Analysis Overview
SHA256
fda4b898a3c579fe7ef0682031a7f1ff9c9cddf6018019f5ef8df2e4533d9083
Threat Level: Known bad
The file fda4b898a3c579fe7ef0682031a7f1ff9c9cddf6018019f5ef8df2e4533d9083 was found to be: Known bad.
Malicious Activity Summary
Redline family
RedLine
RedLine payload
Executes dropped EXE
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-11 07:04
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-11 07:04
Reported
2024-11-11 07:07
Platform
win10v2004-20241007-en
Max time kernel
141s
Max time network
149s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\viu68.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vWi46.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dmn77.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\viu68.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vWi46.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\fda4b898a3c579fe7ef0682031a7f1ff9c9cddf6018019f5ef8df2e4533d9083.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\fda4b898a3c579fe7ef0682031a7f1ff9c9cddf6018019f5ef8df2e4533d9083.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\viu68.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vWi46.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dmn77.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dmn77.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\fda4b898a3c579fe7ef0682031a7f1ff9c9cddf6018019f5ef8df2e4533d9083.exe | "C:\Users\Admin\AppData\Local\Temp\fda4b898a3c579fe7ef0682031a7f1ff9c9cddf6018019f5ef8df2e4533d9083.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\viu68.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\viu68.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vWi46.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vWi46.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dmn77.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dmn77.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| RU | 193.233.20.12:4132 | N/A | tcp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| RU | 193.233.20.12:4132 | N/A | tcp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| RU | 193.233.20.12:4132 | N/A | tcp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| RU | 193.233.20.12:4132 | N/A | tcp |
| US | 8.8.8.8:53 | 71.208.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| RU | 193.233.20.12:4132 | N/A | tcp |
| RU | 193.233.20.12:4132 | N/A | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\viu68.exe
| Hash | Value |
| MD5 | 7b8e71bed0c5ce06d440cfdc382c14f0 |
| SHA1 | 692985b9a2667122646f36baa3ba7e692244068f |
| SHA256 | 54e78bb7f9554a00751b7b4676eee607fe5018da8953318bc21af63a624c14ba |
| SHA512 | 345e6ac18dbbb01f05b2f5955d8673efefaf3d9260469f4c622d3d1848a7bdfe33eafa510541746dad4fd0ba01e369de287d1dae2499198842a5b3b67bb967a7 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vWi46.exe
| Hash | Value |
| MD5 | 2c19365d8e36305798c141ba721b79c5 |
| SHA1 | 66b18f8d4cc6456c69a15e6fd65021441b0b726a |
| SHA256 | 4084464a01c9471f4bea05e6e6e25a00c1114ee96dcec82c99f06ade6d1891c9 |
| SHA512 | 263269aa3f5dcae6c00eac45378d38b9b68e19cd30b96f47e6e092d64417811638755761ad41096ca13b936fbf659eb03c61642c7342883a7df2399cdd0767b6 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dmn77.exe
| Hash | Value |
| MD5 | 5679820c359decb6148df7d1f99dbf24 |
| SHA1 | afc2c0c251e62bdcfa1b53ae4f228ba8d734ee9f |
| SHA256 | 6187b858630a3b80420ea4e8643056877eb2c528f9f366e4b41d4d31443e5938 |
| SHA512 | 71d465a2e6accb08a50dc8545792df0c0dd2ea67c06be3462448ce4d76166c12214a8e8b99d994a7303d8b9b7c6f8974b01aa5af206f3f2eed4e59b503731aa9 |