Malware Analysis Report

2025-01-23 07:38

Sample ID 241104-q8sghs1akg
Target 846e5cfac587c46e306b86d5dc9903e39e3dae5d7d264b912abcffb29bef08da
SHA256 846e5cfac587c46e306b86d5dc9903e39e3dae5d7d264b912abcffb29bef08da
Tags
healer redline discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

846e5cfac587c46e306b86d5dc9903e39e3dae5d7d264b912abcffb29bef08da

Threat Level: Known bad

The file 846e5cfac587c46e306b86d5dc9903e39e3dae5d7d264b912abcffb29bef08da was found to be: Known bad.

Malicious Activity Summary

healer redline discovery dropper evasion infostealer persistence trojan

RedLine payload

Healer family

RedLine

Redline family

Healer

Detects Healer an antivirus disabler dropper

Modifies Windows Defender Real-time Protection settings

Executes dropped EXE

Windows security modification

Loads dropped DLL

Adds Run key to start application

Program crash

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-04 13:56

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-04 13:56

Reported

2024-11-04 13:58

Platform

win7-20240903-en

Max time kernel

142s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\846e5cfac587c46e306b86d5dc9903e39e3dae5d7d264b912abcffb29bef08da.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (17 matches, no details recorded)

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe | N/A

RedLine

infostealer redline

RedLine payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (19 matches, no details recorded)

Redline family

redline

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iY640225.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\846e5cfac587c46e306b86d5dc9903e39e3dae5d7d264b912abcffb29bef08da.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ut865216.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\846e5cfac587c46e306b86d5dc9903e39e3dae5d7d264b912abcffb29bef08da.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ut865216.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iY640225.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\258768145.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A (2 events) | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\258768145.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1836 wrote to memory of 600 (7 events) | N/A | C:\Users\Admin\AppData\Local\Temp\846e5cfac587c46e306b86d5dc9903e39e3dae5d7d264b912abcffb29bef08da.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ut865216.exe
PID 600 wrote to memory of 2464 (7 events) | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ut865216.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iY640225.exe
PID 2464 wrote to memory of 1740 (7 events) | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iY640225.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe
PID 2464 wrote to memory of 2516 (7 events) | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iY640225.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\258768145.exe

Processes

Process: C:\Users\Admin\AppData\Local\Temp\846e5cfac587c46e306b86d5dc9903e39e3dae5d7d264b912abcffb29bef08da.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\846e5cfac587c46e306b86d5dc9903e39e3dae5d7d264b912abcffb29bef08da.exe"

Process: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ut865216.exe
Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ut865216.exe

Process: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iY640225.exe
Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iY640225.exe

Process: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe
Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe

Process: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\258768145.exe
Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\258768145.exe

Network

Country | Destination | Domain | Proto
RU | 185.161.248.142:38452 | | tcp

The connection to 185.161.248.142:38452 was recorded 7 times.

Files

\Users\Admin\AppData\Local\Temp\IXP000.TMP\ut865216.exe

MD5 d65c8e9f391cf20655232c5c987b746f
SHA1 bfce684cea9f3ad1f8319e3dd581f58ec22df410
SHA256 0376e92c9fdd3170bd6c4589d0ab56494bbef6ebb0c1ec8c2be1ea0c637281dc
SHA512 226c17e238df5c15eb0a90d5e6922f131e45daa44bee1d7dffe934068cb0db54e03fb23d45826e6daf21f5251bc1cfa65948f19dc45c4c9099376f724e342597

\Users\Admin\AppData\Local\Temp\IXP001.TMP\iY640225.exe

MD5 79bb8aa7f82a94ba01dc4b70c63957e0
SHA1 535a7c0407de96fdce4bf3017f07b4333e9acc01
SHA256 337c493481660ea88e0c92612f9caafff009cf7820f9fb84746b24ed2b64fff9
SHA512 c7adba7203490aee60aa1b678632df1b1b168f47810bc927978f9b8b7e8ace467446c58f8ae85f3f5bbd3fa4cbae2ace32f67b893c02282de618878b98b50139

\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe

MD5 e1b364b4b96ca742b39a069ca1390a0b
SHA1 970e15712c7b43117b2144d2dbf2aed590fff249
SHA256 dc2f6a4b3d395642bdd40c133807093078b2e6b7f4e683a878d63e258d58cb4b
SHA512 4b48624e84da9949c79e3116f9327cd1f1cd1a68cf495db1c7203db470fc668afca3f48674fc47244e6d6e9157a0d3adaa22183a20470a57df1c5f4a31f8573d

