Analysis Overview
SHA256
d1a29ffa42b1cfeb8daf43256f8ebe7b3bb9db99c724a5ea3ec54d932e8217e0
Threat Level: Known bad
The file d1a29ffa42b1cfeb8daf43256f8ebe7b3bb9db99c724a5ea3ec54d932e8217e0 was found to be: Known bad.
Malicious Activity Summary
RedLine
RedLine payload
Redline family
Executes dropped EXE
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-10 23:41
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-10 23:41
Reported
2024-11-10 23:43
Platform
win10v2004-20241007-en
Max time kernel
132s
Max time network
148s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\svu97Xv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\srw38gb.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kLg82Bb.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\d1a29ffa42b1cfeb8daf43256f8ebe7b3bb9db99c724a5ea3ec54d932e8217e0.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\svu97Xv.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\srw38gb.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\d1a29ffa42b1cfeb8daf43256f8ebe7b3bb9db99c724a5ea3ec54d932e8217e0.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\svu97Xv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\srw38gb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kLg82Bb.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\d1a29ffa42b1cfeb8daf43256f8ebe7b3bb9db99c724a5ea3ec54d932e8217e0.exe
"C:\Users\Admin\AppData\Local\Temp\d1a29ffa42b1cfeb8daf43256f8ebe7b3bb9db99c724a5ea3ec54d932e8217e0.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\svu97Xv.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\svu97Xv.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\srw38gb.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\srw38gb.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kLg82Bb.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kLg82Bb.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| RU | 193.233.20.12:4132 | | tcp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| RU | 193.233.20.12:4132 | | tcp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| RU | 193.233.20.12:4132 | | tcp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| RU | 193.233.20.12:4132 | | tcp |
| RU | 193.233.20.12:4132 | | tcp |
| RU | 193.233.20.12:4132 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\svu97Xv.exe
| MD5 | b14b196a5a21d9092001bab061ab946c |
| SHA1 | 8b5af6bdf9d71df296ef11ba74178c898aa71fbb |
| SHA256 | d5c3609359b8e1c81b79af15606e7bd801e007e7977d2d71c8ba7bf82119184f |
| SHA512 | 8a383ba3e708bc8f50e4d0afb174dd7ee78b6a4d7c762645421d93f1acbc3786b73d2384dbe9b428f51365752245371f7fc718b6e1083f2f79c102a4d6e260ec |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\srw38gb.exe
| MD5 | f24e88085fe326147ac61e8ead2cfa04 |
| SHA1 | aad4fee9bf3ff5fe6341cacc8bdf0fb20123a51a |
| SHA256 | 17a023086139b6b916f5785ce997b44ea161c25d1fc8c8d79e7777c450c86a15 |
| SHA512 | 52acdb1b551e419fc3ee29b5ee1b593181c2d7842dde4fb92dcc8f2c630c1685a5059ddc965356487897a45af91acbcd7c81f2d550439a34cd2aeb9929784e2f |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kLg82Bb.exe
| MD5 | da6f3bef8abc85bd09f50783059964e3 |
| SHA1 | a0f25f60ec1896c4c920ea397f40e6ce29724322 |
| SHA256 | e6d9ee8ab0ea2ade6e5a9481d8f0f921427ec6919b1b48c6067570fde270736b |
| SHA512 | 4d2e1472b114c98c74900b8305aabbc49ba28edffdc2376206cf02e26593df4e444933b3aa19f0c6cd0ae3ac3133d656433574aaf25a57748758e5dd25edfbec |
memory/3404-21-0x00000000007A0000-0x00000000007D2000-memory.dmp
memory/3404-22-0x0000000005720000-0x0000000005D38000-memory.dmp
memory/3404-23-0x0000000005280000-0x000000000538A000-memory.dmp
memory/3404-24-0x00000000051B0000-0x00000000051C2000-memory.dmp
memory/3404-25-0x0000000005220000-0x000000000525C000-memory.dmp
memory/3404-26-0x0000000005390000-0x00000000053DC000-memory.dmp