Malware Analysis Report

2024-10-16 03:58

Sample ID 240510-qb9pjagb71
Target 205ae779babd66a06edef8f4549388af61dbb854e06c82a7f291317f4dbe780e
SHA256 205ae779babd66a06edef8f4549388af61dbb854e06c82a7f291317f4dbe780e
Tags
amadey healer redline nasa dropper evasion infostealer persistence trojan 5345987420 discovery spyware stealer lande mihan smokeloader backdoor upx krast kira crazy muha lamp masha
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral10

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral15

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral19

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral21

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral12

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral14

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral17

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral16

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral18

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral20

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral22

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral11

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral13

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral9

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

205ae779babd66a06edef8f4549388af61dbb854e06c82a7f291317f4dbe780e

Threat Level: Known bad

The file 205ae779babd66a06edef8f4549388af61dbb854e06c82a7f291317f4dbe780e was found to be: Known bad.

Malicious Activity Summary

amadey healer redline nasa dropper evasion infostealer persistence trojan 5345987420 discovery spyware stealer lande mihan smokeloader backdoor upx krast kira crazy muha lamp masha

Amadey

Modifies Windows Defender Real-time Protection settings

Detects Healer an antivirus disabler dropper

RedLine payload

Healer

SmokeLoader

RedLine

Executes dropped EXE

Checks computer location settings

Windows security modification

UPX packed file

Reads user/profile data of web browsers

Accesses cryptocurrency files/wallets, possible credential harvesting

Legitimate hosting services abused for malware hosting/C2

Adds Run key to start application

Checks installed software on the system

Suspicious use of SetThreadContext

Launches sc.exe

Enumerates physical storage devices

Program crash

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Checks SCSI registry key(s)

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-10 13:06

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-05-10 13:06

Reported

2024-05-10 13:09

Platform

win10v2004-20240426-en

Max time kernel

148s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\56dbfb10e07e622006233e2ca432e9b289e276470e18ab3efe037a1c17c40d5d.exe"

Signatures

Amadey

trojan amadey

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7056513.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7056513.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7056513.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7056513.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7056513.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7056513.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l3459085.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7056513.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\56dbfb10e07e622006233e2ca432e9b289e276470e18ab3efe037a1c17c40d5d.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3171866.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7056513.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7056513.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7056513.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4104 wrote to memory of 4444 N/A C:\Users\Admin\AppData\Local\Temp\56dbfb10e07e622006233e2ca432e9b289e276470e18ab3efe037a1c17c40d5d.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3171866.exe
PID 4104 wrote to memory of 4444 N/A C:\Users\Admin\AppData\Local\Temp\56dbfb10e07e622006233e2ca432e9b289e276470e18ab3efe037a1c17c40d5d.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3171866.exe
PID 4104 wrote to memory of 4444 N/A C:\Users\Admin\AppData\Local\Temp\56dbfb10e07e622006233e2ca432e9b289e276470e18ab3efe037a1c17c40d5d.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3171866.exe
PID 4444 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3171866.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7056513.exe
PID 4444 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3171866.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7056513.exe
PID 4444 wrote to memory of 1516 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3171866.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l3459085.exe
PID 4444 wrote to memory of 1516 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3171866.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l3459085.exe
PID 4444 wrote to memory of 1516 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3171866.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l3459085.exe
PID 1516 wrote to memory of 1344 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l3459085.exe C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
PID 1516 wrote to memory of 1344 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l3459085.exe C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
PID 1516 wrote to memory of 1344 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l3459085.exe C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
PID 4104 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\56dbfb10e07e622006233e2ca432e9b289e276470e18ab3efe037a1c17c40d5d.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n4445439.exe
PID 4104 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\56dbfb10e07e622006233e2ca432e9b289e276470e18ab3efe037a1c17c40d5d.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n4445439.exe
PID 4104 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\56dbfb10e07e622006233e2ca432e9b289e276470e18ab3efe037a1c17c40d5d.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n4445439.exe
PID 1344 wrote to memory of 3812 N/A C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe C:\Windows\SysWOW64\schtasks.exe
PID 1344 wrote to memory of 3812 N/A C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe C:\Windows\SysWOW64\schtasks.exe
PID 1344 wrote to memory of 3812 N/A C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe C:\Windows\SysWOW64\schtasks.exe
PID 1344 wrote to memory of 4052 N/A C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe C:\Windows\SysWOW64\cmd.exe
PID 1344 wrote to memory of 4052 N/A C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe C:\Windows\SysWOW64\cmd.exe
PID 1344 wrote to memory of 4052 N/A C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe C:\Windows\SysWOW64\cmd.exe
PID 4052 wrote to memory of 908 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4052 wrote to memory of 908 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4052 wrote to memory of 908 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4052 wrote to memory of 3388 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4052 wrote to memory of 3388 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4052 wrote to memory of 3388 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4052 wrote to memory of 4040 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4052 wrote to memory of 4040 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4052 wrote to memory of 4040 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4052 wrote to memory of 2792 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4052 wrote to memory of 2792 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4052 wrote to memory of 2792 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4052 wrote to memory of 4796 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4052 wrote to memory of 4796 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4052 wrote to memory of 4796 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4052 wrote to memory of 3108 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4052 wrote to memory of 3108 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4052 wrote to memory of 3108 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe

Processes

C:\Users\Admin\AppData\Local\Temp\56dbfb10e07e622006233e2ca432e9b289e276470e18ab3efe037a1c17c40d5d.exe

"C:\Users\Admin\AppData\Local\Temp\56dbfb10e07e622006233e2ca432e9b289e276470e18ab3efe037a1c17c40d5d.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3171866.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3171866.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7056513.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7056513.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l3459085.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l3459085.exe

C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe

"C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n4445439.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n4445439.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN danke.exe /TR "C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "danke.exe" /P "Admin:N"&&CACLS "danke.exe" /P "Admin:R" /E&&echo Y|CACLS "..\3ec1f323b5" /P "Admin:N"&&CACLS "..\3ec1f323b5" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "danke.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "danke.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\3ec1f323b5" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\3ec1f323b5" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe

C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe

C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe

C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe

C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe

C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start wuauserv

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.113:443 www.bing.com tcp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 113.61.62.23.in-addr.arpa udp
NL 23.62.61.99:443 www.bing.com tcp
US 8.8.8.8:53 99.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
FI 77.91.68.3:80 tcp
FI 77.91.68.68:19071 tcp
FI 77.91.68.68:19071 tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
FI 77.91.68.3:80 tcp
FI 77.91.68.68:19071 tcp
FI 77.91.68.3:80 tcp
FI 77.91.68.68:19071 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
FI 77.91.68.3:80 tcp
FI 77.91.68.68:19071 tcp
FI 77.91.68.3:80 tcp
FI 77.91.68.68:19071 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7056513.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3171866.exe

MD5 b435d6b953887f7a798aa82a97d2735e
SHA1 040f703a0203cf23702c6ff96b85a39654006505
SHA256 39b691839692b9cef4a116a81e30b4bee8cbc04bc169366c90a6338d14af3389
SHA512 a36150b1c22144d4e38d58c3574e45c59a6126185ec847b6c2282d4930b8a097e8e162e5af01c5f761e5510dafb855d7d6bcabe2801ec0852a75fb88c0a66379

memory/2524-15-0x0000000000BC0000-0x0000000000BCA000-memory.dmp

memory/2524-14-0x00007FFFFD403000-0x00007FFFFD405000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l3459085.exe

MD5 8c6b79ec436d7cf6950a804c1ec7d3e9
SHA1 4a589d5605d8ef785fdc78b0bf64e769e3a21ad6
SHA256 4e1377f9874f333dcb0b1b758e3131949e667fc39aadf3091e4e3b7cdbaeef1d
SHA512 06f2de433876963bb7bbddbe93cab0b7dd22164d1c10726294445944dcf5fa4a0fb450fc683c32565177a81a6103f6a5f11d291958bc7fcff7fdb9cf41a001ce

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n4445439.exe

MD5 ec5686f2f6eef77856a46505325aea33
SHA1 a58594f313adbd048b0ff2ac4e42603db57313ef
SHA256 f3cea04ccce7d837e9a850e3c82c83465828d18f1ddceb862a2cc411927a8874
SHA512 033857263c6ba7a1a5df2b441cb43c8e1d516eb5f298c76c00fdce7b7735e76921b5249d820f676355a7a0237f40af35497367d1319732b6629ab609ff154e08

memory/2908-33-0x0000000000420000-0x0000000000450000-memory.dmp

memory/2908-34-0x0000000002700000-0x0000000002706000-memory.dmp

memory/2908-35-0x0000000005530000-0x0000000005B48000-memory.dmp

memory/2908-36-0x0000000005020000-0x000000000512A000-memory.dmp

memory/2908-37-0x0000000004EE0000-0x0000000004EF2000-memory.dmp

memory/2908-38-0x0000000004F50000-0x0000000004F8C000-memory.dmp

memory/2908-39-0x0000000004F90000-0x0000000004FDC000-memory.dmp

Analysis: behavioral10

Detonation Overview

Submitted

2024-05-10 13:06

Reported

2024-05-10 13:09

Platform

win10v2004-20240508-en

Max time kernel

93s

Max time network

96s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5f7c9e83d80a652c6bde9ce18eaca08f9cb8a8012568629c5813a8e40f7e7ac5.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4044 set thread context of 2588 N/A C:\Users\Admin\AppData\Local\Temp\5f7c9e83d80a652c6bde9ce18eaca08f9cb8a8012568629c5813a8e40f7e7ac5.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4044 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\5f7c9e83d80a652c6bde9ce18eaca08f9cb8a8012568629c5813a8e40f7e7ac5.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4044 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\5f7c9e83d80a652c6bde9ce18eaca08f9cb8a8012568629c5813a8e40f7e7ac5.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4044 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\5f7c9e83d80a652c6bde9ce18eaca08f9cb8a8012568629c5813a8e40f7e7ac5.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4044 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\5f7c9e83d80a652c6bde9ce18eaca08f9cb8a8012568629c5813a8e40f7e7ac5.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4044 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\5f7c9e83d80a652c6bde9ce18eaca08f9cb8a8012568629c5813a8e40f7e7ac5.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4044 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\5f7c9e83d80a652c6bde9ce18eaca08f9cb8a8012568629c5813a8e40f7e7ac5.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4044 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\5f7c9e83d80a652c6bde9ce18eaca08f9cb8a8012568629c5813a8e40f7e7ac5.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4044 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\5f7c9e83d80a652c6bde9ce18eaca08f9cb8a8012568629c5813a8e40f7e7ac5.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5f7c9e83d80a652c6bde9ce18eaca08f9cb8a8012568629c5813a8e40f7e7ac5.exe

"C:\Users\Admin\AppData\Local\Temp\5f7c9e83d80a652c6bde9ce18eaca08f9cb8a8012568629c5813a8e40f7e7ac5.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 pastebin.com udp
US 104.20.4.235:443 pastebin.com tcp
US 8.8.8.8:53 omnomnom.top udp
DE 195.201.252.28:443 omnomnom.top tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 235.4.20.104.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 28.252.201.195.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.129:443 www.bing.com tcp
NL 23.62.61.129:443 www.bing.com tcp
US 8.8.8.8:53 129.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 142.53.16.96.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp

Files

memory/4044-0-0x0000000000FC0000-0x0000000000FC1000-memory.dmp

memory/4044-1-0x0000000000FC0000-0x0000000000FC1000-memory.dmp

memory/2588-2-0x0000000000400000-0x0000000000422000-memory.dmp

memory/4044-3-0x0000000000FC0000-0x0000000000FC1000-memory.dmp

memory/2588-4-0x0000000074A5E000-0x0000000074A5F000-memory.dmp

memory/2588-5-0x0000000005940000-0x00000000059A6000-memory.dmp

memory/2588-6-0x0000000006410000-0x0000000006A28000-memory.dmp

memory/2588-7-0x0000000005E80000-0x0000000005E92000-memory.dmp

memory/2588-8-0x0000000005FB0000-0x00000000060BA000-memory.dmp

memory/2588-9-0x0000000074A50000-0x0000000075200000-memory.dmp

memory/2588-10-0x0000000006C70000-0x0000000006CAC000-memory.dmp

memory/2588-11-0x0000000006CB0000-0x0000000006CFC000-memory.dmp

memory/2588-12-0x0000000006FF0000-0x00000000071B2000-memory.dmp

memory/2588-13-0x00000000076F0000-0x0000000007C1C000-memory.dmp

memory/2588-14-0x00000000071C0000-0x0000000007252000-memory.dmp

memory/2588-15-0x00000000081D0000-0x0000000008774000-memory.dmp

memory/2588-16-0x0000000007FB0000-0x0000000008026000-memory.dmp

memory/2588-17-0x0000000007680000-0x000000000769E000-memory.dmp

memory/2588-18-0x0000000007C90000-0x0000000007CE0000-memory.dmp

memory/2588-19-0x0000000074A5E000-0x0000000074A5F000-memory.dmp

memory/2588-20-0x0000000074A50000-0x0000000075200000-memory.dmp

memory/2588-22-0x0000000074A50000-0x0000000075200000-memory.dmp

Analysis: behavioral15

Detonation Overview

Submitted

2024-05-10 13:06

Reported

2024-05-10 13:09

Platform

win10v2004-20240426-en

Max time kernel

148s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\80f298c436aec6fc79755a500c4350e1d63215b9088f36710903936de3cedc94.exe"

Signatures

Amadey

trojan amadey

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h4606134.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h4606134.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h4606134.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h4606134.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h4606134.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h4606134.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g3294115.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h4606134.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\80f298c436aec6fc79755a500c4350e1d63215b9088f36710903936de3cedc94.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0096760.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h4606134.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h4606134.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h4606134.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4268 wrote to memory of 864 N/A C:\Users\Admin\AppData\Local\Temp\80f298c436aec6fc79755a500c4350e1d63215b9088f36710903936de3cedc94.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0096760.exe
PID 4268 wrote to memory of 864 N/A C:\Users\Admin\AppData\Local\Temp\80f298c436aec6fc79755a500c4350e1d63215b9088f36710903936de3cedc94.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0096760.exe
PID 4268 wrote to memory of 864 N/A C:\Users\Admin\AppData\Local\Temp\80f298c436aec6fc79755a500c4350e1d63215b9088f36710903936de3cedc94.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0096760.exe
PID 864 wrote to memory of 3948 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0096760.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g3294115.exe
PID 864 wrote to memory of 3948 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0096760.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g3294115.exe
PID 864 wrote to memory of 3948 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0096760.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g3294115.exe
PID 3948 wrote to memory of 3912 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g3294115.exe C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
PID 3948 wrote to memory of 3912 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g3294115.exe C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
PID 3948 wrote to memory of 3912 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g3294115.exe C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
PID 864 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0096760.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h4606134.exe
PID 864 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0096760.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h4606134.exe
PID 3912 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe C:\Windows\SysWOW64\schtasks.exe
PID 3912 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe C:\Windows\SysWOW64\schtasks.exe
PID 3912 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe C:\Windows\SysWOW64\schtasks.exe
PID 3912 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe C:\Windows\SysWOW64\cmd.exe
PID 3912 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe C:\Windows\SysWOW64\cmd.exe
PID 3912 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe C:\Windows\SysWOW64\cmd.exe
PID 2176 wrote to memory of 5052 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2176 wrote to memory of 5052 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2176 wrote to memory of 5052 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2176 wrote to memory of 4660 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2176 wrote to memory of 4660 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2176 wrote to memory of 4660 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2176 wrote to memory of 5116 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2176 wrote to memory of 5116 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2176 wrote to memory of 5116 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2176 wrote to memory of 4588 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2176 wrote to memory of 4588 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2176 wrote to memory of 4588 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2176 wrote to memory of 4200 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2176 wrote to memory of 4200 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2176 wrote to memory of 4200 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2176 wrote to memory of 816 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2176 wrote to memory of 816 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2176 wrote to memory of 816 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4268 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\80f298c436aec6fc79755a500c4350e1d63215b9088f36710903936de3cedc94.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j6935570.exe
PID 4268 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\80f298c436aec6fc79755a500c4350e1d63215b9088f36710903936de3cedc94.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j6935570.exe
PID 4268 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\80f298c436aec6fc79755a500c4350e1d63215b9088f36710903936de3cedc94.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j6935570.exe

Processes

C:\Users\Admin\AppData\Local\Temp\80f298c436aec6fc79755a500c4350e1d63215b9088f36710903936de3cedc94.exe

