Analysis Overview
SHA256
0cebb90e26b7ed9e1ab29b4620b2270de761469b6d630ae7a411ecf0d54477ba
Threat Level: Known bad
The file 0cebb90e26b7ed9e1ab29b4620b2270de761469b6d630ae7a411ecf0d54477ba was found to be: Known bad.
Malicious Activity Summary
RedLine
RedLine payload
Redline family
Executes dropped EXE
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-10 01:28
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-10 01:28
Reported
2024-11-10 01:30
Platform
win10v2004-20241007-en
Max time kernel
132s
Max time network
148s
Signatures
RedLine
RedLine payload
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6066881.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4444320.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f8027644.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4444320.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\0cebb90e26b7ed9e1ab29b4620b2270de761469b6d630ae7a411ecf0d54477ba.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6066881.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4444320.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f8027644.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\0cebb90e26b7ed9e1ab29b4620b2270de761469b6d630ae7a411ecf0d54477ba.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6066881.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\0cebb90e26b7ed9e1ab29b4620b2270de761469b6d630ae7a411ecf0d54477ba.exe | "C:\Users\Admin\AppData\Local\Temp\0cebb90e26b7ed9e1ab29b4620b2270de761469b6d630ae7a411ecf0d54477ba.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6066881.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6066881.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4444320.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4444320.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f8027644.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f8027644.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| RU | 185.161.248.75:4132 | | tcp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6066881.exe
| MD5 | 7a05acabce7dd1066ea099fb13c75adf |
| SHA1 | 7d99bd714de74c0b47ab3cfb8cefa43dda79ce56 |
| SHA256 | 902ba912435a11647c782a44c0e449c5766f0b7b7489671707ebeca159c25959 |
| SHA512 | 4bad57062261b28146de53c500772e971d17059f36a6871fa65b13794f5ceaf75667e1d6a37f40256b27bc9faa6804175667cc91ad83d12d1bd5ec5800bc1be7 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4444320.exe
| MD5 | 30953a378de72624b0d1c0b9562733a4 |
| SHA1 | 5900c61b2b2b286a42504b9910687ede7ee0d01c |
| SHA256 | fd89d9c07891166c82eda88373585b7d7d419db1b49fb50e241ffe8c2d8ee420 |
| SHA512 | 1a842b157abd25d6637dea1c000e6f34d1633e2af26665f38595ac8eb1b844463e01c5e6f6dc0a7145172bb48209e72ef86650aa2ae6b35357608b41b3383ae5 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f8027644.exe
| MD5 | 4fd5c9bc65d0d1009a09353e99b80323 |
| SHA1 | a1890ea18653d647d33acc1416942bac34f06d40 |
| SHA256 | 5a6d984c120abf06468714d0553802305be4304fa7f70399da9472132f02e360 |
| SHA512 | 1bc69f926063d95ce68a6abe013302bd940794d3e51327e22e8ac179ed01284a8b2c2c77c5d756923efa7748678a02a872b0200bdc1852f49d7a9c79fbff4b99 |