Malware Analysis Report

2025-01-23 07:33

Sample ID: 241104-q65dastkal
Target: 846e5cfac587c46e306b86d5dc9903e39e3dae5d7d264b912abcffb29bef08da
SHA256: 846e5cfac587c46e306b86d5dc9903e39e3dae5d7d264b912abcffb29bef08da
Tags: healer, redline, discovery, dropper, evasion, infostealer, persistence, trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score: 10/10
SHA256: 846e5cfac587c46e306b86d5dc9903e39e3dae5d7d264b912abcffb29bef08da
Threat Level: Known bad (the file 846e5cfac587c46e306b86d5dc9903e39e3dae5d7d264b912abcffb29bef08da was found to be: Known bad)

Malicious Activity Summary

Tags: healer, redline, discovery, dropper, evasion, infostealer, persistence, trojan

Read together, the two detonations (Windows 7 and Windows 10; per-run tables follow in the behavioral sections) show this chain:

- The submitted file is an unsigned PE that unpacks through three nested self-extractor stages. Each stage extracts the next into a new IXP00n.TMP directory under %TEMP% and registers a RunOnce value (wextract_cleanup0, wextract_cleanup1, wextract_cleanup2) that deletes that directory again: 846e5cfac587c46e306b86d5dc9903e39e3dae5d7d264b912abcffb29bef08da.exe -> IXP000.TMP\ut865216.exe -> IXP001.TMP\iY640225.exe -> IXP002.TMP\106888316.exe and IXP002.TMP\258768145.exe.
- 106888316.exe shows the Healer (antivirus disabler) behaviour: it creates the Windows Defender Real-Time Protection policy key and sets DisableRealtimeMonitoring, DisableBehaviorMonitoring, DisableIOAVProtection, DisableOnAccessProtection and DisableScanOnRealtimeEnable to 1, and writes TamperProtection = 0 under Windows Defender\Features. It enables SeDebugPrivilege and enumerates processes. On Windows 10 it crashed (WerFault.exe was launched for its PID), which is what the "Program crash" tag records.
- 258768145.exe is the other final-stage payload. The rendered tables do not attribute the RedLine YARA matches to a PID, but with 106888316.exe accounted for by Healer it is the process the RedLine / infostealer tags belong to. It also enables SeDebugPrivilege.
- The only network activity present in both runs, and the only activity at all in the Windows 7 run, is repeated TCP to 185.161.248.142:38452 (RU) with no preceding DNS lookup, i.e. a hard-coded command-and-control address. The bing.com and in-addr.arpa traffic in the Windows 10 run is absent from the Windows 7 run and is consistent with background activity of that image rather than the sample.
- The "Adds Run key" / persistence tag is raised by the self-extractor's RunOnce cleanup entries (rundll32.exe advpack.dll,DelNodeRunDLL32 <IXP00n.TMP>), which delete the extraction directories at the next logon. No autostart entry that would relaunch a payload was recorded.
- Every process in the chain, the three extractor stages included, opens HKLM\SYSTEM\ControlSet001\Control\NLS\Language (System Language Discovery).

Indicators from this report:

- Submitted sample: 846e5cfac587c46e306b86d5dc9903e39e3dae5d7d264b912abcffb29bef08da
- IXP000.TMP\ut865216.exe: 0376e92c9fdd3170bd6c4589d0ab56494bbef6ebb0c1ec8c2be1ea0c637281dc
- IXP001.TMP\iY640225.exe: 337c493481660ea88e0c92612f9caafff009cf7820f9fb84746b24ed2b64fff9
- IXP002.TMP\106888316.exe (Healer): dc2f6a4b3d395642bdd40c133807093078b2e6b7f4e683a878d63e258d58cb4b
- IXP002.TMP\258768145.exe: 1920e51f6e64752f4dd7474638b8d86c646e1b8cc4099415d2319d038fe1aff3
- C2: 185.161.248.142:38452/tcp

Signatures triggered (listed per run below): Detects Healer an antivirus disabler dropper; Healer; Healer family; RedLine; RedLine payload; Redline family; Modifies Windows Defender Real-time Protection settings; Windows security modification; Adds Run key to start application; System Location Discovery: System Language Discovery; Executes dropped EXE; Loads dropped DLL; Program crash; Unsigned PE; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory; Suspicious use of AdjustPrivilegeToken.

MITRE ATT&CK

Enterprise Matrix V15

Mapping derived from the signature names in this report:

T1562.001 Impair Defenses: Disable or Modify Tools - Modifies Windows Defender Real-time Protection settings; Windows security modification (TamperProtection = 0)
T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder - Adds Run key to start application (the RunOnce values here are the self-extractor's cleanup entries, see the behavioral sections)
T1614.001 System Location Discovery: System Language Discovery - NLS\Language key opened by every process in the chain
T1057 Process Discovery - Suspicious behavior: EnumeratesProcesses

Analysis: static1

Detonation Overview

Reported 2024-11-04 13:53

Signatures

Unsigned PE: the submitted file carries no Authenticode signature. No description, indicator, process or target columns were rendered for this signature.

Analysis: behavioral1

Detonation Overview

Submitted 2024-11-04 13:53
Reported 2024-11-04 13:55
Platform win7-20240903-en
Max time kernel 143s
Max time network 152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\846e5cfac587c46e306b86d5dc9903e39e3dae5d7d264b912abcffb29bef08da.exe"

Signatures

Detects Healer an antivirus disabler dropper

17 YARA matches; the description, indicator, process and target columns were not rendered in this export.

Healer (tags: dropper, healer)

Healer family (tags: healer)

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe N/A

Note: these are the Group Policy override values for Defender, not the user-facing preferences. While they exist, Defender reports real-time protection as managed by the administrator and the Windows Security toggle cannot switch it back on; remediation is to delete the values (or the whole Real-Time Protection policy key) and then confirm with Get-MpComputerStatus that RealTimeProtectionEnabled is True again. All five values are written by the same process, 106888316.exe; one process writing several of these values in succession is the pattern to alert on.

RedLine (tags: infostealer, redline)

RedLine payload

19 YARA matches; the description, indicator, process and target columns were not rendered in this export.

Redline family (tags: redline)

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe N/A

Note: on a current Windows 10/11 host with Tamper Protection enforced, Defender blocks changes to its real-time protection settings made from user mode and the Features\TamperProtection value itself is protected against such writes, so the sandbox recording the write as successful says only that the detonation image does not enforce it. The key is recorded under the 32-bit (Wow6432Node) view because 106888316.exe is a 32-bit process; when hunting, query both the native and the WOW6432Node path.

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\846e5cfac587c46e306b86d5dc9903e39e3dae5d7d264b912abcffb29bef08da.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ut865216.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iY640225.exe N/A

Note: the value names wextract_cleanup0..2, the IXP00n.TMP directories and the command rundll32.exe advpack.dll,DelNodeRunDLL32 <directory> are the standard behaviour of the IExpress self-extractor stub (wextract): each RunOnce entry deletes that stage's extraction directory at the next logon and relaunches nothing. The signature therefore documents three nested self-extracting layers rather than payload persistence; no autostart entry for 106888316.exe or 258768145.exe was recorded in either run.
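
The three registry tables above are what a responder has to classify by hand: which writes actually impair Defender, which are autostart persistence, and which are the extractor's housekeeping. The following Python is an added example written for this page, not part of the sandbox report or of any tool it names: it parses rows in the report's own layout, folds the WOW6432Node view into the native key path, and labels each write with a category and the matching ATT&CK technique. SAMPLE_ROWS copies rows from the tables above (submitted file name shortened, the DelNodeRunDLL32 argument replaced by <dir>) and adds one invented Run value for contrast; the category names, Finding and triage are this example's own.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed input in the report's "Description Indicator Process Target" row
# layout. The first five rows are copied from the tables above (submitted
# sample name shortened, DelNodeRunDLL32 argument elided); the last row is a
# made-up Run value, included to show how real autostart persistence differs.
SAMPLE_ROWS = r"""
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 <dir>" C:\Users\Admin\AppData\Local\Temp\846e5cfa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater = "C:\\Users\\Admin\\x.exe" C:\Users\Admin\x.exe N/A
"""

# "Set value (kind) <key>\<name> = "<value>" <process> <target>"
SET_RE = re.compile(
    r'^Set value \((?P<kind>int|str)\) (?P<key>\\REGISTRY\\.*)\\(?P<name>[^\\ ]+) = '
    r'"(?P<value>.*)" (?P<proc>\S+) (?P<target>\S+)$'
)
WOW_RE = re.compile(r'\\wow6432node', re.IGNORECASE)
HKLM_PREFIX = '\\REGISTRY\\MACHINE\\'

# Real-Time Protection policy values that disable a Defender component when 1.
RTP_VALUES = {
    'DisableRealtimeMonitoring', 'DisableBehaviorMonitoring', 'DisableIOAVProtection',
    'DisableOnAccessProtection', 'DisableScanOnRealtimeEnable',
}


@dataclass(frozen=True)
class Finding:
    category: str    # what the write means
    technique: str   # ATT&CK technique id, or "informational"
    process: str     # writing process as recorded by the sandbox
    key: str         # key as HKLM\..., with the WOW6432Node node removed
    name: str
    value: str
    wow64: bool      # True if the write went through the 32-bit registry view


def normalize_key(key: str):
    # \REGISTRY\MACHINE\X -> HKLM\X, then drop WOW6432Node so that 32-bit and
    # 64-bit writes to the same logical key compare equal.
    if key.upper().startswith(HKLM_PREFIX):
        key = 'HKLM\\' + key[len(HKLM_PREFIX):]
    return WOW_RE.sub('', key), bool(WOW_RE.search(key))


def classify(key: str, name: str, value: str, proc: str) -> Optional[Finding]:
    path, wow = normalize_key(key)
    low = path.lower()
    if (low.endswith(r'\windows defender\real-time protection')
            and name in RTP_VALUES and value == '1'):
        cat, tech = 'defender_rtp_disabled', 'T1562.001'
    elif (low.endswith(r'\windows defender\features')
            and name.lower() == 'tamperprotection' and value == '0'):
        cat, tech = 'defender_tamper_protection_off', 'T1562.001'
    elif (low.endswith(r'\currentversion\runonce')
            and name.lower().startswith('wextract_cleanup')
            and 'delnoderundll32' in value.lower()):
        cat, tech = 'wextract_cleanup_runonce', 'informational'   # IExpress housekeeping
    elif low.endswith((r'\currentversion\run', r'\currentversion\runonce')):
        cat, tech = 'run_key_autostart', 'T1547.001'
    else:
        return None
    return Finding(cat, tech, proc, path, name, value, wow)


def triage(rows: str) -> list:
    findings = []
    for line in rows.strip().splitlines():
        m = SET_RE.match(line.strip())
        if m:  # "Key created" rows carry no value and are skipped
            f = classify(m['key'], m['name'], m['value'], m['proc'])
            if f:
                findings.append(f)
    return findings


def summary(findings) -> dict:
    return dict(Counter(f.category for f in findings))


if __name__ == '__main__':
    found = triage(SAMPLE_ROWS)
    for f in found:
        print(f'{f.technique:10} {f.category:30} {f.name}={f.value}  ({f.process})')
    print(summary(found))
```

Run it as a script to print one line per finding; paste the rows of another report into SAMPLE_ROWS to see whether a sample's Run entries are real autostarts or only wextract cleanup.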

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\258768145.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\846e5cfac587c46e306b86d5dc9903e39e3dae5d7d264b912abcffb29bef08da.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ut865216.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iY640225.exe N/A

Note: all five processes open this key, the three self-extractor stages included, so on its own the read is as consistent with ordinary locale initialisation as with a deliberate region check. Treat it as a low-weight indicator.

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe N/A (2 rows)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\258768145.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 264 wrote to memory of 2472 (7 rows) N/A C:\Users\Admin\AppData\Local\Temp\846e5cfac587c46e306b86d5dc9903e39e3dae5d7d264b912abcffb29bef08da.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ut865216.exe
PID 2472 wrote to memory of 768 (7 rows) N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ut865216.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iY640225.exe
PID 768 wrote to memory of 1932 (7 rows) N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iY640225.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe
PID 768 wrote to memory of 2588 (7 rows) N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iY640225.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\258768145.exe

Each edge is one stage writing into the next stage it launched; no write targets a pre-existing or system process, which fits staged unpacking rather than injection into another application.

Processes

PIDs are taken from the WriteProcessMemory rows above; indentation shows the parent-child chain.

264   C:\Users\Admin\AppData\Local\Temp\846e5cfac587c46e306b86d5dc9903e39e3dae5d7d264b912abcffb29bef08da.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\846e5cfac587c46e306b86d5dc9903e39e3dae5d7d264b912abcffb29bef08da.exe"
  2472  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ut865216.exe
    768   C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iY640225.exe
      1932  C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe (Healer: Defender policy writes, SeDebugPrivilege, process enumeration)
      2588  C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\258768145.exe (SeDebugPrivilege)

Each dropped executable is launched with no command-line arguments.
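
The sandbox prints one row per WriteProcessMemory call and one line per process, which is why the two tables above repeat themselves. The following Python is an added example for this page, not code from the report or from the sandbox: it rebuilds the parent-child tree from rows in the report's format, collapses repeated writes into a per-edge count, attaches the dropped-file SHA256 values listed under Files, and checks whether any write landed in a process outside the drop directory (the injection case this sample does not show). SAMPLE_WRITES reproduces the 28 behavioral1 rows; build_tree, foreign_targets and render_tree are names chosen for this example.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

TMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = "846e5cfac587c46e306b86d5dc9903e39e3dae5d7d264b912abcffb29bef08da.exe"


def _path(*parts: str) -> str:
    return "\\".join((TMP,) + parts)


def _row(src: int, dst: int, src_img: str, dst_img: str) -> str:
    return f"PID {src} wrote to memory of {dst} N/A {src_img} {dst_img}"


# Constructed input: the 28 rows of the behavioral1 WriteProcessMemory table,
# each of the four edges repeated seven times exactly as the sandbox printed them.
SAMPLE_WRITES = "\n".join(
    [_row(264, 2472, _path(SAMPLE), _path("IXP000.TMP", "ut865216.exe"))] * 7
    + [_row(2472, 768, _path("IXP000.TMP", "ut865216.exe"), _path("IXP001.TMP", "iY640225.exe"))] * 7
    + [_row(768, 1932, _path("IXP001.TMP", "iY640225.exe"), _path("IXP002.TMP", "106888316.exe"))] * 7
    + [_row(768, 2588, _path("IXP001.TMP", "iY640225.exe"), _path("IXP002.TMP", "258768145.exe"))] * 7
)

# SHA256 of the dropped files, copied from the Files section of behavioral1.
DROPPED_SHA256 = {
    "ut865216.exe": "0376e92c9fdd3170bd6c4589d0ab56494bbef6ebb0c1ec8c2be1ea0c637281dc",
    "iY640225.exe": "337c493481660ea88e0c92612f9caafff009cf7820f9fb84746b24ed2b64fff9",
    "106888316.exe": "dc2f6a4b3d395642bdd40c133807093078b2e6b7f4e683a878d63e258d58cb4b",
    "258768145.exe": "1920e51f6e64752f4dd7474638b8d86c646e1b8cc4099415d2319d038fe1aff3",
}

WRITE_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) N/A (?P<src_img>\S+) (?P<dst_img>\S+)$"
)


@dataclass
class Proc:
    pid: int
    image: str
    parent: Optional[int] = None
    writes_from_parent: int = 0           # rows the sandbox logged for the parent->child edge
    children: list = field(default_factory=list)

    @property
    def name(self) -> str:
        return self.image.rsplit("\\", 1)[-1]


def build_tree(rows: str) -> dict:
    # Link each written-to PID under the first PID that wrote to it; later rows
    # for the same edge only raise the counter, so repeated rows collapse.
    procs = {}
    for line in rows.strip().splitlines():
        m = WRITE_RE.match(line.strip())
        if not m:
            continue
        src, dst = int(m["src"]), int(m["dst"])
        parent = procs.setdefault(src, Proc(src, m["src_img"]))
        child = procs.setdefault(dst, Proc(dst, m["dst_img"]))
        if child.parent is None:
            child.parent = src
            parent.children.append(child)
        if child.parent == src:
            child.writes_from_parent += 1
    return procs


def foreign_targets(procs: dict) -> list:
    # Written-to processes whose image is not under the user's Temp directory.
    # Empty for this sample: every write lands in a freshly dropped stage, not
    # in a pre-existing or system process.
    return [p for p in procs.values()
            if p.parent is not None and "\\appdata\\local\\temp\\" not in p.image.lower()]


def render_tree(procs: dict) -> list:
    lines = []

    def walk(p: Proc, depth: int) -> None:
        sha = DROPPED_SHA256.get(p.name)
        tag = f"[{p.writes_from_parent} writes from parent]" if p.parent is not None else "[root]"
        extra = f" sha256={sha[:16]}..." if sha else ""
        lines.append(f"{'  ' * depth}{p.pid} {p.name} {tag}{extra}")
        for c in p.children:
            walk(c, depth + 1)

    for root in [p for p in procs.values() if p.parent is None]:
        walk(root, 0)
    return lines


if __name__ == "__main__":
    tree = build_tree(SAMPLE_WRITES)
    print("\n".join(render_tree(tree)))
    print("writes into non-dropped processes:", [p.pid for p in foreign_targets(tree)])
```

A non-empty result from foreign_targets is the case worth escalating: a stage writing into a process it did not drop (a browser, explorer.exe, a system service) is injection, not unpacking.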

Network

Country Destination Domain Proto
RU 185.161.248.142:38452 (no domain) tcp - 7 connections

No DNS traffic at all in this run: the sample connects straight to a hard-coded IP on a non-standard port, which is the C2 indicator to block and hunt for.

Files

memory/264-0-0x0000000000310000-0x00000000003E4000-memory.dmp

memory/264-1-0x0000000000310000-0x00000000003E4000-memory.dmp

memory/264-2-0x0000000002E40000-0x0000000002F1D000-memory.dmp

memory/264-3-0x0000000000400000-0x00000000004E1000-memory.dmp

\Users\Admin\AppData\Local\Temp\IXP000.TMP\ut865216.exe

MD5 d65c8e9f391cf20655232c5c987b746f
SHA1 bfce684cea9f3ad1f8319e3dd581f58ec22df410
SHA256 0376e92c9fdd3170bd6c4589d0ab56494bbef6ebb0c1ec8c2be1ea0c637281dc
SHA512 226c17e238df5c15eb0a90d5e6922f131e45daa44bee1d7dffe934068cb0db54e03fb23d45826e6daf21f5251bc1cfa65948f19dc45c4c9099376f724e342597

\Users\Admin\AppData\Local\Temp\IXP001.TMP\iY640225.exe

MD5 79bb8aa7f82a94ba01dc4b70c63957e0
SHA1 535a7c0407de96fdce4bf3017f07b4333e9acc01
SHA256 337c493481660ea88e0c92612f9caafff009cf7820f9fb84746b24ed2b64fff9
SHA512 c7adba7203490aee60aa1b678632df1b1b168f47810bc927978f9b8b7e8ace467446c58f8ae85f3f5bbd3fa4cbae2ace32f67b893c02282de618878b98b50139

\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe

MD5 e1b364b4b96ca742b39a069ca1390a0b
SHA1 970e15712c7b43117b2144d2dbf2aed590fff249
SHA256 dc2f6a4b3d395642bdd40c133807093078b2e6b7f4e683a878d63e258d58cb4b
SHA512 4b48624e84da9949c79e3116f9327cd1f1cd1a68cf495db1c7203db470fc668afca3f48674fc47244e6d6e9157a0d3adaa22183a20470a57df1c5f4a31f8573d

memory/1932-38-0x00000000045D0000-0x00000000045EA000-memory.dmp

memory/1932-39-0x0000000004C10000-0x0000000004C28000-memory.dmp

memory/1932-45-0x0000000004C10000-0x0000000004C22000-memory.dmp

memory/1932-67-0x0000000004C10000-0x0000000004C22000-memory.dmp

memory/1932-63-0x0000000004C10000-0x0000000004C22000-memory.dmp

memory/1932-61-0x0000000004C10000-0x0000000004C22000-memory.dmp

memory/1932-59-0x0000000004C10000-0x0000000004C22000-memory.dmp

memory/1932-57-0x0000000004C10000-0x0000000004C22000-memory.dmp

memory/1932-53-0x0000000004C10000-0x0000000004C22000-memory.dmp

memory/1932-51-0x0000000004C10000-0x0000000004C22000-memory.dmp

memory/1932-49-0x0000000004C10000-0x0000000004C22000-memory.dmp

memory/1932-47-0x0000000004C10000-0x0000000004C22000-memory.dmp

memory/1932-44-0x0000000004C10000-0x0000000004C22000-memory.dmp

memory/1932-41-0x0000000004C10000-0x0000000004C22000-memory.dmp

memory/1932-65-0x0000000004C10000-0x0000000004C22000-memory.dmp

memory/1932-55-0x0000000004C10000-0x0000000004C22000-memory.dmp

memory/1932-40-0x0000000004C10000-0x0000000004C22000-memory.dmp

memory/264-68-0x0000000000310000-0x00000000003E4000-memory.dmp

memory/264-69-0x0000000002E40000-0x0000000002F1D000-memory.dmp

memory/264-71-0x0000000000400000-0x00000000004E1000-memory.dmp

memory/264-70-0x0000000000400000-0x0000000002C64000-memory.dmp

memory/1932-72-0x0000000000400000-0x0000000002BAF000-memory.dmp

\Users\Admin\AppData\Local\Temp\IXP002.TMP\258768145.exe

MD5 848ce28183931ae67c8a0d8ce3a1efc3
SHA1 a39582bf82be42b8cf83b0015130273ab0e51c90
SHA256 1920e51f6e64752f4dd7474638b8d86c646e1b8cc4099415d2319d038fe1aff3
SHA512 430e793cac623274f0082eaec2377e946d9238f394837272ea4237ef305a00b3db28c081d6c82d2fbcadab0dc5a11769ebd9423e9129279a91ffe4b7aeae4b1d

memory/1932-73-0x0000000000400000-0x0000000002BAF000-memory.dmp

memory/2588-84-0x0000000004B40000-0x0000000004B7C000-memory.dmp

memory/2588-85-0x0000000004DA0000-0x0000000004DDA000-memory.dmp

memory/2588-99-0x0000000004DA0000-0x0000000004DD5000-memory.dmp

memory/2588-103-0x0000000004DA0000-0x0000000004DD5000-memory.dmp

memory/2588-111-0x0000000004DA0000-0x0000000004DD5000-memory.dmp

memory/2588-117-0x0000000004DA0000-0x0000000004DD5000-memory.dmp

memory/2588-115-0x0000000004DA0000-0x0000000004DD5000-memory.dmp

memory/2588-113-0x0000000004DA0000-0x0000000004DD5000-memory.dmp

memory/2588-109-0x0000000004DA0000-0x0000000004DD5000-memory.dmp

memory/2588-107-0x0000000004DA0000-0x0000000004DD5000-memory.dmp

memory/2588-105-0x0000000004DA0000-0x0000000004DD5000-memory.dmp

memory/2588-101-0x0000000004DA0000-0x0000000004DD5000-memory.dmp

memory/2588-97-0x0000000004DA0000-0x0000000004DD5000-memory.dmp

memory/2588-95-0x0000000004DA0000-0x0000000004DD5000-memory.dmp

memory/2588-93-0x0000000004DA0000-0x0000000004DD5000-memory.dmp

memory/2588-91-0x0000000004DA0000-0x0000000004DD5000-memory.dmp

memory/2588-89-0x0000000004DA0000-0x0000000004DD5000-memory.dmp

memory/2588-87-0x0000000004DA0000-0x0000000004DD5000-memory.dmp

memory/2588-86-0x0000000004DA0000-0x0000000004DD5000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2024-11-04 13:53
Reported 2024-11-04 13:55
Platform win10v2004-20241007-en
Max time kernel 149s
Max time network 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\846e5cfac587c46e306b86d5dc9903e39e3dae5d7d264b912abcffb29bef08da.exe"

Signatures

Detects Healer an antivirus disabler dropper

17 YARA matches; the description, indicator, process and target columns were not rendered in this export.

Healer (tags: dropper, healer)

Healer family (tags: healer)

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe N/A

The same five values as in the Windows 7 run, here recorded under the WOW6432Node view of the Policies key; a detection rule should match the value names regardless of which view the write is logged in.

RedLine (tags: infostealer, redline)

RedLine payload

20 YARA matches; the description, indicator, process and target columns were not rendered in this export.

Redline family (tags: redline)

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\846e5cfac587c46e306b86d5dc9903e39e3dae5d7d264b912abcffb29bef08da.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ut865216.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iY640225.exe N/A

As in the Windows 7 run, these are the IExpress self-extractor's RunOnce cleanup entries (DelNodeRunDLL32 deletes the IXP00n.TMP directory at the next logon), not persistence for either payload.

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\258768145.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\846e5cfac587c46e306b86d5dc9903e39e3dae5d7d264b912abcffb29bef08da.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ut865216.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iY640225.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe N/A (2 rows)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\258768145.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3276 wrote to memory of 4076 (3 rows) N/A C:\Users\Admin\AppData\Local\Temp\846e5cfac587c46e306b86d5dc9903e39e3dae5d7d264b912abcffb29bef08da.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ut865216.exe
PID 4076 wrote to memory of 2280 (3 rows) N/A C:\Users\Admin\AppData\Local\Temp\IXP000.T

MP\ut865216.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iY640225.exe
PID 2280 wrote to memory of 2524 (3 rows) N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iY640225.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe
PID 2280 wrote to memory of 3824 (3 rows) N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iY640225.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\258768145.exe

Same chain as on Windows 7, with different PIDs; every write again goes from a stage into the next stage it launched.

Processes

PIDs are taken from the WriteProcessMemory rows above; indentation shows the parent-child chain.

3276  C:\Users\Admin\AppData\Local\Temp\846e5cfac587c46e306b86d5dc9903e39e3dae5d7d264b912abcffb29bef08da.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\846e5cfac587c46e306b86d5dc9903e39e3dae5d7d264b912abcffb29bef08da.exe"
  4076  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ut865216.exe
    2280  C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iY640225.exe
      2524  C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe (Healer; crashed, see WerFault below)
      3824  C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\258768145.exe

Windows Error Reporting instances recorded for the crash of PID 2524:

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2524 -ip 2524
C:\Windows\SysWOW64\WerFault.exe -u -p 2524 -s 1080

The SysWOW64 WerFault.exe confirms that 106888316.exe is a 32-bit process (hence the Wow6432Node registry paths above). Each dropped executable is launched with no command-line arguments.

Network

Rows grouped by destination (the export lists them in capture order).

Country Destination Domain Proto
RU 185.161.248.142:38452 (no domain) tcp - 7 connections, no preceding DNS lookup
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp - 5 connections
US 8.8.8.8:53 <ip>.in-addr.arpa udp - 12 reverse lookups (217.106.137.52, 88.210.23.2, 95.221.229.192, 88.156.103.20, 209.205.72.20, 53.210.109.20, 198.187.3.20, 107.12.20.2, 43.58.199.20, 83.210.23.2, 30.243.111.52, 10.173.189.20)

Only the 185.161.248.142:38452 connections are attributable to the sample: they are also the sole traffic in the Windows 7 run. The bing.com/bing.net sessions and the reverse lookups against 8.8.8.8 are absent there and are consistent with background activity of the Windows 10 image.
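
A sandbox network table mixes the image's own traffic with the sample's, and only the latter belongs in a blocklist. The following Python is an added example for this page, not part of the report: it applies the rule used above to rows in the report's format, namely that TCP to a bare IP with no name resolution is the C2 candidate, resolver traffic is judged by the queried name, and known image domains are noise. SAMPLE_NET is a subset of the behavioral2 rows above; BACKGROUND_SUFFIXES and the function names are assumptions of this example, and the suffix list should be replaced by a baseline taken from a clean run of the same image.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed input in the report's "Country Destination Domain Proto" layout:
# a representative subset of the behavioral2 rows above.
SAMPLE_NET = """
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
RU 185.161.248.142:38452 tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
RU 185.161.248.142:38452 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
RU 185.161.248.142:38452 tcp
"""

# Names the detonation image contacts on its own. An assumption of this example;
# build the real list from a clean baseline run of the same image.
BACKGROUND_SUFFIXES = (".bing.com", ".bing.net", ".microsoft.com", ".windowsupdate.com")

# "CC ip:port [domain] proto"; the domain column is empty for direct-IP flows.
ROW_RE = re.compile(
    r"^(?P<cc>[A-Z]{2}) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)"
    r"(?: (?P<domain>\S+))? (?P<proto>tcp|udp)$"
)


@dataclass(frozen=True)
class Flow:
    country: str
    ip: str
    port: int
    domain: Optional[str]   # None when the sandbox saw no name for the destination
    proto: str


def parse_flows(rows: str) -> list:
    flows = []
    for line in rows.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            flows.append(Flow(m["cc"], m["ip"], int(m["port"]), m["domain"], m["proto"]))
    return flows


def classify_flow(f: Flow) -> str:
    if f.proto == "udp" and f.port == 53:
        return "dns_query"      # resolver traffic: judge the queried name, not 8.8.8.8
    if f.domain is None:
        return "direct_ip"      # no resolution at all: the address is hard-coded
    if f.domain.lower().endswith(BACKGROUND_SUFFIXES):
        return "background"     # image noise by domain suffix
    return "resolved"           # named destination not on the noise list: review


def c2_candidates(flows) -> dict:
    # Direct-to-IP TCP endpoints with hit counts. The sort key puts non-standard
    # ports first: a bare IP on 38452 deserves more suspicion than one on 443.
    counts = Counter(f"{f.ip}:{f.port}" for f in flows
                     if classify_flow(f) == "direct_ip" and f.proto == "tcp")
    return dict(sorted(counts.items(), key=lambda kv: (kv[0].endswith((":80", ":443")), kv[0])))


def queried_names(flows) -> list:
    # Forward lookups only; PTR (in-addr.arpa) lookups name no new destination.
    return sorted({f.domain for f in flows
                   if classify_flow(f) == "dns_query" and f.domain
                   and not f.domain.endswith(".in-addr.arpa")})


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_NET)
    print("C2 candidates:", c2_candidates(flows))
    print("forward DNS names:", queried_names(flows))
    print("background flows:", sum(classify_flow(f) == "background" for f in flows))
```

Anything left in the "resolved" class after the baseline suffixes are applied is what to look at next; for this sample that class is empty and the single direct-IP endpoint is the IOC.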

Files

memory/3276-2-0x0000000004960000-0x0000000004A3D000-memory.dmp

memory/3276-1-0x0000000004880000-0x0000000004960000-memory.dmp

memory/3276-3-0x0000000000400000-0x00000000004E1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ut865216.exe

MD5 d65c8e9f391cf20655232c5c987b746f
SHA1 bfce684cea9f3ad1f8319e3dd581f58ec22df410
SHA256 0376e92c9fdd3170bd6c4589d0ab56494bbef6ebb0c1ec8c2be1ea0c637281dc
SHA512 226c17e238df5c15eb0a90d5e6922f131e45daa44bee1d7dffe934068cb0db54e03fb23d45826e6daf21f5251bc1cfa65948f19dc45c4c9099376f724e342597

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iY640225.exe

MD5 79bb8aa7f82a94ba01dc4b70c63957e0
SHA1 535a7c0407de96fdce4bf3017f07b4333e9acc01
SHA256 337c493481660ea88e0c92612f9caafff009cf7820f9fb84746b24ed2b64fff9
SHA512 c7adba7203490aee60aa1b678632df1b1b168f47810bc927978f9b8b7e8ace467446c58f8ae85f3f5bbd3fa4cbae2ace32f67b893c02282de618878b98b50139

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe

MD5 e1b364b4b96ca742b39a069ca1390a0b
SHA1 970e15712c7b43117b2144d2dbf2aed590fff249
SHA256 dc2f6a4b3d395642bdd40c133807093078b2e6b7f4e683a878d63e258d58cb4b
SHA512 4b48624e84da9949c79e3116f9327cd1f1cd1a68cf495db1c7203db470fc668afca3f48674fc47244e6d6e9157a0d3adaa22183a20470a57df1c5f4a31f8573d

memory/2524-26-0x0000000004A50000-0x0000000004A6A000-memory.dmp

memory/2524-27-0x0000000007300000-0x00000000078A4000-memory.dmp

memory/2524-28-0x0000000004AE0000-0x0000000004AF8000-memory.dmp

memory/2524-56-0x0000000004AE0000-0x0000000004AF2000-memory.dmp

memory/2524-54-0x0000000004AE0000-0x0000000004AF2000-memory.dmp

memory/2524-52-0x0000000004AE0000-0x0000000004AF2000-memory.dmp

memory/2524-50-0x0000000004AE0000-0x0000000004AF2000-memory.dmp

memory/2524-48-0x0000000004AE0000-0x0000000004AF2000-memory.dmp

memory/2524-46-0x0000000004AE0000-0x0000000004AF2000-memory.dmp

memory/2524-44-0x0000000004AE0000-0x0000000004AF2000-memory.dmp

memory/2524-42-0x0000000004AE0000-0x0000000004AF2000-memory.dmp

memory/2524-40-0x0000000004AE0000-0x0000000004AF2000-memory.dmp

memory/2524-38-0x0000000004AE0000-0x0000000004AF2000-memory.dmp

memory/2524-36-0x0000000004AE0000-0x0000000004AF2000-memory.dmp

memory/2524-34-0x0000000004AE0000-0x0000000004AF2000-memory.dmp

memory/2524-32-0x0000000004AE0000-0x0000000004AF2000-memory.dmp

memory/2524-30-0x0000000004AE0000-0x0000000004AF2000-memory.dmp

memory/2524-29-0x0000000004AE0000-0x0000000004AF2000-memory.dmp

memory/3276-57-0x0000000004880000-0x0000000004960000-memory.dmp

memory/3276-59-0x0000000004960000-0x0000000004A3D000-memory.dmp

memory/3276-58-0x0000000000400000-0x0000000002C64000-memory.dmp

memory/3276-60-0x0000000000400000-0x00000000004E1000-memory.dmp

memory/2524-61-0x0000000000400000-0x0000000002BAF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\258768145.exe

MD5 848ce28183931ae67c8a0d8ce3a1efc3
SHA1 a39582bf82be42b8cf83b0015130273ab0e51c90
SHA256 1920e51f6e64752f4dd7474638b8d86c646e1b8cc4099415d2319d038fe1aff3
SHA512 430e793cac623274f0082eaec2377e946d9238f394837272ea4237ef305a00b3db28c081d6c82d2fbcadab0dc5a11769ebd9423e9129279a91ffe4b7aeae4b1d

memory/2524-63-0x0000000000400000-0x0000000002BAF000-memory.dmp

memory/3824-68-0x0000000007140000-0x000000000717C000-memory.dmp

memory/3824-69-0x00000000071C0000-0x00000000071FA000-memory.dmp

memory/3824-89-0x00000000071C0000-0x00000000071F5000-memory.dmp

memory/3824-79-0x00000000071C0000-0x00000000071F5000-memory.dmp

memory/3824-75-0x00000000071C0000-0x00000000071F5000-memory.dmp

memory/3824-73-0x00000000071C0000-0x00000000071F5000-memory.dmp

memory/3824-71-0x00000000071C0000-0x00000000071F5000-memory.dmp

memory/3824-70-0x00000000071C0000-0x00000000071F5000-memory.dmp

memory/3824-103-0x00000000071C0000-0x00000000071F5000-memory.dmp

memory/3824-101-0x00000000071C0000-0x00000000071F5000-memory.dmp

memory/3824-100-0x00000000071C0000-0x00000000071F5000-memory.dmp

memory/3824-97-0x00000000071C0000-0x00000000071F5000-memory.dmp

memory/3824-96-0x00000000071C0000-0x00000000071F5000-memory.dmp

memory/3824-93-0x00000000071C0000-0x00000000071F5000-memory.dmp

memory/3824-91-0x00000000071C0000-0x00000000071F5000-memory.dmp

memory/3824-87-0x00000000071C0000-0x00000000071F5000-memory.dmp

memory/3824-85-0x00000000071C0000-0x00000000071F5000-memory.dmp

memory/3824-83-0x00000000071C0000-0x00000000071F5000-memory.dmp

memory/3824-81-0x00000000071C0000-0x00000000071F5000-memory.dmp

memory/3824-77-0x00000000071C0000-0x00000000071F5000-memory.dmp

memory/3824-862-0x0000000009CF0000-0x000000000A308000-memory.dmp

memory/3824-863-0x000000000A350000-0x000000000A362000-memory.dmp

memory/3824-864-0x000000000A370000-0x000000000A47A000-memory.dmp

memory/3824-865-0x000000000A490000-0x000000000A4CC000-memory.dmp

memory/3824-866-0x0000000004B40000-0x0000000004B8C000-memory.dmp