Analysis Overview
SHA256
48f20912518df567aaf4d979d318444b8030a580cb700d88f26f1c23542bb621
Threat Level: Known bad
The file 48f20912518df567aaf4d979d318444b8030a580cb700d88f26f1c23542bb621 was found to be: Known bad.
Malicious Activity Summary
RedLine
RedLine payload
Redline family
Executes dropped EXE
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-09 22:20
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 22:20
Reported
2024-11-09 22:23
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
150s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wKq28jb65.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\48f20912518df567aaf4d979d318444b8030a580cb700d88f26f1c23542bb621.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wKq28jb65.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\48f20912518df567aaf4d979d318444b8030a580cb700d88f26f1c23542bb621.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wKq28jb65.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3312 wrote to memory of 2240 | N/A | C:\Users\Admin\AppData\Local\Temp\48f20912518df567aaf4d979d318444b8030a580cb700d88f26f1c23542bb621.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wKq28jb65.exe |
| PID 3312 wrote to memory of 2240 | N/A | C:\Users\Admin\AppData\Local\Temp\48f20912518df567aaf4d979d318444b8030a580cb700d88f26f1c23542bb621.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wKq28jb65.exe |
| PID 3312 wrote to memory of 2240 | N/A | C:\Users\Admin\AppData\Local\Temp\48f20912518df567aaf4d979d318444b8030a580cb700d88f26f1c23542bb621.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wKq28jb65.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\48f20912518df567aaf4d979d318444b8030a580cb700d88f26f1c23542bb621.exe
"C:\Users\Admin\AppData\Local\Temp\48f20912518df567aaf4d979d318444b8030a580cb700d88f26f1c23542bb621.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wKq28jb65.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wKq28jb65.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| RU | 193.233.20.23:4123 | | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| RU | 193.233.20.23:4123 | | tcp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.117.19.2.in-addr.arpa | udp |
| RU | 193.233.20.23:4123 | | tcp |
| RU | 193.233.20.23:4123 | | tcp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| RU | 193.233.20.23:4123 | | tcp |
| RU | 193.233.20.23:4123 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wKq28jb65.exe
| MD5 | dc87fc747ed14e7e07d222a946edf7c3 |
| SHA1 | bfaa2e559fdd8e0db71da8e30d9ff52a74f04b8a |
| SHA256 | ac04ebd907b3f394e6ebd788df9cf663853d22961d2259a3da243ada170869a1 |
| SHA512 | 0df4a616be289551060f940880c595c05fdd4d9366796770a4a345e3fdcd4bc299efd2f6c5fe9f6bda6f4ec2b3247d0ecbdf2ab1f5c150ed6a986c2b775bc733 |