Malware Analysis Report

2024-12-06 02:40

Sample ID 241110-bacabavpat
Target cd19ecafe6a0315fa145d9a57be7773fc826fe8d9348c2e98d158a3caa87770c
SHA256 cd19ecafe6a0315fa145d9a57be7773fc826fe8d9348c2e98d158a3caa87770c
Tags
amadey healer redline 9c0adb discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

cd19ecafe6a0315fa145d9a57be7773fc826fe8d9348c2e98d158a3caa87770c

Threat Level: Known bad

The file cd19ecafe6a0315fa145d9a57be7773fc826fe8d9348c2e98d158a3caa87770c was found to be: Known bad.

Malicious Activity Summary

amadey healer redline 9c0adb discovery dropper evasion infostealer persistence trojan

Modifies Windows Defender Real-time Protection settings

RedLine

Redline family

Amadey

Amadey family

Healer

Healer family

Detects Healer an antivirus disabler dropper

RedLine payload

Windows security modification

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Scheduled Task/Job: Scheduled Task

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 00:56

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-10 00:56

Reported

2024-11-10 00:58

Platform

win10v2004-20241007-en

Max time kernel

142s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cd19ecafe6a0315fa145d9a57be7773fc826fe8d9348c2e98d158a3caa87770c.exe"

Signatures

Amadey

trojan amadey

Amadey family

amadey

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az762080.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az762080.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az762080.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az762080.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az762080.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az762080.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Redline family

redline

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu286232.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az762080.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki741926.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki102121.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki795295.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\cd19ecafe6a0315fa145d9a57be7773fc826fe8d9348c2e98d158a3caa87770c.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\cd19ecafe6a0315fa145d9a57be7773fc826fe8d9348c2e98d158a3caa87770c.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki741926.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu286232.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cf612071.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki102121.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki795295.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az762080.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az762080.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az762080.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cf612071.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1336 wrote to memory of 3456 N/A C:\Users\Admin\AppData\Local\Temp\cd19ecafe6a0315fa145d9a57be7773fc826fe8d9348c2e98d158a3caa87770c.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki741926.exe
PID 3456 wrote to memory of 4092 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki741926.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki102121.exe
PID 4092 wrote to memory of 4836 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki102121.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki795295.exe
PID 4836 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki795295.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az762080.exe
PID 4836 wrote to memory of 3880 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki795295.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu286232.exe
PID 3880 wrote to memory of 336 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu286232.exe C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
PID 4092 wrote to memory of 4076 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki102121.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cf612071.exe
PID 336 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 336 wrote to memory of 4148 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 4148 wrote to memory of 968 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4148 wrote to memory of 2364 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4148 wrote to memory of 4600 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4148 wrote to memory of 2468 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4148 wrote to memory of 4400 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4148 wrote to memory of 116 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe

Processes

C:\Users\Admin\AppData\Local\Temp\cd19ecafe6a0315fa145d9a57be7773fc826fe8d9348c2e98d158a3caa87770c.exe

"C:\Users\Admin\AppData\Local\Temp\cd19ecafe6a0315fa145d9a57be7773fc826fe8d9348c2e98d158a3caa87770c.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki741926.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki741926.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki102121.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki102121.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki795295.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki795295.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az762080.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az762080.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu286232.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu286232.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

"C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cf612071.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cf612071.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\cb7ae701b3" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\cb7ae701b3" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 193.3.19.154:80 tcp
RU 185.161.248.142:38452 tcp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp

Files

memory/1336-1-0x0000000004A00000-0x0000000004B15000-memory.dmp

memory/1336-2-0x0000000004BF0000-0x0000000004D01000-memory.dmp

memory/1336-3-0x0000000000400000-0x0000000000515000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki741926.exe

MD5 fd787ded7d81f4225f02fbbda4d701aa
SHA1 37068badb001ca45eb72e8205180018b092ff22c
SHA256 b4569d6d38b72a5add91a0d44346930a4768f159e12e136d46108e2c65ff0f84
SHA512 ce6f7ba739c0aa2cf94512bd72216b52d9ec44ea8fddadb9d983ef01fa739e91a7552fed05bae371a887020b08aa4a9e0198ad87872f24e4fcead7e3f3154756

