Analysis Overview
SHA256
bff423e150313c33682501f246e49aa2a47f1c68d4c39f87005ad4c9efc6057c
Threat Level: Known bad
The file bff423e150313c33682501f246e49aa2a47f1c68d4c39f87005ad4c9efc6057c was found to be: Known bad.
Malicious Activity Summary
RedLine
Executes dropped EXE
Adds Run key to start application
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-09-10 14:08
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-09-10 14:08
Reported
2023-09-10 14:11
Platform
win10v2004-20230831-en
Max time kernel
140s
Max time network
149s
Command Line
Signatures
RedLine
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7783496.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0928001.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m2013668.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n7400100.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\bff423e150313c33682501f246e49aa2a47f1c68d4c39f87005ad4c9efc6057c.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7783496.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0928001.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| C:\Users\Admin\AppData\Local\Temp\bff423e150313c33682501f246e49aa2a47f1c68d4c39f87005ad4c9efc6057c.exe | "C:\Users\Admin\AppData\Local\Temp\bff423e150313c33682501f246e49aa2a47f1c68d4c39f87005ad4c9efc6057c.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7783496.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7783496.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0928001.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0928001.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m2013668.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m2013668.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n7400100.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n7400100.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| RU | 5.42.92.211:80 | 5.42.92.211 | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 211.92.42.5.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | | tcp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 90.65.42.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7783496.exe
| MD5 | 177571e8876ad2182abc357a7e29ccbb |
| SHA1 | dac8f766e3dc393e7e0d4e699e6b934c76c06b70 |
| SHA256 | 9e6b9717c667c757d0a018b2700e5618afd01546cfcd2e319e9e889d78bf761c |
| SHA512 | c66c397ef12f3d31f1db257fc5c18e0474b5d28853af396b7216da78e75bde52e384dd90e9f292980b782dae47af0466a0a33aa3dbd5b098f38fa0495f6a2cb0 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0928001.exe
| MD5 | e4b834639fe34ecfe7eaa709b6205522 |
| SHA1 | 18b3d261327805dbab4b2ae7a684018dd76b22cb |
| SHA256 | f31f13d7735b1d4f69b19345fd58ca2d6ce885445d4e2ac36e8ad7a70a16a7cc |
| SHA512 | 44587772930b48f4e541a3fea2297a8ef102a2d5f65e3952774f2a833029739de36fba60d0c47f2403385b1acf268b1b48094ce3db10d462965d3fe6d5e945ed |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m2013668.exe
| MD5 | 802bb7b0dbb651daeeaea30acabf0bd3 |
| SHA1 | ab486299ddfc55dea4f6e67a5496b860c151bde8 |
| SHA256 | bd312dff389a8caf9999c4cfaad3d2b07778a650a0e00ab6fea74f8169bfd574 |
| SHA512 | 2054ecfbd80aa146dde576fb27d4aff0db1847e31f5aac271cc227aebe678740bd1da71bdb9908d7ed8af7c9d23dc322cd450ccc2454d024f6d32170683176ac |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n7400100.exe
| MD5 | f031a6fa3f5e72d19c34ae0989833bc7 |
| SHA1 | 10d506f8c8ba945ff6ed3faad4825d6e164e40ae |
| SHA256 | 75042be8dd3700d2bfd43ddf5e85341823a5c6948e41774b4a5b7ee14d4c6090 |
| SHA512 | 958c267c95f1448a33c508aa56e0b70c50cd40672af4b4f15b78fcc84b875e25260a4233ec55a43f4e1fe420c34fdc701e38c1b32aad96664d9019706a810f5e |
memory/1284-24-0x0000000000130000-0x0000000000160000-memory.dmp
memory/1284-25-0x0000000074330000-0x0000000074AE0000-memory.dmp
memory/1284-26-0x0000000005160000-0x0000000005778000-memory.dmp
memory/1284-27-0x0000000004C50000-0x0000000004D5A000-memory.dmp
memory/1284-28-0x0000000004A30000-0x0000000004A40000-memory.dmp
memory/1284-29-0x00000000049C0000-0x00000000049D2000-memory.dmp
memory/1284-30-0x0000000004B40000-0x0000000004B7C000-memory.dmp
memory/1284-31-0x0000000074330000-0x0000000074AE0000-memory.dmp
memory/1284-32-0x0000000004A30000-0x0000000004A40000-memory.dmp