Analysis Overview
SHA256
3e1af7e26ab12c6b48da7042fe15762e4ccad35c8d57268df72ff30b4dc76144
Threat Level: Known bad
The file 3e1af7e26ab12c6b48da7042fe15762e4ccad35c8d57268df72ff30b4dc76144 was found to be: Known bad.
Malicious Activity Summary
RedLine payload
RedLine
Redline family
Executes dropped EXE
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-10 01:14
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-10 01:14
Reported
2024-11-10 01:17
Platform
win10v2004-20241007-en
Max time kernel
140s
Max time network
149s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vcL85.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\daG44.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\1fe28479e42351ecb3ae531321e56803d7aba556c51e79a9c99ae8cd002706d7.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vcL85.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\daG44.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1fe28479e42351ecb3ae531321e56803d7aba556c51e79a9c99ae8cd002706d7.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vcL85.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\daG44.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\1fe28479e42351ecb3ae531321e56803d7aba556c51e79a9c99ae8cd002706d7.exe
"C:\Users\Admin\AppData\Local\Temp\1fe28479e42351ecb3ae531321e56803d7aba556c51e79a9c99ae8cd002706d7.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vcL85.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vcL85.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\daG44.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\daG44.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| RU | 193.233.20.13:4136 | N/A | tcp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| RU | 193.233.20.13:4136 | N/A | tcp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.117.19.2.in-addr.arpa | udp |
| RU | 193.233.20.13:4136 | N/A | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| RU | 193.233.20.13:4136 | N/A | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| RU | 193.233.20.13:4136 | N/A | tcp |
| RU | 193.233.20.13:4136 | N/A | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vcL85.exe
| MD5 | f741776c71c86f4a34323ded9602a4d5 |
| SHA1 | 292ce158bdfae3117bb2be35625608999d18f63e |
| SHA256 | 5265966f5f0074df5a240ef6caf46e977fc03495f14baf9c57c4fb7f88b31137 |
| SHA512 | 87feda7e09956e900ffd4461435466c2281052b0219bef74a3f81f859c93a27c3713e6249f07f5af1fa01286c8dfc91e5fdc3ac6f4d9e702e44b3b96c332fb96 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\daG44.exe
| MD5 | 7cf461732cf9d151aed5ca9f15c9d689 |
| SHA1 | 16308873863f9231638b81abe04b80afd0b98c18 |
| SHA256 | 971b14529405a8774ceb5552f3f12fcf455f530e567b71ae043ef166f4ff9d4f |
| SHA512 | 1b27323c2386aa46b28ebd2b8a127dfa86ccefee0a104c73d0ec2fd56b7f72c65a46d0529716def211c747e386d101aa38cc7d2143839927971ba7788e381e75 |
memory/2320-15-0x00000000009D0000-0x0000000000AD0000-memory.dmp
memory/2320-17-0x0000000000400000-0x000000000044E000-memory.dmp
memory/2320-16-0x00000000023F0000-0x000000000243B000-memory.dmp
memory/2320-18-0x0000000000400000-0x0000000000767000-memory.dmp
memory/2320-19-0x0000000004CF0000-0x0000000004D36000-memory.dmp
memory/2320-20-0x0000000004D30000-0x00000000052D4000-memory.dmp
memory/2320-21-0x0000000005320000-0x0000000005364000-memory.dmp
memory/2320-59-0x0000000005320000-0x000000000535E000-memory.dmp
memory/2320-57-0x0000000005320000-0x000000000535E000-memory.dmp
memory/2320-85-0x0000000005320000-0x000000000535E000-memory.dmp
memory/2320-83-0x0000000005320000-0x000000000535E000-memory.dmp
memory/2320-81-0x0000000005320000-0x000000000535E000-memory.dmp
memory/2320-79-0x0000000005320000-0x000000000535E000-memory.dmp
memory/2320-77-0x0000000005320000-0x000000000535E000-memory.dmp
memory/2320-75-0x0000000005320000-0x000000000535E000-memory.dmp
memory/2320-73-0x0000000005320000-0x000000000535E000-memory.dmp
memory/2320-71-0x0000000005320000-0x000000000535E000-memory.dmp
memory/2320-69-0x0000000005320000-0x000000000535E000-memory.dmp
memory/2320-67-0x0000000005320000-0x000000000535E000-memory.dmp
memory/2320-65-0x0000000005320000-0x000000000535E000-memory.dmp
memory/2320-63-0x0000000005320000-0x000000000535E000-memory.dmp
memory/2320-61-0x0000000005320000-0x000000000535E000-memory.dmp
memory/2320-55-0x0000000005320000-0x000000000535E000-memory.dmp
memory/2320-53-0x0000000005320000-0x000000000535E000-memory.dmp
memory/2320-51-0x0000000005320000-0x000000000535E000-memory.dmp
memory/2320-49-0x0000000005320000-0x000000000535E000-memory.dmp
memory/2320-47-0x0000000005320000-0x000000000535E000-memory.dmp
memory/2320-45-0x0000000005320000-0x000000000535E000-memory.dmp
memory/2320-43-0x0000000005320000-0x000000000535E000-memory.dmp
memory/2320-41-0x0000000005320000-0x000000000535E000-memory.dmp
memory/2320-39-0x0000000005320000-0x000000000535E000-memory.dmp
memory/2320-37-0x0000000005320000-0x000000000535E000-memory.dmp
memory/2320-35-0x0000000005320000-0x000000000535E000-memory.dmp
memory/2320-33-0x0000000005320000-0x000000000535E000-memory.dmp
memory/2320-31-0x0000000005320000-0x000000000535E000-memory.dmp
memory/2320-29-0x0000000005320000-0x000000000535E000-memory.dmp
memory/2320-27-0x0000000005320000-0x000000000535E000-memory.dmp
memory/2320-25-0x0000000005320000-0x000000000535E000-memory.dmp
memory/2320-23-0x0000000005320000-0x000000000535E000-memory.dmp
memory/2320-22-0x0000000005320000-0x000000000535E000-memory.dmp
memory/2320-928-0x00000000053A0000-0x00000000059B8000-memory.dmp
memory/2320-929-0x0000000005A40000-0x0000000005B4A000-memory.dmp
memory/2320-930-0x0000000005B80000-0x0000000005B92000-memory.dmp
memory/2320-931-0x0000000005BA0000-0x0000000005BDC000-memory.dmp
memory/2320-932-0x0000000005CF0000-0x0000000005D3C000-memory.dmp
memory/2320-933-0x00000000009D0000-0x0000000000AD0000-memory.dmp
memory/2320-934-0x0000000000400000-0x000000000044E000-memory.dmp