Analysis Overview
SHA256
fb368927d9051a0ed52610ad43849d1b0cdf2acee3bb1bf88c63e3fce54a4f0f
Threat Level: Known bad
The file fb368927d9051a0ed52610ad43849d1b0cdf2acee3bb1bf88c63e3fce54a4f0f.exe was found to be: Known bad.
Malicious Activity Summary
RedLine
Arkei
RedLine Payload
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Suspicious use of SetThreadContext
Enumerates physical storage devices
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-05-07 01:46
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-05-07 01:46
Reported
2022-05-07 01:55
Platform
win7-20220414-en
Max time kernel
150s
Max time network
160s
Command Line
Signatures
Arkei
RedLine
RedLine Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dcaqbmme.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fb368927d9051a0ed52610ad43849d1b0cdf2acee3bb1bf88c63e3fce54a4f0f.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fb368927d9051a0ed52610ad43849d1b0cdf2acee3bb1bf88c63e3fce54a4f0f.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1640 set thread context of 1120 | N/A | C:\Users\Admin\AppData\Local\Temp\fb368927d9051a0ed52610ad43849d1b0cdf2acee3bb1bf88c63e3fce54a4f0f.exe | C:\Users\Admin\AppData\Local\Temp\fb368927d9051a0ed52610ad43849d1b0cdf2acee3bb1bf88c63e3fce54a4f0f.exe |
| PID 1328 set thread context of 1124 | N/A | C:\Users\Admin\AppData\Local\Temp\dcaqbmme.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe |
Enumerates physical storage devices
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fb368927d9051a0ed52610ad43849d1b0cdf2acee3bb1bf88c63e3fce54a4f0f.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dcaqbmme.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fb368927d9051a0ed52610ad43849d1b0cdf2acee3bb1bf88c63e3fce54a4f0f.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dcaqbmme.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\fb368927d9051a0ed52610ad43849d1b0cdf2acee3bb1bf88c63e3fce54a4f0f.exe
"C:\Users\Admin\AppData\Local\Temp\fb368927d9051a0ed52610ad43849d1b0cdf2acee3bb1bf88c63e3fce54a4f0f.exe"
C:\Users\Admin\AppData\Local\Temp\dcaqbmme.exe
"C:\Users\Admin\AppData\Local\Temp\dcaqbmme.exe"
C:\Users\Admin\AppData\Local\Temp\fb368927d9051a0ed52610ad43849d1b0cdf2acee3bb1bf88c63e3fce54a4f0f.exe
"C:\Users\Admin\AppData\Local\Temp\fb368927d9051a0ed52610ad43849d1b0cdf2acee3bb1bf88c63e3fce54a4f0f.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
Network
| Country | Destination | Domain | Proto |
| RU | 62.204.41.166:27688 | | tcp |
| RU | 62.204.41.166:27688 | | tcp |
| RU | 62.204.41.166:27688 | | tcp |
| RU | 62.204.41.166:27688 | | tcp |
| RU | 62.204.41.166:27688 | | tcp |
| RU | 62.204.41.166:27688 | | tcp |
Files
memory/1640-56-0x00000000762C1000-0x00000000762C3000-memory.dmp
\Users\Admin\AppData\Local\Temp\dcaqbmme.exe
| MD5 | 2652215d4d7a57fc45691bb1d53fb6ce |
| SHA1 | 15838b55aa4b2dc05ca09b2b958056fcb17776bd |
| SHA256 | 326923ce18fd7a9c8210697d8ffab62481db036588c12f05a21798fcf67bd9a6 |
| SHA512 | f4694966c4beb4e9cca674b85311de400f7c9ebf7eb9e0e271074281447513d562757bb477a7884b02ba9cdc8caf9b3952afcc0e66b9a36c6c167aa5e731ca59 |
memory/1328-59-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\dcaqbmme.exe
| MD5 | 2652215d4d7a57fc45691bb1d53fb6ce |
| SHA1 | 15838b55aa4b2dc05ca09b2b958056fcb17776bd |
| SHA256 | 326923ce18fd7a9c8210697d8ffab62481db036588c12f05a21798fcf67bd9a6 |
| SHA512 | f4694966c4beb4e9cca674b85311de400f7c9ebf7eb9e0e271074281447513d562757bb477a7884b02ba9cdc8caf9b3952afcc0e66b9a36c6c167aa5e731ca59 |
memory/1120-64-0x0000000000408430-mapping.dmp
memory/1640-65-0x00000000024F0000-0x00000000024F7000-memory.dmp