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\258768145.exe

MD5 848ce28183931ae67c8a0d8ce3a1efc3
SHA1 a39582bf82be42b8cf83b0015130273ab0e51c90
SHA256 1920e51f6e64752f4dd7474638b8d86c646e1b8cc4099415d2319d038fe1aff3
SHA512 430e793cac623274f0082eaec2377e946d9238f394837272ea4237ef305a00b3db28c081d6c82d2fbcadab0dc5a11769ebd9423e9129279a91ffe4b7aeae4b1d

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-04 13:56

Reported

2024-11-04 13:58

Platform

win10v2004-20241007-en

Max time kernel

144s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\846e5cfac587c46e306b86d5dc9903e39e3dae5d7d264b912abcffb29bef08da.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (17 matches, no details recorded)

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe | N/A

RedLine

infostealer redline

RedLine payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (19 matches, no details recorded)

Redline family

redline

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ut865216.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iY640225.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\846e5cfac587c46e306b86d5dc9903e39e3dae5d7d264b912abcffb29bef08da.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ut865216.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iY640225.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\258768145.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\846e5cfac587c46e306b86d5dc9903e39e3dae5d7d264b912abcffb29bef08da.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A (2 events) | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\258768145.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4788 wrote to memory of 3148 (3 events) | N/A | C:\Users\Admin\AppData\Local\Temp\846e5cfac587c46e306b86d5dc9903e39e3dae5d7d264b912abcffb29bef08da.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ut865216.exe
PID 3148 wrote to memory of 8 (3 events) | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ut865216.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iY640225.exe
PID 8 wrote to memory of 2284 (3 events) | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iY640225.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe
PID 8 wrote to memory of 3272 (3 events) | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iY640225.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\258768145.exe

Processes

Process: C:\Users\Admin\AppData\Local\Temp\846e5cfac587c46e306b86d5dc9903e39e3dae5d7d264b912abcffb29bef08da.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\846e5cfac587c46e306b86d5dc9903e39e3dae5d7d264b912abcffb29bef08da.exe"

Process: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ut865216.exe
Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ut865216.exe

Process: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iY640225.exe
Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iY640225.exe

Process: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe
Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe

Process: C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2284 -ip 2284

Process: C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2284 -s 1080

Process: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\258768145.exe
Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\258768145.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | g.bing.com | udp
US | 150.171.28.10:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp
RU | 185.161.248.142:38452 | | tcp
US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 107.12.20.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp

The connection to 185.161.248.142:38452 was recorded 7 times and the connection to 150.171.28.10:443 (tse1.mm.bing.net) 5 times; duplicate rows are collapsed above.

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ut865216.exe

MD5 d65c8e9f391cf20655232c5c987b746f
SHA1 bfce684cea9f3ad1f8319e3dd581f58ec22df410
SHA256 0376e92c9fdd3170bd6c4589d0ab56494bbef6ebb0c1ec8c2be1ea0c637281dc
SHA512 226c17e238df5c15eb0a90d5e6922f131e45daa44bee1d7dffe934068cb0db54e03fb23d45826e6daf21f5251bc1cfa65948f19dc45c4c9099376f724e342597

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iY640225.exe

MD5 79bb8aa7f82a94ba01dc4b70c63957e0
SHA1 535a7c0407de96fdce4bf3017f07b4333e9acc01
SHA256 337c493481660ea88e0c92612f9caafff009cf7820f9fb84746b24ed2b64fff9
SHA512 c7adba7203490aee60aa1b678632df1b1b168f47810bc927978f9b8b7e8ace467446c58f8ae85f3f5bbd3fa4cbae2ace32f67b893c02282de618878b98b50139

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe

MD5 e1b364b4b96ca742b39a069ca1390a0b
SHA1 970e15712c7b43117b2144d2dbf2aed590fff249
SHA256 dc2f6a4b3d395642bdd40c133807093078b2e6b7f4e683a878d63e258d58cb4b
SHA512 4b48624e84da9949c79e3116f9327cd1f1cd1a68cf495db1c7203db470fc668afca3f48674fc47244e6d6e9157a0d3adaa22183a20470a57df1c5f4a31f8573d

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\258768145.exe

MD5 848ce28183931ae67c8a0d8ce3a1efc3
SHA1 a39582bf82be42b8cf83b0015130273ab0e51c90
SHA256 1920e51f6e64752f4dd7474638b8d86c646e1b8cc4099415d2319d038fe1aff3
SHA512 430e793cac623274f0082eaec2377e946d9238f394837272ea4237ef305a00b3db28c081d6c82d2fbcadab0dc5a11769ebd9423e9129279a91ffe4b7aeae4b1d
