Analysis Overview
SHA256
a5ab0a682a53e9a62a8f84a3a4a0af33e2d91c0e700fe733ec072884bf213a28
Threat Level: Known bad
The file a5ab0a682a53e9a62a8f84a3a4a0af33e2d91c0e700fe733ec072884bf213a28 was found to be: Known bad.
Malicious Activity Summary
Redline family
Detects Healer an antivirus disabler dropper
Healer family
RedLine
Modifies Windows Defender Real-time Protection settings
Healer
RedLine payload
Loads dropped DLL
Executes dropped EXE
Windows security modification
Adds Run key to start application
System Location Discovery: System Language Discovery
Program crash
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-10 01:57
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-10 01:57
Reported
2024-11-10 02:00
Platform
win10v2004-20241007-en
Max time kernel
144s
Max time network
152s
Command Line
Signatures
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ut865216.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iY640225.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\258768145.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\a5ab0a682a53e9a62a8f84a3a4a0af33e2d91c0e700fe733ec072884bf213a28.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ut865216.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iY640225.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a5ab0a682a53e9a62a8f84a3a4a0af33e2d91c0e700fe733ec072884bf213a28.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ut865216.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iY640225.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\258768145.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\258768145.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a5ab0a682a53e9a62a8f84a3a4a0af33e2d91c0e700fe733ec072884bf213a28.exe
"C:\Users\Admin\AppData\Local\Temp\a5ab0a682a53e9a62a8f84a3a4a0af33e2d91c0e700fe733ec072884bf213a28.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ut865216.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ut865216.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iY640225.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iY640225.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3480 -ip 3480
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3480 -s 1084
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\258768145.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\258768145.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| RU | 185.161.248.142:38452 | N/A | tcp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.117.19.2.in-addr.arpa | udp |
| RU | 185.161.248.142:38452 | N/A | tcp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| RU | 185.161.248.142:38452 | N/A | tcp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| RU | 185.161.248.142:38452 | N/A | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| RU | 185.161.248.142:38452 | N/A | tcp |
| RU | 185.161.248.142:38452 | N/A | tcp |
| RU | 185.161.248.142:38452 | N/A | tcp |
Files
memory/3904-1-0x00000000026B0000-0x000000000278D000-memory.dmp
memory/3904-2-0x0000000002840000-0x000000000291D000-memory.dmp
memory/3904-3-0x0000000000400000-0x00000000004E1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ut865216.exe
| MD5 | d65c8e9f391cf20655232c5c987b746f |
| SHA1 | bfce684cea9f3ad1f8319e3dd581f58ec22df410 |
| SHA256 | 0376e92c9fdd3170bd6c4589d0ab56494bbef6ebb0c1ec8c2be1ea0c637281dc |
| SHA512 | 226c17e238df5c15eb0a90d5e6922f131e45daa44bee1d7dffe934068cb0db54e03fb23d45826e6daf21f5251bc1cfa65948f19dc45c4c9099376f724e342597 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iY640225.exe
| MD5 | 79bb8aa7f82a94ba01dc4b70c63957e0 |
| SHA1 | 535a7c0407de96fdce4bf3017f07b4333e9acc01 |
| SHA256 | 337c493481660ea88e0c92612f9caafff009cf7820f9fb84746b24ed2b64fff9 |
| SHA512 | c7adba7203490aee60aa1b678632df1b1b168f47810bc927978f9b8b7e8ace467446c58f8ae85f3f5bbd3fa4cbae2ace32f67b893c02282de618878b98b50139 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe
| MD5 | e1b364b4b96ca742b39a069ca1390a0b |
| SHA1 | 970e15712c7b43117b2144d2dbf2aed590fff249 |
| SHA256 | dc2f6a4b3d395642bdd40c133807093078b2e6b7f4e683a878d63e258d58cb4b |
| SHA512 | 4b48624e84da9949c79e3116f9327cd1f1cd1a68cf495db1c7203db470fc668afca3f48674fc47244e6d6e9157a0d3adaa22183a20470a57df1c5f4a31f8573d |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\258768145.exe
| MD5 | 848ce28183931ae67c8a0d8ce3a1efc3 |
| SHA1 | a39582bf82be42b8cf83b0015130273ab0e51c90 |
| SHA256 | 1920e51f6e64752f4dd7474638b8d86c646e1b8cc4099415d2319d038fe1aff3 |
