Analysis Overview
SHA256
c5a3dbeea17ddba50482e7844a817171580f977dcea9ad7b655d39a934b93b93
Threat Level: Known bad
The file c5a3dbeea17ddba50482e7844a817171580f977dcea9ad7b655d39a934b93b93 was found to be: Known bad.
Malicious Activity Summary
ZGRat
Healer
Detects Healer an antivirus disabler dropper
Modifies Windows Defender Real-time Protection settings
RedLine
Detect ZGRat V1
Amadey
SmokeLoader
Lumma Stealer
RedLine payload
Executes dropped EXE
Windows security modification
Checks computer location settings
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Checks installed software on the system
Suspicious use of SetThreadContext
Enumerates physical storage devices
Unsigned PE
Program crash
Suspicious behavior: MapViewOfSection
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Checks SCSI registry key(s)
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-10 12:35
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral24
Detonation Overview
Submitted
2024-05-10 12:35
Reported
2024-05-10 12:40
Platform
win10v2004-20240508-en
Max time kernel
142s
Max time network
157s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\db14966ca75480a4e8f9f3d18c7bada2f205a1ac7404dbeda068279afa55b1cb.exe
"C:\Users\Admin\AppData\Local\Temp\db14966ca75480a4e8f9f3d18c7bada2f205a1ac7404dbeda068279afa55b1cb.exe"
Network
| Country | Destination | Domain | Proto |
| MD | 176.123.9.142:14845 | tcp | |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| BE | 88.221.83.217:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 217.83.221.88.in-addr.arpa | udp |
| MD | 176.123.9.142:14845 | tcp | |
| MD | 176.123.9.142:14845 | tcp | |
| MD | 176.123.9.142:14845 | tcp | |
| MD | 176.123.9.142:14845 | tcp | |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| MD | 176.123.9.142:14845 | tcp | |
| MD | 176.123.9.142:14845 | tcp | |
| MD | 176.123.9.142:14845 | tcp | |
| MD | 176.123.9.142:14845 | tcp | |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| MD | 176.123.9.142:14845 | tcp | |
| MD | 176.123.9.142:14845 | tcp | |
| MD | 176.123.9.142:14845 | tcp | |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| MD | 176.123.9.142:14845 | tcp | |
| MD | 176.123.9.142:14845 | tcp | |
| MD | 176.123.9.142:14845 | tcp | |
| MD | 176.123.9.142:14845 | tcp | |
| MD | 176.123.9.142:14845 | tcp | |
| MD | 176.123.9.142:14845 | tcp | |
| MD | 176.123.9.142:14845 | tcp |
Files
memory/4228-0-0x0000000000401000-0x0000000000402000-memory.dmp
memory/4228-1-0x00000000001C0000-0x00000000001F0000-memory.dmp
memory/4228-5-0x0000000000400000-0x0000000000446000-memory.dmp
memory/4228-6-0x0000000002390000-0x0000000002396000-memory.dmp
memory/4228-7-0x0000000009EA0000-0x000000000A4B8000-memory.dmp
memory/4228-8-0x000000000A500000-0x000000000A60A000-memory.dmp
memory/4228-9-0x000000000A630000-0x000000000A642000-memory.dmp
memory/4228-10-0x000000000A650000-0x000000000A68C000-memory.dmp
memory/4228-11-0x0000000002300000-0x000000000234C000-memory.dmp
Analysis: behavioral27
Detonation Overview
Submitted
2024-05-10 12:35
Reported
2024-05-10 12:39
Platform
win10v2004-20240508-en
Max time kernel
146s
Max time network
150s
Command Line
Signatures
Amadey
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6513102.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6513102.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6513102.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6513102.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6513102.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6513102.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
SmokeLoader
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b1736941.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9071750.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1399127.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6513102.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b1736941.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c2251742.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d4275669.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6513102.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\f8a2da44f9c18482323d9e1ed99567d3a35b95656bc1b023d86e12f305565c41.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9071750.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1399127.exe | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c2251742.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c2251742.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c2251742.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6513102.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6513102.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6513102.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\f8a2da44f9c18482323d9e1ed99567d3a35b95656bc1b023d86e12f305565c41.exe
"C:\Users\Admin\AppData\Local\Temp\f8a2da44f9c18482323d9e1ed99567d3a35b95656bc1b023d86e12f305565c41.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9071750.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9071750.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1399127.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1399127.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6513102.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6513102.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b1736941.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b1736941.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
"C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe"
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c2251742.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c2251742.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN pdates.exe /TR "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "pdates.exe" /P "Admin:N"&&CACLS "pdates.exe" /P "Admin:R" /E&&echo Y|CACLS "..\925e7e99c5" /P "Admin:N"&&CACLS "..\925e7e99c5" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "pdates.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "pdates.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\925e7e99c5" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\925e7e99c5" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d4275669.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d4275669.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
Network
| Country | Destination | Domain | Proto |
| FI | 77.91.68.61:80 | tcp | |
| FI | 77.91.124.84:19071 | tcp | |
| FI | 77.91.68.61:80 | tcp | |
| FI | 77.91.124.84:19071 | tcp | |
| FI | 77.91.68.61:80 | tcp | |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| FI | 77.91.124.84:19071 | tcp | |
| FI | 77.91.124.84:19071 | tcp | |
| FI | 77.91.124.84:19071 | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9071750.exe
| MD5 | 88bee46f431c014c1e45417f6b13e124 |
| SHA1 | 07588e0723944e251a6a2d9db4ed8e45d5f563f1 |
| SHA256 | f4dfc88066f344cec64c3c5076b4e1e051af9f333c455aa2f96daacc1d732999 |
| SHA512 | 5a0c53df34632e2d21c12e572460d54bfe7de21035d44bc36764ed3c6410d661ee50c758366cc8b86c2447b54efab7c41479fb04468afee6b70b9cbbaf55e79e |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1399127.exe
| MD5 | 8f620f99bbeba489fc4bddc2af02f9b8 |
| SHA1 | 2e97752a24581dd229306cfad5763cf82f9c4f96 |
| SHA256 | 26a1717813eedfd0569c474064d1e14eeba61b97bb26866c53a19428a448a3f5 |
| SHA512 | b5065ed02a3bdcb68461265bb56f9173a7f9a1c75d12cf1ae53c43224cf2aada5586a4ee122779d7c83b8e8130cc6a980080cd03c2cc751ce19ac5ea3b2caa03 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6513102.exe
| MD5 | 12803f40ef0b813626de6e5eb0ec05b2 |
| SHA1 | 27e32adac36ba9f4d54ecbf53e112158d4e988b5 |
| SHA256 | d320fcef46ae85d5f06133a3b8d4f5a7d2dff0886a86d981f3186f464fbb7abb |
| SHA512 | 84d7c28b03fdceb94e00fbcc838f203f6cd9e091b67b7ea8dad577a529a0d96eecf3b246a8548c9b7bef1e063aa96525f6b2148b5d0bb79b32a3415e9f151e0a |
memory/1640-21-0x00007FFC356D3000-0x00007FFC356D5000-memory.dmp
memory/1640-22-0x00000000002C0000-0x00000000002CA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b1736941.exe
| MD5 | 2b7ed1055ddd27afe675dd11da92357a |
| SHA1 | 3809cb22cbdda5ba5707892163217563020df5ca |
| SHA256 | 9d69e620d8bb7cb24c7d4831312351d09872badc8331594ce05afe46ff56ab3d |
| SHA512 | 549602e7e10ae1b006fafe9d6c1c09d35280a3af8815157dfa9b7664f16bf1682cc782585a24202dd150955073b5e648f0ad8a39add3f95ceeb51a5eb26fc641 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c2251742.exe
| MD5 | 88331cf94b56745070654ca04d4c7d98 |
| SHA1 | 248ac76afce09c34082bad3fbd01ce73e4056f65 |
| SHA256 | 32e850a828611bdf20e34f0ac6c397507ff4b140c2b13732b5bf389249693334 |
| SHA512 | a3173aaeb138cb46f951d1e6b103a424c91ee05b416cdc9080e3ac5ba6db33dd0431d1ba0b8228b379f6ea6631b5c6622a4875459ce1105a0b959722e7717f96 |
memory/5096-40-0x0000000000400000-0x0000000000409000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d4275669.exe
| MD5 | 35c0945f8c70c870c070eb2261d6bc04 |
| SHA1 | bfc1ffae759330be5a50c22829fb342bfc644aab |
| SHA256 | e296c73bc0d4abe0e58a2200d0c1839c210debd4deb8b26aa83abc5a2f0aaa1d |
| SHA512 | 8c9e5e646dfcd6b592d516524128d34af326c55a153d77d240ddbe6f418f01be473231e78a1707d72b0fbe3ad367085fc76ff329d8d80515ac07288b5eda73b7 |
memory/3828-45-0x00000000008D0000-0x0000000000900000-memory.dmp
memory/3828-46-0x0000000002AB0000-0x0000000002AB6000-memory.dmp
memory/3828-47-0x000000000ACB0000-0x000000000B2C8000-memory.dmp
memory/3828-48-0x000000000A7A0000-0x000000000A8AA000-memory.dmp
memory/3828-49-0x000000000A690000-0x000000000A6A2000-memory.dmp
memory/3828-50-0x000000000A6F0000-0x000000000A72C000-memory.dmp
memory/3828-51-0x0000000004C20000-0x0000000004C6C000-memory.dmp
Analysis: behavioral29
Detonation Overview
Submitted
2024-05-10 12:35
Reported
2024-05-10 12:40
Platform
win10v2004-20240508-en
Max time kernel
124s
Max time network
131s
Command Line
Signatures
Lumma Stealer
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4920 set thread context of 3708 | N/A | C:\Users\Admin\AppData\Local\Temp\fc8b501a1823496ec4685f1c935710517b2ee5331f98bf10c5eb7b69350e59d3.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\fc8b501a1823496ec4685f1c935710517b2ee5331f98bf10c5eb7b69350e59d3.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\fc8b501a1823496ec4685f1c935710517b2ee5331f98bf10c5eb7b69350e59d3.exe
"C:\Users\Admin\AppData\Local\Temp\fc8b501a1823496ec4685f1c935710517b2ee5331f98bf10c5eb7b69350e59d3.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4920 -ip 4920
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4920 -s 332
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4084,i,9746875443948590908,1444894342962555245,262144 --variations-seed-version --mojo-platform-channel-handle=4216 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | sideindexfollowragelrew.pw | udp |
| US | 8.8.8.8:53 | productivelookewr.shop | udp |
| US | 104.21.11.250:443 | productivelookewr.shop | tcp |
| US | 8.8.8.8:53 | tolerateilusidjukl.shop | udp |
| US | 104.21.89.202:443 | tolerateilusidjukl.shop | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | shatterbreathepsw.shop | udp |
| US | 104.21.95.19:443 | shatterbreathepsw.shop | tcp |
| US | 8.8.8.8:53 | shortsvelventysjo.shop | udp |
| US | 172.67.216.69:443 | shortsvelventysjo.shop | tcp |
| US | 8.8.8.8:53 | incredibleextedwj.shop | udp |
| US | 172.67.218.63:443 | incredibleextedwj.shop | tcp |
| US | 8.8.8.8:53 | 202.89.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 250.11.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.95.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.216.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | alcojoldwograpciw.shop | udp |
| BE | 88.221.83.192:443 | www.bing.com | tcp |
| US | 104.21.48.243:443 | alcojoldwograpciw.shop | tcp |
| US | 8.8.8.8:53 | 192.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 63.218.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 243.48.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | liabilitynighstjsko.shop | udp |
| US | 104.21.44.3:443 | liabilitynighstjsko.shop | tcp |
| US | 8.8.8.8:53 | demonstationfukewko.shop | udp |
| US | 104.21.33.174:443 | demonstationfukewko.shop | tcp |
| US | 8.8.8.8:53 | 3.44.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 174.33.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 139.53.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
Files
memory/4920-0-0x0000000000939000-0x000000000093A000-memory.dmp
memory/3708-1-0x0000000000400000-0x000000000044E000-memory.dmp
memory/3708-3-0x0000000000400000-0x000000000044E000-memory.dmp
memory/3708-4-0x0000000000400000-0x000000000044E000-memory.dmp
