Analysis Overview
SHA256
e797832588cd21e00e08deaca250c0ef4f21342ebd8a6f62edb88daa65dd5dc5
Threat Level: Known bad
The file e797832588cd21e00e08deaca250c0ef4f21342ebd8a6f62edb88daa65dd5dc5 was found to be: Known bad.
Malicious Activity Summary
Redline family
RedLine
RedLine payload
Executes dropped EXE
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-05 02:28
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-05 02:28
Reported
2024-11-05 02:38
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
152s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vOZ24.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vjC60.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dWh46.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\e797832588cd21e00e08deaca250c0ef4f21342ebd8a6f62edb88daa65dd5dc5.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vOZ24.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vjC60.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vOZ24.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vjC60.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dWh46.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\e797832588cd21e00e08deaca250c0ef4f21342ebd8a6f62edb88daa65dd5dc5.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dWh46.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\e797832588cd21e00e08deaca250c0ef4f21342ebd8a6f62edb88daa65dd5dc5.exe
"C:\Users\Admin\AppData\Local\Temp\e797832588cd21e00e08deaca250c0ef4f21342ebd8a6f62edb88daa65dd5dc5.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vOZ24.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vOZ24.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vjC60.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vjC60.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dWh46.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dWh46.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| RU | 193.233.20.12:4132 | | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| RU | 193.233.20.12:4132 | | tcp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| RU | 193.233.20.12:4132 | | tcp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| RU | 193.233.20.12:4132 | | tcp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| RU | 193.233.20.12:4132 | | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| RU | 193.233.20.12:4132 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vOZ24.exe
| MD5 | 452cb856cc81701b19c2cf328f9bde58 |
| SHA1 | f146540557426e025a7aada1f45ad10be15566ea |
| SHA256 | 674d3f33ced08a01d845a123fa1f020b3d4a488b63da5d2d3793477d83cf5096 |
| SHA512 | afdeb3312ef156cb38e36ce0f33e710292d9a24fc5cfdd1d7b1b9439841fc35d31c26fc9fee8c3595a7e714266cd25e505915fcdf8d2bf63b446cc6ef8601f11 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vjC60.exe
| MD5 | 835a115bddb17552e437f24ef3309d25 |
| SHA1 | a20f5ed97b33b2703dbb92f0c72fd7f91f295a6b |
| SHA256 | 82306e6f2780544918bb3fa365506caec4e42b227123f91ed8d43ec97b0b55aa |
| SHA512 | b9cb03ad4687f7a65097f97ed4e9eeeccfb6d68c2c81aaf89a3d84a06eab3abafb2a46252278e8cff75624631a189b614dd134f8e7ece5696da18316bbd2d9e1 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dWh46.exe
| MD5 | 7d909ade41361092545c6e8718ef0458 |
| SHA1 | 36b2753a4c3275635178e80d71a86bcd04ad4c98 |
| SHA256 | 06e3026c306e867e5c77594df9c6bc687d1567416f014fba65ec1121eaf78591 |
| SHA512 | 063b2020da84aad453254dd62fc3b6d2d6fa29966dfd88ad2af175514fad0a45a808123bd1619fae162190449cbdb8521873b4839e101ea0bb3622b4c1a03dce |