Malware Analysis Report

2025-08-11 07:14

Sample ID 241109-fmptdsxmdw
Target e11f5a2414831f728a7e1623c17544d92ab9932b4116a88c380a1b3916ffbde0
SHA256 e11f5a2414831f728a7e1623c17544d92ab9932b4116a88c380a1b3916ffbde0
Tags
healer redline discovery dropper evasion infostealer persistence trojan
score
10/10

Analysis Overview

score
10/10

SHA256

e11f5a2414831f728a7e1623c17544d92ab9932b4116a88c380a1b3916ffbde0

Threat Level: Known bad

The file e11f5a2414831f728a7e1623c17544d92ab9932b4116a88c380a1b3916ffbde0 was found to be: Known bad.

Malicious Activity Summary

healer redline discovery dropper evasion infostealer persistence trojan

Healer family

RedLine

Modifies Windows Defender Real-time Protection settings

Detects Healer an antivirus disabler dropper

Healer

RedLine payload

Redline family

Loads dropped DLL

Windows security modification

Executes dropped EXE

Adds Run key to start application

System Location Discovery: System Language Discovery

Unsigned PE

Program crash

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 04:59

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 04:59

Reported

2024-11-09 05:02

Platform

win7-20240708-en

Max time kernel

141s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e11f5a2414831f728a7e1623c17544d92ab9932b4116a88c380a1b3916ffbde0.exe"

Signatures

Detects Healer an antivirus disabler dropper

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe N/A

RedLine

infostealer redline

RedLine payload

Redline family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\e11f5a2414831f728a7e1623c17544d92ab9932b4116a88c380a1b3916ffbde0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ut865216.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iY640225.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\e11f5a2414831f728a7e1623c17544d92ab9932b4116a88c380a1b3916ffbde0.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ut865216.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iY640225.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\258768145.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\258768145.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1960 wrote to memory of 2772 (7 events) N/A C:\Users\Admin\AppData\Local\Temp\e11f5a2414831f728a7e1623c17544d92ab9932b4116a88c380a1b3916ffbde0.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ut865216.exe
PID 2772 wrote to memory of 608 (7 events) N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ut865216.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iY640225.exe
PID 608 wrote to memory of 2416 (7 events) N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iY640225.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe
PID 608 wrote to memory of 2600 (7 events) N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iY640225.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\258768145.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e11f5a2414831f728a7e1623c17544d92ab9932b4116a88c380a1b3916ffbde0.exe

"C:\Users\Admin\AppData\Local\Temp\e11f5a2414831f728a7e1623c17544d92ab9932b4116a88c380a1b3916ffbde0.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ut865216.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ut865216.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iY640225.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iY640225.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\258768145.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\258768145.exe

Network

Country Destination Domain Proto
RU 185.161.248.142:38452 tcp (7 connections)

Files

\Users\Admin\AppData\Local\Temp\IXP000.TMP\ut865216.exe

MD5 d65c8e9f391cf20655232c5c987b746f
SHA1 bfce684cea9f3ad1f8319e3dd581f58ec22df410
SHA256 0376e92c9fdd3170bd6c4589d0ab56494bbef6ebb0c1ec8c2be1ea0c637281dc
SHA512 226c17e238df5c15eb0a90d5e6922f131e45daa44bee1d7dffe934068cb0db54e03fb23d45826e6daf21f5251bc1cfa65948f19dc45c4c9099376f724e342597

\Users\Admin\AppData\Local\Temp\IXP001.TMP\iY640225.exe

MD5 79bb8aa7f82a94ba01dc4b70c63957e0
SHA1 535a7c0407de96fdce4bf3017f07b4333e9acc01
SHA256 337c493481660ea88e0c92612f9caafff009cf7820f9fb84746b24ed2b64fff9
SHA512 c7adba7203490aee60aa1b678632df1b1b168f47810bc927978f9b8b7e8ace467446c58f8ae85f3f5bbd3fa4cbae2ace32f67b893c02282de618878b98b50139

\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe

MD5 e1b364b4b96ca742b39a069ca1390a0b
SHA1 970e15712c7b43117b2144d2dbf2aed590fff249
SHA256 dc2f6a4b3d395642bdd40c133807093078b2e6b7f4e683a878d63e258d58cb4b
SHA512 4b48624e84da9949c79e3116f9327cd1f1cd1a68cf495db1c7203db470fc668afca3f48674fc47244e6d6e9157a0d3adaa22183a20470a57df1c5f4a31f8573d

