Analysis Overview
SHA256
c5a3dbeea17ddba50482e7844a817171580f977dcea9ad7b655d39a934b93b93
Threat Level: Known bad
The file c5a3dbeea17ddba50482e7844a817171580f977dcea9ad7b655d39a934b93b93 was found to be: Known bad.
Malicious Activity Summary
Lumma Stealer
SmokeLoader
Detect ZGRat V1
Healer
RedLine payload
Detects Healer, an antivirus disabler dropper
ZGRat
RedLine
Modifies Windows Defender Real-time Protection settings
Amadey
Reads user/profile data of web browsers
Checks computer location settings
Executes dropped EXE
Windows security modification
Adds Run key to start application
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Suspicious use of SetThreadContext
Launches sc.exe
Program crash
Unsigned PE
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Checks SCSI registry key(s)
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-10 12:30
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral12
Detonation Overview
Submitted
2024-05-10 12:30
Reported
2024-05-10 12:33
Platform
win7-20240221-en
Max time kernel
121s
Max time network
127s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\77cbabe9fe3b8b9ac3422f2b29fbcb0cdb9ee85c7b64b2bde48da25f6ef608cf.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2768 wrote to memory of 2812 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\77cbabe9fe3b8b9ac3422f2b29fbcb0cdb9ee85c7b64b2bde48da25f6ef608cf.exe | C:\Windows\SysWOW64\WerFault.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\77cbabe9fe3b8b9ac3422f2b29fbcb0cdb9ee85c7b64b2bde48da25f6ef608cf.exe
"C:\Users\Admin\AppData\Local\Temp\77cbabe9fe3b8b9ac3422f2b29fbcb0cdb9ee85c7b64b2bde48da25f6ef608cf.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2768 -s 116
Network
Files
memory/2768-0-0x0000000000154000-0x0000000000156000-memory.dmp
Analysis: behavioral16
Detonation Overview
Submitted
2024-05-10 12:30
Reported
2024-05-10 12:33
Platform
win10v2004-20240508-en
Max time kernel
130s
Max time network
153s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com (6 hits) | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3592 set thread context of 2740 | N/A | C:\Users\Admin\AppData\Local\Temp\8db3c27c31541a43d1adeae01ca7caf3f0c8d6e3733168917ea04d58d7e4a488.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\8db3c27c31541a43d1adeae01ca7caf3f0c8d6e3733168917ea04d58d7e4a488.exe
"C:\Users\Admin\AppData\Local\Temp\8db3c27c31541a43d1adeae01ca7caf3f0c8d6e3733168917ea04d58d7e4a488.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | 235.4.20.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | 142.53.16.96.in-addr.arpa | udp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
Files
memory/3592-0-0x00000000008E0000-0x00000000008E1000-memory.dmp
memory/3592-3-0x00000000008E0000-0x00000000008E1000-memory.dmp
memory/2740-2-0x0000000000400000-0x0000000000422000-memory.dmp
memory/3592-1-0x00000000008E0000-0x00000000008E1000-memory.dmp
memory/2740-4-0x00000000747EE000-0x00000000747EF000-memory.dmp
memory/2740-5-0x0000000005100000-0x0000000005166000-memory.dmp
memory/2740-6-0x0000000005C80000-0x0000000006298000-memory.dmp
memory/2740-7-0x00000000056E0000-0x00000000056F2000-memory.dmp
memory/2740-8-0x0000000005810000-0x000000000591A000-memory.dmp
memory/2740-9-0x00000000747E0000-0x0000000074F90000-memory.dmp
memory/2740-10-0x00000000747EE000-0x00000000747EF000-memory.dmp
memory/2740-11-0x00000000747E0000-0x0000000074F90000-memory.dmp
Analysis: behavioral24
Detonation Overview
Submitted
2024-05-10 12:30
Reported
2024-05-10 12:33
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
159s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\db14966ca75480a4e8f9f3d18c7bada2f205a1ac7404dbeda068279afa55b1cb.exe
"C:\Users\Admin\AppData\Local\Temp\db14966ca75480a4e8f9f3d18c7bada2f205a1ac7404dbeda068279afa55b1cb.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 21.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| MD | 176.123.9.142:14845 | N/A | tcp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| NL | 23.62.61.57:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 57.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| MD | 176.123.9.142:14845 | N/A | tcp |
| MD | 176.123.9.142:14845 | N/A | tcp |
| MD | 176.123.9.142:14845 | N/A | tcp |
| MD | 176.123.9.142:14845 | N/A | tcp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 139.53.16.96.in-addr.arpa | udp |
| MD | 176.123.9.142:14845 | N/A | tcp |
| MD | 176.123.9.142:14845 | N/A | tcp |
| MD | 176.123.9.142:14845 | N/A | tcp |
| MD | 176.123.9.142:14845 | N/A | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| MD | 176.123.9.142:14845 | N/A | tcp |
| MD | 176.123.9.142:14845 | N/A | tcp |
| MD | 176.123.9.142:14845 | N/A | tcp |
| MD | 176.123.9.142:14845 | N/A | tcp |
| MD | 176.123.9.142:14845 | N/A | tcp |
| MD | 176.123.9.142:14845 | N/A | tcp |
| MD | 176.123.9.142:14845 | N/A | tcp |
| MD | 176.123.9.142:14845 | N/A | tcp |
| MD | 176.123.9.142:14845 | N/A | tcp |
| MD | 176.123.9.142:14845 | N/A | tcp |
| MD | 176.123.9.142:14845 | N/A | tcp |
| MD | 176.123.9.142:14845 | N/A | tcp |
Files
memory/3164-0-0x0000000000401000-0x0000000000402000-memory.dmp
memory/3164-1-0x00000000001C0000-0x00000000001F0000-memory.dmp
memory/3164-5-0x0000000000400000-0x0000000000446000-memory.dmp
memory/3164-6-0x00000000025B0000-0x00000000025B6000-memory.dmp
memory/3164-7-0x000000000A050000-0x000000000A668000-memory.dmp
memory/3164-8-0x000000000A670000-0x000000000A77A000-memory.dmp
memory/3164-9-0x000000000A780000-0x000000000A792000-memory.dmp
memory/3164-10-0x000000000A7A0000-0x000000000A7DC000-memory.dmp
memory/3164-11-0x0000000004610000-0x000000000465C000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-10 12:30
Reported
2024-05-10 12:33
Platform
win10v2004-20240508-en
Max time kernel
145s
Max time network
151s
Command Line
Signatures
Amadey
Detects Healer, an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h6299789.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h6299789.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h6299789.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h6299789.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h6299789.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h6299789.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g6769642.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4707813.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g6769642.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h6299789.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j7773066.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h6299789.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4707813.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\1d059ca891566e0006cb4534dc4ff845fedd1d3d468c12366e12f98a815ed7d4.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h6299789.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h6299789.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h6299789.exe | N/A |
Suspicious use of WriteProcessMemory
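The Healer rows above record h6299789.exe creating the Defender Real-Time Protection policy key, setting its five Disable* values to 1 and zeroing TamperProtection. Two practitioner caveats: the sandbox logs that the write happened, not whether Defender honoured it (on a current Windows 10/11 build with tamper protection on, these policy writes are ignored), and the signature table only shows the \REGISTRY\MACHINE form of the path, so EDR telemetry that reports HKLM\ paths needs the prefix normalised before matching. The detection below is an added example written for this report, not the sandbox vendor's own rule; it feeds the rows from the tables above (plus one constructed negative case) through a classifier that maps each hit to ATT&CK T1562.001.

```python
"""Flag registry writes that switch off Microsoft Defender, using the
value paths recorded in the behavioral1 signature tables above."""
import re
from dataclasses import dataclass

# Policy key whose Disable* values turn off real-time components when set to 1.
RTP_POLICY_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
RTP_DISABLE_VALUES = {
    "DisableBehaviorMonitoring", "DisableIOAVProtection",
    "DisableOnAccessProtection", "DisableRealtimeMonitoring",
    "DisableScanOnRealtimeEnable",
}
# Feature switch the dropper zeroes to turn tamper protection off.
TAMPER_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features"

HEALER = r"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h6299789.exe"

# (description, indicator, process) exactly as the report's tables print them.
# The first seven entries are the report's rows; the last one is a constructed
# negative case (re-enabling real-time monitoring must not be flagged).
SAMPLE_EVENTS = [
    ("Set value (int)", RTP_POLICY_KEY + "\\" + name + ' = "1"', HEALER)
    for name in sorted(RTP_DISABLE_VALUES)
] + [
    ("Key created", RTP_POLICY_KEY, HEALER),
    ("Set value (int)", TAMPER_KEY + r'\TamperProtection = "0"', HEALER),
    ("Set value (int)", RTP_POLICY_KEY + r'\DisableRealtimeMonitoring = "0"', HEALER),  # constructed
]

# KEY\Name = "data", as printed in the Indicator column.
_SET_RE = re.compile(r'^(?P<key>.*)\\(?P<name>[^\\]+) = "(?P<data>[^"]*)"$')


@dataclass(frozen=True)
class Finding:
    process: str
    value_path: str
    technique: str  # ATT&CK: Impair Defenses, Disable or Modify Tools


def parse_set_value(indicator):
    """Split 'KEY\\Name = "data"'; None if the indicator is not that shape."""
    m = _SET_RE.match(indicator)
    return (m["key"], m["name"], m["data"]) if m else None


def classify(event):
    """Return a Finding for a Defender-disabling write, else None."""
    desc, indicator, process = event
    if desc != "Set value (int)":
        return None
    parsed = parse_set_value(indicator)
    if parsed is None:
        return None
    key, name, data = parsed
    if key.lower() == RTP_POLICY_KEY.lower() and name in RTP_DISABLE_VALUES and data == "1":
        return Finding(process, key + "\\" + name, "T1562.001")
    if key.lower() == TAMPER_KEY.lower() and name == "TamperProtection" and data == "0":
        return Finding(process, key + "\\" + name, "T1562.001")
    return None


def scan(events):
    """All Defender-tamper findings in a list of registry events."""
    return [f for f in map(classify, events) if f is not None]
```

Running scan(SAMPLE_EVENTS) yields six findings, all attributed to h6299789.exe: the five policy values plus TamperProtection. The "Key created" row and the constructed "0" write fall through, which is the intended behaviour: only a write that actually disables a component is worth an alert.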
Processes
C:\Users\Admin\AppData\Local\Temp\1d059ca891566e0006cb4534dc4ff845fedd1d3d468c12366e12f98a815ed7d4.exe
"C:\Users\Admin\AppData\Local\Temp\1d059ca891566e0006cb4534dc4ff845fedd1d3d468c12366e12f98a815ed7d4.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4707813.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4707813.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g6769642.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g6769642.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
"C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe"
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h6299789.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h6299789.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN pdates.exe /TR "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "pdates.exe" /P "Admin:N"&&CACLS "pdates.exe" /P "Admin:R" /E&&echo Y|CACLS "..\925e7e99c5" /P "Admin:N"&&CACLS "..\925e7e99c5" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "pdates.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "pdates.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\925e7e99c5" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\925e7e99c5" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j7773066.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j7773066.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
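Two things in this process tree deserve a closer read than the signature names give them. The RunOnce entries named wextract_cleanup0/1 (rundll32 advpack.dll,DelNodeRunDLL32 on the IXP00n.TMP directories) and the IXP000.TMP/IXP001.TMP directories themselves are the standard artefacts of Windows' own wextract self-extractor (IExpress-built packages); they fingerprint the dropper format, not malware persistence. The persistence is the schtasks task that re-launches pdates.exe from %TEMP% every minute, and the CACLS chain then strips the logged-on user's write and delete rights from the dropped file and its directory (echo Y| answers CACLS's confirmation prompt when /P replaces the whole ACL). The parser below is an added example, not part of the report; it takes the two command lines copied from the list above and returns the task parameters and the ACL each target ends up with.

```python
"""Parse the persistence (schtasks /Create) and self-protection (CACLS chain)
command lines from the behavioral1 process tree above."""
import re

# Command lines copied from the process list above.
SCHTASKS_CMD = ('"C:\\Windows\\System32\\schtasks.exe" /Create /SC MINUTE /MO 1 '
                '/TN pdates.exe /TR "C:\\Users\\Admin\\AppData\\Local\\Temp\\925e7e99c5\\pdates.exe" /F')
CACLS_CMD = ('"C:\\Windows\\System32\\cmd.exe" /k echo Y|CACLS "pdates.exe" /P "Admin:N"'
             '&&CACLS "pdates.exe" /P "Admin:R" /E&&echo Y|CACLS "..\\925e7e99c5" /P "Admin:N"'
             '&&CACLS "..\\925e7e99c5" /P "Admin:R" /E&&Exit')

# Windows-style tokenizer: a double-quoted run or a run of non-blanks.
_TOKEN_RE = re.compile(r'"[^"]*"|\S+')
# CACLS <target> /P <user>:<perm> [/E]   (N, R, W, C, F are the CACLS permission letters)
_CACLS_RE = re.compile(
    r'CACLS\s+"(?P<target>[^"]+)"\s+/P\s+"(?P<user>[^"]+):(?P<perm>[NRWCF])"(?P<edit>\s+/E)?',
    re.IGNORECASE)


def tokenize(cmdline):
    return [t.strip('"') for t in _TOKEN_RE.findall(cmdline)]


def parse_schtasks(cmdline):
    """Schedule, task name, action and flags of a schtasks /Create line; None otherwise."""
    toks = tokenize(cmdline)
    if len(toks) < 2 or not toks[0].lower().endswith("schtasks.exe") or toks[1].lower() != "/create":
        return None
    opts, i = {}, 2
    while i < len(toks):
        key = toks[i].upper()
        if key in ("/SC", "/MO", "/TN", "/TR") and i + 1 < len(toks):
            opts[key] = toks[i + 1]
            i += 2
        else:
            opts[key] = True          # bare switch such as /F
            i += 1
    minutes = None
    if str(opts.get("/SC", "")).upper() == "MINUTE":
        minutes = int(opts.get("/MO", "1"))
    return {"task_name": opts.get("/TN"), "action": opts.get("/TR"),
            "schedule": opts.get("/SC"), "interval_minutes": minutes, "force": "/F" in opts}


def persistence_findings(task):
    """What a reviewer would call out on the parsed task."""
    flags = []
    if task["interval_minutes"] is not None and task["interval_minutes"] <= 5:
        flags.append("re-launched every %d minute(s)" % task["interval_minutes"])
    if "\\appdata\\local\\temp\\" in (task["action"] or "").lower():
        flags.append("action runs from %TEMP%")
    if task["force"]:
        flags.append("/F overwrites an existing task of the same name")
    return flags


def parse_cacls_chain(cmdline):
    """Split a cmd.exe '&&' chain and pull out every CACLS /P operation in order."""
    ops = []
    for segment in cmdline.split("&&"):
        m = _CACLS_RE.search(segment)
        if m:
            ops.append({"target": m["target"], "user": m["user"],
                        "perm": m["perm"].upper(), "edit": bool(m["edit"])})
    return ops


def effective_acl(ops):
    """Replay the operations: /P without /E replaces the target's ACL outright,
    /P with /E edits it in place. Returns {target: {user: permission}}."""
    acl = {}
    for op in ops:
        entry = acl.setdefault(op["target"], {})
        if not op["edit"]:
            entry.clear()
        entry[op["user"]] = op["perm"]
    return acl
```

For the command lines above, effective_acl ends with Admin holding only R (read) on both pdates.exe and its parent directory: the interactive user can still run the binary but can no longer delete or overwrite it without first taking ownership or using an elevated token.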
Network
| Country | Destination | Domain | Proto |
| FI | 77.91.68.61:80 | N/A | tcp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| FI | 77.91.68.68:19071 | N/A | tcp |
| FI | 77.91.68.68:19071 | N/A | tcp |
| FI | 77.91.68.61:80 | N/A | tcp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| FI | 77.91.68.68:19071 | N/A | tcp |
| FI | 77.91.68.61:80 | N/A | tcp |
| FI | 77.91.68.68:19071 | N/A | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| FI | 77.91.68.68:19071 | N/A | tcp |
| FI | 77.91.68.68:19071 | N/A | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4707813.exe
| MD5 | 8f60ba120e19ad8816b6be6fba6df1c8 |
| SHA1 | cfce501aefdaf27580c3c267c18dc40d388fe9f8 |
| SHA256 | 18c735c8cb1cefb78e97a96795b953e64ace0111065000dcc15624852066d0e5 |
| SHA512 | 9e3cae60814cdb4ad60e9fb8ccf39d9ad0d9cc2750683c4c6e3da9551f645e0f3d8bd9ce9c551b7ddc9d79c60b2911dee5981a297a9fad36d769d1d924238559 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g6769642.exe
| MD5 | aea234064483f651010cf9d981f59fea |
| SHA1 | 002ad73a666d2d92d0c6d6b617e61c6fa0c5f3a6 |
| SHA256 | 58b02c8b4bc2bf7f5f1e8e45d7c206956f188ae56b648922ca75987b999db503 |
| SHA512 | eae415ef55aeb1b4548c2422a72e618fce17c2c1322918d33dc6b9202a01c743a5684ba28e5d83b6cdb2b703bc12569e6bb0e87ef2decb4e8a18592e1380a434 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h6299789.exe
| MD5 | 7e93bacbbc33e6652e147e7fe07572a0 |
| SHA1 | 421a7167da01c8da4dc4d5234ca3dd84e319e762 |
| SHA256 | 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38 |
| SHA512 | 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91 |
memory/2516-27-0x0000000000670000-0x000000000067A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j7773066.exe
| MD5 | 03486d7d10f8be93fb55a5a125d79353 |
| SHA1 | 1926c46e2a3ba3f22d2b9a3ec6ff8314bd0d9527 |
| SHA256 | ae95cc3dad2258838bab37078d58f17b2cad2b6a60c313168261a564185745bc |
| SHA512 | 8e380b3e029485f352fc97c51cc1a3d0de69fb7ea83112449390ff0959752849fde05abd72b8439a487a1e3e7d06980bdc90066387fe5d349c7a700e67db335b |
memory/4896-32-0x0000000000420000-0x0000000000450000-memory.dmp
memory/4896-33-0x00000000025D0000-0x00000000025D6000-memory.dmp
memory/4896-34-0x000000000A7B0000-0x000000000ADC8000-memory.dmp
memory/4896-35-0x000000000A2A0000-0x000000000A3AA000-memory.dmp
memory/4896-36-0x000000000A1D0000-0x000000000A1E2000-memory.dmp
memory/4896-37-0x000000000A230000-0x000000000A26C000-memory.dmp
memory/4896-38-0x0000000004720000-0x000000000476C000-memory.dmp
Analysis: behavioral26
Detonation Overview
Submitted
2024-05-10 12:30
Reported
2024-05-10 12:33
Platform
win10v2004-20240226-en
Max time kernel
160s
Max time network
173s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com (2 hits) | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 648 set thread context of 2916 | N/A | C:\Users\Admin\AppData\Local\Temp\e800205bb9a5d3866d735915080e828250891d7d9c930245afd8def35dd08dfd.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\e800205bb9a5d3866d735915080e828250891d7d9c930245afd8def35dd08dfd.exe
"C:\Users\Admin\AppData\Local\Temp\e800205bb9a5d3866d735915080e828250891d7d9c930245afd8def35dd08dfd.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 648 -ip 648
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5972 --field-trial-handle=2256,i,6670388345726423024,18382795228658886258,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 20.231.121.79:80 | N/A | tcp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 142.53.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| GB | 172.217.16.234:443 | chromewebstore.googleapis.com | tcp |
| US | 8.8.8.8:53 | 234.16.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.16.208.104.in-addr.arpa | udp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | 235.3.20.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
Files
memory/648-0-0x0000000000E76000-0x0000000000E77000-memory.dmp
memory/2916-1-0x0000000000400000-0x0000000000422000-memory.dmp
memory/2916-2-0x00000000741DE000-0x00000000741DF000-memory.dmp
memory/2916-3-0x00000000741DE000-0x00000000741DF000-memory.dmp
memory/2916-4-0x00000000053B0000-0x0000000005416000-memory.dmp
memory/2916-5-0x0000000005D40000-0x0000000006358000-memory.dmp
memory/2916-6-0x00000000050F0000-0x0000000005102000-memory.dmp
memory/2916-7-0x0000000005830000-0x000000000593A000-memory.dmp
memory/2916-8-0x00000000741D0000-0x0000000074980000-memory.dmp
memory/2916-9-0x00000000741D0000-0x0000000074980000-memory.dmp
memory/2916-10-0x00000000065A0000-0x00000000065DC000-memory.dmp
memory/2916-11-0x00000000065E0000-0x000000000662C000-memory.dmp
Analysis: behavioral25
Detonation Overview
Submitted
2024-05-10 12:30
Reported
2024-05-10 12:33
Platform
win7-20240508-en
Max time kernel
120s
Max time network
121s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\e800205bb9a5d3866d735915080e828250891d7d9c930245afd8def35dd08dfd.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2740 wrote to memory of 2792 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\e800205bb9a5d3866d735915080e828250891d7d9c930245afd8def35dd08dfd.exe | C:\Windows\SysWOW64\WerFault.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\e800205bb9a5d3866d735915080e828250891d7d9c930245afd8def35dd08dfd.exe
"C:\Users\Admin\AppData\Local\Temp\e800205bb9a5d3866d735915080e828250891d7d9c930245afd8def35dd08dfd.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2740 -s 116
Network
Files
memory/2740-0-0x0000000000B36000-0x0000000000B37000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-10 12:30
Reported
2024-05-10 12:33
Platform
win7-20240508-en
Max time kernel
122s
Max time network
124s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\1d90edda9fc0271748934c0813b8946478823a33b5892d1be2ddf3d383fbc851.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1196 wrote to memory of 2936 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\1d90edda9fc0271748934c0813b8946478823a33b5892d1be2ddf3d383fbc851.exe | C:\Windows\SysWOW64\WerFault.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\1d90edda9fc0271748934c0813b8946478823a33b5892d1be2ddf3d383fbc851.exe
"C:\Users\Admin\AppData\Local\Temp\1d90edda9fc0271748934c0813b8946478823a33b5892d1be2ddf3d383fbc851.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1196 -s 92
Network
Files
memory/1196-0-0x00000000002F9000-0x00000000002FA000-memory.dmp
Analysis: behavioral8
Detonation Overview
Submitted
2024-05-10 12:30
Reported
2024-05-10 12:33
Platform
win10v2004-20240426-en
Max time kernel
148s
Max time network
151s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com (4 hits) | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3404 set thread context of 952 | N/A | C:\Users\Admin\AppData\Local\Temp\5a4570005d13d7c9c706dbdc0cc5ee5b8dfd33f7be6a6204a95d2134e3a483a4.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\5a4570005d13d7c9c706dbdc0cc5ee5b8dfd33f7be6a6204a95d2134e3a483a4.exe
"C:\Users\Admin\AppData\Local\Temp\5a4570005d13d7c9c706dbdc0cc5ee5b8dfd33f7be6a6204a95d2134e3a483a4.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.19.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| NL | 52.142.223.178:80 | N/A | tcp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.99:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| NL | 23.62.61.99:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 99.61.62.23.in-addr.arpa | udp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
Files
memory/3404-0-0x0000000000BD0000-0x0000000000BD1000-memory.dmp
memory/3404-2-0x0000000000BD0000-0x0000000000BD1000-memory.dmp
memory/952-1-0x0000000000400000-0x0000000000422000-memory.dmp
memory/952-3-0x000000007429E000-0x000000007429F000-memory.dmp
memory/952-4-0x0000000005230000-0x0000000005296000-memory.dmp
memory/952-5-0x0000000005D00000-0x0000000006318000-memory.dmp
memory/952-6-0x0000000005790000-0x00000000057A2000-memory.dmp
memory/952-7-0x00000000058C0000-0x00000000059CA000-memory.dmp
memory/952-8-0x0000000074290000-0x0000000074A40000-memory.dmp
memory/952-9-0x000000007429E000-0x000000007429F000-memory.dmp
memory/952-10-0x0000000074290000-0x0000000074A40000-memory.dmp
Analysis: behavioral13
Detonation Overview
Submitted
2024-05-10 12:30
Reported
2024-05-10 12:33
Platform
win10v2004-20240226-en
Max time kernel
162s
Max time network
170s
Command Line
Signatures
Lumma Stealer
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 5004 set thread context of 3768 | N/A | C:\Users\Admin\AppData\Local\Temp\77cbabe9fe3b8b9ac3422f2b29fbcb0cdb9ee85c7b64b2bde48da25f6ef608cf.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Suspicious use of WriteProcessMemory
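The same pattern recurs in behavioral16, behavioral26, behavioral8 and this detonation: a dropper running from %TEMP% starts C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe with no arguments, writes to it and calls SetThreadContext on it, after which the RegAsm instance enumerates processes, takes SeDebugPrivilege and does the network traffic. That is process hollowing (ATT&CK T1055.012): RegAsm.exe started with no arguments would normally print usage and exit, so a long-lived argument-less instance is itself a tell, and the memory dumps listed under Files for the child (the 0x400000 image region, 0x400000-0x422000 for the RedLine runs and 0x400000-0x44E000 here) are the unpacked payload the family YARA rules fire on, not the dropper on disk. Note also that every Win7 detonation of these files (behavioral12, behavioral15, behavioral25, behavioral2) ends in a WerFault crash with no child process and no network activity, so the behavioural verdicts rest on the Win10 runs alone. The correlation below is an added example, not a sandbox rule; the host list and the PID-to-command-line map it takes are assumptions (the report prints command lines without PIDs), and the rows it feeds on are copied from the SetThreadContext tables of behavioral16 and behavioral13 plus one constructed benign row.

```python
"""Correlate 'set thread context' rows with the process paths involved to flag
process hollowing of a Windows-resident host binary (ATT&CK T1055.012)."""
import re
from pathlib import PureWindowsPath

# Signed, argument-tolerant .NET hosts that commodity loaders hollow.
# Editor's list, not from the report; RegAsm.exe is the one seen here.
HOLLOW_HOSTS = {"regasm.exe", "regsvcs.exe", "installutil.exe", "msbuild.exe",
                "aspnet_compiler.exe", "applaunch.exe", "vbc.exe", "csc.exe"}
# Locations a non-admin user (or a just-downloaded dropper) can write to.
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

_CTX_RE = re.compile(r"PID (?P<src>\d+) set thread context of (?P<dst>\d+)")
_TOKEN_RE = re.compile(r'"[^"]*"|\S+')

# (description, process, target) rows copied from the SetThreadContext tables
# of behavioral16 and behavioral13, plus one constructed benign row.
SAMPLE_ROWS = [
    ("PID 3592 set thread context of 2740",
     r"C:\Users\Admin\AppData\Local\Temp\8db3c27c31541a43d1adeae01ca7caf3f0c8d6e3733168917ea04d58d7e4a488.exe",
     r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"),
    ("PID 5004 set thread context of 3768",
     r"C:\Users\Admin\AppData\Local\Temp\77cbabe9fe3b8b9ac3422f2b29fbcb0cdb9ee85c7b64b2bde48da25f6ef608cf.exe",
     r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"),
    ("PID 1200 set thread context of 1208",                       # constructed: a debugger
     r"C:\Program Files\Debugger\dbg.exe", r"C:\Program Files\Debugger\target.exe"),
]


def is_hollow_host(path):
    """A known host binary, and the copy under C:\\Windows (not a renamed drop)."""
    p = PureWindowsPath(path)
    return p.name.lower() in HOLLOW_HOSTS and str(p).lower().startswith("c:\\windows\\")


def from_user_writable(path):
    return path.lower().startswith(USER_WRITABLE)


def launched_without_args(cmdline):
    """The hosts above exit at once when run with no arguments, so an
    argument-less instance that keeps running is suspicious on its own."""
    return len(_TOKEN_RE.findall(cmdline)) == 1


def find_hollowing(rows, cmdlines=None):
    """rows: (description, process, target); cmdlines: assumed {pid: command line}
    map for the child processes, used only for the no-argument check."""
    cmdlines = cmdlines or {}
    hits = []
    for desc, process, target in rows:
        m = _CTX_RE.search(desc)
        if not m or not (from_user_writable(process) and is_hollow_host(target)):
            continue
        child = int(m["dst"])
        child_cmd = cmdlines.get(child)
        hits.append({"parent_pid": int(m["src"]), "child_pid": child,
                     "parent": process, "host": PureWindowsPath(target).name,
                     "argless_host": launched_without_args(child_cmd) if child_cmd else None,
                     "technique": "T1055.012"})
    return hits
```

A SetThreadContext call by itself is not malicious (debuggers and some installers use it), which is why the rule requires all three pieces together: a parent in a user-writable path, a child that is a known hollowing host under C:\Windows, and, where the command line is available, a child started with no arguments.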
Processes
C:\Users\Admin\AppData\Local\Temp\77cbabe9fe3b8b9ac3422f2b29fbcb0cdb9ee85c7b64b2bde48da25f6ef608cf.exe
"C:\Users\Admin\AppData\Local\Temp\77cbabe9fe3b8b9ac3422f2b29fbcb0cdb9ee85c7b64b2bde48da25f6ef608cf.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 5004 -ip 5004
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3724 --field-trial-handle=2252,i,16504368816373493055,9578615028378602855,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 13.107.253.64:443 | N/A | tcp |
| US | 8.8.8.8:53 | 239.249.30.184.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | plasterdaughejsijuk.shop | udp |
| US | 188.114.96.2:443 | plasterdaughejsijuk.shop | tcp |
| US | 8.8.8.8:53 | 2.96.114.188.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | productivelookewr.shop | udp |
| US | 104.21.11.250:443 | productivelookewr.shop | tcp |
| US | 8.8.8.8:53 | tolerateilusidjukl.shop | udp |
| US | 172.67.147.41:443 | tolerateilusidjukl.shop | tcp |
| US | 8.8.8.8:53 | shatterbreathepsw.shop | udp |
| US | 172.67.169.43:443 | shatterbreathepsw.shop | tcp |
| US | 8.8.8.8:53 | shortsvelventysjo.shop | udp |
| US | 188.114.97.2:443 | shortsvelventysjo.shop | tcp |
| US | 8.8.8.8:53 | 250.11.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.147.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.169.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | incredibleextedwj.shop | udp |
| US | 172.67.218.63:443 | incredibleextedwj.shop | tcp |
| US | 8.8.8.8:53 | alcojoldwograpciw.shop | udp |
| US | 104.21.48.243:443 | alcojoldwograpciw.shop | tcp |
| US | 8.8.8.8:53 | liabilitynighstjsko.shop | udp |
| US | 188.114.97.2:443 | liabilitynighstjsko.shop | tcp |
| US | 8.8.8.8:53 | 63.218.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.97.114.188.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 243.48.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 142.53.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | demonstationfukewko.shop | udp |
| US | 104.21.33.174:443 | demonstationfukewko.shop | tcp |
| US | 8.8.8.8:53 | 174.33.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 214.143.182.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | udp | |
| US | 8.8.8.8:53 | udp | |
| N/A | 13.107.42.16:443 | tcp |
Files
Analysis: behavioral15
Detonation Overview
Submitted
2024-05-10 12:30
Reported
2024-05-10 12:33
Platform
win7-20240215-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\8db3c27c31541a43d1adeae01ca7caf3f0c8d6e3733168917ea04d58d7e4a488.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2592 wrote to memory of 2496 | N/A | C:\Users\Admin\AppData\Local\Temp\8db3c27c31541a43d1adeae01ca7caf3f0c8d6e3733168917ea04d58d7e4a488.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2592 wrote to memory of 2496 | N/A | C:\Users\Admin\AppData\Local\Temp\8db3c27c31541a43d1adeae01ca7caf3f0c8d6e3733168917ea04d58d7e4a488.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2592 wrote to memory of 2496 | N/A | C:\Users\Admin\AppData\Local\Temp\8db3c27c31541a43d1adeae01ca7caf3f0c8d6e3733168917ea04d58d7e4a488.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2592 wrote to memory of 2496 | N/A | C:\Users\Admin\AppData\Local\Temp\8db3c27c31541a43d1adeae01ca7caf3f0c8d6e3733168917ea04d58d7e4a488.exe | C:\Windows\SysWOW64\WerFault.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\8db3c27c31541a43d1adeae01ca7caf3f0c8d6e3733168917ea04d58d7e4a488.exe
"C:\Users\Admin\AppData\Local\Temp\8db3c27c31541a43d1adeae01ca7caf3f0c8d6e3733168917ea04d58d7e4a488.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2592 -s 52
Network
Files
Analysis: behavioral22
Detonation Overview
Submitted
2024-05-10 12:30
Reported
2024-05-10 12:33
Platform
win10v2004-20240426-en
Max time kernel
142s
Max time network
151s
Command Line
Signatures
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k8000827.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k8000827.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k8000827.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k8000827.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k8000827.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k8000827.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8792484.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y3682092.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k8000827.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l8276002.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k8000827.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k8000827.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\ca6d56a637f121ee6406def5cf89663c3e54b2e175e98d4469fb3e3a46e190da.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8792484.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y3682092.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k8000827.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k8000827.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k8000827.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ca6d56a637f121ee6406def5cf89663c3e54b2e175e98d4469fb3e3a46e190da.exe
"C:\Users\Admin\AppData\Local\Temp\ca6d56a637f121ee6406def5cf89663c3e54b2e175e98d4469fb3e3a46e190da.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8792484.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8792484.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y3682092.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y3682092.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k8000827.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k8000827.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l8276002.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l8276002.exe
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start wuauserv
Network
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8792484.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y3682092.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k8000827.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l8276002.exe
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\System.dll.log
Analysis: behavioral23
Detonation Overview
Submitted
2024-05-10 12:30
Reported
2024-05-10 12:33
Platform
win7-20240221-en
Max time kernel
147s
Max time network
151s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\db14966ca75480a4e8f9f3d18c7bada2f205a1ac7404dbeda068279afa55b1cb.exe
"C:\Users\Admin\AppData\Local\Temp\db14966ca75480a4e8f9f3d18c7bada2f205a1ac7404dbeda068279afa55b1cb.exe"
Network
Files
Analysis: behavioral11
Detonation Overview
Submitted
2024-05-10 12:30
Reported
2024-05-10 12:33
Platform
win10v2004-20240508-en
Max time kernel
140s
Max time network
151s
Command Line
Signatures
Amadey
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7507750.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7507750.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7507750.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7507750.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7507750.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7507750.exe | N/A |
SmokeLoader
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b3281386.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4192759.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7507750.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b3281386.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c8559996.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7507750.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\6d684b37ca877d403cebced125fab4f36a37e290840da5678e0d43fd35796a5c.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4192759.exe | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c8559996.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c8559996.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c8559996.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7507750.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7507750.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7507750.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\6d684b37ca877d403cebced125fab4f36a37e290840da5678e0d43fd35796a5c.exe
"C:\Users\Admin\AppData\Local\Temp\6d684b37ca877d403cebced125fab4f36a37e290840da5678e0d43fd35796a5c.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4192759.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4192759.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7507750.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7507750.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4240,i,18168883380598738769,14202261231630113808,262144 --variations-seed-version --mojo-platform-channel-handle=1304 /prefetch:8
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b3281386.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b3281386.exe
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
"C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c8559996.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c8559996.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN danke.exe /TR "C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "danke.exe" /P "Admin:N"&&CACLS "danke.exe" /P "Admin:R" /E&&echo Y|CACLS "..\3ec1f323b5" /P "Admin:N"&&CACLS "..\3ec1f323b5" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "danke.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "danke.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\3ec1f323b5" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\3ec1f323b5" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
Network
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4192759.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7507750.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b3281386.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c8559996.exe
Analysis: behavioral6
Detonation Overview
Submitted
2024-05-10 12:30
Reported
2024-05-10 12:33
Platform
win10v2004-20240426-en
Max time kernel
147s
Max time network
153s
Command Line
Signatures
Amadey
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4362728.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4362728.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4362728.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4362728.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4362728.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4362728.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l2300210.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7041233.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4362728.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l2300210.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n4310013.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4362728.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\559234fc528754d07d788aa5eff30aba166a9bab82e9eda45a9737647b0e9fe2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7041233.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4362728.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4362728.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4362728.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\559234fc528754d07d788aa5eff30aba166a9bab82e9eda45a9737647b0e9fe2.exe
"C:\Users\Admin\AppData\Local\Temp\559234fc528754d07d788aa5eff30aba166a9bab82e9eda45a9737647b0e9fe2.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7041233.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7041233.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4362728.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4362728.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l2300210.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l2300210.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
"C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n4310013.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n4310013.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN pdates.exe /TR "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "pdates.exe" /P "Admin:N"&&CACLS "pdates.exe" /P "Admin:R" /E&&echo Y|CACLS "..\925e7e99c5" /P "Admin:N"&&CACLS "..\925e7e99c5" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "pdates.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "pdates.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\925e7e99c5" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\925e7e99c5" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
Network
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7041233.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4362728.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l2300210.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n4310013.exe
Analysis: behavioral10
Detonation Overview
Submitted
2024-05-10 12:30
Reported
2024-05-10 12:33
Platform
win10v2004-20240426-en
Max time kernel
136s
Max time network
144s
Command Line
Signatures
Detects Healer an antivirus disabler dropper
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a2651355.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a2651355.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b7896309.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a2651355.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a2651355.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b7896309.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b7896309.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b7896309.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b7896309.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b7896309.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a2651355.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a2651355.exe | N/A |
RedLine
RedLine payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9063373.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6210097.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9238337.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3931201.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a2651355.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b7896309.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c4075312.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a2651355.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a2651355.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b7896309.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\67045db9602c0bb02004555fcae5f1c816ba6ebea367c933be035b042c153501.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9063373.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6210097.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9238337.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3931201.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a2651355.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a2651355.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b7896309.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b7896309.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a2651355.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b7896309.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\67045db9602c0bb02004555fcae5f1c816ba6ebea367c933be035b042c153501.exe
"C:\Users\Admin\AppData\Local\Temp\67045db9602c0bb02004555fcae5f1c816ba6ebea367c933be035b042c153501.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9063373.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9063373.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6210097.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6210097.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9238337.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9238337.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3931201.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3931201.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a2651355.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a2651355.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b7896309.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b7896309.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c4075312.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c4075312.exe
Network
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9063373.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6210097.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9238337.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3931201.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a2651355.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b7896309.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c4075312.exe
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\System.dll.log
Analysis: behavioral17
Detonation Overview
Submitted
2024-05-10 12:30
Reported
2024-05-10 12:33
Platform
win10v2004-20240426-en
Max time kernel
149s
Max time network
152s
Command Line
Signatures
Amadey
Detects Healer an antivirus disabler dropper
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7534464.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7534464.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7534464.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7534464.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7534464.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7534464.exe | N/A |
RedLine
RedLine payload
SmokeLoader
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b3015164.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6653264.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2222652.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7534464.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b3015164.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c4556430.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d1853109.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7534464.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\b72cfb25178ac78d0dfae350873df231a1f4266a913f47acc5018b87cae84bdf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6653264.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2222652.exe | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c4556430.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c4556430.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c4556430.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7534464.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7534464.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7534464.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\b72cfb25178ac78d0dfae350873df231a1f4266a913f47acc5018b87cae84bdf.exe
"C:\Users\Admin\AppData\Local\Temp\b72cfb25178ac78d0dfae350873df231a1f4266a913f47acc5018b87cae84bdf.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6653264.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6653264.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2222652.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2222652.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7534464.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7534464.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b3015164.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b3015164.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
"C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe"
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c4556430.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c4556430.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN pdates.exe /TR "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "pdates.exe" /P "Admin:N"&&CACLS "pdates.exe" /P "Admin:R" /E&&echo Y|CACLS "..\925e7e99c5" /P "Admin:N"&&CACLS "..\925e7e99c5" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "pdates.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "pdates.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\925e7e99c5" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\925e7e99c5" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d1853109.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d1853109.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
Network
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6653264.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2222652.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7534464.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b3015164.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c4556430.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d1853109.exe
Analysis: behavioral27
Detonation Overview
Submitted
2024-05-10 12:30
Reported
2024-05-10 12:33
Platform
win10v2004-20240508-en
Max time kernel
146s
Max time network
154s
Command Line
Signatures
Amadey
Detects Healer an antivirus disabler dropper
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6513102.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6513102.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6513102.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6513102.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6513102.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6513102.exe | N/A |
RedLine
RedLine payload
SmokeLoader
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b1736941.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9071750.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1399127.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6513102.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b1736941.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c2251742.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d4275669.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6513102.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\f8a2da44f9c18482323d9e1ed99567d3a35b95656bc1b023d86e12f305565c41.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9071750.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1399127.exe | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c2251742.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c2251742.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c2251742.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6513102.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6513102.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6513102.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\f8a2da44f9c18482323d9e1ed99567d3a35b95656bc1b023d86e12f305565c41.exe
"C:\Users\Admin\AppData\Local\Temp\f8a2da44f9c18482323d9e1ed99567d3a35b95656bc1b023d86e12f305565c41.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9071750.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9071750.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1399127.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1399127.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6513102.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6513102.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b1736941.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b1736941.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
"C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe"
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c2251742.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c2251742.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN pdates.exe /TR "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "pdates.exe" /P "Admin:N"&&CACLS "pdates.exe" /P "Admin:R" /E&&echo Y|CACLS "..\925e7e99c5" /P "Admin:N"&&CACLS "..\925e7e99c5" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "pdates.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "pdates.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\925e7e99c5" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\925e7e99c5" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d4275669.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d4275669.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.99:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| NL | 23.62.61.160:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 160.61.62.23.in-addr.arpa | udp |
| FI | 77.91.68.61:80 | N/A | tcp |
| FI | 77.91.124.84:19071 | N/A | tcp |
| FI | 77.91.68.61:80 | N/A | tcp |
| FI | 77.91.124.84:19071 | N/A | tcp |
| IE | 52.111.236.23:443 | N/A | tcp |
| FI | 77.91.68.61:80 | N/A | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| FI | 77.91.124.84:19071 | N/A | tcp |
| FI | 77.91.124.84:19071 | N/A | tcp |
| FI | 77.91.124.84:19071 | N/A | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9071750.exe
| MD5 | 88bee46f431c014c1e45417f6b13e124 |
| SHA1 | 07588e0723944e251a6a2d9db4ed8e45d5f563f1 |
| SHA256 | f4dfc88066f344cec64c3c5076b4e1e051af9f333c455aa2f96daacc1d732999 |
| SHA512 | 5a0c53df34632e2d21c12e572460d54bfe7de21035d44bc36764ed3c6410d661ee50c758366cc8b86c2447b54efab7c41479fb04468afee6b70b9cbbaf55e79e |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1399127.exe
| MD5 | 8f620f99bbeba489fc4bddc2af02f9b8 |
| SHA1 | 2e97752a24581dd229306cfad5763cf82f9c4f96 |
| SHA256 | 26a1717813eedfd0569c474064d1e14eeba61b97bb26866c53a19428a448a3f5 |
| SHA512 | b5065ed02a3bdcb68461265bb56f9173a7f9a1c75d12cf1ae53c43224cf2aada5586a4ee122779d7c83b8e8130cc6a980080cd03c2cc751ce19ac5ea3b2caa03 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6513102.exe
| MD5 | 12803f40ef0b813626de6e5eb0ec05b2 |
| SHA1 | 27e32adac36ba9f4d54ecbf53e112158d4e988b5 |
| SHA256 | d320fcef46ae85d5f06133a3b8d4f5a7d2dff0886a86d981f3186f464fbb7abb |
| SHA512 | 84d7c28b03fdceb94e00fbcc838f203f6cd9e091b67b7ea8dad577a529a0d96eecf3b246a8548c9b7bef1e063aa96525f6b2148b5d0bb79b32a3415e9f151e0a |
memory/2912-21-0x00007FFB9ED43000-0x00007FFB9ED45000-memory.dmp
memory/2912-22-0x0000000000F70000-0x0000000000F7A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b1736941.exe
| MD5 | 2b7ed1055ddd27afe675dd11da92357a |
| SHA1 | 3809cb22cbdda5ba5707892163217563020df5ca |
| SHA256 | 9d69e620d8bb7cb24c7d4831312351d09872badc8331594ce05afe46ff56ab3d |
| SHA512 | 549602e7e10ae1b006fafe9d6c1c09d35280a3af8815157dfa9b7664f16bf1682cc782585a24202dd150955073b5e648f0ad8a39add3f95ceeb51a5eb26fc641 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c2251742.exe
| MD5 | 88331cf94b56745070654ca04d4c7d98 |
| SHA1 | 248ac76afce09c34082bad3fbd01ce73e4056f65 |
| SHA256 | 32e850a828611bdf20e34f0ac6c397507ff4b140c2b13732b5bf389249693334 |
| SHA512 | a3173aaeb138cb46f951d1e6b103a424c91ee05b416cdc9080e3ac5ba6db33dd0431d1ba0b8228b379f6ea6631b5c6622a4875459ce1105a0b959722e7717f96 |
memory/2920-40-0x0000000000400000-0x0000000000409000-memory.dmp
memory/2920-41-0x0000000000400000-0x0000000000409000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d4275669.exe
| MD5 | 35c0945f8c70c870c070eb2261d6bc04 |
| SHA1 | bfc1ffae759330be5a50c22829fb342bfc644aab |
| SHA256 | e296c73bc0d4abe0e58a2200d0c1839c210debd4deb8b26aa83abc5a2f0aaa1d |
| SHA512 | 8c9e5e646dfcd6b592d516524128d34af326c55a153d77d240ddbe6f418f01be473231e78a1707d72b0fbe3ad367085fc76ff329d8d80515ac07288b5eda73b7 |
memory/4016-45-0x00000000005D0000-0x0000000000600000-memory.dmp
memory/4016-46-0x0000000000EC0000-0x0000000000EC6000-memory.dmp
memory/4016-47-0x000000000AA10000-0x000000000B028000-memory.dmp
memory/4016-48-0x000000000A580000-0x000000000A68A000-memory.dmp
memory/4016-49-0x000000000A4C0000-0x000000000A4D2000-memory.dmp
memory/4016-50-0x000000000A520000-0x000000000A55C000-memory.dmp
memory/4016-51-0x0000000004A50000-0x0000000004A9C000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-05-10 12:30
Reported
2024-05-10 12:33
Platform
win10v2004-20240508-en
Max time kernel
148s
Max time network
151s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4776 set thread context of 1512 | N/A | C:\Users\Admin\AppData\Local\Temp\1d90edda9fc0271748934c0813b8946478823a33b5892d1be2ddf3d383fbc851.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\1d90edda9fc0271748934c0813b8946478823a33b5892d1be2ddf3d383fbc851.exe
"C:\Users\Admin\AppData\Local\Temp\1d90edda9fc0271748934c0813b8946478823a33b5892d1be2ddf3d383fbc851.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | 235.4.20.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.160:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 160.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | 95.16.208.104.in-addr.arpa | udp |
Files
memory/1512-0-0x0000000000400000-0x0000000000422000-memory.dmp
memory/4776-1-0x0000000000B99000-0x0000000000B9A000-memory.dmp
memory/1512-2-0x0000000074DAE000-0x0000000074DAF000-memory.dmp
memory/1512-3-0x00000000054F0000-0x0000000005556000-memory.dmp
memory/1512-4-0x0000000006000000-0x0000000006618000-memory.dmp
memory/1512-5-0x0000000005A50000-0x0000000005A62000-memory.dmp
memory/1512-6-0x0000000005B80000-0x0000000005C8A000-memory.dmp
memory/1512-7-0x0000000074DA0000-0x0000000075550000-memory.dmp
memory/1512-8-0x0000000074DAE000-0x0000000074DAF000-memory.dmp
memory/1512-9-0x0000000074DA0000-0x0000000075550000-memory.dmp
Analysis: behavioral5
Detonation Overview
Submitted
2024-05-10 12:30
Reported
2024-05-10 12:33
Platform
win10v2004-20240508-en
Max time kernel
142s
Max time network
156s
Command Line
Signatures
Amadey
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7008015.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7008015.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7008015.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7008015.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7008015.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7008015.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
SmokeLoader
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b7865879.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5770759.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1936485.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7008015.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b7865879.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c5034781.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d3489522.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7008015.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\1ed736973ca7eb70129cafb36c292298f34a8a710160e69aeec7ad93760ed83e.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5770759.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1936485.exe | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c5034781.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c5034781.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c5034781.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7008015.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7008015.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7008015.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\1ed736973ca7eb70129cafb36c292298f34a8a710160e69aeec7ad93760ed83e.exe
"C:\Users\Admin\AppData\Local\Temp\1ed736973ca7eb70129cafb36c292298f34a8a710160e69aeec7ad93760ed83e.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5770759.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5770759.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1936485.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1936485.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7008015.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7008015.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b7865879.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b7865879.exe
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
"C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe"
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c5034781.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c5034781.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d3489522.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d3489522.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN danke.exe /TR "C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "danke.exe" /P "Admin:N"&&CACLS "danke.exe" /P "Admin:R" /E&&echo Y|CACLS "..\3ec1f323b5" /P "Admin:N"&&CACLS "..\3ec1f323b5" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "danke.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "danke.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\3ec1f323b5" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\3ec1f323b5" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| NL | 23.62.61.113:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 113.61.62.23.in-addr.arpa | udp |
| FI | 77.91.68.3:80 | N/A | tcp |
| FI | 77.91.68.56:19071 | N/A | tcp |
| FI | 77.91.68.56:19071 | N/A | tcp |
| FI | 77.91.68.3:80 | N/A | tcp |
| FI | 77.91.68.56:19071 | N/A | tcp |
| FI | 77.91.68.3:80 | N/A | tcp |
| FI | 77.91.68.56:19071 | N/A | tcp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| FI | 77.91.68.3:80 | N/A | tcp |
| FI | 77.91.68.56:19071 | N/A | tcp |
| FI | 77.91.68.3:80 | N/A | tcp |
| FI | 77.91.68.56:19071 | N/A | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5770759.exe
| MD5 | e5fee7b57e9630eb6cbe1861cb6d1a82 |
| SHA1 | de69d6c77a4db78be5c7239199528da46bd4a9b9 |
| SHA256 | e7da30afc9870af8478dffe8cb7c3517dbcd725d83d3c9e7435cc5bcfaa1a76d |
| SHA512 | c7af1fd9383094548929920e18b2adeb6d07fded702fc748f557d913ad8521c666e419aee611d994ec94154830967e39d797a98ba0cd18ab10548ce85f6a02ba |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1936485.exe
| MD5 | b3f0cfa1b2d4fab75074fe1a7b426ebb |
| SHA1 | 61d950a5d649826b8b646453df4398cdd56189b9 |
| SHA256 | 0bd882b9fd1549e5b281cbaa19a8a2a2952a03219737db0af5cadf4e817c0561 |
| SHA512 | 0141c9f835859df5fa0d8a04d010482961a693bada72d57e60677ee84b79bc86e59b523b3a4f9168fb240a815d9f80fbba05cc0d5f5a7f7d0415d0eabef699d0 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7008015.exe
| MD5 | c9767fb557c8496da35f32149019f254 |
| SHA1 | dc206616148aad4e06dd3fb380d34b4ba15a9c6d |
| SHA256 | d039e2510d33b0cca9b9d06c2be8152c5e126660c7860649dd966e1a7b375e9c |
| SHA512 | f9c225248b0a8f9766b936694f71b347a0f006110928d26717d886d6b78f1b9ea3b3518a3123004cb20c4d4ffa5eb394bd169641163b297046a967f1ac9c4445 |
memory/1776-21-0x00007FFAC0A83000-0x00007FFAC0A85000-memory.dmp
memory/1776-22-0x0000000000830000-0x000000000083A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b7865879.exe
| MD5 | 9728e9852854da025b4314bd0fd3687c |
| SHA1 | 6a87c09c8e29b6ca1c336416088f12cce0c206f8 |
| SHA256 | 2c0f306d091f752e409e8bcbe20934ffa23430a90dea79c62aff27ee1b3035cf |
| SHA512 | 23df44bd9f5ae665f2d4c320603162b1d98b30b5610e99b5a9082843d76f0a6444e83e1c1792c2febf20d771b297777af8faa0403ba80f2f3f8b1c487abf7144 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c5034781.exe
| MD5 | c4c414d786976435cb8561c43d8dc57d |
| SHA1 | fd73133d3509d1a6982b000a75b9dbdc7769ec22 |
| SHA256 | 129a6c5e5a8d98619b5be3818dfde6bab9c5345171d9d8401b886fed0660817a |
| SHA512 | 744106f95b8f57ea59e2906a7cbaf2e1a172cee013be12f0752b3308c428f92f9824a2497f3fced82d9124d3ab52448d3b240889fdad26925e710aa47f67b028 |
memory/3148-40-0x0000000000400000-0x0000000000409000-memory.dmp
memory/3148-41-0x0000000000400000-0x0000000000409000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d3489522.exe
| MD5 | fd61776b34b5a58e732533da17d122d0 |
| SHA1 | 336015c059047a658ea57b6ebe49418d23a65593 |
| SHA256 | 64faeec435f51816cff0efdacc9e777d677400fd7a59bc1e037a24ec7ae7cb4b |
| SHA512 | afbd9465a721b8e447359c88451f9525ecc5f3aedf79be424b49d4a93d5921797854471257fb1f1ea7d967e56d54aec7b712773875f92fd4335e5a12afd4fc68 |
memory/372-45-0x0000000000D60000-0x0000000000D90000-memory.dmp
memory/372-46-0x0000000005680000-0x0000000005686000-memory.dmp
memory/372-47-0x0000000005CD0000-0x00000000062E8000-memory.dmp
memory/372-48-0x00000000057C0000-0x00000000058CA000-memory.dmp
memory/372-49-0x00000000056F0000-0x0000000005702000-memory.dmp
memory/372-50-0x0000000005750000-0x000000000578C000-memory.dmp
memory/372-51-0x00000000058D0000-0x000000000591C000-memory.dmp
Analysis: behavioral7
Detonation Overview
Submitted
2024-05-10 12:30
Reported
2024-05-10 12:33
Platform
win7-20231129-en
Max time kernel
118s
Max time network
120s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\5a4570005d13d7c9c706dbdc0cc5ee5b8dfd33f7be6a6204a95d2134e3a483a4.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2368 wrote to memory of 2204 | N/A | C:\Users\Admin\AppData\Local\Temp\5a4570005d13d7c9c706dbdc0cc5ee5b8dfd33f7be6a6204a95d2134e3a483a4.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2368 wrote to memory of 2204 | N/A | C:\Users\Admin\AppData\Local\Temp\5a4570005d13d7c9c706dbdc0cc5ee5b8dfd33f7be6a6204a95d2134e3a483a4.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2368 wrote to memory of 2204 | N/A | C:\Users\Admin\AppData\Local\Temp\5a4570005d13d7c9c706dbdc0cc5ee5b8dfd33f7be6a6204a95d2134e3a483a4.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2368 wrote to memory of 2204 | N/A | C:\Users\Admin\AppData\Local\Temp\5a4570005d13d7c9c706dbdc0cc5ee5b8dfd33f7be6a6204a95d2134e3a483a4.exe | C:\Windows\SysWOW64\WerFault.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\5a4570005d13d7c9c706dbdc0cc5ee5b8dfd33f7be6a6204a95d2134e3a483a4.exe
"C:\Users\Admin\AppData\Local\Temp\5a4570005d13d7c9c706dbdc0cc5ee5b8dfd33f7be6a6204a95d2134e3a483a4.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2368 -s 52
Network
Files
memory/2368-0-0x0000000000030000-0x0000000000031000-memory.dmp
memory/2368-1-0x0000000000030000-0x0000000000031000-memory.dmp
Analysis: behavioral28
Detonation Overview
Submitted
2024-05-10 12:30
Reported
2024-05-10 12:33
Platform
win7-20240221-en
Max time kernel
117s
Max time network
122s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\fc8b501a1823496ec4685f1c935710517b2ee5331f98bf10c5eb7b69350e59d3.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2484 wrote to memory of 2848 | N/A | C:\Users\Admin\AppData\Local\Temp\fc8b501a1823496ec4685f1c935710517b2ee5331f98bf10c5eb7b69350e59d3.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2484 wrote to memory of 2848 | N/A | C:\Users\Admin\AppData\Local\Temp\fc8b501a1823496ec4685f1c935710517b2ee5331f98bf10c5eb7b69350e59d3.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2484 wrote to memory of 2848 | N/A | C:\Users\Admin\AppData\Local\Temp\fc8b501a1823496ec4685f1c935710517b2ee5331f98bf10c5eb7b69350e59d3.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2484 wrote to memory of 2848 | N/A | C:\Users\Admin\AppData\Local\Temp\fc8b501a1823496ec4685f1c935710517b2ee5331f98bf10c5eb7b69350e59d3.exe | C:\Windows\SysWOW64\WerFault.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\fc8b501a1823496ec4685f1c935710517b2ee5331f98bf10c5eb7b69350e59d3.exe
"C:\Users\Admin\AppData\Local\Temp\fc8b501a1823496ec4685f1c935710517b2ee5331f98bf10c5eb7b69350e59d3.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2484 -s 116
Network
Files
memory/2484-0-0x0000000001409000-0x000000000140A000-memory.dmp
Analysis: behavioral9
Detonation Overview
Submitted
2024-05-10 12:30
Reported
2024-05-10 12:33
Platform
win10v2004-20240508-en
Max time kernel
142s
Max time network
157s
Command Line
Signatures
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3719439.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3719439.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3719439.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3719439.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3719439.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3719439.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3756826.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3719439.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l6925739.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3719439.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3719439.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\61f1a776dcd13885a5979397d5b945e89d26cfcfe61e000ac89070e4a45bc562.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3756826.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3719439.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3719439.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3719439.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\61f1a776dcd13885a5979397d5b945e89d26cfcfe61e000ac89070e4a45bc562.exe
"C:\Users\Admin\AppData\Local\Temp\61f1a776dcd13885a5979397d5b945e89d26cfcfe61e000ac89070e4a45bc562.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3756826.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3756826.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3719439.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3719439.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l6925739.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l6925739.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| NL | 23.62.61.160:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 160.61.62.23.in-addr.arpa | udp |
| DE | 217.196.96.101:4132 | N/A | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 139.53.16.96.in-addr.arpa | udp |
| DE | 217.196.96.101:4132 | N/A | tcp |
| DE | 217.196.96.101:4132 | N/A | tcp |
| DE | 217.196.96.101:4132 | N/A | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| DE | 217.196.96.101:4132 | N/A | tcp |
| DE | 217.196.96.101:4132 | N/A | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3756826.exe
| MD5 | ca2ad17b64a10b961c2b14a7e47a8030 |
| SHA1 | a339ebb686b832fc87af3c287f67d8ef52e140e8 |
| SHA256 | 23bc83a4a63831c87e6d79e2b366e2534c967a13a377e66f4d92e226f9e8be94 |
| SHA512 | ad5e5a03336562d58b02f2556eb833fe3c39d2a7c47584379059cc5a584be1efc981cde4c84a350a4bb244502a73fb7bf0bee7b03b4ef002bb6ecc17d3caff04 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3719439.exe
| MD5 | 0e2a8712db80505e38c2816483598edf |
| SHA1 | 8ff6735fc1c080fb73825928f2bf9aa409b3758c |
| SHA256 | a88a17437aa434a4c8df1657b4ac4c72d5d65247c160b7d2351101a2955ecd0c |
| SHA512 | 1076c1d65c2bd3be562d57ebe5a00af294242456a80a4149e3ae5ed1816a35abdab48cca90617ccb9839a14020391ed425cedba42f63c75b8488f45485108d91 |
memory/1176-14-0x00000000741FE000-0x00000000741FF000-memory.dmp
memory/1176-15-0x0000000002180000-0x000000000219A000-memory.dmp
memory/1176-16-0x00000000741F0000-0x00000000749A0000-memory.dmp
memory/1176-17-0x0000000004A90000-0x0000000005034000-memory.dmp
memory/1176-18-0x0000000004990000-0x00000000049A8000-memory.dmp
memory/1176-47-0x0000000004990000-0x00000000049A2000-memory.dmp
memory/1176-43-0x0000000004990000-0x00000000049A2000-memory.dmp
memory/1176-41-0x0000000004990000-0x00000000049A2000-memory.dmp
memory/1176-39-0x0000000004990000-0x00000000049A2000-memory.dmp
memory/1176-37-0x0000000004990000-0x00000000049A2000-memory.dmp
memory/1176-35-0x0000000004990000-0x00000000049A2000-memory.dmp
memory/1176-33-0x0000000004990000-0x00000000049A2000-memory.dmp
memory/1176-31-0x0000000004990000-0x00000000049A2000-memory.dmp
memory/1176-29-0x0000000004990000-0x00000000049A2000-memory.dmp
memory/1176-27-0x0000000004990000-0x00000000049A2000-memory.dmp
memory/1176-25-0x0000000004990000-0x00000000049A2000-memory.dmp
memory/1176-23-0x0000000004990000-0x00000000049A2000-memory.dmp
memory/1176-21-0x0000000004990000-0x00000000049A2000-memory.dmp
memory/1176-20-0x0000000004990000-0x00000000049A2000-memory.dmp
memory/1176-45-0x0000000004990000-0x00000000049A2000-memory.dmp
memory/1176-19-0x00000000741F0000-0x00000000749A0000-memory.dmp
memory/1176-48-0x00000000741F0000-0x00000000749A0000-memory.dmp
memory/1176-50-0x00000000741F0000-0x00000000749A0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l6925739.exe
| MD5 | 9eb1e1ed0fb5f198b60699f1d6f2c4d8 |
| SHA1 | 0a93100586a585ffaceecff9c67cf28e703b67d2 |
| SHA256 | 0fce1f4c2a87e2bdccfe4c3112f837d1fdeb91edb113f055787e29000a4a348b |
| SHA512 | fe9679472176c5d0648355a230eb9b77a19d565b17cb957a14d96d60df338f039ddbbdc97c611776239e8b5b3e842c85e8ac6b50882feb59917a1bb12496140d |
memory/2212-54-0x0000000000860000-0x0000000000890000-memory.dmp
memory/2212-55-0x00000000012E0000-0x00000000012E6000-memory.dmp
memory/2212-56-0x000000000AC70000-0x000000000B288000-memory.dmp
memory/2212-57-0x000000000A760000-0x000000000A86A000-memory.dmp
memory/2212-58-0x0000000005170000-0x0000000005182000-memory.dmp
memory/2212-59-0x000000000A690000-0x000000000A6CC000-memory.dmp
memory/2212-60-0x0000000004B30000-0x0000000004B7C000-memory.dmp
Analysis: behavioral14
Detonation Overview
Submitted
2024-05-10 12:30
Reported
2024-05-10 12:33
Platform
win10v2004-20240426-en
Max time kernel
144s
Max time network
152s
Command Line
Signatures
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0366696.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0366696.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0366696.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0366696.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0366696.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0366696.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8920385.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0366696.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l3800882.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0366696.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0366696.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8920385.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\8a73bb4899be69e1a77d74c46f81ca29b85b5c67b642e09f9735dec87b8b4cc3.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0366696.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0366696.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0366696.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\8a73bb4899be69e1a77d74c46f81ca29b85b5c67b642e09f9735dec87b8b4cc3.exe
"C:\Users\Admin\AppData\Local\Temp\8a73bb4899be69e1a77d74c46f81ca29b85b5c67b642e09f9735dec87b8b4cc3.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8920385.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8920385.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0366696.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0366696.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l3800882.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l3800882.exe
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start wuauserv
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.99:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| NL | 23.62.61.106:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 99.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 106.61.62.23.in-addr.arpa | udp |
| US | 20.231.121.79:80 | | tcp |
| DE | 217.196.96.101:4132 | | tcp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 139.53.16.96.in-addr.arpa | udp |
| DE | 217.196.96.101:4132 | | tcp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| DE | 217.196.96.101:4132 | | tcp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| DE | 217.196.96.101:4132 | | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| DE | 217.196.96.101:4132 | | tcp |
| DE | 217.196.96.101:4132 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8920385.exe
| MD5 | 564c7dd5cd6f43333f3726a1067fa7b4 |
| SHA1 | d435fc75ad9860e41732452696f59c04373531cf |
| SHA256 | 0ed66c396d2ae7b2fd68b55a0d8f255e6d017c11dabaec1a6f3550321e83f664 |
| SHA512 | efcbdffc5f2992a4ed1dfa092a0ed9bde85116c09570a40a945a1e9a2211a32562e572ff51706334d97de832126faebdeaa878dafb0683c8e84b119e8a576c5a |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0366696.exe
| MD5 | b4a4c6e6401ce4043ed5f212555de317 |
| SHA1 | c6f6c6513769019907b51ff23d0683a5bd197f2a |
| SHA256 | 4c411c6600d1f65ea9a585a5f125792c5f74ca5e41d63fc2bd70c60d3b9e7447 |
| SHA512 | 68b9fd346cddae31abd19022f854ce9b77f48a37cbb8b852ffcab4b3550011e27f1859f33ac2f4745f4838b8084f2a8e9674cd43dfbd18b945f395946b2b3974 |
memory/1632-14-0x00000000746BE000-0x00000000746BF000-memory.dmp
memory/1632-15-0x0000000002150000-0x000000000216A000-memory.dmp
memory/1632-17-0x0000000004AE0000-0x0000000005084000-memory.dmp
memory/1632-16-0x00000000746B0000-0x0000000074E60000-memory.dmp
memory/1632-18-0x0000000002360000-0x0000000002378000-memory.dmp
memory/1632-19-0x00000000746B0000-0x0000000074E60000-memory.dmp
memory/1632-45-0x0000000002360000-0x0000000002372000-memory.dmp
memory/1632-47-0x0000000002360000-0x0000000002372000-memory.dmp
memory/1632-43-0x0000000002360000-0x0000000002372000-memory.dmp
memory/1632-41-0x0000000002360000-0x0000000002372000-memory.dmp
memory/1632-39-0x0000000002360000-0x0000000002372000-memory.dmp
memory/1632-37-0x0000000002360000-0x0000000002372000-memory.dmp
memory/1632-35-0x0000000002360000-0x0000000002372000-memory.dmp
memory/1632-33-0x0000000002360000-0x0000000002372000-memory.dmp
memory/1632-31-0x0000000002360000-0x0000000002372000-memory.dmp
memory/1632-25-0x0000000002360000-0x0000000002372000-memory.dmp
memory/1632-23-0x0000000002360000-0x0000000002372000-memory.dmp
memory/1632-21-0x0000000002360000-0x0000000002372000-memory.dmp
memory/1632-20-0x0000000002360000-0x0000000002372000-memory.dmp
memory/1632-29-0x0000000002360000-0x0000000002372000-memory.dmp
memory/1632-27-0x0000000002360000-0x0000000002372000-memory.dmp
memory/1632-48-0x00000000746B0000-0x0000000074E60000-memory.dmp
memory/1632-50-0x00000000746B0000-0x0000000074E60000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l3800882.exe
| MD5 | fecafbd83c6218e3ad98ca6c7d0b5671 |
| SHA1 | 72376a75ab9ce874cfb24df53b52700fb059f47e |
| SHA256 | af55b182e0f5bf4176ceb683cf3e1196ddc159afc733b576be40e6c3b62f793e |
| SHA512 | f44966c871ee17bc71186242b485a768ef6ac48a100a02232d2586b36fc9d0703e3dbfbddce6e55938c586e24aa3c38cbd6bdc47151bc4f51ffbcabd137db8f9 |
memory/1100-54-0x0000000000850000-0x0000000000880000-memory.dmp
memory/1100-55-0x0000000005170000-0x0000000005176000-memory.dmp
memory/1100-56-0x00000000057E0000-0x0000000005DF8000-memory.dmp
memory/1100-57-0x00000000052D0000-0x00000000053DA000-memory.dmp
memory/1100-58-0x00000000051E0000-0x00000000051F2000-memory.dmp
memory/1100-59-0x0000000005240000-0x000000000527C000-memory.dmp
memory/1100-60-0x0000000005280000-0x00000000052CC000-memory.dmp
Analysis: behavioral18
Detonation Overview
Submitted
2024-05-10 12:30
Reported
2024-05-10 12:33
Platform
win7-20240221-en
Max time kernel
122s
Max time network
124s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\c2ef692d84f694cd08e3238ae431c5636be2dc51342782c20a577eb05217557e.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1948 wrote to memory of 1964 | N/A | C:\Users\Admin\AppData\Local\Temp\c2ef692d84f694cd08e3238ae431c5636be2dc51342782c20a577eb05217557e.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 1948 wrote to memory of 1964 | N/A | C:\Users\Admin\AppData\Local\Temp\c2ef692d84f694cd08e3238ae431c5636be2dc51342782c20a577eb05217557e.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 1948 wrote to memory of 1964 | N/A | C:\Users\Admin\AppData\Local\Temp\c2ef692d84f694cd08e3238ae431c5636be2dc51342782c20a577eb05217557e.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 1948 wrote to memory of 1964 | N/A | C:\Users\Admin\AppData\Local\Temp\c2ef692d84f694cd08e3238ae431c5636be2dc51342782c20a577eb05217557e.exe | C:\Windows\SysWOW64\WerFault.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\c2ef692d84f694cd08e3238ae431c5636be2dc51342782c20a577eb05217557e.exe
"C:\Users\Admin\AppData\Local\Temp\c2ef692d84f694cd08e3238ae431c5636be2dc51342782c20a577eb05217557e.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1948 -s 52
Network
Files
memory/1948-0-0x0000000000030000-0x0000000000031000-memory.dmp
memory/1948-1-0x0000000000030000-0x0000000000031000-memory.dmp
Analysis: behavioral20
Detonation Overview
Submitted
2024-05-10 12:30
Reported
2024-05-10 12:33
Platform
win7-20240508-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\c39106a3520b59f859a00bc0014f6b5a4846b40742a925b66283b31e62094c4e.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\c39106a3520b59f859a00bc0014f6b5a4846b40742a925b66283b31e62094c4e.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\c39106a3520b59f859a00bc0014f6b5a4846b40742a925b66283b31e62094c4e.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\c39106a3520b59f859a00bc0014f6b5a4846b40742a925b66283b31e62094c4e.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\c39106a3520b59f859a00bc0014f6b5a4846b40742a925b66283b31e62094c4e.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\c39106a3520b59f859a00bc0014f6b5a4846b40742a925b66283b31e62094c4e.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\c39106a3520b59f859a00bc0014f6b5a4846b40742a925b66283b31e62094c4e.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\c39106a3520b59f859a00bc0014f6b5a4846b40742a925b66283b31e62094c4e.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c39106a3520b59f859a00bc0014f6b5a4846b40742a925b66283b31e62094c4e.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c39106a3520b59f859a00bc0014f6b5a4846b40742a925b66283b31e62094c4e.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\c39106a3520b59f859a00bc0014f6b5a4846b40742a925b66283b31e62094c4e.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\c39106a3520b59f859a00bc0014f6b5a4846b40742a925b66283b31e62094c4e.exe
"C:\Users\Admin\AppData\Local\Temp\c39106a3520b59f859a00bc0014f6b5a4846b40742a925b66283b31e62094c4e.exe"
Network
Files
memory/2904-0-0x0000000000230000-0x000000000026E000-memory.dmp
memory/2904-6-0x0000000000401000-0x0000000000404000-memory.dmp
memory/2904-7-0x0000000000400000-0x000000000044E000-memory.dmp
memory/2904-8-0x0000000000230000-0x000000000026E000-memory.dmp
memory/2904-9-0x0000000000690000-0x0000000000691000-memory.dmp
Analysis: behavioral29
Detonation Overview
Submitted
2024-05-10 12:30
Reported
2024-05-10 12:33
Platform
win10v2004-20240508-en
Max time kernel
148s
Max time network
150s
Command Line
Signatures
Lumma Stealer
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 348 set thread context of 2628 | N/A | C:\Users\Admin\AppData\Local\Temp\fc8b501a1823496ec4685f1c935710517b2ee5331f98bf10c5eb7b69350e59d3.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\fc8b501a1823496ec4685f1c935710517b2ee5331f98bf10c5eb7b69350e59d3.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\fc8b501a1823496ec4685f1c935710517b2ee5331f98bf10c5eb7b69350e59d3.exe
"C:\Users\Admin\AppData\Local\Temp\fc8b501a1823496ec4685f1c935710517b2ee5331f98bf10c5eb7b69350e59d3.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 348 -ip 348
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 348 -s 332
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | sideindexfollowragelrew.pw | udp |
| US | 8.8.8.8:53 | productivelookewr.shop | udp |
| US | 104.21.11.250:443 | productivelookewr.shop | tcp |
| US | 8.8.8.8:53 | tolerateilusidjukl.shop | udp |
| US | 104.21.89.202:443 | tolerateilusidjukl.shop | tcp |
| US | 8.8.8.8:53 | shatterbreathepsw.shop | udp |
| US | 104.21.95.19:443 | shatterbreathepsw.shop | tcp |
| US | 8.8.8.8:53 | 250.11.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 202.89.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | shortsvelventysjo.shop | udp |
| US | 104.21.16.225:443 | shortsvelventysjo.shop | tcp |
| US | 8.8.8.8:53 | incredibleextedwj.shop | udp |
| US | 104.21.86.106:443 | incredibleextedwj.shop | tcp |
| US | 8.8.8.8:53 | alcojoldwograpciw.shop | udp |
| US | 104.21.48.243:443 | alcojoldwograpciw.shop | tcp |
| US | 8.8.8.8:53 | 106.86.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 225.16.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.95.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | liabilitynighstjsko.shop | udp |
| US | 104.21.44.3:443 | liabilitynighstjsko.shop | tcp |
| NL | 23.62.61.75:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | demonstationfukewko.shop | udp |
| US | 104.21.33.174:443 | demonstationfukewko.shop | tcp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 243.48.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.44.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 174.33.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 142.53.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.16.208.104.in-addr.arpa | udp |
Files
memory/348-0-0x00000000005F9000-0x00000000005FA000-memory.dmp
memory/2628-1-0x0000000000400000-0x000000000044E000-memory.dmp
memory/2628-3-0x0000000000400000-0x000000000044E000-memory.dmp
memory/2628-4-0x0000000000400000-0x000000000044E000-memory.dmp
memory/2628-5-0x0000000000400000-0x000000000044E000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2024-05-10 12:30
Reported
2024-05-10 12:33
Platform
win10v2004-20240508-en
Max time kernel
147s
Max time network
155s
Command Line
Signatures
Amadey
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p9107253.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p9107253.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p9107253.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p9107253.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p9107253.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p9107253.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r5880657.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3352497.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p9107253.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r5880657.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\t0213700.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p9107253.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3352497.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\1e44c41d8d889c0d0e018128db620f95ba933996ae31dd11da4f5d407c764691.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p9107253.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p9107253.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p9107253.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\1e44c41d8d889c0d0e018128db620f95ba933996ae31dd11da4f5d407c764691.exe
"C:\Users\Admin\AppData\Local\Temp\1e44c41d8d889c0d0e018128db620f95ba933996ae31dd11da4f5d407c764691.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3352497.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3352497.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p9107253.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p9107253.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r5880657.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r5880657.exe
C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe
"C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\t0213700.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\t0213700.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legola.exe /TR "C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legola.exe" /P "Admin:N"&&CACLS "legola.exe" /P "Admin:R" /E&&echo Y|CACLS "..\ebb444342c" /P "Admin:N"&&CACLS "..\ebb444342c" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "legola.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "legola.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\ebb444342c" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\ebb444342c" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe
C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe
C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe
C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.75:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| NL | 23.62.61.75:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 75.61.62.23.in-addr.arpa | udp |
| SE | 5.42.92.67:80 | | tcp |
| FI | 77.91.68.68:19071 | | tcp |
| FI | 77.91.68.68:19071 | | tcp |
| SE | 5.42.92.67:80 | | tcp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| FI | 77.91.68.68:19071 | | tcp |
| SE | 5.42.92.67:80 | | tcp |
| FI | 77.91.68.68:19071 | | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| FI | 77.91.68.68:19071 | | tcp |
| FI | 77.91.68.68:19071 | | tcp |
| US | 8.8.8.8:53 | 92.16.208.104.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3352497.exe
| MD5 | 859530ca071eca4d755d51e586e8e887 |
| SHA1 | de62d33ce5bdbcaee3969c0b7f5923be57f65b18 |
| SHA256 | 51fe2b44092632d15df632de06f77403d4ed876e788b6b513102a552a4fd7532 |
| SHA512 | acd81f2a81bdf865b7ae581034c813d41e694cd942ceca7c5ce801d427c5163803da91d0d06e6eeef5b7906af6dcd075aa869eb5901c96fb162a9031cb0621c1 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p9107253.exe
| MD5 | 9df47b120c7025ec8ffdc3338bf3371a |
| SHA1 | 18c9a5590d838f935ea38598118558686094db80 |
| SHA256 | cc881b7786c962ef44b2394705f24fbf1f7964505b2d3322a522a62d838ff829 |
| SHA512 | a70ea602160af906fa5958b9d01ee0ddd93bda62c8f5c1ec2632471561df5290ecd8f428f0b3c87bb2fa8a5546bd9e2e5200faa708d62a3ee36df69390227dc4 |
memory/3724-14-0x00007FFEE8B93000-0x00007FFEE8B95000-memory.dmp
memory/3724-15-0x0000000000640000-0x000000000064A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r5880657.exe
| MD5 | a748d210956507aaeb3aa55c796c4493 |
| SHA1 | 6536facee8829b5d0cab1bcb31c9bb528812c0eb |
| SHA256 | 970a4c051a4e15f2fb1aef52a2916e417719475bf3bf076194c3978ca526ac83 |
| SHA512 | e117d4e660e74fafee8aab8cc412969b6f27287ce9efd787a72aa40d4128853b46e5a04e5217f1d72cbd5b69ac5570d49c823134776aa9f9cb297b71061aed25 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\t0213700.exe
| MD5 | b8c5d95c1f7a38803ce7e06a3163b115 |
| SHA1 | 8f5850e40c86222637fdf8fe190880eb203bd546 |
| SHA256 | dca8ac02fa9e6017548cee8be5c5073643fb1096ed887ac87301018c8f663f61 |
| SHA512 | 2d55b6393a16147be65d6f5dd8b35bbea1b06b6aafd32256a2accb59877156de41dec5d48f8d05a22abb2853f32ac79932fc43cca7d38a83e89e2f14c55b823c |
memory/2288-33-0x00000000009A0000-0x00000000009D0000-memory.dmp
memory/2288-34-0x00000000051C0000-0x00000000051C6000-memory.dmp
memory/2288-35-0x00000000059E0000-0x0000000005FF8000-memory.dmp
memory/2288-36-0x00000000054D0000-0x00000000055DA000-memory.dmp
memory/2288-37-0x0000000005220000-0x0000000005232000-memory.dmp
memory/2288-38-0x00000000053C0000-0x00000000053FC000-memory.dmp
memory/2288-39-0x0000000005400000-0x000000000544C000-memory.dmp
Analysis: behavioral19
Detonation Overview
Submitted
2024-05-10 12:30
Reported
2024-05-10 12:33
Platform
win10v2004-20240508-en
Max time kernel
93s
Max time network
95s
Command Line
Signatures
Detect ZGRat V1
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
ZGRat
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2872 set thread context of 2676 | N/A | C:\Users\Admin\AppData\Local\Temp\c2ef692d84f694cd08e3238ae431c5636be2dc51342782c20a577eb05217557e.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\c2ef692d84f694cd08e3238ae431c5636be2dc51342782c20a577eb05217557e.exe
"C:\Users\Admin\AppData\Local\Temp\c2ef692d84f694cd08e3238ae431c5636be2dc51342782c20a577eb05217557e.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| RU | 147.45.47.64:11837 | | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.47.45.147.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 142.53.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
memory/2872-0-0x00000000005C0000-0x00000000005C1000-memory.dmp
memory/2872-1-0x00000000005C0000-0x00000000005C1000-memory.dmp
memory/2676-2-0x0000000000400000-0x000000000044A000-memory.dmp
memory/2872-3-0x00000000005C0000-0x00000000005C1000-memory.dmp
memory/2676-4-0x0000000074BEE000-0x0000000074BEF000-memory.dmp
memory/2676-5-0x0000000005330000-0x00000000058D4000-memory.dmp
memory/2676-6-0x0000000004D80000-0x0000000004E12000-memory.dmp
memory/2676-8-0x0000000074BE0000-0x0000000075390000-memory.dmp
memory/2676-7-0x0000000004D30000-0x0000000004D3A000-memory.dmp
memory/2676-9-0x0000000006390000-0x00000000069A8000-memory.dmp
memory/2676-10-0x0000000005EC0000-0x0000000005FCA000-memory.dmp
memory/2676-11-0x0000000005DF0000-0x0000000005E02000-memory.dmp
memory/2676-12-0x0000000005E50000-0x0000000005E8C000-memory.dmp
memory/2676-13-0x0000000005FD0000-0x000000000601C000-memory.dmp
memory/2676-14-0x0000000006150000-0x00000000061B6000-memory.dmp
memory/2676-15-0x0000000006AB0000-0x0000000006B26000-memory.dmp
memory/2676-16-0x00000000062E0000-0x00000000062FE000-memory.dmp
memory/2676-17-0x0000000008000000-0x00000000081C2000-memory.dmp
memory/2676-18-0x0000000008700000-0x0000000008C2C000-memory.dmp
memory/2676-20-0x0000000074BE0000-0x0000000075390000-memory.dmp
Analysis: behavioral21
Detonation Overview
Submitted
2024-05-10 12:30
Reported
2024-05-10 12:33
Platform
win10v2004-20240508-en
Max time kernel
92s
Max time network
100s
Command Line
Signatures
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\c39106a3520b59f859a00bc0014f6b5a4846b40742a925b66283b31e62094c4e.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\c39106a3520b59f859a00bc0014f6b5a4846b40742a925b66283b31e62094c4e.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\c39106a3520b59f859a00bc0014f6b5a4846b40742a925b66283b31e62094c4e.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\c39106a3520b59f859a00bc0014f6b5a4846b40742a925b66283b31e62094c4e.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\c39106a3520b59f859a00bc0014f6b5a4846b40742a925b66283b31e62094c4e.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\c39106a3520b59f859a00bc0014f6b5a4846b40742a925b66283b31e62094c4e.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\c39106a3520b59f859a00bc0014f6b5a4846b40742a925b66283b31e62094c4e.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\c39106a3520b59f859a00bc0014f6b5a4846b40742a925b66283b31e62094c4e.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c39106a3520b59f859a00bc0014f6b5a4846b40742a925b66283b31e62094c4e.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c39106a3520b59f859a00bc0014f6b5a4846b40742a925b66283b31e62094c4e.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\c39106a3520b59f859a00bc0014f6b5a4846b40742a925b66283b31e62094c4e.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\c39106a3520b59f859a00bc0014f6b5a4846b40742a925b66283b31e62094c4e.exe
"C:\Users\Admin\AppData\Local\Temp\c39106a3520b59f859a00bc0014f6b5a4846b40742a925b66283b31e62094c4e.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| NL | 23.62.61.160:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 160.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
Files
memory/1976-0-0x00000000005B0000-0x00000000005EE000-memory.dmp
memory/1976-6-0x0000000000401000-0x0000000000404000-memory.dmp
memory/1976-7-0x0000000000400000-0x000000000044E000-memory.dmp
memory/1976-9-0x0000000002390000-0x0000000002391000-memory.dmp
memory/1976-8-0x00000000005B0000-0x00000000005EE000-memory.dmp