Malware Analysis Report

2025-08-10 13:16

Sample ID 241109-eh7yqszlfk
Target 2e693b82fba2e08529c89f27c20c2af6ea8ad7499ba13e7b4d515f3aa3f7ec91
SHA256 2e693b82fba2e08529c89f27c20c2af6ea8ad7499ba13e7b4d515f3aa3f7ec91
Tags
healer redline discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2e693b82fba2e08529c89f27c20c2af6ea8ad7499ba13e7b4d515f3aa3f7ec91

Threat Level: Known bad

The file 2e693b82fba2e08529c89f27c20c2af6ea8ad7499ba13e7b4d515f3aa3f7ec91 was found to be: Known bad.

Malicious Activity Summary

healer redline discovery dropper evasion infostealer persistence trojan

RedLine

Modifies Windows Defender Real-time Protection settings

Detects Healer an antivirus disabler dropper

RedLine payload

Healer family

Healer

Redline family

Executes dropped EXE

Windows security modification

Loads dropped DLL

Adds Run key to start application

System Location Discovery: System Language Discovery

Unsigned PE

Program crash

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 03:57

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 03:57

Reported

2024-11-09 04:00

Platform

win7-20241023-en

Max time kernel

142s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2e693b82fba2e08529c89f27c20c2af6ea8ad7499ba13e7b4d515f3aa3f7ec91.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A (×17 identical rows)

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\150960642.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\150960642.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\150960642.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\150960642.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\150960642.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\150960642.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A (×19 identical rows)

Redline family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\150960642.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\150960642.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\2e693b82fba2e08529c89f27c20c2af6ea8ad7499ba13e7b4d515f3aa3f7ec91.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xW437664.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\be231436.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2e693b82fba2e08529c89f27c20c2af6ea8ad7499ba13e7b4d515f3aa3f7ec91.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xW437664.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\be231436.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\150960642.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\211336502.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\150960642.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\150960642.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\150960642.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\211336502.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 772 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\2e693b82fba2e08529c89f27c20c2af6ea8ad7499ba13e7b4d515f3aa3f7ec91.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xW437664.exe (×7 identical rows)
PID 2484 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xW437664.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\be231436.exe (×7 identical rows)
PID 3056 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\be231436.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\150960642.exe (×7 identical rows)
PID 3056 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\be231436.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\211336502.exe (×7 identical rows)

Processes

C:\Users\Admin\AppData\Local\Temp\2e693b82fba2e08529c89f27c20c2af6ea8ad7499ba13e7b4d515f3aa3f7ec91.exe

"C:\Users\Admin\AppData\Local\Temp\2e693b82fba2e08529c89f27c20c2af6ea8ad7499ba13e7b4d515f3aa3f7ec91.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xW437664.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xW437664.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\be231436.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\be231436.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\150960642.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\150960642.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\211336502.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\211336502.exe

Network

Country Destination Domain Proto
RU 185.161.248.143:38452 N/A tcp (×7 identical rows)

Files

memory/772-0-0x0000000002130000-0x000000000222C000-memory.dmp

memory/772-2-0x0000000002230000-0x0000000002336000-memory.dmp

memory/772-1-0x0000000002130000-0x000000000222C000-memory.dmp

memory/772-3-0x0000000000400000-0x0000000000509000-memory.dmp

\Users\Admin\AppData\Local\Temp\IXP000.TMP\xW437664.exe

MD5 f06e39167486fc96f3eeb3ac7407b38b
SHA1 f330a5b7b428a395615b8f95c30107e1ab039b7e
SHA256 39a59c9411b604de582b4d0defd8af49451ed7bb019e4eb8bf66fee6250edcd8
SHA512 4b97f8d7443c6a4b193940f31673283e11b0751fd2594d5485ee1f26985651d3e32bd7cde6ade4150c804aa5c79faaffdbf5cf51ac7a4b0b3c592e3aa13c6048

\Users\Admin\AppData\Local\Temp\IXP001.TMP\be231436.exe

MD5 b5d38b0b9fec4b6c942b149c0e893bbd
SHA1 2707e6fac8b5cf387d9fdcc489c9e9f3116c5ee0
SHA256 dfb7f1f7c6de8988f69b12dbcc4c9bf2ddb8ddaec696fe86a0be556ca94daadd
SHA512 4cbc1419c027daf6a762506c2d83d769758663c0ebbef8a7b1ea04facc20b2dea2774a31996779a06f61231480e1817d19f1b78831459830e960a38eaa6d151e