"C:\Users\Admin\AppData\Local\Temp\80f298c436aec6fc79755a500c4350e1d63215b9088f36710903936de3cedc94.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0096760.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0096760.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g3294115.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g3294115.exe

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

"C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe"

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h4606134.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h4606134.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN pdates.exe /TR "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "pdates.exe" /P "Admin:N"&&CACLS "pdates.exe" /P "Admin:R" /E&&echo Y|CACLS "..\925e7e99c5" /P "Admin:N"&&CACLS "..\925e7e99c5" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "pdates.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "pdates.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\925e7e99c5" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\925e7e99c5" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j6935570.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j6935570.exe

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
FI 77.91.68.61:80 tcp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
FI 77.91.124.84:19071 tcp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
FI 77.91.124.84:19071 tcp
FI 77.91.68.61:80 tcp
FI 77.91.124.84:19071 tcp
FI 77.91.68.61:80 tcp
FI 77.91.124.84:19071 tcp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
BE 2.17.107.129:443 www.bing.com tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 129.107.17.2.in-addr.arpa udp
BE 2.17.107.129:443 www.bing.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
FI 77.91.124.84:19071 tcp
FI 77.91.124.84:19071 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0096760.exe

MD5 c44e5c1dbc033b88b23bfd9c2265aec0
SHA1 746ba7772a23637a08499675b52c85928ebdd364
SHA256 892a8cab1020cfab60d998bf5ace63d960dced1c6a4f047d910eeaf729021bb8
SHA512 0ae27e9cb9bed8aabf871eaab509142ecaf024f96dcd79f256388bdd1044c5ad788a4b6da7d470c9cd4871b917d27d4cb765dba398b167d00dfe3e299d45bbbf

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g3294115.exe

MD5 aea234064483f651010cf9d981f59fea
SHA1 002ad73a666d2d92d0c6d6b617e61c6fa0c5f3a6
SHA256 58b02c8b4bc2bf7f5f1e8e45d7c206956f188ae56b648922ca75987b999db503
SHA512 eae415ef55aeb1b4548c2422a72e618fce17c2c1322918d33dc6b9202a01c743a5684ba28e5d83b6cdb2b703bc12569e6bb0e87ef2decb4e8a18592e1380a434

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h4606134.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

memory/1932-27-0x0000000000DB0000-0x0000000000DBA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j6935570.exe

MD5 b9b326df936041afe740e52293cd89e5
SHA1 91b8c4a97b2a09fdc30fadbe95eb26b64947e6cb
SHA256 b3f51ad219c924a14b0461a475e030dade3c4b8176376fd855c90c0300d70185
SHA512 d1f20bca31b33e7df3e94a1a5d194738fb968d3d637b2fd4a851ce70a1392b48218d208ac31398b52608678b934a17e9095e1653cfbbdb9b250ad56b0d0633b8

memory/2084-32-0x0000000000800000-0x0000000000830000-memory.dmp

memory/2084-33-0x0000000001230000-0x0000000001236000-memory.dmp

memory/2084-34-0x000000000AD20000-0x000000000B338000-memory.dmp

memory/2084-35-0x000000000A810000-0x000000000A91A000-memory.dmp

memory/2084-36-0x000000000A700000-0x000000000A712000-memory.dmp

memory/2084-37-0x000000000A760000-0x000000000A79C000-memory.dmp

memory/2084-38-0x0000000002C20000-0x0000000002C6C000-memory.dmp

Analysis: behavioral19

Detonation Overview

Submitted

2024-05-10 13:06

Reported

2024-05-10 13:09

Platform

win10v2004-20240508-en

Max time kernel

142s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c47b15f9672b5795b62a389de76336302127184be510254d08b9b5100134dd7d.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a3027297.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a3027297.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a3027297.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a3027297.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a3027297.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a3027297.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a3027297.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\b5851738.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a3027297.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a3027297.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\c47b15f9672b5795b62a389de76336302127184be510254d08b9b5100134dd7d.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a3027297.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a3027297.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a3027297.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\c47b15f9672b5795b62a389de76336302127184be510254d08b9b5100134dd7d.exe

"C:\Users\Admin\AppData\Local\Temp\c47b15f9672b5795b62a389de76336302127184be510254d08b9b5100134dd7d.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a3027297.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a3027297.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\b5851738.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\b5851738.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
NL 23.62.61.106:443 www.bing.com tcp
US 8.8.8.8:53 106.61.62.23.in-addr.arpa udp
DE 217.196.96.101:4132 tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 139.53.16.96.in-addr.arpa udp
DE 217.196.96.101:4132 tcp
DE 217.196.96.101:4132 tcp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
DE 217.196.96.101:4132 tcp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
DE 217.196.96.101:4132 tcp
DE 217.196.96.101:4132 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a3027297.exe

MD5 a92537fedf49fd467c41d80bde9ba55d
SHA1 685abba2395ef1a3405f91e849e452ee4aa99226
SHA256 a0e9f5fb78ce13719eba331ddc31e1c9e0c7712c8466692695331657658ff404
SHA512 c90ceefe96baeb9583e1834ec1b3b058785cf466a2d998c32e3e644413e9ad515359ccccb87c8575af0120be27af3dd167dcdbe01c3246fb451b6d321c80282f

memory/4136-7-0x0000000073FDE000-0x0000000073FDF000-memory.dmp

memory/4136-8-0x00000000024A0000-0x00000000024BA000-memory.dmp

memory/4136-9-0x0000000073FD0000-0x0000000074780000-memory.dmp

memory/4136-10-0x0000000004B30000-0x00000000050D4000-memory.dmp

memory/4136-12-0x0000000073FD0000-0x0000000074780000-memory.dmp

memory/4136-11-0x0000000004AC0000-0x0000000004AD8000-memory.dmp

memory/4136-13-0x0000000073FD0000-0x0000000074780000-memory.dmp

memory/4136-41-0x0000000004AC0000-0x0000000004AD2000-memory.dmp

memory/4136-39-0x0000000004AC0000-0x0000000004AD2000-memory.dmp

memory/4136-37-0x0000000004AC0000-0x0000000004AD2000-memory.dmp

memory/4136-35-0x0000000004AC0000-0x0000000004AD2000-memory.dmp

memory/4136-33-0x0000000004AC0000-0x0000000004AD2000-memory.dmp

memory/4136-31-0x0000000004AC0000-0x0000000004AD2000-memory.dmp

memory/4136-29-0x0000000004AC0000-0x0000000004AD2000-memory.dmp

memory/4136-27-0x0000000004AC0000-0x0000000004AD2000-memory.dmp

memory/4136-25-0x0000000004AC0000-0x0000000004AD2000-memory.dmp

memory/4136-23-0x0000000004AC0000-0x0000000004AD2000-memory.dmp

memory/4136-21-0x0000000004AC0000-0x0000000004AD2000-memory.dmp

memory/4136-19-0x0000000004AC0000-0x0000000004AD2000-memory.dmp

memory/4136-17-0x0000000004AC0000-0x0000000004AD2000-memory.dmp

memory/4136-15-0x0000000004AC0000-0x0000000004AD2000-memory.dmp

memory/4136-14-0x0000000004AC0000-0x0000000004AD2000-memory.dmp

memory/4136-43-0x0000000073FD0000-0x0000000074780000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\b5851738.exe

MD5 a71b72e1859bd9a5c048a3c5ee5dfc7b
SHA1 99896b37b82091d11c534ec59e0c4204f4cd0fcc
SHA256 141b7eea951585dfd88dbdcd219722d2d8307fc7cbf8c720bd23e3b897966d60
SHA512 b970d9a52df7a0f34e53515f0a6ca9f6cd01d6b1efefc0c4ccbd08a789281251a57181f813e2c2ddef1d679e73f15357842367307052dd25204c16904c605ce1

memory/3204-48-0x0000000073F80000-0x000000007402B000-memory.dmp

memory/3204-47-0x0000000000330000-0x0000000000360000-memory.dmp

memory/3204-49-0x0000000004B10000-0x0000000004B16000-memory.dmp

memory/3204-50-0x000000000A780000-0x000000000AD98000-memory.dmp

memory/3204-51-0x000000000A2E0000-0x000000000A3EA000-memory.dmp

memory/3204-52-0x000000000A210000-0x000000000A222000-memory.dmp

memory/3204-53-0x0000000073F80000-0x000000007402B000-memory.dmp

memory/3204-54-0x000000000A270000-0x000000000A2AC000-memory.dmp

memory/3204-55-0x00000000044F0000-0x000000000453C000-memory.dmp

memory/3204-56-0x0000000073F80000-0x000000007402B000-memory.dmp

Analysis: behavioral21

Detonation Overview

Submitted

2024-05-10 13:06

Reported

2024-05-10 13:09

Platform

win10v2004-20240508-en

Max time kernel

145s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cfdc6cd562d69f4233d6d8bcde44d4bd5e6825bd17383e6bb2f76b9fd006ead3.exe"

Signatures

Amadey

trojan amadey

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a0825239.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a0825239.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a0825239.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a0825239.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a0825239.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a0825239.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b4802302.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a0825239.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\cfdc6cd562d69f4233d6d8bcde44d4bd5e6825bd17383e6bb2f76b9fd006ead3.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4435054.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6076158.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c6942777.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c6942777.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c6942777.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a0825239.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a0825239.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a0825239.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1448 wrote to memory of 4336 N/A C:\Users\Admin\AppData\Local\Temp\cfdc6cd562d69f4233d6d8bcde44d4bd5e6825bd17383e6bb2f76b9fd006ead3.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4435054.exe
PID 1448 wrote to memory of 4336 N/A C:\Users\Admin\AppData\Local\Temp\cfdc6cd562d69f4233d6d8bcde44d4bd5e6825bd17383e6bb2f76b9fd006ead3.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4435054.exe
PID 1448 wrote to memory of 4336 N/A C:\Users\Admin\AppData\Local\Temp\cfdc6cd562d69f4233d6d8bcde44d4bd5e6825bd17383e6bb2f76b9fd006ead3.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4435054.exe
PID 4336 wrote to memory of 4284 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4435054.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6076158.exe
PID 4336 wrote to memory of 4284 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4435054.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6076158.exe
PID 4336 wrote to memory of 4284 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4435054.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6076158.exe
PID 4284 wrote to memory of 4668 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6076158.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a0825239.exe
PID 4284 wrote to memory of 4668 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6076158.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a0825239.exe
PID 4284 wrote to memory of 3784 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6076158.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b4802302.exe
PID 4284 wrote to memory of 3784 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6076158.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b4802302.exe
PID 4284 wrote to memory of 3784 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6076158.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b4802302.exe
PID 3784 wrote to memory of 4660 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b4802302.exe C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
PID 3784 wrote to memory of 4660 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b4802302.exe C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
PID 3784 wrote to memory of 4660 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b4802302.exe C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
PID 4336 wrote to memory of 3700 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4435054.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c6942777.exe
PID 4336 wrote to memory of 3700 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4435054.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c6942777.exe
PID 4336 wrote to memory of 3700 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4435054.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c6942777.exe
PID 1448 wrote to memory of 3708 N/A C:\Users\Admin\AppData\Local\Temp\cfdc6cd562d69f4233d6d8bcde44d4bd5e6825bd17383e6bb2f76b9fd006ead3.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d8501327.exe
PID 1448 wrote to memory of 3708 N/A C:\Users\Admin\AppData\Local\Temp\cfdc6cd562d69f4233d6d8bcde44d4bd5e6825bd17383e6bb2f76b9fd006ead3.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d8501327.exe
PID 1448 wrote to memory of 3708 N/A C:\Users\Admin\AppData\Local\Temp\cfdc6cd562d69f4233d6d8bcde44d4bd5e6825bd17383e6bb2f76b9fd006ead3.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d8501327.exe
PID 4660 wrote to memory of 4392 N/A C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe C:\Windows\SysWOW64\schtasks.exe
PID 4660 wrote to memory of 4392 N/A C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe C:\Windows\SysWOW64\schtasks.exe
PID 4660 wrote to memory of 4392 N/A C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe C:\Windows\SysWOW64\schtasks.exe
PID 4660 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe C:\Windows\SysWOW64\cmd.exe
PID 4660 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe C:\Windows\SysWOW64\cmd.exe
PID 4660 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe C:\Windows\SysWOW64\cmd.exe
PID 1884 wrote to memory of 932 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1884 wrote to memory of 932 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1884 wrote to memory of 932 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1884 wrote to memory of 1996 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1884 wrote to memory of 1996 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1884 wrote to memory of 1996 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1884 wrote to memory of 3252 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1884 wrote to memory of 3252 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1884 wrote to memory of 3252 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1884 wrote to memory of 1752 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1884 wrote to memory of 1752 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1884 wrote to memory of 1752 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1884 wrote to memory of 1188 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1884 wrote to memory of 1188 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1884 wrote to memory of 1188 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1884 wrote to memory of 1824 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1884 wrote to memory of 1824 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1884 wrote to memory of 1824 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe

Processes

C:\Users\Admin\AppData\Local\Temp\cfdc6cd562d69f4233d6d8bcde44d4bd5e6825bd17383e6bb2f76b9fd006ead3.exe

"C:\Users\Admin\AppData\Local\Temp\cfdc6cd562d69f4233d6d8bcde44d4bd5e6825bd17383e6bb2f76b9fd006ead3.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4435054.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4435054.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6076158.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6076158.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a0825239.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a0825239.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b4802302.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b4802302.exe

C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe

"C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe"

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c6942777.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c6942777.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d8501327.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d8501327.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN danke.exe /TR "C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "danke.exe" /P "Admin:N"&&CACLS "danke.exe" /P "Admin:R" /E&&echo Y|CACLS "..\3ec1f323b5" /P "Admin:N"&&CACLS "..\3ec1f323b5" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "danke.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "danke.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\3ec1f323b5" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\3ec1f323b5" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe

C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe

C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe

C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe

C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe

C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.72:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.72:443 www.bing.com tcp
US 8.8.8.8:53 72.61.62.23.in-addr.arpa udp
FI 77.91.68.3:80 tcp
FI 77.91.68.68:19071 tcp
FI 77.91.68.68:19071 tcp
FI 77.91.68.3:80 tcp
FI 77.91.68.68:19071 tcp
FI 77.91.68.3:80 tcp
FI 77.91.68.68:19071 tcp
FI 77.91.68.3:80 tcp
FI 77.91.68.68:19071 tcp
FI 77.91.68.3:80 tcp
FI 77.91.68.68:19071 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4435054.exe

MD5 91933e51696584a07d7c09e2e13141f5
SHA1 0f24a6ac68fb31fb27b7c2a0710ad37019447204
SHA256 51b3eccbb193d1455e060d100fcbf91133f137aebc267fb4b9a4b91952126498
SHA512 ccaf03c65b0ae52dad65d5395d16aedb6abe777962a4c6f5cfeb1831d41ed0d0bba6c2d6e62071337b5bfcb34996d68e94ece6bb56110c88f49719d7be2c45c8

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6076158.exe

MD5 0711e5b846ebcd95fdcce83aa82ee27d
SHA1 87975557ea8e9efda716a9377dde46b57a7662e8
SHA256 06193190d3c01ff9e2fa5eafb338a958d74abbe89259f7f70391df0721f9a332
SHA512 26fbf12831309e5dd644a73743cd518afff4e9a582893302588ac60552c191e3d21dcd5c2e3cd13fc70ede345aa7ae2e05785e10cd2fc23d0d78cb61153f0c1e

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a0825239.exe

MD5 7142af778ac7df1f47ee0f67c5969d10
SHA1 1c951387ce612014321c82bb225b7ca674bc3dd8
SHA256 bbcf2054c9add3d18e308671ee5b1f3cebe898baf3634394b5bbb4c3855c512c
SHA512 d96b464e2e156dbb4afd6cde6f916398db0a6883914a71e682d4170e14b0047a8e59b0b1a5762addeff2b54ef0347cf6dde4e7032bd54d3845ba610616dfa17d

memory/4668-22-0x00000000002E0000-0x00000000002EA000-memory.dmp

memory/4668-21-0x00007FFA734D3000-0x00007FFA734D5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b4802302.exe

MD5 270a148b44bad929ed1a4adc8cbd94a2
SHA1 55a61daf7fa7f81317d3bacf86064cf27eab3649
SHA256 f125c5d00d3075ed916a60e58897b960eee948a141f793577ad013c85cb91809
SHA512 e9ae358b7e659403326f4da5196217636e24dc09b68c487bd62523d3390ed727247b9a74ecad802277b9d831f95e645e7b40bfe162cf08f6fd3340eb82109c59

