Analysis Overview
SHA256
c6613497cea53aec719e58a0febc981f4674934e685821daf333668e020e16c0
Threat Level: Known bad
The file c6613497cea53aec719e58a0febc981f4674934e685821daf333668e020e16c0 was found to be: Known bad.
Malicious Activity Summary
RedLine
Executes dropped EXE
Adds Run key to start application
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-09-10 16:14
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-09-10 16:14
Reported
2023-09-10 16:17
Platform
win10-20230831-en
Max time kernel
135s
Max time network
151s
Command Line
Signatures
RedLine
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9037731.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0423395.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m7831765.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n9535050.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\c6613497cea53aec719e58a0febc981f4674934e685821daf333668e020e16c0.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9037731.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0423395.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\c6613497cea53aec719e58a0febc981f4674934e685821daf333668e020e16c0.exe | "C:\Users\Admin\AppData\Local\Temp\c6613497cea53aec719e58a0febc981f4674934e685821daf333668e020e16c0.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9037731.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9037731.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0423395.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0423395.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m7831765.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m7831765.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n9535050.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n9535050.exe |
Network
| Country | Destination | Domain | Proto |
| RU | 5.42.92.211:80 | 5.42.92.211 | tcp |
| US | 8.8.8.8:53 | 211.92.42.5.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.0.9.d.c.d.d.7.8.5.d.1.7.0.c.9.1.0.9.d.c.d.d.7.8.0.8.0.8.0.8.0.ip6.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | | tcp |
| FI | 77.91.124.82:19071 | | tcp |
| FI | 77.91.124.82:19071 | | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | | tcp |
| US | 8.8.8.8:53 | 9.57.101.20.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | | tcp |
| US | 8.8.8.8:53 | 204.201.50.20.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9037731.exe
| MD5 | e3c79d6f28f06b0f06bec4960ee6f0d2 |
| SHA1 | d8896458ff0fa8c44d5ea070650cda829146ad95 |
| SHA256 | 04a8b0cb3ddc31ec1d5c87aa4c4093af9ed402847c1063fec21a315020316a81 |
| SHA512 | 5da05868c801853cc21193e97d4b17bda12514614eaacf3ab47245c32546937e4ec7dec0a5a7eb7713739fb347c6f289e76fa2f52675215b5153cb559c4ec8d1 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0423395.exe
| MD5 | ed0fafb3e59865de276a050a0a0ca0fc |
| SHA1 | 2f0cc07b778d4591770afc20d987cc59b12e4d1f |
| SHA256 | 4962276e2e8b09d57171936007dfdd9106cd8c6757d2ba6f482cd0db75fc49a1 |
| SHA512 | b1d1162eeecb2a9cba8c1e0654516f54c106bc1a1215df4a2a089d9aef85a6fb28e8aada0806c6428089e7c715350fdae132f5b2cb4874991fbae86d9f96f71b |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m7831765.exe
| MD5 | f12d881c23d687ec7e4db45455f9a230 |
| SHA1 | e9803096643f32fa658d7a304fab027302b603c7 |
| SHA256 | 175745bcdee101e425ccc28e395bb0865e949ed47b7dc4e5e09232e9bb0ded42 |
| SHA512 | f13b6e7487ec066272d95585a23cf17a65437a8fb731868f681c6a6e7bd90fea94acf87a3afc199d2714a4fcf0fab8e5c9a72d778ee017d4aa7b75ac400c07fe |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n9535050.exe
| MD5 | 4802cd9e82d4bf5d233b60d550e2b95a |
| SHA1 | ee417f030ca000ae2158ba0e64fe5daba831b519 |
| SHA256 | a63db67e8e0271ea660200fe80bac9c02a88019d866237081a79a35e59baca60 |
| SHA512 | 9c359bfa4c3e00632fdadf7a2ca9d1ed530c940e4d6ce7cd7235c0270c9899d7a85501a8d6004c2465951a7c97e0045c67d0ff7bfae648c0da6d19b4b73f069c |