memory/3708-5-0x0000000000400000-0x000000000044E000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-10 12:35
Reported
2024-05-10 12:39
Platform
win7-20240508-en
Max time kernel
118s
Max time network
123s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\1d90edda9fc0271748934c0813b8946478823a33b5892d1be2ddf3d383fbc851.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1740 wrote to memory of 1968 | N/A | C:\Users\Admin\AppData\Local\Temp\1d90edda9fc0271748934c0813b8946478823a33b5892d1be2ddf3d383fbc851.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 1740 wrote to memory of 1968 | N/A | C:\Users\Admin\AppData\Local\Temp\1d90edda9fc0271748934c0813b8946478823a33b5892d1be2ddf3d383fbc851.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 1740 wrote to memory of 1968 | N/A | C:\Users\Admin\AppData\Local\Temp\1d90edda9fc0271748934c0813b8946478823a33b5892d1be2ddf3d383fbc851.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 1740 wrote to memory of 1968 | N/A | C:\Users\Admin\AppData\Local\Temp\1d90edda9fc0271748934c0813b8946478823a33b5892d1be2ddf3d383fbc851.exe | C:\Windows\SysWOW64\WerFault.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\1d90edda9fc0271748934c0813b8946478823a33b5892d1be2ddf3d383fbc851.exe
"C:\Users\Admin\AppData\Local\Temp\1d90edda9fc0271748934c0813b8946478823a33b5892d1be2ddf3d383fbc851.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1740 -s 92
Network
Files
memory/1740-0-0x0000000000A49000-0x0000000000A4A000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2024-05-10 12:35
Reported
2024-05-10 12:39
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
154s
Command Line
Signatures
Amadey
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p9107253.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p9107253.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p9107253.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p9107253.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p9107253.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p9107253.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r5880657.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3352497.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p9107253.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r5880657.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\t0213700.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p9107253.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\1e44c41d8d889c0d0e018128db620f95ba933996ae31dd11da4f5d407c764691.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3352497.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p9107253.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p9107253.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p9107253.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\1e44c41d8d889c0d0e018128db620f95ba933996ae31dd11da4f5d407c764691.exe
"C:\Users\Admin\AppData\Local\Temp\1e44c41d8d889c0d0e018128db620f95ba933996ae31dd11da4f5d407c764691.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3352497.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3352497.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p9107253.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p9107253.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r5880657.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r5880657.exe
C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe
"C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\t0213700.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\t0213700.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legola.exe /TR "C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legola.exe" /P "Admin:N"&&CACLS "legola.exe" /P "Admin:R" /E&&echo Y|CACLS "..\ebb444342c" /P "Admin:N"&&CACLS "..\ebb444342c" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "legola.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "legola.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\ebb444342c" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\ebb444342c" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe
C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe
C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe
C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| BE | 88.221.83.250:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 250.83.221.88.in-addr.arpa | udp |
| FI | 77.91.68.68:19071 | tcp | |
| SE | 5.42.92.67:80 | tcp | |
| FI | 77.91.68.68:19071 | tcp | |
| SE | 5.42.92.67:80 | tcp | |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| FI | 77.91.68.68:19071 | tcp | |
| SE | 5.42.92.67:80 | tcp | |
| FI | 77.91.68.68:19071 | tcp | |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| FI | 77.91.68.68:19071 | tcp | |
| FI | 77.91.68.68:19071 | tcp | |
| US | 8.8.8.8:53 | 4.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3352497.exe
| MD5 | 859530ca071eca4d755d51e586e8e887 |
| SHA1 | de62d33ce5bdbcaee3969c0b7f5923be57f65b18 |
| SHA256 | 51fe2b44092632d15df632de06f77403d4ed876e788b6b513102a552a4fd7532 |
| SHA512 | acd81f2a81bdf865b7ae581034c813d41e694cd942ceca7c5ce801d427c5163803da91d0d06e6eeef5b7906af6dcd075aa869eb5901c96fb162a9031cb0621c1 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p9107253.exe
| MD5 | 9df47b120c7025ec8ffdc3338bf3371a |
| SHA1 | 18c9a5590d838f935ea38598118558686094db80 |
| SHA256 | cc881b7786c962ef44b2394705f24fbf1f7964505b2d3322a522a62d838ff829 |
| SHA512 | a70ea602160af906fa5958b9d01ee0ddd93bda62c8f5c1ec2632471561df5290ecd8f428f0b3c87bb2fa8a5546bd9e2e5200faa708d62a3ee36df69390227dc4 |
memory/4188-14-0x00000000004E0000-0x00000000004EA000-memory.dmp
memory/4188-15-0x00007FFB51503000-0x00007FFB51505000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r5880657.exe
| MD5 | a748d210956507aaeb3aa55c796c4493 |
| SHA1 | 6536facee8829b5d0cab1bcb31c9bb528812c0eb |
| SHA256 | 970a4c051a4e15f2fb1aef52a2916e417719475bf3bf076194c3978ca526ac83 |
| SHA512 | e117d4e660e74fafee8aab8cc412969b6f27287ce9efd787a72aa40d4128853b46e5a04e5217f1d72cbd5b69ac5570d49c823134776aa9f9cb297b71061aed25 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\t0213700.exe
| MD5 | b8c5d95c1f7a38803ce7e06a3163b115 |
| SHA1 | 8f5850e40c86222637fdf8fe190880eb203bd546 |
| SHA256 | dca8ac02fa9e6017548cee8be5c5073643fb1096ed887ac87301018c8f663f61 |
| SHA512 | 2d55b6393a16147be65d6f5dd8b35bbea1b06b6aafd32256a2accb59877156de41dec5d48f8d05a22abb2853f32ac79932fc43cca7d38a83e89e2f14c55b823c |
memory/3080-33-0x0000000000010000-0x0000000000040000-memory.dmp
memory/3080-34-0x0000000002290000-0x0000000002296000-memory.dmp
memory/3080-35-0x0000000004FE0000-0x00000000055F8000-memory.dmp
memory/3080-36-0x0000000004AD0000-0x0000000004BDA000-memory.dmp
memory/3080-37-0x0000000002450000-0x0000000002462000-memory.dmp
memory/3080-38-0x0000000004A00000-0x0000000004A3C000-memory.dmp
memory/3080-39-0x0000000004A40000-0x0000000004A8C000-memory.dmp
Analysis: behavioral17
Detonation Overview
Submitted
2024-05-10 12:35
Reported
2024-05-10 12:40
Platform
win10v2004-20240426-en
Max time kernel
149s
Max time network
153s
Command Line
Signatures
Amadey
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7534464.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7534464.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7534464.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7534464.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7534464.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7534464.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
SmokeLoader
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b3015164.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6653264.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2222652.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7534464.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b3015164.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c4556430.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d1853109.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7534464.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\b72cfb25178ac78d0dfae350873df231a1f4266a913f47acc5018b87cae84bdf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6653264.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2222652.exe | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c4556430.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c4556430.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c4556430.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7534464.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7534464.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7534464.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\b72cfb25178ac78d0dfae350873df231a1f4266a913f47acc5018b87cae84bdf.exe
"C:\Users\Admin\AppData\Local\Temp\b72cfb25178ac78d0dfae350873df231a1f4266a913f47acc5018b87cae84bdf.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6653264.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6653264.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2222652.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2222652.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7534464.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7534464.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b3015164.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b3015164.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
"C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe"
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c4556430.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c4556430.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d1853109.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d1853109.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN pdates.exe /TR "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "pdates.exe" /P "Admin:N"&&CACLS "pdates.exe" /P "Admin:R" /E&&echo Y|CACLS "..\925e7e99c5" /P "Admin:N"&&CACLS "..\925e7e99c5" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "pdates.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "pdates.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\925e7e99c5" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\925e7e99c5" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| BE | 88.221.83.219:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 219.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| FI | 77.91.68.61:80 | tcp | |
| FI | 77.91.124.84:19071 | tcp | |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| FI | 77.91.124.84:19071 | tcp | |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| FI | 77.91.68.61:80 | tcp | |
| FI | 77.91.124.84:19071 | tcp | |
| FI | 77.91.68.61:80 | tcp | |
| FI | 77.91.124.84:19071 | tcp | |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| FI | 77.91.124.84:19071 | tcp | |
| FI | 77.91.124.84:19071 | tcp | |
| US | 8.8.8.8:53 | 122.10.44.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6653264.exe
| MD5 | e7fa26de9c820baea690459babf2fbe2 |
| SHA1 | 2ef86403777796d2dc2751f4abb0b42e483a9a90 |
| SHA256 | 630b3bd990cf3a7b799c0a8757ec0da95eb2bc811a803790cd5dd59b96a6ae12 |
| SHA512 | eaa136102af8ce5e1c93a08854c3ca6b768a546bde6b9ba123b0f7f23509155daebbcf221f299c1a44cac81a9690796d317baef311c7fd96c8403d1d6b1f441b |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2222652.exe
| MD5 | ef013b3a532e703d4d2c2b5cd426bc90 |
| SHA1 | 74f878cbd5dcd5ebdabf43c262f95ae0c1a697ae |
| SHA256 | a264decd1d4218a6f799938cf789727b2fd2fc2a2f5d29abdbbb3a582213a875 |
| SHA512 | d92fc62a03d6ab3fd5b676c2c5eb6da3dad100a6d5753a364ab1196742b20b66f993c649ef7bf9b96b233935bc2a8698c1ae3af2cf86d6a133f44eb85dc69233 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7534464.exe
| MD5 | 64fef4cf6fc7cd982c1e3967385b6dc8 |
| SHA1 | 30f307ad0ff6a2bf5c90743f09fb2b53705e9660 |
| SHA256 | f7ce92d9f78ff144184570d99e5951f58f6f3b8bcab899f785cea40643e43243 |
| SHA512 | b4875804448ce8d04f4b4138cf4228f25986f6e84bd0523706a4283def46be864ba07584019afbb7e52cb0b2dc997de0288f7062962c11a8515d12f1c1f0119c |
memory/800-21-0x0000000000ED0000-0x0000000000EDA000-memory.dmp
memory/800-22-0x00007FFAD2D43000-0x00007FFAD2D45000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b3015164.exe
| MD5 | 9ecc4e0e5e82fc7bc093b19a6f4de2eb |
| SHA1 | 1f6e4556dee5c075dfb06bbd4f9bbfbffc926347 |
| SHA256 | eb6991a258a7ae91ffb2d4d170508562eff82c059cf2c58e6500730183cc34bc |
| SHA512 | 9c93be0e7e18c7a5f27a68da43ca5a926c71b14468d8e66b3fff51458996f7ed9d3a9c0a9e12ef947ea130ad53787606afe50f307e0efdabda52755ed8323bd7 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c4556430.exe
| MD5 | 99e4fbaf61eda1a131a0fb9d2db25f6e |
