Malware Analysis Report

2024-12-06 03:01

Sample ID 241110-cfbfmswnct
Target 81d5c6797f26ea24943a80ec5b5a9ef1fc5e69ece84b6d417bc1eb7170d2050f
SHA256 81d5c6797f26ea24943a80ec5b5a9ef1fc5e69ece84b6d417bc1eb7170d2050f
Tags healer redline discovery dropper evasion infostealer persistence trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 81d5c6797f26ea24943a80ec5b5a9ef1fc5e69ece84b6d417bc1eb7170d2050f

Threat Level: Known bad

The file 81d5c6797f26ea24943a80ec5b5a9ef1fc5e69ece84b6d417bc1eb7170d2050f was found to be: Known bad.

Malicious Activity Summary

healer redline discovery dropper evasion infostealer persistence trojan

Detects Healer an antivirus disabler dropper

RedLine payload

Healer family

Healer

Modifies Windows Defender Real-time Protection settings

RedLine

Redline family

Windows security modification

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

System Location Discovery: System Language Discovery

Unsigned PE

Program crash

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 02:00

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 02:00

Reported

2024-11-10 02:03

Platform

win7-20240903-en

Max time kernel

142s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\81d5c6797f26ea24943a80ec5b5a9ef1fc5e69ece84b6d417bc1eb7170d2050f.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\156413437.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\156413437.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\156413437.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\156413437.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\156413437.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\156413437.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Redline family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\156413437.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\156413437.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\81d5c6797f26ea24943a80ec5b5a9ef1fc5e69ece84b6d417bc1eb7170d2050f.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ws707062.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\UP235332.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\81d5c6797f26ea24943a80ec5b5a9ef1fc5e69ece84b6d417bc1eb7170d2050f.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ws707062.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\UP235332.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\156413437.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\210661960.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\156413437.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\156413437.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\156413437.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\210661960.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2788 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\81d5c6797f26ea24943a80ec5b5a9ef1fc5e69ece84b6d417bc1eb7170d2050f.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ws707062.exe
PID 2788 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\81d5c6797f26ea24943a80ec5b5a9ef1fc5e69ece84b6d417bc1eb7170d2050f.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ws707062.exe
PID 2788 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\81d5c6797f26ea24943a80ec5b5a9ef1fc5e69ece84b6d417bc1eb7170d2050f.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ws707062.exe
PID 2788 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\81d5c6797f26ea24943a80ec5b5a9ef1fc5e69ece84b6d417bc1eb7170d2050f.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ws707062.exe
PID 2788 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\81d5c6797f26ea24943a80ec5b5a9ef1fc5e69ece84b6d417bc1eb7170d2050f.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ws707062.exe
PID 2788 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\81d5c6797f26ea24943a80ec5b5a9ef1fc5e69ece84b6d417bc1eb7170d2050f.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ws707062.exe
PID 2788 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\81d5c6797f26ea24943a80ec5b5a9ef1fc5e69ece84b6d417bc1eb7170d2050f.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ws707062.exe
PID 2748 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ws707062.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\UP235332.exe
PID 2748 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ws707062.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\UP235332.exe
PID 2748 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ws707062.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\UP235332.exe
PID 2748 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ws707062.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\UP235332.exe
PID 2748 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ws707062.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\UP235332.exe
PID 2748 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ws707062.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\UP235332.exe
PID 2748 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ws707062.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\UP235332.exe
PID 2832 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\UP235332.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\156413437.exe
PID 2832 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\UP235332.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\156413437.exe
PID 2832 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\UP235332.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\156413437.exe
PID 2832 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\UP235332.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\156413437.exe
PID 2832 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\UP235332.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\156413437.exe
PID 2832 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\UP235332.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\156413437.exe
PID 2832 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\UP235332.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\156413437.exe
PID 2832 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\UP235332.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\210661960.exe
PID 2832 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\UP235332.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\210661960.exe
PID 2832 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\UP235332.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\210661960.exe
PID 2832 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\UP235332.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\210661960.exe
PID 2832 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\UP235332.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\210661960.exe
PID 2832 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\UP235332.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\210661960.exe
PID 2832 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\UP235332.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\210661960.exe

