Analysis Overview
SHA256
2cdc2cf65c0b76e97dc8706727c5ca17e3a12ecdb9d650a3e48f93db466b6929
Threat Level: Known bad
The file 2cdc2cf65c0b76e97dc8706727c5ca17e3a12ecdb9d650a3e48f93db466b6929N was found to be: Known bad.
Malicious Activity Summary
RedLine payload
Redline family
RedLine
Executes dropped EXE
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-09 22:33
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 22:33
Reported
2024-11-09 22:35
Platform
win10v2004-20241007-en
Max time kernel
106s
Max time network
116s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i68651788.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i24870767.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i13175462.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i69943212.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a21074425.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\2cdc2cf65c0b76e97dc8706727c5ca17e3a12ecdb9d650a3e48f93db466b6929N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i68651788.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i24870767.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i13175462.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i69943212.exe | N/A |
Note: the wextract_cleanup0 to wextract_cleanup4 values are the RunOnce entries that the Windows WExtract (IExpress) self-extractor writes for each IXP00n.TMP directory it unpacks into; at the next logon rundll32 calls advpack.dll,DelNodeRunDLL32 to delete that directory. They show a five-deep chain of nested self-extracting packages, each stage extracting the next into a new IXP00n.TMP folder. They do not re-launch the payload and should not be read as RedLine persistence.
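The five RunOnce rows above are the cleanup hooks written by the Windows WExtract (IExpress) self-extractor, not an autostart for the payload. The following added example, which is not part of the sandbox report or of any tool it names, shows how to parse "Set value" indicators of this shape, separate such SFX cleanup entries from genuine Run/RunOnce persistence, and rebuild the nested drop chain (which process unpacked which IXP00n.TMP stage). The sample rows are constructed from the report's own entries; the final "Updater" row is an invented autostart entry added only for contrast.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed input: (indicator, writing process) pairs copied from the
# report's "Adds Run key" table, plus one invented genuine autostart entry
# (the 'Updater' row) so the classifier has something to contrast against.
SAMPLE_ROWS = [
    (r'\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""',
     r'C:\Users\Admin\AppData\Local\Temp\2cdc2cf65c0b76e97dc8706727c5ca17e3a12ecdb9d650a3e48f93db466b6929N.exe'),
    (r'\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""',
     r'C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i68651788.exe'),
    (r'\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""',
     r'C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i24870767.exe'),
    (r'\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""',
     r'C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i13175462.exe'),
    (r'\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""',
     r'C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i69943212.exe'),
    # invented contrast row: a plain Run value pointing at a dropped binary
    (r'\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater = "C:\\Users\\Admin\\AppData\\Roaming\\Updater\\updater.exe"',
     r'C:\Users\Admin\AppData\Roaming\Updater\updater.exe'),
]


@dataclass
class RegEvent:
    key: str       # registry key path, e.g. ...\CurrentVersion\RunOnce
    name: str      # value name, e.g. wextract_cleanup0
    value: str     # value data with the report's C-style escaping removed
    process: str   # full path of the process that wrote the value


# The report renders a Set value event as:  <key>\<name> = "<escaped data>"
INDICATOR_RE = re.compile(r'^(?P<path>\\REGISTRY\\.+?)\s*=\s*"(?P<value>.*)"$')
# WExtract schedules its temp directory for deletion through advpack.dll
CLEANUP_RE = re.compile(r'advpack\.dll,DelNodeRunDLL32\s+"([^"]+)"', re.IGNORECASE)


def unescape(s: str) -> str:
    # The report escapes every backslash and quote with a backslash.
    return re.sub(r'\\(.)', r'\1', s)


def parse_indicator(indicator: str, process: str) -> RegEvent:
    m = INDICATOR_RE.match(indicator)
    if not m:
        raise ValueError("not a Set value indicator: %r" % indicator)
    key, _, name = m.group('path').rpartition('\\')
    return RegEvent(key, name, unescape(m.group('value')), process)


def classify(ev: RegEvent) -> Tuple[str, Optional[str]]:
    """Return (label, directory scheduled for deletion or None).

    'sfx_cleanup' - WExtract/IExpress RunOnce hook that deletes an IXP00n.TMP dir
    'autostart'   - any other Run/RunOnce value: a real persistence candidate
    'other'       - not an autostart key at all
    """
    k = ev.key.lower()
    if not (k.endswith(r'\currentversion\run') or k.endswith(r'\currentversion\runonce')):
        return 'other', None
    m = CLEANUP_RE.search(ev.value)
    if k.endswith('runonce') and ev.name.lower().startswith('wextract_cleanup') and m:
        return 'sfx_cleanup', m.group(1).rstrip('\\')
    return 'autostart', None


def drop_chain(events: List[RegEvent]) -> Tuple[List[str], Optional[str]]:
    """Order the SFX stages: each stage's process runs out of the directory the
    previous stage scheduled for cleanup. Returns (processes in order, directory
    of the final stage, which wrote no cleanup entry of its own)."""
    cleanup_for: Dict[str, str] = {}
    for ev in events:
        label, d = classify(ev)
        if label == 'sfx_cleanup' and d is not None:
            cleanup_for[ev.process] = d
    lives_in = {p: p.rpartition('\\')[0].lower() for p in cleanup_for}
    by_dir = {d: p for p, d in lives_in.items()}
    cleaned = {d.lower() for d in cleanup_for.values()}
    roots = [p for p, d in lives_in.items() if d not in cleaned]
    chain: List[str] = []
    cur: Optional[str] = roots[0] if roots else None
    while cur is not None and cur not in chain:   # guard against cycles
        chain.append(cur)
        cur = by_dir.get(cleanup_for[cur].lower())
    return chain, (cleanup_for[chain[-1]] if chain else None)


def analyse(rows):
    events = [parse_indicator(i, p) for i, p in rows]
    labels = [(e.name, classify(e)[0]) for e in events]
    chain, last_dir = drop_chain(events)
    return {'labels': labels, 'chain': chain, 'last_stage_dir': last_dir}


if __name__ == '__main__':
    result = analyse(SAMPLE_ROWS)
    for name, label in result['labels']:
        print('%-12s %s' % (label, name))
    print('drop chain:')
    for p in result['chain']:
        print('  ' + p)
    print('final stage directory:', result['last_stage_dir'])
```

On the report's rows this labels all five wextract_cleanup values as sfx_cleanup, the constructed Updater value as autostart, and recovers the chain from the top-level sample through i68651788.exe, i24870767.exe, i13175462.exe and i69943212.exe, ending in IXP004.TMP, the directory that holds a21074425.exe in the "Executes dropped EXE" table.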
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a21074425.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2cdc2cf65c0b76e97dc8706727c5ca17e3a12ecdb9d650a3e48f93db466b6929N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i68651788.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i24870767.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i13175462.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i69943212.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Path | Command line |
| C:\Users\Admin\AppData\Local\Temp\2cdc2cf65c0b76e97dc8706727c5ca17e3a12ecdb9d650a3e48f93db466b6929N.exe | "C:\Users\Admin\AppData\Local\Temp\2cdc2cf65c0b76e97dc8706727c5ca17e3a12ecdb9d650a3e48f93db466b6929N.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i68651788.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i68651788.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i24870767.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i24870767.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i13175462.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i13175462.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i69943212.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i69943212.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a21074425.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a21074425.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| RU | 185.161.248.73:4164 | | tcp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| RU | 185.161.248.73:4164 | | tcp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| RU | 185.161.248.73:4164 | | tcp |
| RU | 185.161.248.73:4164 | | tcp |
| RU | 185.161.248.73:4164 | | tcp |
Note: the in-addr.arpa rows are reverse (PTR) lookups sent to the 8.8.8.8 resolver, not connections to the addresses named in them. The only direct connection in the run is the repeated TCP session to 185.161.248.73:4164 with no domain, which is the network indicator to hunt for and block.
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i68651788.exe
| MD5 | 6936e10d16bb27e8ea995b10330e6d82 |
| SHA1 | 5b7ef7a2931ce1d3ff9a26dcd5c44d106259b668 |
| SHA256 | 064cc79ec77d2d83a5e6b32d5fcff5aec0fe57c647c5cea18fc8e17b33af3efd |
| SHA512 | 52ba8628ae0eabbd0324b760317e0c159f78d5b91dd426e4585874785fa3d14956fe893a1303af2cd6bc4d89dbfb8341b2070161dbf333b5e67e7bb369ad85e1 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i24870767.exe
| MD5 | 72b5c64d627c51afb31095c2ec34abb5 |
| SHA1 | 360a7218d4ae988efec1239a6f0fa426f99d416b |
| SHA256 | eb4f1dad91cec99b60666a250c1e33d433b0ecc7f8ed0e33cf2ce071afcae96b |
| SHA512 | 5d9ad6101b9ccdef20096a522d767d948e0ef760f57fd60d9f27b6ec42b51275c3943dfe97f92542289b6c4a77446073e866179c57cd9c5f684b2b5792a2f818 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i13175462.exe
| MD5 | 7b30aad55158f9b86b00477a9c02f37e |
| SHA1 | 11dbae8ad9dad171734e9f987d9ea88f176134b1 |
| SHA256 | f02a1f70b033a73aced257efb53ff063aa8323b02cd53c1f3123a6edec82da49 |
| SHA512 | f45d386cd44ba0aacd8021ae4b5b4d7a904df9ba53629bef56bac467dbcab07790c477b695323ee69d04f1cb1783e68425aec238bf2566b927f66154a5c2c397 |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i69943212.exe
| MD5 | 5cb5cd623e8f97a70524cea121b6741a |
| SHA1 | 233f805da864a96a2d8d79af518cdccaa09e2f98 |
| SHA256 | 5cd7000325031c7dc7364713184571f206be7d74df78d70903012238dc022fd6 |
| SHA512 | 013d114845fc4fe359599f09ac9e98c3982ef338591c69fb7150fdbc4ca3bd8b74703976a6ccd9b25a6d8c7f0ad66863354037129cd21cbb923941cb4784089c |
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a21074425.exe
| MD5 | d8aa03b25b1824599be2265db8293609 |
| SHA1 | dfea0dd07dafca78dc2a864cdfa7c6d635fef2d6 |
| SHA256 | 76907d36619ef4fad7ed836fe81855af0533aff5d3187430f557cc18910e258d |
| SHA512 | 236cb50cba2b23285881bf7429f587b479125d4a50cb56cf13b96ec384d17ded7988ff9a180b1455de649e276bea5457442e5ac030f8ad3e57fcf19aab16b8fc |
memory/4296-35-0x0000000000DE0000-0x0000000000E10000-memory.dmp
memory/4296-36-0x0000000005600000-0x0000000005606000-memory.dmp
memory/4296-37-0x0000000005D80000-0x0000000006398000-memory.dmp
memory/4296-38-0x0000000005870000-0x000000000597A000-memory.dmp
memory/4296-39-0x0000000005760000-0x0000000005772000-memory.dmp
memory/4296-40-0x00000000057C0000-0x00000000057FC000-memory.dmp
memory/4296-41-0x0000000005810000-0x000000000585C000-memory.dmp