Analysis Overview
SHA256
a6611cf5bb80de16b1205ff16d98046ae510ff28ad823d1bc83496417ca477fd
Threat Level: Known bad
The file a6611cf5bb80de16b1205ff16d98046ae510ff28ad823d1bc83496417ca477fd was found to be: Known bad.
Malicious Activity Summary
RedLine
Executes dropped EXE
Adds Run key to start application
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-09-10 09:03
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-09-10 09:03
Reported
2023-09-10 09:06
Platform
win10-20230703-en
Max time kernel
129s
Max time network
142s
Command Line
Signatures
RedLine
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5188826.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8424682.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m1877451.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n3604841.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8424682.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\a6611cf5bb80de16b1205ff16d98046ae510ff28ad823d1bc83496417ca477fd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5188826.exe | N/A |
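The wextract_cleanup RunOnce values and the IXP000.TMP/IXP001.TMP/IXP002.TMP directories above are the footprint of the Windows cabinet self-extractor (wextract.exe, the stub IExpress packages use): each stage unpacks into %TEMP%\IXP00n.TMP and registers a RunOnce value that deletes that directory at the next logon through advpack.dll's DelNodeRunDLL32. A single such key is unremarkable; the signal in this report is the nesting. The sample writes wextract_cleanup0 and unpacks y5188826.exe, which is itself a self-extractor writing wextract_cleanup1, which unpacks y8424682.exe, a third self-extractor, until IXP002.TMP yields the two executables that are the actual payloads. The RunOnce cleanup also means the extracted files are gone after a reboot, so on a live host the chain has to be recovered from RunOnce, Prefetch or memory rather than from the directories. The Python below is added here as an example; it is not code from the report or the sandbox. It takes the three indicator rows and the executed-process paths exactly as printed above as constructed input and reconstructs the stage chain; the function names are the example's own.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample input: the three "Adds Run key" rows from the report above, as
# (indicator, process that wrote it). The report prints the value data JSON-escaped
# (\\ for a backslash, \" for a quote); that escaping is reproduced verbatim here.
RUNONCE_ROWS = [
    (r'\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""',
     r'C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8424682.exe'),
    (r'\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""',
     r'C:\Users\Admin\AppData\Local\Temp\a6611cf5bb80de16b1205ff16d98046ae510ff28ad823d1bc83496417ca477fd.exe'),
    (r'\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""',
     r'C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5188826.exe'),
]

# Constructed sample input: the process paths from the "Executes dropped EXE" signature.
EXECUTED = [
    r'C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5188826.exe',
    r'C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8424682.exe',
    r'C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m1877451.exe',
    r'C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n3604841.exe',
]

INDICATOR_RE = re.compile(
    r'^(?P<key>\\REGISTRY\\.+?\\RunOnce)\\wextract_cleanup(?P<idx>\d+) = "(?P<data>.*)"$')
DELNODE_RE = re.compile(r'advpack\.dll,DelNodeRunDLL32\s+"(?P<dir>[^"]+)"', re.IGNORECASE)


def parse_cleanup_indicator(indicator):
    """Return {index, key, dir, command} for a wextract_cleanup RunOnce value, else None."""
    m = INDICATOR_RE.match(indicator)
    if not m:
        return None
    # Undo the report's JSON-style escaping so the command reads as it sits in the registry.
    command = m.group("data").replace('\\"', '"').replace("\\\\", "\\")
    d = DELNODE_RE.search(command)
    if not d:
        return None
    return {"index": int(m.group("idx")), "key": m.group("key"),
            "dir": d.group("dir").rstrip("\\"), "command": command}


def reconstruct_stages(rows, executed):
    """Order the self-extractor stages: which process wrote each cleanup key, the IXP
    directory that key will delete (i.e. the stage's unpack directory), and which of
    the executed processes ran from that directory."""
    stages = []
    for indicator, writer in rows:
        parsed = parse_cleanup_indicator(indicator)
        if parsed is None:
            continue
        unpack_dir = PureWindowsPath(parsed["dir"])  # PureWindowsPath compares case-insensitively
        children = sorted(p for p in executed if PureWindowsPath(p).parent == unpack_dir)
        stages.append({"index": parsed["index"], "writer": writer,
                       "dir": parsed["dir"], "children": children})
    return sorted(stages, key=lambda s: s["index"])


def nesting_depth(stages):
    """Count stages whose writer was itself unpacked by another stage. A plain IExpress
    package scores 0; a wrapper that unpacks another wrapper, as here, scores 1 or more."""
    unpack_dirs = {PureWindowsPath(s["dir"]) for s in stages}
    return sum(PureWindowsPath(s["writer"]).parent in unpack_dirs for s in stages)


def final_payloads(stages):
    """Executables run from the last stage that never wrote a cleanup key of their own:
    the dropped payloads rather than one more layer of wrapper."""
    writers = {PureWindowsPath(s["writer"]) for s in stages}
    last = max(stages, key=lambda s: s["index"])
    return [c for c in last["children"] if PureWindowsPath(c) not in writers]


if __name__ == "__main__":
    chain = reconstruct_stages(RUNONCE_ROWS, EXECUTED)
    for s in chain:
        print(f"wextract_cleanup{s['index']}: {PureWindowsPath(s['writer']).name} -> {s['dir']}")
        for c in s["children"]:
            print(f"    runs {PureWindowsPath(c).name}")
    print("nested self-extractor stages:", nesting_depth(chain))
    print("final payloads:", [PureWindowsPath(p).name for p in final_payloads(chain)])
```

Run against the rows above, the chain comes out as cleanup0 written by the sample, cleanup1 by y5188826.exe and cleanup2 by y8424682.exe, with a nesting depth of 2 and m1877451.exe and n3604841.exe as the final payloads. On a live host the same parse applies to the RunOnce values under HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce; several wextract_cleanupN values present at once, pointing at successive IXP directories, is the condition worth alerting on rather than the key by itself.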
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a6611cf5bb80de16b1205ff16d98046ae510ff28ad823d1bc83496417ca477fd.exe
"C:\Users\Admin\AppData\Local\Temp\a6611cf5bb80de16b1205ff16d98046ae510ff28ad823d1bc83496417ca477fd.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5188826.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5188826.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8424682.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8424682.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m1877451.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m1877451.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n3604841.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n3604841.exe
Network
| Country | Destination | Domain | Proto |
| RU | 5.42.92.211:80 | | tcp |
| FI | 77.91.124.82:19071 | | tcp |
| FI | 77.91.124.82:19071 | | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | | tcp |
| US | 8.8.8.8:53 | 9.57.101.20.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | | tcp |
| US | 8.8.8.8:53 | 7.173.189.20.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5188826.exe
| MD5 | 1aab740ecde0662d1aecf713c58b00a5 |
| SHA1 | 01223131fa180b9310ec7752def8212ba9fbfd0b |
| SHA256 | 37b2a62c5e9f25dc77399bf706ae5e3c0dd9acc260b12654da73d284ba1ba4ad |
| SHA512 | 96a9c9a1947f903b96f5037f1c35b1eb7a754e3a025fb64c2cbe44b14bba1bd5850dd7354e288c4b98ea2e19580a759b6d8b2f94b58e00e937e45bd12edf48a8 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8424682.exe
| MD5 | 5747dcfd715baf8b76c4c4ab564f3dba |
| SHA1 | 96fd0616dde5c2a63bb2fe4e5dec6fd3d0a7bbcf |
| SHA256 | 0e29696b3d32c35c98a9b04c41b96a3071e278f7c450a703cba90f59189cb9e4 |
| SHA512 | 3fe92cd99e6d8add131bce498c0a7ba04bfef5d9036d416d413b4073be85ac603f6c5e883088c16e75a774146fe942a9c09b553be25582381d5992bafa130d25 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m1877451.exe
| MD5 | ae3847506c22f17b08bdc023ae9556cc |
| SHA1 | 62a39020a1136400374506ea42f6c92d96a07e3e |
| SHA256 | 412ca3c78e4d6a6d485afa65958012013d95cbb9e27368789b41f48ccdd3b6a6 |
| SHA512 | b477f854efcc5707446975658427560ab90f2d9113cca541fe23aafa47b4db81a925d64d165ecf47fe0a3f12f5affed8d6b95accd616a2d585e3843b16f5c2bc |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n3604841.exe
| MD5 | ebe90bd0c4935cbd06cebbf7e0105aec |
| SHA1 | 6181bd225af7ea88d30bd826309a16579b66eb69 |
| SHA256 | e364d795aeb8ae009f415a69fc0d4ae0b9ad950c2c4ef932b6dcd817a4c32858 |
| SHA512 | 7206e7abc8648aad5a2b34de50110aec2139456d27e85d695f0488d4bae9996d856c6f5095cad7777e45ce62ed38f6e2a6e6f521aa7b9afc3bff836f450c3a15 |
memory/4880-24-0x00000000000E0000-0x0000000000110000-memory.dmp
memory/4880-25-0x0000000072BC0000-0x00000000732AE000-memory.dmp
memory/4880-26-0x00000000009D0000-0x00000000009D6000-memory.dmp
memory/4880-27-0x000000000A400000-0x000000000AA06000-memory.dmp
memory/4880-28-0x0000000009F00000-0x000000000A00A000-memory.dmp
memory/4880-29-0x0000000009E20000-0x0000000009E32000-memory.dmp
memory/4880-30-0x0000000009E80000-0x0000000009EBE000-memory.dmp
memory/4880-31-0x000000000A010000-0x000000000A05B000-memory.dmp
memory/4880-32-0x0000000072BC0000-0x00000000732AE000-memory.dmp