Analysis Overview
SHA256
51e92258193ecd9ae214c6940dea24683471bf912f183f21f98eabc8e9fa1403
Threat Level: Known bad
The file 51e92258193ecd9ae214c6940dea24683471bf912f183f21f98eabc8e9fa1403 was found to be: Known bad.
Malicious Activity Summary
RedLine payload
Modifies Windows Defender Real-time Protection settings
RedLine
Redline family
Executes dropped EXE
Windows security modification
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-11 06:48
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-11 06:48
Reported
2024-11-11 06:51
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
149s
Command Line
Signatures
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a0215221.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a0215221.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a0215221.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a0215221.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a0215221.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a0215221.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3604953.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1994845.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a0215221.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b2915517.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a0215221.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a0215221.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\51e92258193ecd9ae214c6940dea24683471bf912f183f21f98eabc8e9fa1403.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3604953.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1994845.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\51e92258193ecd9ae214c6940dea24683471bf912f183f21f98eabc8e9fa1403.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3604953.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1994845.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a0215221.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b2915517.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a0215221.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a0215221.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a0215221.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\51e92258193ecd9ae214c6940dea24683471bf912f183f21f98eabc8e9fa1403.exe
"C:\Users\Admin\AppData\Local\Temp\51e92258193ecd9ae214c6940dea24683471bf912f183f21f98eabc8e9fa1403.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3604953.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3604953.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1994845.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1994845.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a0215221.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a0215221.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b2915517.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b2915517.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| RU | 185.161.248.75:4132 | N/A | tcp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| RU | 185.161.248.75:4132 | N/A | tcp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| RU | 185.161.248.75:4132 | N/A | tcp |
| RU | 185.161.248.75:4132 | N/A | tcp |
| RU | 185.161.248.75:4132 | N/A | tcp |
| RU | 185.161.248.75:4132 | N/A | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3604953.exe
| MD5 | b8e462df97eb6c9b27bfa81dc5a6ec72 |
| SHA1 | c7c3fe68fdb9f5cea51900f0255c79276bdc89db |
| SHA256 | 36cf47120fcd4b71f989ce13edf46764c91c4ecbeb8ba49f455dad5a71c5f9e8 |
| SHA512 | 5d059f54958a4df6bb47bf5b57f0b869387c76d29538ba5ba0fe5d5ef2a0c9e865f95dde8ed0c0f89b036742c49aeda599930aebb7eeb70538a75328fcd80b12 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1994845.exe
| MD5 | 93ef0e9a3a2d6465200f788a722053e6 |
| SHA1 | c1367f9baa6ca778edc75b9ea9ce7ad380f9c3a2 |
| SHA256 | feb41c1421820612aea856752a440f5030ad82646383b722635a7f8e9aee6d0a |
| SHA512 | 47de94ce27749890b172c4ab4aa81ec71d89d904ca980b4d8d5bfc4e2fbc65c4df9590ffa81e9bbcd3b7761570ce90811cc11ec9ebbfa8cd080633f5dc6af0c9 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a0215221.exe
| MD5 | d4c640fb500618ad6c9fc5fe7d3e784d |
| SHA1 | 850df0880e1685ce709b44afbbb365cab4f0fec4 |
| SHA256 | a511ae2083565f7f66afa9902f2d6aaa5bdf56c8a148609bfe949880a74ff44b |
| SHA512 | a28a51e937a11c9d72f7450b86469609d972a1e65c176bf92a47922eaf9cf72d3a49f0d40702f6f22bfd3f2c9f9e36edfefecdd263e1d49f3546f44d4817cecd |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b2915517.exe
| MD5 | 5366664936e30a322473778461d141fd |
| SHA1 | ef60738704e3518ee7d65ccdf956a73d16e7f130 |
| SHA256 | e35dcf4d09dcfca6db8a08755e7d2115a3ddd2dc4faa571d96482ffaf3669c01 |
| SHA512 | ab67b7995b4f8052f7fe287471cfb155744a8c9bf6e7cd00c1d592ef2de63b7eb89812f4c9612625026068d31ead1954fd3c30dabb11e9bb563c70eca9ad346d |