Analysis Overview
SHA256
f35d7ff51b69717921ee6ab5033d965c23d22b1127e8f225ddfb77632fce24b9
Threat Level: Known bad
The file f35d7ff51b69717921ee6ab5033d965c23d22b1127e8f225ddfb77632fce24b9 was found to be: Known bad.
Malicious Activity Summary
RedLine
RedLine payload
Redline family
Executes dropped EXE
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-11 08:31
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-11 08:31
Reported
2024-11-11 08:34
Platform
win10v2004-20241007-en
Max time kernel
141s
Max time network
144s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vxq98.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vow79.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dXq48.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\f35d7ff51b69717921ee6ab5033d965c23d22b1127e8f225ddfb77632fce24b9.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vxq98.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vow79.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f35d7ff51b69717921ee6ab5033d965c23d22b1127e8f225ddfb77632fce24b9.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vxq98.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vow79.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dXq48.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dXq48.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| C:\Users\Admin\AppData\Local\Temp\f35d7ff51b69717921ee6ab5033d965c23d22b1127e8f225ddfb77632fce24b9.exe | "C:\Users\Admin\AppData\Local\Temp\f35d7ff51b69717921ee6ab5033d965c23d22b1127e8f225ddfb77632fce24b9.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vxq98.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vxq98.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vow79.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vow79.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dXq48.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dXq48.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| RU | 193.233.20.12:4132 | N/A | tcp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| RU | 193.233.20.12:4132 | N/A | tcp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| RU | 193.233.20.12:4132 | N/A | tcp |
| RU | 193.233.20.12:4132 | N/A | tcp |
| RU | 193.233.20.12:4132 | N/A | tcp |
| RU | 193.233.20.12:4132 | N/A | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vxq98.exe
| MD5 | 808720598383f6ce34866d1386a7497d |
| SHA1 | 50a5d2b6549d59616fb9067ca02ee1fd80ce15f7 |
| SHA256 | 5d9ee4faeabbe5bd559f7bc0758da46f5375013fc86946ed5e4605fa3383e7ca |
| SHA512 | b571abeb700c7017e697d64ee7fadfbc6030327c05c097cb16476ff4952a259381afb96a413e7132c5d3f04569448e33b9a88ac318e645ed4d936ee7c94fa163 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vow79.exe
| MD5 | 36f593c113598104f57f4e0cfe958f3c |
| SHA1 | db6379d6c4734045b827fb3d87a11b1aba75d94d |
| SHA256 | da242dce74bdeaaa9429453a2b470dbc5722b13e151aa704e41be744468f2070 |
| SHA512 | 6b22f3976546f5ffdf4ba1ca487eec3ae0d0c4b3b192f2878bed5c69fdac9cc5d2db477bdb0363687f73f7e9be42dced0d57e24bfafa7e03b3efd0b35a51a665 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dXq48.exe
| MD5 | 285075759e1fdcae6a0deb572b9f2deb |
| SHA1 | 8ba0efce7c3edce13cd2cda3c250fe4f7c90ff7b |
| SHA256 | b5bdf2dbf6d46257447f8b9633c4b3c1905171c0ca9e6a8c1954a92accbb00c1 |
| SHA512 | 54338da73f8e569a9d450ac4092d385488103da32cdfddea13d0a92c847d197584683b26a21c5fa37625ce01220717ea34d8b4da4cd3a026e15b77ef23771f02 |