Malware Analysis Report

2025-05-06 00:51

Sample ID 241109-y9hmps1hjp
Target e504ad32a7457aa63d92a7a97d78498854f0c17935afed7c1f08de010fe59b8a
SHA256 e504ad32a7457aa63d92a7a97d78498854f0c17935afed7c1f08de010fe59b8a
Tags
healer redline discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e504ad32a7457aa63d92a7a97d78498854f0c17935afed7c1f08de010fe59b8a

Threat Level: Known bad

The file e504ad32a7457aa63d92a7a97d78498854f0c17935afed7c1f08de010fe59b8a was found to be: Known bad.

Malicious Activity Summary

healer redline discovery dropper evasion infostealer persistence trojan

RedLine

RedLine payload

Modifies Windows Defender Real-time Protection settings

Healer

Healer family

Detects Healer an antivirus disabler dropper

Redline family

Windows security modification

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Program crash

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 20:28

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-09 20:28

Reported

2024-11-09 20:31

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e504ad32a7457aa63d92a7a97d78498854f0c17935afed7c1f08de010fe59b8a.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe | N/A

These five values are the Windows Defender Group Policy settings under HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection. Set to 1 they turn off the real-time engine, behaviour monitoring, download and attachment (IOAV) scanning and on-access scanning, and skip the process scan that normally runs when real-time protection is turned back on. The path is logged under WOW6432Node because 106888316.exe is a 32-bit process, but HKLM\SOFTWARE\Policies is one of the subtrees WOW64 shares between the 32-bit and 64-bit registry views, so the write lands in the key the 64-bit Defender service reads; the win7 run below logs the same writes against the native Policies path. On a host with Tamper Protection enabled, Defender ignores these local registry changes; without it, they take effect.

RedLine

infostealer redline

RedLine payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Redline family

redline

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe | N/A

The TamperProtection value lives under HKLM\SOFTWARE\Microsoft\Windows Defender\Features. Unlike the Policies subtree, that key is not shared between WOW64 views, so a write from the 32-bit 106888316.exe is redirected to the Wow6432Node copy and never reaches the key the 64-bit Defender service reads; the same redirection is visible in the win7 run below. Even a write to the native key would not switch Tamper Protection off where it is enabled, since that setting can only be changed through the Windows Security app or a management channel. Treat this row as an indicator of intent, not as evidence that protection was disabled.

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\e504ad32a7457aa63d92a7a97d78498854f0c17935afed7c1f08de010fe59b8a.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ut865216.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iY640225.exe | N/A

These entries are not payload autoruns. wextract_cleanup0 to wextract_cleanup2 are the RunOnce values that the IExpress self-extractor (wextract) writes so that rundll32.exe advpack.dll,DelNodeRunDLL32 deletes its IXP00n.TMP extraction directory at the next logon; they run once and remove themselves. Three entries written by three different images (the submitted sample, ut865216.exe and iY640225.exe) show three nested IExpress packages: the sample unpacks ut865216.exe into IXP000.TMP, that unpacks iY640225.exe into IXP001.TMP, and that unpacks the two real payloads, 106888316.exe and 258768145.exe, into IXP002.TMP. The "persistence" tag on this signature is a sandbox heuristic, not something the sample does.

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\e504ad32a7457aa63d92a7a97d78498854f0c17935afed7c1f08de010fe59b8a.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ut865216.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iY640225.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\258768145.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\258768145.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2296 wrote to memory of 3384 | N/A | C:\Users\Admin\AppData\Local\Temp\e504ad32a7457aa63d92a7a97d78498854f0c17935afed7c1f08de010fe59b8a.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ut865216.exe
PID 2296 wrote to memory of 3384 | N/A | C:\Users\Admin\AppData\Local\Temp\e504ad32a7457aa63d92a7a97d78498854f0c17935afed7c1f08de010fe59b8a.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ut865216.exe
PID 2296 wrote to memory of 3384 | N/A | C:\Users\Admin\AppData\Local\Temp\e504ad32a7457aa63d92a7a97d78498854f0c17935afed7c1f08de010fe59b8a.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ut865216.exe
PID 3384 wrote to memory of 2108 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ut865216.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iY640225.exe
PID 3384 wrote to memory of 2108 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ut865216.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iY640225.exe
PID 3384 wrote to memory of 2108 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ut865216.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iY640225.exe
PID 2108 wrote to memory of 1068 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iY640225.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe
PID 2108 wrote to memory of 1068 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iY640225.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe
PID 2108 wrote to memory of 1068 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iY640225.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe
PID 2108 wrote to memory of 2340 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iY640225.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\258768145.exe
PID 2108 wrote to memory of 2340 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iY640225.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\258768145.exe
PID 2108 wrote to memory of 2340 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iY640225.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\258768145.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e504ad32a7457aa63d92a7a97d78498854f0c17935afed7c1f08de010fe59b8a.exe

"C:\Users\Admin\AppData\Local\Temp\e504ad32a7457aa63d92a7a97d78498854f0c17935afed7c1f08de010fe59b8a.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ut865216.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ut865216.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iY640225.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iY640225.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1068 -ip 1068

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1068 -s 1080

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\258768145.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\258768145.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp
RU | 185.161.248.142:38452 | - | tcp
US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 67.209.201.84.in-addr.arpa | udp
RU | 185.161.248.142:38452 | - | tcp
RU | 185.161.248.142:38452 | - | tcp
US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp
RU | 185.161.248.142:38452 | - | tcp
US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp
RU | 185.161.248.142:38452 | - | tcp
RU | 185.161.248.142:38452 | - | tcp
RU | 185.161.248.142:38452 | - | tcp

The only outbound connection in either run is plain TCP to 185.161.248.142:38452, attempted seven times here and seven times on win7. The udp rows are reverse (PTR) lookups sent to 8.8.8.8 for addresses that do not include 185.161.248.142; the report does not attribute the lookups or the connection to a specific process.

Files

memory/2296-1-0x0000000004A80000-0x0000000004B5A000-memory.dmp

memory/2296-2-0x0000000004B60000-0x0000000004C3D000-memory.dmp

memory/2296-3-0x0000000000400000-0x00000000004E1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ut865216.exe

MD5 d65c8e9f391cf20655232c5c987b746f
SHA1 bfce684cea9f3ad1f8319e3dd581f58ec22df410
SHA256 0376e92c9fdd3170bd6c4589d0ab56494bbef6ebb0c1ec8c2be1ea0c637281dc
SHA512 226c17e238df5c15eb0a90d5e6922f131e45daa44bee1d7dffe934068cb0db54e03fb23d45826e6daf21f5251bc1cfa65948f19dc45c4c9099376f724e342597

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iY640225.exe

MD5 79bb8aa7f82a94ba01dc4b70c63957e0
SHA1 535a7c0407de96fdce4bf3017f07b4333e9acc01
SHA256 337c493481660ea88e0c92612f9caafff009cf7820f9fb84746b24ed2b64fff9
SHA512 c7adba7203490aee60aa1b678632df1b1b168f47810bc927978f9b8b7e8ace467446c58f8ae85f3f5bbd3fa4cbae2ace32f67b893c02282de618878b98b50139

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe

MD5 e1b364b4b96ca742b39a069ca1390a0b
SHA1 970e15712c7b43117b2144d2dbf2aed590fff249
SHA256 dc2f6a4b3d395642bdd40c133807093078b2e6b7f4e683a878d63e258d58cb4b
SHA512 4b48624e84da9949c79e3116f9327cd1f1cd1a68cf495db1c7203db470fc668afca3f48674fc47244e6d6e9157a0d3adaa22183a20470a57df1c5f4a31f8573d

memory/1068-26-0x0000000004C60000-0x0000000004C7A000-memory.dmp

memory/1068-27-0x0000000007400000-0x00000000079A4000-memory.dmp

memory/1068-28-0x0000000007280000-0x0000000007298000-memory.dmp

memory/1068-29-0x0000000007280000-0x0000000007292000-memory.dmp

memory/1068-42-0x0000000007280000-0x0000000007292000-memory.dmp

memory/1068-56-0x0000000007280000-0x0000000007292000-memory.dmp

memory/1068-54-0x0000000007280000-0x0000000007292000-memory.dmp

memory/1068-52-0x0000000007280000-0x0000000007292000-memory.dmp

memory/1068-50-0x0000000007280000-0x0000000007292000-memory.dmp

memory/1068-48-0x0000000007280000-0x0000000007292000-memory.dmp

memory/1068-46-0x0000000007280000-0x0000000007292000-memory.dmp

memory/1068-44-0x0000000007280000-0x0000000007292000-memory.dmp

memory/1068-40-0x0000000007280000-0x0000000007292000-memory.dmp

memory/1068-38-0x0000000007280000-0x0000000007292000-memory.dmp

memory/1068-36-0x0000000007280000-0x0000000007292000-memory.dmp

memory/1068-34-0x0000000007280000-0x0000000007292000-memory.dmp

memory/1068-32-0x0000000007280000-0x0000000007292000-memory.dmp

memory/1068-30-0x0000000007280000-0x0000000007292000-memory.dmp

memory/2296-57-0x0000000004A80000-0x0000000004B5A000-memory.dmp

memory/2296-59-0x0000000004B60000-0x0000000004C3D000-memory.dmp

memory/2296-58-0x0000000000400000-0x0000000002C64000-memory.dmp

memory/2296-60-0x0000000000400000-0x00000000004E1000-memory.dmp

memory/1068-61-0x0000000000400000-0x0000000002BAF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\258768145.exe

MD5 848ce28183931ae67c8a0d8ce3a1efc3
SHA1 a39582bf82be42b8cf83b0015130273ab0e51c90
SHA256 1920e51f6e64752f4dd7474638b8d86c646e1b8cc4099415d2319d038fe1aff3
SHA512 430e793cac623274f0082eaec2377e946d9238f394837272ea4237ef305a00b3db28c081d6c82d2fbcadab0dc5a11769ebd9423e9129279a91ffe4b7aeae4b1d

memory/1068-63-0x0000000000400000-0x0000000002BAF000-memory.dmp

memory/2340-68-0x0000000004B00000-0x0000000004B3C000-memory.dmp

memory/2340-69-0x0000000004BA0000-0x0000000004BDA000-memory.dmp

memory/2340-85-0x0000000004BA0000-0x0000000004BD5000-memory.dmp

memory/2340-87-0x0000000004BA0000-0x0000000004BD5000-memory.dmp

memory/2340-101-0x0000000004BA0000-0x0000000004BD5000-memory.dmp

memory/2340-99-0x0000000004BA0000-0x0000000004BD5000-memory.dmp

memory/2340-97-0x0000000004BA0000-0x0000000004BD5000-memory.dmp

memory/2340-95-0x0000000004BA0000-0x0000000004BD5000-memory.dmp

memory/2340-93-0x0000000004BA0000-0x0000000004BD5000-memory.dmp

memory/2340-91-0x0000000004BA0000-0x0000000004BD5000-memory.dmp

memory/2340-89-0x0000000004BA0000-0x0000000004BD5000-memory.dmp

memory/2340-83-0x0000000004BA0000-0x0000000004BD5000-memory.dmp

memory/2340-81-0x0000000004BA0000-0x0000000004BD5000-memory.dmp

memory/2340-79-0x0000000004BA0000-0x0000000004BD5000-memory.dmp

memory/2340-77-0x0000000004BA0000-0x0000000004BD5000-memory.dmp

memory/2340-75-0x0000000004BA0000-0x0000000004BD5000-memory.dmp

memory/2340-73-0x0000000004BA0000-0x0000000004BD5000-memory.dmp

memory/2340-71-0x0000000004BA0000-0x0000000004BD5000-memory.dmp

memory/2340-70-0x0000000004BA0000-0x0000000004BD5000-memory.dmp

memory/2340-862-0x0000000009D20000-0x000000000A338000-memory.dmp

memory/2340-863-0x000000000A350000-0x000000000A362000-memory.dmp

memory/2340-864-0x000000000A370000-0x000000000A47A000-memory.dmp

memory/2340-865-0x000000000A490000-0x000000000A4CC000-memory.dmp

memory/2340-866-0x0000000004D10000-0x0000000004D5C000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 20:28

Reported

2024-11-09 20:31

Platform

win7-20240903-en

Max time kernel

143s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e504ad32a7457aa63d92a7a97d78498854f0c17935afed7c1f08de010fe59b8a.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe | N/A

RedLine

infostealer redline

RedLine payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Redline family

redline

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\e504ad32a7457aa63d92a7a97d78498854f0c17935afed7c1f08de010fe59b8a.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ut865216.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iY640225.exe | N/A
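The registry tables in both runs (win10 above as behavioral2, win7 here as behavioral1) list three different kinds of write under evasion and persistence signatures: Defender policy values that genuinely weaken protection, a TamperProtection write that cannot take effect, and IExpress cleanup entries that only delete a temp directory. The Python below is an added example, not code from this report or from any sandbox: it takes registry events in the sandbox's four fields (operation, key, value, process), folds the WOW6432Node component into a normalised HKLM path while remembering whether the write came from the 32-bit view, and classifies each event accordingly. The events are copied from the win10 tables; the final Run\Updater entry is a constructed control case so the real-autostart branch is exercised, and the category names and the "effective" flag are this example's own conventions.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Process paths as they appear in the win10 run.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\e504ad32a7457aa63d92a7a97d78498854f0c17935afed7c1f08de010fe59b8a.exe"
IXP2_106888316 = r"C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe"
IXP2_258768145 = r"C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\258768145.exe"

# Registry events in the sandbox's fields: (operation, key, value or None, process).
# Copied from the win10 tables; the last tuple is a constructed control case, not from the report.
EVENTS = [
    ("Set value (int)", r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring", "1", IXP2_106888316),
    ("Set value (int)", r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring", "1", IXP2_106888316),
    ("Key created", r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features", None, IXP2_106888316),
    ("Set value (int)", r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection", "0", IXP2_106888316),
    ("Set value (str)", r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0",
     r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"', SAMPLE),
    ("Key opened", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language", None, IXP2_258768145),
    ("Set value (str)", r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
     r"C:\Users\Admin\AppData\Roaming\updater.exe", r"C:\Users\Admin\AppData\Roaming\updater.exe"),  # constructed
]

# Defender real-time protection policy values; each disables a component when set to 1.
DEFENDER_RTP_POLICY = r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
DEFENDER_RTP_VALUES = {"DisableRealtimeMonitoring", "DisableBehaviorMonitoring", "DisableIOAVProtection",
                       "DisableOnAccessProtection", "DisableScanOnRealtimeEnable"}
TAMPER_VALUE = r"HKLM\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection"
AUTOSTART_RE = re.compile(r"^HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\(?P<name>[^\\]+)$", re.I)
IEXPRESS_CLEANUP_RE = re.compile(r"^rundll32\.exe .*advpack\.dll,DelNodeRunDLL32 ", re.I)
# HKLM\SOFTWARE subtrees that WOW64 shares between the 32-bit and 64-bit views.
SHARED_PREFIXES = (r"HKLM\SOFTWARE\Policies",)


def normalize(key: str) -> tuple[str, bool]:
    """Rewrite \\REGISTRY\\MACHINE as HKLM and drop WOW6432Node; report whether it was present."""
    k = re.sub(r"^\\REGISTRY\\MACHINE\\", r"HKLM\\", key, flags=re.I)
    wow = re.search(r"\\WOW6432Node\\", k, flags=re.I) is not None
    k = re.sub(r"\\WOW6432Node\\", r"\\", k, flags=re.I)
    return k, wow


@dataclass
class Finding:
    process: str
    category: str
    key: str
    effective: bool   # does the write reach the key the 64-bit component reads?
    note: str


def classify(op: str, key: str, value: str | None, process: str) -> Finding | None:
    k, wow = normalize(key)
    shared = k.upper().startswith(tuple(p.upper() for p in SHARED_PREFIXES))
    effective = (not wow) or shared
    parent, _, name = k.rpartition("\\")
    if op.startswith("Set value"):
        if parent.upper() == DEFENDER_RTP_POLICY.upper() and name in DEFENDER_RTP_VALUES and value == "1":
            return Finding(process, "defender_rtp_disabled", k, effective,
                           "Defender policy value; Policies is WOW64-shared, so the write takes effect")
        if k.upper() == TAMPER_VALUE.upper() and value == "0":
            return Finding(process, "tamper_protection_write", k, effective,
                           "redirected to the 32-bit view, never reaches Defender" if wow else "native Features key")
        m = AUTOSTART_RE.match(k)
        if m:
            if m.group("name").lower().startswith("wextract_cleanup") and IEXPRESS_CLEANUP_RE.match(value or ""):
                return Finding(process, "iexpress_cleanup", k, effective,
                               "IExpress RunOnce entry that deletes an IXP00n.TMP directory; not payload persistence")
            return Finding(process, "autostart", k, effective, f"Run/RunOnce value -> {value}")
    elif op == "Key opened" and k.upper().endswith(r"\CONTROL\NLS\LANGUAGE"):
        return Finding(process, "language_check", k, effective, "install-language read (T1614.001)")
    return None


def summarize(events):
    """All findings, plus a per-process (basename) set of categories for quick triage."""
    findings = [f for f in (classify(*e) for e in events) if f]
    by_process: dict[str, set[str]] = {}
    for f in findings:
        by_process.setdefault(f.process.rsplit("\\", 1)[-1], set()).add(f.category)
    return findings, by_process


if __name__ == "__main__":
    for f in summarize(EVENTS)[0]:
        print(f"{f.process.rsplit(chr(92), 1)[-1]:<20} {f.category:<24} effective={f.effective}  {f.note}")
```

The "effective" flag is the point of the exercise: the same sandbox row looks identical for the Policies writes and the TamperProtection write, but only the former lands where Defender reads it. Feeding the win7 rows through the same code gives the same categories with the Policies writes flagged as native rather than shared.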

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\e504ad32a7457aa63d92a7a97d78498854f0c17935afed7c1f08de010fe59b8a.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ut865216.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iY640225.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\258768145.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\258768145.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2380 wrote to memory of 2760 | N/A | C:\Users\Admin\AppData\Local\Temp\e504ad32a7457aa63d92a7a97d78498854f0c17935afed7c1f08de010fe59b8a.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ut865216.exe
PID 2380 wrote to memory of 2760 | N/A | C:\Users\Admin\AppData\Local\Temp\e504ad32a7457aa63d92a7a97d78498854f0c17935afed7c1f08de010fe59b8a.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ut865216.exe
PID 2380 wrote to memory of 2760 | N/A | C:\Users\Admin\AppData\Local\Temp\e504ad32a7457aa63d92a7a97d78498854f0c17935afed7c1f08de010fe59b8a.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ut865216.exe
PID 2380 wrote to memory of 2760 | N/A | C:\Users\Admin\AppData\Local\Temp\e504ad32a7457aa63d92a7a97d78498854f0c17935afed7c1f08de010fe59b8a.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ut865216.exe
PID 2380 wrote to memory of 2760 | N/A | C:\Users\Admin\AppData\Local\Temp\e504ad32a7457aa63d92a7a97d78498854f0c17935afed7c1f08de010fe59b8a.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ut865216.exe
PID 2380 wrote to memory of 2760 | N/A | C:\Users\Admin\AppData\Local\Temp\e504ad32a7457aa63d92a7a97d78498854f0c17935afed7c1f08de010fe59b8a.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ut865216.exe
PID 2380 wrote to memory of 2760 | N/A | C:\Users\Admin\AppData\Local\Temp\e504ad32a7457aa63d92a7a97d78498854f0c17935afed7c1f08de010fe59b8a.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ut865216.exe
PID 2760 wrote to memory of 2680 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ut865216.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iY640225.exe
PID 2760 wrote to memory of 2680 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ut865216.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iY640225.exe
PID 2760 wrote to memory of 2680 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ut865216.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iY640225.exe
PID 2760 wrote to memory of 2680 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ut865216.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iY640225.exe
PID 2760 wrote to memory of 2680 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ut865216.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iY640225.exe
PID 2760 wrote to memory of 2680 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ut865216.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iY640225.exe
PID 2760 wrote to memory of 2680 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ut865216.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iY640225.exe
PID 2680 wrote to memory of 2944 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iY640225.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe
PID 2680 wrote to memory of 2944 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iY640225.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe
PID 2680 wrote to memory of 2944 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iY640225.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe
PID 2680 wrote to memory of 2944 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iY640225.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe
PID 2680 wrote to memory of 2944 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iY640225.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe
PID 2680 wrote to memory of 2944 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iY640225.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe
PID 2680 wrote to memory of 2944 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iY640225.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe
PID 2680 wrote to memory of 2904 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iY640225.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\258768145.exe
PID 2680 wrote to memory of 2904 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iY640225.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\258768145.exe
PID 2680 wrote to memory of 2904 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iY640225.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\258768145.exe
PID 2680 wrote to memory of 2904 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iY640225.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\258768145.exe
PID 2680 wrote to memory of 2904 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iY640225.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\258768145.exe
PID 2680 wrote to memory of 2904 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iY640225.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\258768145.exe
PID 2680 wrote to memory of 2904 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iY640225.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\258768145.exe
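The WriteProcessMemory tables of both runs record the same parent-to-child pair several times, so the execution chain is easier to read once the rows are collapsed into a tree. The script below is an added example (not code from this report or from the sandbox) that deduplicates the win10 run's rows into parent/child lists, reads the IXP00n.TMP component of each image path as the IExpress nesting level of that stage, and marks the process that WerFault.exe was started for: the win10 Processes list shows WerFault with -p 1068, which is the only crash evidence in the report and what the Program crash signature in the summary corresponds to. PIDs and paths are copied from the win10 run; the win7 run differs only in PIDs and has no WerFault entries.

```python
import re
from collections import defaultdict

# Image paths from the win10 run (behavioral2).
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\e504ad32a7457aa63d92a7a97d78498854f0c17935afed7c1f08de010fe59b8a.exe"
UT = r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ut865216.exe"
IY = r"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iY640225.exe"
P106 = r"C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe"
P258 = r"C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\258768145.exe"

# WriteProcessMemory rows as (writer pid, target pid, writer image, target image),
# copied from the win10 table including its repeated rows.
WRITES = ([(2296, 3384, SAMPLE, UT)] * 3 + [(3384, 2108, UT, IY)] * 3
          + [(2108, 1068, IY, P106)] * 3 + [(2108, 2340, IY, P258)] * 3)

# WerFault command lines from the same run's Processes list.
WERFAULT_CMDLINES = [
    r"C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1068 -ip 1068",
    r"C:\Windows\SysWOW64\WerFault.exe -u -p 1068 -s 1080",
]


def build_tree(writes):
    """Collapse repeated writer->target rows into parent/child lists plus a pid->image map."""
    children, image = defaultdict(list), {}
    for wpid, tpid, wimg, timg in writes:
        image.setdefault(wpid, wimg)
        image.setdefault(tpid, timg)
        if tpid not in children[wpid]:
            children[wpid].append(tpid)
    all_children = {c for cs in children.values() for c in cs}
    roots = [pid for pid in image if pid not in all_children]
    return roots, dict(children), image


def crashed_pids(cmdlines):
    """WerFault.exe is started with -p <pid> naming the process that faulted."""
    pids = set()
    for line in cmdlines:
        m = re.search(r"\s-p\s+(\d+)", line)
        if m:
            pids.add(int(m.group(1)))
    return sorted(pids)


def stage_depth(path):
    """IXP000.TMP, IXP001.TMP, ... are IExpress extraction directories; the number says how many
    self-extracting layers the file sits inside (0 = the submitted sample itself)."""
    m = re.search(r"\\IXP(\d{3})\.TMP\\", path)
    return int(m.group(1)) + 1 if m else 0


def render(roots, children, image, crashed=()):
    """Indented tree, one line per process, with its IExpress stage and a crash marker."""
    lines = []

    def walk(pid, depth):
        name = image[pid].rsplit("\\", 1)[-1]
        mark = " [crashed]" if pid in crashed else ""
        lines.append(f"{'  ' * depth}{name} (pid {pid}, stage {stage_depth(image[pid])}){mark}")
        for child in children.get(pid, []):
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return "\n".join(lines)


if __name__ == "__main__":
    roots, children, image = build_tree(WRITES)
    print(render(roots, children, image, crashed_pids(WERFAULT_CMDLINES)))
```

The rendered tree is sample, ut865216.exe, iY640225.exe and then the two stage-3 payloads side by side, with 106888316.exe marked as crashed. That shape (three wrappers, one leaf that tampers with Defender and crashes, one leaf that survives) is the whole story of the detonation in five lines.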

Processes

C:\Users\Admin\AppData\Local\Temp\e504ad32a7457aa63d92a7a97d78498854f0c17935afed7c1f08de010fe59b8a.exe

"C:\Users\Admin\AppData\Local\Temp\e504ad32a7457aa63d92a7a97d78498854f0c17935afed7c1f08de010fe59b8a.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ut865216.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ut865216.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iY640225.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iY640225.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\258768145.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\258768145.exe

Network

Country | Destination | Domain | Proto
RU | 185.161.248.142:38452 | - | tcp
RU | 185.161.248.142:38452 | - | tcp
RU | 185.161.248.142:38452 | - | tcp
RU | 185.161.248.142:38452 | - | tcp
RU | 185.161.248.142:38452 | - | tcp
RU | 185.161.248.142:38452 | - | tcp
RU | 185.161.248.142:38452 | - | tcp
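The win10 run's Network table interleaves reverse (PTR) lookups sent to 8.8.8.8 with repeated TCP connections to 185.161.248.142:38452, while this win7 run shows only the TCP connections; the report does not say which process generated either. The Python below is an added example, not part of the report: it turns each in-addr.arpa name back into the address that was looked up, counts connection attempts per destination socket, and checks whether any looked-up address is also a connection target, which is how you tell whether the PTR traffic belongs to the C2 activity or is unrelated resolver noise. Rows are copied from the win10 table; the field names in the returned dictionary are this example's own.

```python
import ipaddress
from collections import Counter

# Network rows (country, destination, domain, proto) copied from the win10 run's table.
ROWS = [
    ("US", "8.8.8.8:53", "217.106.137.52.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "172.214.232.199.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "71.31.126.40.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "95.221.229.192.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "196.249.167.52.in-addr.arpa", "udp"),
    ("RU", "185.161.248.142:38452", "", "tcp"),
    ("US", "8.8.8.8:53", "200.163.202.172.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "198.187.3.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "67.209.201.84.in-addr.arpa", "udp"),
    ("RU", "185.161.248.142:38452", "", "tcp"),
    ("RU", "185.161.248.142:38452", "", "tcp"),
    ("US", "8.8.8.8:53", "88.210.23.2.in-addr.arpa", "udp"),
    ("RU", "185.161.248.142:38452", "", "tcp"),
    ("US", "8.8.8.8:53", "21.236.111.52.in-addr.arpa", "udp"),
    ("RU", "185.161.248.142:38452", "", "tcp"),
    ("RU", "185.161.248.142:38452", "", "tcp"),
    ("RU", "185.161.248.142:38452", "", "tcp"),
]


def ptr_to_ip(name):
    """Recover the address a reverse lookup asks about: PTR names list the octets
    least-significant first, so 217.106.137.52.in-addr.arpa is about 52.137.106.217."""
    suffix = ".in-addr.arpa"
    if not name.lower().endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    if len(octets) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ipaddress.AddressValueError:
        return None


def triage(rows):
    """Split resolver traffic from direct connections and count attempts per socket."""
    ptr_ips, sockets = [], Counter()
    for country, dest, domain, proto in rows:
        host, _, port = dest.rpartition(":")
        if proto == "udp" and port == "53":
            ip = ptr_to_ip(domain)
            if ip:
                ptr_ips.append(ip)
            continue
        sockets[(country, host, int(port), proto)] += 1
    looked_up = set(ptr_ips)
    connected = {host for _, host, _, _ in sockets}
    return {
        "ptr_ips": ptr_ips,
        "connections": dict(sockets),
        # Non-empty only if something resolved a connection target back to a name.
        "ptr_for_connection": sorted(looked_up & connected),
        "public_connections": sorted(h for h in connected if ipaddress.ip_address(h).is_global),
    }


if __name__ == "__main__":
    result = triage(ROWS)
    for (country, host, port, proto), n in result["connections"].items():
        print(f"{host}:{port}/{proto} ({country}) attempted {n} times")
    print("reverse-looked-up addresses:", result["ptr_ips"])
    print("overlap with connection targets:", result["ptr_for_connection"])
```

For this report the overlap is empty: none of the ten reverse lookups concerns 185.161.248.142, so the PTR traffic and the seven connection attempts to the RU socket are independent indicators, and only the socket belongs on a block list.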

Files

memory/2380-0-0x0000000002C70000-0x0000000002D44000-memory.dmp

memory/2380-1-0x0000000002C70000-0x0000000002D44000-memory.dmp

memory/2380-2-0x00000000045E0000-0x00000000046BD000-memory.dmp

memory/2380-3-0x0000000000400000-0x00000000004E1000-memory.dmp

\Users\Admin\AppData\Local\Temp\IXP000.TMP\ut865216.exe

MD5 d65c8e9f391cf20655232c5c987b746f
SHA1 bfce684cea9f3ad1f8319e3dd581f58ec22df410
SHA256 0376e92c9fdd3170bd6c4589d0ab56494bbef6ebb0c1ec8c2be1ea0c637281dc
SHA512 226c17e238df5c15eb0a90d5e6922f131e45daa44bee1d7dffe934068cb0db54e03fb23d45826e6daf21f5251bc1cfa65948f19dc45c4c9099376f724e342597

\Users\Admin\AppData\Local\Temp\IXP001.TMP\iY640225.exe

MD5 79bb8aa7f82a94ba01dc4b70c63957e0
SHA1 535a7c0407de96fdce4bf3017f07b4333e9acc01
SHA256 337c493481660ea88e0c92612f9caafff009cf7820f9fb84746b24ed2b64fff9
SHA512 c7adba7203490aee60aa1b678632df1b1b168f47810bc927978f9b8b7e8ace467446c58f8ae85f3f5bbd3fa4cbae2ace32f67b893c02282de618878b98b50139

\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe

MD5 e1b364b4b96ca742b39a069ca1390a0b
SHA1 970e15712c7b43117b2144d2dbf2aed590fff249
SHA256 dc2f6a4b3d395642bdd40c133807093078b2e6b7f4e683a878d63e258d58cb4b
SHA512 4b48624e84da9949c79e3116f9327cd1f1cd1a68cf495db1c7203db470fc668afca3f48674fc47244e6d6e9157a0d3adaa22183a20470a57df1c5f4a31f8573d

memory/2944-38-0x0000000002C50000-0x0000000002C6A000-memory.dmp

memory/2944-39-0x0000000002C80000-0x0000000002C98000-memory.dmp

memory/2944-54-0x0000000002C80000-0x0000000002C92000-memory.dmp

memory/2944-67-0x0000000002C80000-0x0000000002C92000-memory.dmp

memory/2944-65-0x0000000002C80000-0x0000000002C92000-memory.dmp

memory/2944-63-0x0000000002C80000-0x0000000002C92000-memory.dmp

memory/2944-61-0x0000000002C80000-0x0000000002C92000-memory.dmp

memory/2944-60-0x0000000002C80000-0x0000000002C92000-memory.dmp

memory/2944-57-0x0000000002C80000-0x0000000002C92000-memory.dmp

memory/2944-55-0x0000000002C80000-0x0000000002C92000-memory.dmp

memory/2944-51-0x0000000002C80000-0x0000000002C92000-memory.dmp

memory/2944-49-0x0000000002C80000-0x0000000002C92000-memory.dmp

memory/2944-48-0x0000000002C80000-0x0000000002C92000-memory.dmp

memory/2944-45-0x0000000002C80000-0x0000000002C92000-memory.dmp

memory/2944-43-0x0000000002C80000-0x0000000002C92000-memory.dmp

memory/2944-41-0x0000000002C80000-0x0000000002C92000-memory.dmp

memory/2944-40-0x0000000002C80000-0x0000000002C92000-memory.dmp

memory/2380-68-0x0000000002C70000-0x0000000002D44000-memory.dmp

memory/2380-69-0x00000000045E0000-0x00000000046BD000-memory.dmp

memory/2380-71-0x0000000000400000-0x00000000004E1000-memory.dmp

memory/2380-70-0x0000000000400000-0x0000000002C64000-memory.dmp

memory/2944-72-0x0000000000400000-0x0000000002BAF000-memory.dmp

\Users\Admin\AppData\Local\Temp\IXP002.TMP\258768145.exe

MD5 848ce28183931ae67c8a0d8ce3a1efc3
SHA1 a39582bf82be42b8cf83b0015130273ab0e51c90
SHA256 1920e51f6e64752f4dd7474638b8d86c646e1b8cc4099415d2319d038fe1aff3
SHA512 430e793cac623274f0082eaec2377e946d9238f394837272ea4237ef305a00b3db28c081d6c82d2fbcadab0dc5a11769ebd9423e9129279a91ffe4b7aeae4b1d

memory/2944-73-0x0000000000400000-0x0000000002BAF000-memory.dmp

memory/2904-85-0x0000000003230000-0x000000000326A000-memory.dmp

memory/2904-117-0x0000000003230000-0x0000000003265000-memory.dmp

memory/2904-115-0x0000000003230000-0x0000000003265000-memory.dmp

memory/2904-113-0x0000000003230000-0x0000000003265000-memory.dmp

memory/2904-111-0x0000000003230000-0x0000000003265000-memory.dmp

memory/2904-109-0x0000000003230000-0x0000000003265000-memory.dmp

memory/2904-107-0x0000000003230000-0x0000000003265000-memory.dmp

memory/2904-105-0x0000000003230000-0x0000000003265000-memory.dmp

memory/2904-103-0x0000000003230000-0x0000000003265000-memory.dmp

memory/2904-101-0x0000000003230000-0x0000000003265000-memory.dmp

memory/2904-99-0x0000000003230000-0x0000000003265000-memory.dmp

memory/2904-97-0x0000000003230000-0x0000000003265000-memory.dmp

memory/2904-95-0x0000000003230000-0x0000000003265000-memory.dmp

memory/2904-93-0x0000000003230000-0x0000000003265000-memory.dmp

memory/2904-91-0x0000000003230000-0x0000000003265000-memory.dmp

memory/2904-89-0x0000000003230000-0x0000000003265000-memory.dmp

memory/2904-87-0x0000000003230000-0x0000000003265000-memory.dmp

memory/2904-86-0x0000000003230000-0x0000000003265000-memory.dmp

memory/2904-84-0x0000000002F10000-0x0000000002F4C000-memory.dmp