Analysis Overview
SHA256
6a809b1c49ed96c4a8fa3549839513d26ffc57baa4cb97dd7a3f5414fec6650e
Threat Level: Known bad
The file 6a809b1c49ed96c4a8fa3549839513d26ffc57baa4cb97dd7a3f5414fec6650e was found to be: Known bad.
Malicious Activity Summary
RedLine
Executes dropped EXE
Adds Run key to start application
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-09-10 14:33
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-09-10 14:33
Reported
2023-09-10 14:36
Platform
win10v2004-20230831-en
Max time kernel
145s
Max time network
152s
Command Line
Signatures
RedLine
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0183118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y5169086.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m4838131.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n2539021.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\6a809b1c49ed96c4a8fa3549839513d26ffc57baa4cb97dd7a3f5414fec6650e.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0183118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y5169086.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\6a809b1c49ed96c4a8fa3549839513d26ffc57baa4cb97dd7a3f5414fec6650e.exe
"C:\Users\Admin\AppData\Local\Temp\6a809b1c49ed96c4a8fa3549839513d26ffc57baa4cb97dd7a3f5414fec6650e.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0183118.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0183118.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y5169086.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y5169086.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m4838131.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m4838131.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n2539021.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n2539021.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| RU | 5.42.92.211:80 | 5.42.92.211 | tcp |
| US | 8.8.8.8:53 | 211.92.42.5.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | | tcp |
| US | 8.8.8.8:53 | 121.208.253.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.202.248.87.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | | tcp |
| FI | 77.91.124.82:19071 | | tcp |
| FI | 77.91.124.82:19071 | | tcp |
| FI | 77.91.124.82:19071 | | tcp |
| US | 8.8.8.8:53 | 121.150.79.40.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0183118.exe
| MD5 | 259b6e6f2d9c1330f6fb1635b45c485e |
| SHA1 | fb9eb2e3d11c1ca11993aea02a775cb9a8ae7bf1 |
| SHA256 | ff29b2efbb8c866cc7a9cf0de891aca96657015a71c01d5547bae063eea856af |
| SHA512 | 7ee052b78e3db473a2f6e7fc2ffa4a841983fcbd2789673e04abfe893eda0f641327397eef0d6b14b8d61ccb6b6356ffb5a954aa86a59a6ab670f9abf805289d |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y5169086.exe
| MD5 | a681127234606951d05f4b6a130caa38 |
| SHA1 | 7d90a66aeed3aa084bb426c3a936812423bc42ea |
| SHA256 | 09660f9431baf92ebd0dff6b84692d4b10851fb389607e476e142d982bcb611d |
| SHA512 | d6d8f39b739808c2fec11a3f5961465e4a04b514a41a05949c33f9e65683783fd95445b28e8890b8b828c372b049f0460dd9f06c346e9867913b38dd185f1f5b |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m4838131.exe
| MD5 | c456285d95a344c3b1173f2541048606 |
| SHA1 | 899c3329db1f556523d388edeac5d3453b84728b |
| SHA256 | e3a1251146ee19acf8d19b6d7bf19be621f04d47da5e3a4acd8f7e7d7c04da20 |
| SHA512 | 714d7b94a814baf24e7460f399e8e5ad1438d57caafe2c431cac82b7cebd133bd4cacd1ea463a6d97cd56d7da976f6b902c53d51b601639b0648e33df086a0a0 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n2539021.exe
| MD5 | 8781337438331a46121b30d3f0e9ba47 |
| SHA1 | 1192597acabb7a4c0ab72cd6f35fa7271773c9f4 |
| SHA256 | 8815416217b2d30996704e8fd1358a319bdacd01b4114436fa040484e8b49bd0 |
| SHA512 | 442b39680c66613e3aa2dc6b57f303dd91417eb22833152a534333e878ada4b95ec66a7d0fa39b8fdfbf2a74d7182cedf49a7097b2ee1c20254211eea3ef1f09 |
memory/3316-24-0x0000000074840000-0x0000000074FF0000-memory.dmp
memory/3316-25-0x00000000007F0000-0x0000000000820000-memory.dmp
memory/3316-26-0x000000000ACE0000-0x000000000B2F8000-memory.dmp
memory/3316-27-0x000000000A7D0000-0x000000000A8DA000-memory.dmp
memory/3316-28-0x0000000005230000-0x0000000005240000-memory.dmp
memory/3316-29-0x000000000A6E0000-0x000000000A6F2000-memory.dmp
memory/3316-30-0x000000000A740000-0x000000000A77C000-memory.dmp
memory/3316-31-0x0000000074840000-0x0000000074FF0000-memory.dmp
memory/3316-32-0x0000000005230000-0x0000000005240000-memory.dmp