Malware Analysis Report

2025-08-05 10:16

Sample ID 241109-fzav1aycqm
Target dc626ea4b01c71c51fd61688ae5856070cdb8be2dedabd20a0f6f45324c7dbbe
SHA256 dc626ea4b01c71c51fd61688ae5856070cdb8be2dedabd20a0f6f45324c7dbbe
Tags
healer redline discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

dc626ea4b01c71c51fd61688ae5856070cdb8be2dedabd20a0f6f45324c7dbbe

Threat Level: Known bad

The file dc626ea4b01c71c51fd61688ae5856070cdb8be2dedabd20a0f6f45324c7dbbe was found to be: Known bad.

Malicious Activity Summary

healer redline discovery dropper evasion infostealer persistence trojan

Modifies Windows Defender Real-time Protection settings

Detects Healer an antivirus disabler dropper

Redline family

Healer family

RedLine

RedLine payload

Healer

Executes dropped EXE

Loads dropped DLL

Windows security modification

Adds Run key to start application

Program crash

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 05:18

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 05:18

Reported

2024-11-09 05:20

Platform

win7-20241010-en

Max time kernel

148s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dc626ea4b01c71c51fd61688ae5856070cdb8be2dedabd20a0f6f45324c7dbbe.exe"

Signatures

Detects Healer an antivirus disabler dropper

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\162451254.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\162451254.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\162451254.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\162451254.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\162451254.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\162451254.exe N/A

RedLine

infostealer redline

RedLine payload

Redline family

redline

Windows security modification

evasion trojan

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\162451254.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\162451254.exe N/A

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\dc626ea4b01c71c51fd61688ae5856070cdb8be2dedabd20a0f6f45324c7dbbe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lF272076.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qD163070.exe N/A

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qD163070.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\162451254.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\272189732.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\dc626ea4b01c71c51fd61688ae5856070cdb8be2dedabd20a0f6f45324c7dbbe.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lF272076.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\162451254.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\162451254.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\272189732.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 108 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\dc626ea4b01c71c51fd61688ae5856070cdb8be2dedabd20a0f6f45324c7dbbe.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lF272076.exe
PID 2116 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lF272076.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qD163070.exe
PID 2172 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qD163070.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\162451254.exe
PID 2172 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qD163070.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\272189732.exe

Processes

C:\Users\Admin\AppData\Local\Temp\dc626ea4b01c71c51fd61688ae5856070cdb8be2dedabd20a0f6f45324c7dbbe.exe

"C:\Users\Admin\AppData\Local\Temp\dc626ea4b01c71c51fd61688ae5856070cdb8be2dedabd20a0f6f45324c7dbbe.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lF272076.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lF272076.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qD163070.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qD163070.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\162451254.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\162451254.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\272189732.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\272189732.exe

Network

Country Destination Domain Proto
RU 185.161.248.143:38452 tcp

Files

\Users\Admin\AppData\Local\Temp\IXP000.TMP\lF272076.exe

MD5 14f4eaa7ae2edf596ab5aa6259317026
SHA1 3cf20c0c6026b0ac23b17b49542a7c00f669ad82
SHA256 a502e76ab90fa397c80d0700c83ace1a300521b818c22d535ea0b115eadb63d8
SHA512 be6ec5e96f48f846369dff64261ef43420061b5a8d1d5969ba60ceaca8c1e72c664752d77d88b67cad935cd02a1cfe187eb2fd5cd5dd995e9d7f3eb0fc9ac6f9

\Users\Admin\AppData\Local\Temp\IXP001.TMP\qD163070.exe

MD5 f1f14512c243c673ed9d12b01b231c97
SHA1 9f459709c22bb68c003e059fa7c0748b36532f98
SHA256 9c2f308f4028ef90be0915e36b65aa516e610d536121048c598c833ee8dd7566
SHA512 d3440fe5279eae3cbfb8af837ea6f8917e630ac96ee0de66972f1a9ee54cd7e1fdb700cb5da10471ab762da16426a1deaccc38a9261989ff96485f828e01d300

\Users\Admin\AppData\Local\Temp\IXP002.TMP\162451254.exe

MD5 d8a23874a3620e74d09c39cfe54b852b
SHA1 48fc01f5c560a7863e9c4aef279a30ddb63f0378
SHA256 313d8545a08d26b195af8d1ef8227f35d84f2c6b868af382ec091e9c25ffba50
SHA512 d40f7e1512ed8d3e7125a69c6bce16675d14f965a0f4a4ad9d546c6110fc3026b377d346732d32e34850593ca728aa3528254430cd1a22d558248afb48027b6b

