Analysis Overview
SHA256
6d49b0f621026d6830cb38392581341c7854fe85d5ae41dea53bebff573c3cde
Threat Level: Known bad
The file 6d49b0f621026d6830cb38392581341c7854fe85d5ae41dea53bebff573c3cde was found to be: Known bad.
Malicious Activity Summary
RedLine
Executes dropped EXE
Adds Run key to start application
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-09-10 14:13
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-09-10 14:13
Reported
2023-09-10 14:16
Platform
win10v2004-20230831-en
Max time kernel
143s
Max time network
154s
Command Line
Signatures
RedLine
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7936183.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y5439613.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m8566902.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n6481600.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\6d49b0f621026d6830cb38392581341c7854fe85d5ae41dea53bebff573c3cde.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7936183.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y5439613.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\6d49b0f621026d6830cb38392581341c7854fe85d5ae41dea53bebff573c3cde.exe
"C:\Users\Admin\AppData\Local\Temp\6d49b0f621026d6830cb38392581341c7854fe85d5ae41dea53bebff573c3cde.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7936183.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7936183.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y5439613.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y5439613.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m8566902.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m8566902.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n6481600.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n6481600.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| RU | 5.42.92.211:80 | 5.42.92.211 | tcp |
| US | 8.8.8.8:53 | 211.92.42.5.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | | tcp |
| US | 8.8.8.8:53 | 9.57.101.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 254.23.238.8.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | | tcp |
| FI | 77.91.124.82:19071 | | tcp |
| FI | 77.91.124.82:19071 | | tcp |
| FI | 77.91.124.82:19071 | | tcp |
| US | 8.8.8.8:53 | 123.10.44.20.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7936183.exe
| MD5 | f11816cf8eaf86c34c5f72667e1f1e36 |
| SHA1 | f72b54f0177df0de2c7f0acdeaabcc95dcca977b |
| SHA256 | d12e8d26f4e96390b24e9a9b32fc85e084ac293fd4a82e656d93dcacec698d40 |
| SHA512 | e66ae1a5d8181e626130eb10d82931663c38755219bff877aee3a98f14b562723c042818347a06a92d8152fccc35a2063fd58d54e899a063256714305a396fe8 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y5439613.exe
| MD5 | 6229f5cc7f7a4126432fe8cfd87537da |
| SHA1 | 126823fe3b4d596afa0455f0342c105670cea627 |
| SHA256 | 35f8150d521573319ece91b07ff44b3ba3eac22b8e95966fa15b4ca3a8f0daaf |
| SHA512 | b3c331b5e9b3eb887c90bfb501c276bddae8db6972d65c63610614dd34b97f2d8dc80e5fb34bfa391b2e49407e384b8cb12148ff5b020f510b00a311f567a677 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m8566902.exe
| MD5 | c40d06d44b48b0f4a4a84922ac29301b |
| SHA1 | 455e9c947e794d30137bdb37f20ec9cb771a06cc |
| SHA256 | ea053534386005a737f91009ebdfbd607151130239e615e7ea602abf546bd3b1 |
| SHA512 | a2e1b431393ea19853b6b6d649f3350f1836a1817d81a242d0815e622ae1eca27c711926f90eb82fe0b167322154dfca5f2bed13d8d6de65dce56173e666c9ca |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n6481600.exe
| MD5 | 968b79e1da850482a53bc5bed40ea787 |
| SHA1 | a5711d4237d9f3500f6c267a06dc47bb68220bf0 |
| SHA256 | 1843f8ce47cbf884ed4ff04db72b0e2c5a1bb46477881bdfeb17474b82909ca7 |
| SHA512 | 7e7cf48a6317d93e8a12f2b2cb89119de9e5a8c336114cff12308b112b29992dc9ae34df79931193c28ad739cf30fecd226e897ce4d67a21a608346f5d07793a |
memory/3420-24-0x0000000074A80000-0x0000000075230000-memory.dmp
memory/3420-25-0x00000000004B0000-0x00000000004E0000-memory.dmp
memory/3420-26-0x000000000A980000-0x000000000AF98000-memory.dmp
memory/3420-27-0x000000000A470000-0x000000000A57A000-memory.dmp
memory/3420-28-0x0000000004FD0000-0x0000000004FE0000-memory.dmp
memory/3420-29-0x000000000A3A0000-0x000000000A3B2000-memory.dmp
memory/3420-30-0x000000000A400000-0x000000000A43C000-memory.dmp
memory/3420-31-0x0000000074A80000-0x0000000075230000-memory.dmp
memory/3420-32-0x0000000004FD0000-0x0000000004FE0000-memory.dmp