Analysis Overview
SHA256
211bbfc984d662aabddbcf782176dbed5ca0e988cefc20445e5319db46f95c03
Threat Level: Known bad
The file 211bbfc984d662aabddbcf782176dbed5ca0e988cefc20445e5319db46f95c03 was found to be: Known bad.
Malicious Activity Summary
RedLine
Executes dropped EXE
Adds Run key to start application
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-09-10 15:48
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2023-09-10 15:48
Reported
2023-09-10 15:51
Platform
win10-20230703-en
Max time kernel
137s
Max time network
151s
Command Line
Signatures
RedLine
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4861451.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y6119199.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m4486940.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n0112396.exe | N/A |
Adds Run key to start application
The three values below do not start the payload: they are the RunOnce cleanup entries that the Windows self-extractor (WEXTRACT/IExpress) writes so that advpack.dll's DelNodeRunDLL32 deletes its IXP00n.TMP extraction directory at the next logon. Read together with the Process column they show a three-level chain of nested self-extracting droppers: the submitted sample extracts into IXP000.TMP, y4861451.exe into IXP001.TMP, and y6119199.exe into IXP002.TMP (the WOW6432Node path shows these are 32-bit processes on the 64-bit guest). Everything written to those directories is deleted on reboot, so acquire them before restarting an affected host.
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\211bbfc984d662aabddbcf782176dbed5ca0e988cefc20445e5319db46f95c03.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4861451.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y6119199.exe | N/A |
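An added example (not part of the sandbox report) of the check a responder wants when this signature fires: classify each Run/RunOnce value, separate genuine WEXTRACT cleanup entries (RunOnce name wextract_cleanupN and a rundll32 advpack.dll,DelNodeRunDLL32 "<dir>" command) from real autostarts, and list the stage directories that will vanish at next logon. The first three (key, data) pairs are the report's own rows, quoted exactly as the report prints them; the Run entry named WinUpdate and the wextract_cleanup3 entry are constructed for contrast and do not come from the report.

```python
import re
from dataclasses import dataclass

# Example code added to this report; it is not part of the sandbox output.
# The first three (key, data) pairs are the "Set value (str)" rows from the
# behavioural analysis, quoted as the report prints them (JSON-style escaping:
# "\\" for one backslash, "\"" for a quote). The last two pairs are constructed
# and are NOT from the report: a plain Run entry for a payload, and a RunOnce
# entry that borrows the wextract_cleanup name but runs an executable.
SAMPLE_VALUES = [
    (r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0",
     r'rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"'),
    (r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1",
     r'rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"'),
    (r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2",
     r'rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"'),
    # constructed, not from the report
    (r"\REGISTRY\USER\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinUpdate",
     r'\"C:\\Users\\Admin\\AppData\\Roaming\\WinUpdate\\svchost.exe\" -silent'),
    # constructed, not from the report: cleanup-style name, but not a cleanup command
    (r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3",
     r'\"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\loader.exe\"'),
]

# Matches the tail of a Run or RunOnce value path and captures the value name.
KEY_RE = re.compile(r"\\CurrentVersion\\(?P<kind>RunOnce|Run)\\(?P<name>[^\\]+)$", re.IGNORECASE)

# The exact command shape WEXTRACT uses to remove its extraction directory.
CLEANUP_RE = re.compile(
    r'^rundll32(?:\.exe)?\s+\S*advpack\.dll,DelNodeRunDLL32\s+"(?P<dir>[^"]+)"\s*$',
    re.IGNORECASE,
)


@dataclass(frozen=True)
class AutostartFinding:
    key: str
    name: str
    verdict: str   # "wextract_cleanup" or "autostart"
    target: str    # directory scheduled for deletion, or the command that will run


def unescape_report_string(s: str) -> str:
    """Undo the JSON-style quoting the report applies to REG_SZ data."""
    return s.replace("\\\\", "\\").replace('\\"', '"')


def classify_autostart(key: str, data: str):
    """Return a finding for Run/RunOnce values, None for anything else."""
    m = KEY_RE.search(key)
    if m is None:
        return None
    name, kind = m["name"], m["kind"]
    cmd = unescape_report_string(data)
    cleanup = CLEANUP_RE.match(cmd)
    # Both the value name AND the command shape must match; a borrowed name alone is not enough.
    if kind.lower() == "runonce" and name.lower().startswith("wextract_cleanup") and cleanup:
        return AutostartFinding(key, name, "wextract_cleanup", cleanup["dir"])
    return AutostartFinding(key, name, "autostart", cmd)


def triage_autostarts(values):
    findings = [f for f in (classify_autostart(k, d) for k, d in values) if f is not None]
    return {
        # Extraction directories that DelNodeRunDLL32 will delete at next logon: image them first.
        "stage_dirs_to_acquire": [f.target for f in findings if f.verdict == "wextract_cleanup"],
        # Everything else under Run/RunOnce is a real autostart and needs its own look.
        "real_autostarts": [(f.name, f.target) for f in findings if f.verdict == "autostart"],
    }


if __name__ == "__main__":
    result = triage_autostarts(SAMPLE_VALUES)
    for d in result["stage_dirs_to_acquire"]:
        print("acquire before reboot:", d)
    for name, cmd in result["real_autostarts"]:
        print("autostart:", name, "->", cmd)
```

Run as a script it prints the three IXP00n.TMP directories to collect and flags the two constructed entries as autostarts; the wextract_cleanup3 entry is flagged because its data is not a DelNodeRunDLL32 command, which is why the check keys on the command shape rather than the value name.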
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\211bbfc984d662aabddbcf782176dbed5ca0e988cefc20445e5319db46f95c03.exe
"C:\Users\Admin\AppData\Local\Temp\211bbfc984d662aabddbcf782176dbed5ca0e988cefc20445e5319db46f95c03.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4861451.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4861451.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y6119199.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y6119199.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m4486940.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m4486940.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n0112396.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n0112396.exe
Network
| Country | Destination | Domain | Proto |
| RU | 5.42.92.211:80 | 5.42.92.211 | tcp |
| US | 8.8.8.8:53 | 211.92.42.5.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | | tcp |
| FI | 77.91.124.82:19071 | | tcp |
| FI | 77.91.124.82:19071 | | tcp |
| FI | 77.91.124.82:19071 | | tcp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | | tcp |
| US | 8.8.8.8:53 | 104.193.132.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | | tcp |
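An added example (not part of the sandbox report) that turns the Network table into usable indicators: it deduplicates the connections into endpoints with hit counts, separates the guest's queries to the 8.8.8.8 resolver (all of them PTR lookups) from direct connections, maps each in-addr.arpa name back to the address it asks about, and emits one Suricata alert per outbound endpoint. The rows are the report's own, copied as printed, including the variant where the protocol sits in the Domain column; the parser accepts both layouts. The report does not say what role 77.91.124.82:19071 plays, only that it was contacted repeatedly, so the rule message is deliberately neutral. The SID range is an assumption.

```python
from collections import Counter

# Example code added to this report; not part of the sandbox output.
# NETWORK_ROWS are the rows of the Network table, copied as printed: some rows carry
# the protocol in the Domain column with an empty Proto column. parse_row() handles both.
NETWORK_ROWS = """\
| RU | 5.42.92.211:80 | 5.42.92.211 | tcp |
| US | 8.8.8.8:53 | 211.92.42.5.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | tcp | |
| FI | 77.91.124.82:19071 | tcp | |
| FI | 77.91.124.82:19071 | tcp | |
| FI | 77.91.124.82:19071 | tcp | |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | tcp | |
| US | 8.8.8.8:53 | 104.193.132.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | tcp |
"""

# The guest's DNS resolver as seen in the Destination column. Traffic to it is
# resolver traffic, not an endpoint the sample contacted directly.
RESOLVER = ("8.8.8.8", 53)
PTR_SUFFIX = ".in-addr.arpa"


def parse_row(line):
    """Parse one '| Country | Destination | Domain | Proto |' row into a dict."""
    cells = [c.strip() for c in line.strip().strip("|").split("|")]
    cells += [""] * (4 - len(cells))           # tolerate a missing trailing cell
    country, dest, domain, proto = cells[:4]
    if not proto and domain.lower() in ("tcp", "udp"):
        domain, proto = "", domain             # protocol slipped into the Domain column
    ip, _, port = dest.rpartition(":")
    return {"country": country, "ip": ip, "port": int(port), "domain": domain, "proto": proto.lower()}


def ptr_target(name):
    """x.y.z.w.in-addr.arpa -> w.z.y.x, the address a reverse lookup asks about."""
    return ".".join(reversed(name[: -len(PTR_SUFFIX)].split(".")))


def summarize_network(rows_text):
    rows = [parse_row(l) for l in rows_text.splitlines() if l.strip().startswith("|")]
    counts = Counter((r["ip"], r["port"], r["proto"]) for r in rows)
    outbound = sorted(
        (ip, port, proto, n) for (ip, port, proto), n in counts.items() if (ip, port) != RESOLVER
    )
    looked_up = sorted({ptr_target(r["domain"]) for r in rows if r["domain"].endswith(PTR_SUFFIX)})
    contacted = {ip for ip, _, _, _ in outbound}
    return {
        "outbound_endpoints": outbound,                       # (ip, port, proto, connection count)
        "ptr_lookups_for": looked_up,                         # addresses reverse-resolved via 8.8.8.8
        "resolved_and_contacted": sorted(set(looked_up) & contacted),
    }


def suricata_rules(summary, base_sid=9000001):
    """One alert per outbound endpoint. base_sid is an assumed local SID range."""
    return [
        f'alert {proto} $HOME_NET any -> {ip} {port} '
        f'(msg:"Endpoint from RedLine sandbox report, {n} connections in detonation"; sid:{base_sid + i}; rev:1;)'
        for i, (ip, port, proto, n) in enumerate(summary["outbound_endpoints"])
    ]


if __name__ == "__main__":
    s = summarize_network(NETWORK_ROWS)
    print(s)
    print("\n".join(suricata_rules(s)))
```

The summary shows two direct endpoints (5.42.92.211:80 once, 77.91.124.82:19071 six times) and that 5.42.92.211 is the only address both reverse-resolved and contacted; the other three PTR targets appear nowhere else in the table.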
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4861451.exe
| MD5 | fcd5f6a0dfcb6d948c708519c709d216 |
| SHA1 | 96179407b1534170a447b9cb362b71fbb4cef12a |
| SHA256 | 361b588360a7734d69f7d565af91c4e553027d410d073ed35a94c365250d2574 |
| SHA512 | 11dfd56f22dc7c60fa57709d2741a3f1cacc3004b152f243b3d7b120624b54849126567e4a673894d4a7bd9370a7533f696646aaa2bfbb032167b171b1835710 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y6119199.exe
| MD5 | fd4675659ac802d24a875807178dc50e |
| SHA1 | 579b740a15d1e05323f70a45ee95374d02769d16 |
| SHA256 | c049902276db963bab6c40e39cc25de38fa27df673141f7ce09aed96819302de |
| SHA512 | c46ee1a8bb5dc8ce5effda095ef1a552db41dfcd3db74a7172090185a3fed4efd56e56a86528e5c8d7348cdbee354157789046e2d95c1116b4a419d2f605283f |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m4486940.exe
| MD5 | 87901109709e8efa126e9f4ca0062d0a |
| SHA1 | 8edbec87ab9fabb79dedb0dcc66a747ab69b012b |
| SHA256 | 6cdaae51c3f6696b4ff4d314eb179d431bca2b43c246e8b2025c352587692a9e |
| SHA512 | 020dc1ef68b7a14801d2543c523f495ec59c1f47d4270e936a0fc25f4d3b5f68eb36e881a201d5bc104d7487b6ff70a4de360802ecc5f62c3fa79eb39071a1f6 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n0112396.exe
| MD5 | 720aabd1fb39b9fcb66b5ee201a79400 |
| SHA1 | d72624c326430b5b38057552baed22114e60a071 |
| SHA256 | fb70eb16da108ca0a17e80782e04593f6931b607a6e986bc6fa8b591f5e22118 |
| SHA512 | 7b5f39f5547bfe559384e693761fe7c5f078a99d6af5206568ce8ee568b5565424e8f8a8767aff3b71f920e4a4a2dc96cf4eb9af5766a47abfa10cfa3d9fe454 |
memory/3912-24-0x0000000000540000-0x0000000000570000-memory.dmp
memory/3912-25-0x0000000072BA0000-0x000000007328E000-memory.dmp
memory/3912-26-0x0000000004D00000-0x0000000004D06000-memory.dmp
memory/3912-27-0x00000000054D0000-0x0000000005AD6000-memory.dmp
memory/3912-28-0x0000000004FD0000-0x00000000050DA000-memory.dmp
memory/3912-29-0x0000000004D50000-0x0000000004D62000-memory.dmp
memory/3912-30-0x0000000004EC0000-0x0000000004EFE000-memory.dmp
memory/3912-31-0x0000000004F00000-0x0000000004F4B000-memory.dmp
memory/3912-32-0x0000000072BA0000-0x000000007328E000-memory.dmp