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\272189732.exe

MD5 73cb8f16cb86208e26b37812bb3a91e8
SHA1 acc61d785ca8f3aeaa557414cce48abafe8f6969
SHA256 78238405fadaa7fdf788eb336ae4d5592a516442967b2563e5fb7a18131f312c
SHA512 9a06bb7570cc84d0e7d1fb6f2570fa171bb2b20da61003d8630057ccf10a0dfe7486beeb3bc89107e5e1ba5acda02fbc0a1a52a060f46a4f3c49f9e1e2b00945

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-09 05:18

Reported

2024-11-09 05:20

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dc626ea4b01c71c51fd61688ae5856070cdb8be2dedabd20a0f6f45324c7dbbe.exe"

Signatures

Detects Healer an antivirus disabler dropper

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\162451254.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\162451254.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\162451254.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\162451254.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\162451254.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\162451254.exe N/A

RedLine

infostealer redline

RedLine payload

Redline family

redline

Windows security modification

evasion trojan

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\162451254.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\162451254.exe N/A

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\dc626ea4b01c71c51fd61688ae5856070cdb8be2dedabd20a0f6f45324c7dbbe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lF272076.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qD163070.exe N/A

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\dc626ea4b01c71c51fd61688ae5856070cdb8be2dedabd20a0f6f45324c7dbbe.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lF272076.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qD163070.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\162451254.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\272189732.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\162451254.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\162451254.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\272189732.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4276 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Local\Temp\dc626ea4b01c71c51fd61688ae5856070cdb8be2dedabd20a0f6f45324c7dbbe.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lF272076.exe
PID 2296 wrote to memory of 4700 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lF272076.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qD163070.exe
PID 4700 wrote to memory of 1092 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qD163070.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\162451254.exe
PID 4700 wrote to memory of 1852 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qD163070.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\272189732.exe

Processes

C:\Users\Admin\AppData\Local\Temp\dc626ea4b01c71c51fd61688ae5856070cdb8be2dedabd20a0f6f45324c7dbbe.exe

"C:\Users\Admin\AppData\Local\Temp\dc626ea4b01c71c51fd61688ae5856070cdb8be2dedabd20a0f6f45324c7dbbe.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lF272076.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lF272076.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qD163070.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qD163070.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\162451254.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\162451254.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1092 -ip 1092

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1092 -s 1096

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\272189732.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\272189732.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
RU 185.161.248.143:38452 tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 107.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lF272076.exe

MD5 14f4eaa7ae2edf596ab5aa6259317026
SHA1 3cf20c0c6026b0ac23b17b49542a7c00f669ad82
SHA256 a502e76ab90fa397c80d0700c83ace1a300521b818c22d535ea0b115eadb63d8
SHA512 be6ec5e96f48f846369dff64261ef43420061b5a8d1d5969ba60ceaca8c1e72c664752d77d88b67cad935cd02a1cfe187eb2fd5cd5dd995e9d7f3eb0fc9ac6f9

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qD163070.exe

MD5 f1f14512c243c673ed9d12b01b231c97
SHA1 9f459709c22bb68c003e059fa7c0748b36532f98
SHA256 9c2f308f4028ef90be0915e36b65aa516e610d536121048c598c833ee8dd7566
SHA512 d3440fe5279eae3cbfb8af837ea6f8917e630ac96ee0de66972f1a9ee54cd7e1fdb700cb5da10471ab762da16426a1deaccc38a9261989ff96485f828e01d300

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\162451254.exe

MD5 d8a23874a3620e74d09c39cfe54b852b
SHA1 48fc01f5c560a7863e9c4aef279a30ddb63f0378
SHA256 313d8545a08d26b195af8d1ef8227f35d84f2c6b868af382ec091e9c25ffba50
SHA512 d40f7e1512ed8d3e7125a69c6bce16675d14f965a0f4a4ad9d546c6110fc3026b377d346732d32e34850593ca728aa3528254430cd1a22d558248afb48027b6b

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\272189732.exe

MD5 73cb8f16cb86208e26b37812bb3a91e8
SHA1 acc61d785ca8f3aeaa557414cce48abafe8f6969
SHA256 78238405fadaa7fdf788eb336ae4d5592a516442967b2563e5fb7a18131f312c
SHA512 9a06bb7570cc84d0e7d1fb6f2570fa171bb2b20da61003d8630057ccf10a0dfe7486beeb3bc89107e5e1ba5acda02fbc0a1a52a060f46a4f3c49f9e1e2b00945
