Malware Analysis Report

2024-12-06 03:00

Sample ID 241110-cg3araxblj
Target b629cb37ed3017ecdb63f3ec73dc744aeaaf2b1b984dfc4aa7417e5e9f12fc98
SHA256 b629cb37ed3017ecdb63f3ec73dc744aeaaf2b1b984dfc4aa7417e5e9f12fc98
Tags
amadey healer redline 9c0adb discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b629cb37ed3017ecdb63f3ec73dc744aeaaf2b1b984dfc4aa7417e5e9f12fc98

Threat Level: Known bad

The file b629cb37ed3017ecdb63f3ec73dc744aeaaf2b1b984dfc4aa7417e5e9f12fc98 was found to be: Known bad.

Malicious Activity Summary

amadey healer redline 9c0adb discovery dropper evasion infostealer persistence trojan

Redline family

Modifies Windows Defender Real-time Protection settings

Healer family

Amadey family

Healer

Detects Healer an antivirus disabler dropper

Amadey

RedLine

RedLine payload

Executes dropped EXE

Windows security modification

Checks computer location settings

Adds Run key to start application

System Location Discovery: System Language Discovery

Program crash

Unsigned PE

Enumerates physical storage devices

Scheduled Task/Job: Scheduled Task

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 02:03

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 02:03

Reported

2024-11-10 02:06

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b629cb37ed3017ecdb63f3ec73dc744aeaaf2b1b984dfc4aa7417e5e9f12fc98.exe"

Signatures

Amadey

trojan amadey

Amadey family

amadey

Detects Healer an antivirus disabler dropper

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\156182991.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\156182991.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\209851577.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\209851577.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\209851577.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\209851577.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\156182991.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\156182991.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\156182991.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\156182991.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\209851577.exe | N/A

RedLine

infostealer redline

RedLine payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Redline family

redline

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\339063654.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe | N/A

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\156182991.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\209851577.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\156182991.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\b629cb37ed3017ecdb63f3ec73dc744aeaaf2b1b984dfc4aa7417e5e9f12fc98.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xD590917.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\lN741280.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\AP074569.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\474740553.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cacls.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xD590917.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\339063654.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cacls.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cacls.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\b629cb37ed3017ecdb63f3ec73dc744aeaaf2b1b984dfc4aa7417e5e9f12fc98.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\209851577.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\lN741280.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\AP074569.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cacls.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\156182991.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\156182991.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\209851577.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\474740553.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\339063654.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1336 wrote to memory of 2340 | N/A | C:\Users\Admin\AppData\Local\Temp\b629cb37ed3017ecdb63f3ec73dc744aeaaf2b1b984dfc4aa7417e5e9f12fc98.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xD590917.exe
PID 1336 wrote to memory of 2340 | N/A | C:\Users\Admin\AppData\Local\Temp\b629cb37ed3017ecdb63f3ec73dc744aeaaf2b1b984dfc4aa7417e5e9f12fc98.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xD590917.exe
PID 1336 wrote to memory of 2340 | N/A | C:\Users\Admin\AppData\Local\Temp\b629cb37ed3017ecdb63f3ec73dc744aeaaf2b1b984dfc4aa7417e5e9f12fc98.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xD590917.exe
PID 2340 wrote to memory of 3576 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xD590917.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\lN741280.exe
PID 2340 wrote to memory of 3576 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xD590917.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\lN741280.exe
PID 2340 wrote to memory of 3576 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xD590917.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\lN741280.exe
PID 3576 wrote to memory of 3976 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\lN741280.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\AP074569.exe
PID 3576 wrote to memory of 3976 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\lN741280.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\AP074569.exe
PID 3576 wrote to memory of 3976 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\lN741280.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\AP074569.exe
PID 3976 wrote to memory of 1176 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\AP074569.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\156182991.exe
PID 3976 wrote to memory of 1176 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\AP074569.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\156182991.exe
PID 3976 wrote to memory of 1176 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\AP074569.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\156182991.exe
PID 3976 wrote to memory of 4532 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\AP074569.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\209851577.exe
PID 3976 wrote to memory of 4532 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\AP074569.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\209851577.exe
PID 3976 wrote to memory of 4532 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\AP074569.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\209851577.exe
PID 3576 wrote to memory of 4528 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\lN741280.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\339063654.exe
PID 3576 wrote to memory of 4528 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\lN741280.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\339063654.exe
PID 3576 wrote to memory of 4528 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\lN741280.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\339063654.exe
PID 4528 wrote to memory of 404 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\339063654.exe | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
PID 4528 wrote to memory of 404 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\339063654.exe | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
PID 4528 wrote to memory of 404 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\339063654.exe | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
PID 2340 wrote to memory of 4172 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xD590917.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\474740553.exe
PID 2340 wrote to memory of 4172 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xD590917.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\474740553.exe
PID 2340 wrote to memory of 4172 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xD590917.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\474740553.exe
PID 404 wrote to memory of 1040 | N/A | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe | C:\Windows\SysWOW64\schtasks.exe
PID 404 wrote to memory of 1040 | N/A | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe | C:\Windows\SysWOW64\schtasks.exe
PID 404 wrote to memory of 1040 | N/A | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe | C:\Windows\SysWOW64\schtasks.exe
PID 404 wrote to memory of 4772 | N/A | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe | C:\Windows\SysWOW64\cmd.exe
PID 404 wrote to memory of 4772 | N/A | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe | C:\Windows\SysWOW64\cmd.exe
PID 404 wrote to memory of 4772 | N/A | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe | C:\Windows\SysWOW64\cmd.exe
PID 4772 wrote to memory of 4012 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 4772 wrote to memory of 4012 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 4772 wrote to memory of 4012 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 4772 wrote to memory of 220 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 4772 wrote to memory of 220 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 4772 wrote to memory of 220 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 4772 wrote to memory of 916 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 4772 wrote to memory of 916 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 4772 wrote to memory of 916 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 4772 wrote to memory of 4840 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 4772 wrote to memory of 4840 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 4772 wrote to memory of 4840 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 4772 wrote to memory of 4084 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 4772 wrote to memory of 4084 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 4772 wrote to memory of 4084 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 4772 wrote to memory of 2680 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 4772 wrote to memory of 2680 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 4772 wrote to memory of 2680 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe

