Analysis Overview
SHA256
249250ee0dc7a47d413380bf8a83c2d61b80ad55ae2e129175689fe3ba9abf18
Threat Level: Known bad
The file 249250ee0dc7a47d413380bf8a83c2d61b80ad55ae2e129175689fe3ba9abf18 was found to be: Known bad.
Malicious Activity Summary
RedLine
Executes dropped EXE
Adds Run key to start application
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-09-10 14:48
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-09-10 14:48
Reported
2023-09-10 14:51
Platform
win10-20230831-en
Max time kernel
137s
Max time network
152s
Command Line
Signatures
RedLine
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0189654.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0477247.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m2167821.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n8912791.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\249250ee0dc7a47d413380bf8a83c2d61b80ad55ae2e129175689fe3ba9abf18.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0189654.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0477247.exe | N/A |
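The three RunOnce values above are the self-extractor's own cleanup hook, not persistence for the payload: a wextract/IExpress-style package writes wextract_cleanupN so that advpack.dll,DelNodeRunDLL32 deletes its IXP00N.TMP directory at the next logon, and the entry relaunches nothing. What they do record is the unpacking order (the sample unpacks into IXP000.TMP, y0189654.exe into IXP001.TMP, y0477247.exe into IXP002.TMP). The Python below is an added example, not part of this report, that reconstructs that chain from sandbox-style events and labels RunOnce values. Paths are copied from the report; the parent/child process pairs and the event layout are assumptions consistent with which process set each cleanup value.

```python
"""Reconstruct a nested wextract (IExpress) extraction chain from sandbox-style
events and triage its RunOnce entries. Added example; paths copied from the
report, parent/child pairs and event layout are assumptions."""
import ntpath
import re
from collections import defaultdict

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
RUNONCE = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce"
SAMPLE = TEMP + r"\249250ee0dc7a47d413380bf8a83c2d61b80ad55ae2e129175689fe3ba9abf18.exe"

# Constructed (parent image, child image) pairs: the report lists the executed
# drops but not the tree, so this is an assumption consistent with which
# process registered each wextract_cleanupN value.
PROC_EVENTS = [
    (SAMPLE, TEMP + r"\IXP000.TMP\y0189654.exe"),
    (TEMP + r"\IXP000.TMP\y0189654.exe", TEMP + r"\IXP001.TMP\y0477247.exe"),
    (TEMP + r"\IXP001.TMP\y0477247.exe", TEMP + r"\IXP002.TMP\m2167821.exe"),
    (TEMP + r"\IXP001.TMP\y0477247.exe", TEMP + r"\IXP002.TMP\n8912791.exe"),
]

def _cleanup_data(n):
    # Shape of the value wextract writes: rundll32 advpack.dll,DelNodeRunDLL32 "<dir>\"
    return (r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "'
            + TEMP + r"\IXP00%d.TMP" % n + '\\"')

# (process, key, value name, data) registry set events, as in the report's table
REG_EVENTS = [
    (SAMPLE, RUNONCE, "wextract_cleanup0", _cleanup_data(0)),
    (TEMP + r"\IXP000.TMP\y0189654.exe", RUNONCE, "wextract_cleanup1", _cleanup_data(1)),
    (TEMP + r"\IXP001.TMP\y0477247.exe", RUNONCE, "wextract_cleanup2", _cleanup_data(2)),
]

NAME_RE = re.compile(r"^wextract_cleanup(\d+)$", re.IGNORECASE)
DATA_RE = re.compile(
    r'^rundll32(?:\.exe)?\s+\S*advpack\.dll,DelNodeRunDLL32\s+"([^"]+)"', re.IGNORECASE)

def parse_cleanup(value_name, data):
    """(stage index, directory) if this is a wextract cleanup value, else None."""
    m_name, m_data = NAME_RE.match(value_name), DATA_RE.match(data)
    if not (m_name and m_data):
        return None
    return int(m_name.group(1)), m_data.group(1).rstrip("\\")

def classify_runonce(value_name, data):
    """'wextract_cleanup' = the packer's delete-directory-at-next-logon hook
    (it relaunches nothing); any other RunOnce value still needs a look."""
    return "wextract_cleanup" if parse_cleanup(value_name, data) else "review"

def build_chain(proc_events, reg_events):
    """Order the extraction stages: which process unpacked into which
    IXP00N.TMP directory and which executables then ran from it."""
    extractor = {}  # lowercase dir -> (stage index, process that registered cleanup)
    for proc, key, name, data in reg_events:
        parsed = parse_cleanup(name, data) if key.lower().endswith("runonce") else None
        if parsed:
            extractor[parsed[1].lower()] = (parsed[0], proc)
    ran_from = defaultdict(list)
    for _parent, child in proc_events:
        ran_from[ntpath.dirname(child).lower()].append(child)
    stages = [{"stage": idx, "dir": d, "extractor": proc, "executed": ran_from.pop(d, [])}
              for d, (idx, proc) in sorted(extractor.items(), key=lambda kv: kv[1][0])]
    # executables launched from a directory no cleanup hook covers were not
    # written by wextract and deserve a separate look
    unattributed = [exe for exes in ran_from.values() for exe in exes]
    return stages, unattributed

if __name__ == "__main__":
    stages, loose = build_chain(PROC_EVENTS, REG_EVENTS)
    for s in stages:
        print(f"stage {s['stage']}: {ntpath.basename(s['extractor'])} -> {s['dir']}")
        for exe in s["executed"]:
            print("   ran", ntpath.basename(exe))
    print("unattributed:", loose)
    for _p, _k, name, data in REG_EVENTS:
        print(name, "->", classify_runonce(name, data))
```

The same parser applies to any RunOnce value from a sandbox or EDR feed: a value that matches the wextract shape can be down-ranked, while a RunOnce or Run value that does not (for example one pointing at a copy of the final payload under AppData) is the one that actually indicates persistence.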
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\249250ee0dc7a47d413380bf8a83c2d61b80ad55ae2e129175689fe3ba9abf18.exe
"C:\Users\Admin\AppData\Local\Temp\249250ee0dc7a47d413380bf8a83c2d61b80ad55ae2e129175689fe3ba9abf18.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0189654.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0189654.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0477247.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0477247.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m2167821.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m2167821.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n8912791.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n8912791.exe
Network
| Country | Destination | Domain | Proto |
| RU | 5.42.92.211:80 | 5.42.92.211 | tcp |
| US | 8.8.8.8:53 | 211.92.42.5.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | | tcp |
| FI | 77.91.124.82:19071 | | tcp |
| FI | 77.91.124.82:19071 | | tcp |
| FI | 77.91.124.82:19071 | | tcp |
| US | 8.8.8.8:53 | 38.148.119.40.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 105.193.132.51.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | | tcp |
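The network table shows one HTTP connection to 5.42.92.211, six TCP connections to 77.91.124.82:19071, and four reverse (PTR) queries through 8.8.8.8, only one of which (211.92.42.5.in-addr.arpa) resolves to a host the sample actually contacted. The Python below is an added example, not part of this report, that parses rows in this table's format, counts repeated connections per destination, flags repeated TCP connections to a high port on a public IP as beacon candidates, and ties each PTR query back to the connection list. The rows are copied from the table above, with one kept in the cell-shifted form (protocol sitting in the Domain column) that extraction produces when the Domain cell is empty, so the parser tolerates both. The set of ports treated as quiet is an assumption.

```python
"""Summarise a sandbox network table: repeated TCP connections to one high
port versus the DNS PTR lookups around them. Added example, not part of the
report; rows copied from the Network table, one kept in shifted form."""
import ipaddress
from collections import Counter

NETWORK_ROWS = """\
| Country | Destination | Domain | Proto |
| RU | 5.42.92.211:80 | 5.42.92.211 | tcp |
| US | 8.8.8.8:53 | 211.92.42.5.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | | tcp |
| FI | 77.91.124.82:19071 | | tcp |
| FI | 77.91.124.82:19071 | | tcp |
| FI | 77.91.124.82:19071 | | tcp |
| US | 8.8.8.8:53 | 38.148.119.40.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 105.193.132.51.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | tcp |
"""

# assumption: hits to these ports are not counted as beacon evidence on their own
QUIET_PORTS = {53, 80, 443}

def parse_rows(text):
    """Parse pipe-table rows into dicts; tolerates a dropped empty Domain cell."""
    rows = []
    for line in text.splitlines():
        if not line.strip().startswith("|"):
            continue
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if cells[0].lower() == "country":
            continue
        country, dest, rest = cells[0], cells[1], [c for c in cells[2:] if c]
        # when the Domain cell was dropped, the protocol is the last non-empty cell
        if rest and rest[-1].lower() in ("tcp", "udp"):
            proto, domain = rest[-1].lower(), (rest[0] if len(rest) > 1 else "")
        else:
            proto, domain = "", (rest[0] if rest else "")
        ip, _, port = dest.rpartition(":")  # IPv4 only, as in the table
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows

def ptr_target(domain):
    """IP address a reverse (PTR) query name refers to, or None."""
    suffix = ".in-addr.arpa"
    if not domain.lower().endswith(suffix):
        return None
    return ".".join(reversed(domain[:-len(suffix)].split(".")))

def summarize(rows, min_hits=3):
    """Connection counts, beacon candidates and PTR lookups with a flag for
    whether the looked-up host also appears as a connection destination."""
    lookups = [r for r in rows if r["proto"] == "udp" and r["port"] == 53]
    conns = Counter((r["ip"], r["port"], r["proto"]) for r in rows
                    if not (r["proto"] == "udp" and r["port"] == 53))
    contacted = {ip for ip, _, _ in conns}
    beacons = [{"ip": ip, "port": port, "hits": n}
               for (ip, port, proto), n in conns.items()
               if proto == "tcp" and n >= min_hits and port not in QUIET_PORTS
               and ipaddress.ip_address(ip).is_global]
    ptrs = []
    for r in lookups:
        target = ptr_target(r["domain"])
        if target:
            ptrs.append({"ip": target, "contacted": target in contacted})
    return {"connections": conns, "beacon_candidates": beacons, "ptr_lookups": ptrs}

if __name__ == "__main__":
    s = summarize(parse_rows(NETWORK_ROWS))
    for (ip, port, proto), n in s["connections"].most_common():
        print(f"{ip}:{port}/{proto}  x{n}")
    for b in s["beacon_candidates"]:
        print("beacon candidate:", b)
    for p in s["ptr_lookups"]:
        print("PTR for", p["ip"], "(contacted)" if p["contacted"] else "(no connection seen)")
```

On this table the only beacon candidate is 77.91.124.82:19071; the PTR query for 5.42.92.211 coincides with the HTTP connection to that host, while the other three PTR targets have no connection in the table and so cannot be tied to the sample from this data alone.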
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0189654.exe
| MD5 | e709cd894d6e91b74551ff5623c07b4f |
| SHA1 | d7fd873c118b7265b9dc81cdb60d36c31039d3f3 |
| SHA256 | 772a5cfac627a06c146308f49ae5210c8d3c9c4f2bd495e55aee31db9789a3c9 |
| SHA512 | 6cd3b019b2646be32968458ec25f56050ad19910cfd178aa9d04de22bb9ff6676763ac903cc6e3e825c227f7b162e440ca8d8f922ae4a763e08e90d1662962fa |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0477247.exe
| MD5 | a267d33ccfe820904bb289f55de59e71 |
| SHA1 | dc0a6f8b23fa28817feb9e34a0d1cccfc648fb48 |
| SHA256 | 8b6c928c73c589cd67892c0f635908e3c7bf048d6ca16f20ff4f1112df899373 |
| SHA512 | f8ca79000a556ea4a9fea7f27e0103360084dff945fefe6cc5a1772cb7eea0fe0ae6fb85c7b253645d22082958e4acb8fb42c17b60f308b8dba4685eea9ee7f9 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m2167821.exe
| MD5 | 6ba454fb0fc0e2bfa07d1c7888e270f5 |
| SHA1 | 6eeab94bcc470d48bd35e90f2dd130fcac2de63b |
| SHA256 | 0d5f3fe3cf36e87a1c075dc25f91ccdcd6c193af90644432859adbacb940ac56 |
| SHA512 | 9a4ebc3ea4150987d22916e109ceee48eff20701b2ec815fcc85a0151e1d866af5554cd5af899cf5c4948488a55f6c96aca860db2c0609062ca5f4fbbd8d01db |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n8912791.exe
| MD5 | 66a69f666d330e7e5740b6c2294948b7 |
| SHA1 | d1e8d96498a065463a43fd8ce52b847a62cbf63e |
| SHA256 | c2fea801ddb8b11ea981097bba0a8336fd608d64b849c8643db42a7b0a56c135 |
| SHA512 | f4cfd4ed6b2f7c3c1c0076acf79dab88707f74a34cc3a604499929dbe8cda4fdf1fb29f1743ef0fd4049efb6e1e91cc555e0cfe13e42a48f8cf16c45244015c3 |
memory/2608-24-0x0000000000FB0000-0x0000000000FE0000-memory.dmp
memory/2608-25-0x0000000073530000-0x0000000073C1E000-memory.dmp
memory/2608-26-0x0000000005730000-0x0000000005736000-memory.dmp
memory/2608-27-0x000000000B230000-0x000000000B836000-memory.dmp
memory/2608-28-0x000000000ADC0000-0x000000000AECA000-memory.dmp
memory/2608-29-0x000000000ACF0000-0x000000000AD02000-memory.dmp
memory/2608-30-0x000000000AD50000-0x000000000AD8E000-memory.dmp
memory/2608-31-0x000000000AED0000-0x000000000AF1B000-memory.dmp
memory/2608-32-0x0000000073530000-0x0000000073C1E000-memory.dmp