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c6942777.exe

MD5 ecaccb61a433da4a9745317a688738ed
SHA1 54aad35ff3dbb45a12263306af2a409e56ffa5a0
SHA256 35c335eb5c241a978210148f6886ca0ee20bcd368b17bbaf15eaac5465d14132
SHA512 d4379e9fad838589d447b1a7494f5fff9e9c8797e24bdab00fe3a9f5704135e6263e15432b3dc1fa6c719e93a20271962be87f3be0873f78d7b83d0a4f31dea0

memory/3700-40-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d8501327.exe

MD5 12c1ab680089f44c182ab0d1f4a95ae1
SHA1 4a9cfa25e4810ff2428356308e3317aee191d541
SHA256 4a62ceddedc8c2a3cd54f23196890111038241c4f792ebd949d80385cad0f3f5
SHA512 46682624d94f3131db1b196d6bb47ac6e367045fc779a309d8433fc54e6f9ef6edbf99479f976437e5601b9e5f479909bbb46a353f07416790892641c64764ff

memory/3708-44-0x0000000000CC0000-0x0000000000CF0000-memory.dmp

memory/3708-45-0x00000000030F0000-0x00000000030F6000-memory.dmp

memory/3708-46-0x0000000005D60000-0x0000000006378000-memory.dmp

memory/3708-47-0x0000000005850000-0x000000000595A000-memory.dmp

memory/3708-48-0x0000000005790000-0x00000000057A2000-memory.dmp

memory/3708-49-0x00000000057F0000-0x000000000582C000-memory.dmp

memory/3708-50-0x0000000005960000-0x00000000059AC000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-10 13:06

Reported

2024-05-10 13:10

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\136b546d35913e21d69572f169ae203809c1521256619595aa6b15d763436c01.exe"

Signatures

Amadey

trojan amadey

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a8043257.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a8043257.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a8043257.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a8043257.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a8043257.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a8043257.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8513497.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a8043257.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\136b546d35913e21d69572f169ae203809c1521256619595aa6b15d763436c01.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7683048.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2538163.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c0003853.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c0003853.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c0003853.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a8043257.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a8043257.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a8043257.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2000 wrote to memory of 4920 N/A C:\Users\Admin\AppData\Local\Temp\136b546d35913e21d69572f169ae203809c1521256619595aa6b15d763436c01.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7683048.exe
PID 2000 wrote to memory of 4920 N/A C:\Users\Admin\AppData\Local\Temp\136b546d35913e21d69572f169ae203809c1521256619595aa6b15d763436c01.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7683048.exe
PID 2000 wrote to memory of 4920 N/A C:\Users\Admin\AppData\Local\Temp\136b546d35913e21d69572f169ae203809c1521256619595aa6b15d763436c01.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7683048.exe
PID 4920 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7683048.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2538163.exe
PID 4920 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7683048.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2538163.exe
PID 4920 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7683048.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2538163.exe
PID 2172 wrote to memory of 3468 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2538163.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a8043257.exe
PID 2172 wrote to memory of 3468 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2538163.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a8043257.exe
PID 2172 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2538163.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8513497.exe
PID 2172 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2538163.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8513497.exe
PID 2172 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2538163.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8513497.exe
PID 1952 wrote to memory of 3392 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8513497.exe C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
PID 1952 wrote to memory of 3392 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8513497.exe C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
PID 1952 wrote to memory of 3392 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8513497.exe C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
PID 4920 wrote to memory of 3048 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7683048.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c0003853.exe
PID 4920 wrote to memory of 3048 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7683048.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c0003853.exe
PID 4920 wrote to memory of 3048 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7683048.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c0003853.exe
PID 3392 wrote to memory of 4672 N/A C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe C:\Windows\SysWOW64\schtasks.exe
PID 3392 wrote to memory of 4672 N/A C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe C:\Windows\SysWOW64\schtasks.exe
PID 3392 wrote to memory of 4672 N/A C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe C:\Windows\SysWOW64\schtasks.exe
PID 3392 wrote to memory of 3520 N/A C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe C:\Windows\SysWOW64\cmd.exe
PID 3392 wrote to memory of 3520 N/A C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe C:\Windows\SysWOW64\cmd.exe
PID 3392 wrote to memory of 3520 N/A C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe C:\Windows\SysWOW64\cmd.exe
PID 3520 wrote to memory of 3876 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3520 wrote to memory of 3876 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3520 wrote to memory of 3876 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3520 wrote to memory of 3996 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3520 wrote to memory of 3996 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3520 wrote to memory of 3996 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3520 wrote to memory of 1888 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3520 wrote to memory of 1888 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3520 wrote to memory of 1888 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3520 wrote to memory of 1540 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3520 wrote to memory of 1540 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3520 wrote to memory of 1540 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3520 wrote to memory of 1384 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3520 wrote to memory of 1384 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3520 wrote to memory of 1384 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3520 wrote to memory of 4596 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3520 wrote to memory of 4596 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3520 wrote to memory of 4596 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2000 wrote to memory of 3936 N/A C:\Users\Admin\AppData\Local\Temp\136b546d35913e21d69572f169ae203809c1521256619595aa6b15d763436c01.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d6120877.exe
PID 2000 wrote to memory of 3936 N/A C:\Users\Admin\AppData\Local\Temp\136b546d35913e21d69572f169ae203809c1521256619595aa6b15d763436c01.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d6120877.exe
PID 2000 wrote to memory of 3936 N/A C:\Users\Admin\AppData\Local\Temp\136b546d35913e21d69572f169ae203809c1521256619595aa6b15d763436c01.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d6120877.exe

Processes

C:\Users\Admin\AppData\Local\Temp\136b546d35913e21d69572f169ae203809c1521256619595aa6b15d763436c01.exe

"C:\Users\Admin\AppData\Local\Temp\136b546d35913e21d69572f169ae203809c1521256619595aa6b15d763436c01.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7683048.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7683048.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2538163.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2538163.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a8043257.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a8043257.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8513497.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8513497.exe

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

"C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe"

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c0003853.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c0003853.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN pdates.exe /TR "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "pdates.exe" /P "Admin:N"&&CACLS "pdates.exe" /P "Admin:R" /E&&echo Y|CACLS "..\925e7e99c5" /P "Admin:N"&&CACLS "..\925e7e99c5" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "pdates.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "pdates.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\925e7e99c5" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\925e7e99c5" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d6120877.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d6120877.exe

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

Network

Country Destination Domain Proto
FI 77.91.68.61:80 tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
FI 77.91.68.68:19071 tcp
FI 77.91.68.61:80 tcp
FI 77.91.68.68:19071 tcp
FI 77.91.68.61:80 tcp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
FI 77.91.68.68:19071 tcp
FI 77.91.68.68:19071 tcp
FI 77.91.68.68:19071 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7683048.exe

MD5 17332abda5233f92b5d46c7129dad846
SHA1 c7d990591355e6988c5466640eb78e54dcc2e302
SHA256 ddfcd0b0522fe7f3a66080c2b6333eb5f7a503604fc76eaee438af682f2d07a4
SHA512 3d1c6678e467003576b981b3093df2b95d457bf46d74821ce51015268b7d61666f86710a893d4e8dda7a9583a6b987cd15897c4fcd618adf25962f17207bb3d7

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2538163.exe

MD5 8494092bb93d80ddf730b1119315a031
SHA1 014bb057cd19d4968e160c7a9c231b2932436152
SHA256 3d140eebec64936b8b093214a0e589f8ae995b0fe0b8635597c5378284298611
SHA512 e7114b1b3fcd6ac28b3088cce2d116b7252fd0431cdbcd785b847f30df87bca6f732e952301ed5a595ced88d4125d0996881a5deb321be3432eafaec4aae45f4

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a8043257.exe

MD5 011e97057df685ee7620914e53d80c08
SHA1 ac78a1ebffc0cce4e987c17d79c8c61db8d4323f
SHA256 a4941dfa59a520e9bcd49d313a2db0770789e7df586131061fe0d5960920941f
SHA512 8834c2e0977eec550529ca8d3a8956849df2834c8667e8623adc83ec665610a4b1e03f1d1e007d083c5d8e79dc5af84a79ceff3af5dcaca7f4b2c8579bc1e2bc

memory/3468-21-0x00007FF800713000-0x00007FF800715000-memory.dmp

memory/3468-22-0x0000000000160000-0x000000000016A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8513497.exe

MD5 eaf4f611e83549958aae0501949e6113
SHA1 5ccdba08aa690d238bea6aca39cc70fb5dc4929e
SHA256 9b9f97512cf3c162f6952a330b6dfbcf5c3237886fce33aa47a10278e1b460ff
SHA512 2ee132317513d0c353208abcae8a7703845bf956ed1be9cfdf96abfb1e80c7243dc394b2c274cccded98d42b2b2cf1031984ba7cb0530197598eb35ccf1ed79f

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c0003853.exe

MD5 0d304db5e5b152bb08b93caba5a2d025
SHA1 305dd8884ed442f1e2b87ddc9d99598715a61c21
SHA256 4c5bc68a3e120a583b90f83f158d22dd67ef9b4bc0ce66b57b130877569dfc71
SHA512 1ae21e5d8b19ff67fc0e5d42052314d67d72639cfdbe7a04538578e16d5585587ec1704f830df05392c9e5e92185e0b2e6fd914c1ce7131c3789be8072722060

memory/3048-40-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d6120877.exe

MD5 b4e645e86f9c734c67eae379df6f4a9a
SHA1 b83783629138441cd29e7e458ab4674a871171c3
SHA256 0fecb3e2d66bee2c7df80b58166684f3e1ca5a658bfc320d70e067199763086f
SHA512 e23193579d2cde966cc8dfd98d40f776c6b9c8684d5ce6d5e9d18e543e4bc217e185a541735364bf8571d39dd2641bfa3495d59ca0ddbb048c92d17ce9178184

memory/3936-45-0x0000000000820000-0x0000000000850000-memory.dmp

memory/3936-46-0x00000000012B0000-0x00000000012B6000-memory.dmp

memory/3936-47-0x000000000AB90000-0x000000000B1A8000-memory.dmp

memory/3936-48-0x000000000A690000-0x000000000A79A000-memory.dmp

memory/3936-49-0x000000000A5D0000-0x000000000A5E2000-memory.dmp

memory/3936-50-0x000000000A630000-0x000000000A66C000-memory.dmp

memory/3936-51-0x0000000004B80000-0x0000000004BCC000-memory.dmp

Analysis: behavioral6

Detonation Overview

Submitted

2024-05-10 13:06

Reported

2024-05-10 13:09

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\28e73a10869c3ce55af51de963cb8f48eac48b8f171602308b167d940e58899a.exe"

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\28e73a10869c3ce55af51de963cb8f48eac48b8f171602308b167d940e58899a.exe

"C:\Users\Admin\AppData\Local\Temp\28e73a10869c3ce55af51de963cb8f48eac48b8f171602308b167d940e58899a.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.106:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 106.61.62.23.in-addr.arpa udp
NL 23.62.61.106:443 www.bing.com tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 142.53.16.96.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp
US 8.8.8.8:53 106.246.116.51.in-addr.arpa udp

Files

memory/3348-0-0x00007FF7B8580000-0x00007FF7BDA0F000-memory.dmp

memory/3348-1-0x00007FF7B8580000-0x00007FF7BDA0F000-memory.dmp

Analysis: behavioral12

Detonation Overview

Submitted

2024-05-10 13:06

Reported

2024-05-10 13:09

Platform

win10v2004-20240426-en

Max time kernel

148s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6b061fa4768c28530459442828163e1c4cf33aa058cd0846566771b57ecf36e8.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0140419.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0140419.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0140419.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0140419.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0140419.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0140419.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0140419.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0140419.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\6b061fa4768c28530459442828163e1c4cf33aa058cd0846566771b57ecf36e8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2308083.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0140419.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0140419.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0140419.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4212 wrote to memory of 372 N/A C:\Users\Admin\AppData\Local\Temp\6b061fa4768c28530459442828163e1c4cf33aa058cd0846566771b57ecf36e8.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2308083.exe
PID 4212 wrote to memory of 372 N/A C:\Users\Admin\AppData\Local\Temp\6b061fa4768c28530459442828163e1c4cf33aa058cd0846566771b57ecf36e8.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2308083.exe
PID 4212 wrote to memory of 372 N/A C:\Users\Admin\AppData\Local\Temp\6b061fa4768c28530459442828163e1c4cf33aa058cd0846566771b57ecf36e8.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2308083.exe
PID 372 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2308083.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0140419.exe
PID 372 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2308083.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0140419.exe
PID 372 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2308083.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0140419.exe
PID 372 wrote to memory of 4544 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2308083.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l0067136.exe
PID 372 wrote to memory of 4544 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2308083.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l0067136.exe
PID 372 wrote to memory of 4544 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2308083.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l0067136.exe

Processes

C:\Users\Admin\AppData\Local\Temp\6b061fa4768c28530459442828163e1c4cf33aa058cd0846566771b57ecf36e8.exe

"C:\Users\Admin\AppData\Local\Temp\6b061fa4768c28530459442828163e1c4cf33aa058cd0846566771b57ecf36e8.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2308083.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2308083.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0140419.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0140419.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l0067136.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l0067136.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
NL 23.62.61.129:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.129:443 www.bing.com tcp
US 8.8.8.8:53 129.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
FI 77.91.68.48:19071 tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 139.53.16.96.in-addr.arpa udp
FI 77.91.68.48:19071 tcp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
FI 77.91.68.48:19071 tcp
FI 77.91.68.48:19071 tcp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
FI 77.91.68.48:19071 tcp
FI 77.91.68.48:19071 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2308083.exe

MD5 9c6164d041c24db6736a51008707f2a6
SHA1 c11101f7b72a3a0249f3e873bdd3735c1d8267fe
SHA256 bf73429ee52f9270d33a8197ee4e52727f33a67083eb1ae40adfbc8b2dbe2075
SHA512 847f56104d115c6b8e59a02fd5252a6e52a8511faf01b59d86fb3abbef1fab226cc5abce2c8921777c0db88e616b6f14028cdfcbd09fc6b6bfc06c5e4aaca2b0

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0140419.exe

MD5 5663b528b5976a2873c447dbcb05b6af
SHA1 c4e5c3993293c0441f80d4434d177708962bb78f
SHA256 082e8efad9dc970b2395071b67565558033a397e71cb304fea335ae18b739edf
SHA512 1c352c1c48faa071b627b152c0898ac7e0e5c685478a79561d388a9a2563ce27c221b05b1e9572b62788dbca008da5858a2d33889b086f254d633f725e3600e2

memory/2832-14-0x0000000000401000-0x0000000000402000-memory.dmp

memory/2832-15-0x0000000000420000-0x000000000042A000-memory.dmp

memory/2832-19-0x0000000000400000-0x0000000000412000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l0067136.exe

MD5 f5fbed4a17d320d04f69af6ba9604b80
SHA1 a41d2a644b5bdb23f41b194a06db0fb5e0ff61aa
SHA256 9a8624b0e10ff7c1764e3cb07d2371b70dd4cf3ad32e8a0f41e5de4db11dacee
SHA512 ae0221d3b79a220d9433c3b2ee243cb61b1f02a65e55337cc40afc978ad3f0c1dc2ae45cabcbe3e69e4e49f25a5db762bf4f891ad2a97fb1a6b11a62dc6c4cda

memory/4544-26-0x0000000001E00000-0x0000000001E30000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\System.dll.log

MD5 916851e072fbabc4796d8916c5131092
SHA1 d48a602229a690c512d5fdaf4c8d77547a88e7a2
SHA256 7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d
SHA512 07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

memory/4544-30-0x00000000022E0000-0x00000000022E6000-memory.dmp

memory/4544-31-0x0000000009E80000-0x000000000A498000-memory.dmp

memory/4544-32-0x000000000A500000-0x000000000A60A000-memory.dmp

memory/4544-33-0x000000000A640000-0x000000000A652000-memory.dmp

memory/4544-34-0x000000000A660000-0x000000000A69C000-memory.dmp

memory/4544-35-0x0000000004490000-0x00000000044DC000-memory.dmp

Analysis: behavioral14

Detonation Overview

Submitted

2024-05-10 13:06

Reported

2024-05-10 13:09

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7d1f6eeb31bd2e40692c777766b604a0bf50848518f5c931a53d7c48b988e8ef.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p3979865.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p3979865.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p3979865.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p3979865.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p3979865.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p3979865.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p3979865.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\7d1f6eeb31bd2e40692c777766b604a0bf50848518f5c931a53d7c48b988e8ef.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8289349.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p3979865.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p3979865.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p3979865.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\7d1f6eeb31bd2e40692c777766b604a0bf50848518f5c931a53d7c48b988e8ef.exe

