Malware Analysis Report

2024-12-07 04:05

Sample ID 241113-y25r9ssjbm
Target d7145e24382aca6069302ea9e4b84a38256bafc675da1e7b5e2c74ebef80fa24.exe
SHA256 d7145e24382aca6069302ea9e4b84a38256bafc675da1e7b5e2c74ebef80fa24
Tags
amadey healer redline 9c0adb discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d7145e24382aca6069302ea9e4b84a38256bafc675da1e7b5e2c74ebef80fa24

Threat Level: Known bad

The file d7145e24382aca6069302ea9e4b84a38256bafc675da1e7b5e2c74ebef80fa24.exe was found to be: Known bad.

Malicious Activity Summary

amadey healer redline 9c0adb discovery dropper evasion infostealer persistence trojan

Healer

Healer family

Amadey family

RedLine

Detects Healer an antivirus disabler dropper

Modifies Windows Defender Real-time Protection settings

RedLine payload

Amadey

Redline family

Checks computer location settings

Windows security modification

Executes dropped EXE

Adds Run key to start application

Unsigned PE

Program crash

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Scheduled Task/Job: Scheduled Task

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-13 20:17

Signatures

Unsigned PE

Description Indicator Process Target
(1 match; no indicator details recorded)

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-13 20:17

Reported

2024-11-13 20:19

Platform

win10v2004-20241007-en

Max time kernel

114s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d7145e24382aca6069302ea9e4b84a38256bafc675da1e7b5e2c74ebef80fa24.exe"

Signatures

Amadey

trojan amadey

Amadey family

amadey

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
(17 matches; no indicator details recorded)

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\247319193.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\247319193.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\177599695.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\177599695.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\177599695.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\177599695.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\247319193.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\177599695.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\177599695.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\247319193.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\247319193.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
(6 matches; no indicator details recorded)

Redline family

redline

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\391946372.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\177599695.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\177599695.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\247319193.exe N/A
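The two tables above are the sandbox's raw registry observations. As an added example (not part of this report and not any sandbox's own code), the Python below turns rows of that shape into findings: it parses each Set value row, keeps only writes that actually weaken Defender (a Real-Time Protection policy value set to 1, or Features\TamperProtection set to 0) and attributes them to the writing process. The row layout is assumed from how the tables are rendered here; the sample rows are copied from the tables, plus one constructed benign row (Defender's own engine writing a 0 to its non-policy store) to show that the filter does not fire on ordinary writes.

```python
import re

# Real-Time Protection policy values that each disable one protection
# component when set to 1 (ATT&CK T1562.001, Disable or Modify Tools).
RTP_DISABLE_VALUES = {
    "DisableRealtimeMonitoring",
    "DisableBehaviorMonitoring",
    "DisableIOAVProtection",
    "DisableOnAccessProtection",
    "DisableScanOnRealtimeEnable",
}

# One "Set value" row as rendered above: operation, type, path = "data", process.
# The trailing " N/A" is the empty Target column. Row layout is an assumption.
SET_VALUE_RE = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<path>\\REGISTRY\\.+?) = "(?P<data>[^"]*)" '
    r'(?P<proc>.+?)(?:\s+N/A)?$'
)

# Constructed sample: rows copied from the two tables above, plus one
# constructed benign control row (last line) that must not be flagged.
SAMPLE_EVENTS = r"""
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\247319193.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\247319193.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\177599695.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\177599695.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\177599695.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "0" C:\Program Files\Windows Defender\MsMpEng.exe N/A
"""


def classify(path, data):
    """Return (technique, detail) when a write weakens Defender, else None."""
    parts = path.split("\\")
    name = parts[-1]
    parent = parts[-2] if len(parts) > 1 else ""
    # Restrict to the Policies path, which is where these samples write;
    # a 1 in any of the Disable* values switches that component off.
    if ("Policies" in parts and parent == "Real-Time Protection"
            and name in RTP_DISABLE_VALUES and data == "1"):
        return ("T1562.001", f"{name}=1 turns off a real-time protection component")
    if parent == "Features" and name == "TamperProtection" and data == "0":
        return ("T1562.001", "TamperProtection=0 attempts to switch off tamper protection")
    return None


def find_defender_tampering(lines):
    """Parse rows and return {writing process: [(technique, detail), ...]}."""
    findings = {}
    for line in lines:
        m = SET_VALUE_RE.match(line.strip())
        if not m:
            continue  # "Key created"/"Key opened" rows carry no data to judge
        hit = classify(m["path"], m["data"])
        if hit:
            findings.setdefault(m["proc"], []).append(hit)
    return findings


if __name__ == "__main__":
    for proc, hits in find_defender_tampering(SAMPLE_EVENTS.splitlines()).items():
        print(proc)
        for technique, detail in hits:
            print(f"  {technique}: {detail}")
```

A recorded write proves the attempt, not the effect: with tamper protection on, Defender does not honour these changes, so on a live host confirm the state with Get-MpComputerStatus (RealTimeProtectionEnabled, IsTamperProtected) and look for Defender operational events 5001 (real-time protection disabled) or 5013 (tamper protection blocked a change) rather than trusting the registry alone.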

Adds Run key to start application

persistence
Note: the three RunOnce values below are the standard clean-up entries written by the Windows WExtract self-extractor so that rundll32 advpack.dll,DelNodeRunDLL32 deletes its IXP00n.TMP extraction directory at the next logon. Each dropped stage registering its own wextract_cleanup value shows a three-level nested self-extracting chain (IXP000, then IXP001, then IXP002); these entries do not relaunch the malware. The persistence that does is the schtasks task for oneetx.exe listed under Processes.
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\d7145e24382aca6069302ea9e4b84a38256bafc675da1e7b5e2c74ebef80fa24.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\eC584175.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\MM706574.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\d7145e24382aca6069302ea9e4b84a38256bafc675da1e7b5e2c74ebef80fa24.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\MM706574.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\247319193.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\495138537.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\eC584175.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\177599695.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\391946372.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\177599695.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\247319193.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\495138537.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\391946372.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 764 wrote to memory of 4760 N/A C:\Users\Admin\AppData\Local\Temp\d7145e24382aca6069302ea9e4b84a38256bafc675da1e7b5e2c74ebef80fa24.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\eC584175.exe
PID 764 wrote to memory of 4760 N/A C:\Users\Admin\AppData\Local\Temp\d7145e24382aca6069302ea9e4b84a38256bafc675da1e7b5e2c74ebef80fa24.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\eC584175.exe
PID 764 wrote to memory of 4760 N/A C:\Users\Admin\AppData\Local\Temp\d7145e24382aca6069302ea9e4b84a38256bafc675da1e7b5e2c74ebef80fa24.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\eC584175.exe
PID 4760 wrote to memory of 4132 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\eC584175.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\MM706574.exe
PID 4760 wrote to memory of 4132 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\eC584175.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\MM706574.exe
PID 4760 wrote to memory of 4132 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\eC584175.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\MM706574.exe
PID 4132 wrote to memory of 3268 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\MM706574.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\177599695.exe
PID 4132 wrote to memory of 3268 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\MM706574.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\177599695.exe
PID 4132 wrote to memory of 3268 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\MM706574.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\177599695.exe
PID 4132 wrote to memory of 3968 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\MM706574.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\247319193.exe
PID 4132 wrote to memory of 3968 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\MM706574.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\247319193.exe
PID 4132 wrote to memory of 3968 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\MM706574.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\247319193.exe
PID 4760 wrote to memory of 3408 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\eC584175.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\391946372.exe
PID 4760 wrote to memory of 3408 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\eC584175.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\391946372.exe
PID 4760 wrote to memory of 3408 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\eC584175.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\391946372.exe
PID 3408 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\391946372.exe C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
PID 3408 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\391946372.exe C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
PID 3408 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\391946372.exe C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
PID 764 wrote to memory of 388 N/A C:\Users\Admin\AppData\Local\Temp\d7145e24382aca6069302ea9e4b84a38256bafc675da1e7b5e2c74ebef80fa24.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\495138537.exe
PID 764 wrote to memory of 388 N/A C:\Users\Admin\AppData\Local\Temp\d7145e24382aca6069302ea9e4b84a38256bafc675da1e7b5e2c74ebef80fa24.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\495138537.exe
PID 764 wrote to memory of 388 N/A C:\Users\Admin\AppData\Local\Temp\d7145e24382aca6069302ea9e4b84a38256bafc675da1e7b5e2c74ebef80fa24.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\495138537.exe
PID 2096 wrote to memory of 1496 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 2096 wrote to memory of 1496 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 2096 wrote to memory of 1496 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 2096 wrote to memory of 4324 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 2096 wrote to memory of 4324 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 2096 wrote to memory of 4324 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 4324 wrote to memory of 2132 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4324 wrote to memory of 2132 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4324 wrote to memory of 2132 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4324 wrote to memory of 1356 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4324 wrote to memory of 1356 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4324 wrote to memory of 1356 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4324 wrote to memory of 932 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4324 wrote to memory of 932 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4324 wrote to memory of 932 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4324 wrote to memory of 2932 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4324 wrote to memory of 2932 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4324 wrote to memory of 2932 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4324 wrote to memory of 1220 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4324 wrote to memory of 1220 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4324 wrote to memory of 1220 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4324 wrote to memory of 632 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4324 wrote to memory of 632 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4324 wrote to memory of 632 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe

Processes

C:\Users\Admin\AppData\Local\Temp\d7145e24382aca6069302ea9e4b84a38256bafc675da1e7b5e2c74ebef80fa24.exe

"C:\Users\Admin\AppData\Local\Temp\d7145e24382aca6069302ea9e4b84a38256bafc675da1e7b5e2c74ebef80fa24.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\eC584175.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\eC584175.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\MM706574.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\MM706574.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\177599695.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\177599695.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\247319193.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\247319193.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3968 -ip 3968

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3968 -s 1084

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\391946372.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\391946372.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

"C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\495138537.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\495138537.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\cb7ae701b3" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\cb7ae701b3" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
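The WriteProcessMemory rows and the Processes list together describe the execution chain, but the rows repeat each parent/child pair three times and the chain is easier to read as a tree. The Python below is an added example, not part of the report or of any sandbox's own code: it dedupes the rows into a parent-to-child map rooted at the submitted sample, labels each IXP00n.TMP path as a nested WExtract self-extractor stage, and flags the two command lines that carry the persistence and anti-deletion behaviour (the schtasks /SC MINUTE task and the CACLS Admin:N denials). The sample rows and the two command lines are copied from the report; the PID-to-command-line mapping comes from the rows that show oneetx.exe (PID 2096) spawning schtasks.exe (1496) and cmd.exe (4324).

```python
import re
from collections import defaultdict

# One "Suspicious use of WriteProcessMemory" row: parent PID, child PID,
# parent image, child image. The report lists each pair three times.
WPM_RE = re.compile(
    r"^PID (?P<ppid>\d+) wrote to memory of (?P<pid>\d+) N/A (?P<parent>\S+) (?P<child>\S+)$"
)

# Constructed subset of the rows above; one duplicate is kept to show the dedup.
SAMPLE_WPM = r"""
PID 764 wrote to memory of 4760 N/A C:\Users\Admin\AppData\Local\Temp\d7145e24382aca6069302ea9e4b84a38256bafc675da1e7b5e2c74ebef80fa24.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\eC584175.exe
PID 764 wrote to memory of 4760 N/A C:\Users\Admin\AppData\Local\Temp\d7145e24382aca6069302ea9e4b84a38256bafc675da1e7b5e2c74ebef80fa24.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\eC584175.exe
PID 4760 wrote to memory of 4132 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\eC584175.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\MM706574.exe
PID 4132 wrote to memory of 3268 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\MM706574.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\177599695.exe
PID 4132 wrote to memory of 3968 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\MM706574.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\247319193.exe
PID 4760 wrote to memory of 3408 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\eC584175.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\391946372.exe
PID 3408 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\391946372.exe C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
PID 764 wrote to memory of 388 N/A C:\Users\Admin\AppData\Local\Temp\d7145e24382aca6069302ea9e4b84a38256bafc675da1e7b5e2c74ebef80fa24.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\495138537.exe
PID 2096 wrote to memory of 1496 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 2096 wrote to memory of 4324 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 4324 wrote to memory of 1356 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
"""

# Command lines from the Processes section, keyed by the PIDs the rows above
# give for oneetx.exe's children (1496 = schtasks.exe, 4324 = cmd.exe).
SAMPLE_CMDLINES = {
    1496: r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F',
    4324: r'"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit',
}

TEMP_DIR = "\\appdata\\local\\temp\\"  # compared against lower-cased command lines


def build_tree(lines):
    """Dedupe rows into children[ppid] -> sorted child PIDs and names[pid] -> image."""
    children = defaultdict(set)
    names = {}
    for line in lines:
        m = WPM_RE.match(line.strip())
        if not m:
            continue
        ppid, pid = int(m["ppid"]), int(m["pid"])
        names.setdefault(ppid, m["parent"])
        names[pid] = m["child"]
        children[ppid].add(pid)
    return {p: sorted(c) for p, c in children.items()}, names


def roots(children, names):
    """PIDs never seen as a child; here that is the submitted sample only."""
    seen_as_child = {c for kids in children.values() for c in kids}
    return sorted(p for p in names if p not in seen_as_child)


def flag_cmdline(cmd):
    """ATT&CK techniques evidenced by one command line (empty list if none)."""
    low = cmd.lower()
    flags = []
    # schtasks re-running a %TEMP% payload every minute: Scheduled Task (T1053.005)
    if "schtasks" in low and "/create" in low and "/sc minute" in low and TEMP_DIR in low:
        flags.append("T1053.005 minute-interval task relaunching a payload from %TEMP%")
    # CACLS <file> /P "<user>:N" strips the user's own access to the dropped
    # file or directory so it cannot be deleted casually: T1222.001
    if "cacls" in low and re.search(r'/p\s+"[^"]+:n"', low):
        flags.append("T1222.001 CACLS denies the current user access to the dropped payload")
    return flags


def render(children, names, cmdlines, pid, depth=0, out=None):
    """Indented tree; IXP00n.TMP paths are labelled as nested WExtract stages."""
    out = [] if out is None else out
    path = names[pid]
    base = path.rsplit("\\", 1)[-1]
    stage = re.search(r"\\(IXP\d{3})\.TMP\\", path)
    label = f"  [{stage.group(1)} stage]" if stage else ""
    indent = "  " * depth
    out.append(f"{indent}{pid} {base}{label}")
    for flag in flag_cmdline(cmdlines.get(pid, "")):
        out.append(f"{indent}  ! {flag}")
    for child in children.get(pid, []):
        render(children, names, cmdlines, child, depth + 1, out)
    return out


def process_tree(lines=None, cmdlines=None):
    """Rendered tree for the report rows: one line per process plus flag lines."""
    lines = SAMPLE_WPM.splitlines() if lines is None else lines
    cmdlines = SAMPLE_CMDLINES if cmdlines is None else cmdlines
    children, names = build_tree(lines)
    out = []
    for root in roots(children, names):
        render(children, names, cmdlines, root, 0, out)
    return out


if __name__ == "__main__":
    print("\n".join(process_tree()))
```

Read against the report, the tree shows three branches out of the sample's first stage: eC584175.exe unpacks MM706574.exe, which drops the two Healer stages 177599695.exe and 247319193.exe (PID 3968 is the process WerFault handles in the Processes list, matching the Program crash signature); 391946372.exe installs oneetx.exe and its schtasks/CACLS hardening; and 495138537.exe runs directly from IXP000. The flags rest on command-line text only, so on a live host pair them with the task's actual definition (schtasks /Query /TN oneetx.exe /V) and the file's effective ACL rather than the CACLS invocation alone.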

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 68.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 193.3.19.154:80 tcp
RU 185.161.248.143:38452 tcp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
RU 185.161.248.143:38452 tcp
RU 185.161.248.143:38452 tcp
RU 193.3.19.154:80 tcp
RU 185.161.248.143:38452 tcp
US 8.8.8.8:53 102.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
RU 193.3.19.154:80 tcp
RU 185.161.248.143:38452 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\eC584175.exe

MD5 bd4b0a6f9be7b8b713c91d2a199f1eac
SHA1 c4e415998aced7d308de0b09887b24a0452e2e19
SHA256 a7c97e3362b69baf3537cd2f876a75fa6b72b05ad15c17924cafbe89b928c038
SHA512 ede4cb923e9d567e709b22bb4cfcd792049d034612b07428e337588092588878df10d2de757806ab6b1a4cdfa9b2110dc3b5037d20df5f73c7f9adf8c06f139a

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\MM706574.exe

MD5 247bb2fbcebdb8cd8b9ed119dd80bc1b
SHA1 1d31c5677b88e88cbb4eaeaadb568aff121f86f1
SHA256 582f3b5359c967de84c9a12ab00862335b5e7db2841c9bf65696a05f91ce17be
SHA512 1fe18699498e86482716e68dd1f275c7944036544367e4bd6959b4a52ac2a1e230e93fcc6b268e25032e5732f95f2d8fcff7fb9fbb85f777499bdd4f92987095

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\177599695.exe

MD5 2b71f4b18ac8214a2bff547b6ce2f64f
SHA1 b8f2f25139a7b2e8d5e8fbc024eb5cac518bc6a5
SHA256 f7eedf3aec775a62c265d1652686b30a8a45a953523e2fb3cfc1fac3c6a66fbc
SHA512 33518eff768610bf54f9888d9d0d746b0c3500dc5f2b8fd5f1641d5a264f657a8311b40364f70932512581183b244fec3feb535e21c13e0ec8adec9994175177

memory/3268-21-0x00000000022B0000-0x00000000022CA000-memory.dmp

memory/3268-22-0x0000000004BE0000-0x0000000005184000-memory.dmp

memory/3268-23-0x0000000004AC0000-0x0000000004AD8000-memory.dmp

memory/3268-24-0x0000000004AC0000-0x0000000004AD3000-memory.dmp

memory/3268-51-0x0000000004AC0000-0x0000000004AD3000-memory.dmp

memory/3268-49-0x0000000004AC0000-0x0000000004AD3000-memory.dmp

memory/3268-47-0x0000000004AC0000-0x0000000004AD3000-memory.dmp

memory/3268-45-0x0000000004AC0000-0x0000000004AD3000-memory.dmp

memory/3268-43-0x0000000004AC0000-0x0000000004AD3000-memory.dmp

memory/3268-41-0x0000000004AC0000-0x0000000004AD3000-memory.dmp

memory/3268-39-0x0000000004AC0000-0x0000000004AD3000-memory.dmp

memory/3268-37-0x0000000004AC0000-0x0000000004AD3000-memory.dmp

memory/3268-35-0x0000000004AC0000-0x0000000004AD3000-memory.dmp

memory/3268-33-0x0000000004AC0000-0x0000000004AD3000-memory.dmp

memory/3268-31-0x0000000004AC0000-0x0000000004AD3000-memory.dmp

memory/3268-27-0x0000000004AC0000-0x0000000004AD3000-memory.dmp

memory/3268-25-0x0000000004AC0000-0x0000000004AD3000-memory.dmp

memory/3268-29-0x0000000004AC0000-0x0000000004AD3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\247319193.exe

MD5 4be23deea693904a3bf2c324934a4d10
SHA1 a87f1d5b6f0acdfd569c8c44557f8641dfbb36f0
SHA256 ea25cc11c582cdccaa99fe7522cf254a2f027b7262cb7f69a1a78dcd70bc6500
SHA512 ec81136e377dec2929539a05325d5b3ea849ba9ecd6846b7105cdd952fb114f2f987ab5cce53f28839d3001196a4d4cd116850be185b8838b8c5ea871196d103

memory/3968-85-0x0000000000400000-0x0000000002B9B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\391946372.exe

MD5 1304f384653e08ae497008ff13498608
SHA1 d9a76ed63d74d4217c5027757cb9a7a0d0093080
SHA256 2a9dabab35fb09085750e1cc762e32b0fe4cbd7ed4276ef7e68ba159ae330eaa
SHA512 4138217fd538e827c89db5c0cd4ea21bd8c8d3a7196d2eabf10412caf7b929479e768747df5fd92fc022d758f1840474530ba82dcb7e8672cc6eb88caeaf38c1

memory/3968-87-0x0000000000400000-0x0000000002B9B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\495138537.exe

MD5 931fe74df03308ec4eb8d089d3f9334e
SHA1 c8f428d2bdf48081c57e387073b078f7555ab867
SHA256 a965afcccb6dee0d27c95ad3eca73b8e5cb461da784a08e1f4e4638b63d2b819
SHA512 ba9b96530a42c0931ba660bc47069c97309b49d0606aaaeae8410a49396ffb326bbab130638ff92400ee6afae80147686f752daaeec7495ef882140567a5c6dc

memory/388-105-0x0000000004A60000-0x0000000004A9C000-memory.dmp

memory/388-106-0x0000000004B20000-0x0000000004B5A000-memory.dmp

memory/388-112-0x0000000004B20000-0x0000000004B55000-memory.dmp

memory/388-110-0x0000000004B20000-0x0000000004B55000-memory.dmp

memory/388-108-0x0000000004B20000-0x0000000004B55000-memory.dmp

memory/388-107-0x0000000004B20000-0x0000000004B55000-memory.dmp

memory/388-899-0x0000000009DE0000-0x000000000A3F8000-memory.dmp

memory/388-900-0x0000000004C80000-0x0000000004C92000-memory.dmp

memory/388-901-0x000000000A400000-0x000000000A50A000-memory.dmp

memory/388-902-0x0000000007420000-0x000000000745C000-memory.dmp

memory/388-903-0x00000000048B0000-0x00000000048FC000-memory.dmp