Analysis Overview
SHA256
3b9b5703ef9d3f1021a41464998550b6b71b924ec2849f948e240de6a34d51cd
Threat Level: Known bad
The file 3b9b5703ef9d3f1021a41464998550b6b71b924ec2849f948e240de6a34d51cd was found to be: Known bad.
Malicious Activity Summary
RedLine
RedLine payload
Redline family
Executes dropped EXE
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-11 06:01
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-11 06:01
Reported
2024-11-11 06:04
Platform
win10v2004-20241007-en
Max time kernel
140s
Max time network
148s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i23121391.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i92806119.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i28294998.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i45511230.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a56915735.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i23121391.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i92806119.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i28294998.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i45511230.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\3b9b5703ef9d3f1021a41464998550b6b71b924ec2849f948e240de6a34d51cd.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3b9b5703ef9d3f1021a41464998550b6b71b924ec2849f948e240de6a34d51cd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i23121391.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i92806119.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i28294998.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i45511230.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a56915735.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\3b9b5703ef9d3f1021a41464998550b6b71b924ec2849f948e240de6a34d51cd.exe
"C:\Users\Admin\AppData\Local\Temp\3b9b5703ef9d3f1021a41464998550b6b71b924ec2849f948e240de6a34d51cd.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i23121391.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i23121391.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i92806119.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i92806119.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i28294998.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i28294998.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i45511230.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i45511230.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a56915735.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a56915735.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| RU | 185.161.248.73:4164 | | tcp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| RU | 185.161.248.73:4164 | | tcp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| RU | 185.161.248.73:4164 | | tcp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| RU | 185.161.248.73:4164 | | tcp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| RU | 185.161.248.73:4164 | | tcp |
| RU | 185.161.248.73:4164 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i23121391.exe
| MD5 | 200533d1407ff660c8e21d85a9eb5f6c |
| SHA1 | 894fc5f6090622dc8feb40137f40499eec677a16 |
| SHA256 | dcd95d79bb84de407d7d77cc5273215662ca9a56255e06cd116d899b7dfe15c3 |
| SHA512 | 1df15c2d7bd057e21c4d4a463abde82b2b63ab784c1e327ac18972d70bd240d76a72fb6ca2031913a806ed3d96ca61ae743c1a76271d8cb0ef7fd4c540b4818e |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i92806119.exe
| MD5 | 85990274efa48f8b8b2a1ecf2a6413d4 |
| SHA1 | 6bee2a00f480eeae5dfe361a22297759fc03d208 |
| SHA256 | 68b75c9b9d2824559d2af7ef28f8c010f77ec043ca24acf2183f6a3921a65b42 |
| SHA512 | 94f1cb9ffad045f155c8e95312d6bd189d868353e43c04550611ada4f66dab1656529600a2194877ae936e30a5b1bde56c3a0aac03c3c191ab35976edc6d3412 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i28294998.exe
| MD5 | 3fb432179a28faff938f7f1ad7ffc3d8 |
| SHA1 | 211284485081f7bf0a09b44acdec233a78f65ac8 |
| SHA256 | 771557411c0021f2d495b72a49a020c277ba4658a646fd31507f3b0b715efc0e |
| SHA512 | 17b5f88144542fded42f5df13b875ae24ce40a27a4d3ebe71a9fdf9892e70e1d756f47125facabc64ec3b95b2517de29f84f29a279d2db3676d877836d8face1 |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i45511230.exe
| MD5 | 7c0a1c10a357abeb0fb484968abd087e |
| SHA1 | 71aa532533c1fbc2cb51f69f5c21293ccea72425 |
| SHA256 | 7a5893d45095dc0e14f9035780b21a977cbab589c556b7b8f705bf83c5ca0dd9 |
| SHA512 | f26ece118abea3d065715d09a735023da9af1c86770e613cdff8cfc8761e9a2cd723210e2021945024ad5c9f849acc161b1cc5a825a9f639000fa77d306cd8cf |
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a56915735.exe
| MD5 | 92ce95e0808338e0da10c041498d7c75 |
| SHA1 | b81e71fa22f23e0148d25cb618ba89dbcdb74b3d |
| SHA256 | f345244e2698b4074cc6b7a988c3aaee9a902f381712299aad6381cb99121387 |
| SHA512 | 056336fdabbc9f260f170ec773b98590c0c75d0e0b173633116fe2c1ec4260d9a2a3a3477b920ab6273694a96c396e98cfff24c8d6985b0e6d201c299bd9a011 |
memory/3608-35-0x0000000000D70000-0x0000000000DA0000-memory.dmp
memory/3608-36-0x0000000003140000-0x0000000003146000-memory.dmp
memory/3608-37-0x0000000005DA0000-0x00000000063B8000-memory.dmp
memory/3608-38-0x0000000005890000-0x000000000599A000-memory.dmp
memory/3608-39-0x00000000055E0000-0x00000000055F2000-memory.dmp
memory/3608-40-0x0000000005780000-0x00000000057BC000-memory.dmp
memory/3608-41-0x00000000057C0000-0x000000000580C000-memory.dmp