Analysis Overview
SHA256
58bc8c265e2c543d9f972ac3751a25a133826041361ed8ec9aa9f62861377a66
Threat Level: Known bad
The file 58bc8c265e2c543d9f972ac3751a25a133826041361ed8ec9aa9f62861377a66 was found to be: Known bad.
Malicious Activity Summary
RedLine
Redline family
Amadey
RedLine payload
Healer
Detects Healer, an antivirus disabler dropper
Amadey family
Healer family
Modifies Windows Defender Real-time Protection settings
Checks computer location settings
Windows security modification
Executes dropped EXE
Adds Run key to start application
Launches sc.exe
System Location Discovery: System Language Discovery
Program crash
Unsigned PE
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-07 00:28
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-07 00:28
Reported
2024-11-07 00:31
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
160s
Command Line
Signatures
Amadey
Amadey family
Detects Healer, an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr793287.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr793287.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr793287.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr793287.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr793287.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr793287.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Redline family
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu784126.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si029103.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un557601.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr793287.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu784126.exe | N/A |
| N/A | N/A | C:\Windows\Temp\1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si029103.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr793287.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr793287.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\58bc8c265e2c543d9f972ac3751a25a133826041361ed8ec9aa9f62861377a66.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un557601.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr793287.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu784126.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\58bc8c265e2c543d9f972ac3751a25a133826041361ed8ec9aa9f62861377a66.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un557601.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr793287.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu784126.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Temp\1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si029103.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr793287.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr793287.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr793287.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu784126.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si029103.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\58bc8c265e2c543d9f972ac3751a25a133826041361ed8ec9aa9f62861377a66.exe
"C:\Users\Admin\AppData\Local\Temp\58bc8c265e2c543d9f972ac3751a25a133826041361ed8ec9aa9f62861377a66.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un557601.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un557601.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr793287.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr793287.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4652 -ip 4652
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4652 -s 1084
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu784126.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu784126.exe
C:\Windows\Temp\1.exe
"C:\Windows\Temp\1.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3732 -ip 3732
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3732 -s 1520
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si029103.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si029103.exe
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
"C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe" /F
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start wuauserv
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.190.18.2.in-addr.arpa | udp |
| RU | 193.201.9.43:80 | | tcp |
| RU | 185.161.248.90:4125 | | tcp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| RU | 185.161.248.90:4125 | | tcp |
| RU | 193.201.9.43:80 | | tcp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| RU | 185.161.248.90:4125 | | tcp |
| US | 8.8.8.8:53 | 105.209.201.84.in-addr.arpa | udp |
| RU | 193.201.9.43:80 | | tcp |
| RU | 185.161.248.90:4125 | | tcp |
| RU | 193.201.9.43:80 | | tcp |
| RU | 185.161.248.90:4125 | | tcp |
| US | 8.8.8.8:53 | 6.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un557601.exe
| MD5 | 8582f3894b937a7d67f0d16aabee049c |
| SHA1 | 55318ea11a85a78d84dac2215f2082a7c5dfa7f8 |
| SHA256 | d1008ec070dd176afa659c4b8e4873ee8dc57fd87c885b32eb8c3ff855990474 |