| SHA1 | dfbba00b8a56e4405fa1911cf4d1f3466fcdf0e9 |
| SHA256 | 51e82b55c6b0908e8c31d12c5d8160a29addde641ea77b11ab4e229d67d89df3 |
| SHA512 | bf0d17b89b745982ecd8c0773c63fa68e86e3893f3ee4829e50cf7ea647f54b236fb1c4a16811d2e91b5f2b32bd119968eb905e34bb59ba17badbe4c5a043ff5 |
memory/5464-40-0x0000000000400000-0x0000000000409000-memory.dmp
memory/5464-41-0x0000000000400000-0x0000000000409000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d1853109.exe
| MD5 | 257b3b2a8fd11a9c26682c5c34ff230f |
| SHA1 | c19af2e2d29a96cbf73a54941f398a14c6ba8f14 |
| SHA256 | 2a55756c92b3e9e68116c3617777d07720069a3e0fae13d59412a03f7f5f42c1 |
| SHA512 | 35c8ff10783734d68ae3036845e28f2114f60623aeec5dda81f62adadcf26338fa53fbda810bfa94b1530f30cd44018ae608407de2951177357552d9bfdf4368 |
memory/4644-45-0x0000000000F90000-0x0000000000FC0000-memory.dmp
memory/4644-46-0x0000000003360000-0x0000000003366000-memory.dmp
memory/4644-47-0x0000000005FD0000-0x00000000065E8000-memory.dmp
memory/4644-48-0x0000000005AC0000-0x0000000005BCA000-memory.dmp
memory/4644-49-0x0000000005920000-0x0000000005932000-memory.dmp
memory/4644-50-0x00000000059B0000-0x00000000059EC000-memory.dmp
memory/4644-51-0x00000000059F0000-0x0000000005A3C000-memory.dmp
Analysis: behavioral18
Detonation Overview
Submitted
2024-05-10 12:35
Reported
2024-05-10 12:39
Platform
win7-20240419-en
Max time kernel
122s
Max time network
123s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\c2ef692d84f694cd08e3238ae431c5636be2dc51342782c20a577eb05217557e.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2456 wrote to memory of 2148 | N/A | C:\Users\Admin\AppData\Local\Temp\c2ef692d84f694cd08e3238ae431c5636be2dc51342782c20a577eb05217557e.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2456 wrote to memory of 2148 | N/A | C:\Users\Admin\AppData\Local\Temp\c2ef692d84f694cd08e3238ae431c5636be2dc51342782c20a577eb05217557e.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2456 wrote to memory of 2148 | N/A | C:\Users\Admin\AppData\Local\Temp\c2ef692d84f694cd08e3238ae431c5636be2dc51342782c20a577eb05217557e.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2456 wrote to memory of 2148 | N/A | C:\Users\Admin\AppData\Local\Temp\c2ef692d84f694cd08e3238ae431c5636be2dc51342782c20a577eb05217557e.exe | C:\Windows\SysWOW64\WerFault.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\c2ef692d84f694cd08e3238ae431c5636be2dc51342782c20a577eb05217557e.exe
"C:\Users\Admin\AppData\Local\Temp\c2ef692d84f694cd08e3238ae431c5636be2dc51342782c20a577eb05217557e.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2456 -s 52
Network
Files
memory/2456-0-0x0000000000030000-0x0000000000031000-memory.dmp
memory/2456-1-0x0000000000030000-0x0000000000031000-memory.dmp
Analysis: behavioral28
Detonation Overview
Submitted
2024-05-10 12:35
Reported
2024-05-10 12:39
Platform
win7-20240215-en
Max time kernel
118s
Max time network
119s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\fc8b501a1823496ec4685f1c935710517b2ee5331f98bf10c5eb7b69350e59d3.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1568 wrote to memory of 2740 | N/A | C:\Users\Admin\AppData\Local\Temp\fc8b501a1823496ec4685f1c935710517b2ee5331f98bf10c5eb7b69350e59d3.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 1568 wrote to memory of 2740 | N/A | C:\Users\Admin\AppData\Local\Temp\fc8b501a1823496ec4685f1c935710517b2ee5331f98bf10c5eb7b69350e59d3.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 1568 wrote to memory of 2740 | N/A | C:\Users\Admin\AppData\Local\Temp\fc8b501a1823496ec4685f1c935710517b2ee5331f98bf10c5eb7b69350e59d3.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 1568 wrote to memory of 2740 | N/A | C:\Users\Admin\AppData\Local\Temp\fc8b501a1823496ec4685f1c935710517b2ee5331f98bf10c5eb7b69350e59d3.exe | C:\Windows\SysWOW64\WerFault.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\fc8b501a1823496ec4685f1c935710517b2ee5331f98bf10c5eb7b69350e59d3.exe
"C:\Users\Admin\AppData\Local\Temp\fc8b501a1823496ec4685f1c935710517b2ee5331f98bf10c5eb7b69350e59d3.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1568 -s 116
Network
Files
memory/1568-0-0x0000000001279000-0x000000000127A000-memory.dmp
Analysis: behavioral11
Detonation Overview
Submitted
2024-05-10 12:35
Reported
2024-05-10 12:39
Platform
win10v2004-20240508-en
Max time kernel
141s
Max time network
156s
Command Line
Signatures
Amadey
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7507750.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7507750.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7507750.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7507750.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7507750.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7507750.exe | N/A |
SmokeLoader
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b3281386.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4192759.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7507750.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b3281386.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c8559996.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7507750.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\6d684b37ca877d403cebced125fab4f36a37e290840da5678e0d43fd35796a5c.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4192759.exe | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c8559996.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c8559996.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c8559996.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7507750.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7507750.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7507750.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b3281386.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\6d684b37ca877d403cebced125fab4f36a37e290840da5678e0d43fd35796a5c.exe
"C:\Users\Admin\AppData\Local\Temp\6d684b37ca877d403cebced125fab4f36a37e290840da5678e0d43fd35796a5c.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4192759.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4192759.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7507750.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7507750.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b3281386.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b3281386.exe
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
"C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c8559996.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c8559996.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN danke.exe /TR "C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "danke.exe" /P "Admin:N"&&CACLS "danke.exe" /P "Admin:R" /E&&echo Y|CACLS "..\3ec1f323b5" /P "Admin:N"&&CACLS "..\3ec1f323b5" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "danke.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "danke.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\3ec1f323b5" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\3ec1f323b5" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| BE | 88.221.83.248:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| BE | 88.221.83.248:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 248.83.221.88.in-addr.arpa | udp |
| FI | 77.91.68.3:80 | tcp | |
| FI | 77.91.68.3:80 | tcp | |
| FI | 77.91.68.3:80 | tcp | |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| FI | 77.91.68.3:80 | tcp | |
| FI | 77.91.68.3:80 | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4192759.exe
| MD5 | f6c9e67f472f01eccc2c794be5bc61cf |
| SHA1 | 65ca30935f69dd98e136485fa24ecd00dd2afdef |
| SHA256 | 079faabeddf8ac54de6accc9d09b63bf543afdcaf395234f1dbfcf46c5d56d99 |
| SHA512 | ba9c4a04454db187a5fbfd64068729523b364bf72085e6b08607970e4cad972691dafc125981b52178f4fd8ea0d5314e42e61d7852ed4c912521a5a4809bfac6 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7507750.exe
| MD5 | f5773b2b65f54e39abe894025d6c9885 |
| SHA1 | 3f9d26e35dff7640478119ff8550b6ad5363dfde |
| SHA256 | 9788cb0fcb4b0bb8086babe2cf499aec511ce0a867ad0c79e79c5c9d9a57d561 |
| SHA512 | 27a9015725854d7740536c7d403bd4b01f1baa4e4d6bf195f6b25e9055d58b397303d8aef8d833d761eb1ed62563fe4b7c7a12af0edbf80ba1dea3eb24dfb016 |
memory/2600-14-0x00007FF8AE553000-0x00007FF8AE555000-memory.dmp
memory/2600-15-0x0000000000330000-0x000000000033A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b3281386.exe
| MD5 | 1ff19e67a2ae75ad45eebf9693ec503d |
| SHA1 | 3f3da59265845f64d1f29c92706acf35fb4ab1b5 |
| SHA256 | d0ecd3340d3c57da9d342be0aef3027e74adbb8834be7d05c28942eda33f8708 |
| SHA512 | 9810192a9a0b4410edb1726150f94fdb9091889b656a79cdbe8bb78d2b041c0a173c8f36baa7e52b1d0bb4731fe3a749bc84b3b671a425a0f905a3707f0e9571 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c8559996.exe
| MD5 | 499339c2340f225b81aa84b57a06c69f |
| SHA1 | 602c6e3a1ca624caa1ec4cc92dfd62ebde523033 |
| SHA256 | 31c962983a5dcb34c366ea726a6e4defcf6db78d259516edcc1b6336a297bbba |
| SHA512 | a60cedbdb39bec49434526a46369199fa6e41cec24c30764821818e1335fc107123430c61190a265747118e54de289691912c1fa89fc89a79e350813e419838e |
memory/3232-33-0x0000000000400000-0x0000000000409000-memory.dmp
Analysis: behavioral22
Detonation Overview
Submitted
2024-05-10 12:35
Reported
2024-05-10 12:39
Platform
win10v2004-20240426-en
Max time kernel
148s
Max time network
153s
Command Line
Signatures
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k8000827.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k8000827.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k8000827.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k8000827.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k8000827.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k8000827.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8792484.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y3682092.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k8000827.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l8276002.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k8000827.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k8000827.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\ca6d56a637f121ee6406def5cf89663c3e54b2e175e98d4469fb3e3a46e190da.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8792484.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y3682092.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k8000827.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k8000827.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k8000827.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ca6d56a637f121ee6406def5cf89663c3e54b2e175e98d4469fb3e3a46e190da.exe
"C:\Users\Admin\AppData\Local\Temp\ca6d56a637f121ee6406def5cf89663c3e54b2e175e98d4469fb3e3a46e190da.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8792484.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8792484.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y3682092.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y3682092.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k8000827.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k8000827.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l8276002.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l8276002.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| FI | 77.91.68.56:19071 | tcp | |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| FI | 77.91.68.56:19071 | tcp | |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| FI | 77.91.68.56:19071 | tcp | |
| FI | 77.91.68.56:19071 | tcp | |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| BE | 88.221.83.185:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| BE | 88.221.83.185:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 185.83.221.88.in-addr.arpa | udp |
| FI | 77.91.68.56:19071 | tcp | |
| FI | 77.91.68.56:19071 | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8792484.exe
| MD5 | e9c35fad007c9abb695cdf32a6ef8350 |
| SHA1 | d97cc8e389c68e9aff8d28d0691db3da4b56e93d |
| SHA256 | a7e240048e51d605d4c92f47e4dae2c31558849be479794c2ee0761e240ef03d |
| SHA512 | c6e80f476737b9d56d884438fe2045c3b42ce5e2ebc0833ec786f4c75df10934c67e0b194b79174e6588de14de2d651da5b788553ac3e7a619f3effc110c0ef7 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y3682092.exe
| MD5 | eac44c7b9549f1b58cf25c60ee304435 |
| SHA1 | bf66fe6604311066fd2d8de1743af49c8f902edf |
| SHA256 | 7adab0943d097033395ba73d8760b3f523fd636a0bb13c8ac0dd37f0a63be91d |
| SHA512 | c32120a4fbeb8b9bff77a9d5fb8f324752524fb8edd87387a28780c0e6eb0affad63a26860f682abac7835ddbcee4cdb9b67f2ecb3a22bdc57802509b5af5ade |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k8000827.exe
