Analysis Overview
SHA256
fb368927d9051a0ed52610ad43849d1b0cdf2acee3bb1bf88c63e3fce54a4f0f
Threat Level: Known bad
The file fb368927d9051a0ed52610ad43849d1b0cdf2acee3bb1bf88c63e3fce54a4f0f.exe was found to be: Known bad.
Malicious Activity Summary
RedLine
Arkei
RedLine Payload
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Suspicious use of SetThreadContext
Enumerates physical storage devices
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-05-07 13:46
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-05-07 13:46
Reported
2022-05-07 13:54
Platform
win7-20220414-en
Max time kernel
147s
Max time network
156s
Command Line
Signatures
Arkei
RedLine
RedLine Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dcaqbmme.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fb368927d9051a0ed52610ad43849d1b0cdf2acee3bb1bf88c63e3fce54a4f0f.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fb368927d9051a0ed52610ad43849d1b0cdf2acee3bb1bf88c63e3fce54a4f0f.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1488 set thread context of 1996 | N/A | C:\Users\Admin\AppData\Local\Temp\fb368927d9051a0ed52610ad43849d1b0cdf2acee3bb1bf88c63e3fce54a4f0f.exe | C:\Users\Admin\AppData\Local\Temp\fb368927d9051a0ed52610ad43849d1b0cdf2acee3bb1bf88c63e3fce54a4f0f.exe |
| PID 1984 set thread context of 948 | N/A | C:\Users\Admin\AppData\Local\Temp\dcaqbmme.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe |
Enumerates physical storage devices
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fb368927d9051a0ed52610ad43849d1b0cdf2acee3bb1bf88c63e3fce54a4f0f.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dcaqbmme.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fb368927d9051a0ed52610ad43849d1b0cdf2acee3bb1bf88c63e3fce54a4f0f.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dcaqbmme.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\fb368927d9051a0ed52610ad43849d1b0cdf2acee3bb1bf88c63e3fce54a4f0f.exe
"C:\Users\Admin\AppData\Local\Temp\fb368927d9051a0ed52610ad43849d1b0cdf2acee3bb1bf88c63e3fce54a4f0f.exe"
C:\Users\Admin\AppData\Local\Temp\dcaqbmme.exe
"C:\Users\Admin\AppData\Local\Temp\dcaqbmme.exe"
C:\Users\Admin\AppData\Local\Temp\fb368927d9051a0ed52610ad43849d1b0cdf2acee3bb1bf88c63e3fce54a4f0f.exe
"C:\Users\Admin\AppData\Local\Temp\fb368927d9051a0ed52610ad43849d1b0cdf2acee3bb1bf88c63e3fce54a4f0f.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
Network
| Country | Destination | Domain | Proto |
| RU | 62.204.41.166:27688 | | tcp |
| RU | 62.204.41.166:27688 | | tcp |
| RU | 62.204.41.166:27688 | | tcp |
| RU | 62.204.41.166:27688 | | tcp |
| RU | 62.204.41.166:27688 | | tcp |
| RU | 62.204.41.166:27688 | | tcp |
Files
memory/1488-56-0x0000000076C81000-0x0000000076C83000-memory.dmp
\Users\Admin\AppData\Local\Temp\dcaqbmme.exe
| MD5 | 2652215d4d7a57fc45691bb1d53fb6ce |
| SHA1 | 15838b55aa4b2dc05ca09b2b958056fcb17776bd |
| SHA256 | 326923ce18fd7a9c8210697d8ffab62481db036588c12f05a21798fcf67bd9a6 |
| SHA512 | f4694966c4beb4e9cca674b85311de400f7c9ebf7eb9e0e271074281447513d562757bb477a7884b02ba9cdc8caf9b3952afcc0e66b9a36c6c167aa5e731ca59 |
\Users\Admin\AppData\Local\Temp\dcaqbmme.exe
| MD5 | 2652215d4d7a57fc45691bb1d53fb6ce |
| SHA1 | 15838b55aa4b2dc05ca09b2b958056fcb17776bd |
| SHA256 | 326923ce18fd7a9c8210697d8ffab62481db036588c12f05a21798fcf67bd9a6 |
| SHA512 | f4694966c4beb4e9cca674b85311de400f7c9ebf7eb9e0e271074281447513d562757bb477a7884b02ba9cdc8caf9b3952afcc0e66b9a36c6c167aa5e731ca59 |
memory/1984-59-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\dcaqbmme.exe
| MD5 | 2652215d4d7a57fc45691bb1d53fb6ce |
| SHA1 | 15838b55aa4b2dc05ca09b2b958056fcb17776bd |
| SHA256 | 326923ce18fd7a9c8210697d8ffab62481db036588c12f05a21798fcf67bd9a6 |
| SHA512 | f4694966c4beb4e9cca674b85311de400f7c9ebf7eb9e0e271074281447513d562757bb477a7884b02ba9cdc8caf9b3952afcc0e66b9a36c6c167aa5e731ca59 |
memory/1996-64-0x0000000000408430-mapping.dmp
