Analysis Overview
SHA256
905ce9e975075c5fdfb7951fa41f2c8e56eb97e773a8fd269fceac85d03d371d
Threat Level: Known bad
The file 905ce9e975075c5fdfb7951fa41f2c8e56eb97e773a8fd269fceac85d03d371d was found to be: Known bad.
Malicious Activity Summary
RedLine
RedLine payload
Redline family
Executes dropped EXE
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-09 19:47
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 19:47
Reported
2024-11-09 19:49
Platform
win10v2004-20241007-en
Max time kernel
131s
Max time network
147s
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9572884.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8910133.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f1556528.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\905ce9e975075c5fdfb7951fa41f2c8e56eb97e773a8fd269fceac85d03d371d.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9572884.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8910133.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\905ce9e975075c5fdfb7951fa41f2c8e56eb97e773a8fd269fceac85d03d371d.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9572884.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8910133.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f1556528.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
|---|---|
| C:\Users\Admin\AppData\Local\Temp\905ce9e975075c5fdfb7951fa41f2c8e56eb97e773a8fd269fceac85d03d371d.exe | "C:\Users\Admin\AppData\Local\Temp\905ce9e975075c5fdfb7951fa41f2c8e56eb97e773a8fd269fceac85d03d371d.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9572884.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9572884.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8910133.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8910133.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f1556528.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f1556528.exe |
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| RU | 185.161.248.75:4132 | | tcp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| RU | 185.161.248.75:4132 | | tcp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.209.201.84.in-addr.arpa | udp |
| RU | 185.161.248.75:4132 | | tcp |
| RU | 185.161.248.75:4132 | | tcp |
| RU | 185.161.248.75:4132 | | tcp |
| RU | 185.161.248.75:4132 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9572884.exe
| Hash | Value |
|---|---|
| MD5 | 1f936525487ee3390a2f40543dd362a9 |
| SHA1 | 9bee10624dcb45e4ab975aeb334a447da6b5673e |
| SHA256 | 7df3ff2c961e5e492af90a7c100d981cd6c8ed5cd0f4714061e8826858e799aa |
| SHA512 | bcf627c4ca1bc7afededeaf8f73195e52935a9c336bbcfdcd194d1cc9b94aa87bcf11ebcd2414180822e98ea64e76401d97fa7da8b3c9df4146b23f118ceffb1 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8910133.exe
| Hash | Value |
|---|---|
| MD5 | 691b863b119613d2123e13d8a800bc49 |
| SHA1 | ab2c44f0fe8efff78f0ac1c72626ffee39b7a3e7 |
| SHA256 | 40a1996d7687379818189391391219f55125b7c46bae19345ed9a21bb17e4503 |
| SHA512 | 9069b2e3728b19164a7ff4de5a35661d9f72bbce873ed637d7fd76aa593fd3b228abf33684a74c281e36c166eee481e9cd609ba996cb020af5ee273431adc657 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f1556528.exe
| Hash | Value |
|---|---|
| MD5 | f64f648b9ef280bbee7159a5f4f70182 |
| SHA1 | b7a292a9eaaf559ab327606301cdcff3e3235a42 |
| SHA256 | 381c68a6d8555975dd16ed9d48b3fbccba8c0a84dac6b00d9ad28a9143843130 |
| SHA512 | 746dc58b87c8d183de27cf9a37bf478982e4b3b6f3b268d459bd1ee5d3a985fc79f30e46a328ebc22b62f52ccad22ffc0bcdef68b9e592c24b2ea3ef57f0c445 |