Analysis Overview
SHA256
205ae779babd66a06edef8f4549388af61dbb854e06c82a7f291317f4dbe780e
Threat Level: Known bad
The file 205ae779babd66a06edef8f4549388af61dbb854e06c82a7f291317f4dbe780e was found to be: Known bad.
Malicious Activity Summary
RedLine
Healer
SmokeLoader
Modifies Windows Defender Real-time Protection settings
Amadey
Detects Healer an antivirus disabler dropper
RedLine payload
UPX packed file
Checks computer location settings
Windows security modification
Executes dropped EXE
Reads user/profile data of web browsers
Adds Run key to start application
Accesses cryptocurrency files/wallets, possible credential harvesting
Legitimate hosting services abused for malware hosting/C2
Checks installed software on the system
Suspicious use of SetThreadContext
Launches sc.exe
Program crash
Enumerates physical storage devices
Unsigned PE
Suspicious use of FindShellTrayWindow
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Checks SCSI registry key(s)
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-10 13:06
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-10 13:06
Reported
2024-05-10 13:09
Platform
win10v2004-20240226-en
Max time kernel
155s
Max time network
159s
Command Line
Signatures
Amadey
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2226444.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2226444.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2226444.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2226444.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2226444.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2226444.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l1782109.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8720694.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2226444.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l1782109.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n8194596.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2226444.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\082abd50bc322e65df7b85b918d5bc248c652483544b6e4c453e9531969df172.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8720694.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2226444.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2226444.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2226444.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l1782109.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\082abd50bc322e65df7b85b918d5bc248c652483544b6e4c453e9531969df172.exe
"C:\Users\Admin\AppData\Local\Temp\082abd50bc322e65df7b85b918d5bc248c652483544b6e4c453e9531969df172.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8720694.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8720694.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2226444.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2226444.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l1782109.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l1782109.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4248 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
"C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n8194596.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n8194596.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN pdates.exe /TR "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "pdates.exe" /P "Admin:N"&&CACLS "pdates.exe" /P "Admin:R" /E&&echo Y|CACLS "..\925e7e99c5" /P "Admin:N"&&CACLS "..\925e7e99c5" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "pdates.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "pdates.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\925e7e99c5" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\925e7e99c5" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| GB | 216.58.212.202:443 | chromewebstore.googleapis.com | tcp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pki.goog | udp |
| US | 8.8.8.8:53 | pki.goog | udp |
| US | 216.239.32.29:80 | pki.goog | tcp |
| US | 8.8.8.8:53 | 202.212.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.32.239.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 139.53.16.96.in-addr.arpa | udp |
| FI | 77.91.68.61:80 | | tcp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| FI | 77.91.68.61:80 | | tcp |
| FI | 77.91.68.61:80 | | tcp |
| FI | 77.91.124.84:19071 | | tcp |
| US | 8.8.8.8:53 | 89.65.42.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8720694.exe
| MD5 | da189977109d11d32e33bdc6d5cdea9b |
| SHA1 | ccae29dd9531ca909a8eceee7be37ab7ccb1ea3b |
| SHA256 | 619342e7a2d2a56110b4861ea944b7b5400c15fa20f096a7b8ee7abc335b74de |
| SHA512 | 2a30512da0f7e7daa952479d8d48fcbb504ffe39f4a7772bb9507ea0eb4fca5396acd95290c2eace9a32608930e8a087986d2505f9b979ecc06f659047fb8fa3 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2226444.exe
| MD5 | 7e93bacbbc33e6652e147e7fe07572a0 |
| SHA1 | 421a7167da01c8da4dc4d5234ca3dd84e319e762 |
| SHA256 | 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38 |
| SHA512 | 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91 |
memory/1468-14-0x00007FFCA2C63000-0x00007FFCA2C65000-memory.dmp
memory/1468-15-0x0000000000870000-0x000000000087A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l1782109.exe
| MD5 | aea234064483f651010cf9d981f59fea |
| SHA1 | 002ad73a666d2d92d0c6d6b617e61c6fa0c5f3a6 |
| SHA256 | 58b02c8b4bc2bf7f5f1e8e45d7c206956f188ae56b648922ca75987b999db503 |
| SHA512 | eae415ef55aeb1b4548c2422a72e618fce17c2c1322918d33dc6b9202a01c743a5684ba28e5d83b6cdb2b703bc12569e6bb0e87ef2decb4e8a18592e1380a434 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n8194596.exe
| MD5 | e8cab8397cf45f1981e4d264fe17ee31 |
| SHA1 | 3c86b93b49b33045dfe3ea7a69895215a88bbf12 |
| SHA256 | a885dd87ad27a729a388d38f048b1741da3dcf55fde65d787ac8467cec83c61b |
| SHA512 | 2cc95545111eace1d05b09694dc4439a88dc0e1cf6eed7dcad77e029ad03fa46ac6b121e6543fef4b71685b03c281a70458d55484d79d75573c85d667705d679 |
memory/3648-33-0x0000000000D90000-0x0000000000DC0000-memory.dmp
memory/3648-34-0x0000000003030000-0x0000000003036000-memory.dmp
memory/3648-36-0x000000000B210000-0x000000000B828000-memory.dmp
memory/3648-37-0x000000000AC30000-0x000000000AD3A000-memory.dmp
memory/3648-38-0x00000000055C0000-0x00000000055D2000-memory.dmp
memory/3648-39-0x000000000AF40000-0x000000000AF7C000-memory.dmp
memory/3648-40-0x000000000B0B0000-0x000000000B0FC000-memory.dmp
Analysis: behavioral6
Detonation Overview
Submitted
2024-05-10 13:06
Reported
2024-05-10 13:09
Platform
win10v2004-20240508-en
Max time kernel
148s
Max time network
150s
Command Line
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\28e73a10869c3ce55af51de963cb8f48eac48b8f171602308b167d940e58899a.exe
"C:\Users\Admin\AppData\Local\Temp\28e73a10869c3ce55af51de963cb8f48eac48b8f171602308b167d940e58899a.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.113:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 113.61.62.23.in-addr.arpa | udp |
| NL | 23.62.61.113:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 139.53.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 170.253.116.51.in-addr.arpa | udp |
Files
memory/3128-0-0x00007FF7F42C0000-0x00007FF7F974F000-memory.dmp
memory/3128-1-0x00007FF7F42C0000-0x00007FF7F974F000-memory.dmp
Analysis: behavioral12
Detonation Overview
Submitted
2024-05-10 13:06
Reported
2024-05-10 13:09
Platform
win10v2004-20240426-en
Max time kernel
142s
Max time network
151s
Command Line
Signatures
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0140419.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0140419.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0140419.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0140419.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0140419.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0140419.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2308083.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0140419.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l0067136.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0140419.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0140419.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\6b061fa4768c28530459442828163e1c4cf33aa058cd0846566771b57ecf36e8.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2308083.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0140419.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0140419.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0140419.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\6b061fa4768c28530459442828163e1c4cf33aa058cd0846566771b57ecf36e8.exe
"C:\Users\Admin\AppData\Local\Temp\6b061fa4768c28530459442828163e1c4cf33aa058cd0846566771b57ecf36e8.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2308083.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2308083.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0140419.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0140419.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l0067136.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l0067136.exe
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start wuauserv
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| NL | 23.62.61.72:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| NL | 23.62.61.99:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| FI | 77.91.68.48:19071 | | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| FI | 77.91.68.48:19071 | | tcp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 139.53.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| FI | 77.91.68.48:19071 | | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| FI | 77.91.68.48:19071 | | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| FI | 77.91.68.48:19071 | | tcp |
| FI | 77.91.68.48:19071 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2308083.exe
| MD5 | 9c6164d041c24db6736a51008707f2a6 |
| SHA1 | c11101f7b72a3a0249f3e873bdd3735c1d8267fe |
| SHA256 | bf73429ee52f9270d33a8197ee4e52727f33a67083eb1ae40adfbc8b2dbe2075 |
| SHA512 | 847f56104d115c6b8e59a02fd5252a6e52a8511faf01b59d86fb3abbef1fab226cc5abce2c8921777c0db88e616b6f14028cdfcbd09fc6b6bfc06c5e4aaca2b0 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0140419.exe
| MD5 | 5663b528b5976a2873c447dbcb05b6af |
| SHA1 | c4e5c3993293c0441f80d4434d177708962bb78f |
| SHA256 | 082e8efad9dc970b2395071b67565558033a397e71cb304fea335ae18b739edf |
| SHA512 | 1c352c1c48faa071b627b152c0898ac7e0e5c685478a79561d388a9a2563ce27c221b05b1e9572b62788dbca008da5858a2d33889b086f254d633f725e3600e2 |
memory/3068-14-0x0000000000430000-0x000000000043A000-memory.dmp
memory/3068-18-0x0000000000401000-0x0000000000402000-memory.dmp
memory/3068-19-0x0000000000400000-0x0000000000412000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l0067136.exe
| MD5 | f5fbed4a17d320d04f69af6ba9604b80 |
| SHA1 | a41d2a644b5bdb23f41b194a06db0fb5e0ff61aa |
| SHA256 | 9a8624b0e10ff7c1764e3cb07d2371b70dd4cf3ad32e8a0f41e5de4db11dacee |
| SHA512 | ae0221d3b79a220d9433c3b2ee243cb61b1f02a65e55337cc40afc978ad3f0c1dc2ae45cabcbe3e69e4e49f25a5db762bf4f891ad2a97fb1a6b11a62dc6c4cda |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\System.dll.log
| MD5 | 916851e072fbabc4796d8916c5131092 |
| SHA1 | d48a602229a690c512d5fdaf4c8d77547a88e7a2 |
| SHA256 | 7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d |
| SHA512 | 07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521 |
memory/3160-26-0x0000000000440000-0x0000000000470000-memory.dmp
memory/3160-30-0x0000000002510000-0x0000000002516000-memory.dmp
memory/3160-31-0x000000000A5D0000-0x000000000ABE8000-memory.dmp
memory/3160-32-0x000000000A020000-0x000000000A12A000-memory.dmp
memory/3160-33-0x000000000A160000-0x000000000A172000-memory.dmp
memory/3160-34-0x000000000A180000-0x000000000A1BC000-memory.dmp
memory/3160-35-0x0000000002490000-0x00000000024DC000-memory.dmp
Analysis: behavioral19
Detonation Overview
Submitted
2024-05-10 13:06
Reported
2024-05-10 13:09
Platform
win10v2004-20240426-en
Max time kernel
148s
Max time network
153s
Command Line
Signatures
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a3027297.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a3027297.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a3027297.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a3027297.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a3027297.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a3027297.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a3027297.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\b5851738.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a3027297.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a3027297.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\c47b15f9672b5795b62a389de76336302127184be510254d08b9b5100134dd7d.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a3027297.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a3027297.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a3027297.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\c47b15f9672b5795b62a389de76336302127184be510254d08b9b5100134dd7d.exe
"C:\Users\Admin\AppData\Local\Temp\c47b15f9672b5795b62a389de76336302127184be510254d08b9b5100134dd7d.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a3027297.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a3027297.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\b5851738.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\b5851738.exe
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start wuauserv
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| DE | 217.196.96.101:4132 | | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| DE | 217.196.96.101:4132 | | tcp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 142.53.16.96.in-addr.arpa | udp |
| DE | 217.196.96.101:4132 | | tcp |
| US | 8.8.8.8:53 | | udp |
| DE | 217.196.96.101:4132 | | tcp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| BE | 88.221.83.248:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 248.83.221.88.in-addr.arpa | udp |
| BE | 88.221.83.248:443 | www.bing.com | tcp |
| DE | 217.196.96.101:4132 | | tcp |
| DE | 217.196.96.101:4132 | | tcp |
| US | 8.8.8.8:53 | 200.64.52.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a3027297.exe
| MD5 | a92537fedf49fd467c41d80bde9ba55d |
| SHA1 | 685abba2395ef1a3405f91e849e452ee4aa99226 |
| SHA256 | a0e9f5fb78ce13719eba331ddc31e1c9e0c7712c8466692695331657658ff404 |
| SHA512 | c90ceefe96baeb9583e1834ec1b3b058785cf466a2d998c32e3e644413e9ad515359ccccb87c8575af0120be27af3dd167dcdbe01c3246fb451b6d321c80282f |
memory/1844-7-0x000000007404E000-0x000000007404F000-memory.dmp
memory/1844-8-0x0000000004A20000-0x0000000004A3A000-memory.dmp
memory/1844-9-0x0000000074040000-0x00000000747F0000-memory.dmp
memory/1844-10-0x0000000004B50000-0x00000000050F4000-memory.dmp
memory/1844-11-0x0000000004AC0000-0x0000000004AD8000-memory.dmp
memory/1844-12-0x0000000074040000-0x00000000747F0000-memory.dmp
memory/1844-40-0x0000000004AC0000-0x0000000004AD2000-memory.dmp
memory/1844-36-0x0000000004AC0000-0x0000000004AD2000-memory.dmp
memory/1844-34-0x0000000004AC0000-0x0000000004AD2000-memory.dmp
memory/1844-32-0x0000000004AC0000-0x0000000004AD2000-memory.dmp
memory/1844-30-0x0000000004AC0000-0x0000000004AD2000-memory.dmp
memory/1844-28-0x0000000004AC0000-0x0000000004AD2000-memory.dmp
memory/1844-26-0x0000000004AC0000-0x0000000004AD2000-memory.dmp
memory/1844-24-0x0000000004AC0000-0x0000000004AD2000-memory.dmp
memory/1844-22-0x0000000004AC0000-0x0000000004AD2000-memory.dmp
memory/1844-20-0x0000000004AC0000-0x0000000004AD2000-memory.dmp
memory/1844-18-0x0000000004AC0000-0x0000000004AD2000-memory.dmp
memory/1844-16-0x0000000004AC0000-0x0000000004AD2000-memory.dmp
memory/1844-41-0x0000000074040000-0x00000000747F0000-memory.dmp
memory/1844-14-0x0000000004AC0000-0x0000000004AD2000-memory.dmp
memory/1844-13-0x0000000004AC0000-0x0000000004AD2000-memory.dmp
memory/1844-38-0x0000000004AC0000-0x0000000004AD2000-memory.dmp
memory/1844-43-0x0000000074040000-0x00000000747F0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\b5851738.exe
| MD5 | a71b72e1859bd9a5c048a3c5ee5dfc7b |
| SHA1 | 99896b37b82091d11c534ec59e0c4204f4cd0fcc |
| SHA256 | 141b7eea951585dfd88dbdcd219722d2d8307fc7cbf8c720bd23e3b897966d60 |
| SHA512 | b970d9a52df7a0f34e53515f0a6ca9f6cd01d6b1efefc0c4ccbd08a789281251a57181f813e2c2ddef1d679e73f15357842367307052dd25204c16904c605ce1 |
memory/4144-48-0x0000000073FF0000-0x000000007409B000-memory.dmp
memory/4144-47-0x00000000005C0000-0x00000000005F0000-memory.dmp
memory/4144-49-0x0000000007230000-0x0000000007236000-memory.dmp
memory/4144-50-0x00000000054D0000-0x0000000005AE8000-memory.dmp
memory/4144-51-0x0000000005000000-0x000000000510A000-memory.dmp
memory/4144-52-0x0000000004F30000-0x0000000004F42000-memory.dmp
memory/4144-53-0x0000000073FF0000-0x000000007409B000-memory.dmp
memory/4144-54-0x0000000004F90000-0x0000000004FCC000-memory.dmp
memory/4144-55-0x0000000005110000-0x000000000515C000-memory.dmp
memory/4144-56-0x0000000073FF0000-0x000000007409B000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-10 13:06
Reported
2024-05-10 13:08
Platform
win10v2004-20240508-en
Max time kernel
142s
Max time network
149s
Command Line
Signatures
Amadey
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2973718.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2973718.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2973718.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2973718.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2973718.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2973718.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l3759546.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2955265.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2973718.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l3759546.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n8940839.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2973718.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\0a70b4612b5a8fdde3e7cb75dcc0caca23c46bd980d396bb52f7efc9d122c8f6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2955265.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2973718.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2973718.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2973718.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\0a70b4612b5a8fdde3e7cb75dcc0caca23c46bd980d396bb52f7efc9d122c8f6.exe
"C:\Users\Admin\AppData\Local\Temp\0a70b4612b5a8fdde3e7cb75dcc0caca23c46bd980d396bb52f7efc9d122c8f6.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2955265.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2955265.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2973718.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2973718.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l3759546.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l3759546.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
"C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n8940839.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n8940839.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN pdates.exe /TR "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "pdates.exe" /P "Admin:N"&&CACLS "pdates.exe" /P "Admin:R" /E&&echo Y|CACLS "..\925e7e99c5" /P "Admin:N"&&CACLS "..\925e7e99c5" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "pdates.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "pdates.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\925e7e99c5" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\925e7e99c5" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| NL | 23.62.61.72:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.61.62.23.in-addr.arpa | udp |
| FI | 77.91.68.61:80 | | tcp |
| FI | 77.91.68.68:19071 | | tcp |
| FI | 77.91.68.68:19071 | | tcp |
| FI | 77.91.68.61:80 | | tcp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| FI | 77.91.68.68:19071 | | tcp |
| FI | 77.91.68.61:80 | | tcp |
| FI | 77.91.68.68:19071 | | tcp |
| FI | 77.91.68.68:19071 | | tcp |
| FI | 77.91.68.68:19071 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2955265.exe
| MD5 | 34ee2fbadc86926a5ebdae520d8b8bc7 |
| SHA1 | 81a7e1c0c107c166b732c62c5cde6ae607262f84 |
| SHA256 | c3419ca6d3b5652bbbf590d16bb76558d2e50db7c19a5c8b75d5d778331fc72a |
| SHA512 | d6b26df54abb97810541d5aa959f8027b745cd5961ea73774c17600eeb73a5e8e895f4d4d82bb7a691156b6d745c60eb112b9b88ab76cd46e6c4cf96b667ceff |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2973718.exe
| MD5 | 7e93bacbbc33e6652e147e7fe07572a0 |
| SHA1 | 421a7167da01c8da4dc4d5234ca3dd84e319e762 |
| SHA256 | 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38 |
| SHA512 | 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91 |
memory/1424-14-0x0000000000E30000-0x0000000000E3A000-memory.dmp
memory/1424-15-0x00007FFAD9AF3000-0x00007FFAD9AF5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l3759546.exe
| MD5 | aea234064483f651010cf9d981f59fea |
| SHA1 | 002ad73a666d2d92d0c6d6b617e61c6fa0c5f3a6 |
| SHA256 | 58b02c8b4bc2bf7f5f1e8e45d7c206956f188ae56b648922ca75987b999db503 |
| SHA512 | eae415ef55aeb1b4548c2422a72e618fce17c2c1322918d33dc6b9202a01c743a5684ba28e5d83b6cdb2b703bc12569e6bb0e87ef2decb4e8a18592e1380a434 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n8940839.exe
| MD5 | 040c2fc21e60fd1273e32e83c974cd88 |
| SHA1 | ef82ffc72b30abcb11808f6b3eb4dc7d8d6673c9 |
| SHA256 | 17e4580522ac41d966ae2ea23fdef97db420a6f218ae6ad2901fab76585acd97 |
| SHA512 | 9350416c817b76a12f41eff48c8fbad4cbcb51cde9aa80af969609d065554f69d8b51a91f07c5e0cbc2fb7b8d3be06053a979e01c2ae3fe77cc1c6fce2740a26 |
Analysis: behavioral3
Detonation Overview
Submitted
2024-05-10 13:06
Reported
2024-05-10 13:08
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Amadey
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a8043257.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a8043257.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a8043257.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a8043257.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a8043257.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a8043257.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
SmokeLoader
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8513497.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7683048.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2538163.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a8043257.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8513497.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c0003853.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d6120877.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a8043257.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\136b546d35913e21d69572f169ae203809c1521256619595aa6b15d763436c01.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7683048.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2538163.exe | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c0003853.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c0003853.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c0003853.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a8043257.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a8043257.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a8043257.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\136b546d35913e21d69572f169ae203809c1521256619595aa6b15d763436c01.exe
"C:\Users\Admin\AppData\Local\Temp\136b546d35913e21d69572f169ae203809c1521256619595aa6b15d763436c01.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7683048.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7683048.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2538163.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2538163.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a8043257.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a8043257.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8513497.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8513497.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
"C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe"
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c0003853.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c0003853.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN pdates.exe /TR "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "pdates.exe" /P "Admin:N"&&CACLS "pdates.exe" /P "Admin:R" /E&&echo Y|CACLS "..\925e7e99c5" /P "Admin:N"&&CACLS "..\925e7e99c5" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "pdates.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "pdates.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\925e7e99c5" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\925e7e99c5" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d6120877.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d6120877.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| NL | 23.62.61.72:443 | www.bing.com | tcp |
| NL | 23.62.61.72:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 72.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| FI | 77.91.68.61:80 | | tcp |
| FI | 77.91.68.68:19071 | | tcp |
| FI | 77.91.68.61:80 | | tcp |
| FI | 77.91.68.68:19071 | | tcp |
| FI | 77.91.68.61:80 | | tcp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| FI | 77.91.68.68:19071 | | tcp |
| FI | 77.91.68.68:19071 | | tcp |
| FI | 77.91.68.68:19071 | | tcp |
| US | 8.8.8.8:53 | 3.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7683048.exe
| MD5 | 17332abda5233f92b5d46c7129dad846 |
| SHA1 | c7d990591355e6988c5466640eb78e54dcc2e302 |
| SHA256 | ddfcd0b0522fe7f3a66080c2b6333eb5f7a503604fc76eaee438af682f2d07a4 |
| SHA512 | 3d1c6678e467003576b981b3093df2b95d457bf46d74821ce51015268b7d61666f86710a893d4e8dda7a9583a6b987cd15897c4fcd618adf25962f17207bb3d7 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2538163.exe
| MD5 | 8494092bb93d80ddf730b1119315a031 |
| SHA1 | 014bb057cd19d4968e160c7a9c231b2932436152 |
| SHA256 | 3d140eebec64936b8b093214a0e589f8ae995b0fe0b8635597c5378284298611 |
| SHA512 | e7114b1b3fcd6ac28b3088cce2d116b7252fd0431cdbcd785b847f30df87bca6f732e952301ed5a595ced88d4125d0996881a5deb321be3432eafaec4aae45f4 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a8043257.exe
| MD5 | 011e97057df685ee7620914e53d80c08 |
| SHA1 | ac78a1ebffc0cce4e987c17d79c8c61db8d4323f |
| SHA256 | a4941dfa59a520e9bcd49d313a2db0770789e7df586131061fe0d5960920941f |
| SHA512 | 8834c2e0977eec550529ca8d3a8956849df2834c8667e8623adc83ec665610a4b1e03f1d1e007d083c5d8e79dc5af84a79ceff3af5dcaca7f4b2c8579bc1e2bc |
memory/3420-21-0x0000000000D90000-0x0000000000D9A000-memory.dmp
memory/3420-22-0x00007FFA71413000-0x00007FFA71415000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8513497.exe
| MD5 | eaf4f611e83549958aae0501949e6113 |
| SHA1 | 5ccdba08aa690d238bea6aca39cc70fb5dc4929e |
| SHA256 | 9b9f97512cf3c162f6952a330b6dfbcf5c3237886fce33aa47a10278e1b460ff |
| SHA512 | 2ee132317513d0c353208abcae8a7703845bf956ed1be9cfdf96abfb1e80c7243dc394b2c274cccded98d42b2b2cf1031984ba7cb0530197598eb35ccf1ed79f |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c0003853.exe
| MD5 | 0d304db5e5b152bb08b93caba5a2d025 |
| SHA1 | 305dd8884ed442f1e2b87ddc9d99598715a61c21 |
| SHA256 | 4c5bc68a3e120a583b90f83f158d22dd67ef9b4bc0ce66b57b130877569dfc71 |
| SHA512 | 1ae21e5d8b19ff67fc0e5d42052314d67d72639cfdbe7a04538578e16d5585587ec1704f830df05392c9e5e92185e0b2e6fd914c1ce7131c3789be8072722060 |
memory/4584-40-0x0000000000400000-0x0000000000409000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d6120877.exe
| MD5 | b4e645e86f9c734c67eae379df6f4a9a |
| SHA1 | b83783629138441cd29e7e458ab4674a871171c3 |
| SHA256 | 0fecb3e2d66bee2c7df80b58166684f3e1ca5a658bfc320d70e067199763086f |
| SHA512 | e23193579d2cde966cc8dfd98d40f776c6b9c8684d5ce6d5e9d18e543e4bc217e185a541735364bf8571d39dd2641bfa3495d59ca0ddbb048c92d17ce9178184 |
Analysis: behavioral7
Detonation Overview
Submitted
2024-05-10 13:06
Reported
2024-05-10 13:09
Platform
win10v2004-20240508-en
Max time kernel
126s
Max time network
152s
Command Line
Signatures
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7088417.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7088417.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7088417.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a9380383.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a9380383.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a9380383.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a9380383.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7088417.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a9380383.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a9380383.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7088417.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7088417.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7446353.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7768253.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3476318.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a9380383.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7088417.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c3299072.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a9380383.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a9380383.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7088417.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3476318.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\3a5fd7dfdeb2d39f59735a8fd4f3621bef5a632886c19bfffeacac3350c44092.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7446353.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7768253.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a9380383.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a9380383.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7088417.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7088417.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a9380383.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7088417.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\3a5fd7dfdeb2d39f59735a8fd4f3621bef5a632886c19bfffeacac3350c44092.exe
"C:\Users\Admin\AppData\Local\Temp\3a5fd7dfdeb2d39f59735a8fd4f3621bef5a632886c19bfffeacac3350c44092.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7446353.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7446353.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7768253.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7768253.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3476318.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3476318.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a9380383.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a9380383.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7088417.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7088417.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c3299072.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c3299072.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.99:443 | www.bing.com | tcp |
| NL | 23.62.61.99:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| FI | 77.91.68.48:19071 | | tcp |
| FI | 77.91.68.48:19071 | | tcp |
| FI | 77.91.68.48:19071 | | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| FI | 77.91.68.48:19071 | | tcp |
| FI | 77.91.68.48:19071 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7446353.exe
| MD5 | cdb65c533898d46ca672b92973876229 |
| SHA1 | dd3e4296b3a91e58fc012573d71cab5fff647384 |
| SHA256 | 7ebebeaa103ec219dc21ed1ab8b25e4a2d8d60020566009de3ae760d57231eba |
| SHA512 | ad49996b89fd5eeef0736072c1470f37fc6dc415d23dd3b2631b04fd183d50c4f34ce76233c31d4264f5ab132fcbbdc22158a19475937f211cbc3188a899f53f |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7768253.exe
| MD5 | f0f6f170df1d271c552b0d02d9cfd00c |
| SHA1 | 81772a39f54f09e087fe647a2f29d00300ec790e |
| SHA256 | d5e3c032af376571e939c53f9842783cf42e3bec65d504cad97ac08dedbb9e30 |
| SHA512 | 7d0beb6f2f7f02f9664d840df1651846dad6332ba4d7df53870263af432bcd6ee66503e907efe2118196fb886fd0e9798ca2f03b77277281764847c226fb09fb |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3476318.exe
| MD5 | b521dd3035f27c010fee90054ae2676b |
| SHA1 | b14d984181669f3e60e628d4ccb22087098d18f7 |
| SHA256 | 7042a4553944787fcb60549bdef9787f955632186eb343f892b892b221e1e260 |
| SHA512 | 8e0a111b4d67a316f26d6bb046b486c302bbaa6202215a51e4370103cd200ae78e2b4111393bfe020e6e6c6e0107059c30d2252b12ae00cd829f15daafffe5d4 |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a9380383.exe
| MD5 | bd77385922ae5ed4007eb7317819e44a |
| SHA1 | fc068ca58ab2d5ba7089df2507ff9c3842d9d7a1 |
| SHA256 | 7a6f2da386b5ab2e68859fe2b034068fde5c4c988d44edd3308364dbc95c9556 |
| SHA512 | 091e158952f5f4a7e71c5f49792b2b5bb05939071e14cbe2702d9c0a9255122118a930a48003ba56918f4f1a14c1bb9f87c0bf5a540fadc28a28e3ae0e915cb3 |
memory/4244-28-0x00000000005A0000-0x00000000005DE000-memory.dmp
memory/4244-34-0x00000000005A0000-0x00000000005DE000-memory.dmp
memory/4244-35-0x0000000004420000-0x0000000004421000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7088417.exe
| MD5 | 7e93bacbbc33e6652e147e7fe07572a0 |
| SHA1 | 421a7167da01c8da4dc4d5234ca3dd84e319e762 |
| SHA256 | 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38 |
| SHA512 | 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91 |
memory/2340-41-0x00000000005F0000-0x00000000005FA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c3299072.exe
| MD5 | 67cb989f9d39ef2dc25805925f57cdd2 |
| SHA1 | 72de5155bbe113cecabc724e967c10080c2d656c |
| SHA256 | a56d1c14695ffe3d85956ba7c177b854a815455c54d2f6d7fb5a62b8581f6b6d |
| SHA512 | dad3cef23beb97eaf54ae22432059de154e7ddb30ddb6431615230ed299b4fadd740cc483fe808c8b303c7a58b2008a560dc7bbc163e0f8928e9475c64aab943 |
memory/4856-46-0x00000000006D0000-0x000000000075C000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\System.dll.log
| MD5 | 916851e072fbabc4796d8916c5131092 |
| SHA1 | d48a602229a690c512d5fdaf4c8d77547a88e7a2 |
| SHA256 | 7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d |
| SHA512 | 07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521 |
Analysis: behavioral9
Detonation Overview
Submitted
2024-05-10 13:06
Reported
2024-05-10 13:08
Platform
win7-20240215-en
Max time kernel
118s
Max time network
119s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\5f7c9e83d80a652c6bde9ce18eaca08f9cb8a8012568629c5813a8e40f7e7ac5.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1756 wrote to memory of 2520 | N/A | C:\Users\Admin\AppData\Local\Temp\5f7c9e83d80a652c6bde9ce18eaca08f9cb8a8012568629c5813a8e40f7e7ac5.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 1756 wrote to memory of 2520 | N/A | C:\Users\Admin\AppData\Local\Temp\5f7c9e83d80a652c6bde9ce18eaca08f9cb8a8012568629c5813a8e40f7e7ac5.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 1756 wrote to memory of 2520 | N/A | C:\Users\Admin\AppData\Local\Temp\5f7c9e83d80a652c6bde9ce18eaca08f9cb8a8012568629c5813a8e40f7e7ac5.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 1756 wrote to memory of 2520 | N/A | C:\Users\Admin\AppData\Local\Temp\5f7c9e83d80a652c6bde9ce18eaca08f9cb8a8012568629c5813a8e40f7e7ac5.exe | C:\Windows\SysWOW64\WerFault.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\5f7c9e83d80a652c6bde9ce18eaca08f9cb8a8012568629c5813a8e40f7e7ac5.exe
"C:\Users\Admin\AppData\Local\Temp\5f7c9e83d80a652c6bde9ce18eaca08f9cb8a8012568629c5813a8e40f7e7ac5.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1756 -s 52
Network
Files
memory/1756-1-0x0000000000030000-0x0000000000031000-memory.dmp
memory/1756-0-0x0000000000030000-0x0000000000031000-memory.dmp
Analysis: behavioral11
Detonation Overview
Submitted
2024-05-10 13:06
Reported
2024-05-10 13:09
Platform
win10v2004-20240508-en
Max time kernel
148s
Max time network
156s
Command Line
Signatures
Amadey
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h8574404.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h8574404.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h8574404.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h8574404.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h8574404.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h8574404.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g7357835.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4481156.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g7357835.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h8574404.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j5297148.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h8574404.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\660944c2e28e356790c36fcc99f1413b6daff34f154aeeda556c351fc695e812.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4481156.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h8574404.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h8574404.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h8574404.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\660944c2e28e356790c36fcc99f1413b6daff34f154aeeda556c351fc695e812.exe
"C:\Users\Admin\AppData\Local\Temp\660944c2e28e356790c36fcc99f1413b6daff34f154aeeda556c351fc695e812.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4481156.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4481156.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g7357835.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g7357835.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
"C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe"
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h8574404.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h8574404.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN pdates.exe /TR "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "pdates.exe" /P "Admin:N"&&CACLS "pdates.exe" /P "Admin:R" /E&&echo Y|CACLS "..\925e7e99c5" /P "Admin:N"&&CACLS "..\925e7e99c5" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "pdates.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "pdates.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\925e7e99c5" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\925e7e99c5" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j5297148.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j5297148.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| FI | 77.91.68.61:80 | N/A | tcp |
| NL | 23.62.61.72:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.61.62.23.in-addr.arpa | udp |
| FI | 77.91.124.84:19071 | N/A | tcp |
| NL | 52.142.223.178:80 | N/A | tcp |
| FI | 77.91.124.84:19071 | N/A | tcp |
| FI | 77.91.68.61:80 | N/A | tcp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| FI | 77.91.124.84:19071 | N/A | tcp |
| FI | 77.91.68.61:80 | N/A | tcp |
| FI | 77.91.124.84:19071 | N/A | tcp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| FI | 77.91.124.84:19071 | N/A | tcp |
| FI | 77.91.124.84:19071 | N/A | tcp |
| US | 8.8.8.8:53 | 24.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4481156.exe
| MD5 | 4c669c3829673f71b89661184a686673 |
| SHA1 | 8e99df024d707a8562ad4107b8332baf0d2dfd29 |
| SHA256 | 8bcbbee93e9545b076f74e96342643a14eae1c68541d38f2ae8583c9fb5ddb26 |
| SHA512 | 9ab61976c1496929e83ceacf0d25276372658df062b9efea23767ac2911d1e927ece5c5d3d206a37e7b2acb17bb8b622eca222b232ac760a7380ce56562ab768 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g7357835.exe
| MD5 | aea234064483f651010cf9d981f59fea |
| SHA1 | 002ad73a666d2d92d0c6d6b617e61c6fa0c5f3a6 |
| SHA256 | 58b02c8b4bc2bf7f5f1e8e45d7c206956f188ae56b648922ca75987b999db503 |
| SHA512 | eae415ef55aeb1b4548c2422a72e618fce17c2c1322918d33dc6b9202a01c743a5684ba28e5d83b6cdb2b703bc12569e6bb0e87ef2decb4e8a18592e1380a434 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h8574404.exe
| MD5 | 7e93bacbbc33e6652e147e7fe07572a0 |
| SHA1 | 421a7167da01c8da4dc4d5234ca3dd84e319e762 |
| SHA256 | 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38 |
| SHA512 | 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j5297148.exe
| MD5 | b8d329b8de648c9dd98aeef8818aeb39 |
| SHA1 | f8accff92a1bf675ebdad62bb37dc4518c1fe22f |
| SHA256 | 67f421fc16e61bdc4c163b50f144c42442a62c53a89dcdd9f2a27c23d1e010dc |
| SHA512 | 6766c452d33dba045f7653aa927747be03cec14f0f664db696433e121010572792e76b367b45493ad17aea61392e4024662c07bcae842423893ea19b6cf2da1f |
Analysis: behavioral15
Detonation Overview
Submitted
2024-05-10 13:06
Reported
2024-05-10 13:09
Platform
win10v2004-20240508-en
Max time kernel
142s
Max time network
155s
Command Line
Signatures
Amadey
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h4606134.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h4606134.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h4606134.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h4606134.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h4606134.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h4606134.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g3294115.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0096760.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g3294115.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h4606134.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j6935570.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h4606134.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\80f298c436aec6fc79755a500c4350e1d63215b9088f36710903936de3cedc94.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0096760.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h4606134.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h4606134.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h4606134.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\80f298c436aec6fc79755a500c4350e1d63215b9088f36710903936de3cedc94.exe
"C:\Users\Admin\AppData\Local\Temp\80f298c436aec6fc79755a500c4350e1d63215b9088f36710903936de3cedc94.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0096760.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0096760.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g3294115.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g3294115.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
"C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe"
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h4606134.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h4606134.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN pdates.exe /TR "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "pdates.exe" /P "Admin:N"&&CACLS "pdates.exe" /P "Admin:R" /E&&echo Y|CACLS "..\925e7e99c5" /P "Admin:N"&&CACLS "..\925e7e99c5" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "pdates.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "pdates.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\925e7e99c5" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\925e7e99c5" /P "Admin:R" /E
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3984,i,13281073920029625837,8253721632651544158,262144 --variations-seed-version --mojo-platform-channel-handle=4492 /prefetch:8
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j6935570.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j6935570.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| FI | 77.91.68.61:80 | N/A | tcp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| NL | 23.62.61.113:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 113.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| FI | 77.91.124.84:19071 | N/A | tcp |
| FI | 77.91.124.84:19071 | N/A | tcp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| FI | 77.91.68.61:80 | N/A | tcp |
| FI | 77.91.124.84:19071 | N/A | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| FI | 77.91.68.61:80 | N/A | tcp |
| FI | 77.91.124.84:19071 | N/A | tcp |
| US | 8.8.8.8:53 | 14.179.89.13.in-addr.arpa | udp |
| FI | 77.91.124.84:19071 | N/A | tcp |
| FI | 77.91.124.84:19071 | N/A | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0096760.exe
| MD5 | c44e5c1dbc033b88b23bfd9c2265aec0 |
| SHA1 | 746ba7772a23637a08499675b52c85928ebdd364 |
| SHA256 | 892a8cab1020cfab60d998bf5ace63d960dced1c6a4f047d910eeaf729021bb8 |
| SHA512 | 0ae27e9cb9bed8aabf871eaab509142ecaf024f96dcd79f256388bdd1044c5ad788a4b6da7d470c9cd4871b917d27d4cb765dba398b167d00dfe3e299d45bbbf |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g3294115.exe
| MD5 | aea234064483f651010cf9d981f59fea |
| SHA1 | 002ad73a666d2d92d0c6d6b617e61c6fa0c5f3a6 |
| SHA256 | 58b02c8b4bc2bf7f5f1e8e45d7c206956f188ae56b648922ca75987b999db503 |
| SHA512 | eae415ef55aeb1b4548c2422a72e618fce17c2c1322918d33dc6b9202a01c743a5684ba28e5d83b6cdb2b703bc12569e6bb0e87ef2decb4e8a18592e1380a434 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h4606134.exe
| MD5 | 7e93bacbbc33e6652e147e7fe07572a0 |
| SHA1 | 421a7167da01c8da4dc4d5234ca3dd84e319e762 |
| SHA256 | 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38 |
| SHA512 | 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j6935570.exe
| MD5 | b9b326df936041afe740e52293cd89e5 |
| SHA1 | 91b8c4a97b2a09fdc30fadbe95eb26b64947e6cb |
| SHA256 | b3f51ad219c924a14b0461a475e030dade3c4b8176376fd855c90c0300d70185 |
| SHA512 | d1f20bca31b33e7df3e94a1a5d194738fb968d3d637b2fd4a851ce70a1392b48218d208ac31398b52608678b934a17e9095e1653cfbbdb9b250ad56b0d0633b8 |
Analysis: behavioral21
Detonation Overview
Submitted
2024-05-10 13:06
Reported
2024-05-10 13:08
Platform
win10v2004-20240508-en
Max time kernel
146s
Max time network
151s
Command Line
Signatures
Amadey
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a0825239.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a0825239.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a0825239.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a0825239.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a0825239.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a0825239.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
SmokeLoader
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b4802302.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4435054.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6076158.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a0825239.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b4802302.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c6942777.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d8501327.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a0825239.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\cfdc6cd562d69f4233d6d8bcde44d4bd5e6825bd17383e6bb2f76b9fd006ead3.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4435054.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6076158.exe | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c6942777.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c6942777.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c6942777.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a0825239.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a0825239.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a0825239.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\cfdc6cd562d69f4233d6d8bcde44d4bd5e6825bd17383e6bb2f76b9fd006ead3.exe
"C:\Users\Admin\AppData\Local\Temp\cfdc6cd562d69f4233d6d8bcde44d4bd5e6825bd17383e6bb2f76b9fd006ead3.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4435054.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4435054.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6076158.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6076158.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a0825239.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a0825239.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b4802302.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b4802302.exe
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
"C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe"
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c6942777.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c6942777.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN danke.exe /TR "C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "danke.exe" /P "Admin:N"&&CACLS "danke.exe" /P "Admin:R" /E&&echo Y|CACLS "..\3ec1f323b5" /P "Admin:N"&&CACLS "..\3ec1f323b5" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "danke.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "danke.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\3ec1f323b5" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\3ec1f323b5" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d8501327.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d8501327.exe
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.155:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| NL | 23.62.61.155:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 155.61.62.23.in-addr.arpa | udp |
| FI | 77.91.68.3:80 | N/A | tcp |
| FI | 77.91.68.68:19071 | N/A | tcp |
| FI | 77.91.68.3:80 | N/A | tcp |
| FI | 77.91.68.68:19071 | N/A | tcp |
| FI | 77.91.68.3:80 | N/A | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| FI | 77.91.68.68:19071 | N/A | tcp |
| FI | 77.91.68.3:80 | N/A | tcp |
| FI | 77.91.68.68:19071 | N/A | tcp |
| FI | 77.91.68.3:80 | N/A | tcp |
| FI | 77.91.68.68:19071 | N/A | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4435054.exe
| MD5 | 91933e51696584a07d7c09e2e13141f5 |
| SHA1 | 0f24a6ac68fb31fb27b7c2a0710ad37019447204 |
| SHA256 | 51b3eccbb193d1455e060d100fcbf91133f137aebc267fb4b9a4b91952126498 |
| SHA512 | ccaf03c65b0ae52dad65d5395d16aedb6abe777962a4c6f5cfeb1831d41ed0d0bba6c2d6e62071337b5bfcb34996d68e94ece6bb56110c88f49719d7be2c45c8 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6076158.exe
| MD5 | 0711e5b846ebcd95fdcce83aa82ee27d |
| SHA1 | 87975557ea8e9efda716a9377dde46b57a7662e8 |
| SHA256 | 06193190d3c01ff9e2fa5eafb338a958d74abbe89259f7f70391df0721f9a332 |
| SHA512 | 26fbf12831309e5dd644a73743cd518afff4e9a582893302588ac60552c191e3d21dcd5c2e3cd13fc70ede345aa7ae2e05785e10cd2fc23d0d78cb61153f0c1e |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a0825239.exe
| MD5 | 7142af778ac7df1f47ee0f67c5969d10 |
| SHA1 | 1c951387ce612014321c82bb225b7ca674bc3dd8 |
| SHA256 | bbcf2054c9add3d18e308671ee5b1f3cebe898baf3634394b5bbb4c3855c512c |
| SHA512 | d96b464e2e156dbb4afd6cde6f916398db0a6883914a71e682d4170e14b0047a8e59b0b1a5762addeff2b54ef0347cf6dde4e7032bd54d3845ba610616dfa17d |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b4802302.exe
| MD5 | 270a148b44bad929ed1a4adc8cbd94a2 |
| SHA1 | 55a61daf7fa7f81317d3bacf86064cf27eab3649 |
| SHA256 | f125c5d00d3075ed916a60e58897b960eee948a141f793577ad013c85cb91809 |
| SHA512 | e9ae358b7e659403326f4da5196217636e24dc09b68c487bd62523d3390ed727247b9a74ecad802277b9d831f95e645e7b40bfe162cf08f6fd3340eb82109c59 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c6942777.exe
| MD5 | ecaccb61a433da4a9745317a688738ed |
| SHA1 | 54aad35ff3dbb45a12263306af2a409e56ffa5a0 |
| SHA256 | 35c335eb5c241a978210148f6886ca0ee20bcd368b17bbaf15eaac5465d14132 |
| SHA512 | d4379e9fad838589d447b1a7494f5fff9e9c8797e24bdab00fe3a9f5704135e6263e15432b3dc1fa6c719e93a20271962be87f3be0873f78d7b83d0a4f31dea0 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d8501327.exe
| MD5 | 12c1ab680089f44c182ab0d1f4a95ae1 |
| SHA1 | 4a9cfa25e4810ff2428356308e3317aee191d541 |
| SHA256 | 4a62ceddedc8c2a3cd54f23196890111038241c4f792ebd949d80385cad0f3f5 |
| SHA512 | 46682624d94f3131db1b196d6bb47ac6e367045fc779a309d8433fc54e6f9ef6edbf99479f976437e5601b9e5f479909bbb46a353f07416790892641c64764ff |
Analysis: behavioral5
Detonation Overview
Submitted
2024-05-10 13:06
Reported
2024-05-10 13:08
Platform
win7-20231129-en
Max time kernel
119s
Max time network
121s
Command Line
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\28e73a10869c3ce55af51de963cb8f48eac48b8f171602308b167d940e58899a.exe
"C:\Users\Admin\AppData\Local\Temp\28e73a10869c3ce55af51de963cb8f48eac48b8f171602308b167d940e58899a.exe"
Network
Files
Analysis: behavioral10
Detonation Overview
Submitted
2024-05-10 13:06
Reported
2024-05-10 13:09
Platform
win10v2004-20240508-en
Max time kernel
148s
Max time network
152s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1916 set thread context of 3260 | N/A | C:\Users\Admin\AppData\Local\Temp\5f7c9e83d80a652c6bde9ce18eaca08f9cb8a8012568629c5813a8e40f7e7ac5.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\5f7c9e83d80a652c6bde9ce18eaca08f9cb8a8012568629c5813a8e40f7e7ac5.exe
"C:\Users\Admin\AppData\Local\Temp\5f7c9e83d80a652c6bde9ce18eaca08f9cb8a8012568629c5813a8e40f7e7ac5.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | omnomnom.top | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 235.4.20.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| DE | 195.201.252.28:443 | omnomnom.top | tcp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.113:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.252.201.195.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 113.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 139.53.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.173.189.20.in-addr.arpa | udp |
Files
memory/1916-0-0x00000000003B0000-0x00000000003B1000-memory.dmp
memory/1916-1-0x00000000003B0000-0x00000000003B1000-memory.dmp
memory/1916-3-0x00000000003B0000-0x00000000003B1000-memory.dmp
memory/3260-2-0x0000000000400000-0x0000000000422000-memory.dmp
memory/3260-4-0x0000000074DEE000-0x0000000074DEF000-memory.dmp
memory/3260-5-0x0000000005580000-0x00000000055E6000-memory.dmp
memory/3260-6-0x0000000006050000-0x0000000006668000-memory.dmp
memory/3260-7-0x0000000005AD0000-0x0000000005AE2000-memory.dmp
memory/3260-8-0x0000000005C00000-0x0000000005D0A000-memory.dmp
memory/3260-9-0x0000000074DE0000-0x0000000075590000-memory.dmp
memory/3260-10-0x00000000068C0000-0x00000000068FC000-memory.dmp
memory/3260-11-0x0000000006900000-0x000000000694C000-memory.dmp
memory/3260-12-0x0000000006C40000-0x0000000006E02000-memory.dmp
memory/3260-13-0x0000000007340000-0x000000000786C000-memory.dmp
memory/3260-14-0x0000000006E10000-0x0000000006EA2000-memory.dmp
memory/3260-15-0x0000000007E20000-0x00000000083C4000-memory.dmp
memory/3260-16-0x0000000006EB0000-0x0000000006F26000-memory.dmp
memory/3260-17-0x0000000006F30000-0x0000000006F4E000-memory.dmp
memory/3260-18-0x0000000007010000-0x0000000007060000-memory.dmp
memory/3260-20-0x0000000074DE0000-0x0000000075590000-memory.dmp
Analysis: behavioral14
Detonation Overview
Submitted
2024-05-10 13:06
Reported
2024-05-10 13:09
Platform
win10v2004-20240226-en
Max time kernel
148s
Max time network
165s
Command Line
Signatures
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p3979865.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p3979865.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p3979865.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p3979865.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p3979865.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p3979865.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8289349.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p3979865.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r2995492.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p3979865.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\7d1f6eeb31bd2e40692c777766b604a0bf50848518f5c931a53d7c48b988e8ef.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8289349.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p3979865.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p3979865.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p3979865.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\7d1f6eeb31bd2e40692c777766b604a0bf50848518f5c931a53d7c48b988e8ef.exe
"C:\Users\Admin\AppData\Local\Temp\7d1f6eeb31bd2e40692c777766b604a0bf50848518f5c931a53d7c48b988e8ef.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8289349.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8289349.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p3979865.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p3979865.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r2995492.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r2995492.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4140 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| GB | 172.217.169.42:443 | chromewebstore.googleapis.com | tcp |
| US | 8.8.8.8:53 | 42.169.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| FI | 77.91.68.68:19071 | | tcp |
| US | 8.8.8.8:53 | 9.179.89.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| FI | 77.91.68.68:19071 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8289349.exe
| MD5 | 9083e6401030e1b4b0840f3075ef1e1d |
| SHA1 | 78760243052a3d9da2a9576884c4f77a914dfd37 |
| SHA256 | da5de5537c6dc1c6548195f6c6706a32f115855f8f00dda604b989a71a4e4ea3 |
| SHA512 | ab7846f6a9edecd99de8df4bee91268773e748b87ba41d96aee2a0c6a492392f3880f5db08713963454ecad7d642874a3100e35a51974650dab15e29e96a7c0b |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p3979865.exe
| MD5 | 89e1ac4194ecfd74e1b15b011996075f |
| SHA1 | 61173306273de11f4f2aa7812d8297df0cdce5a1 |
| SHA256 | 660993641635573a5b0a0cb175e536c95532215a375b1609a3062e3998ab2ab1 |
| SHA512 | 82654ec550be53c9c9cea69fdf578bb6b79eb1c41b8ad59153ee68a4e314fbd6386992504617457cd347b0f278a1dac472466dd8952de7cdcaf57c8d0f88b6c6 |
memory/3620-14-0x00007FF8A1EC3000-0x00007FF8A1EC5000-memory.dmp
memory/3620-15-0x0000000000F70000-0x0000000000F7A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r2995492.exe
| MD5 | 72e51378e2c8b046f2fb05bb2c37c929 |
| SHA1 | 1825f3057d33f09984909fdcf3ed7e1feecff7f1 |
| SHA256 | f2b31dda24613389d1e0cb1d6a6c7e0c6c740351b01402a59825e59ed397f081 |
| SHA512 | 1f5b158265908118a9912a28f3f144d799cae8930db8d76fa289e38b6ec9ae23dff072dbc3407afcad26cf896df504342102aea14e7d0a5b2740b024e977c04a |
memory/1480-20-0x0000000000490000-0x00000000004C0000-memory.dmp
memory/1480-21-0x0000000004C70000-0x0000000004C76000-memory.dmp
memory/1480-22-0x000000000A8F0000-0x000000000AF08000-memory.dmp
memory/1480-23-0x000000000A3E0000-0x000000000A4EA000-memory.dmp
memory/1480-24-0x0000000004DC0000-0x0000000004DD2000-memory.dmp
memory/1480-25-0x000000000A670000-0x000000000A6AC000-memory.dmp
memory/1480-26-0x000000000A6B0000-0x000000000A6FC000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2024-05-10 13:06
Reported
2024-05-10 13:09
Platform
win10v2004-20240226-en
Max time kernel
140s
Max time network
163s
Command Line
Signatures
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a2651355.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a2651355.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7896309.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7896309.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7896309.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7896309.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a2651355.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a2651355.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a2651355.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a2651355.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7896309.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7896309.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6210097.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9238337.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3931201.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a2651355.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7896309.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c4075312.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a2651355.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a2651355.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7896309.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6210097.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9238337.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3931201.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\1ec8ce9ace042665b07a0abc5b206634b1417b5f2a4a00b4554147d518832396.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a2651355.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a2651355.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7896309.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7896309.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a2651355.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7896309.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\1ec8ce9ace042665b07a0abc5b206634b1417b5f2a4a00b4554147d518832396.exe
"C:\Users\Admin\AppData\Local\Temp\1ec8ce9ace042665b07a0abc5b206634b1417b5f2a4a00b4554147d518832396.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6210097.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6210097.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9238337.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9238337.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3931201.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3931201.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a2651355.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a2651355.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7896309.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7896309.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3792 --field-trial-handle=2356,i,13261194862334667799,7441241219475888176,262144 --variations-seed-version /prefetch:8
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c4075312.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c4075312.exe
Network
| Country | Destination | Domain | Proto |
| GB | 142.250.178.10:443 | | tcp |
| GB | 23.44.234.16:80 | | tcp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 13.107.253.64:443 | | tcp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 159.113.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| FI | 77.91.68.56:19071 | | tcp |
| FI | 77.91.68.56:19071 | | tcp |
| FI | 77.91.68.56:19071 | | tcp |
| US | 8.8.8.8:53 | 170.117.168.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6210097.exe
| MD5 | e4759911e541d7a543ea033b0928ddf4 |
| SHA1 | e39c427a6cf47b16cddabfd2c7fb00038e1dbe1f |
| SHA256 | f8dfa98c4e38deff7955c243f9db7b01692e43c0997eca9e5e141cc565cf05be |
| SHA512 | 7760d634d8a8b0a2e2c9847c4c367589607de2d7ac43112830289dbf3585902dd0f824ebfcab04040f701afa6b86884824aed2f032e6c09714ac8575b7bf9e42 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9238337.exe
| MD5 | f4f787db36502a2e05f39da6a313e914 |
| SHA1 | 4f842c75ce854d86420f9790c47c81bdcecd7c5d |
| SHA256 | 3df74027fece0dd6e6c9f46260e3c886ecbcfd4dce43ac64a90f1211d78fe588 |
| SHA512 | 0728509f9668750a075e73175e48f90625f5e62ef3d1e95641d654d43f749dacb1012110c6e445aa64308a64b0d23c447041ab0ec994300a6b06a1091523d52b |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3931201.exe
| MD5 | a11dbc01603450452854f17aa7ea1eef |
| SHA1 | 18436f7c4a7a4477c0baa93ddc108babce9491bf |
| SHA256 | 2d2e176ff101b33e0adec2558415b76c1425ba9502c4b652c64b4751dd11181c |
| SHA512 | 1ac3b35ac7b8742c8eded217595f30ae25eff216409bddd3cc18809ff6e5d873c7feae6e1e3501dc02bebe2205f9f9e8db9718c76315b679ca8ce73aca2135bf |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a2651355.exe
| MD5 | 175e3db636d9fd541cc11991815ea662 |
| SHA1 | c5e30c78f298c1aa26768bc036795e19ed7e60d7 |
| SHA256 | c39106a3520b59f859a00bc0014f6b5a4846b40742a925b66283b31e62094c4e |
| SHA512 | 06b1bc8a9746e8dfd1a4d72e98b8b76a1f543ae0c72c9e0233dce81451d7521f586da373e69459170a8d9442da4883f8247cfb9714227744c765c892583ac5c9 |
memory/2128-28-0x00000000005B0000-0x00000000005EE000-memory.dmp
memory/2128-34-0x00000000005B0000-0x00000000005EE000-memory.dmp
memory/2128-35-0x0000000006BD0000-0x0000000006BD1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7896309.exe
| MD5 | 06d9b8f9236b959006976da775fea5e7 |
| SHA1 | 46d5c5e6a3e7de6138cd764509a6754ce24d9484 |
| SHA256 | 77353ead4144432dfd0e8fc833c458c8b88fb5d6bf7c9818ac430be40983b7f5 |
| SHA512 | ec0c6135f2b39d70cb35bd713d5fd9a0876055b46584f3535067f0f162be149024770c990e61ee041eabe5d3daf53aac49e747bb96189c3fa17346774a5edc6d |
memory/1344-41-0x0000000000140000-0x000000000014A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c4075312.exe
| MD5 | dd10174f7fa3d017558c8310bf07d851 |
| SHA1 | 08d795a3d2334906da989e46a7e57d4ba9aa9f41 |
| SHA256 | cd9de412cda28c677351594338bc352dbcafb8652328624f624263b71bac3604 |
| SHA512 | a714e8babdc8d8a0a9f8e6ef6430d4f1cde70d3d80a902a1e247eb93bdf76e91fa89c4132708e0c632469b725c625ae65e30a908f02018f10b23460a02ec9d05 |
memory/1256-46-0x00000000005A0000-0x000000000062C000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\System.dll.log
| MD5 | 916851e072fbabc4796d8916c5131092 |
| SHA1 | d48a602229a690c512d5fdaf4c8d77547a88e7a2 |
| SHA256 | 7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d |
| SHA512 | 07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521 |
memory/1256-53-0x00000000005A0000-0x000000000062C000-memory.dmp
memory/1256-55-0x0000000002260000-0x0000000002266000-memory.dmp
memory/1256-56-0x0000000007FC0000-0x00000000085D8000-memory.dmp
memory/1256-57-0x0000000006B00000-0x0000000006C0A000-memory.dmp
memory/1256-58-0x0000000004980000-0x0000000004992000-memory.dmp
memory/1256-59-0x00000000085E0000-0x000000000861C000-memory.dmp
memory/1256-60-0x0000000008620000-0x000000000866C000-memory.dmp
Analysis: behavioral8
Detonation Overview
Submitted
2024-05-10 13:06
Reported
2024-05-10 13:08
Platform
win10v2004-20240508-en
Max time kernel
142s
Max time network
152s
Command Line
Signatures
Amadey
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7056513.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7056513.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7056513.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7056513.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7056513.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7056513.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l3459085.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3171866.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7056513.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l3459085.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n4445439.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7056513.exe | N/A |
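The Healer tables in behavioral14, behavioral4 and this run all show the same sequence: a Temp-resident dropper creates the Real-Time Protection policy key, sets five Disable* values to 1 and writes TamperProtection = 0, with behavioral4 doing it from a 32-bit process so the writes land under WOW6432Node. The report records the write operations; it does not say whether they took effect (on a host with Tamper Protection on these locations are protected from non-Microsoft writers), so treat the rows as evidence of intent and verify the live values on a suspect host. The detector below is an added example, not code from the report or the sandbox: it parses indicator strings in the report's own format, folds the WOW6432Node path onto the native one, and reports a process only when it both turned TamperProtection off and disabled several real-time controls. The (process, indicator) record shape, the normalisation and the threshold are this example's assumptions; SAMPLE_EVENTS is constructed from the report's rows.

```python
"""Flag Windows Defender tampering from registry-write events.

Added example; not part of the sandbox report. SAMPLE_EVENTS is constructed
from indicator strings the report attributes to p3979865.exe (behavioral14),
a2651355.exe (behavioral4) and l3459085.exe (behavioral8). The (process,
indicator) record shape, the key normalisation and the confidence threshold
are this example's own assumptions.
"""
import re
from collections import defaultdict

# Real-Time Protection policy values the Healer dropper sets to 1.
RTP_DISABLE_VALUES = {
    "DisableBehaviorMonitoring",
    "DisableIOAVProtection",
    "DisableOnAccessProtection",
    "DisableRealtimeMonitoring",
    "DisableScanOnRealtimeEnable",
}
RTP_KEY = r"SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection".lower()
FEATURES_KEY = r"SOFTWARE\Microsoft\Windows Defender\Features".lower()

HIVE_RE = re.compile(r"^\\REGISTRY\\MACHINE\\", re.IGNORECASE)
WOW_RE = re.compile(r"\\WOW6432Node\\", re.IGNORECASE)
SET_VALUE_RE = re.compile(r'^(.*)\\([^\\]+) = "([^"]*)"$')


def normalize_key(path):
    """Drop the NT hive prefix and the WOW6432Node redirection so a 32-bit
    writer (a2651355.exe) and a 64-bit writer (b7896309.exe) compare equal."""
    return WOW_RE.sub(r"\\", HIVE_RE.sub("", path)).lower()


def parse_set_value(indicator):
    r"""Split '\REGISTRY\...\Key\Name = "data"' into (key, name, data).
    Returns None for 'Key created' / 'Key value queried' rows, which carry no data."""
    m = SET_VALUE_RE.match(indicator)
    if not m:
        return None
    key, name, data = m.groups()
    return normalize_key(key), name, data


def defender_tampering(events):
    """events: iterable of (process, indicator). Returns, for each process that
    wrote to either location, the RTP controls it disabled and whether it
    turned TamperProtection off."""
    findings = defaultdict(lambda: {"rtp_disabled": set(), "tamper_protection_off": False})
    for process, indicator in events:
        parsed = parse_set_value(indicator)
        if parsed is None:
            continue
        key, name, data = parsed
        if key == RTP_KEY and name in RTP_DISABLE_VALUES and data == "1":
            findings[process]["rtp_disabled"].add(name)
        elif key == FEATURES_KEY and name == "TamperProtection" and data == "0":
            findings[process]["tamper_protection_off"] = True
    return dict(findings)


def healer_pattern(findings, min_controls=3):
    """Processes that turned TamperProtection off AND disabled at least
    min_controls real-time settings: the full sequence the report shows."""
    return sorted(p for p, f in findings.items()
                  if f["tamper_protection_off"] and len(f["rtp_disabled"]) >= min_controls)


# Constructed sample, copied from the report's indicator strings.
P = r"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p3979865.exe"
A = r"C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a2651355.exe"
L = r"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l3459085.exe"
NATIVE_RTP = r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
WOW_RTP = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection"
SAMPLE_EVENTS = (
    [(P, NATIVE_RTP)]  # 'Key created' row: no data, must be ignored
    + [(P, NATIVE_RTP + "\\" + v + ' = "1"') for v in RTP_DISABLE_VALUES]
    + [(P, r'\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"')]
    + [(A, WOW_RTP + "\\" + v + ' = "1"') for v in RTP_DISABLE_VALUES]
    + [(A, r'\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"')]
    # 'Key value queried' row from behavioral8: a read, so it must not count.
    + [(L, r"\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation")]
)

if __name__ == "__main__":
    result = defender_tampering(SAMPLE_EVENTS)
    for proc in healer_pattern(result):
        print(f"{proc}: TamperProtection=0, disabled {sorted(result[proc]['rtp_disabled'])}")
```

The threshold of three controls is deliberate: a single policy write can come from legitimate management tooling, but TamperProtection = 0 combined with most of the Real-Time Protection block, all from one process under the user's Temp directory, is the pattern this report shows four times.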
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3171866.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\56dbfb10e07e622006233e2ca432e9b289e276470e18ab3efe037a1c17c40d5d.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7056513.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7056513.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7056513.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\56dbfb10e07e622006233e2ca432e9b289e276470e18ab3efe037a1c17c40d5d.exe
"C:\Users\Admin\AppData\Local\Temp\56dbfb10e07e622006233e2ca432e9b289e276470e18ab3efe037a1c17c40d5d.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3171866.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3171866.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7056513.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7056513.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4324,i,13879737908471496610,15335851594401413307,262144 --variations-seed-version --mojo-platform-channel-handle=1324 /prefetch:8
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l3459085.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l3459085.exe
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
"C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n4445439.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n4445439.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN danke.exe /TR "C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "danke.exe" /P "Admin:N"&&CACLS "danke.exe" /P "Admin:R" /E&&echo Y|CACLS "..\3ec1f323b5" /P "Admin:N"&&CACLS "..\3ec1f323b5" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "danke.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "danke.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\3ec1f323b5" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\3ec1f323b5" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
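The process list above shows the Amadey stage setting itself up: l3459085.exe drops danke.exe into a random directory under Temp, schtasks.exe registers a task that relaunches it every minute (/SC MINUTE /MO 1), and a cmd.exe /k chain runs CACLS twice per object (first /P "Admin:N", which replaces the ACL with a single no-access entry, then /P "Admin:R" /E, which edits read access back in) so the logged-on user can no longer modify or delete the file or its directory; the piped "echo Y" answers the CACLS confirmation prompt. The detector below is an added example, not code from the report or the sandbox: it expands the cmd.exe chain into the individual commands the shell would run, tokenizes Windows command lines without mangling backslashes, and flags both the minute-interval task pointing into Temp and the CACLS lock-down. SAMPLE_RECORDS copies the report's command lines plus one constructed benign control; the tokenizer, the Temp-path heuristic and the finding structure are this example's assumptions.

```python
"""Detect the scheduled-task and ACL persistence pattern used for danke.exe.

Added example; not part of the sandbox report. SAMPLE_RECORDS copies the
schtasks, cmd and cacls command lines from the process list above (plus one
constructed benign control). The tokenizer, the Temp-path heuristic and the
finding structure are this example's own assumptions.
"""
import re
import shlex

# User-writable staging directory the Amadey copy was written to.
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
# 'cmd.exe /k <chain>' or '/c <chain>': capture the chain cmd.exe will run.
CMD_SWITCH_RE = re.compile(r'^\s*"?[^"]*\\cmd\.exe"?\s+/[kc]\s*(.*)$', re.IGNORECASE)
# Chain operators; operators inside quotes are not handled by this splitter.
CHAIN_SPLIT_RE = re.compile(r"\s*(?:&&|\|\||\||&)\s*")


def split_windows_cmdline(cmdline):
    """Tokenize a Windows command line. posix=False keeps backslashes intact and
    returns a quoted run as one token; the surrounding quotes are then stripped."""
    return [t.strip('"') for t in shlex.split(cmdline, posix=False)]


def expand_cmd_chain(cmdline):
    """Return the commands cmd.exe /k or /c would run, split on chain operators,
    or the command line itself when it is not such a wrapper."""
    m = CMD_SWITCH_RE.match(cmdline)
    if not m:
        return [cmdline]
    return [c for c in CHAIN_SPLIT_RE.split(m.group(1)) if c]


def image_name(tokens):
    return tokens[0].rsplit("\\", 1)[-1].lower() if tokens else ""


def schtasks_finding(tokens):
    """Flag 'schtasks /Create' with a MINUTE trigger whose action runs from Temp."""
    if image_name(tokens) not in ("schtasks", "schtasks.exe"):
        return None
    if "/create" not in [t.lower() for t in tokens]:
        return None
    flags = {}
    for i, tok in enumerate(tokens[:-1]):
        if tok.startswith("/") and not tokens[i + 1].startswith("/"):
            flags[tok.lower()] = tokens[i + 1]
    action = flags.get("/tr", "")
    if flags.get("/sc", "").upper() == "MINUTE" and TEMP_RE.search(action):
        return {"kind": "schtasks_minute_persistence", "task": flags.get("/tn"),
                "action": action, "every_minutes": int(flags.get("/mo", "1"))}
    return None


def cacls_finding(tokens):
    """Flag 'cacls <path> /P <user>:N' (ACL replaced with a no-access entry) and
    the follow-up 'cacls <path> /P <user>:R /E' (read-only grant edited in)."""
    if image_name(tokens) not in ("cacls", "cacls.exe") or len(tokens) < 4:
        return None
    path = tokens[1]
    edit = any(t.lower() == "/e" for t in tokens)
    for i, tok in enumerate(tokens[:-1]):
        if tok.lower() != "/p":
            continue
        user, _, right = tokens[i + 1].rpartition(":")
        if right.upper() == "N" and not edit:
            return {"kind": "cacls_acl_reset_deny", "path": path, "user": user}
        if right.upper() == "R" and edit:
            return {"kind": "cacls_read_only", "path": path, "user": user}
    return None


def scan(records):
    """records: iterable of (image_path, command_line). Every command inside a
    cmd.exe chain is checked as if it had been logged on its own."""
    findings = []
    for image, cmdline in records:
        for cmd in expand_cmd_chain(cmdline):
            tokens = split_windows_cmdline(cmd)
            for check in (schtasks_finding, cacls_finding):
                hit = check(tokens)
                if hit:
                    findings.append(dict(hit, process=image))
    return findings


# Constructed sample: command lines copied from the report's process list.
SAMPLE_RECORDS = [
    (r"C:\Windows\SysWOW64\schtasks.exe",
     r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN danke.exe /TR "C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe" /F'),
    (r"C:\Windows\SysWOW64\cmd.exe",
     r'"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "danke.exe" /P "Admin:N"&&CACLS "danke.exe" /P "Admin:R" /E&&echo Y|CACLS "..\3ec1f323b5" /P "Admin:N"&&CACLS "..\3ec1f323b5" /P "Admin:R" /E&&Exit'),
    (r"C:\Windows\SysWOW64\cmd.exe", r'C:\Windows\system32\cmd.exe /S /D /c" echo Y"'),
    (r"C:\Windows\SysWOW64\cacls.exe", r'CACLS "danke.exe" /P "Admin:N"'),
    (r"C:\Windows\SysWOW64\cacls.exe", r'CACLS "danke.exe" /P "Admin:R" /E'),
    (r"C:\Windows\SysWOW64\cacls.exe", r'CACLS "..\3ec1f323b5" /P "Admin:N"'),
    (r"C:\Windows\SysWOW64\cacls.exe", r'CACLS "..\3ec1f323b5" /P "Admin:R" /E'),
    # Constructed benign control: a daily task outside Temp must not fire.
    (r"C:\Windows\System32\schtasks.exe",
     r'"C:\Windows\System32\schtasks.exe" /Create /SC DAILY /TN Backup /TR "C:\Program Files\Backup\run.exe"'),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_RECORDS):
        print(finding)
```

Because the sandbox logs both the cmd.exe /k parent and each cacls.exe child, the same lock-down is reported twice; an EDR feed behaves the same way, so deduplicate on (path, user) before alerting. The CACLS paths are relative ("danke.exe", "..\3ec1f323b5") because the report does not give the working directory, which is why the cacls check does not apply the Temp heuristic.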
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| NL | 23.62.61.72:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| FI | 77.91.68.3:80 | | tcp |
| FI | 77.91.68.68:19071 | | tcp |
| FI | 77.91.68.68:19071 | | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| FI | 77.91.68.3:80 | | tcp |
| FI | 77.91.68.68:19071 | | tcp |
| FI | 77.91.68.3:80 | | tcp |
| FI | 77.91.68.68:19071 | | tcp |
| FI | 77.91.68.3:80 | | tcp |
| FI | 77.91.68.68:19071 | | tcp |
| FI | 77.91.68.3:80 | | tcp |
| FI | 77.91.68.68:19071 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3171866.exe
| MD5 | b435d6b953887f7a798aa82a97d2735e |
| SHA1 | 040f703a0203cf23702c6ff96b85a39654006505 |
| SHA256 | 39b691839692b9cef4a116a81e30b4bee8cbc04bc169366c90a6338d14af3389 |
| SHA512 | a36150b1c22144d4e38d58c3574e45c59a6126185ec847b6c2282d4930b8a097e8e162e5af01c5f761e5510dafb855d7d6bcabe2801ec0852a75fb88c0a66379 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7056513.exe
| MD5 | 7e93bacbbc33e6652e147e7fe07572a0 |
| SHA1 | 421a7167da01c8da4dc4d5234ca3dd84e319e762 |
| SHA256 | 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38 |
| SHA512 | 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91 |
memory/4864-14-0x00007FF841D53000-0x00007FF841D55000-memory.dmp
memory/4864-15-0x0000000000950000-0x000000000095A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l3459085.exe
| MD5 | 8c6b79ec436d7cf6950a804c1ec7d3e9 |
| SHA1 | 4a589d5605d8ef785fdc78b0bf64e769e3a21ad6 |
| SHA256 | 4e1377f9874f333dcb0b1b758e3131949e667fc39aadf3091e4e3b7cdbaeef1d |
| SHA512 | 06f2de433876963bb7bbddbe93cab0b7dd22164d1c10726294445944dcf5fa4a0fb450fc683c32565177a81a6103f6a5f11d291958bc7fcff7fdb9cf41a001ce |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n4445439.exe
| MD5 | ec5686f2f6eef77856a46505325aea33 |
| SHA1 | a58594f313adbd048b0ff2ac4e42603db57313ef |
| SHA256 | f3cea04ccce7d837e9a850e3c82c83465828d18f1ddceb862a2cc411927a8874 |
| SHA512 | 033857263c6ba7a1a5df2b441cb43c8e1d516eb5f298c76c00fdce7b7735e76921b5249d820f676355a7a0237f40af35497367d1319732b6629ab609ff154e08 |
memory/4380-33-0x0000000000E40000-0x0000000000E70000-memory.dmp
memory/4380-34-0x0000000003210000-0x0000000003216000-memory.dmp
memory/4380-35-0x0000000005F80000-0x0000000006598000-memory.dmp
memory/4380-36-0x0000000005A70000-0x0000000005B7A000-memory.dmp
memory/4380-37-0x0000000005900000-0x0000000005912000-memory.dmp
memory/4380-38-0x00000000059A0000-0x00000000059DC000-memory.dmp
memory/4380-39-0x00000000059E0000-0x0000000005A2C000-memory.dmp
Analysis: behavioral13
Detonation Overview
Submitted
2024-05-10 13:06
Reported
2024-05-10 13:08
Platform
win10v2004-20240426-en
Max time kernel
148s
Max time network
152s
Command Line
Signatures
Amadey
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k8761760.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k8761760.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k8761760.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k8761760.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k8761760.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k8761760.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l8864243.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0932119.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k8761760.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l8864243.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n5482656.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k8761760.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\795a49ee81e6eb25d2140b564c0aa63d165592e4d3b7bb4c29423c619b51334a.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0932119.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k8761760.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k8761760.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k8761760.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\795a49ee81e6eb25d2140b564c0aa63d165592e4d3b7bb4c29423c619b51334a.exe
"C:\Users\Admin\AppData\Local\Temp\795a49ee81e6eb25d2140b564c0aa63d165592e4d3b7bb4c29423c619b51334a.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0932119.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0932119.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k8761760.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k8761760.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l8864243.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l8864243.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
"C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n5482656.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n5482656.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN pdates.exe /TR "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "pdates.exe" /P "Admin:N"&&CACLS "pdates.exe" /P "Admin:R" /E&&echo Y|CACLS "..\925e7e99c5" /P "Admin:N"&&CACLS "..\925e7e99c5" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "pdates.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "pdates.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\925e7e99c5" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\925e7e99c5" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start wuauserv
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| NL | 23.62.61.75:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.61.62.23.in-addr.arpa | udp |
| NL | 23.62.61.75:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| FI | 77.91.68.68:19071 | | tcp |
| FI | 77.91.68.61:80 | | tcp |
| FI | 77.91.68.68:19071 | | tcp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| FI | 77.91.68.61:80 | | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| FI | 77.91.68.68:19071 | | tcp |
| FI | 77.91.68.61:80 | | tcp |
| FI | 77.91.68.68:19071 | | tcp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| FI | 77.91.68.68:19071 | | tcp |
| FI | 77.91.68.68:19071 | | tcp |
| US | 8.8.8.8:53 | 27.178.89.13.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0932119.exe
| MD5 | edc556bd751be4c21331a62f7cdb4a85 |
| SHA1 | a7f116072ee2b0a502ee9b5b3ad2069bfa760291 |
| SHA256 | bb05c8d756e41cb57119eb061d6fe683f561205cb9729a24b65c604dd286a50d |
| SHA512 | c91080a951f2d3b89f4aac3073395ed139a692fb3b962ffda3e221bb36e55986ea7c47037d0e78ba11ae58082907dd9a452305454c953ce867f30113bcc45da1 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k8761760.exe
| MD5 | 7e93bacbbc33e6652e147e7fe07572a0 |
| SHA1 | 421a7167da01c8da4dc4d5234ca3dd84e319e762 |
| SHA256 | 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38 |
| SHA512 | 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91 |
memory/1852-15-0x0000000000A20000-0x0000000000A2A000-memory.dmp
memory/1852-14-0x00007FFB5A783000-0x00007FFB5A785000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l8864243.exe
| MD5 | aea234064483f651010cf9d981f59fea |
| SHA1 | 002ad73a666d2d92d0c6d6b617e61c6fa0c5f3a6 |
| SHA256 | 58b02c8b4bc2bf7f5f1e8e45d7c206956f188ae56b648922ca75987b999db503 |
| SHA512 | eae415ef55aeb1b4548c2422a72e618fce17c2c1322918d33dc6b9202a01c743a5684ba28e5d83b6cdb2b703bc12569e6bb0e87ef2decb4e8a18592e1380a434 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n5482656.exe
| MD5 | d86ee190bbb058c3edb5a4b3194359a0 |
| SHA1 | 1adaefeead16a49a4f48f682c9083c48577baec9 |
| SHA256 | 62dfb4ead4cbed0b017ec79d97d69779dcdcde34ed730db7a5a3ff7f5429b56f |
| SHA512 | 195e7da8cc4268c73189193a480eab12f650b7efd4b8f22c1bbeafc224534a7a880811693994c84d4a7f0ae689e3f6e30c81e67181d8bdb8bb0c78b66079de3f |
Analysis: behavioral16
Detonation Overview
Submitted
2024-05-10 13:06
Reported
2024-05-10 13:08
Platform
win10v2004-20240426-en
Max time kernel
142s
Max time network
153s
Command Line
Signatures
Amadey
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k5872437.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k5872437.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k5872437.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k5872437.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k5872437.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k5872437.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l4083166.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2724090.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k5872437.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l4083166.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n8526226.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k5872437.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\85555569bb7d45d357512a0eafac484c22aee485efcb08f16f10d5cba19ad94d.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2724090.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k5872437.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k5872437.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k5872437.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\85555569bb7d45d357512a0eafac484c22aee485efcb08f16f10d5cba19ad94d.exe
"C:\Users\Admin\AppData\Local\Temp\85555569bb7d45d357512a0eafac484c22aee485efcb08f16f10d5cba19ad94d.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2724090.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2724090.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k5872437.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k5872437.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l4083166.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l4083166.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
"C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n8526226.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n8526226.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN pdates.exe /TR "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "pdates.exe" /P "Admin:N"&&CACLS "pdates.exe" /P "Admin:R" /E&&echo Y|CACLS "..\925e7e99c5" /P "Admin:N"&&CACLS "..\925e7e99c5" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "pdates.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "pdates.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\925e7e99c5" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\925e7e99c5" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| NL | 23.62.61.75:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 75.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| FI | 77.91.68.61:80 | | tcp |
| FI | 77.91.124.84:19071 | | tcp |
| FI | 77.91.124.84:19071 | | tcp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| FI | 77.91.68.61:80 | | tcp |
| FI | 77.91.124.84:19071 | | tcp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| FI | 77.91.68.61:80 | | tcp |
| FI | 77.91.124.84:19071 | | tcp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| FI | 77.91.124.84:19071 | | tcp |
| FI | 77.91.124.84:19071 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2724090.exe
| MD5 | 0fd858e561daf18d4cb383f1bbf687d7 |
| SHA1 | da276099ee2552b10cc2affe4fece902f054533f |
| SHA256 | cb7f680c38feae6598560f81f37e6beadb1f80ac8dd54afb2e70a93bbb5a7b27 |
| SHA512 | 94acb0728a163727176d85508383a52a0f32c12e22e92aa2373fcc936ea6a07270f1deda67884ac8f828819af76eb7e5c1473af135d8b76dfd9dd6fb1eea04e5 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k5872437.exe
| MD5 | 7e93bacbbc33e6652e147e7fe07572a0 |
| SHA1 | 421a7167da01c8da4dc4d5234ca3dd84e319e762 |
| SHA256 | 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38 |
| SHA512 | 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91 |
memory/3920-15-0x00007FF959943000-0x00007FF959945000-memory.dmp
memory/3920-14-0x0000000000ED0000-0x0000000000EDA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l4083166.exe
| MD5 | aea234064483f651010cf9d981f59fea |
| SHA1 | 002ad73a666d2d92d0c6d6b617e61c6fa0c5f3a6 |
| SHA256 | 58b02c8b4bc2bf7f5f1e8e45d7c206956f188ae56b648922ca75987b999db503 |
| SHA512 | eae415ef55aeb1b4548c2422a72e618fce17c2c1322918d33dc6b9202a01c743a5684ba28e5d83b6cdb2b703bc12569e6bb0e87ef2decb4e8a18592e1380a434 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n8526226.exe
| MD5 | c15ffea057fa3a082ec7d315ef8977dd |
| SHA1 | a8bb3971124751d94fa313ec94a774730c1f849d |
| SHA256 | c709ef60b27f90806ff5f1b4ebdd82dd1607a6514b60867f9543ee60c2759ba0 |
| SHA512 | 5e043852ae1fd34c94c0b1c014fc68dfe675252041e1b30b63bb54fe19fe43aac9d9f03504b35da57c86b37bd9e572e623df9f7be5fbdc97e305dd70366cabc7 |
Analysis: behavioral17
Detonation Overview
Submitted
2024-05-10 13:06
Reported
2024-05-10 13:08
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9136604.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7678896.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0633454.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a9751033.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b2585981.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c2700905.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7678896.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0633454.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\bd2cad400370a1839dedfee01ba51651868baedcef41cd34976bcfc1a2ccbf26.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9136604.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4652 set thread context of 4396 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a9751033.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| PID 5100 set thread context of 2508 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b2585981.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a9751033.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b2585981.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\bd2cad400370a1839dedfee01ba51651868baedcef41cd34976bcfc1a2ccbf26.exe
"C:\Users\Admin\AppData\Local\Temp\bd2cad400370a1839dedfee01ba51651868baedcef41cd34976bcfc1a2ccbf26.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9136604.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9136604.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7678896.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7678896.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0633454.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0633454.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a9751033.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a9751033.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4652 -ip 4652
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4652 -s 156
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b2585981.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b2585981.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 5100 -ip 5100
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5100 -s 148
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c2700905.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c2700905.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| RU | 83.97.73.129:19068 | | tcp |
| NL | 23.62.61.155:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| RU | 83.97.73.129:19068 | | tcp |
| NL | 23.62.61.155:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 155.61.62.23.in-addr.arpa | udp |
| RU | 83.97.73.129:19068 | | tcp |
| RU | 83.97.73.129:19068 | | tcp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 139.53.16.96.in-addr.arpa | udp |
| RU | 83.97.73.129:19068 | | tcp |
| RU | 83.97.73.129:19068 | | tcp |
| RU | 83.97.73.129:19068 | | tcp |
| RU | 83.97.73.129:19068 | | tcp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| RU | 83.97.73.129:19068 | | tcp |
| RU | 83.97.73.129:19068 | | tcp |
| RU | 83.97.73.129:19068 | | tcp |
| RU | 83.97.73.129:19068 | | tcp |
| US | 8.8.8.8:53 | 28.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9136604.exe
| MD5 | 33ff5c1b7ad2169df36e814a2d691161 |
| SHA1 | e80f0be76be35b9997ecfa24a8efc30748552cbe |
| SHA256 | 000643ece079f96ed416c42e9dec2e3a647599f99950c60349c52e36cb724e88 |
| SHA512 | 216ceb4f2a265aae0b413964c91da9f4f4f45baabe4ed952da89dc8089932472aeecb7ae2fb42408dfcfc8ae575d3d0b99cd89f55620946b155a41dee6019bd3 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7678896.exe
| MD5 | a76aada563b5fff5cf81824d40e87c25 |
| SHA1 | b6c50c7d69b765a396e3995642cd3c82ed9eb370 |
| SHA256 | f25337a343c26cdecd99eb7f095938fd24fb233463a8af3fa69acc5201eed956 |
| SHA512 | 093e3da142ee67a4da1c8f352460e5d90e9565ec60855285a19eb6e2c2f85d8b8ec22e0b5f46194222954ffeb19e1a8451f9d364c8869f1ef8050decc7154a56 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0633454.exe
| MD5 | 7df1e56d4c1a1612ee126463fcf8ceb4 |
| SHA1 | 774ab26898cfa2ace41b0d5fa53538d318e0fa57 |
| SHA256 | a62a548ffb1dcb9166d2336968bea9011a44039f391a1a7ef70364f4a0e131a0 |
| SHA512 | a84427f66c991496b014e82a1e52a969da9b627d6dfebdb93b74acdda4907df02b7b7d17b25cb732999e4a01e7f6e327be630b93b6dd6c55ed78e3d920ccae15 |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a9751033.exe
| MD5 | c0e3f771bcbb789d734e7d3e1b1f4e65 |
| SHA1 | 02e6e5e508188955181ac98bb1b9c414d2c1aa9e |
| SHA256 | 53b6f1fa7f2466210d99ea5bba427014f08b5656339d05d1dc0d120b7c6a3b02 |
| SHA512 | c983b76772a50aece42107a39c828abfa768fc33c8865df73de57e1beca2919e8cc7b8afe1d5ae3e7556273519e311d5e49ed6d52eaf895c3c3d7c34608d2118 |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b2585981.exe
| MD5 | cd5a529d645436b72dc72ebc19950ef3 |
| SHA1 | 5f571b5fce5b5e210e812e28dad02b80bb1f5d80 |
| SHA256 | 887d08bb7735494fa22a46935055d0c2d612f70e97ecdd07bccf427d8e49efa3 |
| SHA512 | b314a9d61340e1cafd67aef45b5151721a6100ca0f7d6ec787e4fc4d83d1cdb571cfafcd1cc1cee681f3016bfb3fc8074681633607221711163e7da2c2e6b123 |
memory/4396-39-0x0000000009F90000-0x0000000009FCC000-memory.dmp
memory/4396-41-0x0000000002420000-0x000000000246C000-memory.dmp
memory/2508-42-0x0000000000400000-0x000000000040A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c2700905.exe
| MD5 | 3722a3e958832f918370e3491d62d642 |
| SHA1 | 86d28aa415f98a3ffa95279b4ac521e96ab8131a |
| SHA256 | fc953ae5ccb8716ad6fa4b015596e010272dc5095fb5cf36fc1fe1ac7ca39db9 |
| SHA512 | 510caffa854da75b5cef2b52ef61dee6670fc684c090911b9bf51678c68144e3f83a2ca2b43364abd0619c6742c03b9f68f29f91d6bb6259c49fc2b8bbaeb791 |
memory/4836-50-0x0000000000CE0000-0x0000000000D10000-memory.dmp
memory/4836-51-0x0000000001460000-0x0000000001466000-memory.dmp
Analysis: behavioral18
Detonation Overview
Submitted
2024-05-10 13:06
Reported
2024-05-10 13:09
Platform
win10v2004-20240426-en
Max time kernel
150s
Max time network
154s
Command Line
Signatures
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a9236674.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a9236674.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a9236674.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a9236674.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a9236674.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a9236674.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a9236674.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\b3995746.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a9236674.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a9236674.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\c429566ed481fe562466b6e87d2cfe6fc492efeb3007819b63dd4cf45594d639.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a9236674.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a9236674.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a9236674.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\c429566ed481fe562466b6e87d2cfe6fc492efeb3007819b63dd4cf45594d639.exe
"C:\Users\Admin\AppData\Local\Temp\c429566ed481fe562466b6e87d2cfe6fc492efeb3007819b63dd4cf45594d639.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a9236674.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a9236674.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\b3995746.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\b3995746.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| NL | 23.62.61.57:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.61.62.23.in-addr.arpa | udp |
| NL | 23.62.61.72:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 72.61.62.23.in-addr.arpa | udp |
| DE | 217.196.96.101:4132 | | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| DE | 217.196.96.101:4132 | | tcp |
| US | 8.8.8.8:53 | 139.53.16.96.in-addr.arpa | udp |
| DE | 217.196.96.101:4132 | | tcp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| DE | 217.196.96.101:4132 | | tcp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| DE | 217.196.96.101:4132 | | tcp |
| DE | 217.196.96.101:4132 | | tcp |
| US | 8.8.8.8:53 | 105.193.132.51.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a9236674.exe
| MD5 | 9d6a6a164c9371fe63996d4ee60608df |
| SHA1 | acc572756616ba0cdd302803ade94f4d6f1c447e |
| SHA256 | b80f9eb78c1bc9d2e6abcb79000108ca6ca2700ee20d4c1d9e221d30813383e0 |
| SHA512 | c56e4df370b0d536176c362c49f9664f4a5f49b35034e4cc1c70459bfde95fb3d8ae044b7014323fbc20210313a1f489a42f5ad15957529c6446af93ce17bebf |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\b3995746.exe
| MD5 | 72d543112c67db99263bdcdb053c5200 |
| SHA1 | 5ed8046e303358157f833bfb8bcb42966f3ab14d |
| SHA256 | c7a850a137dec0ca9e361fde39aacb695d98e1165eb401929fbbff687950e0c5 |
| SHA512 | 32e8967b5136d9799fd0de5c324c075dbd5ba3a5506ee0fb9d070a249e3a52b4a18db04d1cc71517fbecb44897cf6a3dc76d4fa175dd54973ecefd6ad99c7a7e |
Analysis: behavioral20
Detonation Overview
Submitted
2024-05-10 13:06
Reported
2024-05-10 13:08
Platform
win10v2004-20240508-en
Max time kernel
150s
Max time network
151s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6497315.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0077088.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l7490768.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\ce9f75c073171b1315c869b550348e6d8c48a986b262a068b33f0833b7a24716.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6497315.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0077088.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ce9f75c073171b1315c869b550348e6d8c48a986b262a068b33f0833b7a24716.exe
"C:\Users\Admin\AppData\Local\Temp\ce9f75c073171b1315c869b550348e6d8c48a986b262a068b33f0833b7a24716.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6497315.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6497315.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0077088.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0077088.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2720 -ip 2720
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2720 -s 136
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l7490768.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l7490768.exe
Network
| Country | Destination | Domain | Proto |
| FI | 77.91.68.48:19071 | | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| FI | 77.91.68.48:19071 | | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 139.53.16.96.in-addr.arpa | udp |
| FI | 77.91.68.48:19071 | | tcp |
| FI | 77.91.68.48:19071 | | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| FI | 77.91.68.48:19071 | | tcp |
| FI | 77.91.68.48:19071 | | tcp |
| US | 8.8.8.8:53 | | udp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6497315.exe
| MD5 | 347fa3300c887f6ed7b1a13377bb28bd |
| SHA1 | f7290c370763737aa41f0bc92d66b2423647815c |
| SHA256 | 8ecc876c0ce1dc9774cb4ee93fbcd638c9182cd5c33e4a7aee74bbc39bd75cc4 |
| SHA512 | e17a78db324fd6bd80872c92fd6c03f0308b20c256d9a42cec304f21f13df2f0c6069ba95998d525e39b6e99040d07baaabf60015ab4ff88344e5d222c0cc341 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0077088.exe
| MD5 | 3afbc821636e1e7951821231f0cdc4bc |
| SHA1 | d962f7454a83bdeb81b16476055773c65090c068 |
| SHA256 | b05287fda0d66708df3d5a927caeb62a87e8809fb992871a5615a3c62ce1eeff |
| SHA512 | 4b74ca6740b4a8cf7d6bf4a54e64cbf564f42443d4b23d824feb661a8945a7a1a08fb6428afb8a8af7646607b5edc1af9d4c7aea8aac341965dbbf220db86eba |
memory/2720-14-0x0000000000401000-0x0000000000402000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l7490768.exe
| MD5 | ed78531c3da44f95b5e5f7aa280bf586 |
| SHA1 | a9e403fcbf3a8020cb51d8f3a406c74775936c2d |
| SHA256 | d996d9ed8e0931fe6f414b91b0d4f52fc6b80a8493829f63fdd44cbf9afea60e |
| SHA512 | 7649d4ceb7cf0771ed8905dbff16e74b117b0ced16f94026d457a6534a10f39c91da18bd986fd66ded33d9c2c4ef501e7c895760418b39361089f196bbdb6970 |
Analysis: behavioral22
Detonation Overview
Submitted
2024-05-10 13:06
Reported
2024-05-10 13:08
Platform
win10v2004-20240508-en
Max time kernel
147s
Max time network
142s
Command Line
Signatures
Amadey
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8749467.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8749467.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8749467.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8749467.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b1637171.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b1637171.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8749467.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8749467.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b1637171.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b1637171.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b1637171.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b1637171.exe | N/A |
SmokeLoader
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d6555583.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4912672.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2606131.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7242091.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8749467.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b1637171.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c0323673.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d6555583.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e8333830.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8749467.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8749467.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b1637171.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\eb81f341bc6cd2678bd7559862571f5294b6980de5199672afa03b21de0a4dda.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4912672.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2606131.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7242091.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c0323673.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e8333830.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e8333830.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e8333830.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8749467.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8749467.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b1637171.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b1637171.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8749467.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b1637171.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d6555583.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\eb81f341bc6cd2678bd7559862571f5294b6980de5199672afa03b21de0a4dda.exe
"C:\Users\Admin\AppData\Local\Temp\eb81f341bc6cd2678bd7559862571f5294b6980de5199672afa03b21de0a4dda.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4912672.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4912672.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2606131.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2606131.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7242091.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7242091.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8749467.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8749467.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b1637171.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b1637171.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c0323673.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c0323673.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4708 -ip 4708
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4708 -s 136
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d6555583.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d6555583.exe
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
"C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e8333830.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e8333830.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN danke.exe /TR "C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "danke.exe" /P "Admin:N"&&CACLS "danke.exe" /P "Admin:R" /E&&echo Y|CACLS "..\3ec1f323b5" /P "Admin:N"&&CACLS "..\3ec1f323b5" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "danke.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "danke.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\3ec1f323b5" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\3ec1f323b5" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| NL | 23.62.61.185:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 185.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| FI | 77.91.68.3:80 | | tcp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| FI | 77.91.68.3:80 | | tcp |
| FI | 77.91.68.3:80 | | tcp |
| FI | 77.91.68.3:80 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4912672.exe
| MD5 | 6c0d47fa8a9400d2ab02c92cb939d4be |
| SHA1 | 3301818aad302ceb9ece4912db4a68ceaefbd2d2 |
| SHA256 | be062d6ab948061ae69c5b3daa74e1ba65c9d808c0d4f66ceaa4c32a49a0f524 |
| SHA512 | 2f37a8ddb09aedc6fbaa9194d434f727840d9021b48cc1ab8f92d9aef7a3ddc979f721710033c6fc7d198e45325c7e6870a919e01c0a300c319ec791c9bb77fd |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2606131.exe
| MD5 | 5a1a774a5e54a905f0f99418b14a9f67 |
| SHA1 | bb0ca35d6c19261cc71562381f7e7b0d0917f033 |
| SHA256 | 5c28c68dd4dab5c823f5e985c9aad0521d701dde5bab6c6524f09ce7639e51c2 |
| SHA512 | a8c9ecc26514b6f531cb5271ca69a515abe477d833eff4d0f1fa851e0ffc9042eb58c3fd22ec066deb88bf560b352517c6ef4e50dfcdd49e96f7e8bb716e0560 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7242091.exe
| MD5 | 4870e240aa10c59dbf3dd0b63f02401c |
| SHA1 | 73b9bbeb6e24aabe9943cd7e1ac8effcc8f16f8e |
| SHA256 | 7d5110bcc343d5026c635a3d54c76fa6675b263fb5246d05bf7bb96864a2b561 |
| SHA512 | 0d8d2572b500f52ce93b35db9f5e918e306b0b2a450859da75aa42a7679d91cb5ac2ace7ac7838d7c1168fc323338104a300d1fd66d650fd03f24ac2e1731bca |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8749467.exe
| MD5 | ba8750c3ee2f96f8306237566e458f5b |
| SHA1 | 962ae41e251e20d254736e63bcf1ffd6827d5456 |
| SHA256 | 288f9868f3b220584aa23161b5c1b671fff728ab36635ae8ce0a1721e7ef30c4 |
| SHA512 | abfd5f9269bd7a04739661cd067307f195c5c8ffc8db8378d914f5fd18d6a6e6a8c51a509ba8c81b677fcf5fbe85ee9c352379fb293f39ac54696e98e459f530 |
memory/4180-28-0x0000000000510000-0x000000000051A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b1637171.exe
| MD5 | 7e93bacbbc33e6652e147e7fe07572a0 |
| SHA1 | 421a7167da01c8da4dc4d5234ca3dd84e319e762 |
| SHA256 | 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38 |
| SHA512 | 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91 |
memory/2824-37-0x0000000000AD0000-0x0000000000ADA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c0323673.exe
| MD5 | 47f39c4ad52ef8534ac3964d5c2aba92 |
| SHA1 | 4ab09d010b5ae8cd1f00f260c339f0ad7f86d8b8 |
| SHA256 | a0f1a7cb66e8a078ad2a0d1b94e3f2f3657d04454a2eb9d389788a7c9654506d |
| SHA512 | 11c725de1cf294a73d7ef1565978887c62a52dcbf7af519254a078ff2d2dadf7722c6db0bc9712298a404773813ebc1c9f960c8e6a958ad492765028893b8103 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d6555583.exe
| MD5 | 8c6b79ec436d7cf6950a804c1ec7d3e9 |
| SHA1 | 4a589d5605d8ef785fdc78b0bf64e769e3a21ad6 |
| SHA256 | 4e1377f9874f333dcb0b1b758e3131949e667fc39aadf3091e4e3b7cdbaeef1d |
| SHA512 | 06f2de433876963bb7bbddbe93cab0b7dd22164d1c10726294445944dcf5fa4a0fb450fc683c32565177a81a6103f6a5f11d291958bc7fcff7fdb9cf41a001ce |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e8333830.exe
| MD5 | 35a15fad3767597b01a20d75c3c6889a |
| SHA1 | eef19e2757667578f73c4b5720cf94c2ab6e60c8 |
| SHA256 | 90ccd84f28e4dd03fb70b8739c4636acbcf8a030404b5a24264afd1acd09ecbc |
| SHA512 | c1ea2659e28130f00869391a33dfdc2a763a710a56de2acaa6c71caa9c1eb5809e7ca1dfa1620ac5c3174052d3e277b832853a137a4663483855295fdab23577 |
memory/216-58-0x0000000000400000-0x0000000000409000-memory.dmp
memory/216-59-0x0000000000400000-0x0000000000409000-memory.dmp