Malware Analysis Report

2024-11-13 17:36

Sample ID 241110-b38tzswlax
Target 4eefa74bbffe7b07f5e6b6f6abc5e99110f3009e1fade6b64e5328ab9cf5cd8e
SHA256 4eefa74bbffe7b07f5e6b6f6abc5e99110f3009e1fade6b64e5328ab9cf5cd8e
Tags
amadey healer 9c0adb discovery dropper evasion persistence trojan
score
10/10

Analysis Overview

score
10/10

SHA256

4eefa74bbffe7b07f5e6b6f6abc5e99110f3009e1fade6b64e5328ab9cf5cd8e

Threat Level: Known bad

The file 4eefa74bbffe7b07f5e6b6f6abc5e99110f3009e1fade6b64e5328ab9cf5cd8e was found to be: Known bad.

Malicious Activity Summary

amadey healer 9c0adb discovery dropper evasion persistence trojan

Amadey family

Amadey

Healer

Modifies Windows Defender Real-time Protection settings

Healer family

Detects Healer an antivirus disabler dropper

Executes dropped EXE

Windows security modification

Checks computer location settings

Adds Run key to start application

Enumerates physical storage devices

Unsigned PE

Program crash

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Scheduled Task/Job: Scheduled Task

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 01:41

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 01:41

Reported

2024-11-10 01:43

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4eefa74bbffe7b07f5e6b6f6abc5e99110f3009e1fade6b64e5328ab9cf5cd8e.exe"

Signatures

Amadey

trojan amadey

Amadey family

amadey

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\191128083.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\224564375.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\224564375.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\224564375.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\191128083.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\191128083.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\191128083.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\191128083.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\224564375.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\224564375.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\191128083.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\342430835.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\191128083.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\191128083.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\224564375.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\4eefa74bbffe7b07f5e6b6f6abc5e99110f3009e1fade6b64e5328ab9cf5cd8e.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sm377075.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\uA186996.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nk527797.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\4eefa74bbffe7b07f5e6b6f6abc5e99110f3009e1fade6b64e5328ab9cf5cd8e.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\uA186996.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\342430835.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\419018709.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\191128083.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\224564375.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sm377075.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nk527797.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\191128083.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\224564375.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\342430835.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4796 wrote to memory of 3460 N/A C:\Users\Admin\AppData\Local\Temp\4eefa74bbffe7b07f5e6b6f6abc5e99110f3009e1fade6b64e5328ab9cf5cd8e.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sm377075.exe
PID 3460 wrote to memory of 4868 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sm377075.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\uA186996.exe
PID 4868 wrote to memory of 4840 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\uA186996.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nk527797.exe
PID 4840 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nk527797.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\191128083.exe
PID 4840 wrote to memory of 744 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nk527797.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\224564375.exe
PID 4868 wrote to memory of 4764 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\uA186996.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\342430835.exe
PID 4764 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\342430835.exe C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
PID 3460 wrote to memory of 3272 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sm377075.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\419018709.exe
PID 2452 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 2452 wrote to memory of 3900 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 3900 wrote to memory of 2680 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3900 wrote to memory of 4124 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3900 wrote to memory of 1020 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3900 wrote to memory of 4900 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3900 wrote to memory of 2244 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3900 wrote to memory of 1824 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe

Processes

C:\Users\Admin\AppData\Local\Temp\4eefa74bbffe7b07f5e6b6f6abc5e99110f3009e1fade6b64e5328ab9cf5cd8e.exe

"C:\Users\Admin\AppData\Local\Temp\4eefa74bbffe7b07f5e6b6f6abc5e99110f3009e1fade6b64e5328ab9cf5cd8e.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sm377075.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sm377075.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\uA186996.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\uA186996.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nk527797.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nk527797.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\191128083.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\191128083.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\224564375.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\224564375.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 744 -ip 744

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 744 -s 1080

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\342430835.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\342430835.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

