Malware Analysis Report

2025-08-11 06:41

Sample ID 241109-ec8cbaxbkl
Target 9b002f8fa2ae9837746556b41e165ee691b4fe5190eba57ba5838c2094195e0e
SHA256 9b002f8fa2ae9837746556b41e165ee691b4fe5190eba57ba5838c2094195e0e
Tags healer redline discovery dropper evasion infostealer persistence trojan
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 10/10

SHA256 9b002f8fa2ae9837746556b41e165ee691b4fe5190eba57ba5838c2094195e0e

Threat Level: Known bad

The file 9b002f8fa2ae9837746556b41e165ee691b4fe5190eba57ba5838c2094195e0e was found to be: Known bad.

Malicious Activity Summary

healer redline discovery dropper evasion infostealer persistence trojan

Redline family

RedLine

Healer family

Modifies Windows Defender Real-time Protection settings

Detects Healer an antivirus disabler dropper

RedLine payload

Healer

Executes dropped EXE

Windows security modification

Loads dropped DLL

Adds Run key to start application

Program crash

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-11-09 03:48

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-11-09 03:48

Reported 2024-11-09 03:51

Platform win7-20240903-en

Max time kernel 142s

Max time network 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9b002f8fa2ae9837746556b41e165ee691b4fe5190eba57ba5838c2094195e0e.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\162451254.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\162451254.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\162451254.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\162451254.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\162451254.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\162451254.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Redline family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\162451254.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\162451254.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\9b002f8fa2ae9837746556b41e165ee691b4fe5190eba57ba5838c2094195e0e.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lF272076.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qD163070.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\162451254.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\272189732.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\9b002f8fa2ae9837746556b41e165ee691b4fe5190eba57ba5838c2094195e0e.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lF272076.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qD163070.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\162451254.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\162451254.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\162451254.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\272189732.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1016 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\9b002f8fa2ae9837746556b41e165ee691b4fe5190eba57ba5838c2094195e0e.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lF272076.exe
PID 2452 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lF272076.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qD163070.exe
PID 1712 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qD163070.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\162451254.exe
PID 1712 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qD163070.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\272189732.exe

Processes

C:\Users\Admin\AppData\Local\Temp\9b002f8fa2ae9837746556b41e165ee691b4fe5190eba57ba5838c2094195e0e.exe
  "C:\Users\Admin\AppData\Local\Temp\9b002f8fa2ae9837746556b41e165ee691b4fe5190eba57ba5838c2094195e0e.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lF272076.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lF272076.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qD163070.exe
  C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qD163070.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\162451254.exe
  C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\162451254.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\272189732.exe
  C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\272189732.exe

Network

Country Destination Domain Proto
RU 185.161.248.143:38452 tcp

Files

\Users\Admin\AppData\Local\Temp\IXP000.TMP\lF272076.exe

MD5 14f4eaa7ae2edf596ab5aa6259317026
SHA1 3cf20c0c6026b0ac23b17b49542a7c00f669ad82
SHA256 a502e76ab90fa397c80d0700c83ace1a300521b818c22d535ea0b115eadb63d8
SHA512 be6ec5e96f48f846369dff64261ef43420061b5a8d1d5969ba60ceaca8c1e72c664752d77d88b67cad935cd02a1cfe187eb2fd5cd5dd995e9d7f3eb0fc9ac6f9

\Users\Admin\AppData\Local\Temp\IXP001.TMP\qD163070.exe

MD5 f1f14512c243c673ed9d12b01b231c97
SHA1 9f459709c22bb68c003e059fa7c0748b36532f98
SHA256 9c2f308f4028ef90be0915e36b65aa516e610d536121048c598c833ee8dd7566
SHA512 d3440fe5279eae3cbfb8af837ea6f8917e630ac96ee0de66972f1a9ee54cd7e1fdb700cb5da10471ab762da16426a1deaccc38a9261989ff96485f828e01d300

\Users\Admin\AppData\Local\Temp\IXP002.TMP\162451254.exe

MD5 d8a23874a3620e74d09c39cfe54b852b
SHA1 48fc01f5c560a7863e9c4aef279a30ddb63f0378
SHA256 313d8545a08d26b195af8d1ef8227f35d84f2c6b868af382ec091e9c25ffba50
SHA512 d40f7e1512ed8d3e7125a69c6bce16675d14f965a0f4a4ad9d546c6110fc3026b377d346732d32e34850593ca728aa3528254430cd1a22d558248afb48027b6b

