Analysis Overview
SHA256
7b918d02f98f0af5072119d9a56c46cdcf9cb2dffa4e2f03ae2fb63e4612f6de
Threat Level: Known bad
The file 7b918d02f98f0af5072119d9a56c46cdcf9cb2dffa4e2f03ae2fb63e4612f6de was found to be: Known bad.
Malicious Activity Summary
RedLine
Executes dropped EXE
Adds Run key to start application
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-09-10 15:43
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-09-10 15:43
Reported
2023-09-10 15:46
Platform
win10-20230831-en
Max time kernel
134s
Max time network
148s
Command Line
Signatures
RedLine
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9236422.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y2243031.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m0012892.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n7509982.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\7b918d02f98f0af5072119d9a56c46cdcf9cb2dffa4e2f03ae2fb63e4612f6de.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9236422.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y2243031.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
|---|---|
| C:\Users\Admin\AppData\Local\Temp\7b918d02f98f0af5072119d9a56c46cdcf9cb2dffa4e2f03ae2fb63e4612f6de.exe | "C:\Users\Admin\AppData\Local\Temp\7b918d02f98f0af5072119d9a56c46cdcf9cb2dffa4e2f03ae2fb63e4612f6de.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9236422.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9236422.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y2243031.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y2243031.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m0012892.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m0012892.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n7509982.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n7509982.exe |
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| RU | 5.42.92.211:80 | 5.42.92.211 | tcp |
| US | 8.8.8.8:53 | 211.92.42.5.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | | tcp |
| FI | 77.91.124.82:19071 | | tcp |
| FI | 77.91.124.82:19071 | | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | | tcp |
| US | 8.8.8.8:53 | 38.148.119.40.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | | tcp |
| US | 8.8.8.8:53 | 9.173.189.20.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9236422.exe
| MD5 | 9abee56bba72cea4c3c5bdff83832c6b |
| SHA1 | 8de97dfd6994d1d41a54a2cebe955a381f881aba |
| SHA256 | 9ab5a58abb194ccadf7da859b048462705e0d36ea8980c2f183cab8acef76072 |
| SHA512 | 7b147f8e793d1865436fb07fea29e2f3dd5764f8988507c2bca8f3ac13db67c80f0833f76c0e81f86ca7af5c40c54888824a2c07f8124b041d507b1979f90146 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y2243031.exe
| MD5 | 717ffe37123b1b214c99f863eae3c4b9 |
| SHA1 | 4651b6c2406ecfc676ea8e6a885eb8348ae0d5b9 |
| SHA256 | 8fa6c37b1491006a75580068c90261f02795920912762e44cfa0bb04fb75cd31 |
| SHA512 | d44f1b6e86e8d41337eb60da3d51066e7298ab6f589837c521cdba330927ec60fa4c3a3394e0e202dbf1265ad55738a3ae5cee2e384826c0da5046b9090dad13 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m0012892.exe
| MD5 | e30ea88baabea0fa133892851b8e6000 |
| SHA1 | 67fca9ae56a39b7f33584b18343bb84f24bc57f2 |
| SHA256 | 5ed7464b1082793fa734dbaed8de1c728a330868539fb163257bcf6dc4668a23 |
| SHA512 | 4616e7fc445321c2233977929f208dab80c6c0d87ee5d1ce118a63659cd0273e3e7aa05c542c07245f805d528c5629279e682bcd009c20b86b040fb949d5e7e2 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n7509982.exe
| MD5 | 388b729a36fc92f407524afd1393c388 |
| SHA1 | 947583ca2c0b6f8f3ccee7534f2951fdb76cf9f1 |
| SHA256 | f72ac12d68f02af8a9857bfdd6be6f51afa2deef78d576b72fa176112ec5af68 |
| SHA512 | bdd32994a3f6b7e811ef65dbeb7e12626b8097575a17570352474145b9d8a173f586bd4956bb9f039f377cdbcdccf32244ee278a248970823187a5b3ac4fdc18 |