Analysis Overview
SHA256
62b45d357531f3096032239b427e854dd5be63f39d663947b20ed99b207d7bc9
Threat Level: Known bad
The file 62b45d357531f3096032239b427e854dd5be63f39d663947b20ed99b207d7bc9 was found to be: Known bad.
Malicious Activity Summary
RedLine payload
RedLine
Redline family
Executes dropped EXE
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-07 15:22
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-07 15:22
Reported
2024-11-07 15:24
Platform
win10v2004-20241007-en
Max time kernel
141s
Max time network
150s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nGZ67DN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nHV70VB.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nlw73vb.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\nHy41QE.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bjc43De59.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nlw73vb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\nHy41QE.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\62b45d357531f3096032239b427e854dd5be63f39d663947b20ed99b207d7bc9.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nGZ67DN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nHV70VB.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\62b45d357531f3096032239b427e854dd5be63f39d663947b20ed99b207d7bc9.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nGZ67DN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nHV70VB.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nlw73vb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\nHy41QE.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bjc43De59.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bjc43De59.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\62b45d357531f3096032239b427e854dd5be63f39d663947b20ed99b207d7bc9.exe
"C:\Users\Admin\AppData\Local\Temp\62b45d357531f3096032239b427e854dd5be63f39d663947b20ed99b207d7bc9.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nGZ67DN.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nGZ67DN.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nHV70VB.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nHV70VB.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nlw73vb.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nlw73vb.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\nHy41QE.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\nHy41QE.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bjc43De59.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bjc43De59.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| RU | 193.233.20.23:4124 | N/A | tcp |
| RU | 193.233.20.23:4124 | N/A | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.117.19.2.in-addr.arpa | udp |
| RU | 193.233.20.23:4124 | N/A | tcp |
| US | 8.8.8.8:53 | 71.209.201.84.in-addr.arpa | udp |
| RU | 193.233.20.23:4124 | N/A | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| RU | 193.233.20.23:4124 | N/A | tcp |
| RU | 193.233.20.23:4124 | N/A | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nGZ67DN.exe
| MD5 | a3e42245bd0ff4f7eed756f6c40155cd |
| SHA1 | 7c521632f4aade214aa2fbf0fb7a76a1b3de5a32 |
| SHA256 | f755f3734bc3c8978fff0c804b2a6e065d9ab3a2dd8be89751fb394132ece985 |
| SHA512 | 7934e078760f74baa31a5687e4ecf16bfff3c3b03265e2c73ae8c6da5af80520d03af807f1c4d933e5e1214d05f42da938b8da5fe16e4703738726f05945cb8b |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nHV70VB.exe
| MD5 | 8bd3ef9e9749c9d1f9d444973aeb6c7a |
| SHA1 | cf908e05eef32f7916a261f9c8a51992e42c2b99 |
| SHA256 | 302afab6c6f622f55cada4b81a19776339957fae92133aa77e6fc00a6604aa30 |
| SHA512 | a251be390877e253c98dcaabeb3180a4b6451220884caf00e2ee7b5271e44a1992d99fb6cccda737094872406e5448b2830c2cf1b4772f6da63504d0ebefbe5a |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nlw73vb.exe