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\258768145.exe

MD5 848ce28183931ae67c8a0d8ce3a1efc3
SHA1 a39582bf82be42b8cf83b0015130273ab0e51c90
SHA256 1920e51f6e64752f4dd7474638b8d86c646e1b8cc4099415d2319d038fe1aff3
SHA512 430e793cac623274f0082eaec2377e946d9238f394837272ea4237ef305a00b3db28c081d6c82d2fbcadab0dc5a11769ebd9423e9129279a91ffe4b7aeae4b1d

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-09 04:59

Reported

2024-11-09 05:02

Platform

win10v2004-20241007-en

Max time kernel

144s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e11f5a2414831f728a7e1623c17544d92ab9932b4116a88c380a1b3916ffbde0.exe"

Signatures

Detects Healer an antivirus disabler dropper

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe N/A

RedLine

infostealer redline

RedLine payload

Redline family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iY640225.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\e11f5a2414831f728a7e1623c17544d92ab9932b4116a88c380a1b3916ffbde0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ut865216.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\258768145.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\e11f5a2414831f728a7e1623c17544d92ab9932b4116a88c380a1b3916ffbde0.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ut865216.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iY640225.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\258768145.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4816 wrote to memory of 3876 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\e11f5a2414831f728a7e1623c17544d92ab9932b4116a88c380a1b3916ffbde0.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ut865216.exe
PID 3876 wrote to memory of 4000 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ut865216.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iY640225.exe
PID 4000 wrote to memory of 4352 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iY640225.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe
PID 4000 wrote to memory of 3616 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iY640225.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\258768145.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e11f5a2414831f728a7e1623c17544d92ab9932b4116a88c380a1b3916ffbde0.exe

"C:\Users\Admin\AppData\Local\Temp\e11f5a2414831f728a7e1623c17544d92ab9932b4116a88c380a1b3916ffbde0.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ut865216.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ut865216.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iY640225.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iY640225.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4352 -ip 4352

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4352 -s 1080

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\258768145.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\258768145.exe

Network

Country Destination Domain Proto
RU 185.161.248.142:38452 tcp (7 connections)
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 71.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ut865216.exe

MD5 d65c8e9f391cf20655232c5c987b746f
SHA1 bfce684cea9f3ad1f8319e3dd581f58ec22df410
SHA256 0376e92c9fdd3170bd6c4589d0ab56494bbef6ebb0c1ec8c2be1ea0c637281dc
SHA512 226c17e238df5c15eb0a90d5e6922f131e45daa44bee1d7dffe934068cb0db54e03fb23d45826e6daf21f5251bc1cfa65948f19dc45c4c9099376f724e342597

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iY640225.exe

MD5 79bb8aa7f82a94ba01dc4b70c63957e0
SHA1 535a7c0407de96fdce4bf3017f07b4333e9acc01
SHA256 337c493481660ea88e0c92612f9caafff009cf7820f9fb84746b24ed2b64fff9
SHA512 c7adba7203490aee60aa1b678632df1b1b168f47810bc927978f9b8b7e8ace467446c58f8ae85f3f5bbd3fa4cbae2ace32f67b893c02282de618878b98b50139

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe

MD5 e1b364b4b96ca742b39a069ca1390a0b
SHA1 970e15712c7b43117b2144d2dbf2aed590fff249
SHA256 dc2f6a4b3d395642bdd40c133807093078b2e6b7f4e683a878d63e258d58cb4b
SHA512 4b48624e84da9949c79e3116f9327cd1f1cd1a68cf495db1c7203db470fc668afca3f48674fc47244e6d6e9157a0d3adaa22183a20470a57df1c5f4a31f8573d

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\258768145.exe

MD5 848ce28183931ae67c8a0d8ce3a1efc3
SHA1 a39582bf82be42b8cf83b0015130273ab0e51c90
SHA256 1920e51f6e64752f4dd7474638b8d86c646e1b8cc4099415d2319d038fe1aff3
SHA512 430e793cac623274f0082eaec2377e946d9238f394837272ea4237ef305a00b3db28c081d6c82d2fbcadab0dc5a11769ebd9423e9129279a91ffe4b7aeae4b1d
