Analysis Overview
SHA256
09e8ffb2f1318e8ac8d4af88c773297a4a48678088cdd1d8dee2f05862c90417
Threat Level: Known bad
The file 09e8ffb2f1318e8ac8d4af88c773297a4a48678088cdd1d8dee2f05862c90417 was found to be: Known bad.
Malicious Activity Summary
Modifies Windows Defender Real-time Protection settings
Redline family
RedLine
RedLine payload
Windows security modification
Executes dropped EXE
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-09 19:18
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 19:18
Reported
2024-11-09 19:20
Platform
win10v2004-20241007-en
Max time kernel
142s
Max time network
147s
Command Line
Signatures
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6725587.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6725587.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6725587.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6725587.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6725587.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6725587.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3571422.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5777065.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6725587.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b0555378.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6725587.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6725587.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\09e8ffb2f1318e8ac8d4af88c773297a4a48678088cdd1d8dee2f05862c90417.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3571422.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5777065.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b0555378.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\09e8ffb2f1318e8ac8d4af88c773297a4a48678088cdd1d8dee2f05862c90417.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3571422.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5777065.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6725587.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6725587.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6725587.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6725587.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\09e8ffb2f1318e8ac8d4af88c773297a4a48678088cdd1d8dee2f05862c90417.exe
"C:\Users\Admin\AppData\Local\Temp\09e8ffb2f1318e8ac8d4af88c773297a4a48678088cdd1d8dee2f05862c90417.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3571422.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3571422.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5777065.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5777065.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6725587.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6725587.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b0555378.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b0555378.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| RU | 185.161.248.75:4132 | | tcp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| RU | 185.161.248.75:4132 | | tcp |
| RU | 185.161.248.75:4132 | | tcp |
| RU | 185.161.248.75:4132 | | tcp |
| US | 8.8.8.8:53 | 101.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| RU | 185.161.248.75:4132 | | tcp |
| RU | 185.161.248.75:4132 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3571422.exe
| MD5 | 0e779946ef77a1d3780750706a47cf77 |
| SHA1 | 360b12f8421cfd4a52870421d1042d24d82cad24 |
| SHA256 | 4995b38a203abefa69ad4c7ff61247651b74049010128f0e07345a7d025a9861 |
| SHA512 | 3a65f0c8e6c581b8811509716a959089397badb6048bdd0d91db61b8ec73aa64704c28a9ec307a099421ded4a4e058674fcd25d2c4edac784c481c818c7075e8 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5777065.exe
| MD5 | 9463742fa3592a60dc9a34da6d187ad5 |
| SHA1 | a9ae15f432098b65c67e95362ff651c567e296be |
| SHA256 | 80281ca13faefaa480c7084504bf24b888857fd46b0cbf123e35fb1199cb45db |
| SHA512 | 21d3e653148499097e755cfdae8fce57904a0f02328a005eeda3cbe977821c88e76c6897c160307850ba853fcdf8fbab1a1dafabf2f5f9fcb9e51ec78d0239f8 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6725587.exe
| MD5 | 491f1f61aa027e4cbd3a4c768eafa7d1 |
| SHA1 | a4405e21b14e50e94430c2c3b30cd22c47a9f9f8 |
| SHA256 | a40b4bb316921cf8ad107871fcff524518c0040925afd6ee9e638f0232c18a55 |
| SHA512 | d87c7398fe703b7b628cf45060e9f830332a7e188f172e1c51f0e32342cd6ff318a0ab976ef8a828ee9fb26d81907963a53d3270d03174937daff2ace248ec05 |
memory/1476-21-0x0000000002330000-0x000000000234E000-memory.dmp
memory/1476-22-0x0000000004AE0000-0x0000000005084000-memory.dmp
memory/1476-23-0x00000000024C0000-0x00000000024DC000-memory.dmp
memory/1476-51-0x00000000024C0000-0x00000000024D6000-memory.dmp
memory/1476-49-0x00000000024C0000-0x00000000024D6000-memory.dmp
memory/1476-47-0x00000000024C0000-0x00000000024D6000-memory.dmp
memory/1476-45-0x00000000024C0000-0x00000000024D6000-memory.dmp
memory/1476-43-0x00000000024C0000-0x00000000024D6000-memory.dmp
memory/1476-41-0x00000000024C0000-0x00000000024D6000-memory.dmp
memory/1476-39-0x00000000024C0000-0x00000000024D6000-memory.dmp
memory/1476-37-0x00000000024C0000-0x00000000024D6000-memory.dmp
memory/1476-35-0x00000000024C0000-0x00000000024D6000-memory.dmp
memory/1476-33-0x00000000024C0000-0x00000000024D6000-memory.dmp
memory/1476-31-0x00000000024C0000-0x00000000024D6000-memory.dmp
memory/1476-29-0x00000000024C0000-0x00000000024D6000-memory.dmp
memory/1476-27-0x00000000024C0000-0x00000000024D6000-memory.dmp
memory/1476-25-0x00000000024C0000-0x00000000024D6000-memory.dmp
memory/1476-24-0x00000000024C0000-0x00000000024D6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b0555378.exe
| MD5 | 7d467150c58638fda1accd402ffc9db4 |
| SHA1 | 7b485acdbbe4ac9afd8dfcf27a4cfc07fa5d5539 |
| SHA256 | 87ff4718b356f6b9d7c4b26ffc3c92ed806e23203cc9b314797a9b97fb12d917 |
| SHA512 | 6f526880626c2725c1d59859fa39a914ae9826de4def771897b7dc839c13d97d4256f58b0da339adc27122b181bc76c4e5f68aa3809b7c9eaa094094b694fd3e |
memory/536-56-0x0000000000570000-0x000000000059A000-memory.dmp
memory/536-57-0x0000000005390000-0x00000000059A8000-memory.dmp
memory/536-58-0x0000000004F00000-0x000000000500A000-memory.dmp
memory/536-59-0x0000000004E30000-0x0000000004E42000-memory.dmp
memory/536-60-0x0000000004EC0000-0x0000000004EFC000-memory.dmp
memory/536-61-0x0000000004E50000-0x0000000004E9C000-memory.dmp