Analysis Overview
SHA256
d699da8ebc892b7b0ac67813243c2ba04faa428f186a8cc01446e3377bf2c4c2
Threat Level: Known bad
The file d699da8ebc892b7b0ac67813243c2ba04faa428f186a8cc01446e3377bf2c4c2 was found to be: Known bad.
Malicious Activity Summary
RedLine
Executes dropped EXE
Adds Run key to start application
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-09-10 13:58
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-09-10 13:58
Reported
2023-09-10 14:01
Platform
win10-20230831-en
Max time kernel
134s
Max time network
147s
Command Line
Signatures
RedLine
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8729449.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1694019.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m7110257.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n9083220.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\d699da8ebc892b7b0ac67813243c2ba04faa428f186a8cc01446e3377bf2c4c2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8729449.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1694019.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\d699da8ebc892b7b0ac67813243c2ba04faa428f186a8cc01446e3377bf2c4c2.exe | "C:\Users\Admin\AppData\Local\Temp\d699da8ebc892b7b0ac67813243c2ba04faa428f186a8cc01446e3377bf2c4c2.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8729449.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8729449.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1694019.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1694019.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m7110257.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m7110257.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n9083220.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n9083220.exe |
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| RU | 5.42.92.211:80 | 5.42.92.211 | tcp |
| US | 8.8.8.8:53 | 211.92.42.5.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | | tcp |
| FI | 77.91.124.82:19071 | | tcp |
| FI | 77.91.124.82:19071 | | tcp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | | tcp |
| US | 8.8.8.8:53 | 9.57.101.20.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | | tcp |
| US | 8.8.8.8:53 | 209.143.182.52.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8729449.exe
| Hash | Value |
| --- | --- |
| MD5 | a6747c0584424e180a8f4fc7121e1d34 |
| SHA1 | c1293449148cb974acda562528648d55d5c4a54f |
| SHA256 | 2e39be3582d691a7f6e6d078cf056886c426e5b54e2bf3d3c043f87ff2fbf7dc |
| SHA512 | 851345046d55c626fbb478cae89d8920a2a33ec3ac6b71afa25989c3020bb78e3fb49b70dbd909132216e108dd302a20ec8bbe08ddb13e123f0a003645dea455 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1694019.exe
| Hash | Value |
| --- | --- |
| MD5 | 431f3f95510930e963f99cd0d01f0a41 |
| SHA1 | 4b9a18c98064ed6f821936800fdbd14b59ac0832 |
| SHA256 | 8b6972994f255a37a524978b560ba2f8d2f5c0a36d4184639db630ba3e5fb7bc |
| SHA512 | 29263e4cf7efdc69fedfce72762477f436ea509a5b4a8cb16bf3a7b174e284d0c5a7e3c6a65211859779ad8d49749546da7cf718285b262ffa08cf57ee24c404 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m7110257.exe
| Hash | Value |
| --- | --- |
| MD5 | 4a85fb56733eecb5ddd8e0eb1ed5fc10 |
| SHA1 | a00fca2f656406f762bf77850dcbaab1ec68bf77 |
| SHA256 | c8dab383d0b337999d9ee3c3ff15efc1147f44d49215fba683c0a093328a8402 |
| SHA512 | babb63fbbc046a607c5881176fcd95b47bce641fc61489861587ca3618c682a24ecc28aa890b46e80527c1033c9d423cc835ee74c9cd25ad78fe419247d58938 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n9083220.exe
| Hash | Value |
| --- | --- |
| MD5 | fbedbb8621976cc74f389ce738151acb |
| SHA1 | c15d1b8b555b025d68abbfe1cc50e6776aacd408 |
| SHA256 | 8336fdabb3a60a81d3025e92809d9e119ebe8d7e19a3427bd1bf0aa5f0e4b39e |
| SHA512 | 31738f9f338119bee89e07ad972637bbb85037df8d4b38c4431c7a01f293a20bd8caf9fa96dd5c81b9da0e97d52281db8b7ce91dd3ceb1f0d3659ceba08d127f |
memory/204-24-0x0000000000DD0000-0x0000000000E00000-memory.dmp
memory/204-25-0x0000000072EF0000-0x00000000735DE000-memory.dmp
memory/204-26-0x0000000005590000-0x0000000005596000-memory.dmp
memory/204-27-0x0000000005CF0000-0x00000000062F6000-memory.dmp
memory/204-28-0x00000000057F0000-0x00000000058FA000-memory.dmp
memory/204-29-0x0000000005700000-0x0000000005712000-memory.dmp
memory/204-30-0x0000000005760000-0x000000000579E000-memory.dmp
memory/204-31-0x00000000057A0000-0x00000000057EB000-memory.dmp
memory/204-32-0x0000000072EF0000-0x00000000735DE000-memory.dmp