Analysis Overview
SHA256
5fb7ac419931189b181a54705418ac2329ba195e4b2f20ef1085650cfe858064
Threat Level: Known bad
The file 0x00080000000146e3-30.dat was found to be: Known bad.
Malicious Activity Summary
Redline family
RedLine
Drops file in System32 directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Uses Task Scheduler COM API
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-09-10 13:40
Signatures
Redline family
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-09-10 13:40
Reported
2023-09-10 13:43
Platform
win7-20230831-en
Max time kernel
133s
Max time network
145s
Command Line
Signatures
RedLine
Processes
C:\Users\Admin\AppData\Local\Temp\0x00080000000146e3-30.exe
"C:\Users\Admin\AppData\Local\Temp\0x00080000000146e3-30.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| FI | 77.91.124.82:19071 | | tcp |
| FI | 77.91.124.82:19071 | | tcp |
| FI | 77.91.124.82:19071 | | tcp |
| FI | 77.91.124.82:19071 | | tcp |
| FI | 77.91.124.82:19071 | | tcp |
| FI | 77.91.124.82:19071 | | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2023-09-10 13:40
Reported
2023-09-10 13:43
Platform
win10v2004-20230831-en
Max time kernel
143s
Max time network
154s
Command Line
Signatures
RedLine
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{C6B5AAA5-F3AC-47CF-BFF1-D4482E5AC2EB}.catalogItem | C:\Windows\System32\svchost.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat | C:\Windows\System32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat | C:\Windows\System32\svchost.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\svchost.exe | N/A |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\0x00080000000146e3-30.exe
"C:\Users\Admin\AppData\Local\Temp\0x00080000000146e3-30.exe"
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.202.248.87.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | | tcp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 135.1.85.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 120.145.253.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 254.22.238.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.208.79.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.81.21.72.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | | tcp |
| FI | 77.91.124.82:19071 | | tcp |
| FI | 77.91.124.82:19071 | | tcp |
| FI | 77.91.124.82:19071 | | tcp |
| FI | 77.91.124.82:19071 | | tcp |
| US | 8.8.8.8:53 | 89.16.208.104.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\wsu9DA7.tmp
| MD5 | c01eaa0bdcd7c30a42bbb35a9acbf574 |
| SHA1 | 0aee3e1b873e41d040f1991819d0027b6cc68f54 |
| SHA256 | 32297224427103aa1834dba276bf5d49cd5dd6bda0291422e47ad0d0706c6d40 |
| SHA512 | d26ff775ad39425933cd3df92209faa53ec5b701e65bfbcccc64ce8dd3e79f619a9bad7cc975a98a95f2006ae89e50551877fc315a3050e48d5ab89e0802e2b7 |
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat
| MD5 | f38c6b0787f563f037623fee989250c9 |
| SHA1 | fd7d80b95ea635f848648f0aaff0226e2c274be7 |
| SHA256 | 540dc9d05835839ff7a11850fea9675abbdbd6946aece64496f1a51d26827e18 |
| SHA512 | 73069ab7be902e888a6683b47d6bfb1a016a423f2802bed0b292093ccdb14ab4afdc2b513a652a738a6b385f3f134e8e024f5065356b58b7afc048d313781474 |
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat
| MD5 | 02a0327b77d00d67ea2a68d90542ee78 |
| SHA1 | d0bf040058a8083e62d277037a9d98176f6a3c18 |
| SHA256 | 7f5f3ff5c6eb8f78deec763081274dc1ffbf39d892c42ca82c20f52c97f0806d |
| SHA512 | 053ae829b4d3889e84b935243167604cd1194b613a20d9ead1317dc5886b68ebc807389a8d8632fb3e56152d262521a75e62c7a0393d7794e7ef325cd4b5a763 |
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat
| MD5 | 6cb88e8bd4e827ea40f2e69d183cd2d9 |
| SHA1 | c9b4874e218e34b7dc4f4a636c65a836277dc563 |
| SHA256 | a9ec11d2738d1efe67094477fb88d705a5bc69a8674add246d6e8624ff71292f |
| SHA512 | 5edd0aa2cb7aa4eb041ba90b64741626a661724dbd8ba785fa4535fadbc4f94cef73fa16dd39893360e478ff4c5ea1e3d32615ba1505650473ef8e2a6f846c7a |
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat
| MD5 | 118ddfff7f15fdd71e01cea81c9bdba8 |
| SHA1 | b0ec8f86aae59ab024a08f155b66fa0ec945ed91 |
| SHA256 | 62c624f1ee94798886022a82a4aafda7aa91e0aaf10c76cb497f9ac5b040de18 |
| SHA512 | 885946c92d847360d58899710d1931b0b96120273978136e71ff616e6e146703de501c78b99d72dab6ab5dd81e22bb008f89886e32b0e4346bb4dbf2d56c0a79 |
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat
| MD5 | df9d9f3e048e47eb17265fdd991c9dca |
| SHA1 | 9e7132c2244189671e9c8a7871a0f54ed1bdb399 |
| SHA256 | a8be625c87edfa3ca4b5ad3c77fd380a08837360bcf80e151b5b73d6be089bc1 |
| SHA512 | 758f3316ca377a74bf88bec4e704c56d1d4b12c3180a30e37d2df85fab13ef2b3d43e8d128331fae64ceb0cbe41d1d1d7524411914da798c2315cce3c7cc3289 |
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat
| MD5 | 53c21dbe04fe230bc2bec06b047d9f38 |
| SHA1 | d63f0872921c1bd50c4bf4c700262df206fc818e |
| SHA256 | def41a5af7f474ba584b10c38d22bb8f41571419d4c91f70a6c1daf540357953 |
| SHA512 | 58b651167c9eae8a59f56b46c206f3cc857b7d051ccfa48ab0e5851db8850fe0fe4fd569f488bde0d6e10404795983e56498b122acf3fb8663cb06348e6d8872 |
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat
| MD5 | 26798b50a016f3c1cbcb5f719b01cb37 |
| SHA1 | 6f6d37a842859fa1a881c1096e7a53cffabc180b |
| SHA256 | 2588c87430945a36919901179858f10957f8be2a0e1690dd84703eddd89f8b19 |
| SHA512 | eda8e58aff0a5c4af9edf459aee4a86b99016e1ed4551f80085ec728bb1bf57d02550ed01e01f6da0e42ac86d961648f0245924692dc7adc54f5020a8d85dea2 |
C:\Users\Admin\AppData\Local\Comms\UnistoreDB\store.jfm
| MD5 | d72bb6f085e82b1cec519ecd62c4df33 |
| SHA1 | ccf1afcb3da2e044156af825376b0bfa6d269781 |
| SHA256 | f274d4b381b5b261a837156437d1a8055c19e6762e9d7f1387ac8a093d69b02b |
| SHA512 | 3eefb81599d8f616922167ca25b5522b3427a926a4f98905658e30d3e77ab8f121b48e213fbf9a6220416b9c2b3a2f28fc933f42c5f580c817b24bbf38a8d328 |
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat
| MD5 | 46d490b54ba7a815a1ca81e0aaaf472f |
| SHA1 | 5e4385521b59ad02a34efe2a8dac436b715ef36d |
| SHA256 | 04b54ff77e7ce82a149d1d4705ad946fc8925a6e1a0f01422dcda0816727f3a3 |
| SHA512 | 1bf3438cb06c3813a43de8ea70b4cc87e75a949d74f4fc78be22f021a53667d4f196a080fd7ab45c1005b70320b7dbca69c8eb6f864cae1fdbafd0533abf4b9e |