Analysis Overview
SHA256
dd4fa1020281d1b1667afeaa46b6235461f1cc064b264d85631e1112b39adcf1
Threat Level: Known bad
The file dd4fa1020281d1b1667afeaa46b6235461f1cc064b264d85631e1112b39adcf1 was found to be: Known bad.
Malicious Activity Summary
RedLine
Executes dropped EXE
Adds Run key to start application
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-09-10 09:06
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-09-10 09:06
Reported
2023-09-10 09:08
Platform
win10v2004-20230831-en
Max time kernel
130s
Max time network
150s
Command Line
Signatures
RedLine
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2063247.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8903813.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m5118204.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n1946282.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\dd4fa1020281d1b1667afeaa46b6235461f1cc064b264d85631e1112b39adcf1.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2063247.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8903813.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\dd4fa1020281d1b1667afeaa46b6235461f1cc064b264d85631e1112b39adcf1.exe
"C:\Users\Admin\AppData\Local\Temp\dd4fa1020281d1b1667afeaa46b6235461f1cc064b264d85631e1112b39adcf1.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2063247.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2063247.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8903813.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8903813.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m5118204.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m5118204.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n1946282.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n1946282.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 126.153.27.67.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| RU | 5.42.92.211:80 | | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | | tcp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.208.79.178.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | | tcp |
| FI | 77.91.124.82:19071 | | tcp |
| FI | 77.91.124.82:19071 | | tcp |
| US | 8.8.8.8:53 | 1.173.189.20.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2063247.exe
| MD5 | 4edea641c3a3132ed9bc073abdfc7d3b |
| SHA1 | da0adef304a4ad76c302abc66f376105cd1e226b |
| SHA256 | d34effcf4be765c829ccf687ff4601b83ac1e501df6f530e415e2066bbe37ea7 |
| SHA512 | 7289963354cf49e75cbda2ceebb8598549d09a02782657888976d0459ad2f7c33ccb3bee64a22ef5b628e26d4dc005c062ea340633e21effdb7338f90cc7f5ae |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8903813.exe
| MD5 | 6eb099dacb940e43311030eafdbc7a18 |
| SHA1 | 1de5fc1f1df49ef33ebeb53c348a4114577669d8 |
| SHA256 | d0eb30dc908f2a8ced2144dccce4e2ebb755222cc904919b8423ee53d697e42d |
| SHA512 | f3e5a9eb64580b12851c863c7d1be623912a3e5d083f532b498d182a83b1a57f54a4ce6908dc0813db34ea45b2aaa31113b2e635451ff3bf25cda5b278dc6067 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m5118204.exe
| MD5 | ca85750cd4d1e4eb1d595cf691ef5248 |
| SHA1 | e41a572e57b0277f48fbfbb346b44bdd82bebcc1 |
| SHA256 | b140022ae179125093ddaee563e62198fe025ac98d937f7d0830df075e640919 |
| SHA512 | a882dd9e6245ac890a73f12889f38268f2ef67a30c62da0a66e1706da70db3f8d5fb273dd548b35aedcc00509e93cdf53f8dcdfb0af420621f92b9a62772469d |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n1946282.exe
| MD5 | d4d8a656f1d87a0b924acdd174af2ae8 |
| SHA1 | 34d5f42bbc3bec2d5245d12499f2a051a0dddb6f |
| SHA256 | fbcf1abc4e8dd1cacaae77f7bc8d661a85d8a19b2a9ad33168394440da99523f |
| SHA512 | 895d85aae56a4b763ffed9fef20b4db113e3265e960099ca991c6e753a2dc779b065fd8d24213c1248358c5a2f750cf9af119efff18bac63e282e8a47eeabcba |
memory/1720-24-0x0000000000D40000-0x0000000000D70000-memory.dmp
memory/1720-25-0x0000000074130000-0x00000000748E0000-memory.dmp
memory/1720-26-0x000000000B0B0000-0x000000000B6C8000-memory.dmp
memory/1720-27-0x000000000ABB0000-0x000000000ACBA000-memory.dmp
memory/1720-28-0x000000000AAF0000-0x000000000AB02000-memory.dmp
memory/1720-29-0x0000000005700000-0x0000000005710000-memory.dmp
memory/1720-30-0x000000000AB50000-0x000000000AB8C000-memory.dmp
memory/1720-31-0x0000000074130000-0x00000000748E0000-memory.dmp
memory/1720-32-0x0000000005700000-0x0000000005710000-memory.dmp