Analysis Overview
SHA256
599843ccca192d07098673d85e367c76aaebd4676afcf73d090f4d101553c9e0
Threat Level: Known bad
The file 599843ccca192d07098673d85e367c76aaebd4676afcf73d090f4d101553c9e0 was found to be: Known bad.
Malicious Activity Summary
RedLine
Executes dropped EXE
Adds Run key to start application
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-09-10 13:48
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2023-09-10 13:48
Reported
2023-09-10 13:51
Platform
win10-20230703-en
Max time kernel
135s
Max time network
149s
Command Line
Signatures
RedLine
Executes dropped EXE
| Process |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3472328.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y2658062.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m1073773.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n8247292.exe |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\599843ccca192d07098673d85e367c76aaebd4676afcf73d090f4d101553c9e0.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3472328.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y2658062.exe | N/A |
These are RunOnce values, not Run values, and none of them launches the malware: rundll32 advpack.dll,DelNodeRunDLL32 deletes the named directory at next logon. wextract.exe, the stub of an IExpress self-extracting package, writes exactly this cleanup entry for its IXPnnn.TMP extraction directory, so three entries, each written by a binary that the previous layer extracted, show a three-deep nested IExpress package (IXP000.TMP, IXP001.TMP, IXP002.TMP) rather than persistence. No Run-key persistence for the final RedLine payload appears in this report.
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\599843ccca192d07098673d85e367c76aaebd4676afcf73d090f4d101553c9e0.exe | "C:\Users\Admin\AppData\Local\Temp\599843ccca192d07098673d85e367c76aaebd4676afcf73d090f4d101553c9e0.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3472328.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3472328.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y2658062.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y2658062.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m1073773.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m1073773.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n8247292.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n8247292.exe |
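The process chain above (root sample, then a child in IXP000.TMP, then IXP001.TMP, then two siblings in IXP002.TMP, each layer writing a wextract_cleanupN RunOnce value) is the footprint of nested IExpress self-extracting packages. The Python below is an added example, not part of the sandbox report or of any vendor tooling, showing how to flag that nesting from process-creation and registry-set telemetry. The event tuples are constructed from the paths in this report; the PIDs are made up, the registry values are shown unescaped as they would sit in the hive, and the depth threshold of 2 is an assumption (a single IXP level is what any ordinary IExpress installer produces).

```python
import re
from collections import defaultdict

# RunOnce value name that wextract.exe (the IExpress self-extractor stub) writes
# so that its IXPnnn.TMP extraction directory is deleted at next logon.
CLEANUP_KEY_RE = re.compile(r"\\RunOnce\\wextract_cleanup(\d+)$", re.IGNORECASE)
# The cleanup command itself: rundll32 advpack.dll,DelNodeRunDLL32 "<dir>"
DELNODE_RE = re.compile(
    r'^rundll32(?:\.exe)?\s+\S*advpack\.dll,DelNodeRunDLL32\s+"(?P<dir>[^"]+)"\s*$',
    re.IGNORECASE,
)
IXP_DIR_RE = re.compile(r"\\(IXP\d{3}\.TMP)\\", re.IGNORECASE)

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
ROOT = TEMP + r"\599843ccca192d07098673d85e367c76aaebd4676afcf73d090f4d101553c9e0.exe"

# Constructed process-creation events (pid, ppid, image). PIDs are invented;
# the parent/child layout follows the extraction order seen in the report.
SAMPLE_PROCESSES = [
    (1100, 1000, ROOT),
    (1200, 1100, TEMP + r"\IXP000.TMP\y3472328.exe"),
    (1300, 1200, TEMP + r"\IXP001.TMP\y2658062.exe"),
    (1400, 1300, TEMP + r"\IXP002.TMP\m1073773.exe"),
    (1500, 1300, TEMP + r"\IXP002.TMP\n8247292.exe"),
]

RUNONCE = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce"
DELNODE = r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "%s\"'

# Constructed registry-set events (writer image, key, value).
SAMPLE_REGISTRY = [
    (ROOT, RUNONCE + r"\wextract_cleanup0", DELNODE % (TEMP + r"\IXP000.TMP")),
    (TEMP + r"\IXP000.TMP\y3472328.exe", RUNONCE + r"\wextract_cleanup1", DELNODE % (TEMP + r"\IXP001.TMP")),
    (TEMP + r"\IXP001.TMP\y2658062.exe", RUNONCE + r"\wextract_cleanup2", DELNODE % (TEMP + r"\IXP002.TMP")),
]


def cleanup_targets(registry_events):
    """Map each writer image to the extraction directories its wextract
    cleanup values point at. One value per package is normal; a writer that
    itself lives in an IXP directory is an inner layer of a nested package."""
    out = defaultdict(list)
    for writer, key, value in registry_events:
        if not CLEANUP_KEY_RE.search(key):
            continue
        m = DELNODE_RE.match(value)
        if m:
            out[writer].append(m.group("dir").rstrip("\\"))
    return dict(out)


def ixp_chain(process_events, pid):
    """Distinct IXPnnn.TMP directories along pid's ancestry, outermost first."""
    by_pid = {p: (pp, img) for p, pp, img in process_events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        ppid, image = by_pid[pid]
        m = IXP_DIR_RE.search(image)
        if m:
            name = m.group(1).upper()
            if not chain or chain[-1] != name:   # collapse siblings in one dir
                chain.append(name)
        pid = ppid
    return chain[::-1]


def flag_nested_iexpress(process_events, registry_events, min_depth=2):
    """Return {pid: (image, chain)} for processes whose ancestry crosses at
    least min_depth IXP directories, at least one of which is also the target
    of a wextract cleanup value (ties the process tree to the registry write).
    min_depth=2 is an assumption: a plain IExpress installer gives depth 1."""
    cleanup_dirs = {
        d.upper().rsplit("\\", 1)[-1]
        for dirs in cleanup_targets(registry_events).values()
        for d in dirs
    }
    hits = {}
    for pid, _, image in process_events:
        chain = ixp_chain(process_events, pid)
        if len(chain) >= min_depth and any(c in cleanup_dirs for c in chain):
            hits[pid] = (image, chain)
    return hits


if __name__ == "__main__":
    for pid, (image, chain) in sorted(flag_nested_iexpress(SAMPLE_PROCESSES, SAMPLE_REGISTRY).items()):
        print(pid, image.rsplit("\\", 1)[-1], " -> ".join(chain))
```

Run against the constructed events, the root sample and the first-level child are not flagged (depth 0 and 1), while y2658062.exe, m1073773.exe and n8247292.exe are, with the full IXP000 to IXP002 chain attached so an analyst can see which layer dropped which binary. Requiring the cleanup RunOnce write alongside the process tree keeps a lone executable that happens to run from a leftover IXP directory from firing the rule.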
Network
| Country | Destination | Domain | Proto |
| RU | 5.42.92.211:80 | 5.42.92.211 | tcp |
| US | 8.8.8.8:53 | 211.92.42.5.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa | udp |
| FI | 77.91.124.82:19071 | | tcp |
| FI | 77.91.124.82:19071 | | tcp |
| FI | 77.91.124.82:19071 | | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | | tcp |
| US | 8.8.8.8:53 | 9.57.101.20.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | | tcp |
| US | 8.8.8.8:53 | 90.65.42.20.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3472328.exe
| MD5 | ee86e032eac963b5d9b14ae097578e12 |
| SHA1 | 8b9b6c96e8f2c6c8c1617d3aea36e32b01e0876e |
| SHA256 | 180ef58e71699f56fca06f9f78371e56823eb7024e8e2893d223e22e73fceafe |
| SHA512 | 60740b21da274316165171cffb1325dfe8e20bf43e169f2d3c9448aacd79bf4e2ae9544d3f94bcc9417f9115f9d97830509268c0c6386d5f396f70eb9589c4b5 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y2658062.exe
| MD5 | 945736f8439d4edf45268e0aa9700829 |
| SHA1 | 399835cd8ca19b58cabdd56fc9ff4d35b49ab90e |
| SHA256 | 47ffa98fa556ec4190dfb278ca09b7443412f86bd5b541344c4188edc860a16f |
| SHA512 | 69a85a55d5534429706ae6cc0c7db550629e812a0be7feeb8d88084b347600fc2f223b335bc735ebf8027f271112130ae446237f9f63bd4f3fe73de2ec9eda52 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m1073773.exe
| MD5 | 8ad4f8b9d6e6f0e6629f16a7302cd42f |
| SHA1 | f6663351e2b97b704757365cf5f7ab212f6ca290 |
| SHA256 | eb303f1d5469de2ffb5dc6ea23e59675f14c431122889ba180d09b3b7f05ac78 |
| SHA512 | 8dc9878e68854c2b5ce6e35768f2615e154f4831472af6327a088e87884b4c995fd297e86373f3f8c6299b74e69cea4b42bdf8e338fe3f0e0c84890e114c6729 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n8247292.exe
| MD5 | 23107bd07a2bdfd3cc9b9626767ba9ee |
| SHA1 | d66c91701c8ad9773e077a8e3ca9d33c08274acc |
| SHA256 | c7b2b897172ed3cbd3b4cd24e7c880bb6bbd363098c63eaba7774daa8f7fedc4 |
| SHA512 | 385cbf99821092068fbc3bfbe950f9d6e8e4a378635c4ed11f7ded4f22f756f8119448001a684b5cfba689eb59e730ac36a44f8b09dcc4abf9d96786db07471b |
memory/4500-24-0x0000000000D40000-0x0000000000D70000-memory.dmp
memory/4500-25-0x00000000736C0000-0x0000000073DAE000-memory.dmp
memory/4500-26-0x0000000002E90000-0x0000000002E96000-memory.dmp
memory/4500-27-0x000000000B040000-0x000000000B646000-memory.dmp
memory/4500-28-0x000000000AB50000-0x000000000AC5A000-memory.dmp
memory/4500-29-0x000000000AA80000-0x000000000AA92000-memory.dmp
memory/4500-30-0x000000000AAE0000-0x000000000AB1E000-memory.dmp
memory/4500-31-0x000000000AC60000-0x000000000ACAB000-memory.dmp
memory/4500-32-0x00000000736C0000-0x0000000073DAE000-memory.dmp