Analysis Overview
SHA256
541ae9709f2ec7e1f2e1b6a70d829b019ce1cddbb40d6367683254a3def0a29f
Threat Level: Known bad
The file 541ae9709f2ec7e1f2e1b6a70d829b019ce1cddbb40d6367683254a3def0a29f was found to be: Known bad.
Malicious Activity Summary
Healer
RedLine
RedLine payload
Detects Healer an antivirus disabler dropper
Healer family
Redline family
Modifies Windows Defender Real-time Protection settings
Loads dropped DLL
Windows security modification
Executes dropped EXE
Adds Run key to start application
Launches sc.exe
Program crash
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-10 03:04
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-10 03:04
Reported
2024-11-10 03:07
Platform
win7-20240729-en
Max time kernel
142s
Max time network
136s
Signatures
Detects Healer an antivirus disabler dropper
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus7633.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus7633.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\con6268.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\con6268.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\con6268.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\con6268.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus7633.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus7633.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus7633.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus7633.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\con6268.exe | N/A |
RedLine
RedLine payload
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino6742.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino9436.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino5640.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus7633.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\con6268.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dpg51s94.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\541ae9709f2ec7e1f2e1b6a70d829b019ce1cddbb40d6367683254a3def0a29f.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino6742.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino6742.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino9436.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino9436.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino5640.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino5640.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino5640.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino5640.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\con6268.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino9436.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino9436.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dpg51s94.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\con6268.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\con6268.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus7633.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus7633.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\541ae9709f2ec7e1f2e1b6a70d829b019ce1cddbb40d6367683254a3def0a29f.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino6742.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino9436.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino5640.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\con6268.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dpg51s94.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\541ae9709f2ec7e1f2e1b6a70d829b019ce1cddbb40d6367683254a3def0a29f.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino6742.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino9436.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino5640.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus7633.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus7633.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\con6268.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\con6268.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus7633.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\con6268.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dpg51s94.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\541ae9709f2ec7e1f2e1b6a70d829b019ce1cddbb40d6367683254a3def0a29f.exe | "C:\Users\Admin\AppData\Local\Temp\541ae9709f2ec7e1f2e1b6a70d829b019ce1cddbb40d6367683254a3def0a29f.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino6742.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino6742.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino9436.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino9436.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino5640.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino5640.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus7633.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus7633.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\con6268.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\con6268.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dpg51s94.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dpg51s94.exe |
Network
| Country | Destination | Domain | Proto |
| RU | 193.233.20.28:4125 | | tcp |
| RU | 193.233.20.28:4125 | | tcp |
| RU | 193.233.20.28:4125 | | tcp |
| RU | 193.233.20.28:4125 | | tcp |
| RU | 193.233.20.28:4125 | | tcp |
Files
\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino6742.exe
| MD5 | d002e028bd1862c880c32fd09eec0045 |
| SHA1 | e6dea77f2fb0e00cc0a433f8085ce364483f5baf |
| SHA256 | 15168784e897c58005ec226eecf7e8cee53a31f730b8b1dc599ac677d56e8c3d |
| SHA512 | 124777f67f8db216309b8f9c97b6a52f4552fe9c4a0012653e064301154621267104a049fcb18ef44be9832ded47fa28849fdd29d81ab9d5a05db3126f43c6cb |
\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino9436.exe
| MD5 | a5e5c10ad66cdb985bdce37e30dd8420 |
| SHA1 | 48cd762daf9154ed659ea582a60e1c3630d08ab3 |
| SHA256 | 2aad3eeacf1054d8d6216ff2e7b339d268f52f21c20c4a1c82a7f171fcaaecda |
| SHA512 | 6cb1e818cd52e9f5c25631f9e25e6833844ea6fbe5c74f5a73f819e509e3eeed19e40e684bcd6be94143bde37d10f2b23cc2779002fb3715eff378ba9e496d23 |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus7633.exe
| MD5 | 7e93bacbbc33e6652e147e7fe07572a0 |
| SHA1 | 421a7167da01c8da4dc4d5234ca3dd84e319e762 |
| SHA256 | 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38 |
| SHA512 | 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91 |
\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino5640.exe
| MD5 | b7b557baccaca94e616f5c0b15b7705f |
| SHA1 | 96b24a5c203dcc436ee855a2e5865f0cbf4c3a6a |
| SHA256 | 8731df5a7994a7b63322005beb16b04439e2ed91f755520a147f7da97233feed |
| SHA512 | 9bacaec4f03bca1568044743f24908f450bd0daebb40de9f00bbb4b2de302883f84d8c8874a113bef9be14cef71bc4a84f62aeba33a91433143c37746e40c31f |
\Users\Admin\AppData\Local\Temp\IXP003.TMP\con6268.exe
| MD5 | eb18febec8a2d2e4513f61b1a136fdb0 |
| SHA1 | 85737459ebfb938d87872cb5d168324deb949dce |
| SHA256 | 8fad4d01624fe82405c0147b9e92343ce5047cc1d2d151c97e77e5be740eea11 |