Processes

C:\Users\Admin\AppData\Local\Temp\81d5c6797f26ea24943a80ec5b5a9ef1fc5e69ece84b6d417bc1eb7170d2050f.exe

"C:\Users\Admin\AppData\Local\Temp\81d5c6797f26ea24943a80ec5b5a9ef1fc5e69ece84b6d417bc1eb7170d2050f.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ws707062.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ws707062.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\UP235332.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\UP235332.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\156413437.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\156413437.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\210661960.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\210661960.exe

Network

Country Destination Domain Proto
RU 185.161.248.143:38452 N/A tcp
RU 185.161.248.143:38452 N/A tcp
RU 185.161.248.143:38452 N/A tcp
RU 185.161.248.143:38452 N/A tcp
RU 185.161.248.143:38452 N/A tcp
RU 185.161.248.143:38452 N/A tcp
RU 185.161.248.143:38452 N/A tcp

Files

memory/2788-0-0x0000000002C60000-0x0000000002D33000-memory.dmp

memory/2788-1-0x0000000002C60000-0x0000000002D33000-memory.dmp

memory/2788-2-0x00000000045C0000-0x000000000469D000-memory.dmp

memory/2788-3-0x0000000000400000-0x00000000004E0000-memory.dmp

\Users\Admin\AppData\Local\Temp\IXP000.TMP\ws707062.exe

MD5 fa00be7caa8c76ecf693086a43a6fa72
SHA1 5a824c7908f9a759b12be9aa2c5d758e003f36eb
SHA256 47ad2bf46a37ecfa35b25a2a5e59bda6d82e8768361fc9726e2a84d84a85a4b1
SHA512 cd1f0cc4dfa573648f8979cdc448f45b4ab07ae5e760541725d6a0dba1fa398208b534bb224e5fff79c9953a3ac89bcd3e5aca2c518143bce9dc68a55e4c62ea

\Users\Admin\AppData\Local\Temp\IXP001.TMP\UP235332.exe

MD5 200afa6d30b530e30060f4732a7d7ad8
SHA1 cada950005d7c663e2076e0d8a8147e49b9fbdd2
SHA256 d4a96660a52626abf454197b499e0c0ab26ed25462b08bbd8b0c14cca16620be
SHA512 d91886c594ff70176cd81f319f63092058729fba82789bae3173f711d32eac6ae189d8b930178338dfac441ec2e8b5d28f18e20f3d58e4f1a26ca86fd49eae2d

\Users\Admin\AppData\Local\Temp\IXP002.TMP\156413437.exe

MD5 4d86b1f078cf5b393a3c4c1977338041
SHA1 08ffce6e13ae74e83023e643ea97b0d9960e6e24
SHA256 a27c02ac2161eee8c4887a42c42af559a1be457c6b46d368c46eafeb3b878e1b
SHA512 f1a4aa45b0a55467d479dc23502556c8766a7551ad3f688fd3092c713f41775373d1a7d3e5c3193ee4d0d8c786bad6dfd0aa20a8702460632612dd992e4e07b0

