Analysis Overview
SHA256
4d4bafd29ab538ec1ca91e386218408d31f92aa2fb9cd5659c3cf4ecf20b790e
Threat Level: Known bad
The file 4d4bafd29ab538ec1ca91e386218408d31f92aa2fb9cd5659c3cf4ecf20b790e was found to be: Known bad.
Malicious Activity Summary
RedLine
Executes dropped EXE
Adds Run key to start application
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-09-10 15:09
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-09-10 15:09
Reported
2023-09-10 15:11
Platform
win10v2004-20230831-en
Max time kernel
142s
Max time network
154s
Command Line
Signatures
RedLine
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8581377.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y3380029.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m3734391.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n8565053.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\4d4bafd29ab538ec1ca91e386218408d31f92aa2fb9cd5659c3cf4ecf20b790e.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8581377.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y3380029.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\4d4bafd29ab538ec1ca91e386218408d31f92aa2fb9cd5659c3cf4ecf20b790e.exe | "C:\Users\Admin\AppData\Local\Temp\4d4bafd29ab538ec1ca91e386218408d31f92aa2fb9cd5659c3cf4ecf20b790e.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8581377.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8581377.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y3380029.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y3380029.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m3734391.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m3734391.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n8565053.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n8565053.exe |
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| RU | 5.42.92.211:80 | 5.42.92.211 | tcp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 211.92.42.5.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | | tcp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | | tcp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.81.21.72.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | | tcp |
| FI | 77.91.124.82:19071 | | tcp |
| FI | 77.91.124.82:19071 | | tcp |
| FI | 77.91.124.82:19071 | | tcp |
| US | 8.8.8.8:53 | 4.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8581377.exe
| MD5 | 016b0776eefa9005dae8ca2d14a73e63 |
| SHA1 | e0fbf85e98ebdab0a7a9fb93320c851d108377c7 |
| SHA256 | 625a4ba90e6475c80b466f40149fa43c48d304eb99c3f78dc64f77bb065b11b8 |
| SHA512 | c678b9c2c13e030444faa0b282f7ed2693ad4f010161c9b1a748fae191d879dd1a2010473be8e3e0d7294061d339321798f12e6a96049231ec15c429c9335c2f |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y3380029.exe
| MD5 | a9b8c48c74b9112a780f6e40cd38c596 |
| SHA1 | 9fddb3b41d3a1c1474a2e1812af038c1aaa46b25 |
| SHA256 | 2d28e68b4251e8b2d887f1a4877b8ad77bbfc6fafca67fd4ade8408466f727bd |
| SHA512 | 946867de4d5ea040f239de9225379981e1a6724538aecda655e9ca1646ae21835c9bb4c07c93886c84534f78b9f3ac6a49b029e5741861618145bc422634533d |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m3734391.exe
| MD5 | 671d2ab229f16ba63536914c6540b851 |
| SHA1 | 82f4bcd0d71db3c22f974afc5805b797f7786d4f |
| SHA256 | e3c10b81610a573d66a3e7eb8a7b15d30252beb093217f2f246101394b02e144 |
| SHA512 | faddff6722bde3fd4afca475a29c69ba165b75ec68464351df694e4d3d319ac20cdd515e1ffc3a95e61b9f705960c50a164e29427215989246824aa1fe606e72 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n8565053.exe
| MD5 | c8d58048ea4cba31315279d7c9a15634 |
| SHA1 | 4451ca8eed6bf5b87bf5936676adad18feb902ca |
| SHA256 | 9c05f9cb5c6511450a0080e6df105f47f3e5a9baf9adbdc13b635a57c29dcb0d |
| SHA512 | 038c3a59be0fdc3b0f05a5adf1fde0ff59a430a5bbbb5e6c99eb71710040b28239dad085687ff58003be7c17e9d924424a3d3e092e37e592f586423687b66911 |
memory/892-24-0x0000000000B90000-0x0000000000BC0000-memory.dmp
memory/892-25-0x0000000073C70000-0x0000000074420000-memory.dmp
memory/892-26-0x0000000005C70000-0x0000000006288000-memory.dmp
memory/892-27-0x0000000005760000-0x000000000586A000-memory.dmp
memory/892-29-0x0000000005500000-0x0000000005510000-memory.dmp
memory/892-28-0x0000000005670000-0x0000000005682000-memory.dmp
memory/892-30-0x00000000056D0000-0x000000000570C000-memory.dmp
memory/892-31-0x0000000073C70000-0x0000000074420000-memory.dmp
memory/892-32-0x0000000005500000-0x0000000005510000-memory.dmp