Analysis Overview
SHA256
b5984f3db63a02963c0fd77711d8d07f8f5d35069d366f3b26c6272162ead140
Threat Level: Known bad
The file b5984f3db63a02963c0fd77711d8d07f8f5d35069d366f3b26c6272162ead140 was found to be: Known bad.
Malicious Activity Summary
Detects Healer an antivirus disabler dropper
Healer
Redline family
RedLine payload
RedLine
Amadey family
Amadey
Healer family
Modifies Windows Defender Real-time Protection settings
Loads dropped DLL
Executes dropped EXE
Checks computer location settings
Windows security modification
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Scheduled Task/Job: Scheduled Task
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-04 13:59
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-04 13:59
Reported
2024-11-04 14:01
Platform
win7-20241010-en
Max time kernel
145s
Max time network
153s
Command Line
Signatures
Amadey
Amadey family
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az762080.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az762080.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az762080.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az762080.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az762080.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az762080.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki741926.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki102121.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki795295.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az762080.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu286232.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cf612071.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe | N/A |
Loads dropped DLL
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az762080.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az762080.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki741926.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki102121.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki795295.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\b5984f3db63a02963c0fd77711d8d07f8f5d35069d366f3b26c6272162ead140.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\b5984f3db63a02963c0fd77711d8d07f8f5d35069d366f3b26c6272162ead140.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki741926.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki102121.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki795295.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu286232.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cf612071.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cacls.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az762080.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az762080.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az762080.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cf612071.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu286232.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\b5984f3db63a02963c0fd77711d8d07f8f5d35069d366f3b26c6272162ead140.exe
"C:\Users\Admin\AppData\Local\Temp\b5984f3db63a02963c0fd77711d8d07f8f5d35069d366f3b26c6272162ead140.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki741926.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki741926.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki102121.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki102121.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki795295.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki795295.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az762080.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az762080.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu286232.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu286232.exe
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
"C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cf612071.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cf612071.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "oneetx.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "oneetx.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\cb7ae701b3" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\cb7ae701b3" /P "Admin:R" /E
C:\Windows\system32\taskeng.exe
taskeng.exe {37D6712D-8E11-4568-BF65-A056678BBBE8} S-1-5-21-3692679935-4019334568-335155002-1000:BCXRJFKE\Admin:Interactive:[1]
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
Network
| Country | Destination | Domain | Proto |
| RU | 193.3.19.154:80 | | tcp |
| RU | 185.161.248.142:38452 | | tcp |
| RU | 193.3.19.154:80 | | tcp |
| RU | 185.161.248.142:38452 | | tcp |
| RU | 185.161.248.142:38452 | | tcp |
| RU | 193.3.19.154:80 | | tcp |
| RU | 185.161.248.142:38452 | | tcp |
| RU | 193.3.19.154:80 | | tcp |
| RU | 185.161.248.142:38452 | | tcp |
| RU | 193.3.19.154:80 | | tcp |