Processes

C:\Users\Admin\AppData\Local\Temp\b629cb37ed3017ecdb63f3ec73dc744aeaaf2b1b984dfc4aa7417e5e9f12fc98.exe

"C:\Users\Admin\AppData\Local\Temp\b629cb37ed3017ecdb63f3ec73dc744aeaaf2b1b984dfc4aa7417e5e9f12fc98.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xD590917.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xD590917.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\lN741280.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\lN741280.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\AP074569.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\AP074569.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\156182991.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\156182991.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\209851577.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\209851577.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4532 -ip 4532

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4532 -s 1084

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\339063654.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\339063654.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

"C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\474740553.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\474740553.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\cb7ae701b3" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\cb7ae701b3" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
RU | 193.3.19.154:80 | | tcp
RU | 185.161.248.143:38452 | | tcp
US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp
RU | 185.161.248.143:38452 | | tcp
RU | 185.161.248.143:38452 | | tcp
RU | 193.3.19.154:80 | | tcp
RU | 185.161.248.143:38452 | | tcp
US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp
RU | 193.3.19.154:80 | | tcp
RU | 185.161.248.143:38452 | | tcp
RU | 193.3.19.154:80 | | tcp
RU | 185.161.248.143:38452 | | tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xD590917.exe

MD5 ef46e01b12a9c97d5d9716fa72de9dfd
SHA1 63a7b610e90026871f699204483111e7e1737d49
SHA256 deec716dc0f39bca709aed3beb82bbf8fd682ee1b8ea634bd114d8bc91171a25
SHA512 fc210b33329a8d52d5778c04934ff483011489e02dedcd53e32314da850f722568edd01251123a4362580d1c2da0c2571a8d06c327000fc0c24b5446f7943ba3

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\AP074569.exe

MD5 2f8ca509e576a7e4c90db3f7727853e9
SHA1 d7c11c2a19e2f83f6d2687bd437669e0f5be7993
SHA256 3ffb2cd52dd8b34c1aceb913dddc241c663418e9d04bcb4c43b01be34a4b3cda
SHA512 7ec64449f4202c0043fedb4c7275540d56e390dd03f260174bab68698b52dadc2d82b7fd5d343e68cf0783a2373fce8e1a02702044960928dd086a5b5035b2cf

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\lN741280.exe

MD5 edc0f960ba72a817778ffae5485f9a10
SHA1 356a3117e44cf7bb8e848ed90be9502aa828bf05
SHA256 a505638ed1407b5d6ec2405a45f2cbf240804949f0105e66e9e57e6c0f0cab4a
SHA512 2c2caa83755fd790c0a08510a72c3336db2f42bfafb8f5fc69c26fc0ba7a526070863ecb5ef4499bd88492b40e00e016cd7e9902828c706740dc21dacf1b8d4d

