Malware Analysis Report

2024-12-07 03:49

Sample ID 241113-sgrr1stmat
Target 09b0b3566b2f2275859f5eb8b666ec067f5fee3937e3af3f3ab914625782246cN.exe
SHA256 09b0b3566b2f2275859f5eb8b666ec067f5fee3937e3af3f3ab914625782246c
Tags
amadey healer redline 9c0adb discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

09b0b3566b2f2275859f5eb8b666ec067f5fee3937e3af3f3ab914625782246c

Threat Level: Known bad

The file 09b0b3566b2f2275859f5eb8b666ec067f5fee3937e3af3f3ab914625782246cN.exe was found to be: Known bad.

Malicious Activity Summary

amadey healer redline 9c0adb discovery dropper evasion infostealer persistence trojan

Amadey family

RedLine

Healer family

RedLine payload

Amadey

Healer

Modifies Windows Defender Real-time Protection settings

Detects Healer an antivirus disabler dropper

Redline family

Checks computer location settings

Executes dropped EXE

Windows security modification

Adds Run key to start application

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

Program crash

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-13 15:06

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-13 15:06

Reported

2024-11-13 15:08

Platform

win10v2004-20241007-en

Max time kernel

117s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\09b0b3566b2f2275859f5eb8b666ec067f5fee3937e3af3f3ab914625782246cN.exe"

Signatures

Amadey

trojan amadey

Amadey family

amadey

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\218419667.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\218419667.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\218419667.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\132946563.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\132946563.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\132946563.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\132946563.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\218419667.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\218419667.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\132946563.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\132946563.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Redline family

redline

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\386459983.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\132946563.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\132946563.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\218419667.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\09b0b3566b2f2275859f5eb8b666ec067f5fee3937e3af3f3ab914625782246cN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fW940192.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\YO393998.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fW940192.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\218419667.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\09b0b3566b2f2275859f5eb8b666ec067f5fee3937e3af3f3ab914625782246cN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\132946563.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\479721045.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\YO393998.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\386459983.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\132946563.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\218419667.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\479721045.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\386459983.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4768 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\09b0b3566b2f2275859f5eb8b666ec067f5fee3937e3af3f3ab914625782246cN.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fW940192.exe
PID 4768 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\09b0b3566b2f2275859f5eb8b666ec067f5fee3937e3af3f3ab914625782246cN.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fW940192.exe
PID 4768 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\09b0b3566b2f2275859f5eb8b666ec067f5fee3937e3af3f3ab914625782246cN.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fW940192.exe
PID 2916 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fW940192.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\YO393998.exe
PID 2916 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fW940192.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\YO393998.exe
PID 2916 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fW940192.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\YO393998.exe
PID 2084 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\YO393998.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\132946563.exe
PID 2084 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\YO393998.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\132946563.exe
PID 2084 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\YO393998.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\132946563.exe
PID 2084 wrote to memory of 4624 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\YO393998.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\218419667.exe
PID 2084 wrote to memory of 4624 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\YO393998.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\218419667.exe
PID 2084 wrote to memory of 4624 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\YO393998.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\218419667.exe
PID 2916 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fW940192.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\386459983.exe
PID 2916 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fW940192.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\386459983.exe
PID 2916 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fW940192.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\386459983.exe
PID 2276 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\386459983.exe C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
PID 2276 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\386459983.exe C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
PID 2276 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\386459983.exe C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
PID 4768 wrote to memory of 1028 N/A C:\Users\Admin\AppData\Local\Temp\09b0b3566b2f2275859f5eb8b666ec067f5fee3937e3af3f3ab914625782246cN.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\479721045.exe
PID 4768 wrote to memory of 1028 N/A C:\Users\Admin\AppData\Local\Temp\09b0b3566b2f2275859f5eb8b666ec067f5fee3937e3af3f3ab914625782246cN.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\479721045.exe
PID 4768 wrote to memory of 1028 N/A C:\Users\Admin\AppData\Local\Temp\09b0b3566b2f2275859f5eb8b666ec067f5fee3937e3af3f3ab914625782246cN.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\479721045.exe
PID 2304 wrote to memory of 4360 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 2304 wrote to memory of 4360 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 2304 wrote to memory of 4360 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 2304 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 2304 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 2304 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 2708 wrote to memory of 4508 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2708 wrote to memory of 4508 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2708 wrote to memory of 4508 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2708 wrote to memory of 1640 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2708 wrote to memory of 1640 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2708 wrote to memory of 1640 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2708 wrote to memory of 4252 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2708 wrote to memory of 4252 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2708 wrote to memory of 4252 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2708 wrote to memory of 2848 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2708 wrote to memory of 2848 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2708 wrote to memory of 2848 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2708 wrote to memory of 1328 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2708 wrote to memory of 1328 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2708 wrote to memory of 1328 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2708 wrote to memory of 4988 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2708 wrote to memory of 4988 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2708 wrote to memory of 4988 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe

