Analysis Overview
SHA256
4bab71f88a04106542ebe5ae77c59dcb98e2314f3ad50fc301ae8f454e8322c8
Threat Level: Known bad
The file 4bab71f88a04106542ebe5ae77c59dcb98e2314f3ad50fc301ae8f454e8322c8 was found to be: Known bad.
Malicious Activity Summary
RedLine
Executes dropped EXE
Adds Run key to start application
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-09-10 10:17
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-09-10 10:17
Reported
2023-09-10 10:20
Platform
win10-20230831-en
Max time kernel
135s
Max time network
150s
Command Line
Signatures
RedLine
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3018998.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1774864.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m4350058.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n3130102.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\4bab71f88a04106542ebe5ae77c59dcb98e2314f3ad50fc301ae8f454e8322c8.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3018998.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1774864.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\4bab71f88a04106542ebe5ae77c59dcb98e2314f3ad50fc301ae8f454e8322c8.exe
"C:\Users\Admin\AppData\Local\Temp\4bab71f88a04106542ebe5ae77c59dcb98e2314f3ad50fc301ae8f454e8322c8.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3018998.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3018998.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1774864.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1774864.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m4350058.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m4350058.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n3130102.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n3130102.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| RU | 5.42.92.211:80 | 5.42.92.211 | tcp |
| US | 8.8.8.8:53 | 211.92.42.5.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | | tcp |
| FI | 77.91.124.82:19071 | | tcp |
| FI | 77.91.124.82:19071 | | tcp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | | tcp |
| US | 8.8.8.8:53 | 9.57.101.20.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | | tcp |
| US | 8.8.8.8:53 | 224.162.46.104.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3018998.exe
| MD5 | df99d3d338437ad7948606c0e866dfd8 |
| SHA1 | 5f3d0599288dd9425297304d739dab0c0572aea5 |
| SHA256 | 53636e36a4636954d5b83deb92e080d2d837136e9f9765c8b96b93196efb9197 |
| SHA512 | 263075eb35667b2fc386012cb951ccda631e8f560a4f351ba411785ec1dcc4edca057000b0aed710cacca12cd7bd498ea57ff24ce859d417ea16e30360c3115f |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1774864.exe
| MD5 | b1123e0eea43083d04ca4985357d087e |
| SHA1 | 3f09af2da2146f2b26ef7d72de00b27ac489a991 |
| SHA256 | 58ff35935ca6618a9e8c8b5a746698b4f6d241ab7ce6143dd49699cb0317c5a0 |
| SHA512 | 307f153c52dcd3efa8a2378c47df2ac20db90e7db10e4b2c3850efb12f2954d11e864fbcd1a5dfc4b200a0b05d5a939735eab52280123d6b6bc3a539d9ee2e89 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m4350058.exe
| MD5 | 9d7454d23fcb98608bb27546984f7bf2 |
| SHA1 | 1df6780b2446db970fca203726f792cde1fb36fd |
| SHA256 | 3412205817988b9c1e4e8f74f108e6dda6c84681f28e0d6637934f423c07c672 |
| SHA512 | 347a0b9d3ad549e88283953f2db80d4d9dfd62e9251d0de40d6f46b7e89d17b35fa1ec0fe8cbe4ca03ec2ddb9214f25ebe4ea921aa3d705d9a80e8cf361dac56 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n3130102.exe
| MD5 | 3d9f3caf3864e2d1236a6de74c9f8b9e |
| SHA1 | f27ddf34425c878e7c7067a77178af01490170ef |
| SHA256 | 64b7e6e77af4a8ff51fd76b77d124628c314d6b72aedbec3c19990f0fc4ea9f6 |
| SHA512 | 33c4eeaa20330d835b5ecceba2ccdfb72527f24af0acffd65f402985bdc5402199fe8a50a4c1edb881ece4121470a06ff1a9f68308be0e8496275ff34b3cf6af |
memory/5044-24-0x00000000000B0000-0x00000000000E0000-memory.dmp
memory/5044-25-0x0000000073170000-0x000000007385E000-memory.dmp
memory/5044-26-0x0000000000850000-0x0000000000856000-memory.dmp
memory/5044-27-0x0000000005010000-0x0000000005616000-memory.dmp
memory/5044-28-0x0000000004B10000-0x0000000004C1A000-memory.dmp
memory/5044-29-0x0000000004480000-0x0000000004492000-memory.dmp
memory/5044-30-0x0000000004A40000-0x0000000004A7E000-memory.dmp
memory/5044-31-0x0000000004A80000-0x0000000004ACB000-memory.dmp
memory/5044-32-0x0000000073170000-0x000000007385E000-memory.dmp