Analysis Overview
SHA256
c394c85dde339930fef0b8f82e5f1fcf41b4022165eacc8567a9c5284f8824c0
Threat Level: Known bad
The file c394c85dde339930fef0b8f82e5f1fcf41b4022165eacc8567a9c5284f8824c0 was found to be: Known bad.
Malicious Activity Summary
RedLine
Executes dropped EXE
Adds Run key to start application
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-09-10 13:43
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-09-10 13:43
Reported
2023-09-10 13:46
Platform
win10-20230831-en
Max time kernel
134s
Max time network
148s
Command Line
Signatures
RedLine
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9108691.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y6907974.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m6852595.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n4350701.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\c394c85dde339930fef0b8f82e5f1fcf41b4022165eacc8567a9c5284f8824c0.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9108691.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y6907974.exe | N/A |
Note: these three RunOnce values are the standard cleanup entries written by the Windows wextract (IExpress) self-extractor. Each runs advpack.dll's DelNodeRunDLL32 at the next logon to delete one IXP00n.TMP staging directory; none of them re-launches a payload, so they are evidence of nested SFX packaging rather than Run-key persistence. The chain they record is three layers deep: the submitted sample extracts y9108691.exe (IXP000.TMP), which extracts y6907974.exe (IXP001.TMP), which extracts m6852595.exe and n4350701.exe (IXP002.TMP).
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\c394c85dde339930fef0b8f82e5f1fcf41b4022165eacc8567a9c5284f8824c0.exe | "C:\Users\Admin\AppData\Local\Temp\c394c85dde339930fef0b8f82e5f1fcf41b4022165eacc8567a9c5284f8824c0.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9108691.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9108691.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y6907974.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y6907974.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m6852595.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m6852595.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n4350701.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n4350701.exe |
Network
| Country | Destination | Domain | Proto |
| RU | 5.42.92.211:80 | 5.42.92.211 | tcp |
| US | 8.8.8.8:53 | 211.92.42.5.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | | tcp |
| FI | 77.91.124.82:19071 | | tcp |
| FI | 77.91.124.82:19071 | | tcp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | | tcp |
| US | 8.8.8.8:53 | 9.57.101.20.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | | tcp |
| US | 8.8.8.8:53 | 13.173.189.20.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | | tcp |
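The indicators in this report (the dropped-file hashes, the IXP00n.TMP staging paths, the wextract_cleanup RunOnce values and the repeated TCP connections to 77.91.124.82:19071) map directly onto host telemetry. The following Python is an added example and not part of the sandbox report: it matches Sysmon-style process-creation (ID 1), registry-value-set (ID 13) and network-connect (ID 3) events against those indicators. The event lines are constructed for the example, rendered as a simplified `Key=Value|Key=Value` text with Sysmon field names; real exports differ in layout, and the endpoint list is what the sandbox observed, not a confirmed C2 list.

```python
import re
from dataclasses import dataclass

# Indicators copied from the report: SHA256 of the submitted sample and of the
# four executables it drops, and the two TCP endpoints in the Network table.
KNOWN_SHA256 = {
    "c394c85dde339930fef0b8f82e5f1fcf41b4022165eacc8567a9c5284f8824c0": "submitted sample",
    "1d490fef50d85fb899954a648a07682df791344020df9adb4f3351e4c0bd1c29": "IXP000.TMP/y9108691.exe",
    "46b841b5c1ee4eca590937520cce7fced11286f30cb5c61b22f9474fb23cc9e1": "IXP001.TMP/y6907974.exe",
    "a593c86f46caa9bba9f3907d8fd4504b41a2e48ae65c690b3a553f52dedb57e5": "IXP002.TMP/m6852595.exe",
    "75749bf00c3a86930409f7a9b082f941137c80bb6a58a0d616493ac033d423a5": "IXP002.TMP/n4350701.exe",
}
SEEN_ENDPOINTS = {("77.91.124.82", 19071), ("5.42.92.211", 80)}

# Behavioural patterns: an executable started out of a wextract/IExpress
# staging directory, and the RunOnce cleanup value that extractor writes.
IXP_IMAGE = re.compile(r"\\AppData\\Local\\Temp\\IXP\d{3}\.TMP\\[^\\]+\.exe$", re.I)
WEXTRACT_CLEANUP = re.compile(r"\\RunOnce\\wextract_cleanup\d+$", re.I)
SHA256_FIELD = re.compile(r"SHA256=([0-9a-fA-F]{64})")


@dataclass
class Hit:
    event_id: int
    reason: str
    detail: str


def parse_event(line):
    """Split 'Key=Value|Key=Value' into a dict; only the first '=' separates key from value."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def hunt(event):
    """Return the Hits for one parsed event (Sysmon IDs 1, 13 and 3 are checked)."""
    eid = int(event.get("EventID", "0"))
    hits = []
    if eid == 1:  # process creation
        image = event.get("Image", "")
        if IXP_IMAGE.search(image):
            hits.append(Hit(eid, "executable launched from wextract staging directory", image))
        m = SHA256_FIELD.search(event.get("Hashes", ""))
        if m and m.group(1).lower() in KNOWN_SHA256:
            hits.append(Hit(eid, "SHA256 listed in report: " + KNOWN_SHA256[m.group(1).lower()], image))
    elif eid == 13:  # registry value set
        if WEXTRACT_CLEANUP.search(event.get("TargetObject", "")):
            hits.append(Hit(eid, "wextract_cleanup RunOnce value (nested SFX layer)", event.get("Details", "")))
    elif eid == 3:  # network connection
        endpoint = (event.get("DestinationIp", ""), int(event.get("DestinationPort", "0") or 0))
        if endpoint in SEEN_ENDPOINTS:
            hits.append(Hit(eid, "connection to endpoint contacted in the sandbox run", "%s:%d" % endpoint))
    return hits


def hunt_log(lines):
    """Run hunt() over every non-empty line and flatten the results."""
    return [hit for line in lines if line.strip() for hit in hunt(parse_event(line))]


# Constructed sample events (not real telemetry). Only the last two are benign:
# the 8.8.8.8:53 lookups in the report are not treated as an indicator.
SAMPLE_EVENTS = [
    r"EventID=1|Image=C:\Users\Admin\AppData\Local\Temp\c394c85dde339930fef0b8f82e5f1fcf41b4022165eacc8567a9c5284f8824c0.exe"
    r"|Hashes=SHA256=c394c85dde339930fef0b8f82e5f1fcf41b4022165eacc8567a9c5284f8824c0",
    r"EventID=1|Image=C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9108691.exe"
    r"|Hashes=MD5=d4edb5567c7ca11501bef02f208e6161,SHA256=1d490fef50d85fb899954a648a07682df791344020df9adb4f3351e4c0bd1c29",
    r"EventID=13|TargetObject=HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0"
    r'|Details=rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"',
    r"EventID=3|Image=C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n4350701.exe|DestinationIp=77.91.124.82|DestinationPort=19071",
    r"EventID=3|Image=C:\Windows\System32\svchost.exe|DestinationIp=8.8.8.8|DestinationPort=53",
    r"EventID=1|Image=C:\Windows\System32\notepad.exe|Hashes=SHA256=" + "0" * 64,
]

if __name__ == "__main__":
    for hit in hunt_log(SAMPLE_EVENTS):
        print(hit.event_id, hit.reason, hit.detail)
```

Run against the constructed events this yields five hits: one hash match on the submitted sample, a path match plus a hash match on y9108691.exe, the wextract_cleanup0 RunOnce write, and the connection to 77.91.124.82:19071. The staging-directory and RunOnce patterns will also fire on legitimate IExpress installers, so treat them as a pivot to inspect the extracted files rather than as a verdict on their own; the hash and endpoint matches are the specific evidence.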
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9108691.exe
| MD5 | d4edb5567c7ca11501bef02f208e6161 |
| SHA1 | 6ffeab2d5cdc191f508ade66eab65ee27c4a2bb7 |
| SHA256 | 1d490fef50d85fb899954a648a07682df791344020df9adb4f3351e4c0bd1c29 |
| SHA512 | 4ad0e777cc03f22bc20c374be6e5b27a9fee2dcc9a0900d7ec309029f3c4056d28feac0a76fdef932de8a836aafcc9a82228f1c70eb7a20f0e232a62a94ed453 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y6907974.exe
| MD5 | c8d87e7d399e769ed8aeecd61a0bffde |
| SHA1 | dfd0939da42f497bf5dff7859673bc0331d9d06a |
| SHA256 | 46b841b5c1ee4eca590937520cce7fced11286f30cb5c61b22f9474fb23cc9e1 |
| SHA512 | 7b985f8007bc4ca621e29b67e2d44f91743d99b32ad0d8979da3f9fbbccc4e2854b92c3499b1e83628ee7853a8d045b6d032c8dcaebdfc1af25a635e7d88f5af |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m6852595.exe
| MD5 | 73382f6db421cfc92314b76617a0a63b |
| SHA1 | 16a64c163711112fbcbcc416d225e80949aafeb5 |
| SHA256 | a593c86f46caa9bba9f3907d8fd4504b41a2e48ae65c690b3a553f52dedb57e5 |
| SHA512 | 2e326c9f9a203e6ac6a76c7fc32b2fb41fe73fa0f13108b8ba34406b4208486240c3e5632031bfab445bcb76d0f420fd2b8e30f16c950ba863b3f9e9e9ff4e93 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n4350701.exe
| MD5 | 374978733248502d9b975a43a2c7b8eb |
| SHA1 | 252cd7c091e01f74f09c6fd1369f4c8b03bbb4f5 |
| SHA256 | 75749bf00c3a86930409f7a9b082f941137c80bb6a58a0d616493ac033d423a5 |
| SHA512 | ed5395a71cd30d00be4396ff1335b8b66b63a86b259d89227ac17ed9cc31c510204c2b8cbe026d1f5faff736f00e5789691d0e87b161e27caa697c9a49902a77 |
memory/4160-24-0x0000000000AE0000-0x0000000000B10000-memory.dmp
memory/4160-25-0x0000000072F20000-0x000000007360E000-memory.dmp
memory/4160-26-0x0000000002CC0000-0x0000000002CC6000-memory.dmp
memory/4160-27-0x000000000AF50000-0x000000000B556000-memory.dmp
memory/4160-28-0x000000000AA50000-0x000000000AB5A000-memory.dmp
memory/4160-29-0x000000000A960000-0x000000000A972000-memory.dmp
memory/4160-30-0x000000000A9C0000-0x000000000A9FE000-memory.dmp
memory/4160-31-0x000000000AA00000-0x000000000AA4B000-memory.dmp
memory/4160-32-0x0000000072F20000-0x000000007360E000-memory.dmp