\Users\Admin\AppData\Local\Temp\IXP002.TMP\150960642.exe

MD5 16143c4bd073fcf8abd2525f982c6190
SHA1 549358b2aa895b77df17f1d9fd597ed5b2798478
SHA256 14f7f92ecee0d34d1f2d355ecd7c1f45e0c5ed9bb2d2446260f042a9e330bbc9
SHA512 0c4d29781074baacd9d75299020938b68058ae91a78217cb07764d3d047af9171ba5f1630da15184c45dd6f20ea0872fdfcc68e6c4a49274eca5d11fe62bd497

memory/2476-38-0x0000000000930000-0x000000000094A000-memory.dmp

memory/2476-39-0x0000000000AF0000-0x0000000000B08000-memory.dmp

memory/2476-51-0x0000000000AF0000-0x0000000000B02000-memory.dmp

memory/2476-67-0x0000000000AF0000-0x0000000000B02000-memory.dmp

memory/2476-65-0x0000000000AF0000-0x0000000000B02000-memory.dmp

memory/2476-63-0x0000000000AF0000-0x0000000000B02000-memory.dmp

memory/2476-61-0x0000000000AF0000-0x0000000000B02000-memory.dmp

memory/2476-59-0x0000000000AF0000-0x0000000000B02000-memory.dmp

memory/2476-57-0x0000000000AF0000-0x0000000000B02000-memory.dmp

memory/2476-55-0x0000000000AF0000-0x0000000000B02000-memory.dmp

memory/2476-53-0x0000000000AF0000-0x0000000000B02000-memory.dmp

memory/2476-49-0x0000000000AF0000-0x0000000000B02000-memory.dmp

memory/2476-47-0x0000000000AF0000-0x0000000000B02000-memory.dmp

memory/2476-45-0x0000000000AF0000-0x0000000000B02000-memory.dmp

memory/2476-43-0x0000000000AF0000-0x0000000000B02000-memory.dmp

memory/2476-41-0x0000000000AF0000-0x0000000000B02000-memory.dmp

memory/2476-40-0x0000000000AF0000-0x0000000000B02000-memory.dmp

memory/772-68-0x0000000002230000-0x0000000002336000-memory.dmp

memory/772-70-0x0000000000400000-0x0000000000509000-memory.dmp

memory/772-69-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2476-71-0x0000000000400000-0x0000000000803000-memory.dmp

memory/2476-72-0x0000000000400000-0x0000000000803000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\211336502.exe

MD5 2186dc864e1223afb8e92fe85dc5c4ce
SHA1 ee85f66eb3a79d8e1791aebc68ca8992d82ac0c8
SHA256 566d0becdc1909aebbb4db85776e196fc0bd50a704f6731286852881723b5b78
SHA512 544dfeb63e25fe4dcd761bd653d18bd5fedb3eb24923a99f06415c28cc2f6297e644952f67b824c3a5ba5222afa640166d6e4f019da89e9c9ed469699c977cfa

