Analysis Overview
SHA256
db9b2b94e74840f740649eec3185a06175e76f418075f90c6ae509f628be21ee
Threat Level: Known bad
The file db9b2b94e74840f740649eec3185a06175e76f418075f90c6ae509f628be21ee was found to be: Known bad.
Malicious Activity Summary
RedLine
Executes dropped EXE
Adds Run key to start application
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-09-10 15:59
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-09-10 15:59
Reported
2023-09-10 16:01
Platform
win10v2004-20230831-en
Max time kernel
150s
Max time network
155s
Command Line
Signatures
RedLine
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8657000.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y7836652.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m7166275.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n5871070.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\db9b2b94e74840f740649eec3185a06175e76f418075f90c6ae509f628be21ee.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8657000.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y7836652.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| C:\Users\Admin\AppData\Local\Temp\db9b2b94e74840f740649eec3185a06175e76f418075f90c6ae509f628be21ee.exe | "C:\Users\Admin\AppData\Local\Temp\db9b2b94e74840f740649eec3185a06175e76f418075f90c6ae509f628be21ee.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8657000.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8657000.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y7836652.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y7836652.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m7166275.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m7166275.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n5871070.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n5871070.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 113.132.60.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| RU | 5.42.92.211:80 | 5.42.92.211 | tcp |
| US | 8.8.8.8:53 | 211.92.42.5.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | | tcp |
| US | 8.8.8.8:53 | 1.202.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 254.178.238.8.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | | tcp |
| FI | 77.91.124.82:19071 | | tcp |
| FI | 77.91.124.82:19071 | | tcp |
| US | 8.8.8.8:53 | 11.73.50.20.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | | tcp |
| US | 8.8.8.8:53 | 254.7.248.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 38.148.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8657000.exe
| MD5 | ba551f1df27817c36d126be92f607d36 |
| SHA1 | 9f6a5f2c7e884d381a44c41f5d5d582de31e385a |
| SHA256 | 37aefc87c62f04cc96a085cd0a814e3abf3b5407b6f7fb3fd426efcc320d7a9f |
| SHA512 | cb9c7924a653ab9a99a1d5397a43f1303c4649ee231d5d61f57259db3aac91f97ba1e9bf7554523a0c437d45f99be0207e521b078c5fd231ff90904112d730b4 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y7836652.exe
| MD5 | 261b226b34a93e616027a74408b707ba |
| SHA1 | b961a95b045e1992c62fef615c4e1dd174b1da61 |
| SHA256 | a8201a7ce0c444498b015a95b962b109237590dc6857f4450733a4b7562aab60 |
| SHA512 | 64617256beabba93e56cb348c8f285ed9db00d7c03e5421fed93d7e370a7c85d60b7f35f879fbf17331be3ef9f583def6d4c05692b8c81350c80fbb0780fca54 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m7166275.exe
| MD5 | 3a4b10d36a038f6c05afe5f64ec2bb76 |
| SHA1 | 758eb4dba2bdfeffe1e06bf48a93ef1eaf3b344f |
| SHA256 | b5bf7bc08eb773114ea5d16ed71cc1b0fccaeff837c612f472563eb1d4ca662e |
| SHA512 | 781b78cbbe97fb24434fb4cde283831aacb23de65b7f43b20969d033c0f8377f86bd7f0466f19d8e8a86434a200f44ef5ce623d840039031c9e0ddf2eaf7b5cd |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n5871070.exe
| MD5 | fffc92607c54d8a4f7d22147f200ccde |
| SHA1 | c49a4dba6e04b3ab09354466060db02a80bd4e54 |
| SHA256 | 3c58ea7b021e3433e09693739299b5f8714419ba181a8994b2296bd97eeed270 |
| SHA512 | e4fc458835b3cb8c9aa749e364f720d40a663beb9644bcb871a573e8f1b6c4bce573a45c5f9acc310c3b41e2d6ebbd562b7f67b80532174ee5c0b4345f9cc479 |