memory/1124-66-0x000000000041BC2E-mapping.dmp
memory/1124-68-0x0000000000400000-0x0000000000420000-memory.dmp
memory/1124-69-0x0000000000400000-0x0000000000424000-memory.dmp
memory/1120-70-0x0000000000400000-0x000000000043C000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-05-07 01:46
Reported
2022-05-07 01:55
Platform
win10v2004-20220414-en
Max time kernel
149s
Max time network
162s
Command Line
Signatures
Arkei
RedLine
RedLine Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dcaqbmme.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\fb368927d9051a0ed52610ad43849d1b0cdf2acee3bb1bf88c63e3fce54a4f0f.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3144 set thread context of 4668 | N/A | C:\Users\Admin\AppData\Local\Temp\fb368927d9051a0ed52610ad43849d1b0cdf2acee3bb1bf88c63e3fce54a4f0f.exe | C:\Users\Admin\AppData\Local\Temp\fb368927d9051a0ed52610ad43849d1b0cdf2acee3bb1bf88c63e3fce54a4f0f.exe |
| PID 4356 set thread context of 2016 | N/A | C:\Users\Admin\AppData\Local\Temp\dcaqbmme.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe |
Enumerates physical storage devices
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fb368927d9051a0ed52610ad43849d1b0cdf2acee3bb1bf88c63e3fce54a4f0f.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dcaqbmme.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dcaqbmme.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fb368927d9051a0ed52610ad43849d1b0cdf2acee3bb1bf88c63e3fce54a4f0f.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dcaqbmme.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\fb368927d9051a0ed52610ad43849d1b0cdf2acee3bb1bf88c63e3fce54a4f0f.exe
"C:\Users\Admin\AppData\Local\Temp\fb368927d9051a0ed52610ad43849d1b0cdf2acee3bb1bf88c63e3fce54a4f0f.exe"
C:\Users\Admin\AppData\Local\Temp\dcaqbmme.exe
"C:\Users\Admin\AppData\Local\Temp\dcaqbmme.exe"
C:\Users\Admin\AppData\Local\Temp\fb368927d9051a0ed52610ad43849d1b0cdf2acee3bb1bf88c63e3fce54a4f0f.exe
"C:\Users\Admin\AppData\Local\Temp\fb368927d9051a0ed52610ad43849d1b0cdf2acee3bb1bf88c63e3fce54a4f0f.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
Network
| Country | Destination | Domain | Proto |
| NL | 8.238.23.254:80 | | tcp |
| IE | 52.109.76.30:443 | | tcp |
| US | 20.189.173.6:443 | | tcp |
| RU | 62.204.41.166:27688 | | tcp |
| NL | 8.238.23.254:80 | | tcp |
| NL | 8.238.23.254:80 | | tcp |
| NL | 8.238.23.254:80 | | tcp |
| RU | 62.204.41.166:27688 | | tcp |
| RU | 62.204.41.166:27688 | | tcp |
| RU | 62.204.41.166:27688 | | tcp |
| RU | 62.204.41.166:27688 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\dcaqbmme.exe
| MD5 | 2652215d4d7a57fc45691bb1d53fb6ce |
| SHA1 | 15838b55aa4b2dc05ca09b2b958056fcb17776bd |
| SHA256 | 326923ce18fd7a9c8210697d8ffab62481db036588c12f05a21798fcf67bd9a6 |
| SHA512 | f4694966c4beb4e9cca674b85311de400f7c9ebf7eb9e0e271074281447513d562757bb477a7884b02ba9cdc8caf9b3952afcc0e66b9a36c6c167aa5e731ca59 |
memory/4356-132-0x0000000000000000-mapping.dmp
memory/4668-137-0x0000000000000000-mapping.dmp
memory/3144-138-0x0000000002A20000-0x0000000002A27000-memory.dmp
memory/4792-139-0x0000000000000000-mapping.dmp
memory/2016-140-0x0000000000000000-mapping.dmp
memory/2016-141-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2016-142-0x0000000000400000-0x0000000000424000-memory.dmp
memory/4668-143-0x0000000000400000-0x000000000043C000-memory.dmp
memory/2016-144-0x0000000005450000-0x0000000005A68000-memory.dmp
memory/2016-145-0x0000000004EF0000-0x0000000004F02000-memory.dmp
memory/2016-146-0x0000000005020000-0x000000000512A000-memory.dmp
memory/2016-147-0x0000000004F50000-0x0000000004F8C000-memory.dmp