Malware Analysis Report

2025-05-28 18:49

Sample ID 241110-d8zjlssjdp
Target 9e1afba927d1940092b1a000b98cb46d6b5a2454cf6957fd11b72df739aa48d4
SHA256 9e1afba927d1940092b1a000b98cb46d6b5a2454cf6957fd11b72df739aa48d4
Tags healer redline discovery dropper evasion infostealer persistence trojan
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score 10/10
SHA256 9e1afba927d1940092b1a000b98cb46d6b5a2454cf6957fd11b72df739aa48d4
Threat level: Known bad

Malicious Activity Summary

Tags: healer redline discovery dropper evasion infostealer persistence trojan

In both detonations (Windows 7 and Windows 10) the sample behaves as a three-level nested self-extracting dropper: it unpacks qv264349.exe into IXP000.TMP, which unpacks gv434705.exe into IXP001.TMP, which unpacks and launches two payloads from IXP002.TMP. One payload, 137239924.exe, writes the Windows Defender policy values that disable real-time protection and attempts to clear the TamperProtection feature flag; on Windows 10 it also crashed (WerFault.exe was launched for its PID). The other payload, 217307972.exe, runs alongside it. Both payloads enable SeDebugPrivilege, 137239924.exe enumerates running processes, and a TCP connection to 185.161.248.142:38452 is observed in both runs. The Healer and RedLine signature hits are not attributed to a specific process in this extract.

Triggered signatures:
Redline family
RedLine
Healer family
RedLine payload
Detects Healer, an antivirus disabler dropper
Healer
Modifies Windows Defender Real-time Protection settings
Executes dropped EXE
Loads dropped DLL
Windows security modification
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Program crash
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-11-10 03:41

Signatures

Unsigned PE (no indicator rows recorded)

Analysis: behavioral1

Detonation Overview

Submitted 2024-11-10 03:41
Reported 2024-11-10 03:43
Platform win7-20240903-en
Max time kernel 142s
Max time network 149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9e1afba927d1940092b1a000b98cb46d6b5a2454cf6957fd11b72df739aa48d4.exe"

Signatures

Detects Healer, an antivirus disabler dropper (no indicator rows recorded)

Healer (tags: dropper, healer)

Healer family (tags: healer)

Modifies Windows Defender Real-time Protection settings (tags: evasion, trojan)

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\137239924.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\137239924.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\137239924.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\137239924.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\137239924.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\137239924.exe N/A

The report records these registry operations, not their effect. The five values live under the Real-Time Protection policy key that Group Policy writes to, so when Defender honours them they switch off real-time scanning, behaviour monitoring, on-access protection, scanning of downloaded files and attachments (IOAV), and the process scan that runs when real-time protection is re-enabled. On Windows 10 with Tamper Protection enabled, Defender refuses these changes; the same process also tries to clear the TamperProtection flag itself (see Windows security modification below).

RedLine (tags: infostealer, redline)

RedLine payload (no indicator rows recorded)

Redline family (tags: redline)

Windows security modification (tags: evasion, trojan)

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\137239924.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\137239924.exe N/A

Adds Run key to start application (tags: persistence)

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qv264349.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gv434705.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\9e1afba927d1940092b1a000b98cb46d6b5a2454cf6957fd11b72df739aa48d4.exe N/A

Note: the wextract_cleanupN RunOnce values, which call DelNodeRunDLL32 in advpack.dll to delete an IXP00N.TMP directory at the next logon, are the standard cleanup mechanism of wextract.exe, the self-extractor used by IExpress packages; the IXP000.TMP, IXP001.TMP and IXP002.TMP directory names come from the same component. Each of the three layers registered one entry for the directory it created, which confirms that the sample is three nested self-extracting packages. These values remove the extraction directories rather than relaunch a payload; no Run or RunOnce value pointing at a dropped executable is recorded in this run, so the "persistence" tag should be read with that in mind.

System Location Discovery: System Language Discovery (tag: discovery)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\217307972.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\9e1afba927d1940092b1a000b98cb46d6b5a2454cf6957fd11b72df739aa48d4.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qv264349.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gv434705.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\137239924.exe N/A

Suspicious behavior: EnumeratesProcesses

Process: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\137239924.exe (2 events; no indicator recorded)

Suspicious use of AdjustPrivilegeToken

Token: SeDebugPrivilege  Process: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\137239924.exe
Token: SeDebugPrivilege  Process: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\217307972.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2600 wrote to memory of 1548 (7 events) N/A C:\Users\Admin\AppData\Local\Temp\9e1afba927d1940092b1a000b98cb46d6b5a2454cf6957fd11b72df739aa48d4.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qv264349.exe
PID 1548 wrote to memory of 2432 (7 events) N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qv264349.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gv434705.exe
PID 2432 wrote to memory of 1540 (7 events) N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gv434705.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\137239924.exe
PID 2432 wrote to memory of 2512 (7 events) N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gv434705.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\217307972.exe

Every write goes from a parent to the child it has just started, which is consistent with ordinary process creation (CreateProcess writes the new process's parameters into the child with WriteProcessMemory) rather than with code injection into an unrelated process. The value of these rows is the parent-child chain they record: 2600 -> 1548 -> 2432 -> {1540, 2512}.

Processes

Process tree (PIDs taken from the WriteProcessMemory rows and the memory-dump names):

2600 C:\Users\Admin\AppData\Local\Temp\9e1afba927d1940092b1a000b98cb46d6b5a2454cf6957fd11b72df739aa48d4.exe
     command line: "C:\Users\Admin\AppData\Local\Temp\9e1afba927d1940092b1a000b98cb46d6b5a2454cf6957fd11b72df739aa48d4.exe"
  1548 C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qv264349.exe
    2432 C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gv434705.exe
      1540 C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\137239924.exe
      2512 C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\217307972.exe

The dropped executables were each launched with their own path as the command line and no arguments.

Network

Country Destination Domain Proto
RU 185.161.248.142:38452 (no domain) tcp (7 connections)

The only network destination in this run is 185.161.248.142 on TCP port 38452, contacted seven times; no DNS lookup for it is recorded. The report does not attribute the connections to a process.

Files

memory/2600-0-0x00000000008E0000-0x00000000009DC000-memory.dmp
memory/2600-1-0x00000000008E0000-0x00000000009DC000-memory.dmp
memory/2600-2-0x0000000002280000-0x0000000002386000-memory.dmp
memory/2600-3-0x0000000000400000-0x0000000000509000-memory.dmp

\Users\Admin\AppData\Local\Temp\IXP000.TMP\qv264349.exe
MD5 0e3a87f5fbde6985aa586bb53da140d8
SHA1 f87d70a6bf68b017be78540cbceb35d9cf3267e8
SHA256 d13043c44eca8a7eb2415dc218d87a5d9b561783ff92d215dfb248b38d20b423
SHA512 52ec3ad56b9e3edb497ad4f2fd916162fbf35020b9c8931f31dff6e374ea505d42144a4ddb8e77214d2a562f3d15ea58bf091ca612826975cbcac72db1ae251c

\Users\Admin\AppData\Local\Temp\IXP001.TMP\gv434705.exe
MD5 dbf7b7943e0bbfbfe2ff3081429310c2
SHA1 4633b71d0234283b80e9cd8cf3ae8a638866b8d0
SHA256 93394041a467699908ec68b26301930ab36f0bf0164bde2a1b195f6c9b919d2d
SHA512 884eb3bd5c1cca47c47406ff2834129ee971b2480659450bb775b39cdf3a7ade843e2a359ab5b76bd7bd04877698c1fa58df484daa80a6433e0757d3ac4f803e

\Users\Admin\AppData\Local\Temp\IXP002.TMP\137239924.exe
MD5 808c6015ca73ae5171c3cb969a156c6b
SHA1 3ab3439a5c48623a248166eed4f20e73437b2e36
SHA256 bb8e0f54593b23da5b272eb1734b6eec66f09d07b2699162f8e77b73094346fc
SHA512 a1821b2168460260a28aeb0b881be02e264f4abbf8ef3800f3ac442da72667bfb3406b6941ceea92e86a50e764f0e882c3d767766ed88ac71c34809002ca6483

memory/1540-38-0x00000000003D0000-0x00000000003EA000-memory.dmp
memory/1540-39-0x00000000023C0000-0x00000000023D8000-memory.dmp
memory/1540-{40,41,43,45,47,49,51,53,55,57,59,61,63,65,67}-0x00000000023C0000-0x00000000023D2000-memory.dmp (15 dumps of the same region)
memory/2600-68-0x00000000008E0000-0x00000000009DC000-memory.dmp
memory/2600-69-0x0000000002280000-0x0000000002386000-memory.dmp
memory/2600-70-0x0000000000400000-0x00000000008E0000-memory.dmp
memory/2600-71-0x0000000000400000-0x0000000000509000-memory.dmp
memory/1540-72-0x0000000000400000-0x0000000000803000-memory.dmp

\Users\Admin\AppData\Local\Temp\IXP002.TMP\217307972.exe
MD5 28c9569fdfa17a87ada4d354430339f8
SHA1 d14414d275ead078c603ff60c08ce452475d3c5a
SHA256 3640ff98e63f79701d453338015bb2053e359016fb7e0d82b681b751adae04b1
SHA512 354bf9c17a39487f5d3125eb7aff5735f9fe7eb5a926d78f21ce5d0f7ee532da15b0b231151b772a2b6f79707e3eb21f77968a98ce59c31179ea62dac82d1610

memory/2512-84-0x0000000002AD0000-0x0000000002B0C000-memory.dmp
memory/2512-85-0x0000000002C70000-0x0000000002CAA000-memory.dmp
memory/2512-{86,87,89,91,93,95,97,99,101,103,105,107,109,111,113,115,117}-0x0000000002C70000-0x0000000002CA5000-memory.dmp (17 dumps of the same region)

Analysis: behavioral2

Detonation Overview

Submitted 2024-11-10 03:41
Reported 2024-11-10 03:43
Platform win10v2004-20241007-en
Max time kernel 149s
Max time network 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9e1afba927d1940092b1a000b98cb46d6b5a2454cf6957fd11b72df739aa48d4.exe"

Signatures

Detects Healer, an antivirus disabler dropper (no indicator rows recorded)

Healer (tags: dropper, healer)

Healer family (tags: healer)

Modifies Windows Defender Real-time Protection settings (tags: evasion, trojan)

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\137239924.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\137239924.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\137239924.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\137239924.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\137239924.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\137239924.exe N/A

On Windows 10 the same five values are written by the same component, but the sandbox records them under \SOFTWARE\WOW6432Node\Policies\..., that is, through the 32-bit registry view of this 32-bit process, whereas the Windows 7 run shows them under \SOFTWARE\Policies\... Detection content should strip the WOW6432Node component before matching the key path rather than match either spelling literally. As in the Windows 7 run, the report shows the writes, not whether Defender accepted them; with Tamper Protection enabled these changes are refused.

RedLine (tags: infostealer, redline)

RedLine payload (no indicator rows recorded)

Redline family (tags: redline)

Windows security modification (tags: evasion, trojan)

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\137239924.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\137239924.exe N/A
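The Defender registry writes in both runs (the Real-Time Protection policy values and the TamperProtection flag, in the Windows 7 tables earlier and in the Windows 10 tables above) differ only in the WOW6432Node component of the key path. The following Python is an added example, not part of this report or of any sandbox vendor's tooling. It parses rows in the report's own row layout (constructed copies of rows from both runs are embedded), normalises the key path so both spellings compare equal, and returns one finding per Defender control switched off, tagged with ATT&CK T1562.001. The helper names, the row regex and the effect descriptions are this example's own.

```python
"""Flag Windows Defender tampering in sandbox registry rows.

Added example (not part of the sandbox report or of any vendor tooling).
Rows follow the report's layout: <operation> <native key path>[ = "<data>"] <process> <target>.
"""
import re
from dataclasses import dataclass

ATTACK_TECHNIQUE = "T1562.001"  # Impair Defenses: Disable or Modify Tools

# Real-Time Protection policy values; each disables one Defender component when set to 1.
RTP_DISABLE_VALUES = {
    "DisableRealtimeMonitoring": "real-time scanning",
    "DisableBehaviorMonitoring": "behaviour monitoring",
    "DisableOnAccessProtection": "on-access file scanning",
    "DisableIOAVProtection": "scanning of downloaded files and attachments",
    "DisableScanOnRealtimeEnable": "the process scan run when real-time protection is (re)enabled",
}
RTP_POLICY_KEY = r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
TP_FEATURES_KEY = r"HKLM\SOFTWARE\Microsoft\Windows Defender\Features"

# One table row. The path is matched non-greedily because it contains spaces.
ROW_RE = re.compile(
    r'^(?P<op>Key created|Key opened|Set value \((?:int|str)\))\s+'
    r'(?P<path>\\REGISTRY\\\S.*?)'
    r'(?:\s+=\s+"(?P<data>[^"]*)")?'
    r'\s+(?P<proc>[A-Za-z]:\\\S+)\s+(?P<target>\S+)$'
)

# Constructed sample: rows copied from the two detonations in this report.
_HEALER = r"C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\137239924.exe"
_W7 = r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
_W10 = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection"
SAMPLE_ROWS = [
    rf"Key created {_W7} {_HEALER} N/A",
    rf'Set value (int) {_W7}\DisableBehaviorMonitoring = "1" {_HEALER} N/A',
    rf'Set value (int) {_W7}\DisableIOAVProtection = "1" {_HEALER} N/A',
    rf'Set value (int) {_W7}\DisableOnAccessProtection = "1" {_HEALER} N/A',
    rf'Set value (int) {_W7}\DisableRealtimeMonitoring = "1" {_HEALER} N/A',
    rf'Set value (int) {_W7}\DisableScanOnRealtimeEnable = "1" {_HEALER} N/A',
    rf'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" {_HEALER} N/A',
    rf'Set value (int) {_W10}\DisableScanOnRealtimeEnable = "1" {_HEALER} N/A',  # Windows 10 spelling
    r"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language "
    r"C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\217307972.exe N/A",  # benign row, must not fire
]


@dataclass(frozen=True)
class Finding:
    process: str
    key: str
    value: str
    data: str
    effect: str
    technique: str = ATTACK_TECHNIQUE


def normalize_key(path: str) -> str:
    """Map \\REGISTRY\\MACHINE\\... to HKLM\\... and drop the WOW64 redirection
    component, so the 32-bit and 64-bit views of one key compare equal."""
    p = re.sub(r"^\\REGISTRY\\MACHINE\\", lambda _: "HKLM\\", path, flags=re.I)
    return re.sub(r"\\WOW6432Node(?=\\)", "", p, flags=re.I)


def parse_row(row: str):
    """Split one sandbox row into its columns, or return None if it is not one."""
    m = ROW_RE.match(row.strip())
    return m.groupdict() if m else None


def detect_defender_tampering(rows):
    """Return one Finding per registry write that weakens Defender."""
    findings = []
    for row in rows:
        r = parse_row(row)
        if not r or not r["op"].startswith("Set value"):
            continue
        key, _, value = normalize_key(r["path"]).rpartition("\\")
        if key.lower() == RTP_POLICY_KEY.lower() and value in RTP_DISABLE_VALUES and r["data"] == "1":
            effect = "disables " + RTP_DISABLE_VALUES[value]
        elif key.lower() == TP_FEATURES_KEY.lower() and value == "TamperProtection" and r["data"] == "0":
            effect = "tries to switch off Tamper Protection (refused by Defender when it is on)"
        else:
            continue
        findings.append(Finding(r["proc"], key, value, r["data"], effect))
    return findings


def disabled_controls(findings):
    """Sorted, de-duplicated list of the Defender values that were tampered with."""
    return sorted({f.value for f in findings})


if __name__ == "__main__":
    for f in detect_defender_tampering(SAMPLE_ROWS):
        print(f"{f.technique} {f.process}: {f.value}={f.data} -> {f.effect}")
```

The normalisation step is the part worth keeping: a rule that matches `\Policies\Microsoft\Windows Defender\Real-Time Protection` literally fires on the Windows 7 rows but misses the Windows 10 rows, and the reverse is true for a rule written against the WOW6432Node spelling.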

Adds Run key to start application (tags: persistence)

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\9e1afba927d1940092b1a000b98cb46d6b5a2454cf6957fd11b72df739aa48d4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qv264349.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gv434705.exe N/A

As in the Windows 7 run, these wextract_cleanupN values are the cleanup entries that wextract.exe (the IExpress self-extractor) registers to delete its IXP00N.TMP directory at the next logon, one per extraction layer. They remove evidence rather than persist a payload; no Run or RunOnce value pointing at a dropped executable is recorded.

System Location Discovery: System Language Discovery (tag: discovery)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\217307972.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\9e1afba927d1940092b1a000b98cb46d6b5a2454cf6957fd11b72df739aa48d4.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qv264349.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gv434705.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\137239924.exe N/A

Suspicious behavior: EnumeratesProcesses

Process: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\137239924.exe (2 events; no indicator recorded)

Suspicious use of AdjustPrivilegeToken

Token: SeDebugPrivilege  Process: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\137239924.exe
Token: SeDebugPrivilege  Process: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\217307972.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2460 wrote to memory of 3764 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\9e1afba927d1940092b1a000b98cb46d6b5a2454cf6957fd11b72df739aa48d4.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qv264349.exe
PID 3764 wrote to memory of 3432 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qv264349.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gv434705.exe
PID 3432 wrote to memory of 3192 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gv434705.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\137239924.exe
PID 3432 wrote to memory of 5024 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gv434705.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\217307972.exe

The chain is 2460 -> 3764 -> 3432 -> {3192, 5024}, mirroring the Windows 7 run with three writes per edge instead of seven. As there, each write is from a parent into the child it has just created, the pattern of ordinary process creation rather than of injection into a foreign process.
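The WriteProcessMemory rows above, and their Windows 7 counterparts earlier, are the report's only explicit parent-child record. The following Python is an added example, not part of this report or of any vendor's code. It folds the repeated rows into counted edges, prints the process tree from the root, and checks that every hop descends exactly one IXP00N.TMP layer, which is what a chain of nested self-extracting packages should look like. The embedded rows are constructed from the behavioral2 table; the function names are this example's own.

```python
"""Rebuild a sandbox process chain from WriteProcessMemory rows.

Added example, not part of the report or of any sandbox vendor's code.
Row layout: "PID <src> wrote to memory of <dst> N/A <src image> <dst image>".
"""
import re
from collections import Counter, defaultdict

WPM_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+)\s+\S+\s+"
    r"(?P<src_img>[A-Za-z]:\\\S+)\s+(?P<dst_img>[A-Za-z]:\\\S+)$"
)

# Constructed from the behavioral2 table: four edges, each listed three times
# because the sandbox emits one row per WriteProcessMemory call.
_BASE = r"C:\Users\Admin\AppData\Local\Temp"
_EDGES = [
    (2460, 3764, _BASE + r"\9e1afba927d1940092b1a000b98cb46d6b5a2454cf6957fd11b72df739aa48d4.exe",
     _BASE + r"\IXP000.TMP\qv264349.exe"),
    (3764, 3432, _BASE + r"\IXP000.TMP\qv264349.exe", _BASE + r"\IXP001.TMP\gv434705.exe"),
    (3432, 3192, _BASE + r"\IXP001.TMP\gv434705.exe", _BASE + r"\IXP002.TMP\137239924.exe"),
    (3432, 5024, _BASE + r"\IXP001.TMP\gv434705.exe", _BASE + r"\IXP002.TMP\217307972.exe"),
]
SAMPLE_ROWS = [f"PID {s} wrote to memory of {d} N/A {si} {di}"
               for s, d, si, di in _EDGES for _ in range(3)]


def parse_edges(rows):
    """Return (Counter of (src_pid, dst_pid) -> number of writes, {pid: image path})."""
    edges, images = Counter(), {}
    for row in rows:
        m = WPM_RE.match(row.strip())
        if not m:
            continue  # not a WriteProcessMemory row
        src, dst = int(m["src"]), int(m["dst"])
        edges[(src, dst)] += 1
        images[src], images[dst] = m["src_img"], m["dst_img"]
    return edges, images


def build_tree(edges):
    """Return (root PIDs, {parent: [children in first-seen order]})."""
    children = defaultdict(list)
    for src, dst in edges:  # Counter keeps insertion order
        if dst not in children[src]:
            children[src].append(dst)
    written_to = {dst for _, dst in edges}
    roots = sorted({src for src, _ in edges if src not in written_to})
    return roots, dict(children)


def extraction_depth(image):
    """0 for the original sample, N+1 for a file dropped under IXP00N.TMP."""
    m = re.search(r"\\IXP(\d{3})\.TMP\\", image)
    return int(m.group(1)) + 1 if m else 0


def layers_are_consistent(rows):
    """True when every parent->child hop goes exactly one extraction layer deeper."""
    edges, images = parse_edges(rows)
    return all(extraction_depth(images[d]) - extraction_depth(images[s]) == 1 for s, d in edges)


def render(rows):
    """One indented line per process, with layer depth and write count from its parent."""
    edges, images = parse_edges(rows)
    roots, children = build_tree(edges)
    lines = []

    def walk(pid, parent, depth):
        writes = f" ({edges[(parent, pid)]} writes from {parent})" if parent is not None else ""
        lines.append(f"{'  ' * depth}{pid} {images[pid]} [layer {extraction_depth(images[pid])}]{writes}")
        for child in children.get(pid, []):
            walk(child, pid, depth + 1)

    for root in roots:
        walk(root, None, 0)
    return lines


if __name__ == "__main__":
    print("\n".join(render(SAMPLE_ROWS)))
    print("nested self-extractor chain:", layers_are_consistent(SAMPLE_ROWS))
```

The layer check is the part that turns a generic process tree into a statement about the packaging: a hop that stays on the same layer, or skips one, would mean something other than wextract.exe launched the child.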

Processes

Process tree (PIDs taken from the WriteProcessMemory rows, the WerFault command lines and the memory-dump names):

2460 C:\Users\Admin\AppData\Local\Temp\9e1afba927d1940092b1a000b98cb46d6b5a2454cf6957fd11b72df739aa48d4.exe
     command line: "C:\Users\Admin\AppData\Local\Temp\9e1afba927d1940092b1a000b98cb46d6b5a2454cf6957fd11b72df739aa48d4.exe"
  3764 C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qv264349.exe
    3432 C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gv434705.exe
      3192 C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\137239924.exe
      5024 C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\217307972.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3192 -ip 3192
C:\Windows\SysWOW64\WerFault.exe -u -p 3192 -s 1084

The two WerFault.exe instances are Windows Error Reporting handling a crash of PID 3192, the Defender-disabling component 137239924.exe (the "Program crash" tag in the summary); the SysWOW64 path shows the crashed process was 32-bit. WerFault is a legitimate system binary here, not part of the malware. The dropped executables were each launched with their own path as the command line and no arguments.

Network

Country Destination Domain Proto
RU 185.161.248.142:38452 (no domain) tcp (7 connections)
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 (no domain) udp

The in-addr.arpa entries are reverse (PTR) lookups sent to 8.8.8.8 for seven addresses; none of them is 185.161.248.142, and the report does not attribute them to a process, so they are not usable as indicators on their own. The TCP destination 185.161.248.142:38452 is identical in both detonations and is reached without a preceding DNS query, which makes the IP:port pair the network indicator to pivot on.

Files

memory/2460-1-0x00000000025E0000-0x00000000026DE000-memory.dmp
memory/2460-2-0x0000000002730000-0x0000000002836000-memory.dmp
memory/2460-3-0x0000000000400000-0x0000000000509000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qv264349.exe
MD5 0e3a87f5fbde6985aa586bb53da140d8
SHA1 f87d70a6bf68b017be78540cbceb35d9cf3267e8
SHA256 d13043c44eca8a7eb2415dc218d87a5d9b561783ff92d215dfb248b38d20b423
SHA512 52ec3ad56b9e3edb497ad4f2fd916162fbf35020b9c8931f31dff6e374ea505d42144a4ddb8e77214d2a562f3d15ea58bf091ca612826975cbcac72db1ae251c

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gv434705.exe
MD5 dbf7b7943e0bbfbfe2ff3081429310c2
SHA1 4633b71d0234283b80e9cd8cf3ae8a638866b8d0
SHA256 93394041a467699908ec68b26301930ab36f0bf0164bde2a1b195f6c9b919d2d
SHA512 884eb3bd5c1cca47c47406ff2834129ee971b2480659450bb775b39cdf3a7ade843e2a359ab5b76bd7bd04877698c1fa58df484daa80a6433e0757d3ac4f803e

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\137239924.exe
MD5 808c6015ca73ae5171c3cb969a156c6b
SHA1 3ab3439a5c48623a248166eed4f20e73437b2e36
SHA256 bb8e0f54593b23da5b272eb1734b6eec66f09d07b2699162f8e77b73094346fc
SHA512 a1821b2168460260a28aeb0b881be02e264f4abbf8ef3800f3ac442da72667bfb3406b6941ceea92e86a50e764f0e882c3d767766ed88ac71c34809002ca6483

memory/3192-26-0x0000000000400000-0x0000000000803000-memory.dmp
memory/3192-27-0x0000000000400000-0x0000000000803000-memory.dmp
memory/3192-28-0x00000000024F0000-0x000000000250A000-memory.dmp
memory/3192-29-0x0000000005000000-0x00000000055A4000-memory.dmp
memory/3192-30-0x0000000002560000-0x0000000002578000-memory.dmp
memory/3192-{31,32,34,36,39,40,42,44,46,49,50,52,54,56,58}-0x0000000002560000-0x0000000002572000-memory.dmp (15 dumps of the same region)
memory/2460-59-0x00000000025E0000-0x00000000026DE000-memory.dmp
memory/2460-60-0x0000000002730000-0x0000000002836000-memory.dmp
memory/2460-61-0x0000000000400000-0x0000000000509000-memory.dmp
memory/2460-62-0x0000000000400000-0x00000000008E0000-memory.dmp
memory/3192-66-0x0000000000400000-0x0000000000803000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\217307972.exe
MD5 28c9569fdfa17a87ada4d354430339f8
SHA1 d14414d275ead078c603ff60c08ce452475d3c5a
SHA256 3640ff98e63f79701d453338015bb2053e359016fb7e0d82b681b751adae04b1
SHA512 354bf9c17a39487f5d3125eb7aff5735f9fe7eb5a926d78f21ce5d0f7ee532da15b0b231151b772a2b6f79707e3eb21f77968a98ce59c31179ea62dac82d1610

memory/5024-71-0x0000000002410000-0x000000000244C000-memory.dmp
memory/5024-72-0x0000000004E00000-0x0000000004E3A000-memory.dmp
memory/5024-{73,74,76,78,80,82,84,86,88,90,92,94,96,98,100,102,104}-0x0000000004E00000-0x0000000004E35000-memory.dmp (17 dumps of the same region)
memory/5024-865-0x0000000007940000-0x0000000007F58000-memory.dmp
memory/5024-866-0x0000000007FA0000-0x0000000007FB2000-memory.dmp
memory/5024-867-0x0000000007FC0000-0x00000000080CA000-memory.dmp
memory/5024-868-0x00000000080E0000-0x000000000811C000-memory.dmp
memory/5024-869-0x00000000027D0000-0x000000000281C000-memory.dmp

qv264349.exe, gv434705.exe, 137239924.exe and 217307972.exe hash identically in the Windows 7 and Windows 10 runs, so the four SHA256 values above (together with that of the outer sample) are stable file indicators regardless of the platform the dropper is run on.