Analysis Overview
SHA256
1977b80f411bc5418875737557203e3d107c578a0be6dee9e20f5e12db0ff2fd
Threat Level: Known bad
The file 1977b80f411bc5418875737557203e3d107c578a0be6dee9e20f5e12db0ff2fd was found to be: Known bad.
Malicious Activity Summary
RedLine
Executes dropped EXE
Adds Run key to start application
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-09-10 15:29
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-09-10 15:29
Reported
2023-09-10 15:31
Platform
win10v2004-20230831-en
Max time kernel
142s
Max time network
155s
Command Line
Signatures
RedLine
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7075102.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0915866.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m1848341.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n3149889.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\1977b80f411bc5418875737557203e3d107c578a0be6dee9e20f5e12db0ff2fd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7075102.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0915866.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\1977b80f411bc5418875737557203e3d107c578a0be6dee9e20f5e12db0ff2fd.exe
"C:\Users\Admin\AppData\Local\Temp\1977b80f411bc5418875737557203e3d107c578a0be6dee9e20f5e12db0ff2fd.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7075102.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7075102.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0915866.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0915866.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m1848341.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m1848341.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n3149889.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n3149889.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| RU | 5.42.92.211:80 | 5.42.92.211 | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 211.92.42.5.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | | tcp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 135.1.85.104.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | | tcp |
| US | 8.8.8.8:53 | 254.178.238.8.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | | tcp |
| FI | 77.91.124.82:19071 | | tcp |
| FI | 77.91.124.82:19071 | | tcp |
| FI | 77.91.124.82:19071 | | tcp |
| US | 8.8.8.8:53 | 169.117.168.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7075102.exe
| MD5 | 58dd6d4cebba939fa28635e1f699280f |
| SHA1 | 71fbd01e3b3a6131ac4ed25fa642a2da4f766b1b |
| SHA256 | 1af7e0c908053a325bcb5487f2fec6e34a9d7864555249878b1d764937f531da |
| SHA512 | 0f1d7e6fc0d9e9b0ceadfef5544f8ce2da75a162d043d82a3c573943ff35c72bbeca0a271ba695d149702fbb2101eef6d7c21f72a34d4a8d741a1a64f187c46c |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0915866.exe
| MD5 | 611821bc964e6c73fa268f44628fbe3a |
| SHA1 | 11425404d2226fe96802886e6b4535b44585a834 |
| SHA256 | b4b370cd61c2d629986e4c4bb67aea938c15a99a4e3c5181e13ce4b6c65341b0 |
| SHA512 | 1bc0cad4ce2151e8896303e0fcef4b8d8802080dee68501bd918f12cad227e1df248c6ae9b756a5f9734ed2a9a42cc97f34e12082e18c64383732ef27508b496 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m1848341.exe
| MD5 | b2c27d2ca3e20e545edd433115a5f7ce |
| SHA1 | 572d93cb954dd9aefc88c8373b5e39f0957fa9e5 |
| SHA256 | e2ffb00d67ed59d6e6699c18bcb7ed7f8d424ff66b0187fba6a651694e4e9e03 |
| SHA512 | 29250da3fde48068929daf31015747c3bc2e207a6045938147986d131bee4ac1482e20cb1b7262bbb9aa8a86330d716b83843bbe091f6d167498333337287089 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n3149889.exe
| MD5 | 3d9d6999a96723d8833fdb5a08b0010e |
| SHA1 | 7224c35b12f672fecbbdd009a9dd77473899b4a6 |
| SHA256 | 5361a86c966f45c813a9265cfec20109c5d039b4f928f9073eb137ff1ded2ae9 |
| SHA512 | dcbc0880d3059481461af0a1594ebd99955d01d5f21d8a3ca7698a3e4a0c48bc5d89cf97ea6cb7588ef7ebeeab4bd1d91d8b6597dd52820843afdc93b3b059b0 |
memory/3824-24-0x0000000000610000-0x0000000000640000-memory.dmp
memory/3824-25-0x0000000074530000-0x0000000074CE0000-memory.dmp
memory/3824-26-0x0000000005660000-0x0000000005C78000-memory.dmp
memory/3824-27-0x00000000051A0000-0x00000000052AA000-memory.dmp
memory/3824-28-0x0000000002870000-0x0000000002880000-memory.dmp
memory/3824-29-0x00000000050E0000-0x00000000050F2000-memory.dmp
memory/3824-30-0x0000000005140000-0x000000000517C000-memory.dmp
memory/3824-31-0x0000000074530000-0x0000000074CE0000-memory.dmp
memory/3824-32-0x0000000002870000-0x0000000002880000-memory.dmp