"C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\419018709.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\419018709.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\cb7ae701b3" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\cb7ae701b3" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
RU 193.3.19.154:80 tcp
RU 185.161.248.143:38452 tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sm377075.exe

MD5 9c37c740ee5b8656f4ab6b6f319fee3c
SHA1 8dd071367add5dde87c700fdc168c0a2e70ede84
SHA256 cef7ff0b661ec4df262544159c9c933a8c5d28b97eb4f43f2347bfba9506b665
SHA512 baf79a71dea92bdfd62f2e48f1b76279127aa132c835d34cbbeebd08ab5da9eae4fe11e801f833e085090de780162eaec0844f0cd54c510e51612245313a3d79

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\uA186996.exe

MD5 6a8cc952ea33ee20ac935dcc65e77f47
SHA1 9bf9a3ea30431c7096c23a34b7e80306a687c081
SHA256 0572cfdce917c2f8166f7d5a965a44ec11de3220d6ffd6ef3edc6e5a67bc8226
SHA512 2c5f848da52fb55510fcc42a4f04ce7ed48117035999c1be35b54a9e750b9f33b5dbda41b52dcbd6f987d1c1869e87e5ff6ee5e380b02251624b1a67cc4652dc

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nk527797.exe

MD5 308a36bd3ff93d7d4cdd7b64460a477f
SHA1 873b4122bb1853d7866ef5f76f9b80afc65e93cd
SHA256 9d297fe08e84c52933f3b8f7ee393b3453f1de91fb0f65d53881cc7419375533
SHA512 2a141704322fb5c7f22326b5ec2da48ce410819c28da49e0eb813b6ef1b674013f87667ee741d4ca91f3c26694afa18b46ee1760accf47906318a948e3c75810

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\191128083.exe

MD5 a165b5f6b0a4bdf808b71de57bf9347d
SHA1 39a7b301e819e386c162a47e046fa384bb5ab437
SHA256 68349ed349ed7bbb9a279ac34ea4984206a1a1b3b73587fd1b109d55391af09a
SHA512 3dd6ca63a2aecb2a0599f0b918329e75b92eb5259d6986bd8d41cb8ebcf7b965bbd12786929d61743ae8613c2e180078f2eed2835ccb54378cd343c4a048c1a1

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\224564375.exe

MD5 367810cfb8234e9307fdfcb87f95f9c1
SHA1 5c2f3ba80dee60aeebf5f754552922fcb3ec48ad
SHA256 d9471f9b964e8af0c3d7663303a79a33e043771e8f2374c16bf60ccb42ae2cd8
SHA512 9bafbe41a0144e4af0e7922dde352132fe2da74f356fccf4b8c4bb4c3dc47c9ef0b3bd6c46ca8499eeb8b49dfe3a61ccd71818d79caf3c3e0aaebaf0e86a7135

memory/744-93-0x0000000000400000-0x0000000000455000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\342430835.exe

MD5 1304f384653e08ae497008ff13498608
SHA1 d9a76ed63d74d4217c5027757cb9a7a0d0093080
SHA256 2a9dabab35fb09085750e1cc762e32b0fe4cbd7ed4276ef7e68ba159ae330eaa
SHA512 4138217fd538e827c89db5c0cd4ea21bd8c8d3a7196d2eabf10412caf7b929479e768747df5fd92fc022d758f1840474530ba82dcb7e8672cc6eb88caeaf38c1

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\419018709.exe

MD5 84857a5b385d0a97fa08c0e197a6ce4a
SHA1 a50d9eb8e737570652b018c8266db6c7571a0984
SHA256 42a4e9e3ced0b7f7fda8dea3a3b6775cf53e839b2e5dfd6e8f20a026e2b80c48
SHA512 eae9ae7b1ba08a2d982a2658ce112c04b8def95526c870f716e12485dbcecfac5551e4718be82dc424a828f251bdb97df632778f6632a192d35590893218503f

memory/3272-110-0x0000000000400000-0x000000000046A000-memory.dmp