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki102121.exe

MD5 164c0811d27c9d5c90cdfc9f1a29dc75
SHA1 0a5580ecffce9bb9853a144c832721a8424dbd75
SHA256 3ca19e61360c2f7036ed478f64576680fc366ab84f5762ce91def9b068e334d3
SHA512 98b132b08f0817d396394f04dfaecdb543fd7f4ebdc2bba969af63b6736d112e7715d75294050b52322545166ac25d1307c1dd604d58f820a3fbefdbe424582c

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki795295.exe

MD5 d900d5cb1a70475f439b5d5c376c79c3
SHA1 df4c6cfa35eb56a1f570dfad90fc824fb7993591
SHA256 8e40107d48d41bf340bc3d6537d19d93767a48d1fd9218ab4a1995cea0ce98bf
SHA512 aac9fc1c27e447c674e5bdbd60890b67a42b8992768bf4ac0f503f5255fc30aedb40631c5f09cc9a75e4ac7239aed5e7f384183193ad1d2377fb6aaa61bb0a8e

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az762080.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

memory/2388-32-0x0000000000400000-0x000000000040A000-memory.dmp

memory/1336-33-0x0000000004A00000-0x0000000004B15000-memory.dmp

memory/1336-35-0x0000000004BF0000-0x0000000004D01000-memory.dmp

memory/1336-34-0x0000000000400000-0x0000000002C98000-memory.dmp

memory/1336-36-0x0000000000400000-0x0000000000515000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu286232.exe

MD5 1304f384653e08ae497008ff13498608
SHA1 d9a76ed63d74d4217c5027757cb9a7a0d0093080
SHA256 2a9dabab35fb09085750e1cc762e32b0fe4cbd7ed4276ef7e68ba159ae330eaa
SHA512 4138217fd538e827c89db5c0cd4ea21bd8c8d3a7196d2eabf10412caf7b929479e768747df5fd92fc022d758f1840474530ba82dcb7e8672cc6eb88caeaf38c1

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cf612071.exe

MD5 a575feadd9e1ae1bd80c73ba15228c5b
SHA1 958aaee2a77c003f21fcead2b9724513a572f44b
SHA256 02af7c4bf4245d836254d8006fa1230b774337c0ee0a490b98e6ba5802e6404c
SHA512 c026477f698997bbc2fbd616e37a83fd71268ad0c2d728d78518a3362996c54ee433156b6f03ed499421cb8f40c577e94ab0fffbdeb7df60d733fa6c4ac6e987

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 00:56

Reported

2024-11-10 00:58

Platform

win7-20241010-en

Max time kernel

146s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cd19ecafe6a0315fa145d9a57be7773fc826fe8d9348c2e98d158a3caa87770c.exe"

Signatures

Amadey

trojan amadey

Amadey family

amadey

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az762080.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az762080.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az762080.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az762080.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az762080.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az762080.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Redline family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az762080.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az762080.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki102121.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki795295.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\cd19ecafe6a0315fa145d9a57be7773fc826fe8d9348c2e98d158a3caa87770c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki741926.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu286232.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\cd19ecafe6a0315fa145d9a57be7773fc826fe8d9348c2e98d158a3caa87770c.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki795295.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki741926.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki102121.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cf612071.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az762080.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az762080.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az762080.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cf612071.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu286232.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2792 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\cd19ecafe6a0315fa145d9a57be7773fc826fe8d9348c2e98d158a3caa87770c.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki741926.exe
PID 2288 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki741926.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki102121.exe
PID 2840 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki102121.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki795295.exe
PID 2336 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki795295.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az762080.exe
PID 2336 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki795295.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu286232.exe
PID 2336 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki795295.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu286232.exe
PID 2336 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki795295.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu286232.exe
PID 2336 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki795295.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu286232.exe
PID 2336 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki795295.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu286232.exe
PID 2336 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki795295.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu286232.exe
PID 2336 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki795295.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu286232.exe
PID 2824 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu286232.exe C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
PID 2824 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu286232.exe C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
PID 2824 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu286232.exe C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
PID 2824 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu286232.exe C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
PID 2824 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu286232.exe C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
PID 2824 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu286232.exe C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
PID 2824 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu286232.exe C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
PID 2840 wrote to memory of 1064 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki102121.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cf612071.exe
PID 2840 wrote to memory of 1064 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki102121.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cf612071.exe
PID 2840 wrote to memory of 1064 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki102121.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cf612071.exe
PID 2840 wrote to memory of 1064 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki102121.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cf612071.exe
PID 2840 wrote to memory of 1064 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki102121.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cf612071.exe
PID 2840 wrote to memory of 1064 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki102121.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cf612071.exe
PID 2840 wrote to memory of 1064 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki102121.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cf612071.exe
PID 2440 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 2440 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 2440 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 2440 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 2440 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 2440 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 2440 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 2440 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 2440 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 2440 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 2440 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 2440 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 2440 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 2440 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 1916 wrote to memory of 2500 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\cd19ecafe6a0315fa145d9a57be7773fc826fe8d9348c2e98d158a3caa87770c.exe

