Analysis Overview
SHA256
934b82c55abe4a5f23c336200bd21b695b718df5d5ad501e7e167acec93607f1
Threat Level: Known bad
The file 934b82c55abe4a5f23c336200bd21b695b718df5d5ad501e7e167acec93607f1 was found to be: Known bad.
Malicious Activity Summary
RedLine
Redline family
RedLine payload
Executes dropped EXE
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-10 01:13
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-10 01:12
Reported
2024-11-10 01:15
Platform
win10v2004-20241007-en
Max time kernel
141s
Max time network
143s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vnk76.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vEh06.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\duW94.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\934b82c55abe4a5f23c336200bd21b695b718df5d5ad501e7e167acec93607f1.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vnk76.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vEh06.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vnk76.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vEh06.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\duW94.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\934b82c55abe4a5f23c336200bd21b695b718df5d5ad501e7e167acec93607f1.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\duW94.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\934b82c55abe4a5f23c336200bd21b695b718df5d5ad501e7e167acec93607f1.exe
"C:\Users\Admin\AppData\Local\Temp\934b82c55abe4a5f23c336200bd21b695b718df5d5ad501e7e167acec93607f1.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vnk76.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vnk76.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vEh06.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vEh06.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\duW94.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\duW94.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| RU | 193.233.20.12:4132 | | tcp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| RU | 193.233.20.12:4132 | | tcp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.117.19.2.in-addr.arpa | udp |
| RU | 193.233.20.12:4132 | | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| RU | 193.233.20.12:4132 | | tcp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| RU | 193.233.20.12:4132 | | tcp |
| RU | 193.233.20.12:4132 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vnk76.exe
| MD5 | 7daeacaf039d31faf12df639e1c988df |
| SHA1 | b5d6576dafee6f860760c2154a95bc1e789524c3 |
| SHA256 | 60f8cf69f8e1d28a45c3073477b0ac4ed90719d972eb18704eaf1d4fb952ed64 |
| SHA512 | 0fe286e3d29db95734d7e8c3db692285637f44de0b899af0737d42a8435c9a097e88d3cdf3d817f5416e180ccf8f99677d01cff9fc74b148ec74d901e0d6a59c |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vEh06.exe
| MD5 | 666c0311502a1e366cbd6fa346ef7d70 |
| SHA1 | 90d49fff94e3fe2a00141d3b125d817c89b76601 |
| SHA256 | 19b36b0f715e7a191aaaa832232c01393f6b7bbc48d35bece1ad6b2e3dc95d43 |
| SHA512 | 8252737c17c3bf8c53b891506e09ca68232d39b4f70b3ce2b9bd88929915e889a5aac5d61916e956e7bf9782161f4550aa43c606791bc066a31edd91d2d0ef76 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\duW94.exe
| MD5 | c76b024698fbf2e549cbc0515872a7b4 |
| SHA1 | 6dd18e417c892a26a1b9eca8b4a07421e743f052 |
| SHA256 | c0171f0d598f860d522908c1247e21d1325ec3d14cfda22e181d642fe1d29c20 |
| SHA512 | 48b8cd24779f46abd1769ac6453f4b22782b0ec34841b89e15f32e130d6b4d29eb5999f00afb9fdfc927fbc02f0ec0607c933163ff1794beba58fe3db5e3e19c |