memory/2736-83-0x00000000027C0000-0x00000000027FC000-memory.dmp

memory/2736-84-0x0000000002840000-0x000000000287A000-memory.dmp

memory/2736-102-0x0000000002840000-0x0000000002875000-memory.dmp

memory/2736-116-0x0000000002840000-0x0000000002875000-memory.dmp

memory/2736-114-0x0000000002840000-0x0000000002875000-memory.dmp

memory/2736-112-0x0000000002840000-0x0000000002875000-memory.dmp

memory/2736-110-0x0000000002840000-0x0000000002875000-memory.dmp

memory/2736-108-0x0000000002840000-0x0000000002875000-memory.dmp

memory/2736-106-0x0000000002840000-0x0000000002875000-memory.dmp

memory/2736-104-0x0000000002840000-0x0000000002875000-memory.dmp

memory/2736-100-0x0000000002840000-0x0000000002875000-memory.dmp

memory/2736-98-0x0000000002840000-0x0000000002875000-memory.dmp

memory/2736-96-0x0000000002840000-0x0000000002875000-memory.dmp

memory/2736-94-0x0000000002840000-0x0000000002875000-memory.dmp

memory/2736-92-0x0000000002840000-0x0000000002875000-memory.dmp

memory/2736-90-0x0000000002840000-0x0000000002875000-memory.dmp

memory/2736-88-0x0000000002840000-0x0000000002875000-memory.dmp

memory/2736-86-0x0000000002840000-0x0000000002875000-memory.dmp

memory/2736-85-0x0000000002840000-0x0000000002875000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-09 03:57

Reported

2024-11-09 04:00

Platform

win10v2004-20241007-en

Max time kernel

142s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2e693b82fba2e08529c89f27c20c2af6ea8ad7499ba13e7b4d515f3aa3f7ec91.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A (×17 identical rows)

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\150960642.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\150960642.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\150960642.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\150960642.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\150960642.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\150960642.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A (×19 identical rows)

Redline family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\150960642.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\150960642.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\2e693b82fba2e08529c89f27c20c2af6ea8ad7499ba13e7b4d515f3aa3f7ec91.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xW437664.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\be231436.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\211336502.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2e693b82fba2e08529c89f27c20c2af6ea8ad7499ba13e7b4d515f3aa3f7ec91.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xW437664.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\be231436.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\150960642.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\150960642.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\150960642.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\150960642.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\211336502.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4976 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\2e693b82fba2e08529c89f27c20c2af6ea8ad7499ba13e7b4d515f3aa3f7ec91.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xW437664.exe (×3 identical rows)
PID 1716 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xW437664.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\be231436.exe (×3 identical rows)
PID 2780 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\be231436.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\150960642.exe (×3 identical rows)
PID 2780 wrote to memory of 4416 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\be231436.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\211336502.exe (×3 identical rows)

Processes

C:\Users\Admin\AppData\Local\Temp\2e693b82fba2e08529c89f27c20c2af6ea8ad7499ba13e7b4d515f3aa3f7ec91.exe

"C:\Users\Admin\AppData\Local\Temp\2e693b82fba2e08529c89f27c20c2af6ea8ad7499ba13e7b4d515f3aa3f7ec91.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xW437664.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xW437664.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\be231436.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\be231436.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\150960642.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\150960642.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3024 -ip 3024

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3024 -s 1084

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\211336502.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\211336502.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 185.161.248.143:38452 N/A tcp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
RU 185.161.248.143:38452 N/A tcp
US 8.8.8.8:53 75.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
RU 185.161.248.143:38452 N/A tcp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
RU 185.161.248.143:38452 N/A tcp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
RU 185.161.248.143:38452 N/A tcp
RU 185.161.248.143:38452 N/A tcp
RU 185.161.248.143:38452 N/A tcp

Files

memory/4976-1-0x0000000002640000-0x000000000273E000-memory.dmp

memory/4976-2-0x00000000027E0000-0x00000000028E6000-memory.dmp

memory/4976-3-0x0000000000400000-0x0000000000509000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xW437664.exe

MD5 f06e39167486fc96f3eeb3ac7407b38b
SHA1 f330a5b7b428a395615b8f95c30107e1ab039b7e
SHA256 39a59c9411b604de582b4d0defd8af49451ed7bb019e4eb8bf66fee6250edcd8
SHA512 4b97f8d7443c6a4b193940f31673283e11b0751fd2594d5485ee1f26985651d3e32bd7cde6ade4150c804aa5c79faaffdbf5cf51ac7a4b0b3c592e3aa13c6048

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\be231436.exe

MD5 b5d38b0b9fec4b6c942b149c0e893bbd
SHA1 2707e6fac8b5cf387d9fdcc489c9e9f3116c5ee0
SHA256 dfb7f1f7c6de8988f69b12dbcc4c9bf2ddb8ddaec696fe86a0be556ca94daadd
SHA512 4cbc1419c027daf6a762506c2d83d769758663c0ebbef8a7b1ea04facc20b2dea2774a31996779a06f61231480e1817d19f1b78831459830e960a38eaa6d151e

