Malware Analysis Report

2024-12-07 04:09

Sample ID 241113-yt533a1rcm
Target e94b5b152df619d7ff90fd7234ada64ef81d40eafd37336768ce71ee354e14d2N.exe
SHA256 e94b5b152df619d7ff90fd7234ada64ef81d40eafd37336768ce71ee354e14d2
Tags
amadey healer redline 9c0adb discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e94b5b152df619d7ff90fd7234ada64ef81d40eafd37336768ce71ee354e14d2

Threat Level: Known bad

The file e94b5b152df619d7ff90fd7234ada64ef81d40eafd37336768ce71ee354e14d2N.exe was found to be: Known bad.

Malicious Activity Summary

amadey healer redline 9c0adb discovery dropper evasion infostealer persistence trojan

RedLine payload

Redline family

Amadey

Detects Healer an antivirus disabler dropper

Amadey family

Healer family

Modifies Windows Defender Real-time Protection settings

Healer

RedLine

Windows security modification

Executes dropped EXE

Checks computer location settings

Adds Run key to start application

Unsigned PE

Program crash

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Scheduled Task/Job: Scheduled Task

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-13 20:05

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-13 20:05

Reported

2024-11-13 20:07

Platform

win10v2004-20241007-en

Max time kernel

115s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e94b5b152df619d7ff90fd7234ada64ef81d40eafd37336768ce71ee354e14d2N.exe"

Signatures

Amadey

trojan amadey

Amadey family

amadey

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
(17 matches reported; every field exported as N/A)

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\196889709.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\196889709.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\196889709.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\298975515.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\196889709.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\196889709.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\196889709.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\298975515.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\298975515.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\298975515.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\298975515.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
(6 matches reported; every field exported as N/A)

Redline family

redline

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\307287663.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\196889709.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\196889709.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\298975515.exe N/A
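The twelve Set value rows in the two Defender tables above are the whole of the security-tampering activity in this detonation: both IXP002.TMP droppers set the five Real-Time Protection policy values to 1 and Features\TamperProtection to 0, and the report logs every write under the WOW6432Node path. The Python below is an added example, not part of this report or of the sandbox's own code. It parses the rows exactly as exported here (operation, key path, optional = "data", process, target), flags the writes that weaken Defender, and ignores the WOW6432Node component so the same logic matches 32-bit and 64-bit writers. The list of value names is the editor's own and is limited to the values this report shows. Whether a TamperProtection = 0 written straight to the registry takes effect depends on the host's Tamper Protection state, which the report does not record.

```python
from collections import defaultdict

# Registry rows copied from the two Defender tables of this report, one per line,
# in the exported layout: '<operation> <key path>[ = "<data>"] <process> <target>'.
REPORT_ROWS = r'''
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\196889709.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\196889709.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\196889709.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\298975515.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\196889709.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\196889709.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\196889709.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\298975515.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\298975515.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\298975515.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\298975515.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\196889709.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\196889709.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\298975515.exe N/A
'''.strip().splitlines()

OPERATIONS = ("Set value (int)", "Set value (str)", "Key created", "Key opened", "Key value queried")

# Normalized value path -> data that indicates Defender has been weakened.
# Editor's list, limited to the values this report shows.
RTP = r"policies\microsoft\windows defender\real-time protection"
DEFENDER_TAMPER_VALUES = {
    RTP + r"\disablerealtimemonitoring": "1",
    RTP + r"\disablebehaviormonitoring": "1",
    RTP + r"\disableioavprotection": "1",
    RTP + r"\disableonaccessprotection": "1",
    RTP + r"\disablescanonrealtimeenable": "1",
    r"microsoft\windows defender\features\tamperprotection": "0",
}


def parse_row(row):
    """Split one exported row into its fields, or return None if it is not a registry row.

    The key path may contain spaces, so the last two fields (process, target) are
    split off from the right and the operation is matched from the left.
    """
    for op in OPERATIONS:
        if row.startswith(op + " "):
            break
    else:
        return None
    parts = row[len(op) + 1:].rsplit(" ", 2)
    if len(parts) != 3:
        return None
    rest, proc, target = parts
    data = None
    if ' = "' in rest:
        rest, data = rest.split(' = "', 1)
        data = data.rstrip('"')
    return {"op": op, "path": rest, "data": data, "process": proc, "target": target}


def normalize_key(path):
    """Lower-case, drop the \\REGISTRY\\MACHINE\\SOFTWARE\\ prefix and the WOW6432Node hop."""
    p = path.lower()
    prefix = "\\registry\\machine\\software\\"
    if p.startswith(prefix):
        p = p[len(prefix):]
    if p.startswith("wow6432node\\"):
        p = p[len("wow6432node\\"):]
    return p


def find_defender_tampering(rows):
    """Return (process, original key path, data) for every write that weakens Defender."""
    hits = []
    for row in rows:
        ev = parse_row(row)
        if not ev or not ev["op"].startswith("Set value"):
            continue
        if DEFENDER_TAMPER_VALUES.get(normalize_key(ev["path"])) == ev["data"]:
            hits.append((ev["process"], ev["path"], ev["data"]))
    return hits


def tampering_by_process(rows):
    """Map each writing process to the sorted Defender value names it weakened."""
    by_proc = defaultdict(set)
    for proc, path, _ in find_defender_tampering(rows):
        by_proc[proc].add(path.rsplit("\\", 1)[-1])
    return {proc: sorted(names) for proc, names in by_proc.items()}


if __name__ == "__main__":
    for proc, names in tampering_by_process(REPORT_ROWS).items():
        print(proc)
        for name in names:
            print("  ", name)
```

Run against the rows above this yields the same six value names for each of the two droppers; the two Key created rows are ignored because creating the key on its own changes nothing.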

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\e94b5b152df619d7ff90fd7234ada64ef81d40eafd37336768ce71ee354e14d2N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mX373939.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ch077982.exe N/A
These three values are the cleanup hook that the Windows self-extracting cabinet stub (wextract) writes for each layer it unpacks: on the next logon rundll32.exe calls DelNodeRunDLL32 in advpack.dll to delete the IXP000.TMP, IXP001.TMP and IXP002.TMP directories. They do not re-execute a payload; the persistence that does is the schtasks.exe entry listed under Processes.

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mX373939.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\298975515.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\437029961.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\196889709.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\307287663.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\e94b5b152df619d7ff90fd7234ada64ef81d40eafd37336768ce71ee354e14d2N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ch077982.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\196889709.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\298975515.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\437029961.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Writes
PID 1748 wrote to memory of 60 N/A C:\Users\Admin\AppData\Local\Temp\e94b5b152df619d7ff90fd7234ada64ef81d40eafd37336768ce71ee354e14d2N.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mX373939.exe 3
PID 60 wrote to memory of 3236 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mX373939.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ch077982.exe 3
PID 3236 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ch077982.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\196889709.exe 3
PID 3236 wrote to memory of 5004 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ch077982.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\298975515.exe 3
PID 60 wrote to memory of 3452 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mX373939.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\307287663.exe 3
PID 3452 wrote to memory of 4472 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\307287663.exe C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe 3
PID 1748 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\e94b5b152df619d7ff90fd7234ada64ef81d40eafd37336768ce71ee354e14d2N.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\437029961.exe 3
PID 4472 wrote to memory of 4732 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\schtasks.exe 3
PID 4472 wrote to memory of 4160 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\cmd.exe 3
PID 4160 wrote to memory of 1680 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe 3
PID 4160 wrote to memory of 1512 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe 3
PID 4160 wrote to memory of 4044 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe 3
PID 4160 wrote to memory of 4348 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe 3
PID 4160 wrote to memory of 2944 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe 3
PID 4160 wrote to memory of 4376 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe 3
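Every row in the WriteProcessMemory table has the parent writing into a process whose image is the child it has just started, which is the write that process creation itself performs; none of the targets is a pre-existing foreign process. The table is therefore most useful read as the execution chain of the sample. The Python below is an added example, not from this report or from the sandbox: it parses the rows in the layout exported here, drops the repeated entries, rebuilds the process tree, and returns the lineage of any PID, which is the form a detection rule would key on (for instance cacls.exe spawned by cmd.exe spawned by a binary in Temp).

```python
import ntpath
import re
from collections import defaultdict

# The 15 distinct parent/child rows from the WriteProcessMemory table above, in the
# report's own layout: 'PID <parent> wrote to memory of <child> N/A <parent image> <child image>'.
WRITE_ROWS = r'''
PID 1748 wrote to memory of 60 N/A C:\Users\Admin\AppData\Local\Temp\e94b5b152df619d7ff90fd7234ada64ef81d40eafd37336768ce71ee354e14d2N.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mX373939.exe
PID 60 wrote to memory of 3236 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mX373939.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ch077982.exe
PID 3236 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ch077982.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\196889709.exe
PID 3236 wrote to memory of 5004 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ch077982.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\298975515.exe
PID 60 wrote to memory of 3452 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mX373939.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\307287663.exe
PID 3452 wrote to memory of 4472 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\307287663.exe C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
PID 1748 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\e94b5b152df619d7ff90fd7234ada64ef81d40eafd37336768ce71ee354e14d2N.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\437029961.exe
PID 4472 wrote to memory of 4732 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 4472 wrote to memory of 4160 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 4160 wrote to memory of 1680 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4160 wrote to memory of 1512 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4160 wrote to memory of 4044 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4160 wrote to memory of 4348 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4160 wrote to memory of 2944 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4160 wrote to memory of 4376 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
'''.strip().splitlines()

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")


def parse_edges(rows):
    """Return (parent_pid, child_pid, parent_image, child_image) tuples, first occurrence only.

    The sandbox logs the same parent/child pair once per write (three times per
    child in this report), so repeats are dropped while the original order is kept.
    """
    seen, edges = set(), []
    for row in rows:
        m = ROW_RE.match(row.strip())
        if not m or (m.group(1), m.group(2)) in seen:
            continue
        seen.add((m.group(1), m.group(2)))
        edges.append((int(m.group(1)), int(m.group(2)), m.group(3), m.group(4)))
    return edges


def build_tree(edges):
    """Return (roots, children, images); a root is a PID that never appears as a child."""
    children, images = defaultdict(list), {}
    for ppid, pid, pimg, cimg in edges:
        children[ppid].append(pid)
        images.setdefault(ppid, pimg)
        images[pid] = cimg
    child_pids = {pid for _, pid, _, _ in edges}
    roots = [pid for pid in images if pid not in child_pids]
    return roots, children, images


def render_tree(edges, indent="  "):
    """Indented one-line-per-process view: PID followed by the image file name."""
    roots, children, images = build_tree(edges)
    lines = []

    def walk(pid, depth):
        lines.append(indent * depth + str(pid) + " " + ntpath.basename(images[pid]))
        for child in children.get(pid, []):
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return "\n".join(lines)


def lineage(edges, pid):
    """Image file names from the root process down to pid."""
    _, _, images = build_tree(edges)
    parent = {child: ppid for ppid, child, _, _ in edges}
    chain = [pid]
    while chain[-1] in parent:
        chain.append(parent[chain[-1]])
    return [ntpath.basename(images[p]) for p in reversed(chain)]


if __name__ == "__main__":
    edges = parse_edges(WRITE_ROWS)
    print(render_tree(edges))
    print(" -> ".join(lineage(edges, 4376)))
```

ntpath is used for the file names so the Windows paths split correctly when the script runs on a non-Windows analysis host. The tree this produces has one root (PID 1748, the submitted sample) with two branches: the nested SFX layers that end in the two Defender-tampering droppers and in oneetx.exe with its schtasks.exe and cmd.exe children, and the separate 437029961.exe child.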

Processes

C:\Users\Admin\AppData\Local\Temp\e94b5b152df619d7ff90fd7234ada64ef81d40eafd37336768ce71ee354e14d2N.exe

"C:\Users\Admin\AppData\Local\Temp\e94b5b152df619d7ff90fd7234ada64ef81d40eafd37336768ce71ee354e14d2N.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mX373939.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mX373939.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ch077982.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ch077982.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\196889709.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\196889709.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\298975515.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\298975515.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 5004 -ip 5004

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5004 -s 1080

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\307287663.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\307287663.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

"C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\437029961.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\437029961.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\cb7ae701b3" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\cb7ae701b3" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
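Two command lines in the list above carry the persistence and self-protection of this sample. The schtasks.exe call creates a task named oneetx.exe that re-runs C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe every minute (/SC MINUTE /MO 1), with /F overwriting any existing task of that name. The cmd.exe /k chain runs CACLS four times: /P without /E replaces the whole ACL of oneetx.exe and of its directory with a single Admin:N (no access) entry, and the following /P ... /E edits that entry to Admin:R, so the logged-on user is left with read-only access and cannot delete or overwrite the file without first changing the ACL (which an administrator can still do); the echo Y| prefix answers the confirmation prompt. The Python below is an added example, not from this report: it parses both command-line forms, scores the task with heuristics that are the editor's own, and replays the CACLS semantics to show the resulting access.

```python
import re

# Command lines copied from the Processes list of this report.
SCHTASKS_CMD = r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F'
CACLS_CMD = r'"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit'

# Quoted strings are one token, everything else splits on whitespace.
TOKEN_RE = re.compile(r'"[^"]*"|\S+')

# Directories an unprivileged user can write to (editor's list, not from the report).
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\users\\public\\", "\\programdata\\")


def tokenize(cmd):
    return [t.strip('"') for t in TOKEN_RE.findall(cmd)]


def parse_schtasks_create(cmd):
    """Return the fields of a 'schtasks /Create' command line, or None for anything else."""
    toks = tokenize(cmd)
    if not toks or not toks[0].lower().endswith("schtasks.exe"):
        return None
    opts, i = {}, 1
    while i < len(toks):
        t = toks[i].upper()
        if t in ("/CREATE", "/F"):          # flags without an argument
            opts[t] = True
            i += 1
        elif t.startswith("/") and i + 1 < len(toks):
            opts[t] = toks[i + 1]           # switches that take one argument
            i += 2
        else:
            i += 1
    if "/CREATE" not in opts:
        return None
    return {
        "name": opts.get("/TN"),
        "run": opts.get("/TR"),
        "schedule": opts.get("/SC", "").upper(),
        "modifier": int(opts.get("/MO", "1")),
        "force": bool(opts.get("/F", False)),
    }


def schtasks_flags(task):
    """Heuristic reasons a created task looks like malware persistence (editor's own)."""
    reasons = []
    run = (task["run"] or "").lower()
    if any(d in run for d in USER_WRITABLE):
        reasons.append("runs a binary from a user-writable directory")
    if task["schedule"] == "MINUTE" and task["modifier"] <= 5:
        reasons.append("re-executes every %d minute(s)" % task["modifier"])
    if task["force"]:
        reasons.append("/F silently overwrites an existing task of the same name")
    if task["name"] and task["name"].lower().endswith(".exe"):
        reasons.append("task name is an executable file name")
    return reasons


def parse_cacls_chain(cmd):
    """Return the ACL changes requested by a cmd.exe '&&' chain of CACLS calls.

    Each change is {target, user, perm, edit}; 'edit' is True when /E was given.
    An 'echo Y|' in front of a call only feeds CACLS's confirmation prompt.
    """
    changes = []
    for seg in cmd.split("&&"):
        seg = seg.split("|", 1)[1] if "|" in seg else seg
        toks = tokenize(seg.strip())
        if len(toks) < 2 or toks[0].upper() != "CACLS":
            continue
        target, edit = toks[1], "/E" in [t.upper() for t in toks]
        for i, t in enumerate(toks):
            if t.upper() == "/P" and i + 1 < len(toks):
                user, perm = toks[i + 1].rsplit(":", 1)
                changes.append({"target": target, "user": user, "perm": perm, "edit": edit})
    return changes


def effective_rights(changes):
    """Replay CACLS semantics: /P alone replaces the whole ACL, /P with /E edits it.

    Returns {target: {user: perm}} as left after the last call.
    """
    acl = {}
    for c in changes:
        entries = acl.setdefault(c["target"], {})
        if not c["edit"]:
            entries.clear()
        entries[c["user"]] = c["perm"]
    return acl


if __name__ == "__main__":
    task = parse_schtasks_create(SCHTASKS_CMD)
    print(task, schtasks_flags(task))
    print(effective_rights(parse_cacls_chain(CACLS_CMD)))
```

The replay is deliberately limited to the /P and /E switches that appear here; CACLS also has /G, /R and /D forms, which this parser does not model.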

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 193.3.19.154:80 tcp
RU 185.161.248.143:38452 tcp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 82.190.18.2.in-addr.arpa udp
RU 185.161.248.143:38452 tcp
RU 185.161.248.143:38452 tcp
RU 193.3.19.154:80 tcp
RU 185.161.248.143:38452 tcp
RU 193.3.19.154:80 tcp
RU 185.161.248.143:38452 tcp
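The Network table above mixes two kinds of rows: PTR (in-addr.arpa) lookups sent to 8.8.8.8, and raw TCP connections to two endpoints geolocated to Russia, 193.3.19.154:80 (three connections) and 185.161.248.143:38452 (five). None of the addresses the PTR queries ask about is one of those endpoints, so the lookups should be kept apart from the connections when extracting indicators. The Python below is an added example, not from this report: it parses the rows as exported, turns each PTR name back into the IP that was looked up, and counts connections per endpoint. The report does not say which malware family uses which endpoint, and the example does not guess.

```python
from collections import Counter

# Network rows copied from the table above, in the exported layout:
# '<country> <destination ip:port> [<domain>] <proto>'.
NETWORK_ROWS = """
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 193.3.19.154:80 tcp
RU 185.161.248.143:38452 tcp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 82.190.18.2.in-addr.arpa udp
RU 185.161.248.143:38452 tcp
RU 185.161.248.143:38452 tcp
RU 193.3.19.154:80 tcp
RU 185.161.248.143:38452 tcp
RU 193.3.19.154:80 tcp
RU 185.161.248.143:38452 tcp
""".strip().splitlines()

PTR_SUFFIX = ".in-addr.arpa"


def ptr_name_to_ip(name):
    """'228.249.119.40.in-addr.arpa' -> '40.119.249.228'; None if not an IPv4 PTR name."""
    if not name.lower().endswith(PTR_SUFFIX):
        return None
    labels = name[:-len(PTR_SUFFIX)].split(".")
    if len(labels) != 4 or not all(x.isdigit() and int(x) < 256 for x in labels):
        return None
    return ".".join(reversed(labels))


def parse_network_rows(rows):
    """Return (lookups, endpoints): IPs that were reverse-resolved, and a Counter of
    (country, ip:port, proto, domain) for every other row."""
    lookups, endpoints = [], Counter()
    for row in rows:
        parts = row.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            (country, dest, proto), domain = parts, ""
        else:
            continue
        ip = ptr_name_to_ip(domain) if proto == "udp" and dest.endswith(":53") else None
        if ip:
            lookups.append(ip)
        else:
            endpoints[(country, dest, proto, domain)] += 1
    return lookups, endpoints


def iocs(rows):
    """Unique non-DNS endpoints, most contacted first, as (ip, port, proto, hits)."""
    _, endpoints = parse_network_rows(rows)
    out = []
    for (country, dest, proto, domain), n in endpoints.most_common():
        ip, port = dest.rsplit(":", 1)
        out.append((ip, int(port), proto, n))
    return out


if __name__ == "__main__":
    lookups, _ = parse_network_rows(NETWORK_ROWS)
    print("reverse-resolved:", lookups)
    for ip, port, proto, n in iocs(NETWORK_ROWS):
        print("%s:%d/%s x%d" % (ip, port, proto, n))
```

A DNS row for a forward (A) lookup would not be a PTR name and therefore lands in endpoints with its domain kept, which is the behaviour wanted for a report that resolves a C2 hostname.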

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mX373939.exe

MD5 798065c8074fa23e41570aeedd3dccfc
SHA1 6e1fafc5945a3156ab6b46b608f0958c961cdeda
SHA256 9c0844793e5fe0be7afcfa9a14f15b3eda14d481d21da61b275eccf2b0324e8a
SHA512 06c2d872f04cb9d721db8e281a864aff0e71a7b68565dd36b814eb1f4073f94bd26eaec5d59be5a65e77e805458d23a7b55b3e3fed2b714e893ed821fbb1017b

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ch077982.exe

MD5 ec6a641b77d428d90bccb167a1735374
SHA1 7dc8d38b228e6a20429b59ceb3f7aed799b47d31
SHA256 e92569b30d187d45de9fa76f8ec4b79277e8a2ce1af2076c3a2f8fb80a3a9052
SHA512 a8a53fc018e36444638bb0b6087c6306c1d27226cf8849621c07b38244fec35a677a8bdc7c128a224fb6e53d4ed6079e9f1378706b28d97ae8a94eafae803340

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\196889709.exe

MD5 2b71f4b18ac8214a2bff547b6ce2f64f
SHA1 b8f2f25139a7b2e8d5e8fbc024eb5cac518bc6a5
SHA256 f7eedf3aec775a62c265d1652686b30a8a45a953523e2fb3cfc1fac3c6a66fbc
SHA512 33518eff768610bf54f9888d9d0d746b0c3500dc5f2b8fd5f1641d5a264f657a8311b40364f70932512581183b244fec3feb535e21c13e0ec8adec9994175177

memory/1256-21-0x00000000021B0000-0x00000000021CA000-memory.dmp

memory/1256-22-0x0000000004B40000-0x00000000050E4000-memory.dmp

memory/1256-23-0x00000000023B0000-0x00000000023C8000-memory.dmp

memory/1256-24-0x00000000023B0000-0x00000000023C3000-memory.dmp

memory/1256-39-0x00000000023B0000-0x00000000023C3000-memory.dmp

memory/1256-51-0x00000000023B0000-0x00000000023C3000-memory.dmp

memory/1256-47-0x00000000023B0000-0x00000000023C3000-memory.dmp

memory/1256-45-0x00000000023B0000-0x00000000023C3000-memory.dmp

memory/1256-43-0x00000000023B0000-0x00000000023C3000-memory.dmp

memory/1256-41-0x00000000023B0000-0x00000000023C3000-memory.dmp

memory/1256-37-0x00000000023B0000-0x00000000023C3000-memory.dmp

memory/1256-35-0x00000000023B0000-0x00000000023C3000-memory.dmp

memory/1256-33-0x00000000023B0000-0x00000000023C3000-memory.dmp

memory/1256-31-0x00000000023B0000-0x00000000023C3000-memory.dmp

memory/1256-29-0x00000000023B0000-0x00000000023C3000-memory.dmp

memory/1256-27-0x00000000023B0000-0x00000000023C3000-memory.dmp

memory/1256-25-0x00000000023B0000-0x00000000023C3000-memory.dmp

memory/1256-49-0x00000000023B0000-0x00000000023C3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\298975515.exe

MD5 000884a143311eac38020e37f4545940
SHA1 5f3a0f682a151e8c91595e3b3dd8bf4bedf54c5a
SHA256 ac5c4a0f7b5e7b10d635309afa5b1b2c98dc304a4daa1f0575865846e79588f1
SHA512 be9bf84a3f3585fca2ccaaf86415069cc4d38d93d9156b71bdb063ecf3a1dbea3f0890979e9093358b84c52b8127f4dfec63e69cb1f8f4b6bbc2f8687c22811f

memory/5004-86-0x0000000000400000-0x0000000002B9B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\307287663.exe

MD5 1304f384653e08ae497008ff13498608
SHA1 d9a76ed63d74d4217c5027757cb9a7a0d0093080
SHA256 2a9dabab35fb09085750e1cc762e32b0fe4cbd7ed4276ef7e68ba159ae330eaa
SHA512 4138217fd538e827c89db5c0cd4ea21bd8c8d3a7196d2eabf10412caf7b929479e768747df5fd92fc022d758f1840474530ba82dcb7e8672cc6eb88caeaf38c1

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\437029961.exe

MD5 82ea93d5ce073ffea510b6b0a201be32
SHA1 1a3e68502a19f2f2c9d9aa02051857fe468a32f7
SHA256 f2f1079243eb6e8e00065f74e112a075b0260fd7c2b1dac06d5999e50cf17bbf
SHA512 1767a4201ab631406a21eb8bbc2da49262672c49ada388fa532b02b4f2742173b437ba29700ad13fd5eeb7eb06cc85b25d6b54b247c0b2b766af3382fca41343

memory/2344-105-0x0000000004A00000-0x0000000004A3C000-memory.dmp

memory/2344-106-0x0000000004CB0000-0x0000000004CEA000-memory.dmp

memory/2344-108-0x0000000004CB0000-0x0000000004CE5000-memory.dmp

memory/2344-112-0x0000000004CB0000-0x0000000004CE5000-memory.dmp

memory/2344-110-0x0000000004CB0000-0x0000000004CE5000-memory.dmp

memory/2344-107-0x0000000004CB0000-0x0000000004CE5000-memory.dmp

memory/2344-899-0x000000000A290000-0x000000000A8A8000-memory.dmp

memory/2344-900-0x0000000009D10000-0x0000000009D22000-memory.dmp

memory/2344-901-0x0000000009D30000-0x0000000009E3A000-memory.dmp

memory/2344-902-0x0000000009E50000-0x0000000009E8C000-memory.dmp

memory/2344-903-0x0000000006D20000-0x0000000006D6C000-memory.dmp