Malware Analysis Report

2024-10-16 03:58

Sample ID 240510-ppekwahg33
Target c5a3dbeea17ddba50482e7844a817171580f977dcea9ad7b655d39a934b93b93
SHA256 c5a3dbeea17ddba50482e7844a817171580f977dcea9ad7b655d39a934b93b93
Tags
amadey healer redline krast dropper evasion infostealer persistence trojan 7001210066 discovery dumud zgrat rat spyware stealer lamp lumma lande 5195552529 smokeloader roma backdoor lux3
score
10/10

Analysis Overview

Threat Level: Known bad

The file c5a3dbeea17ddba50482e7844a817171580f977dcea9ad7b655d39a934b93b93 was found to be: Known bad.

Malicious Activity Summary

Healer

Detect ZGRat V1

Amadey

SmokeLoader

ZGRat

Lumma Stealer

RedLine

Detects Healer an antivirus disabler dropper

Modifies Windows Defender Real-time Protection settings

RedLine payload

Executes dropped EXE

Windows security modification

Checks computer location settings

Reads user/profile data of web browsers

Adds Run key to start application

Legitimate hosting services abused for malware hosting/C2

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of SetThreadContext

Launches sc.exe

Program crash

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Checks SCSI registry key(s)

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Analysis: static1

Detonation Overview

Reported

2024-05-10 12:30

Signatures

Unsigned PE


Analysis: behavioral4

Detonation Overview

Submitted

2024-05-10 12:29

Reported

2024-05-10 12:33

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1e44c41d8d889c0d0e018128db620f95ba933996ae31dd11da4f5d407c764691.exe"

Signatures

Amadey

trojan amadey

Detects Healer an antivirus disabler dropper

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p9107253.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p9107253.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p9107253.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p9107253.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p9107253.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p9107253.exe N/A

RedLine

infostealer redline

RedLine payload

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r5880657.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p9107253.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\1e44c41d8d889c0d0e018128db620f95ba933996ae31dd11da4f5d407c764691.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3352497.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p9107253.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p9107253.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p9107253.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 912 wrote to memory of 3976 N/A C:\Users\Admin\AppData\Local\Temp\1e44c41d8d889c0d0e018128db620f95ba933996ae31dd11da4f5d407c764691.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3352497.exe
PID 912 wrote to memory of 3976 N/A C:\Users\Admin\AppData\Local\Temp\1e44c41d8d889c0d0e018128db620f95ba933996ae31dd11da4f5d407c764691.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3352497.exe
PID 912 wrote to memory of 3976 N/A C:\Users\Admin\AppData\Local\Temp\1e44c41d8d889c0d0e018128db620f95ba933996ae31dd11da4f5d407c764691.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3352497.exe
PID 3976 wrote to memory of 696 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3352497.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p9107253.exe
PID 3976 wrote to memory of 696 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3352497.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p9107253.exe
PID 3976 wrote to memory of 4496 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3352497.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r5880657.exe
PID 3976 wrote to memory of 4496 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3352497.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r5880657.exe
PID 3976 wrote to memory of 4496 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3352497.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r5880657.exe
PID 4496 wrote to memory of 1000 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r5880657.exe C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe
PID 4496 wrote to memory of 1000 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r5880657.exe C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe
PID 4496 wrote to memory of 1000 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r5880657.exe C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe
PID 912 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\1e44c41d8d889c0d0e018128db620f95ba933996ae31dd11da4f5d407c764691.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\t0213700.exe
PID 912 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\1e44c41d8d889c0d0e018128db620f95ba933996ae31dd11da4f5d407c764691.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\t0213700.exe
PID 912 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\1e44c41d8d889c0d0e018128db620f95ba933996ae31dd11da4f5d407c764691.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\t0213700.exe
PID 1000 wrote to memory of 4816 N/A C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe C:\Windows\SysWOW64\schtasks.exe
PID 1000 wrote to memory of 4816 N/A C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe C:\Windows\SysWOW64\schtasks.exe
PID 1000 wrote to memory of 4816 N/A C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe C:\Windows\SysWOW64\schtasks.exe
PID 1000 wrote to memory of 3140 N/A C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe C:\Windows\SysWOW64\cmd.exe
PID 1000 wrote to memory of 3140 N/A C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe C:\Windows\SysWOW64\cmd.exe
PID 1000 wrote to memory of 3140 N/A C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe C:\Windows\SysWOW64\cmd.exe
PID 3140 wrote to memory of 880 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3140 wrote to memory of 880 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3140 wrote to memory of 880 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3140 wrote to memory of 4844 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3140 wrote to memory of 4844 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3140 wrote to memory of 4844 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3140 wrote to memory of 4936 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3140 wrote to memory of 4936 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3140 wrote to memory of 4936 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3140 wrote to memory of 4900 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3140 wrote to memory of 4900 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3140 wrote to memory of 4900 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3140 wrote to memory of 752 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3140 wrote to memory of 752 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3140 wrote to memory of 752 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3140 wrote to memory of 1756 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3140 wrote to memory of 1756 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3140 wrote to memory of 1756 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe

Processes

C:\Users\Admin\AppData\Local\Temp\1e44c41d8d889c0d0e018128db620f95ba933996ae31dd11da4f5d407c764691.exe

"C:\Users\Admin\AppData\Local\Temp\1e44c41d8d889c0d0e018128db620f95ba933996ae31dd11da4f5d407c764691.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3352497.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3352497.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p9107253.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p9107253.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r5880657.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r5880657.exe

C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe

"C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\t0213700.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\t0213700.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legola.exe /TR "C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legola.exe" /P "Admin:N"&&CACLS "legola.exe" /P "Admin:R" /E&&echo Y|CACLS "..\ebb444342c" /P "Admin:N"&&CACLS "..\ebb444342c" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "legola.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "legola.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\ebb444342c" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\ebb444342c" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe

C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe

C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe

C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe

C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe

C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.113:443 www.bing.com tcp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.113:443 www.bing.com tcp
US 8.8.8.8:53 113.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
SE 5.42.92.67:80 tcp
FI 77.91.68.68:19071 tcp
FI 77.91.68.68:19071 tcp
SE 5.42.92.67:80 tcp
FI 77.91.68.68:19071 tcp
SE 5.42.92.67:80 tcp
FI 77.91.68.68:19071 tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
FI 77.91.68.68:19071 tcp
FI 77.91.68.68:19071 tcp
US 8.8.8.8:53 udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3352497.exe

MD5 859530ca071eca4d755d51e586e8e887
SHA1 de62d33ce5bdbcaee3969c0b7f5923be57f65b18
SHA256 51fe2b44092632d15df632de06f77403d4ed876e788b6b513102a552a4fd7532
SHA512 acd81f2a81bdf865b7ae581034c813d41e694cd942ceca7c5ce801d427c5163803da91d0d06e6eeef5b7906af6dcd075aa869eb5901c96fb162a9031cb0621c1

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p9107253.exe

MD5 9df47b120c7025ec8ffdc3338bf3371a
SHA1 18c9a5590d838f935ea38598118558686094db80
SHA256 cc881b7786c962ef44b2394705f24fbf1f7964505b2d3322a522a62d838ff829
SHA512 a70ea602160af906fa5958b9d01ee0ddd93bda62c8f5c1ec2632471561df5290ecd8f428f0b3c87bb2fa8a5546bd9e2e5200faa708d62a3ee36df69390227dc4

memory/696-14-0x00000000007A0000-0x00000000007AA000-memory.dmp

memory/696-15-0x00007FFF8C9E3000-0x00007FFF8C9E5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r5880657.exe

MD5 a748d210956507aaeb3aa55c796c4493
SHA1 6536facee8829b5d0cab1bcb31c9bb528812c0eb
SHA256 970a4c051a4e15f2fb1aef52a2916e417719475bf3bf076194c3978ca526ac83
SHA512 e117d4e660e74fafee8aab8cc412969b6f27287ce9efd787a72aa40d4128853b46e5a04e5217f1d72cbd5b69ac5570d49c823134776aa9f9cb297b71061aed25

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\t0213700.exe

MD5 b8c5d95c1f7a38803ce7e06a3163b115
SHA1 8f5850e40c86222637fdf8fe190880eb203bd546
SHA256 dca8ac02fa9e6017548cee8be5c5073643fb1096ed887ac87301018c8f663f61
SHA512 2d55b6393a16147be65d6f5dd8b35bbea1b06b6aafd32256a2accb59877156de41dec5d48f8d05a22abb2853f32ac79932fc43cca7d38a83e89e2f14c55b823c

Analysis: behavioral8

Detonation Overview

Submitted

2024-05-10 12:29

Reported

2024-05-10 12:33

Platform

win10v2004-20240508-en

Max time kernel

148s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5a4570005d13d7c9c706dbdc0cc5ee5b8dfd33f7be6a6204a95d2134e3a483a4.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1196 set thread context of 1544 N/A C:\Users\Admin\AppData\Local\Temp\5a4570005d13d7c9c706dbdc0cc5ee5b8dfd33f7be6a6204a95d2134e3a483a4.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1196 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Local\Temp\5a4570005d13d7c9c706dbdc0cc5ee5b8dfd33f7be6a6204a95d2134e3a483a4.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1196 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Local\Temp\5a4570005d13d7c9c706dbdc0cc5ee5b8dfd33f7be6a6204a95d2134e3a483a4.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1196 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Local\Temp\5a4570005d13d7c9c706dbdc0cc5ee5b8dfd33f7be6a6204a95d2134e3a483a4.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1196 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Local\Temp\5a4570005d13d7c9c706dbdc0cc5ee5b8dfd33f7be6a6204a95d2134e3a483a4.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1196 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Local\Temp\5a4570005d13d7c9c706dbdc0cc5ee5b8dfd33f7be6a6204a95d2134e3a483a4.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1196 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Local\Temp\5a4570005d13d7c9c706dbdc0cc5ee5b8dfd33f7be6a6204a95d2134e3a483a4.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1196 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Local\Temp\5a4570005d13d7c9c706dbdc0cc5ee5b8dfd33f7be6a6204a95d2134e3a483a4.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1196 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Local\Temp\5a4570005d13d7c9c706dbdc0cc5ee5b8dfd33f7be6a6204a95d2134e3a483a4.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5a4570005d13d7c9c706dbdc0cc5ee5b8dfd33f7be6a6204a95d2134e3a483a4.exe

"C:\Users\Admin\AppData\Local\Temp\5a4570005d13d7c9c706dbdc0cc5ee5b8dfd33f7be6a6204a95d2134e3a483a4.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 pastebin.com udp
US 104.20.4.235:443 pastebin.com tcp
NL 23.62.61.99:443 www.bing.com tcp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 235.4.20.104.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 99.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 104.20.4.235:443 pastebin.com tcp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 142.53.16.96.in-addr.arpa udp
US 104.20.4.235:443 pastebin.com tcp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 8.8.8.8:53 209.80.50.20.in-addr.arpa udp

Analysis: behavioral14

Detonation Overview

Submitted

2024-05-10 12:29

Reported

2024-05-10 12:32

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8a73bb4899be69e1a77d74c46f81ca29b85b5c67b642e09f9735dec87b8b4cc3.exe"

Signatures

Detects Healer an antivirus disabler dropper

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0366696.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0366696.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0366696.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0366696.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0366696.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0366696.exe N/A

RedLine

infostealer redline

RedLine payload

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0366696.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0366696.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\8a73bb4899be69e1a77d74c46f81ca29b85b5c67b642e09f9735dec87b8b4cc3.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8920385.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0366696.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0366696.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0366696.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2944 wrote to memory of 4364 N/A C:\Users\Admin\AppData\Local\Temp\8a73bb4899be69e1a77d74c46f81ca29b85b5c67b642e09f9735dec87b8b4cc3.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8920385.exe
PID 2944 wrote to memory of 4364 N/A C:\Users\Admin\AppData\Local\Temp\8a73bb4899be69e1a77d74c46f81ca29b85b5c67b642e09f9735dec87b8b4cc3.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8920385.exe
PID 2944 wrote to memory of 4364 N/A C:\Users\Admin\AppData\Local\Temp\8a73bb4899be69e1a77d74c46f81ca29b85b5c67b642e09f9735dec87b8b4cc3.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8920385.exe
PID 4364 wrote to memory of 4836 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8920385.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0366696.exe
PID 4364 wrote to memory of 4836 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8920385.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0366696.exe
PID 4364 wrote to memory of 4836 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8920385.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0366696.exe
PID 4364 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8920385.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l3800882.exe
PID 4364 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8920385.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l3800882.exe
PID 4364 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8920385.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l3800882.exe

Processes

C:\Users\Admin\AppData\Local\Temp\8a73bb4899be69e1a77d74c46f81ca29b85b5c67b642e09f9735dec87b8b4cc3.exe

"C:\Users\Admin\AppData\Local\Temp\8a73bb4899be69e1a77d74c46f81ca29b85b5c67b642e09f9735dec87b8b4cc3.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8920385.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8920385.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0366696.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0366696.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l3800882.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l3800882.exe

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start wuauserv

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.160:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 160.61.62.23.in-addr.arpa udp
NL 23.62.61.113:443 www.bing.com tcp
US 8.8.8.8:53 113.61.62.23.in-addr.arpa udp
DE 217.196.96.101:4132 tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 139.53.16.96.in-addr.arpa udp
DE 217.196.96.101:4132 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
DE 217.196.96.101:4132 tcp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
DE 217.196.96.101:4132 tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
DE 217.196.96.101:4132 tcp
DE 217.196.96.101:4132 tcp
US 8.8.8.8:53 udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8920385.exe

MD5 564c7dd5cd6f43333f3726a1067fa7b4
SHA1 d435fc75ad9860e41732452696f59c04373531cf
SHA256 0ed66c396d2ae7b2fd68b55a0d8f255e6d017c11dabaec1a6f3550321e83f664
SHA512 efcbdffc5f2992a4ed1dfa092a0ed9bde85116c09570a40a945a1e9a2211a32562e572ff51706334d97de832126faebdeaa878dafb0683c8e84b119e8a576c5a

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0366696.exe

MD5 b4a4c6e6401ce4043ed5f212555de317
SHA1 c6f6c6513769019907b51ff23d0683a5bd197f2a
SHA256 4c411c6600d1f65ea9a585a5f125792c5f74ca5e41d63fc2bd70c60d3b9e7447
SHA512 68b9fd346cddae31abd19022f854ce9b77f48a37cbb8b852ffcab4b3550011e27f1859f33ac2f4745f4838b8084f2a8e9674cd43dfbd18b945f395946b2b3974

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l3800882.exe

MD5 fecafbd83c6218e3ad98ca6c7d0b5671
SHA1 72376a75ab9ce874cfb24df53b52700fb059f47e
SHA256 af55b182e0f5bf4176ceb683cf3e1196ddc159afc733b576be40e6c3b62f793e
SHA512 f44966c871ee17bc71186242b485a768ef6ac48a100a02232d2586b36fc9d0703e3dbfbddce6e55938c586e24aa3c38cbd6bdc47151bc4f51ffbcabd137db8f9

Analysis: behavioral19

Detonation Overview

Submitted

2024-05-10 12:29

Reported

2024-05-10 12:33

Platform

win10v2004-20240508-en

Max time kernel

92s

Max time network

95s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c2ef692d84f694cd08e3238ae431c5636be2dc51342782c20a577eb05217557e.exe"

Signatures

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

ZGRat

rat zgrat

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4356 set thread context of 2600 N/A C:\Users\Admin\AppData\Local\Temp\c2ef692d84f694cd08e3238ae431c5636be2dc51342782c20a577eb05217557e.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4356 wrote to memory of 4772 N/A C:\Users\Admin\AppData\Local\Temp\c2ef692d84f694cd08e3238ae431c5636be2dc51342782c20a577eb05217557e.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4356 wrote to memory of 4772 N/A C:\Users\Admin\AppData\Local\Temp\c2ef692d84f694cd08e3238ae431c5636be2dc51342782c20a577eb05217557e.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4356 wrote to memory of 4772 N/A C:\Users\Admin\AppData\Local\Temp\c2ef692d84f694cd08e3238ae431c5636be2dc51342782c20a577eb05217557e.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4356 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\c2ef692d84f694cd08e3238ae431c5636be2dc51342782c20a577eb05217557e.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4356 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\c2ef692d84f694cd08e3238ae431c5636be2dc51342782c20a577eb05217557e.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4356 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\c2ef692d84f694cd08e3238ae431c5636be2dc51342782c20a577eb05217557e.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4356 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\c2ef692d84f694cd08e3238ae431c5636be2dc51342782c20a577eb05217557e.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4356 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\c2ef692d84f694cd08e3238ae431c5636be2dc51342782c20a577eb05217557e.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4356 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\c2ef692d84f694cd08e3238ae431c5636be2dc51342782c20a577eb05217557e.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4356 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\c2ef692d84f694cd08e3238ae431c5636be2dc51342782c20a577eb05217557e.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4356 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\c2ef692d84f694cd08e3238ae431c5636be2dc51342782c20a577eb05217557e.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Processes

C:\Users\Admin\AppData\Local\Temp\c2ef692d84f694cd08e3238ae431c5636be2dc51342782c20a577eb05217557e.exe

"C:\Users\Admin\AppData\Local\Temp\c2ef692d84f694cd08e3238ae431c5636be2dc51342782c20a577eb05217557e.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

Network


Files

Analysis: behavioral22

Detonation Overview

Submitted

2024-05-10 12:29

Reported

2024-05-10 12:32

Platform

win10v2004-20240426-en

Max time kernel

146s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ca6d56a637f121ee6406def5cf89663c3e54b2e175e98d4469fb3e3a46e190da.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k8000827.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k8000827.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k8000827.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k8000827.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k8000827.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k8000827.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Windows security modification

evasion trojan

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k8000827.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k8000827.exe N/A

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\ca6d56a637f121ee6406def5cf89663c3e54b2e175e98d4469fb3e3a46e190da.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8792484.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y3682092.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k8000827.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k8000827.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k8000827.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2532 wrote to memory of 1464 N/A C:\Users\Admin\AppData\Local\Temp\ca6d56a637f121ee6406def5cf89663c3e54b2e175e98d4469fb3e3a46e190da.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8792484.exe
PID 2532 wrote to memory of 1464 N/A C:\Users\Admin\AppData\Local\Temp\ca6d56a637f121ee6406def5cf89663c3e54b2e175e98d4469fb3e3a46e190da.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8792484.exe
PID 2532 wrote to memory of 1464 N/A C:\Users\Admin\AppData\Local\Temp\ca6d56a637f121ee6406def5cf89663c3e54b2e175e98d4469fb3e3a46e190da.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8792484.exe
PID 1464 wrote to memory of 4540 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8792484.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y3682092.exe
PID 1464 wrote to memory of 4540 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8792484.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y3682092.exe
PID 1464 wrote to memory of 4540 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8792484.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y3682092.exe
PID 4540 wrote to memory of 800 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y3682092.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k8000827.exe
PID 4540 wrote to memory of 800 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y3682092.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k8000827.exe
PID 4540 wrote to memory of 800 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y3682092.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k8000827.exe
PID 4540 wrote to memory of 1380 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y3682092.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l8276002.exe
PID 4540 wrote to memory of 1380 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y3682092.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l8276002.exe
PID 4540 wrote to memory of 1380 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y3682092.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l8276002.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ca6d56a637f121ee6406def5cf89663c3e54b2e175e98d4469fb3e3a46e190da.exe

"C:\Users\Admin\AppData\Local\Temp\ca6d56a637f121ee6406def5cf89663c3e54b2e175e98d4469fb3e3a46e190da.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8792484.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8792484.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y3682092.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y3682092.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k8000827.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k8000827.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l8276002.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l8276002.exe

Network


Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8792484.exe

MD5 e9c35fad007c9abb695cdf32a6ef8350
SHA1 d97cc8e389c68e9aff8d28d0691db3da4b56e93d
SHA256 a7e240048e51d605d4c92f47e4dae2c31558849be479794c2ee0761e240ef03d
SHA512 c6e80f476737b9d56d884438fe2045c3b42ce5e2ebc0833ec786f4c75df10934c67e0b194b79174e6588de14de2d651da5b788553ac3e7a619f3effc110c0ef7

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y3682092.exe

MD5 eac44c7b9549f1b58cf25c60ee304435
SHA1 bf66fe6604311066fd2d8de1743af49c8f902edf
SHA256 7adab0943d097033395ba73d8760b3f523fd636a0bb13c8ac0dd37f0a63be91d
SHA512 c32120a4fbeb8b9bff77a9d5fb8f324752524fb8edd87387a28780c0e6eb0affad63a26860f682abac7835ddbcee4cdb9b67f2ecb3a22bdc57802509b5af5ade

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k8000827.exe

MD5 82c2b3a4497da45e69dce662504c47f7
SHA1 068c99cc9b40709f9967d393edd5a9e56b269015
SHA256 cc13fa7cc073a8810513c3fc4bea322132f6c659785cc68a6d11368fe4b11e7d
SHA512 b99991a938c78a90830c08285e98a552c5e0f7eb7717c1a2d4f89f4553bc452944b8b0bf91ad3b930fd9b2c21422fad73b975779c8a7e7a6932b6100fc13e55b

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l8276002.exe

MD5 6d30780150b36e2b9c70bcf294a2fba7
SHA1 60555be1736e34f14a4fb14aa8f1196d982dd29f
SHA256 fcf9145080af193ac72b17a81c9a76688e37ebd172c6b47e39a4ecd1aedd17fd
SHA512 2dc7a5f53794b4c548861f10fad1f0d79e7485cb2bb4de388f3109f8b82d22d1b87456d2e4f9d19d356180fc8cbebb74d3cd696059bd0c1c60284e45895cc58c

memory/1380-35-0x00000000005B0000-0x000000000063C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\System.dll.log

MD5 916851e072fbabc4796d8916c5131092
SHA1 d48a602229a690c512d5fdaf4c8d77547a88e7a2
SHA256 7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d
SHA512 07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-10 12:29

Reported

2024-05-10 12:32

Platform

win7-20240220-en

Max time kernel

120s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1d90edda9fc0271748934c0813b8946478823a33b5892d1be2ddf3d383fbc851.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\1d90edda9fc0271748934c0813b8946478823a33b5892d1be2ddf3d383fbc851.exe

"C:\Users\Admin\AppData\Local\Temp\1d90edda9fc0271748934c0813b8946478823a33b5892d1be2ddf3d383fbc851.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2268 -s 92

Network

N/A

Files

memory/2268-0-0x00000000009D9000-0x00000000009DA000-memory.dmp

Analysis: behavioral13

Detonation Overview

Submitted

2024-05-10 12:29

Reported

2024-05-10 12:33

Platform

win10v2004-20240226-en

Max time kernel

138s

Max time network

164s

Command Line

"C:\Users\Admin\AppData\Local\Temp\77cbabe9fe3b8b9ac3422f2b29fbcb0cdb9ee85c7b64b2bde48da25f6ef608cf.exe"

Signatures

Lumma Stealer

stealer lumma

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 5028 set thread context of 1712 N/A C:\Users\Admin\AppData\Local\Temp\77cbabe9fe3b8b9ac3422f2b29fbcb0cdb9ee85c7b64b2bde48da25f6ef608cf.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5028 wrote to memory of 8 N/A C:\Users\Admin\AppData\Local\Temp\77cbabe9fe3b8b9ac3422f2b29fbcb0cdb9ee85c7b64b2bde48da25f6ef608cf.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 5028 wrote to memory of 8 N/A C:\Users\Admin\AppData\Local\Temp\77cbabe9fe3b8b9ac3422f2b29fbcb0cdb9ee85c7b64b2bde48da25f6ef608cf.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 5028 wrote to memory of 8 N/A C:\Users\Admin\AppData\Local\Temp\77cbabe9fe3b8b9ac3422f2b29fbcb0cdb9ee85c7b64b2bde48da25f6ef608cf.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 5028 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\77cbabe9fe3b8b9ac3422f2b29fbcb0cdb9ee85c7b64b2bde48da25f6ef608cf.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 5028 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\77cbabe9fe3b8b9ac3422f2b29fbcb0cdb9ee85c7b64b2bde48da25f6ef608cf.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 5028 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\77cbabe9fe3b8b9ac3422f2b29fbcb0cdb9ee85c7b64b2bde48da25f6ef608cf.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 5028 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\77cbabe9fe3b8b9ac3422f2b29fbcb0cdb9ee85c7b64b2bde48da25f6ef608cf.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 5028 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\77cbabe9fe3b8b9ac3422f2b29fbcb0cdb9ee85c7b64b2bde48da25f6ef608cf.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 5028 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\77cbabe9fe3b8b9ac3422f2b29fbcb0cdb9ee85c7b64b2bde48da25f6ef608cf.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 5028 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\77cbabe9fe3b8b9ac3422f2b29fbcb0cdb9ee85c7b64b2bde48da25f6ef608cf.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 5028 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\77cbabe9fe3b8b9ac3422f2b29fbcb0cdb9ee85c7b64b2bde48da25f6ef608cf.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 5028 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\77cbabe9fe3b8b9ac3422f2b29fbcb0cdb9ee85c7b64b2bde48da25f6ef608cf.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Processes

C:\Users\Admin\AppData\Local\Temp\77cbabe9fe3b8b9ac3422f2b29fbcb0cdb9ee85c7b64b2bde48da25f6ef608cf.exe

"C:\Users\Admin\AppData\Local\Temp\77cbabe9fe3b8b9ac3422f2b29fbcb0cdb9ee85c7b64b2bde48da25f6ef608cf.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5028 -ip 5028

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4256 --field-trial-handle=2252,i,16022092570067181109,3235558581947505669,262144 --variations-seed-version /prefetch:8

Network


Files

Analysis: behavioral20

Detonation Overview

Submitted

2024-05-10 12:29

Reported

2024-05-10 12:33

Platform

win7-20240508-en

Max time kernel

121s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c39106a3520b59f859a00bc0014f6b5a4846b40742a925b66283b31e62094c4e.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\c39106a3520b59f859a00bc0014f6b5a4846b40742a925b66283b31e62094c4e.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\c39106a3520b59f859a00bc0014f6b5a4846b40742a925b66283b31e62094c4e.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\c39106a3520b59f859a00bc0014f6b5a4846b40742a925b66283b31e62094c4e.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\c39106a3520b59f859a00bc0014f6b5a4846b40742a925b66283b31e62094c4e.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\c39106a3520b59f859a00bc0014f6b5a4846b40742a925b66283b31e62094c4e.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\c39106a3520b59f859a00bc0014f6b5a4846b40742a925b66283b31e62094c4e.exe N/A

Windows security modification

evasion trojan

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\c39106a3520b59f859a00bc0014f6b5a4846b40742a925b66283b31e62094c4e.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\c39106a3520b59f859a00bc0014f6b5a4846b40742a925b66283b31e62094c4e.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c39106a3520b59f859a00bc0014f6b5a4846b40742a925b66283b31e62094c4e.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\c39106a3520b59f859a00bc0014f6b5a4846b40742a925b66283b31e62094c4e.exe

"C:\Users\Admin\AppData\Local\Temp\c39106a3520b59f859a00bc0014f6b5a4846b40742a925b66283b31e62094c4e.exe"

Network

N/A

Files

Analysis: behavioral25

Detonation Overview

Submitted

2024-05-10 12:29

Reported

2024-05-10 12:33

Platform

win7-20240508-en

Max time kernel

117s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e800205bb9a5d3866d735915080e828250891d7d9c930245afd8def35dd08dfd.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\e800205bb9a5d3866d735915080e828250891d7d9c930245afd8def35dd08dfd.exe

"C:\Users\Admin\AppData\Local\Temp\e800205bb9a5d3866d735915080e828250891d7d9c930245afd8def35dd08dfd.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1672 -s 116

Network

N/A

Files

memory/1672-0-0x0000000000CD6000-0x0000000000CD7000-memory.dmp

Analysis: behavioral6

Detonation Overview

Submitted

2024-05-10 12:29

Reported

2024-05-10 12:33

Platform

win10v2004-20240426-en

Max time kernel

143s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\559234fc528754d07d788aa5eff30aba166a9bab82e9eda45a9737647b0e9fe2.exe"

Signatures

Amadey

trojan amadey

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4362728.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4362728.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4362728.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4362728.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4362728.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4362728.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l2300210.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe N/A

Windows security modification

evasion trojan

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4362728.exe N/A

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\559234fc528754d07d788aa5eff30aba166a9bab82e9eda45a9737647b0e9fe2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7041233.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4362728.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4362728.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4362728.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1080 wrote to memory of 4028 N/A C:\Users\Admin\AppData\Local\Temp\559234fc528754d07d788aa5eff30aba166a9bab82e9eda45a9737647b0e9fe2.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7041233.exe
PID 1080 wrote to memory of 4028 N/A C:\Users\Admin\AppData\Local\Temp\559234fc528754d07d788aa5eff30aba166a9bab82e9eda45a9737647b0e9fe2.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7041233.exe
PID 1080 wrote to memory of 4028 N/A C:\Users\Admin\AppData\Local\Temp\559234fc528754d07d788aa5eff30aba166a9bab82e9eda45a9737647b0e9fe2.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7041233.exe
PID 4028 wrote to memory of 4140 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7041233.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4362728.exe
PID 4028 wrote to memory of 4140 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7041233.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4362728.exe
PID 4028 wrote to memory of 2112 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7041233.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l2300210.exe
PID 4028 wrote to memory of 2112 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7041233.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l2300210.exe
PID 4028 wrote to memory of 2112 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7041233.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l2300210.exe
PID 2112 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l2300210.exe C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
PID 2112 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l2300210.exe C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
PID 2112 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l2300210.exe C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
PID 1080 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\559234fc528754d07d788aa5eff30aba166a9bab82e9eda45a9737647b0e9fe2.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n4310013.exe
PID 1080 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\559234fc528754d07d788aa5eff30aba166a9bab82e9eda45a9737647b0e9fe2.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n4310013.exe
PID 1080 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\559234fc528754d07d788aa5eff30aba166a9bab82e9eda45a9737647b0e9fe2.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n4310013.exe
PID 2740 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe C:\Windows\SysWOW64\schtasks.exe
PID 2740 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe C:\Windows\SysWOW64\schtasks.exe
PID 2740 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe C:\Windows\SysWOW64\schtasks.exe
PID 2740 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe C:\Windows\SysWOW64\cmd.exe
PID 2740 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe C:\Windows\SysWOW64\cmd.exe
PID 2740 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe C:\Windows\SysWOW64\cmd.exe
PID 2360 wrote to memory of 4864 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2360 wrote to memory of 4864 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2360 wrote to memory of 4864 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2360 wrote to memory of 4100 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2360 wrote to memory of 4100 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2360 wrote to memory of 4100 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2360 wrote to memory of 4112 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2360 wrote to memory of 4112 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2360 wrote to memory of 4112 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2360 wrote to memory of 4916 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2360 wrote to memory of 4916 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2360 wrote to memory of 4916 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2360 wrote to memory of 3296 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2360 wrote to memory of 3296 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2360 wrote to memory of 3296 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2360 wrote to memory of 3552 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2360 wrote to memory of 3552 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2360 wrote to memory of 3552 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe

Processes

C:\Users\Admin\AppData\Local\Temp\559234fc528754d07d788aa5eff30aba166a9bab82e9eda45a9737647b0e9fe2.exe

"C:\Users\Admin\AppData\Local\Temp\559234fc528754d07d788aa5eff30aba166a9bab82e9eda45a9737647b0e9fe2.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7041233.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7041233.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4362728.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4362728.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l2300210.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l2300210.exe

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

"C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n4310013.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n4310013.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN pdates.exe /TR "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "pdates.exe" /P "Admin:N"&&CACLS "pdates.exe" /P "Admin:R" /E&&echo Y|CACLS "..\925e7e99c5" /P "Admin:N"&&CACLS "..\925e7e99c5" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "pdates.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "pdates.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\925e7e99c5" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\925e7e99c5" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.106:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
NL 23.62.61.106:443 www.bing.com tcp
US 8.8.8.8:53 106.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
FI 77.91.68.61:80 tcp
FI 77.91.124.84:19071 tcp
FI 77.91.124.84:19071 tcp
FI 77.91.68.61:80 tcp
FI 77.91.124.84:19071 tcp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
FI 77.91.68.61:80 tcp
FI 77.91.124.84:19071 tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
FI 77.91.124.84:19071 tcp
FI 77.91.124.84:19071 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7041233.exe

MD5 183806bbe94ffb23e6c01226cd4915ee
SHA1 998b949e4c20f7ba170dea950bdae3b362d59bda
SHA256 ac3392df31711209fa4a6b0583d8e3db99d3338ef656d3323c32c66826ccaf11
SHA512 8243f4aba19476b089b4d59ab2ee4a7e461dc8e0aa0e6837c08369fecc1d76cbfb231c59a25abc155e892ab9c0caac755e2848fb7b33c44dac7d6a7dc15b6e01

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4362728.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

memory/4140-14-0x0000000000520000-0x000000000052A000-memory.dmp

memory/4140-15-0x00007FFA69DC3000-0x00007FFA69DC5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l2300210.exe

MD5 aea234064483f651010cf9d981f59fea
SHA1 002ad73a666d2d92d0c6d6b617e61c6fa0c5f3a6
SHA256 58b02c8b4bc2bf7f5f1e8e45d7c206956f188ae56b648922ca75987b999db503
SHA512 eae415ef55aeb1b4548c2422a72e618fce17c2c1322918d33dc6b9202a01c743a5684ba28e5d83b6cdb2b703bc12569e6bb0e87ef2decb4e8a18592e1380a434

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n4310013.exe

MD5 5ff1425b42293387a69b84bac555297e
SHA1 d7c86fcedc65935563218b66e9df4a5c6e7e409f
SHA256 4b1981dd1b27cd2d082d28431e9362e0d3d435cb227fd209d28c56bf791c835e
SHA512 6c022f100a89b8a000596d7ab737d117b574e19126b907dd83c917ca85159baf207bc438bca6ac360cd86bfef925327cb3a573f47834e2a592343c16c4909265

memory/2144-33-0x00000000003E0000-0x0000000000410000-memory.dmp

memory/2144-34-0x00000000026D0000-0x00000000026D6000-memory.dmp

memory/2144-35-0x0000000005500000-0x0000000005B18000-memory.dmp

memory/2144-36-0x0000000004FF0000-0x00000000050FA000-memory.dmp

memory/2144-37-0x0000000004EA0000-0x0000000004EB2000-memory.dmp

memory/2144-38-0x0000000004F20000-0x0000000004F5C000-memory.dmp

memory/2144-39-0x0000000004F60000-0x0000000004FAC000-memory.dmp

Analysis: behavioral18

Detonation Overview

Submitted

2024-05-10 12:29

Reported

2024-05-10 12:33

Platform

win7-20240220-en

Max time kernel

117s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c2ef692d84f694cd08e3238ae431c5636be2dc51342782c20a577eb05217557e.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\c2ef692d84f694cd08e3238ae431c5636be2dc51342782c20a577eb05217557e.exe

"C:\Users\Admin\AppData\Local\Temp\c2ef692d84f694cd08e3238ae431c5636be2dc51342782c20a577eb05217557e.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2028 -s 52

Network

N/A

Files

memory/2028-0-0x0000000000030000-0x0000000000031000-memory.dmp

memory/2028-1-0x0000000000030000-0x0000000000031000-memory.dmp

Analysis: behavioral9

Detonation Overview

Submitted

2024-05-10 12:29

Reported

2024-05-10 12:33

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\61f1a776dcd13885a5979397d5b945e89d26cfcfe61e000ac89070e4a45bc562.exe"

Signatures

Detects Healer, an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3719439.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3719439.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3719439.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3719439.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3719439.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3719439.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3719439.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3719439.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\61f1a776dcd13885a5979397d5b945e89d26cfcfe61e000ac89070e4a45bc562.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3756826.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3719439.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3719439.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3719439.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1768 wrote to memory of 4748 N/A C:\Users\Admin\AppData\Local\Temp\61f1a776dcd13885a5979397d5b945e89d26cfcfe61e000ac89070e4a45bc562.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3756826.exe
PID 1768 wrote to memory of 4748 N/A C:\Users\Admin\AppData\Local\Temp\61f1a776dcd13885a5979397d5b945e89d26cfcfe61e000ac89070e4a45bc562.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3756826.exe
PID 1768 wrote to memory of 4748 N/A C:\Users\Admin\AppData\Local\Temp\61f1a776dcd13885a5979397d5b945e89d26cfcfe61e000ac89070e4a45bc562.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3756826.exe
PID 4748 wrote to memory of 2024 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3756826.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3719439.exe
PID 4748 wrote to memory of 2024 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3756826.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3719439.exe
PID 4748 wrote to memory of 2024 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3756826.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3719439.exe
PID 4748 wrote to memory of 4672 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3756826.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l6925739.exe
PID 4748 wrote to memory of 4672 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3756826.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l6925739.exe
PID 4748 wrote to memory of 4672 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3756826.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l6925739.exe

Processes

C:\Users\Admin\AppData\Local\Temp\61f1a776dcd13885a5979397d5b945e89d26cfcfe61e000ac89070e4a45bc562.exe

"C:\Users\Admin\AppData\Local\Temp\61f1a776dcd13885a5979397d5b945e89d26cfcfe61e000ac89070e4a45bc562.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3756826.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3756826.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3719439.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3719439.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l6925739.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l6925739.exe

Network

Country Destination Domain Proto
DE 217.196.96.101:4132 tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 98.58.20.217.in-addr.arpa udp
DE 217.196.96.101:4132 tcp
DE 217.196.96.101:4132 tcp
DE 217.196.96.101:4132 tcp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
DE 217.196.96.101:4132 tcp
DE 217.196.96.101:4132 tcp
US 8.8.8.8:53 24.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3756826.exe

MD5 ca2ad17b64a10b961c2b14a7e47a8030
SHA1 a339ebb686b832fc87af3c287f67d8ef52e140e8
SHA256 23bc83a4a63831c87e6d79e2b366e2534c967a13a377e66f4d92e226f9e8be94
SHA512 ad5e5a03336562d58b02f2556eb833fe3c39d2a7c47584379059cc5a584be1efc981cde4c84a350a4bb244502a73fb7bf0bee7b03b4ef002bb6ecc17d3caff04

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3719439.exe

MD5 0e2a8712db80505e38c2816483598edf
SHA1 8ff6735fc1c080fb73825928f2bf9aa409b3758c
SHA256 a88a17437aa434a4c8df1657b4ac4c72d5d65247c160b7d2351101a2955ecd0c
SHA512 1076c1d65c2bd3be562d57ebe5a00af294242456a80a4149e3ae5ed1816a35abdab48cca90617ccb9839a14020391ed425cedba42f63c75b8488f45485108d91

memory/2024-14-0x00000000740FE000-0x00000000740FF000-memory.dmp

memory/2024-15-0x0000000002090000-0x00000000020AA000-memory.dmp

memory/2024-16-0x0000000004A90000-0x0000000005034000-memory.dmp

memory/2024-17-0x00000000740F0000-0x00000000748A0000-memory.dmp

memory/2024-18-0x00000000025B0000-0x00000000025C8000-memory.dmp

memory/2024-19-0x00000000025B0000-0x00000000025C2000-memory.dmp

memory/2024-47-0x00000000740F0000-0x00000000748A0000-memory.dmp

memory/2024-46-0x00000000025B0000-0x00000000025C2000-memory.dmp

memory/2024-44-0x00000000025B0000-0x00000000025C2000-memory.dmp

memory/2024-42-0x00000000025B0000-0x00000000025C2000-memory.dmp

memory/2024-40-0x00000000025B0000-0x00000000025C2000-memory.dmp

memory/2024-38-0x00000000025B0000-0x00000000025C2000-memory.dmp

memory/2024-36-0x00000000025B0000-0x00000000025C2000-memory.dmp

memory/2024-35-0x00000000025B0000-0x00000000025C2000-memory.dmp

memory/2024-32-0x00000000025B0000-0x00000000025C2000-memory.dmp

memory/2024-30-0x00000000025B0000-0x00000000025C2000-memory.dmp

memory/2024-28-0x00000000025B0000-0x00000000025C2000-memory.dmp

memory/2024-26-0x00000000025B0000-0x00000000025C2000-memory.dmp

memory/2024-24-0x00000000025B0000-0x00000000025C2000-memory.dmp

memory/2024-22-0x00000000025B0000-0x00000000025C2000-memory.dmp

memory/2024-20-0x00000000025B0000-0x00000000025C2000-memory.dmp

memory/2024-48-0x00000000740F0000-0x00000000748A0000-memory.dmp

memory/2024-50-0x00000000740F0000-0x00000000748A0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l6925739.exe

MD5 9eb1e1ed0fb5f198b60699f1d6f2c4d8
SHA1 0a93100586a585ffaceecff9c67cf28e703b67d2
SHA256 0fce1f4c2a87e2bdccfe4c3112f837d1fdeb91edb113f055787e29000a4a348b
SHA512 fe9679472176c5d0648355a230eb9b77a19d565b17cb957a14d96d60df338f039ddbbdc97c611776239e8b5b3e842c85e8ac6b50882feb59917a1bb12496140d

memory/4672-54-0x0000000000110000-0x0000000000140000-memory.dmp

memory/4672-55-0x0000000002210000-0x0000000002216000-memory.dmp

memory/4672-56-0x000000000A420000-0x000000000AA38000-memory.dmp

memory/4672-57-0x0000000009F80000-0x000000000A08A000-memory.dmp

memory/4672-58-0x0000000009EB0000-0x0000000009EC2000-memory.dmp

memory/4672-59-0x0000000009F10000-0x0000000009F4C000-memory.dmp

memory/4672-60-0x0000000002170000-0x00000000021BC000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-10 12:29

Reported

2024-05-10 12:32

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1d059ca891566e0006cb4534dc4ff845fedd1d3d468c12366e12f98a815ed7d4.exe"

Signatures

Amadey

trojan amadey

Detects Healer, an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h6299789.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h6299789.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h6299789.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h6299789.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h6299789.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h6299789.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g6769642.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h6299789.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\1d059ca891566e0006cb4534dc4ff845fedd1d3d468c12366e12f98a815ed7d4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4707813.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h6299789.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h6299789.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h6299789.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4708 wrote to memory of 3460 N/A C:\Users\Admin\AppData\Local\Temp\1d059ca891566e0006cb4534dc4ff845fedd1d3d468c12366e12f98a815ed7d4.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4707813.exe
PID 4708 wrote to memory of 3460 N/A C:\Users\Admin\AppData\Local\Temp\1d059ca891566e0006cb4534dc4ff845fedd1d3d468c12366e12f98a815ed7d4.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4707813.exe
PID 4708 wrote to memory of 3460 N/A C:\Users\Admin\AppData\Local\Temp\1d059ca891566e0006cb4534dc4ff845fedd1d3d468c12366e12f98a815ed7d4.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4707813.exe
PID 3460 wrote to memory of 824 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4707813.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g6769642.exe
PID 3460 wrote to memory of 824 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4707813.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g6769642.exe
PID 3460 wrote to memory of 824 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4707813.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g6769642.exe
PID 824 wrote to memory of 4716 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g6769642.exe C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
PID 824 wrote to memory of 4716 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g6769642.exe C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
PID 824 wrote to memory of 4716 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g6769642.exe C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
PID 3460 wrote to memory of 3696 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4707813.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h6299789.exe
PID 3460 wrote to memory of 3696 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4707813.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h6299789.exe
PID 4716 wrote to memory of 752 N/A C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe C:\Windows\SysWOW64\schtasks.exe
PID 4716 wrote to memory of 752 N/A C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe C:\Windows\SysWOW64\schtasks.exe
PID 4716 wrote to memory of 752 N/A C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe C:\Windows\SysWOW64\schtasks.exe
PID 4716 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe C:\Windows\SysWOW64\cmd.exe
PID 4716 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe C:\Windows\SysWOW64\cmd.exe
PID 4716 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe C:\Windows\SysWOW64\cmd.exe
PID 2760 wrote to memory of 2236 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2760 wrote to memory of 2236 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2760 wrote to memory of 2236 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2760 wrote to memory of 4468 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2760 wrote to memory of 4468 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2760 wrote to memory of 4468 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2760 wrote to memory of 5088 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2760 wrote to memory of 5088 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2760 wrote to memory of 5088 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2760 wrote to memory of 3048 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2760 wrote to memory of 3048 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2760 wrote to memory of 3048 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2760 wrote to memory of 2924 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2760 wrote to memory of 2924 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2760 wrote to memory of 2924 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2760 wrote to memory of 4032 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2760 wrote to memory of 4032 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2760 wrote to memory of 4032 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4708 wrote to memory of 5112 N/A C:\Users\Admin\AppData\Local\Temp\1d059ca891566e0006cb4534dc4ff845fedd1d3d468c12366e12f98a815ed7d4.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j7773066.exe
PID 4708 wrote to memory of 5112 N/A C:\Users\Admin\AppData\Local\Temp\1d059ca891566e0006cb4534dc4ff845fedd1d3d468c12366e12f98a815ed7d4.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j7773066.exe
PID 4708 wrote to memory of 5112 N/A C:\Users\Admin\AppData\Local\Temp\1d059ca891566e0006cb4534dc4ff845fedd1d3d468c12366e12f98a815ed7d4.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j7773066.exe

Processes

C:\Users\Admin\AppData\Local\Temp\1d059ca891566e0006cb4534dc4ff845fedd1d3d468c12366e12f98a815ed7d4.exe

"C:\Users\Admin\AppData\Local\Temp\1d059ca891566e0006cb4534dc4ff845fedd1d3d468c12366e12f98a815ed7d4.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4707813.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4707813.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g6769642.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g6769642.exe

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

"C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe"

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h6299789.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h6299789.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN pdates.exe /TR "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "pdates.exe" /P "Admin:N"&&CACLS "pdates.exe" /P "Admin:R" /E&&echo Y|CACLS "..\925e7e99c5" /P "Admin:N"&&CACLS "..\925e7e99c5" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "pdates.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "pdates.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\925e7e99c5" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\925e7e99c5" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j7773066.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j7773066.exe

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
FI 77.91.68.61:80 tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.160:443 www.bing.com tcp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 160.61.62.23.in-addr.arpa udp
NL 23.62.61.160:443 www.bing.com tcp
FI 77.91.68.68:19071 tcp
FI 77.91.68.68:19071 tcp
FI 77.91.68.61:80 tcp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
FI 77.91.68.68:19071 tcp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
FI 77.91.68.61:80 tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
FI 77.91.68.68:19071 tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
FI 77.91.68.68:19071 tcp
FI 77.91.68.68:19071 tcp
US 8.8.8.8:53 85.65.42.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4707813.exe

MD5 8f60ba120e19ad8816b6be6fba6df1c8
SHA1 cfce501aefdaf27580c3c267c18dc40d388fe9f8
SHA256 18c735c8cb1cefb78e97a96795b953e64ace0111065000dcc15624852066d0e5
SHA512 9e3cae60814cdb4ad60e9fb8ccf39d9ad0d9cc2750683c4c6e3da9551f645e0f3d8bd9ce9c551b7ddc9d79c60b2911dee5981a297a9fad36d769d1d924238559

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g6769642.exe

MD5 aea234064483f651010cf9d981f59fea
SHA1 002ad73a666d2d92d0c6d6b617e61c6fa0c5f3a6
SHA256 58b02c8b4bc2bf7f5f1e8e45d7c206956f188ae56b648922ca75987b999db503
SHA512 eae415ef55aeb1b4548c2422a72e618fce17c2c1322918d33dc6b9202a01c743a5684ba28e5d83b6cdb2b703bc12569e6bb0e87ef2decb4e8a18592e1380a434

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h6299789.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

memory/3696-27-0x0000000000AE0000-0x0000000000AEA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j7773066.exe

MD5 03486d7d10f8be93fb55a5a125d79353
SHA1 1926c46e2a3ba3f22d2b9a3ec6ff8314bd0d9527
SHA256 ae95cc3dad2258838bab37078d58f17b2cad2b6a60c313168261a564185745bc
SHA512 8e380b3e029485f352fc97c51cc1a3d0de69fb7ea83112449390ff0959752849fde05abd72b8439a487a1e3e7d06980bdc90066387fe5d349c7a700e67db335b

memory/5112-32-0x0000000000530000-0x0000000000560000-memory.dmp

memory/5112-33-0x0000000004E50000-0x0000000004E56000-memory.dmp

memory/5112-34-0x000000000A990000-0x000000000AFA8000-memory.dmp

memory/5112-35-0x000000000A4E0000-0x000000000A5EA000-memory.dmp

memory/5112-36-0x000000000A420000-0x000000000A432000-memory.dmp

memory/5112-37-0x000000000A480000-0x000000000A4BC000-memory.dmp

memory/5112-38-0x00000000027C0000-0x000000000280C000-memory.dmp

Analysis: behavioral26

Detonation Overview

Submitted

2024-05-10 12:29

Reported

2024-05-10 12:33

Platform

win10v2004-20240508-en

Max time kernel

91s

Max time network

99s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e800205bb9a5d3866d735915080e828250891d7d9c930245afd8def35dd08dfd.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2376 set thread context of 2216 N/A C:\Users\Admin\AppData\Local\Temp\e800205bb9a5d3866d735915080e828250891d7d9c930245afd8def35dd08dfd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2376 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\e800205bb9a5d3866d735915080e828250891d7d9c930245afd8def35dd08dfd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2376 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\e800205bb9a5d3866d735915080e828250891d7d9c930245afd8def35dd08dfd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2376 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\e800205bb9a5d3866d735915080e828250891d7d9c930245afd8def35dd08dfd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2376 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\e800205bb9a5d3866d735915080e828250891d7d9c930245afd8def35dd08dfd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2376 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\e800205bb9a5d3866d735915080e828250891d7d9c930245afd8def35dd08dfd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2376 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\e800205bb9a5d3866d735915080e828250891d7d9c930245afd8def35dd08dfd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2376 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\e800205bb9a5d3866d735915080e828250891d7d9c930245afd8def35dd08dfd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2376 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\e800205bb9a5d3866d735915080e828250891d7d9c930245afd8def35dd08dfd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2376 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\e800205bb9a5d3866d735915080e828250891d7d9c930245afd8def35dd08dfd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2376 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\e800205bb9a5d3866d735915080e828250891d7d9c930245afd8def35dd08dfd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2376 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\e800205bb9a5d3866d735915080e828250891d7d9c930245afd8def35dd08dfd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e800205bb9a5d3866d735915080e828250891d7d9c930245afd8def35dd08dfd.exe

"C:\Users\Admin\AppData\Local\Temp\e800205bb9a5d3866d735915080e828250891d7d9c930245afd8def35dd08dfd.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2376 -ip 2376

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2376 -s 320

Network

Country Destination Domain Proto
US 8.8.8.8:53 pastebin.com udp
US 104.20.3.235:443 pastebin.com tcp
US 8.8.8.8:53 omnomnom.top udp
DE 195.201.252.28:443 omnomnom.top tcp
US 8.8.8.8:53 235.3.20.104.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
NL 23.62.61.106:443 www.bing.com tcp
US 8.8.8.8:53 28.252.201.195.in-addr.arpa udp
US 8.8.8.8:53 106.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 139.53.16.96.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

memory/2376-0-0x00000000001D6000-0x00000000001D7000-memory.dmp

memory/2216-1-0x0000000000400000-0x0000000000422000-memory.dmp

memory/2216-2-0x000000007474E000-0x000000007474F000-memory.dmp

memory/2216-3-0x0000000005060000-0x00000000050C6000-memory.dmp

memory/2216-4-0x0000000005BA0000-0x00000000061B8000-memory.dmp

memory/2216-5-0x0000000005610000-0x0000000005622000-memory.dmp

memory/2216-6-0x0000000005740000-0x000000000584A000-memory.dmp

memory/2216-7-0x0000000074740000-0x0000000074EF0000-memory.dmp

memory/2216-8-0x0000000006540000-0x000000000657C000-memory.dmp

memory/2216-9-0x0000000006580000-0x00000000065CC000-memory.dmp

memory/2216-10-0x00000000068C0000-0x0000000006A82000-memory.dmp

memory/2216-11-0x0000000006FC0000-0x00000000074EC000-memory.dmp

memory/2216-12-0x0000000007AA0000-0x0000000008044000-memory.dmp

memory/2216-13-0x0000000006C30000-0x0000000006CC2000-memory.dmp

memory/2216-14-0x0000000006B10000-0x0000000006B86000-memory.dmp

memory/2216-15-0x00000000068A0000-0x00000000068BE000-memory.dmp

memory/2216-16-0x0000000006F50000-0x0000000006FA0000-memory.dmp

memory/2216-18-0x0000000074740000-0x0000000074EF0000-memory.dmp

Analysis: behavioral29

Detonation Overview

Submitted

2024-05-10 12:29

Reported

2024-05-10 12:33

Platform

win10v2004-20240426-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fc8b501a1823496ec4685f1c935710517b2ee5331f98bf10c5eb7b69350e59d3.exe"

Signatures

Lumma Stealer

stealer lumma

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2776 set thread context of 744 N/A C:\Users\Admin\AppData\Local\Temp\fc8b501a1823496ec4685f1c935710517b2ee5331f98bf10c5eb7b69350e59d3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2776 wrote to memory of 744 N/A C:\Users\Admin\AppData\Local\Temp\fc8b501a1823496ec4685f1c935710517b2ee5331f98bf10c5eb7b69350e59d3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2776 wrote to memory of 744 N/A C:\Users\Admin\AppData\Local\Temp\fc8b501a1823496ec4685f1c935710517b2ee5331f98bf10c5eb7b69350e59d3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2776 wrote to memory of 744 N/A C:\Users\Admin\AppData\Local\Temp\fc8b501a1823496ec4685f1c935710517b2ee5331f98bf10c5eb7b69350e59d3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2776 wrote to memory of 744 N/A C:\Users\Admin\AppData\Local\Temp\fc8b501a1823496ec4685f1c935710517b2ee5331f98bf10c5eb7b69350e59d3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2776 wrote to memory of 744 N/A C:\Users\Admin\AppData\Local\Temp\fc8b501a1823496ec4685f1c935710517b2ee5331f98bf10c5eb7b69350e59d3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2776 wrote to memory of 744 N/A C:\Users\Admin\AppData\Local\Temp\fc8b501a1823496ec4685f1c935710517b2ee5331f98bf10c5eb7b69350e59d3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2776 wrote to memory of 744 N/A C:\Users\Admin\AppData\Local\Temp\fc8b501a1823496ec4685f1c935710517b2ee5331f98bf10c5eb7b69350e59d3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2776 wrote to memory of 744 N/A C:\Users\Admin\AppData\Local\Temp\fc8b501a1823496ec4685f1c935710517b2ee5331f98bf10c5eb7b69350e59d3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2776 wrote to memory of 744 N/A C:\Users\Admin\AppData\Local\Temp\fc8b501a1823496ec4685f1c935710517b2ee5331f98bf10c5eb7b69350e59d3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Processes

C:\Users\Admin\AppData\Local\Temp\fc8b501a1823496ec4685f1c935710517b2ee5331f98bf10c5eb7b69350e59d3.exe

"C:\Users\Admin\AppData\Local\Temp\fc8b501a1823496ec4685f1c935710517b2ee5331f98bf10c5eb7b69350e59d3.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2776 -ip 2776

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2776 -s 336

Network

Country Destination Domain Proto
US 8.8.8.8:53 sideindexfollowragelrew.pw udp
US 8.8.8.8:53 productivelookewr.shop udp
US 104.21.11.250:443 productivelookewr.shop tcp
US 8.8.8.8:53 tolerateilusidjukl.shop udp
US 172.67.147.41:443 tolerateilusidjukl.shop tcp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 250.11.21.104.in-addr.arpa udp
US 8.8.8.8:53 shatterbreathepsw.shop udp
US 104.21.95.19:443 shatterbreathepsw.shop tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 shortsvelventysjo.shop udp
US 104.21.16.225:443 shortsvelventysjo.shop tcp
NL 23.62.61.99:443 www.bing.com tcp
US 8.8.8.8:53 41.147.67.172.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 19.95.21.104.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 incredibleextedwj.shop udp
US 104.21.86.106:443 incredibleextedwj.shop tcp
US 8.8.8.8:53 alcojoldwograpciw.shop udp
US 104.21.48.243:443 alcojoldwograpciw.shop tcp
US 8.8.8.8:53 liabilitynighstjsko.shop udp
US 172.67.192.138:443 liabilitynighstjsko.shop tcp
US 8.8.8.8:53 225.16.21.104.in-addr.arpa udp
US 8.8.8.8:53 106.86.21.104.in-addr.arpa udp
US 8.8.8.8:53 99.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 243.48.21.104.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 demonstationfukewko.shop udp
US 104.21.33.174:443 demonstationfukewko.shop tcp
NL 23.62.61.99:443 www.bing.com tcp
US 8.8.8.8:53 174.33.21.104.in-addr.arpa udp
US 8.8.8.8:53 138.192.67.172.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 139.53.16.96.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 24.173.189.20.in-addr.arpa udp
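The network tables in this report mix four kinds of traffic: resolver queries to 8.8.8.8, the sandbox's own reverse (in-addr.arpa) lookups of every peer it sees, Bing telemetry from the stock Windows 10 image, and the connections that actually matter: the pastebin.com and omnomnom.top connections in behavioral26 (pastebin.com is the one the report files under abused hosting services), the run of .shop domains in behavioral29, and the bare 77.91.68.x:80 and :19071 sockets in the earlier runs, which are opened with no DNS lookup at all. The script below is an added triage example, not part of the sandbox's tooling. The rows embedded in it are copied from the behavioral26 and behavioral29 tables above, and the bing.com/bing.net allowlist is an assumption about what the sandbox image contacts on its own.

```python
"""Separate C2 candidates from sandbox noise in a report's network table.

Added example for this report; it is not part of the sandbox's own tooling.
The rows below are copied from the behavioral26 and behavioral29 tables, and
the benign-suffix allowlist is an assumption (hosts a stock Windows 10 image
contacts on its own).
"""
import re

# Assumed-benign telemetry hosts from the sandbox image; tune per environment.
BENIGN_SUFFIXES = ("bing.com", "bing.net")

# Country, ip:port, optional domain, proto.  Rows for hard-coded IP C2 have no
# domain column at all, so the domain group is optional.
ROW_RE = re.compile(
    r"^(?P<cc>[A-Z]{2})\s+(?P<dest>\S+:\d+)\s+(?:(?P<domain>\S+)\s+)?(?P<proto>tcp|udp)$"
)

# Copied from the report's behavioral26 / behavioral29 tables (plus two
# hard-coded-IP rows from earlier runs) to give the parser realistic input.
SAMPLE_ROWS = """\
Country Destination Domain Proto
US 8.8.8.8:53 pastebin.com udp
US 104.20.3.235:443 pastebin.com tcp
US 8.8.8.8:53 omnomnom.top udp
DE 195.201.252.28:443 omnomnom.top tcp
US 8.8.8.8:53 235.3.20.104.in-addr.arpa udp
NL 23.62.61.106:443 www.bing.com tcp
US 8.8.8.8:53 sideindexfollowragelrew.pw udp
US 8.8.8.8:53 productivelookewr.shop udp
US 104.21.11.250:443 productivelookewr.shop tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
FI 77.91.68.61:80 tcp
FI 77.91.68.68:19071 tcp
FI 77.91.68.68:19071 tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
"""


def parse_rows(text):
    """Yield (ip, port, domain, proto) for every data row; skip the header."""
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        ip, _, port = m.group("dest").rpartition(":")
        yield ip, int(port), m.group("domain") or "", m.group("proto")


def is_benign(domain):
    return any(domain == s or domain.endswith("." + s) for s in BENIGN_SUFFIXES)


def triage(text):
    """Return C2 candidates, names resolved but never contacted, and PTR noise."""
    resolved, contacted, ptr_lookups = set(), set(), 0
    for ip, port, domain, proto in parse_rows(text):
        if proto == "udp" and port == 53:          # resolver traffic, not C2
            if domain.endswith(".in-addr.arpa"):
                ptr_lookups += 1                    # sandbox reverse-resolving peers
            elif not is_benign(domain):
                resolved.add(domain)
            continue
        if is_benign(domain):
            continue
        contacted.add((ip, port, domain))
    candidates = sorted(
        f"{ip}:{port} via {domain}" if domain else f"{ip}:{port} (no DNS lookup)"
        for ip, port, domain in contacted
    )
    return {
        "c2_candidates": candidates,
        "resolved_only": sorted(resolved - {d for _, _, d in contacted}),
        "ptr_lookups": ptr_lookups,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_ROWS).items():
        print(key, value)
```

The parser ignores anything that is not a data row, so `triage()` can be fed the whole report text rather than one table. Names in `resolved_only` were looked up but never connected to (sideindexfollowragelrew.pw in behavioral29), which is consistent with a stealer working through a fallback list; they still belong on the block list. The `(no DNS lookup)` entries are hard-coded addresses that will never show up in DNS telemetry, so blocking them needs a netflow, proxy or firewall control rather than a DNS sinkhole.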

Files

memory/2776-0-0x0000000000D59000-0x0000000000D5A000-memory.dmp

memory/744-1-0x0000000000400000-0x000000000044E000-memory.dmp

memory/744-4-0x0000000000400000-0x000000000044E000-memory.dmp

memory/744-3-0x0000000000400000-0x000000000044E000-memory.dmp

memory/744-5-0x0000000000400000-0x000000000044E000-memory.dmp

Analysis: behavioral5

Detonation Overview

Submitted

2024-05-10 12:29

Reported

2024-05-10 12:32

Platform

win10v2004-20240426-en

Max time kernel

146s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1ed736973ca7eb70129cafb36c292298f34a8a710160e69aeec7ad93760ed83e.exe"

Signatures

Amadey

trojan amadey

Detects Healer, an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7008015.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7008015.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7008015.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7008015.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7008015.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7008015.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b7865879.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7008015.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\1ed736973ca7eb70129cafb36c292298f34a8a710160e69aeec7ad93760ed83e.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5770759.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1936485.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c5034781.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c5034781.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c5034781.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7008015.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7008015.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7008015.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3960 wrote to memory of 4504 N/A C:\Users\Admin\AppData\Local\Temp\1ed736973ca7eb70129cafb36c292298f34a8a710160e69aeec7ad93760ed83e.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5770759.exe
PID 3960 wrote to memory of 4504 N/A C:\Users\Admin\AppData\Local\Temp\1ed736973ca7eb70129cafb36c292298f34a8a710160e69aeec7ad93760ed83e.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5770759.exe
PID 3960 wrote to memory of 4504 N/A C:\Users\Admin\AppData\Local\Temp\1ed736973ca7eb70129cafb36c292298f34a8a710160e69aeec7ad93760ed83e.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5770759.exe
PID 4504 wrote to memory of 4740 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5770759.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1936485.exe
PID 4504 wrote to memory of 4740 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5770759.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1936485.exe
PID 4504 wrote to memory of 4740 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5770759.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1936485.exe
PID 4740 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1936485.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7008015.exe
PID 4740 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1936485.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7008015.exe
PID 4740 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1936485.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b7865879.exe
PID 4740 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1936485.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b7865879.exe
PID 4740 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1936485.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b7865879.exe
PID 1632 wrote to memory of 904 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b7865879.exe C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
PID 1632 wrote to memory of 904 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b7865879.exe C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
PID 1632 wrote to memory of 904 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b7865879.exe C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
PID 4504 wrote to memory of 864 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5770759.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c5034781.exe
PID 4504 wrote to memory of 864 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5770759.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c5034781.exe
PID 4504 wrote to memory of 864 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5770759.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c5034781.exe
PID 904 wrote to memory of 1060 N/A C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe C:\Windows\SysWOW64\schtasks.exe
PID 904 wrote to memory of 1060 N/A C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe C:\Windows\SysWOW64\schtasks.exe
PID 904 wrote to memory of 1060 N/A C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe C:\Windows\SysWOW64\schtasks.exe
PID 904 wrote to memory of 3076 N/A C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe C:\Windows\SysWOW64\cmd.exe
PID 904 wrote to memory of 3076 N/A C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe C:\Windows\SysWOW64\cmd.exe
PID 904 wrote to memory of 3076 N/A C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe C:\Windows\SysWOW64\cmd.exe
PID 3076 wrote to memory of 728 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3076 wrote to memory of 728 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3076 wrote to memory of 728 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3076 wrote to memory of 3484 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3076 wrote to memory of 3484 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3076 wrote to memory of 3484 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3076 wrote to memory of 4252 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3076 wrote to memory of 4252 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3076 wrote to memory of 4252 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3076 wrote to memory of 3280 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3076 wrote to memory of 3280 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3076 wrote to memory of 3280 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3076 wrote to memory of 1920 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3076 wrote to memory of 1920 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3076 wrote to memory of 1920 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3076 wrote to memory of 3376 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3076 wrote to memory of 3376 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3076 wrote to memory of 3376 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3960 wrote to memory of 4136 N/A C:\Users\Admin\AppData\Local\Temp\1ed736973ca7eb70129cafb36c292298f34a8a710160e69aeec7ad93760ed83e.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d3489522.exe
PID 3960 wrote to memory of 4136 N/A C:\Users\Admin\AppData\Local\Temp\1ed736973ca7eb70129cafb36c292298f34a8a710160e69aeec7ad93760ed83e.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d3489522.exe
PID 3960 wrote to memory of 4136 N/A C:\Users\Admin\AppData\Local\Temp\1ed736973ca7eb70129cafb36c292298f34a8a710160e69aeec7ad93760ed83e.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d3489522.exe

Processes

C:\Users\Admin\AppData\Local\Temp\1ed736973ca7eb70129cafb36c292298f34a8a710160e69aeec7ad93760ed83e.exe

"C:\Users\Admin\AppData\Local\Temp\1ed736973ca7eb70129cafb36c292298f34a8a710160e69aeec7ad93760ed83e.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5770759.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5770759.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1936485.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1936485.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7008015.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7008015.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b7865879.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b7865879.exe

C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe

"C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe"

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c5034781.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c5034781.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN danke.exe /TR "C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "danke.exe" /P "Admin:N"&&CACLS "danke.exe" /P "Admin:R" /E&&echo Y|CACLS "..\3ec1f323b5" /P "Admin:N"&&CACLS "..\3ec1f323b5" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "danke.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "danke.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\3ec1f323b5" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\3ec1f323b5" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe

C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d3489522.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d3489522.exe

C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe

C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
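The danke.exe chain above is the persistence sequence Amadey is known for: a scheduled task that relaunches the dropped copy every minute, then a cmd /k wrapper that pipes echo Y into CACLS to answer the confirmation prompt cacls shows when it replaces an ACL without /E. The first CACLS call strips the Admin account to no access on danke.exe and on its directory; the second edits that entry back to read-only, so the logged-on user can open the file but not modify or delete it. The script below is an added example, not the sandbox's own logic, that turns those command lines (copied from this behavioral5 run) into findings; the list of user-writable paths it treats as suspicious is an assumption.

```python
"""Flag the persistence and anti-deletion commands Amadey issues.

Added example, not part of the sandbox report. It runs over command lines
copied from the behavioral5 process list; the user-writable path list is an
assumption for this illustration.
"""
import re

# Copied from the report's behavioral5 process list (raw strings keep the
# Windows backslashes and quotes exactly as logged).
SAMPLE_CMDLINES = [
    r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN danke.exe /TR "C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe" /F',
    r'"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "danke.exe" /P "Admin:N"&&CACLS "danke.exe" /P "Admin:R" /E&&echo Y|CACLS "..\3ec1f323b5" /P "Admin:N"&&CACLS "..\3ec1f323b5" /P "Admin:R" /E&&Exit',
    r'CACLS "danke.exe" /P "Admin:N"',
    r'CACLS "danke.exe" /P "Admin:R" /E',
]

SCHTASKS_RE = re.compile(r'schtasks(?:\.exe)?"?\s+/Create\b(?P<args>.*)', re.I)
# One CACLS call: quoted path, /P user:perm, optional /E (edit instead of replace).
CACLS_RE = re.compile(
    r'CACLS\s+"(?P<path>[^"]+)"\s+/P\s+"(?P<user>[^":]+):(?P<perm>[NRWCF])"(?P<edit>\s+/E)?',
    re.I,
)
# Assumed set of user-writable locations a persistence target should not live in.
USER_WRITABLE_RE = re.compile(
    r"\\AppData\\Local\\Temp\\|\\AppData\\Roaming\\|\\ProgramData\\", re.I
)


def _opt(args, name):
    """Value of a /NAME option, quoted or bare; None if absent."""
    m = re.search(rf'/{name}\s+(?:"([^"]*)"|(\S+))', args, re.I)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def triage_command_lines(cmdlines):
    findings = []
    acl_ops = {}                      # path -> ordered list of (user, perm, edit)
    for cmd in cmdlines:
        m = SCHTASKS_RE.search(cmd)
        if m:
            args = m.group("args")
            target = _opt(args, "TR") or ""
            findings.append({
                "kind": "scheduled_task",
                "task": _opt(args, "TN"),
                "schedule": f"{_opt(args, 'SC')} x{_opt(args, 'MO')}",
                "target": target,
                "relaunch_loop": (_opt(args, "SC") or "").upper() == "MINUTE",
                "user_writable_target": bool(USER_WRITABLE_RE.search(target)),
            })
        for c in CACLS_RE.finditer(cmd):
            op = (c.group("user"), c.group("perm").upper(), bool(c.group("edit")))
            ops = acl_ops.setdefault(c.group("path"), [])
            if op not in ops:         # the cmd /k wrapper and its children log the same calls
                ops.append(op)
    for path, ops in acl_ops.items():
        # /P user:N without /E replaces the whole ACL with one no-access entry;
        # a following /P user:R /E rewrites that entry to read-only, so the
        # user keeps read access but can no longer modify or delete the file.
        if any(perm == "N" and not edit for _, perm, edit in ops):
            findings.append({
                "kind": "acl_lockdown",
                "path": path,
                "users": sorted({u for u, _, _ in ops}),
                "regranted": [perm for _, perm, edit in ops if edit],
            })
    return findings


if __name__ == "__main__":
    for finding in triage_command_lines(SAMPLE_CMDLINES):
        print(finding)
```

The ACL trick is an obstacle, not a lock: the file's owner keeps WRITE_DAC implicitly, so `takeown`/`icacls` repair it. For detection the task creation is the higher-fidelity signal: `schtasks /Create` with `/SC MINUTE` whose `/TR` points into a user-writable directory, issued by a process that itself runs from %TEMP%.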

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.113:443 www.bing.com tcp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 113.61.62.23.in-addr.arpa udp
NL 23.62.61.113:443 www.bing.com tcp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
FI 77.91.68.3:80 tcp
FI 77.91.68.56:19071 tcp
FI 77.91.68.3:80 tcp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
FI 77.91.68.56:19071 tcp
FI 77.91.68.3:80 tcp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
FI 77.91.68.56:19071 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
FI 77.91.68.3:80 tcp
FI 77.91.68.56:19071 tcp
FI 77.91.68.3:80 tcp
FI 77.91.68.56:19071 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5770759.exe

MD5 e5fee7b57e9630eb6cbe1861cb6d1a82
SHA1 de69d6c77a4db78be5c7239199528da46bd4a9b9
SHA256 e7da30afc9870af8478dffe8cb7c3517dbcd725d83d3c9e7435cc5bcfaa1a76d
SHA512 c7af1fd9383094548929920e18b2adeb6d07fded702fc748f557d913ad8521c666e419aee611d994ec94154830967e39d797a98ba0cd18ab10548ce85f6a02ba

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1936485.exe

MD5 b3f0cfa1b2d4fab75074fe1a7b426ebb
SHA1 61d950a5d649826b8b646453df4398cdd56189b9
SHA256 0bd882b9fd1549e5b281cbaa19a8a2a2952a03219737db0af5cadf4e817c0561
SHA512 0141c9f835859df5fa0d8a04d010482961a693bada72d57e60677ee84b79bc86e59b523b3a4f9168fb240a815d9f80fbba05cc0d5f5a7f7d0415d0eabef699d0

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7008015.exe

MD5 c9767fb557c8496da35f32149019f254
SHA1 dc206616148aad4e06dd3fb380d34b4ba15a9c6d
SHA256 d039e2510d33b0cca9b9d06c2be8152c5e126660c7860649dd966e1a7b375e9c
SHA512 f9c225248b0a8f9766b936694f71b347a0f006110928d26717d886d6b78f1b9ea3b3518a3123004cb20c4d4ffa5eb394bd169641163b297046a967f1ac9c4445

memory/2432-21-0x0000000000250000-0x000000000025A000-memory.dmp

memory/2432-22-0x00007FF8B8D03000-0x00007FF8B8D05000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b7865879.exe

MD5 9728e9852854da025b4314bd0fd3687c
SHA1 6a87c09c8e29b6ca1c336416088f12cce0c206f8
SHA256 2c0f306d091f752e409e8bcbe20934ffa23430a90dea79c62aff27ee1b3035cf
SHA512 23df44bd9f5ae665f2d4c320603162b1d98b30b5610e99b5a9082843d76f0a6444e83e1c1792c2febf20d771b297777af8faa0403ba80f2f3f8b1c487abf7144

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c5034781.exe

MD5 c4c414d786976435cb8561c43d8dc57d
SHA1 fd73133d3509d1a6982b000a75b9dbdc7769ec22
SHA256 129a6c5e5a8d98619b5be3818dfde6bab9c5345171d9d8401b886fed0660817a
SHA512 744106f95b8f57ea59e2906a7cbaf2e1a172cee013be12f0752b3308c428f92f9824a2497f3fced82d9124d3ab52448d3b240889fdad26925e710aa47f67b028

memory/864-40-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d3489522.exe

MD5 fd61776b34b5a58e732533da17d122d0
SHA1 336015c059047a658ea57b6ebe49418d23a65593
SHA256 64faeec435f51816cff0efdacc9e777d677400fd7a59bc1e037a24ec7ae7cb4b
SHA512 afbd9465a721b8e447359c88451f9525ecc5f3aedf79be424b49d4a93d5921797854471257fb1f1ea7d967e56d54aec7b712773875f92fd4335e5a12afd4fc68

memory/4136-45-0x0000000000350000-0x0000000000380000-memory.dmp

memory/4136-46-0x0000000000C50000-0x0000000000C56000-memory.dmp

memory/4136-47-0x000000000A660000-0x000000000AC78000-memory.dmp

memory/4136-48-0x000000000A1C0000-0x000000000A2CA000-memory.dmp

memory/4136-49-0x000000000A100000-0x000000000A112000-memory.dmp

memory/4136-50-0x000000000A160000-0x000000000A19C000-memory.dmp

memory/4136-51-0x0000000004620000-0x000000000466C000-memory.dmp

Analysis: behavioral7

Detonation Overview

Submitted

2024-05-10 12:29

Reported

2024-05-10 12:32

Platform

win7-20240508-en

Max time kernel

121s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5a4570005d13d7c9c706dbdc0cc5ee5b8dfd33f7be6a6204a95d2134e3a483a4.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\5a4570005d13d7c9c706dbdc0cc5ee5b8dfd33f7be6a6204a95d2134e3a483a4.exe

"C:\Users\Admin\AppData\Local\Temp\5a4570005d13d7c9c706dbdc0cc5ee5b8dfd33f7be6a6204a95d2134e3a483a4.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2344 -s 52

Network

N/A

Files

memory/2344-0-0x0000000000030000-0x0000000000031000-memory.dmp

memory/2344-1-0x0000000000030000-0x0000000000031000-memory.dmp

Analysis: behavioral10

Detonation Overview

Submitted

2024-05-10 12:29

Reported

2024-05-10 12:32

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\67045db9602c0bb02004555fcae5f1c816ba6ebea367c933be035b042c153501.exe"

Signatures

Detects Healer, an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a2651355.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a2651355.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b7896309.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b7896309.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b7896309.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b7896309.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a2651355.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a2651355.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a2651355.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a2651355.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b7896309.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b7896309.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a2651355.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a2651355.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b7896309.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\67045db9602c0bb02004555fcae5f1c816ba6ebea367c933be035b042c153501.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9063373.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6210097.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9238337.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3931201.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a2651355.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b7896309.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4444 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Local\Temp\67045db9602c0bb02004555fcae5f1c816ba6ebea367c933be035b042c153501.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9063373.exe
PID 4444 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Local\Temp\67045db9602c0bb02004555fcae5f1c816ba6ebea367c933be035b042c153501.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9063373.exe
PID 4444 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Local\Temp\67045db9602c0bb02004555fcae5f1c816ba6ebea367c933be035b042c153501.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9063373.exe
PID 1288 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9063373.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6210097.exe
PID 1288 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9063373.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6210097.exe
PID 1288 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9063373.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6210097.exe
PID 1320 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6210097.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9238337.exe
PID 1320 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6210097.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9238337.exe
PID 1320 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6210097.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9238337.exe
PID 2612 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9238337.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3931201.exe
PID 2612 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9238337.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3931201.exe
PID 2612 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9238337.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3931201.exe
PID 1116 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3931201.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a2651355.exe
PID 1116 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3931201.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a2651355.exe
PID 1116 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3931201.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a2651355.exe
PID 1116 wrote to memory of 3764 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3931201.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b7896309.exe
PID 1116 wrote to memory of 3764 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3931201.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b7896309.exe
PID 2612 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9238337.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c4075312.exe
PID 2612 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9238337.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c4075312.exe
PID 2612 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9238337.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c4075312.exe

Processes

C:\Users\Admin\AppData\Local\Temp\67045db9602c0bb02004555fcae5f1c816ba6ebea367c933be035b042c153501.exe

"C:\Users\Admin\AppData\Local\Temp\67045db9602c0bb02004555fcae5f1c816ba6ebea367c933be035b042c153501.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9063373.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9063373.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6210097.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6210097.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9238337.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9238337.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3931201.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3931201.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a2651355.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a2651355.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b7896309.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b7896309.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c4075312.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c4075312.exe

Network

Country Destination Domain Proto
US 138.91.171.81:80 tcp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.160:443 www.bing.com tcp
US 8.8.8.8:53 160.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
FI 77.91.68.56:19071 tcp
FI 77.91.68.56:19071 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
FI 77.91.68.56:19071 tcp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
FI 77.91.68.56:19071 tcp
FI 77.91.68.56:19071 tcp
US 8.8.8.8:53 4.73.50.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9063373.exe

MD5 2c2992bee297eb92a1c30c47f171520d
SHA1 1aa27a41eb69ed9a6ab90e36fcfb302fd0fd89af
SHA256 1ec8ce9ace042665b07a0abc5b206634b1417b5f2a4a00b4554147d518832396
SHA512 efb5cd6594ce8dbc6635cc04210e5e362f0a3ae2c65d5bc161ec903cd96cd58ffaee72fef87fd72fd71e67e09cb7ee0255e82d9944940d6cdb96277f4eacbbb7

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6210097.exe

MD5 e4759911e541d7a543ea033b0928ddf4
SHA1 e39c427a6cf47b16cddabfd2c7fb00038e1dbe1f
SHA256 f8dfa98c4e38deff7955c243f9db7b01692e43c0997eca9e5e141cc565cf05be
SHA512 7760d634d8a8b0a2e2c9847c4c367589607de2d7ac43112830289dbf3585902dd0f824ebfcab04040f701afa6b86884824aed2f032e6c09714ac8575b7bf9e42

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9238337.exe

MD5 f4f787db36502a2e05f39da6a313e914
SHA1 4f842c75ce854d86420f9790c47c81bdcecd7c5d
SHA256 3df74027fece0dd6e6c9f46260e3c886ecbcfd4dce43ac64a90f1211d78fe588
SHA512 0728509f9668750a075e73175e48f90625f5e62ef3d1e95641d654d43f749dacb1012110c6e445aa64308a64b0d23c447041ab0ec994300a6b06a1091523d52b

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3931201.exe

MD5 a11dbc01603450452854f17aa7ea1eef
SHA1 18436f7c4a7a4477c0baa93ddc108babce9491bf
SHA256 2d2e176ff101b33e0adec2558415b76c1425ba9502c4b652c64b4751dd11181c
SHA512 1ac3b35ac7b8742c8eded217595f30ae25eff216409bddd3cc18809ff6e5d873c7feae6e1e3501dc02bebe2205f9f9e8db9718c76315b679ca8ce73aca2135bf

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a2651355.exe

MD5 175e3db636d9fd541cc11991815ea662
SHA1 c5e30c78f298c1aa26768bc036795e19ed7e60d7
SHA256 c39106a3520b59f859a00bc0014f6b5a4846b40742a925b66283b31e62094c4e
SHA512 06b1bc8a9746e8dfd1a4d72e98b8b76a1f543ae0c72c9e0233dce81451d7521f586da373e69459170a8d9442da4883f8247cfb9714227744c765c892583ac5c9

memory/2464-36-0x0000000001F50000-0x0000000001F8E000-memory.dmp

memory/2464-41-0x0000000001F50000-0x0000000001F8E000-memory.dmp

memory/2464-42-0x0000000004450000-0x0000000004451000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b7896309.exe

MD5 06d9b8f9236b959006976da775fea5e7
SHA1 46d5c5e6a3e7de6138cd764509a6754ce24d9484
SHA256 77353ead4144432dfd0e8fc833c458c8b88fb5d6bf7c9818ac430be40983b7f5
SHA512 ec0c6135f2b39d70cb35bd713d5fd9a0876055b46584f3535067f0f162be149024770c990e61ee041eabe5d3daf53aac49e747bb96189c3fa17346774a5edc6d

memory/3764-48-0x0000000000910000-0x000000000091A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c4075312.exe

MD5 dd10174f7fa3d017558c8310bf07d851
SHA1 08d795a3d2334906da989e46a7e57d4ba9aa9f41
SHA256 cd9de412cda28c677351594338bc352dbcafb8652328624f624263b71bac3604
SHA512 a714e8babdc8d8a0a9f8e6ef6430d4f1cde70d3d80a902a1e247eb93bdf76e91fa89c4132708e0c632469b725c625ae65e30a908f02018f10b23460a02ec9d05

memory/2008-53-0x0000000000600000-0x000000000068C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\System.dll.log

MD5 916851e072fbabc4796d8916c5131092
SHA1 d48a602229a690c512d5fdaf4c8d77547a88e7a2
SHA256 7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d
SHA512 07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

memory/2008-60-0x0000000000600000-0x000000000068C000-memory.dmp

memory/2008-62-0x00000000023D0000-0x00000000023D6000-memory.dmp

memory/2008-63-0x000000000A650000-0x000000000AC68000-memory.dmp

memory/2008-64-0x000000000A0A0000-0x000000000A1AA000-memory.dmp

memory/2008-65-0x000000000A1D0000-0x000000000A1E2000-memory.dmp

memory/2008-66-0x000000000A1F0000-0x000000000A22C000-memory.dmp

memory/2008-67-0x000000000A260000-0x000000000A2AC000-memory.dmp

Analysis: behavioral11

Detonation Overview

Submitted

2024-05-10 12:29

Reported

2024-05-10 12:32

Platform

win10v2004-20240426-en

Max time kernel

140s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6d684b37ca877d403cebced125fab4f36a37e290840da5678e0d43fd35796a5c.exe"

Signatures

Amadey

trojan amadey

Detects Healer, an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7507750.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7507750.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7507750.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7507750.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7507750.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7507750.exe N/A

SmokeLoader

trojan backdoor smokeloader

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b3281386.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7507750.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\6d684b37ca877d403cebced125fab4f36a37e290840da5678e0d43fd35796a5c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4192759.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c8559996.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c8559996.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c8559996.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7507750.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7507750.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7507750.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2268 wrote to memory of 1004 N/A C:\Users\Admin\AppData\Local\Temp\6d684b37ca877d403cebced125fab4f36a37e290840da5678e0d43fd35796a5c.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4192759.exe
PID 2268 wrote to memory of 1004 N/A C:\Users\Admin\AppData\Local\Temp\6d684b37ca877d403cebced125fab4f36a37e290840da5678e0d43fd35796a5c.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4192759.exe
PID 2268 wrote to memory of 1004 N/A C:\Users\Admin\AppData\Local\Temp\6d684b37ca877d403cebced125fab4f36a37e290840da5678e0d43fd35796a5c.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4192759.exe
PID 1004 wrote to memory of 4592 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4192759.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7507750.exe
PID 1004 wrote to memory of 4592 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4192759.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7507750.exe
PID 1004 wrote to memory of 4352 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4192759.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b3281386.exe
PID 1004 wrote to memory of 4352 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4192759.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b3281386.exe
PID 1004 wrote to memory of 4352 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4192759.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b3281386.exe
PID 4352 wrote to memory of 1768 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b3281386.exe C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
PID 4352 wrote to memory of 1768 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b3281386.exe C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
PID 4352 wrote to memory of 1768 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b3281386.exe C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
PID 2268 wrote to memory of 4228 N/A C:\Users\Admin\AppData\Local\Temp\6d684b37ca877d403cebced125fab4f36a37e290840da5678e0d43fd35796a5c.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c8559996.exe
PID 2268 wrote to memory of 4228 N/A C:\Users\Admin\AppData\Local\Temp\6d684b37ca877d403cebced125fab4f36a37e290840da5678e0d43fd35796a5c.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c8559996.exe
PID 2268 wrote to memory of 4228 N/A C:\Users\Admin\AppData\Local\Temp\6d684b37ca877d403cebced125fab4f36a37e290840da5678e0d43fd35796a5c.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c8559996.exe
PID 1768 wrote to memory of 4792 N/A C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe C:\Windows\SysWOW64\schtasks.exe
PID 1768 wrote to memory of 4792 N/A C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe C:\Windows\SysWOW64\schtasks.exe
PID 1768 wrote to memory of 4792 N/A C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe C:\Windows\SysWOW64\schtasks.exe
PID 1768 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe C:\Windows\SysWOW64\cmd.exe
PID 1768 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe C:\Windows\SysWOW64\cmd.exe
PID 1768 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe C:\Windows\SysWOW64\cmd.exe
PID 2804 wrote to memory of 2692 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2804 wrote to memory of 2692 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2804 wrote to memory of 2692 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2804 wrote to memory of 4932 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2804 wrote to memory of 4932 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2804 wrote to memory of 4932 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2804 wrote to memory of 2556 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2804 wrote to memory of 2556 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2804 wrote to memory of 2556 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2804 wrote to memory of 4952 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2804 wrote to memory of 4952 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2804 wrote to memory of 4952 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2804 wrote to memory of 5004 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2804 wrote to memory of 5004 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2804 wrote to memory of 5004 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2804 wrote to memory of 3628 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2804 wrote to memory of 3628 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2804 wrote to memory of 3628 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe

Processes

C:\Users\Admin\AppData\Local\Temp\6d684b37ca877d403cebced125fab4f36a37e290840da5678e0d43fd35796a5c.exe

"C:\Users\Admin\AppData\Local\Temp\6d684b37ca877d403cebced125fab4f36a37e290840da5678e0d43fd35796a5c.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4192759.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4192759.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7507750.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7507750.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b3281386.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b3281386.exe

C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe

"C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c8559996.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c8559996.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN danke.exe /TR "C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "danke.exe" /P "Admin:N"&&CACLS "danke.exe" /P "Admin:R" /E&&echo Y|CACLS "..\3ec1f323b5" /P "Admin:N"&&CACLS "..\3ec1f323b5" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "danke.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "danke.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\3ec1f323b5" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\3ec1f323b5" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe

C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe

C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe

C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
NL 23.62.61.99:443 www.bing.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.99:443 www.bing.com tcp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp
US 8.8.8.8:53 99.61.62.23.in-addr.arpa udp
FI 77.91.68.3:80 tcp
FI 77.91.68.3:80 tcp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
FI 77.91.68.3:80 tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
FI 77.91.68.3:80 tcp
FI 77.91.68.3:80 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4192759.exe

MD5 f6c9e67f472f01eccc2c794be5bc61cf
SHA1 65ca30935f69dd98e136485fa24ecd00dd2afdef
SHA256 079faabeddf8ac54de6accc9d09b63bf543afdcaf395234f1dbfcf46c5d56d99
SHA512 ba9c4a04454db187a5fbfd64068729523b364bf72085e6b08607970e4cad972691dafc125981b52178f4fd8ea0d5314e42e61d7852ed4c912521a5a4809bfac6

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7507750.exe

MD5 f5773b2b65f54e39abe894025d6c9885
SHA1 3f9d26e35dff7640478119ff8550b6ad5363dfde
SHA256 9788cb0fcb4b0bb8086babe2cf499aec511ce0a867ad0c79e79c5c9d9a57d561
SHA512 27a9015725854d7740536c7d403bd4b01f1baa4e4d6bf195f6b25e9055d58b397303d8aef8d833d761eb1ed62563fe4b7c7a12af0edbf80ba1dea3eb24dfb016

memory/4592-14-0x00007FFF0B0E3000-0x00007FFF0B0E5000-memory.dmp

memory/4592-15-0x0000000000630000-0x000000000063A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b3281386.exe

MD5 1ff19e67a2ae75ad45eebf9693ec503d
SHA1 3f3da59265845f64d1f29c92706acf35fb4ab1b5
SHA256 d0ecd3340d3c57da9d342be0aef3027e74adbb8834be7d05c28942eda33f8708
SHA512 9810192a9a0b4410edb1726150f94fdb9091889b656a79cdbe8bb78d2b041c0a173c8f36baa7e52b1d0bb4731fe3a749bc84b3b671a425a0f905a3707f0e9571

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c8559996.exe

MD5 499339c2340f225b81aa84b57a06c69f
SHA1 602c6e3a1ca624caa1ec4cc92dfd62ebde523033
SHA256 31c962983a5dcb34c366ea726a6e4defcf6db78d259516edcc1b6336a297bbba
SHA512 a60cedbdb39bec49434526a46369199fa6e41cec24c30764821818e1335fc107123430c61190a265747118e54de289691912c1fa89fc89a79e350813e419838e

memory/4228-33-0x0000000000400000-0x0000000000409000-memory.dmp

memory/4228-34-0x0000000000400000-0x0000000000409000-memory.dmp

Analysis: behavioral16

Detonation Overview

Submitted

2024-05-10 12:29

Reported

2024-05-10 12:33

Platform

win10v2004-20240426-en

Max time kernel

148s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8db3c27c31541a43d1adeae01ca7caf3f0c8d6e3733168917ea04d58d7e4a488.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2808 set thread context of 3960 N/A C:\Users\Admin\AppData\Local\Temp\8db3c27c31541a43d1adeae01ca7caf3f0c8d6e3733168917ea04d58d7e4a488.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2808 wrote to memory of 3960 N/A C:\Users\Admin\AppData\Local\Temp\8db3c27c31541a43d1adeae01ca7caf3f0c8d6e3733168917ea04d58d7e4a488.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2808 wrote to memory of 3960 N/A C:\Users\Admin\AppData\Local\Temp\8db3c27c31541a43d1adeae01ca7caf3f0c8d6e3733168917ea04d58d7e4a488.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2808 wrote to memory of 3960 N/A C:\Users\Admin\AppData\Local\Temp\8db3c27c31541a43d1adeae01ca7caf3f0c8d6e3733168917ea04d58d7e4a488.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2808 wrote to memory of 3960 N/A C:\Users\Admin\AppData\Local\Temp\8db3c27c31541a43d1adeae01ca7caf3f0c8d6e3733168917ea04d58d7e4a488.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2808 wrote to memory of 3960 N/A C:\Users\Admin\AppData\Local\Temp\8db3c27c31541a43d1adeae01ca7caf3f0c8d6e3733168917ea04d58d7e4a488.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2808 wrote to memory of 3960 N/A C:\Users\Admin\AppData\Local\Temp\8db3c27c31541a43d1adeae01ca7caf3f0c8d6e3733168917ea04d58d7e4a488.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2808 wrote to memory of 3960 N/A C:\Users\Admin\AppData\Local\Temp\8db3c27c31541a43d1adeae01ca7caf3f0c8d6e3733168917ea04d58d7e4a488.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2808 wrote to memory of 3960 N/A C:\Users\Admin\AppData\Local\Temp\8db3c27c31541a43d1adeae01ca7caf3f0c8d6e3733168917ea04d58d7e4a488.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Processes

C:\Users\Admin\AppData\Local\Temp\8db3c27c31541a43d1adeae01ca7caf3f0c8d6e3733168917ea04d58d7e4a488.exe

"C:\Users\Admin\AppData\Local\Temp\8db3c27c31541a43d1adeae01ca7caf3f0c8d6e3733168917ea04d58d7e4a488.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 pastebin.com udp
US 172.67.19.24:443 pastebin.com tcp
US 8.8.8.8:53 24.19.67.172.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.160:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 160.61.62.23.in-addr.arpa udp
NL 23.62.61.160:443 www.bing.com tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 139.53.16.96.in-addr.arpa udp
US 172.67.19.24:443 pastebin.com tcp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 172.67.19.24:443 pastebin.com tcp
US 8.8.8.8:53 107.116.69.13.in-addr.arpa udp

Files

memory/2808-0-0x0000000000E90000-0x0000000000E91000-memory.dmp

memory/2808-1-0x0000000000E90000-0x0000000000E91000-memory.dmp

memory/2808-3-0x0000000000E90000-0x0000000000E91000-memory.dmp

memory/3960-2-0x0000000000400000-0x0000000000422000-memory.dmp

memory/3960-4-0x00000000742DE000-0x00000000742DF000-memory.dmp

memory/3960-5-0x00000000056A0000-0x0000000005706000-memory.dmp

memory/3960-6-0x00000000061F0000-0x0000000006808000-memory.dmp

memory/3960-7-0x0000000005C70000-0x0000000005C82000-memory.dmp

memory/3960-8-0x0000000005DA0000-0x0000000005EAA000-memory.dmp

memory/3960-9-0x00000000742D0000-0x0000000074A80000-memory.dmp

memory/3960-10-0x00000000742DE000-0x00000000742DF000-memory.dmp

memory/3960-11-0x00000000742D0000-0x0000000074A80000-memory.dmp

Analysis: behavioral17

Detonation Overview

Submitted

2024-05-10 12:29

Reported

2024-05-10 12:32

Platform

win10v2004-20240508-en

Max time kernel

146s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b72cfb25178ac78d0dfae350873df231a1f4266a913f47acc5018b87cae84bdf.exe"

Signatures

Amadey

trojan amadey

Detects Healer, an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7534464.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7534464.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7534464.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7534464.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7534464.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7534464.exe N/A

RedLine

infostealer redline

RedLine payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

SmokeLoader

trojan backdoor smokeloader

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b3015164.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7534464.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\b72cfb25178ac78d0dfae350873df231a1f4266a913f47acc5018b87cae84bdf.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6653264.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2222652.exe | N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c4556430.exe | N/A
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c4556430.exe | N/A
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c4556430.exe | N/A

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7534464.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7534464.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7534464.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 448 wrote to memory of 5084 | N/A | C:\Users\Admin\AppData\Local\Temp\b72cfb25178ac78d0dfae350873df231a1f4266a913f47acc5018b87cae84bdf.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6653264.exe
PID 448 wrote to memory of 5084 | N/A | C:\Users\Admin\AppData\Local\Temp\b72cfb25178ac78d0dfae350873df231a1f4266a913f47acc5018b87cae84bdf.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6653264.exe
PID 448 wrote to memory of 5084 | N/A | C:\Users\Admin\AppData\Local\Temp\b72cfb25178ac78d0dfae350873df231a1f4266a913f47acc5018b87cae84bdf.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6653264.exe
PID 5084 wrote to memory of 1496 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6653264.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2222652.exe
PID 5084 wrote to memory of 1496 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6653264.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2222652.exe
PID 5084 wrote to memory of 1496 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6653264.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2222652.exe
PID 1496 wrote to memory of 3960 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2222652.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7534464.exe
PID 1496 wrote to memory of 3960 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2222652.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7534464.exe
PID 1496 wrote to memory of 3872 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2222652.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b3015164.exe
PID 1496 wrote to memory of 3872 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2222652.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b3015164.exe
PID 1496 wrote to memory of 3872 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2222652.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b3015164.exe
PID 3872 wrote to memory of 2560 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b3015164.exe | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
PID 3872 wrote to memory of 2560 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b3015164.exe | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
PID 3872 wrote to memory of 2560 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b3015164.exe | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
PID 5084 wrote to memory of 3596 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6653264.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c4556430.exe
PID 5084 wrote to memory of 3596 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6653264.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c4556430.exe
PID 5084 wrote to memory of 3596 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6653264.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c4556430.exe
PID 2560 wrote to memory of 2416 | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2560 wrote to memory of 2416 | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2560 wrote to memory of 2416 | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2560 wrote to memory of 116 | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | C:\Windows\SysWOW64\cmd.exe
PID 2560 wrote to memory of 116 | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | C:\Windows\SysWOW64\cmd.exe
PID 2560 wrote to memory of 116 | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | C:\Windows\SysWOW64\cmd.exe
PID 116 wrote to memory of 3728 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 116 wrote to memory of 3728 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 116 wrote to memory of 3728 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 116 wrote to memory of 1904 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 116 wrote to memory of 1904 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 116 wrote to memory of 1904 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 116 wrote to memory of 4728 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 116 wrote to memory of 4728 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 116 wrote to memory of 4728 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 116 wrote to memory of 1208 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 116 wrote to memory of 1208 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 116 wrote to memory of 1208 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 116 wrote to memory of 3356 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 116 wrote to memory of 3356 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 116 wrote to memory of 3356 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 116 wrote to memory of 3092 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 116 wrote to memory of 3092 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 116 wrote to memory of 3092 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 448 wrote to memory of 2168 | N/A | C:\Users\Admin\AppData\Local\Temp\b72cfb25178ac78d0dfae350873df231a1f4266a913f47acc5018b87cae84bdf.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d1853109.exe
PID 448 wrote to memory of 2168 | N/A | C:\Users\Admin\AppData\Local\Temp\b72cfb25178ac78d0dfae350873df231a1f4266a913f47acc5018b87cae84bdf.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d1853109.exe
PID 448 wrote to memory of 2168 | N/A | C:\Users\Admin\AppData\Local\Temp\b72cfb25178ac78d0dfae350873df231a1f4266a913f47acc5018b87cae84bdf.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d1853109.exe

Processes

C:\Users\Admin\AppData\Local\Temp\b72cfb25178ac78d0dfae350873df231a1f4266a913f47acc5018b87cae84bdf.exe

"C:\Users\Admin\AppData\Local\Temp\b72cfb25178ac78d0dfae350873df231a1f4266a913f47acc5018b87cae84bdf.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6653264.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6653264.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2222652.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2222652.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7534464.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7534464.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b3015164.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b3015164.exe

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

"C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe"

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c4556430.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c4556430.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN pdates.exe /TR "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "pdates.exe" /P "Admin:N"&&CACLS "pdates.exe" /P "Admin:R" /E&&echo Y|CACLS "..\925e7e99c5" /P "Admin:N"&&CACLS "..\925e7e99c5" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "pdates.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "pdates.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\925e7e99c5" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\925e7e99c5" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d1853109.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d1853109.exe

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

Network

Country | Destination | Domain | Proto
FI | 77.91.68.61:80 | | tcp
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
FI | 77.91.124.84:19071 | | tcp
FI | 77.91.68.61:80 | | tcp
FI | 77.91.124.84:19071 | | tcp
FI | 77.91.68.61:80 | | tcp
US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp
FI | 77.91.124.84:19071 | | tcp
FI | 77.91.124.84:19071 | | tcp
FI | 77.91.124.84:19071 | | tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6653264.exe

MD5 e7fa26de9c820baea690459babf2fbe2
SHA1 2ef86403777796d2dc2751f4abb0b42e483a9a90
SHA256 630b3bd990cf3a7b799c0a8757ec0da95eb2bc811a803790cd5dd59b96a6ae12
SHA512 eaa136102af8ce5e1c93a08854c3ca6b768a546bde6b9ba123b0f7f23509155daebbcf221f299c1a44cac81a9690796d317baef311c7fd96c8403d1d6b1f441b

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2222652.exe

MD5 ef013b3a532e703d4d2c2b5cd426bc90
SHA1 74f878cbd5dcd5ebdabf43c262f95ae0c1a697ae
SHA256 a264decd1d4218a6f799938cf789727b2fd2fc2a2f5d29abdbbb3a582213a875
SHA512 d92fc62a03d6ab3fd5b676c2c5eb6da3dad100a6d5753a364ab1196742b20b66f993c649ef7bf9b96b233935bc2a8698c1ae3af2cf86d6a133f44eb85dc69233

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7534464.exe

MD5 64fef4cf6fc7cd982c1e3967385b6dc8
SHA1 30f307ad0ff6a2bf5c90743f09fb2b53705e9660
SHA256 f7ce92d9f78ff144184570d99e5951f58f6f3b8bcab899f785cea40643e43243
SHA512 b4875804448ce8d04f4b4138cf4228f25986f6e84bd0523706a4283def46be864ba07584019afbb7e52cb0b2dc997de0288f7062962c11a8515d12f1c1f0119c

memory/3960-21-0x00007FF8B1AE3000-0x00007FF8B1AE5000-memory.dmp

memory/3960-22-0x0000000000C60000-0x0000000000C6A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b3015164.exe

MD5 9ecc4e0e5e82fc7bc093b19a6f4de2eb
SHA1 1f6e4556dee5c075dfb06bbd4f9bbfbffc926347
SHA256 eb6991a258a7ae91ffb2d4d170508562eff82c059cf2c58e6500730183cc34bc
SHA512 9c93be0e7e18c7a5f27a68da43ca5a926c71b14468d8e66b3fff51458996f7ed9d3a9c0a9e12ef947ea130ad53787606afe50f307e0efdabda52755ed8323bd7

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c4556430.exe

MD5 99e4fbaf61eda1a131a0fb9d2db25f6e
SHA1 dfbba00b8a56e4405fa1911cf4d1f3466fcdf0e9
SHA256 51e82b55c6b0908e8c31d12c5d8160a29addde641ea77b11ab4e229d67d89df3
SHA512 bf0d17b89b745982ecd8c0773c63fa68e86e3893f3ee4829e50cf7ea647f54b236fb1c4a16811d2e91b5f2b32bd119968eb905e34bb59ba17badbe4c5a043ff5

memory/3596-40-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d1853109.exe

MD5 257b3b2a8fd11a9c26682c5c34ff230f
SHA1 c19af2e2d29a96cbf73a54941f398a14c6ba8f14
SHA256 2a55756c92b3e9e68116c3617777d07720069a3e0fae13d59412a03f7f5f42c1
SHA512 35c8ff10783734d68ae3036845e28f2114f60623aeec5dda81f62adadcf26338fa53fbda810bfa94b1530f30cd44018ae608407de2951177357552d9bfdf4368


Analysis: behavioral24

Detonation Overview

Submitted

2024-05-10 12:29

Reported

2024-05-10 12:33

Platform

win10v2004-20240508-en

Max time kernel

148s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\db14966ca75480a4e8f9f3d18c7bada2f205a1ac7404dbeda068279afa55b1cb.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\db14966ca75480a4e8f9f3d18c7bada2f205a1ac7404dbeda068279afa55b1cb.exe

"C:\Users\Admin\AppData\Local\Temp\db14966ca75480a4e8f9f3d18c7bada2f205a1ac7404dbeda068279afa55b1cb.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.237:443 | g.bing.com | tcp
MD | 176.123.9.142:14845 | | tcp
NL | 23.62.61.57:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 57.61.62.23.in-addr.arpa | udp
MD | 176.123.9.142:14845 | | tcp
MD | 176.123.9.142:14845 | | tcp
MD | 176.123.9.142:14845 | | tcp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
MD | 176.123.9.142:14845 | | tcp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 139.53.16.96.in-addr.arpa | udp
MD | 176.123.9.142:14845 | | tcp
MD | 176.123.9.142:14845 | | tcp
MD | 176.123.9.142:14845 | | tcp
MD | 176.123.9.142:14845 | | tcp
US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp
MD | 176.123.9.142:14845 | | tcp
MD | 176.123.9.142:14845 | | tcp
US | 52.111.229.43:443 | | tcp
MD | 176.123.9.142:14845 | | tcp
MD | 176.123.9.142:14845 | | tcp
MD | 176.123.9.142:14845 | | tcp
MD | 176.123.9.142:14845 | | tcp
MD | 176.123.9.142:14845 | | tcp
MD | 176.123.9.142:14845 | | tcp
MD | 176.123.9.142:14845 | | tcp
MD | 176.123.9.142:14845 | | tcp
US | 8.8.8.8:53 | 58.189.79.40.in-addr.arpa | udp

Files


Analysis: behavioral3

Detonation Overview

Submitted

2024-05-10 12:29

Reported

2024-05-10 12:33

Platform

win10v2004-20240426-en

Max time kernel

140s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1d90edda9fc0271748934c0813b8946478823a33b5892d1be2ddf3d383fbc851.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Description | Indicator | Process | Target
N/A | pastebin.com | N/A | N/A
N/A | pastebin.com | N/A | N/A
N/A | pastebin.com | N/A | N/A
N/A | pastebin.com | N/A | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2980 set thread context of 2876 | N/A | C:\Users\Admin\AppData\Local\Temp\1d90edda9fc0271748934c0813b8946478823a33b5892d1be2ddf3d383fbc851.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2980 wrote to memory of 2876 | N/A | C:\Users\Admin\AppData\Local\Temp\1d90edda9fc0271748934c0813b8946478823a33b5892d1be2ddf3d383fbc851.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2980 wrote to memory of 2876 | N/A | C:\Users\Admin\AppData\Local\Temp\1d90edda9fc0271748934c0813b8946478823a33b5892d1be2ddf3d383fbc851.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2980 wrote to memory of 2876 | N/A | C:\Users\Admin\AppData\Local\Temp\1d90edda9fc0271748934c0813b8946478823a33b5892d1be2ddf3d383fbc851.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2980 wrote to memory of 2876 | N/A | C:\Users\Admin\AppData\Local\Temp\1d90edda9fc0271748934c0813b8946478823a33b5892d1be2ddf3d383fbc851.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2980 wrote to memory of 2876 | N/A | C:\Users\Admin\AppData\Local\Temp\1d90edda9fc0271748934c0813b8946478823a33b5892d1be2ddf3d383fbc851.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2980 wrote to memory of 2876 | N/A | C:\Users\Admin\AppData\Local\Temp\1d90edda9fc0271748934c0813b8946478823a33b5892d1be2ddf3d383fbc851.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2980 wrote to memory of 2876 | N/A | C:\Users\Admin\AppData\Local\Temp\1d90edda9fc0271748934c0813b8946478823a33b5892d1be2ddf3d383fbc851.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2980 wrote to memory of 2876 | N/A | C:\Users\Admin\AppData\Local\Temp\1d90edda9fc0271748934c0813b8946478823a33b5892d1be2ddf3d383fbc851.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Processes

C:\Users\Admin\AppData\Local\Temp\1d90edda9fc0271748934c0813b8946478823a33b5892d1be2ddf3d383fbc851.exe

"C:\Users\Admin\AppData\Local\Temp\1d90edda9fc0271748934c0813b8946478823a33b5892d1be2ddf3d383fbc851.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | pastebin.com | udp
US | 104.20.4.235:443 | pastebin.com | tcp
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.237:443 | g.bing.com | tcp
NL | 23.62.61.160:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 235.4.20.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp
US | 8.8.8.8:53 | 160.61.62.23.in-addr.arpa | udp
NL | 23.62.61.160:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 139.53.16.96.in-addr.arpa | udp
US | 104.20.4.235:443 | pastebin.com | tcp
US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp
US | 104.20.4.235:443 | pastebin.com | tcp

Files


Analysis: behavioral27

Detonation Overview

Submitted

2024-05-10 12:29

Reported

2024-05-10 12:32

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f8a2da44f9c18482323d9e1ed99567d3a35b95656bc1b023d86e12f305565c41.exe"

Signatures

Amadey

trojan amadey

Detects Healer, an antivirus disabler dropper

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6513102.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6513102.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6513102.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6513102.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6513102.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6513102.exe | N/A

RedLine

infostealer redline

RedLine payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

SmokeLoader

trojan backdoor smokeloader

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b1736941.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6513102.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9071750.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1399127.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\f8a2da44f9c18482323d9e1ed99567d3a35b95656bc1b023d86e12f305565c41.exe | N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description | Indicator | Process | Target
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c2251742.exe | N/A
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c2251742.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c2251742.exe | N/A

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6513102.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6513102.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6513102.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4172 wrote to memory of 3260 | N/A | C:\Users\Admin\AppData\Local\Temp\f8a2da44f9c18482323d9e1ed99567d3a35b95656bc1b023d86e12f305565c41.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9071750.exe
PID 4172 wrote to memory of 3260 | N/A | C:\Users\Admin\AppData\Local\Temp\f8a2da44f9c18482323d9e1ed99567d3a35b95656bc1b023d86e12f305565c41.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9071750.exe
PID 4172 wrote to memory of 3260 | N/A | C:\Users\Admin\AppData\Local\Temp\f8a2da44f9c18482323d9e1ed99567d3a35b95656bc1b023d86e12f305565c41.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9071750.exe
PID 3260 wrote to memory of 4796 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9071750.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1399127.exe
PID 3260 wrote to memory of 4796 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9071750.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1399127.exe
PID 3260 wrote to memory of 4796 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9071750.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1399127.exe
PID 4796 wrote to memory of 3188 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1399127.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6513102.exe
PID 4796 wrote to memory of 3188 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1399127.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6513102.exe
PID 4796 wrote to memory of 3268 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1399127.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b1736941.exe
PID 4796 wrote to memory of 3268 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1399127.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b1736941.exe
PID 4796 wrote to memory of 3268 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1399127.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b1736941.exe
PID 3268 wrote to memory of 3008 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b1736941.exe | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
PID 3268 wrote to memory of 3008 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b1736941.exe | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
PID 3268 wrote to memory of 3008 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b1736941.exe | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
PID 3260 wrote to memory of 4520 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9071750.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c2251742.exe
PID 3260 wrote to memory of 4520 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9071750.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c2251742.exe
PID 3260 wrote to memory of 4520 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9071750.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c2251742.exe
PID 3008 wrote to memory of 2376 | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | C:\Windows\SysWOW64\schtasks.exe
PID 3008 wrote to memory of 2376 | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | C:\Windows\SysWOW64\schtasks.exe
PID 3008 wrote to memory of 2376 | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | C:\Windows\SysWOW64\schtasks.exe
PID 3008 wrote to memory of 5060 | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | C:\Windows\SysWOW64\cmd.exe
PID 3008 wrote to memory of 5060 | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | C:\Windows\SysWOW64\cmd.exe
PID 3008 wrote to memory of 5060 | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | C:\Windows\SysWOW64\cmd.exe
PID 5060 wrote to memory of 4608 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 5060 wrote to memory of 4608 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 5060 wrote to memory of 4608 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 5060 wrote to memory of 3756 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 5060 wrote to memory of 3756 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 5060 wrote to memory of 3756 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 5060 wrote to memory of 1460 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 5060 wrote to memory of 1460 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 5060 wrote to memory of 1460 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 5060 wrote to memory of 5068 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 5060 wrote to memory of 5068 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 5060 wrote to memory of 5068 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 5060 wrote to memory of 3580 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 5060 wrote to memory of 3580 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 5060 wrote to memory of 3580 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 5060 wrote to memory of 2436 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 5060 wrote to memory of 2436 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 5060 wrote to memory of 2436 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 4172 wrote to memory of 1976 | N/A | C:\Users\Admin\AppData\Local\Temp\f8a2da44f9c18482323d9e1ed99567d3a35b95656bc1b023d86e12f305565c41.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d4275669.exe
PID 4172 wrote to memory of 1976 | N/A | C:\Users\Admin\AppData\Local\Temp\f8a2da44f9c18482323d9e1ed99567d3a35b95656bc1b023d86e12f305565c41.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d4275669.exe
PID 4172 wrote to memory of 1976 | N/A | C:\Users\Admin\AppData\Local\Temp\f8a2da44f9c18482323d9e1ed99567d3a35b95656bc1b023d86e12f305565c41.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d4275669.exe

Processes

C:\Users\Admin\AppData\Local\Temp\f8a2da44f9c18482323d9e1ed99567d3a35b95656bc1b023d86e12f305565c41.exe

"C:\Users\Admin\AppData\Local\Temp\f8a2da44f9c18482323d9e1ed99567d3a35b95656bc1b023d86e12f305565c41.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9071750.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9071750.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1399127.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1399127.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6513102.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6513102.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b1736941.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b1736941.exe

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

"C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe"

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c2251742.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c2251742.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN pdates.exe /TR "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "pdates.exe" /P "Admin:N"&&CACLS "pdates.exe" /P "Admin:R" /E&&echo Y|CACLS "..\925e7e99c5" /P "Admin:N"&&CACLS "..\925e7e99c5" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "pdates.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "pdates.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\925e7e99c5" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\925e7e99c5" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d4275669.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d4275669.exe

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
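
The two command lines in this tree that matter for detection are the schtasks call (a task named after the binary, re-launched every minute from a Temp directory, so it needs no admin rights and survives the process being killed) and the cmd.exe one-liner that runs CACLS four times. CACLS without /E replaces the whole ACL and asks "Are you sure (Y/N)?", which the preceding "echo Y|" answers; "Admin:N" therefore leaves a single no-access entry, and the following "/P Admin:R /E" edits it back to read-only, first on pdates.exe and then on its directory, so the user account that dropped the file can no longer modify or delete it. The following script is an added example written for this report, not part of the sandbox output; it runs two rules of that shape over the command lines copied from the Processes list above. The rule names and the user-writable path pattern are my own choices.

```python
import re

# Command lines copied from the Processes list above; constructed input for this example.
SAMPLE_CMDLINES = [
    '"C:\\Windows\\System32\\schtasks.exe" /Create /SC MINUTE /MO 1 /TN pdates.exe '
    '/TR "C:\\Users\\Admin\\AppData\\Local\\Temp\\925e7e99c5\\pdates.exe" /F',
    '"C:\\Windows\\System32\\cmd.exe" /k echo Y|CACLS "pdates.exe" /P "Admin:N"'
    '&&CACLS "pdates.exe" /P "Admin:R" /E&&echo Y|CACLS "..\\925e7e99c5" /P "Admin:N"'
    '&&CACLS "..\\925e7e99c5" /P "Admin:R" /E&&Exit',
    'CACLS "pdates.exe" /P "Admin:N"',
    'CACLS "pdates.exe" /P "Admin:R" /E',
    'C:\\Windows\\system32\\cmd.exe /S /D /c" echo Y"',
    "C:\\Windows\\system32\\sc.exe start wuauserv",
]

# Paths a standard user can write to; a task that runs from here needed no admin rights.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\(?:Local|Roaming)\\", re.I)
# CACLS <file> /P <user>:<perm>   N = no access, R = read, W = write, C = change, F = full
# (targets containing spaces are not handled; none occur in this report)
CACLS_P = re.compile(
    r'\bCACLS\s+"?(?P<target>[^"\s]+)"?\s+/P\s+"?(?P<user>[^":\s]+):(?P<perm>[NRWCF])"?', re.I
)


def split_chain(cmdline):
    """Split a cmd.exe one-liner into the commands it runs (on && and |)."""
    return [p.strip() for p in re.split(r"&&|\|", cmdline) if p.strip()]


def task_command(cmdline):
    """Return the /TR argument of a schtasks command line, quoted or bare."""
    m = re.search(r'/TR\s+"([^"]*)"', cmdline, re.I) or re.search(r"/TR\s+(\S+)", cmdline, re.I)
    return m.group(1) if m else None


def analyse(cmdline):
    """Return [(rule, detail), ...] for one command line; an empty list means nothing flagged."""
    findings = []
    low = cmdline.lower()
    if "schtasks" in low and "/create" in low:
        sc = re.search(r"/SC\s+(\w+)", cmdline, re.I)
        mo = re.search(r"/MO\s+(\d+)", cmdline, re.I)
        target = task_command(cmdline)
        if sc and sc.group(1).upper() == "MINUTE" and target and USER_WRITABLE.search(target):
            every = int(mo.group(1)) if mo else 1
            findings.append(("schtasks_minute_userdir", f"runs {target} every {every} min"))
    for part in split_chain(cmdline):
        m = CACLS_P.search(part)
        if not m:
            continue
        # Without /E the ACL is replaced outright (hence the "echo Y|" confirmation);
        # with /E the existing ACL is edited in place.
        edit = re.search(r"\s/E\b", part, re.I) is not None
        if m["perm"].upper() == "N" and not edit:
            findings.append(("cacls_deny_all",
                             f"{m['user']} denied all access to {m['target']}, ACL replaced"))
        elif m["perm"].upper() == "R" and edit:
            findings.append(("cacls_read_only",
                             f"{m['user']} restricted to read on {m['target']}"))
    return findings


def scan(cmdlines):
    """Return [(cmdline, findings)] for every command line that triggered at least one rule."""
    hits = []
    for c in cmdlines:
        f = analyse(c)
        if f:
            hits.append((c, f))
    return hits


if __name__ == "__main__":
    for cmdline, findings in scan(SAMPLE_CMDLINES):
        print(cmdline[:72])
        for rule, detail in findings:
            print(f"  [{rule}] {detail}")
```

The lock is weaker than it looks: the dropping account normally remains the owner of the file, and an owner implicitly holds WRITE_DAC, so `icacls <path> /reset` from that account (or after `takeown /F <path>` as an administrator) restores the inherited permissions before the file and the scheduled task are removed.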

Network

Country Destination Domain Proto
FI 77.91.68.61:80 tcp
FI 77.91.124.84:19071 tcp
FI 77.91.68.61:80 tcp
FI 77.91.124.84:19071 tcp
FI 77.91.68.61:80 tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
FI 77.91.124.84:19071 tcp
FI 77.91.124.84:19071 tcp
FI 77.91.124.84:19071 tcp
US 8.8.8.8:53 28.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9071750.exe

MD5 88bee46f431c014c1e45417f6b13e124
SHA1 07588e0723944e251a6a2d9db4ed8e45d5f563f1
SHA256 f4dfc88066f344cec64c3c5076b4e1e051af9f333c455aa2f96daacc1d732999
SHA512 5a0c53df34632e2d21c12e572460d54bfe7de21035d44bc36764ed3c6410d661ee50c758366cc8b86c2447b54efab7c41479fb04468afee6b70b9cbbaf55e79e

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1399127.exe

MD5 8f620f99bbeba489fc4bddc2af02f9b8
SHA1 2e97752a24581dd229306cfad5763cf82f9c4f96
SHA256 26a1717813eedfd0569c474064d1e14eeba61b97bb26866c53a19428a448a3f5
SHA512 b5065ed02a3bdcb68461265bb56f9173a7f9a1c75d12cf1ae53c43224cf2aada5586a4ee122779d7c83b8e8130cc6a980080cd03c2cc751ce19ac5ea3b2caa03

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6513102.exe

MD5 12803f40ef0b813626de6e5eb0ec05b2
SHA1 27e32adac36ba9f4d54ecbf53e112158d4e988b5
SHA256 d320fcef46ae85d5f06133a3b8d4f5a7d2dff0886a86d981f3186f464fbb7abb
SHA512 84d7c28b03fdceb94e00fbcc838f203f6cd9e091b67b7ea8dad577a529a0d96eecf3b246a8548c9b7bef1e063aa96525f6b2148b5d0bb79b32a3415e9f151e0a

memory/3188-21-0x0000000000B20000-0x0000000000B2A000-memory.dmp

memory/3188-22-0x00007FF9F8763000-0x00007FF9F8765000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b1736941.exe

MD5 2b7ed1055ddd27afe675dd11da92357a
SHA1 3809cb22cbdda5ba5707892163217563020df5ca
SHA256 9d69e620d8bb7cb24c7d4831312351d09872badc8331594ce05afe46ff56ab3d
SHA512 549602e7e10ae1b006fafe9d6c1c09d35280a3af8815157dfa9b7664f16bf1682cc782585a24202dd150955073b5e648f0ad8a39add3f95ceeb51a5eb26fc641

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c2251742.exe

MD5 88331cf94b56745070654ca04d4c7d98
SHA1 248ac76afce09c34082bad3fbd01ce73e4056f65
SHA256 32e850a828611bdf20e34f0ac6c397507ff4b140c2b13732b5bf389249693334
SHA512 a3173aaeb138cb46f951d1e6b103a424c91ee05b416cdc9080e3ac5ba6db33dd0431d1ba0b8228b379f6ea6631b5c6622a4875459ce1105a0b959722e7717f96

memory/4520-40-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d4275669.exe

MD5 35c0945f8c70c870c070eb2261d6bc04
SHA1 bfc1ffae759330be5a50c22829fb342bfc644aab
SHA256 e296c73bc0d4abe0e58a2200d0c1839c210debd4deb8b26aa83abc5a2f0aaa1d
SHA512 8c9e5e646dfcd6b592d516524128d34af326c55a153d77d240ddbe6f418f01be473231e78a1707d72b0fbe3ad367085fc76ff329d8d80515ac07288b5eda73b7

memory/1976-45-0x0000000000E90000-0x0000000000EC0000-memory.dmp

memory/1976-46-0x0000000001650000-0x0000000001656000-memory.dmp

memory/1976-47-0x000000000B300000-0x000000000B918000-memory.dmp

memory/1976-48-0x000000000AE40000-0x000000000AF4A000-memory.dmp

memory/1976-49-0x000000000AD80000-0x000000000AD92000-memory.dmp

memory/1976-50-0x000000000ADE0000-0x000000000AE1C000-memory.dmp

memory/1976-51-0x00000000052B0000-0x00000000052FC000-memory.dmp

Analysis: behavioral15

Detonation Overview

Submitted

2024-05-10 12:29

Reported

2024-05-10 12:33

Platform

win7-20240221-en

Max time kernel

119s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8db3c27c31541a43d1adeae01ca7caf3f0c8d6e3733168917ea04d58d7e4a488.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\8db3c27c31541a43d1adeae01ca7caf3f0c8d6e3733168917ea04d58d7e4a488.exe

"C:\Users\Admin\AppData\Local\Temp\8db3c27c31541a43d1adeae01ca7caf3f0c8d6e3733168917ea04d58d7e4a488.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1184 -s 52

Network

N/A

Files

memory/1184-0-0x0000000000030000-0x0000000000031000-memory.dmp

memory/1184-1-0x0000000000030000-0x0000000000031000-memory.dmp

Analysis: behavioral28

Detonation Overview

Submitted

2024-05-10 12:29

Reported

2024-05-10 12:32

Platform

win7-20240220-en

Max time kernel

122s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fc8b501a1823496ec4685f1c935710517b2ee5331f98bf10c5eb7b69350e59d3.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\fc8b501a1823496ec4685f1c935710517b2ee5331f98bf10c5eb7b69350e59d3.exe

"C:\Users\Admin\AppData\Local\Temp\fc8b501a1823496ec4685f1c935710517b2ee5331f98bf10c5eb7b69350e59d3.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1120 -s 116

Network

N/A

Files

memory/1120-0-0x00000000009A9000-0x00000000009AA000-memory.dmp

Analysis: behavioral12

Detonation Overview

Submitted

2024-05-10 12:29

Reported

2024-05-10 12:32

Platform

win7-20240508-en

Max time kernel

120s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\77cbabe9fe3b8b9ac3422f2b29fbcb0cdb9ee85c7b64b2bde48da25f6ef608cf.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\77cbabe9fe3b8b9ac3422f2b29fbcb0cdb9ee85c7b64b2bde48da25f6ef608cf.exe

"C:\Users\Admin\AppData\Local\Temp\77cbabe9fe3b8b9ac3422f2b29fbcb0cdb9ee85c7b64b2bde48da25f6ef608cf.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2176 -s 116

Network

N/A

Files

memory/2176-0-0x0000000000D14000-0x0000000000D16000-memory.dmp

Analysis: behavioral23

Detonation Overview

Submitted

2024-05-10 12:29

Reported

2024-05-10 12:32

Platform

win7-20231129-en

Max time kernel

145s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\db14966ca75480a4e8f9f3d18c7bada2f205a1ac7404dbeda068279afa55b1cb.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\db14966ca75480a4e8f9f3d18c7bada2f205a1ac7404dbeda068279afa55b1cb.exe

"C:\Users\Admin\AppData\Local\Temp\db14966ca75480a4e8f9f3d18c7bada2f205a1ac7404dbeda068279afa55b1cb.exe"

Network

Country Destination Domain Proto
MD 176.123.9.142:14845 tcp
MD 176.123.9.142:14845 tcp
MD 176.123.9.142:14845 tcp
MD 176.123.9.142:14845 tcp
MD 176.123.9.142:14845 tcp
MD 176.123.9.142:14845 tcp
MD 176.123.9.142:14845 tcp
MD 176.123.9.142:14845 tcp
MD 176.123.9.142:14845 tcp
MD 176.123.9.142:14845 tcp
MD 176.123.9.142:14845 tcp
MD 176.123.9.142:14845 tcp
MD 176.123.9.142:14845 tcp
MD 176.123.9.142:14845 tcp
MD 176.123.9.142:14845 tcp
MD 176.123.9.142:14845 tcp
MD 176.123.9.142:14845 tcp
MD 176.123.9.142:14845 tcp
MD 176.123.9.142:14845 tcp
MD 176.123.9.142:14845 tcp
MD 176.123.9.142:14845 tcp
MD 176.123.9.142:14845 tcp
MD 176.123.9.142:14845 tcp
MD 176.123.9.142:14845 tcp

Files

memory/2188-1-0x0000000000450000-0x0000000000480000-memory.dmp

memory/2188-4-0x0000000000401000-0x0000000000402000-memory.dmp

memory/2188-5-0x0000000000400000-0x0000000000446000-memory.dmp

memory/2188-6-0x0000000000570000-0x0000000000576000-memory.dmp

Analysis: behavioral21

Detonation Overview

Submitted

2024-05-10 12:29

Reported

2024-05-10 12:33

Platform

win10v2004-20240426-en

Max time kernel

145s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c39106a3520b59f859a00bc0014f6b5a4846b40742a925b66283b31e62094c4e.exe"

Signatures

Detects Healer, an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\c39106a3520b59f859a00bc0014f6b5a4846b40742a925b66283b31e62094c4e.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\c39106a3520b59f859a00bc0014f6b5a4846b40742a925b66283b31e62094c4e.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\c39106a3520b59f859a00bc0014f6b5a4846b40742a925b66283b31e62094c4e.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\c39106a3520b59f859a00bc0014f6b5a4846b40742a925b66283b31e62094c4e.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\c39106a3520b59f859a00bc0014f6b5a4846b40742a925b66283b31e62094c4e.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\c39106a3520b59f859a00bc0014f6b5a4846b40742a925b66283b31e62094c4e.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\c39106a3520b59f859a00bc0014f6b5a4846b40742a925b66283b31e62094c4e.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\c39106a3520b59f859a00bc0014f6b5a4846b40742a925b66283b31e62094c4e.exe N/A
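
The two tables above are the whole of what Healer does to Defender in this run: five Real-Time Protection policy values set to 1 and TamperProtection set to 0. On a host where Tamper Protection is enabled these writes are meant to be ignored, so the detection value is in the attempt rather than in whether it succeeded. The matcher below is an added example written for this report, not part of the sandbox output. It runs over the registry rows copied from the two tables (plus one constructed benign row as a control), normalises the hive spelling and strips the WOW6432Node component so the same rule matches the native 64-bit path, and judges by the value writes only, because a "Key created" row may be a RegCreateKey on a key that already existed. It goes one step beyond the page by also listing DisableAntiSpyware, a disabling policy value that this sample does not write.

```python
# Registry events copied from the two signature tables above, as (operation, path, data)
# tuples; the last row is a constructed benign control and is not from the report.
RTP = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection"
FEATURES = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features"
SAMPLE_EVENTS = [
    ("Key created", RTP, None),
    ("Set value (int)", RTP + r"\DisableIOAVProtection", "1"),
    ("Set value (int)", RTP + r"\DisableOnAccessProtection", "1"),
    ("Set value (int)", RTP + r"\DisableRealtimeMonitoring", "1"),
    ("Set value (int)", RTP + r"\DisableScanOnRealtimeEnable", "1"),
    ("Set value (int)", RTP + r"\DisableBehaviorMonitoring", "1"),
    ("Key created", FEATURES, None),
    ("Set value (int)", FEATURES + r"\TamperProtection", "0"),
    ("Set value (int)",
     r"\REGISTRY\USER\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden", "1"),
]

# Normalised key -> {value name -> data that weakens protection}.
# DisableAntiSpyware is not written by this sample; it is included so the rule set covers it.
DISABLING_WRITES = {
    r"hklm\software\policies\microsoft\windows defender\real-time protection": {
        "disablerealtimemonitoring": 1,
        "disablebehaviormonitoring": 1,
        "disableonaccessprotection": 1,
        "disableioavprotection": 1,
        "disablescanonrealtimeenable": 1,
    },
    r"hklm\software\policies\microsoft\windows defender": {"disableantispyware": 1},
    r"hklm\software\microsoft\windows defender\features": {"tamperprotection": 0},
}

# Spellings of the same hive as seen in sandbox output, Sysmon and regedit.
HIVE_ALIASES = (
    ("\\registry\\machine\\", "hklm\\"), ("hkey_local_machine\\", "hklm\\"),
    ("\\registry\\user\\", "hku\\"), ("hkey_users\\", "hku\\"),
)


def normalise(path):
    """Lower-case, map the hive spelling to hklm/hku and drop the WOW6432Node redirection."""
    p = path.lower()
    for alias, short in HIVE_ALIASES:
        if p.startswith(alias):
            p = short + p[len(alias):]
            break
    return p.replace("\\wow6432node\\", "\\")


def _as_int(data):
    try:
        return int(data)
    except (TypeError, ValueError):
        return None


def assess(events):
    """Return [(value name as written, data)] for every write that matches DISABLING_WRITES."""
    hits = []
    for op, path, data in events:
        if not op.lower().startswith("set value"):
            continue  # key creation alone proves nothing; judge by the values written
        key, _, name = normalise(path).rpartition("\\")
        want = DISABLING_WRITES.get(key, {}).get(name)
        if want is not None and _as_int(data) == want:
            hits.append((path.rpartition("\\")[2], _as_int(data)))
    return hits


def verdict(hits):
    """Summarise a list from assess() in one phrase."""
    names = {n.lower() for n, _ in hits}
    if {"disablerealtimemonitoring", "disableantispyware"} & names:
        return "real-time protection disabled"
    if names - {"tamperprotection"}:
        return "real-time protection weakened"
    if names:
        return "tamper protection write only"
    return "no Defender tampering seen"


if __name__ == "__main__":
    found = assess(SAMPLE_EVENTS)
    for name, data in found:
        print(f"{name} = {data}")
    print(verdict(found))
```

In production the same matcher runs over Sysmon Event ID 13 (RegistryEvent, value set), whose TargetObject field uses the HKLM\... spelling that normalise() accepts; the policy key is also worth alerting on when it is written by anything other than the Group Policy client.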

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c39106a3520b59f859a00bc0014f6b5a4846b40742a925b66283b31e62094c4e.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\c39106a3520b59f859a00bc0014f6b5a4846b40742a925b66283b31e62094c4e.exe

"C:\Users\Admin\AppData\Local\Temp\c39106a3520b59f859a00bc0014f6b5a4846b40742a925b66283b31e62094c4e.exe"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start wuauserv

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.57:443 www.bing.com tcp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 57.61.62.23.in-addr.arpa udp
NL 23.62.61.57:443 www.bing.com tcp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 142.53.16.96.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
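
Read side by side, the three Network tables in this section show the triage problem a sandbox report poses: the pdates.exe chain and behavioral23 talk to raw IPs on port 80 and on high ports with no hostname in the Domain column, while behavioral21's table is entirely Bing traffic and reverse (in-addr.arpa) lookups, which is the win10 image's own background activity rather than anything the sample did. The script below is an added example written for this report, not part of the sandbox output. It takes rows copied from those tables (the first run is labelled by the leading bytes of its sample name, since its analysis number is not in this section, and the behavioral21 rows are a representative subset), drops resolver PTR lookups and a small allowlist of background hostnames that is my own assumption, and counts the remaining destinations per run; a forward DNS query that survives the filter is reported by its query name rather than by the resolver's address.

```python
from collections import Counter

# Rows copied from the Network tables above as (analysis, country, destination, domain, proto).
# Constructed input for this example; "f8a2da44" stands for the pdates.exe dropper run.
SAMPLE_ROWS = [
    ("f8a2da44", "FI", "77.91.68.61:80", "", "tcp"),
    ("f8a2da44", "FI", "77.91.124.84:19071", "", "tcp"),
    ("f8a2da44", "FI", "77.91.68.61:80", "", "tcp"),
    ("f8a2da44", "FI", "77.91.124.84:19071", "", "tcp"),
    ("f8a2da44", "FI", "77.91.68.61:80", "", "tcp"),
    ("f8a2da44", "US", "8.8.8.8:53", "11.227.111.52.in-addr.arpa", "udp"),
    ("f8a2da44", "FI", "77.91.124.84:19071", "", "tcp"),
    ("f8a2da44", "FI", "77.91.124.84:19071", "", "tcp"),
    ("f8a2da44", "FI", "77.91.124.84:19071", "", "tcp"),
    ("f8a2da44", "US", "8.8.8.8:53", "28.173.189.20.in-addr.arpa", "udp"),
] + [("behavioral23", "MD", "176.123.9.142:14845", "", "tcp")] * 24 + [
    # behavioral21, representative subset of its table
    ("behavioral21", "US", "8.8.8.8:53", "g.bing.com", "udp"),
    ("behavioral21", "US", "204.79.197.237:443", "g.bing.com", "tcp"),
    ("behavioral21", "US", "8.8.8.8:53", "237.197.79.204.in-addr.arpa", "udp"),
    ("behavioral21", "NL", "23.62.61.57:443", "www.bing.com", "tcp"),
    ("behavioral21", "US", "8.8.8.8:53", "tse1.mm.bing.net", "udp"),
    ("behavioral21", "US", "204.79.197.200:443", "tse1.mm.bing.net", "tcp"),
]

# Hostnames a Windows 10 sandbox image contacts on its own. This allowlist is an assumption
# of the example and should be tuned to the image actually in use.
BACKGROUND_SUFFIXES = ("bing.com", "bing.net", "microsoft.com", "windowsupdate.com",
                       "msftconnecttest.com")
RESOLVERS = {"8.8.8.8", "8.8.4.4", "1.1.1.1"}


def split_dest(dest):
    """'ip:port' -> (ip, port)."""
    ip, _, port = dest.rpartition(":")
    return ip, int(port)


def is_dns(dest, proto):
    ip, port = split_dest(dest)
    return proto == "udp" and port == 53 and ip in RESOLVERS


def is_noise(dest, domain, proto):
    """True for resolver PTR lookups and for traffic to background hostnames."""
    d = domain.lower()
    if is_dns(dest, proto):
        # A PTR lookup names an IP that is already in the table as a destination,
        # so it carries no indicator of its own.
        return d.endswith(".in-addr.arpa") or d.endswith(BACKGROUND_SUFFIXES)
    return d.endswith(BACKGROUND_SUFFIXES) if d else False


def ioc_key(dest, domain, proto):
    """The indicator a row contributes: a query name for DNS, else (ip, port, proto)."""
    if is_dns(dest, proto):
        return ("dns", domain.lower())
    ip, port = split_dest(dest)
    return (ip, port, proto)


def triage(rows):
    """Per analysis: Counter of candidate C2 indicators and how often each was hit."""
    out = {}
    for analysis, _country, dest, domain, proto in rows:
        out.setdefault(analysis, Counter())
        if is_noise(dest, domain, proto):
            continue
        out[analysis][ioc_key(dest, domain, proto)] += 1
    return out


def ioc_lines(result):
    """Flatten a triage() result into 'analysis  indicator  xN' lines, busiest first."""
    lines = []
    for analysis, counter in result.items():
        for key, n in counter.most_common():
            ind = key[1] if key[0] == "dns" else f"{key[0]}:{key[1]}/{key[2]}"
            lines.append(f"{analysis}  {ind}  x{n}")
    return lines


if __name__ == "__main__":
    result = triage(SAMPLE_ROWS)
    for line in ioc_lines(result) or ["nothing left after noise removal"]:
        print(line)
    for analysis, counter in result.items():
        if not counter:
            print(f"{analysis}  no candidate destinations (background traffic only)")
```

The empty result for behavioral21 is the useful one: the Healer run in this report has no network indicator at all, and anyone who blocked the destinations in its table would be blocking Bing.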

Files

memory/4560-0-0x00000000006B0000-0x00000000006EE000-memory.dmp

memory/4560-6-0x0000000000401000-0x0000000000404000-memory.dmp

memory/4560-7-0x0000000000400000-0x000000000044E000-memory.dmp

memory/4560-8-0x00000000006B0000-0x00000000006EE000-memory.dmp

memory/4560-9-0x0000000002450000-0x0000000002451000-memory.dmp