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\156182991.exe

MD5 2b71f4b18ac8214a2bff547b6ce2f64f
SHA1 b8f2f25139a7b2e8d5e8fbc024eb5cac518bc6a5
SHA256 f7eedf3aec775a62c265d1652686b30a8a45a953523e2fb3cfc1fac3c6a66fbc
SHA512 33518eff768610bf54f9888d9d0d746b0c3500dc5f2b8fd5f1641d5a264f657a8311b40364f70932512581183b244fec3feb535e21c13e0ec8adec9994175177

memory/1176-28-0x0000000002460000-0x000000000247A000-memory.dmp

memory/1176-29-0x0000000004B40000-0x00000000050E4000-memory.dmp

memory/1176-30-0x0000000004980000-0x0000000004998000-memory.dmp

memory/1176-42-0x0000000004980000-0x0000000004993000-memory.dmp

memory/1176-58-0x0000000004980000-0x0000000004993000-memory.dmp

memory/1176-56-0x0000000004980000-0x0000000004993000-memory.dmp

memory/1176-54-0x0000000004980000-0x0000000004993000-memory.dmp

memory/1176-52-0x0000000004980000-0x0000000004993000-memory.dmp

memory/1176-50-0x0000000004980000-0x0000000004993000-memory.dmp

memory/1176-48-0x0000000004980000-0x0000000004993000-memory.dmp

memory/1176-46-0x0000000004980000-0x0000000004993000-memory.dmp

memory/1176-44-0x0000000004980000-0x0000000004993000-memory.dmp

memory/1176-40-0x0000000004980000-0x0000000004993000-memory.dmp

memory/1176-38-0x0000000004980000-0x0000000004993000-memory.dmp

memory/1176-36-0x0000000004980000-0x0000000004993000-memory.dmp

memory/1176-34-0x0000000004980000-0x0000000004993000-memory.dmp

memory/1176-32-0x0000000004980000-0x0000000004993000-memory.dmp

memory/1176-31-0x0000000004980000-0x0000000004993000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\209851577.exe

MD5 71b79c1c3d10f31cdae485114973692f
SHA1 4d4b7be89271b129b92f02031f16edc3952dc44d
SHA256 b7b3fc75c21585d89383f950814d4035abea8d92e1bfd2e57910ec54c2d0dda5
SHA512 7d4ee0aff221573415e020137e958160d62eb9bb74725a6589f590b2909079ab9e21f8c914082a1a606d3e84033fc8974f1330d2781c364e514627ec0e9520f3

memory/4532-92-0x0000000000400000-0x0000000002B9D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\339063654.exe

MD5 1304f384653e08ae497008ff13498608
SHA1 d9a76ed63d74d4217c5027757cb9a7a0d0093080
SHA256 2a9dabab35fb09085750e1cc762e32b0fe4cbd7ed4276ef7e68ba159ae330eaa
SHA512 4138217fd538e827c89db5c0cd4ea21bd8c8d3a7196d2eabf10412caf7b929479e768747df5fd92fc022d758f1840474530ba82dcb7e8672cc6eb88caeaf38c1

memory/4532-94-0x0000000000400000-0x0000000002B9D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\474740553.exe

MD5 73ea0216a1ab026f8cad126a768205a5
SHA1 979c1a6e65b6bf8aac3f26cb8a96ff0261460c4b
SHA256 e099fb5f2018f4d3646082c4aaa9401c60e8800bc04321999a9854a13b87c08f
SHA512 d23367126aea4c437ed5bcc0ef1510aa3a2157c2ed1cabab6a746bc921e5b26654f889643ef79afac499efc48b5d012e554074dc0a33f13486bba6f4258fa81d

memory/4172-112-0x0000000007050000-0x000000000708C000-memory.dmp

memory/4172-113-0x00000000077F0000-0x000000000782A000-memory.dmp

memory/4172-114-0x00000000077F0000-0x0000000007825000-memory.dmp

memory/4172-119-0x00000000077F0000-0x0000000007825000-memory.dmp

memory/4172-117-0x00000000077F0000-0x0000000007825000-memory.dmp

memory/4172-115-0x00000000077F0000-0x0000000007825000-memory.dmp

memory/4172-906-0x0000000009CF0000-0x000000000A308000-memory.dmp

memory/4172-907-0x000000000A350000-0x000000000A362000-memory.dmp

memory/4172-908-0x000000000A370000-0x000000000A47A000-memory.dmp

memory/4172-909-0x000000000A480000-0x000000000A4BC000-memory.dmp

memory/4172-910-0x0000000004B50000-0x0000000004B9C000-memory.dmp