Analysis Overview
SHA256
e23ed4794ead3f85c8b72475a27e5962b603225e3d64d0d11cb2852c25617dde
Threat Level: Known bad
The file 06dc9deb6904c7dddab5c24f17c295208bd64aaaf186cbd7322160c02868345aN.exe was found to be: Known bad.
Malicious Activity Summary
Healer
RedLine payload
Redline family
Healer family
RedLine
Amadey family
Modifies Windows Defender Real-time Protection settings
Detects Healer an antivirus disabler dropper
Amadey
Executes dropped EXE
Windows security modification
Checks computer location settings
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Enumerates physical storage devices
Program crash
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Scheduled Task/Job: Scheduled Task
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-11 05:55
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-11 05:55
Reported
2024-11-11 05:57
Platform
win10v2004-20241007-en
Max time kernel
111s
Max time network
119s
Command Line
Signatures
Amadey
Amadey family
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Windows\Temp\1.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Windows\Temp\1.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\Temp\1.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Windows\Temp\1.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Windows\Temp\1.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Windows\Temp\1.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Redline family
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\170382928.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\361103506.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iI024552.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Fy476355.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\170382928.exe | N/A |
| N/A | N/A | C:\Windows\Temp\1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\242840271.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\361103506.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\418229472.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Windows\Temp\1.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\06dc9deb6904c7dddab5c24f17c295208bd64aaaf186cbd7322160c02868345aN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iI024552.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Fy476355.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\242840271.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\418229472.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\418229472.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iI024552.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Fy476355.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\170382928.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\06dc9deb6904c7dddab5c24f17c295208bd64aaaf186cbd7322160c02868345aN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\242840271.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\361103506.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cacls.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Temp\1.exe | N/A |
| N/A | N/A | C:\Windows\Temp\1.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\170382928.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\242840271.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Temp\1.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\418229472.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\06dc9deb6904c7dddab5c24f17c295208bd64aaaf186cbd7322160c02868345aN.exe
"C:\Users\Admin\AppData\Local\Temp\06dc9deb6904c7dddab5c24f17c295208bd64aaaf186cbd7322160c02868345aN.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iI024552.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iI024552.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Fy476355.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Fy476355.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\170382928.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\170382928.exe
C:\Windows\Temp\1.exe
"C:\Windows\Temp\1.exe"
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\242840271.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\242840271.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 212 -ip 212
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 212 -s 1256
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\361103506.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\361103506.exe
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
"C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\418229472.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\418229472.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "oneetx.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "oneetx.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\cb7ae701b3" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\cb7ae701b3" /P "Admin:R" /E
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4664 -ip 4664
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4664 -s 1252
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| RU | 193.3.19.154:80 | | tcp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| RU | 193.3.19.154:80 | | tcp |
| RU | 193.3.19.154:80 | | tcp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| RU | 193.3.19.154:80 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iI024552.exe
| MD5 | 827ccbc4c11603646f8a3c69172e8a45 |
| SHA1 | 2017a8048034862c7e92e2d3ece454ed3e927779 |
| SHA256 | 525e8d353a3ec8dca403c848bb02e2f0f9cbbdc041f5ab6c7ff85aa2f14f0b67 |
| SHA512 | f32bf5eb824031eff1a497961cc6a3ad4de9eddab3944eadbefdd1d0e6f87f6a7abb4ab9794d96fc8f771ad60c9347cfe7ac3f44d74b04021ddcdaa5d28fa207 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Fy476355.exe
| MD5 | fbd51d7e7ef4b74311ada32235dad4a3 |
| SHA1 | cd77bc5d2d0c52f65ee8ca49e413fc04436a0951 |
| SHA256 | 18a2596e9e9421902f25d1f2ff4b591f1489d8a716842c295b18c4bc5342abe6 |
| SHA512 | 8aabcdbb6cfa9fd24c0f3dd92b48d6eaedbf5625dfc819d7d065db795e4104facaf2126401e39df235107c9ec697fdbf4895d50f8d7c8231ac4b514e4a50af95 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\170382928.exe
| MD5 | f6d59c97a0ed988291f29786087dc183 |
| SHA1 | b441493c234cb87c634ba56b170372ab7c6ae6e3 |
| SHA256 | 8b77e63aa6736150639ebd0fd474f9c6fcf6cc7a4e6795e92e888b2ce52a14cb |
| SHA512 | 8ac6b127cec2616e637fef0bff71cc2360c48e3690958c66c9233844792276d912b8cfce0f63834b20d9a94fd2cadca9b0ced8846ec474686d91b3d402f21ea2 |
C:\Windows\Temp\1.exe
| MD5 | 7e93bacbbc33e6652e147e7fe07572a0 |
| SHA1 | 421a7167da01c8da4dc4d5234ca3dd84e319e762 |
| SHA256 | 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38 |
| SHA512 | 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\242840271.exe
| MD5 | cd22ce939659072b194a1fa34ad136e3 |
| SHA1 | e6fe1c548efc7fae64a6a6569ed4747df39999b8 |
| SHA256 | cb90776180a118ffd70a5e77dfcb25217e04ba16fc0813436d15b68dc1f63240 |
| SHA512 | 70a29db233981f5800c9130626371bfee55973175e25b86a9f74832d03a38d47ee0e7d58e63e13e8410010062442334649a5c7f23f8c7391a36d2d2ab0dbeeaf |
memory/1152-2167-0x00000000008E0000-0x00000000008EA000-memory.dmp
memory/212-4298-0x0000000005870000-0x0000000005902000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\361103506.exe
| MD5 | c09473f87c87e6bd0ebab611067875bb |
| SHA1 | b42294e8ce5804dec65735d142a4a29e8a861cd6 |
| SHA256 | d7e3a6c78044fb393ebbc9d262dbe7609eb07acff787d6b43f96dc8107d287d1 |
| SHA512 | c3ddb62d12a1d0ee584815faecf616e8a3884d8b13ed9f832308fbf57ebb770c2b1dd7df38d32da4ee072eb8d61bfc9b37607cf37e1b52dccb1a986c247476a6 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\418229472.exe
| MD5 | 85648d9d3c25a9cae3d60bba38357e3e |
| SHA1 | f319e778b59b4b81158f6433a9d19d0145472217 |
| SHA256 | dd05dc35b6c6320abc834b7624bd557e4961aa1564de949f6bc0c386ff11f57f |
| SHA512 | cf8a4c68e50f17fd2000c11766656aa3a4162ea18a9cd51bb6027dae5604e3a48c1d555184cee656dc179a4a033fedcf78f04a5dff5fecadbf4ebd74e7341d15 |
memory/4664-4318-0x0000000004F10000-0x0000000004F78000-memory.dmp
memory/4664-4319-0x0000000005550000-0x00000000055B6000-memory.dmp
memory/4664-6466-0x0000000005740000-0x0000000005772000-memory.dmp