Analysis Overview
SHA256
a721ff4a50aa2d2972b7d9e850dfbed392ee063ecff36d0a1b500f0ec50bdb75
Threat Level: Known bad
The file a721ff4a50aa2d2972b7d9e850dfbed392ee063ecff36d0a1b500f0ec50bdb75 was found to be: Known bad.
Malicious Activity Summary
RedLine
Executes dropped EXE
Adds Run key to start application
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-09-10 08:40
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-09-10 08:40
Reported
2023-09-10 08:42
Platform
win10-20230831-en
Max time kernel
129s
Max time network
143s
Command Line
Signatures
RedLine
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9323072.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y9464001.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m0436827.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n3718195.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9323072.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y9464001.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\a721ff4a50aa2d2972b7d9e850dfbed392ee063ecff36d0a1b500f0ec50bdb75.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a721ff4a50aa2d2972b7d9e850dfbed392ee063ecff36d0a1b500f0ec50bdb75.exe
"C:\Users\Admin\AppData\Local\Temp\a721ff4a50aa2d2972b7d9e850dfbed392ee063ecff36d0a1b500f0ec50bdb75.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9323072.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9323072.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y9464001.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y9464001.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m0436827.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m0436827.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n3718195.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n3718195.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| RU | 5.42.92.211:80 | | tcp |
| FI | 77.91.124.82:19071 | | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | | tcp |
| FI | 77.91.124.82:19071 | | tcp |
| FI | 77.91.124.82:19071 | | tcp |
| US | 8.8.8.8:53 | 9.57.101.20.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9323072.exe
| MD5 | 09754633c2e19c71b229c49f2a712062 |
| SHA1 | a5c6bb61c3f4c690753586f81dacd7a744531a06 |
| SHA256 | 5f44d4f273e05debab14f803551f2f3babb350ee6250180534279120dce1d651 |
| SHA512 | 96b0cf1042721e4950d624ec0b912b669ef1b1284645b34bc652387a7fbb78a79761f204318d9c8e57812802efff94372f7bee7c3f2a7310706586d442eeef98 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y9464001.exe
| MD5 | b377f1e1e9e38e1c13349a2f77c08980 |
| SHA1 | bdd68feefc3458e332e2b3614edf9c83ad484182 |
| SHA256 | a84e87ed78dea542fd674ff902f9aeffd2b22f145ca22731e564be9804c1ea47 |
| SHA512 | 3f764672b1e928882cd8b947dad4f5dc5611a1dcc65e07fa0d8d0d87b167503940338db9b8434f2202fac96e61a3d257aea253ed714c295e9c8c21cc0dc08c8c |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m0436827.exe
| MD5 | ea3e6fc76e0f664e6d2e867ac7da718d |
| SHA1 | 71d9f296840be41ff4dc700468f4c24b30d38e79 |
| SHA256 | 5b1c99eac7565b5aab61850cdb939e3e8cbdea2bebb2e9059a8156be94f2b75f |
| SHA512 | 9491cf4ce050975d7a9b665f79639259f6645f7ee050ebe62618a6cdc9c9117cc993f63e7bc73a82150e2efcd91d9d5cb40bba5c1b0c3ce52299fd2502d2fe60 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n3718195.exe
| MD5 | 2f5e12e59ed8f86487aeccba80873091 |
| SHA1 | 98fcefdb703618ef0418e6286997190a64400daa |
| SHA256 | b7cbf5cc024a86f2847f7a2b8339eacf1735f5e88d73418b18e67bb737a85365 |
| SHA512 | c5dc958dfb162016ca71a1680e6b87ab5559cb708b4c8694ac8d4d59182fc628f7d54dc4217ae18ab5a0944a7a58d96632197a3eb27d607f07068228baea446b |