Processes

C:\Users\Admin\AppData\Local\Temp\09b0b3566b2f2275859f5eb8b666ec067f5fee3937e3af3f3ab914625782246cN.exe

"C:\Users\Admin\AppData\Local\Temp\09b0b3566b2f2275859f5eb8b666ec067f5fee3937e3af3f3ab914625782246cN.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fW940192.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fW940192.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\YO393998.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\YO393998.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\132946563.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\132946563.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\218419667.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\218419667.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4624 -ip 4624

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4624 -s 1084

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\386459983.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\386459983.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

"C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\479721045.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\479721045.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\cb7ae701b3" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\cb7ae701b3" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 193.3.19.154:80 N/A tcp
RU 185.161.248.143:38452 N/A tcp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 232.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
RU 185.161.248.143:38452 N/A tcp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
RU 185.161.248.143:38452 N/A tcp
RU 193.3.19.154:80 N/A tcp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
RU 185.161.248.143:38452 N/A tcp
RU 193.3.19.154:80 N/A tcp
RU 185.161.248.143:38452 N/A tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fW940192.exe

MD5 447567beaa0602ab4d8cf1fb89e1e4a9
SHA1 e89ba3a2f4e751888ea707fbb5304ef29c5d0b78
SHA256 f5105580324bf567370c2d1832c45f38a28efbbf0b9525f6c2008b3c1ea2c074
SHA512 48e5fe5a89c52eb39de3c0de853a17be1fdfd1cc3c4e27f73e2ca46f162af7c85735d759a338d2254c93a3e95e159c6b0ad92e65298b4d8956e03ddddb68368e

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\YO393998.exe

MD5 07416dbcd810d415efba4f1022ffc367
SHA1 71c0d1a3f6514b6f6798f5922818704a91abaa20
SHA256 f411ff2c50d07db40130ec1bb17afb49873c43e2fa77cc007a661ee426cd3e17
SHA512 59c46aa432a263ff90d6523e62b80f1303d2aa714114f2ca2994d0501333c7d9722f1f959ecd7365d3f43c9290f5582b1253bc6fd34a0996072d50e28c0b2bc0

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\132946563.exe

MD5 2b71f4b18ac8214a2bff547b6ce2f64f
SHA1 b8f2f25139a7b2e8d5e8fbc024eb5cac518bc6a5
SHA256 f7eedf3aec775a62c265d1652686b30a8a45a953523e2fb3cfc1fac3c6a66fbc
SHA512 33518eff768610bf54f9888d9d0d746b0c3500dc5f2b8fd5f1641d5a264f657a8311b40364f70932512581183b244fec3feb535e21c13e0ec8adec9994175177

