Analysis Overview
SHA256
159c1316c53406d7b53021362d0a5da759725fb1a83d35f89ff43a4403728a75
Threat Level: Known bad
The file 159c1316c53406d7b53021362d0a5da759725fb1a83d35f89ff43a4403728a75 was found to be: Known bad.
Malicious Activity Summary
RedLine
Executes dropped EXE
Adds Run key to start application
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-09-10 15:24
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-09-10 15:24
Reported
2023-09-10 15:26
Platform
win10v2004-20230831-en
Max time kernel
135s
Max time network
149s
Command Line
Signatures
RedLine
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5157994.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m4158471.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n8655862.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5157994.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\159c1316c53406d7b53021362d0a5da759725fb1a83d35f89ff43a4403728a75.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\159c1316c53406d7b53021362d0a5da759725fb1a83d35f89ff43a4403728a75.exe
"C:\Users\Admin\AppData\Local\Temp\159c1316c53406d7b53021362d0a5da759725fb1a83d35f89ff43a4403728a75.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5157994.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5157994.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m4158471.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m4158471.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n8655862.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n8655862.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| RU | 5.42.92.211:80 | 5.42.92.211 | tcp |
| US | 8.8.8.8:53 | 211.92.42.5.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | | tcp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | | tcp |
| FI | 77.91.124.82:19071 | | tcp |
| FI | 77.91.124.82:19071 | | tcp |
| FI | 77.91.124.82:19071 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5157994.exe
| MD5 | 3f42b683b80107ce3ba8709a8e664aba |
| SHA1 | f1144d044fd9165910f5e8085b2741cef9a8c284 |
| SHA256 | f97a8d525e703530ede90a5843cf5f7ade8fd3e0818ed3680462f15501adb04c |
| SHA512 | d976d5f89302d3465eeef94ffbcebcd549c4745a03ac5e311321835f8b5b613fac51584014c192985592af7b617f67e4a8a04244c696e3162bc63fe8631f9bdd |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m4158471.exe
| MD5 | 869b97d83656356f181bd6e87f9a70b5 |
| SHA1 | 49b436b705f13b856bcf44daa8a418172c177325 |
| SHA256 | 679d4a08919ed34fd7c46638c83773e18b612febf1ce64995fd2f0b776151c88 |
| SHA512 | 42ac5e0d15e8da0e6ce88666263d8c262048a3e568d8ded631d23a4c794afc0de414f37ae08d23859cc7fa2e3f85c0562e7f46ad60f3018a1ae0cde33c63b539 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n8655862.exe
| MD5 | 6e417d28cebe711d65980eeef8979064 |
| SHA1 | 1b3f112f074960065793d9658f047d9e444473b6 |
| SHA256 | e54e0adc03c9b6d982eecd2bae4024010c9ba1c0826302dc8cd7f8de6a947f44 |
| SHA512 | b7f8acac01cb4f8d26d2ec347593ad5c844516e268cefcb2d1918ad08e6cac550350f446f20c121acd49bc357669398d504af7f44fb063426427ae0daf9deaa2 |
memory/1784-17-0x0000000000C20000-0x0000000000C50000-memory.dmp
memory/1784-18-0x0000000073F70000-0x0000000074720000-memory.dmp
memory/1784-19-0x0000000005B90000-0x00000000061A8000-memory.dmp
memory/1784-20-0x0000000005680000-0x000000000578A000-memory.dmp
memory/1784-21-0x0000000005420000-0x0000000005430000-memory.dmp
memory/1784-22-0x00000000055B0000-0x00000000055C2000-memory.dmp
memory/1784-23-0x0000000005610000-0x000000000564C000-memory.dmp
memory/1784-24-0x0000000073F70000-0x0000000074720000-memory.dmp
memory/1784-25-0x0000000005420000-0x0000000005430000-memory.dmp