Analysis Overview
SHA256
38b2f087885ad02ba55a3635b06fbc8d7368a997f63ec10d96ea3e1c01481923
Threat Level: Known bad
The file 38b2f087885ad02ba55a3635b06fbc8d7368a997f63ec10d96ea3e1c01481923 was found to be: Known bad.
Malicious Activity Summary
RedLine
RedLine payload
Redline family
Executes dropped EXE
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-09 21:17
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 21:17
Reported
2024-11-09 21:20
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
149s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i19703148.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i55206354.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a17825952.exe | N/A |
Adds Run key to start application
The three values below are RunOnce\wextract_cleanupN entries, which the IExpress/wextract self-extractor writes so that its extraction directory is deleted by advpack.dll DelNodeRunDLL32 at the next logon. They are a wrapper artefact rather than the stealer's own persistence; what they establish is that the sample is three nested IExpress-style SFX layers (IXP000.TMP, then IXP001.TMP, then IXP002.TMP), each cleanup value written by the executable dropped by the previous layer, with a17825952.exe as the last dropped EXE.
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\38b2f087885ad02ba55a3635b06fbc8d7368a997f63ec10d96ea3e1c01481923.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i19703148.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i55206354.exe | N/A |
System Location Discovery: System Language Discovery
All four processes in the chain, the SFX wrappers included, open the NLS\Language key, so this read is weak evidence on its own; it is listed because a locale check is a common stealer pre-condition.
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\38b2f087885ad02ba55a3635b06fbc8d7368a997f63ec10d96ea3e1c01481923.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i19703148.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i55206354.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a17825952.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\38b2f087885ad02ba55a3635b06fbc8d7368a997f63ec10d96ea3e1c01481923.exe | "C:\Users\Admin\AppData\Local\Temp\38b2f087885ad02ba55a3635b06fbc8d7368a997f63ec10d96ea3e1c01481923.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i19703148.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i19703148.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i55206354.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i55206354.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a17825952.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a17825952.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| RU | 185.161.248.73:4164 | | tcp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| RU | 185.161.248.73:4164 | | tcp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.117.19.2.in-addr.arpa | udp |
| RU | 185.161.248.73:4164 | | tcp |
| RU | 185.161.248.73:4164 | | tcp |
| RU | 185.161.248.73:4164 | | tcp |
| RU | 185.161.248.73:4164 | | tcp |
| US | 8.8.8.8:53 | | udp |
The repeated TCP connections to 185.161.248.73:4164 are the only non-DNS traffic and are the C2 indicator to take from this run; RedLine talks to its panel over a direct TCP connection to an IP:port rather than over HTTP, which is what this pattern looks like. The DNS rows are reverse (PTR) lookups of addresses in Microsoft and Akamai ranges, most likely background Windows traffic on the sandbox rather than activity of the sample, so they should not be treated as indicators.
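The following is an added example and not part of the sandbox report: a small detector that turns the behaviours listed above (the wextract_cleanup RunOnce values, the nested IXP###.TMP execution chain, and the C2 endpoint) into checks over constructed, Sysmon-style event records. The record layout, field names, PIDs and the sample events are assumptions of this example; only the file paths, registry values and the 185.161.248.73:4164 endpoint are taken from the report.

```python
"""Added example (not from the sandbox report): detection checks for the
IExpress SFX chain and C2 endpoint described in the report, run over
constructed Sysmon-style event dicts. Event layout and PIDs are assumptions."""
import re
from dataclasses import dataclass

# RunOnce value that IExpress/wextract self-extractors write so that their
# extraction directory is deleted at next logon (a wrapper artefact, not the
# stealer's own persistence).
WEXTRACT_CLEANUP_RE = re.compile(r"\\CurrentVersion\\RunOnce\\wextract_cleanup\d+$", re.I)
DELNODE_RE = re.compile(r"advpack\.dll,DelNodeRunDLL32", re.I)
# Extraction directory naming used by IExpress: ...\Temp\IXP000.TMP\
IXP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\IXP\d{3}\.TMP\\", re.I)
# The only non-DNS destination in the report's Network table.
C2_ENDPOINTS = {("185.161.248.73", 4164)}


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    detail: str


def wextract_cleanup_keys(events):
    """RunOnce\\wextract_cleanupN = rundll32 advpack.dll,DelNodeRunDLL32 "<IXP dir>"."""
    out = []
    for e in events:
        if e["type"] != "registry_set" or not WEXTRACT_CLEANUP_RE.search(e["key"]):
            continue
        if DELNODE_RE.search(e["data"]):
            name = e["key"].rsplit("\\", 1)[1]
            out.append(Finding("iexpress_cleanup_runonce", e["pid"], f"{name}: {e['data']}"))
    return out


def iexpress_depth(procs, pid):
    """Number of consecutive ancestors (pid included) running from an IXP###.TMP dir."""
    depth = 0
    while pid in procs and IXP_DIR_RE.search(procs[pid]["image"]):
        depth += 1
        pid = procs[pid]["ppid"]
    return depth


def nested_iexpress_chain(events, min_depth=2):
    """Flag a dropped EXE that was itself dropped by an IExpress layer: the
    SFX-inside-SFX packaging this sample uses (three layers before the payload)."""
    procs = {e["pid"]: e for e in events if e["type"] == "process_create"}
    out = []
    for pid, p in procs.items():
        d = iexpress_depth(procs, pid)
        if d >= min_depth:
            out.append(Finding("nested_iexpress_chain", pid, f"depth={d} {p['image']}"))
    return out


def c2_connections(events):
    out = []
    for e in events:
        if e["type"] == "net_connect" and (e["dst_ip"], e["dst_port"]) in C2_ENDPOINTS:
            out.append(Finding("redline_c2_endpoint", e["pid"], f"{e['dst_ip']}:{e['dst_port']}"))
    return out


def analyse(events):
    return wextract_cleanup_keys(events) + nested_iexpress_chain(events) + c2_connections(events)


# Constructed sample events modelled on the report's process and registry tables.
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
RUNONCE = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce"


def _cleanup_value(ixp):
    return 'rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 "' + TEMP + "\\" + ixp + '\\"'


SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 1000, "ppid": 600,
     "image": TEMP + r"\38b2f087885ad02ba55a3635b06fbc8d7368a997f63ec10d96ea3e1c01481923.exe"},
    {"type": "registry_set", "pid": 1000, "key": RUNONCE + r"\wextract_cleanup0", "data": _cleanup_value("IXP000.TMP")},
    {"type": "process_create", "pid": 1001, "ppid": 1000, "image": TEMP + r"\IXP000.TMP\i19703148.exe"},
    {"type": "registry_set", "pid": 1001, "key": RUNONCE + r"\wextract_cleanup1", "data": _cleanup_value("IXP001.TMP")},
    {"type": "process_create", "pid": 1002, "ppid": 1001, "image": TEMP + r"\IXP001.TMP\i55206354.exe"},
    {"type": "registry_set", "pid": 1002, "key": RUNONCE + r"\wextract_cleanup2", "data": _cleanup_value("IXP002.TMP")},
    {"type": "process_create", "pid": 1003, "ppid": 1002, "image": TEMP + r"\IXP002.TMP\a17825952.exe"},
    {"type": "net_connect", "pid": 1003, "dst_ip": "185.161.248.73", "dst_port": 4164},
    # Benign noise that must not fire: an ordinary Run value and the sandbox's DNS traffic.
    {"type": "registry_set", "pid": 700, "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "data": r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
    {"type": "net_connect", "pid": 1003, "dst_ip": "8.8.8.8", "dst_port": 53},
]

if __name__ == "__main__":
    for f in analyse(SAMPLE_EVENTS):
        print(f"{f.rule:26} pid={f.pid} {f.detail}")
```

Run against the constructed events the script reports the three cleanup values, the two processes that sit two and three IExpress layers deep (i55206354.exe and a17825952.exe), and the single C2 connection; the OneDrive Run value and the DNS connection do not fire. A single wextract_cleanup value is common in legitimate IExpress installers, so in a production rule the nesting depth and the C2 hit carry the weight, and the RunOnce value is context.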
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i19703148.exe
| MD5 | 282f2a5eb18dce9ba508f0bb62e53d8c |
| SHA1 | 5ce9da3d71af2b74c49447de61e26d951b43720d |
| SHA256 | 8044726d78b8d4acaa7fd0dd819472076c2f605d81f8502a5747b6d08174790f |
| SHA512 | 83bdc61b2cde4701a25e27f656549d782ae28b085e1801833a5a373f3f5d85b0d3f4dce732114960d4e2d6a4e15e964946edabbc765bc72f0703385e0c11e804 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i55206354.exe
| MD5 | 5549989438ee6c704a23a7a637178750 |
| SHA1 | f1efbe87eed0cd040541491811c8a6142ef9e4ec |
| SHA256 | c62c223e1d2cae23de64ebf545fc091c7fac3b1bb4aae9473645dc566f379812 |
| SHA512 | f1eabc7457b0773b22d745c401db2b67d4430590433778896b5bbcbcc7c4b08d174e7599a25585f710b1aafd68a00a4756ff604e16d6af4644c135725b06a2e9 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a17825952.exe
| MD5 | 3835fb0e49c8bd776b55f96534aa9bb9 |
| SHA1 | 63118ed0b06d166440837cebacf528dc9c325816 |
| SHA256 | 302cb0e099bb50eedf0cad27654917c7311a4662e52888f54116ca2ce008f579 |
| SHA512 | da4411146bf120646348a5ca965ecea68f2ecc2cc5bcb67a61919e88e22bc1bdb2d761a6e06104e0e345d7100eb5c4c0d1641d292c7c21df59f083df5b7a359b |
All seven memory dumps below come from PID 4284; the report does not say which of the four processes that PID belongs to, so the dumps should be tied to a process from the sandbox's process tree before the unpacked payload is attributed to a specific dropper stage.
memory/4284-21-0x0000000000740000-0x0000000000770000-memory.dmp
memory/4284-22-0x0000000004F60000-0x0000000004F66000-memory.dmp
memory/4284-23-0x00000000056E0000-0x0000000005CF8000-memory.dmp
memory/4284-24-0x00000000051D0000-0x00000000052DA000-memory.dmp
memory/4284-25-0x00000000050C0000-0x00000000050D2000-memory.dmp
memory/4284-26-0x0000000005120000-0x000000000515C000-memory.dmp
memory/4284-27-0x0000000005170000-0x00000000051BC000-memory.dmp