Malware Analysis Report

2025-01-23 07:40

Sample ID 241104-q5q5aatjgq
Target 03a2cd59ebe842f8e4c549c1da8900db5ba8b67b9da4e71514bc5828f7abb0a4
SHA256 03a2cd59ebe842f8e4c549c1da8900db5ba8b67b9da4e71514bc5828f7abb0a4
Tags: amadey healer redline 9c0adb discovery dropper evasion infostealer persistence trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256

03a2cd59ebe842f8e4c549c1da8900db5ba8b67b9da4e71514bc5828f7abb0a4

Threat Level: Known bad

The file 03a2cd59ebe842f8e4c549c1da8900db5ba8b67b9da4e71514bc5828f7abb0a4 was found to be: Known bad.

Malicious Activity Summary

Amadey family

RedLine

Healer

Redline family

Detects Healer an antivirus disabler dropper

Modifies Windows Defender Real-time Protection settings

RedLine payload

Amadey

Healer family

Windows security modification

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Adds Run key to start application

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-04 13:50

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-04 13:50

Reported

2024-11-04 13:53

Platform

win7-20241010-en

Max time kernel

146s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\03a2cd59ebe842f8e4c549c1da8900db5ba8b67b9da4e71514bc5828f7abb0a4.exe"

Signatures

Amadey

trojan amadey

Amadey family

amadey

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az503960.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az503960.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az503960.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az503960.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az503960.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az503960.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Redline family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az503960.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az503960.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\03a2cd59ebe842f8e4c549c1da8900db5ba8b67b9da4e71514bc5828f7abb0a4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki436607.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki586823.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki970331.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki436607.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cf554524.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\03a2cd59ebe842f8e4c549c1da8900db5ba8b67b9da4e71514bc5828f7abb0a4.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki970331.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu062300.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki586823.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az503960.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az503960.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cf554524.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu062300.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2328 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\03a2cd59ebe842f8e4c549c1da8900db5ba8b67b9da4e71514bc5828f7abb0a4.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki436607.exe
PID 2512 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki436607.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki586823.exe
PID 2944 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki586823.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki970331.exe
PID 2884 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki970331.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az503960.exe
PID 2884 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki970331.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu062300.exe
PID 2840 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu062300.exe C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
PID 2944 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki586823.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cf554524.exe
PID 2544 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 2544 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 2824 wrote to memory of 1352 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\03a2cd59ebe842f8e4c549c1da8900db5ba8b67b9da4e71514bc5828f7abb0a4.exe

"C:\Users\Admin\AppData\Local\Temp\03a2cd59ebe842f8e4c549c1da8900db5ba8b67b9da4e71514bc5828f7abb0a4.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki436607.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki436607.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki586823.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki586823.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki970331.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki970331.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az503960.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az503960.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu062300.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu062300.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

"C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cf554524.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cf554524.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\cb7ae701b3" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\cb7ae701b3" /P "Admin:R" /E

C:\Windows\system32\taskeng.exe

taskeng.exe {D9C21B1B-5AFE-4F16-BA89-CF26A3AC0561} S-1-5-21-3692679935-4019334568-335155002-1000:BCXRJFKE\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Network

Country Destination Domain Proto
RU 193.3.19.154:80 tcp
RU 185.161.248.142:38452 tcp

Files

memory/2328-0-0x00000000044E0000-0x00000000045EA000-memory.dmp

memory/2328-1-0x00000000044E0000-0x00000000045EA000-memory.dmp

memory/2328-2-0x00000000045F0000-0x0000000004703000-memory.dmp

memory/2328-3-0x0000000000400000-0x0000000000517000-memory.dmp

\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki436607.exe

MD5 cec1ce5318555d73f57204ffa15da4f4
SHA1 8e7ecd5aa0e6b005fbea795900618e94b2880674
SHA256 5d5ffc47ae1d8ded67771c9d546a13793a0622cb98f5238d4069866f84a6f7bc
SHA512 2eb122871e256625688e9470d19518cb195ec233b018d0890a7d065403a3c5630ea9a049de48adfcb5d88cfb3f25b6674e1fc90191c48aea31194c616894ad26

\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki586823.exe

MD5 4ae31f6e2fe3b5635820cc5936ce08c2
SHA1 78399a6911db1a73d83bb61df042a7b3b087e705
SHA256 7e8a5f1286d45a482013057e9aa18e9cfc1adc9237a32882683995241712d04b
SHA512 a5e376db14e26924139ce3dadcb1e3f8390f6e475948aca693f8d9936392134c4ebd8724950e0c46f9cb197fc2c0e4e8d0f286db892c990e099e0dd4f6f60091

\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki970331.exe

MD5 336f38a46355bec86647c050e5457b7f
SHA1 8b5c06095b8f340abe622b75df17715cdec1515f
SHA256 c2acc3656220a7b5c1c4c5009680d326f439daff81f5269d9a45c54a20867f7f
SHA512 b6772ca9bcc9bed3fe52d167a28d1ab803be9b3daeefdf325909c6edb9cc85837fb1ea2d95b8b123945e642f342a04b9b13ba264ae75e3f6f0bf7021444d8cc7

\Users\Admin\AppData\Local\Temp\IXP003.TMP\az503960.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

memory/2888-42-0x00000000008B0000-0x00000000008BA000-memory.dmp

memory/2328-43-0x00000000044E0000-0x00000000045EA000-memory.dmp

memory/2328-45-0x00000000045F0000-0x0000000004703000-memory.dmp

memory/2328-44-0x0000000000400000-0x0000000002C9C000-memory.dmp

memory/2328-46-0x0000000000400000-0x0000000000517000-memory.dmp

\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu062300.exe

MD5 1304f384653e08ae497008ff13498608
SHA1 d9a76ed63d74d4217c5027757cb9a7a0d0093080
SHA256 2a9dabab35fb09085750e1cc762e32b0fe4cbd7ed4276ef7e68ba159ae330eaa
SHA512 4138217fd538e827c89db5c0cd4ea21bd8c8d3a7196d2eabf10412caf7b929479e768747df5fd92fc022d758f1840474530ba82dcb7e8672cc6eb88caeaf38c1

\Users\Admin\AppData\Local\Temp\IXP002.TMP\cf554524.exe

MD5 f8b49ca0965b0a1a4989039c682f5ad3
SHA1 66322c1d801a7c90c46a289521401e5c6fd758a5
SHA256 6b6a03c0cea0d5c524201918e24ed767f2345dbb82f83da75653a31dc4a99d73
SHA512 33abef8277003f8f27eb364c60d2cd8c78f3acf6402a3036cbfea055f354bc7cc4a8355bdd9ed8e330e983caf7be01d0e27f9cfe67201896e62f313617f57062

memory/2572-73-0x0000000004640000-0x000000000467C000-memory.dmp

memory/2572-74-0x0000000004980000-0x00000000049BA000-memory.dmp


Analysis: behavioral2

Detonation Overview

Submitted

2024-11-04 13:50

Reported

2024-11-04 13:53

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\03a2cd59ebe842f8e4c549c1da8900db5ba8b67b9da4e71514bc5828f7abb0a4.exe"

Signatures

Amadey

trojan amadey

Amadey family

amadey

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az503960.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az503960.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az503960.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az503960.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az503960.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az503960.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Redline family

redline

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu062300.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az503960.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki970331.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\03a2cd59ebe842f8e4c549c1da8900db5ba8b67b9da4e71514bc5828f7abb0a4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki436607.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki586823.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki436607.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki970331.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cf554524.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu062300.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\03a2cd59ebe842f8e4c549c1da8900db5ba8b67b9da4e71514bc5828f7abb0a4.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki586823.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az503960.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az503960.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az503960.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cf554524.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu062300.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2132 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\03a2cd59ebe842f8e4c549c1da8900db5ba8b67b9da4e71514bc5828f7abb0a4.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki436607.exe
PID 2132 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\03a2cd59ebe842f8e4c549c1da8900db5ba8b67b9da4e71514bc5828f7abb0a4.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki436607.exe
PID 2132 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\03a2cd59ebe842f8e4c549c1da8900db5ba8b67b9da4e71514bc5828f7abb0a4.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki436607.exe
PID 2232 wrote to memory of 208 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki436607.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki586823.exe
PID 2232 wrote to memory of 208 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki436607.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki586823.exe
PID 2232 wrote to memory of 208 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki436607.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki586823.exe
PID 208 wrote to memory of 4076 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki586823.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki970331.exe
PID 208 wrote to memory of 4076 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki586823.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki970331.exe
PID 208 wrote to memory of 4076 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki586823.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki970331.exe
PID 4076 wrote to memory of 3792 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki970331.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az503960.exe
PID 4076 wrote to memory of 3792 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki970331.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az503960.exe
PID 4076 wrote to memory of 1000 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki970331.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu062300.exe
PID 4076 wrote to memory of 1000 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki970331.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu062300.exe
PID 4076 wrote to memory of 1000 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki970331.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu062300.exe
PID 1000 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu062300.exe C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
PID 1000 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu062300.exe C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
PID 1000 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu062300.exe C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
PID 208 wrote to memory of 4168 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki586823.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cf554524.exe
PID 208 wrote to memory of 4168 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki586823.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cf554524.exe
PID 208 wrote to memory of 4168 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki586823.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cf554524.exe
PID 3052 wrote to memory of 932 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 3052 wrote to memory of 932 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 3052 wrote to memory of 932 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 3052 wrote to memory of 1364 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 3052 wrote to memory of 1364 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 3052 wrote to memory of 1364 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 1364 wrote to memory of 1972 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1364 wrote to memory of 1972 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1364 wrote to memory of 1972 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1364 wrote to memory of 4064 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1364 wrote to memory of 4064 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1364 wrote to memory of 4064 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1364 wrote to memory of 3836 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1364 wrote to memory of 3836 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1364 wrote to memory of 3836 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1364 wrote to memory of 1960 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1364 wrote to memory of 1960 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1364 wrote to memory of 1960 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1364 wrote to memory of 432 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1364 wrote to memory of 432 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1364 wrote to memory of 432 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1364 wrote to memory of 1872 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1364 wrote to memory of 1872 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1364 wrote to memory of 1872 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
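The rows above are the sandbox's record of each process launch: a parent writes into the address space of the child it has just created, and the repeated rows for one parent/child pair are several writes during one launch, so they collapse to a single edge. The following is an added example (not part of this report or of the sandbox's tooling) that parses rows in this layout into a process tree, de-duplicates them, and flags the point where a %TEMP%-resident process starts Windows system binaries. The input is a constructed subset of the rows above; the function names are mine.

```python
import re
from collections import defaultdict

# Constructed sample input: a subset of the "Suspicious use of WriteProcessMemory" rows from
# this report, kept verbatim including the duplicate rows the sandbox emits for one launch.
SAMPLE_ROWS = r"""
PID 2132 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\03a2cd59ebe842f8e4c549c1da8900db5ba8b67b9da4e71514bc5828f7abb0a4.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki436607.exe
PID 2132 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\03a2cd59ebe842f8e4c549c1da8900db5ba8b67b9da4e71514bc5828f7abb0a4.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki436607.exe
PID 2232 wrote to memory of 208 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki436607.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki586823.exe
PID 208 wrote to memory of 4076 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki586823.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki970331.exe
PID 4076 wrote to memory of 3792 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki970331.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az503960.exe
PID 4076 wrote to memory of 1000 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki970331.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu062300.exe
PID 1000 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu062300.exe C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
PID 208 wrote to memory of 4168 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki586823.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cf554524.exe
PID 3052 wrote to memory of 932 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 3052 wrote to memory of 1364 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 1364 wrote to memory of 1972 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1364 wrote to memory of 1972 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1364 wrote to memory of 4064 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
"""

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")


def parse_rows(text):
    """Parse rows into (parent_pid, child_pid, parent_image, child_image), dropping exact duplicates."""
    edges, seen = [], set()
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # tolerate header or blank lines
        edge = (int(m.group(1)), int(m.group(2)), m.group(3), m.group(4))
        if edge not in seen:
            seen.add(edge)
            edges.append(edge)
    return edges


def build_tree(edges):
    """Return (children, images): pid -> child pids in launch order, and pid -> image path."""
    children, images = defaultdict(list), {}
    for ppid, cpid, pimg, cimg in edges:
        children[ppid].append(cpid)
        images.setdefault(ppid, pimg)
        images[cpid] = cimg
    return dict(children), images


def roots(children):
    """Pids that spawned others but were never spawned themselves (the submitted sample)."""
    spawned = {c for kids in children.values() for c in kids}
    return [p for p in children if p not in spawned]


def depth(edges, pid):
    """Number of parent hops from pid up to the root of its chain."""
    parent = {c: p for p, c, _, _ in edges}
    hops = 0
    while pid in parent:
        pid = parent[pid]
        hops += 1
    return hops


def render(children, images, root, indent=0):
    """Indented text tree, one process per line."""
    lines = [f"{'  ' * indent}{root} {images[root]}"]
    for c in children.get(root, []):
        lines.extend(render(children, images, c, indent + 1))
    return lines


def temp_to_system_spawns(edges):
    """Edges where a %TEMP%-resident process launches a Windows system binary (schtasks, cmd, cacls)."""
    return [(p, c, cimg) for p, c, pimg, cimg in edges
            if "\\appdata\\local\\temp\\" in pimg.lower() and cimg.lower().startswith("c:\\windows\\")]


if __name__ == "__main__":
    edges = parse_rows(SAMPLE_ROWS)
    children, images = build_tree(edges)
    for root in roots(children):
        print("\n".join(render(children, images, root)))
    for p, c, img in temp_to_system_spawns(edges):
        print(f"system binary from %TEMP% parent: {p} -> {c} {img}")
```

On the sample the tree has a single root (the submitted binary, PID 2132), the dropper chain is seven launches deep before cmd.exe runs cacls.exe, and the only %TEMP%-to-system-binary transitions are oneetx.exe (PID 3052) starting schtasks.exe and cmd.exe, which is where persistence is set up.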

Processes

C:\Users\Admin\AppData\Local\Temp\03a2cd59ebe842f8e4c549c1da8900db5ba8b67b9da4e71514bc5828f7abb0a4.exe

"C:\Users\Admin\AppData\Local\Temp\03a2cd59ebe842f8e4c549c1da8900db5ba8b67b9da4e71514bc5828f7abb0a4.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki436607.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki436607.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki586823.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki586823.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki970331.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki970331.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az503960.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az503960.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu062300.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu062300.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

"C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cf554524.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cf554524.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\cb7ae701b3" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\cb7ae701b3" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
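Two of the command lines above carry the persistence mechanism. schtasks.exe registers a task that re-runs oneetx.exe from %TEMP% every minute (/SC MINUTE /MO 1), which is why the process list ends with several further oneetx.exe instances. The cmd.exe line then runs cacls.exe: /P "Admin:N" without /E replaces the object's ACL outright with a single deny-everything entry for the invoking account, and /P "Admin:R" /E edits that ACL to put read access back, so the account that owns the dropped file and its directory can no longer modify or delete them through normal file operations. The following is an added example, not part of this report, that flags both patterns in a list of command lines; the sample input is the command lines above plus one constructed benign schtasks line, and the check names are mine.

```python
import re

# Constructed sample input: the command lines from the process list above, plus one benign
# schtasks line (made up here) to show the checks do not fire on an ordinary daily task.
SAMPLE_CMDLINES = [
    r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F',
    r'"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit',
    r'CACLS "oneetx.exe" /P "Admin:N"',
    r'CACLS "oneetx.exe" /P "Admin:R" /E',
    r'C:\Windows\system32\cmd.exe /S /D /c" echo Y"',
    r'"C:\Windows\System32\schtasks.exe" /Create /SC DAILY /TN Backup /TR "C:\Program Files\Backup\backup.exe"',  # benign, constructed
]

TR_RE = re.compile(r'/tr\s+(?:"([^"]*)"|(\S+))', re.I)
# cacls <obj> /P <user>:N with no /E replaces the whole ACL with one deny-all entry
CACLS_DENY_RE = re.compile(r'cacls\s+"?(?P<obj>[^"\s]+)"?\s+/p\s+"?(?P<user>[^:"\s]+):n"?(?!\s*/e\b)', re.I)
# cacls <obj> /P <user>:R /E edits the ACL to add read access back
CACLS_GRANT_RE = re.compile(r'cacls\s+"?(?P<obj>[^"\s]+)"?\s+/p\s+"?(?P<user>[^:"\s]+):r"?\s+/e\b', re.I)


def schtasks_temp_minute(cmd):
    """Return the task action if this is schtasks /Create with a per-minute trigger on a %TEMP% binary."""
    low = cmd.lower()
    if "schtasks" not in low or "/create" not in low or not re.search(r"/sc\s+minute\b", low):
        return None
    m = TR_RE.search(cmd)
    if not m:
        return None
    target = m.group(1) or m.group(2)
    return target if re.search(r"\\appdata\\local\\temp\\", target, re.I) else None


def cacls_denies(cmd):
    """(object, user) pairs whose ACL is replaced with a deny for that user."""
    return [(m.group("obj"), m.group("user")) for m in CACLS_DENY_RE.finditer(cmd)]


def cacls_lockout_pattern(cmd):
    """Objects that get deny-then-read-only on one command line, i.e. the sequence seen in this report."""
    denied = set(cacls_denies(cmd))
    granted = {(m.group("obj"), m.group("user")) for m in CACLS_GRANT_RE.finditer(cmd)}
    return sorted(denied & granted)


def scan(cmdlines):
    """Run every check over a list of command lines and return (finding, detail) pairs."""
    findings = []
    for cmd in cmdlines:
        target = schtasks_temp_minute(cmd)
        if target:
            findings.append(("minute_task_to_temp", target))
        lockout = cacls_lockout_pattern(cmd)
        for obj, user in lockout:
            findings.append(("acl_lockout", f"{obj} for {user}"))
        for obj, user in cacls_denies(cmd):
            if (obj, user) not in lockout:
                findings.append(("acl_deny", f"{obj} for {user}"))
    return findings


if __name__ == "__main__":
    for kind, detail in scan(SAMPLE_CMDLINES):
        print(f"{kind:22} {detail}")
```

For cleanup, note that the ACL change does not remove ownership: the account that dropped the file still owns it, and an owner implicitly retains the right to rewrite the DACL, so resetting the ACL (icacls with /reset, or takeown followed by icacls) from that account restores access before deleting the directory and the task. Delete the scheduled task first, or the minute trigger will relaunch the binary while you work.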

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 69.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
RU 193.3.19.154:80 tcp
RU 185.161.248.142:38452 tcp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
RU 185.161.248.142:38452 tcp
RU 185.161.248.142:38452 tcp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
RU 193.3.19.154:80 tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
RU 185.161.248.142:38452 tcp
RU 193.3.19.154:80 tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
RU 185.161.248.142:38452 tcp
RU 193.3.19.154:80 tcp
RU 185.161.248.142:38452 tcp
RU 193.3.19.154:80 tcp
RU 185.161.248.142:38452 tcp
US 8.8.8.8:53 225.162.46.104.in-addr.arpa udp
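The network table mixes three kinds of rows: DNS and reverse (in-addr.arpa) lookups to 8.8.8.8, Bing connections that the Windows image makes on its own, and repeated raw-IP TCP connections to two Russian-hosted endpoints with no name lookup at all. The following is an added example, not part of this report, that parses rows in this layout, turns the reverse-lookup names back into the IPs the host resolved, and leaves the unattributed TCP connections as the candidate command-and-control set. The input is the table above pasted as text; treating the Bing traffic as background noise is an assumption, and which malware family owns which endpoint is not something the table alone establishes.

```python
from collections import Counter, namedtuple

Row = namedtuple("Row", "country dest domain proto")

# Sample input: the Network table from this report, pasted as text (rows with no domain have three fields).
NETWORK_TABLE = """\
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 69.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
RU 193.3.19.154:80 tcp
RU 185.161.248.142:38452 tcp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
RU 185.161.248.142:38452 tcp
RU 185.161.248.142:38452 tcp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
RU 193.3.19.154:80 tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
RU 185.161.248.142:38452 tcp
RU 193.3.19.154:80 tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
RU 185.161.248.142:38452 tcp
RU 193.3.19.154:80 tcp
RU 185.161.248.142:38452 tcp
RU 193.3.19.154:80 tcp
RU 185.161.248.142:38452 tcp
US 8.8.8.8:53 225.162.46.104.in-addr.arpa udp
"""


def parse_network(text):
    """Parse 'Country Destination [Domain] Proto' rows; the domain column is absent for raw-IP connections."""
    rows = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) == 4:
            rows.append(Row(*parts))
        elif len(parts) == 3:
            rows.append(Row(parts[0], parts[1], None, parts[2]))
    return rows


def ptr_to_ip(name):
    """Turn a reverse-lookup name such as 10.27.171.150.in-addr.arpa back into 150.171.27.10."""
    suffix = ".in-addr.arpa"
    if not name or not name.endswith(suffix):
        return None
    labels = name[: -len(suffix)].split(".")
    if len(labels) != 4 or not all(label.isdigit() for label in labels):
        return None
    return ".".join(reversed(labels))


def classify(row):
    """Bucket a row. 'background' assumes the Bing traffic is the OS/browser, not the sample."""
    if row.proto == "udp" and row.dest.endswith(":53"):
        return "dns"
    if row.domain and (row.domain.endswith(".bing.com") or row.domain.endswith(".bing.net")):
        return "background"
    return "unattributed_tcp"


def triage(text):
    """Return (bucket counts, per-destination counts of unattributed TCP, IPs the host reverse-resolved)."""
    rows = parse_network(text)
    buckets = Counter(classify(r) for r in rows)
    suspicious = Counter(r.dest for r in rows if classify(r) == "unattributed_tcp")
    resolved = sorted({ptr_to_ip(r.domain) for r in rows if ptr_to_ip(r.domain)})
    return buckets, suspicious, resolved


if __name__ == "__main__":
    buckets, suspicious, resolved = triage(NETWORK_TABLE)
    print(dict(buckets))
    for dest, n in suspicious.most_common():
        print(f"candidate C2 {dest}: {n} connections")
    print("reverse-resolved:", ", ".join(resolved))
```

On this table the unattributed set is exactly 193.3.19.154:80 and 185.161.248.142:38452, repeated throughout the run, which is the shape of periodic beaconing rather than a one-off download; the reverse lookups resolve, among others, 150.171.27.10, the same address the Bing connections go to, which is a useful sanity check that the in-addr.arpa rows are the host's own PTR lookups and not sample activity.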

Files

memory/2132-1-0x0000000004AE0000-0x0000000004BF9000-memory.dmp

memory/2132-2-0x0000000004C00000-0x0000000004D13000-memory.dmp

memory/2132-3-0x0000000000400000-0x0000000000517000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki436607.exe

MD5 cec1ce5318555d73f57204ffa15da4f4
SHA1 8e7ecd5aa0e6b005fbea795900618e94b2880674
SHA256 5d5ffc47ae1d8ded67771c9d546a13793a0622cb98f5238d4069866f84a6f7bc
SHA512 2eb122871e256625688e9470d19518cb195ec233b018d0890a7d065403a3c5630ea9a049de48adfcb5d88cfb3f25b6674e1fc90191c48aea31194c616894ad26

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki586823.exe

MD5 4ae31f6e2fe3b5635820cc5936ce08c2
SHA1 78399a6911db1a73d83bb61df042a7b3b087e705
SHA256 7e8a5f1286d45a482013057e9aa18e9cfc1adc9237a32882683995241712d04b
SHA512 a5e376db14e26924139ce3dadcb1e3f8390f6e475948aca693f8d9936392134c4ebd8724950e0c46f9cb197fc2c0e4e8d0f286db892c990e099e0dd4f6f60091

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki970331.exe

MD5 336f38a46355bec86647c050e5457b7f
SHA1 8b5c06095b8f340abe622b75df17715cdec1515f
SHA256 c2acc3656220a7b5c1c4c5009680d326f439daff81f5269d9a45c54a20867f7f
SHA512 b6772ca9bcc9bed3fe52d167a28d1ab803be9b3daeefdf325909c6edb9cc85837fb1ea2d95b8b123945e642f342a04b9b13ba264ae75e3f6f0bf7021444d8cc7

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az503960.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

memory/3792-32-0x0000000000C10000-0x0000000000C1A000-memory.dmp

memory/2132-33-0x0000000004AE0000-0x0000000004BF9000-memory.dmp

memory/2132-35-0x0000000004C00000-0x0000000004D13000-memory.dmp

memory/2132-34-0x0000000000400000-0x0000000002C9C000-memory.dmp

memory/2132-36-0x0000000000400000-0x0000000000517000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu062300.exe

MD5 1304f384653e08ae497008ff13498608
SHA1 d9a76ed63d74d4217c5027757cb9a7a0d0093080
SHA256 2a9dabab35fb09085750e1cc762e32b0fe4cbd7ed4276ef7e68ba159ae330eaa
SHA512 4138217fd538e827c89db5c0cd4ea21bd8c8d3a7196d2eabf10412caf7b929479e768747df5fd92fc022d758f1840474530ba82dcb7e8672cc6eb88caeaf38c1

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cf554524.exe

MD5 f8b49ca0965b0a1a4989039c682f5ad3
SHA1 66322c1d801a7c90c46a289521401e5c6fd758a5
SHA256 6b6a03c0cea0d5c524201918e24ed767f2345dbb82f83da75653a31dc4a99d73
SHA512 33abef8277003f8f27eb364c60d2cd8c78f3acf6402a3036cbfea055f354bc7cc4a8355bdd9ed8e330e983caf7be01d0e27f9cfe67201896e62f313617f57062

memory/4168-55-0x0000000004CB0000-0x0000000004CEC000-memory.dmp

memory/4168-56-0x0000000007330000-0x00000000078D4000-memory.dmp

memory/4168-57-0x00000000071A0000-0x00000000071DA000-memory.dmp

memory/4168-119-0x00000000071A0000-0x00000000071D5000-memory.dmp

memory/4168-117-0x00000000071A0000-0x00000000071D5000-memory.dmp

memory/4168-115-0x00000000071A0000-0x00000000071D5000-memory.dmp

memory/4168-113-0x00000000071A0000-0x00000000071D5000-memory.dmp

memory/4168-111-0x00000000071A0000-0x00000000071D5000-memory.dmp

memory/4168-109-0x00000000071A0000-0x00000000071D5000-memory.dmp

memory/4168-107-0x00000000071A0000-0x00000000071D5000-memory.dmp

memory/4168-852-0x000000000A380000-0x000000000A48A000-memory.dmp

memory/4168-853-0x000000000A490000-0x000000000A4CC000-memory.dmp

memory/4168-851-0x00000000072F0000-0x0000000007302000-memory.dmp

memory/4168-850-0x0000000009D60000-0x000000000A378000-memory.dmp

memory/4168-105-0x00000000071A0000-0x00000000071D5000-memory.dmp

memory/4168-103-0x00000000071A0000-0x00000000071D5000-memory.dmp

memory/4168-854-0x00000000049D0000-0x0000000004A1C000-memory.dmp

memory/4168-101-0x00000000071A0000-0x00000000071D5000-memory.dmp

memory/4168-99-0x00000000071A0000-0x00000000071D5000-memory.dmp

memory/4168-97-0x00000000071A0000-0x00000000071D5000-memory.dmp

memory/4168-95-0x00000000071A0000-0x00000000071D5000-memory.dmp

memory/4168-93-0x00000000071A0000-0x00000000071D5000-memory.dmp

memory/4168-91-0x00000000071A0000-0x00000000071D5000-memory.dmp

memory/4168-89-0x00000000071A0000-0x00000000071D5000-memory.dmp

memory/4168-87-0x00000000071A0000-0x00000000071D5000-memory.dmp

memory/4168-85-0x00000000071A0000-0x00000000071D5000-memory.dmp

memory/4168-83-0x00000000071A0000-0x00000000071D5000-memory.dmp

memory/4168-81-0x00000000071A0000-0x00000000071D5000-memory.dmp

memory/4168-79-0x00000000071A0000-0x00000000071D5000-memory.dmp

memory/4168-77-0x00000000071A0000-0x00000000071D5000-memory.dmp

memory/4168-75-0x00000000071A0000-0x00000000071D5000-memory.dmp

memory/4168-73-0x00000000071A0000-0x00000000071D5000-memory.dmp

memory/4168-71-0x00000000071A0000-0x00000000071D5000-memory.dmp

memory/4168-69-0x00000000071A0000-0x00000000071D5000-memory.dmp

memory/4168-67-0x00000000071A0000-0x00000000071D5000-memory.dmp

memory/4168-65-0x00000000071A0000-0x00000000071D5000-memory.dmp

memory/4168-63-0x00000000071A0000-0x00000000071D5000-memory.dmp

memory/4168-61-0x00000000071A0000-0x00000000071D5000-memory.dmp

memory/4168-59-0x00000000071A0000-0x00000000071D5000-memory.dmp

memory/4168-58-0x00000000071A0000-0x00000000071D5000-memory.dmp