memory/2736-38-0x0000000002BE0000-0x0000000002BFA000-memory.dmp

memory/2736-39-0x0000000002C70000-0x0000000002C88000-memory.dmp

memory/2736-40-0x0000000002C70000-0x0000000002C82000-memory.dmp

memory/2736-63-0x0000000002C70000-0x0000000002C82000-memory.dmp

memory/2736-67-0x0000000002C70000-0x0000000002C82000-memory.dmp

memory/2736-66-0x0000000002C70000-0x0000000002C82000-memory.dmp

memory/2736-61-0x0000000002C70000-0x0000000002C82000-memory.dmp

memory/2736-59-0x0000000002C70000-0x0000000002C82000-memory.dmp

memory/2736-57-0x0000000002C70000-0x0000000002C82000-memory.dmp

memory/2736-55-0x0000000002C70000-0x0000000002C82000-memory.dmp

memory/2736-53-0x0000000002C70000-0x0000000002C82000-memory.dmp

memory/2736-51-0x0000000002C70000-0x0000000002C82000-memory.dmp

memory/2736-49-0x0000000002C70000-0x0000000002C82000-memory.dmp

memory/2736-47-0x0000000002C70000-0x0000000002C82000-memory.dmp

memory/2736-45-0x0000000002C70000-0x0000000002C82000-memory.dmp

memory/2736-43-0x0000000002C70000-0x0000000002C82000-memory.dmp

memory/2736-41-0x0000000002C70000-0x0000000002C82000-memory.dmp

memory/2788-68-0x0000000002C60000-0x0000000002D33000-memory.dmp

memory/2788-69-0x00000000045C0000-0x000000000469D000-memory.dmp

memory/2788-71-0x0000000000400000-0x00000000004E0000-memory.dmp

memory/2788-70-0x0000000000400000-0x0000000002C53000-memory.dmp

\Users\Admin\AppData\Local\Temp\IXP002.TMP\210661960.exe

MD5 a57403199ddf1fad6096938e90ccc21e
SHA1 45bcfc93e33259f76bfb8a68b19b4b43dd28678e
SHA256 eb0fb8fabb95798d507af3ed1999ab280efb55d61f62222aad3fc59be9551c3e
SHA512 eeeba09adb6171e9a56481e4b68b53359a0d94c16716e0783d7cfd69d61c923f627d41c1e47f0164a705445bf182cbf912347577bb45418fbe44c242bdba4bb7

memory/2736-73-0x0000000000400000-0x0000000002B9E000-memory.dmp

memory/2736-72-0x0000000000400000-0x0000000002B9E000-memory.dmp

memory/2884-84-0x0000000004EA0000-0x0000000004EDC000-memory.dmp

memory/2884-85-0x0000000007580000-0x00000000075BA000-memory.dmp

memory/2884-86-0x0000000007580000-0x00000000075B5000-memory.dmp

memory/2884-87-0x0000000007580000-0x00000000075B5000-memory.dmp

memory/2884-89-0x0000000007580000-0x00000000075B5000-memory.dmp

memory/2884-91-0x0000000007580000-0x00000000075B5000-memory.dmp

memory/2884-93-0x0000000007580000-0x00000000075B5000-memory.dmp

memory/2884-95-0x0000000007580000-0x00000000075B5000-memory.dmp

memory/2884-97-0x0000000007580000-0x00000000075B5000-memory.dmp

memory/2884-99-0x0000000007580000-0x00000000075B5000-memory.dmp

memory/2884-101-0x0000000007580000-0x00000000075B5000-memory.dmp

memory/2884-103-0x0000000007580000-0x00000000075B5000-memory.dmp

memory/2884-105-0x0000000007580000-0x00000000075B5000-memory.dmp

memory/2884-107-0x0000000007580000-0x00000000075B5000-memory.dmp

memory/2884-109-0x0000000007580000-0x00000000075B5000-memory.dmp

memory/2884-111-0x0000000007580000-0x00000000075B5000-memory.dmp

memory/2884-113-0x0000000007580000-0x00000000075B5000-memory.dmp

memory/2884-115-0x0000000007580000-0x00000000075B5000-memory.dmp

memory/2884-117-0x0000000007580000-0x00000000075B5000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-10 02:00

Reported

2024-11-10 02:03

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\81d5c6797f26ea24943a80ec5b5a9ef1fc5e69ece84b6d417bc1eb7170d2050f.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\156413437.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\156413437.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\156413437.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\156413437.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\156413437.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\156413437.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Redline family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\156413437.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\156413437.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\81d5c6797f26ea24943a80ec5b5a9ef1fc5e69ece84b6d417bc1eb7170d2050f.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ws707062.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\UP235332.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\UP235332.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\156413437.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\210661960.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\81d5c6797f26ea24943a80ec5b5a9ef1fc5e69ece84b6d417bc1eb7170d2050f.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ws707062.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\156413437.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\156413437.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\156413437.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\210661960.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4416 wrote to memory of 4900 N/A C:\Users\Admin\AppData\Local\Temp\81d5c6797f26ea24943a80ec5b5a9ef1fc5e69ece84b6d417bc1eb7170d2050f.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ws707062.exe
PID 4416 wrote to memory of 4900 N/A C:\Users\Admin\AppData\Local\Temp\81d5c6797f26ea24943a80ec5b5a9ef1fc5e69ece84b6d417bc1eb7170d2050f.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ws707062.exe
PID 4416 wrote to memory of 4900 N/A C:\Users\Admin\AppData\Local\Temp\81d5c6797f26ea24943a80ec5b5a9ef1fc5e69ece84b6d417bc1eb7170d2050f.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ws707062.exe
PID 4900 wrote to memory of 4524 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ws707062.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\UP235332.exe
PID 4900 wrote to memory of 4524 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ws707062.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\UP235332.exe
PID 4900 wrote to memory of 4524 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ws707062.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\UP235332.exe
PID 4524 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\UP235332.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\156413437.exe
PID 4524 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\UP235332.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\156413437.exe
PID 4524 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\UP235332.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\156413437.exe
PID 4524 wrote to memory of 4508 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\UP235332.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\210661960.exe
PID 4524 wrote to memory of 4508 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\UP235332.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\210661960.exe
PID 4524 wrote to memory of 4508 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\UP235332.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\210661960.exe