| SHA512 | d6a9b8ad2bdc1f42bf716dc2cddc08f03e7edcaf93c322d32f7af88d14a6b07005dbf6c7b66347eddcdd3e9b392a01746014996bc83c33e2d431ac93de62a6b3 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr793287.exe
| MD5 | fd2647385d09d8d08898f42855587530 |
| SHA1 | 53db344d786b5cc72115ad4e9f65338ccde2a36e |
| SHA256 | 718b1a008f42ecd30322ae330fe55cd9a0f8e703dddfc9395ba788ab66ef8119 |
| SHA512 | 7f86133b1819e5fc76b48baebffb97c8f174a843e8ba75c86ae2d4f83765c421b81a8ee79ad68cafd5c6241cc9e31f7c668055df2d007e788c593912e2a62ac2 |
memory/4652-16-0x00000000004B0000-0x00000000004DD000-memory.dmp
memory/4652-15-0x00000000004F0000-0x00000000005F0000-memory.dmp
memory/4652-17-0x0000000000400000-0x0000000000430000-memory.dmp
memory/4652-18-0x0000000000400000-0x00000000004AF000-memory.dmp
memory/4652-19-0x0000000002440000-0x000000000245A000-memory.dmp
memory/4652-20-0x00000000004F0000-0x00000000005F0000-memory.dmp
memory/4652-21-0x0000000004BA0000-0x0000000005144000-memory.dmp
memory/4652-22-0x00000000024F0000-0x0000000002508000-memory.dmp
memory/4652-24-0x00000000024F0000-0x0000000002502000-memory.dmp
memory/4652-50-0x00000000024F0000-0x0000000002502000-memory.dmp
memory/4652-48-0x00000000024F0000-0x0000000002502000-memory.dmp
memory/4652-46-0x00000000024F0000-0x0000000002502000-memory.dmp
memory/4652-44-0x00000000024F0000-0x0000000002502000-memory.dmp
memory/4652-42-0x00000000024F0000-0x0000000002502000-memory.dmp
memory/4652-40-0x00000000024F0000-0x0000000002502000-memory.dmp
memory/4652-38-0x00000000024F0000-0x0000000002502000-memory.dmp
memory/4652-36-0x00000000024F0000-0x0000000002502000-memory.dmp
memory/4652-34-0x00000000024F0000-0x0000000002502000-memory.dmp
memory/4652-30-0x00000000024F0000-0x0000000002502000-memory.dmp
memory/4652-28-0x00000000024F0000-0x0000000002502000-memory.dmp
memory/4652-26-0x00000000024F0000-0x0000000002502000-memory.dmp
memory/4652-23-0x00000000024F0000-0x0000000002502000-memory.dmp
memory/4652-32-0x00000000024F0000-0x0000000002502000-memory.dmp
memory/4652-51-0x00000000004B0000-0x00000000004DD000-memory.dmp
memory/4652-52-0x0000000000400000-0x0000000000430000-memory.dmp
memory/4652-55-0x0000000000400000-0x00000000004AF000-memory.dmp
memory/4652-56-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu784126.exe
| MD5 | 9478db3f85ecae95a19d891116f4fba7 |
| SHA1 | f6456e962c76592151dbc92aeff835aa26dc3bbe |
| SHA256 | d94d1c5b103a575159a8f1eb9e479d99ed3cdd505b528c7aec959ffdc8aa6586 |
| SHA512 | d66319f2318e37c2a57d767a644b83e68fdc8dd735733d6d81391a22d021c660e5b95d5790a100220e771fc9ae4f1d768ead574cf631da606de8c83abde0f312 |
memory/3732-61-0x0000000002210000-0x0000000002278000-memory.dmp
memory/3732-62-0x0000000004C70000-0x0000000004CD6000-memory.dmp
memory/3732-63-0x0000000004C70000-0x0000000004CD0000-memory.dmp
memory/3732-68-0x0000000004C70000-0x0000000004CD0000-memory.dmp
memory/3732-96-0x0000000004C70000-0x0000000004CD0000-memory.dmp
memory/3732-94-0x0000000004C70000-0x0000000004CD0000-memory.dmp
memory/3732-92-0x0000000004C70000-0x0000000004CD0000-memory.dmp
memory/3732-90-0x0000000004C70000-0x0000000004CD0000-memory.dmp
memory/3732-88-0x0000000004C70000-0x0000000004CD0000-memory.dmp
memory/3732-86-0x0000000004C70000-0x0000000004CD0000-memory.dmp
memory/3732-84-0x0000000004C70000-0x0000000004CD0000-memory.dmp
memory/3732-80-0x0000000004C70000-0x0000000004CD0000-memory.dmp
memory/3732-78-0x0000000004C70000-0x0000000004CD0000-memory.dmp
memory/3732-76-0x0000000004C70000-0x0000000004CD0000-memory.dmp
memory/3732-74-0x0000000004C70000-0x0000000004CD0000-memory.dmp
memory/3732-72-0x0000000004C70000-0x0000000004CD0000-memory.dmp
memory/3732-70-0x0000000004C70000-0x0000000004CD0000-memory.dmp
memory/3732-66-0x0000000004C70000-0x0000000004CD0000-memory.dmp
memory/3732-64-0x0000000004C70000-0x0000000004CD0000-memory.dmp
memory/3732-83-0x0000000004C70000-0x0000000004CD0000-memory.dmp
memory/3732-2205-0x0000000005410000-0x0000000005442000-memory.dmp
C:\Windows\Temp\1.exe
| MD5 | 03728fed675bcde5256342183b1d6f27 |
| SHA1 | d13eace7d3d92f93756504b274777cc269b222a2 |
| SHA256 | f1181356c69b3dcebadc67d4c751d01164c929eab2b250b83cdedeedd4cd5ef0 |
| SHA512 | 6e2800d2d4e7dcbcbe1842d78029b75d2faa742c8fd7925ae2486396c3dd8c0b8f66e760f3916e42631cde41c0606c48528a4cb779f124b8d28c7af9197c18d1 |
memory/4464-2218-0x00000000008D0000-0x00000000008FE000-memory.dmp
memory/4464-2219-0x0000000001200000-0x0000000001206000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si029103.exe
| MD5 | ee1f5f0e1168ce5938997c932b4dcd27 |
| SHA1 | b8c0928da3a41d579c19f44b9e1fef6014d06452 |
| SHA256 | dea01b17d6e06c3bdf6f5387faa77a788ce9726a3110db90294b2e207b3d51ed |
| SHA512 | bacc2d22b71bc5bc73c0699aaf4e2271effa4fe47c3ac63f3ee3ae3385d963eb6f93db082a9530d75d5c6f13884f30b0375d41badfe540f31ef747003a36c0a8 |
memory/4464-2225-0x00000000058B0000-0x0000000005EC8000-memory.dmp
memory/4464-2226-0x00000000053A0000-0x00000000054AA000-memory.dmp
memory/4464-2227-0x0000000002AF0000-0x0000000002B02000-memory.dmp
memory/4464-2228-0x00000000052D0000-0x000000000530C000-memory.dmp
memory/4464-2239-0x0000000005310000-0x000000000535C000-memory.dmp