Analysis Overview
SHA256
95b95a66d42542d9d705a383c151d7688b37f9f79c4c19e7f72a79ce812f1efa
Threat Level: Known bad
The file 95b95a66d42542d9d705a383c151d7688b37f9f79c4c19e7f72a79ce812f1efa was found to be: Known bad.
Malicious Activity Summary
RedLine payload
RedLine
Redline family
Executes dropped EXE
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-07 01:28
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-07 01:28
Reported
2024-11-07 01:30
Platform
win10v2004-20241007-en
Max time kernel
141s
Max time network
148s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZx81ND.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nNL46jI.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nky57By.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bnE61aA55.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\95b95a66d42542d9d705a383c151d7688b37f9f79c4c19e7f72a79ce812f1efa.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZx81ND.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nNL46jI.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nky57By.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\95b95a66d42542d9d705a383c151d7688b37f9f79c4c19e7f72a79ce812f1efa.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZx81ND.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nNL46jI.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nky57By.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bnE61aA55.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bnE61aA55.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| C:\Users\Admin\AppData\Local\Temp\95b95a66d42542d9d705a383c151d7688b37f9f79c4c19e7f72a79ce812f1efa.exe | "C:\Users\Admin\AppData\Local\Temp\95b95a66d42542d9d705a383c151d7688b37f9f79c4c19e7f72a79ce812f1efa.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZx81ND.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZx81ND.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nNL46jI.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nNL46jI.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nky57By.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nky57By.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bnE61aA55.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bnE61aA55.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| RU | 193.233.20.23:4124 | | tcp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| RU | 193.233.20.23:4124 | | tcp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| RU | 193.233.20.23:4124 | | tcp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| RU | 193.233.20.23:4124 | | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| RU | 193.233.20.23:4124 | | tcp |
| RU | 193.233.20.23:4124 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZx81ND.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nNL46jI.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nky57By.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bnE61aA55.exe