Analysis Overview
SHA256
4ce9240b27044909c8eb2ea20e39cd9b18a85e95363d3aba871166fbf2b58d19
Threat Level: Known bad
The file 4ce9240b27044909c8eb2ea20e39cd9b18a85e95363d3aba871166fbf2b58d19 was found to be: Known bad.
Malicious Activity Summary
RedLine
Executes dropped EXE
Adds Run key to start application
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-09-10 16:04
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-09-10 16:04
Reported
2023-09-10 16:06
Platform
win10v2004-20230831-en
Max time kernel
143s
Max time network
154s
Command Line
Signatures
RedLine
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7927850.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1076109.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m3750619.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n6469564.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\4ce9240b27044909c8eb2ea20e39cd9b18a85e95363d3aba871166fbf2b58d19.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7927850.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1076109.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\4ce9240b27044909c8eb2ea20e39cd9b18a85e95363d3aba871166fbf2b58d19.exe | "C:\Users\Admin\AppData\Local\Temp\4ce9240b27044909c8eb2ea20e39cd9b18a85e95363d3aba871166fbf2b58d19.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7927850.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7927850.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1076109.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1076109.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m3750619.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m3750619.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n6469564.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n6469564.exe |
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.134.101.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| RU | 5.42.92.211:80 | 5.42.92.211 | tcp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 211.92.42.5.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | | tcp |
| US | 8.8.8.8:53 | 120.208.253.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.57.101.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.81.21.72.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | | tcp |
| FI | 77.91.124.82:19071 | | tcp |
| FI | 77.91.124.82:19071 | | tcp |
| FI | 77.91.124.82:19071 | | tcp |
| US | 8.8.8.8:53 | 25.73.42.20.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7927850.exe
| MD5 | 4a014e8aa37146029a435d77a71bd1c5 |
| SHA1 | e49b40abd1d4e3f7a4af24054e0bae9463de482a |
| SHA256 | 40322bb26aaeb78c49e5db567eae839bb5b1cee69a61a21091e0feb55de2590c |
| SHA512 | 74b4a5bf665690b30cd6f7a1daec3d889b012c1d1af7aeedac1325295d1552311f3272b00a23a1d96f840ff59c4cd1747893d39506bf863cab5480c831f20c69 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1076109.exe
| MD5 | 76b006c0a88bf56a72fbcc4ef7c30fac |
| SHA1 | f28153daa6dc91251251b2893b1ffcd418701565 |
| SHA256 | 14000c30e18607507ed684b345288b7b8f4a1d5d34c558d66c9483ce66a49535 |
| SHA512 | 19bdcb74cd02ca61bc7e875c3497d049f18950e17746808c75da5a2d0f226f33c88185fe6982c44a16de5f3e0060381f1f84ed5278f12a94241f365f9ddc95f3 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m3750619.exe
| MD5 | c5c834095c3738981936b89138ab4de5 |
| SHA1 | bc93ac94ee751e4258310af686f2c38dfd9cbec2 |
| SHA256 | c93eb6c98e6ccd58af89c704d5f7db520c9e299a2df243384c239ef9507f64c0 |
| SHA512 | 7f33db7750ca37c8bc54e3dee39a151e78363be332ed5d8348adb13370e293bf26055281c311ee823d5a9c47dd67a5aaf5ddf24796e26748e4409c1f805c5f43 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n6469564.exe
| MD5 | 9ab91ab47c32839265c32757a763300a |
| SHA1 | c3d894358ccd3a69870974d6db1aff4f9399e58d |
| SHA256 | c3bf560b6955ecd08108dcbe5717b8f92760913ace0d5b6e8a51bca74ad9aab1 |
| SHA512 | 613b08b54bf4047fb5ec460fc68b2b17cbfdb734b2413f4ab89f9102617171c1502c547ed7293ab89caa175839bcb16c144c8c364b1b728a49828f14181f5d07 |
memory/2432-24-0x0000000074760000-0x0000000074F10000-memory.dmp
memory/2432-25-0x0000000000F10000-0x0000000000F40000-memory.dmp
memory/2432-26-0x0000000005ED0000-0x00000000064E8000-memory.dmp
memory/2432-27-0x00000000059C0000-0x0000000005ACA000-memory.dmp
memory/2432-28-0x00000000057A0000-0x00000000057B0000-memory.dmp
memory/2432-29-0x00000000058B0000-0x00000000058C2000-memory.dmp
memory/2432-30-0x0000000005910000-0x000000000594C000-memory.dmp
memory/2432-31-0x0000000074760000-0x0000000074F10000-memory.dmp
memory/2432-32-0x00000000057A0000-0x00000000057B0000-memory.dmp