Malware Analysis Report

2024-12-07 03:49

Sample ID 241113-slvpgavbkm
Target b6b3cee0e734f0a7d882e5ae8f15b108eb462f4d57db6a6f06e6ac2c7e5955b5.exe
SHA256 b6b3cee0e734f0a7d882e5ae8f15b108eb462f4d57db6a6f06e6ac2c7e5955b5
Tags
amadey healer redline 9c0adb discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b6b3cee0e734f0a7d882e5ae8f15b108eb462f4d57db6a6f06e6ac2c7e5955b5

Threat Level: Known bad

The file b6b3cee0e734f0a7d882e5ae8f15b108eb462f4d57db6a6f06e6ac2c7e5955b5.exe was found to be: Known bad.

Malicious Activity Summary

amadey healer redline 9c0adb discovery dropper evasion infostealer persistence trojan

Amadey family

RedLine

Healer family

RedLine payload

Redline family

Healer

Amadey

Modifies Windows Defender Real-time Protection settings

Detects Healer an antivirus disabler dropper

Windows security modification

Checks computer location settings

Executes dropped EXE

Adds Run key to start application

Enumerates physical storage devices

Program crash

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-13 15:13

Signatures

Unsigned PE

Description Indicator Process Target
(1 hit recorded; the report gives no indicator, process or target details for this static signature)

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-13 15:13

Reported

2024-11-13 15:15

Platform

win10v2004-20241007-en

Max time kernel

113s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b6b3cee0e734f0a7d882e5ae8f15b108eb462f4d57db6a6f06e6ac2c7e5955b5.exe"

Signatures

Amadey

trojan amadey

Amadey family

amadey

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
(35 hits recorded; the report gives no indicator, process or target details for this signature)

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\172966433.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\172966433.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\172966433.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\251501393.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\251501393.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\251501393.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\251501393.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\172966433.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\172966433.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\172966433.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\251501393.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
(6 hits recorded; the report gives no indicator, process or target details for this signature)

Redline family

redline

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\373202146.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\172966433.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\172966433.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\251501393.exe N/A
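The two tables above list the registry values the Healer droppers (172966433.exe and 251501393.exe) set to switch off Defender real-time protection and Tamper Protection. The script below is an added example, not part of the sandbox report and not the sandbox's own tooling: it parses those rows as printed, maps the kernel paths to the familiar HKLM form, folds the WOW6432Node (32-bit) view so that writes from 32-bit and 64-bit processes compare equal, and lists per process which protections were targeted. The row regex, the canonicalisation, the list of protection-disabling values and the reg.exe audit commands are this example's own assumptions.

```python
"""Audit the Windows Defender tamper writes listed in the two tables above.

Added example: not part of the sandbox report and not the sandbox's own code.
The rows are copied from the report; the canonicalisation, the list of
protection-disabling values and the reg.exe audit commands are this example's own.
"""
import re
from collections import defaultdict

# Constructed input: the registry rows of the "Modifies Windows Defender Real-time
# Protection settings" and "Windows security modification" tables, as printed above.
REPORT_ROWS = r"""
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\172966433.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\172966433.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\172966433.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\251501393.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\251501393.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\251501393.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\251501393.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\172966433.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\172966433.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\172966433.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\251501393.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\172966433.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\172966433.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\251501393.exe N/A
""".strip().splitlines()

# One report row: operation, kernel registry path, optional '= "data"', process, target.
ROW_RE = re.compile(
    r'^(?P<op>Set value \((?:int|str)\)|Key created) '
    r'(?P<path>\\REGISTRY\\.+?)'
    r'(?: = "(?P<data>[^"]*)")?'
    r' (?P<process>\S+) (?P<target>\S+)$'
)

HIVES = {r"\REGISTRY\MACHINE": "HKLM", r"\REGISTRY\USER": "HKU"}

# Value name -> data that turns the protection off (assumed list, built from the rows above).
DISABLING = {
    "DisableRealtimeMonitoring": "1",
    "DisableBehaviorMonitoring": "1",
    "DisableOnAccessProtection": "1",
    "DisableIOAVProtection": "1",
    "DisableScanOnRealtimeEnable": "1",
    "TamperProtection": "0",
}
DEFENDER_KEYS = ("\\Policies\\Microsoft\\Windows Defender\\", "\\Microsoft\\Windows Defender\\")


def canonical_path(path):
    """Map the kernel path to HKLM/HKU form and fold the WOW6432Node (32-bit) view.

    Returns (canonical_path, written_through_wow6432node)."""
    for prefix, hive in HIVES.items():
        if path.startswith(prefix):
            path = hive + path[len(prefix):]
    redirected = "\\SOFTWARE\\WOW6432Node\\" in path
    return path.replace("\\SOFTWARE\\WOW6432Node\\", "\\SOFTWARE\\"), redirected


def defender_tamper_findings(rows):
    """Per process: which Defender protections it tried to disable, and under which keys."""
    acc = defaultdict(lambda: {"disabled": set(), "keys": set(), "via_wow6432node": False})
    for row in rows:
        m = ROW_RE.match(row.strip())
        if not m or not m.group("op").startswith("Set value"):
            continue  # "Key created" rows carry no value; skipped
        path, redirected = canonical_path(m.group("path"))
        key, _, name = path.rpartition("\\")
        if not any(marker in key + "\\" for marker in DEFENDER_KEYS):
            continue
        if DISABLING.get(name) == m.group("data"):
            f = acc[m.group("process")]
            f["disabled"].add(name)
            f["keys"].add(key)
            f["via_wow6432node"] |= redirected
    return {p: {"disabled": sorted(f["disabled"]), "keys": sorted(f["keys"]),
                "via_wow6432node": f["via_wow6432node"]} for p, f in acc.items()}


def audit_commands(findings):
    """reg.exe queries for both registry views: the sample wrote through the 32-bit
    view, so a host check has to look at the native 64-bit view as well."""
    cmds = set()
    for f in findings.values():
        for key in f["keys"]:
            for view in ("32", "64"):
                cmds.add(f'reg query "{key}" /reg:{view}')
    return sorted(cmds)


if __name__ == "__main__":
    results = defender_tamper_findings(REPORT_ROWS)
    for process, f in results.items():
        note = " (written via WOW6432Node)" if f["via_wow6432node"] else ""
        print(f"{process}: {', '.join(f['disabled'])}{note}")
    print("\n".join(audit_commands(results)))
```

Two caveats when reading the result. Every write in the report sits under WOW6432Node, i.e. the 32-bit registry view of a 32-bit dropper; the 64-bit Defender service reads the native key, so the attempts are the detection signal and the audit has to query both views before concluding the protections were actually off. And on a host where Tamper Protection is enabled these registry writes (including TamperProtection = 0) are blocked or reverted, which is why the TamperProtection write is attempted first.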

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Vq374829.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tp072936.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\b6b3cee0e734f0a7d882e5ae8f15b108eb462f4d57db6a6f06e6ac2c7e5955b5.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Vq374829.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\251501393.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\373202146.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\b6b3cee0e734f0a7d882e5ae8f15b108eb462f4d57db6a6f06e6ac2c7e5955b5.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tp072936.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\172966433.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\473666270.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\172966433.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\251501393.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\473666270.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\373202146.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
Each parent/child pair below appears three times in the raw table; the pairs are deduplicated here and arranged as the process tree they describe (parent PID -> child PID):
PID 3020 C:\Users\Admin\AppData\Local\Temp\b6b3cee0e734f0a7d882e5ae8f15b108eb462f4d57db6a6f06e6ac2c7e5955b5.exe
  -> PID 760 C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Vq374829.exe
     -> PID 2732 C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tp072936.exe
        -> PID 4024 C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\172966433.exe
        -> PID 828 C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\251501393.exe
     -> PID 2344 C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\373202146.exe
        -> PID 3800 C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
           -> PID 216 C:\Windows\SysWOW64\schtasks.exe
           -> PID 4768 C:\Windows\SysWOW64\cmd.exe
              -> PID 404 C:\Windows\SysWOW64\cmd.exe
              -> PID 4716 C:\Windows\SysWOW64\cacls.exe
              -> PID 3716 C:\Windows\SysWOW64\cacls.exe
              -> PID 1896 C:\Windows\SysWOW64\cmd.exe
              -> PID 4784 C:\Windows\SysWOW64\cacls.exe
              -> PID 4316 C:\Windows\SysWOW64\cacls.exe
  -> PID 3160 C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\473666270.exe

Processes

C:\Users\Admin\AppData\Local\Temp\b6b3cee0e734f0a7d882e5ae8f15b108eb462f4d57db6a6f06e6ac2c7e5955b5.exe

"C:\Users\Admin\AppData\Local\Temp\b6b3cee0e734f0a7d882e5ae8f15b108eb462f4d57db6a6f06e6ac2c7e5955b5.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Vq374829.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Vq374829.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tp072936.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tp072936.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\172966433.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\172966433.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\251501393.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\251501393.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 828 -ip 828

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 828 -s 1080

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\373202146.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\373202146.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

"C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\473666270.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\473666270.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\cb7ae701b3" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\cb7ae701b3" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
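The schtasks.exe and cacls.exe command lines above are the Amadey persistence chain: a task that re-launches oneetx.exe every minute, followed by cacls calls that first replace the ACL on the dropped file and its directory with a no-access entry for the user and then edit that entry down to read-only, so the user account cannot delete or overwrite them. The detector below is an added example, not part of the sandbox report and not the sandbox's own code: it runs over process-creation events whose command lines are copied from the Processes section, flags a minute-interval task whose target lives under the user's Temp directory, flags cacls /P <user>:N invocations without /E, and correlates the two on the target's basename. The event shape and the assignment of the four cacls PIDs to the individual cacls command lines are assumptions.

```python
"""Detect the Amadey-style persistence chain from process-creation command lines.

Added example: not part of the sandbox report and not the sandbox's own code.
The command lines are copied from the Processes section; the event format and the
mapping of PIDs to the individual cacls invocations are assumptions.
"""
import ntpath
import re

# Constructed input: command lines from the report, PIDs from the process tree above.
EVENTS = [
    {"pid": 216, "ppid": 3800, "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F'},
    {"pid": 4768, "ppid": 3800, "cmdline": r'"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit'},
    {"pid": 4716, "ppid": 4768, "cmdline": r'CACLS "oneetx.exe" /P "Admin:N"'},
    {"pid": 3716, "ppid": 4768, "cmdline": r'CACLS "oneetx.exe" /P "Admin:R" /E'},
    {"pid": 4784, "ppid": 4768, "cmdline": r'CACLS "..\cb7ae701b3" /P "Admin:N"'},
    {"pid": 4316, "ppid": 4768, "cmdline": r'CACLS "..\cb7ae701b3" /P "Admin:R" /E'},
]

TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)


def tokenize(cmdline):
    """Split a Windows command line on whitespace, keeping quoted spans as one token."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def schtasks_finding(tokens):
    """A task created to run every minute with its action under the user's Temp dir."""
    if ntpath.basename(tokens[0]).lower() != "schtasks.exe":
        return None
    upper = [t.upper() for t in tokens]
    if "/CREATE" not in upper:
        return None
    opts = {}  # /SWITCH -> following value, for switches that take one
    for i, t in enumerate(upper):
        if t.startswith("/") and i + 1 < len(tokens) and not upper[i + 1].startswith("/"):
            opts[t] = tokens[i + 1]
    target = opts.get("/TR", "")
    if opts.get("/SC", "").upper() == "MINUTE" and opts.get("/MO") == "1" and TEMP_DIR.search(target):
        return {"type": "minute_task_from_temp", "task": opts.get("/TN"), "target": target}
    return None


def cacls_finding(tokens):
    """cacls <object> /P <user>:N without /E: the ACL is replaced by a no-access entry.

    The follow-up '/P <user>:R /E' edits that entry to read-only; together they leave
    the user unable to delete or modify the object."""
    if ntpath.basename(tokens[0]).lower() not in {"cacls", "cacls.exe"}:
        return None
    upper = [t.upper() for t in tokens]
    if "/P" not in upper or "/E" in upper or len(tokens) < 2:
        return None
    spec = tokens[upper.index("/P") + 1]
    user, _, perm = spec.rpartition(":")
    if perm.upper() == "N":
        return {"type": "acl_deny_self", "object": tokens[1], "user": user}
    return None


def detect_amadey_persistence(events):
    """Run both checks over the events and add a chain finding when the task target
    and a locked-down object share a basename."""
    findings = []
    for ev in events:
        tokens = tokenize(ev["cmdline"])
        if not tokens:
            continue
        for check in (schtasks_finding, cacls_finding):
            f = check(tokens)
            if f:
                f.update(pid=ev["pid"], ppid=ev["ppid"])
                findings.append(f)
    tasks = [f for f in findings if f["type"] == "minute_task_from_temp"]
    locks = [f for f in findings if f["type"] == "acl_deny_self"]
    for t in tasks:
        name = ntpath.basename(t["target"]).lower()
        if any(ntpath.basename(lk["object"]).lower() == name for lk in locks):
            findings.append({"type": "amadey_persistence_chain", "task": t["task"], "binary": t["target"]})
    return findings


if __name__ == "__main__":
    for f in detect_amadey_persistence(EVENTS):
        print(f)
```

The check keys on behaviour rather than on the random directory name (cb7ae701b3) or the binary name (oneetx.exe), both of which change between builds; the stable parts are the one-minute task pointing into Temp and a user locking itself out of a file it just dropped.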

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 193.3.19.154:80 tcp
RU 185.161.248.72:38452 tcp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
RU 185.161.248.72:38452 tcp
US 8.8.8.8:53 66.208.201.84.in-addr.arpa udp
RU 185.161.248.72:38452 tcp
RU 193.3.19.154:80 tcp
RU 185.161.248.72:38452 tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
RU 193.3.19.154:80 tcp
RU 185.161.248.72:38452 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Vq374829.exe

MD5 ad725c7c0df4a7a09d5f36caa1afd323
SHA1 5e88add664aac3b2a9cf2f8a8c57496a167c40ad
SHA256 fa4a5be3bde48e5e419c33e45d431c27513f1b7a07ec9e79db257f834f9c00a7
SHA512 5f4c14a273923d5c7c6c6ec5b0dd28a586e3204120b5e9b6ad99bd18f5f0962781a03e9affaf4ff1f164c3de03dd500a094b1f8dfdededc307cd4a9f81424c4f

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tp072936.exe

MD5 1c0c94df28042b2b30e5ece218885fbb
SHA1 e79fb5ee446e4725bc8eabb5e9c99687f590ab20
SHA256 72f5c802942edef1110e409fec3ba03a96fbf56819e64a1271b06b01a32e8514
SHA512 09ec0a7f846c8a1cde4fe6029512c22c6919090c7e676e7832093bfdbc3b8c2cdf097baca282cc2831c527a96e50f20e2b40dd7f94debebf091f01df2cd0d70b

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\172966433.exe

MD5 a657a00c376942540a5db8cdaac4b607
SHA1 892ed30921d44ad02dd7cb99fef00ed7bae71cc3
SHA256 6c3fa69d2e5bf45f0ec4ed05b7aee178af8cf8c09c7b71682c68fa4922b9c8d5
SHA512 696a024ccf151b830a563f099d78807578af09c769984770953c3e0bda3ea5c37ef1e194261ef00d473b30415f1e7c9916cc876b93ca665bc12bb9c0e12e1978

memory/4024-21-0x0000000002120000-0x000000000213A000-memory.dmp

memory/4024-22-0x0000000004B40000-0x00000000050E4000-memory.dmp

memory/4024-23-0x0000000002170000-0x0000000002188000-memory.dmp

memory/4024-33-0x0000000002170000-0x0000000002183000-memory.dmp

memory/4024-51-0x0000000002170000-0x0000000002183000-memory.dmp

memory/4024-49-0x0000000002170000-0x0000000002183000-memory.dmp

memory/4024-47-0x0000000002170000-0x0000000002183000-memory.dmp

memory/4024-45-0x0000000002170000-0x0000000002183000-memory.dmp

memory/4024-43-0x0000000002170000-0x0000000002183000-memory.dmp

memory/4024-41-0x0000000002170000-0x0000000002183000-memory.dmp

memory/4024-39-0x0000000002170000-0x0000000002183000-memory.dmp

memory/4024-37-0x0000000002170000-0x0000000002183000-memory.dmp

memory/4024-35-0x0000000002170000-0x0000000002183000-memory.dmp

memory/4024-31-0x0000000002170000-0x0000000002183000-memory.dmp

memory/4024-29-0x0000000002170000-0x0000000002183000-memory.dmp

memory/4024-27-0x0000000002170000-0x0000000002183000-memory.dmp

memory/4024-25-0x0000000002170000-0x0000000002183000-memory.dmp

memory/4024-24-0x0000000002170000-0x0000000002183000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\251501393.exe

MD5 70f0d3c8a40e6f71eed4815d2c1f6024
SHA1 549dab5d11aee5d01233a93e485fb661cf77fa9b
SHA256 6bd40df4f7bd4a1aea4176f5e258f6a2cd4d3c06649d8a5515bb18b33120ae91
SHA512 74a077b198b1249fd406e2b3b1a7f64ccc783ba170f18abba6d0b1357a7a679310541ad33b83546032f8a8ecbb95b29698a44e77c30cbc10e551889c9de820d7

memory/828-57-0x00000000024B0000-0x00000000024CA000-memory.dmp

memory/828-58-0x0000000002960000-0x0000000002978000-memory.dmp

memory/828-59-0x0000000002960000-0x0000000002972000-memory.dmp

memory/828-71-0x0000000002960000-0x0000000002972000-memory.dmp

memory/828-86-0x0000000002960000-0x0000000002972000-memory.dmp

memory/828-84-0x0000000002960000-0x0000000002972000-memory.dmp

memory/828-82-0x0000000002960000-0x0000000002972000-memory.dmp

memory/828-81-0x0000000002960000-0x0000000002972000-memory.dmp

memory/828-78-0x0000000002960000-0x0000000002972000-memory.dmp

memory/828-77-0x0000000002960000-0x0000000002972000-memory.dmp

memory/828-74-0x0000000002960000-0x0000000002972000-memory.dmp

memory/828-72-0x0000000002960000-0x0000000002972000-memory.dmp

memory/828-68-0x0000000002960000-0x0000000002972000-memory.dmp

memory/828-66-0x0000000002960000-0x0000000002972000-memory.dmp

memory/828-64-0x0000000002960000-0x0000000002972000-memory.dmp

memory/828-62-0x0000000002960000-0x0000000002972000-memory.dmp

memory/828-60-0x0000000002960000-0x0000000002972000-memory.dmp

memory/828-88-0x0000000000400000-0x0000000000802000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\373202146.exe

MD5 cb0dc3334b5743206b848d2a955e7bb6
SHA1 46447ab8ea2cfd1849706ef12718ecf217821ad2
SHA256 269859056b115dbc1cac9324a40006a77db5c7774e4a9b33a4afd17c57710b21
SHA512 b43d0fd62c140ebfdc0d2aa8f694c487e2e7215bc55a5b31750d802a73846b72ecd5c52dc281f7378237999e9edffb34a70e7f76cda080f7c406546c3ee037ba

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\473666270.exe

MD5 5a90dc193cca28c379847da544b15907
SHA1 4b2e7f14765c4cfbca801438605e4b189c66efc6
SHA256 cfd00b9844c2b29fe94d282c63ff4bd2b30986469bbfa37a7fe24a656e59b5fb
SHA512 41580e1f731f507af71080288189c65dfacdd30d133e1ee5ee153ff65fb80c9452ca89af4834a17763d7ba3308c5073b5a44ddac55cf1426752ccf7233cb1faf

memory/3160-107-0x0000000002810000-0x000000000284C000-memory.dmp

memory/3160-108-0x00000000028F0000-0x000000000292A000-memory.dmp

memory/3160-110-0x00000000028F0000-0x0000000002925000-memory.dmp

memory/3160-109-0x00000000028F0000-0x0000000002925000-memory.dmp

memory/3160-114-0x00000000028F0000-0x0000000002925000-memory.dmp

memory/3160-112-0x00000000028F0000-0x0000000002925000-memory.dmp

memory/3160-901-0x0000000007F70000-0x0000000008588000-memory.dmp

memory/3160-902-0x0000000007980000-0x0000000007992000-memory.dmp

memory/3160-903-0x00000000079A0000-0x0000000007AAA000-memory.dmp

memory/3160-904-0x0000000007AC0000-0x0000000007AFC000-memory.dmp

memory/3160-905-0x0000000002650000-0x000000000269C000-memory.dmp