"C:\Users\Admin\AppData\Local\Temp\cd19ecafe6a0315fa145d9a57be7773fc826fe8d9348c2e98d158a3caa87770c.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki741926.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki741926.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki102121.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki102121.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki795295.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki795295.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az762080.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az762080.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu286232.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu286232.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

"C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cf612071.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cf612071.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\cb7ae701b3" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\cb7ae701b3" /P "Admin:R" /E

C:\Windows\system32\taskeng.exe

taskeng.exe {E1484604-27E7-4E6B-AE1E-7E91CA1F55F9} S-1-5-21-3692679935-4019334568-335155002-1000:BCXRJFKE\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Network

Country Destination Domain Proto
RU 193.3.19.154:80 tcp
RU 185.161.248.142:38452 tcp
RU 193.3.19.154:80 tcp
RU 185.161.248.142:38452 tcp
RU 185.161.248.142:38452 tcp
RU 193.3.19.154:80 tcp
RU 185.161.248.142:38452 tcp
RU 193.3.19.154:80 tcp
RU 185.161.248.142:38452 tcp
RU 193.3.19.154:80 tcp
RU 185.161.248.142:38452 tcp
RU 193.3.19.154:80 tcp
RU 185.161.248.142:38452 tcp

Files

memory/2792-0-0x00000000044A0000-0x00000000045A8000-memory.dmp

memory/2792-1-0x00000000044A0000-0x00000000045A8000-memory.dmp

memory/2792-2-0x00000000045B0000-0x00000000046C1000-memory.dmp

memory/2792-3-0x0000000000400000-0x0000000000515000-memory.dmp

\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki741926.exe

MD5 fd787ded7d81f4225f02fbbda4d701aa
SHA1 37068badb001ca45eb72e8205180018b092ff22c
SHA256 b4569d6d38b72a5add91a0d44346930a4768f159e12e136d46108e2c65ff0f84
SHA512 ce6f7ba739c0aa2cf94512bd72216b52d9ec44ea8fddadb9d983ef01fa739e91a7552fed05bae371a887020b08aa4a9e0198ad87872f24e4fcead7e3f3154756

\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki102121.exe

MD5 164c0811d27c9d5c90cdfc9f1a29dc75
SHA1 0a5580ecffce9bb9853a144c832721a8424dbd75
SHA256 3ca19e61360c2f7036ed478f64576680fc366ab84f5762ce91def9b068e334d3
SHA512 98b132b08f0817d396394f04dfaecdb543fd7f4ebdc2bba969af63b6736d112e7715d75294050b52322545166ac25d1307c1dd604d58f820a3fbefdbe424582c

\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki795295.exe

MD5 d900d5cb1a70475f439b5d5c376c79c3
SHA1 df4c6cfa35eb56a1f570dfad90fc824fb7993591
SHA256 8e40107d48d41bf340bc3d6537d19d93767a48d1fd9218ab4a1995cea0ce98bf
SHA512 aac9fc1c27e447c674e5bdbd60890b67a42b8992768bf4ac0f503f5255fc30aedb40631c5f09cc9a75e4ac7239aed5e7f384183193ad1d2377fb6aaa61bb0a8e

