Analysis Overview
SHA256
1a9919325da63b8484a6bd765fb24e43189e13130d5740306b71aac0ea7178ce
Threat Level: Known bad
The file 1a9919325da63b8484a6bd765fb24e43189e13130d5740306b71aac0ea7178ce was found to be: Known bad.
Malicious Activity Summary
RedLine
Executes dropped EXE
Adds Run key to start application
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-09-10 09:39
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-09-10 09:39
Reported
2023-09-10 09:42
Platform
win10-20230831-en
Max time kernel
130s
Max time network
147s
Command Line
Signatures
RedLine
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6670028.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4413852.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m5033490.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n6383049.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\1a9919325da63b8484a6bd765fb24e43189e13130d5740306b71aac0ea7178ce.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6670028.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4413852.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\1a9919325da63b8484a6bd765fb24e43189e13130d5740306b71aac0ea7178ce.exe | "C:\Users\Admin\AppData\Local\Temp\1a9919325da63b8484a6bd765fb24e43189e13130d5740306b71aac0ea7178ce.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6670028.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6670028.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4413852.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4413852.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m5033490.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m5033490.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n6383049.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n6383049.exe |
Network
| Country | Destination | Domain | Proto |
| RU | 5.42.92.211:80 | | tcp |
| FI | 77.91.124.82:19071 | | tcp |
| FI | 77.91.124.82:19071 | | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | | tcp |
| FI | 77.91.124.82:19071 | | tcp |
| US | 8.8.8.8:53 | 38.148.119.40.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6670028.exe
| MD5 | 7d167f11001e81ae9de536d660be67c5 |
| SHA1 | f28c61d979e3178d7d3ddf6378bb2ccf7062d95f |
| SHA256 | e1d6e976808c8081f81d00daad0409756605111ffc9e41e67f58f98a6565b6fa |
| SHA512 | 2e39a7a9193fd772db2d4d7860e7c5ba7e448f00f9ddff8a82672e4f6bde9a632ca0da4e996827e4c167dc1f1b38e48a6341fd1bc55e719b39629a510dce395f |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4413852.exe
| MD5 | 69cd62dd1807a3f3ed07f3828ee0a149 |
| SHA1 | 5e1f177ce86d6da85975bb009de1bd5f3f98ec93 |
| SHA256 | 5e69862b29c7fe4ce5498185f281c3bdbe55a1fc882bc2089fd020c48fa17b35 |
| SHA512 | 6c44f5a290e7a25b0db758e9232accb8ae6ac67b1ed6bd0fffaad3c4b670418c4cae4dc41527c7bd34a2ea252341e1ea4eaeedcc36057d33bce2ae16787b323f |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m5033490.exe
| MD5 | b9c72a6902c1b14f2e054497232b5e14 |
| SHA1 | 39291f76b1a94185d76c160980dffb1f9fbf41d3 |
| SHA256 | 0118ef88749345f4ada8bb2281f71b0601117b952cc9d67666a3d5c02f486ccf |
| SHA512 | 521e05913bf9b0f1bae38b1d32746efe22bcb5ca821d4c4e11962f80bf04f27461881f201a4382156480c3c739cbba9389e7ad2ff4d782bfd7c552e97549d2da |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n6383049.exe
| MD5 | 1b276d9e94d340bed48c1a253a60796c |
| SHA1 | b7c3c4cefe1529536b455eeee0e2b88057f5a34a |
| SHA256 | 6322738bdf57adddd1d5afe6cd9c4a1f39a23df63707375de59a51360f869e82 |
| SHA512 | c8c5136525861a94da38a3a7792b9a86e22daaf829066e3e666859d610d073352e9c1ac6f217a349f4b9adb42587c7cd5f2e48d6e489b5b5e5a089ff8666bd80 |