"C:\Users\Admin\AppData\Local\Temp\7d1f6eeb31bd2e40692c777766b604a0bf50848518f5c931a53d7c48b988e8ef.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8289349.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8289349.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p3979865.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p3979865.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r2995492.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r2995492.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
NL 23.62.61.160:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 160.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
NL 23.62.61.160:443 www.bing.com tcp
FI 77.91.68.68:19071 tcp
FI 77.91.68.68:19071 tcp
FI 77.91.68.68:19071 tcp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
FI 77.91.68.68:19071 tcp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
FI 77.91.68.68:19071 tcp
FI 77.91.68.68:19071 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8289349.exe

MD5 9083e6401030e1b4b0840f3075ef1e1d
SHA1 78760243052a3d9da2a9576884c4f77a914dfd37
SHA256 da5de5537c6dc1c6548195f6c6706a32f115855f8f00dda604b989a71a4e4ea3
SHA512 ab7846f6a9edecd99de8df4bee91268773e748b87ba41d96aee2a0c6a492392f3880f5db08713963454ecad7d642874a3100e35a51974650dab15e29e96a7c0b

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p3979865.exe

MD5 89e1ac4194ecfd74e1b15b011996075f
SHA1 61173306273de11f4f2aa7812d8297df0cdce5a1
SHA256 660993641635573a5b0a0cb175e536c95532215a375b1609a3062e3998ab2ab1
SHA512 82654ec550be53c9c9cea69fdf578bb6b79eb1c41b8ad59153ee68a4e314fbd6386992504617457cd347b0f278a1dac472466dd8952de7cdcaf57c8d0f88b6c6

memory/3412-14-0x0000000000D40000-0x0000000000D4A000-memory.dmp

memory/3412-15-0x00007FFE245E3000-0x00007FFE245E5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r2995492.exe

MD5 72e51378e2c8b046f2fb05bb2c37c929
SHA1 1825f3057d33f09984909fdcf3ed7e1feecff7f1
SHA256 f2b31dda24613389d1e0cb1d6a6c7e0c6c740351b01402a59825e59ed397f081
SHA512 1f5b158265908118a9912a28f3f144d799cae8930db8d76fa289e38b6ec9ae23dff072dbc3407afcad26cf896df504342102aea14e7d0a5b2740b024e977c04a

memory/4560-20-0x0000000000FA0000-0x0000000000FD0000-memory.dmp

memory/4560-21-0x0000000003530000-0x0000000003536000-memory.dmp

memory/4560-22-0x000000000B420000-0x000000000BA38000-memory.dmp

memory/4560-23-0x000000000AF50000-0x000000000B05A000-memory.dmp

memory/4560-24-0x000000000AE90000-0x000000000AEA2000-memory.dmp

memory/4560-25-0x000000000AEF0000-0x000000000AF2C000-memory.dmp

memory/4560-26-0x00000000033A0000-0x00000000033EC000-memory.dmp

Analysis: behavioral17

Detonation Overview

Submitted

2024-05-10 13:06

Reported

2024-05-10 13:09

Platform

win10v2004-20240508-en

Max time kernel

148s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bd2cad400370a1839dedfee01ba51651868baedcef41cd34976bcfc1a2ccbf26.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\bd2cad400370a1839dedfee01ba51651868baedcef41cd34976bcfc1a2ccbf26.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9136604.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7678896.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0633454.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2852 wrote to memory of 3544 N/A C:\Users\Admin\AppData\Local\Temp\bd2cad400370a1839dedfee01ba51651868baedcef41cd34976bcfc1a2ccbf26.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9136604.exe
PID 2852 wrote to memory of 3544 N/A C:\Users\Admin\AppData\Local\Temp\bd2cad400370a1839dedfee01ba51651868baedcef41cd34976bcfc1a2ccbf26.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9136604.exe
PID 2852 wrote to memory of 3544 N/A C:\Users\Admin\AppData\Local\Temp\bd2cad400370a1839dedfee01ba51651868baedcef41cd34976bcfc1a2ccbf26.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9136604.exe
PID 3544 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9136604.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7678896.exe
PID 3544 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9136604.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7678896.exe
PID 3544 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9136604.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7678896.exe
PID 2400 wrote to memory of 2328 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7678896.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0633454.exe
PID 2400 wrote to memory of 2328 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7678896.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0633454.exe
PID 2400 wrote to memory of 2328 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7678896.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0633454.exe
PID 2328 wrote to memory of 4932 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0633454.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a9751033.exe
PID 2328 wrote to memory of 4932 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0633454.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a9751033.exe
PID 2328 wrote to memory of 4932 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0633454.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a9751033.exe
PID 4932 wrote to memory of 604 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a9751033.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4932 wrote to memory of 604 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a9751033.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4932 wrote to memory of 604 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a9751033.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4932 wrote to memory of 604 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a9751033.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4932 wrote to memory of 604 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a9751033.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2328 wrote to memory of 1828 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0633454.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b2585981.exe
PID 2328 wrote to memory of 1828 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0633454.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b2585981.exe
PID 2328 wrote to memory of 1828 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0633454.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b2585981.exe
PID 1828 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b2585981.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1828 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b2585981.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1828 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b2585981.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1828 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b2585981.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1828 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b2585981.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2400 wrote to memory of 3096 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7678896.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c2700905.exe
PID 2400 wrote to memory of 3096 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7678896.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c2700905.exe
PID 2400 wrote to memory of 3096 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7678896.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c2700905.exe

Processes

C:\Users\Admin\AppData\Local\Temp\bd2cad400370a1839dedfee01ba51651868baedcef41cd34976bcfc1a2ccbf26.exe

"C:\Users\Admin\AppData\Local\Temp\bd2cad400370a1839dedfee01ba51651868baedcef41cd34976bcfc1a2ccbf26.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9136604.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9136604.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7678896.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7678896.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0633454.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0633454.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a9751033.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a9751033.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4932 -ip 4932

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4932 -s 152

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b2585981.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b2585981.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 372 -p 1828 -ip 1828

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1828 -s 220

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c2700905.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c2700905.exe

Network

Country Destination Domain Proto
RU 83.97.73.129:19068 tcp
RU 83.97.73.129:19068 tcp
RU 83.97.73.129:19068 tcp
RU 83.97.73.129:19068 tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 142.53.16.96.in-addr.arpa udp
RU 83.97.73.129:19068 tcp
RU 83.97.73.129:19068 tcp
RU 83.97.73.129:19068 tcp
RU 83.97.73.129:19068 tcp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
RU 83.97.73.129:19068 tcp
RU 83.97.73.129:19068 tcp
RU 83.97.73.129:19068 tcp
RU 83.97.73.129:19068 tcp
US 8.8.8.8:53 123.10.44.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9136604.exe

MD5 33ff5c1b7ad2169df36e814a2d691161
SHA1 e80f0be76be35b9997ecfa24a8efc30748552cbe
SHA256 000643ece079f96ed416c42e9dec2e3a647599f99950c60349c52e36cb724e88
SHA512 216ceb4f2a265aae0b413964c91da9f4f4f45baabe4ed952da89dc8089932472aeecb7ae2fb42408dfcfc8ae575d3d0b99cd89f55620946b155a41dee6019bd3

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7678896.exe

MD5 a76aada563b5fff5cf81824d40e87c25
SHA1 b6c50c7d69b765a396e3995642cd3c82ed9eb370
SHA256 f25337a343c26cdecd99eb7f095938fd24fb233463a8af3fa69acc5201eed956
SHA512 093e3da142ee67a4da1c8f352460e5d90e9565ec60855285a19eb6e2c2f85d8b8ec22e0b5f46194222954ffeb19e1a8451f9d364c8869f1ef8050decc7154a56

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0633454.exe

MD5 7df1e56d4c1a1612ee126463fcf8ceb4
SHA1 774ab26898cfa2ace41b0d5fa53538d318e0fa57
SHA256 a62a548ffb1dcb9166d2336968bea9011a44039f391a1a7ef70364f4a0e131a0
SHA512 a84427f66c991496b014e82a1e52a969da9b627d6dfebdb93b74acdda4907df02b7b7d17b25cb732999e4a01e7f6e327be630b93b6dd6c55ed78e3d920ccae15

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a9751033.exe

MD5 c0e3f771bcbb789d734e7d3e1b1f4e65
SHA1 02e6e5e508188955181ac98bb1b9c414d2c1aa9e
SHA256 53b6f1fa7f2466210d99ea5bba427014f08b5656339d05d1dc0d120b7c6a3b02
SHA512 c983b76772a50aece42107a39c828abfa768fc33c8865df73de57e1beca2919e8cc7b8afe1d5ae3e7556273519e311d5e49ed6d52eaf895c3c3d7c34608d2118

memory/604-28-0x0000000000400000-0x0000000000430000-memory.dmp

memory/604-33-0x00000000029E0000-0x00000000029E6000-memory.dmp

memory/604-34-0x0000000005730000-0x0000000005D48000-memory.dmp

memory/604-35-0x0000000005220000-0x000000000532A000-memory.dmp

memory/604-36-0x0000000004FD0000-0x0000000004FE2000-memory.dmp

memory/604-37-0x0000000005150000-0x000000000518C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b2585981.exe

MD5 cd5a529d645436b72dc72ebc19950ef3
SHA1 5f571b5fce5b5e210e812e28dad02b80bb1f5d80
SHA256 887d08bb7735494fa22a46935055d0c2d612f70e97ecdd07bccf427d8e49efa3
SHA512 b314a9d61340e1cafd67aef45b5151721a6100ca0f7d6ec787e4fc4d83d1cdb571cfafcd1cc1cee681f3016bfb3fc8074681633607221711163e7da2c2e6b123

memory/604-40-0x0000000005190000-0x00000000051DC000-memory.dmp

memory/1936-42-0x0000000000190000-0x000000000019A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c2700905.exe

MD5 3722a3e958832f918370e3491d62d642
SHA1 86d28aa415f98a3ffa95279b4ac521e96ab8131a
SHA256 fc953ae5ccb8716ad6fa4b015596e010272dc5095fb5cf36fc1fe1ac7ca39db9
SHA512 510caffa854da75b5cef2b52ef61dee6670fc684c090911b9bf51678c68144e3f83a2ca2b43364abd0619c6742c03b9f68f29f91d6bb6259c49fc2b8bbaeb791

memory/3096-50-0x0000000000500000-0x0000000000530000-memory.dmp

memory/3096-51-0x0000000000E00000-0x0000000000E06000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-05-10 13:06

Reported

2024-05-10 13:09

Platform

win10v2004-20240426-en

Max time kernel

142s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1ec8ce9ace042665b07a0abc5b206634b1417b5f2a4a00b4554147d518832396.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a2651355.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a2651355.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a2651355.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7896309.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7896309.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7896309.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a2651355.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a2651355.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a2651355.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7896309.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7896309.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7896309.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a2651355.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a2651355.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7896309.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\1ec8ce9ace042665b07a0abc5b206634b1417b5f2a4a00b4554147d518832396.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6210097.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9238337.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3931201.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a2651355.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7896309.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2500 wrote to memory of 940 N/A C:\Users\Admin\AppData\Local\Temp\1ec8ce9ace042665b07a0abc5b206634b1417b5f2a4a00b4554147d518832396.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6210097.exe
PID 2500 wrote to memory of 940 N/A C:\Users\Admin\AppData\Local\Temp\1ec8ce9ace042665b07a0abc5b206634b1417b5f2a4a00b4554147d518832396.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6210097.exe
PID 2500 wrote to memory of 940 N/A C:\Users\Admin\AppData\Local\Temp\1ec8ce9ace042665b07a0abc5b206634b1417b5f2a4a00b4554147d518832396.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6210097.exe
PID 940 wrote to memory of 1552 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6210097.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9238337.exe
PID 940 wrote to memory of 1552 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6210097.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9238337.exe
PID 940 wrote to memory of 1552 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6210097.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9238337.exe
PID 1552 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9238337.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3931201.exe
PID 1552 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9238337.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3931201.exe
PID 1552 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9238337.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3931201.exe
PID 1200 wrote to memory of 3572 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3931201.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a2651355.exe
PID 1200 wrote to memory of 3572 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3931201.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a2651355.exe
PID 1200 wrote to memory of 3572 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3931201.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a2651355.exe
PID 1200 wrote to memory of 3600 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3931201.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7896309.exe
PID 1200 wrote to memory of 3600 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3931201.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7896309.exe
PID 1552 wrote to memory of 3744 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9238337.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c4075312.exe
PID 1552 wrote to memory of 3744 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9238337.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c4075312.exe
PID 1552 wrote to memory of 3744 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9238337.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c4075312.exe

Processes

C:\Users\Admin\AppData\Local\Temp\1ec8ce9ace042665b07a0abc5b206634b1417b5f2a4a00b4554147d518832396.exe

"C:\Users\Admin\AppData\Local\Temp\1ec8ce9ace042665b07a0abc5b206634b1417b5f2a4a00b4554147d518832396.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6210097.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6210097.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9238337.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9238337.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3931201.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3931201.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a2651355.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a2651355.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7896309.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7896309.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c4075312.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c4075312.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.99:443 www.bing.com tcp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 99.61.62.23.in-addr.arpa udp
NL 23.62.61.99:443 www.bing.com tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
FI 77.91.68.56:19071 tcp
FI 77.91.68.56:19071 tcp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp
FI 77.91.68.56:19071 tcp
FI 77.91.68.56:19071 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
FI 77.91.68.56:19071 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6210097.exe

MD5 e4759911e541d7a543ea033b0928ddf4
SHA1 e39c427a6cf47b16cddabfd2c7fb00038e1dbe1f
SHA256 f8dfa98c4e38deff7955c243f9db7b01692e43c0997eca9e5e141cc565cf05be
SHA512 7760d634d8a8b0a2e2c9847c4c367589607de2d7ac43112830289dbf3585902dd0f824ebfcab04040f701afa6b86884824aed2f032e6c09714ac8575b7bf9e42

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9238337.exe

MD5 f4f787db36502a2e05f39da6a313e914
SHA1 4f842c75ce854d86420f9790c47c81bdcecd7c5d
SHA256 3df74027fece0dd6e6c9f46260e3c886ecbcfd4dce43ac64a90f1211d78fe588
SHA512 0728509f9668750a075e73175e48f90625f5e62ef3d1e95641d654d43f749dacb1012110c6e445aa64308a64b0d23c447041ab0ec994300a6b06a1091523d52b

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3931201.exe

MD5 a11dbc01603450452854f17aa7ea1eef
SHA1 18436f7c4a7a4477c0baa93ddc108babce9491bf
SHA256 2d2e176ff101b33e0adec2558415b76c1425ba9502c4b652c64b4751dd11181c
SHA512 1ac3b35ac7b8742c8eded217595f30ae25eff216409bddd3cc18809ff6e5d873c7feae6e1e3501dc02bebe2205f9f9e8db9718c76315b679ca8ce73aca2135bf

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a2651355.exe

MD5 175e3db636d9fd541cc11991815ea662
SHA1 c5e30c78f298c1aa26768bc036795e19ed7e60d7
SHA256 c39106a3520b59f859a00bc0014f6b5a4846b40742a925b66283b31e62094c4e
SHA512 06b1bc8a9746e8dfd1a4d72e98b8b76a1f543ae0c72c9e0233dce81451d7521f586da373e69459170a8d9442da4883f8247cfb9714227744c765c892583ac5c9

memory/3572-28-0x0000000000560000-0x000000000059E000-memory.dmp

memory/3572-34-0x0000000000560000-0x000000000059E000-memory.dmp

memory/3572-35-0x00000000044B0000-0x00000000044B1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7896309.exe

MD5 06d9b8f9236b959006976da775fea5e7
SHA1 46d5c5e6a3e7de6138cd764509a6754ce24d9484
SHA256 77353ead4144432dfd0e8fc833c458c8b88fb5d6bf7c9818ac430be40983b7f5
SHA512 ec0c6135f2b39d70cb35bd713d5fd9a0876055b46584f3535067f0f162be149024770c990e61ee041eabe5d3daf53aac49e747bb96189c3fa17346774a5edc6d

memory/3600-41-0x0000000000C30000-0x0000000000C3A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c4075312.exe