\Users\Admin\AppData\Local\Temp\IXP003.TMP\az762080.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

memory/2828-42-0x0000000000C80000-0x0000000000C8A000-memory.dmp

memory/2792-43-0x00000000044A0000-0x00000000045A8000-memory.dmp

memory/2792-45-0x00000000045B0000-0x00000000046C1000-memory.dmp

memory/2792-44-0x0000000000400000-0x0000000002C98000-memory.dmp

memory/2792-46-0x0000000000400000-0x0000000000515000-memory.dmp

\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu286232.exe

MD5 1304f384653e08ae497008ff13498608
SHA1 d9a76ed63d74d4217c5027757cb9a7a0d0093080
SHA256 2a9dabab35fb09085750e1cc762e32b0fe4cbd7ed4276ef7e68ba159ae330eaa
SHA512 4138217fd538e827c89db5c0cd4ea21bd8c8d3a7196d2eabf10412caf7b929479e768747df5fd92fc022d758f1840474530ba82dcb7e8672cc6eb88caeaf38c1

\Users\Admin\AppData\Local\Temp\IXP002.TMP\cf612071.exe

MD5 a575feadd9e1ae1bd80c73ba15228c5b
SHA1 958aaee2a77c003f21fcead2b9724513a572f44b
SHA256 02af7c4bf4245d836254d8006fa1230b774337c0ee0a490b98e6ba5802e6404c
SHA512 c026477f698997bbc2fbd616e37a83fd71268ad0c2d728d78518a3362996c54ee433156b6f03ed499421cb8f40c577e94ab0fffbdeb7df60d733fa6c4ac6e987

memory/1064-73-0x0000000004790000-0x00000000047CC000-memory.dmp

memory/1064-74-0x0000000004920000-0x000000000495A000-memory.dmp

memory/1064-86-0x0000000004920000-0x0000000004955000-memory.dmp

memory/1064-124-0x0000000004920000-0x0000000004955000-memory.dmp

memory/1064-136-0x0000000004920000-0x0000000004955000-memory.dmp

memory/1064-134-0x0000000004920000-0x0000000004955000-memory.dmp

memory/1064-132-0x0000000004920000-0x0000000004955000-memory.dmp

memory/1064-130-0x0000000004920000-0x0000000004955000-memory.dmp

memory/1064-128-0x0000000004920000-0x0000000004955000-memory.dmp

memory/1064-126-0x0000000004920000-0x0000000004955000-memory.dmp

memory/1064-122-0x0000000004920000-0x0000000004955000-memory.dmp

memory/1064-120-0x0000000004920000-0x0000000004955000-memory.dmp

memory/1064-119-0x0000000004920000-0x0000000004955000-memory.dmp

memory/1064-116-0x0000000004920000-0x0000000004955000-memory.dmp

memory/1064-114-0x0000000004920000-0x0000000004955000-memory.dmp

memory/1064-112-0x0000000004920000-0x0000000004955000-memory.dmp

memory/1064-110-0x0000000004920000-0x0000000004955000-memory.dmp

memory/1064-109-0x0000000004920000-0x0000000004955000-memory.dmp

memory/1064-106-0x0000000004920000-0x0000000004955000-memory.dmp

memory/1064-104-0x0000000004920000-0x0000000004955000-memory.dmp

memory/1064-102-0x0000000004920000-0x0000000004955000-memory.dmp

memory/1064-100-0x0000000004920000-0x0000000004955000-memory.dmp

memory/1064-98-0x0000000004920000-0x0000000004955000-memory.dmp

memory/1064-96-0x0000000004920000-0x0000000004955000-memory.dmp

memory/1064-94-0x0000000004920000-0x0000000004955000-memory.dmp

memory/1064-92-0x0000000004920000-0x0000000004955000-memory.dmp

memory/1064-90-0x0000000004920000-0x0000000004955000-memory.dmp

memory/1064-88-0x0000000004920000-0x0000000004955000-memory.dmp

memory/1064-84-0x0000000004920000-0x0000000004955000-memory.dmp

memory/1064-82-0x0000000004920000-0x0000000004955000-memory.dmp

memory/1064-80-0x0000000004920000-0x0000000004955000-memory.dmp

memory/1064-78-0x0000000004920000-0x0000000004955000-memory.dmp

memory/1064-76-0x0000000004920000-0x0000000004955000-memory.dmp

memory/1064-75-0x0000000004920000-0x0000000004955000-memory.dmp