Analysis Overview
SHA256
cdb5e16bd2f311496ab745f09bf88e3dd6453138f3c995e2cdcf573a992cc042
Threat Level: Known bad
The file cdb5e16bd2f311496ab745f09bf88e3dd6453138f3c995e2cdcf573a992cc042 was found to be: Known bad.
Malicious Activity Summary
RedLine
Executes dropped EXE
Adds Run key to start application
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-09-10 14:58
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-09-10 14:58
Reported
2023-09-10 15:01
Platform
win10-20230831-en
Max time kernel
144s
Max time network
152s
Signatures
RedLine
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7735334.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8191104.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m9572907.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n8459468.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\cdb5e16bd2f311496ab745f09bf88e3dd6453138f3c995e2cdcf573a992cc042.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7735334.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8191104.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\cdb5e16bd2f311496ab745f09bf88e3dd6453138f3c995e2cdcf573a992cc042.exe | "C:\Users\Admin\AppData\Local\Temp\cdb5e16bd2f311496ab745f09bf88e3dd6453138f3c995e2cdcf573a992cc042.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7735334.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7735334.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8191104.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8191104.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m9572907.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m9572907.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n8459468.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n8459468.exe |
Network
| Country | Destination | Domain | Proto |
| RU | 5.42.92.211:80 | 5.42.92.211 | tcp |
| US | 8.8.8.8:53 | 211.92.42.5.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | | tcp |
| FI | 77.91.124.82:19071 | | tcp |
| FI | 77.91.124.82:19071 | | tcp |
| FI | 77.91.124.82:19071 | | tcp |
| US | 8.8.8.8:53 | 50.192.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.57.101.20.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | | tcp |
| FI | 77.91.124.82:19071 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7735334.exe
| MD5 | 12fa3eb97370c9787af3286ae298a744 |
| SHA1 | 474ac6226e6259a99c81e815f6b8440a87a38084 |
| SHA256 | 627f08929168229417d11ec060145379326d2627945d60874bb346c9d336fbe5 |
| SHA512 | 269de9c03a46a50c69741c4416b7343f00328cd05ab766eaef22911da30e758e3bc346b7378faf235a0072eb80bf89a888c534820fcc79d2d331cb5737a94de9 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8191104.exe
| MD5 | 05253cdbc82346bc67becfe01f35d0ce |
| SHA1 | 74989b15ca68f0595c638c72fafcad43ea75f364 |
| SHA256 | 2cddc8907e464d2e6bc0eea6e9557aca3c9d213349e534d893a1866cbb3cd3a6 |
| SHA512 | 1b8c313777d74e0c7b36b4dc9ef7b85e820e6c3fb48c917acc0c9bfa6e50952626e453a4b2e19cbb75e25a72c8d923ae4fca70781d2b68902f9dcb1dd733d69e |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m9572907.exe
| MD5 | c144a8e1fe4e8f834ac2a4226c2c14b8 |
| SHA1 | e4ff06d8676201cdfe1eb9db340c1808b2a26dd0 |
| SHA256 | 611a1e139dd2a2fc257f36fd6c2a0dfa6a361e8644b7d4a78f8eb9cac00bce3a |
| SHA512 | 4d6b8cf449c40223bee790973126c588211cab4810abc16a81071e6b8b1b623fc7f6ab51e5ce73e9701d423e906338324b4d32953d74c9022ce0eda727dc07cf |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n8459468.exe
| MD5 | 0b02b8935cbcf99f75bdaaa865968d3f |
| SHA1 | a1dfa80727084e741464a1c0e9f624d88ecd37a6 |
| SHA256 | d73fd9ba820bc170129db963e67008022514031656eaa37d863f90265373e658 |
| SHA512 | 049cad85f1119ee19ca989fd1ebab7ca50dbb8536670834ec6b07b55f1a6d60bea244f3e4e56aaa27e00f265b957004642c703b026f098782b549101f145f36f |