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\272189732.exe

MD5 73cb8f16cb86208e26b37812bb3a91e8
SHA1 acc61d785ca8f3aeaa557414cce48abafe8f6969
SHA256 78238405fadaa7fdf788eb336ae4d5592a516442967b2563e5fb7a18131f312c
SHA512 9a06bb7570cc84d0e7d1fb6f2570fa171bb2b20da61003d8630057ccf10a0dfe7486beeb3bc89107e5e1ba5acda02fbc0a1a52a060f46a4f3c49f9e1e2b00945

Analysis: behavioral2

Detonation Overview

Submitted 2024-11-09 03:48

Reported 2024-11-09 03:51

Platform win10v2004-20241007-en

Max time kernel 144s

Max time network 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9b002f8fa2ae9837746556b41e165ee691b4fe5190eba57ba5838c2094195e0e.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\162451254.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\162451254.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\162451254.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\162451254.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\162451254.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\162451254.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Redline family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\162451254.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\162451254.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qD163070.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\9b002f8fa2ae9837746556b41e165ee691b4fe5190eba57ba5838c2094195e0e.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lF272076.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\162451254.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\272189732.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\9b002f8fa2ae9837746556b41e165ee691b4fe5190eba57ba5838c2094195e0e.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lF272076.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qD163070.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\162451254.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\162451254.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\162451254.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\272189732.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2080 wrote to memory of 3692 N/A C:\Users\Admin\AppData\Local\Temp\9b002f8fa2ae9837746556b41e165ee691b4fe5190eba57ba5838c2094195e0e.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lF272076.exe
PID 3692 wrote to memory of 3972 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lF272076.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qD163070.exe
PID 3972 wrote to memory of 556 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qD163070.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\162451254.exe
PID 3972 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qD163070.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\272189732.exe

Processes

C:\Users\Admin\AppData\Local\Temp\9b002f8fa2ae9837746556b41e165ee691b4fe5190eba57ba5838c2094195e0e.exe
  "C:\Users\Admin\AppData\Local\Temp\9b002f8fa2ae9837746556b41e165ee691b4fe5190eba57ba5838c2094195e0e.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lF272076.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lF272076.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qD163070.exe
  C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qD163070.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\162451254.exe
  C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\162451254.exe

C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 556 -ip 556

C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 556 -s 1080

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\272189732.exe
  C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\272189732.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 185.161.248.143:38452 tcp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lF272076.exe

MD5 14f4eaa7ae2edf596ab5aa6259317026
SHA1 3cf20c0c6026b0ac23b17b49542a7c00f669ad82
SHA256 a502e76ab90fa397c80d0700c83ace1a300521b818c22d535ea0b115eadb63d8
SHA512 be6ec5e96f48f846369dff64261ef43420061b5a8d1d5969ba60ceaca8c1e72c664752d77d88b67cad935cd02a1cfe187eb2fd5cd5dd995e9d7f3eb0fc9ac6f9

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qD163070.exe

MD5 f1f14512c243c673ed9d12b01b231c97
SHA1 9f459709c22bb68c003e059fa7c0748b36532f98
SHA256 9c2f308f4028ef90be0915e36b65aa516e610d536121048c598c833ee8dd7566
SHA512 d3440fe5279eae3cbfb8af837ea6f8917e630ac96ee0de66972f1a9ee54cd7e1fdb700cb5da10471ab762da16426a1deaccc38a9261989ff96485f828e01d300

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\162451254.exe

MD5 d8a23874a3620e74d09c39cfe54b852b
SHA1 48fc01f5c560a7863e9c4aef279a30ddb63f0378
SHA256 313d8545a08d26b195af8d1ef8227f35d84f2c6b868af382ec091e9c25ffba50
SHA512 d40f7e1512ed8d3e7125a69c6bce16675d14f965a0f4a4ad9d546c6110fc3026b377d346732d32e34850593ca728aa3528254430cd1a22d558248afb48027b6b

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\272189732.exe

MD5 73cb8f16cb86208e26b37812bb3a91e8
SHA1 acc61d785ca8f3aeaa557414cce48abafe8f6969
SHA256 78238405fadaa7fdf788eb336ae4d5592a516442967b2563e5fb7a18131f312c
SHA512 9a06bb7570cc84d0e7d1fb6f2570fa171bb2b20da61003d8630057ccf10a0dfe7486beeb3bc89107e5e1ba5acda02fbc0a1a52a060f46a4f3c49f9e1e2b00945
