Analysis Overview
SHA256
0a876dfcee230873cc220bf447bd1ff3bd1af23521c871b6eb27d835d3b9ab32
Threat Level: Known bad
The file 0a876dfcee230873cc220bf447bd1ff3bd1af23521c871b6eb27d835d3b9ab32N was found to be: Known bad.
Malicious Activity Summary
RedLine
RedLine payload
Redline family
Executes dropped EXE
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-11 05:57
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-11 05:57
Reported
2024-11-11 05:59
Platform
win10v2004-20241007-en
Max time kernel
106s
Max time network
114s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i52967016.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i84159350.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i51748369.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a64284449.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i52967016.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i84159350.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i51748369.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\0a876dfcee230873cc220bf447bd1ff3bd1af23521c871b6eb27d835d3b9ab32N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i52967016.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i84159350.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i51748369.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a64284449.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\0a876dfcee230873cc220bf447bd1ff3bd1af23521c871b6eb27d835d3b9ab32N.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\0a876dfcee230873cc220bf447bd1ff3bd1af23521c871b6eb27d835d3b9ab32N.exe
"C:\Users\Admin\AppData\Local\Temp\0a876dfcee230873cc220bf447bd1ff3bd1af23521c871b6eb27d835d3b9ab32N.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i52967016.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i52967016.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i84159350.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i84159350.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i51748369.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i51748369.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a64284449.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a64284449.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| RU | 185.161.248.73:4164 | | tcp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| RU | 185.161.248.73:4164 | | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.117.19.2.in-addr.arpa | udp |
| RU | 185.161.248.73:4164 | | tcp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| RU | 185.161.248.73:4164 | | tcp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| RU | 185.161.248.73:4164 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i52967016.exe
| MD5 | b659e8693f9c6bf3a07242f64a641643 |
| SHA1 | d6b9303eaf4fa66f95c4c617288ec57fc6addbe3 |
| SHA256 | c5c53066c9c65ea6d05fa10adcace56317f59ece80d9e756bdcbec681599fca1 |
| SHA512 | b0544418d253d2e1a1416b16cf52de3af6aef7f2afe96ddaccfdb622e27dd53a9ebe64595d5de106c47cfe697fd6cf8bc8fdf155b6821bd0c61ec99b6a0a7350 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i84159350.exe
| MD5 | 1881d788b8046308e1156636d4a6f8d2 |
| SHA1 | fb8e4d40d1a0664f13316ab23f13c050390b99b5 |
| SHA256 | a9b8e823d9318836368a7be00b8edccbe265282d0aaa5666d6503afff0dea74c |
| SHA512 | 41b780eaa441b6500b249da7767284b3cf3d7cbbdff55203461baf9808c5598a1b5ef2eca9f3692e1bf0cd954b1373695b54d2fef1eddbbb1c86cd09c6fb83bb |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i51748369.exe
| MD5 | 341ee1742a7c6cb97a6f94cb2880f72b |
| SHA1 | 55d67dc790192ad81761dc30ce4550b9f7e096a7 |
| SHA256 | 5303cca9f76963e9b0a728d64f36a64bdca4f3c6ed9c6e00a85489af77b60695 |
| SHA512 | d0628d5e853bf87e72a399aaaf7f43af6e43bb549b39cb955cd1f74b0d31d0d1f101f357c18c8caa875cbf3ce2410e04e24a98568c042ac0d19636f8cda7aca9 |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a64284449.exe
| MD5 | 375fb5fc9e409807364960c1891d2625 |
| SHA1 | ca904acdf5e162c8e595bb3c1dcb48ed97228ed5 |
| SHA256 | 71d35ffc50602e0bc952a8157bbc4b07cc2dcdd47c6a01257abc3d1c47b2510f |
| SHA512 | f6d7d1d6336440d69dc5debbb46ad4791bfb0f228519df264ba1f56c5227c832ef046803a28b65209f039b720f0d60dab7478d70d06036ac0df017a60248ec89 |
memory/1052-28-0x0000000000FF0000-0x0000000001020000-memory.dmp
memory/1052-29-0x00000000034B0000-0x00000000034B6000-memory.dmp
memory/1052-30-0x0000000006120000-0x0000000006738000-memory.dmp
memory/1052-31-0x0000000005C10000-0x0000000005D1A000-memory.dmp
memory/1052-32-0x0000000005990000-0x00000000059A2000-memory.dmp
memory/1052-33-0x0000000005B00000-0x0000000005B3C000-memory.dmp
memory/1052-34-0x0000000005B50000-0x0000000005B9C000-memory.dmp