Analysis Overview
SHA256
0cc8535f4f092be307e2427d363407452d0e3f24c7fe9773e035babe6c77e7fd
Threat Level: Known bad
The file 0cc8535f4f092be307e2427d363407452d0e3f24c7fe9773e035babe6c77e7fd was found to be: Known bad.
Malicious Activity Summary
RedLine
Executes dropped EXE
Adds Run key to start application
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-09-10 14:38
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-09-10 14:38
Reported
2023-09-10 14:41
Platform
win10-20230831-en
Max time kernel
138s
Max time network
154s
Command Line
Signatures
RedLine
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5682608.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y7019901.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m2089591.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n6037580.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5682608.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y7019901.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\0cc8535f4f092be307e2427d363407452d0e3f24c7fe9773e035babe6c77e7fd.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
|---|---|
| C:\Users\Admin\AppData\Local\Temp\0cc8535f4f092be307e2427d363407452d0e3f24c7fe9773e035babe6c77e7fd.exe | "C:\Users\Admin\AppData\Local\Temp\0cc8535f4f092be307e2427d363407452d0e3f24c7fe9773e035babe6c77e7fd.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5682608.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5682608.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y7019901.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y7019901.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m2089591.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m2089591.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n6037580.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n6037580.exe |
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| RU | 5.42.92.211:80 | 5.42.92.211 | tcp |
| US | 8.8.8.8:53 | 211.92.42.5.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | N/A | tcp |
| FI | 77.91.124.82:19071 | N/A | tcp |
| FI | 77.91.124.82:19071 | N/A | tcp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | N/A | tcp |
| US | 8.8.8.8:53 | 38.148.119.40.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | N/A | tcp |
| US | 8.8.8.8:53 | 7.173.189.20.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | N/A | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5682608.exe
| Hash | Value |
|---|---|
| MD5 | 46ec7972d62e03ce67067190534a66cf |
| SHA1 | 3499f89e0154987614793a5e500704eb6addfc44 |
| SHA256 | e4ba56513a569f4bb2b78229eb6e8b0d99160be97f641055ced4abe49ae9a15a |
| SHA512 | 9d50e1f34f69ab48e2516c6f4286fdfa4f086068152c90ceaf6df1f0379fba6c273c29eb0bb12e122da85182d5d9bb5c20d4d204592b42dbd70643a10441cf07 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y7019901.exe
| Hash | Value |
|---|---|
| MD5 | fe4d16aa6cb5d422a0334c1aa5d3e134 |
| SHA1 | 32ee6cd02b203367d38340b180fee3011531ff1c |
| SHA256 | ac4935acba3b9d91a0d6aadb2e038186e8ffd285fade204da7cdfd4b499b1691 |
| SHA512 | ce86f16f918979437c5fda69a9e738448ef3cf6137c4553f46552a962889f0b928b2799a1542dec3018af942c6dc59554bed316f8faf9c7b933dbc54e02ef8a2 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m2089591.exe
| Hash | Value |
|---|---|
| MD5 | 34bd80037fecfd3586ce91be31e9268f |
| SHA1 | 5567a473fb40973a7b4ba65eecf303d25c8b2aed |
| SHA256 | e704b5e0761839bf6125daba3d3fb00725c3889a64d16263f9af670b7f33c95e |
| SHA512 | 2f84896bbcf8f3f408c279e864ba475a921756c2ba3d64659335ad961ecfb62f38af82b7b535d1731e3c077b14e3b2d3df4089c9171346fd0e4701b59f5fd83a |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n6037580.exe
| Hash | Value |
|---|---|
| MD5 | 9742b6d5abbc6b392c2f2204acc25767 |
| SHA1 | 330c56d1b51059ae4dd72e5072abd581a6ac34dc |
| SHA256 | 82897620ebef7edf58d17d5c49dee9f7e9a0383d8276bc70e24e55df2ed31e41 |
| SHA512 | c426c9c6d659463c59de79800d0cca6244ed3ddd3ddf50ec3f8132d7e979d74fd9e652dbb4b90570b9737067584a65773accf4c30013d0072293537b09509cc8 |
memory/4264-24-0x0000000000E20000-0x0000000000E50000-memory.dmp
memory/4264-25-0x00000000734D0000-0x0000000073BBE000-memory.dmp
memory/4264-26-0x0000000002FE0000-0x0000000002FE6000-memory.dmp
memory/4264-27-0x000000000B1F0000-0x000000000B7F6000-memory.dmp
memory/4264-28-0x000000000AD70000-0x000000000AE7A000-memory.dmp
memory/4264-29-0x000000000ACA0000-0x000000000ACB2000-memory.dmp
memory/4264-30-0x000000000AD00000-0x000000000AD3E000-memory.dmp
memory/4264-31-0x000000000AE80000-0x000000000AECB000-memory.dmp
memory/4264-32-0x00000000734D0000-0x0000000073BBE000-memory.dmp