Analysis Overview
SHA256
3b8702a80a1e7690b98ccc8f3ba9f935a606c3f84d001d3171f5d9dc5b78fad2
Threat Level: Known bad
The file 3b8702a80a1e7690b98ccc8f3ba9f935a606c3f84d001d3171f5d9dc5b78fad2 was found to be: Known bad.
Malicious Activity Summary
Redline family
RedLine
RedLine payload
Executes dropped EXE
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-09 23:15
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 23:15
Reported
2024-11-09 23:18
Platform
win10v2004-20241007-en
Max time kernel
131s
Max time network
150s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7548617.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1326909.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f5289473.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\3b8702a80a1e7690b98ccc8f3ba9f935a606c3f84d001d3171f5d9dc5b78fad2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7548617.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1326909.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3b8702a80a1e7690b98ccc8f3ba9f935a606c3f84d001d3171f5d9dc5b78fad2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7548617.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1326909.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f5289473.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\3b8702a80a1e7690b98ccc8f3ba9f935a606c3f84d001d3171f5d9dc5b78fad2.exe
"C:\Users\Admin\AppData\Local\Temp\3b8702a80a1e7690b98ccc8f3ba9f935a606c3f84d001d3171f5d9dc5b78fad2.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7548617.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7548617.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1326909.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1326909.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f5289473.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f5289473.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| RU | 185.161.248.75:4132 | | tcp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| RU | 185.161.248.75:4132 | | tcp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| RU | 185.161.248.75:4132 | | tcp |
| RU | 185.161.248.75:4132 | | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| RU | 185.161.248.75:4132 | | tcp |
| RU | 185.161.248.75:4132 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7548617.exe
| MD5 | 91248268996a0ece3629ebea188c0d57 |
| SHA1 | ec2ca895968e340f9099bf1bd5354cfccba73f20 |
| SHA256 | 2f1a5cf368cf2444406e577da0ac7966ab32d209a0f73a59ed46ab5155c79758 |
| SHA512 | 8176ccb3dc74b70d44890d9c34cccce4ff17482e54b5f757653c74d3070ca70b82be57572ce4b448b753d521b86e5c8b8a837e186d61645460ffe1e1b3f2adf2 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1326909.exe
| MD5 | dadd9de803bd1188e2886373f0e6c1ba |
| SHA1 | 80fe83b9efa0b6b2d9b3b12335d747f7378ca876 |
| SHA256 | 68b2612e2ed911a86cfd70510231a0156375c970ce8c61963acfc3d6f902d99a |
| SHA512 | afc151746b2be1d044b2a998ca1fe12b3c3c3081339d212a19141b3427d73e27a6a098fe226942275e832f81d8a61d2fd33f19d4c4ccf6f665baf64d01161c2a |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f5289473.exe
| MD5 | 8278703515a2585063e467fbfffa3b8a |
| SHA1 | 437577feceda565c8e5b72a5117c8e6905cc920d |
| SHA256 | 65fdfcb0e267a98f37fa04567e88dc25637a73f94f61ae1b77c33e4b7579e091 |
| SHA512 | bb2b4dd8df35918558109db5b2eb36af0fe980da71702e536755813382974072c7d0fa9bcce2cda60fe41a8ff69c88b293a28e88033e447669406b3b4e89be35 |
memory/1140-21-0x0000000000720000-0x000000000074E000-memory.dmp
memory/1140-22-0x0000000002990000-0x0000000002996000-memory.dmp
memory/1140-23-0x000000000AA10000-0x000000000B028000-memory.dmp
memory/1140-24-0x000000000A590000-0x000000000A69A000-memory.dmp
memory/1140-25-0x000000000A4C0000-0x000000000A4D2000-memory.dmp
memory/1140-26-0x000000000A520000-0x000000000A55C000-memory.dmp
memory/1140-27-0x00000000049E0000-0x0000000004A2C000-memory.dmp