| MD5 | 82c2b3a4497da45e69dce662504c47f7 |
| SHA1 | 068c99cc9b40709f9967d393edd5a9e56b269015 |
| SHA256 | cc13fa7cc073a8810513c3fc4bea322132f6c659785cc68a6d11368fe4b11e7d |
| SHA512 | b99991a938c78a90830c08285e98a552c5e0f7eb7717c1a2d4f89f4553bc452944b8b0bf91ad3b930fd9b2c21422fad73b975779c8a7e7a6932b6100fc13e55b |
memory/3112-21-0x0000000000401000-0x0000000000404000-memory.dmp
memory/3112-22-0x00000000004A0000-0x00000000004DE000-memory.dmp
memory/3112-28-0x00000000004A0000-0x00000000004DE000-memory.dmp
memory/3112-29-0x0000000002440000-0x0000000002441000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l8276002.exe
| MD5 | 6d30780150b36e2b9c70bcf294a2fba7 |
| SHA1 | 60555be1736e34f14a4fb14aa8f1196d982dd29f |
| SHA256 | fcf9145080af193ac72b17a81c9a76688e37ebd172c6b47e39a4ecd1aedd17fd |
| SHA512 | 2dc7a5f53794b4c548861f10fad1f0d79e7485cb2bb4de388f3109f8b82d22d1b87456d2e4f9d19d356180fc8cbebb74d3cd696059bd0c1c60284e45895cc58c |
memory/1932-35-0x0000000002050000-0x00000000020DC000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\System.dll.log
| MD5 | 916851e072fbabc4796d8916c5131092 |
| SHA1 | d48a602229a690c512d5fdaf4c8d77547a88e7a2 |
| SHA256 | 7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d |
| SHA512 | 07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521 |
memory/1932-42-0x0000000002050000-0x00000000020DC000-memory.dmp
memory/1932-44-0x0000000002510000-0x0000000002516000-memory.dmp
memory/1932-45-0x0000000005B50000-0x0000000006168000-memory.dmp
memory/1932-46-0x00000000061F0000-0x00000000062FA000-memory.dmp
memory/1932-47-0x0000000006320000-0x0000000006332000-memory.dmp
memory/1932-48-0x0000000006340000-0x000000000637C000-memory.dmp
memory/1932-49-0x00000000063B0000-0x00000000063FC000-memory.dmp
Analysis: behavioral9
Detonation Overview
Submitted
2024-05-10 12:35
Reported
2024-05-10 12:39
Platform
win10v2004-20240226-en
Max time kernel
151s
Max time network
166s
Command Line
Signatures
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3719439.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3719439.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3719439.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3719439.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3719439.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3719439.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3756826.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3719439.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l6925739.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3719439.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3719439.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3756826.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\61f1a776dcd13885a5979397d5b945e89d26cfcfe61e000ac89070e4a45bc562.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3719439.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3719439.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3719439.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\61f1a776dcd13885a5979397d5b945e89d26cfcfe61e000ac89070e4a45bc562.exe
"C:\Users\Admin\AppData\Local\Temp\61f1a776dcd13885a5979397d5b945e89d26cfcfe61e000ac89070e4a45bc562.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3756826.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3756826.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3719439.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3719439.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3792 --field-trial-handle=2356,i,13261194862334667799,7441241219475888176,262144 --variations-seed-version /prefetch:8
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l6925739.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l6925739.exe
Network
| Country | Destination | Domain | Proto |
| GB | 142.250.178.10:443 | tcp | |
| GB | 23.44.234.16:80 | tcp | |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 13.107.253.64:443 | tcp | |
| US | 8.8.8.8:53 | 239.249.30.184.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| DE | 217.196.96.101:4132 | tcp | |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| DE | 217.196.96.101:4132 | tcp | |
| DE | 217.196.96.101:4132 | tcp | |
| US | 8.8.8.8:53 | 12.173.189.20.in-addr.arpa | udp |
| DE | 217.196.96.101:4132 | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3756826.exe
| MD5 | ca2ad17b64a10b961c2b14a7e47a8030 |
| SHA1 | a339ebb686b832fc87af3c287f67d8ef52e140e8 |
| SHA256 | 23bc83a4a63831c87e6d79e2b366e2534c967a13a377e66f4d92e226f9e8be94 |
| SHA512 | ad5e5a03336562d58b02f2556eb833fe3c39d2a7c47584379059cc5a584be1efc981cde4c84a350a4bb244502a73fb7bf0bee7b03b4ef002bb6ecc17d3caff04 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3719439.exe
| MD5 | 0e2a8712db80505e38c2816483598edf |
| SHA1 | 8ff6735fc1c080fb73825928f2bf9aa409b3758c |
| SHA256 | a88a17437aa434a4c8df1657b4ac4c72d5d65247c160b7d2351101a2955ecd0c |
| SHA512 | 1076c1d65c2bd3be562d57ebe5a00af294242456a80a4149e3ae5ed1816a35abdab48cca90617ccb9839a14020391ed425cedba42f63c75b8488f45485108d91 |
memory/5032-14-0x0000000074A7E000-0x0000000074A7F000-memory.dmp
memory/5032-15-0x0000000002260000-0x000000000227A000-memory.dmp
memory/5032-16-0x0000000074A70000-0x0000000075220000-memory.dmp
memory/5032-17-0x0000000074A70000-0x0000000075220000-memory.dmp
memory/5032-18-0x0000000074A70000-0x0000000075220000-memory.dmp
memory/5032-19-0x0000000004CD0000-0x0000000005274000-memory.dmp
memory/5032-20-0x0000000002670000-0x0000000002688000-memory.dmp
memory/5032-22-0x0000000002670000-0x0000000002682000-memory.dmp
memory/5032-24-0x0000000002670000-0x0000000002682000-memory.dmp
memory/5032-46-0x0000000002670000-0x0000000002682000-memory.dmp
memory/5032-44-0x0000000002670000-0x0000000002682000-memory.dmp
memory/5032-42-0x0000000002670000-0x0000000002682000-memory.dmp
memory/5032-40-0x0000000002670000-0x0000000002682000-memory.dmp
memory/5032-38-0x0000000002670000-0x0000000002682000-memory.dmp
memory/5032-36-0x0000000002670000-0x0000000002682000-memory.dmp
memory/5032-34-0x0000000002670000-0x0000000002682000-memory.dmp
memory/5032-32-0x0000000002670000-0x0000000002682000-memory.dmp
memory/5032-31-0x0000000002670000-0x0000000002682000-memory.dmp
memory/5032-28-0x0000000002670000-0x0000000002682000-memory.dmp
memory/5032-48-0x0000000002670000-0x0000000002682000-memory.dmp
memory/5032-26-0x0000000002670000-0x0000000002682000-memory.dmp
memory/5032-21-0x0000000002670000-0x0000000002682000-memory.dmp
memory/5032-49-0x0000000074A7E000-0x0000000074A7F000-memory.dmp
memory/5032-51-0x0000000074A70000-0x0000000075220000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l6925739.exe
| MD5 | 9eb1e1ed0fb5f198b60699f1d6f2c4d8 |
| SHA1 | 0a93100586a585ffaceecff9c67cf28e703b67d2 |
| SHA256 | 0fce1f4c2a87e2bdccfe4c3112f837d1fdeb91edb113f055787e29000a4a348b |
| SHA512 | fe9679472176c5d0648355a230eb9b77a19d565b17cb957a14d96d60df338f039ddbbdc97c611776239e8b5b3e842c85e8ac6b50882feb59917a1bb12496140d |
memory/1104-55-0x0000000000B80000-0x0000000000BB0000-memory.dmp
memory/1104-56-0x0000000002E30000-0x0000000002E36000-memory.dmp
memory/1104-57-0x0000000005C00000-0x0000000006218000-memory.dmp
memory/1104-58-0x0000000005710000-0x000000000581A000-memory.dmp
memory/1104-59-0x0000000005640000-0x0000000005652000-memory.dmp
memory/1104-60-0x00000000056A0000-0x00000000056DC000-memory.dmp
memory/1104-61-0x0000000005820000-0x000000000586C000-memory.dmp
Analysis: behavioral19
Detonation Overview
Submitted
2024-05-10 12:35
Reported
2024-05-10 12:39
Platform
win10v2004-20240426-en
Max time kernel
143s
Max time network
137s
Command Line
Signatures
Detect ZGRat V1
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
ZGRat
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4036 set thread context of 3204 | N/A | C:\Users\Admin\AppData\Local\Temp\c2ef692d84f694cd08e3238ae431c5636be2dc51342782c20a577eb05217557e.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\c2ef692d84f694cd08e3238ae431c5636be2dc51342782c20a577eb05217557e.exe
"C:\Users\Admin\AppData\Local\Temp\c2ef692d84f694cd08e3238ae431c5636be2dc51342782c20a577eb05217557e.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Network
| Country | Destination | Domain | Proto |
| RU | 147.45.47.64:11837 | tcp | |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| BE | 88.221.83.192:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 192.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.47.45.147.in-addr.arpa | udp |
| BE | 88.221.83.192:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.99.105.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
Files
memory/4036-0-0x00000000007C0000-0x00000000007C1000-memory.dmp
memory/4036-1-0x00000000007C0000-0x00000000007C1000-memory.dmp
memory/4036-3-0x00000000007C0000-0x00000000007C1000-memory.dmp
memory/3204-2-0x0000000000400000-0x000000000044A000-memory.dmp
memory/3204-4-0x00000000740DE000-0x00000000740DF000-memory.dmp
memory/3204-5-0x00000000053A0000-0x0000000005944000-memory.dmp
memory/3204-6-0x0000000004E90000-0x0000000004F22000-memory.dmp
memory/3204-7-0x00000000740D0000-0x0000000074880000-memory.dmp
memory/3204-8-0x0000000004E70000-0x0000000004E7A000-memory.dmp
memory/3204-9-0x00000000064C0000-0x0000000006AD8000-memory.dmp
memory/3204-10-0x0000000005FF0000-0x00000000060FA000-memory.dmp
memory/3204-11-0x0000000005F20000-0x0000000005F32000-memory.dmp
memory/3204-12-0x0000000005F80000-0x0000000005FBC000-memory.dmp
memory/3204-13-0x0000000006100000-0x000000000614C000-memory.dmp
memory/3204-14-0x0000000006210000-0x0000000006276000-memory.dmp
memory/3204-15-0x0000000006B60000-0x0000000006BD6000-memory.dmp
memory/3204-16-0x0000000006B20000-0x0000000006B3E000-memory.dmp
memory/3204-17-0x0000000008430000-0x00000000085F2000-memory.dmp
memory/3204-18-0x0000000008B30000-0x000000000905C000-memory.dmp
memory/3204-20-0x00000000740D0000-0x0000000074880000-memory.dmp
Analysis: behavioral23
Detonation Overview
Submitted
2024-05-10 12:35
Reported
2024-05-10 12:39
Platform
win7-20240508-en
Max time kernel
148s
Max time network
153s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\db14966ca75480a4e8f9f3d18c7bada2f205a1ac7404dbeda068279afa55b1cb.exe
"C:\Users\Admin\AppData\Local\Temp\db14966ca75480a4e8f9f3d18c7bada2f205a1ac7404dbeda068279afa55b1cb.exe"
Network
| Country | Destination | Domain | Proto |
| MD | 176.123.9.142:14845 | tcp | |
| MD | 176.123.9.142:14845 | tcp | |
| MD | 176.123.9.142:14845 | tcp | |
| MD | 176.123.9.142:14845 | tcp | |
| MD | 176.123.9.142:14845 | tcp | |
| MD | 176.123.9.142:14845 | tcp | |
| MD | 176.123.9.142:14845 | tcp | |
| MD | 176.123.9.142:14845 | tcp | |
| MD | 176.123.9.142:14845 | tcp | |
| MD | 176.123.9.142:14845 | tcp | |
| MD | 176.123.9.142:14845 | tcp | |
| MD | 176.123.9.142:14845 | tcp | |
| MD | 176.123.9.142:14845 | tcp | |
| MD | 176.123.9.142:14845 | tcp | |
| MD | 176.123.9.142:14845 | tcp | |
| MD | 176.123.9.142:14845 | tcp | |
| MD | 176.123.9.142:14845 | tcp | |
| MD | 176.123.9.142:14845 | tcp | |
| MD | 176.123.9.142:14845 | tcp | |
| MD | 176.123.9.142:14845 | tcp | |
| MD | 176.123.9.142:14845 | tcp | |
| MD | 176.123.9.142:14845 | tcp | |
| MD | 176.123.9.142:14845 | tcp |
Files
memory/1932-0-0x00000000002A0000-0x00000000002D0000-memory.dmp
memory/1932-4-0x0000000000401000-0x0000000000402000-memory.dmp
memory/1932-5-0x0000000000400000-0x0000000000446000-memory.dmp
memory/1932-6-0x00000000004A0000-0x00000000004A6000-memory.dmp
Analysis: behavioral5
Detonation Overview
Submitted
2024-05-10 12:35
Reported
2024-05-10 12:39
Platform
win10v2004-20240226-en
Max time kernel
157s
Max time network
163s
Command Line
Signatures
Amadey
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7008015.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7008015.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7008015.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7008015.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7008015.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7008015.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
SmokeLoader