MD5 dd10174f7fa3d017558c8310bf07d851
SHA1 08d795a3d2334906da989e46a7e57d4ba9aa9f41
SHA256 cd9de412cda28c677351594338bc352dbcafb8652328624f624263b71bac3604
SHA512 a714e8babdc8d8a0a9f8e6ef6430d4f1cde70d3d80a902a1e247eb93bdf76e91fa89c4132708e0c632469b725c625ae65e30a908f02018f10b23460a02ec9d05

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\System.dll.log

MD5 916851e072fbabc4796d8916c5131092
SHA1 d48a602229a690c512d5fdaf4c8d77547a88e7a2
SHA256 7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d
SHA512 07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

memory/3744-47-0x0000000001F60000-0x0000000001FEC000-memory.dmp

memory/3744-53-0x0000000001F60000-0x0000000001FEC000-memory.dmp

memory/3744-55-0x0000000004520000-0x0000000004526000-memory.dmp

memory/3744-56-0x0000000005E20000-0x0000000006438000-memory.dmp

memory/3744-57-0x0000000006460000-0x000000000656A000-memory.dmp

memory/3744-58-0x0000000006590000-0x00000000065A2000-memory.dmp

memory/3744-59-0x00000000065B0000-0x00000000065EC000-memory.dmp

memory/3744-60-0x0000000006620000-0x000000000666C000-memory.dmp

Analysis: behavioral5

Detonation Overview

Submitted

2024-05-10 13:06

Reported

2024-05-10 13:09

Platform

win7-20240221-en

Max time kernel

120s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\28e73a10869c3ce55af51de963cb8f48eac48b8f171602308b167d940e58899a.exe"

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\28e73a10869c3ce55af51de963cb8f48eac48b8f171602308b167d940e58899a.exe

"C:\Users\Admin\AppData\Local\Temp\28e73a10869c3ce55af51de963cb8f48eac48b8f171602308b167d940e58899a.exe"

Network

N/A

Files

memory/3008-0-0x000000013FCB0000-0x000000014513F000-memory.dmp

memory/3008-1-0x000000013FCB0000-0x000000014513F000-memory.dmp

memory/3008-2-0x000000013FCB0000-0x000000014513F000-memory.dmp

Analysis: behavioral16

Detonation Overview

Submitted

2024-05-10 13:06

Reported

2024-05-10 13:09

Platform

win10v2004-20240508-en

Max time kernel

142s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\85555569bb7d45d357512a0eafac484c22aee485efcb08f16f10d5cba19ad94d.exe"

Signatures

Amadey

trojan amadey

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k5872437.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k5872437.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k5872437.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k5872437.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k5872437.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k5872437.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l4083166.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k5872437.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\85555569bb7d45d357512a0eafac484c22aee485efcb08f16f10d5cba19ad94d.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2724090.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k5872437.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k5872437.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k5872437.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 212 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\85555569bb7d45d357512a0eafac484c22aee485efcb08f16f10d5cba19ad94d.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2724090.exe
PID 212 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\85555569bb7d45d357512a0eafac484c22aee485efcb08f16f10d5cba19ad94d.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2724090.exe
PID 212 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\85555569bb7d45d357512a0eafac484c22aee485efcb08f16f10d5cba19ad94d.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2724090.exe
PID 1944 wrote to memory of 4572 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2724090.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k5872437.exe
PID 1944 wrote to memory of 4572 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2724090.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k5872437.exe
PID 1944 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2724090.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l4083166.exe
PID 1944 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2724090.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l4083166.exe
PID 1944 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2724090.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l4083166.exe
PID 2824 wrote to memory of 1760 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l4083166.exe C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
PID 2824 wrote to memory of 1760 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l4083166.exe C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
PID 2824 wrote to memory of 1760 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l4083166.exe C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
PID 212 wrote to memory of 4664 N/A C:\Users\Admin\AppData\Local\Temp\85555569bb7d45d357512a0eafac484c22aee485efcb08f16f10d5cba19ad94d.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n8526226.exe
PID 212 wrote to memory of 4664 N/A C:\Users\Admin\AppData\Local\Temp\85555569bb7d45d357512a0eafac484c22aee485efcb08f16f10d5cba19ad94d.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n8526226.exe
PID 212 wrote to memory of 4664 N/A C:\Users\Admin\AppData\Local\Temp\85555569bb7d45d357512a0eafac484c22aee485efcb08f16f10d5cba19ad94d.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n8526226.exe
PID 1760 wrote to memory of 1524 N/A C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe C:\Windows\SysWOW64\schtasks.exe
PID 1760 wrote to memory of 1524 N/A C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe C:\Windows\SysWOW64\schtasks.exe
PID 1760 wrote to memory of 1524 N/A C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe C:\Windows\SysWOW64\schtasks.exe
PID 1760 wrote to memory of 692 N/A C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe C:\Windows\SysWOW64\cmd.exe
PID 1760 wrote to memory of 692 N/A C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe C:\Windows\SysWOW64\cmd.exe
PID 1760 wrote to memory of 692 N/A C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe C:\Windows\SysWOW64\cmd.exe
PID 692 wrote to memory of 3668 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 692 wrote to memory of 3668 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 692 wrote to memory of 3668 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 692 wrote to memory of 2492 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 692 wrote to memory of 2492 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 692 wrote to memory of 2492 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 692 wrote to memory of 3328 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 692 wrote to memory of 3328 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 692 wrote to memory of 3328 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 692 wrote to memory of 4124 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 692 wrote to memory of 4124 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 692 wrote to memory of 4124 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 692 wrote to memory of 740 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 692 wrote to memory of 740 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 692 wrote to memory of 740 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 692 wrote to memory of 4440 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 692 wrote to memory of 4440 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 692 wrote to memory of 4440 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe

Processes

C:\Users\Admin\AppData\Local\Temp\85555569bb7d45d357512a0eafac484c22aee485efcb08f16f10d5cba19ad94d.exe

"C:\Users\Admin\AppData\Local\Temp\85555569bb7d45d357512a0eafac484c22aee485efcb08f16f10d5cba19ad94d.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2724090.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2724090.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k5872437.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k5872437.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l4083166.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l4083166.exe

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

"C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n8526226.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n8526226.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN pdates.exe /TR "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "pdates.exe" /P "Admin:N"&&CACLS "pdates.exe" /P "Admin:R" /E&&echo Y|CACLS "..\925e7e99c5" /P "Admin:N"&&CACLS "..\925e7e99c5" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "pdates.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "pdates.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\925e7e99c5" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\925e7e99c5" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
FI 77.91.68.61:80 tcp
FI 77.91.124.84:19071 tcp
NL 23.62.61.129:443 www.bing.com tcp
US 8.8.8.8:53 129.61.62.23.in-addr.arpa udp
FI 77.91.124.84:19071 tcp
FI 77.91.68.61:80 tcp
FI 77.91.124.84:19071 tcp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
FI 77.91.68.61:80 tcp
FI 77.91.124.84:19071 tcp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
FI 77.91.124.84:19071 tcp
FI 77.91.124.84:19071 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2724090.exe

MD5 0fd858e561daf18d4cb383f1bbf687d7
SHA1 da276099ee2552b10cc2affe4fece902f054533f
SHA256 cb7f680c38feae6598560f81f37e6beadb1f80ac8dd54afb2e70a93bbb5a7b27
SHA512 94acb0728a163727176d85508383a52a0f32c12e22e92aa2373fcc936ea6a07270f1deda67884ac8f828819af76eb7e5c1473af135d8b76dfd9dd6fb1eea04e5

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k5872437.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

memory/4572-14-0x00007FFC0A533000-0x00007FFC0A535000-memory.dmp

memory/4572-15-0x00000000005B0000-0x00000000005BA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l4083166.exe

MD5 aea234064483f651010cf9d981f59fea
SHA1 002ad73a666d2d92d0c6d6b617e61c6fa0c5f3a6
SHA256 58b02c8b4bc2bf7f5f1e8e45d7c206956f188ae56b648922ca75987b999db503
SHA512 eae415ef55aeb1b4548c2422a72e618fce17c2c1322918d33dc6b9202a01c743a5684ba28e5d83b6cdb2b703bc12569e6bb0e87ef2decb4e8a18592e1380a434

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n8526226.exe

MD5 c15ffea057fa3a082ec7d315ef8977dd
SHA1 a8bb3971124751d94fa313ec94a774730c1f849d
SHA256 c709ef60b27f90806ff5f1b4ebdd82dd1607a6514b60867f9543ee60c2759ba0
SHA512 5e043852ae1fd34c94c0b1c014fc68dfe675252041e1b30b63bb54fe19fe43aac9d9f03504b35da57c86b37bd9e572e623df9f7be5fbdc97e305dd70366cabc7

memory/4664-33-0x0000000000A30000-0x0000000000A60000-memory.dmp

memory/4664-34-0x0000000002D80000-0x0000000002D86000-memory.dmp

memory/4664-35-0x00000000059D0000-0x0000000005FE8000-memory.dmp

memory/4664-36-0x00000000054C0000-0x00000000055CA000-memory.dmp

memory/4664-37-0x00000000053D0000-0x00000000053E2000-memory.dmp

memory/4664-38-0x0000000005430000-0x000000000546C000-memory.dmp

memory/4664-39-0x0000000005470000-0x00000000054BC000-memory.dmp

Analysis: behavioral18

Detonation Overview

Submitted

2024-05-10 13:06

Reported

2024-05-10 13:09

Platform

win10v2004-20240226-en

Max time kernel

146s

Max time network

163s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c429566ed481fe562466b6e87d2cfe6fc492efeb3007819b63dd4cf45594d639.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a9236674.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a9236674.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a9236674.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a9236674.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a9236674.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a9236674.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a9236674.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\b3995746.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a9236674.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a9236674.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\c429566ed481fe562466b6e87d2cfe6fc492efeb3007819b63dd4cf45594d639.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a9236674.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a9236674.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a9236674.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\c429566ed481fe562466b6e87d2cfe6fc492efeb3007819b63dd4cf45594d639.exe

"C:\Users\Admin\AppData\Local\Temp\c429566ed481fe562466b6e87d2cfe6fc492efeb3007819b63dd4cf45594d639.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a9236674.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a9236674.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\b3995746.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\b3995746.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3840 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 159.113.53.23.in-addr.arpa udp
US 13.107.253.64:443 tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 142.53.16.96.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
DE 217.196.96.101:4132 tcp
US 8.8.8.8:53 91.16.208.104.in-addr.arpa udp
DE 217.196.96.101:4132 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a9236674.exe

MD5 9d6a6a164c9371fe63996d4ee60608df
SHA1 acc572756616ba0cdd302803ade94f4d6f1c447e
SHA256 b80f9eb78c1bc9d2e6abcb79000108ca6ca2700ee20d4c1d9e221d30813383e0
SHA512 c56e4df370b0d536176c362c49f9664f4a5f49b35034e4cc1c70459bfde95fb3d8ae044b7014323fbc20210313a1f489a42f5ad15957529c6446af93ce17bebf

memory/1676-7-0x0000000073CCE000-0x0000000073CCF000-memory.dmp

memory/1676-8-0x0000000002360000-0x000000000237A000-memory.dmp

memory/1676-9-0x0000000073CC0000-0x0000000074470000-memory.dmp

memory/1676-10-0x0000000073CC0000-0x0000000074470000-memory.dmp

memory/1676-11-0x0000000073CC0000-0x0000000074470000-memory.dmp

memory/1676-12-0x0000000004A70000-0x0000000005014000-memory.dmp

memory/1676-13-0x0000000004980000-0x0000000004998000-memory.dmp

memory/1676-15-0x0000000004980000-0x0000000004992000-memory.dmp

memory/1676-17-0x0000000004980000-0x0000000004992000-memory.dmp

memory/1676-39-0x0000000004980000-0x0000000004992000-memory.dmp

memory/1676-35-0x0000000004980000-0x0000000004992000-memory.dmp

memory/1676-33-0x0000000004980000-0x0000000004992000-memory.dmp

memory/1676-31-0x0000000004980000-0x0000000004992000-memory.dmp

memory/1676-29-0x0000000004980000-0x0000000004992000-memory.dmp

memory/1676-27-0x0000000004980000-0x0000000004992000-memory.dmp

memory/1676-26-0x0000000004980000-0x0000000004992000-memory.dmp

memory/1676-41-0x0000000004980000-0x0000000004992000-memory.dmp

memory/1676-23-0x0000000004980000-0x0000000004992000-memory.dmp

memory/1676-22-0x0000000004980000-0x0000000004992000-memory.dmp

memory/1676-37-0x0000000004980000-0x0000000004992000-memory.dmp

memory/1676-19-0x0000000004980000-0x0000000004992000-memory.dmp

memory/1676-14-0x0000000004980000-0x0000000004992000-memory.dmp

memory/1676-43-0x0000000073CC0000-0x0000000074470000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\b3995746.exe

MD5 72d543112c67db99263bdcdb053c5200
SHA1 5ed8046e303358157f833bfb8bcb42966f3ab14d
SHA256 c7a850a137dec0ca9e361fde39aacb695d98e1165eb401929fbbff687950e0c5
SHA512 32e8967b5136d9799fd0de5c324c075dbd5ba3a5506ee0fb9d070a249e3a52b4a18db04d1cc71517fbecb44897cf6a3dc76d4fa175dd54973ecefd6ad99c7a7e

memory/1076-47-0x0000000000610000-0x0000000000640000-memory.dmp

memory/1076-49-0x0000000000E20000-0x0000000000E26000-memory.dmp

memory/1076-48-0x0000000073C70000-0x0000000073D1B000-memory.dmp

memory/1076-50-0x000000000A900000-0x000000000AF18000-memory.dmp

memory/1076-51-0x000000000A3F0000-0x000000000A4FA000-memory.dmp

memory/1076-52-0x0000000004EF0000-0x0000000004F02000-memory.dmp

memory/1076-53-0x0000000073C70000-0x0000000073D1B000-memory.dmp

memory/1076-54-0x000000000A680000-0x000000000A6BC000-memory.dmp

memory/1076-55-0x0000000073C70000-0x0000000073D1B000-memory.dmp

memory/1076-56-0x000000000A6C0000-0x000000000A70C000-memory.dmp

Analysis: behavioral20

Detonation Overview

Submitted

2024-05-10 13:06

Reported

2024-05-10 13:09

Platform

win10v2004-20240426-en

Max time kernel

132s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ce9f75c073171b1315c869b550348e6d8c48a986b262a068b33f0833b7a24716.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\ce9f75c073171b1315c869b550348e6d8c48a986b262a068b33f0833b7a24716.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6497315.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5100 wrote to memory of 4696 N/A C:\Users\Admin\AppData\Local\Temp\ce9f75c073171b1315c869b550348e6d8c48a986b262a068b33f0833b7a24716.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6497315.exe
PID 5100 wrote to memory of 4696 N/A C:\Users\Admin\AppData\Local\Temp\ce9f75c073171b1315c869b550348e6d8c48a986b262a068b33f0833b7a24716.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6497315.exe
PID 5100 wrote to memory of 4696 N/A C:\Users\Admin\AppData\Local\Temp\ce9f75c073171b1315c869b550348e6d8c48a986b262a068b33f0833b7a24716.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6497315.exe
PID 4696 wrote to memory of 4056 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6497315.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0077088.exe
PID 4696 wrote to memory of 4056 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6497315.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0077088.exe
PID 4696 wrote to memory of 4056 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6497315.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0077088.exe
PID 4696 wrote to memory of 4544 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6497315.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l7490768.exe
PID 4696 wrote to memory of 4544 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6497315.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l7490768.exe
PID 4696 wrote to memory of 4544 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6497315.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l7490768.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ce9f75c073171b1315c869b550348e6d8c48a986b262a068b33f0833b7a24716.exe

"C:\Users\Admin\AppData\Local\Temp\ce9f75c073171b1315c869b550348e6d8c48a986b262a068b33f0833b7a24716.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6497315.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6497315.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0077088.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0077088.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4056 -ip 4056

