Analysis Overview
SHA256
1f3bc673c477297af0b2363af1662f68c8dc9923b2e2876a9a9729bf27a32016
Threat Level: Known bad
The file 1f3bc673c477297af0b2363af1662f68c8dc9923b2e2876a9a9729bf27a32016 was found to be: Known bad.
Malicious Activity Summary
RedLine
RedLine payload
Redline family
Executes dropped EXE
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-09 20:55
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 20:55
Reported
2024-11-09 20:58
Platform
win10v2004-20241007-en
Max time kernel
132s
Max time network
148s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0808175.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4649219.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f3031760.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\1f3bc673c477297af0b2363af1662f68c8dc9923b2e2876a9a9729bf27a32016.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0808175.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4649219.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4649219.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f3031760.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1f3bc673c477297af0b2363af1662f68c8dc9923b2e2876a9a9729bf27a32016.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0808175.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\1f3bc673c477297af0b2363af1662f68c8dc9923b2e2876a9a9729bf27a32016.exe
"C:\Users\Admin\AppData\Local\Temp\1f3bc673c477297af0b2363af1662f68c8dc9923b2e2876a9a9729bf27a32016.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0808175.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0808175.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4649219.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4649219.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f3031760.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f3031760.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| RU | 185.161.248.75:4132 | | tcp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| RU | 185.161.248.75:4132 | | tcp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp |
| RU | 185.161.248.75:4132 | | tcp |
| US | 8.8.8.8:53 | 75.209.201.84.in-addr.arpa | udp |
| RU | 185.161.248.75:4132 | | tcp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| RU | 185.161.248.75:4132 | | tcp |
| RU | 185.161.248.75:4132 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0808175.exe
| MD5 | da50fde284558cbe419670c53aa60f8c |
| SHA1 | 6da56df05c9df1e23fa8719065ab892686c6479c |
| SHA256 | d6d3e0992009881476610222f4ba7656745c83ebdaf40d3f7b5ee17e72d2cd7b |
| SHA512 | b850e054457b7c04041336aaf34ecd369984d3f8fccb76f0a615c6d39567f3ffcfef16d94ba0f8c7f11be29f2d06611688cc40aa6ee58c310ab67fe1b69f5098 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4649219.exe
| MD5 | d75a68e15a7eedab42754de0502c7619 |
| SHA1 | ad9e8bf0251500696926ca836585b8567f48c29e |
| SHA256 | 03c4a6ac507b203cd3a509c0eb36cd281153d8fd22472f94e9db7995ca8c31ad |
| SHA512 | 7ee1d57961d3f805cc2f32633511e35e725ea75b4c4175a96bbfb085dc7bc1857846744705f0db361a9d073d0dd7544e41d571b86885893a0adb8210e0100127 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f3031760.exe
| MD5 | 21921b55690c5c16247fe806df039732 |
| SHA1 | 3c8a00d69d7f460413cbaf99156893481fc66329 |
| SHA256 | 910ece74bdb35bc0f4a0ab2b1716b1d3ffa42192b0cab65d8e5c5e7a102f0bb0 |
| SHA512 | 86f560f879791688888b28072ffd7ddb59d78808c26e6b2b6473f3c122801597c43d78e3aeca89daff8c1e7d067559f5a8ecaddc7b903a73cd7ce912400c8f1a |
memory/1960-21-0x0000000000160000-0x000000000018E000-memory.dmp
memory/1960-22-0x0000000006E10000-0x0000000006E16000-memory.dmp
memory/1960-23-0x000000000A590000-0x000000000ABA8000-memory.dmp
memory/1960-24-0x000000000A110000-0x000000000A21A000-memory.dmp
memory/1960-25-0x000000000A040000-0x000000000A052000-memory.dmp
memory/1960-26-0x000000000A0A0000-0x000000000A0DC000-memory.dmp
memory/1960-27-0x0000000004460000-0x00000000044AC000-memory.dmp