Analysis Overview
SHA256
509e986c7d9c67628f6f957a279f1414fd441b3b6fbb21c46bf00d74f987c220
Threat Level: Known bad
The file 509e986c7d9c67628f6f957a279f1414fd441b3b6fbb21c46bf00d74f987c220 was found to be: Known bad.
Malicious Activity Summary
RedLine
Executes dropped EXE
Adds Run key to start application
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-09-10 09:25
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-09-10 09:25
Reported
2023-09-10 09:28
Platform
win10v2004-20230831-en
Max time kernel
142s
Max time network
150s
Command Line
Signatures
RedLine
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2655142.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y2225031.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m9596896.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n6526775.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\509e986c7d9c67628f6f957a279f1414fd441b3b6fbb21c46bf00d74f987c220.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2655142.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y2225031.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\509e986c7d9c67628f6f957a279f1414fd441b3b6fbb21c46bf00d74f987c220.exe
"C:\Users\Admin\AppData\Local\Temp\509e986c7d9c67628f6f957a279f1414fd441b3b6fbb21c46bf00d74f987c220.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2655142.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2655142.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y2225031.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y2225031.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m9596896.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m9596896.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n6526775.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n6526775.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 254.1.248.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| RU | 5.42.92.211:80 | | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 121.145.253.8.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | | tcp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | | tcp |
| FI | 77.91.124.82:19071 | | tcp |
| FI | 77.91.124.82:19071 | | tcp |
| FI | 77.91.124.82:19071 | | tcp |
| US | 8.8.8.8:53 | 122.10.44.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2655142.exe
| MD5 | e30795c062c537707cb4c04beaf4c5bd |
| SHA1 | a8d37fc6e6eb05998de982d447f3e1a5df5c1b90 |
| SHA256 | c44580baad965f75fdf962bd5d2e78682f0486afc933a66cde5b79c645ea2e07 |
| SHA512 | 9e2087b710f63000399e0a91e5dfa347318417dfc918d9dda2670c2cd708803e932a0dd89fabea7b1c7f9acb81d461e1e59293b8df1cfe7772a1eb27985da907 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y2225031.exe
| MD5 | 42d558174f1caac68d2574320ea6d851 |
| SHA1 | 4f342e03526705972c30c72d57d3075b7bbe7ce2 |
| SHA256 | 4c60e82ac3c74316831092d74f3869bfaa631ba93a9b26308e3a11f4258512a2 |
| SHA512 | d5f866004413ff96cf4ae2bc0a2eefce6571040632c23c391c4b1b4c28ea88bf2a407d982d2bc817cf72a61a8f7cfe17cb05b112ab6bef979e533da73c15db8b |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m9596896.exe
| MD5 | 7d51de3d3db7a185492221e85e07af4b |
| SHA1 | a5331de5bd9a0d3c9f6650ae889e4cd3ab1a3677 |
| SHA256 | 652ae64e8305edb9a3c9221ee05a11b0af3453cb0de44c447e608d0cf54c13ca |
| SHA512 | 1f13938997c68df1a43e383e1a1d5268ff37c9b6c70fb90738e0e1561c4a89dcf6403f44bc955ac9cc3aaabedeaddebcf1234458b266761bd99a77872dc340ca |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n6526775.exe
| MD5 | 4f9db2721bdc4dd5a29a5b807b3d660e |
| SHA1 | 4ba1705cf10b794725f66e9fa116d4a7e3ed49c6 |
| SHA256 | 785ff05e10a1eb7fa1d61b79b01a6e10d26946b0d2c2d6dd3734504845d4e2f6 |
| SHA512 | ac5392647ce78c017901ac99079ee96014b792122524d598c55e95e6366249419f0f8a2d3e9dba0880b21317c368e6275f54534ea69f306c45feb6621923618b |
memory/5072-24-0x0000000000B20000-0x0000000000B50000-memory.dmp
memory/5072-25-0x0000000073D00000-0x00000000744B0000-memory.dmp
memory/5072-26-0x0000000005C50000-0x0000000006268000-memory.dmp
memory/5072-27-0x0000000005740000-0x000000000584A000-memory.dmp
memory/5072-28-0x0000000005620000-0x0000000005630000-memory.dmp
memory/5072-29-0x00000000055E0000-0x00000000055F2000-memory.dmp
memory/5072-30-0x0000000005670000-0x00000000056AC000-memory.dmp
memory/5072-31-0x0000000073D00000-0x00000000744B0000-memory.dmp
memory/5072-32-0x0000000005620000-0x0000000005630000-memory.dmp