| SHA512 | d09179235717fc3c0f07494e7d980327ca3b37a8037cbfae9b148b624f81c73dba961913894bcf26b9099a2a5ec22b3387e7cdaebe64f243036188f78d342b5b |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dpg51s94.exe
| MD5 | a05d319fe69e0221aec1629ee79c7108 |
| SHA1 | a2e2d9170c53e2c7a4e922b6ca0fe0a511f2e6e8 |
| SHA256 | 142ea8c91df09af566345bb8426eccf9966ebc868fbd5ea17e9d911df7abb7c8 |
| SHA512 | 89c2d15de903a3db7500e44193db49adacdadb36a4e641b5e4c3a10ea90a41d59b436ac47f62e9612b475057cb67c20ec456633dedf39060192871781aebcc2a |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-10 03:04
Reported
2024-11-10 03:07
Platform
win10v2004-20241007-en
Max time kernel
142s
Max time network
144s
Signatures
Detects Healer an antivirus disabler dropper
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus7633.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus7633.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\con6268.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\con6268.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\con6268.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\con6268.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\con6268.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus7633.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus7633.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus7633.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus7633.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\con6268.exe | N/A |
RedLine
RedLine payload
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino6742.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino9436.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino5640.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus7633.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\con6268.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dpg51s94.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\con6268.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\con6268.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus7633.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino5640.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\541ae9709f2ec7e1f2e1b6a70d829b019ce1cddbb40d6367683254a3def0a29f.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino6742.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino9436.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\con6268.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\541ae9709f2ec7e1f2e1b6a70d829b019ce1cddbb40d6367683254a3def0a29f.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino6742.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino9436.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino5640.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\con6268.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dpg51s94.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus7633.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus7633.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\con6268.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\con6268.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus7633.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\con6268.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dpg51s94.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\541ae9709f2ec7e1f2e1b6a70d829b019ce1cddbb40d6367683254a3def0a29f.exe | "C:\Users\Admin\AppData\Local\Temp\541ae9709f2ec7e1f2e1b6a70d829b019ce1cddbb40d6367683254a3def0a29f.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino6742.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino6742.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino9436.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino9436.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino5640.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino5640.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus7633.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus7633.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\con6268.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\con6268.exe |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3528 -ip 3528 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 3528 -s 976 |
| C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dpg51s94.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dpg51s94.exe |
| C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe start wuauserv |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| RU | 193.233.20.28:4125 | | tcp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| RU | 193.233.20.28:4125 | | tcp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| RU | 193.233.20.28:4125 | | tcp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| RU | 193.233.20.28:4125 | | tcp |
| RU | 193.233.20.28:4125 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino6742.exe
| MD5 | d002e028bd1862c880c32fd09eec0045 |
| SHA1 | e6dea77f2fb0e00cc0a433f8085ce364483f5baf |
| SHA256 | 15168784e897c58005ec226eecf7e8cee53a31f730b8b1dc599ac677d56e8c3d |
| SHA512 | 124777f67f8db216309b8f9c97b6a52f4552fe9c4a0012653e064301154621267104a049fcb18ef44be9832ded47fa28849fdd29d81ab9d5a05db3126f43c6cb |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino9436.exe
| MD5 | a5e5c10ad66cdb985bdce37e30dd8420 |
| SHA1 | 48cd762daf9154ed659ea582a60e1c3630d08ab3 |
| SHA256 | 2aad3eeacf1054d8d6216ff2e7b339d268f52f21c20c4a1c82a7f171fcaaecda |
| SHA512 | 6cb1e818cd52e9f5c25631f9e25e6833844ea6fbe5c74f5a73f819e509e3eeed19e40e684bcd6be94143bde37d10f2b23cc2779002fb3715eff378ba9e496d23 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino5640.exe
| MD5 | b7b557baccaca94e616f5c0b15b7705f |
| SHA1 | 96b24a5c203dcc436ee855a2e5865f0cbf4c3a6a |
| SHA256 | 8731df5a7994a7b63322005beb16b04439e2ed91f755520a147f7da97233feed |
| SHA512 | 9bacaec4f03bca1568044743f24908f450bd0daebb40de9f00bbb4b2de302883f84d8c8874a113bef9be14cef71bc4a84f62aeba33a91433143c37746e40c31f |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus7633.exe
| MD5 | 7e93bacbbc33e6652e147e7fe07572a0 |
| SHA1 | 421a7167da01c8da4dc4d5234ca3dd84e319e762 |
| SHA256 | 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38 |
| SHA512 | 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91 |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\con6268.exe
| MD5 | eb18febec8a2d2e4513f61b1a136fdb0 |
| SHA1 | 85737459ebfb938d87872cb5d168324deb949dce |
| SHA256 | 8fad4d01624fe82405c0147b9e92343ce5047cc1d2d151c97e77e5be740eea11 |
| SHA512 | d09179235717fc3c0f07494e7d980327ca3b37a8037cbfae9b148b624f81c73dba961913894bcf26b9099a2a5ec22b3387e7cdaebe64f243036188f78d342b5b |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dpg51s94.exe
| MD5 | a05d319fe69e0221aec1629ee79c7108 |
| SHA1 | a2e2d9170c53e2c7a4e922b6ca0fe0a511f2e6e8 |
| SHA256 | 142ea8c91df09af566345bb8426eccf9966ebc868fbd5ea17e9d911df7abb7c8 |
| SHA512 | 89c2d15de903a3db7500e44193db49adacdadb36a4e641b5e4c3a10ea90a41d59b436ac47f62e9612b475057cb67c20ec456633dedf39060192871781aebcc2a |