Analysis Overview
SHA256
57c7b6b1d432cb85d3a543b6744fa26c24f888885c21d48b00ab1cb7f8f4f649
Threat Level: Known bad
The file 57c7b6b1d432cb85d3a543b6744fa26c24f888885c21d48b00ab1cb7f8f4f649 was found to be: Known bad.
Malicious Activity Summary
RedLine
RedLine payload
Redline family
Executes dropped EXE
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-05 02:33
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-05 02:33
Reported
2024-11-05 02:37
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
152s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2936507.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k9175512.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\57c7b6b1d432cb85d3a543b6744fa26c24f888885c21d48b00ab1cb7f8f4f649.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2936507.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\57c7b6b1d432cb85d3a543b6744fa26c24f888885c21d48b00ab1cb7f8f4f649.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2936507.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k9175512.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\57c7b6b1d432cb85d3a543b6744fa26c24f888885c21d48b00ab1cb7f8f4f649.exe
"C:\Users\Admin\AppData\Local\Temp\57c7b6b1d432cb85d3a543b6744fa26c24f888885c21d48b00ab1cb7f8f4f649.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2936507.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2936507.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k9175512.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k9175512.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| CY | 217.196.96.56:4138 | tcp | |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| CY | 217.196.96.56:4138 | tcp | |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| CY | 217.196.96.56:4138 | tcp | |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| CY | 217.196.96.56:4138 | tcp | |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| CY | 217.196.96.56:4138 | tcp | |
| CY | 217.196.96.56:4138 | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2936507.exe
| MD5 | 9f0563d17bf9f60520c88b0535050c5e |
| SHA1 | 7d3a68cf75e74e8711ab9e1d3556a36faff206ff |
| SHA256 | d7e820dd6dafc41691a4dbc0168d3837ea8ff49d6d9d31cf0d81521c9063e7ca |
| SHA512 | a980be3e6e843f344face252995f8ad02ffa490230509c2d6329ee86a64ff537751858a0159279e44fb374eab6f0a6999805807e959edad03f2fd58291a93244 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k9175512.exe
| MD5 | bf39d72105f904ba0dbf967cdabe1458 |
| SHA1 | 0d0cc8c770402173931ec5d74fac117c4e5f9e2e |
| SHA256 | 1c7869d733cfca38d87faebd465681b5211984a524b13bc766d2e2a5e068c56d |
| SHA512 | 796ce2f2670d7a82f401bd7e02fa928d8404bed46a2ab9b53cbe06b905c70f48629195dcfe81228d82b882c963e3a5045fe1969e2a8911b5873177bb212f3553 |
memory/3460-14-0x00000000746EE000-0x00000000746EF000-memory.dmp
memory/3460-15-0x0000000000890000-0x00000000008BE000-memory.dmp
memory/3460-16-0x00000000052F0000-0x00000000052F6000-memory.dmp
memory/3460-17-0x000000000ACC0000-0x000000000B2D8000-memory.dmp
memory/3460-18-0x000000000A840000-0x000000000A94A000-memory.dmp
memory/3460-19-0x000000000A770000-0x000000000A782000-memory.dmp
memory/3460-20-0x000000000A7D0000-0x000000000A80C000-memory.dmp
memory/3460-21-0x00000000746E0000-0x0000000074E90000-memory.dmp
memory/3460-22-0x0000000004D30000-0x0000000004D7C000-memory.dmp
memory/3460-23-0x00000000746EE000-0x00000000746EF000-memory.dmp
memory/3460-24-0x00000000746E0000-0x0000000074E90000-memory.dmp