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b7865879.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5770759.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1936485.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7008015.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b7865879.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c5034781.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d3489522.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7008015.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5770759.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1936485.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\1ed736973ca7eb70129cafb36c292298f34a8a710160e69aeec7ad93760ed83e.exe | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c5034781.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c5034781.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c5034781.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7008015.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7008015.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c5034781.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c5034781.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c5034781.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7008015.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b7865879.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\1ed736973ca7eb70129cafb36c292298f34a8a710160e69aeec7ad93760ed83e.exe
"C:\Users\Admin\AppData\Local\Temp\1ed736973ca7eb70129cafb36c292298f34a8a710160e69aeec7ad93760ed83e.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5770759.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5770759.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1936485.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1936485.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7008015.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7008015.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b7865879.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b7865879.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3996 --field-trial-handle=2256,i,6670388345726423024,18382795228658886258,262144 --variations-seed-version /prefetch:8
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
"C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe"
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c5034781.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c5034781.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN danke.exe /TR "C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "danke.exe" /P "Admin:N"&&CACLS "danke.exe" /P "Admin:R" /E&&echo Y|CACLS "..\3ec1f323b5" /P "Admin:N"&&CACLS "..\3ec1f323b5" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "danke.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "danke.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\3ec1f323b5" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\3ec1f323b5" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d3489522.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d3489522.exe
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
Network
| Country | Destination | Domain | Proto |
| US | 20.231.121.79:80 | tcp | |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 139.53.16.96.in-addr.arpa | udp |
| FI | 77.91.68.3:80 | tcp | |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| GB | 172.217.169.42:443 | chromewebstore.googleapis.com | tcp |
| US | 8.8.8.8:53 | 42.169.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| FI | 77.91.68.56:19071 | tcp | |
| FI | 77.91.68.29:80 | tcp | |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| FI | 77.91.68.29:80 | tcp | |
| FI | 77.91.68.56:19071 | tcp | |
| FI | 77.91.68.3:80 | tcp | |
| FI | 77.91.68.56:19071 | tcp | |
| US | 8.8.8.8:53 | 104.246.116.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| FI | 77.91.68.3:80 | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5770759.exe
| MD5 | e5fee7b57e9630eb6cbe1861cb6d1a82 |
| SHA1 | de69d6c77a4db78be5c7239199528da46bd4a9b9 |
| SHA256 | e7da30afc9870af8478dffe8cb7c3517dbcd725d83d3c9e7435cc5bcfaa1a76d |
| SHA512 | c7af1fd9383094548929920e18b2adeb6d07fded702fc748f557d913ad8521c666e419aee611d994ec94154830967e39d797a98ba0cd18ab10548ce85f6a02ba |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1936485.exe
| MD5 | b3f0cfa1b2d4fab75074fe1a7b426ebb |
| SHA1 | 61d950a5d649826b8b646453df4398cdd56189b9 |
| SHA256 | 0bd882b9fd1549e5b281cbaa19a8a2a2952a03219737db0af5cadf4e817c0561 |
| SHA512 | 0141c9f835859df5fa0d8a04d010482961a693bada72d57e60677ee84b79bc86e59b523b3a4f9168fb240a815d9f80fbba05cc0d5f5a7f7d0415d0eabef699d0 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7008015.exe
| MD5 | c9767fb557c8496da35f32149019f254 |
| SHA1 | dc206616148aad4e06dd3fb380d34b4ba15a9c6d |
| SHA256 | d039e2510d33b0cca9b9d06c2be8152c5e126660c7860649dd966e1a7b375e9c |
| SHA512 | f9c225248b0a8f9766b936694f71b347a0f006110928d26717d886d6b78f1b9ea3b3518a3123004cb20c4d4ffa5eb394bd169641163b297046a967f1ac9c4445 |
memory/1052-21-0x00007FF97B1D3000-0x00007FF97B1D5000-memory.dmp
memory/1052-22-0x0000000000AF0000-0x0000000000AFA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b7865879.exe
| MD5 | 9728e9852854da025b4314bd0fd3687c |
| SHA1 | 6a87c09c8e29b6ca1c336416088f12cce0c206f8 |
| SHA256 | 2c0f306d091f752e409e8bcbe20934ffa23430a90dea79c62aff27ee1b3035cf |
| SHA512 | 23df44bd9f5ae665f2d4c320603162b1d98b30b5610e99b5a9082843d76f0a6444e83e1c1792c2febf20d771b297777af8faa0403ba80f2f3f8b1c487abf7144 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c5034781.exe
| MD5 | c4c414d786976435cb8561c43d8dc57d |
| SHA1 | fd73133d3509d1a6982b000a75b9dbdc7769ec22 |
| SHA256 | 129a6c5e5a8d98619b5be3818dfde6bab9c5345171d9d8401b886fed0660817a |
| SHA512 | 744106f95b8f57ea59e2906a7cbaf2e1a172cee013be12f0752b3308c428f92f9824a2497f3fced82d9124d3ab52448d3b240889fdad26925e710aa47f67b028 |
memory/4512-40-0x0000000000400000-0x0000000000409000-memory.dmp
memory/3356-41-0x0000000001090000-0x00000000010A6000-memory.dmp
memory/4512-44-0x0000000000400000-0x0000000000409000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d3489522.exe
| MD5 | fd61776b34b5a58e732533da17d122d0 |
| SHA1 | 336015c059047a658ea57b6ebe49418d23a65593 |
| SHA256 | 64faeec435f51816cff0efdacc9e777d677400fd7a59bc1e037a24ec7ae7cb4b |
| SHA512 | afbd9465a721b8e447359c88451f9525ecc5f3aedf79be424b49d4a93d5921797854471257fb1f1ea7d967e56d54aec7b712773875f92fd4335e5a12afd4fc68 |
memory/4700-48-0x00000000000E0000-0x0000000000110000-memory.dmp
memory/4700-49-0x0000000006E90000-0x0000000006E96000-memory.dmp
memory/4700-50-0x000000000A510000-0x000000000AB28000-memory.dmp
memory/4700-51-0x000000000A090000-0x000000000A19A000-memory.dmp
memory/4700-52-0x0000000009FD0000-0x0000000009FE2000-memory.dmp
memory/4700-53-0x000000000A030000-0x000000000A06C000-memory.dmp
memory/4700-54-0x000000000A1A0000-0x000000000A1EC000-memory.dmp
Analysis: behavioral7
Detonation Overview
Submitted
2024-05-10 12:35
Reported
2024-05-10 12:39
Platform
win7-20240508-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\5a4570005d13d7c9c706dbdc0cc5ee5b8dfd33f7be6a6204a95d2134e3a483a4.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2416 wrote to memory of 2132 | N/A | C:\Users\Admin\AppData\Local\Temp\5a4570005d13d7c9c706dbdc0cc5ee5b8dfd33f7be6a6204a95d2134e3a483a4.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2416 wrote to memory of 2132 | N/A | C:\Users\Admin\AppData\Local\Temp\5a4570005d13d7c9c706dbdc0cc5ee5b8dfd33f7be6a6204a95d2134e3a483a4.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2416 wrote to memory of 2132 | N/A | C:\Users\Admin\AppData\Local\Temp\5a4570005d13d7c9c706dbdc0cc5ee5b8dfd33f7be6a6204a95d2134e3a483a4.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2416 wrote to memory of 2132 | N/A | C:\Users\Admin\AppData\Local\Temp\5a4570005d13d7c9c706dbdc0cc5ee5b8dfd33f7be6a6204a95d2134e3a483a4.exe | C:\Windows\SysWOW64\WerFault.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\5a4570005d13d7c9c706dbdc0cc5ee5b8dfd33f7be6a6204a95d2134e3a483a4.exe
"C:\Users\Admin\AppData\Local\Temp\5a4570005d13d7c9c706dbdc0cc5ee5b8dfd33f7be6a6204a95d2134e3a483a4.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2416 -s 52
Network
Files
memory/2416-0-0x0000000000030000-0x0000000000031000-memory.dmp
memory/2416-1-0x0000000000030000-0x0000000000031000-memory.dmp
Analysis: behavioral10
Detonation Overview
Submitted
2024-05-10 12:35
Reported
2024-05-10 12:39
Platform
win10v2004-20240426-en
Max time kernel
148s
Max time network
152s
Command Line
Signatures
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a2651355.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a2651355.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b7896309.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b7896309.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b7896309.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b7896309.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b7896309.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a2651355.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a2651355.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a2651355.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a2651355.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b7896309.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9063373.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6210097.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9238337.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3931201.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a2651355.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b7896309.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c4075312.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a2651355.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a2651355.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b7896309.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\67045db9602c0bb02004555fcae5f1c816ba6ebea367c933be035b042c153501.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9063373.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6210097.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9238337.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3931201.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a2651355.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a2651355.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b7896309.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b7896309.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a2651355.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b7896309.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\67045db9602c0bb02004555fcae5f1c816ba6ebea367c933be035b042c153501.exe
"C:\Users\Admin\AppData\Local\Temp\67045db9602c0bb02004555fcae5f1c816ba6ebea367c933be035b042c153501.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9063373.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9063373.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6210097.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6210097.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9238337.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9238337.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3931201.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3931201.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a2651355.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a2651355.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b7896309.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b7896309.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c4075312.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c4075312.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| FI | 77.91.68.56:19071 | tcp | |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| FI | 77.91.68.56:19071 | tcp | |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| FI | 77.91.68.56:19071 | tcp | |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| BE | 2.17.107.122:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 122.107.17.2.in-addr.arpa | udp |
| FI | 77.91.68.56:19071 | tcp | |
| FI | 77.91.68.56:19071 | tcp | |
| US | 8.8.8.8:53 | 209.143.182.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9063373.exe
| MD5 | 2c2992bee297eb92a1c30c47f171520d |
| SHA1 | 1aa27a41eb69ed9a6ab90e36fcfb302fd0fd89af |
| SHA256 | 1ec8ce9ace042665b07a0abc5b206634b1417b5f2a4a00b4554147d518832396 |
| SHA512 | efb5cd6594ce8dbc6635cc04210e5e362f0a3ae2c65d5bc161ec903cd96cd58ffaee72fef87fd72fd71e67e09cb7ee0255e82d9944940d6cdb96277f4eacbbb7 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6210097.exe
| MD5 | e4759911e541d7a543ea033b0928ddf4 |
| SHA1 | e39c427a6cf47b16cddabfd2c7fb00038e1dbe1f |
| SHA256 | f8dfa98c4e38deff7955c243f9db7b01692e43c0997eca9e5e141cc565cf05be |
| SHA512 | 7760d634d8a8b0a2e2c9847c4c367589607de2d7ac43112830289dbf3585902dd0f824ebfcab04040f701afa6b86884824aed2f032e6c09714ac8575b7bf9e42 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9238337.exe
| MD5 | f4f787db36502a2e05f39da6a313e914 |
