Analysis Overview
SHA256
056e09db3df7f2d734879c0d1466cf5a863ebcfb00177826b3338971f7fe3836
Threat Level: Known bad
The file 056e09db3df7f2d734879c0d1466cf5a863ebcfb00177826b3338971f7fe3836 was found to be: Known bad.
Malicious Activity Summary
RedLine
Executes dropped EXE
Adds Run key to start application
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-09-10 15:54
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-09-10 15:54
Reported
2023-09-10 15:56
Platform
win10v2004-20230831-en
Max time kernel
150s
Max time network
149s
Signatures
RedLine
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2401678.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y6247132.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m0317448.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n8492571.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\056e09db3df7f2d734879c0d1466cf5a863ebcfb00177826b3338971f7fe3836.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2401678.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y6247132.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| C:\Users\Admin\AppData\Local\Temp\056e09db3df7f2d734879c0d1466cf5a863ebcfb00177826b3338971f7fe3836.exe | "C:\Users\Admin\AppData\Local\Temp\056e09db3df7f2d734879c0d1466cf5a863ebcfb00177826b3338971f7fe3836.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2401678.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2401678.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y6247132.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y6247132.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m0317448.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m0317448.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n8492571.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n8492571.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.202.248.87.in-addr.arpa | udp |
| RU | 5.42.92.211:80 | 5.42.92.211 | tcp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 211.92.42.5.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | | tcp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | | tcp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | | tcp |
| FI | 77.91.124.82:19071 | | tcp |
| FI | 77.91.124.82:19071 | | tcp |
| US | 8.8.8.8:53 | 104.193.132.51.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2401678.exe
| MD5 | 2eb2586bfa97e4595d6c949c9a1c18a9 |
| SHA1 | bebc730c30c19926efca5e6901e87d5dfb7f50c8 |
| SHA256 | cc29e033b98ae879cc6b204314c37b48bbf05d652fd7adfa57a751e6913819f2 |
| SHA512 | 63313c8b3c1fe123331fcba2cdb00cb25f1e8bf7cdd22fa2a1d6dbc38572a6fcc440ae840c3306db39e048cdfe35a28f3c7d6def223c832da3fb7c06486e607d |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y6247132.exe
| MD5 | 6c05a54057feed24c217761e5fc231d3 |
| SHA1 | eaf1139ed114bda6a3304d596f289ecc5c507e3e |
| SHA256 | 1569ab69f313c7dfd64829a7ccfa03dd702be3485f096b9c93b2fb3493fca806 |
| SHA512 | 7f37f8d41dc8ed217f263c014ae6fdb99b9f7ee61eb806784bba4ad8809b42958cd0193d62ac7f687270d2dc21a7dacf06c12621e17381c16d4b632f0c743cf6 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m0317448.exe
| MD5 | 2b6a06b35dc40c657cff55003ab9ace3 |
| SHA1 | b424c95e74acf538a053926863a322cf266ea01f |
| SHA256 | 4000791bd038ef86c859554da678dac44c57a032663501e53bd1414bd7ceeedf |
| SHA512 | 5806b6d7040a78c2efc0376db0d5e81d6fbbf30fb2e2265d26e96f613e7c51c61ce663e5e1cac72794a42805f43f84c63630f8062f6dafb6b7250fd3d323e0b1 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n8492571.exe
| MD5 | 0369c7f9cb0a49d94791fafb750c07dc |
| SHA1 | 7a5e03f39d0058bf9dd353191ddc069589d8cebb |
| SHA256 | ce8729d258a44fd9009a0a7d1082c1c87e1c1fd447ad59cb9daf49d6c360e3c9 |
| SHA512 | 374daa716b262fb7f08252fe97cd0e2af2b729d7724ebc0446f75f3c298035833d9d94ff1044d31d63db005b6fdc80cddd6a8737f76815f55f02a4b3e3800905 |