Analysis Overview
SHA256
cecb0cde272847011dd2403f79e5cf2ab07b49f2b65d49ef5d00ffd9bb6a66e2
Threat Level: Known bad
The file cecb0cde272847011dd2403f79e5cf2ab07b49f2b65d49ef5d00ffd9bb6a66e2 was found to be: Known bad.
Malicious Activity Summary
RedLine
RedLine payload
Redline family
Executes dropped EXE
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-09 21:37
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 21:37
Reported
2024-11-09 21:39
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
151s
Signatures
RedLine
RedLine payload
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i31597883.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i36009917.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i22580956.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i67693533.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a78241290.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i22580956.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i67693533.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\cecb0cde272847011dd2403f79e5cf2ab07b49f2b65d49ef5d00ffd9bb6a66e2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i31597883.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i36009917.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i31597883.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i36009917.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i22580956.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i67693533.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a78241290.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\cecb0cde272847011dd2403f79e5cf2ab07b49f2b65d49ef5d00ffd9bb6a66e2.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\cecb0cde272847011dd2403f79e5cf2ab07b49f2b65d49ef5d00ffd9bb6a66e2.exe | "C:\Users\Admin\AppData\Local\Temp\cecb0cde272847011dd2403f79e5cf2ab07b49f2b65d49ef5d00ffd9bb6a66e2.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i31597883.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i31597883.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i36009917.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i36009917.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i22580956.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i22580956.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i67693533.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i67693533.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a78241290.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a78241290.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.208.201.84.in-addr.arpa | udp |
| RU | 185.161.248.73:4164 | | tcp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| RU | 185.161.248.73:4164 | | tcp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 70.209.201.84.in-addr.arpa | udp |
| RU | 185.161.248.73:4164 | | tcp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| RU | 185.161.248.73:4164 | | tcp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| RU | 185.161.248.73:4164 | | tcp |
| RU | 185.161.248.73:4164 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i31597883.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i36009917.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i22580956.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i67693533.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a78241290.exe