Analysis Overview
SHA256
457b786aba33f4350498c9a8644a5764f7ec1e6adc79a5182c61180dc3f21d6f
Threat Level: Known bad
The file 457b786aba33f4350498c9a8644a5764f7ec1e6adc79a5182c61180dc3f21d6f was found to be: Known bad.
Malicious Activity Summary
RedLine payload
Redline family
RedLine
Executes dropped EXE
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-10 21:40
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-10 21:40
Reported
2024-11-10 21:43
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
150s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vxb95.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vAx09.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dAg06.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\457b786aba33f4350498c9a8644a5764f7ec1e6adc79a5182c61180dc3f21d6f.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vxb95.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vAx09.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vAx09.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dAg06.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\457b786aba33f4350498c9a8644a5764f7ec1e6adc79a5182c61180dc3f21d6f.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vxb95.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dAg06.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\457b786aba33f4350498c9a8644a5764f7ec1e6adc79a5182c61180dc3f21d6f.exe
"C:\Users\Admin\AppData\Local\Temp\457b786aba33f4350498c9a8644a5764f7ec1e6adc79a5182c61180dc3f21d6f.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vxb95.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vxb95.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vAx09.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vAx09.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dAg06.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dAg06.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| RU | 193.233.20.13:4136 | | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| RU | 193.233.20.13:4136 | | tcp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| RU | 193.233.20.13:4136 | | tcp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| RU | 193.233.20.13:4136 | | tcp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| RU | 193.233.20.13:4136 | | tcp |
| RU | 193.233.20.13:4136 | | tcp |
| US | 8.8.8.8:53 | | udp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vxb95.exe
| MD5 | b114060a6ddc413737ad19a2f49a282b |
| SHA1 | 63d4a34062e0954338682998ea55d52044b68880 |
| SHA256 | d9537c10109cec72ea01fc5ebad52f80d100b0774f63bc409a16085a04fc64ac |
| SHA512 | c3653a50c252fc0d88babf26936b8d7fa91d5feef5d3364fbc0251ccbeb0358f9c9c0053de4b069143c5a626b48ad85473213ee7aae942af8f9d654061d2faa8 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vAx09.exe
| MD5 | 0e498d9d822eb4e5d018dc5357819e17 |
| SHA1 | 511a949f31f6368ebd5ad89d91098cd22cbfbaa4 |
| SHA256 | a45432d2e400de589b7f9005b3168f48bd8d3230fa0221346baa270e3fc92bd0 |
| SHA512 | 448274db0a672203c09255295ffc7d28df9914a626317737d85a747902acf7bf3c9f5fee4c0c9aaeb86124bdc6a9dca169d6d1101825c1a8b60bda922bfed55e |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dAg06.exe
| MD5 | fb82c4087f33ef1500be09b2c64edd7e |
| SHA1 | f3bc3a8bc794198f45c88e4e7f209301a7319247 |
| SHA256 | a49071caacb938f2602eab78925d1cb38ce8fe180d3db37a91a58b49c912f265 |
| SHA512 | f0692f8a1c5c835c600ea33bfaa38246970db8ec2c82b49bdcdbf57423c7e220aa48e8f03c107fbc69b4826e4a7f8723e614f7cfa0642f9231677c9a20065184 |
memory/1668-22-0x0000000002650000-0x0000000002696000-memory.dmp
memory/1668-23-0x0000000004D70000-0x0000000005314000-memory.dmp
memory/1668-24-0x0000000005320000-0x0000000005364000-memory.dmp
memory/1668-42-0x0000000005320000-0x000000000535E000-memory.dmp
memory/1668-44-0x0000000005320000-0x000000000535E000-memory.dmp
memory/1668-88-0x0000000005320000-0x000000000535E000-memory.dmp
memory/1668-87-0x0000000005320000-0x000000000535E000-memory.dmp
memory/1668-84-0x0000000005320000-0x000000000535E000-memory.dmp
memory/1668-82-0x0000000005320000-0x000000000535E000-memory.dmp
memory/1668-80-0x0000000005320000-0x000000000535E000-memory.dmp
memory/1668-78-0x0000000005320000-0x000000000535E000-memory.dmp
memory/1668-76-0x0000000005320000-0x000000000535E000-memory.dmp
memory/1668-74-0x0000000005320000-0x000000000535E000-memory.dmp
memory/1668-72-0x0000000005320000-0x000000000535E000-memory.dmp
memory/1668-70-0x0000000005320000-0x000000000535E000-memory.dmp
memory/1668-66-0x0000000005320000-0x000000000535E000-memory.dmp
memory/1668-64-0x0000000005320000-0x000000000535E000-memory.dmp
memory/1668-60-0x0000000005320000-0x000000000535E000-memory.dmp
memory/1668-58-0x0000000005320000-0x000000000535E000-memory.dmp
memory/1668-54-0x0000000005320000-0x000000000535E000-memory.dmp
memory/1668-52-0x0000000005320000-0x000000000535E000-memory.dmp
memory/1668-50-0x0000000005320000-0x000000000535E000-memory.dmp
memory/1668-48-0x0000000005320000-0x000000000535E000-memory.dmp
memory/1668-46-0x0000000005320000-0x000000000535E000-memory.dmp
memory/1668-40-0x0000000005320000-0x000000000535E000-memory.dmp
memory/1668-38-0x0000000005320000-0x000000000535E000-memory.dmp
memory/1668-36-0x0000000005320000-0x000000000535E000-memory.dmp
memory/1668-32-0x0000000005320000-0x000000000535E000-memory.dmp
memory/1668-30-0x0000000005320000-0x000000000535E000-memory.dmp
memory/1668-68-0x0000000005320000-0x000000000535E000-memory.dmp
memory/1668-62-0x0000000005320000-0x000000000535E000-memory.dmp
memory/1668-56-0x0000000005320000-0x000000000535E000-memory.dmp
memory/1668-34-0x0000000005320000-0x000000000535E000-memory.dmp
memory/1668-28-0x0000000005320000-0x000000000535E000-memory.dmp
memory/1668-26-0x0000000005320000-0x000000000535E000-memory.dmp
memory/1668-25-0x0000000005320000-0x000000000535E000-memory.dmp
memory/1668-931-0x00000000053A0000-0x00000000059B8000-memory.dmp
memory/1668-932-0x0000000005A40000-0x0000000005B4A000-memory.dmp
memory/1668-933-0x0000000005B80000-0x0000000005B92000-memory.dmp
memory/1668-934-0x0000000005BA0000-0x0000000005BDC000-memory.dmp
memory/1668-935-0x0000000005CF0000-0x0000000005D3C000-memory.dmp