Processes

C:\Users\Admin\AppData\Local\Temp\81d5c6797f26ea24943a80ec5b5a9ef1fc5e69ece84b6d417bc1eb7170d2050f.exe

"C:\Users\Admin\AppData\Local\Temp\81d5c6797f26ea24943a80ec5b5a9ef1fc5e69ece84b6d417bc1eb7170d2050f.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ws707062.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ws707062.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\UP235332.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\UP235332.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\156413437.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\156413437.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2624 -ip 2624

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2624 -s 1092

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\210661960.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\210661960.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
RU 185.161.248.143:38452 N/A tcp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
RU 185.161.248.143:38452 N/A tcp
RU 185.161.248.143:38452 N/A tcp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
RU 185.161.248.143:38452 N/A tcp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
RU 185.161.248.143:38452 N/A tcp
RU 185.161.248.143:38452 N/A tcp
RU 185.161.248.143:38452 N/A tcp
US 8.8.8.8:53 13.179.89.13.in-addr.arpa udp

Files

memory/4416-1-0x0000000004A00000-0x0000000004AD7000-memory.dmp

memory/4416-2-0x0000000004AE0000-0x0000000004BBD000-memory.dmp

memory/4416-3-0x0000000000400000-0x00000000004E0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ws707062.exe

MD5 fa00be7caa8c76ecf693086a43a6fa72
SHA1 5a824c7908f9a759b12be9aa2c5d758e003f36eb
SHA256 47ad2bf46a37ecfa35b25a2a5e59bda6d82e8768361fc9726e2a84d84a85a4b1
SHA512 cd1f0cc4dfa573648f8979cdc448f45b4ab07ae5e760541725d6a0dba1fa398208b534bb224e5fff79c9953a3ac89bcd3e5aca2c518143bce9dc68a55e4c62ea

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\UP235332.exe

MD5 200afa6d30b530e30060f4732a7d7ad8
SHA1 cada950005d7c663e2076e0d8a8147e49b9fbdd2
SHA256 d4a96660a52626abf454197b499e0c0ab26ed25462b08bbd8b0c14cca16620be
SHA512 d91886c594ff70176cd81f319f63092058729fba82789bae3173f711d32eac6ae189d8b930178338dfac441ec2e8b5d28f18e20f3d58e4f1a26ca86fd49eae2d

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\156413437.exe

MD5 4d86b1f078cf5b393a3c4c1977338041
SHA1 08ffce6e13ae74e83023e643ea97b0d9960e6e24
SHA256 a27c02ac2161eee8c4887a42c42af559a1be457c6b46d368c46eafeb3b878e1b
SHA512 f1a4aa45b0a55467d479dc23502556c8766a7551ad3f688fd3092c713f41775373d1a7d3e5c3193ee4d0d8c786bad6dfd0aa20a8702460632612dd992e4e07b0