| SHA512 | 430e793cac623274f0082eaec2377e946d9238f394837272ea4237ef305a00b3db28c081d6c82d2fbcadab0dc5a11769ebd9423e9129279a91ffe4b7aeae4b1d |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-10 01:57
Reported
2024-11-10 02:00
Platform
win7-20241023-en
Max time kernel
142s
Max time network
146s
Command Line
Signatures
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ut865216.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iY640225.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\258768145.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a5ab0a682a53e9a62a8f84a3a4a0af33e2d91c0e700fe733ec072884bf213a28.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ut865216.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ut865216.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iY640225.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iY640225.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iY640225.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iY640225.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iY640225.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\258768145.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\a5ab0a682a53e9a62a8f84a3a4a0af33e2d91c0e700fe733ec072884bf213a28.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ut865216.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iY640225.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iY640225.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\258768145.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a5ab0a682a53e9a62a8f84a3a4a0af33e2d91c0e700fe733ec072884bf213a28.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ut865216.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\258768145.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a5ab0a682a53e9a62a8f84a3a4a0af33e2d91c0e700fe733ec072884bf213a28.exe
"C:\Users\Admin\AppData\Local\Temp\a5ab0a682a53e9a62a8f84a3a4a0af33e2d91c0e700fe733ec072884bf213a28.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ut865216.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ut865216.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iY640225.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iY640225.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\258768145.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\258768145.exe
Network
| Country | Destination | Domain | Proto |
| RU | 185.161.248.142:38452 | N/A | tcp |
| RU | 185.161.248.142:38452 | N/A | tcp |
| RU | 185.161.248.142:38452 | N/A | tcp |
| RU | 185.161.248.142:38452 | N/A | tcp |
| RU | 185.161.248.142:38452 | N/A | tcp |
| RU | 185.161.248.142:38452 | N/A | tcp |
| RU | 185.161.248.142:38452 | N/A | tcp |
Files
memory/2556-0-0x0000000002190000-0x0000000002264000-memory.dmp
memory/2556-2-0x0000000002270000-0x000000000234D000-memory.dmp
memory/2556-1-0x0000000002190000-0x0000000002264000-memory.dmp
memory/2556-3-0x0000000000400000-0x00000000004E1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ut865216.exe
| MD5 | d65c8e9f391cf20655232c5c987b746f |
| SHA1 | bfce684cea9f3ad1f8319e3dd581f58ec22df410 |
| SHA256 | 0376e92c9fdd3170bd6c4589d0ab56494bbef6ebb0c1ec8c2be1ea0c637281dc |
| SHA512 | 226c17e238df5c15eb0a90d5e6922f131e45daa44bee1d7dffe934068cb0db54e03fb23d45826e6daf21f5251bc1cfa65948f19dc45c4c9099376f724e342597 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iY640225.exe
| MD5 | 79bb8aa7f82a94ba01dc4b70c63957e0 |
| SHA1 | 535a7c0407de96fdce4bf3017f07b4333e9acc01 |
| SHA256 | 337c493481660ea88e0c92612f9caafff009cf7820f9fb84746b24ed2b64fff9 |
| SHA512 | c7adba7203490aee60aa1b678632df1b1b168f47810bc927978f9b8b7e8ace467446c58f8ae85f3f5bbd3fa4cbae2ace32f67b893c02282de618878b98b50139 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe
| MD5 | e1b364b4b96ca742b39a069ca1390a0b |
| SHA1 | 970e15712c7b43117b2144d2dbf2aed590fff249 |
| SHA256 | dc2f6a4b3d395642bdd40c133807093078b2e6b7f4e683a878d63e258d58cb4b |
| SHA512 | 4b48624e84da9949c79e3116f9327cd1f1cd1a68cf495db1c7203db470fc668afca3f48674fc47244e6d6e9157a0d3adaa22183a20470a57df1c5f4a31f8573d |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\258768145.exe
| MD5 | 848ce28183931ae67c8a0d8ce3a1efc3 |
| SHA1 | a39582bf82be42b8cf83b0015130273ab0e51c90 |
| SHA256 | 1920e51f6e64752f4dd7474638b8d86c646e1b8cc4099415d2319d038fe1aff3 |
| SHA512 | 430e793cac623274f0082eaec2377e946d9238f394837272ea4237ef305a00b3db28c081d6c82d2fbcadab0dc5a11769ebd9423e9129279a91ffe4b7aeae4b1d |