Analysis Overview
SHA256
e6564b70fa3d9a9e989ad7c1bb2b027f2e5447273c0bb64f84c7940828ecb0ed
Threat Level: Known bad
The file e6564b70fa3d9a9e989ad7c1bb2b027f2e5447273c0bb64f84c7940828ecb0ed was found to be: Known bad.
Malicious Activity Summary
RedLine payload
RedLine
Healer
Rhadamanthys
Amadey
Suspicious use of NtCreateUserProcessOtherParentProcess
Detect ZGRat V1
Modifies Windows Defender Real-time Protection settings
SmokeLoader
Detects Healer an antivirus disabler dropper
ZGRat
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Checks computer location settings
UPX packed file
Windows security modification
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
Checks installed software on the system
Adds Run key to start application
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of SetThreadContext
Unsigned PE
Enumerates physical storage devices
Program crash
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Checks SCSI registry key(s)
Suspicious behavior: MapViewOfSection
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-10 13:04
Signatures
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-10 13:04
Reported
2024-05-10 13:07
Platform
win10v2004-20240508-en
Max time kernel
146s
Max time network
153s
Command Line
Signatures
Amadey
Detects Healer an antivirus disabler dropper
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7651019.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7651019.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7651019.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7651019.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7651019.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7651019.exe | N/A |
RedLine
RedLine payload
SmokeLoader
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b4041009.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9124773.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4716388.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7651019.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b4041009.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c2505651.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d6192642.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7651019.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4716388.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\05b48b2909386e117184a0bdde8c6718992cf21d07674042c9d076292b260729.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9124773.exe | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c2505651.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c2505651.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c2505651.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7651019.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7651019.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7651019.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\05b48b2909386e117184a0bdde8c6718992cf21d07674042c9d076292b260729.exe
"C:\Users\Admin\AppData\Local\Temp\05b48b2909386e117184a0bdde8c6718992cf21d07674042c9d076292b260729.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9124773.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9124773.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4716388.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4716388.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7651019.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7651019.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b4041009.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b4041009.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
"C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe"
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c2505651.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c2505651.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN pdates.exe /TR "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "pdates.exe" /P "Admin:N"&&CACLS "pdates.exe" /P "Admin:R" /E&&echo Y|CACLS "..\925e7e99c5" /P "Admin:N"&&CACLS "..\925e7e99c5" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "pdates.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "pdates.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\925e7e99c5" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\925e7e99c5" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d6192642.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d6192642.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| NL | 23.62.61.113:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 113.61.62.23.in-addr.arpa | udp |
| FI | 77.91.68.61:80 | | tcp |
| FI | 77.91.68.68:19071 | | tcp |
| FI | 77.91.68.61:80 | | tcp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| FI | 77.91.68.68:19071 | | tcp |
| FI | 77.91.68.61:80 | | tcp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| FI | 77.91.68.68:19071 | | tcp |
| FI | 77.91.68.68:19071 | | tcp |
| FI | 77.91.68.68:19071 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9124773.exe
| MD5 | 1969cc55ecdb4ba432f9df129b085fde |
| SHA1 | 578c239149aa29ea2edad5c751a86d57b145e3f0 |
| SHA256 | 77f32b63d23c002e89fbbe13bd4a1cf8b005e7d988f6f580d58526a7882eb10f |
| SHA512 | 358147fba496d3222ad4bf76b7edba4121005a7413dc423db3b438b38f3ad33e979645961a5d0b4661f5557dc66ee0e1a4bdacbe4feb475df747f2a8397125ed |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4716388.exe
| MD5 | 4f02a923ce0a518b99841b16da953969 |
| SHA1 | 71b2bd669764fe784c80b0433dafe5e9e1564e5b |
| SHA256 | e12ecc6f8d8bc6e6c5ec72b084e0391fb9d6e2b23619536b9453e5a83feca66f |
| SHA512 | ff0f59f919005ec79a075dae8b13c07f508047c37eced3c7ad5c0c6c1199e74bf99f0c327e6c6536a451822397cc10e7d0231110e90d46aebafc093804e50ef5 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7651019.exe
| MD5 | 864b6322ef4be9192d857e078e2a69d8 |
| SHA1 | 24680c8fa196f0a1bf8cf51814149441f138f453 |
| SHA256 | 1deb97c02d57f4c00871baa9e93d96541a9419c22cdcfb4cb5d7c152f957b07b |
| SHA512 | 365f2222be84643e5008ba5999bfd38623787a92fc58b10194775275b5fb1804736206c47739438bae44c6ad5ae502a5bf1f3ce7823d594606f409bb2420a5cb |
memory/1952-21-0x0000000000540000-0x000000000054A000-memory.dmp
memory/1952-22-0x00007FFE80903000-0x00007FFE80905000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b4041009.exe
| MD5 | 8c118872da7c5c6359306afdf405fb02 |
| SHA1 | 4caf741d452520d043d7010380149a25d9f44bd5 |
| SHA256 | ac1cd3a1d8a1f854838b8a97fed679078f7d4295ebba95f5a2e7e90bd687845d |
| SHA512 | f2037cf9435b1f976e43d6f5c737b50477c03d345054bfccf53075c75ee6de9c343bb55407078bf76fa4c0bad8c3ae13572edf85e34833dba952be507dc8c43c |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c2505651.exe
| MD5 | ba117cdee0f70dde00678528d15b0c49 |
| SHA1 | 003a382b1a54b86999d15334ab118792f8313399 |
| SHA256 | 65ba81cbbf5db895c8091707aec81f6c8390339700187299312c1b9c7ac8b0a0 |
| SHA512 | d395155fe71ba9073ef3154a03f974df8205c8fb7a57c11fcbab93209e862a12f4bcd8d51ce96f3095fa8cfb9cf7978f160065534dc01dc942b7a2458562f6d7 |
memory/2620-40-0x0000000000400000-0x0000000000409000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d6192642.exe
| MD5 | 660c745e3bc446aebd5e95bea410993b |
| SHA1 | c46d33504bc5ef550542d07f74bd4f1e7826da03 |
| SHA256 | bb97c8811add79cf2f4a231939bd29e2ef398b6c747a6810263782a90f7b9ef5 |
| SHA512 | a61ab6e6f9ab0bb17d1306967fcd6f6c9647c0d101ab1686451edccb641d7bb75acccb0ec13482f87d505d1508d56577ce7c22ae0102e4e4e526cbf6fdea08fa |
Analysis: behavioral4
Detonation Overview
Submitted
2024-05-10 13:04
Reported
2024-05-10 13:07
Platform
win10v2004-20240426-en
Max time kernel
143s
Max time network
145s
Command Line
Signatures
Detects Healer an antivirus disabler dropper
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4992850.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3460427.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4992850.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4992850.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4992850.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4992850.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3460427.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3460427.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4992850.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3460427.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3460427.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3460427.exe | N/A |
RedLine
RedLine payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7472544.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9263224.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1805423.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5289050.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4992850.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3460427.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c4849613.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4992850.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4992850.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3460427.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5289050.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\2e0a9b6a39ce81b93beb155ac3c237f4a6b9248d6b872ed22bfdf8851796b19b.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7472544.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9263224.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1805423.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4992850.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4992850.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3460427.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3460427.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4992850.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3460427.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2e0a9b6a39ce81b93beb155ac3c237f4a6b9248d6b872ed22bfdf8851796b19b.exe
"C:\Users\Admin\AppData\Local\Temp\2e0a9b6a39ce81b93beb155ac3c237f4a6b9248d6b872ed22bfdf8851796b19b.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7472544.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7472544.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9263224.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9263224.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1805423.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1805423.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5289050.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5289050.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4992850.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4992850.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3460427.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3460427.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c4849613.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c4849613.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| NL | 23.62.61.106:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| NL | 23.62.61.106:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 106.61.62.23.in-addr.arpa | udp |
| FI | 77.91.68.56:19071 | | tcp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| FI | 77.91.68.56:19071 | | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| FI | 77.91.68.56:19071 | | tcp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| FI | 77.91.68.56:19071 | | tcp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| FI | 77.91.68.56:19071 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7472544.exe
| MD5 | 4f42b9b022fd8d85dcdd9f017b90ff04 |
| SHA1 | 676ba0ae4538adddc2b07f55a48cd628d12b7633 |
| SHA256 | b02ee275800185a8058ae8d737a10aa7ef514f4d772b4d85a2d65b2239545d4f |
| SHA512 | 38f9a1db8fb1505cb1ff738dc29aa61599c4e23a3b5fdd3cb75bfb8bfd3a300132e7c5b476e8bcaa36f5db240f3c6188e5b1028610e2f8d9ebc53f0932187c97 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9263224.exe
| MD5 | 9d65e889dc6cdf70ab7a92689cf92af2 |
| SHA1 | 507fd511af4528e94e1d2c6d37855380afb4a426 |
| SHA256 | 2203e5e15c34017bdb5d5dac6cba15f8d99920c65ef189076a1ce7d3af478ad1 |
| SHA512 | db30bd0c8afe77d711e58f68fb755e4cb4e762a90ed3aa6319ff4dda932abbd0b067dd9090cc87dac6e2a3b1c27a58bdad18836d609240d7f53714d699a2624c |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1805423.exe
| MD5 | 8592a6dc936028a99ace4532cd770d5d |
| SHA1 | 7e44db68b7ec9a089b8a4937ed6ebb5d84860656 |
| SHA256 | d1285e5b0d41a774b9207d576b7f7843892698c455ef32b279164721daefa805 |
| SHA512 | d433730289a88f71bc6ac17faae51ff07fa32e9398c84a00dfe54e70b158fa5d94d2e73a9a2bed44f45e36ae357c6a82c5f4b6e20d487529f3b43842f98510cd |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5289050.exe
| MD5 | edc75ffe5fa9ffa372060ebd5c09c2b3 |
| SHA1 | 1c075856c81f5648acc34d08fa5a41debd9387ae |
| SHA256 | 92d61909555ed2bddf1f59506648e79a53e769014afc63405405cbfea6979340 |
| SHA512 | 27943feab8ffb5635b6b886202f75d4f839a7bc4f326df0af1ea92560ee51a167a2d8aabe341b3861876fc7766abd1c8bab3d0dcad9cf69af81dabc89b797c13 |
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4992850.exe
| MD5 | 068c37a137de97b4569270eb0fd08b27 |
| SHA1 | 9cef9ddd66a3c3a18a6993eff25304d29e95bf6d |
| SHA256 | f9adeb967c811f699984b5a9d12d7d5c7090827a0c1ab3bea159c7d04f41286b |
| SHA512 | 98f1d6795cadb5ffe4f95c05fa3590832fe64cf1ea539199557fba0b4183c50ec7c0fdd210af23d4c769beb1158eca495e5b176d883ee29501334e88c0139cf1 |
memory/3188-35-0x0000000000490000-0x00000000004CE000-memory.dmp
memory/3188-42-0x0000000006BD0000-0x0000000006BD1000-memory.dmp
memory/3188-41-0x0000000000490000-0x00000000004CE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3460427.exe
| MD5 | 698c2c19db2d75dda748684546023df8 |
| SHA1 | f03d654d2459c82f0fbd407289c2b2f6458cfbfd |
| SHA256 | e27ddbbb48705cb0790690d176d326b1e68fac8960b25b65e56582c552d6a749 |
| SHA512 | b937e05949307bbf8da79c416c1ab9c844bab3065e2fcd690f6ff5bb403caebc89997b6d050eb82339dd9181a8842629602794bbda2436404381d0cf68f340e4 |
memory/4116-48-0x0000000000FD0000-0x0000000000FDA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c4849613.exe
| MD5 | da6ff81c6f67611413531f823ea93e2b |
| SHA1 | 8e4244fe534ab3ae1ea22dc12f0665bcec0db34a |
| SHA256 | 69220a693e0059f35711ed1e66ec35c9b62de85afe4cdb9c282c2d24d9483193 |
| SHA512 | f4af9745c5dab137c04b0e86f34fc696c1a9d7fcb9ca9733fcd75256981aa6835f3aeffd4f3fc1fce1c07109096c2835a2b6c83bc246ccfd719372059ebe5d36 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\System.dll.log
| MD5 | 916851e072fbabc4796d8916c5131092 |
| SHA1 | d48a602229a690c512d5fdaf4c8d77547a88e7a2 |
| SHA256 | 7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d |
| SHA512 | 07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521 |
Analysis: behavioral20
Detonation Overview
Submitted
2024-05-10 13:04
Reported
2024-05-10 13:07
Platform
win10v2004-20240508-en
Max time kernel
94s
Max time network
111s
Command Line
Signatures
Detect ZGRat V1
RedLine
RedLine payload
ZGRat
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 348 set thread context of 4540 | N/A | C:\Users\Admin\AppData\Local\Temp\e38bd93e7494d62b91d0445138d215387c568aa6b6e9ae0a92842ba7b1999228.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\e38bd93e7494d62b91d0445138d215387c568aa6b6e9ae0a92842ba7b1999228.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\e38bd93e7494d62b91d0445138d215387c568aa6b6e9ae0a92842ba7b1999228.exe
"C:\Users\Admin\AppData\Local\Temp\e38bd93e7494d62b91d0445138d215387c568aa6b6e9ae0a92842ba7b1999228.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 348 -ip 348
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 348 -s 348
Network
| Country | Destination | Domain | Proto |
| RU | 147.45.47.64:11837 | | tcp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.47.45.147.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| NL | 23.62.61.106:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 106.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.121.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
Files
Analysis: behavioral22
Detonation Overview
Submitted
2024-05-10 13:04
Reported
2024-05-10 13:07
Platform
win10v2004-20240426-en
Max time kernel
142s
Max time network
153s
Command Line
Signatures
Amadey
Detects Healer an antivirus disabler dropper
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h6394657.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h6394657.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h6394657.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h6394657.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h6394657.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h6394657.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g4651268.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7661534.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g4651268.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h6394657.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j3117914.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h6394657.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\f943251c5b3ff162faabeb09676429800f82298b7971cbfb3dee652de07b391b.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7661534.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h6394657.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h6394657.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h6394657.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\f943251c5b3ff162faabeb09676429800f82298b7971cbfb3dee652de07b391b.exe
"C:\Users\Admin\AppData\Local\Temp\f943251c5b3ff162faabeb09676429800f82298b7971cbfb3dee652de07b391b.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7661534.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7661534.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g4651268.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g4651268.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
"C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe"
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h6394657.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h6394657.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN pdates.exe /TR "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "pdates.exe" /P "Admin:N"&&CACLS "pdates.exe" /P "Admin:R" /E&&echo Y|CACLS "..\925e7e99c5" /P "Admin:N"&&CACLS "..\925e7e99c5" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "pdates.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "pdates.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\925e7e99c5" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\925e7e99c5" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j3117914.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j3117914.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| FI | 77.91.68.61:80 | | tcp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.75:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| NL | 23.62.61.75:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| FI | 77.91.124.84:19071 | | tcp |
| FI | 77.91.124.84:19071 | | tcp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| FI | 77.91.68.61:80 | | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| FI | 77.91.124.84:19071 | | tcp |
| FI | 77.91.68.61:80 | | tcp |
| FI | 77.91.124.84:19071 | | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| FI | 77.91.124.84:19071 | | tcp |
| FI | 77.91.124.84:19071 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7661534.exe
| MD5 | b590de91b098593e9d552d46029e22a0 |
| SHA1 | 68efe1b06f4ff1415479c9401f6975fe8c5890a3 |
| SHA256 | 8ccb68574729f8a471c6ba81c8611248a1f3def44181a894a04f7fd2003df361 |
| SHA512 | 327f417030d7d54732c6687d693192dd95e9f53f0b1fa492fe73aef9668acde1cb5ebceea40a78903642f51a87888b4173adaf7ef21c12e627294d939c0c32cd |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g4651268.exe
| MD5 | aea234064483f651010cf9d981f59fea |
| SHA1 | 002ad73a666d2d92d0c6d6b617e61c6fa0c5f3a6 |
| SHA256 | 58b02c8b4bc2bf7f5f1e8e45d7c206956f188ae56b648922ca75987b999db503 |
| SHA512 | eae415ef55aeb1b4548c2422a72e618fce17c2c1322918d33dc6b9202a01c743a5684ba28e5d83b6cdb2b703bc12569e6bb0e87ef2decb4e8a18592e1380a434 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h6394657.exe
| MD5 | 7e93bacbbc33e6652e147e7fe07572a0 |
| SHA1 | 421a7167da01c8da4dc4d5234ca3dd84e319e762 |
| SHA256 | 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38 |
| SHA512 | 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j3117914.exe
| MD5 | 1447b4fb4151d764c146112f35fbd3e7 |
| SHA1 | 9094efd622b29020446376a29f77e58388cde97b |
| SHA256 | a524f189c161620e8ff49b7a6b2b71540a776ce6259e18e8286aa0c8a81beb20 |
| SHA512 | d1c81398785b34beb7cb1edab4a602dcbb993d49e43cdd029c21a16283f4f90c4fdb15c70b6adc8cff3d5aed2930298c21888276739c2b6fd9eaaac9c429da76 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-10 13:04
Reported
2024-05-10 13:07
Platform
win10v2004-20240426-en
Max time kernel
149s
Max time network
153s
Command Line
Signatures
Amadey
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7511157.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7511157.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7511157.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7511157.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7511157.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7511157.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l5242522.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1359229.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7511157.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l5242522.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n4765071.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7511157.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\143e14de3ab20f2359132907b991db6a76d0d521ba132b83a736d149619409c5.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1359229.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7511157.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7511157.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7511157.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\143e14de3ab20f2359132907b991db6a76d0d521ba132b83a736d149619409c5.exe
"C:\Users\Admin\AppData\Local\Temp\143e14de3ab20f2359132907b991db6a76d0d521ba132b83a736d149619409c5.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1359229.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1359229.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7511157.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7511157.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l5242522.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l5242522.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
"C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n4765071.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n4765071.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN pdates.exe /TR "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "pdates.exe" /P "Admin:N"&&CACLS "pdates.exe" /P "Admin:R" /E&&echo Y|CACLS "..\925e7e99c5" /P "Admin:N"&&CACLS "..\925e7e99c5" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "pdates.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "pdates.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\925e7e99c5" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\925e7e99c5" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| NL | 23.62.61.113:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 113.61.62.23.in-addr.arpa | udp |
| NL | 23.62.61.113:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 45.19.74.20.in-addr.arpa | udp |
| FI | 77.91.68.68:19071 | | tcp |
| FI | 77.91.68.61:80 | | tcp |
| FI | 77.91.68.68:19071 | | tcp |
| FI | 77.91.68.61:80 | | tcp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| FI | 77.91.68.68:19071 | | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| FI | 77.91.68.61:80 | | tcp |
| FI | 77.91.68.68:19071 | | tcp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| FI | 77.91.68.68:19071 | | tcp |
| FI | 77.91.68.68:19071 | | tcp |
| US | 8.8.8.8:53 | 170.117.168.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1359229.exe
| MD5 | f5f946ac4583af832c2d637fd85246fb |
| SHA1 | dffad329cad828e547d1eb418a4fc709ba05fcc7 |
| SHA256 | 44e8ec63756866f0209362393b22273dd2106f5a207ff8f8e16f71ce45bf0455 |
| SHA512 | 0f5fbb1400818078d97964da427e24cedd8a998343cc2de79a28b0137c629070ba60f44ea0c03fa8424c03040fff403cf4b72597596917ca72ba1eed2a55e9b6 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7511157.exe
| MD5 | 7e93bacbbc33e6652e147e7fe07572a0 |
| SHA1 | 421a7167da01c8da4dc4d5234ca3dd84e319e762 |
| SHA256 | 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38 |
| SHA512 | 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l5242522.exe
| MD5 | aea234064483f651010cf9d981f59fea |
| SHA1 | 002ad73a666d2d92d0c6d6b617e61c6fa0c5f3a6 |
| SHA256 | 58b02c8b4bc2bf7f5f1e8e45d7c206956f188ae56b648922ca75987b999db503 |
| SHA512 | eae415ef55aeb1b4548c2422a72e618fce17c2c1322918d33dc6b9202a01c743a5684ba28e5d83b6cdb2b703bc12569e6bb0e87ef2decb4e8a18592e1380a434 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n4765071.exe
| MD5 | 2e579346644673daa171cbfbbf226e92 |
| SHA1 | 15c654470dda2e03c3579cc06f02f01756b8f220 |
| SHA256 | e7fa30eaa844288719a635b40bfa1bce8aeb1bade6683915e00b71891453019a |
| SHA512 | b5a0a0c869447ab586dfcb512b646b409139eb2e086c0c46f777fecb84d417fef7c75be688a3f63eea0fc704649b683f10afa20b9243e4e8d7363883daebe995 |
Analysis: behavioral8
Detonation Overview
Submitted
2024-05-10 13:04
Reported
2024-05-10 13:07
Platform
win10v2004-20240426-en
Max time kernel
149s
Max time network
155s
Command Line
Signatures
Amadey
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h1259467.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h1259467.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h1259467.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h1259467.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h1259467.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h1259467.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g5798448.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8665889.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g5798448.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h1259467.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j2087279.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h1259467.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\59c1607382fbf89bf1ce30ceb0a4e1724a81c2e855e91e5f12e07c396e822a01.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8665889.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h1259467.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h1259467.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h1259467.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\59c1607382fbf89bf1ce30ceb0a4e1724a81c2e855e91e5f12e07c396e822a01.exe
"C:\Users\Admin\AppData\Local\Temp\59c1607382fbf89bf1ce30ceb0a4e1724a81c2e855e91e5f12e07c396e822a01.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8665889.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8665889.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g5798448.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g5798448.exe
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
"C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe"
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h1259467.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h1259467.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN danke.exe /TR "C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "danke.exe" /P "Admin:N"&&CACLS "danke.exe" /P "Admin:R" /E&&echo Y|CACLS "..\3ec1f323b5" /P "Admin:N"&&CACLS "..\3ec1f323b5" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "danke.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "danke.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\3ec1f323b5" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\3ec1f323b5" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j2087279.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j2087279.exe
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| FI | 77.91.68.3:80 | | tcp |
| NL | 23.62.61.129:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 129.61.62.23.in-addr.arpa | udp |
| NL | 23.62.61.113:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 113.61.62.23.in-addr.arpa | udp |
| FI | 77.91.68.68:19071 | | tcp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| FI | 77.91.68.68:19071 | | tcp |
| FI | 77.91.68.3:80 | | tcp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| FI | 77.91.68.68:19071 | | tcp |
| FI | 77.91.68.3:80 | | tcp |
| FI | 77.91.68.68:19071 | | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| FI | 77.91.68.3:80 | | tcp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| FI | 77.91.68.68:19071 | | tcp |
| FI | 77.91.68.3:80 | | tcp |
| FI | 77.91.68.68:19071 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8665889.exe
| MD5 | 63d9a22d700ce9c714aa0d465728b943 |
| SHA1 | e6b90e0a767c65c630eb2dcf016c99608601cc45 |
| SHA256 | 31cc48ae436597f1580485cfeefc44641b9a32ed1d1ab66a1aa4c99f089d8ce9 |
| SHA512 | cbefe1b911475c689d768a60b2f75f1ddb629f0d5dcb2747ec764e372f728e719e218459c341d96c9af650c68c401e8a83279c98d4c229fa7bebd3f047b116e5 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g5798448.exe
| MD5 | 8c6b79ec436d7cf6950a804c1ec7d3e9 |
| SHA1 | 4a589d5605d8ef785fdc78b0bf64e769e3a21ad6 |
| SHA256 | 4e1377f9874f333dcb0b1b758e3131949e667fc39aadf3091e4e3b7cdbaeef1d |
| SHA512 | 06f2de433876963bb7bbddbe93cab0b7dd22164d1c10726294445944dcf5fa4a0fb450fc683c32565177a81a6103f6a5f11d291958bc7fcff7fdb9cf41a001ce |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h1259467.exe
| MD5 | 7e93bacbbc33e6652e147e7fe07572a0 |
| SHA1 | 421a7167da01c8da4dc4d5234ca3dd84e319e762 |
| SHA256 | 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38 |
| SHA512 | 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j2087279.exe
| MD5 | 76699b92c2c551112da1ccbcc32539d1 |
| SHA1 | e8975f08845150505619c1accaa40d0a074ac37c |
| SHA256 | 8b75aca063567d2dddd348262e9d5e19874077645d642d17839dc69939a98b18 |
| SHA512 | cef1b307f5c29aece6c6224623a52d094b74a682d0b9b8fc29ee4c45ebfd3fe058fb5acd21f9996e76b4e982cfa222479268fb37c32480ec1f8eba84ebd97fd0 |
Analysis: behavioral10
Detonation Overview
Submitted
2024-05-10 13:04
Reported
2024-05-10 13:07
Platform
win7-20240221-en
Max time kernel
117s
Max time network
125s
Command Line
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\68ca177d42ab79022ede5d703f2f3b4e3de42fc1ae56a531b50f66f3339721f8.exe
"C:\Users\Admin\AppData\Local\Temp\68ca177d42ab79022ede5d703f2f3b4e3de42fc1ae56a531b50f66f3339721f8.exe"
Network
Files
Analysis: behavioral16
Detonation Overview
Submitted
2024-05-10 13:04
Reported
2024-05-10 13:07
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
160s
Command Line
Signatures
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p8565578.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p8565578.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p8565578.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p8565578.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p8565578.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p8565578.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2882788.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p8565578.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r4844943.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p8565578.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\ccc5c313f416465ffc57b4343c6e512d0568f618620aaa7b258b5d5721aaf394.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2882788.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p8565578.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p8565578.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p8565578.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ccc5c313f416465ffc57b4343c6e512d0568f618620aaa7b258b5d5721aaf394.exe
"C:\Users\Admin\AppData\Local\Temp\ccc5c313f416465ffc57b4343c6e512d0568f618620aaa7b258b5d5721aaf394.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2882788.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2882788.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p8565578.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p8565578.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r4844943.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r4844943.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| NL | 23.62.61.75:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 75.61.62.23.in-addr.arpa | udp |
| FI | 77.91.68.68:19071 | N/A | tcp |
| FI | 77.91.68.68:19071 | N/A | tcp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| FI | 77.91.68.68:19071 | N/A | tcp |
| FI | 77.91.68.68:19071 | N/A | tcp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| FI | 77.91.68.68:19071 | N/A | tcp |
| FI | 77.91.68.68:19071 | N/A | tcp |
| US | 8.8.8.8:53 | 213.143.182.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2882788.exe
| MD5 | 6de9a950d4a4b7c0332b45a5bd235d01 |
| SHA1 | 841af90b26f4db62c4b8f90e28338191a6a7f828 |
| SHA256 | 3259015332b3c7d28f60d87021ad2c8774ee8fecdf700f3955e15f54889187a7 |
| SHA512 | 5020589a686c79d44bd60222e57d114a395b06e9d2a57d29097c2666ec76a8312558593415f55017d066964c49abe9a45ebd738d761666d1b0d93f1bb1e6ba3b |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p8565578.exe
| MD5 | 96a788f0a5be814e86485a5a69530a9f |
| SHA1 | 2d3e089f1d1e6bcd963d905e4562b3f463795d85 |
| SHA256 | 49cb26c4643b21f4e6b5ac16f17256db971437aa4ad718cf747ffe01449a8e34 |
| SHA512 | d2f13b86e881b2663e32b77cdc3323c971a42737295766ad575bad1fbc21bf8e7c358e87145acbd092dace56b56c7c76203580b4cdf91afb0346b22cb00ecc0f |
memory/4224-14-0x0000000000830000-0x000000000083A000-memory.dmp
memory/4224-15-0x00007FFE30073000-0x00007FFE30075000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r4844943.exe
| MD5 | 672fb4244fd74cff542f35696bd45875 |
| SHA1 | d1849efc41f2d286b13d036ef60417c318caf583 |
| SHA256 | b6f9f1e64fdbb0df744bf834291c6fc891188daf93e5630537498cf9c44141a6 |
| SHA512 | 33b1dc400c253744c08c4506ed95e1d8518e67508e4bd6a5a73cceac4b3c628ec001c20e415b0b1d85764cafb3306b9332f3ac2a046a690d7941ecfdadc1bef5 |
Analysis: behavioral19
Detonation Overview
Submitted
2024-05-10 13:04
Reported
2024-05-10 13:07
Platform
win7-20240221-en
Max time kernel
119s
Max time network
121s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\e38bd93e7494d62b91d0445138d215387c568aa6b6e9ae0a92842ba7b1999228.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2320 wrote to memory of 2376 | N/A | C:\Users\Admin\AppData\Local\Temp\e38bd93e7494d62b91d0445138d215387c568aa6b6e9ae0a92842ba7b1999228.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2320 wrote to memory of 2376 | N/A | C:\Users\Admin\AppData\Local\Temp\e38bd93e7494d62b91d0445138d215387c568aa6b6e9ae0a92842ba7b1999228.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2320 wrote to memory of 2376 | N/A | C:\Users\Admin\AppData\Local\Temp\e38bd93e7494d62b91d0445138d215387c568aa6b6e9ae0a92842ba7b1999228.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2320 wrote to memory of 2376 | N/A | C:\Users\Admin\AppData\Local\Temp\e38bd93e7494d62b91d0445138d215387c568aa6b6e9ae0a92842ba7b1999228.exe | C:\Windows\SysWOW64\WerFault.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\e38bd93e7494d62b91d0445138d215387c568aa6b6e9ae0a92842ba7b1999228.exe
"C:\Users\Admin\AppData\Local\Temp\e38bd93e7494d62b91d0445138d215387c568aa6b6e9ae0a92842ba7b1999228.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2320 -s 116
Network
Files
memory/2320-0-0x0000000001472000-0x0000000001473000-memory.dmp
Analysis: behavioral11
Detonation Overview
Submitted
2024-05-10 13:04
Reported
2024-05-10 13:07
Platform
win10v2004-20240508-en
Max time kernel
93s
Max time network
99s
Command Line
Signatures
UPX packed file
Processes
C:\Users\Admin\AppData\Local\Temp\68ca177d42ab79022ede5d703f2f3b4e3de42fc1ae56a531b50f66f3339721f8.exe
"C:\Users\Admin\AppData\Local\Temp\68ca177d42ab79022ede5d703f2f3b4e3de42fc1ae56a531b50f66f3339721f8.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.121.18.2.in-addr.arpa | udp |
Files
memory/2520-0-0x00007FF6A5E80000-0x00007FF6A69F9000-memory.dmp
Analysis: behavioral7
Detonation Overview
Submitted
2024-05-10 13:04
Reported
2024-05-10 13:07
Platform
win10v2004-20240508-en
Max time kernel
148s
Max time network
155s
Command Line
Signatures
Detects Healer an antivirus disabler dropper
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5137020.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5137020.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3677044.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3677044.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3677044.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3677044.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3677044.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5137020.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5137020.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5137020.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5137020.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3677044.exe | N/A |
RedLine
RedLine payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1426625.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4288450.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0931522.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0829334.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5137020.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3677044.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c1783125.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5137020.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5137020.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3677044.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4288450.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0931522.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0829334.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\4d09936a4a5e882005320c53757dc18469109b9f86d4b6003bb674e1658b0dbf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1426625.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5137020.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5137020.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3677044.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3677044.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5137020.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3677044.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\4d09936a4a5e882005320c53757dc18469109b9f86d4b6003bb674e1658b0dbf.exe
"C:\Users\Admin\AppData\Local\Temp\4d09936a4a5e882005320c53757dc18469109b9f86d4b6003bb674e1658b0dbf.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1426625.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1426625.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4288450.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4288450.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0931522.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0931522.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0829334.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0829334.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5137020.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5137020.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3677044.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3677044.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c1783125.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c1783125.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| NL | 23.62.61.160:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 160.61.62.23.in-addr.arpa | udp |
| NL | 23.62.61.160:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| FI | 77.91.68.56:19071 | N/A | tcp |
| FI | 77.91.68.56:19071 | N/A | tcp |
| FI | 77.91.68.56:19071 | N/A | tcp |
| FI | 77.91.68.56:19071 | N/A | tcp |
| FI | 77.91.68.56:19071 | N/A | tcp |
| US | 8.8.8.8:53 | 171.117.168.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1426625.exe
| MD5 | 0ffebb1f8e07e9e177551ddfe1e5deb3 |
| SHA1 | 126013412bc3d49f5c8e3beafe9cfd92fdf59c65 |
| SHA256 | cd6bdea7c7a6c6ade538cf5d4567881d67e82dd72d473179cb47986367bae628 |
| SHA512 | 1a23a319a9d8c4f025ede357e008d6ee0a656f88e7efa0901a46eef7b6c56248dad5a4b251f82b3d7c1aa73562ff5fa00e5ae2f9262554232badebe4dc71918a |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4288450.exe
| MD5 | 05b31cc1f873f663da8a3673ee1c1e70 |
| SHA1 | da64bfd433ce785b9d26fb0f6fe4883d9d790b09 |
| SHA256 | 2a5782027e95953e6a505c58e691fc2324135b202c38c437ad4dc8ced47a2feb |
| SHA512 | d902b06aebe522c883f782dd299f57d3d1925ab3e4955b8ce6882e53523bd63b9d3f35b8c0f0c6ad8aea0a5e9f9e3ad01fd2bc2096dbe62196ce38bb0f6f40d8 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0931522.exe
| MD5 | 50f2ebe7886d7ecf35f81f720ac270ed |
| SHA1 | 59f616bc7d655575d54e58c256de026dd0c82c6e |
| SHA256 | e127f2e8fb3406e6ce6497ebf04e41c01b95f4a7c2d3c89ecc5fe462dfa62ffd |
| SHA512 | d685afabb0bb488b1d6d0c3d69b0175593658f5920d25841086759be73ed79ee426883485013fa5b6f5398372c36145c559404ac7892e559d75846fbaf5adf44 |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0829334.exe
| MD5 | c045adc356c9935a873d1cd91cd54989 |
| SHA1 | 06b1b8c34e396a09a69a425af0f8b00671a4f953 |
| SHA256 | bb2374a0251dd291e217e7c74eac6881cc229a2778ba0047f54e014bebc75a62 |
| SHA512 | bcab8a6331c4ceb7beeff395fc6d3b8d0ae7e1ae3ea0c45692870aad586563ed8313d24b02d45c69cb0496f7115f6580422637edcb4c188575960819e86f54f0 |
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5137020.exe
| MD5 | c43930fbf73244831a96682aba907e8c |
| SHA1 | 44db4ec9c11a04d56d2bfab7f993abf37a23e6fe |
| SHA256 | 9beeaf6651baa5e2597a933df6eee18cf168ba41865e18001185613e0949bba3 |
| SHA512 | 6cb91d5c9317f693a04eec12cddef55760619ed65944df60986b009eb1c782833d121788d4352519e6391bed2a06f0f602b1f4a753623c7ac92dd0440dd307af |
memory/3976-35-0x00000000005B0000-0x00000000005EE000-memory.dmp
memory/3976-41-0x00000000005B0000-0x00000000005EE000-memory.dmp
memory/3976-42-0x0000000006BD0000-0x0000000006BD1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3677044.exe
| MD5 | f77d78af12b9628421ed4e1dfb7deb13 |
| SHA1 | 9b6fa06af3564e2fe4724d8b5ebfdfd2a7ec0fd5 |
| SHA256 | 10d806abe4d088bbb95c43a04c91f68a10888bd256de9c9a58c4c7642a9572ab |
| SHA512 | 6c01f44fdb412a58a19ddb4caf73a502a5aae10aecb959a67142ab267ef6732a7e5e6346c1a5ce5aa52823ae5b50372c083e4e59f650c835a38c75d334303e00 |
memory/3620-48-0x0000000000290000-0x000000000029A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c1783125.exe
| MD5 | 1bc0f3239045d44d169496f3b247f881 |
| SHA1 | 1884266973607585ec1b134f6009c17e54f3b18f |
| SHA256 | 8d09dd356bd29f5d38121849999e828d955e116d03542444d0b4f40073596e7f |
| SHA512 | dc3a2358d4d2613bb82c60362c409590a8699d53625efd9fd8b853f5e19afed07c798cf66b59d38bd526a80559bc4cc486b23b0f40f3fb120bd61a67946f87a9 |
memory/4972-53-0x0000000001F90000-0x000000000201C000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\System.dll.log
| MD5 | 916851e072fbabc4796d8916c5131092 |
| SHA1 | d48a602229a690c512d5fdaf4c8d77547a88e7a2 |
| SHA256 | 7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d |
| SHA512 | 07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521 |
Analysis: behavioral15
Detonation Overview
Submitted
2024-05-10 13:04
Reported
2024-05-10 13:08
Platform
win10v2004-20240426-en
Max time kernel
142s
Max time network
144s
Command Line
Signatures
Detects Healer an antivirus disabler dropper
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a6918678.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a6918678.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a6918678.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a6918678.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b0194431.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b0194431.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a6918678.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a6918678.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b0194431.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b0194431.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b0194431.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b0194431.exe | N/A |
RedLine
RedLine payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8193530.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7356747.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1869910.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v6266876.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a6918678.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b0194431.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c9863785.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a6918678.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a6918678.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b0194431.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1869910.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v6266876.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\b6b53c7022ec83f58037dc5fee6d8a5dd71ff675b2851d1ebdaac02d608ebac9.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8193530.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7356747.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a6918678.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a6918678.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b0194431.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b0194431.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a6918678.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b0194431.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\b6b53c7022ec83f58037dc5fee6d8a5dd71ff675b2851d1ebdaac02d608ebac9.exe
"C:\Users\Admin\AppData\Local\Temp\b6b53c7022ec83f58037dc5fee6d8a5dd71ff675b2851d1ebdaac02d608ebac9.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8193530.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8193530.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7356747.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7356747.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1869910.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1869910.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v6266876.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v6266876.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a6918678.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a6918678.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b0194431.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b0194431.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c9863785.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c9863785.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| NL | 23.62.61.113:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 113.61.62.23.in-addr.arpa | udp |
| FI | 77.91.68.56:19071 | N/A | tcp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| FI | 77.91.68.56:19071 | N/A | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| FI | 77.91.68.56:19071 | N/A | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| FI | 77.91.68.56:19071 | N/A | tcp |
| US | 8.8.8.8:53 | 58.99.105.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| FI | 77.91.68.56:19071 | N/A | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8193530.exe
| MD5 | 8f452b4a4326c38e4571b85753f14835 |
| SHA1 | 39e82691dbf838c5929a85c0ccea571b2eeaa762 |
| SHA256 | 2c425603871cfae47a16427da45eb520a5ed3d232c7cd61f40106132368da097 |
| SHA512 | 5a562cd0ba0c785afe7121fd99bc39173a2121452c011bdb7424ffe30c95e181d4848dbe70996f40d02e03518328159b8913ae7351cfb4da9d4da1b4cd36a061 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7356747.exe
| MD5 | c01e50a9b08254b6225359b71398aec4 |
| SHA1 | 69290aa4f0cfff274bd47cbea733cd1494329fff |
| SHA256 | e11371b57008d6851d429072eb585f23a66ef95ba1f2fe63bd2ee922b8583a12 |
| SHA512 | 73b878812254dbf5854e5cd330bcb063eca437b2f84b127f6f8fae664d274b3de5904a97ea070c77f32fe3838d69926aa7e9f19d3abaa4b81cc8684c9acc0b5d |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1869910.exe
| MD5 | b047020daecfcd4d6486280843970ca3 |
| SHA1 | 1126405fb85088855aa5c5b0a4fe8c53deff0d25 |
| SHA256 | 6347410a710cfe628661defb8efdb525f50735c3eeb0911a1b4c40888708bab8 |
| SHA512 | 78d6bbedafae407382fb5e27982c03d04c8036406742168203577974d0632915125324292665ff07e82ef42faeca5a24add5ac0ccf0ac7a5ced4152bfad44a65 |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v6266876.exe
| MD5 | 3700b23c6984dc6b04ae254478422acf |
| SHA1 | c96f67a6cd8c1c5c421a2f7268fdb0cbbcf5969d |
| SHA256 | 53432dba21043cefad2ee82a5077c1aea9238fa7a57f8701799c03717b27b344 |
| SHA512 | 5c9b84a799ae5178ff835fb31e8a9b986bd923fc6fa5d13aff1df33ed66f0eea4826066ec741b04deafd5370a08dbdf154668c3dfde2177c9b1378198fb1ce75 |
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a6918678.exe
| MD5 | 52a2bfba5bb378ef0d888bff0a0a9a4c |
| SHA1 | e407c2042a2751b2643c4ba379b37f5c98242c07 |
| SHA256 | 46aedf9813ed0c38fac92d5493e5dde9b57dbc6304456fc2ececa49e07feed65 |
| SHA512 | cd46b3f4f4165ddc64c3c87ad8ef0b855c032e8ecb863092b9fb08cd5885a31178f8538dfd447c4e0848cdf09cd7e2ce4e972c2ac4719cb60dd5c36ae8713ec8 |
memory/4976-35-0x0000000000560000-0x000000000059E000-memory.dmp
memory/4976-42-0x0000000002390000-0x0000000002391000-memory.dmp
memory/4976-41-0x0000000000560000-0x000000000059E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b0194431.exe
| MD5 | a489f76b1e20676c44e20a1265d95bd2 |
| SHA1 | 4adea8e3285c282db000d943bb98a5a7b9f797b7 |
| SHA256 | 4c2d887e30ef21d4754b422f989dd02647ffd5ecfeea4342034e646e914ea32d |
| SHA512 | 06b205ec385ac02692a039cff628c8c5dcc4d1e388a05d4bdc8ad6b7f6efc61a3caf8c9bd9f18d08f321a4e11d27932af8a0ca8bc60bf62d2dbf0a8075bbcfa3 |
memory/3960-48-0x0000000000080000-0x000000000008A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c9863785.exe
| MD5 | c0cb72fd5b63fa6a0e23311a69b60989 |
| SHA1 | bc1d486836b34d78d9169fec03e4b60433e1374c |
| SHA256 | 875aa2484a1a2abf76d5e4888f69df5ef6eac968473931e34bfd7a571eaa3a1d |
| SHA512 | a469239d9e7178b1127af703d1347670173ec45f446bc47e96b1edc8f6ecc1482de44d055a9183b8e9f441a9b0d1625da2b48d36392c919ca5be3ad6f542c805 |
memory/3876-54-0x0000000000590000-0x000000000061C000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\System.dll.log
| MD5 | 916851e072fbabc4796d8916c5131092 |
| SHA1 | d48a602229a690c512d5fdaf4c8d77547a88e7a2 |
| SHA256 | 7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d |
| SHA512 | 07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521 |
Analysis: behavioral23
Detonation Overview
Submitted
2024-05-10 13:04
Reported
2024-05-10 13:07
Platform
win7-20240508-en
Max time kernel
117s
Max time network
124s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\fb49b50c0d470063e9548552158ebf5137ca285f8cf0ccfe1a2ef2d44bbb4390.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2952 wrote to memory of 2476 | N/A | C:\Users\Admin\AppData\Local\Temp\fb49b50c0d470063e9548552158ebf5137ca285f8cf0ccfe1a2ef2d44bbb4390.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2952 wrote to memory of 2476 | N/A | C:\Users\Admin\AppData\Local\Temp\fb49b50c0d470063e9548552158ebf5137ca285f8cf0ccfe1a2ef2d44bbb4390.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2952 wrote to memory of 2476 | N/A | C:\Users\Admin\AppData\Local\Temp\fb49b50c0d470063e9548552158ebf5137ca285f8cf0ccfe1a2ef2d44bbb4390.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2952 wrote to memory of 2476 | N/A | C:\Users\Admin\AppData\Local\Temp\fb49b50c0d470063e9548552158ebf5137ca285f8cf0ccfe1a2ef2d44bbb4390.exe | C:\Windows\SysWOW64\WerFault.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\fb49b50c0d470063e9548552158ebf5137ca285f8cf0ccfe1a2ef2d44bbb4390.exe
"C:\Users\Admin\AppData\Local\Temp\fb49b50c0d470063e9548552158ebf5137ca285f8cf0ccfe1a2ef2d44bbb4390.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2952 -s 52
Network
Files
memory/2952-0-0x0000000000030000-0x0000000000031000-memory.dmp
memory/2952-1-0x0000000000030000-0x0000000000031000-memory.dmp
Analysis: behavioral24
Detonation Overview
Submitted
2024-05-10 13:04
Reported
2024-05-10 13:07
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
155s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4816 set thread context of 2732 | N/A | C:\Users\Admin\AppData\Local\Temp\fb49b50c0d470063e9548552158ebf5137ca285f8cf0ccfe1a2ef2d44bbb4390.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\fb49b50c0d470063e9548552158ebf5137ca285f8cf0ccfe1a2ef2d44bbb4390.exe
"C:\Users\Admin\AppData\Local\Temp\fb49b50c0d470063e9548552158ebf5137ca285f8cf0ccfe1a2ef2d44bbb4390.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | 24.19.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.121.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.143.182.52.in-addr.arpa | udp |
Files
Analysis: behavioral17
Detonation Overview
Submitted
2024-05-10 13:04
Reported
2024-05-10 13:07
Platform
win7-20240221-en
Max time kernel
122s
Max time network
128s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\e04ecd64b5614cc4103cdde760de6180002d85792ec28fa0beb64b385bf3f11b.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2020 wrote to memory of 2784 | N/A | C:\Users\Admin\AppData\Local\Temp\e04ecd64b5614cc4103cdde760de6180002d85792ec28fa0beb64b385bf3f11b.exe | C:\Windows\SysWOW64\WerFault.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\e04ecd64b5614cc4103cdde760de6180002d85792ec28fa0beb64b385bf3f11b.exe
"C:\Users\Admin\AppData\Local\Temp\e04ecd64b5614cc4103cdde760de6180002d85792ec28fa0beb64b385bf3f11b.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2020 -s 116
Network
Files
memory/2020-0-0x0000000000393000-0x0000000000395000-memory.dmp
Analysis: behavioral12
Detonation Overview
Submitted
2024-05-10 13:04
Reported
2024-05-10 13:08
Platform
win10v2004-20240226-en
Max time kernel
154s
Max time network
162s
Command Line
Signatures
Amadey
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6050394.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6050394.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6050394.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6050394.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6050394.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6050394.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
SmokeLoader
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b5038122.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2439283.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6626793.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6050394.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b5038122.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c9387752.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d9946860.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6050394.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\6ba0db3b66f5f3df269e1eb1b3241575d1ec8d58b19767274aae0af44946bbb3.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2439283.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6626793.exe | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c9387752.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c9387752.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c9387752.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6050394.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c9387752.exe | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c9387752.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6050394.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b5038122.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\6ba0db3b66f5f3df269e1eb1b3241575d1ec8d58b19767274aae0af44946bbb3.exe
"C:\Users\Admin\AppData\Local\Temp\6ba0db3b66f5f3df269e1eb1b3241575d1ec8d58b19767274aae0af44946bbb3.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2439283.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2439283.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6626793.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6626793.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6050394.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6050394.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b5038122.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b5038122.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=2660 --field-trial-handle=2244,i,11878111470816612087,2265290141962607370,262144 --variations-seed-version /prefetch:8
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
"C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe"
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c9387752.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c9387752.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN danke.exe /TR "C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "danke.exe" /P "Admin:N"&&CACLS "danke.exe" /P "Admin:R" /E&&echo Y|CACLS "..\3ec1f323b5" /P "Admin:N"&&CACLS "..\3ec1f323b5" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "danke.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "danke.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\3ec1f323b5" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\3ec1f323b5" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d9946860.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d9946860.exe
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
Network
| Country | Destination | Domain | Proto |
| GB | 216.58.201.106:443 | | tcp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| FI | 77.91.68.3:80 | | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| FI | 77.91.68.29:80 | | tcp |
| FI | 77.91.68.68:19071 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2439283.exe
| MD5 | 1867f755c2e50bec05eb667e0d0a1184 |
| SHA1 | 8fb81278c740f702f51a45a067b28c2b2564e2ed |
| SHA256 | f34e8c5cb56f19f07740954bfbda5b828aec62e6cb8d7cadbf1354b3f811c2d2 |
| SHA512 | 30148c0a3b0fc230fa4f455493319343186b7f9d71b33388133ab772ea0a10460d40514bda15486591f0da714904f7a1239c40274fd18fd19b8eb872c4be0cb3 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6626793.exe
| MD5 | f4707a9db7540780ee9da722fde3e0d8 |
| SHA1 | 38c1069235780f3b2132f28cf526557d418b62b5 |
| SHA256 | cb1f767773f8b86ba74d1fac8848b3130be3bc93cc3930e1d123abe7d9329de9 |
| SHA512 | 1e61b996234ad10e82753fdd995d3a87781b57585e4e24ea8bd11b506541bf57e2f4915f6ea6d8ed0665d23920a0e556723143cb0a4986a46c637f1d02431290 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6050394.exe
| MD5 | a74dd029101a25504d8fc7ca33c1adc2 |
| SHA1 | 22cc29079d98d3ff79f13b8ebf9a27c67757594e |
| SHA256 | 1361d5cc17da4688d29e0a60cdb9fe1669d80f3c999292e2467969cf898f3f84 |
| SHA512 | 2a6bb5b8fe48c838d9af2c95a32b69729e32ee0d2ce1fe35d281b286e910657a8792037d3a52b825d24d7e69730eff09f99ec549ecd3da6e4cb69a277a81f5d0 |
memory/3260-21-0x00007FFC22A33000-0x00007FFC22A35000-memory.dmp
memory/3260-22-0x0000000000620000-0x000000000062A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b5038122.exe
| MD5 | 787410f258f680e28c135ac0ecc645ca |
| SHA1 | 06505649a3c2729796b57e7de0869c8b5a2fd84c |
| SHA256 | 064ca5e3fc52bd168e29697fc755b7310781344cafad50e1cd14555e7255641e |
| SHA512 | 3c5c3d74569766c30fabe448ec04e1560de75ba10244c4179b0b19deda31ecf5207b7545b6e1c8411e2587409f7d5ca54f35cb04f2bcba109239f83d48294580 |
memory/3188-39-0x0000000000400000-0x0000000000409000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c9387752.exe
| MD5 | df6d3dd8d25c7c1afe3a7756ed9e9ecc |
| SHA1 | a66f386ff69133f8ba6478ae69d56b7880ac0177 |
| SHA256 | 9916aae975cc1b7af1360bc7de341ddc914a619eeb9cb468cc713147ca4e95f8 |
| SHA512 | 4c6ec99bd9b06fc4723aefd5a7a637f641aba4fca5d40ae89555a52ec286557675335f2d22ab83710c07a0cd93bbbbcb55614288b4a3cb436c484b7ba173d59b |
memory/3316-41-0x0000000002BF0000-0x0000000002C06000-memory.dmp
memory/3188-44-0x0000000000400000-0x0000000000409000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d9946860.exe
| MD5 | b787561ef39443cd949621f9c189edce |
| SHA1 | 6fa6607cb82c22e522547240c8fc40a69cc7c3f7 |
| SHA256 | 75fe759176072d5688b12d57a87b086cd843600351d953b9ae7672dfe407fc56 |
| SHA512 | 3fc333966851e5179410aee1b2cfc788d20ce8057af2f1205c2a15add8c77f87e474f404c5cf91d6b5f37e35270ff3596c8c22cfbde61e6b93766f37f575a59e |
Analysis: behavioral9
Detonation Overview
Submitted
2024-05-10 13:04
Reported
2024-05-10 13:07
Platform
win10v2004-20240508-en
Max time kernel
126s
Max time network
143s
Command Line
Signatures
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8518906.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8518906.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8518906.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8518906.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b6286603.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b6286603.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b6286603.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8518906.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8518906.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b6286603.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b6286603.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b6286603.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7479313.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7958004.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v2151231.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8518906.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b6286603.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c8826700.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8518906.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b6286603.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8518906.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\61f1416a771544600c2eb0122b2860693273306c4f450b6c7dc5af2a07a52b2b.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7479313.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7958004.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v2151231.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8518906.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b6286603.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8518906.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b6286603.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\61f1416a771544600c2eb0122b2860693273306c4f450b6c7dc5af2a07a52b2b.exe
"C:\Users\Admin\AppData\Local\Temp\61f1416a771544600c2eb0122b2860693273306c4f450b6c7dc5af2a07a52b2b.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7479313.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7479313.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7958004.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7958004.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v2151231.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v2151231.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8518906.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8518906.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b6286603.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b6286603.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c8826700.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c8826700.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.185:443 | www.bing.com | tcp |
| NL | 23.62.61.160:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 185.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 160.61.62.23.in-addr.arpa | udp |
| FI | 77.91.68.48:19071 | | tcp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7479313.exe
| MD5 | f322468f7b64cecefaf9a0f0faccce20 |
| SHA1 | 3d70724ebe7a280468c06cec4aeff4723eb530be |
| SHA256 | d0d0aa49f6e37875f9b5dd0f21ab7ea9a9a366ff47cf69e224a1aa6e5089a24c |
| SHA512 | b73f96b0eae3a1ca5da4a964cf56c7a991e5d30796a0f56bd6729dd4dfe542ed1053b7e0d3284bac2d5a1c7e646002fdf11866c094543e2e94847a9ed16b1fff |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7958004.exe
| MD5 | 208b54dec1def07b191289f2f777b350 |
| SHA1 | 10bf86ca447e4aa9d59a244824788350d4b4f071 |
| SHA256 | 09b9055edb7d51a08a4b7a7b2ee1d982379fff43c34637084fdd32a412a20974 |
| SHA512 | 06ebe2071211a221f939aa666849012f4d6e1b7855ff8e0df4bda2c0fe1430b564ad1d4209b945cfead695f1503a2dc57af84fae7bd1cf62e71691184a772b2e |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v2151231.exe
| MD5 | 4b1a2d09d57bf0b2fc99d5da960562d5 |
| SHA1 | d72c7391e795ee360ad860d870d03c58372e5d19 |
| SHA256 | df3d2938bcbf97d8977a8fe236a2471d529e1b484ba5090635dc3fec80b7b8e3 |
| SHA512 | 4a69463ab5fcb25140b9ce4fece0c2d0e7c3d2827d7d2addc26a38a8c9aeb1787837ade0084c578c46efa2d4b3c98b4fc0b645334796d40d2a73ea4e55d28684 |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8518906.exe
| MD5 | ae98a36da0e47b966ed93d845206ce38 |
| SHA1 | 1ea9b655c02f2073c92e4a010c25a2c5bcad1ed8 |
| SHA256 | 1c262ccffb16c31cdf0cc414038a3da52f58e209027e5a915f3b6e40be5d3bee |
| SHA512 | 975b325fdd9cf5f47778742bf53b10a2903caace94b69d59a16c7c8ade15e8bd7d29ed372269bdde0bf76ac8898771601549f993e69c9801ffc11da4168cb1dc |
memory/4616-28-0x0000000000640000-0x000000000064A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b6286603.exe
| MD5 | 7e93bacbbc33e6652e147e7fe07572a0 |
| SHA1 | 421a7167da01c8da4dc4d5234ca3dd84e319e762 |
| SHA256 | 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38 |
| SHA512 | 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91 |
memory/2516-37-0x0000000000970000-0x000000000097A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c8826700.exe
| MD5 | 066240575f50b7f5987e95a3be5d62dc |
| SHA1 | 3edf9ff59b4ee474b5d828763d9c4df55bd51179 |
| SHA256 | 5d78ef153cc6b04717c89d059e6b2c6200834f3945d6e762603d53c118bddfd5 |
| SHA512 | 702b9df12dcfb2038eb71e0286f1c6d036df628fee3b9c44b295bf5089ce07c88fd70ac44091eb092c941217a7437210ff792190706568d8608f3a689450d76c |
memory/4924-42-0x0000000000490000-0x00000000004C0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\System.dll.log
| MD5 | 916851e072fbabc4796d8916c5131092 |
| SHA1 | d48a602229a690c512d5fdaf4c8d77547a88e7a2 |
| SHA256 | 7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d |
| SHA512 | 07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521 |
Analysis: behavioral14
Detonation Overview
Submitted
2024-05-10 13:04
Reported
2024-05-10 13:07
Platform
win10v2004-20240426-en
Max time kernel
140s
Max time network
130s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setup.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setup.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\a8dffd83e4ed96b525aa095a5fdbe826aa6409b97419dc8c1ab463bac16a438a.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\A: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a8dffd83e4ed96b525aa095a5fdbe826aa6409b97419dc8c1ab463bac16a438a.exe
"C:\Users\Admin\AppData\Local\Temp\a8dffd83e4ed96b525aa095a5fdbe826aa6409b97419dc8c1ab463bac16a438a.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setup.cmd
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full" /v Release 2>nul
C:\Windows\SysWOW64\reg.exe
REG QUERY "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full" /v Release
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic product where name="FiatLink" call uninstall
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setup.exe
Setup.exe
C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\SysWOW64\msiexec.exe" -I "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\FiatLinkSetup.msi"
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 41476A10976E48F41C3A8A623BBAF52C C
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| NL | 23.62.61.57:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | evcs-ocsp.ws.symantec.com | udp |
| US | 152.199.19.74:80 | evcs-ocsp.ws.symantec.com | tcp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.19.199.152.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.121.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setup.cmd
| MD5 | 83a8232021f3f7690a57948dd1fd3f53 |
| SHA1 | 785cab55143c51cf13714c7c3827e0324a767b62 |
| SHA256 | 5bc380a39e687d214b52d425634db1490a44c4e56ae4be1658275a5282db00f0 |
| SHA512 | b9347fb089d2f81f61b40c830a578f47614e48da573ba318b020cc89dcfb65fd50a5dcfdba6e8bf6b5eb914ab441fd461db6ebadfa043b008e92018dee3383a1 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CheckNF.bat
| MD5 | 1f4c5332b3e3f7668c6c0fbd730ef6f7 |
| SHA1 | f68d224c39e3d472a4cadfbad6f9f3a57ae6f643 |
| SHA256 | 2f31c813c6d6c132fdfc1c09cf995944170db0a382f799d9dc32c249407e966c |
| SHA512 | df673b727e5853716de4803d2ce98054a46dfdbcfbb7a7523e8fc34aa4c7fbd3354ea5990e6abf511606bf917c3e50e3bb5489a0f10572dd9aa1e9dea23818ea |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setup.exe
| MD5 | a71a3c02f397b830524176f5e7545723 |
| SHA1 | d15dfb49314fd2de949b223837b14e9156355122 |
| SHA256 | 5a8925e95d243ffaeda81be2210fea56fa4e9626484cfadf59da95b485a17ddf |
| SHA512 | a3ba63d54c6afc715bb1e28c90d678ca4f3db6ff8e6a572d984f9c9efaa0fd83a512226aba06a0bf1bdab9780cf922c212b7a9be2e134cec0d395916978b0bb2 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\FiatLinkSetup.msi
| MD5 | 56869026644b80263adc10bba0e982f9 |
| SHA1 | bdaba3405adf504e32fae5abecc27fc6220f7241 |
| SHA256 | 223b118ec8bc03fcfa63a2cb530b1359eb288830de4b923b1457ce19c0523797 |
| SHA512 | ffe4b25bd5f08d665b46ed389b625de34e6c0c52b8a69471b3df269ed1ef47ddfccc99ade895a70539c5e38b571f2a778ba8827a5e518e503a295314c84ba263 |
C:\Users\Admin\AppData\Local\Temp\MSI7A7F.tmp
| MD5 | b05f77f77b0f12c6774adf5b1d039b44 |
| SHA1 | cbf3aa9477641cc0fc39fbecf0c3b6ff7dbb8487 |
| SHA256 | 344efb1f63e5ca99558a5b45e8462188447fef13252213761b61a2825919e410 |
| SHA512 | f93470597cb77156188de0f5675ae1e4d9b09f3b2ff744ad43b96fb2418e2452624a128c656fd5b26b435ac5dc8efaaaab52ad5dc9dc03017f67d1438da04305 |
Analysis: behavioral3
Detonation Overview
Submitted
2024-05-10 13:04
Reported
2024-05-10 13:07
Platform
win10v2004-20240508-en
Max time kernel
142s
Max time network
152s
Command Line
Signatures
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k5841347.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k5841347.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k5841347.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k5841347.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k5841347.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k5841347.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9740927.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k5841347.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l8089495.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k5841347.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k5841347.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\2c899ff55cbbdd4c5b9be75b0893daed295266b8392bd0365eb55f6acf67f731.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9740927.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k5841347.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k5841347.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k5841347.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2c899ff55cbbdd4c5b9be75b0893daed295266b8392bd0365eb55f6acf67f731.exe
"C:\Users\Admin\AppData\Local\Temp\2c899ff55cbbdd4c5b9be75b0893daed295266b8392bd0365eb55f6acf67f731.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9740927.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9740927.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k5841347.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k5841347.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4624,i,1999448010053300448,1112699187621658374,262144 --variations-seed-version --mojo-platform-channel-handle=3404 /prefetch:8
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l8089495.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l8089495.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| NL | 23.62.61.72:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.61.62.23.in-addr.arpa | udp |
| DE | 217.196.96.101:4132 | N/A | tcp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| DE | 217.196.96.101:4132 | N/A | tcp |
| US | 8.8.8.8:53 | 24.121.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| DE | 217.196.96.101:4132 | N/A | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| DE | 217.196.96.101:4132 | N/A | tcp |
| US | 8.8.8.8:53 | 11.179.89.13.in-addr.arpa | udp |
| DE | 217.196.96.101:4132 | N/A | tcp |
| DE | 217.196.96.101:4132 | N/A | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9740927.exe
| MD5 | 9bdf388e7097e941c78a00799f4f4782 |
| SHA1 | b7c8e585a79710202c51201e0a064a924a4960dc |
| SHA256 | 70a63809823a29da0e2c059f044c0eebb88b69b423048530558c4d81695821cc |
| SHA512 | 45a0b0cae69e4950f4b5e9f11ee97f5cd958f0d87c78a78f4f0c3cbf13457f1f7be99c0e6d78a0dbfab736d707fa16f1a846586a985d582644f09ee5585fa0d2 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k5841347.exe
| MD5 | 2abc60bf01928f91b0fd732fc843bded |
| SHA1 | 7c3fa32805ff83b21b9791085c19d91929d9da98 |
| SHA256 | be2409ec07808dd991d967c3a801f6bfc0849d8ac62fa13e6b6368277a9e2cff |
| SHA512 | faa77cb7adc0772a07e6822a73d8831bd892a18d44bdc880c48daa5ebcd7888fef918252b1170c03bfe43ec76d5de3ec04d1763cf21abe2095adc95869140748 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l8089495.exe
| MD5 | 0bc5f2797494eb6b5f6e022d890f153f |
| SHA1 | 9fbecbe0e9f8f2f3c9f343a75e9086476c153cf6 |
| SHA256 | f5aaa70292c55d01baabc02cfa987a86ebee42f448d2e1ec1909c8ce72670901 |
| SHA512 | 96d04febe6df69fa587c746330adefbe76a2cc8e2ac7aa34db80e13dbde5fa8a7544b91902d5bea73681fbd1910153653de26a2d756287269607340917a216fc |
Analysis: behavioral5
Detonation Overview
Submitted
2024-05-10 13:04
Reported
2024-05-10 13:08
Platform
win10v2004-20240426-en
Max time kernel
150s
Max time network
155s
Command Line
Signatures
Amadey
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p1280327.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p1280327.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p1280327.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p1280327.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p1280327.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p1280327.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r1561163.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4763657.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p1280327.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r1561163.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\t1649035.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p1280327.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\4250b0250d540350db8a017ad70a9992b46d70a0d5ab9438c3c0597af56f27ee.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4763657.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p1280327.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p1280327.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p1280327.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\4250b0250d540350db8a017ad70a9992b46d70a0d5ab9438c3c0597af56f27ee.exe
"C:\Users\Admin\AppData\Local\Temp\4250b0250d540350db8a017ad70a9992b46d70a0d5ab9438c3c0597af56f27ee.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4763657.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4763657.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p1280327.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p1280327.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r1561163.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r1561163.exe
C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe
"C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\t1649035.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\t1649035.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legola.exe /TR "C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legola.exe" /P "Admin:N"&&CACLS "legola.exe" /P "Admin:R" /E&&echo Y|CACLS "..\ebb444342c" /P "Admin:N"&&CACLS "..\ebb444342c" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "legola.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "legola.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\ebb444342c" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\ebb444342c" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe
C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe
C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe
C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe
C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe
C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| NL | 23.62.61.113:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 113.61.62.23.in-addr.arpa | udp |
| NL | 23.62.61.113:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| FI | 77.91.124.84:19071 | N/A | tcp |
| SE | 5.42.92.67:80 | N/A | tcp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| FI | 77.91.124.84:19071 | N/A | tcp |
| SE | 5.42.92.67:80 | N/A | tcp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| FI | 77.91.124.84:19071 | N/A | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| SE | 5.42.92.67:80 | N/A | tcp |
| FI | 77.91.124.84:19071 | N/A | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| FI | 77.91.124.84:19071 | N/A | tcp |
| FI | 77.91.124.84:19071 | N/A | tcp |
| US | 8.8.8.8:53 | N/A | udp |
| SE | 192.229.221.95:80 | N/A | tcp |
| US | 8.8.8.8:53 | N/A | udp |
Files
memory/1444-15-0x00007FFF45413000-0x00007FFF45415000-memory.dmp
memory/1444-14-0x00000000005E0000-0x00000000005EA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p1280327.exe
| MD5 | e3e75031d0e39505ed432a196cc418f5 |
| SHA1 | 13fad2d1ed1a5d2d47397a3d7ee024061bc3a690 |
| SHA256 | 0b7746585a83c221a064e3a81bd9885cdbb10de4bf3f3d0fd44421ecce838c48 |
| SHA512 | a46b44977b3e58e07ef67945ef72980d8fe5bceaf86f86e27173f6c96d4bda5cc8d8ddeac90eb417ee17427afba414abe570f26d18aee525fa8802eb64a2855a |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4763657.exe
| MD5 | d9607af6726ade173eff154940caf1b6 |
| SHA1 | d083816e1455d9b2964d007c9344f8739a26952a |
| SHA256 | 0d7b7b2df1c4380d28f39f6d1bf4574c393658df66eb6ae7e4da82556bf3d9a4 |
| SHA512 | 94cf37a2428dab11a6678987787e84cf67314aa74a5dff6b1457be180c3b7c0cf59371a538c2be4e20af34177c533d911008baf10067e610a46affb5620e289c |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r1561163.exe
| MD5 | eb3b429d21756dbe557fc8bcd82f4d64 |
| SHA1 | e621b5506d1d54d5fadef00aba0985d157e4b3fb |
| SHA256 | 779ef2f7698e7d637ff300bab9f7180aa4381bf7889d29dfc596a9298fa33887 |
| SHA512 | 7209c8d47d7923841002af9b9517fa14b375fb4f4dce238d12091e1ef8baf47215f30762e24f4e0a479454a95d105e060ac70227baabfc72ca7cf2355f03b3e4 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\t1649035.exe
| MD5 | 6031d2b63a9ba8752c1f761f764435a8 |
| SHA1 | ccbe4b4cc1ca749608ad0b5a9ba77b66e414cede |
| SHA256 | c4d3bee83333cdf60f6d329c2583643db4439db62583a5fa2d4eff17a1ae13e3 |
| SHA512 | 9fe233a0c6f44ad8ff160c007c6d81484e9afffdcbc707285594f9965821a961fe28754b4da2f5e34884abadbf00f5b347825450541d199700de9ff94b2c7bd8 |
C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe
| MD5 | 54a8ddd917aad5922314a32e9ce6d807 |
| SHA1 | 47153e68a66ce17a4c55f3925003612b8805715a |
| SHA256 | 41132963a75ab605421ac933968a3ec1df003f42380cec47372a973608b781f3 |
| SHA512 | 130246edce86f1c90203836a390aa0f77e3a8afa4387d569b65946fc562d754b98eddfe85a1b07e66ebddd52eb7f27a0bde5990f3b53a387924ca381a469292f |
Analysis: behavioral6
Detonation Overview
Submitted
2024-05-10 13:04
Reported
2024-05-10 13:07
Platform
win10v2004-20240508-en
Max time kernel
142s
Max time network
157s
Command Line
Signatures
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a1342500.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a1342500.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a1342500.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a1342500.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a1342500.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a1342500.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| 2 matches, no per-match detail recorded | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4391517.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a1342500.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b3543593.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a1342500.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a1342500.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\464a7168620633d6f4e27494eec6c1cedff2ae39e5ffda7f9913f43efd93bd38.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4391517.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a1342500.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a1342500.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a1342500.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\464a7168620633d6f4e27494eec6c1cedff2ae39e5ffda7f9913f43efd93bd38.exe
"C:\Users\Admin\AppData\Local\Temp\464a7168620633d6f4e27494eec6c1cedff2ae39e5ffda7f9913f43efd93bd38.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4391517.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4391517.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a1342500.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a1342500.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b3543593.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b3543593.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| NL | 23.62.61.75:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.61.62.23.in-addr.arpa | udp |
| DE | 217.196.96.101:4132 | | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.121.18.2.in-addr.arpa | udp |
| DE | 217.196.96.101:4132 | | tcp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| DE | 217.196.96.101:4132 | | tcp |
| DE | 217.196.96.101:4132 | | tcp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| DE | 217.196.96.101:4132 | | tcp |
| DE | 217.196.96.101:4132 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4391517.exe
| MD5 | 8067106c1a967b7bb5811be1ae14865c |
| SHA1 | 5c73dab5e1086c66477eec2ffc87f2d307c6c2e8 |
| SHA256 | 8bf51808036692b58c97fc2ad6b9831492c31663235b3c6a04fc5d1febdef994 |
| SHA512 | 69d7dc4f4584e1155e6b30f8a82af04c217512de3dcaa1867e673f9fcd1501f476040ef69cb176d4e00f08aaa3c05bc20104d9c462d7bb7c957e44993f623079 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a1342500.exe
| MD5 | fb624114dcc06c40c7d5a5dd6638c9e3 |
| SHA1 | 169dfd4765ce943492d1bc716e3c865bb21b2382 |
| SHA256 | d8c78b8289dbcba18306ffa4f2e5ce2cb545f767634849fbfde4c7b0d3d9f06c |
| SHA512 | db80b5fc4017036322cfbade1a5b5146cb41e1edc69d018204b380297f426f0c669fe8b8f8f401c8ad7fd967815c242e6fac7376f56f59eb7cb3ef4c05c27223 |
memory/916-14-0x0000000073DBE000-0x0000000073DBF000-memory.dmp
memory/916-15-0x0000000002490000-0x00000000024AA000-memory.dmp
memory/916-16-0x0000000004C80000-0x0000000005224000-memory.dmp
memory/916-18-0x0000000073DB0000-0x0000000074560000-memory.dmp
memory/916-17-0x0000000004AC0000-0x0000000004AD8000-memory.dmp
memory/916-38-0x0000000004AC0000-0x0000000004AD2000-memory.dmp
memory/916-46-0x0000000004AC0000-0x0000000004AD2000-memory.dmp
memory/916-47-0x0000000073DB0000-0x0000000074560000-memory.dmp
memory/916-44-0x0000000004AC0000-0x0000000004AD2000-memory.dmp
memory/916-48-0x0000000073DB0000-0x0000000074560000-memory.dmp
memory/916-42-0x0000000004AC0000-0x0000000004AD2000-memory.dmp
memory/916-40-0x0000000004AC0000-0x0000000004AD2000-memory.dmp
memory/916-36-0x0000000004AC0000-0x0000000004AD2000-memory.dmp
memory/916-34-0x0000000004AC0000-0x0000000004AD2000-memory.dmp
memory/916-32-0x0000000004AC0000-0x0000000004AD2000-memory.dmp
memory/916-30-0x0000000004AC0000-0x0000000004AD2000-memory.dmp
memory/916-28-0x0000000004AC0000-0x0000000004AD2000-memory.dmp
memory/916-26-0x0000000004AC0000-0x0000000004AD2000-memory.dmp
memory/916-24-0x0000000004AC0000-0x0000000004AD2000-memory.dmp
memory/916-23-0x0000000004AC0000-0x0000000004AD2000-memory.dmp
memory/916-20-0x0000000004AC0000-0x0000000004AD2000-memory.dmp
memory/916-19-0x0000000004AC0000-0x0000000004AD2000-memory.dmp
memory/916-50-0x0000000073DB0000-0x0000000074560000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b3543593.exe
| MD5 | b28f0616ae5d240ea35b31918179ecfe |
| SHA1 | 5c275f432426411ca46193a4e12bbe38b89c814c |
| SHA256 | 61d42fbe74bb90f8d932a8ad63ced2f82409b7cab8b3378aba0981d6c9f46dba |
| SHA512 | 527aa8f0e6045af3d85fa4537bd83d2977411dfd6d17a704e68f11afe1523f4cb302e1112d4acbc0aefb70b8008cb648930afaf135c5071036bd4b447d8946b7 |
memory/5064-54-0x0000000000200000-0x0000000000230000-memory.dmp
memory/5064-55-0x00000000049E0000-0x00000000049E6000-memory.dmp
memory/5064-56-0x0000000005230000-0x0000000005848000-memory.dmp
memory/5064-57-0x0000000004D90000-0x0000000004E9A000-memory.dmp
memory/5064-58-0x0000000004CC0000-0x0000000004CD2000-memory.dmp
memory/5064-59-0x0000000004D20000-0x0000000004D5C000-memory.dmp
memory/5064-60-0x0000000004EA0000-0x0000000004EEC000-memory.dmp
Analysis: behavioral18
Detonation Overview
Submitted
2024-05-10 13:04
Reported
2024-05-10 13:07
Platform
win10v2004-20240508-en
Max time kernel
94s
Max time network
152s
Command Line
Signatures
Rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 452 created 2568 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | C:\Windows\system32\sihost.exe |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3312 set thread context of 452 | N/A | C:\Users\Admin\AppData\Local\Temp\e04ecd64b5614cc4103cdde760de6180002d85792ec28fa0beb64b385bf3f11b.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Program crash
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dialer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dialer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dialer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dialer.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\sihost.exe
sihost.exe
C:\Users\Admin\AppData\Local\Temp\e04ecd64b5614cc4103cdde760de6180002d85792ec28fa0beb64b385bf3f11b.exe
"C:\Users\Admin\AppData\Local\Temp\e04ecd64b5614cc4103cdde760de6180002d85792ec28fa0beb64b385bf3f11b.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3312 -ip 3312
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3312 -s 320
C:\Windows\SysWOW64\dialer.exe
"C:\Windows\system32\dialer.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 452 -ip 452
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 452 -s 596
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 452 -ip 452
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 452 -s 568
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| NL | 23.62.61.185:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 185.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.121.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
Files
memory/3312-0-0x0000000000283000-0x0000000000285000-memory.dmp
memory/452-1-0x0000000000400000-0x000000000046D000-memory.dmp
memory/452-3-0x0000000000400000-0x000000000046D000-memory.dmp
memory/452-4-0x0000000000400000-0x000000000046D000-memory.dmp
memory/452-5-0x0000000004170000-0x0000000004570000-memory.dmp
memory/452-7-0x0000000004170000-0x0000000004570000-memory.dmp
memory/452-6-0x0000000004170000-0x0000000004570000-memory.dmp
memory/452-8-0x00007FFE95150000-0x00007FFE95345000-memory.dmp
memory/4628-11-0x0000000000840000-0x0000000000849000-memory.dmp
memory/452-12-0x0000000004170000-0x0000000004570000-memory.dmp
memory/452-10-0x0000000077990000-0x0000000077BA5000-memory.dmp
memory/4628-15-0x00000000027D0000-0x0000000002BD0000-memory.dmp
memory/4628-19-0x00000000027D0000-0x0000000002BD0000-memory.dmp
memory/452-20-0x0000000004170000-0x0000000004570000-memory.dmp
memory/4628-18-0x0000000077990000-0x0000000077BA5000-memory.dmp
memory/4628-16-0x00007FFE95150000-0x00007FFE95345000-memory.dmp
memory/4628-21-0x00000000027D0000-0x0000000002BD0000-memory.dmp
Analysis: behavioral13
Detonation Overview
Submitted
2024-05-10 13:04
Reported
2024-05-10 13:07
Platform
win10v2004-20240426-en
Max time kernel
149s
Max time network
152s
Command Line
Signatures
Amadey
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| 2 matches, no per-match detail recorded | N/A | N/A | N/A |
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h3094357.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h3094357.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h3094357.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h3094357.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h3094357.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h3094357.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| 2 matches, no per-match detail recorded | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g1028562.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2466934.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g1028562.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h3094357.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j1568602.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h3094357.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\8b549a868852eb291819180cd971dd7b163003efa16b8efacf685d2d5f879a5b.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2466934.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h3094357.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h3094357.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h3094357.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\8b549a868852eb291819180cd971dd7b163003efa16b8efacf685d2d5f879a5b.exe
"C:\Users\Admin\AppData\Local\Temp\8b549a868852eb291819180cd971dd7b163003efa16b8efacf685d2d5f879a5b.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2466934.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2466934.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g1028562.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g1028562.exe
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
"C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe"
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h3094357.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h3094357.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN danke.exe /TR "C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "danke.exe" /P "Admin:N"&&CACLS "danke.exe" /P "Admin:R" /E&&echo Y|CACLS "..\3ec1f323b5" /P "Admin:N"&&CACLS "..\3ec1f323b5" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "danke.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "danke.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\3ec1f323b5" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\3ec1f323b5" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j1568602.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j1568602.exe
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
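The process list above records the Amadey persistence pair for danke.exe: a scheduled task that re-launches the copy every minute (`/SC MINUTE /MO 1`, `/F` overwriting any task of the same name), then a cmd.exe chain that replaces the ACL on the file and its directory with `Admin:N` (the `echo Y|` answers cacls' confirmation prompt, because `/P` without `/E` replaces the whole ACL) and edits `Admin:R` back in, leaving the user with read-only access so an ordinary delete or overwrite fails until the ACL is repaired. The following is an added example, written by the editor and not part of the report or of Amadey, that parses those two command lines into structured facts. The command lines are copied from the list above; the switch parsing follows the documented schtasks.exe and cacls.exe syntax, and the schedule-unit table is an assumption limited to the units handled here.

```python
"""Parse the schtasks.exe and cacls.exe persistence commands from behavioral13.

Added example (editor-written, not from the sandbox report or from Amadey).
SCHTASKS_CMD and CACLS_CMD are copied from the report's process list; the
tokenizer and the SCHEDULE_SECONDS table are this example's own.
"""
import re
from dataclasses import dataclass
from typing import Optional

SCHTASKS_CMD = (r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 '
                r'/TN danke.exe /TR "C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe" /F')
CACLS_CMD = (r'"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "danke.exe" /P "Admin:N"'
             r'&&CACLS "danke.exe" /P "Admin:R" /E'
             r'&&echo Y|CACLS "..\3ec1f323b5" /P "Admin:N"'
             r'&&CACLS "..\3ec1f323b5" /P "Admin:R" /E&&Exit')

TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')
SCHEDULE_SECONDS = {"MINUTE": 60, "HOURLY": 3600, "DAILY": 86400}  # assumption: units seen here


def tokenize(cmdline: str) -> list:
    """Split on whitespace, keeping double-quoted arguments whole (quotes dropped)."""
    return [quoted or bare for quoted, bare in TOKEN_RE.findall(cmdline)]


@dataclass
class ScheduledTask:
    name: str
    schedule: str
    modifier: int
    command: str
    force: bool

    def interval_seconds(self) -> int:
        return SCHEDULE_SECONDS.get(self.schedule, 0) * self.modifier


def parse_schtasks(cmdline: str) -> Optional[ScheduledTask]:
    """Return the task a `schtasks /Create` line registers, or None for anything else."""
    toks = tokenize(cmdline)
    if not toks or not toks[0].lower().endswith("schtasks.exe"):
        return None
    opts, flags, i = {}, set(), 1
    while i < len(toks):
        switch = toks[i].upper()
        if switch in ("/SC", "/MO", "/TN", "/TR") and i + 1 < len(toks):
            opts[switch] = toks[i + 1]
            i += 2
        else:
            flags.add(switch)
            i += 1
    if "/CREATE" not in flags:
        return None
    return ScheduledTask(name=opts.get("/TN", ""), schedule=opts.get("/SC", "").upper(),
                         modifier=int(opts.get("/MO", "1")), command=opts.get("/TR", ""),
                         force="/F" in flags)


@dataclass
class AclOp:
    target: str
    user: str
    perm: str    # cacls letters: N none, R read, W write, C change, F full
    edit: bool   # /E edits the ACL in place; without it cacls replaces the whole ACL


def parse_cacls_chain(cmdline: str) -> list:
    """Walk a `cmd /k a&&b&&c` chain, drop the `echo Y|` that answers the
    confirmation prompt, and collect each `CACLS <target> /P user:perm [/E]`."""
    ops = []
    for segment in cmdline.split("&&"):
        toks = tokenize(segment.split("|")[-1].strip())
        if len(toks) < 2 or toks[0].upper() != "CACLS":
            continue
        target, edit = toks[1], any(t.upper() == "/E" for t in toks)
        for i, tok in enumerate(toks):
            if tok.upper() == "/P" and i + 1 < len(toks):
                user, _, perm = toks[i + 1].partition(":")
                ops.append(AclOp(target, user, perm, edit))
    return ops


def effective_acls(ops) -> dict:
    """Replay the operations: a replace (/P without /E) wipes the target's entries
    before applying its own, an edit changes only the named user's entry."""
    acls = {}
    for op in ops:
        if not op.edit:
            acls[op.target] = {}
        acls.setdefault(op.target, {})[op.user] = op.perm
    return acls


def self_locked_targets(ops) -> list:
    """Targets whose resulting entries grant nothing above Read: the dropper has
    taken away the current user's ability to delete or modify its own copy."""
    return [t for t, acl in effective_acls(ops).items()
            if acl and set(acl.values()) <= {"R", "N"}]


if __name__ == "__main__":
    task = parse_schtasks(SCHTASKS_CMD)
    print(f"task {task.name}: every {task.interval_seconds()}s -> {task.command}")
    print("read-only lockdown:", self_locked_targets(parse_cacls_chain(CACLS_CMD)))
```

An administrator can still take ownership and reset the ACL; the lockdown only defeats the ordinary delete that a user or a naive cleanup script would attempt. The one-minute task is the stronger hunting signal: a `/SC MINUTE /MO 1` task whose `/TR` points into `%LOCALAPPDATA%\Temp` is rare in legitimate software.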
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| FI | 77.91.68.3:80 | | tcp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| NL | 23.62.61.72:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.61.62.23.in-addr.arpa | udp |
| NL | 23.62.61.72:443 | www.bing.com | tcp |
| FI | 77.91.68.68:19071 | | tcp |
| FI | 77.91.68.68:19071 | | tcp |
| FI | 77.91.68.3:80 | | tcp |
| FI | 77.91.68.68:19071 | | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| FI | 77.91.68.3:80 | | tcp |
| FI | 77.91.68.68:19071 | | tcp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| FI | 77.91.68.3:80 | | tcp |
| FI | 77.91.68.68:19071 | | tcp |
| FI | 77.91.68.3:80 | | tcp |
| FI | 77.91.68.68:19071 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2466934.exe
| MD5 | 15fb4786a2f674c7576ff4150828ae51 |
| SHA1 | 71dc0a584da2277291d73acd6862ea5e187d0c10 |
| SHA256 | 3f6b4f35bbb4e5e4a0af042fa4b811ecc1d56e4f74c435460ee9772b0149743e |
| SHA512 | 0211b2529bffb8ca57c01e6505e8af1788db85f7d691b367e1ffa0e4b5b368eb5e7176668cb7e0970ea20f4f1ce51f6ebbecfe1d85b915e393942b0a4b0ae32c |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g1028562.exe
| MD5 | 8c6b79ec436d7cf6950a804c1ec7d3e9 |
| SHA1 | 4a589d5605d8ef785fdc78b0bf64e769e3a21ad6 |
| SHA256 | 4e1377f9874f333dcb0b1b758e3131949e667fc39aadf3091e4e3b7cdbaeef1d |
| SHA512 | 06f2de433876963bb7bbddbe93cab0b7dd22164d1c10726294445944dcf5fa4a0fb450fc683c32565177a81a6103f6a5f11d291958bc7fcff7fdb9cf41a001ce |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h3094357.exe
| MD5 | 7e93bacbbc33e6652e147e7fe07572a0 |
| SHA1 | 421a7167da01c8da4dc4d5234ca3dd84e319e762 |
| SHA256 | 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38 |
| SHA512 | 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91 |
memory/884-27-0x0000000000DF0000-0x0000000000DFA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j1568602.exe
| MD5 | 45c91a14170a0e302dd52df2938617aa |
| SHA1 | cc88a849ff3e75b46a2a0c4e7a69ede018ec254e |
| SHA256 | 1baba3253f3576a5314576f444a3353b4d6c5b34c3e296b8f9fc9d6c8264a1dd |
| SHA512 | 70c370676a4d3f7d95f640aa8894573eea2212d8a2b0da1b4a0a8ec3ac90fc23414fe8200feb156f30efceaba994c6ab2082216773a0d284f63d7dacb86f4b06 |
memory/2324-32-0x0000000000ED0000-0x0000000000F00000-memory.dmp
memory/2324-33-0x00000000031A0000-0x00000000031A6000-memory.dmp
memory/2324-35-0x000000000AD40000-0x000000000AE4A000-memory.dmp
memory/2324-36-0x000000000AC80000-0x000000000AC92000-memory.dmp
memory/2324-37-0x000000000ACE0000-0x000000000AD1C000-memory.dmp
memory/2324-34-0x000000000B240000-0x000000000B858000-memory.dmp
memory/2324-38-0x0000000003060000-0x00000000030AC000-memory.dmp
Analysis: behavioral21
Detonation Overview
Submitted
2024-05-10 13:04
Reported
2024-05-10 13:07
Platform
win10v2004-20240426-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| 17 matches, no per-match detail recorded | N/A | N/A | N/A |
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2001440.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2001440.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2001440.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2001440.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2001440.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2001440.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| 2 matches, no per-match detail recorded | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8516316.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2001440.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l7564883.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2001440.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2001440.exe | N/A |
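The Healer component behaves the same way in behavioral6 (a1342500.exe), behavioral13 (h3094357.exe) and behavioral21 (k2001440.exe): five `Disable*` values set to 1 under `Policies\Microsoft\Windows Defender\Real-Time Protection`, plus `Windows Defender\Features\TamperProtection` set to 0. Two details matter for detection. behavioral6 and behavioral21 record the policy key under `WOW6432Node` while behavioral13 records the native path, so a rule keyed on the literal path will miss one of the two forms. And the sandbox records the write, not its effect: on a host where Tamper Protection is enabled, Defender blocks these changes from taking effect, so the rows are evidence of intent rather than of a disabled engine. The following is an added example, written by the editor and not part of the sandbox report or of any product's detection logic, that normalises both path forms and folds the rows into one finding per writing process. SAMPLE_ROWS is constructed from the tables above; the (description, indicator, process) tuple layout is an assumption of this example.

```python
"""Fold Defender-tamper registry rows into one finding per writing process.

Added example (editor-written, not part of the sandbox report). SAMPLE_ROWS
is constructed from the report's "Modifies Windows Defender Real-time
Protection settings" and "Windows security modification" tables; the row
tuple layout is this example's assumption.
"""
import re
from dataclasses import dataclass, field

K2001440 = r"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2001440.exe"   # behavioral21
H3094357 = r"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h3094357.exe"   # behavioral13
WOW_RTP = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection"
NATIVE_RTP = r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"

SAMPLE_ROWS = [
    ("Key created", WOW_RTP, K2001440),
    ("Set value (int)", WOW_RTP + r'\DisableScanOnRealtimeEnable = "1"', K2001440),
    ("Set value (int)", WOW_RTP + r'\DisableBehaviorMonitoring = "1"', K2001440),
    ("Set value (int)", WOW_RTP + r'\DisableIOAVProtection = "1"', K2001440),
    ("Set value (int)", WOW_RTP + r'\DisableOnAccessProtection = "1"', K2001440),
    ("Set value (int)", WOW_RTP + r'\DisableRealtimeMonitoring = "1"', K2001440),
    ("Set value (int)",
     r'\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"',
     K2001440),
    # behavioral13 wrote the native (non-WOW6432Node) policy path
    ("Set value (int)", NATIVE_RTP + r'\DisableRealtimeMonitoring = "1"', H3094357),
    # constructed negative case: the same value written as "0" is not a finding
    ("Set value (int)", NATIVE_RTP + r'\DisableBehaviorMonitoring = "0"', H3094357),
]

RTP_POLICY_SUFFIX = r"\policies\microsoft\windows defender\real-time protection"
FEATURES_SUFFIX = r"\microsoft\windows defender\features"
RTP_DISABLE_VALUES = {
    "DisableRealtimeMonitoring",
    "DisableBehaviorMonitoring",
    "DisableIOAVProtection",
    "DisableOnAccessProtection",
    "DisableScanOnRealtimeEnable",
}
# "<key path>\<value name> = "<data>""  (the report's indicator format)
SET_RE = re.compile(r'^(?P<path>.+)\\(?P<name>[^\\]+) = "(?P<data>[^"]*)"$')


def normalize_key(path: str) -> str:
    """Map \\REGISTRY\\MACHINE\\... to hklm\\..., drop the WOW6432Node redirection
    component and lower-case, so the 32-bit and native forms compare equal."""
    p = path.lower()
    if p.startswith("\\registry\\machine\\"):
        p = "hklm\\" + p[len("\\registry\\machine\\"):]
    return p.replace("\\wow6432node\\", "\\")


@dataclass
class DefenderTamper:
    process: str
    disabled_rtp: set = field(default_factory=set)   # Real-Time Protection values set to "1"
    tamper_protection_off: bool = False              # Features\TamperProtection = "0"

    def summary(self) -> str:
        parts = sorted(self.disabled_rtp)
        if self.tamper_protection_off:
            parts.append("TamperProtection=0")
        return f"{self.process}: " + ", ".join(parts)


def analyse(rows) -> list:
    """One DefenderTamper per process that disabled a real-time protection
    component or cleared the TamperProtection feature flag."""
    findings = {}
    for description, indicator, process in rows:
        if not description.startswith("Set value"):
            continue                      # "Key created" rows carry no value
        m = SET_RE.match(indicator)
        if m is None:
            continue
        key, name, data = normalize_key(m["path"]), m["name"], m["data"]
        hit = findings.setdefault(process, DefenderTamper(process))
        if key.endswith(RTP_POLICY_SUFFIX) and name in RTP_DISABLE_VALUES and data == "1":
            hit.disabled_rtp.add(name)
        elif key.endswith(FEATURES_SUFFIX) and name == "TamperProtection" and data == "0":
            hit.tamper_protection_off = True
    return [f for f in findings.values() if f.disabled_rtp or f.tamper_protection_off]


if __name__ == "__main__":
    for finding in analyse(SAMPLE_ROWS):
        print(finding.summary())
```

On a live host the same normalisation applies to Sysmon event 13 (RegistryEvent value set) or the equivalent EDR telemetry, where the key path arrives in the `\REGISTRY\MACHINE\...` form shown here; the writing process being an unsigned binary under `%TEMP%\IXP00x.TMP` is the second half of the rule.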
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\eab14d8dada2d5205db79e415c61561de2646a3a67f4615bfffa2f0c272f8738.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8516316.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2001440.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2001440.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2001440.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\eab14d8dada2d5205db79e415c61561de2646a3a67f4615bfffa2f0c272f8738.exe
"C:\Users\Admin\AppData\Local\Temp\eab14d8dada2d5205db79e415c61561de2646a3a67f4615bfffa2f0c272f8738.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8516316.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8516316.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2001440.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2001440.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l7564883.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l7564883.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| DE | 217.196.96.101:4132 | | tcp |
| NL | 23.62.61.75:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 75.61.62.23.in-addr.arpa | udp |
| NL | 23.62.61.75:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.121.18.2.in-addr.arpa | udp |
| DE | 217.196.96.101:4132 | | tcp |
| DE | 217.196.96.101:4132 | | tcp |
| DE | 217.196.96.101:4132 | | tcp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| DE | 217.196.96.101:4132 | | tcp |
| DE | 217.196.96.101:4132 | | tcp |
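Across the four network tables in this section the rows fall into three groups: the sandbox's own resolver traffic to 8.8.8.8:53 and its reverse lookups (`*.in-addr.arpa`), Bing background connections that appear in every run, and the connections the samples themselves make, which go to bare IPs with no DNS name on ports such as 4132 and 19071 (behavioral6 and behavioral21 to 217.196.96.101, behavioral13 to 77.91.68.3:80 and 77.91.68.68:19071). behavioral18, whose injected RegAsm.exe crashed, has only the first two groups. The following is an added example, written by the editor and not part of the sandbox report, that reduces such a table to the destinations worth pivoting on. SAMPLE_TABLE is a constructed subset of the behavioral13 and behavioral21 rows, deliberately including the page's short row form with the Domain cell missing; the benign-suffix list is this example's own allow-list for the sandbox's background traffic, not a general one.

```python
"""Reduce a sandbox network table to candidate C2 destinations.

Added example (editor-written, not part of the sandbox report). SAMPLE_TABLE
is a constructed subset of the behavioral13 and behavioral21 tables above;
BENIGN_SUFFIXES is this example's allow-list for the sandbox's own traffic.
"""
from collections import Counter
from dataclasses import dataclass

SAMPLE_TABLE = """\
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| FI | 77.91.68.3:80 | | tcp |
| NL | 23.62.61.72:443 | www.bing.com | tcp |
| FI | 77.91.68.68:19071 | | tcp |
| FI | 77.91.68.68:19071 | | tcp |
| FI | 77.91.68.3:80 | | tcp |
| DE | 217.196.96.101:4132 | | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| DE | 217.196.96.101:4132 | tcp |
"""

BENIGN_SUFFIXES = (".bing.com", ".bing.net")   # sandbox background traffic in every run here
STANDARD_PORTS = {80, 443}


@dataclass(frozen=True)
class Conn:
    country: str
    ip: str
    port: int
    domain: str
    proto: str


def parse_table(text: str) -> list:
    """Parse `| Country | Destination | Domain | Proto |` rows; a three-cell row is
    read as the page's form with the empty Domain cell dropped."""
    conns = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if not cells or cells[0] == "Country":
            continue
        if len(cells) == 3:
            cells.insert(2, "")
        if len(cells) != 4:
            continue
        country, dest, domain, proto = cells
        ip, _, port = dest.rpartition(":")
        conns.append(Conn(country, ip, int(port), domain, proto.lower()))
    return conns


def is_noise(c: Conn) -> bool:
    """Resolver traffic, reverse lookups and the sandbox's Bing background connections."""
    if c.port == 53 and c.proto == "udp":
        return True
    if c.domain.endswith(".in-addr.arpa"):
        return True
    return c.domain.endswith(BENIGN_SUFFIXES)


def candidates(conns) -> dict:
    """Hit count per `ip:port` for everything that is not noise."""
    return dict(Counter(f"{c.ip}:{c.port}" for c in conns if not is_noise(c)))


def annotate(conns) -> dict:
    """Per candidate: hits, country, whether every hit was direct-to-IP (no DNS
    name), and whether the port is outside 80/443."""
    info = {}
    for c in conns:
        if is_noise(c):
            continue
        key = f"{c.ip}:{c.port}"
        entry = info.setdefault(key, {"hits": 0, "country": c.country, "no_domain": True,
                                      "nonstandard_port": c.port not in STANDARD_PORTS})
        entry["hits"] += 1
        if c.domain:
            entry["no_domain"] = False
    return info


if __name__ == "__main__":
    for dest, entry in sorted(annotate(parse_table(SAMPLE_TABLE)).items(),
                              key=lambda kv: -kv[1]["hits"]):
        print(dest, entry)
```

The `no_domain` and `nonstandard_port` flags are what separate 217.196.96.101:4132 and 77.91.68.68:19071 from the Bing rows; 77.91.68.3:80 has a standard port but is still direct-to-IP and shares a /24 with the 19071 endpoint, which is the kind of pairing (plain HTTP for Amadey's check-in, a second port for the stealer's data) worth blocking as a pair rather than individually.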
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8516316.exe
| MD5 | 216c883d69e5b676dadcbbc3c49b2ea7 |
| SHA1 | bd25ba694b75cfc5c747073abbe9344001c05d48 |
| SHA256 | cd05c707896cf6721f13c5f314b2a73e413a8bc42acd0b01164a2d36426728c7 |
| SHA512 | b3b74dea447966ffde82d33e7ae96df894e8145a431eb795af1d882358814ceafc2b22406a522c114a6abcd9b43f2ee166f6c492ed1194aab257b314c3bb5120 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2001440.exe
| MD5 | 769430943362861334421dba770826e7 |
| SHA1 | f4452cae4df613a4a7cb22da4ff12a671e0debb4 |
| SHA256 | 9eb85dd00a91711de4dbcb01f144368839954d6ec1bdc80bf3df63123b55089d |
| SHA512 | a33420ec4fdda34810b86899b12d38449a85af6b46ac88d630b71bd92f5e9f74fad13b0f51d948bbd3de43d060632af5b81deffb692a5e3e4e6a327614434741 |
memory/2904-14-0x0000000073C3E000-0x0000000073C3F000-memory.dmp
memory/2904-15-0x00000000021A0000-0x00000000021BA000-memory.dmp
memory/2904-16-0x0000000004BE0000-0x0000000005184000-memory.dmp
memory/2904-18-0x0000000073C30000-0x00000000743E0000-memory.dmp
memory/2904-17-0x00000000024A0000-0x00000000024B8000-memory.dmp
memory/2904-38-0x00000000024A0000-0x00000000024B2000-memory.dmp
memory/2904-46-0x00000000024A0000-0x00000000024B2000-memory.dmp
memory/2904-44-0x00000000024A0000-0x00000000024B2000-memory.dmp
memory/2904-42-0x00000000024A0000-0x00000000024B2000-memory.dmp
memory/2904-40-0x00000000024A0000-0x00000000024B2000-memory.dmp
memory/2904-32-0x00000000024A0000-0x00000000024B2000-memory.dmp
memory/2904-30-0x00000000024A0000-0x00000000024B2000-memory.dmp
memory/2904-47-0x0000000073C30000-0x00000000743E0000-memory.dmp
memory/2904-28-0x00000000024A0000-0x00000000024B2000-memory.dmp
memory/2904-26-0x00000000024A0000-0x00000000024B2000-memory.dmp
memory/2904-24-0x00000000024A0000-0x00000000024B2000-memory.dmp
memory/2904-48-0x0000000073C30000-0x00000000743E0000-memory.dmp
memory/2904-22-0x00000000024A0000-0x00000000024B2000-memory.dmp
memory/2904-20-0x00000000024A0000-0x00000000024B2000-memory.dmp
memory/2904-19-0x00000000024A0000-0x00000000024B2000-memory.dmp
memory/2904-36-0x00000000024A0000-0x00000000024B2000-memory.dmp
memory/2904-34-0x00000000024A0000-0x00000000024B2000-memory.dmp
memory/2904-50-0x0000000073C30000-0x00000000743E0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l7564883.exe
| MD5 | c89a4c50b55d8b6f3a41d465a1aec944 |
| SHA1 | 5ffbb28b771af6bc8f9f327294605c4bb4edfa65 |
| SHA256 | b1266f818eaf91dfe5c7aa2deaf6a428374e2bee21deffb52a3b1c22a49b8759 |
| SHA512 | 29d7856defe832254a4e0f5d90ada57090bb9f960a8d53deb49273702e3eee04bfe25ac7c0ea1367a76687a1061e16302dcb6147bed30acec4901a2c83418d12 |
memory/4956-55-0x0000000002F10000-0x0000000002F16000-memory.dmp
memory/4956-54-0x0000000000C20000-0x0000000000C50000-memory.dmp
memory/4956-56-0x000000000AFA0000-0x000000000B5B8000-memory.dmp
memory/4956-58-0x000000000A9C0000-0x000000000A9D2000-memory.dmp
memory/4956-57-0x000000000AA90000-0x000000000AB9A000-memory.dmp
memory/4956-59-0x000000000AA20000-0x000000000AA5C000-memory.dmp
memory/4956-60-0x0000000004F70000-0x0000000004FBC000-memory.dmp