Analysis Overview
SHA256
62d0e87b30d621f9ab2a55f1ef9f8d5cb627855a630abfeaac77d3c35703c465
Threat Level: Known bad
The file 62d0e87b30d621f9ab2a55f1ef9f8d5cb627855a630abfeaac77d3c35703c465 was found to be: Known bad.
Malicious Activity Summary
RedLine
RedLine payload
Redline family
Executes dropped EXE
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
| Reported | 2024-11-10 15:03 |
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
| Submitted | 2024-11-10 15:03 |
| Reported | 2024-11-10 15:06 |
| Platform | win10v2004-20241007-en |
| Max time kernel | 141s |
| Max time network | 150s |
| Command Line | |
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vMP23.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vkv79.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dlf76.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\62d0e87b30d621f9ab2a55f1ef9f8d5cb627855a630abfeaac77d3c35703c465.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vMP23.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vkv79.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\62d0e87b30d621f9ab2a55f1ef9f8d5cb627855a630abfeaac77d3c35703c465.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vMP23.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vkv79.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dlf76.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dlf76.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| C:\Users\Admin\AppData\Local\Temp\62d0e87b30d621f9ab2a55f1ef9f8d5cb627855a630abfeaac77d3c35703c465.exe | "C:\Users\Admin\AppData\Local\Temp\62d0e87b30d621f9ab2a55f1ef9f8d5cb627855a630abfeaac77d3c35703c465.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vMP23.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vMP23.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vkv79.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vkv79.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dlf76.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dlf76.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| RU | 193.233.20.13:4136 | N/A | tcp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| RU | 193.233.20.13:4136 | N/A | tcp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.117.19.2.in-addr.arpa | udp |
| RU | 193.233.20.13:4136 | N/A | tcp |
| RU | 193.233.20.13:4136 | N/A | tcp |
| RU | 193.233.20.13:4136 | N/A | tcp |
| RU | 193.233.20.13:4136 | N/A | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vMP23.exe
| MD5 | 0f0d1b3b482a1228914a2b3124b2938d |
| SHA1 | 5a776f0241474aa21e51fed0b5eafa178e46a090 |
| SHA256 | 806af668edc29d7b8670c7bc5773ac61ef6f78a65a560352700883fce0b8a014 |
| SHA512 | 7dfe8e0e44d337a620bf974c837cde56fa31070917d7ab3742433eeee87cb5c41773f9df773b6b16736ddcb395081f686e3d35dde19a66166f299ff2c39e29bc |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vkv79.exe
| MD5 | aba82c5edd0f7d206969bc14c9539e82 |
| SHA1 | 46774153e3e2a591c52086453c2499459664e117 |
| SHA256 | 4d5c570fbb2948fcf459598d3ed373a11db071626e6634cc8f969cb39c4b72b8 |
| SHA512 | f02c4aba13961fe6f737d93991a18f3fe07c5e5ce324c9bad7f7346fb0766e1e340ccfd9bb88412de56f077d5e307e7414ea99413a899ec2c15324b75d8583a3 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dlf76.exe
| MD5 | b5b088e47af91c344e3583ef9391586f |
| SHA1 | 81c28284f693f66d1d30b8ee09f0d69e27457333 |
| SHA256 | 3f201ce75b624c56d73e6aa11e0d93825455d0ee88d3fdcc8e2f3bafae6cc739 |
| SHA512 | 9d0789dfa16b849709e3bb04159ed2bf6ccd74975472efe87aeb9d8ff0539b8953cb0937b4d646fba7d1460ea8c1fd0ee4dfb9ec2debfefdee70ab9b05ca1a3b |