Analysis Overview
SHA256
c045fcdcf743873ebb4728c0951b70b0684cebe4af0008f8fc2ac9e9983d15b0
Threat Level: Known bad
The file c045fcdcf743873ebb4728c0951b70b0684cebe4af0008f8fc2ac9e9983d15b0 was found to be: Known bad.
Malicious Activity Summary
RedLine
Executes dropped EXE
Adds Run key to start application
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-09-10 14:23
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-09-10 14:23
Reported
2023-09-10 14:26
Platform
win10-20230831-en
Max time kernel
135s
Max time network
150s
Command Line
Signatures
RedLine
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4357699.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8785670.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m9084100.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n5879334.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\c045fcdcf743873ebb4728c0951b70b0684cebe4af0008f8fc2ac9e9983d15b0.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4357699.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8785670.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\c045fcdcf743873ebb4728c0951b70b0684cebe4af0008f8fc2ac9e9983d15b0.exe | "C:\Users\Admin\AppData\Local\Temp\c045fcdcf743873ebb4728c0951b70b0684cebe4af0008f8fc2ac9e9983d15b0.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4357699.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4357699.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8785670.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8785670.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m9084100.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m9084100.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n5879334.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n5879334.exe |
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| RU | 5.42.92.211:80 | 5.42.92.211 | tcp |
| US | 8.8.8.8:53 | 211.92.42.5.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | N/A | tcp |
| FI | 77.91.124.82:19071 | N/A | tcp |
| FI | 77.91.124.82:19071 | N/A | tcp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | N/A | tcp |
| US | 8.8.8.8:53 | 38.148.119.40.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | N/A | tcp |
| US | 8.8.8.8:53 | 130.109.69.13.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | N/A | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4357699.exe
| MD5 | d746aca1a02da777428721426b71173a |
| SHA1 | e399ba07b96d66c1ca94163120d6ddb0713136ea |
| SHA256 | 8151305704079a52672c5460b1acc501ed92fdaa5cbadf5597ad11b05cd31321 |
| SHA512 | 85d8ac2d68d7e29ec55d6dcad21b0684f2dc294c4184279dc548fd79f43b14bc0e8f58d80a8a957d50763b217dc1cf76ef22af0c32583909659698b7cabeb277 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8785670.exe
| MD5 | 2f6967348d882aa9411ae49b5d4ee86a |
| SHA1 | dad514ee457072d01e6931ac72d839a3dfaaf9c8 |
| SHA256 | 1a13962a0f1d9c75d806a8d3eb877b6546164f832ce449293599f817019690a6 |
| SHA512 | 57df2fc1cfcb9306be4121b914a080cf7db778b56cdaa647a7ead8abc36e624dc9eea6f1f3c41d05fe89f008ec4d7ca4099d190a4b191ed9c1842fd961ea9964 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m9084100.exe
| MD5 | 0c8c4061602d1326e80bdd610f5f412e |
| SHA1 | 538d05ecef866fc4de093974b9d4d38692c8edc5 |
| SHA256 | da1f4be5289dbafe034250661a679d0c8382aac17f6898a4f250bbeae72a40d0 |
| SHA512 | 3d8af05add2ee522645007454c473a5e3fa401b758c67f404688f83634302a880e32e7b9cfcaa1d99f8634ab6d911ce6ae18110fb89db33890def2cf34a742ea |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n5879334.exe
| MD5 | 026bb3ccc6781d041e4e1d1c5e930a48 |
| SHA1 | 74cedcdc01119ad2e652475a3c61b3259f8f0277 |
| SHA256 | 11f2cbc7995c850b0fb593240b8dc1a3acb26ac7dfdc31c02aa37c7440eab7ef |
| SHA512 | 01fbe0304e2d7b403f01a549578326d271319d16e0b9c99446a67e413f6cc01745ad0ffa7c8701b1239d68e36b39b3ef9bcccfd65782e89391bf9ad71e5e46d5 |
memory/5108-24-0x0000000000440000-0x0000000000470000-memory.dmp
memory/5108-25-0x0000000073800000-0x0000000073EEE000-memory.dmp
memory/5108-26-0x0000000000BE0000-0x0000000000BE6000-memory.dmp
memory/5108-27-0x000000000A6D0000-0x000000000ACD6000-memory.dmp
memory/5108-28-0x000000000A250000-0x000000000A35A000-memory.dmp
memory/5108-29-0x000000000A180000-0x000000000A192000-memory.dmp
memory/5108-30-0x000000000A1E0000-0x000000000A21E000-memory.dmp
memory/5108-31-0x000000000A360000-0x000000000A3AB000-memory.dmp
memory/5108-32-0x0000000073800000-0x0000000073EEE000-memory.dmp