Analysis Overview
SHA256
273ae46386b8370e41efb48ccd8f7cb8b5658a49ff0e94013fcae42786ccbe02
Threat Level: Known bad
The file 273ae46386b8370e41efb48ccd8f7cb8b5658a49ff0e94013fcae42786ccbe02 was found to be: Known bad.
Malicious Activity Summary
RedLine
Executes dropped EXE
Adds Run key to start application
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-09-10 15:18
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-09-10 15:18
Reported
2023-09-10 15:21
Platform
win10-20230831-en
Max time kernel
134s
Max time network
151s
Command Line
Signatures
RedLine
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7082179.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y7996034.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m8151025.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n8502733.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\273ae46386b8370e41efb48ccd8f7cb8b5658a49ff0e94013fcae42786ccbe02.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7082179.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y7996034.exe | N/A |
Note: these three RunOnce values are not persistence for the payload. wextract_cleanupN entries are written by the Windows IExpress self-extractor (wextract) so that advpack.dll,DelNodeRunDLL32 deletes its IXP00N.TMP staging directory at the next logon. Each nested extractor writes one, which is why the Process column shows the parent extractor for each value and matches the three-deep dropper chain listed under Executes dropped EXE.
Suspicious use of WriteProcessMemory
Processes
| Image path | Command line |
| C:\Users\Admin\AppData\Local\Temp\273ae46386b8370e41efb48ccd8f7cb8b5658a49ff0e94013fcae42786ccbe02.exe | "C:\Users\Admin\AppData\Local\Temp\273ae46386b8370e41efb48ccd8f7cb8b5658a49ff0e94013fcae42786ccbe02.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7082179.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7082179.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y7996034.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y7996034.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m8151025.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m8151025.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n8502733.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n8502733.exe |
Network
| Country | Destination | Domain | Proto |
| RU | 5.42.92.211:80 | 5.42.92.211 | tcp |
| US | 8.8.8.8:53 | 211.92.42.5.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | | tcp |
| FI | 77.91.124.82:19071 | | tcp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | | tcp |
| FI | 77.91.124.82:19071 | | tcp |
| US | 8.8.8.8:53 | 38.148.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 254.117.26.67.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | | tcp |
| FI | 77.91.124.82:19071 | | tcp |
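As an added example (not part of the sandbox report or its tooling), the following Python reduces the registry and network indicators above to actionable IOCs. It parses the Set value strings exactly as the report prints them, labels the wextract_cleanupN RunOnce values as self-extractor cleanup rather than persistence, and collapses the network table into per-destination connection counts, recovering the IPs behind the in-addr.arpa lookups. The fourth registry entry (example_updater) is a constructed, hypothetical autostart value included only for contrast, and the C2 flag is a heuristic (repeated connections to a port other than 80/443), not a finding stated by the report.

```python
"""Added triage helpers for the indicators in this report (not the sandbox's
own tooling). Registry and network rows are transcribed from the report;
the one Run value marked constructed is hypothetical and not from it."""
import re
from collections import Counter

# Registry "Set value" indicators exactly as the report prints them (escaped
# backslashes and quotes), plus one constructed Run value for contrast.
REGISTRY_INDICATORS = [
    r'\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""',
    r'\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""',
    r'\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""',
    # Constructed, hypothetical autostart value: NOT present in the report.
    r'\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\example_updater = "C:\\example\\payload.exe"',
]

_INDICATOR_RE = re.compile(r'^(?P<key>.+)\\(?P<name>[^\\]+?) = "(?P<data>.*)"$')
_WEXTRACT_NAME_RE = re.compile(r"^wextract_cleanup\d+$", re.IGNORECASE)
_DELNODE_RE = re.compile(r'advpack\.dll,DelNodeRunDLL32\s+"([^"]+)"', re.IGNORECASE)


def classify_autostart(indicator: str) -> dict:
    """Parse one 'KEY\\NAME = "DATA"' indicator and say whether it is a
    wextract cleanup entry (IExpress deleting its IXP00N.TMP staging
    directory at next logon) or a genuine autostart value."""
    m = _INDICATOR_RE.match(indicator)
    if not m:
        raise ValueError(f"unrecognised indicator: {indicator!r}")
    key, name = m["key"], m["name"]
    data = re.sub(r"\\(.)", r"\1", m["data"])  # undo the report's \\ and \" escaping
    entry = {"key": key, "value": name, "command": data,
             "kind": "autostart", "deletes": None}
    node = _DELNODE_RE.search(data)
    if key.lower().endswith("\\runonce") and _WEXTRACT_NAME_RE.match(name) and node:
        entry["kind"] = "wextract_cleanup"
        entry["deletes"] = node.group(1)  # directory the cleanup removes
    return entry


# Network rows transcribed from the report: (country, destination, domain, proto).
NETWORK_ROWS = [
    ("RU", "5.42.92.211:80", "5.42.92.211", "tcp"),
    ("US", "8.8.8.8:53", "211.92.42.5.in-addr.arpa", "udp"),
    ("FI", "77.91.124.82:19071", "", "tcp"),
    ("FI", "77.91.124.82:19071", "", "tcp"),
    ("US", "8.8.8.8:53", "23.236.111.52.in-addr.arpa", "udp"),
    ("FI", "77.91.124.82:19071", "", "tcp"),
    ("FI", "77.91.124.82:19071", "", "tcp"),
    ("US", "8.8.8.8:53", "38.148.119.40.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "2.173.189.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "254.117.26.67.in-addr.arpa", "udp"),
    ("FI", "77.91.124.82:19071", "", "tcp"),
    ("FI", "77.91.124.82:19071", "", "tcp"),
]


def ptr_to_ip(name: str):
    """'211.92.42.5.in-addr.arpa' -> '5.42.92.211'; None if not a PTR name."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    return ".".join(reversed(octets)) if len(octets) == 4 else None


def summarize_network(rows) -> dict:
    """Collapse the network table: count TCP connections per destination,
    recover the IPs behind the reverse-DNS lookups, and flag the heuristic
    C2 candidate (repeated connections to a port other than 80/443)."""
    tcp = Counter()
    lookups = []
    for _country, dest, domain, proto in rows:
        if proto == "udp" and dest.endswith(":53"):
            ip = ptr_to_ip(domain)
            if ip:
                lookups.append(ip)
            continue
        tcp[dest] += 1
    connected = {d.rsplit(":", 1)[0] for d in tcp}
    return {
        "tcp": dict(tcp),
        "reverse_lookups": lookups,
        # PTR lookups for addresses the sample never connected to in this run
        "lookups_without_connection": [ip for ip in lookups if ip not in connected],
        "c2_candidates": [d for d, n in tcp.items()
                          if n > 1 and int(d.rsplit(":", 1)[1]) not in (80, 443)],
    }


if __name__ == "__main__":
    for ind in REGISTRY_INDICATORS:
        e = classify_autostart(ind)
        print(f"{e['kind']:17} {e['value']:20} deletes={e['deletes']}")
    print(summarize_network(NETWORK_ROWS))
```

Run stand-alone, the script prints the three RunOnce values as wextract_cleanup (each with the IXP00N.TMP directory it deletes), the constructed Run value as autostart, and a network summary in which 77.91.124.82:19071 is the only destination contacted repeatedly on a non-web port; the four reverse lookups with no matching connection are kept separate so they are not promoted to IOCs by mistake.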
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7082179.exe
| MD5 | 55a060a4c04d4db1ebefd6068a170926 |
| SHA1 | c4220c82d2078d540a7dd95199f69f3dd302006a |
| SHA256 | 58d49e7b2b0b044161f7a0a268893f470047807e52e42e9484d1c0a3b9cbb787 |
| SHA512 | 24545693f291a7b0e3501cc84d31f009fa0744eebddbf00bd2d1a14ed9f98dac5ee77ccc88b1c3f581d39ff2a55f0e48c23ec980b2bdf425250d0204b79bd174 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y7996034.exe
| MD5 | c1bd68dacd2978d54e9d449b201b65ad |
| SHA1 | ef33cc8e7062e97a81df1194842fce08c70131d6 |
| SHA256 | bdbdbeb97a375188f7b3e42027f71d06dcf46d31365e90f31fd13cf61f5aced6 |
| SHA512 | 49aed568f2b4f4c24a915200a9e072b63d115fb9406baf3da4bc350402939c86fff9b231b6d9a0d421dcf8268d690221ae3f82ac645b61baeda6cb90aff3fdc1 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m8151025.exe
| MD5 | a099282cad55a4afeb242aa2082dbf21 |
| SHA1 | 9b27a76f113a9b5f188de25be67214d6e5692285 |
| SHA256 | 6fcb4c56a948884fdabe46bed179a691d226e8fba533e046fc121bf77c373e9a |
| SHA512 | 462d2d216904729a6ca1a6fda598199b051634eec1faebe11704b95ddc4dd8806ce12be3703d7dc0dbbf4327ddbb53e93cc68ce7dc40cec78adf2cfba282fd2f |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n8502733.exe
| MD5 | 9dad6498f68a5f897d236061a2ac0416 |
| SHA1 | d19e2401650452c22653b4338cb38be2fb17ae64 |
| SHA256 | fb2882ba468928c4c009ffec0349cc7ae4eb281de5f7152f2dd4f0863f1261e4 |
| SHA512 | 7a0e0412ed815d545e933658e0a20ccb6520b7b1b7956cc9aa4a9351253dbb0bb9ec48e146a23b845cffeb7e99907d0e4a1c7e77dd4672c0bb95502803e257a4 |
memory/3584-24-0x0000000000E50000-0x0000000000E80000-memory.dmp
memory/3584-25-0x0000000072BA0000-0x000000007328E000-memory.dmp
memory/3584-26-0x0000000002FD0000-0x0000000002FD6000-memory.dmp
memory/3584-27-0x000000000B210000-0x000000000B816000-memory.dmp
memory/3584-28-0x000000000ADA0000-0x000000000AEAA000-memory.dmp
memory/3584-29-0x000000000ACD0000-0x000000000ACE2000-memory.dmp
memory/3584-30-0x000000000AD30000-0x000000000AD6E000-memory.dmp
memory/3584-31-0x000000000AEB0000-0x000000000AEFB000-memory.dmp
memory/3584-32-0x0000000072BA0000-0x000000007328E000-memory.dmp