| SHA1 | 4f842c75ce854d86420f9790c47c81bdcecd7c5d |
| SHA256 | 3df74027fece0dd6e6c9f46260e3c886ecbcfd4dce43ac64a90f1211d78fe588 |
| SHA512 | 0728509f9668750a075e73175e48f90625f5e62ef3d1e95641d654d43f749dacb1012110c6e445aa64308a64b0d23c447041ab0ec994300a6b06a1091523d52b |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3931201.exe
| MD5 | a11dbc01603450452854f17aa7ea1eef |
| SHA1 | 18436f7c4a7a4477c0baa93ddc108babce9491bf |
| SHA256 | 2d2e176ff101b33e0adec2558415b76c1425ba9502c4b652c64b4751dd11181c |
| SHA512 | 1ac3b35ac7b8742c8eded217595f30ae25eff216409bddd3cc18809ff6e5d873c7feae6e1e3501dc02bebe2205f9f9e8db9718c76315b679ca8ce73aca2135bf |
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a2651355.exe
| MD5 | 175e3db636d9fd541cc11991815ea662 |
| SHA1 | c5e30c78f298c1aa26768bc036795e19ed7e60d7 |
| SHA256 | c39106a3520b59f859a00bc0014f6b5a4846b40742a925b66283b31e62094c4e |
| SHA512 | 06b1bc8a9746e8dfd1a4d72e98b8b76a1f543ae0c72c9e0233dce81451d7521f586da373e69459170a8d9442da4883f8247cfb9714227744c765c892583ac5c9 |
memory/4868-36-0x00000000006A0000-0x00000000006DE000-memory.dmp
memory/4868-41-0x00000000006A0000-0x00000000006DE000-memory.dmp
memory/4868-42-0x0000000002300000-0x0000000002301000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b7896309.exe
| MD5 | 06d9b8f9236b959006976da775fea5e7 |
| SHA1 | 46d5c5e6a3e7de6138cd764509a6754ce24d9484 |
| SHA256 | 77353ead4144432dfd0e8fc833c458c8b88fb5d6bf7c9818ac430be40983b7f5 |
| SHA512 | ec0c6135f2b39d70cb35bd713d5fd9a0876055b46584f3535067f0f162be149024770c990e61ee041eabe5d3daf53aac49e747bb96189c3fa17346774a5edc6d |
memory/772-48-0x0000000000EA0000-0x0000000000EAA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c4075312.exe
| MD5 | dd10174f7fa3d017558c8310bf07d851 |
| SHA1 | 08d795a3d2334906da989e46a7e57d4ba9aa9f41 |
| SHA256 | cd9de412cda28c677351594338bc352dbcafb8652328624f624263b71bac3604 |
| SHA512 | a714e8babdc8d8a0a9f8e6ef6430d4f1cde70d3d80a902a1e247eb93bdf76e91fa89c4132708e0c632469b725c625ae65e30a908f02018f10b23460a02ec9d05 |
memory/724-54-0x0000000001FC0000-0x000000000204C000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\System.dll.log
| MD5 | 916851e072fbabc4796d8916c5131092 |
| SHA1 | d48a602229a690c512d5fdaf4c8d77547a88e7a2 |
| SHA256 | 7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d |
| SHA512 | 07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521 |
memory/724-60-0x0000000001FC0000-0x000000000204C000-memory.dmp
memory/724-62-0x00000000023C0000-0x00000000023C6000-memory.dmp
memory/724-63-0x000000000A570000-0x000000000AB88000-memory.dmp
memory/724-64-0x0000000009F50000-0x000000000A05A000-memory.dmp
memory/724-65-0x000000000A080000-0x000000000A092000-memory.dmp
memory/724-66-0x000000000A0A0000-0x000000000A0DC000-memory.dmp
memory/724-67-0x000000000A110000-0x000000000A15C000-memory.dmp
Analysis: behavioral13
Detonation Overview
Submitted
2024-05-10 12:35
Reported
2024-05-10 12:40
Platform
win10v2004-20240426-en
Max time kernel
142s
Max time network
105s
Command Line
Signatures
Lumma Stealer
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4428 set thread context of 5252 | N/A | C:\Users\Admin\AppData\Local\Temp\77cbabe9fe3b8b9ac3422f2b29fbcb0cdb9ee85c7b64b2bde48da25f6ef608cf.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\77cbabe9fe3b8b9ac3422f2b29fbcb0cdb9ee85c7b64b2bde48da25f6ef608cf.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\77cbabe9fe3b8b9ac3422f2b29fbcb0cdb9ee85c7b64b2bde48da25f6ef608cf.exe
"C:\Users\Admin\AppData\Local\Temp\77cbabe9fe3b8b9ac3422f2b29fbcb0cdb9ee85c7b64b2bde48da25f6ef608cf.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4428 -ip 4428
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4428 -s 328
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | plasterdaughejsijuk.shop | udp |
| US | 172.67.193.141:443 | plasterdaughejsijuk.shop | tcp |
| US | 8.8.8.8:53 | productivelookewr.shop | udp |
| US | 172.67.150.207:443 | productivelookewr.shop | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 141.193.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 207.150.67.172.in-addr.arpa | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | tolerateilusidjukl.shop | udp |
| US | 172.67.147.41:443 | tolerateilusidjukl.shop | tcp |
| BE | 2.17.107.131:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | shatterbreathepsw.shop | udp |
| US | 172.67.169.43:443 | shatterbreathepsw.shop | tcp |
| US | 8.8.8.8:53 | shortsvelventysjo.shop | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.147.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 131.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.169.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 104.21.16.225:443 | shortsvelventysjo.shop | tcp |
| US | 8.8.8.8:53 | 225.16.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | incredibleextedwj.shop | udp |
| US | 104.21.86.106:443 | incredibleextedwj.shop | tcp |
| US | 8.8.8.8:53 | 106.86.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | alcojoldwograpciw.shop | udp |
| US | 104.21.48.243:443 | alcojoldwograpciw.shop | tcp |
| US | 8.8.8.8:53 | liabilitynighstjsko.shop | udp |
| US | 172.67.192.138:443 | liabilitynighstjsko.shop | tcp |
| US | 8.8.8.8:53 | 243.48.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | demonstationfukewko.shop | udp |
| US | 104.21.33.174:443 | demonstationfukewko.shop | tcp |
| US | 8.8.8.8:53 | 174.33.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.192.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
Files
memory/4428-0-0x0000000000384000-0x0000000000386000-memory.dmp
memory/5252-3-0x0000000000400000-0x000000000044E000-memory.dmp
memory/5252-4-0x0000000000400000-0x000000000044E000-memory.dmp
memory/5252-1-0x0000000000400000-0x000000000044E000-memory.dmp
Analysis: behavioral14
Detonation Overview
Submitted
2024-05-10 12:35
Reported
2024-05-10 12:39
Platform
win10v2004-20240508-en
Max time kernel
148s
Max time network
154s
Command Line
Signatures
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0366696.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0366696.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0366696.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0366696.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0366696.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0366696.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8920385.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0366696.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l3800882.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0366696.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0366696.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8920385.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\8a73bb4899be69e1a77d74c46f81ca29b85b5c67b642e09f9735dec87b8b4cc3.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0366696.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0366696.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0366696.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\8a73bb4899be69e1a77d74c46f81ca29b85b5c67b642e09f9735dec87b8b4cc3.exe
"C:\Users\Admin\AppData\Local\Temp\8a73bb4899be69e1a77d74c46f81ca29b85b5c67b642e09f9735dec87b8b4cc3.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8920385.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8920385.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0366696.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0366696.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l3800882.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l3800882.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 82.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| BE | 88.221.83.201:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 58.99.105.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 201.83.221.88.in-addr.arpa | udp |
| DE | 217.196.96.101:4132 | tcp | |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| DE | 217.196.96.101:4132 | tcp | |
| US | 8.8.8.8:53 | 142.53.16.96.in-addr.arpa | udp |
| DE | 217.196.96.101:4132 | tcp | |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| DE | 217.196.96.101:4132 | tcp | |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| DE | 217.196.96.101:4132 | tcp | |
| DE | 217.196.96.101:4132 | tcp | |
| US | 8.8.8.8:53 | 15.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8920385.exe
| MD5 | 564c7dd5cd6f43333f3726a1067fa7b4 |
| SHA1 | d435fc75ad9860e41732452696f59c04373531cf |
| SHA256 | 0ed66c396d2ae7b2fd68b55a0d8f255e6d017c11dabaec1a6f3550321e83f664 |
| SHA512 | efcbdffc5f2992a4ed1dfa092a0ed9bde85116c09570a40a945a1e9a2211a32562e572ff51706334d97de832126faebdeaa878dafb0683c8e84b119e8a576c5a |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0366696.exe
| MD5 | b4a4c6e6401ce4043ed5f212555de317 |
| SHA1 | c6f6c6513769019907b51ff23d0683a5bd197f2a |
| SHA256 | 4c411c6600d1f65ea9a585a5f125792c5f74ca5e41d63fc2bd70c60d3b9e7447 |
| SHA512 | 68b9fd346cddae31abd19022f854ce9b77f48a37cbb8b852ffcab4b3550011e27f1859f33ac2f4745f4838b8084f2a8e9674cd43dfbd18b945f395946b2b3974 |
memory/1844-14-0x00000000746AE000-0x00000000746AF000-memory.dmp
memory/1844-15-0x0000000004A10000-0x0000000004A2A000-memory.dmp
memory/1844-16-0x0000000004AA0000-0x0000000005044000-memory.dmp
memory/1844-18-0x0000000005090000-0x00000000050A8000-memory.dmp
memory/1844-17-0x00000000746A0000-0x0000000074E50000-memory.dmp
memory/1844-19-0x00000000746A0000-0x0000000074E50000-memory.dmp
memory/1844-45-0x0000000005090000-0x00000000050A2000-memory.dmp
memory/1844-47-0x0000000005090000-0x00000000050A2000-memory.dmp
memory/1844-37-0x0000000005090000-0x00000000050A2000-memory.dmp
memory/1844-35-0x0000000005090000-0x00000000050A2000-memory.dmp
memory/1844-33-0x0000000005090000-0x00000000050A2000-memory.dmp
memory/1844-31-0x0000000005090000-0x00000000050A2000-memory.dmp
memory/1844-29-0x0000000005090000-0x00000000050A2000-memory.dmp
memory/1844-27-0x0000000005090000-0x00000000050A2000-memory.dmp
memory/1844-25-0x0000000005090000-0x00000000050A2000-memory.dmp
memory/1844-23-0x0000000005090000-0x00000000050A2000-memory.dmp
memory/1844-21-0x0000000005090000-0x00000000050A2000-memory.dmp
memory/1844-43-0x0000000005090000-0x00000000050A2000-memory.dmp
memory/1844-41-0x0000000005090000-0x00000000050A2000-memory.dmp
memory/1844-39-0x0000000005090000-0x00000000050A2000-memory.dmp
memory/1844-20-0x0000000005090000-0x00000000050A2000-memory.dmp
memory/1844-48-0x00000000746A0000-0x0000000074E50000-memory.dmp
memory/1844-50-0x00000000746A0000-0x0000000074E50000-memory.dmp
memory/1492-54-0x0000000000D80000-0x0000000000DB0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l3800882.exe
| MD5 | fecafbd83c6218e3ad98ca6c7d0b5671 |
| SHA1 | 72376a75ab9ce874cfb24df53b52700fb059f47e |
| SHA256 | af55b182e0f5bf4176ceb683cf3e1196ddc159afc733b576be40e6c3b62f793e |
| SHA512 | f44966c871ee17bc71186242b485a768ef6ac48a100a02232d2586b36fc9d0703e3dbfbddce6e55938c586e24aa3c38cbd6bdc47151bc4f51ffbcabd137db8f9 |
memory/1492-55-0x0000000005460000-0x0000000005466000-memory.dmp
memory/1492-56-0x0000000005E00000-0x0000000006418000-memory.dmp
memory/1492-57-0x0000000005910000-0x0000000005A1A000-memory.dmp
memory/1492-58-0x0000000005840000-0x0000000005852000-memory.dmp
memory/1492-59-0x00000000058A0000-0x00000000058DC000-memory.dmp
memory/1492-60-0x0000000005A20000-0x0000000005A6C000-memory.dmp
Analysis: behavioral16
Detonation Overview
Submitted
2024-05-10 12:35
Reported
2024-05-10 12:40
Platform
win10v2004-20240508-en
Max time kernel
143s
Max time network
153s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 116 set thread context of 1888 | N/A | C:\Users\Admin\AppData\Local\Temp\8db3c27c31541a43d1adeae01ca7caf3f0c8d6e3733168917ea04d58d7e4a488.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\8db3c27c31541a43d1adeae01ca7caf3f0c8d6e3733168917ea04d58d7e4a488.exe
"C:\Users\Admin\AppData\Local\Temp\8db3c27c31541a43d1adeae01ca7caf3f0c8d6e3733168917ea04d58d7e4a488.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.19.67.172.in-addr.arpa | udp |
| BE | 88.221.83.219:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 219.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
Files
memory/116-0-0x0000000000B00000-0x0000000000B01000-memory.dmp
memory/116-1-0x0000000000B00000-0x0000000000B01000-memory.dmp
memory/116-3-0x0000000000B00000-0x0000000000B01000-memory.dmp
memory/1888-2-0x0000000000400000-0x0000000000422000-memory.dmp
memory/1888-4-0x000000007501E000-0x000000007501F000-memory.dmp
memory/1888-5-0x00000000057A0000-0x0000000005806000-memory.dmp
memory/1888-6-0x00000000062F0000-0x0000000006908000-memory.dmp
