Analysis Overview
SHA256
da706d3d027ef63aaf24b70f5c2f8e8bb795a40baaa4a7ce692aed3a7a60169b
Threat Level: Known bad
The file da706d3d027ef63aaf24b70f5c2f8e8bb795a40baaa4a7ce692aed3a7a60169b was found to be: Known bad.
Malicious Activity Summary
Redline family
RedLine
RedLine payload
Executes dropped EXE
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-09 20:30
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 20:30
Reported
2024-11-09 20:32
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
157s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i13015130.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i89335978.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i71644065.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i89623002.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a70175154.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i89335978.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i71644065.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i89623002.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\da706d3d027ef63aaf24b70f5c2f8e8bb795a40baaa4a7ce692aed3a7a60169b.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i13015130.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i89623002.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a70175154.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\da706d3d027ef63aaf24b70f5c2f8e8bb795a40baaa4a7ce692aed3a7a60169b.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i13015130.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i89335978.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i71644065.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\da706d3d027ef63aaf24b70f5c2f8e8bb795a40baaa4a7ce692aed3a7a60169b.exe | "C:\Users\Admin\AppData\Local\Temp\da706d3d027ef63aaf24b70f5c2f8e8bb795a40baaa4a7ce692aed3a7a60169b.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i13015130.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i13015130.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i89335978.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i89335978.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i71644065.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i71644065.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i89623002.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i89623002.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a70175154.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a70175154.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| RU | 185.161.248.73:4164 | | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| RU | 185.161.248.73:4164 | | tcp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.209.201.84.in-addr.arpa | udp |
| RU | 185.161.248.73:4164 | | tcp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| RU | 185.161.248.73:4164 | | tcp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| RU | 185.161.248.73:4164 | | tcp |
| RU | 185.161.248.73:4164 | | tcp |
| US | 8.8.8.8:53 | | udp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i13015130.exe
| MD5 | d204859ccc2d8cd642a6a4ea6c931e38 |
| SHA1 | af57f700d7ba5ea5136a709caf69e17671f56445 |
| SHA256 | 08ca7369ce6e720df3fba908e915a1e42acdac678542ed32bf6149df9218dd58 |
| SHA512 | 265e4e199bf5975b1b0bcd155c70123c2864a55e421aa467b737f47305d9ebcc62bb7f6a35021725e03753619a0a612dd3bedfcc70bd08e2c8328435d7077c44 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i89335978.exe
| MD5 | 2fe3fcf52c956c689c47500ff7e415e1 |
| SHA1 | 220d98108f3de803c2a93816f7deb2541ebffd80 |
| SHA256 | 2e60b6c23fbb8f5e047217391abfad6f7f55f02fb13901718c36c02da71a3cc8 |
| SHA512 | cd8da39b030b0e78e5e51dd9fe7ce7222fae0a8867e4c3cd8f986cd3d8fca72ed278bbbc4e333192a3f9611c9225d32daeccc78e6fc41d0e0fa4a9bb3dea1e9e |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i71644065.exe
| MD5 | e458082da7cc4f5dd3579ea94b81c071 |
| SHA1 | 27d1eb84fd0e40e1929bc863916f3e729589ede9 |
| SHA256 | a5b8cb12a49febceb29ffe1c5c0cbc5649c90f379c53cd5ec6c7b2c2d66a1c32 |
| SHA512 | 1e36cdb30a8fa6950e1326d4052f873a9c7f1089a54ec3aa30c1a6faa2e437111efcbc63ce5ad4f62a1590c442425a4e7288cc79f9d5ff20cf2629ce1b349198 |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i89623002.exe
| MD5 | 69aeb4273a7286acb0d16733ef666fc3 |
| SHA1 | c2c82c3b557a2bf7d9efe4c8505d2b64ec57facd |
| SHA256 | 0055f0d686cb0886a5251a468fb710f26c2cb0bcb0d5ee9585a3f2451d25fe06 |
| SHA512 | fd8ea7f738e438bd44000b6a118e4737b9a5d3599496897685bc1e35376f89f708e99f79943a1dfd1f122279ac096737e67c673f9cf3d83a6778225657f7eecc |
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a70175154.exe
| MD5 | 5773a53d294a14d3ff6774e36b97aec1 |
| SHA1 | f14e74f98201241fc5bc112c46d22a38fc2b8d6e |
| SHA256 | b2a4b49950ddcb5ada42f12b5e3f669ea936dd8f2f056d83d71327b774d4e8c1 |
| SHA512 | 11f1d9e885bd8ae28ab8dfff97320d582f522d79c298cf31cc2d946f9543bfc78d88bee51cbdf31235f7105023bfdd75564611a4eabf64f1d10319d60b73d1b3 |
memory/220-35-0x0000000000A50000-0x0000000000A80000-memory.dmp
memory/220-36-0x0000000002BB0000-0x0000000002BB6000-memory.dmp
memory/220-37-0x0000000005B90000-0x00000000061A8000-memory.dmp
memory/220-38-0x0000000005680000-0x000000000578A000-memory.dmp
memory/220-39-0x0000000005400000-0x0000000005412000-memory.dmp
memory/220-40-0x0000000005570000-0x00000000055AC000-memory.dmp
memory/220-41-0x00000000055C0000-0x000000000560C000-memory.dmp