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4056 -s 136

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l7490768.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l7490768.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 204.79.197.237:443 g.bing.com tcp
FI 77.91.68.48:19071 tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
NL 23.62.61.129:443 www.bing.com tcp
US 8.8.8.8:53 129.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
NL 23.62.61.129:443 www.bing.com tcp
FI 77.91.68.48:19071 tcp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 142.53.16.96.in-addr.arpa udp
FI 77.91.68.48:19071 tcp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
FI 77.91.68.48:19071 tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
FI 77.91.68.48:19071 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 13.107.21.200:443 tse1.mm.bing.net tcp
US 13.107.21.200:443 tse1.mm.bing.net tcp
US 13.107.21.200:443 tse1.mm.bing.net tcp
US 13.107.21.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.21.107.13.in-addr.arpa udp
FI 77.91.68.48:19071 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6497315.exe

MD5 347fa3300c887f6ed7b1a13377bb28bd
SHA1 f7290c370763737aa41f0bc92d66b2423647815c
SHA256 8ecc876c0ce1dc9774cb4ee93fbcd638c9182cd5c33e4a7aee74bbc39bd75cc4
SHA512 e17a78db324fd6bd80872c92fd6c03f0308b20c256d9a42cec304f21f13df2f0c6069ba95998d525e39b6e99040d07baaabf60015ab4ff88344e5d222c0cc341

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0077088.exe

MD5 3afbc821636e1e7951821231f0cdc4bc
SHA1 d962f7454a83bdeb81b16476055773c65090c068
SHA256 b05287fda0d66708df3d5a927caeb62a87e8809fb992871a5615a3c62ce1eeff
SHA512 4b74ca6740b4a8cf7d6bf4a54e64cbf564f42443d4b23d824feb661a8945a7a1a08fb6428afb8a8af7646607b5edc1af9d4c7aea8aac341965dbbf220db86eba

memory/4056-14-0x0000000000401000-0x0000000000402000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l7490768.exe

MD5 ed78531c3da44f95b5e5f7aa280bf586
SHA1 a9e403fcbf3a8020cb51d8f3a406c74775936c2d
SHA256 d996d9ed8e0931fe6f414b91b0d4f52fc6b80a8493829f63fdd44cbf9afea60e
SHA512 7649d4ceb7cf0771ed8905dbff16e74b117b0ced16f94026d457a6534a10f39c91da18bd986fd66ded33d9c2c4ef501e7c895760418b39361089f196bbdb6970

memory/4544-18-0x0000000000400000-0x000000000043A000-memory.dmp

memory/4544-19-0x0000000000510000-0x0000000000540000-memory.dmp

memory/4544-23-0x0000000002710000-0x0000000002716000-memory.dmp

memory/4544-24-0x000000000A010000-0x000000000A628000-memory.dmp

memory/4544-25-0x000000000A640000-0x000000000A74A000-memory.dmp

memory/4544-26-0x000000000A780000-0x000000000A792000-memory.dmp

memory/4544-27-0x000000000A7A0000-0x000000000A7DC000-memory.dmp

memory/4544-28-0x0000000002570000-0x00000000025BC000-memory.dmp

Analysis: behavioral22

Detonation Overview

Submitted

2024-05-10 13:06

Reported

2024-05-10 13:09

Platform

win10v2004-20240508-en

Max time kernel

148s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\eb81f341bc6cd2678bd7559862571f5294b6980de5199672afa03b21de0a4dda.exe"

Signatures

Amadey

trojan amadey

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8749467.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8749467.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8749467.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b1637171.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b1637171.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b1637171.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8749467.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8749467.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b1637171.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b1637171.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b1637171.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8749467.exe N/A

SmokeLoader

trojan backdoor smokeloader

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d6555583.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8749467.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8749467.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b1637171.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\eb81f341bc6cd2678bd7559862571f5294b6980de5199672afa03b21de0a4dda.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4912672.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2606131.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7242091.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e8333830.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e8333830.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e8333830.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8749467.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b1637171.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4608 wrote to memory of 3284 N/A C:\Users\Admin\AppData\Local\Temp\eb81f341bc6cd2678bd7559862571f5294b6980de5199672afa03b21de0a4dda.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4912672.exe
PID 4608 wrote to memory of 3284 N/A C:\Users\Admin\AppData\Local\Temp\eb81f341bc6cd2678bd7559862571f5294b6980de5199672afa03b21de0a4dda.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4912672.exe
PID 4608 wrote to memory of 3284 N/A C:\Users\Admin\AppData\Local\Temp\eb81f341bc6cd2678bd7559862571f5294b6980de5199672afa03b21de0a4dda.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4912672.exe
PID 3284 wrote to memory of 3604 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4912672.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2606131.exe
PID 3284 wrote to memory of 3604 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4912672.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2606131.exe
PID 3284 wrote to memory of 3604 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4912672.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2606131.exe
PID 3604 wrote to memory of 3512 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2606131.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7242091.exe
PID 3604 wrote to memory of 3512 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2606131.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7242091.exe
PID 3604 wrote to memory of 3512 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2606131.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7242091.exe
PID 3512 wrote to memory of 3136 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7242091.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8749467.exe
PID 3512 wrote to memory of 3136 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7242091.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8749467.exe
PID 3512 wrote to memory of 3136 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7242091.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8749467.exe
PID 3512 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7242091.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b1637171.exe
PID 3512 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7242091.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b1637171.exe
PID 3604 wrote to memory of 868 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2606131.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c0323673.exe
PID 3604 wrote to memory of 868 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2606131.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c0323673.exe
PID 3604 wrote to memory of 868 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2606131.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c0323673.exe
PID 3284 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4912672.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d6555583.exe
PID 3284 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4912672.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d6555583.exe
PID 3284 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4912672.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d6555583.exe
PID 1904 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d6555583.exe C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
PID 1904 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d6555583.exe C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
PID 1904 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d6555583.exe C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
PID 4608 wrote to memory of 4784 N/A C:\Users\Admin\AppData\Local\Temp\eb81f341bc6cd2678bd7559862571f5294b6980de5199672afa03b21de0a4dda.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e8333830.exe
PID 4608 wrote to memory of 4784 N/A C:\Users\Admin\AppData\Local\Temp\eb81f341bc6cd2678bd7559862571f5294b6980de5199672afa03b21de0a4dda.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e8333830.exe
PID 4608 wrote to memory of 4784 N/A C:\Users\Admin\AppData\Local\Temp\eb81f341bc6cd2678bd7559862571f5294b6980de5199672afa03b21de0a4dda.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e8333830.exe
PID 1896 wrote to memory of 644 N/A C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe C:\Windows\SysWOW64\schtasks.exe
PID 1896 wrote to memory of 644 N/A C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe C:\Windows\SysWOW64\schtasks.exe
PID 1896 wrote to memory of 644 N/A C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe C:\Windows\SysWOW64\schtasks.exe
PID 1896 wrote to memory of 4676 N/A C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe C:\Windows\SysWOW64\cmd.exe
PID 1896 wrote to memory of 4676 N/A C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe C:\Windows\SysWOW64\cmd.exe
PID 1896 wrote to memory of 4676 N/A C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe C:\Windows\SysWOW64\cmd.exe
PID 4676 wrote to memory of 2340 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4676 wrote to memory of 2340 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4676 wrote to memory of 2340 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4676 wrote to memory of 4940 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4676 wrote to memory of 4940 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4676 wrote to memory of 4940 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4676 wrote to memory of 3720 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4676 wrote to memory of 3720 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4676 wrote to memory of 3720 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4676 wrote to memory of 220 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4676 wrote to memory of 220 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4676 wrote to memory of 220 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4676 wrote to memory of 4052 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4676 wrote to memory of 4052 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4676 wrote to memory of 4052 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4676 wrote to memory of 4696 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4676 wrote to memory of 4696 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4676 wrote to memory of 4696 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe

Processes

C:\Users\Admin\AppData\Local\Temp\eb81f341bc6cd2678bd7559862571f5294b6980de5199672afa03b21de0a4dda.exe

"C:\Users\Admin\AppData\Local\Temp\eb81f341bc6cd2678bd7559862571f5294b6980de5199672afa03b21de0a4dda.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4912672.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4912672.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2606131.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2606131.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7242091.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7242091.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8749467.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8749467.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b1637171.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b1637171.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c0323673.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c0323673.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 868 -ip 868

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 868 -s 136

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d6555583.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d6555583.exe

C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe

"C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e8333830.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e8333830.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN danke.exe /TR "C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "danke.exe" /P "Admin:N"&&CACLS "danke.exe" /P "Admin:R" /E&&echo Y|CACLS "..\3ec1f323b5" /P "Admin:N"&&CACLS "..\3ec1f323b5" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "danke.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "danke.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\3ec1f323b5" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\3ec1f323b5" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe

C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe

C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe

C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.155:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.129:443 www.bing.com tcp
US 8.8.8.8:53 155.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 129.61.62.23.in-addr.arpa udp
FI 77.91.68.3:80 tcp
FI 77.91.68.3:80 tcp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
FI 77.91.68.3:80 tcp
FI 77.91.68.3:80 tcp
US 8.8.8.8:53 17.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4912672.exe

MD5 6c0d47fa8a9400d2ab02c92cb939d4be
SHA1 3301818aad302ceb9ece4912db4a68ceaefbd2d2
SHA256 be062d6ab948061ae69c5b3daa74e1ba65c9d808c0d4f66ceaa4c32a49a0f524
SHA512 2f37a8ddb09aedc6fbaa9194d434f727840d9021b48cc1ab8f92d9aef7a3ddc979f721710033c6fc7d198e45325c7e6870a919e01c0a300c319ec791c9bb77fd

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2606131.exe

MD5 5a1a774a5e54a905f0f99418b14a9f67
SHA1 bb0ca35d6c19261cc71562381f7e7b0d0917f033
SHA256 5c28c68dd4dab5c823f5e985c9aad0521d701dde5bab6c6524f09ce7639e51c2
SHA512 a8c9ecc26514b6f531cb5271ca69a515abe477d833eff4d0f1fa851e0ffc9042eb58c3fd22ec066deb88bf560b352517c6ef4e50dfcdd49e96f7e8bb716e0560

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7242091.exe

MD5 4870e240aa10c59dbf3dd0b63f02401c
SHA1 73b9bbeb6e24aabe9943cd7e1ac8effcc8f16f8e
SHA256 7d5110bcc343d5026c635a3d54c76fa6675b263fb5246d05bf7bb96864a2b561
SHA512 0d8d2572b500f52ce93b35db9f5e918e306b0b2a450859da75aa42a7679d91cb5ac2ace7ac7838d7c1168fc323338104a300d1fd66d650fd03f24ac2e1731bca

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8749467.exe

MD5 ba8750c3ee2f96f8306237566e458f5b
SHA1 962ae41e251e20d254736e63bcf1ffd6827d5456
SHA256 288f9868f3b220584aa23161b5c1b671fff728ab36635ae8ce0a1721e7ef30c4
SHA512 abfd5f9269bd7a04739661cd067307f195c5c8ffc8db8378d914f5fd18d6a6e6a8c51a509ba8c81b677fcf5fbe85ee9c352379fb293f39ac54696e98e459f530

memory/3136-28-0x0000000000430000-0x000000000043A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b1637171.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

memory/2252-37-0x0000000000BD0000-0x0000000000BDA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c0323673.exe

MD5 47f39c4ad52ef8534ac3964d5c2aba92
SHA1 4ab09d010b5ae8cd1f00f260c339f0ad7f86d8b8
SHA256 a0f1a7cb66e8a078ad2a0d1b94e3f2f3657d04454a2eb9d389788a7c9654506d
SHA512 11c725de1cf294a73d7ef1565978887c62a52dcbf7af519254a078ff2d2dadf7722c6db0bc9712298a404773813ebc1c9f960c8e6a958ad492765028893b8103

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d6555583.exe

MD5 8c6b79ec436d7cf6950a804c1ec7d3e9
SHA1 4a589d5605d8ef785fdc78b0bf64e769e3a21ad6
SHA256 4e1377f9874f333dcb0b1b758e3131949e667fc39aadf3091e4e3b7cdbaeef1d
SHA512 06f2de433876963bb7bbddbe93cab0b7dd22164d1c10726294445944dcf5fa4a0fb450fc683c32565177a81a6103f6a5f11d291958bc7fcff7fdb9cf41a001ce

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e8333830.exe

MD5 35a15fad3767597b01a20d75c3c6889a
SHA1 eef19e2757667578f73c4b5720cf94c2ab6e60c8
SHA256 90ccd84f28e4dd03fb70b8739c4636acbcf8a030404b5a24264afd1acd09ecbc
SHA512 c1ea2659e28130f00869391a33dfdc2a763a710a56de2acaa6c71caa9c1eb5809e7ca1dfa1620ac5c3174052d3e277b832853a137a4663483855295fdab23577

memory/4784-58-0x0000000000400000-0x0000000000409000-memory.dmp

memory/4784-59-0x0000000000400000-0x0000000000409000-memory.dmp

Analysis: behavioral11

Detonation Overview

Submitted

2024-05-10 13:06

Reported

2024-05-10 13:09

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\660944c2e28e356790c36fcc99f1413b6daff34f154aeeda556c351fc695e812.exe"

Signatures

Amadey

trojan amadey

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h8574404.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h8574404.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h8574404.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h8574404.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h8574404.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h8574404.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g7357835.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h8574404.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\660944c2e28e356790c36fcc99f1413b6daff34f154aeeda556c351fc695e812.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4481156.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h8574404.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h8574404.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h8574404.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3468 wrote to memory of 6012 N/A C:\Users\Admin\AppData\Local\Temp\660944c2e28e356790c36fcc99f1413b6daff34f154aeeda556c351fc695e812.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4481156.exe
PID 3468 wrote to memory of 6012 N/A C:\Users\Admin\AppData\Local\Temp\660944c2e28e356790c36fcc99f1413b6daff34f154aeeda556c351fc695e812.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4481156.exe
PID 3468 wrote to memory of 6012 N/A C:\Users\Admin\AppData\Local\Temp\660944c2e28e356790c36fcc99f1413b6daff34f154aeeda556c351fc695e812.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4481156.exe
PID 6012 wrote to memory of 3088 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4481156.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g7357835.exe
PID 6012 wrote to memory of 3088 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4481156.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g7357835.exe
PID 6012 wrote to memory of 3088 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4481156.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g7357835.exe
PID 3088 wrote to memory of 1420 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g7357835.exe C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
PID 3088 wrote to memory of 1420 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g7357835.exe C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
PID 3088 wrote to memory of 1420 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g7357835.exe C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
PID 6012 wrote to memory of 4192 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4481156.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h8574404.exe
PID 6012 wrote to memory of 4192 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4481156.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h8574404.exe
PID 1420 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe C:\Windows\SysWOW64\schtasks.exe
PID 1420 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe C:\Windows\SysWOW64\schtasks.exe
PID 1420 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe C:\Windows\SysWOW64\schtasks.exe
PID 1420 wrote to memory of 5424 N/A C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe C:\Windows\SysWOW64\cmd.exe
PID 1420 wrote to memory of 5424 N/A C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe C:\Windows\SysWOW64\cmd.exe
PID 1420 wrote to memory of 5424 N/A C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe C:\Windows\SysWOW64\cmd.exe
PID 5424 wrote to memory of 1964 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 5424 wrote to memory of 1964 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 5424 wrote to memory of 1964 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 5424 wrote to memory of 4616 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 5424 wrote to memory of 4616 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 5424 wrote to memory of 4616 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 5424 wrote to memory of 3312 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 5424 wrote to memory of 3312 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 5424 wrote to memory of 3312 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 5424 wrote to memory of 5076 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 5424 wrote to memory of 5076 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 5424 wrote to memory of 5076 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 5424 wrote to memory of 5268 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 5424 wrote to memory of 5268 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 5424 wrote to memory of 5268 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 5424 wrote to memory of 2236 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 5424 wrote to memory of 2236 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 5424 wrote to memory of 2236 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3468 wrote to memory of 1564 N/A C:\Users\Admin\AppData\Local\Temp\660944c2e28e356790c36fcc99f1413b6daff34f154aeeda556c351fc695e812.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j5297148.exe
PID 3468 wrote to memory of 1564 N/A C:\Users\Admin\AppData\Local\Temp\660944c2e28e356790c36fcc99f1413b6daff34f154aeeda556c351fc695e812.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j5297148.exe
PID 3468 wrote to memory of 1564 N/A C:\Users\Admin\AppData\Local\Temp\660944c2e28e356790c36fcc99f1413b6daff34f154aeeda556c351fc695e812.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j5297148.exe

