Analysis Overview
SHA256
46fa37194327c53d495f3c00f3e70775710d3b23827876633b4d3a480ef15a6e
Threat Level: Known bad
The file 46fa37194327c53d495f3c00f3e70775710d3b23827876633b4d3a480ef15a6e was found to be: Known bad.
Malicious Activity Summary
RedLine
Executes dropped EXE
Adds Run key to start application
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-09-10 14:28
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-09-10 14:28
Reported
2023-09-10 14:31
Platform
win10v2004-20230831-en
Max time kernel
141s
Max time network
155s
Command Line
Signatures
RedLine
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0587778.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1837070.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m2725955.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n0292856.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\46fa37194327c53d495f3c00f3e70775710d3b23827876633b4d3a480ef15a6e.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0587778.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1837070.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Path | Command Line |
| C:\Users\Admin\AppData\Local\Temp\46fa37194327c53d495f3c00f3e70775710d3b23827876633b4d3a480ef15a6e.exe | "C:\Users\Admin\AppData\Local\Temp\46fa37194327c53d495f3c00f3e70775710d3b23827876633b4d3a480ef15a6e.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0587778.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0587778.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1837070.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1837070.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m2725955.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m2725955.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n0292856.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n0292856.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| RU | 5.42.92.211:80 | 5.42.92.211 | tcp |
| US | 8.8.8.8:53 | 211.92.42.5.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 54.120.234.20.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 135.1.85.104.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | | tcp |
| US | 8.8.8.8:53 | 254.177.238.8.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | | tcp |
| FI | 77.91.124.82:19071 | | tcp |
| FI | 77.91.124.82:19071 | | tcp |
| FI | 77.91.124.82:19071 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0587778.exe
| MD5 | 66f96a1f7f258b5f5d4ce1df743fc602 |
| SHA1 | 7280b0aba3fa25e9e728eb7e44634014f93dc37a |
| SHA256 | 22c9d85ae9b9ce4a08cec3baee49ddef74f1f95f5dad22e178744684a49ea572 |
| SHA512 | e1e8022ffd6c4d7f0d60695fb18cd096aeacbe7eb36d6a5f8f05526c99133941c6b80ba99864e5a74cc630448523b97e63d034360a3853f9c8e80c8672481026 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1837070.exe
| MD5 | 5f0e7c3f626a9a74018d98dbc9a49e72 |
| SHA1 | b71415979142c02a9e82db8d4a5fc2a7a1bfa65d |
| SHA256 | 01b6b5437c6e183a342ab3f156816d59f133c66afea79501d34be11f56159303 |
| SHA512 | de33e6e54a3cdbf3474eedd56e039e9856c7467ffbc942aa3c80b7b114d0836cc538e8d62a35102e9f93c1dc09958a55f85ab58e1df9c00a0b5a57d04e5ffa86 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m2725955.exe
| MD5 | 7c6bad29a69ea01e9c25ba6718984e20 |
| SHA1 | 47d5982e258323be0f47d315a8d1e601ec47dc18 |
| SHA256 | 843d24934838a19b384530f7e6faad3be4f80453dc6fe706c702609fc26878b1 |
| SHA512 | 15fe6baa6255eacda70ae8c06d08f5d0b53e4c2f362cc5efc96515f1667be03e12e7c91b02b39421b671760b543256d33f726a64b33f665679a7d505b4b253ab |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n0292856.exe
| MD5 | f85757575057789dd8bd8dca77a4c0c5 |
| SHA1 | fb4fc2d66758ad3e8bde01b15149c2b3f76cf44b |
| SHA256 | ed518349e219582792c340878e6b91cd14c7c6ad1bb276c69dcb0cedabb8ef5d |
| SHA512 | 6c0437da66218e44424da2b7cb7e68810939851b41affc4d36dff19067e5ae3817c3b248fe644b6203e3ad1b83f46f2c03943061a83e68d4a1f7fde8f4124d93 |