memory/2784-21-0x00000000025C0000-0x00000000025DA000-memory.dmp

memory/2784-22-0x0000000004CD0000-0x0000000005274000-memory.dmp

memory/2784-23-0x0000000002670000-0x0000000002688000-memory.dmp

memory/2784-41-0x0000000002670000-0x0000000002683000-memory.dmp

memory/2784-51-0x0000000002670000-0x0000000002683000-memory.dmp

memory/2784-49-0x0000000002670000-0x0000000002683000-memory.dmp

memory/2784-47-0x0000000002670000-0x0000000002683000-memory.dmp

memory/2784-45-0x0000000002670000-0x0000000002683000-memory.dmp

memory/2784-43-0x0000000002670000-0x0000000002683000-memory.dmp

memory/2784-37-0x0000000002670000-0x0000000002683000-memory.dmp

memory/2784-35-0x0000000002670000-0x0000000002683000-memory.dmp

memory/2784-33-0x0000000002670000-0x0000000002683000-memory.dmp

memory/2784-31-0x0000000002670000-0x0000000002683000-memory.dmp

memory/2784-29-0x0000000002670000-0x0000000002683000-memory.dmp

memory/2784-27-0x0000000002670000-0x0000000002683000-memory.dmp

memory/2784-25-0x0000000002670000-0x0000000002683000-memory.dmp

memory/2784-24-0x0000000002670000-0x0000000002683000-memory.dmp

memory/2784-40-0x0000000002670000-0x0000000002683000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\218419667.exe

MD5 4cbbb5f8bc108552a095e268420a366d
SHA1 c99590a5766ab038a1804adff8493afc93bc96d1
SHA256 c3c36540cf2f1a6ca24e02a9de6fdbbba60236e8627784f4713e988d199f61e4
SHA512 3c1c0983e17f541fbd6f7cfc4f48accdd37fe18672bdf702ca3c5967285e9233b17d5cdf0e01f0cb2a1840ff74a09f5db1e78c6406fba3306ac3389347935522

memory/4624-85-0x0000000000400000-0x0000000002B9B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\386459983.exe

MD5 1304f384653e08ae497008ff13498608
SHA1 d9a76ed63d74d4217c5027757cb9a7a0d0093080
SHA256 2a9dabab35fb09085750e1cc762e32b0fe4cbd7ed4276ef7e68ba159ae330eaa
SHA512 4138217fd538e827c89db5c0cd4ea21bd8c8d3a7196d2eabf10412caf7b929479e768747df5fd92fc022d758f1840474530ba82dcb7e8672cc6eb88caeaf38c1

memory/4624-87-0x0000000000400000-0x0000000002B9B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\479721045.exe

MD5 40f8492cde4cca136ba6d6208ad2084a
SHA1 747d7c340cd0d7594ec0ef2e09c5c73cceb698b2
SHA256 3551fb51026ec66938676a8edb0011bded27f0fea8ae9b76290dad627cc752f3
SHA512 2727a49fb342285e921e801880df13d724705b26f25f44c0d48e11b3d144b85ee808f8b1c11e34d2b1764e1c7427c81261013a821e397547b82fa69627e7e346

memory/1028-105-0x0000000004AB0000-0x0000000004AEC000-memory.dmp

memory/1028-106-0x00000000071B0000-0x00000000071EA000-memory.dmp

memory/1028-110-0x00000000071B0000-0x00000000071E5000-memory.dmp

memory/1028-112-0x00000000071B0000-0x00000000071E5000-memory.dmp

memory/1028-108-0x00000000071B0000-0x00000000071E5000-memory.dmp

memory/1028-107-0x00000000071B0000-0x00000000071E5000-memory.dmp

memory/1028-899-0x0000000009C70000-0x000000000A288000-memory.dmp

memory/1028-900-0x000000000A330000-0x000000000A342000-memory.dmp

memory/1028-901-0x000000000A350000-0x000000000A45A000-memory.dmp

memory/1028-902-0x000000000A470000-0x000000000A4AC000-memory.dmp

memory/1028-903-0x0000000004990000-0x00000000049DC000-memory.dmp