d19dcdda578b75bfabfe3cb6be161acad9d570a9601f.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7383000.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p6771550.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p6771550.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p6771550.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\b2abc74f29ed52ec7d83d19dcdda578b75bfabfe3cb6be161acad9d570a9601f.exe
"C:\Users\Admin\AppData\Local\Temp\b2abc74f29ed52ec7d83d19dcdda578b75bfabfe3cb6be161acad9d570a9601f.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7383000.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7383000.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p6771550.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p6771550.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r4522158.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r4522158.exe
Network
| Country | Destination | Domain | Proto |
| FI | 77.91.68.68:19071 | N/A | tcp |
| FI | 77.91.68.68:19071 | N/A | tcp |
| FI | 77.91.68.68:19071 | N/A | tcp |
| FI | 77.91.68.68:19071 | N/A | tcp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| FI | 77.91.68.68:19071 | N/A | tcp |
| FI | 77.91.68.68:19071 | N/A | tcp |
| US | 8.8.8.8:53 | 210.143.182.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7383000.exe
| MD5 | e3ed7f47e1410b7b8eb2abadf29e8ba9 |
| SHA1 | eaef8940de9977260629fa9eb19d89f19f195206 |
| SHA256 | cbe7e7cd0ef5d0f0de887cc968a0e337eb055609a57d6b8f12dc92889c825693 |
| SHA512 | fa6d6670fdd1fbfa25e7932556b443fdbf5a2de55245a329aa2e43e861dbf0b2d07ad4c019e459152fe9c2b04eedc3bbea3ae9f7d4dbc5ec102a3c5fe108a0a6 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p6771550.exe
| MD5 | 9c40063dc990863ba747046695b66de3 |
| SHA1 | 768037d9239254b189798c6b10e6e92f99ab6377 |
| SHA256 | 2a1812293ed1c85ce17438a90c5701f6cd74a623f64a34591df08bdcb473da1c |
| SHA512 | 2ad41fe48174717df9a3524d0833bcfd019065098a8f0272e2d4a116f09c42137942e414559e4395f53cfad34497d2f999784c3a100dd40be3626dd8b4ac4c51 |
memory/5036-14-0x00007FFB978C3000-0x00007FFB978C5000-memory.dmp
memory/5036-15-0x0000000000700000-0x000000000070A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r4522158.exe
| MD5 | 069ec3c24700c09e504cd327b8f1b640 |
| SHA1 | d5c8e3cbe2c04c724e06e9ec3ad0212266fd1893 |
| SHA256 | 566bc2d705132076a334bbb608aee51d4624caab0a721492c9a6f34647876f43 |
| SHA512 | 4c5730311b8e9a29089283c7807d68c6b1f8d70c6b7d3edf31bd7274fe4aedf23d7b84cfc42e8a8f1a73e1ed4f4a2f9793a98c848dc90a64ff728a16d3bc8392 |
memory/536-20-0x00000000007A0000-0x00000000007D0000-memory.dmp
memory/536-21-0x0000000005080000-0x0000000005086000-memory.dmp
memory/536-22-0x000000000ABE0000-0x000000000B1F8000-memory.dmp
memory/536-23-0x000000000A750000-0x000000000A85A000-memory.dmp
memory/536-24-0x000000000A690000-0x000000000A6A2000-memory.dmp
memory/536-25-0x000000000A6F0000-0x000000000A72C000-memory.dmp
memory/536-26-0x0000000002940000-0x000000000298C000-memory.dmp
Analysis: behavioral22
Detonation Overview
Submitted
2024-05-10 11:49
Reported
2024-05-10 11:52
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3124 set thread context of 1192 | N/A | C:\Users\Admin\AppData\Local\Temp\f5875e99d264d6dc6b9a95473f93dd4b60f4562283d31642caef4eb5c5823363.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\f5875e99d264d6dc6b9a95473f93dd4b60f4562283d31642caef4eb5c5823363.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\f5875e99d264d6dc6b9a95473f93dd4b60f4562283d31642caef4eb5c5823363.exe
"C:\Users\Admin\AppData\Local\Temp\f5875e99d264d6dc6b9a95473f93dd4b60f4562283d31642caef4eb5c5823363.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3124 -ip 3124
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3124 -s 328
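The RedLine run above injects into RegAsm.exe: the dropper (PID 3124) sets the thread context of PID 1192, and every RegAsm.exe child is launched with no arguments, although RegAsm requires an assembly path and exits after printing its usage when started bare. The two WerFault.exe lines carry -p 3124, so the process that faulted is the dropper itself, which is what the "Program crash" row records. The Python below is an added example, not part of this report; the process records are constructed from the tree above (PIDs 3124 and 1192 are the report's, PIDs 4100, 5200 and 6100 and the /codebase control are invented for illustration), and the SetThreadContext event is the one the signature table shows.

```python
import re

REGASM = r'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe'
DROPPER = r'C:\Users\Admin\AppData\Local\Temp\f5875e99d264d6dc6b9a95473f93dd4b60f4562283d31642caef4eb5c5823363.exe'

# Constructed process-creation records modelled on the tree above. PIDs 3124 (dropper) and
# 1192 (injected RegAsm host) come from the report; 4100, 5200, 6100 and the /codebase
# control (a legitimate COM registration) are invented.
PROCS = [
    {'pid': 3124, 'ppid': 1000, 'image': DROPPER, 'cmdline': f'"{DROPPER}"'},
    {'pid': 1192, 'ppid': 3124, 'image': REGASM, 'cmdline': f'"{REGASM}"'},
    {'pid': 4100, 'ppid': 3124, 'image': REGASM, 'cmdline': f'"{REGASM}"'},
    {'pid': 5200, 'ppid': 3124, 'image': r'C:\Windows\SysWOW64\WerFault.exe',
     'cmdline': r'C:\Windows\SysWOW64\WerFault.exe -u -p 3124 -s 328'},
    {'pid': 6100, 'ppid': 900, 'image': REGASM,
     'cmdline': f'"{REGASM}" /codebase "C:\\Program Files\\Vendor\\Interop.dll"'},
]
# From the "Suspicious use of SetThreadContext" row: PID 3124 set thread context of 1192.
THREAD_CONTEXT = [{'source_pid': 3124, 'target_pid': 1192}]

TEMP_RE = re.compile(r'\\Users\\[^\\]+\\AppData\\Local\\Temp\\', re.IGNORECASE)
HOLLOW_HOSTS = {'regasm.exe'}   # the .NET utility abused in this run; extend as needed


def basename(path):
    return path.rsplit('\\', 1)[-1]


def argv(cmdline):
    """Split a Windows command line on whitespace, keeping double-quoted spans whole."""
    return [q if q else bare for q, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def detect_hollowing(procs, thread_context):
    by_pid = {p['pid']: p for p in procs}
    findings = []
    for p in procs:
        if basename(p['image']).lower() not in HOLLOW_HOSTS:
            continue
        parent = by_pid.get(p['ppid'])
        reasons = []
        if len(argv(p['cmdline'])) == 1:
            reasons.append('started with no assembly argument (bare RegAsm only prints usage and exits)')
        if parent and TEMP_RE.search(parent['image']):
            reasons.append(f'parent {basename(parent["image"])} runs from %TEMP%')
        injected = any(e['target_pid'] == p['pid'] and e['source_pid'] == p['ppid']
                       for e in thread_context)
        if injected:
            reasons.append('parent called SetThreadContext on it: process hollowing')
        if reasons:
            findings.append({'pid': p['pid'], 'reasons': reasons,
                             'severity': 'high' if injected or len(reasons) >= 2 else 'medium'})
    return findings


def crashed_pids(procs):
    """Map WerFault.exe '-p <pid>' arguments back to the process that faulted."""
    pids = set()
    for p in procs:
        if basename(p['image']).lower() == 'werfault.exe':
            m = re.search(r'-p\s+(\d+)', p['cmdline'])
            if m:
                pids.add(int(m.group(1)))
    return pids


if __name__ == '__main__':
    for f in detect_hollowing(PROCS, THREAD_CONTEXT):
        print(f"PID {f['pid']} [{f['severity']}]: " + '; '.join(f['reasons']))
    print('crashed:', sorted(crashed_pids(PROCS)))
```

The argument-less launch is the cheapest signal to alert on in endpoint telemetry, because a legitimate RegAsm.exe invocation always carries an assembly path; the parent-in-%TEMP% and SetThreadContext conditions are what lift it from medium to high.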
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | omnomnom.top | udp |
| NL | 23.62.61.57:443 | www.bing.com | tcp |
| DE | 195.201.252.28:443 | omnomnom.top | tcp |
| US | 8.8.8.8:53 | 235.3.20.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.252.201.195.in-addr.arpa | udp |
| NL | 23.62.61.57:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 142.53.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | N/A | udp |
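Most rows in the network tables of these runs are sandbox background: resolver traffic to 8.8.8.8, reverse (in-addr.arpa) lookups of every contacted address, and Bing connections from the Windows image. What remains is the sample's own traffic: the 77.91.x.x hosts on port 19071 (and 77.91.68.61:80) in the Amadey/RedLine runs, the omnomnom.top connection, and pastebin.com, which the report itself flags as legitimate-service abuse and which cannot simply be blocked as C2 infrastructure. The Python below is an added example, not tooling from this report; it parses rows in the table format used on this page, also tolerating rows whose Domain cell is missing or written as N/A, and sorts them into buckets. The noise suffix list and the abused-service list are assumptions.

```python
import re
from collections import Counter

# Rows copied from the network tables of the runs in this report (header included). Some
# rows are kept in the shortened form in which the Domain cell is missing, so the parser has
# to cope with three-cell rows as well as four-cell ones.
ROWS = """\
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| NL | 23.62.61.57:443 | www.bing.com | tcp |
| FI | 77.91.68.61:80 | tcp | |
| FI | 77.91.124.156:19071 | tcp | |
| FI | 77.91.68.61:80 | tcp | |
| FI | 77.91.124.156:19071 | tcp |
| FI | 77.91.124.84:19071 | N/A | tcp |
| US | 52.111.229.43:443 | tcp | |
| FI | 77.91.68.68:19071 | tcp | |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | omnomnom.top | udp |
| DE | 195.201.252.28:443 | omnomnom.top | tcp |
| FI | 77.91.68.56:19071 | tcp | |
"""

NOISE_SUFFIXES = ('.bing.com', '.bing.net', '.in-addr.arpa')  # assumed sandbox/OS background
ABUSED_SERVICES = {'pastebin.com'}                              # legitimate hosting the report flags
DEST_RE = re.compile(r'^(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})$')


def parse_row(row):
    """Turn one '| CC | ip:port | domain | proto |' row into a dict; tolerate a missing Domain cell."""
    cells = [c.strip() for c in row.strip().strip('|').split('|')]
    if len(cells) < 3:
        return None
    m = DEST_RE.match(cells[1])
    if not m:
        return None                      # header row or unparseable destination
    rest = [c for c in cells[2:] if c and c != 'N/A']
    proto = next((c for c in rest if c in ('tcp', 'udp')), None)
    domain = next((c for c in rest if c not in ('tcp', 'udp')), None)
    return {'country': cells[0], 'ip': m.group(1), 'port': int(m.group(2)),
            'domain': domain, 'proto': proto}


def classify(conn):
    domain = conn['domain'] or ''
    if domain.endswith(NOISE_SUFFIXES):
        return 'noise'
    if conn['port'] == 53 and conn['proto'] == 'udp':
        return 'dns_query'
    if domain in ABUSED_SERVICES:
        return 'abused_service'
    return 'candidate_c2'


def triage(table):
    out = {'candidate_c2': Counter(), 'abused_service': set(), 'dns_query': set(), 'noise': 0}
    for row in table.splitlines():
        conn = parse_row(row)
        if conn is None:
            continue
        kind = classify(conn)
        if kind == 'candidate_c2':
            out['candidate_c2'][(conn['ip'], conn['port'], conn['domain'])] += 1
        elif kind == 'abused_service':
            out['abused_service'].add(conn['domain'])
        elif kind == 'dns_query':
            if conn['domain']:
                out['dns_query'].add(conn['domain'])
        else:
            out['noise'] += 1
    return out


def c2_ports(result):
    return sorted({port for _, port, _ in result['candidate_c2']})


if __name__ == '__main__':
    r = triage(ROWS)
    for (ip, port, domain), n in r['candidate_c2'].most_common():
        print(f'{ip}:{port:<6} {domain or "-":<16} x{n}')
    print('abused services:', sorted(r['abused_service']))
    print('resolved domains:', sorted(r['dns_query']))
    print('ports:', c2_ports(r))
```

An IP-only row such as 52.111.229.43:443 lands in the candidate bucket because nothing in the table ties it to a name; rows like that need an ASN or reputation check before they are treated as C2, which is exactly why the output keeps the domain column alongside the address.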
Files
memory/3124-0-0x0000000000FC8000-0x0000000000FC9000-memory.dmp
memory/1192-1-0x0000000000400000-0x0000000000422000-memory.dmp
memory/1192-2-0x0000000074DAE000-0x0000000074DAF000-memory.dmp
memory/1192-3-0x0000000005390000-0x00000000053F6000-memory.dmp
memory/1192-4-0x0000000005EB0000-0x00000000064C8000-memory.dmp
memory/1192-5-0x0000000005940000-0x0000000005952000-memory.dmp
memory/1192-6-0x0000000005A70000-0x0000000005B7A000-memory.dmp
memory/1192-7-0x0000000074DA0000-0x0000000075550000-memory.dmp
memory/1192-8-0x0000000005E10000-0x0000000005E4C000-memory.dmp
memory/1192-9-0x0000000005E50000-0x0000000005E9C000-memory.dmp
memory/1192-10-0x0000000006AB0000-0x0000000006C72000-memory.dmp
memory/1192-11-0x00000000071B0000-0x00000000076DC000-memory.dmp
memory/1192-12-0x0000000007C90000-0x0000000008234000-memory.dmp
memory/1192-13-0x0000000006E20000-0x0000000006EB2000-memory.dmp
memory/1192-14-0x00000000076E0000-0x0000000007756000-memory.dmp
memory/1192-15-0x0000000006F10000-0x0000000006F2E000-memory.dmp
memory/1192-16-0x0000000007A40000-0x0000000007A90000-memory.dmp
memory/1192-18-0x0000000074DA0000-0x0000000075550000-memory.dmp
Analysis: behavioral23
Detonation Overview
Submitted
2024-05-10 11:49
Reported
2024-05-10 11:52
Platform
win10v2004-20240426-en
Max time kernel
146s
Max time network
153s
Command Line
Signatures
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k1421373.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k1421373.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k1421373.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k1421373.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k1421373.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k1421373.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2571427.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y7110096.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k1421373.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l2146173.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k1421373.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k1421373.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\fd5bd6afc507aad0acace57fc3b77a0de443e12efcdb3857d899395a962a3b4f.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2571427.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y7110096.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k1421373.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k1421373.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k1421373.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\fd5bd6afc507aad0acace57fc3b77a0de443e12efcdb3857d899395a962a3b4f.exe
"C:\Users\Admin\AppData\Local\Temp\fd5bd6afc507aad0acace57fc3b77a0de443e12efcdb3857d899395a962a3b4f.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2571427.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2571427.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y7110096.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y7110096.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k1421373.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k1421373.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l2146173.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l2146173.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| FI | 77.91.68.56:19071 | N/A | tcp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 139.53.16.96.in-addr.arpa | udp |
| FI | 77.91.68.56:19071 | N/A | tcp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| FI | 77.91.68.56:19071 | N/A | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| FI | 77.91.68.56:19071 | N/A | tcp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| BE | 2.17.196.123:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| BE | 2.17.196.123:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 123.196.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| FI | 77.91.68.56:19071 | | tcp |
| FI | 77.91.68.56:19071 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y7110096.exe
| MD5 | 7e16642af0542f98e53a83ef26011162 |
| SHA1 | e3a5d8e9f82a94a78dc8627d0471c5edd4e2953c |
| SHA256 | f09c37ee6dec059ef49483c9da0634b64ea289848a507e331a0bfb8caa65a750 |
| SHA512 | a75bc33c5d2ff76bb6eb17053d3a2f37d89f75189bcbd1c2b0671df3fb32a75bfc464b822b4a35c8869a0eb50a55149b5a7aa204f83d034749acf025d8b3b60e |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k1421373.exe
| MD5 | efade657e753c1afa9934e5810c6c45d |
| SHA1 | 69fc060c17e0b19599e31cf883f695f3172fe00d |
| SHA256 | 6c5fd398bae2c753bcbc4bdeb0bcdc53ef76c009021e2a082a3bbc022b9f8635 |
| SHA512 | b1d5e80adf2ba11bd855a93172c761c1f660dad9f3f3c80ba335d8fe668026c6e2337028fd1fa90f35c2cda2778e03f1cf6d26d91a1f376f4fffe380e283e724 |
memory/2240-21-0x0000000000570000-0x00000000005AE000-memory.dmp
memory/2240-27-0x0000000000401000-0x0000000000404000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2571427.exe
| MD5 | e8bfe83276b8cf0523f7cdb5c09d1ccd |
| SHA1 | 25ea0b55076d042b75d8518feacc7acee94db71b |
| SHA256 | 0b91ab3aeed8bf8d36d1d8f9b621ea7419c15705c44a722b707cce7034057966 |
| SHA512 | a12562de993ff37f37738f808fc1ecfb36e79b64442a348196a3d2ea3c3b8fb32c25ff217abfd19246d3a2193d4eae9ee4d580065c3542697f959832ad843935 |
memory/2240-28-0x0000000000570000-0x00000000005AE000-memory.dmp
memory/2240-29-0x00000000020D0000-0x00000000020D1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l2146173.exe
| MD5 | 92afdf44d1c33960ab452a8c274282db |
| SHA1 | 60c7376a52f74f0799ee2a574782e9855af28efe |
| SHA256 | e12a3d43b1f8a35e75f3bf09ea5422ef10bccfa19a8b2e131259f7b4be5333d2 |
| SHA512 | 31ee981dd21ffe2498d74cf7713df410d55b6a9f9894c571b6d05bd372402362f051b0f87cbcb62d9723c145593eb53dd8c04cdb72836adf9c71b82170a83e1f |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\System.dll.log
| MD5 | 916851e072fbabc4796d8916c5131092 |
| SHA1 | d48a602229a690c512d5fdaf4c8d77547a88e7a2 |
| SHA256 | 7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d |
| SHA512 | 07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521 |
Analysis: behavioral8
Detonation Overview
Submitted
2024-05-10 11:49
Reported
2024-05-10 11:52
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
153s
Command Line
Signatures
Amadey
Detects Healer an antivirus disabler dropper
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p5617583.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p5617583.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p5617583.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p5617583.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p5617583.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p5617583.exe | N/A |
RedLine
RedLine payload
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r5327652.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5787480.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p5617583.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r5327652.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\t4172059.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p5617583.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\6c15f1899ddb76b31fda1ef8a7d18f02ebe3c6f0dc3202cb51c180fecb4fcfed.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5787480.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p5617583.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p5617583.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p5617583.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\6c15f1899ddb76b31fda1ef8a7d18f02ebe3c6f0dc3202cb51c180fecb4fcfed.exe
"C:\Users\Admin\AppData\Local\Temp\6c15f1899ddb76b31fda1ef8a7d18f02ebe3c6f0dc3202cb51c180fecb4fcfed.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5787480.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5787480.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p5617583.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p5617583.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r5327652.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r5327652.exe
C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe
"C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\t4172059.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\t4172059.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legola.exe /TR "C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legola.exe" /P "Admin:N"&&CACLS "legola.exe" /P "Admin:R" /E&&echo Y|CACLS "..\ebb444342c" /P "Admin:N"&&CACLS "..\ebb444342c" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "legola.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "legola.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\ebb444342c" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\ebb444342c" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe
C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe
C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe
C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| NL | 23.62.61.106:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 106.61.62.23.in-addr.arpa | udp |
| SE | 5.42.92.67:80 | | tcp |
| FI | 77.91.124.84:19071 | | tcp |
| FI | 77.91.124.84:19071 | | tcp |
| SE | 5.42.92.67:80 | | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| FI | 77.91.124.84:19071 | | tcp |
| SE | 5.42.92.67:80 | | tcp |
| FI | 77.91.124.84:19071 | | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| FI | 77.91.124.84:19071 | | tcp |
| FI | 77.91.124.84:19071 | | tcp |
| US | 8.8.8.8:53 | 201.201.50.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5787480.exe
| MD5 | 694b7729637837e43eb014d4d2c968a6 |
| SHA1 | c2bba306b840849aa140633836ced0605db95793 |
| SHA256 | dd7b0e511c99d37d76ec1481d6d6b7c2ce687b548941818de00975b112032114 |
| SHA512 | d178e85ee9b3b72af324dceae997a1c056e0e5f4e13a36eb2c0fdbf8cf343798c43f128bd459a5e5f31520ddc7128ac949bd78c92d22476edb18ec43249cd0d1 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p5617583.exe
| MD5 | 93bcba22f06df8fb86c113973eb20f15 |
| SHA1 | a8eed1517b821fe413cba650de349607f73b8c69 |
| SHA256 | 8322ca1167bd88052e7a2c26eaf5b0d34494d1b899aa5efa4c4f0aaf515151fc |
| SHA512 | 14cb24f0c2539160764d932a3f7a43c72acb95a7b4009f975f7f2fb04749735151fc5fb84f2599de162cabe37f43ac1ec4fbe51c14f3e049329a377720f52960 |
memory/3452-14-0x00007FF85AB63000-0x00007FF85AB65000-memory.dmp
memory/3452-15-0x0000000000EE0000-0x0000000000EEA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r5327652.exe
| MD5 | 823b21cc3d3a79887e49212dac643a4f |
| SHA1 | f37b4e8f86bc68eaf50362865799270d972f27b9 |
| SHA256 | 7aab0b2e1ab9e3d05b1e84b50d502f69f540d07da3143db53e636343997deb12 |
| SHA512 | e57c6fca50b51d336cd38019db71c0f557690305d5f6dacd248d97a1710a36c7ae5a5bd388353227f789316bb672ae7390ca4782222408b569bf5e24a904b184 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\t4172059.exe
| MD5 | e0593e8679d77ab968e27b829f45bcbd |
| SHA1 | a00272b2457e7b03075eb4ee1793613295396d76 |
| SHA256 | 08fbfc3da43662389a9f28a0bf7447814929bb85401e1249326fdb62ec4a5d61 |
| SHA512 | f58274b538abe162be7625b5596fd6920201460e513b41f6ddcb25bbf9a31df1862b7e0051748588ffb0d9dbb2ace8c1570e5e55ce297c898bf9179195da94e4 |
Analysis: behavioral9
Detonation Overview
Submitted
2024-05-10 11:49
Reported
2024-05-10 11:52
Platform
win7-20240221-en
Max time kernel
120s
Max time network
127s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\75997a0972431bc5e7a704b53cd1a000bf6f1f51c31f2ef32b3af38f120ccfce.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1368 wrote to memory of 2300 | N/A | C:\Users\Admin\AppData\Local\Temp\75997a0972431bc5e7a704b53cd1a000bf6f1f51c31f2ef32b3af38f120ccfce.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 1368 wrote to memory of 2300 | N/A | C:\Users\Admin\AppData\Local\Temp\75997a0972431bc5e7a704b53cd1a000bf6f1f51c31f2ef32b3af38f120ccfce.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 1368 wrote to memory of 2300 | N/A | C:\Users\Admin\AppData\Local\Temp\75997a0972431bc5e7a704b53cd1a000bf6f1f51c31f2ef32b3af38f120ccfce.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 1368 wrote to memory of 2300 | N/A | C:\Users\Admin\AppData\Local\Temp\75997a0972431bc5e7a704b53cd1a000bf6f1f51c31f2ef32b3af38f120ccfce.exe | C:\Windows\SysWOW64\WerFault.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\75997a0972431bc5e7a704b53cd1a000bf6f1f51c31f2ef32b3af38f120ccfce.exe
"C:\Users\Admin\AppData\Local\Temp\75997a0972431bc5e7a704b53cd1a000bf6f1f51c31f2ef32b3af38f120ccfce.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1368 -s 52
Network
Files
memory/1368-0-0x0000000000030000-0x0000000000031000-memory.dmp
memory/1368-1-0x0000000000030000-0x0000000000031000-memory.dmp
Analysis: behavioral10
Detonation Overview
Submitted
2024-05-10 11:49
Reported
2024-05-10 11:52
Platform
win10v2004-20240426-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
RedLine
RedLine payload
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 5116 set thread context of 1116 | N/A | C:\Users\Admin\AppData\Local\Temp\75997a0972431bc5e7a704b53cd1a000bf6f1f51c31f2ef32b3af38f120ccfce.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Enumerates physical storage devices
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = [certificate blob omitted] | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\75997a0972431bc5e7a704b53cd1a000bf6f1f51c31f2ef32b3af38f120ccfce.exe
"C:\Users\Admin\AppData\Local\Temp\75997a0972431bc5e7a704b53cd1a000bf6f1f51c31f2ef32b3af38f120ccfce.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| RU | 5.42.65.77:6541 | | tcp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.99:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.65.42.5.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.61.62.23.in-addr.arpa | udp |
| NL | 23.62.61.99:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 142.53.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\Tmp545A.tmp
| MD5 | 1420d30f964eac2c85b2ccfe968eebce |
| SHA1 | bdf9a6876578a3e38079c4f8cf5d6c79687ad750 |
| SHA256 | f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9 |
| SHA512 | 6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8 |
Analysis: behavioral11
Detonation Overview
Submitted
2024-05-10 11:49
Reported
2024-05-10 11:52
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
152s
Command Line
Signatures
Amadey
Detects Healer an antivirus disabler dropper
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k6706793.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k6706793.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k6706793.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k6706793.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k6706793.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k6706793.exe | N/A |
RedLine
RedLine payload
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l4637560.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8837515.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k6706793.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l4637560.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n8409380.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k6706793.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\7a4ee8388222f5e129b4d1d82750bea32e3956ea160d1a752dea1af994fa77ea.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8837515.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k6706793.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k6706793.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k6706793.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\7a4ee8388222f5e129b4d1d82750bea32e3956ea160d1a752dea1af994fa77ea.exe
"C:\Users\Admin\AppData\Local\Temp\7a4ee8388222f5e129b4d1d82750bea32e3956ea160d1a752dea1af994fa77ea.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8837515.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8837515.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k6706793.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k6706793.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l4637560.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l4637560.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
"C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n8409380.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n8409380.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN pdates.exe /TR "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "pdates.exe" /P "Admin:N"&&CACLS "pdates.exe" /P "Admin:R" /E&&echo Y|CACLS "..\925e7e99c5" /P "Admin:N"&&CACLS "..\925e7e99c5" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "pdates.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "pdates.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\925e7e99c5" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\925e7e99c5" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| NL | 23.62.61.106:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 106.61.62.23.in-addr.arpa | udp |
| FI | 77.91.68.61:80 | | tcp |
| FI | 77.91.68.68:19071 | | tcp |
| FI | 77.91.68.68:19071 | | tcp |
| FI | 77.91.68.61:80 | | tcp |
| FI | 77.91.68.68:19071 | | tcp |
| US | 52.111.229.43:443 | | tcp |
| FI | 77.91.68.61:80 | | tcp |
| FI | 77.91.68.68:19071 | | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| FI | 77.91.68.68:19071 | | tcp |
| FI | 77.91.68.68:19071 | | tcp |
| US | 8.8.8.8:53 | 34.197.79.40.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8837515.exe
| MD5 | 27ff8bcfbd69753a89dca3cb0dcb4793 |
| SHA1 | 0fc68e6d513f53da20e129cabe4c67431924fafd |
| SHA256 | 1ca048e8af553f43feb76af02ecd336aa40f1c1a25d3f47e92597fe40393771c |
| SHA512 | 4b5bbe988e9e9f58915b68040e2a62b733836357fad25b689eef6e3550ca405126a01d19f21a296b3dabef20444e331f4dcf7924d3f96ba14cdf927238756653 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k6706793.exe
| MD5 | 7e93bacbbc33e6652e147e7fe07572a0 |
| SHA1 | 421a7167da01c8da4dc4d5234ca3dd84e319e762 |
| SHA256 | 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38 |
| SHA512 | 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91 |
memory/3148-14-0x00000000000F0000-0x00000000000FA000-memory.dmp
memory/3148-15-0x00007FFF98293000-0x00007FFF98295000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l4637560.exe
| MD5 | aea234064483f651010cf9d981f59fea |
| SHA1 | 002ad73a666d2d92d0c6d6b617e61c6fa0c5f3a6 |
| SHA256 | 58b02c8b4bc2bf7f5f1e8e45d7c206956f188ae56b648922ca75987b999db503 |
| SHA512 | eae415ef55aeb1b4548c2422a72e618fce17c2c1322918d33dc6b9202a01c743a5684ba28e5d83b6cdb2b703bc12569e6bb0e87ef2decb4e8a18592e1380a434 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n8409380.exe
| MD5 | 99865b68ab6412c3a103c0b0100d90a3 |
| SHA1 | c5b72dc69026d02757bf6caa9527367fd22e1158 |
| SHA256 | 57a4610b2292db36121bab0d704d870867ea302384ccdb66e3918bf15581042c |
| SHA512 | 8c70df230b6ac966a6fe0d2268f5f92b26d63185955021144d4e2894770ded6a8c263a374ac1c56f4d68abc9aab43209c1109c73d8f01837c6b6f7bb00932e5c |
Analysis: behavioral12
Detonation Overview
Submitted
2024-05-10 11:49
Reported
2024-05-10 11:52
Platform
win10v2004-20240426-en
Max time kernel
142s
Max time network
155s
Command Line
Signatures
Amadey
Detects Healer an antivirus disabler dropper
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7283205.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7283205.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7283205.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7283205.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7283205.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7283205.exe | N/A |
RedLine
RedLine payload
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l4383584.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0440533.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7283205.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l4383584.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n5166286.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7283205.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\7b22e6cc31710809bbb88f27afa15ad45784dd0ccd3da27be9b6ca3b039a15ce.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0440533.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7283205.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7283205.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7283205.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\7b22e6cc31710809bbb88f27afa15ad45784dd0ccd3da27be9b6ca3b039a15ce.exe
"C:\Users\Admin\AppData\Local\Temp\7b22e6cc31710809bbb88f27afa15ad45784dd0ccd3da27be9b6ca3b039a15ce.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0440533.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0440533.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7283205.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7283205.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l4383584.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l4383584.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
"C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n5166286.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n5166286.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN pdates.exe /TR "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "pdates.exe" /P "Admin:N"&&CACLS "pdates.exe" /P "Admin:R" /E&&echo Y|CACLS "..\925e7e99c5" /P "Admin:N"&&CACLS "..\925e7e99c5" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "pdates.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "pdates.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\925e7e99c5" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\925e7e99c5" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
Network
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0440533.exe
| MD5 | 4089a38e574f75f6d5f6b7c2b21a41d4 |
| SHA1 | 187466ddf9a12449dbb9f4d73aa2acba40dc5750 |
| SHA256 | 251ef86b068c66e5640c3e89c6443737e485c33ac06d9d0e4f15b9823abf3616 |
| SHA512 | 58de48818277d2490be4f687a3773b3062338fa5d518f64e280609b2deb4550e934a203b2ce8fb4771dc1e335ffe306cd8e223fd4a44f49f0c65844560851239 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7283205.exe
| MD5 | 7e93bacbbc33e6652e147e7fe07572a0 |
| SHA1 | 421a7167da01c8da4dc4d5234ca3dd84e319e762 |
| SHA256 | 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38 |
| SHA512 | 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l4383584.exe
| MD5 | aea234064483f651010cf9d981f59fea |
| SHA1 | 002ad73a666d2d92d0c6d6b617e61c6fa0c5f3a6 |
| SHA256 | 58b02c8b4bc2bf7f5f1e8e45d7c206956f188ae56b648922ca75987b999db503 |
| SHA512 | eae415ef55aeb1b4548c2422a72e618fce17c2c1322918d33dc6b9202a01c743a5684ba28e5d83b6cdb2b703bc12569e6bb0e87ef2decb4e8a18592e1380a434 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n5166286.exe
| MD5 | f1bc764701a030324f770e7e3e2d4f7a |
| SHA1 | 617be6505219183a506c618d70709eb29c01db9c |
| SHA256 | 8cbf7b4f01bbcd28bd44ed39a95a7009112c0421f2c4fc846470910cf6606ac4 |
| SHA512 | 4e22af28e37a1d48ea90567ff79370b71faa144c030ce86eb13c861855ea70e68b157383cada39062b50dd8e70c62f9e3195fd393169fba4f1b991410c469ddb |
Analysis: behavioral20
Detonation Overview
Submitted
2024-05-10 11:49
Reported
2024-05-10 11:52
Platform
win10v2004-20240508-en
Max time kernel
148s
Max time network
153s
Command Line
Signatures
Amadey
Detects Healer an antivirus disabler dropper
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k1098789.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k1098789.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k1098789.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k1098789.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k1098789.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k1098789.exe | N/A |
RedLine
RedLine payload
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l0555264.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9244876.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k1098789.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l0555264.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n0393861.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k1098789.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\c29b675475cb8428efab71268c98263fcbf9de29cfb64f21bf49b0a28c5982fe.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9244876.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k1098789.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k1098789.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k1098789.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\c29b675475cb8428efab71268c98263fcbf9de29cfb64f21bf49b0a28c5982fe.exe
"C:\Users\Admin\AppData\Local\Temp\c29b675475cb8428efab71268c98263fcbf9de29cfb64f21bf49b0a28c5982fe.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9244876.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9244876.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k1098789.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k1098789.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l0555264.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l0555264.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
"C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n0393861.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n0393861.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN pdates.exe /TR "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "pdates.exe" /P "Admin:N"&&CACLS "pdates.exe" /P "Admin:R" /E&&echo Y|CACLS "..\925e7e99c5" /P "Admin:N"&&CACLS "..\925e7e99c5" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "pdates.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "pdates.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\925e7e99c5" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\925e7e99c5" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
Network
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9244876.exe
| MD5 | 93ffa00468934287166af15b60356eeb |
| SHA1 | 35e9d895a966d897ba33251c2d2b5a7014319ee7 |
| SHA256 | 6bc35ed67d1cea02ceff4819bc69c44423c7d1a8436a72eeb44b7f1af9651176 |
| SHA512 | 4c9ceb360842454e36d5f13b6d9b5bdc9325406079bc12805af8d56013b00af5d5c84f83e4ee608f6fa8758527cb6086bd4f484860ddc49a8f11bf758d85c23f |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k1098789.exe
| MD5 | 7e93bacbbc33e6652e147e7fe07572a0 |
| SHA1 | 421a7167da01c8da4dc4d5234ca3dd84e319e762 |
| SHA256 | 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38 |
| SHA512 | 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l0555264.exe
| MD5 | aea234064483f651010cf9d981f59fea |
| SHA1 | 002ad73a666d2d92d0c6d6b617e61c6fa0c5f3a6 |
| SHA256 | 58b02c8b4bc2bf7f5f1e8e45d7c206956f188ae56b648922ca75987b999db503 |
| SHA512 | eae415ef55aeb1b4548c2422a72e618fce17c2c1322918d33dc6b9202a01c743a5684ba28e5d83b6cdb2b703bc12569e6bb0e87ef2decb4e8a18592e1380a434 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n0393861.exe
| MD5 | 443987a4df011c617c5d95030a35ae8c |
| SHA1 | 417d2f919c5bc29b0705b8ddc640d9f9eb3b55f8 |
| SHA256 | 04dd9bfbb295c80b65c5b4d5c8cc70f97f8567d3448397efacb6c4062e1ad749 |
| SHA512 | 04a494d1afa814adff7297f4be8a7753ab5569aed1f5f6601e207b7edd0d325174e904e47a6645adaf8fd46522d0c0e877431a7bc0e18ccd11845eab3360e984 |
Analysis: behavioral13
Detonation Overview
Submitted
2024-05-10 11:49
Reported
2024-05-10 11:52
Platform
win10v2004-20240426-en
Max time kernel
149s
Max time network
152s
Command Line
Signatures
RedLine
RedLine payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1200585.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5437816.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g0536891.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\8a68d5e2cebc81b87ef22282e4eb9af0b0776fe47cb4a1e39aaed96f3b5fa171.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1200585.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5437816.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\8a68d5e2cebc81b87ef22282e4eb9af0b0776fe47cb4a1e39aaed96f3b5fa171.exe
"C:\Users\Admin\AppData\Local\Temp\8a68d5e2cebc81b87ef22282e4eb9af0b0776fe47cb4a1e39aaed96f3b5fa171.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1200585.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1200585.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5437816.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5437816.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g0536891.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g0536891.exe
Network
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1200585.exe
| MD5 | 4b68535d9ae7b13cf3ff2f073670fb2d |
| SHA1 | 3ab1babe56d11fa75a053a052cc21eae84258cf6 |
| SHA256 | ccf88160200e2eef59471125da41cf531f00d6be48b568e48f89373a12f76a32 |
| SHA512 | e7239d21f30c08b4676f08a26d5ecc6c469e9933fa3913039a9ab11c810c52c3599ee00bb4a660fdf1028736d48dd7fb05f8e7b04bfe663ff40b0596e5b98b76 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5437816.exe
| MD5 | 32956c577b9a017f545b468acd8a5ae8 |
| SHA1 | b507c3abdcefdf7496d5e7548ffe076967f4a043 |
| SHA256 | 4343f9ba64b5d33cde391141404af6dbe47608e4fb6c56ff20c43a1c1329bf1a |
| SHA512 | fdec719616daeddf386e91c279430699a23debe9318a9717d940963b43b9175ae6bdfad1c17251f698769a30dd4466ff4a45854bd34784f9544f88f3476097df |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g0536891.exe
| MD5 | f172d470fc8f5a1f32456a418bcb6517 |
| SHA1 | 7cedee0bcbcdb6ec4d0aa1c96cb781b58085c020 |
| SHA256 | 29637e8c1a1ec7bffd145a7e2d3c0dd547d367d43c1a611fac2d21ebac4996b9 |
| SHA512 | f8f43a4c3ef3e7d0d79ad23ad29956d3a2c8d4e8bebbae7cdce7f0ca4ae5dd28408e3c0725ac65173a6b6bafb7c2b38e64f58b0339f4a4754eab76eadc21cc22 |
Analysis: behavioral17
Detonation Overview
Submitted
2024-05-10 11:49
Reported
2024-05-10 11:52
Platform
win10v2004-20240508-en
Max time kernel
142s
Max time network
153s
Command Line
Signatures
Amadey
Detects Healer an antivirus disabler dropper
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k3521331.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k3521331.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k3521331.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k3521331.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k3521331.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k3521331.exe | N/A |
RedLine
RedLine payload
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l2378669.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9871070.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0469683.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k3521331.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l2378669.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m5980958.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k3521331.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\ba5c9d840c93ebc6710e647c2536f2c811d7af83c76d5eda892fe21495932d7b.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9871070.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0469683.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k3521331.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k3521331.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k3521331.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k3521331.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ba5c9d840c93ebc6710e647c2536f2c811d7af83c76d5eda892fe21495932d7b.exe
"C:\Users\Admin\AppData\Local\Temp\ba5c9d840c93ebc6710e647c2536f2c811d7af83c76d5eda892fe21495932d7b.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9871070.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9871070.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0469683.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0469683.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k3521331.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k3521331.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4208,i,11266875042087428226,16669718873272757238,262144 --variations-seed-version --mojo-platform-channel-handle=4116 /prefetch:8
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l2378669.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l2378669.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
"C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe"
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m5980958.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m5980958.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN pdates.exe /TR "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "pdates.exe" /P "Admin:N"&&CACLS "pdates.exe" /P "Admin:R" /E&&echo Y|CACLS "..\925e7e99c5" /P "Admin:N"&&CACLS "..\925e7e99c5" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "pdates.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "pdates.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\925e7e99c5" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\925e7e99c5" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
Network
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9871070.exe
| MD5 | ff902d672312916358101ed7de623554 |
| SHA1 | 715da6fa7a64cd74506bb2c694b79ef244f5ad97 |
| SHA256 | a25e95a0a483c22e4a43f7a7bdd429276f32d46fc1fb2ccf878ae459e7bc72d5 |
| SHA512 | eaee1d509fa533fd085a2f42de8f874670ab460b33d61cbcf0ac0f638f0408ad267041efe24ca5d932d19a33a76d044261e05f55bdb06a1362c932ce7c24e7a9 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0469683.exe
| MD5 | a50df7e97cfd900aa018fa21ee85881e |
| SHA1 | d91e9b2e098bb65ae6879052c5c37d416a063b1c |
| SHA256 | f1cdfaaefe0d91938057b073bf4008e0958e6d0f274572d0e88594bb2d8216e3 |
| SHA512 | 75bcdd478f11728e8840d819178acbca77486de2881a1d93de1278ee5d3ab9302dbd929230e9f90b27b506841c8b0da0cc617e99244711cfab661fe2d64651cc |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k3521331.exe
| MD5 | 7e93bacbbc33e6652e147e7fe07572a0 |
| SHA1 | 421a7167da01c8da4dc4d5234ca3dd84e319e762 |
| SHA256 | 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38 |
| SHA512 | 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l2378669.exe
| MD5 | aea234064483f651010cf9d981f59fea |
| SHA1 | 002ad73a666d2d92d0c6d6b617e61c6fa0c5f3a6 |
| SHA256 | 58b02c8b4bc2bf7f5f1e8e45d7c206956f188ae56b648922ca75987b999db503 |
| SHA512 | eae415ef55aeb1b4548c2422a72e618fce17c2c1322918d33dc6b9202a01c743a5684ba28e5d83b6cdb2b703bc12569e6bb0e87ef2decb4e8a18592e1380a434 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m5980958.exe
| MD5 | 84420d75df50b6a2c80263485b903e70 |
| SHA1 | 9083bc5b102dad30703c513da08a306f8b666624 |
| SHA256 | 0faffaceb13cf22c2a3a276dc373ee03b0fa95ef8e7443230f84d563a355a9d3 |
| SHA512 | ddf14b82fb62e467f8640e2673a3e8fd942fa234de33819199fc97f22de311842898a9f7c5bfd66f184c3f0955630822d9a986832551812af9950b92a99a829a |
Analysis: behavioral18
Detonation Overview
Submitted
2024-05-10 11:49
Reported
2024-05-10 11:52
Platform
win10v2004-20240426-en
Max time kernel
148s
Max time network
152s
Command Line
Signatures
Amadey
Detects Healer an antivirus disabler dropper
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h2954616.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h2954616.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h2954616.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h2954616.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h2954616.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h2954616.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g4036840.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6943361.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g4036840.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h2954616.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j8567322.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h2954616.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\ba769ab00897d4fb55dffd961262aca94281c6efccb3b806cc40b3c0bfa64fcb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6943361.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h2954616.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h2954616.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h2954616.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ba769ab00897d4fb55dffd961262aca94281c6efccb3b806cc40b3c0bfa64fcb.exe
"C:\Users\Admin\AppData\Local\Temp\ba769ab00897d4fb55dffd961262aca94281c6efccb3b806cc40b3c0bfa64fcb.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6943361.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6943361.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g4036840.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g4036840.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
"C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe"
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h2954616.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h2954616.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN pdates.exe /TR "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "pdates.exe" /P "Admin:N"&&CACLS "pdates.exe" /P "Admin:R" /E&&echo Y|CACLS "..\925e7e99c5" /P "Admin:N"&&CACLS "..\925e7e99c5" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "pdates.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "pdates.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\925e7e99c5" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\925e7e99c5" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j8567322.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j8567322.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
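The pdates.exe chain above is the persistence pattern Amadey uses: a scheduled task that relaunches the dropped copy from the user's Temp directory every minute, then two CACLS passes per object. `/P "Admin:N"` without `/E` replaces the whole ACL with a single no-access entry for that account, `/P "Admin:R" /E` then edits read access back in, and `echo Y|` answers the confirmation prompt so the whole thing runs unattended. The result is that the infected account cannot delete the file or its folder until the ACL is repaired. The Python below is an added example, not part of the sandbox report: it runs two rules over (image, command line) pairs and returns structured findings. SAMPLE_PROCESSES is constructed from the Processes list above; the rule names and the Temp-path heuristic are assumptions of this example.

```python
"""Spot the scheduled-task and ACL-lockdown persistence seen in the process tree.

Added example, not part of the sandbox report. SAMPLE_PROCESSES is constructed
from the command lines in the report's Processes list; the rule names and the
user-Temp heuristic are this example's own assumptions.
"""
import re

# Dropped payloads in this report all live under the user's Temp directory.
USER_TEMP = re.compile(r"\\AppData\\Local\\Temp\\", re.I)


def parse_schtasks(cmdline: str):
    """Pull the /Create switches out of a schtasks command line.
    Returns None if the line is not a task creation."""
    if not re.search(r'\bschtasks(\.exe)?"?\s+/Create\b', cmdline, re.I):
        return None

    def opt(flag):
        # value is either "quoted" (group 1) or a bare token (group 2)
        m = re.search(r'/%s\s+(?:"([^"]+)"|(\S+))' % flag, cmdline, re.I)
        return (m.group(1) or m.group(2)) if m else None

    return {"sc": opt("SC"), "mo": opt("MO"), "tn": opt("TN"), "tr": opt("TR"),
            "force": bool(re.search(r"\s/F\b", cmdline, re.I))}


def schtasks_finding(image: str, cmdline: str):
    """Flag a task that re-launches a binary from user Temp on a minute schedule."""
    task = parse_schtasks(cmdline)
    if not task or not task["tr"]:
        return None
    if (task["sc"] or "").upper() == "MINUTE" and USER_TEMP.search(task["tr"]):
        return {"rule": "schtasks_minute_loop_from_temp", "process": image,
                "task": task["tn"], "action": task["tr"],
                "every_minutes": int(task["mo"] or 1)}
    return None


# CACLS <target> /P <user>:<perm> [/E]; /P without /E replaces the entire ACL.
CACLS_RE = re.compile(
    r'\bcacls(?:\.exe)?"?\s+"?(?P<target>[^"\s]+)"?\s+/P\s+"?(?P<ace>[^"\s]+)"?(?P<edit>\s+/E)?',
    re.I)


def cacls_finding(image: str, cmdline: str):
    """Flag CACLS /P user:N without /E: the object keeps only a no-access entry
    for that account, which is how the dropped copy is shielded from deletion."""
    m = CACLS_RE.search(cmdline)
    if not m:
        return None
    user, _, perm = m.group("ace").rpartition(":")
    if perm.upper() != "N" or m.group("edit"):
        return None
    return {"rule": "cacls_deny_all_replace_acl", "process": image,
            "target": m.group("target"), "user": user,
            # echo Y| piped into cacls suppresses the "Are you sure" prompt
            "unattended": bool(re.search(r"echo\s+Y\s*\|", cmdline, re.I))}


def triage(processes):
    """Run every rule over (image, cmdline) pairs; returns the list of findings."""
    findings = []
    for image, cmdline in processes:
        for rule in (schtasks_finding, cacls_finding):
            hit = rule(image, cmdline)
            if hit:
                findings.append(hit)
    return findings


# Constructed from the report's Processes list for the Amadey detonation.
SAMPLE_PROCESSES = [
    (r"C:\Windows\SysWOW64\schtasks.exe",
     r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN pdates.exe /TR "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe" /F'),
    (r"C:\Windows\SysWOW64\cmd.exe",
     r'"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "pdates.exe" /P "Admin:N"&&CACLS "pdates.exe" /P "Admin:R" /E&&echo Y|CACLS "..\925e7e99c5" /P "Admin:N"&&CACLS "..\925e7e99c5" /P "Admin:R" /E&&Exit'),
    (r"C:\Windows\SysWOW64\cacls.exe", r'CACLS "pdates.exe" /P "Admin:N"'),
    (r"C:\Windows\SysWOW64\cacls.exe", r'CACLS "pdates.exe" /P "Admin:R" /E'),
    (r"C:\Windows\SysWOW64\cacls.exe", r'CACLS "..\925e7e99c5" /P "Admin:N"'),
    (r"C:\Windows\SysWOW64\cacls.exe", r'CACLS "..\925e7e99c5" /P "Admin:R" /E'),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_PROCESSES):
        print(finding)
```

Recovery note: the account that ran CACLS is still the owner of the file and the folder, and an owner always holds WRITE_DAC, so `icacls <path> /reset` (or `takeown` followed by `icacls`) from that account restores the ACL before the copy and the task are removed.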
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| FI | 77.91.68.61:80 | | tcp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| NL | 23.62.61.99:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.61.62.23.in-addr.arpa | udp |
| NL | 23.62.61.99:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| FI | 77.91.124.84:19071 | | tcp |
| FI | 77.91.124.84:19071 | | tcp |
| FI | 77.91.68.61:80 | | tcp |
| FI | 77.91.124.84:19071 | | tcp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| FI | 77.91.68.61:80 | | tcp |
| FI | 77.91.124.84:19071 | | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| FI | 77.91.124.84:19071 | | tcp |
| FI | 77.91.124.84:19071 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6943361.exe
| MD5 | f5a97c904b3ad7b593cee2f7c29e0773 |
| SHA1 | 73f3eb4a8add3d1283caa3a764a41fc0479356a6 |
| SHA256 | 904d21987199721169e7b86bbd054ffd7ad714ce2c0873a9ceeb9e96f5809cd4 |
| SHA512 | cf4cca4dc801b996de1c6eea1ed1580403cdf7aacdb63aa6d7755ea671aff22acac67391dd7683d1b9583fd0800390fb382840a16b037914a23cfa28b1ff57fc |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g4036840.exe
| MD5 | aea234064483f651010cf9d981f59fea |
| SHA1 | 002ad73a666d2d92d0c6d6b617e61c6fa0c5f3a6 |
| SHA256 | 58b02c8b4bc2bf7f5f1e8e45d7c206956f188ae56b648922ca75987b999db503 |
| SHA512 | eae415ef55aeb1b4548c2422a72e618fce17c2c1322918d33dc6b9202a01c743a5684ba28e5d83b6cdb2b703bc12569e6bb0e87ef2decb4e8a18592e1380a434 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h2954616.exe
| MD5 | 7e93bacbbc33e6652e147e7fe07572a0 |
| SHA1 | 421a7167da01c8da4dc4d5234ca3dd84e319e762 |
| SHA256 | 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38 |
| SHA512 | 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91 |
memory/1388-27-0x0000000000850000-0x000000000085A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j8567322.exe
| MD5 | 70ca9c33838b1ee6064e6dcf644561a4 |
| SHA1 | a49eeac940e551865ce58db85e35d07eb23e902d |
| SHA256 | edac60eccc6a5e6b23dc809fe3bd662eec9c502e5ac41ae2b33ccc7e5e46e605 |
| SHA512 | 1f47e5516d772eeb19ee4d6cfd3f5a3086e5fe920c9b59432046cef5b01dd8b1d772ff1a9940eabbd4a0b591739c0a8c64a9d9a103b6975eb52eb811b3e9a7c8 |
memory/5004-32-0x0000000000A30000-0x0000000000A60000-memory.dmp
memory/5004-33-0x0000000005210000-0x0000000005216000-memory.dmp
memory/5004-34-0x000000000AE70000-0x000000000B488000-memory.dmp
memory/5004-35-0x000000000A9E0000-0x000000000AAEA000-memory.dmp
memory/5004-36-0x000000000A920000-0x000000000A932000-memory.dmp
memory/5004-37-0x000000000A980000-0x000000000A9BC000-memory.dmp
memory/5004-38-0x0000000004D40000-0x0000000004D8C000-memory.dmp
Analysis: behavioral19
Detonation Overview
Submitted
2024-05-10 11:49
Reported
2024-05-10 11:52
Platform
win10v2004-20240226-en
Max time kernel
141s
Max time network
151s
Command Line
Signatures
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a3252242.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a3252242.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a3252242.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a3252242.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a3252242.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a3252242.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4118992.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a3252242.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b2630465.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a3252242.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a3252242.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\be7c09289a731533f9a2ca91d21b2f010905c445c8710ce84ae829cfe48d3343.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4118992.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a3252242.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a3252242.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a3252242.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\be7c09289a731533f9a2ca91d21b2f010905c445c8710ce84ae829cfe48d3343.exe
"C:\Users\Admin\AppData\Local\Temp\be7c09289a731533f9a2ca91d21b2f010905c445c8710ce84ae829cfe48d3343.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4118992.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4118992.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a3252242.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a3252242.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b2630465.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b2630465.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3696 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 239.249.30.184.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 13.107.253.64:443 | | tcp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| DE | 217.196.96.101:4132 | | tcp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| DE | 217.196.96.101:4132 | | tcp |
| DE | 217.196.96.101:4132 | | tcp |
| US | 8.8.8.8:53 | 14.179.89.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4118992.exe
| MD5 | 342b1816c9b8d3e94affca15effaa80e |
| SHA1 | d335bae1ffead340c29b008bb61e3c353520eb8b |
| SHA256 | 189bf8b11dee99ed7e1e469dc473e6a36cc501c81db6093fdae6c031c37139e3 |
| SHA512 | c119ef28e0b35fb48c36e3cf24855056eb0d2ab4cd94af312e33f7ca2bef26563ba46b12783177ff9dbb4e0c9a8982527163ee73e5ac35b4388d02dc673b3269 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a3252242.exe
| MD5 | 12a050bebc4ee3e342a8201d7980c888 |
| SHA1 | a9bf8ead7baa337173f676549de30df7ec1eb6e8 |
| SHA256 | 7a6996e3e255f8c534550ce0697812ec907d0654d93797c9eb4af101dd33d72e |
| SHA512 | 974a54fe5f1049f5994bc576cc3643d4c28e97ead6c5bac09288bcd0c6ff206b4c8eaec2909ccc4755565cf6a978af8d599d7a29372016662d183b305ab5f7f2 |
memory/2824-14-0x0000000073CCE000-0x0000000073CCF000-memory.dmp
memory/2824-15-0x0000000073CC0000-0x0000000074470000-memory.dmp
memory/2824-16-0x0000000002140000-0x000000000215A000-memory.dmp
memory/2824-17-0x0000000073CC0000-0x0000000074470000-memory.dmp
memory/2824-18-0x0000000073CC0000-0x0000000074470000-memory.dmp
memory/2824-19-0x0000000004A10000-0x0000000004FB4000-memory.dmp
memory/2824-20-0x0000000002440000-0x0000000002458000-memory.dmp
memory/2824-21-0x0000000002440000-0x0000000002452000-memory.dmp
memory/2824-24-0x0000000002440000-0x0000000002452000-memory.dmp
memory/2824-48-0x0000000002440000-0x0000000002452000-memory.dmp
memory/2824-46-0x0000000002440000-0x0000000002452000-memory.dmp
memory/2824-44-0x0000000002440000-0x0000000002452000-memory.dmp
memory/2824-42-0x0000000002440000-0x0000000002452000-memory.dmp
memory/2824-40-0x0000000002440000-0x0000000002452000-memory.dmp
memory/2824-38-0x0000000002440000-0x0000000002452000-memory.dmp
memory/2824-36-0x0000000002440000-0x0000000002452000-memory.dmp
memory/2824-34-0x0000000002440000-0x0000000002452000-memory.dmp
memory/2824-32-0x0000000002440000-0x0000000002452000-memory.dmp
memory/2824-30-0x0000000002440000-0x0000000002452000-memory.dmp
memory/2824-26-0x0000000002440000-0x0000000002452000-memory.dmp
memory/2824-22-0x0000000002440000-0x0000000002452000-memory.dmp
memory/2824-28-0x0000000002440000-0x0000000002452000-memory.dmp
memory/2824-49-0x0000000073CCE000-0x0000000073CCF000-memory.dmp
memory/2824-50-0x0000000073CC0000-0x0000000074470000-memory.dmp
memory/2824-52-0x0000000073CC0000-0x0000000074470000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b2630465.exe
| MD5 | c06cddf22cb66dfd43c6a46444fca4f2 |
| SHA1 | f5ee4fbe06f1d18575e60017b08c9f1eae211744 |
| SHA256 | f8d5814bf1c7514646359fa5f322ba3b7868804a61ee50605232e1b315a649af |
| SHA512 | 091513d35ea23d63491af13edb83d976aa795e334ead4cfda23420b5778307c980cac5f7498981d47c1835b1baf383b86d5278731ad5e719f20b8370a28240df |
memory/4416-56-0x0000000000C60000-0x0000000000C90000-memory.dmp
memory/4416-57-0x0000000002EA0000-0x0000000002EA6000-memory.dmp
memory/4416-58-0x000000000B160000-0x000000000B778000-memory.dmp
memory/4416-59-0x000000000AC50000-0x000000000AD5A000-memory.dmp
memory/4416-60-0x000000000AB40000-0x000000000AB52000-memory.dmp
memory/4416-61-0x000000000ABA0000-0x000000000ABDC000-memory.dmp
memory/4416-62-0x00000000054F0000-0x000000000553C000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-10 11:49
Reported
2024-05-10 11:52
Platform
win10v2004-20240508-en
Max time kernel
142s
Max time network
155s
Command Line
Signatures
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k0868537.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k0868537.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k0868537.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k0868537.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k0868537.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k0868537.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9618800.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y7994942.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k0868537.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l2565488.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k0868537.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k0868537.exe | N/A |
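The Healer rows in this detonation, and in the h2954616.exe and a3252242.exe runs earlier in the report, all set the same five Real-Time Protection policy values to 1 and Features\TamperProtection to 0, sometimes under the native Policies path and sometimes under the WOW6432Node view. The Python below is an added example, not part of the sandbox report: it parses Indicator strings of this shape, folds the two registry views together, and groups Defender-weakening writes by the process that made them. SAMPLE_ROWS is constructed from the report's tables; the rule labels and the two-finding threshold are this example's own choices. Caveat for anyone turning this into a host check: with Tamper Protection enabled, Defender ignores these registry changes, so a hit proves an attempt, not that protection was actually disabled.

```python
"""Flag Windows Defender tamper attempts in sandbox registry-write rows.

Added example, not part of the sandbox report. SAMPLE_ROWS is constructed
from the Indicator strings shown in the report; the parsing, rule names
and threshold are this example's own.
"""
from collections import defaultdict

# Keys matched after normalisation (lower-case, WOW6432Node view folded in).
RTP_KEY = r"hklm\software\policies\microsoft\windows defender\real-time protection"
FEATURES_KEY = r"hklm\software\microsoft\windows defender\features"


def normalise_key(key: str) -> str:
    """Map the sandbox's kernel-style path onto a hive name and drop the
    WOW6432Node redirection so 32-bit and native writes compare equal."""
    key = key.replace("\\REGISTRY\\MACHINE\\", "HKLM\\", 1)
    key = key.replace("\\WOW6432Node\\", "\\", 1)
    return key.lower()


def parse_indicator(indicator: str):
    """Split a report Indicator into (key, value_name, value).

    'Set value' rows look like  <key>\\<name> = "<value>";
    'Key created' rows are just <key> and yield (key, None, None).
    """
    if " = " not in indicator:
        return normalise_key(indicator), None, None
    path, _, raw = indicator.partition(" = ")
    key, _, name = path.rpartition("\\")
    return normalise_key(key), name, raw.strip().strip('"')


def classify(indicator: str):
    """Return a finding label for a Defender-weakening write, else None."""
    key, name, value = parse_indicator(indicator)
    if name is None:
        return None
    if key == RTP_KEY and name.lower().startswith("disable") and value == "1":
        return f"defender_rtp_policy:{name}"
    if key == FEATURES_KEY and name.lower() == "tamperprotection" and value == "0":
        return "defender_tamper_protection_off"
    return None


def summarise(rows):
    """Group findings by writing process: {process: sorted finding labels}."""
    by_proc = defaultdict(set)
    for row in rows:
        label = classify(row["indicator"])
        if label:
            by_proc[row["process"]].add(label)
    return {proc: sorted(labels) for proc, labels in by_proc.items()}


def av_disablers(rows, min_findings=2):
    """Processes with at least min_findings distinct Defender-weakening writes."""
    return sorted(p for p, f in summarise(rows).items() if len(f) >= min_findings)


# Constructed from the report's signature tables: two detonations of the same
# family, one writing the native Policies path, one the WOW6432Node view.
H = r"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h2954616.exe"
A = r"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a3252242.exe"
X = r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6943361.exe"
RTP = r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
RTP32 = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection"
SAMPLE_ROWS = [
    {"indicator": RTP, "process": H},  # "Key created" row, no value
    {"indicator": RTP + r'\DisableRealtimeMonitoring = "1"', "process": H},
    {"indicator": RTP + r'\DisableBehaviorMonitoring = "1"', "process": H},
    {"indicator": RTP + r'\DisableIOAVProtection = "1"', "process": H},
    {"indicator": r'\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"', "process": H},
    {"indicator": RTP32 + r'\DisableScanOnRealtimeEnable = "1"', "process": A},
    {"indicator": r'\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"', "process": A},
    # wextract cleanup RunOnce entry from the same report (value shortened here):
    # a registry write, but not a Defender one, so it must not match.
    {"indicator": r'\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe advpack.dll,DelNodeRunDLL32"', "process": X},
]

if __name__ == "__main__":
    for proc, findings in summarise(SAMPLE_ROWS).items():
        print(proc, findings)
    print("AV disablers:", av_disablers(SAMPLE_ROWS))
```

The same normalisation is worth applying to Sysmon Event ID 13 (RegistryEvent value set) telemetry, where TargetObject carries the HKLM prefix instead of \REGISTRY\MACHINE; only the first replace in normalise_key needs to change.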
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\1238663077477c73376048d8230b1c33b6f5f6a62da8a6c1274721591dac70be.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9618800.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y7994942.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k0868537.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k0868537.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k0868537.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\1238663077477c73376048d8230b1c33b6f5f6a62da8a6c1274721591dac70be.exe
"C:\Users\Admin\AppData\Local\Temp\1238663077477c73376048d8230b1c33b6f5f6a62da8a6c1274721591dac70be.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9618800.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9618800.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y7994942.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y7994942.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k0868537.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k0868537.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=1288,i,11746347647270949551,7786733067759450703,262144 --variations-seed-version --mojo-platform-channel-handle=4160 /prefetch:8
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l2565488.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l2565488.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| FI | 77.91.68.56:19071 | | tcp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| FI | 77.91.68.56:19071 | | tcp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| FI | 77.91.68.56:19071 | | tcp |
| FI | 77.91.68.56:19071 | | tcp |
| US | 8.8.8.8:53 | 209.143.182.52.in-addr.arpa | udp |
| FI | 77.91.68.56:19071 | | tcp |
| FI | 77.91.68.56:19071 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9618800.exe
| MD5 | 90ddc71aad47f855293aac8fb6cc3155 |
| SHA1 | fd7c1a778a3b152efc0191abb4d9850d3d16c27d |
| SHA256 | b5e4572305046a1e2cb098917210151587637b9c36e569e865604c2ac9c44a89 |
| SHA512 | 7e245ae5d1719e0d5b602daab25e5909ce69ac7043e86484bb4f78dcca330388e3a5d2ac107a2461034f6d4516114be2e57fd7a870d1e12c3d57b4200ac38e2a |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y7994942.exe
| MD5 | 99a8d9274cc4137b35ba4257b8656bde |
| SHA1 | 1bc53a1ba6f9ba68e72e4b0633cf6cd4906f03a6 |
| SHA256 | 97c5f5178025c0394c7da0b0e07572cdbe125ba415d6287691a24385bd78d8ac |
| SHA512 | a8b8d287d8ea83079e778a0825c78c8a0e8eaa4762f49f57548cbf57c9199b023505061318c9bb3d34af62349d81626f027d3463926b849206302a9caa934b7b |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k0868537.exe
| MD5 | e16312c7c9a868625867d1b890aca6a4 |
| SHA1 | df0ab37d89638f7b20a5dae626e443d6cdd7e7de |
| SHA256 | 52ee36c62392f58e1477cdc63784fd76c34beb00f228e5a53cf87061f92d0f54 |
| SHA512 | 875849af8dc45f53f1c8b71ba7a6487268618c145f10c2d817fcd7aa517e0aff174e14bd7067712e14141248ef4754fcf5c6339ae3a4c1eb80f982353543cbb1 |
memory/2996-21-0x0000000000401000-0x0000000000404000-memory.dmp
memory/2996-22-0x0000000000560000-0x000000000059E000-memory.dmp
memory/2996-28-0x0000000000560000-0x000000000059E000-memory.dmp
memory/2996-29-0x0000000002240000-0x0000000002241000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l2565488.exe
| MD5 | a3e8dfc21a7b47a0c350c9ac0d531045 |
| SHA1 | 04e9e262d60a6d12621605556a886d79454a2f8f |
| SHA256 | 92d96d740fe1e575f6ad6b93af64e0e4d47ebd6c5e70d2f6fa5892e8c1548124 |
| SHA512 | fef294ca2691dde614b44d79b7f67b44984f43ea201e3b352ee8ab38346fbc02b711c8e7ff47dad7eca0e445df34adcc9493c61f9f9128cb12f08dc685941cc6 |
memory/3252-35-0x00000000005E0000-0x000000000066C000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\System.dll.log
| MD5 | 916851e072fbabc4796d8916c5131092 |
| SHA1 | d48a602229a690c512d5fdaf4c8d77547a88e7a2 |
| SHA256 | 7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d |
| SHA512 | 07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521 |
memory/3252-42-0x00000000005E0000-0x000000000066C000-memory.dmp
memory/3252-44-0x00000000044F0000-0x00000000044F6000-memory.dmp
memory/3252-45-0x00000000049E0000-0x0000000004FF8000-memory.dmp
memory/3252-46-0x0000000005090000-0x000000000519A000-memory.dmp
memory/3252-47-0x00000000051C0000-0x00000000051D2000-memory.dmp
memory/3252-48-0x00000000051E0000-0x000000000521C000-memory.dmp
memory/3252-49-0x0000000005250000-0x000000000529C000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2024-05-10 11:49
Reported
2024-05-10 11:52
Platform
win10v2004-20240426-en
Max time kernel
136s
Max time network
102s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\25c57e67144c4603cb7936eb9ad62fb4a4b313d0acb99262c66c4792f6ecdf48.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\25c57e67144c4603cb7936eb9ad62fb4a4b313d0acb99262c66c4792f6ecdf48.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\25c57e67144c4603cb7936eb9ad62fb4a4b313d0acb99262c66c4792f6ecdf48.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\25c57e67144c4603cb7936eb9ad62fb4a4b313d0acb99262c66c4792f6ecdf48.exe
"C:\Users\Admin\AppData\Local\Temp\25c57e67144c4603cb7936eb9ad62fb4a4b313d0acb99262c66c4792f6ecdf48.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.19.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | omnomnom.top | udp |
| DE | 195.201.252.28:443 | omnomnom.top | tcp |
| US | 8.8.8.8:53 | 28.252.201.195.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 142.53.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| BE | 2.17.196.72:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.196.17.2.in-addr.arpa | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| BE | 2.17.196.72:443 | www.bing.com | tcp |
Files
memory/1072-1-0x0000000000580000-0x000000000059E000-memory.dmp
memory/1072-0-0x0000000000401000-0x0000000000402000-memory.dmp
memory/1072-5-0x0000000000400000-0x000000000042E000-memory.dmp
memory/1072-7-0x0000000005000000-0x0000000005012000-memory.dmp
memory/1072-8-0x0000000005020000-0x000000000512A000-memory.dmp
memory/1072-6-0x00000000049A0000-0x0000000004FB8000-memory.dmp
memory/1072-9-0x0000000005C60000-0x0000000005C9C000-memory.dmp
memory/1072-10-0x0000000005CD0000-0x0000000005D1C000-memory.dmp
memory/1072-11-0x0000000005E50000-0x0000000006012000-memory.dmp
memory/1072-12-0x0000000006040000-0x000000000656C000-memory.dmp
memory/1072-13-0x0000000006620000-0x0000000006686000-memory.dmp
memory/1072-15-0x0000000006E60000-0x0000000006EF2000-memory.dmp
memory/1072-14-0x0000000006870000-0x0000000006E14000-memory.dmp
memory/1072-16-0x0000000007100000-0x0000000007176000-memory.dmp
memory/1072-17-0x00000000070D0000-0x00000000070EE000-memory.dmp
memory/1072-18-0x0000000007EF0000-0x0000000007F40000-memory.dmp
Analysis: behavioral5
Detonation Overview
Submitted
2024-05-10 11:49
Reported
2024-05-10 11:52
Platform
win10v2004-20240508-en
Max time kernel
147s
Max time network
151s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5932766.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5938639.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g0342307.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\3931c3ca01cc35353f3a071c6ef787511253396b8e24e12cdf7dbbe451ac80c1.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5932766.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5938639.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\3931c3ca01cc35353f3a071c6ef787511253396b8e24e12cdf7dbbe451ac80c1.exe
"C:\Users\Admin\AppData\Local\Temp\3931c3ca01cc35353f3a071c6ef787511253396b8e24e12cdf7dbbe451ac80c1.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5932766.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5932766.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5938639.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5938639.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g0342307.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g0342307.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.99:443 | www.bing.com | tcp |
| FI | 77.91.68.56:19071 | | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.61.62.23.in-addr.arpa | udp |
| NL | 23.62.61.99:443 | www.bing.com | tcp |
| FI | 77.91.68.56:19071 | | tcp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| FI | 77.91.68.56:19071 | | tcp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| FI | 77.91.68.56:19071 | | tcp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| FI | 77.91.68.56:19071 | | tcp |
| FI | 77.91.68.56:19071 | | tcp |
| US | 8.8.8.8:53 | 92.16.208.104.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5932766.exe
| MD5 | 593ede5a8738e03045fbdd8749a6e243 |
| SHA1 | 3a1a88e094044fc01fbb0f3c021f605a0bf205e5 |
| SHA256 | 5bd93810d14d1d53c1b01da14ad20d1678b35121b1b79a99d80d6f142b042b35 |
| SHA512 | 885dea94e1bc48fb33e6a7d090760405d66ddbe870b26bcc6698f7e5cc9be3afa2a8230d221fa5b5e0153186db8f1d8a4f3d39e6a453d3fb483af15f9726628f |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5938639.exe
| MD5 | 4034b1065af3735c533fb7decd29832e |
| SHA1 | 5143cee7c773b6aaee56881d9fa835fd74d1f8b9 |
| SHA256 | 755bb37818f1d16c04a5eea3ee3c2b89d15241d56de769f48a1ca5944cfdca30 |
| SHA512 | 54bafe1aa2c50c7947cc31455337f6eea06cfc272353856be15fe10923d6bff89ff141bd5d106e63817f46958d99f29f2fa1805d19d7ec0577a041e50e210fad |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g0342307.exe
| MD5 | e76acee1a8aec03021a19b513b2840eb |
| SHA1 | 0f7f101568ba939c3dde1bbee456ef558e005960 |
| SHA256 | 11d122567336ec2641f0f38b47fb9f469d9b4ffee8a017f996a028b8989a597b |
| SHA512 | dcd6da202bbcf52fadfd1d12a25eb88383e76274dbd09044e9dc40e36542b4c0791234bbb3101e1e61f48958b00dac26e7c266a65bf3bd54ddec37e2fcd8a3eb |
memory/1720-21-0x0000000000401000-0x0000000000404000-memory.dmp
memory/1720-22-0x0000000001FD0000-0x000000000205C000-memory.dmp
memory/1720-28-0x0000000001FD0000-0x000000000205C000-memory.dmp
memory/1720-29-0x0000000004650000-0x0000000004651000-memory.dmp
memory/1720-30-0x0000000004660000-0x0000000004666000-memory.dmp
memory/1720-31-0x0000000004B30000-0x0000000005148000-memory.dmp
memory/1720-32-0x00000000051E0000-0x00000000052EA000-memory.dmp
memory/1720-33-0x0000000005310000-0x0000000005322000-memory.dmp
memory/1720-34-0x0000000005330000-0x000000000536C000-memory.dmp
memory/1720-35-0x00000000053A0000-0x00000000053EC000-memory.dmp
Analysis: behavioral16
Detonation Overview
Submitted
2024-05-10 11:49
Reported
2024-05-10 11:52
Platform
win10v2004-20240426-en
Max time kernel
150s
Max time network
153s
Command Line
Signatures
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a5361408.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a5361408.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a5361408.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a5361408.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a5361408.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a5361408.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a5361408.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\b9204441.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a5361408.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a5361408.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\b577c897b2be38c4bed293104f5424d9cc6213dcbf6ee85b26b1d55373ce3f2b.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a5361408.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a5361408.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a5361408.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\b577c897b2be38c4bed293104f5424d9cc6213dcbf6ee85b26b1d55373ce3f2b.exe
"C:\Users\Admin\AppData\Local\Temp\b577c897b2be38c4bed293104f5424d9cc6213dcbf6ee85b26b1d55373ce3f2b.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a5361408.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a5361408.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\b9204441.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\b9204441.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| DE | 217.196.96.101:4132 | | tcp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 142.53.16.96.in-addr.arpa | udp |
| DE | 217.196.96.101:4132 | | tcp |
| DE | 217.196.96.101:4132 | | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| IE | 52.111.236.23:443 | | tcp |
| DE | 217.196.96.101:4132 | | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| DE | 217.196.96.101:4132 | | tcp |
| DE | 217.196.96.101:4132 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a5361408.exe
| MD5 | 2b40e45051c08f09e153920e70df2c25 |
| SHA1 | 931d45a37994ecb74d6dee9279d3dd6815f548b3 |
| SHA256 | 058560e2c49c2a222c6af7852a9b34b41bfe339e44cb15242099e45330ea165c |
| SHA512 | 5825aece817b86dd8839aaff8d0589f19ad884a599cc59bd37c21449f635d78cd4604090b4d0c85c05c5fdeabf8e6a2b9f2d80c5ce668df064724405471ba1c2 |
memory/1176-7-0x0000000073BFE000-0x0000000073BFF000-memory.dmp
memory/1176-8-0x0000000002260000-0x000000000227A000-memory.dmp
memory/1176-9-0x0000000073BF0000-0x00000000743A0000-memory.dmp
memory/1176-12-0x0000000073BF0000-0x00000000743A0000-memory.dmp
memory/1176-41-0x0000000004AC0000-0x0000000004AD2000-memory.dmp
memory/1176-37-0x0000000004AC0000-0x0000000004AD2000-memory.dmp
memory/1176-35-0x0000000004AC0000-0x0000000004AD2000-memory.dmp
memory/1176-33-0x0000000004AC0000-0x0000000004AD2000-memory.dmp
memory/1176-31-0x0000000004AC0000-0x0000000004AD2000-memory.dmp
memory/1176-29-0x0000000004AC0000-0x0000000004AD2000-memory.dmp
memory/1176-25-0x0000000004AC0000-0x0000000004AD2000-memory.dmp
memory/1176-23-0x0000000004AC0000-0x0000000004AD2000-memory.dmp
memory/1176-15-0x0000000004AC0000-0x0000000004AD2000-memory.dmp
memory/1176-14-0x0000000004AC0000-0x0000000004AD2000-memory.dmp
memory/1176-39-0x0000000004AC0000-0x0000000004AD2000-memory.dmp
memory/1176-27-0x0000000004AC0000-0x0000000004AD2000-memory.dmp
memory/1176-21-0x0000000004AC0000-0x0000000004AD2000-memory.dmp
memory/1176-19-0x0000000004AC0000-0x0000000004AD2000-memory.dmp
memory/1176-17-0x0000000004AC0000-0x0000000004AD2000-memory.dmp
memory/1176-13-0x0000000073BF0000-0x00000000743A0000-memory.dmp
memory/1176-11-0x0000000004AC0000-0x0000000004AD8000-memory.dmp
memory/1176-10-0x0000000004C30000-0x00000000051D4000-memory.dmp
memory/1176-43-0x0000000073BF0000-0x00000000743A0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\b9204441.exe
| MD5 | eec777b906748afe4d53dbb8e4754198 |
| SHA1 | 8e844ea4bab50d8052265684efc714f489d7d885 |
| SHA256 | 0eb2bb95f55cb1bccdbd68e3641ebb6920a0573a06c437adfc190572580f42e2 |
| SHA512 | 7abdf11736a2dae6e6fefa0e10ace4196236141f12714a236ba9fad23fc29ee8c65a74cb74a280094cb31e2a796596663486e8c0f71c3479d6c08134a239bc86 |
memory/2192-48-0x0000000073BA0000-0x0000000073C4B000-memory.dmp
memory/2192-49-0x0000000002F40000-0x0000000002F46000-memory.dmp
memory/2192-47-0x0000000000C50000-0x0000000000C80000-memory.dmp
memory/2192-50-0x0000000005CE0000-0x00000000062F8000-memory.dmp
memory/2192-51-0x00000000057E0000-0x00000000058EA000-memory.dmp
memory/2192-53-0x0000000073BA0000-0x0000000073C4B000-memory.dmp
memory/2192-54-0x0000000005770000-0x00000000057AC000-memory.dmp
memory/2192-52-0x0000000005710000-0x0000000005722000-memory.dmp
memory/2192-55-0x00000000058F0000-0x000000000593C000-memory.dmp
memory/2192-56-0x0000000073BA0000-0x0000000073C4B000-memory.dmp
Analysis: behavioral21
Detonation Overview
Submitted
2024-05-10 11:49
Reported
2024-05-10 11:52
Platform
win7-20240221-en
Max time kernel
120s
Max time network
127s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\f5875e99d264d6dc6b9a95473f93dd4b60f4562283d31642caef4eb5c5823363.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3048 wrote to memory of 3020 | N/A | C:\Users\Admin\AppData\Local\Temp\f5875e99d264d6dc6b9a95473f93dd4b60f4562283d31642caef4eb5c5823363.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 3048 wrote to memory of 3020 | N/A | C:\Users\Admin\AppData\Local\Temp\f5875e99d264d6dc6b9a95473f93dd4b60f4562283d31642caef4eb5c5823363.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 3048 wrote to memory of 3020 | N/A | C:\Users\Admin\AppData\Local\Temp\f5875e99d264d6dc6b9a95473f93dd4b60f4562283d31642caef4eb5c5823363.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 3048 wrote to memory of 3020 | N/A | C:\Users\Admin\AppData\Local\Temp\f5875e99d264d6dc6b9a95473f93dd4b60f4562283d31642caef4eb5c5823363.exe | C:\Windows\SysWOW64\WerFault.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\f5875e99d264d6dc6b9a95473f93dd4b60f4562283d31642caef4eb5c5823363.exe
"C:\Users\Admin\AppData\Local\Temp\f5875e99d264d6dc6b9a95473f93dd4b60f4562283d31642caef4eb5c5823363.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3048 -s 88
Network
Files
memory/3048-0-0x0000000001088000-0x0000000001089000-memory.dmp