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\150960642.exe

MD5 16143c4bd073fcf8abd2525f982c6190
SHA1 549358b2aa895b77df17f1d9fd597ed5b2798478
SHA256 14f7f92ecee0d34d1f2d355ecd7c1f45e0c5ed9bb2d2446260f042a9e330bbc9
SHA512 0c4d29781074baacd9d75299020938b68058ae91a78217cb07764d3d047af9171ba5f1630da15184c45dd6f20ea0872fdfcc68e6c4a49274eca5d11fe62bd497

memory/3024-26-0x0000000000400000-0x0000000000803000-memory.dmp

memory/3024-27-0x0000000000400000-0x0000000000803000-memory.dmp

memory/3024-28-0x0000000000BE0000-0x0000000000BFA000-memory.dmp

memory/3024-29-0x0000000004E50000-0x00000000053F4000-memory.dmp

memory/3024-30-0x0000000004DB0000-0x0000000004DC8000-memory.dmp

memory/3024-38-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

memory/3024-58-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

memory/3024-56-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

memory/3024-54-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

memory/3024-53-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

memory/3024-50-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

memory/3024-48-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

memory/3024-46-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

memory/3024-44-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

memory/3024-42-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

memory/3024-40-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

memory/3024-36-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

memory/3024-34-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

memory/3024-32-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

memory/3024-31-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

memory/4976-59-0x0000000002640000-0x000000000273E000-memory.dmp

memory/4976-60-0x00000000027E0000-0x00000000028E6000-memory.dmp

memory/4976-61-0x0000000000400000-0x0000000000509000-memory.dmp

memory/4976-62-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3024-65-0x0000000000400000-0x0000000000803000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\211336502.exe

MD5 2186dc864e1223afb8e92fe85dc5c4ce
SHA1 ee85f66eb3a79d8e1791aebc68ca8992d82ac0c8
SHA256 566d0becdc1909aebbb4db85776e196fc0bd50a704f6731286852881723b5b78
SHA512 544dfeb63e25fe4dcd761bd653d18bd5fedb3eb24923a99f06415c28cc2f6297e644952f67b824c3a5ba5222afa640166d6e4f019da89e9c9ed469699c977cfa

memory/4416-70-0x00000000028E0000-0x000000000291C000-memory.dmp

memory/4416-71-0x00000000053F0000-0x000000000542A000-memory.dmp

memory/4416-72-0x00000000053F0000-0x0000000005425000-memory.dmp

memory/4416-89-0x00000000053F0000-0x0000000005425000-memory.dmp

memory/4416-103-0x00000000053F0000-0x0000000005425000-memory.dmp

memory/4416-101-0x00000000053F0000-0x0000000005425000-memory.dmp

memory/4416-99-0x00000000053F0000-0x0000000005425000-memory.dmp

memory/4416-97-0x00000000053F0000-0x0000000005425000-memory.dmp

memory/4416-95-0x00000000053F0000-0x0000000005425000-memory.dmp

memory/4416-93-0x00000000053F0000-0x0000000005425000-memory.dmp

memory/4416-91-0x00000000053F0000-0x0000000005425000-memory.dmp

memory/4416-87-0x00000000053F0000-0x0000000005425000-memory.dmp

memory/4416-85-0x00000000053F0000-0x0000000005425000-memory.dmp

memory/4416-83-0x00000000053F0000-0x0000000005425000-memory.dmp

memory/4416-81-0x00000000053F0000-0x0000000005425000-memory.dmp

memory/4416-79-0x00000000053F0000-0x0000000005425000-memory.dmp

memory/4416-77-0x00000000053F0000-0x0000000005425000-memory.dmp

memory/4416-75-0x00000000053F0000-0x0000000005425000-memory.dmp

memory/4416-73-0x00000000053F0000-0x0000000005425000-memory.dmp

memory/4416-864-0x00000000078F0000-0x0000000007F08000-memory.dmp

memory/4416-865-0x0000000007FA0000-0x0000000007FB2000-memory.dmp

memory/4416-866-0x0000000007FC0000-0x00000000080CA000-memory.dmp

memory/4416-867-0x00000000080E0000-0x000000000811C000-memory.dmp

memory/4416-868-0x0000000002600000-0x000000000264C000-memory.dmp