| RU | 185.161.248.142:38452 | | tcp |
| RU | 193.3.19.154:80 | | tcp |
| RU | 185.161.248.142:38452 | | tcp |
Files
memory/572-0-0x00000000045F0000-0x00000000046F8000-memory.dmp
memory/572-2-0x0000000004700000-0x0000000004811000-memory.dmp
memory/572-1-0x00000000045F0000-0x00000000046F8000-memory.dmp
memory/572-3-0x0000000000400000-0x0000000000515000-memory.dmp
\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki741926.exe
| MD5 | fd787ded7d81f4225f02fbbda4d701aa |
| SHA1 | 37068badb001ca45eb72e8205180018b092ff22c |
| SHA256 | b4569d6d38b72a5add91a0d44346930a4768f159e12e136d46108e2c65ff0f84 |
| SHA512 | ce6f7ba739c0aa2cf94512bd72216b52d9ec44ea8fddadb9d983ef01fa739e91a7552fed05bae371a887020b08aa4a9e0198ad87872f24e4fcead7e3f3154756 |
\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki102121.exe
| MD5 | 164c0811d27c9d5c90cdfc9f1a29dc75 |
| SHA1 | 0a5580ecffce9bb9853a144c832721a8424dbd75 |
| SHA256 | 3ca19e61360c2f7036ed478f64576680fc366ab84f5762ce91def9b068e334d3 |
| SHA512 | 98b132b08f0817d396394f04dfaecdb543fd7f4ebdc2bba969af63b6736d112e7715d75294050b52322545166ac25d1307c1dd604d58f820a3fbefdbe424582c |
\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki795295.exe
| MD5 | d900d5cb1a70475f439b5d5c376c79c3 |
| SHA1 | df4c6cfa35eb56a1f570dfad90fc824fb7993591 |
| SHA256 | 8e40107d48d41bf340bc3d6537d19d93767a48d1fd9218ab4a1995cea0ce98bf |
| SHA512 | aac9fc1c27e447c674e5bdbd60890b67a42b8992768bf4ac0f503f5255fc30aedb40631c5f09cc9a75e4ac7239aed5e7f384183193ad1d2377fb6aaa61bb0a8e |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az762080.exe
| MD5 | 7e93bacbbc33e6652e147e7fe07572a0 |
| SHA1 | 421a7167da01c8da4dc4d5234ca3dd84e319e762 |
| SHA256 | 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38 |
| SHA512 | 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91 |
memory/2868-42-0x00000000013A0000-0x00000000013AA000-memory.dmp
memory/572-43-0x00000000045F0000-0x00000000046F8000-memory.dmp
memory/572-45-0x0000000004700000-0x0000000004811000-memory.dmp
memory/572-44-0x0000000000400000-0x0000000002C98000-memory.dmp
memory/572-46-0x0000000000400000-0x0000000000515000-memory.dmp
\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu286232.exe
| MD5 | 1304f384653e08ae497008ff13498608 |
| SHA1 | d9a76ed63d74d4217c5027757cb9a7a0d0093080 |
| SHA256 | 2a9dabab35fb09085750e1cc762e32b0fe4cbd7ed4276ef7e68ba159ae330eaa |
| SHA512 | 4138217fd538e827c89db5c0cd4ea21bd8c8d3a7196d2eabf10412caf7b929479e768747df5fd92fc022d758f1840474530ba82dcb7e8672cc6eb88caeaf38c1 |
\Users\Admin\AppData\Local\Temp\IXP002.TMP\cf612071.exe
| MD5 | a575feadd9e1ae1bd80c73ba15228c5b |
| SHA1 | 958aaee2a77c003f21fcead2b9724513a572f44b |
| SHA256 | 02af7c4bf4245d836254d8006fa1230b774337c0ee0a490b98e6ba5802e6404c |
| SHA512 | c026477f698997bbc2fbd616e37a83fd71268ad0c2d728d78518a3362996c54ee433156b6f03ed499421cb8f40c577e94ab0fffbdeb7df60d733fa6c4ac6e987 |
memory/2296-73-0x0000000004930000-0x000000000496C000-memory.dmp
memory/2296-74-0x0000000004970000-0x00000000049AA000-memory.dmp
memory/2296-75-0x0000000004970000-0x00000000049A5000-memory.dmp
memory/2296-76-0x0000000004970000-0x00000000049A5000-memory.dmp
memory/2296-128-0x0000000004970000-0x00000000049A5000-memory.dmp
memory/2296-136-0x0000000004970000-0x00000000049A5000-memory.dmp
memory/2296-134-0x0000000004970000-0x00000000049A5000-memory.dmp
memory/2296-132-0x0000000004970000-0x00000000049A5000-memory.dmp
memory/2296-130-0x0000000004970000-0x00000000049A5000-memory.dmp
memory/2296-126-0x0000000004970000-0x00000000049A5000-memory.dmp
memory/2296-124-0x0000000004970000-0x00000000049A5000-memory.dmp
memory/2296-122-0x0000000004970000-0x00000000049A5000-memory.dmp
memory/2296-120-0x0000000004970000-0x00000000049A5000-memory.dmp
memory/2296-118-0x0000000004970000-0x00000000049A5000-memory.dmp
memory/2296-116-0x0000000004970000-0x00000000049A5000-memory.dmp
memory/2296-114-0x0000000004970000-0x00000000049A5000-memory.dmp
memory/2296-110-0x0000000004970000-0x00000000049A5000-memory.dmp
memory/2296-108-0x0000000004970000-0x00000000049A5000-memory.dmp
memory/2296-106-0x0000000004970000-0x00000000049A5000-memory.dmp
memory/2296-104-0x0000000004970000-0x00000000049A5000-memory.dmp
memory/2296-102-0x0000000004970000-0x00000000049A5000-memory.dmp
memory/2296-100-0x0000000004970000-0x00000000049A5000-memory.dmp
memory/2296-98-0x0000000004970000-0x00000000049A5000-memory.dmp
memory/2296-94-0x0000000004970000-0x00000000049A5000-memory.dmp
memory/2296-92-0x0000000004970000-0x00000000049A5000-memory.dmp
memory/2296-90-0x0000000004970000-0x00000000049A5000-memory.dmp
memory/2296-88-0x0000000004970000-0x00000000049A5000-memory.dmp
memory/2296-84-0x0000000004970000-0x00000000049A5000-memory.dmp
memory/2296-82-0x0000000004970000-0x00000000049A5000-memory.dmp
memory/2296-80-0x0000000004970000-0x00000000049A5000-memory.dmp
