Analysis Overview
SHA256
620c76595b820e9a6237559717fe1f9d3fde247a7c1b6e5f1127c14df885a82c
Threat Level: Known bad
The file 620c76595b820e9a6237559717fe1f9d3fde247a7c1b6e5f1127c14df885a82c was found to be: Known bad.
Malicious Activity Summary
RedLine
RedLine payload
Redline family
Executes dropped EXE
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-09 19:46
Signatures
Unsigned PE
No indicator rows were recorded for this signature.
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 19:46
Reported
2024-11-09 19:49
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
151s
Command Line
Signatures
RedLine
RedLine payload
No indicator rows were recorded for this signature.
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i89324392.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i07777833.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i33379376.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i52230489.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a40413450.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\620c76595b820e9a6237559717fe1f9d3fde247a7c1b6e5f1127c14df885a82c.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i89324392.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i07777833.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i33379376.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i52230489.exe | N/A |
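Analyst note, added here together with example code that is not part of the sandbox report. The IXP000.TMP to IXP004.TMP directories and the RunOnce values named wextract_cleanupN are the standard footprint of the Windows IExpress self-extractor (wextract.exe): it unpacks into %TEMP%\IXP%03d.TMP and registers rundll32 advpack.dll,DelNodeRunDLL32 "<dir>" so that the directory is deleted at the next logon; the WOW6432Node path shows the writer was a 32-bit process on 64-bit Windows. Two points follow from the table. First, despite the signature name, this value does not start the malware: it is a cleanup task and is not by itself evidence of persistence. Second, each value was written by the executable dropped by the previous layer (the 620c... sample writes cleanup0 for IXP000.TMP, IXP000.TMP\i89324392.exe writes cleanup1 for IXP001.TMP, and so on), so the sample is five nested self-extracting packages whose innermost content is IXP004.TMP\a40413450.exe, the only dropped executable that never registers a cleanup value of its own. The Python below reconstructs that chain from the table rows; the nesting-depth threshold in is_nested_sfx is an assumption of the example, not something the report states.

```python
import re
from dataclasses import dataclass
from typing import Optional

# RunOnce rows copied from the table above as (value name, value data, setting process).
# The report shows value data with JSON-escaped backslashes; these are the literal strings.
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
RUNONCE_KEY = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce"
DELNODE = r"rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32"
RUNONCE_ROWS = [
    (RUNONCE_KEY + r"\wextract_cleanup0", DELNODE + f' "{TEMP}\\IXP000.TMP\\"',
     TEMP + r"\620c76595b820e9a6237559717fe1f9d3fde247a7c1b6e5f1127c14df885a82c.exe"),
    (RUNONCE_KEY + r"\wextract_cleanup1", DELNODE + f' "{TEMP}\\IXP001.TMP\\"',
     TEMP + r"\IXP000.TMP\i89324392.exe"),
    (RUNONCE_KEY + r"\wextract_cleanup2", DELNODE + f' "{TEMP}\\IXP002.TMP\\"',
     TEMP + r"\IXP001.TMP\i07777833.exe"),
    (RUNONCE_KEY + r"\wextract_cleanup3", DELNODE + f' "{TEMP}\\IXP003.TMP\\"',
     TEMP + r"\IXP002.TMP\i33379376.exe"),
    (RUNONCE_KEY + r"\wextract_cleanup4", DELNODE + f' "{TEMP}\\IXP004.TMP\\"',
     TEMP + r"\IXP003.TMP\i52230489.exe"),
]
# Executables from the "Executes dropped EXE" table above.
DROPPED_EXES = [
    TEMP + r"\IXP000.TMP\i89324392.exe",
    TEMP + r"\IXP001.TMP\i07777833.exe",
    TEMP + r"\IXP002.TMP\i33379376.exe",
    TEMP + r"\IXP003.TMP\i52230489.exe",
    TEMP + r"\IXP004.TMP\a40413450.exe",
]

# wextract names its cleanup values wextract_cleanup<N> and deletes the directory via advpack.dll.
CLEANUP_NAME = re.compile(r"\\RunOnce\\wextract_cleanup(?P<n>\d+)$", re.IGNORECASE)
DELNODE_CMD = re.compile(
    r'^rundll32(?:\.exe)?\s+\S*advpack\.dll,DelNodeRunDLL32\s+"(?P<dir>[^"]+?)\\?"$', re.IGNORECASE)


@dataclass
class CleanupEntry:
    layer: int        # N in wextract_cleanupN
    extract_dir: str  # IXP%03d.TMP directory scheduled for deletion at next logon
    setter: str       # process that wrote the value, i.e. this layer's self-extractor


def parse_cleanup(value_name: str, value_data: str, process: str) -> Optional[CleanupEntry]:
    """Recognise a wextract cleanup RunOnce value; return None for any other value."""
    name = CLEANUP_NAME.search(value_name)
    cmd = DELNODE_CMD.match(value_data)
    if not name or not cmd:
        return None
    return CleanupEntry(int(name["n"]), cmd["dir"], process)


def reconstruct_chain(rows):
    """Order cleanup entries by layer and check that each layer's setter was itself
    extracted into the previous layer's directory (nested self-extracting packages)."""
    entries = sorted((e for e in (parse_cleanup(*r) for r in rows) if e is not None),
                     key=lambda e: e.layer)
    chain, prev_dir = [], None
    for e in entries:
        if prev_dir is None:
            nested = True  # outermost layer: nothing to be nested in
        else:
            nested = e.setter.lower().startswith(prev_dir.lower() + "\\")
        chain.append({"layer": e.layer, "setter": e.setter,
                      "extracts_to": e.extract_dir, "nested_in_previous": nested})
        prev_dir = e.extract_dir
    return chain


def innermost_payloads(chain, dropped):
    """Dropped executables that never registered a cleanup value: they are not
    self-extractors, so they are the real content carried by the package."""
    setters = {c["setter"].lower() for c in chain}
    return [p for p in dropped if p.lower() not in setters]


def is_nested_sfx(chain, min_depth=2):
    """Heuristic (threshold is an assumption of this example): a legitimate IExpress
    installer is one layer; an unbroken chain of two or more is a packer pattern."""
    return len(chain) >= min_depth and all(c["nested_in_previous"] for c in chain)


if __name__ == "__main__":
    chain = reconstruct_chain(RUNONCE_ROWS)
    for c in chain:
        print(f"layer {c['layer']}: {c['setter']} -> {c['extracts_to']} nested={c['nested_in_previous']}")
    print("nested SFX chain:", is_nested_sfx(chain))
    print("innermost payload(s):", innermost_payloads(chain, DROPPED_EXES))
```

The same parse_cleanup check works against live RunOnce values exported from a host, where a wextract_cleanupN value whose setter is not a known installer is worth a closer look even before the dropped executables have been recovered.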
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\620c76595b820e9a6237559717fe1f9d3fde247a7c1b6e5f1127c14df885a82c.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i89324392.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i07777833.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i33379376.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i52230489.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a40413450.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\620c76595b820e9a6237559717fe1f9d3fde247a7c1b6e5f1127c14df885a82c.exe | "C:\Users\Admin\AppData\Local\Temp\620c76595b820e9a6237559717fe1f9d3fde247a7c1b6e5f1127c14df885a82c.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i89324392.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i89324392.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i07777833.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i07777833.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i33379376.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i33379376.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i52230489.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i52230489.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a40413450.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a40413450.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| RU | 185.161.248.73:4164 | | tcp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| RU | 185.161.248.73:4164 | | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| RU | 185.161.248.73:4164 | | tcp |
| RU | 185.161.248.73:4164 | | tcp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| RU | 185.161.248.73:4164 | | tcp |
| RU | 185.161.248.73:4164 | | tcp |
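Added example, not part of the sandbox report, on reading the Network table. The UDP traffic to 8.8.8.8:53 consists of PTR (reverse-lookup) queries, so each in-addr.arpa name can be decoded back to the IPv4 address that was being resolved; the only other traffic is six TCP connections to 185.161.248.73:4164, which is the endpoint to carry forward as the network indicator for this sample. The Python below decodes the PTR names, tallies the direct connections and emits a Suricata rule for every endpoint that meets a repeated-connection, non-web-port heuristic. The min_hits and web_ports thresholds and the rule sid are assumptions of the example.

```python
import ipaddress
from collections import Counter

# Rows copied from the Network table above as (country, destination, queried name, proto).
NETWORK_ROWS = [
    ("US", "8.8.8.8:53", "149.220.183.52.in-addr.arpa", "udp"),
    ("RU", "185.161.248.73:4164", "", "tcp"),
    ("US", "8.8.8.8:53", "74.32.126.40.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "95.221.229.192.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "133.211.185.52.in-addr.arpa", "udp"),
    ("RU", "185.161.248.73:4164", "", "tcp"),
    ("US", "8.8.8.8:53", "50.23.12.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "171.39.242.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "0.205.248.87.in-addr.arpa", "udp"),
    ("RU", "185.161.248.73:4164", "", "tcp"),
    ("RU", "185.161.248.73:4164", "", "tcp"),
    ("US", "8.8.8.8:53", "22.236.111.52.in-addr.arpa", "udp"),
    ("RU", "185.161.248.73:4164", "", "tcp"),
    ("RU", "185.161.248.73:4164", "", "tcp"),
]


def ptr_to_ip(qname):
    """Turn a reverse-lookup name d.c.b.a.in-addr.arpa back into a.b.c.d; None if it is not one."""
    name = qname.rstrip(".").lower()
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    if len(octets) != 4:
        return None  # partial zone names (fewer labels) are not a host lookup
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ValueError:
        return None


def split_traffic(rows, resolver_port=53):
    """Separate DNS queries (PTR names decoded to the address queried) from direct connections."""
    lookups = {}        # resolver IP -> list of decoded IPs (or raw names) queried
    direct = Counter()  # (ip, port, proto, country) -> number of connections
    for country, dest, name, proto in rows:
        ip, _, port = dest.rpartition(":")
        port = int(port)
        if proto == "udp" and port == resolver_port:
            lookups.setdefault(ip, []).append(ptr_to_ip(name) or name)
        else:
            direct[(ip, port, proto, country)] += 1
    return lookups, direct


def c2_candidates(direct, min_hits=2, web_ports=(80, 443)):
    """Endpoints contacted repeatedly over TCP on a non-web port.
    Thresholds are an assumption of this example, not a statement of the report."""
    return sorted(ep for ep, hits in direct.items()
                  if hits >= min_hits and ep[2] == "tcp" and ep[1] not in web_ports)


def suricata_rule(ep, sid):
    """One outbound-connection rule per flagged endpoint; sid is chosen by the analyst."""
    ip, port, proto, _country = ep
    return (f'alert {proto} $HOME_NET any -> {ip} {port} '
            f'(msg:"Outbound to endpoint contacted by RedLine sample 620c7659 ({ip}:{port})"; '
            f'flow:to_server,established; sid:{sid}; rev:1;)')


if __name__ == "__main__":
    lookups, direct = split_traffic(NETWORK_ROWS)
    for resolver, names in lookups.items():
        print(f"PTR lookups via {resolver}: {names}")
    for ep, hits in direct.items():
        print(f"direct {ep[2]} {ep[0]}:{ep[1]} ({ep[3]}) x{hits}")
    for i, ep in enumerate(c2_candidates(direct), start=9000001):  # sid range is an assumption
        print(suricata_rule(ep, i))
```

The decoded PTR targets tell you which hosts the guest was resolving names for; whether any of them belong to the sample or to the sandbox's own background traffic has to be settled against the process-level network events, which this report does not attribute per process.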
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i89324392.exe
| MD5 | 56f99dcf4769ad94475b2a3e385df7d6 |
| SHA1 | ed74096779e730c722936fb5d801eed8f5954690 |
| SHA256 | 22bfe184cfd7cdaa688996a4bd0f9905df5974f8593db8f4653b5cf067445647 |
| SHA512 | c260df906606a895f848a9edad464670eca5fcc903382dfb56171e830c20a5371804e7a1da8010ed1bb224c408263ed911df2ac2d9fb174784fa0b8fd3500e20 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i07777833.exe
| MD5 | 30b50206b81e64e42387a3978250a621 |
| SHA1 | 706973766bd1ac82df56582cf7373c863d9c5968 |
| SHA256 | ebc43d9668df22cdce448f429903b80039f814cca8819fcae555cb33c3e14c54 |
| SHA512 | 94e803afec1013ed773fb2f0c41dea46720c6c8398ed1d66ca7464634b17fa44ca9b662ef6a188a8a20d9f8e8ee90ae70514710ea17058aab0226440cbe60e1f |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i33379376.exe
| MD5 | 1ab762700633e3d5986313b195d2f943 |
| SHA1 | 8b072b0b0524d8550533d2197eed3ddc3a719556 |
| SHA256 | 3df7a12fe0e2395c6e1843ba0affbd3f1f0aaa6a73c86759eddfad9f6d66a851 |
| SHA512 | 154d80251596de6a4a20c40f8aa7a8c23a9533c96c156181b4dec937c1ca23e6cf12560f35554ce84598ac9db637bf11ff5efe4b757b83c0f5eda4b625d91177 |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i52230489.exe
| MD5 | 1b4f78619e0b825ec684b6ec596677b9 |
| SHA1 | 2165630b91acbf5b4cd054fcfee91f60741fc31a |
| SHA256 | cdcddd98edcfdf812d6d135766a2c5112626a0bc55e7074f15cfca59d86c725a |
| SHA512 | 5e9eb2a950549541555995ab5ddd284c50454103f74214cffb348268ebeac559d65129aff37ed2f2fddb686db1a9dd64ff3d44035260d05b0b89c2a1ae8f204d |
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a40413450.exe
| MD5 | 42c797dd79cf627f18bdafc02154aaac |
| SHA1 | 4bc76f54be567295d68d78bfcd766944b1229f49 |
| SHA256 | 922d50cb151fb9f0d087982b84bea6d9ef37879989d06146f3876222060950ee |
| SHA512 | c3328b4eae57991a4d9c3d08ecd92679758b9cb435669eeda5bfa25357acf13f8a04b085e9344b50f7df322ee1cba22b1768e128514d23a6dfc0a0f9afae411b |
memory/2872-35-0x0000000000510000-0x0000000000540000-memory.dmp
memory/2872-36-0x0000000004CF0000-0x0000000004CF6000-memory.dmp
memory/2872-37-0x0000000005490000-0x0000000005AA8000-memory.dmp
memory/2872-38-0x0000000004F80000-0x000000000508A000-memory.dmp
memory/2872-39-0x0000000004E90000-0x0000000004EA2000-memory.dmp
memory/2872-40-0x0000000004EF0000-0x0000000004F2C000-memory.dmp
memory/2872-41-0x0000000005090000-0x00000000050DC000-memory.dmp