Analysis Overview
SHA256
771c1954d17774b759d99853046bbdf2ca1c24b8eb04585b2507d5ed5deeff27
Threat Level: Known bad
The file 771c1954d17774b759d99853046bbdf2ca1c24b8eb04585b2507d5ed5deeff27 was found to be: Known bad.
Malicious Activity Summary
RedLine
Executes dropped EXE
Adds Run key to start application
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-09-10 15:04
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-09-10 15:04
Reported
2023-09-10 15:06
Platform
win10v2004-20230831-en
Max time kernel
139s
Max time network
149s
Command Line
Signatures
RedLine
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3630727.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y5172747.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m6610952.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n1718775.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y5172747.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\771c1954d17774b759d99853046bbdf2ca1c24b8eb04585b2507d5ed5deeff27.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3630727.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Path | Command line |
| C:\Users\Admin\AppData\Local\Temp\771c1954d17774b759d99853046bbdf2ca1c24b8eb04585b2507d5ed5deeff27.exe | "C:\Users\Admin\AppData\Local\Temp\771c1954d17774b759d99853046bbdf2ca1c24b8eb04585b2507d5ed5deeff27.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3630727.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3630727.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y5172747.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y5172747.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m6610952.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m6610952.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n1718775.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n1718775.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.202.248.87.in-addr.arpa | udp |
| RU | 5.42.92.211:80 | 5.42.92.211 | tcp |
| US | 8.8.8.8:53 | 211.92.42.5.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | | tcp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | | tcp |
| FI | 77.91.124.82:19071 | | tcp |
| FI | 77.91.124.82:19071 | | tcp |
| FI | 77.91.124.82:19071 | | tcp |
| FI | 77.91.124.82:19071 | | tcp |
| US | 8.8.8.8:53 | 8.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3630727.exe
| MD5 | 32600de07f2504440d1310f0c5c3fa7a |
| SHA1 | 20874a7b167233bea0fcc1ea9a863a38d68330fc |
| SHA256 | c95967ad6d1bb116b170863a9173b62181ce3839dbf1c224a38968901bf955e1 |
| SHA512 | 691c21b5e8e4c1d17cfe904a760c4dc64bb34193337220e131b5eb53d639993c4e3d6437e71ac83c32a0852585bbf7fc3f791988859908ae20ec5fc8c0c24487 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y5172747.exe
| MD5 | 9bad345f18c72518f6e3a808b6e39a25 |
| SHA1 | 24b013df48caf7d0b03cc815667c998ebe79211c |
| SHA256 | 74c39d6cc8b40d5922f7119412bd189ea235c5ea265b81f41000fb76c71abcb5 |
| SHA512 | 1aa8d1a3e922982d0c025de19ee9a2c619061e61e9c18ebbd95118d57c6195f0e6cb5a88e2da03399d1deb8aaf813b4575c6836dbf5f075a37111520ce53910b |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m6610952.exe
| MD5 | d2857face751c320f70d6a2b750ed947 |
| SHA1 | 52d7f4b032df2504e902f72cc718a61bd9367536 |
| SHA256 | 4b13c4094f26f18d50ad0034fde81417e670e1920d33ba9e7ccdfe1600389ab8 |
| SHA512 | c5f51f97069fccf3a74c7934c8d327eb5842230b6e443c030133a026dae8821da1039c7f121c13512319cec1dcb85d6f992e3bed0ee7e23ca619310649e0b412 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n1718775.exe
| MD5 | a66a68739466c1a9e848dc9baf126229 |
| SHA1 | ef74fa9ac2da0bbab2abf3a8ac138bd9ef7a1957 |
| SHA256 | 5f1d520b45d7245c1a7e48bc6c234280b893f25d4b06d9e87e6fbbfca20ad585 |
| SHA512 | b951cff954ae18b57336ed31070b6b2cc1d3bf0601026f837fe80a869cbb06bfe4b630bba7069814b8393980afdca2a5eff0c769b485d7406666bb7430342164 |
memory/2432-24-0x00000000004D0000-0x0000000000500000-memory.dmp
memory/2432-25-0x00000000743F0000-0x0000000074BA0000-memory.dmp
memory/2432-26-0x0000000005570000-0x0000000005B88000-memory.dmp
memory/2432-27-0x0000000005060000-0x000000000516A000-memory.dmp
memory/2432-29-0x0000000004E40000-0x0000000004E50000-memory.dmp
memory/2432-28-0x0000000004FA0000-0x0000000004FB2000-memory.dmp
memory/2432-30-0x0000000005000000-0x000000000503C000-memory.dmp
memory/2432-31-0x00000000743F0000-0x0000000074BA0000-memory.dmp
memory/2432-32-0x0000000004E40000-0x0000000004E50000-memory.dmp