| MD5 | 8143a0b14eb5a9aebd96e540e2a0efd7 |
| SHA1 | 9f5872f04a4120cf7a7c3e79a65b538f94845ae3 |
| SHA256 | eddb06692050138d237df3e26d0c95b3edbe7d8e62a5496c72c832f08dbd3e31 |
| SHA512 | 71745ffbf36ae310e9837205994bf1c17ae579a3e28063797d99915fcee02d3d844ce7af7d18cac642a76faf90299b0603db6c2541f142cf40cd9df09454fec4 |
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bjc43De59.exe
| MD5 | 231430e854c098688aa6848702c5018e |
| SHA1 | 46a9be0ad282ff66b7de6586c6cf86ff5057651d |
| SHA256 | c2c7ced4db7b7a5eb5960c2d518179b7798494fe893b5bb22c756a811460cdf9 |
| SHA512 | 202a0ec01cdd18613c8fb423418ec0abf3382f2ea8d957c287324c23d083a7ab61fb5207c0e9c3bfb421a58f821daf81506e2ecb4d08fa2cfa993587e1e44217 |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\nHy41QE.exe
| MD5 | 98835893d157b248b3ef2c0f351196d8 |
| SHA1 | 21997d54eea66faff17f6722b30ac5b7f4c8014b |
| SHA256 | a34628e0d573e47902ce8f1bbfd3ea13634a3fe2afd7cd365bde6e71f8ad8f6a |
| SHA512 | 7e0abb112b53a613d03f9c13e85667658a5d517096f73ba234993d365c2223e55496afc45601dcda4a22ceb45a476f461657b534ffadaa4f27444509cb0ad278 |
memory/3716-36-0x0000000004C30000-0x0000000004C76000-memory.dmp
memory/3716-37-0x0000000004D70000-0x0000000005314000-memory.dmp
memory/3716-38-0x0000000004CB0000-0x0000000004CF4000-memory.dmp
memory/3716-44-0x0000000004CB0000-0x0000000004CEF000-memory.dmp
memory/3716-102-0x0000000004CB0000-0x0000000004CEF000-memory.dmp
memory/3716-100-0x0000000004CB0000-0x0000000004CEF000-memory.dmp
memory/3716-98-0x0000000004CB0000-0x0000000004CEF000-memory.dmp
memory/3716-96-0x0000000004CB0000-0x0000000004CEF000-memory.dmp
memory/3716-92-0x0000000004CB0000-0x0000000004CEF000-memory.dmp
memory/3716-90-0x0000000004CB0000-0x0000000004CEF000-memory.dmp
memory/3716-88-0x0000000004CB0000-0x0000000004CEF000-memory.dmp
memory/3716-86-0x0000000004CB0000-0x0000000004CEF000-memory.dmp
memory/3716-84-0x0000000004CB0000-0x0000000004CEF000-memory.dmp
memory/3716-82-0x0000000004CB0000-0x0000000004CEF000-memory.dmp
memory/3716-80-0x0000000004CB0000-0x0000000004CEF000-memory.dmp
memory/3716-78-0x0000000004CB0000-0x0000000004CEF000-memory.dmp
memory/3716-74-0x0000000004CB0000-0x0000000004CEF000-memory.dmp
memory/3716-72-0x0000000004CB0000-0x0000000004CEF000-memory.dmp
memory/3716-70-0x0000000004CB0000-0x0000000004CEF000-memory.dmp
memory/3716-68-0x0000000004CB0000-0x0000000004CEF000-memory.dmp
memory/3716-66-0x0000000004CB0000-0x0000000004CEF000-memory.dmp
memory/3716-64-0x0000000004CB0000-0x0000000004CEF000-memory.dmp
memory/3716-62-0x0000000004CB0000-0x0000000004CEF000-memory.dmp
memory/3716-60-0x0000000004CB0000-0x0000000004CEF000-memory.dmp
memory/3716-58-0x0000000004CB0000-0x0000000004CEF000-memory.dmp
memory/3716-56-0x0000000004CB0000-0x0000000004CEF000-memory.dmp
memory/3716-54-0x0000000004CB0000-0x0000000004CEF000-memory.dmp
memory/3716-52-0x0000000004CB0000-0x0000000004CEF000-memory.dmp
memory/3716-50-0x0000000004CB0000-0x0000000004CEF000-memory.dmp
memory/3716-48-0x0000000004CB0000-0x0000000004CEF000-memory.dmp
memory/3716-46-0x0000000004CB0000-0x0000000004CEF000-memory.dmp
memory/3716-94-0x0000000004CB0000-0x0000000004CEF000-memory.dmp
memory/3716-42-0x0000000004CB0000-0x0000000004CEF000-memory.dmp
memory/3716-40-0x0000000004CB0000-0x0000000004CEF000-memory.dmp
memory/3716-76-0x0000000004CB0000-0x0000000004CEF000-memory.dmp
memory/3716-39-0x0000000004CB0000-0x0000000004CEF000-memory.dmp
memory/3716-945-0x0000000005320000-0x0000000005938000-memory.dmp
memory/3716-946-0x00000000059A0000-0x0000000005AAA000-memory.dmp
memory/3716-947-0x0000000005AE0000-0x0000000005AF2000-memory.dmp
memory/3716-948-0x0000000005B00000-0x0000000005B3C000-memory.dmp
memory/3716-949-0x0000000005C50000-0x0000000005C9C000-memory.dmp