Analysis Overview
SHA256
3775e7cd36ab4efe0ba40b94bdc489c81e7bd0b2beec70d8ec0b816c53d1160c
Threat Level: Known bad
The file 3775e7cd36ab4efe0ba40b94bdc489c81e7bd0b2beec70d8ec0b816c53d1160cN was found to be: Known bad.
Malicious Activity Summary
RedLine
RedLine payload
Redline family
Executes dropped EXE
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-09 11:07
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 11:07
Reported
2024-11-09 11:09
Platform
win10v2004-20241007-en
Max time kernel
106s
Max time network
114s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i10299687.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i72693967.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i52330224.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i68938859.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a40676473.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\3775e7cd36ab4efe0ba40b94bdc489c81e7bd0b2beec70d8ec0b816c53d1160cN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i10299687.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i72693967.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i52330224.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i68938859.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i10299687.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i72693967.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i52330224.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i68938859.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a40676473.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3775e7cd36ab4efe0ba40b94bdc489c81e7bd0b2beec70d8ec0b816c53d1160cN.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\3775e7cd36ab4efe0ba40b94bdc489c81e7bd0b2beec70d8ec0b816c53d1160cN.exe
"C:\Users\Admin\AppData\Local\Temp\3775e7cd36ab4efe0ba40b94bdc489c81e7bd0b2beec70d8ec0b816c53d1160cN.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i10299687.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i10299687.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i72693967.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i72693967.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i52330224.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i52330224.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i68938859.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i68938859.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a40676473.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a40676473.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.82.67.80.in-addr.arpa | udp |
| RU | 185.161.248.73:4164 | | tcp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| RU | 185.161.248.73:4164 | | tcp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| RU | 185.161.248.73:4164 | | tcp |
| US | 8.8.8.8:53 | 115.108.222.173.in-addr.arpa | udp |
| RU | 185.161.248.73:4164 | | tcp |
| US | 8.8.8.8:53 | 210.108.222.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| RU | 185.161.248.73:4164 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i10299687.exe
| MD5 | 96424ad0dbee1cbb7253980d6c1a6be7 |
| SHA1 | c0738d7f51a41623c704a154a9a9013304244d47 |
| SHA256 | 0d55df92f772a478e54daf19b714d03404a7ac3edcd5abbc88c7eadf3733bfd2 |
| SHA512 | 2a8d3aaa1f1fb9865dcb7fcff9eb26e756d7c698ff0100c984ed0cf4f4d99479e87bba1d1c38b25000681dbcb22417cbc63bc507c9622410b528a1d1bb6aef45 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i72693967.exe
| MD5 | 435c23635c3fdf9468818d370c448fb3 |
| SHA1 | b7d1c39b7adfa85103e0dcb7f81da101c3511790 |
| SHA256 | 7719f88e17528c67eceb623ff389cf6581d5f1052b7c3748988db0cdbb23dfdb |
| SHA512 | 9a5cd3122d9b8aa6eb14f24e73511c833c485af0681270e4ebc92f887882bd951434560b2131caa07718b7c496163e96673c91bd60b77a541f9f6403834f19ee |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i52330224.exe
| MD5 | df9bffbd5de29604cfcf05286f367cf3 |
| SHA1 | 2f2f7b628eb083068a9220f98779bfa7e423d03d |
| SHA256 | cf78e5d897eace16f314562aaaf28b46e9368ed435ea3f734baf0ccda3106a5a |
| SHA512 | 64a26f763c04ed685f33ff12596f06d63e2e07f8b99695eaf66810f8d27b421a927f2b89d12151412b4f2169d78c15a3b8c2e8dbc9db271e12bcb49947954906 |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i68938859.exe
| MD5 | b5665f55e1124c091a5f344f231bd10f |
| SHA1 | b733a68359599dacf7c43cf04708db767d3afdee |
| SHA256 | 8291e7676418fc56d50b263365968e98ccc7d18a5439017d8eaaa88d6741a4d8 |
| SHA512 | 146958f1c403c3c13e77a00a0494165e011e16cf2ba741d309ac3aabe36be7c454b9976dc02356d5652adcb55468d638180810b12bed019641d7c530c4034056 |
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a40676473.exe
| MD5 | 9e3d31f3302c87b6bbc03ffe3af5cb52 |
| SHA1 | 82df246e1fdf14e87d95d1772d0be46e391e2a57 |
| SHA256 | e3537994912e245abac3d6c0d6e0cf66632a2697b555d8dd6296a6af1205f596 |
| SHA512 | 40356f32bac252a36da2f4f0d1b7aaee97deebed36d94785b4ed180e5487a7d8b32dfb10c75f40f604dcabb12701c78bea0956c91e73ba8b05442c0e372a2995 |
memory/2804-35-0x0000000000D40000-0x0000000000D70000-memory.dmp
memory/2804-36-0x0000000003010000-0x0000000003016000-memory.dmp
memory/2804-37-0x0000000005D60000-0x0000000006378000-memory.dmp
memory/2804-38-0x0000000005850000-0x000000000595A000-memory.dmp
memory/2804-39-0x00000000055C0000-0x00000000055D2000-memory.dmp
memory/2804-40-0x0000000005740000-0x000000000577C000-memory.dmp
memory/2804-41-0x0000000005780000-0x00000000057CC000-memory.dmp