Analysis Overview
SHA256
e92fe358ec198dba3166ee6a657b84412c6f73bf185b15ce9e2402b2f1dd234b
Threat Level: Known bad
The file e92fe358ec198dba3166ee6a657b84412c6f73bf185b15ce9e2402b2f1dd234b was found to be: Known bad.
Malicious Activity Summary
RedLine
Executes dropped EXE
Adds Run key to start application
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-09-10 15:14
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-09-10 15:14
Reported
2023-09-10 15:16
Platform
win10v2004-20230831-en
Max time kernel
142s
Max time network
150s
Command Line
Signatures
RedLine
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3932490.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8928671.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m5066932.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n2575916.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\e92fe358ec198dba3166ee6a657b84412c6f73bf185b15ce9e2402b2f1dd234b.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3932490.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8928671.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Path | Command Line |
| C:\Users\Admin\AppData\Local\Temp\e92fe358ec198dba3166ee6a657b84412c6f73bf185b15ce9e2402b2f1dd234b.exe | "C:\Users\Admin\AppData\Local\Temp\e92fe358ec198dba3166ee6a657b84412c6f73bf185b15ce9e2402b2f1dd234b.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3932490.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3932490.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8928671.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8928671.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m5066932.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m5066932.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n2575916.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n2575916.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.81.21.72.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| RU | 5.42.92.211:80 | 5.42.92.211 | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 211.92.42.5.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | | tcp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | | tcp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 254.178.238.8.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | | tcp |
| FI | 77.91.124.82:19071 | | tcp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | | tcp |
| FI | 77.91.124.82:19071 | | tcp |
| US | 8.8.8.8:53 | 10.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3932490.exe
| MD5 | fbd1cfc4685fe07d0950774d8e8d93c7 |
| SHA1 | ee3a3933b46d5b4be30f5da4dfa3a6e4ce667afe |
| SHA256 | 39dd0a403726abfae032cffef6310f40c265d91e553654fd1f58883d283c334b |
| SHA512 | a144ac3b854e23e58388595c7fdf68d1fac0197f7799252f8c56480207c26ff275f44d7d609d93088107c54b42a06995a6551f405b5477ddc24de81c6f46adcf |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8928671.exe
| MD5 | 78e8062cabf7e3b6ab4821b19264cae5 |
| SHA1 | f36b6a533a156e246e5361984a61813d3fef9a41 |
| SHA256 | 45a8b15e5cf12f1c0346e173918b0b711f4aabdadf9807192c2e416d6098010e |
| SHA512 | 5b24dd6f377a00feca8d46c7a5de03d47173b1b4bae8808d23f2ad664abf72beec1c98653c051c44e51c38fdfa218cc86dec134bb63cbe8f416df05fd9bc75f9 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m5066932.exe
| MD5 | 9311b141ed218840880d9772e4e37c7b |
| SHA1 | ad378c0ea6ca088d036af763cd9c0780c4c98af7 |
| SHA256 | 810732f89464935bb8a0052a82ff8ddeaec8493b60eff6df96c186393be88a70 |
| SHA512 | 985e232643927ca9bfb926c94751cb6852b89a0344f6f03921994b65344cea9b4f30bd724b7126f57ebb87e3bc3c16ce4058e39726065536725c76033bfbe9fb |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n2575916.exe
| MD5 | cf914e72a10a794d9e7f46926cb51dde |
| SHA1 | 99ab0c103f434cd8d4f7251328b01849d1e94d54 |
| SHA256 | 8a68ed2952dd5bd032f7c7eb077524a96fc0f2ae1fded8b9e7afff1aaf1a606c |
| SHA512 | 30224e7601cc43e98ba97da9827db5f41b2c5b1bea3d5a9ae8e712e3ceb7aa5eac699b70654d897e6a2918c0bf295aa6e566e536ad061d590f265a4172aa061c |