Analysis Overview
SHA256
427fc9aabd9fb141a41b1bdf410eb785cea07db78ee47e3601b202aac8d9ca1e
Threat Level: Known bad
The file 427fc9aabd9fb141a41b1bdf410eb785cea07db78ee47e3601b202aac8d9ca1e was found to be: Known bad.
Malicious Activity Summary
RedLine
Executes dropped EXE
Adds Run key to start application
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-09-10 13:42
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-09-10 13:42
Reported
2023-09-10 13:45
Platform
win10v2004-20230831-en
Max time kernel
167s
Max time network
171s
Command Line
Signatures
RedLine
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6209226.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y6468188.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m1111805.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n4891288.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\427fc9aabd9fb141a41b1bdf410eb785cea07db78ee47e3601b202aac8d9ca1e.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6209226.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y6468188.exe | N/A |
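The three RunOnce values above are not payload persistence: `wextract_cleanupN = rundll32.exe advpack.dll,DelNodeRunDLL32 "<dir>"` is what the IExpress self-extractor stub (wextract.exe) writes so that its `IXPnnn.TMP` extraction directory is deleted at the next logon. Read together with the "Executes dropped EXE" rows, they describe a three-deep nest of SFX archives: the submitted file unpacks into IXP000.TMP, y6209226.exe unpacks into IXP001.TMP, y6468188.exe unpacks into IXP002.TMP, and the two final payloads run from there. The following script is an added example (not part of the sandbox report or its tooling) that reconstructs that chain from event records transcribed from the rows above; the tuple layout of `REG_EVENTS`/`PROC_EVENTS` is an assumed format, not the sandbox's export. It also separates cleanup entries from Run/RunOnce writes that would actually persist, which for this report is an empty list.

```python
import re

# Constructed event list, transcribed from the "Adds Run key" and "Executes
# dropped EXE" rows of the report. The tuple layout is an assumption, not the
# sandbox's export format.
TMP = r"C:\Users\Admin\AppData\Local\Temp"
ROOT = TMP + r"\427fc9aabd9fb141a41b1bdf410eb785cea07db78ee47e3601b202aac8d9ca1e.exe"
RUNONCE = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce"


def cleanup_value(directory):
    """Value data wextract.exe writes: delete `directory` via advpack at next logon."""
    return f'rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 "{directory}\\"'


REG_EVENTS = [  # (process that set the value, value path, value data)
    (ROOT, RUNONCE + r"\wextract_cleanup0", cleanup_value(TMP + r"\IXP000.TMP")),
    (TMP + r"\IXP000.TMP\y6209226.exe", RUNONCE + r"\wextract_cleanup1", cleanup_value(TMP + r"\IXP001.TMP")),
    (TMP + r"\IXP001.TMP\y6468188.exe", RUNONCE + r"\wextract_cleanup2", cleanup_value(TMP + r"\IXP002.TMP")),
]
PROC_EVENTS = [  # image paths of every process the sandbox observed
    ROOT,
    TMP + r"\IXP000.TMP\y6209226.exe",
    TMP + r"\IXP001.TMP\y6468188.exe",
    TMP + r"\IXP002.TMP\m1111805.exe",
    TMP + r"\IXP002.TMP\n4891288.exe",
]

# wextract (IExpress SFX stub) extracts into %TEMP%\IXPnnn.TMP and schedules
# that directory's deletion with advpack.dll!DelNodeRunDLL32 under RunOnce.
CLEANUP_NAME_RE = re.compile(r"\\RunOnce\\wextract_cleanup(\d+)$", re.IGNORECASE)
CLEANUP_DATA_RE = re.compile(
    r'^rundll32(?:\.exe)?\s+(?:\S*\\)?advpack\.dll,DelNodeRunDLL32\s+"(?P<dir>[^"]+?)\\?"\s*$',
    re.IGNORECASE,
)
IXP_DIR_RE = re.compile(r"\\(IXP\d{3}\.TMP)\\", re.IGNORECASE)


def parse_cleanup(value_path, value_data):
    """Return (index, extraction dir) for a wextract cleanup entry, else None."""
    name = CLEANUP_NAME_RE.search(value_path)
    data = CLEANUP_DATA_RE.match(value_data)
    if not (name and data):
        return None
    return int(name.group(1)), data.group("dir")


def extraction_dir(image_path):
    """IXPnnn.TMP component of a path, if the image was run from an SFX temp dir."""
    m = IXP_DIR_RE.search(image_path)
    return m.group(1).upper() if m else None


def build_chain(reg_events, proc_events):
    """One stage per cleanup entry: which process extracted it, what ran from it."""
    stages = {}
    for proc, path, data in reg_events:
        parsed = parse_cleanup(path, data)
        if parsed is None:
            continue
        idx, directory = parsed
        leaf = directory.rsplit("\\", 1)[-1].upper()
        stages[idx] = {
            "dir": leaf,
            "extractor": proc,
            "payloads": [p.rsplit("\\", 1)[-1] for p in proc_events if extraction_dir(p) == leaf],
        }
    return [stages[i] for i in sorted(stages)]


def is_nested(chain):
    """True when each extractor was itself launched from the previous stage's dir."""
    return all(extraction_dir(chain[i]["extractor"]) == chain[i - 1]["dir"]
               for i in range(1, len(chain)))


def non_cleanup_autoruns(reg_events):
    """Run/RunOnce writes that are not wextract cleanup: the real persistence candidates."""
    return [(proc, path) for proc, path, data in reg_events
            if re.search(r"\\CurrentVersion\\Run(?:Once)?\\", path, re.IGNORECASE)
            and parse_cleanup(path, data) is None]


if __name__ == "__main__":
    chain = build_chain(REG_EVENTS, PROC_EVENTS)
    for n, stage in enumerate(chain):
        extractor = stage["extractor"].rsplit("\\", 1)[-1]
        print(f"stage {n}: {stage['dir']} unpacked by {extractor} -> runs {stage['payloads']}")
    print("nested SFX chain:", is_nested(chain))
    print("autoruns that would persist:", non_cleanup_autoruns(REG_EVENTS))
```

In a hunt, the useful signal is the combination: a process running from `%TEMP%\IXPnnn.TMP` that itself writes another `wextract_cleanup` entry. One level is how any IExpress installer behaves; two or more levels of SFX-in-SFX with random eight-character names is the loader pattern this report shows.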
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\427fc9aabd9fb141a41b1bdf410eb785cea07db78ee47e3601b202aac8d9ca1e.exe
"C:\Users\Admin\AppData\Local\Temp\427fc9aabd9fb141a41b1bdf410eb785cea07db78ee47e3601b202aac8d9ca1e.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6209226.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6209226.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y6468188.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y6468188.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m1111805.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m1111805.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n4891288.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n4891288.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| RU | 5.42.92.211:80 | 5.42.92.211 | tcp |
| US | 8.8.8.8:53 | 211.92.42.5.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.57.101.20.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | | tcp |
| FI | 77.91.124.82:19071 | | tcp |
| FI | 77.91.124.82:19071 | | tcp |
| FI | 77.91.124.82:19071 | | tcp |
| FI | 77.91.124.82:19071 | | tcp |
| US | 8.8.8.8:53 | 99.134.101.95.in-addr.arpa | udp |
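Most rows in the Network table are PTR queries the guest sends to 8.8.8.8 (`<reversed octets>.in-addr.arpa`), which are largely OS background activity; the two rows that matter are the TCP connections to IP literals with no hostname, one HTTP fetch from 5.42.92.211 and six attempts against 77.91.124.82:19071, a repeated connection to a non-standard port that fits RedLine's raw-TCP C2 check-in. Decoding the PTR names also shows that `211.92.42.5.in-addr.arpa` is the reverse lookup of 5.42.92.211, i.e. the guest looked the HTTP peer up after talking to it. The script below is an added example (not part of the report or its tooling) that performs this triage over a transcribed copy of the table; the row tuple layout and the reason labels are assumptions, and the "reverse-resolved" label is an interpretation of that correlation, not something the sandbox asserts.

```python
import re
from collections import Counter

# Constructed copy of the report's Network table (Country, Destination, Domain,
# Proto); the tuple form is an assumption, not the sandbox's export format.
ROWS = [
    ("US", "8.8.8.8:53", "73.31.126.40.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "95.221.229.192.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "9.228.82.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "240.221.184.93.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "146.78.124.51.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "26.35.223.20.in-addr.arpa", "udp"),
    ("RU", "5.42.92.211:80", "5.42.92.211", "tcp"),
    ("US", "8.8.8.8:53", "211.92.42.5.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "41.110.16.96.in-addr.arpa", "udp"),
    ("FI", "77.91.124.82:19071", "", "tcp"),
    ("US", "8.8.8.8:53", "50.23.12.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "171.39.242.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "8.3.197.209.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "158.240.127.40.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "9.57.101.20.in-addr.arpa", "udp"),
] + [("FI", "77.91.124.82:19071", "", "tcp")] * 5 + [
    ("US", "8.8.8.8:53", "99.134.101.95.in-addr.arpa", "udp"),
]

PTR_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.in-addr\.arpa$")
COMMON_PORTS = {80, 443}


def ptr_target(name):
    """Decode a reverse-DNS query name back to the IP that was looked up."""
    m = PTR_RE.match(name)
    return ".".join(reversed(m.groups())) if m else None


def triage(rows):
    """Split DNS noise from real connections and record why each one is notable."""
    ptr_ips, conns, hostnames = set(), Counter(), {}
    for _country, dest, domain, proto in rows:
        ip, port = dest.rsplit(":", 1)
        if proto == "udp" and port == "53":
            target = ptr_target(domain)
            if target:
                ptr_ips.add(target)
            continue
        key = (ip, int(port), proto)
        conns[key] += 1
        if domain and domain != ip:  # a real hostname was associated with the flow
            hostnames[key] = domain
    findings = []
    for (ip, port, proto), n in conns.items():
        reasons = []
        if (ip, port, proto) not in hostnames:
            reasons.append("ip_literal")  # no hostname: hard-coded address
        if port not in COMMON_PORTS:
            reasons.append("nonstandard_port")
        if n >= 3:
            reasons.append(f"repeated:{n}")  # retry or beacon loop
        if ip in ptr_ips:
            reasons.append("guest_reverse_resolved")  # guest did a PTR lookup of this peer
        findings.append({"ip": ip, "port": port, "proto": proto, "attempts": n, "reasons": reasons})
    return sorted(findings, key=lambda f: -len(f["reasons"]))


def c2_candidates(findings):
    """IP-literal TCP peers, strongest signals first: the destinations worth blocking."""
    return [f"{f['ip']}:{f['port']}" for f in findings
            if f["proto"] == "tcp" and "ip_literal" in f["reasons"]]


if __name__ == "__main__":
    results = triage(ROWS)
    for f in results:
        print(f"{f['ip']}:{f['port']}/{f['proto']} x{f['attempts']} {f['reasons']}")
    print("block list:", c2_candidates(results))
```

The same logic ports directly to a SIEM query: connections to an IP literal on a port outside the usual web ports, repeated several times within a short window from a process running out of `%TEMP%`, is the network half of the host pattern the registry and process sections show.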
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6209226.exe
| MD5 | bf93ed68f3a7c89e16dd609658d1d60c |
| SHA1 | 5e07617caeebab3cbdc3f36d980777bc0971f8fb |
| SHA256 | 16650148258fd10c488557f20a637e9c4a9e5cef8798245c9fe53478c2fca54d |
| SHA512 | bd73d5126797c0038ef430f249766c9b479f19393271bbde35f2679da6971bec7b1eaeeb8875968cf2d0e3b334a44d2f00a3263cdd60e59a1a54fa4ce9cd8df1 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y6468188.exe
| MD5 | c912838867ab8540ebe1934d1e237f16 |
| SHA1 | ebfe2eac811a4073ebf1a98d7add4711dd8f6310 |
| SHA256 | 97f9632b8308485734682550e03b4ae7f3aa7daba4444c9c5e8a892a8066875c |
| SHA512 | ff31e811729d156a229405cfc4a18a89bdd9f4257fff69e01cb239ef9564a518d299277f1094375f7c160f9579ed19993188ef2fe94cfe7058ec8eb49fd40a19 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m1111805.exe
| MD5 | bcb90b1506a33d1c0f75c1f6b5e15e00 |
| SHA1 | 15745a8edb7e5d22f3d354c940c86c2ef169e114 |
| SHA256 | bfe5711d5b0bea2404032920a505dc1321913304eebd7a003c7eda7abd7676e1 |
| SHA512 | 0dd59b93066e7f0c0a05b5a682b973356f454548fb3564c99b1b5801af86bc168b9cfea1aae443bfa7cd76d2993ecda220d84f86744629607213feb209b23667 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n4891288.exe
| MD5 | d06a765b4a839850bfe55b445d289f9d |
| SHA1 | 16ffae344ea228a9d4376b09701cd755266a2f7c |
| SHA256 | b72eb51508205296db36d84afd5eba001a64faf1500e06a05e4cce0ae1bcb9c3 |
| SHA512 | cb33361a000977a9fc6053c52782bc69ac50f3d3699ccdda235acd6321d6dd35f60f30670ea0e5982c3d8a4b2be038a3ce16d28db9b61036de527b20f326baf4 |
memory/2340-24-0x0000000000820000-0x0000000000850000-memory.dmp
memory/2340-25-0x00000000741D0000-0x0000000074980000-memory.dmp
memory/2340-26-0x00000000058E0000-0x0000000005EF8000-memory.dmp
memory/2340-27-0x00000000053D0000-0x00000000054DA000-memory.dmp
memory/2340-29-0x00000000052B0000-0x00000000052C0000-memory.dmp
memory/2340-28-0x00000000052F0000-0x0000000005302000-memory.dmp
memory/2340-30-0x0000000005350000-0x000000000538C000-memory.dmp
memory/2340-31-0x00000000741D0000-0x0000000074980000-memory.dmp
memory/2340-32-0x00000000052B0000-0x00000000052C0000-memory.dmp