Analysis Overview
SHA256
b15ecbbc7a245f9e0448b6d292f5c53316d491917d371488562d4ede0044cf66
Threat Level: Known bad
The file b15ecbbc7a245f9e0448b6d292f5c53316d491917d371488562d4ede0044cf66 was found to be: Known bad.
Malicious Activity Summary
RedLine
Executes dropped EXE
Adds Run key to start application
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-09-10 08:28
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-09-10 08:28
Reported
2023-09-10 08:30
Platform
win10v2004-20230831-en
Max time kernel
142s
Max time network
150s
Command Line
Signatures
RedLine
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5251886.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y7051169.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m1568105.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n9944352.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\b15ecbbc7a245f9e0448b6d292f5c53316d491917d371488562d4ede0044cf66.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5251886.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y7051169.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| C:\Users\Admin\AppData\Local\Temp\b15ecbbc7a245f9e0448b6d292f5c53316d491917d371488562d4ede0044cf66.exe | "C:\Users\Admin\AppData\Local\Temp\b15ecbbc7a245f9e0448b6d292f5c53316d491917d371488562d4ede0044cf66.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5251886.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5251886.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y7051169.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y7051169.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m1568105.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m1568105.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n9944352.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n9944352.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| RU | 5.42.92.211:80 | | tcp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | | tcp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 142.121.18.2.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | | tcp |
| FI | 77.91.124.82:19071 | | tcp |
| FI | 77.91.124.82:19071 | | tcp |
| FI | 77.91.124.82:19071 | | tcp |
| US | 8.8.8.8:53 | 89.65.42.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5251886.exe
| MD5 | aa0f2c7c178bf410dabdd9966bc797b6 |
| SHA1 | a5428edb56c0340db3e9fe2442cd722ca1b89273 |
| SHA256 | 30020020da0e8d00593ea90883aad11494098407a108a94e27e3ca2fda31155d |
| SHA512 | b6068f3badf72ef789d509f4bf520ce0e879411f84bd9892fe654d4976565d21975d13ed3f1a9b0d317fb3839dddd24f5c8ec25cc3672bfcaf2557b5df979f0a |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y7051169.exe
| MD5 | 63e464f314d790e4a843741c8ee5728f |
| SHA1 | f395da808009d57e2be3ae7d45179097b243a228 |
| SHA256 | 94e18f06b510267badaf3085ff761183799c96a4eba2843e82bf7f3eeeed721d |
| SHA512 | 4ba4f0e3047421507f6e8883fce6c86cb3615e086d16e1e243f54b7a04e9a7f47362a101e4336a196d21b75d7d9cd9dd3ee003134c3e0b4d63d462a8cc7627b7 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m1568105.exe
| MD5 | 95b5eaa4779fba4f21ae26ff883ab1a3 |
| SHA1 | 7f24374f0b6bec896109405686073aa8990aea3c |
| SHA256 | 9471476ba4a75e3350bf4c9cdd1582bfc059ddc94c622248d713c0556db9be5f |
| SHA512 | 241c82eee553c80c918f2191fa940c2d5cd421c6d7e51ce3d8803d60d7473d55b18607b6333540f263fa9edc8ede715a82d38dcf8280d39a8ce2e999a67dda88 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n9944352.exe
| MD5 | ecdfdd53993fcdac3bf755f29e52b8f2 |
| SHA1 | 457e870ec06485181e382436c14559b9f5018236 |
| SHA256 | e1a2af5d0c1af4f3768e95208c3b251beaff317fac933de828b362c510712034 |
| SHA512 | 4014e808c2410a808d54427114c8ebabe2266b849575b9c1b08e384583260d08382c94684867d559a5a60596d1e8aab594de920ec8fdc5af2b02598b07a016a6 |
memory/3812-24-0x0000000000730000-0x0000000000760000-memory.dmp
memory/3812-25-0x0000000074170000-0x0000000074920000-memory.dmp
memory/3812-26-0x000000000ABE0000-0x000000000B1F8000-memory.dmp
memory/3812-27-0x000000000A6E0000-0x000000000A7EA000-memory.dmp
memory/3812-28-0x0000000005230000-0x0000000005240000-memory.dmp
memory/3812-29-0x000000000A620000-0x000000000A632000-memory.dmp
memory/3812-30-0x000000000A680000-0x000000000A6BC000-memory.dmp
memory/3812-31-0x0000000074170000-0x0000000074920000-memory.dmp
memory/3812-32-0x0000000005230000-0x0000000005240000-memory.dmp