memory/2296-78-0x0000000004970000-0x00000000049A5000-memory.dmp
memory/2296-112-0x0000000004970000-0x00000000049A5000-memory.dmp
memory/2296-96-0x0000000004970000-0x00000000049A5000-memory.dmp
memory/2296-86-0x0000000004970000-0x00000000049A5000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-04 13:59
Reported
2024-11-04 14:01
Platform
win10v2004-20241007-en
Max time kernel
142s
Max time network
156s
Command Line
Signatures
Amadey
Amadey family
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az762080.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az762080.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az762080.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az762080.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az762080.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az762080.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Redline family
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu286232.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki741926.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki102121.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki795295.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az762080.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu286232.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cf612071.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az762080.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki795295.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\b5984f3db63a02963c0fd77711d8d07f8f5d35069d366f3b26c6272162ead140.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki741926.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki102121.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki102121.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu286232.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki795295.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cf612071.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\b5984f3db63a02963c0fd77711d8d07f8f5d35069d366f3b26c6272162ead140.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki741926.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az762080.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az762080.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az762080.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cf612071.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu286232.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\b5984f3db63a02963c0fd77711d8d07f8f5d35069d366f3b26c6272162ead140.exe
"C:\Users\Admin\AppData\Local\Temp\b5984f3db63a02963c0fd77711d8d07f8f5d35069d366f3b26c6272162ead140.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki741926.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki741926.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki102121.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki102121.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki795295.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki795295.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az762080.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az762080.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu286232.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu286232.exe
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
"C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cf612071.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cf612071.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "oneetx.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "oneetx.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\cb7ae701b3" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\cb7ae701b3" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| RU | 193.3.19.154:80 | | tcp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| RU | 185.161.248.142:38452 | | tcp |
| RU | 185.161.248.142:38452 | | tcp |
| RU | 185.161.248.142:38452 | | tcp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| RU | 193.3.19.154:80 | | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| RU | 185.161.248.142:38452 | | tcp |
| RU | 193.3.19.154:80 | | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| RU | 185.161.248.142:38452 | | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| RU | 193.3.19.154:80 | | tcp |
| RU | 185.161.248.142:38452 | | tcp |
| RU | 193.3.19.154:80 | | tcp |
| RU | 185.161.248.142:38452 | | tcp |
Files
memory/2244-1-0x0000000004AF0000-0x0000000004BFB000-memory.dmp
memory/2244-2-0x0000000004C00000-0x0000000004D11000-memory.dmp
memory/2244-3-0x0000000000400000-0x0000000000515000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki741926.exe
| MD5 | fd787ded7d81f4225f02fbbda4d701aa |
| SHA1 | 37068badb001ca45eb72e8205180018b092ff22c |
| SHA256 | b4569d6d38b72a5add91a0d44346930a4768f159e12e136d46108e2c65ff0f84 |