memory/1888-7-0x0000000005D60000-0x0000000005D72000-memory.dmp
memory/1888-8-0x0000000005E90000-0x0000000005F9A000-memory.dmp
memory/1888-9-0x0000000075010000-0x00000000757C0000-memory.dmp
memory/1888-10-0x000000007501E000-0x000000007501F000-memory.dmp
memory/1888-11-0x0000000075010000-0x00000000757C0000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-05-10 12:35
Reported
2024-05-10 12:39
Platform
win10v2004-20240508-en
Max time kernel
148s
Max time network
152s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2564 set thread context of 2600 | N/A | C:\Users\Admin\AppData\Local\Temp\1d90edda9fc0271748934c0813b8946478823a33b5892d1be2ddf3d383fbc851.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\1d90edda9fc0271748934c0813b8946478823a33b5892d1be2ddf3d383fbc851.exe
"C:\Users\Admin\AppData\Local\Temp\1d90edda9fc0271748934c0813b8946478823a33b5892d1be2ddf3d383fbc851.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| BE | 88.221.83.200:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 24.19.67.172.in-addr.arpa | udp |
| BE | 88.221.83.200:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | 235.4.20.104.in-addr.arpa | udp |
Files
memory/2564-0-0x0000000000F79000-0x0000000000F7A000-memory.dmp
memory/2600-1-0x0000000000400000-0x0000000000422000-memory.dmp
memory/2600-2-0x000000007473E000-0x000000007473F000-memory.dmp
memory/2600-3-0x0000000004EF0000-0x0000000004F56000-memory.dmp
memory/2600-4-0x0000000005A40000-0x0000000006058000-memory.dmp
memory/2600-5-0x00000000054C0000-0x00000000054D2000-memory.dmp
memory/2600-6-0x00000000055F0000-0x00000000056FA000-memory.dmp
memory/2600-7-0x0000000074730000-0x0000000074EE0000-memory.dmp
memory/2600-8-0x000000007473E000-0x000000007473F000-memory.dmp
memory/2600-9-0x0000000074730000-0x0000000074EE0000-memory.dmp
Analysis: behavioral12
Detonation Overview
Submitted
2024-05-10 12:35
Reported
2024-05-10 12:39
Platform
win7-20240221-en
Max time kernel
119s
Max time network
121s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\77cbabe9fe3b8b9ac3422f2b29fbcb0cdb9ee85c7b64b2bde48da25f6ef608cf.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2864 wrote to memory of 2924 | N/A | C:\Users\Admin\AppData\Local\Temp\77cbabe9fe3b8b9ac3422f2b29fbcb0cdb9ee85c7b64b2bde48da25f6ef608cf.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2864 wrote to memory of 2924 | N/A | C:\Users\Admin\AppData\Local\Temp\77cbabe9fe3b8b9ac3422f2b29fbcb0cdb9ee85c7b64b2bde48da25f6ef608cf.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2864 wrote to memory of 2924 | N/A | C:\Users\Admin\AppData\Local\Temp\77cbabe9fe3b8b9ac3422f2b29fbcb0cdb9ee85c7b64b2bde48da25f6ef608cf.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2864 wrote to memory of 2924 | N/A | C:\Users\Admin\AppData\Local\Temp\77cbabe9fe3b8b9ac3422f2b29fbcb0cdb9ee85c7b64b2bde48da25f6ef608cf.exe | C:\Windows\SysWOW64\WerFault.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\77cbabe9fe3b8b9ac3422f2b29fbcb0cdb9ee85c7b64b2bde48da25f6ef608cf.exe
"C:\Users\Admin\AppData\Local\Temp\77cbabe9fe3b8b9ac3422f2b29fbcb0cdb9ee85c7b64b2bde48da25f6ef608cf.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2864 -s 116
Network
Files
memory/2864-0-0x0000000000D54000-0x0000000000D56000-memory.dmp
Analysis: behavioral6
Detonation Overview
Submitted
2024-05-10 12:35
Reported
2024-05-10 12:39
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
152s
Command Line
Signatures
Amadey
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4362728.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4362728.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4362728.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4362728.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4362728.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4362728.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l2300210.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7041233.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4362728.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l2300210.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n4310013.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4362728.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\559234fc528754d07d788aa5eff30aba166a9bab82e9eda45a9737647b0e9fe2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7041233.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4362728.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4362728.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4362728.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\559234fc528754d07d788aa5eff30aba166a9bab82e9eda45a9737647b0e9fe2.exe
"C:\Users\Admin\AppData\Local\Temp\559234fc528754d07d788aa5eff30aba166a9bab82e9eda45a9737647b0e9fe2.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7041233.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7041233.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4362728.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4362728.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l2300210.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l2300210.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
"C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n4310013.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n4310013.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN pdates.exe /TR "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "pdates.exe" /P "Admin:N"&&CACLS "pdates.exe" /P "Admin:R" /E&&echo Y|CACLS "..\925e7e99c5" /P "Admin:N"&&CACLS "..\925e7e99c5" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "pdates.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "pdates.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\925e7e99c5" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\925e7e99c5" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| BE | 88.221.83.210:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 210.83.221.88.in-addr.arpa | udp |
| FI | 77.91.68.61:80 | tcp | |
| FI | 77.91.124.84:19071 | tcp | |
| FI | 77.91.124.84:19071 | tcp | |
| FI | 77.91.68.61:80 | tcp | |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| FI | 77.91.124.84:19071 | tcp | |
| FI | 77.91.68.61:80 | tcp | |
| FI | 77.91.124.84:19071 | tcp | |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| FI | 77.91.124.84:19071 | tcp | |
| FI | 77.91.124.84:19071 | tcp | |
| US | 8.8.8.8:53 | 11.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7041233.exe
| MD5 | 183806bbe94ffb23e6c01226cd4915ee |
| SHA1 | 998b949e4c20f7ba170dea950bdae3b362d59bda |
| SHA256 | ac3392df31711209fa4a6b0583d8e3db99d3338ef656d3323c32c66826ccaf11 |
| SHA512 | 8243f4aba19476b089b4d59ab2ee4a7e461dc8e0aa0e6837c08369fecc1d76cbfb231c59a25abc155e892ab9c0caac755e2848fb7b33c44dac7d6a7dc15b6e01 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4362728.exe
| MD5 | 7e93bacbbc33e6652e147e7fe07572a0 |
| SHA1 | 421a7167da01c8da4dc4d5234ca3dd84e319e762 |
| SHA256 | 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38 |
| SHA512 | 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91 |
memory/3712-14-0x0000000000200000-0x000000000020A000-memory.dmp
memory/3712-15-0x00007FF89D6D3000-0x00007FF89D6D5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l2300210.exe
| MD5 | aea234064483f651010cf9d981f59fea |
| SHA1 | 002ad73a666d2d92d0c6d6b617e61c6fa0c5f3a6 |
| SHA256 | 58b02c8b4bc2bf7f5f1e8e45d7c206956f188ae56b648922ca75987b999db503 |
| SHA512 | eae415ef55aeb1b4548c2422a72e618fce17c2c1322918d33dc6b9202a01c743a5684ba28e5d83b6cdb2b703bc12569e6bb0e87ef2decb4e8a18592e1380a434 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n4310013.exe
| MD5 | 5ff1425b42293387a69b84bac555297e |
| SHA1 | d7c86fcedc65935563218b66e9df4a5c6e7e409f |
| SHA256 | 4b1981dd1b27cd2d082d28431e9362e0d3d435cb227fd209d28c56bf791c835e |
| SHA512 | 6c022f100a89b8a000596d7ab737d117b574e19126b907dd83c917ca85159baf207bc438bca6ac360cd86bfef925327cb3a573f47834e2a592343c16c4909265 |
memory/4752-33-0x0000000000F80000-0x0000000000FB0000-memory.dmp
memory/4752-34-0x0000000003210000-0x0000000003216000-memory.dmp
memory/4752-35-0x0000000005F00000-0x0000000006518000-memory.dmp
memory/4752-36-0x00000000059F0000-0x0000000005AFA000-memory.dmp
memory/4752-37-0x0000000005910000-0x0000000005922000-memory.dmp
memory/4752-38-0x0000000005970000-0x00000000059AC000-memory.dmp
memory/4752-39-0x0000000005B00000-0x0000000005B4C000-memory.dmp
Analysis: behavioral25
Detonation Overview
Submitted
2024-05-10 12:35
Reported
2024-05-10 12:40
Platform
win7-20240220-en
Max time kernel
122s
Max time network
124s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\e800205bb9a5d3866d735915080e828250891d7d9c930245afd8def35dd08dfd.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2176 wrote to memory of 1592 | N/A | C:\Users\Admin\AppData\Local\Temp\e800205bb9a5d3866d735915080e828250891d7d9c930245afd8def35dd08dfd.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2176 wrote to memory of 1592 | N/A | C:\Users\Admin\AppData\Local\Temp\e800205bb9a5d3866d735915080e828250891d7d9c930245afd8def35dd08dfd.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2176 wrote to memory of 1592 | N/A | C:\Users\Admin\AppData\Local\Temp\e800205bb9a5d3866d735915080e828250891d7d9c930245afd8def35dd08dfd.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2176 wrote to memory of 1592 | N/A | C:\Users\Admin\AppData\Local\Temp\e800205bb9a5d3866d735915080e828250891d7d9c930245afd8def35dd08dfd.exe | C:\Windows\SysWOW64\WerFault.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\e800205bb9a5d3866d735915080e828250891d7d9c930245afd8def35dd08dfd.exe
"C:\Users\Admin\AppData\Local\Temp\e800205bb9a5d3866d735915080e828250891d7d9c930245afd8def35dd08dfd.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2176 -s 116
Network
Files
memory/2176-0-0x0000000000CC6000-0x0000000000CC7000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-10 12:35
Reported
2024-05-10 12:39
Platform
win10v2004-20240508-en
Max time kernel
142s
Max time network
152s
Command Line
Signatures
Amadey
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h6299789.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h6299789.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h6299789.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h6299789.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h6299789.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h6299789.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g6769642.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4707813.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g6769642.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h6299789.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j7773066.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h6299789.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\1d059ca891566e0006cb4534dc4ff845fedd1d3d468c12366e12f98a815ed7d4.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4707813.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h6299789.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h6299789.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h6299789.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\1d059ca891566e0006cb4534dc4ff845fedd1d3d468c12366e12f98a815ed7d4.exe
"C:\Users\Admin\AppData\Local\Temp\1d059ca891566e0006cb4534dc4ff845fedd1d3d468c12366e12f98a815ed7d4.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4707813.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4707813.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g6769642.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g6769642.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
"C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe"
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h6299789.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h6299789.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN pdates.exe /TR "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "pdates.exe" /P "Admin:N"&&CACLS "pdates.exe" /P "Admin:R" /E&&echo Y|CACLS "..\925e7e99c5" /P "Admin:N"&&CACLS "..\925e7e99c5" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "pdates.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "pdates.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\925e7e99c5" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\925e7e99c5" /P "Admin:R" /E
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4252,i,16710585221322798697,8586257254049248207,262144 --variations-seed-version --mojo-platform-channel-handle=4604 /prefetch:8