memory/1488-65-0x00000000008F0000-0x00000000008F7000-memory.dmp
memory/948-66-0x000000000041BC2E-mapping.dmp
memory/948-68-0x0000000000400000-0x0000000000424000-memory.dmp
memory/1996-69-0x0000000000400000-0x000000000043C000-memory.dmp
memory/948-70-0x0000000000400000-0x0000000000420000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-05-07 13:46
Reported
2022-05-07 13:55
Platform
win10v2004-20220414-en
Max time kernel
157s
Max time network
168s
Command Line
Signatures
Arkei
RedLine
RedLine Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dcaqbmme.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\fb368927d9051a0ed52610ad43849d1b0cdf2acee3bb1bf88c63e3fce54a4f0f.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3028 set thread context of 5088 | N/A | C:\Users\Admin\AppData\Local\Temp\dcaqbmme.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe |
| PID 4292 set thread context of 4792 | N/A | C:\Users\Admin\AppData\Local\Temp\fb368927d9051a0ed52610ad43849d1b0cdf2acee3bb1bf88c63e3fce54a4f0f.exe | C:\Users\Admin\AppData\Local\Temp\fb368927d9051a0ed52610ad43849d1b0cdf2acee3bb1bf88c63e3fce54a4f0f.exe |
Enumerates physical storage devices
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dcaqbmme.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fb368927d9051a0ed52610ad43849d1b0cdf2acee3bb1bf88c63e3fce54a4f0f.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fb368927d9051a0ed52610ad43849d1b0cdf2acee3bb1bf88c63e3fce54a4f0f.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dcaqbmme.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\fb368927d9051a0ed52610ad43849d1b0cdf2acee3bb1bf88c63e3fce54a4f0f.exe
"C:\Users\Admin\AppData\Local\Temp\fb368927d9051a0ed52610ad43849d1b0cdf2acee3bb1bf88c63e3fce54a4f0f.exe"
C:\Users\Admin\AppData\Local\Temp\dcaqbmme.exe
"C:\Users\Admin\AppData\Local\Temp\dcaqbmme.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
C:\Users\Admin\AppData\Local\Temp\fb368927d9051a0ed52610ad43849d1b0cdf2acee3bb1bf88c63e3fce54a4f0f.exe
"C:\Users\Admin\AppData\Local\Temp\fb368927d9051a0ed52610ad43849d1b0cdf2acee3bb1bf88c63e3fce54a4f0f.exe"
Network
| Country | Destination | Domain | Proto |
| US | 52.168.117.170:443 | | tcp |
| BE | 67.27.153.254:80 | | tcp |
| BE | 67.27.153.254:80 | | tcp |
| NL | 88.221.144.179:80 | | tcp |
| RU | 62.204.41.166:27688 | | tcp |
| RU | 62.204.41.166:27688 | | tcp |
| RU | 62.204.41.166:27688 | | tcp |
| RU | 62.204.41.166:27688 | | tcp |
| RU | 62.204.41.166:27688 | | tcp |
Files
memory/3028-133-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\dcaqbmme.exe
| MD5 | 2652215d4d7a57fc45691bb1d53fb6ce |
| SHA1 | 15838b55aa4b2dc05ca09b2b958056fcb17776bd |
| SHA256 | 326923ce18fd7a9c8210697d8ffab62481db036588c12f05a21798fcf67bd9a6 |
| SHA512 | f4694966c4beb4e9cca674b85311de400f7c9ebf7eb9e0e271074281447513d562757bb477a7884b02ba9cdc8caf9b3952afcc0e66b9a36c6c167aa5e731ca59 |
C:\Users\Admin\AppData\Local\Temp\dcaqbmme.exe
| MD5 | 2652215d4d7a57fc45691bb1d53fb6ce |
| SHA1 | 15838b55aa4b2dc05ca09b2b958056fcb17776bd |
| SHA256 | 326923ce18fd7a9c8210697d8ffab62481db036588c12f05a21798fcf67bd9a6 |
| SHA512 | f4694966c4beb4e9cca674b85311de400f7c9ebf7eb9e0e271074281447513d562757bb477a7884b02ba9cdc8caf9b3952afcc0e66b9a36c6c167aa5e731ca59 |
memory/5088-138-0x0000000000000000-mapping.dmp
memory/4792-139-0x0000000000000000-mapping.dmp
memory/3028-140-0x0000000001FC0000-0x0000000001FC7000-memory.dmp
memory/5088-141-0x0000000000400000-0x0000000000420000-memory.dmp
memory/5088-142-0x0000000000400000-0x0000000000424000-memory.dmp
memory/4792-143-0x0000000000400000-0x000000000043C000-memory.dmp
memory/5088-144-0x0000000005580000-0x0000000005B98000-memory.dmp
memory/5088-145-0x0000000005020000-0x0000000005032000-memory.dmp
memory/5088-146-0x0000000005150000-0x000000000525A000-memory.dmp
memory/5088-147-0x00000000050A0000-0x00000000050DC000-memory.dmp