Malware Analysis Report

2024-12-06 02:40

Sample ID 241110-bads5swckp
Target 77939730800183b3ec813041156311b689926ef3028cd6c6c15ed96d1712d87d
SHA256 77939730800183b3ec813041156311b689926ef3028cd6c6c15ed96d1712d87d
Tags
amadey healer redline 9c0adb discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

77939730800183b3ec813041156311b689926ef3028cd6c6c15ed96d1712d87d

Threat Level: Known bad

The file 77939730800183b3ec813041156311b689926ef3028cd6c6c15ed96d1712d87d was found to be: Known bad.

Malicious Activity Summary

Healer

RedLine

Detects Healer an antivirus disabler dropper

Amadey family

Modifies Windows Defender Real-time Protection settings

RedLine payload

Redline family

Amadey

Healer family

Checks computer location settings

Windows security modification

Executes dropped EXE

Adds Run key to start application

Enumerates physical storage devices

Program crash

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Scheduled Task/Job: Scheduled Task

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 00:56

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 00:56

Reported

2024-11-10 00:58

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\77939730800183b3ec813041156311b689926ef3028cd6c6c15ed96d1712d87d.exe"

Signatures

Amadey

trojan amadey

Amadey family

amadey

Detects Healer an antivirus disabler dropper

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\271050111.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\271050111.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\271050111.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\108499811.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\108499811.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\108499811.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\108499811.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\108499811.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\271050111.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\271050111.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\108499811.exe N/A

RedLine

infostealer redline

RedLine payload

Redline family

redline

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\331697016.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\108499811.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\108499811.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\271050111.exe N/A
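The two tables above (Real-time Protection policy values set to 1, then Features\TamperProtection set to 0) are the Healer stage's attempt to switch Defender off through the registry. On a host where Tamper Protection is enabled those policy values are ignored and the TamperProtection value is itself protected, so the writes are worth alerting on whether or not they took effect. The script below is an added example, not code from the report or from any sandbox: it parses rows in the report's own "Description Indicator Process Target" layout, folds the WOW6432Node view and the per-user SID hive into HKLM/HKCU form so 32-bit and 64-bit writers compare equal, and flags the Defender tampering (and, as an informational signal, the Geo\Nation lookup from the "Checks computer location settings" table). The sample rows are copied from the tables above except the svchost.exe row, which is constructed as a benign control.

```python
import re
from collections import defaultdict

# Constructed sample in the report's own "Description Indicator Process Target"
# row layout. The Defender and Geo\Nation rows are copied from the tables above;
# the svchost.exe row with value "0" is made up here as a benign control case.
SAMPLE_EVENTS = r"""
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\108499811.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\108499811.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\108499811.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\108499811.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\271050111.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\271050111.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "0" C:\Windows\System32\svchost.exe N/A
"""

# One row: operation, kernel-style key path (may contain spaces), optional = "value",
# then the process image and the target column (N/A in this report).
EVENT_RE = re.compile(
    r'^(?P<op>Set value \(\w+\)|Key created|Key opened|Key value queried) '
    r'(?P<path>\\REGISTRY\\.+?)'
    r'(?: = "(?P<value>[^"]*)")?'
    r' (?P<process>\S+) (?P<target>\S+)$'
)
USER_SID_RE = re.compile(r'^\\REGISTRY\\USER\\S-1-5-21-[\d-]+\\', re.I)

# Normalised (lower-case, HKLM/HKCU, no WOW6432Node) keys the rules look for.
RTP_POLICY = 'hklm\\software\\policies\\microsoft\\windows defender\\real-time protection'
RTP_DISABLE_VALUES = {
    'disablerealtimemonitoring', 'disablebehaviormonitoring', 'disableioavprotection',
    'disableonaccessprotection', 'disablescanonrealtimeenable',
}
TAMPER_VALUE = 'hklm\\software\\microsoft\\windows defender\\features\\tamperprotection'
GEO_VALUE = 'hkcu\\control panel\\international\\geo\\nation'


def normalize_key(path: str) -> str:
    """Map a kernel object path to the HKLM/HKCU form used in detection rules,
    folding the WOW6432Node view so 32-bit and 64-bit writers compare equal."""
    key = USER_SID_RE.sub(r'HKCU\\', path)
    key = re.sub(r'^\\REGISTRY\\MACHINE\\', r'HKLM\\', key, flags=re.I)
    key = key.replace('\\WOW6432Node\\', '\\')
    return key.lower()


def classify(op, key, value):
    """Return (severity, label) for one event, or None if it is not interesting."""
    parent, _, name = key.rpartition('\\')
    if op.startswith('Set value'):
        if parent == RTP_POLICY and name in RTP_DISABLE_VALUES and value == '1':
            return ('high', f'defender_rtp_policy:{name}=1')
        if key == TAMPER_VALUE and value == '0':
            return ('high', 'defender_tamper_protection=0')
    elif op == 'Key value queried' and key == GEO_VALUE:
        return ('info', 'geo_nation_lookup')
    return None


def analyze(events_text):
    """Parse report rows and group findings by the process that caused them."""
    findings = defaultdict(list)
    for line in events_text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = EVENT_RE.match(line)
        if not m:
            raise ValueError(f'unparsed event: {line}')
        hit = classify(m['op'], normalize_key(m['path']), m['value'])
        if hit:
            findings[m['process']].append(hit)
    return dict(findings)


def verdict(findings):
    """Processes that both set a real-time-protection disable policy and zeroed TamperProtection."""
    return sorted(
        proc for proc, hits in findings.items()
        if any(label.startswith('defender_rtp_policy') for _, label in hits)
        and any(label == 'defender_tamper_protection=0' for _, label in hits)
    )


if __name__ == '__main__':
    result = analyze(SAMPLE_EVENTS)
    for proc, hits in result.items():
        print(proc)
        for severity, label in hits:
            print(f'    [{severity}] {label}')
    print('Defender tampering by:', verdict(result))
```

Both IXP003.TMP stages come out of verdict(); the cmd.exe NLS\Language row and the constructed svchost.exe row (value 0 means the protection stays on) produce nothing. To run this against a real report, paste the rows of any registry signature table into SAMPLE_EVENTS or feed the text through analyze() directly.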

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\77939730800183b3ec813041156311b689926ef3028cd6c6c15ed96d1712d87d.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Nc550968.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qC913789.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\OY726052.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\77939730800183b3ec813041156311b689926ef3028cd6c6c15ed96d1712d87d.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Nc550968.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qC913789.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\271050111.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\403104661.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\OY726052.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\108499811.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\331697016.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\108499811.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\271050111.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\403104661.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\331697016.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2884 wrote to memory of 2584 (x3) N/A C:\Users\Admin\AppData\Local\Temp\77939730800183b3ec813041156311b689926ef3028cd6c6c15ed96d1712d87d.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Nc550968.exe
PID 2584 wrote to memory of 2952 (x3) N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Nc550968.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qC913789.exe
PID 2952 wrote to memory of 3128 (x3) N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qC913789.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\OY726052.exe
PID 3128 wrote to memory of 3424 (x3) N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\OY726052.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\108499811.exe
PID 3128 wrote to memory of 4908 (x3) N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\OY726052.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\271050111.exe
PID 2952 wrote to memory of 4844 (x3) N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qC913789.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\331697016.exe
PID 4844 wrote to memory of 3640 (x3) N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\331697016.exe C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
PID 2584 wrote to memory of 3552 (x3) N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Nc550968.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\403104661.exe
PID 3640 wrote to memory of 4540 (x3) N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 3640 wrote to memory of 2260 (x3) N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 2260 wrote to memory of 4564 (x3) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2260 wrote to memory of 2968 (x3) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2260 wrote to memory of 4404 (x3) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2260 wrote to memory of 4400 (x3) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2260 wrote to memory of 5004 (x3) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2260 wrote to memory of 3992 (x3) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
(x3: the capture logged each parent-to-child write three times; identical rows are collapsed here.)
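The WriteProcessMemory rows are the cleanest record of the process lineage in this report: each parent writes into the child it has just created, so the rows double as a parent/child map. The IXP00n.TMP directories and the wextract_cleanupN RunOnce values seen earlier are what the Windows WEXTRACT self-extractor (IExpress packages) leaves behind, so every IXP stage is another nested self-extracting archive. The script below is an added example (not code from the report or from the sandbox) that rebuilds the tree from rows in the report's layout, collapses the triplicated rows into a per-edge count, and measures how deeply the self-extractor stages are nested. The sample rows are a subset of the table above; only the first two edges keep their three copies so the de-duplication is visible.

```python
import re
from collections import Counter, defaultdict

# Constructed subset of the "Suspicious use of WriteProcessMemory" rows above, in
# the report's own layout. The first two edges keep their three copies, as logged;
# the remaining edges are listed once each to keep the sample short.
SAMPLE_ROWS = r"""
PID 2884 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\77939730800183b3ec813041156311b689926ef3028cd6c6c15ed96d1712d87d.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Nc550968.exe
PID 2884 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\77939730800183b3ec813041156311b689926ef3028cd6c6c15ed96d1712d87d.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Nc550968.exe
PID 2884 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\77939730800183b3ec813041156311b689926ef3028cd6c6c15ed96d1712d87d.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Nc550968.exe
PID 2584 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Nc550968.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qC913789.exe
PID 2584 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Nc550968.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qC913789.exe
PID 2584 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Nc550968.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qC913789.exe
PID 2952 wrote to memory of 3128 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qC913789.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\OY726052.exe
PID 3128 wrote to memory of 3424 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\OY726052.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\108499811.exe
PID 3128 wrote to memory of 4908 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\OY726052.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\271050111.exe
PID 2952 wrote to memory of 4844 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qC913789.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\331697016.exe
PID 4844 wrote to memory of 3640 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\331697016.exe C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
PID 2584 wrote to memory of 3552 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Nc550968.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\403104661.exe
PID 3640 wrote to memory of 4540 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 3640 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 2260 wrote to memory of 2968 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
"""

ROW_RE = re.compile(
    r'^PID (?P<ppid>\d+) wrote to memory of (?P<pid>\d+) N/A (?P<parent>\S+) (?P<child>\S+)$'
)
# Images living in %TEMP%\IXPnnn.TMP were unpacked by a WEXTRACT self-extractor stage.
WEXTRACT_STAGE = re.compile(r'\\IXP\d{3}\.TMP\\', re.I)


def parse_rows(text):
    """Return ({pid: image}, Counter{(ppid, pid): row count}); duplicates are counted, not kept."""
    image, edges = {}, Counter()
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if not m:
            raise ValueError(f'unparsed row: {line}')
        ppid, pid = int(m['ppid']), int(m['pid'])
        image[ppid], image[pid] = m['parent'], m['child']
        edges[(ppid, pid)] += 1
    return image, edges


def build_tree(edges):
    """Roots are PIDs that wrote into others but were never written into themselves."""
    children = defaultdict(list)
    for ppid, pid in edges:
        children[ppid].append(pid)
    written_into = {pid for _, pid in edges}
    roots = sorted({ppid for ppid, _ in edges} - written_into)
    return roots, children


def render(pid, children, image, edges, depth=0, parent=None, lines=None):
    """Indented process tree; each child shows how many rows its parent logged for it."""
    if lines is None:
        lines = []
    name = image[pid].rsplit('\\', 1)[-1]
    stage = ' [WExtract stage]' if WEXTRACT_STAGE.search(image[pid]) else ''
    writes = f' ({edges[(parent, pid)]} writes)' if parent is not None else ''
    lines.append('    ' * depth + f'{pid} {name}{stage}{writes}')
    for child in sorted(children.get(pid, [])):
        render(child, children, image, edges, depth + 1, pid, lines)
    return lines


def chains(pid, children, prefix=()):
    """All root-to-leaf PID paths below pid."""
    path = prefix + (pid,)
    kids = children.get(pid, [])
    if not kids:
        return [path]
    return [c for kid in sorted(kids) for c in chains(kid, children, path)]


def nested_sfx_depth(image, paths):
    """Deepest run of self-extractor stages on any chain (a nesting depth of 4 here)."""
    return max(sum(1 for pid in path if WEXTRACT_STAGE.search(image[pid])) for path in paths)


if __name__ == '__main__':
    image, edges = parse_rows(SAMPLE_ROWS)
    roots, children = build_tree(edges)
    for root in roots:
        print('\n'.join(render(root, children, image, edges)))
    print('nested self-extractor depth:', nested_sfx_depth(image, chains(roots[0], children)))
```

The output shows one root (the submitted sample), four nested IXP stages before the Healer payloads in IXP003.TMP, and a second branch through 331697016.exe to oneetx.exe, which spawns schtasks.exe and the cmd.exe/cacls.exe chain. A nesting depth that high from a file in %TEMP% is itself a good hunting signal, independent of any family signature.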

Processes

C:\Users\Admin\AppData\Local\Temp\77939730800183b3ec813041156311b689926ef3028cd6c6c15ed96d1712d87d.exe

"C:\Users\Admin\AppData\Local\Temp\77939730800183b3ec813041156311b689926ef3028cd6c6c15ed96d1712d87d.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Nc550968.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Nc550968.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qC913789.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qC913789.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\OY726052.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\OY726052.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\108499811.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\108499811.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\271050111.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\271050111.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4908 -ip 4908

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 1080

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\331697016.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\331697016.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

"C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\403104661.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\403104661.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\cb7ae701b3" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\cb7ae701b3" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
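The schtasks and cmd.exe command lines above are the Amadey stage's persistence and self-protection: a task that re-launches oneetx.exe from %TEMP% every minute (consistent with the repeated oneetx.exe entries at the end of the list), and a CACLS sequence that first replaces the ACL on the file and its folder with "Admin:N" (no access for the logged-on user; echo Y answers the confirmation prompt), then re-adds read access with /P "Admin:R" /E so the user can no longer modify or delete either without first resetting the ACL. The script below is an added example, not code from the report or from the sandbox: it splits a cmd.exe /k command string on && and |, tokenises Windows-style command lines, flags the every-minute task and the ACL denial, and derives the cleanup commands (schtasks /Delete and icacls /reset) an analyst would run. The CACLS paths are relative to the working directory of the process that ran them (here the cb7ae701b3 folder), so the generated icacls commands must be run from that directory or the paths resolved first. The fourth sample command line is a constructed benign control.

```python
import re

# Constructed sample: the schtasks, cmd.exe and CACLS command lines from the
# process list above, plus one benign schtasks invocation made up here as a control.
SAMPLE_CMDLINES = [
    r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F',
    r'"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit',
    r'CACLS "oneetx.exe" /P "Admin:N"',
    r'"C:\Windows\System32\schtasks.exe" /Create /SC DAILY /TN Backup /TR "C:\Program Files\Backup\run.exe"',  # constructed benign control
]

CMD_RE = re.compile(r'^"?(?:.*\\)?cmd\.exe"?\s+/[kc]\s+(?P<body>.*)$', re.I)
TEMP_RE = re.compile(r'\\AppData\\Local\\Temp\\', re.I)


def split_cmd_chain(body):
    """Split a cmd.exe command string on && and | that sit outside double quotes."""
    parts, buf, quoted, i = [], '', False, 0
    while i < len(body):
        if body[i] == '"':
            quoted = not quoted
        if not quoted and body.startswith('&&', i):
            parts.append(buf); buf = ''; i += 2
            continue
        if not quoted and body[i] == '|':
            parts.append(buf); buf = ''; i += 1
            continue
        buf += body[i]
        i += 1
    parts.append(buf)
    return [p.strip() for p in parts if p.strip()]


def tokenize(cmd):
    """Windows-style argv split: whitespace separated, double quotes group and are stripped."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmd)]


def parse_switches(argv):
    """Map /SWITCH -> following value ('' when the switch takes none), keys upper-cased."""
    opts, i = {}, 1
    while i < len(argv):
        tok = argv[i]
        if tok.startswith('/'):
            has_val = i + 1 < len(argv) and not argv[i + 1].startswith('/')
            opts[tok[1:].upper()] = argv[i + 1] if has_val else ''
            i += 2 if has_val else 1
        else:
            i += 1
    return opts


def analyze(cmdlines):
    """Return (severity, label, target) findings for task- and ACL-based persistence."""
    findings = []
    for line in cmdlines:
        m = CMD_RE.match(line)
        commands = split_cmd_chain(m['body']) if m else [line]
        for cmd in commands:
            argv = tokenize(cmd)
            if not argv:
                continue
            exe = argv[0].rsplit('\\', 1)[-1].lower()
            opts = parse_switches(argv)
            if exe in ('schtasks.exe', 'schtasks') and 'CREATE' in opts:
                every_few_minutes = (opts.get('SC', '').upper() == 'MINUTE'
                                     and int(opts.get('MO') or '1') <= 5)
                from_temp = bool(TEMP_RE.search(opts.get('TR', '')))
                if every_few_minutes and from_temp:
                    findings.append(('high', 'schtasks_minute_task_from_temp', opts.get('TN', '')))
                elif from_temp:
                    findings.append(('medium', 'schtasks_task_from_temp', opts.get('TN', '')))
            elif exe in ('cacls.exe', 'cacls') and opts.get('P', '').upper().endswith(':N'):
                # /P user:N without /E replaces the whole ACL with a no-access entry.
                findings.append(('medium', 'cacls_deny_user', argv[1]))
    return findings


def remediation(findings):
    """Cleanup commands derived from the findings (run icacls from the malware's working dir)."""
    tasks = sorted({t for _, label, t in findings if label.startswith('schtasks_')})
    paths = sorted({t for _, label, t in findings if label == 'cacls_deny_user'})
    return ([f'schtasks /Delete /TN "{t}" /F' for t in tasks]
            + [f'icacls "{p}" /reset' for p in paths])


if __name__ == '__main__':
    found = analyze(SAMPLE_CMDLINES)
    for severity, label, target in found:
        print(f'[{severity}] {label}: {target}')
    print('cleanup:', *remediation(found), sep='\n  ')
```

The every-minute interval is what separates this from ordinary software updaters: a task under /SC MINUTE /MO 1 whose /TR points into %TEMP% almost never has a legitimate owner, so the rule treats the combination as high severity and a Temp-based task on a longer schedule as medium.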

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 193.3.19.154:80 - tcp
RU 185.161.248.143:38452 - tcp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
RU 185.161.248.143:38452 - tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
RU 185.161.248.143:38452 - tcp
RU 193.3.19.154:80 - tcp
RU 185.161.248.143:38452 - tcp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
RU 193.3.19.154:80 - tcp
RU 185.161.248.143:38452 - tcp
RU 193.3.19.154:80 - tcp
RU 185.161.248.143:38452 - tcp
US 8.8.8.8:53 - udp
Rows with "-" in the Domain column are connections made straight to the IP address, with no name lookup recorded for them; repeated rows are separate connections to the same endpoint. The only name queries in the capture are reverse (in-addr.arpa) lookups, so the two RU endpoints (193.3.19.154:80 and 185.161.248.143:38452) are the network indicators to block or hunt for.

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Nc550968.exe

MD5 f0ba51fec2c673a12c1e9ccfa65b6a72
SHA1 e842e7bb427e0eb043de5e387374c85aac33f7ac
SHA256 8182c85a30579fcffef15b2124b8270e4255e01f2730779f0aa68dd5ce0a01d1
SHA512 755d15f3397cb9280a19c965dfde3905bd7a837061809046b19d65c287651f5e7906fa6f0aa90593a980c13135f4c7ad3c2fe7095f126deaad965297de087fe7

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qC913789.exe

MD5 87a7f7c88de6778036898f5c9b64a32d
SHA1 8a20228bb372231d22580a14c77bf4a0e1f6e31f
SHA256 ef8146e574d3e59180cfc0c2c0e922f4bb58067ca7dce57dc037004eeb58a192
SHA512 f8e6bc41cb0eb4b6922b644739f099aa2e0974cc4ccce642f32530c7b55d842b567a9b3966105f915a6fbec1836ae45c37c3feaca7fe9cb953b18adaa8a3362e

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\OY726052.exe

MD5 d63f74c76a4a895e1ac66486c58fb584
SHA1 f5f128ab5bb1308e1f0c452878327e159d8c47c2
SHA256 5558a583c904a43a8bb8d60870a03f2ebb280023c1dfc6d47124aa61d8507940
SHA512 8ef3f1551529339721bbb5159a714f62bd9b283158ca0ae15915d2bec0493236b54601e4893ec933fd7cc88387e3ff970dc7026b6866bc5fb00d6eaa3f0d21eb

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\108499811.exe

MD5 a165b5f6b0a4bdf808b71de57bf9347d
SHA1 39a7b301e819e386c162a47e046fa384bb5ab437
SHA256 68349ed349ed7bbb9a279ac34ea4984206a1a1b3b73587fd1b109d55391af09a
SHA512 3dd6ca63a2aecb2a0599f0b918329e75b92eb5259d6986bd8d41cb8ebcf7b965bbd12786929d61743ae8613c2e180078f2eed2835ccb54378cd343c4a048c1a1

memory/3424-28-0x00000000007D0000-0x00000000007EA000-memory.dmp

memory/3424-29-0x0000000004AA0000-0x0000000005044000-memory.dmp

memory/3424-30-0x0000000004980000-0x0000000004998000-memory.dmp

memory/3424-31-0x0000000004980000-0x0000000004993000-memory.dmp

memory/3424-42-0x0000000004980000-0x0000000004993000-memory.dmp

memory/3424-56-0x0000000004980000-0x0000000004993000-memory.dmp

memory/3424-54-0x0000000004980000-0x0000000004993000-memory.dmp

memory/3424-52-0x0000000004980000-0x0000000004993000-memory.dmp

memory/3424-50-0x0000000004980000-0x0000000004993000-memory.dmp

memory/3424-48-0x0000000004980000-0x0000000004993000-memory.dmp

memory/3424-46-0x0000000004980000-0x0000000004993000-memory.dmp

memory/3424-45-0x0000000004980000-0x0000000004993000-memory.dmp

memory/3424-58-0x0000000004980000-0x0000000004993000-memory.dmp

memory/3424-40-0x0000000004980000-0x0000000004993000-memory.dmp

memory/3424-38-0x0000000004980000-0x0000000004993000-memory.dmp

memory/3424-36-0x0000000004980000-0x0000000004993000-memory.dmp

memory/3424-34-0x0000000004980000-0x0000000004993000-memory.dmp

memory/3424-32-0x0000000004980000-0x0000000004993000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\271050111.exe

MD5 1e7b1d24018d71b00a318b298524beac
SHA1 18690ba006911c68483d7419cf6335ea1c5ff075
SHA256 b9cd0347cdec7364b1887e0fbd39edf9786be18f5edab0de00cff338a220c302
SHA512 38a28d7c61836a3855ce863693a3f2e8296673c0ed71b03d01ae55e8aef4d74fa340c0d35af29ab05766543f0f6108f8ab5955290786a1f49a7b99a427166b16

memory/4908-92-0x0000000000400000-0x0000000000455000-memory.dmp

memory/4908-94-0x0000000000400000-0x0000000000455000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\331697016.exe

MD5 1304f384653e08ae497008ff13498608
SHA1 d9a76ed63d74d4217c5027757cb9a7a0d0093080
SHA256 2a9dabab35fb09085750e1cc762e32b0fe4cbd7ed4276ef7e68ba159ae330eaa
SHA512 4138217fd538e827c89db5c0cd4ea21bd8c8d3a7196d2eabf10412caf7b929479e768747df5fd92fc022d758f1840474530ba82dcb7e8672cc6eb88caeaf38c1

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\403104661.exe

MD5 5c5ec010413b95672947ad0a10b345e9
SHA1 1368c433c235998b35834fd6ac289dc127c844ed
SHA256 b6335a8a354f5898aca88c04de6995afe6a47fa442eb4b9823ff8e35b2a1f732
SHA512 9263aa29b09c78cf9ef352164fdad32cb85913f619ebebf9de9409ecb0809d5c31979c93448fad903b550efe28309f7d869e9670cdc795beca45a468476b8290

memory/3552-112-0x0000000002590000-0x00000000025CC000-memory.dmp

memory/3552-113-0x0000000005060000-0x000000000509A000-memory.dmp

memory/3552-119-0x0000000005060000-0x0000000005095000-memory.dmp

memory/3552-117-0x0000000005060000-0x0000000005095000-memory.dmp

memory/3552-115-0x0000000005060000-0x0000000005095000-memory.dmp

memory/3552-114-0x0000000005060000-0x0000000005095000-memory.dmp

memory/3552-906-0x0000000007560000-0x0000000007B78000-memory.dmp

memory/3552-907-0x0000000007BF0000-0x0000000007C02000-memory.dmp

memory/3552-908-0x0000000007C10000-0x0000000007D1A000-memory.dmp

memory/3552-909-0x0000000007D30000-0x0000000007D6C000-memory.dmp

memory/3552-910-0x0000000002370000-0x00000000023BC000-memory.dmp