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j7773066.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j7773066.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| FI | 77.91.68.61:80 | tcp | |
| BE | 2.17.107.131:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 131.107.17.2.in-addr.arpa | udp |
| FI | 77.91.68.68:19071 | tcp | |
| FI | 77.91.68.68:19071 | tcp | |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| FI | 77.91.68.61:80 | tcp | |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| FI | 77.91.68.68:19071 | tcp | |
| FI | 77.91.68.61:80 | tcp | |
| FI | 77.91.68.68:19071 | tcp | |
| FI | 77.91.68.68:19071 | tcp | |
| FI | 77.91.68.68:19071 | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4707813.exe
| MD5 | 8f60ba120e19ad8816b6be6fba6df1c8 |
| SHA1 | cfce501aefdaf27580c3c267c18dc40d388fe9f8 |
| SHA256 | 18c735c8cb1cefb78e97a96795b953e64ace0111065000dcc15624852066d0e5 |
| SHA512 | 9e3cae60814cdb4ad60e9fb8ccf39d9ad0d9cc2750683c4c6e3da9551f645e0f3d8bd9ce9c551b7ddc9d79c60b2911dee5981a297a9fad36d769d1d924238559 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g6769642.exe
| MD5 | aea234064483f651010cf9d981f59fea |
| SHA1 | 002ad73a666d2d92d0c6d6b617e61c6fa0c5f3a6 |
| SHA256 | 58b02c8b4bc2bf7f5f1e8e45d7c206956f188ae56b648922ca75987b999db503 |
| SHA512 | eae415ef55aeb1b4548c2422a72e618fce17c2c1322918d33dc6b9202a01c743a5684ba28e5d83b6cdb2b703bc12569e6bb0e87ef2decb4e8a18592e1380a434 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h6299789.exe
| MD5 | 7e93bacbbc33e6652e147e7fe07572a0 |
| SHA1 | 421a7167da01c8da4dc4d5234ca3dd84e319e762 |
| SHA256 | 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38 |
| SHA512 | 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91 |
memory/2836-27-0x0000000000EF0000-0x0000000000EFA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j7773066.exe
| MD5 | 03486d7d10f8be93fb55a5a125d79353 |
| SHA1 | 1926c46e2a3ba3f22d2b9a3ec6ff8314bd0d9527 |
| SHA256 | ae95cc3dad2258838bab37078d58f17b2cad2b6a60c313168261a564185745bc |
| SHA512 | 8e380b3e029485f352fc97c51cc1a3d0de69fb7ea83112449390ff0959752849fde05abd72b8439a487a1e3e7d06980bdc90066387fe5d349c7a700e67db335b |
memory/2948-32-0x0000000000430000-0x0000000000460000-memory.dmp
memory/2948-33-0x0000000002750000-0x0000000002756000-memory.dmp
memory/2948-34-0x000000000A8B0000-0x000000000AEC8000-memory.dmp
memory/2948-35-0x000000000A3E0000-0x000000000A4EA000-memory.dmp
memory/2948-36-0x000000000A320000-0x000000000A332000-memory.dmp
memory/2948-37-0x000000000A380000-0x000000000A3BC000-memory.dmp
memory/2948-38-0x00000000028A0000-0x00000000028EC000-memory.dmp
Analysis: behavioral8
Detonation Overview
Submitted
2024-05-10 12:35
Reported
2024-05-10 12:39
Platform
win10v2004-20240426-en
Max time kernel
136s
Max time network
153s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4304 set thread context of 4088 | N/A | C:\Users\Admin\AppData\Local\Temp\5a4570005d13d7c9c706dbdc0cc5ee5b8dfd33f7be6a6204a95d2134e3a483a4.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\5a4570005d13d7c9c706dbdc0cc5ee5b8dfd33f7be6a6204a95d2134e3a483a4.exe
"C:\Users\Admin\AppData\Local\Temp\5a4570005d13d7c9c706dbdc0cc5ee5b8dfd33f7be6a6204a95d2134e3a483a4.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | 24.19.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| BE | 88.221.83.210:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 210.83.221.88.in-addr.arpa | udp |
| BE | 88.221.83.210:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
Files
memory/4304-0-0x0000000000340000-0x0000000000341000-memory.dmp
memory/4088-1-0x0000000000400000-0x0000000000422000-memory.dmp
memory/4304-3-0x0000000000340000-0x0000000000341000-memory.dmp
memory/4088-4-0x00000000741CE000-0x00000000741CF000-memory.dmp
memory/4088-5-0x0000000005120000-0x0000000005186000-memory.dmp
memory/4088-6-0x0000000005C40000-0x0000000006258000-memory.dmp
memory/4088-7-0x00000000056D0000-0x00000000056E2000-memory.dmp
memory/4088-8-0x0000000005800000-0x000000000590A000-memory.dmp
memory/4088-9-0x00000000741C0000-0x0000000074970000-memory.dmp
memory/4088-10-0x00000000741CE000-0x00000000741CF000-memory.dmp
memory/4088-11-0x00000000741C0000-0x0000000074970000-memory.dmp
Analysis: behavioral15
Detonation Overview
Submitted
2024-05-10 12:35
Reported
2024-05-10 12:39
Platform
win7-20240221-en
Max time kernel
122s
Max time network
124s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\8db3c27c31541a43d1adeae01ca7caf3f0c8d6e3733168917ea04d58d7e4a488.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1444 wrote to memory of 2372 | N/A | C:\Users\Admin\AppData\Local\Temp\8db3c27c31541a43d1adeae01ca7caf3f0c8d6e3733168917ea04d58d7e4a488.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 1444 wrote to memory of 2372 | N/A | C:\Users\Admin\AppData\Local\Temp\8db3c27c31541a43d1adeae01ca7caf3f0c8d6e3733168917ea04d58d7e4a488.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 1444 wrote to memory of 2372 | N/A | C:\Users\Admin\AppData\Local\Temp\8db3c27c31541a43d1adeae01ca7caf3f0c8d6e3733168917ea04d58d7e4a488.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 1444 wrote to memory of 2372 | N/A | C:\Users\Admin\AppData\Local\Temp\8db3c27c31541a43d1adeae01ca7caf3f0c8d6e3733168917ea04d58d7e4a488.exe | C:\Windows\SysWOW64\WerFault.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\8db3c27c31541a43d1adeae01ca7caf3f0c8d6e3733168917ea04d58d7e4a488.exe
"C:\Users\Admin\AppData\Local\Temp\8db3c27c31541a43d1adeae01ca7caf3f0c8d6e3733168917ea04d58d7e4a488.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1444 -s 52
Network
Files
memory/1444-0-0x0000000000030000-0x0000000000031000-memory.dmp
memory/1444-1-0x0000000000030000-0x0000000000031000-memory.dmp
Analysis: behavioral20
Detonation Overview
Submitted
2024-05-10 12:35
Reported
2024-05-10 12:39
Platform
win7-20240508-en
Max time kernel
121s
Max time network
124s
Command Line
Signatures
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\c39106a3520b59f859a00bc0014f6b5a4846b40742a925b66283b31e62094c4e.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\c39106a3520b59f859a00bc0014f6b5a4846b40742a925b66283b31e62094c4e.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\c39106a3520b59f859a00bc0014f6b5a4846b40742a925b66283b31e62094c4e.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\c39106a3520b59f859a00bc0014f6b5a4846b40742a925b66283b31e62094c4e.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\c39106a3520b59f859a00bc0014f6b5a4846b40742a925b66283b31e62094c4e.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\c39106a3520b59f859a00bc0014f6b5a4846b40742a925b66283b31e62094c4e.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\c39106a3520b59f859a00bc0014f6b5a4846b40742a925b66283b31e62094c4e.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\c39106a3520b59f859a00bc0014f6b5a4846b40742a925b66283b31e62094c4e.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c39106a3520b59f859a00bc0014f6b5a4846b40742a925b66283b31e62094c4e.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c39106a3520b59f859a00bc0014f6b5a4846b40742a925b66283b31e62094c4e.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\c39106a3520b59f859a00bc0014f6b5a4846b40742a925b66283b31e62094c4e.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\c39106a3520b59f859a00bc0014f6b5a4846b40742a925b66283b31e62094c4e.exe
"C:\Users\Admin\AppData\Local\Temp\c39106a3520b59f859a00bc0014f6b5a4846b40742a925b66283b31e62094c4e.exe"
Network
Files
memory/2892-0-0x00000000002B0000-0x00000000002EE000-memory.dmp
memory/2892-6-0x0000000000401000-0x0000000000404000-memory.dmp
memory/2892-7-0x0000000000400000-0x000000000044E000-memory.dmp
memory/2892-8-0x00000000002B0000-0x00000000002EE000-memory.dmp
memory/2892-9-0x00000000004A0000-0x00000000004A1000-memory.dmp
Analysis: behavioral21
Detonation Overview
Submitted
2024-05-10 12:35
Reported
2024-05-10 12:39
Platform
win10v2004-20240426-en
Max time kernel
150s
Max time network
154s
Command Line
Signatures
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\c39106a3520b59f859a00bc0014f6b5a4846b40742a925b66283b31e62094c4e.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\c39106a3520b59f859a00bc0014f6b5a4846b40742a925b66283b31e62094c4e.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\c39106a3520b59f859a00bc0014f6b5a4846b40742a925b66283b31e62094c4e.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\c39106a3520b59f859a00bc0014f6b5a4846b40742a925b66283b31e62094c4e.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\c39106a3520b59f859a00bc0014f6b5a4846b40742a925b66283b31e62094c4e.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\c39106a3520b59f859a00bc0014f6b5a4846b40742a925b66283b31e62094c4e.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\c39106a3520b59f859a00bc0014f6b5a4846b40742a925b66283b31e62094c4e.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\c39106a3520b59f859a00bc0014f6b5a4846b40742a925b66283b31e62094c4e.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c39106a3520b59f859a00bc0014f6b5a4846b40742a925b66283b31e62094c4e.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c39106a3520b59f859a00bc0014f6b5a4846b40742a925b66283b31e62094c4e.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\c39106a3520b59f859a00bc0014f6b5a4846b40742a925b66283b31e62094c4e.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\c39106a3520b59f859a00bc0014f6b5a4846b40742a925b66283b31e62094c4e.exe
"C:\Users\Admin\AppData\Local\Temp\c39106a3520b59f859a00bc0014f6b5a4846b40742a925b66283b31e62094c4e.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| BE | 88.221.83.233:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.83.221.88.in-addr.arpa | udp |
| BE | 88.221.83.233:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 142.53.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.143.182.52.in-addr.arpa | udp |
Files
memory/4764-0-0x0000000002060000-0x000000000209E000-memory.dmp
memory/4764-6-0x0000000000401000-0x0000000000404000-memory.dmp
memory/4764-7-0x0000000000400000-0x000000000044E000-memory.dmp
memory/4764-8-0x0000000002060000-0x000000000209E000-memory.dmp
memory/4764-9-0x00000000024B0000-0x00000000024B1000-memory.dmp
Analysis: behavioral26
Detonation Overview
Submitted
2024-05-10 12:35
Reported
2024-05-10 12:40
Platform
win10v2004-20240508-en
Max time kernel
95s
Max time network
101s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4824 set thread context of 3236 | N/A | C:\Users\Admin\AppData\Local\Temp\e800205bb9a5d3866d735915080e828250891d7d9c930245afd8def35dd08dfd.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\e800205bb9a5d3866d735915080e828250891d7d9c930245afd8def35dd08dfd.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\e800205bb9a5d3866d735915080e828250891d7d9c930245afd8def35dd08dfd.exe
"C:\Users\Admin\AppData\Local\Temp\e800205bb9a5d3866d735915080e828250891d7d9c930245afd8def35dd08dfd.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4824 -ip 4824
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4824 -s 320
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | 24.19.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | omnomnom.top | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| DE | 195.201.252.28:443 | omnomnom.top | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.252.201.195.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| BE | 88.221.83.217:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 217.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 139.53.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
Files
memory/4824-0-0x0000000000B26000-0x0000000000B27000-memory.dmp
memory/3236-1-0x0000000000400000-0x0000000000422000-memory.dmp
memory/3236-2-0x00000000746DE000-0x00000000746DF000-memory.dmp
memory/3236-3-0x0000000005030000-0x0000000005096000-memory.dmp
memory/3236-4-0x0000000005B50000-0x0000000006168000-memory.dmp
memory/3236-5-0x00000000055E0000-0x00000000055F2000-memory.dmp
memory/3236-6-0x0000000005710000-0x000000000581A000-memory.dmp
memory/3236-7-0x00000000746D0000-0x0000000074E80000-memory.dmp
memory/3236-8-0x0000000005AB0000-0x0000000005AEC000-memory.dmp
memory/3236-9-0x0000000005AF0000-0x0000000005B3C000-memory.dmp
memory/3236-10-0x0000000006750000-0x0000000006912000-memory.dmp
memory/3236-11-0x0000000006E50000-0x000000000737C000-memory.dmp
memory/3236-12-0x0000000006920000-0x00000000069B2000-memory.dmp
memory/3236-13-0x0000000007930000-0x0000000007ED4000-memory.dmp
memory/3236-14-0x0000000006C80000-0x0000000006CF6000-memory.dmp
memory/3236-15-0x0000000006B40000-0x0000000006B5E000-memory.dmp
memory/3236-16-0x0000000006DC0000-0x0000000006E10000-memory.dmp
memory/3236-18-0x00000000746D0000-0x0000000074E80000-memory.dmp