Processes

C:\Users\Admin\AppData\Local\Temp\660944c2e28e356790c36fcc99f1413b6daff34f154aeeda556c351fc695e812.exe

"C:\Users\Admin\AppData\Local\Temp\660944c2e28e356790c36fcc99f1413b6daff34f154aeeda556c351fc695e812.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4481156.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4481156.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g7357835.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g7357835.exe

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

"C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe"

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h8574404.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h8574404.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN pdates.exe /TR "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "pdates.exe" /P "Admin:N"&&CACLS "pdates.exe" /P "Admin:R" /E&&echo Y|CACLS "..\925e7e99c5" /P "Admin:N"&&CACLS "..\925e7e99c5" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "pdates.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "pdates.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\925e7e99c5" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\925e7e99c5" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j5297148.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j5297148.exe

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start wuauserv

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
FI 77.91.68.61:80 tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
FI 77.91.124.84:19071 tcp
FI 77.91.124.84:19071 tcp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
FI 77.91.68.61:80 tcp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
FI 77.91.124.84:19071 tcp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
FI 77.91.68.61:80 tcp
FI 77.91.124.84:19071 tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
BE 88.221.83.185:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
BE 88.221.83.185:443 www.bing.com tcp
US 8.8.8.8:53 185.83.221.88.in-addr.arpa udp
FI 77.91.124.84:19071 tcp
FI 77.91.124.84:19071 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4481156.exe

MD5 4c669c3829673f71b89661184a686673
SHA1 8e99df024d707a8562ad4107b8332baf0d2dfd29
SHA256 8bcbbee93e9545b076f74e96342643a14eae1c68541d38f2ae8583c9fb5ddb26
SHA512 9ab61976c1496929e83ceacf0d25276372658df062b9efea23767ac2911d1e927ece5c5d3d206a37e7b2acb17bb8b622eca222b232ac760a7380ce56562ab768

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g7357835.exe

MD5 aea234064483f651010cf9d981f59fea
SHA1 002ad73a666d2d92d0c6d6b617e61c6fa0c5f3a6
SHA256 58b02c8b4bc2bf7f5f1e8e45d7c206956f188ae56b648922ca75987b999db503
SHA512 eae415ef55aeb1b4548c2422a72e618fce17c2c1322918d33dc6b9202a01c743a5684ba28e5d83b6cdb2b703bc12569e6bb0e87ef2decb4e8a18592e1380a434

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h8574404.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

memory/4192-27-0x00000000003B0000-0x00000000003BA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j5297148.exe

MD5 b8d329b8de648c9dd98aeef8818aeb39
SHA1 f8accff92a1bf675ebdad62bb37dc4518c1fe22f
SHA256 67f421fc16e61bdc4c163b50f144c42442a62c53a89dcdd9f2a27c23d1e010dc
SHA512 6766c452d33dba045f7653aa927747be03cec14f0f664db696433e121010572792e76b367b45493ad17aea61392e4024662c07bcae842423893ea19b6cf2da1f

memory/1564-32-0x0000000000EA0000-0x0000000000ED0000-memory.dmp

memory/1564-33-0x0000000003130000-0x0000000003136000-memory.dmp

memory/1564-34-0x000000000B290000-0x000000000B8A8000-memory.dmp

memory/1564-35-0x000000000AD80000-0x000000000AE8A000-memory.dmp

memory/1564-36-0x00000000058C0000-0x00000000058D2000-memory.dmp

memory/1564-37-0x000000000ACB0000-0x000000000ACEC000-memory.dmp

memory/1564-38-0x0000000003050000-0x000000000309C000-memory.dmp

Analysis: behavioral13

Detonation Overview

Submitted

2024-05-10 13:06

Reported

2024-05-10 13:09

Platform

win10v2004-20240508-en

Max time kernel

142s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\795a49ee81e6eb25d2140b564c0aa63d165592e4d3b7bb4c29423c619b51334a.exe"

Signatures

Amadey

trojan amadey

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k8761760.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k8761760.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k8761760.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k8761760.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k8761760.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k8761760.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l8864243.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k8761760.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\795a49ee81e6eb25d2140b564c0aa63d165592e4d3b7bb4c29423c619b51334a.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0932119.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k8761760.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k8761760.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k8761760.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l8864243.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4160 wrote to memory of 3200 N/A C:\Users\Admin\AppData\Local\Temp\795a49ee81e6eb25d2140b564c0aa63d165592e4d3b7bb4c29423c619b51334a.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0932119.exe
PID 4160 wrote to memory of 3200 N/A C:\Users\Admin\AppData\Local\Temp\795a49ee81e6eb25d2140b564c0aa63d165592e4d3b7bb4c29423c619b51334a.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0932119.exe
PID 4160 wrote to memory of 3200 N/A C:\Users\Admin\AppData\Local\Temp\795a49ee81e6eb25d2140b564c0aa63d165592e4d3b7bb4c29423c619b51334a.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0932119.exe
PID 3200 wrote to memory of 1156 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0932119.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k8761760.exe
PID 3200 wrote to memory of 1156 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0932119.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k8761760.exe
PID 3200 wrote to memory of 4720 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0932119.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l8864243.exe
PID 3200 wrote to memory of 4720 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0932119.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l8864243.exe
PID 3200 wrote to memory of 4720 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0932119.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l8864243.exe
PID 4720 wrote to memory of 3100 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l8864243.exe C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
PID 4720 wrote to memory of 3100 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l8864243.exe C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
PID 4720 wrote to memory of 3100 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l8864243.exe C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
PID 4160 wrote to memory of 4488 N/A C:\Users\Admin\AppData\Local\Temp\795a49ee81e6eb25d2140b564c0aa63d165592e4d3b7bb4c29423c619b51334a.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n5482656.exe
PID 4160 wrote to memory of 4488 N/A C:\Users\Admin\AppData\Local\Temp\795a49ee81e6eb25d2140b564c0aa63d165592e4d3b7bb4c29423c619b51334a.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n5482656.exe
PID 4160 wrote to memory of 4488 N/A C:\Users\Admin\AppData\Local\Temp\795a49ee81e6eb25d2140b564c0aa63d165592e4d3b7bb4c29423c619b51334a.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n5482656.exe
PID 3100 wrote to memory of 760 N/A C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe C:\Windows\SysWOW64\schtasks.exe
PID 3100 wrote to memory of 760 N/A C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe C:\Windows\SysWOW64\schtasks.exe
PID 3100 wrote to memory of 760 N/A C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe C:\Windows\SysWOW64\schtasks.exe
PID 3100 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe C:\Windows\SysWOW64\cmd.exe
PID 3100 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe C:\Windows\SysWOW64\cmd.exe
PID 3100 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe C:\Windows\SysWOW64\cmd.exe
PID 1172 wrote to memory of 3612 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1172 wrote to memory of 3612 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1172 wrote to memory of 3612 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1172 wrote to memory of 1112 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1172 wrote to memory of 1112 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1172 wrote to memory of 1112 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1172 wrote to memory of 3456 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1172 wrote to memory of 3456 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1172 wrote to memory of 3456 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1172 wrote to memory of 4308 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1172 wrote to memory of 4308 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1172 wrote to memory of 4308 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1172 wrote to memory of 372 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1172 wrote to memory of 372 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1172 wrote to memory of 372 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1172 wrote to memory of 1640 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1172 wrote to memory of 1640 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1172 wrote to memory of 1640 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe

Processes

C:\Users\Admin\AppData\Local\Temp\795a49ee81e6eb25d2140b564c0aa63d165592e4d3b7bb4c29423c619b51334a.exe

"C:\Users\Admin\AppData\Local\Temp\795a49ee81e6eb25d2140b564c0aa63d165592e4d3b7bb4c29423c619b51334a.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0932119.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0932119.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k8761760.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k8761760.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l8864243.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l8864243.exe

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

"C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n5482656.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n5482656.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN pdates.exe /TR "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "pdates.exe" /P "Admin:N"&&CACLS "pdates.exe" /P "Admin:R" /E&&echo Y|CACLS "..\925e7e99c5" /P "Admin:N"&&CACLS "..\925e7e99c5" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "pdates.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "pdates.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\925e7e99c5" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\925e7e99c5" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
NL 23.62.61.160:443 www.bing.com tcp
US 8.8.8.8:53 160.61.62.23.in-addr.arpa udp
FI 77.91.68.61:80 tcp
FI 77.91.68.68:19071 tcp
FI 77.91.68.68:19071 tcp
FI 77.91.68.61:80 tcp
FI 77.91.68.68:19071 tcp
FI 77.91.68.61:80 tcp
FI 77.91.68.68:19071 tcp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
FI 77.91.68.68:19071 tcp
FI 77.91.68.68:19071 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0932119.exe

MD5 edc556bd751be4c21331a62f7cdb4a85
SHA1 a7f116072ee2b0a502ee9b5b3ad2069bfa760291
SHA256 bb05c8d756e41cb57119eb061d6fe683f561205cb9729a24b65c604dd286a50d
SHA512 c91080a951f2d3b89f4aac3073395ed139a692fb3b962ffda3e221bb36e55986ea7c47037d0e78ba11ae58082907dd9a452305454c953ce867f30113bcc45da1

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k8761760.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

memory/1156-14-0x0000000000EB0000-0x0000000000EBA000-memory.dmp

memory/1156-15-0x00007FF96DAD3000-0x00007FF96DAD5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l8864243.exe

MD5 aea234064483f651010cf9d981f59fea
SHA1 002ad73a666d2d92d0c6d6b617e61c6fa0c5f3a6
SHA256 58b02c8b4bc2bf7f5f1e8e45d7c206956f188ae56b648922ca75987b999db503
SHA512 eae415ef55aeb1b4548c2422a72e618fce17c2c1322918d33dc6b9202a01c743a5684ba28e5d83b6cdb2b703bc12569e6bb0e87ef2decb4e8a18592e1380a434

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n5482656.exe

MD5 d86ee190bbb058c3edb5a4b3194359a0
SHA1 1adaefeead16a49a4f48f682c9083c48577baec9
SHA256 62dfb4ead4cbed0b017ec79d97d69779dcdcde34ed730db7a5a3ff7f5429b56f
SHA512 195e7da8cc4268c73189193a480eab12f650b7efd4b8f22c1bbeafc224534a7a880811693994c84d4a7f0ae689e3f6e30c81e67181d8bdb8bb0c78b66079de3f

memory/4488-33-0x0000000000A50000-0x0000000000A80000-memory.dmp

memory/4488-34-0x0000000005230000-0x0000000005236000-memory.dmp

memory/4488-35-0x00000000059C0000-0x0000000005FD8000-memory.dmp

memory/4488-36-0x00000000054B0000-0x00000000055BA000-memory.dmp

memory/4488-37-0x00000000053E0000-0x00000000053F2000-memory.dmp

memory/4488-38-0x0000000005440000-0x000000000547C000-memory.dmp

memory/4488-39-0x00000000055C0000-0x000000000560C000-memory.dmp

Analysis: behavioral7

Detonation Overview

Submitted

2024-05-10 13:06

Reported

2024-05-10 13:09

Platform

win10v2004-20240508-en

Max time kernel

126s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3a5fd7dfdeb2d39f59735a8fd4f3621bef5a632886c19bfffeacac3350c44092.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a9380383.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a9380383.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a9380383.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7088417.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7088417.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7088417.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7088417.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a9380383.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a9380383.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a9380383.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7088417.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7088417.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a9380383.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a9380383.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7088417.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\3a5fd7dfdeb2d39f59735a8fd4f3621bef5a632886c19bfffeacac3350c44092.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7446353.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7768253.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3476318.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a9380383.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7088417.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2040 wrote to memory of 3932 N/A C:\Users\Admin\AppData\Local\Temp\3a5fd7dfdeb2d39f59735a8fd4f3621bef5a632886c19bfffeacac3350c44092.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7446353.exe
PID 2040 wrote to memory of 3932 N/A C:\Users\Admin\AppData\Local\Temp\3a5fd7dfdeb2d39f59735a8fd4f3621bef5a632886c19bfffeacac3350c44092.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7446353.exe
PID 2040 wrote to memory of 3932 N/A C:\Users\Admin\AppData\Local\Temp\3a5fd7dfdeb2d39f59735a8fd4f3621bef5a632886c19bfffeacac3350c44092.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7446353.exe
PID 3932 wrote to memory of 1336 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7446353.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7768253.exe
PID 3932 wrote to memory of 1336 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7446353.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7768253.exe
PID 3932 wrote to memory of 1336 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7446353.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7768253.exe
PID 1336 wrote to memory of 1328 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7768253.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3476318.exe
PID 1336 wrote to memory of 1328 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7768253.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3476318.exe
PID 1336 wrote to memory of 1328 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7768253.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3476318.exe
PID 1328 wrote to memory of 3844 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3476318.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a9380383.exe
PID 1328 wrote to memory of 3844 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3476318.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a9380383.exe
PID 1328 wrote to memory of 3844 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3476318.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a9380383.exe
PID 1328 wrote to memory of 4788 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3476318.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7088417.exe
PID 1328 wrote to memory of 4788 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3476318.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7088417.exe
PID 1336 wrote to memory of 4804 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7768253.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c3299072.exe
PID 1336 wrote to memory of 4804 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7768253.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c3299072.exe
PID 1336 wrote to memory of 4804 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7768253.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c3299072.exe

Processes

C:\Users\Admin\AppData\Local\Temp\3a5fd7dfdeb2d39f59735a8fd4f3621bef5a632886c19bfffeacac3350c44092.exe

"C:\Users\Admin\AppData\Local\Temp\3a5fd7dfdeb2d39f59735a8fd4f3621bef5a632886c19bfffeacac3350c44092.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7446353.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7446353.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7768253.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7768253.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3476318.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3476318.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a9380383.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a9380383.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4308,i,14486271492189381216,15799931579469722648,262144 --variations-seed-version --mojo-platform-channel-handle=3772 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7088417.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7088417.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c3299072.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c3299072.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 23.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.99:443 www.bing.com tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 99.61.62.23.in-addr.arpa udp
FI 77.91.68.48:19071 tcp
FI 77.91.68.48:19071 tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
FI 77.91.68.48:19071 tcp
FI 77.91.68.48:19071 tcp
FI 77.91.68.48:19071 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7446353.exe

MD5 cdb65c533898d46ca672b92973876229
SHA1 dd3e4296b3a91e58fc012573d71cab5fff647384
SHA256 7ebebeaa103ec219dc21ed1ab8b25e4a2d8d60020566009de3ae760d57231eba
SHA512 ad49996b89fd5eeef0736072c1470f37fc6dc415d23dd3b2631b04fd183d50c4f34ce76233c31d4264f5ab132fcbbdc22158a19475937f211cbc3188a899f53f

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7768253.exe

MD5 f0f6f170df1d271c552b0d02d9cfd00c
SHA1 81772a39f54f09e087fe647a2f29d00300ec790e
SHA256 d5e3c032af376571e939c53f9842783cf42e3bec65d504cad97ac08dedbb9e30
SHA512 7d0beb6f2f7f02f9664d840df1651846dad6332ba4d7df53870263af432bcd6ee66503e907efe2118196fb886fd0e9798ca2f03b77277281764847c226fb09fb

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3476318.exe

MD5 b521dd3035f27c010fee90054ae2676b
SHA1 b14d984181669f3e60e628d4ccb22087098d18f7
SHA256 7042a4553944787fcb60549bdef9787f955632186eb343f892b892b221e1e260
SHA512 8e0a111b4d67a316f26d6bb046b486c302bbaa6202215a51e4370103cd200ae78e2b4111393bfe020e6e6c6e0107059c30d2252b12ae00cd829f15daafffe5d4

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a9380383.exe

MD5 bd77385922ae5ed4007eb7317819e44a
SHA1 fc068ca58ab2d5ba7089df2507ff9c3842d9d7a1
SHA256 7a6f2da386b5ab2e68859fe2b034068fde5c4c988d44edd3308364dbc95c9556
SHA512 091e158952f5f4a7e71c5f49792b2b5bb05939071e14cbe2702d9c0a9255122118a930a48003ba56918f4f1a14c1bb9f87c0bf5a540fadc28a28e3ae0e915cb3

memory/3844-28-0x0000000000590000-0x00000000005CE000-memory.dmp

memory/3844-34-0x0000000000590000-0x00000000005CE000-memory.dmp

memory/3844-35-0x00000000044B0000-0x00000000044B1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7088417.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

memory/4788-41-0x0000000000A90000-0x0000000000A9A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c3299072.exe

