Analysis Overview
SHA256
31dc5d430142753e62e9f68764710536ea215acdf481daf94bd39a31fdc130d3
Threat Level: Known bad
The file 31dc5d430142753e62e9f68764710536ea215acdf481daf94bd39a31fdc130d3 was found to be: Known bad.
Malicious Activity Summary
RedLine
RedLine payload
Redline family
Executes dropped EXE
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-10 01:14
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-10 01:14
Reported
2024-11-10 01:17
Platform
win10v2004-20241007-en
Max time kernel
132s
Max time network
148s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i01790874.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i44804119.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i07970134.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i41843636.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a97214348.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\31dc5d430142753e62e9f68764710536ea215acdf481daf94bd39a31fdc130d3.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i01790874.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i44804119.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i07970134.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i41843636.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\31dc5d430142753e62e9f68764710536ea215acdf481daf94bd39a31fdc130d3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i01790874.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i44804119.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i07970134.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i41843636.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a97214348.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\31dc5d430142753e62e9f68764710536ea215acdf481daf94bd39a31fdc130d3.exe
"C:\Users\Admin\AppData\Local\Temp\31dc5d430142753e62e9f68764710536ea215acdf481daf94bd39a31fdc130d3.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i01790874.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i01790874.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i44804119.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i44804119.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i07970134.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i07970134.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i41843636.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i41843636.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a97214348.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a97214348.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| RU | 185.161.248.73:4164 | N/A | tcp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| RU | 185.161.248.73:4164 | N/A | tcp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.209.201.84.in-addr.arpa | udp |
| RU | 185.161.248.73:4164 | N/A | tcp |
| RU | 185.161.248.73:4164 | N/A | tcp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| RU | 185.161.248.73:4164 | N/A | tcp |
| RU | 185.161.248.73:4164 | N/A | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i01790874.exe
| MD5 | c1dbe2e17b308e340eb97be0acd63e31 |
| SHA1 | 27fff37d305225b6f223a159539fdb0b07683fd6 |
| SHA256 | facc9886e9da60292840029fe64a63316f641150b34087c6dab789986f39be11 |
| SHA512 | 4b282f1752dd53a993a31c4f89fcb0013e82a60dca82240710d7559dccec22f2de229352fd96b3e6740ba7bc3c99c5440813e785442fd125ee17584d61b35c67 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i44804119.exe
| MD5 | 9f720c820cbde535803ac8a97ec198e7 |
| SHA1 | 788dea0d1242930186b177097e13a6ccb0964561 |
| SHA256 | f5e393b8586d4a379cb1735d76b095f9097fe736f4f1b767c57d76544cec7c02 |
| SHA512 | 7b9d81f6a986e2c1414a5a284dc3a2d31a6402cc8b54fc30608f394966a9c4fcd77626b3c737512f74ef881c97df189e349bfcfe42d9cfe506178e053968fa55 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i07970134.exe
| MD5 | d89e9d86295c132759c0f2ed8e6a0669 |
| SHA1 | 661bbe97b1530db24c1a66683fe9d8db25b632b9 |
| SHA256 | f8a667aad6aa692f46bf30c46b45f9fd80a0c4d23484635147f6080565e4d0f0 |
| SHA512 | 387293a1b725a7d4601a438ec39b10ce0587f72c5626955806205345655bbed2ee6d99d30424b23a81a104e3d8ac8d56bae209c7094453bae0e32480ad0bbd29 |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i41843636.exe
| MD5 | de83c3f0968b64ad6b5bd0128edc00a0 |
| SHA1 | 1f6b5630821223ee437dc1998a5aa6b14d528ef2 |
| SHA256 | 8a6861e73519e8f7a659bf5b02f5d35d1b4180aaf9debfc5870c8e99b5552536 |
| SHA512 | 61d4f36e97882aafdf586a22161060a8dfb64942322273b2e01a65eab253cf9bf480237656fd84abb92cb950068b09e8884d9f4ef5e78691f03635caaa5124d6 |
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a97214348.exe
| MD5 | 44d07a9d2e37f8eec8af6734583a9c3f |
| SHA1 | d14f0a6620645f054d89861b54c4455651810871 |
| SHA256 | 877d41b3912d640bb21c6228a9d788ba4a1e414e35ac091a872644680c3cac9d |
| SHA512 | 92d5d19d6cf9f219f48a3aec1a6aba4411b718cd6c802cabce3931495652cd0ada9afda4e76b360c0d2d3dedfc1defcf08b11302c1be1d9ac34c6f283f76ec5e |
memory/1164-35-0x00000000002D0000-0x0000000000300000-memory.dmp
memory/1164-36-0x00000000025C0000-0x00000000025C6000-memory.dmp
memory/1164-37-0x00000000052C0000-0x00000000058D8000-memory.dmp
memory/1164-38-0x0000000004DB0000-0x0000000004EBA000-memory.dmp
memory/1164-39-0x0000000004C40000-0x0000000004C52000-memory.dmp
memory/1164-40-0x0000000004CE0000-0x0000000004D1C000-memory.dmp
memory/1164-41-0x0000000004D20000-0x0000000004D6C000-memory.dmp