memory/2624-26-0x0000000004990000-0x00000000049AA000-memory.dmp

memory/2624-27-0x00000000072D0000-0x0000000007874000-memory.dmp

memory/2624-28-0x0000000007130000-0x0000000007148000-memory.dmp

memory/2624-42-0x0000000007130000-0x0000000007142000-memory.dmp

memory/2624-56-0x0000000007130000-0x0000000007142000-memory.dmp

memory/2624-54-0x0000000007130000-0x0000000007142000-memory.dmp

memory/2624-52-0x0000000007130000-0x0000000007142000-memory.dmp

memory/2624-50-0x0000000007130000-0x0000000007142000-memory.dmp

memory/2624-48-0x0000000007130000-0x0000000007142000-memory.dmp

memory/2624-46-0x0000000007130000-0x0000000007142000-memory.dmp

memory/2624-44-0x0000000007130000-0x0000000007142000-memory.dmp

memory/2624-40-0x0000000007130000-0x0000000007142000-memory.dmp

memory/2624-29-0x0000000007130000-0x0000000007142000-memory.dmp

memory/2624-38-0x0000000007130000-0x0000000007142000-memory.dmp

memory/2624-36-0x0000000007130000-0x0000000007142000-memory.dmp

memory/2624-34-0x0000000007130000-0x0000000007142000-memory.dmp

memory/2624-32-0x0000000007130000-0x0000000007142000-memory.dmp

memory/2624-30-0x0000000007130000-0x0000000007142000-memory.dmp

memory/4416-57-0x0000000004A00000-0x0000000004AD7000-memory.dmp

memory/4416-59-0x0000000004AE0000-0x0000000004BBD000-memory.dmp

memory/4416-58-0x0000000000400000-0x0000000002C53000-memory.dmp

memory/4416-60-0x0000000000400000-0x00000000004E0000-memory.dmp

memory/2624-61-0x0000000000400000-0x0000000002B9E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\210661960.exe

MD5 a57403199ddf1fad6096938e90ccc21e
SHA1 45bcfc93e33259f76bfb8a68b19b4b43dd28678e
SHA256 eb0fb8fabb95798d507af3ed1999ab280efb55d61f62222aad3fc59be9551c3e
SHA512 eeeba09adb6171e9a56481e4b68b53359a0d94c16716e0783d7cfd69d61c923f627d41c1e47f0164a705445bf182cbf912347577bb45418fbe44c242bdba4bb7

memory/2624-63-0x0000000000400000-0x0000000002B9E000-memory.dmp

memory/4508-68-0x0000000007150000-0x000000000718C000-memory.dmp

memory/4508-69-0x00000000071D0000-0x000000000720A000-memory.dmp

memory/4508-73-0x00000000071D0000-0x0000000007205000-memory.dmp

memory/4508-83-0x00000000071D0000-0x0000000007205000-memory.dmp

memory/4508-101-0x00000000071D0000-0x0000000007205000-memory.dmp

memory/4508-99-0x00000000071D0000-0x0000000007205000-memory.dmp

memory/4508-97-0x00000000071D0000-0x0000000007205000-memory.dmp

memory/4508-95-0x00000000071D0000-0x0000000007205000-memory.dmp

memory/4508-93-0x00000000071D0000-0x0000000007205000-memory.dmp

memory/4508-91-0x00000000071D0000-0x0000000007205000-memory.dmp

memory/4508-89-0x00000000071D0000-0x0000000007205000-memory.dmp

memory/4508-87-0x00000000071D0000-0x0000000007205000-memory.dmp

memory/4508-81-0x00000000071D0000-0x0000000007205000-memory.dmp

memory/4508-79-0x00000000071D0000-0x0000000007205000-memory.dmp

memory/4508-77-0x00000000071D0000-0x0000000007205000-memory.dmp

memory/4508-75-0x00000000071D0000-0x0000000007205000-memory.dmp

memory/4508-85-0x00000000071D0000-0x0000000007205000-memory.dmp

memory/4508-71-0x00000000071D0000-0x0000000007205000-memory.dmp

memory/4508-70-0x00000000071D0000-0x0000000007205000-memory.dmp

memory/4508-862-0x0000000009CB0000-0x000000000A2C8000-memory.dmp

memory/4508-863-0x000000000A340000-0x000000000A352000-memory.dmp

memory/4508-864-0x000000000A360000-0x000000000A46A000-memory.dmp

memory/4508-865-0x000000000A480000-0x000000000A4BC000-memory.dmp

memory/4508-866-0x0000000006C80000-0x0000000006CCC000-memory.dmp