MD5 67cb989f9d39ef2dc25805925f57cdd2
SHA1 72de5155bbe113cecabc724e967c10080c2d656c
SHA256 a56d1c14695ffe3d85956ba7c177b854a815455c54d2f6d7fb5a62b8581f6b6d
SHA512 dad3cef23beb97eaf54ae22432059de154e7ddb30ddb6431615230ed299b4fadd740cc483fe808c8b303c7a58b2008a560dc7bbc163e0f8928e9475c64aab943

memory/4804-46-0x0000000001F90000-0x000000000201C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\System.dll.log

MD5 916851e072fbabc4796d8916c5131092
SHA1 d48a602229a690c512d5fdaf4c8d77547a88e7a2
SHA256 7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d
SHA512 07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

memory/4804-53-0x0000000001F90000-0x000000000201C000-memory.dmp

memory/4804-55-0x0000000004560000-0x0000000004566000-memory.dmp

memory/4804-56-0x000000000A660000-0x000000000AC78000-memory.dmp

memory/4804-57-0x000000000A040000-0x000000000A14A000-memory.dmp

memory/4804-58-0x0000000006CF0000-0x0000000006D02000-memory.dmp

memory/4804-59-0x0000000006D10000-0x0000000006D4C000-memory.dmp

memory/4804-60-0x0000000006A10000-0x0000000006A5C000-memory.dmp

Analysis: behavioral9

Detonation Overview

Submitted

2024-05-10 13:06

Reported

2024-05-10 13:09

Platform

win7-20240508-en

Max time kernel

121s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5f7c9e83d80a652c6bde9ce18eaca08f9cb8a8012568629c5813a8e40f7e7ac5.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\5f7c9e83d80a652c6bde9ce18eaca08f9cb8a8012568629c5813a8e40f7e7ac5.exe

"C:\Users\Admin\AppData\Local\Temp\5f7c9e83d80a652c6bde9ce18eaca08f9cb8a8012568629c5813a8e40f7e7ac5.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2184 -s 52

Network

N/A

Files

memory/2184-0-0x0000000000030000-0x0000000000031000-memory.dmp

memory/2184-1-0x0000000000030000-0x0000000000031000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-10 13:06

Reported

2024-05-10 13:09

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\082abd50bc322e65df7b85b918d5bc248c652483544b6e4c453e9531969df172.exe"

Signatures

Amadey

trojan amadey

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2226444.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2226444.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2226444.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2226444.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2226444.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2226444.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l1782109.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2226444.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\082abd50bc322e65df7b85b918d5bc248c652483544b6e4c453e9531969df172.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8720694.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2226444.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2226444.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2226444.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 224 wrote to memory of 60 N/A C:\Users\Admin\AppData\Local\Temp\082abd50bc322e65df7b85b918d5bc248c652483544b6e4c453e9531969df172.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8720694.exe
PID 224 wrote to memory of 60 N/A C:\Users\Admin\AppData\Local\Temp\082abd50bc322e65df7b85b918d5bc248c652483544b6e4c453e9531969df172.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8720694.exe
PID 224 wrote to memory of 60 N/A C:\Users\Admin\AppData\Local\Temp\082abd50bc322e65df7b85b918d5bc248c652483544b6e4c453e9531969df172.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8720694.exe
PID 60 wrote to memory of 3588 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8720694.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2226444.exe
PID 60 wrote to memory of 3588 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8720694.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2226444.exe
PID 60 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8720694.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l1782109.exe
PID 60 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8720694.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l1782109.exe
PID 60 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8720694.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l1782109.exe
PID 2836 wrote to memory of 3896 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l1782109.exe C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
PID 2836 wrote to memory of 3896 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l1782109.exe C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
PID 2836 wrote to memory of 3896 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l1782109.exe C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
PID 224 wrote to memory of 980 N/A C:\Users\Admin\AppData\Local\Temp\082abd50bc322e65df7b85b918d5bc248c652483544b6e4c453e9531969df172.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n8194596.exe
PID 224 wrote to memory of 980 N/A C:\Users\Admin\AppData\Local\Temp\082abd50bc322e65df7b85b918d5bc248c652483544b6e4c453e9531969df172.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n8194596.exe
PID 224 wrote to memory of 980 N/A C:\Users\Admin\AppData\Local\Temp\082abd50bc322e65df7b85b918d5bc248c652483544b6e4c453e9531969df172.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n8194596.exe
PID 3896 wrote to memory of 5036 N/A C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe C:\Windows\SysWOW64\schtasks.exe
PID 3896 wrote to memory of 5036 N/A C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe C:\Windows\SysWOW64\schtasks.exe
PID 3896 wrote to memory of 5036 N/A C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe C:\Windows\SysWOW64\schtasks.exe
PID 3896 wrote to memory of 4800 N/A C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe C:\Windows\SysWOW64\cmd.exe
PID 3896 wrote to memory of 4800 N/A C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe C:\Windows\SysWOW64\cmd.exe
PID 3896 wrote to memory of 4800 N/A C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe C:\Windows\SysWOW64\cmd.exe
PID 4800 wrote to memory of 1124 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4800 wrote to memory of 1124 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4800 wrote to memory of 1124 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4800 wrote to memory of 3196 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4800 wrote to memory of 3196 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4800 wrote to memory of 3196 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4800 wrote to memory of 396 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4800 wrote to memory of 396 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4800 wrote to memory of 396 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4800 wrote to memory of 1824 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4800 wrote to memory of 1824 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4800 wrote to memory of 1824 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4800 wrote to memory of 3200 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4800 wrote to memory of 3200 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4800 wrote to memory of 3200 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4800 wrote to memory of 2372 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4800 wrote to memory of 2372 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4800 wrote to memory of 2372 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe

Processes

C:\Users\Admin\AppData\Local\Temp\082abd50bc322e65df7b85b918d5bc248c652483544b6e4c453e9531969df172.exe

"C:\Users\Admin\AppData\Local\Temp\082abd50bc322e65df7b85b918d5bc248c652483544b6e4c453e9531969df172.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8720694.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8720694.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2226444.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2226444.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l1782109.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l1782109.exe

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

"C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n8194596.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n8194596.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN pdates.exe /TR "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "pdates.exe" /P "Admin:N"&&CACLS "pdates.exe" /P "Admin:R" /E&&echo Y|CACLS "..\925e7e99c5" /P "Admin:N"&&CACLS "..\925e7e99c5" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "pdates.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "pdates.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\925e7e99c5" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\925e7e99c5" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
NL 23.62.61.57:443 www.bing.com tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 57.61.62.23.in-addr.arpa udp
FI 77.91.68.61:80 tcp
FI 77.91.124.84:19071 tcp
FI 77.91.124.84:19071 tcp
FI 77.91.68.61:80 tcp
FI 77.91.124.84:19071 tcp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
FI 77.91.68.61:80 tcp
FI 77.91.124.84:19071 tcp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
FI 77.91.124.84:19071 tcp
FI 77.91.124.84:19071 tcp
US 8.8.8.8:53 3.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8720694.exe

MD5 da189977109d11d32e33bdc6d5cdea9b
SHA1 ccae29dd9531ca909a8eceee7be37ab7ccb1ea3b
SHA256 619342e7a2d2a56110b4861ea944b7b5400c15fa20f096a7b8ee7abc335b74de
SHA512 2a30512da0f7e7daa952479d8d48fcbb504ffe39f4a7772bb9507ea0eb4fca5396acd95290c2eace9a32608930e8a087986d2505f9b979ecc06f659047fb8fa3

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2226444.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

memory/3588-15-0x00007FF8007F3000-0x00007FF8007F5000-memory.dmp

memory/3588-14-0x0000000000370000-0x000000000037A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l1782109.exe

MD5 aea234064483f651010cf9d981f59fea
SHA1 002ad73a666d2d92d0c6d6b617e61c6fa0c5f3a6
SHA256 58b02c8b4bc2bf7f5f1e8e45d7c206956f188ae56b648922ca75987b999db503
SHA512 eae415ef55aeb1b4548c2422a72e618fce17c2c1322918d33dc6b9202a01c743a5684ba28e5d83b6cdb2b703bc12569e6bb0e87ef2decb4e8a18592e1380a434

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n8194596.exe

MD5 e8cab8397cf45f1981e4d264fe17ee31
SHA1 3c86b93b49b33045dfe3ea7a69895215a88bbf12
SHA256 a885dd87ad27a729a388d38f048b1741da3dcf55fde65d787ac8467cec83c61b
SHA512 2cc95545111eace1d05b09694dc4439a88dc0e1cf6eed7dcad77e029ad03fa46ac6b121e6543fef4b71685b03c281a70458d55484d79d75573c85d667705d679

memory/980-33-0x0000000000520000-0x0000000000550000-memory.dmp

memory/980-34-0x0000000004D40000-0x0000000004D46000-memory.dmp

memory/980-35-0x0000000005530000-0x0000000005B48000-memory.dmp

memory/980-36-0x0000000005020000-0x000000000512A000-memory.dmp

memory/980-37-0x0000000004DA0000-0x0000000004DB2000-memory.dmp

memory/980-38-0x0000000004F10000-0x0000000004F4C000-memory.dmp

memory/980-39-0x0000000004F50000-0x0000000004F9C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-10 13:06

Reported

2024-05-10 13:09

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0a70b4612b5a8fdde3e7cb75dcc0caca23c46bd980d396bb52f7efc9d122c8f6.exe"

Signatures

Amadey

trojan amadey

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2973718.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2973718.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2973718.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2973718.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2973718.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2973718.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l3759546.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2973718.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\0a70b4612b5a8fdde3e7cb75dcc0caca23c46bd980d396bb52f7efc9d122c8f6.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2955265.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2973718.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2973718.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2973718.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4428 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\0a70b4612b5a8fdde3e7cb75dcc0caca23c46bd980d396bb52f7efc9d122c8f6.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2955265.exe
PID 4428 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\0a70b4612b5a8fdde3e7cb75dcc0caca23c46bd980d396bb52f7efc9d122c8f6.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2955265.exe
PID 4428 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\0a70b4612b5a8fdde3e7cb75dcc0caca23c46bd980d396bb52f7efc9d122c8f6.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2955265.exe
PID 2520 wrote to memory of 4888 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2955265.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2973718.exe
PID 2520 wrote to memory of 4888 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2955265.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2973718.exe
PID 2520 wrote to memory of 1244 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2955265.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l3759546.exe
PID 2520 wrote to memory of 1244 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2955265.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l3759546.exe
PID 2520 wrote to memory of 1244 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2955265.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l3759546.exe
PID 1244 wrote to memory of 4344 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l3759546.exe C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
PID 1244 wrote to memory of 4344 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l3759546.exe C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
PID 1244 wrote to memory of 4344 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l3759546.exe C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
PID 4428 wrote to memory of 632 N/A C:\Users\Admin\AppData\Local\Temp\0a70b4612b5a8fdde3e7cb75dcc0caca23c46bd980d396bb52f7efc9d122c8f6.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n8940839.exe
PID 4428 wrote to memory of 632 N/A C:\Users\Admin\AppData\Local\Temp\0a70b4612b5a8fdde3e7cb75dcc0caca23c46bd980d396bb52f7efc9d122c8f6.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n8940839.exe
PID 4428 wrote to memory of 632 N/A C:\Users\Admin\AppData\Local\Temp\0a70b4612b5a8fdde3e7cb75dcc0caca23c46bd980d396bb52f7efc9d122c8f6.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n8940839.exe
PID 4344 wrote to memory of 4764 N/A C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe C:\Windows\SysWOW64\schtasks.exe
PID 4344 wrote to memory of 4764 N/A C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe C:\Windows\SysWOW64\schtasks.exe
PID 4344 wrote to memory of 4764 N/A C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe C:\Windows\SysWOW64\schtasks.exe
PID 4344 wrote to memory of 4284 N/A C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe C:\Windows\SysWOW64\cmd.exe
PID 4344 wrote to memory of 4284 N/A C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe C:\Windows\SysWOW64\cmd.exe
PID 4344 wrote to memory of 4284 N/A C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe C:\Windows\SysWOW64\cmd.exe
PID 4284 wrote to memory of 3712 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4284 wrote to memory of 3712 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4284 wrote to memory of 3712 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4284 wrote to memory of 3644 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4284 wrote to memory of 3644 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4284 wrote to memory of 3644 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4284 wrote to memory of 412 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4284 wrote to memory of 412 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4284 wrote to memory of 412 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4284 wrote to memory of 1396 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4284 wrote to memory of 1396 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4284 wrote to memory of 1396 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4284 wrote to memory of 4168 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4284 wrote to memory of 4168 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4284 wrote to memory of 4168 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4284 wrote to memory of 2140 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4284 wrote to memory of 2140 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4284 wrote to memory of 2140 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe

Processes

C:\Users\Admin\AppData\Local\Temp\0a70b4612b5a8fdde3e7cb75dcc0caca23c46bd980d396bb52f7efc9d122c8f6.exe

"C:\Users\Admin\AppData\Local\Temp\0a70b4612b5a8fdde3e7cb75dcc0caca23c46bd980d396bb52f7efc9d122c8f6.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2955265.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2955265.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2973718.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2973718.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l3759546.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l3759546.exe

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

"C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n8940839.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n8940839.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN pdates.exe /TR "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "pdates.exe" /P "Admin:N"&&CACLS "pdates.exe" /P "Admin:R" /E&&echo Y|CACLS "..\925e7e99c5" /P "Admin:N"&&CACLS "..\925e7e99c5" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "pdates.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "pdates.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\925e7e99c5" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\925e7e99c5" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.160:443 www.bing.com tcp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 160.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
NL 23.62.61.99:443 www.bing.com tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 99.61.62.23.in-addr.arpa udp
FI 77.91.68.61:80 tcp
FI 77.91.68.68:19071 tcp
FI 77.91.68.68:19071 tcp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
FI 77.91.68.61:80 tcp
FI 77.91.68.68:19071 tcp
FI 77.91.68.61:80 tcp
FI 77.91.68.68:19071 tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp
FI 77.91.68.68:19071 tcp
FI 77.91.68.68:19071 tcp
US 8.8.8.8:53 131.109.69.13.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2955265.exe

MD5 34ee2fbadc86926a5ebdae520d8b8bc7
SHA1 81a7e1c0c107c166b732c62c5cde6ae607262f84
SHA256 c3419ca6d3b5652bbbf590d16bb76558d2e50db7c19a5c8b75d5d778331fc72a
SHA512 d6b26df54abb97810541d5aa959f8027b745cd5961ea73774c17600eeb73a5e8e895f4d4d82bb7a691156b6d745c60eb112b9b88ab76cd46e6c4cf96b667ceff

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2973718.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

memory/4888-14-0x00007FFF0EC83000-0x00007FFF0EC85000-memory.dmp

memory/4888-15-0x0000000000D10000-0x0000000000D1A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l3759546.exe

MD5 aea234064483f651010cf9d981f59fea
SHA1 002ad73a666d2d92d0c6d6b617e61c6fa0c5f3a6
SHA256 58b02c8b4bc2bf7f5f1e8e45d7c206956f188ae56b648922ca75987b999db503
SHA512 eae415ef55aeb1b4548c2422a72e618fce17c2c1322918d33dc6b9202a01c743a5684ba28e5d83b6cdb2b703bc12569e6bb0e87ef2decb4e8a18592e1380a434

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n8940839.exe

MD5 040c2fc21e60fd1273e32e83c974cd88
SHA1 ef82ffc72b30abcb11808f6b3eb4dc7d8d6673c9
SHA256 17e4580522ac41d966ae2ea23fdef97db420a6f218ae6ad2901fab76585acd97
SHA512 9350416c817b76a12f41eff48c8fbad4cbcb51cde9aa80af969609d065554f69d8b51a91f07c5e0cbc2fb7b8d3be06053a979e01c2ae3fe77cc1c6fce2740a26

memory/632-33-0x00000000001F0000-0x0000000000220000-memory.dmp

memory/632-34-0x0000000004B10000-0x0000000004B16000-memory.dmp

memory/632-35-0x00000000051E0000-0x00000000057F8000-memory.dmp

memory/632-36-0x0000000004CD0000-0x0000000004DDA000-memory.dmp

memory/632-37-0x0000000004B70000-0x0000000004B82000-memory.dmp

memory/632-38-0x0000000004C00000-0x0000000004C3C000-memory.dmp

memory/632-39-0x0000000004C40000-0x0000000004C8C000-memory.dmp