Malware Analysis Report

2024-12-06 03:01

Sample ID 241110-cd6trsxaqp
Target 1af89849bf4c1c794b611f5ccebad50b9c6c0b679fecdfde6a1ede6ff27340fa
SHA256 1af89849bf4c1c794b611f5ccebad50b9c6c0b679fecdfde6a1ede6ff27340fa
Tags
amadey healer redline 9c0adb discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

1af89849bf4c1c794b611f5ccebad50b9c6c0b679fecdfde6a1ede6ff27340fa

Threat Level: Known bad

The file 1af89849bf4c1c794b611f5ccebad50b9c6c0b679fecdfde6a1ede6ff27340fa was found to be: Known bad.

Malicious Activity Summary

amadey healer redline 9c0adb discovery dropper evasion infostealer persistence trojan

Modifies Windows Defender Real-time Protection settings

RedLine

Healer

Redline family

Amadey

Detects Healer an antivirus disabler dropper

Amadey family

Healer family

RedLine payload

Windows security modification

Checks computer location settings

Executes dropped EXE

Adds Run key to start application

Program crash

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Scheduled Task/Job: Scheduled Task

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 01:58

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 01:58

Reported

2024-11-10 02:01

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1af89849bf4c1c794b611f5ccebad50b9c6c0b679fecdfde6a1ede6ff27340fa.exe"

Signatures

Amadey

trojan amadey

Amadey family

amadey

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A (17 matching entries, no details shown)

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\118665113.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\228679359.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\228679359.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\228679359.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\118665113.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\228679359.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\228679359.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\118665113.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\118665113.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\118665113.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\118665113.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A (6 matching entries, no details shown)

Redline family

redline

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\340733027.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\118665113.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\228679359.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\118665113.exe N/A
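The two Defender tables above (the Real-Time Protection policy values and Features\TamperProtection) are the defence-evasion step of this detonation: both IXP003 droppers write the five Disable* policy values to 1 and TamperProtection to 0. The Python below is an added example, not part of the sandbox report and not code from any of the malware families, that turns rows of that shape into a per-process finding list. The registry rows are copied from the tables above, with one row from the "Checks computer location settings" table included to show a non-match; the ATT&CK mapping (T1562.001, Impair Defenses: Disable or Modify Tools) and the decision to ignore the WOW6432Node component, so the 32-bit and native 64-bit paths hit the same rule, are the editor's. Two caveats for a responder: these are all HKLM writes, so the dropper needed administrative rights to make them, and on a host where Defender Tamper Protection is enabled these policy and Features values are protected and such writes are not honoured.

```python
"""Flag Windows Defender tampering in sandbox registry rows (added example)."""
import re
from collections import defaultdict

# Key paths and processes exactly as they appear in the report's two evasion tables.
POL = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection"
FEAT = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features"
P1 = r"C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\118665113.exe"
P2 = r"C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\228679359.exe"
P3 = r"C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\340733027.exe"

EVENTS = [
    f"Key created {POL} {P1} N/A",
    f'Set value (int) {POL}\\DisableOnAccessProtection = "1" {P2} N/A',
    f'Set value (int) {POL}\\DisableRealtimeMonitoring = "1" {P2} N/A',
    f'Set value (int) {POL}\\DisableScanOnRealtimeEnable = "1" {P2} N/A',
    f'Set value (int) {POL}\\DisableScanOnRealtimeEnable = "1" {P1} N/A',
    f'Set value (int) {POL}\\DisableBehaviorMonitoring = "1" {P2} N/A',
    f'Set value (int) {POL}\\DisableIOAVProtection = "1" {P2} N/A',
    f'Set value (int) {POL}\\DisableBehaviorMonitoring = "1" {P1} N/A',
    f'Set value (int) {POL}\\DisableIOAVProtection = "1" {P1} N/A',
    f'Set value (int) {POL}\\DisableOnAccessProtection = "1" {P1} N/A',
    f'Set value (int) {POL}\\DisableRealtimeMonitoring = "1" {P1} N/A',
    f'Set value (int) {FEAT}\\TamperProtection = "0" {P1} N/A',
    f'Set value (int) {FEAT}\\TamperProtection = "0" {P2} N/A',
    f"Key created {FEAT} {P1} N/A",
    # Row from the report's discovery table: same shape, must NOT produce a finding.
    r"Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000"
    r"\Control Panel\International\Geo\Nation " + P3 + " N/A",
]

# Policy values that switch off a Defender real-time component when set to 1.
RTP_DISABLE_VALUES = {
    "DisableRealtimeMonitoring", "DisableOnAccessProtection",
    "DisableScanOnRealtimeEnable", "DisableBehaviorMonitoring",
    "DisableIOAVProtection",
}
RTP_POLICY_KEY = r"\policies\microsoft\windows defender\real-time protection"
FEATURES_KEY = r"\microsoft\windows defender\features"

SET_RE = re.compile(r'^Set value \((?:int|str)\) (?P<path>.+?) = "(?P<val>[^"]*)" (?P<proc>\S+) \S+$')
CREATE_RE = re.compile(r"^Key created (?P<path>.+?) (?P<proc>\S+) \S+$")


def normalise_key(key):
    """Lower-case and drop the WOW6432Node hop so 32-bit and 64-bit views hit the same rule."""
    return key.lower().replace(r"\wow6432node", "")


def classify_event(line):
    """Return (finding, process) for a Defender-tampering row, or None for anything else."""
    m = SET_RE.match(line)
    if m:
        key, _, name = m["path"].rpartition("\\")
        key, val = normalise_key(key), m["val"]
        if key.endswith(RTP_POLICY_KEY) and name in RTP_DISABLE_VALUES and val == "1":
            return f"T1562.001 policy {name}=1", m["proc"]
        if key.endswith(FEATURES_KEY) and name == "TamperProtection" and val == "0":
            return "T1562.001 TamperProtection=0", m["proc"]
        return None
    m = CREATE_RE.match(line)
    if m:
        key = normalise_key(m["path"])
        if key.endswith(RTP_POLICY_KEY) or key.endswith(FEATURES_KEY):
            tail = key.rsplit("\\", 1)[-1]
            return f"key created: {tail}", m["proc"]
    return None


def summarise(lines):
    """Map each process to its distinct findings, in order of first appearance."""
    per_proc = defaultdict(list)
    for line in lines:
        hit = classify_event(line)
        if hit and hit[0] not in per_proc[hit[1]]:
            per_proc[hit[1]].append(hit[0])
    return dict(per_proc)


if __name__ == "__main__":
    for proc, findings in summarise(EVENTS).items():
        print(proc)
        for finding in findings:
            print("   ", finding)
```

Run as a script it prints eight findings for 118665113.exe (both key creations, the five policy values and TamperProtection) and six for 228679359.exe; the Geo\Nation row produces nothing. The same classifier can be pointed at Sysmon Event ID 13 (RegistryEvent Value Set) data once the fields are joined into this row shape.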

Adds Run key to start application

persistence
Note: the four wextract_cleanupN values below are written by the Windows self-extractor stub (wextract, the IExpress runtime) that wraps each layer of this sample, not by the payload; rundll32 advpack.dll,DelNodeRunDLL32 deletes the matching IXP00n.TMP extraction directory on the next logon. They document a four-layer nested self-extractor (IXP000 through IXP003) rather than malware-authored persistence; the persistence in this detonation is the one-minute oneetx.exe scheduled task listed under Processes.
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\WS820996.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\1af89849bf4c1c794b611f5ccebad50b9c6c0b679fecdfde6a1ede6ff27340fa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zZ037158.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\lU322734.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zZ037158.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\118665113.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\WS820996.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\228679359.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\475106733.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1af89849bf4c1c794b611f5ccebad50b9c6c0b679fecdfde6a1ede6ff27340fa.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\lU322734.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\340733027.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\118665113.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\228679359.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\475106733.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 956 wrote to memory of 4020 N/A C:\Users\Admin\AppData\Local\Temp\1af89849bf4c1c794b611f5ccebad50b9c6c0b679fecdfde6a1ede6ff27340fa.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zZ037158.exe
PID 956 wrote to memory of 4020 N/A C:\Users\Admin\AppData\Local\Temp\1af89849bf4c1c794b611f5ccebad50b9c6c0b679fecdfde6a1ede6ff27340fa.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zZ037158.exe
PID 956 wrote to memory of 4020 N/A C:\Users\Admin\AppData\Local\Temp\1af89849bf4c1c794b611f5ccebad50b9c6c0b679fecdfde6a1ede6ff27340fa.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zZ037158.exe
PID 4020 wrote to memory of 2348 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zZ037158.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\lU322734.exe
PID 4020 wrote to memory of 2348 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zZ037158.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\lU322734.exe
PID 4020 wrote to memory of 2348 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zZ037158.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\lU322734.exe
PID 2348 wrote to memory of 3636 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\lU322734.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\WS820996.exe
PID 2348 wrote to memory of 3636 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\lU322734.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\WS820996.exe
PID 2348 wrote to memory of 3636 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\lU322734.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\WS820996.exe
PID 3636 wrote to memory of 5008 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\WS820996.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\118665113.exe
PID 3636 wrote to memory of 5008 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\WS820996.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\118665113.exe
PID 3636 wrote to memory of 5008 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\WS820996.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\118665113.exe
PID 3636 wrote to memory of 4052 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\WS820996.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\228679359.exe
PID 3636 wrote to memory of 4052 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\WS820996.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\228679359.exe
PID 3636 wrote to memory of 4052 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\WS820996.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\228679359.exe
PID 2348 wrote to memory of 4992 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\lU322734.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\340733027.exe
PID 2348 wrote to memory of 4992 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\lU322734.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\340733027.exe
PID 2348 wrote to memory of 4992 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\lU322734.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\340733027.exe
PID 4992 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\340733027.exe C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
PID 4992 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\340733027.exe C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
PID 4992 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\340733027.exe C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
PID 4020 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zZ037158.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\475106733.exe
PID 4020 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zZ037158.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\475106733.exe
PID 4020 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zZ037158.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\475106733.exe
PID 2928 wrote to memory of 1152 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 2928 wrote to memory of 1152 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 2928 wrote to memory of 1152 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 2928 wrote to memory of 5060 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 2928 wrote to memory of 5060 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 2928 wrote to memory of 5060 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 5060 wrote to memory of 2392 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 5060 wrote to memory of 2392 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 5060 wrote to memory of 2392 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 5060 wrote to memory of 960 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 5060 wrote to memory of 960 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 5060 wrote to memory of 960 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 5060 wrote to memory of 4140 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 5060 wrote to memory of 4140 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 5060 wrote to memory of 4140 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 5060 wrote to memory of 4996 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 5060 wrote to memory of 4996 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 5060 wrote to memory of 4996 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 5060 wrote to memory of 3820 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 5060 wrote to memory of 3820 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 5060 wrote to memory of 3820 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 5060 wrote to memory of 1756 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 5060 wrote to memory of 1756 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 5060 wrote to memory of 1756 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
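Every row in the table above is a parent writing into a child it has just started (the sandbox records the writes in threes), which is consistent with ordinary process start-up rather than injection into a foreign process; the value of the table is the parent-child graph it encodes. The Python below is an added example, not part of the report, that parses rows of this shape, collapses the repeats, prints the process tree, gives the lineage of a PID and lists the points where a Temp-resident executable started a binary under the Windows directory (here the Amadey copy oneetx.exe launching schtasks.exe and cmd.exe). The sample rows are copied from the table; the first edge is kept in triplicate to show the de-duplication.

```python
"""Rebuild the detonation's process tree from WriteProcessMemory rows (added example)."""
import re
from collections import defaultdict

ROW_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) N/A (?P<src_img>\S+) (?P<dst_img>\S+)$"
)

# Path prefixes as they appear in the report; rows below are copied from the table.
T = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"
S = "C:\\Windows\\SysWOW64\\"
SAMPLE = "1af89849bf4c1c794b611f5ccebad50b9c6c0b679fecdfde6a1ede6ff27340fa.exe"

ROWS = [
    rf"PID 956 wrote to memory of 4020 N/A {T}{SAMPLE} {T}IXP000.TMP\zZ037158.exe",
    rf"PID 956 wrote to memory of 4020 N/A {T}{SAMPLE} {T}IXP000.TMP\zZ037158.exe",
    rf"PID 956 wrote to memory of 4020 N/A {T}{SAMPLE} {T}IXP000.TMP\zZ037158.exe",
    rf"PID 4020 wrote to memory of 2348 N/A {T}IXP000.TMP\zZ037158.exe {T}IXP001.TMP\lU322734.exe",
    rf"PID 2348 wrote to memory of 3636 N/A {T}IXP001.TMP\lU322734.exe {T}IXP002.TMP\WS820996.exe",
    rf"PID 3636 wrote to memory of 5008 N/A {T}IXP002.TMP\WS820996.exe {T}IXP003.TMP\118665113.exe",
    rf"PID 3636 wrote to memory of 4052 N/A {T}IXP002.TMP\WS820996.exe {T}IXP003.TMP\228679359.exe",
    rf"PID 2348 wrote to memory of 4992 N/A {T}IXP001.TMP\lU322734.exe {T}IXP002.TMP\340733027.exe",
    rf"PID 4992 wrote to memory of 2928 N/A {T}IXP002.TMP\340733027.exe {T}cb7ae701b3\oneetx.exe",
    rf"PID 4020 wrote to memory of 3032 N/A {T}IXP000.TMP\zZ037158.exe {T}IXP001.TMP\475106733.exe",
    rf"PID 2928 wrote to memory of 1152 N/A {T}cb7ae701b3\oneetx.exe {S}schtasks.exe",
    rf"PID 2928 wrote to memory of 5060 N/A {T}cb7ae701b3\oneetx.exe {S}cmd.exe",
    rf"PID 5060 wrote to memory of 2392 N/A {S}cmd.exe {S}cmd.exe",
    rf"PID 5060 wrote to memory of 960 N/A {S}cmd.exe {S}cacls.exe",
    rf"PID 5060 wrote to memory of 4140 N/A {S}cmd.exe {S}cacls.exe",
    rf"PID 5060 wrote to memory of 4996 N/A {S}cmd.exe {S}cmd.exe",
    rf"PID 5060 wrote to memory of 3820 N/A {S}cmd.exe {S}cacls.exe",
    rf"PID 5060 wrote to memory of 1756 N/A {S}cmd.exe {S}cacls.exe",
]


def basename(path):
    return path.rsplit("\\", 1)[-1]


def parse_edges(rows):
    """Return {(src_pid, dst_pid): (src_image, dst_image)}, first occurrence wins."""
    edges = {}
    for row in rows:
        m = ROW_RE.match(row)
        if m is None:
            continue
        edges.setdefault((int(m["src"]), int(m["dst"])), (m["src_img"], m["dst_img"]))
    return edges


def build_tree(edges):
    """Children per PID, image per PID, and the PIDs nobody wrote into (the roots)."""
    children, images, targets = defaultdict(list), {}, set()
    for (src, dst), (src_img, dst_img) in edges.items():
        children[src].append(dst)
        images.setdefault(src, src_img)
        images.setdefault(dst, dst_img)
        targets.add(dst)
    roots = [pid for pid in images if pid not in targets]
    return children, images, roots


def lineage(edges, pid):
    """Ancestor chain from the root down to pid."""
    parent = {dst: src for (src, dst) in edges}
    chain = [pid]
    while chain[-1] in parent:
        chain.append(parent[chain[-1]])
    return chain[::-1]


def temp_to_system_spawns(edges):
    """(parent, child) image names where a Temp-resident file started a Windows binary."""
    hits = []
    for src_img, dst_img in edges.values():
        if "\\appdata\\local\\temp\\" in src_img.lower() and dst_img.lower().startswith("c:\\windows\\"):
            hits.append((basename(src_img), basename(dst_img)))
    return hits


def render(children, images, pid, depth=0, out=None):
    """Indented tree lines, one per process, starting at pid."""
    out = [] if out is None else out
    out.append("  " * depth + f"{pid}  {basename(images[pid])}")
    for child in children.get(pid, []):
        render(children, images, child, depth + 1, out)
    return out


if __name__ == "__main__":
    edges = parse_edges(ROWS)
    children, images, roots = build_tree(edges)
    for root in roots:
        print("\n".join(render(children, images, root)))
    print("lineage of 2928:", lineage(edges, 2928))
    print("Temp -> Windows binary:", temp_to_system_spawns(edges))
```

The rendered tree makes the nesting visible at a glance: the outer sample, three further self-extractor layers (IXP000 to IXP002), the two Healer droppers under IXP003, the RedLine stage 475106733.exe under IXP001, and the Amadey copy oneetx.exe under cb7ae701b3 driving schtasks.exe and the cmd.exe/cacls.exe chain.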

Processes

C:\Users\Admin\AppData\Local\Temp\1af89849bf4c1c794b611f5ccebad50b9c6c0b679fecdfde6a1ede6ff27340fa.exe

"C:\Users\Admin\AppData\Local\Temp\1af89849bf4c1c794b611f5ccebad50b9c6c0b679fecdfde6a1ede6ff27340fa.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zZ037158.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zZ037158.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\lU322734.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\lU322734.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\WS820996.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\WS820996.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\118665113.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\118665113.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\228679359.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\228679359.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4052 -ip 4052

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4052 -s 1088

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\340733027.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\340733027.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

"C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\475106733.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\475106733.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\cb7ae701b3" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\cb7ae701b3" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
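The schtasks and cmd/CACLS command lines above are the part of this detonation a detection engineer most wants to pattern-match: a task named oneetx.exe that re-launches the Amadey copy from AppData\Local\Temp every minute, and a cmd /k chain that pipes echo Y into CACLS to auto-answer its confirmation prompt while it first removes all of the Admin user's rights on oneetx.exe and its directory (/P user:N with no /E replaces the ACL) and then grants read-only (/P user:R /E). The relative paths resolve against the cmd process's working directory, which the report does not record. The Python below is an added example, not part of the report, that splits such a chain on && and | outside double quotes and assesses each schtasks and CACLS command; the two command lines are copied from the Processes list, and the thresholds (a repeat interval of five minutes or less, an action path under AppData\Local\Temp) are the editor's choices.

```python
"""Assess schtasks and CACLS command lines for Amadey-style persistence (added example)."""
import re

# Command lines copied from the report's Processes section.
SCHTASKS_CMD = (r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe '
                r'/TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F')
CACLS_CMD = (r'"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"'
             r'&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"'
             r'&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit')

TOKEN_RE = re.compile(r'"[^"]*"|\S+')


def split_chain(cmdline):
    """Split a cmd.exe line on && and | outside double quotes (simplified cmd semantics)."""
    parts, cur, in_quote, i = [], [], False, 0
    while i < len(cmdline):
        ch = cmdline[i]
        if ch == '"':
            in_quote = not in_quote
        elif not in_quote and (cmdline.startswith("&&", i) or ch == "|"):
            parts.append("".join(cur).strip())
            cur = []
            i += 2 if ch == "&" else 1
            continue
        cur.append(ch)
        i += 1
    parts.append("".join(cur).strip())
    return [p for p in parts if p]


def tokenize(part):
    """Whitespace tokens with double-quoted arguments kept whole and unquoted."""
    return [t.strip('"') for t in TOKEN_RE.findall(part)]


def assess_schtasks(args):
    """Findings for a schtasks /Create invocation (args exclude the executable)."""
    opts, i = {}, 0
    while i < len(args):
        tok = args[i]
        if tok.startswith("/"):
            if i + 1 < len(args) and not args[i + 1].startswith("/"):
                opts[tok.lower()] = args[i + 1]
                i += 2
                continue
            opts[tok.lower()] = True
        i += 1
    findings = []
    if "/create" not in opts:
        return findings
    sc, mo = str(opts.get("/sc", "")), str(opts.get("/mo", "1"))
    tn, tr = str(opts.get("/tn", "?")), str(opts.get("/tr", ""))
    if sc.lower() == "minute" and mo.isdigit() and int(mo) <= 5:
        findings.append(f"schtasks: task {tn} repeats every {mo} minute(s)")
    if "\\appdata\\local\\temp\\" in tr.lower():
        findings.append(f"schtasks: task action lives in user Temp: {tr}")
    return findings


def assess_cacls(tokens):
    """Findings for CACLS <path> /P user:perm [/E]; without /E the ACL is replaced."""
    path = tokens[1] if len(tokens) > 1 else "?"
    edit = any(t.upper() == "/E" for t in tokens)
    findings = []
    for i, tok in enumerate(tokens):
        if tok.upper() == "/P" and i + 1 < len(tokens) and ":" in tokens[i + 1]:
            user, perm = tokens[i + 1].rsplit(":", 1)
            if perm.upper() == "N":
                suffix = "" if edit else " (ACL replaced, not edited)"
                findings.append(f"cacls: all access removed for {user} on {path}{suffix}")
            elif perm.upper() == "R":
                findings.append(f"cacls: {user} limited to read on {path}")
    return findings


def assess_commandline(cmdline):
    """Walk the chain and collect findings from every schtasks and CACLS segment."""
    findings = []
    if re.search(r"echo\s+Y\s*\|\s*cacls", cmdline, re.I):
        findings.append("cacls: confirmation prompt auto-answered via 'echo Y|'")
    for part in split_chain(cmdline):
        tokens = tokenize(part)
        if tokens and tokens[0].lower().endswith("cmd.exe"):
            tokens = tokens[1:]
            if tokens and tokens[0].lower() in ("/k", "/c"):
                tokens = tokens[1:]
        if not tokens:
            continue
        head = tokens[0].lower()
        if head.endswith("schtasks.exe") or head == "schtasks":
            findings.extend(assess_schtasks(tokens[1:]))
        elif head in ("cacls", "cacls.exe"):
            findings.extend(assess_cacls(tokens))
    return findings


if __name__ == "__main__":
    for line in (SCHTASKS_CMD, CACLS_CMD):
        print(line)
        for finding in assess_commandline(line):
            print("   ", finding)
```

On the schtasks line the assessor reports the one-minute repeat and the Temp-resident action; on the cmd line it reports the auto-answered prompt plus two "all access removed" and two "limited to read" findings, one pair for the file and one for its directory. Sysmon Event ID 1 (or 4688 with command-line auditing) supplies the same strings on a live host.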

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 193.3.19.154:80 - tcp
RU 185.161.248.143:38452 - tcp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 69.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
RU 185.161.248.143:38452 - tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
RU 185.161.248.143:38452 - tcp
RU 193.3.19.154:80 - tcp
RU 185.161.248.143:38452 - tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
RU 193.3.19.154:80 - tcp
RU 185.161.248.143:38452 - tcp
RU 193.3.19.154:80 - tcp
RU 185.161.248.143:38452 - tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zZ037158.exe

MD5 02d277036b5b1b9f64c71c4e61b096b7
SHA1 4036fcffd01b83c473ea952234d87f182572c3b3
SHA256 d53153eeaf47103997fa4d04bcb134bd57d7af403e9a2c68629023cbb1de69a3
SHA512 fd1bfc636eaf0155f5b32920e81b125797b607bd95d65172429d4d0c386d59ab7f54fea92e3aef78f5b0c130fbc7c3f4032b5acebd5df9a57f948ca3041ac995

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\lU322734.exe

MD5 faadccb56b1a38b07d169e120b5947ce
SHA1 6f22625c8ba3d9b41656e434bad54844e98fe6b4
SHA256 95fc2be5737760edaa51439205581d43890ff83afec992cc499387f65a1a392f
SHA512 75a963b7e3a702e4a8b8856f6e4f3656d2199bdcc08e72bf89c221fdcf1e0f0ed1f95280b74c5969d1381e8e495d5e7bbcdd6b2f5cee4f907da5f25a6fe56089

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\WS820996.exe

MD5 c44d72888d38f35251f68382c402bf7b
SHA1 c017978aa2aaa222887b51aaec737e87aa3b4292
SHA256 91df2628df467213faff5f4a0d9d5932cca7ef4248d53e74727c27a227d0e6c7
SHA512 e13fbe568df3f8991285f48981e717819d64973b6996db6b694f69ad36b19c827a48f381bb6e03876322f722d6b0f37c3d9cad64686d2d7d1d343a91a4793255

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\118665113.exe

MD5 a165b5f6b0a4bdf808b71de57bf9347d
SHA1 39a7b301e819e386c162a47e046fa384bb5ab437
SHA256 68349ed349ed7bbb9a279ac34ea4984206a1a1b3b73587fd1b109d55391af09a
SHA512 3dd6ca63a2aecb2a0599f0b918329e75b92eb5259d6986bd8d41cb8ebcf7b965bbd12786929d61743ae8613c2e180078f2eed2835ccb54378cd343c4a048c1a1

memory/5008-28-0x0000000002160000-0x000000000217A000-memory.dmp

memory/5008-29-0x00000000049A0000-0x0000000004F44000-memory.dmp

memory/5008-30-0x00000000023C0000-0x00000000023D8000-memory.dmp

memory/5008-42-0x00000000023C0000-0x00000000023D3000-memory.dmp

memory/5008-52-0x00000000023C0000-0x00000000023D3000-memory.dmp

memory/5008-58-0x00000000023C0000-0x00000000023D3000-memory.dmp

memory/5008-57-0x00000000023C0000-0x00000000023D3000-memory.dmp

memory/5008-54-0x00000000023C0000-0x00000000023D3000-memory.dmp

memory/5008-50-0x00000000023C0000-0x00000000023D3000-memory.dmp

memory/5008-48-0x00000000023C0000-0x00000000023D3000-memory.dmp

memory/5008-46-0x00000000023C0000-0x00000000023D3000-memory.dmp

memory/5008-44-0x00000000023C0000-0x00000000023D3000-memory.dmp

memory/5008-40-0x00000000023C0000-0x00000000023D3000-memory.dmp

memory/5008-38-0x00000000023C0000-0x00000000023D3000-memory.dmp

memory/5008-36-0x00000000023C0000-0x00000000023D3000-memory.dmp

memory/5008-34-0x00000000023C0000-0x00000000023D3000-memory.dmp

memory/5008-32-0x00000000023C0000-0x00000000023D3000-memory.dmp

memory/5008-31-0x00000000023C0000-0x00000000023D3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\228679359.exe

MD5 8243c9a05f55de6fb0b2ceeaad557148
SHA1 90d3c5faae322e22c9c588611930331f702b4c2f
SHA256 6ad0701074b501d1c4f835d130f8a9b95a1cdcf9c286597b208f04a4e3bf7611
SHA512 3120af180e1cf131e3c15c81633504b07e7e8c5266a782851d3230e4344ada3d3d254a20b9c88c24bda72eeebd1c15c8df9c2d4980ace5940c0fbf7c3d023ca2

memory/4052-93-0x0000000000400000-0x0000000000455000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\340733027.exe

MD5 1304f384653e08ae497008ff13498608
SHA1 d9a76ed63d74d4217c5027757cb9a7a0d0093080
SHA256 2a9dabab35fb09085750e1cc762e32b0fe4cbd7ed4276ef7e68ba159ae330eaa
SHA512 4138217fd538e827c89db5c0cd4ea21bd8c8d3a7196d2eabf10412caf7b929479e768747df5fd92fc022d758f1840474530ba82dcb7e8672cc6eb88caeaf38c1

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\475106733.exe

MD5 e01d08683e6cc337bb5a17b10538c282
SHA1 3e198f1135cbadae4e0376e7606228c26066c736
SHA256 d0eeb83c6d9518f12242d831a503358971d77d571cd20764a5644c1082ce711e
SHA512 c4c5ab1e7c9c862b592fa893db03f67ac0289d81afd71c0ae00875dc74665838234fafb61f20c03b64d2a9b49e87c1045e28b333bfe155f2c56faf15ed1eeeca

memory/3032-112-0x00000000049B0000-0x00000000049EC000-memory.dmp

memory/3032-113-0x0000000005000000-0x000000000503A000-memory.dmp

memory/3032-117-0x0000000005000000-0x0000000005035000-memory.dmp

memory/3032-120-0x0000000005000000-0x0000000005035000-memory.dmp

memory/3032-115-0x0000000005000000-0x0000000005035000-memory.dmp

memory/3032-114-0x0000000005000000-0x0000000005035000-memory.dmp

memory/3032-906-0x0000000007B50000-0x0000000008168000-memory.dmp

memory/3032-907-0x00000000075D0000-0x00000000075E2000-memory.dmp

memory/3032-908-0x00000000075F0000-0x00000000076FA000-memory.dmp

memory/3032-909-0x0000000007710000-0x000000000774C000-memory.dmp

memory/3032-910-0x0000000002380000-0x00000000023CC000-memory.dmp