Analysis Overview
SHA256
91faebc3db8a692738897a2d841afd2f4443780afe9f1033f6152ae27206fc89
Threat Level: Known bad
The file 91faebc3db8a692738897a2d841afd2f4443780afe9f1033f6152ae27206fc89 was found to be: Known bad.
Malicious Activity Summary
RedLine
RedLine payload
Redline family
Executes dropped EXE
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-04 23:15
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-04 23:15
Reported
2024-11-04 23:17
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
153s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vOH21.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vgE60.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dSR33.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\91faebc3db8a692738897a2d841afd2f4443780afe9f1033f6152ae27206fc89.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vOH21.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vgE60.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vOH21.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vgE60.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dSR33.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\91faebc3db8a692738897a2d841afd2f4443780afe9f1033f6152ae27206fc89.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dSR33.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| C:\Users\Admin\AppData\Local\Temp\91faebc3db8a692738897a2d841afd2f4443780afe9f1033f6152ae27206fc89.exe | "C:\Users\Admin\AppData\Local\Temp\91faebc3db8a692738897a2d841afd2f4443780afe9f1033f6152ae27206fc89.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vOH21.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vOH21.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vgE60.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vgE60.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dSR33.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dSR33.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.12.20.2.in-addr.arpa | udp |
| RU | 193.233.20.13:4136 | | tcp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| RU | 193.233.20.13:4136 | | tcp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| RU | 193.233.20.13:4136 | | tcp |
| US | 8.8.8.8:53 | 94.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| RU | 193.233.20.13:4136 | | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| RU | 193.233.20.13:4136 | | tcp |
| RU | 193.233.20.13:4136 | | tcp |
| US | 8.8.8.8:53 | 10.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vOH21.exe
| MD5 | 061a690b6e59859bbe6b9e2b2a065837 |
| SHA1 | 87d9318901894dde383e1415f969c0f674d98163 |
| SHA256 | 5a7d20c157da8f7272d992d9a836c3fb07d87db64df817811de7062cc96ded12 |
| SHA512 | 39e228ec7087804e407ec3cf0b6c75d75def808bfc4a457954592de057124459fa0a2b3cffd14d9071441a95b87d18ad375c96dcfcadd5e069256b95072bf318 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vgE60.exe
| MD5 | 6152d6997a4a314c7cc84f91a2f9d255 |
| SHA1 | 24741359c190377f2d992eaf8d095c8ca4969cba |
| SHA256 | ba0a88430c18336ca71151ba08d0044ab7e050312664c1a1e15b38e0c2340a42 |
| SHA512 | a543188032424c9b9029cf4eb8f1b3ca5b86397e11e0fbb584f743a53e904413b0bb98795136bc803321aea568d515d48502fb0e69a8c115f66fa3675597f621 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dSR33.exe
| MD5 | b5b088e47af91c344e3583ef9391586f |
| SHA1 | 81c28284f693f66d1d30b8ee09f0d69e27457333 |
| SHA256 | 3f201ce75b624c56d73e6aa11e0d93825455d0ee88d3fdcc8e2f3bafae6cc739 |
| SHA512 | 9d0789dfa16b849709e3bb04159ed2bf6ccd74975472efe87aeb9d8ff0539b8953cb0937b4d646fba7d1460ea8c1fd0ee4dfb9ec2debfefdee70ab9b05ca1a3b |
memory/4824-22-0x0000000004D10000-0x0000000004D56000-memory.dmp
memory/4824-23-0x0000000004F00000-0x00000000054A4000-memory.dmp
memory/4824-24-0x0000000004D90000-0x0000000004DD4000-memory.dmp
memory/4824-54-0x0000000004D90000-0x0000000004DCE000-memory.dmp
memory/4824-62-0x0000000004D90000-0x0000000004DCE000-memory.dmp
memory/4824-88-0x0000000004D90000-0x0000000004DCE000-memory.dmp
memory/4824-86-0x0000000004D90000-0x0000000004DCE000-memory.dmp
memory/4824-84-0x0000000004D90000-0x0000000004DCE000-memory.dmp
memory/4824-82-0x0000000004D90000-0x0000000004DCE000-memory.dmp
memory/4824-80-0x0000000004D90000-0x0000000004DCE000-memory.dmp
memory/4824-76-0x0000000004D90000-0x0000000004DCE000-memory.dmp
memory/4824-75-0x0000000004D90000-0x0000000004DCE000-memory.dmp
memory/4824-72-0x0000000004D90000-0x0000000004DCE000-memory.dmp
memory/4824-70-0x0000000004D90000-0x0000000004DCE000-memory.dmp
memory/4824-69-0x0000000004D90000-0x0000000004DCE000-memory.dmp
memory/4824-66-0x0000000004D90000-0x0000000004DCE000-memory.dmp
memory/4824-64-0x0000000004D90000-0x0000000004DCE000-memory.dmp
memory/4824-60-0x0000000004D90000-0x0000000004DCE000-memory.dmp
memory/4824-58-0x0000000004D90000-0x0000000004DCE000-memory.dmp
memory/4824-56-0x0000000004D90000-0x0000000004DCE000-memory.dmp
memory/4824-52-0x0000000004D90000-0x0000000004DCE000-memory.dmp
memory/4824-50-0x0000000004D90000-0x0000000004DCE000-memory.dmp
memory/4824-48-0x0000000004D90000-0x0000000004DCE000-memory.dmp
memory/4824-46-0x0000000004D90000-0x0000000004DCE000-memory.dmp
memory/4824-44-0x0000000004D90000-0x0000000004DCE000-memory.dmp
memory/4824-40-0x0000000004D90000-0x0000000004DCE000-memory.dmp
memory/4824-36-0x0000000004D90000-0x0000000004DCE000-memory.dmp
memory/4824-34-0x0000000004D90000-0x0000000004DCE000-memory.dmp
memory/4824-32-0x0000000004D90000-0x0000000004DCE000-memory.dmp
memory/4824-30-0x0000000004D90000-0x0000000004DCE000-memory.dmp
memory/4824-78-0x0000000004D90000-0x0000000004DCE000-memory.dmp
memory/4824-38-0x0000000004D90000-0x0000000004DCE000-memory.dmp
memory/4824-28-0x0000000004D90000-0x0000000004DCE000-memory.dmp
memory/4824-26-0x0000000004D90000-0x0000000004DCE000-memory.dmp
memory/4824-25-0x0000000004D90000-0x0000000004DCE000-memory.dmp
memory/4824-42-0x0000000004D90000-0x0000000004DCE000-memory.dmp
memory/4824-931-0x00000000054B0000-0x0000000005AC8000-memory.dmp
memory/4824-932-0x0000000005AD0000-0x0000000005BDA000-memory.dmp
memory/4824-933-0x0000000004E90000-0x0000000004EA2000-memory.dmp
memory/4824-934-0x0000000004EB0000-0x0000000004EEC000-memory.dmp
memory/4824-935-0x0000000005CF0000-0x0000000005D3C000-memory.dmp