Analysis Overview
SHA256
577241d45aa5dc7d188964a95f70af1b589afbbedfc8fb17d7928b5fb2e6c54e
Threat Level: Known bad
The file 577241d45aa5dc7d188964a95f70af1b589afbbedfc8fb17d7928b5fb2e6c54e was found to be: Known bad.
Malicious Activity Summary
RedLine
Executes dropped EXE
Adds Run key to start application
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-09-10 09:22
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-09-10 09:22
Reported
2023-09-10 09:25
Platform
win10-20230831-en
Max time kernel
128s
Max time network
141s
Command Line
Signatures
RedLine
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6761654.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y9453442.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m6793306.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n5835614.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\577241d45aa5dc7d188964a95f70af1b589afbbedfc8fb17d7928b5fb2e6c54e.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6761654.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y9453442.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\577241d45aa5dc7d188964a95f70af1b589afbbedfc8fb17d7928b5fb2e6c54e.exe | "C:\Users\Admin\AppData\Local\Temp\577241d45aa5dc7d188964a95f70af1b589afbbedfc8fb17d7928b5fb2e6c54e.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6761654.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6761654.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y9453442.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y9453442.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m6793306.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m6793306.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n5835614.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n5835614.exe |
Network
| Country | Destination | Domain | Proto |
| RU | 5.42.92.211:80 | | tcp |
| FI | 77.91.124.82:19071 | | tcp |
| FI | 77.91.124.82:19071 | | tcp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | | tcp |
| FI | 77.91.124.82:19071 | | tcp |
| US | 8.8.8.8:53 | 9.57.101.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 5.173.189.20.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6761654.exe
| MD5 | 0decf136562f529a28297998dd79ec55 |
| SHA1 | e7585d6b6cf090069c2ecf2a53eb4af673562c9b |
| SHA256 | 61bd5fa42e4b8fb63c1c2a2bf2e00323adf70b85167f50766d88e27611a2e72f |
| SHA512 | f75402ca59adb5eebecb977caf4683a8f9464c6b4f7dee71fec8324aa9b29260d770d890d2f327c00c8bbabed207620dac27e1ab846e0654f05c4daaccf8efdb |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y9453442.exe
| MD5 | 6982ccceca9266f7b63f70f7a13b3fc5 |
| SHA1 | f9394d1a246f34da5f52e911521253a60c4a078d |
| SHA256 | 7dec5ff2027f19f2911d2dd4f03f401b27c5ecdc589d4a9960a0822397dc8112 |
| SHA512 | 7088b7b4547e9624b43826c98a50e1cb4f04c5fff1d533e1514859901843f04e4ad01adfc6899f496ba37e119ef2732c6d930bf798cb61d4f11006bbe0ac7d65 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m6793306.exe
| MD5 | 49bbc50ba37a6caa1e43c1a7adc5fadd |
| SHA1 | 1344f3f5ef9bf1207919fcea3d7a3f34b5333a6e |
| SHA256 | f14d457eef814320f2089d372cf8f875529ecbc181bff1aa1bd02cebfdc33f4c |
| SHA512 | f134e0fe5a73778f1582eb74a032eea8c47a70ff082e882fff1128146f02b20712191875a0771703f77a0c60087aab6a9245874fcdbcbfeb7bfbd7fe674d19ea |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n5835614.exe
| MD5 | 364851eef6f358ff353473e78268a458 |
| SHA1 | 1e796cdbf6ce440802423fe6f373df302e622a9a |
| SHA256 | b27097d42122248046b41a8235e867f13675f0b38cd89303033b11a4c0f19add |
| SHA512 | f1afea628dae913b6587f6842da17790b543c1c3c45a584843ff6e739eec3b0a4f9a873bb4b34fd84b1c57265239d5167395b17669372f90ef620c3a9be034f4 |
memory/4064-25-0x0000000073160000-0x000000007384E000-memory.dmp
memory/4064-24-0x0000000000AF0000-0x0000000000B20000-memory.dmp
memory/4064-26-0x0000000002C80000-0x0000000002C86000-memory.dmp
memory/4064-27-0x000000000AEC0000-0x000000000B4C6000-memory.dmp
memory/4064-28-0x000000000AA40000-0x000000000AB4A000-memory.dmp
memory/4064-29-0x000000000A970000-0x000000000A982000-memory.dmp
memory/4064-30-0x000000000A9D0000-0x000000000AA0E000-memory.dmp
memory/4064-31-0x000000000AB50000-0x000000000AB9B000-memory.dmp
memory/4064-32-0x0000000073160000-0x000000007384E000-memory.dmp