Analysis Overview
SHA256
3aad62f457879c2ba7b955eb2b9dc20ff914bc9c5d92283f411c430304a75345
Threat Level: Known bad
The file 3aad62f457879c2ba7b955eb2b9dc20ff914bc9c5d92283f411c430304a75345 was found to be: Known bad.
Malicious Activity Summary
RedLine
Executes dropped EXE
Adds Run key to start application
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-09-10 15:34
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-09-10 15:34
Reported
2023-09-10 15:36
Platform
win10-20230831-en
Max time kernel
133s
Max time network
147s
Command Line
Signatures
RedLine
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4945763.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y2356185.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m6469612.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n7551739.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4945763.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y2356185.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\3aad62f457879c2ba7b955eb2b9dc20ff914bc9c5d92283f411c430304a75345.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\3aad62f457879c2ba7b955eb2b9dc20ff914bc9c5d92283f411c430304a75345.exe | "C:\Users\Admin\AppData\Local\Temp\3aad62f457879c2ba7b955eb2b9dc20ff914bc9c5d92283f411c430304a75345.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4945763.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4945763.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y2356185.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y2356185.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m6469612.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m6469612.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n7551739.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n7551739.exe |
Network
| Country | Destination | Domain | Proto |
| RU | 5.42.92.211:80 | 5.42.92.211 | tcp |
| US | 8.8.8.8:53 | 211.92.42.5.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | | tcp |
| FI | 77.91.124.82:19071 | | tcp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | | tcp |
| FI | 77.91.124.82:19071 | | tcp |
| US | 8.8.8.8:53 | 38.148.119.40.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | | tcp |
| FI | 77.91.124.82:19071 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4945763.exe
| MD5 | 38b3f26aa1a688ca7edf542aa6316413 |
| SHA1 | 7d324b5cea58e7927f1647cf79e7c7fa58fb0e4f |
| SHA256 | bb1c730e2e1bb646028bb473f4e551dc39e6d2c13a804f5f712862512d7b91c2 |
| SHA512 | efe4c9b14cdb27831e1ff67bfdcf8671f6b25de9319998b5ec001d9965e3ff9db87c17b747ae833ce12dad114bf2aa0275a058b599fcb151a325c02e55e481a7 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y2356185.exe
| MD5 | 2c25c24b7e855d7484c633543048cd73 |
| SHA1 | 68e349948840f25612fdc3c64e8033c5b9f71ba5 |
| SHA256 | c1e8ce06a1e3446d239836e3e117de260278ea8b027b082f764f120418aafc40 |
| SHA512 | e685e6926613edb6c7ded3dffd3b05b1d75c96bbec83e8d8e5b2a3aa7a72354657e5a4101cc21c9a3ea0694636b6dbc38802b7e717208f31ded1a55c574848c4 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m6469612.exe
| MD5 | 2f61b2219e6f4b67b4db987bf5ebaf2a |
| SHA1 | 48e24372a0e3fc2a9332d0661896fb98ec4cd396 |
| SHA256 | ae1cef89f945337a3091940f92b431e517573cfa0a6e29b95151359aacee2ee0 |
| SHA512 | 3f24f722511f29db3da7c6b19723099244e9b3d0d10f15c23074153aba144dd9c73458a7d4378bc9129a53c2729fcbd20c8cfe0829bdd82e0d4398012c399002 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n7551739.exe
| MD5 | ba5f05a4fe02c54497a08bc91c74dd9d |
| SHA1 | 420ae384056bc3be559a4362e341635d1b2c7bde |
| SHA256 | a9cf07703a7d8656320e8190522c968fa053f8ad35faff52bdb6b35401473b04 |
| SHA512 | 309f87685a0105d07c56f63047315080bf8a9edc5a25d5c89e314359cb7de88f8128f86004327c7aca3bb459a1a0b1f350757883fab9a99271f5a4669020b43d |
memory/2920-24-0x00000000006A0000-0x00000000006D0000-memory.dmp
memory/2920-25-0x00000000738E0000-0x0000000073FCE000-memory.dmp
memory/2920-26-0x0000000002900000-0x0000000002906000-memory.dmp
memory/2920-27-0x0000000005730000-0x0000000005D36000-memory.dmp
memory/2920-28-0x0000000005230000-0x000000000533A000-memory.dmp
memory/2920-29-0x0000000002950000-0x0000000002962000-memory.dmp
memory/2920-30-0x0000000005020000-0x000000000505E000-memory.dmp
memory/2920-31-0x0000000005060000-0x00000000050AB000-memory.dmp
memory/2920-32-0x00000000738E0000-0x0000000073FCE000-memory.dmp