| SHA512 | ce6f7ba739c0aa2cf94512bd72216b52d9ec44ea8fddadb9d983ef01fa739e91a7552fed05bae371a887020b08aa4a9e0198ad87872f24e4fcead7e3f3154756 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki102121.exe
| MD5 | 164c0811d27c9d5c90cdfc9f1a29dc75 |
| SHA1 | 0a5580ecffce9bb9853a144c832721a8424dbd75 |
| SHA256 | 3ca19e61360c2f7036ed478f64576680fc366ab84f5762ce91def9b068e334d3 |
| SHA512 | 98b132b08f0817d396394f04dfaecdb543fd7f4ebdc2bba969af63b6736d112e7715d75294050b52322545166ac25d1307c1dd604d58f820a3fbefdbe424582c |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki795295.exe
| MD5 | d900d5cb1a70475f439b5d5c376c79c3 |
| SHA1 | df4c6cfa35eb56a1f570dfad90fc824fb7993591 |
| SHA256 | 8e40107d48d41bf340bc3d6537d19d93767a48d1fd9218ab4a1995cea0ce98bf |
| SHA512 | aac9fc1c27e447c674e5bdbd60890b67a42b8992768bf4ac0f503f5255fc30aedb40631c5f09cc9a75e4ac7239aed5e7f384183193ad1d2377fb6aaa61bb0a8e |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az762080.exe
| MD5 | 7e93bacbbc33e6652e147e7fe07572a0 |
| SHA1 | 421a7167da01c8da4dc4d5234ca3dd84e319e762 |
| SHA256 | 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38 |
| SHA512 | 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91 |
memory/5000-32-0x0000000000810000-0x000000000081A000-memory.dmp
memory/2244-33-0x0000000004AF0000-0x0000000004BFB000-memory.dmp
memory/2244-35-0x0000000004C00000-0x0000000004D11000-memory.dmp
memory/2244-34-0x0000000000400000-0x0000000002C98000-memory.dmp
memory/2244-36-0x0000000000400000-0x0000000000515000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu286232.exe
| MD5 | 1304f384653e08ae497008ff13498608 |
| SHA1 | d9a76ed63d74d4217c5027757cb9a7a0d0093080 |
| SHA256 | 2a9dabab35fb09085750e1cc762e32b0fe4cbd7ed4276ef7e68ba159ae330eaa |
| SHA512 | 4138217fd538e827c89db5c0cd4ea21bd8c8d3a7196d2eabf10412caf7b929479e768747df5fd92fc022d758f1840474530ba82dcb7e8672cc6eb88caeaf38c1 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cf612071.exe
| MD5 | a575feadd9e1ae1bd80c73ba15228c5b |
| SHA1 | 958aaee2a77c003f21fcead2b9724513a572f44b |
| SHA256 | 02af7c4bf4245d836254d8006fa1230b774337c0ee0a490b98e6ba5802e6404c |
| SHA512 | c026477f698997bbc2fbd616e37a83fd71268ad0c2d728d78518a3362996c54ee433156b6f03ed499421cb8f40c577e94ab0fffbdeb7df60d733fa6c4ac6e987 |
memory/1776-55-0x0000000007260000-0x000000000729C000-memory.dmp
memory/1776-56-0x00000000073C0000-0x0000000007964000-memory.dmp
memory/1776-57-0x00000000072E0000-0x000000000731A000-memory.dmp
memory/1776-59-0x00000000072E0000-0x0000000007315000-memory.dmp
memory/1776-119-0x00000000072E0000-0x0000000007315000-memory.dmp
memory/1776-117-0x00000000072E0000-0x0000000007315000-memory.dmp
memory/1776-115-0x00000000072E0000-0x0000000007315000-memory.dmp
memory/1776-113-0x00000000072E0000-0x0000000007315000-memory.dmp
memory/1776-111-0x00000000072E0000-0x0000000007315000-memory.dmp
memory/1776-107-0x00000000072E0000-0x0000000007315000-memory.dmp
memory/1776-105-0x00000000072E0000-0x0000000007315000-memory.dmp
memory/1776-103-0x00000000072E0000-0x0000000007315000-memory.dmp
memory/1776-99-0x00000000072E0000-0x0000000007315000-memory.dmp
memory/1776-97-0x00000000072E0000-0x0000000007315000-memory.dmp
memory/1776-95-0x00000000072E0000-0x0000000007315000-memory.dmp
memory/1776-93-0x00000000072E0000-0x0000000007315000-memory.dmp
memory/1776-91-0x00000000072E0000-0x0000000007315000-memory.dmp
memory/1776-87-0x00000000072E0000-0x0000000007315000-memory.dmp
memory/1776-85-0x00000000072E0000-0x0000000007315000-memory.dmp
memory/1776-83-0x00000000072E0000-0x0000000007315000-memory.dmp
memory/1776-81-0x00000000072E0000-0x0000000007315000-memory.dmp
memory/1776-79-0x00000000072E0000-0x0000000007315000-memory.dmp
memory/1776-77-0x00000000072E0000-0x0000000007315000-memory.dmp
memory/1776-76-0x00000000072E0000-0x0000000007315000-memory.dmp
memory/1776-73-0x00000000072E0000-0x0000000007315000-memory.dmp
memory/1776-71-0x00000000072E0000-0x0000000007315000-memory.dmp
memory/1776-69-0x00000000072E0000-0x0000000007315000-memory.dmp
memory/1776-67-0x00000000072E0000-0x0000000007315000-memory.dmp
memory/1776-66-0x00000000072E0000-0x0000000007315000-memory.dmp
memory/1776-63-0x00000000072E0000-0x0000000007315000-memory.dmp
memory/1776-62-0x00000000072E0000-0x0000000007315000-memory.dmp
memory/1776-58-0x00000000072E0000-0x0000000007315000-memory.dmp
memory/1776-109-0x00000000072E0000-0x0000000007315000-memory.dmp
memory/1776-101-0x00000000072E0000-0x0000000007315000-memory.dmp
memory/1776-89-0x00000000072E0000-0x0000000007315000-memory.dmp
memory/1776-850-0x0000000009DF0000-0x000000000A408000-memory.dmp
memory/1776-851-0x000000000A490000-0x000000000A4A2000-memory.dmp
memory/1776-852-0x000000000A4B0000-0x000000000A5BA000-memory.dmp
memory/1776-853-0x000000000A5D0000-0x000000000A60C000-memory.dmp
memory/1776-854-0x0000000004CF0000-0x0000000004D3C000-memory.dmp