Analysis Overview
SHA256
2e6cc644d077ff415e3dee4f709f1a9e9d7c48910485be336eac02135eea824e
Threat Level: Known bad
The file 2e6cc644d077ff415e3dee4f709f1a9e9d7c48910485be336eac02135eea824e was found to be: Known bad.
Malicious Activity Summary
RedLine
RedLine payload
Redline family
Executes dropped EXE
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-11 09:21
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-11 09:21
Reported
2024-11-11 09:24
Platform
win10v2004-20241007-en
Max time kernel
141s
Max time network
144s
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vcP52.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vBJ01.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dlm77.exe | N/A |
Adds Run key to start application
Note: these RunOnce entries are not the malware's own persistence. wextract_cleanupN values are written by the Windows IExpress self-extractor stub (wextract) so that rundll32 advpack.dll,DelNodeRunDLL32 deletes the IXP00N.TMP extraction directory at the next logon. Because each value is written by the executable that was itself extracted one level further out, the three entries show three nested self-extracting archives: the sample unpacks vcP52.exe into IXP000.TMP, vcP52.exe unpacks vBJ01.exe into IXP001.TMP, and vBJ01.exe unpacks dlm77.exe into IXP002.TMP. dlm77.exe writes no cleanup entry and is the innermost stage (it is also the process that acquires SeDebugPrivilege below). A RunOnce value that deletes a temp directory is benign on its own; the behavioural signal here is the nested-extractor chain that ends in the RedLine payload.
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\2e6cc644d077ff415e3dee4f709f1a9e9d7c48910485be336eac02135eea824e.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vcP52.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vBJ01.exe | N/A |
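The self-extractor nesting can be recovered mechanically from the report's own rows: the process that writes wextract_cleanupN for a directory is the extractor that created that directory, and each dropped EXE is the child of whichever process created the directory it sits in. The script below is an added example and not part of the sandbox report. It unescapes the registry values in the backslash-escaped form the report displays, pulls the target directory out of the DelNodeRunDLL32 command, and joins it against the "Executes dropped EXE" paths to order the stages from outermost to innermost. RUNONCE_ROWS and DROPPED_EXES are constructed from the two tables above; any RunOnce value that is not a wextract cleanup entry is ignored.

```python
"""Reconstruct the IExpress/wextract extraction chain from sandbox registry rows.

Added example; not part of the sandbox report. RUNONCE_ROWS and DROPPED_EXES
are constructed from the report's "Adds Run key to start application" and
"Executes dropped EXE" tables.
"""
import re
from typing import Dict, List, Optional, Tuple

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = TEMP + r"\2e6cc644d077ff415e3dee4f709f1a9e9d7c48910485be336eac02135eea824e.exe"
RUNONCE = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce"

# (registry indicator in the sandbox's backslash-escaped form, process that wrote it)
RUNONCE_ROWS: List[Tuple[str, str]] = [
    (RUNONCE + r'\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""', SAMPLE),
    (RUNONCE + r'\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""', TEMP + r"\IXP000.TMP\vcP52.exe"),
    (RUNONCE + r'\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""', TEMP + r"\IXP001.TMP\vBJ01.exe"),
]
DROPPED_EXES: List[str] = [
    TEMP + r"\IXP000.TMP\vcP52.exe",
    TEMP + r"\IXP001.TMP\vBJ01.exe",
    TEMP + r"\IXP002.TMP\dlm77.exe",
]

# wextract names its cleanup values wextract_cleanup<N>; the data is the rundll32 command line.
VALUE_RE = re.compile(r'\\(wextract_cleanup\d+) = "(.*)"$')
# advpack's DelNodeRunDLL32 export deletes the quoted directory tree.
DELNODE_RE = re.compile(r'advpack\.dll,DelNodeRunDLL32 "([^"]+)"', re.IGNORECASE)


def unescape(value: str) -> str:
    r"""Undo the report's escaping (\\ -> \ and \" -> ") in one left-to-right pass."""
    return re.sub(r'\\(["\\])', r'\1', value)


def parse_cleanup(indicator: str) -> Optional[Tuple[str, str]]:
    """Return (value name, directory scheduled for deletion), or None for any other value."""
    m = VALUE_RE.search(indicator)
    if not m:
        return None
    d = DELNODE_RE.search(unescape(m.group(2)))
    if not d:
        return None
    return m.group(1), d.group(1).rstrip("\\")


def extraction_chain(rows: List[Tuple[str, str]], dropped: List[str]) -> List[str]:
    """Order the executables from the outer self-extractor to the innermost dropped stage."""
    # The process that schedules a directory's deletion is the extractor that created it.
    creator_of_dir: Dict[str, str] = {}
    for indicator, writer in rows:
        parsed = parse_cleanup(indicator)
        if parsed:
            creator_of_dir[parsed[1].lower()] = writer
    # A dropped EXE's parent is the creator of the directory it was dropped into.
    parent: Dict[str, str] = {}
    for exe in dropped:
        directory = exe.rsplit("\\", 1)[0].lower()
        if directory in creator_of_dir:
            parent[exe] = creator_of_dir[directory]
    # The innermost stage is the only dropped EXE that is nobody's parent.
    parents = set(parent.values())
    leaves = [exe for exe in parent if exe not in parents]
    if len(leaves) != 1:
        raise ValueError(f"expected a single innermost stage, found {leaves}")
    chain = [leaves[0]]
    while chain[-1] in parent:
        chain.append(parent[chain[-1]])
    return chain[::-1]


if __name__ == "__main__":
    for depth, exe in enumerate(extraction_chain(RUNONCE_ROWS, DROPPED_EXES)):
        print("  " * depth + exe.rsplit("\\", 1)[1])
```

The join on directory, rather than on process names, is deliberate: IExpress stubs always extract into the next free IXP%03d.TMP directory under %TEMP%, so the directory is the stable link between the RunOnce row and the dropped file even when the inner executables carry random names like vcP52.exe.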
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dlm77.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2e6cc644d077ff415e3dee4f709f1a9e9d7c48910485be336eac02135eea824e.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vcP52.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vBJ01.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dlm77.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2e6cc644d077ff415e3dee4f709f1a9e9d7c48910485be336eac02135eea824e.exe | "C:\Users\Admin\AppData\Local\Temp\2e6cc644d077ff415e3dee4f709f1a9e9d7c48910485be336eac02135eea824e.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vcP52.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vcP52.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vBJ01.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vBJ01.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dlm77.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dlm77.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| RU | 193.233.20.12:4132 | | tcp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| RU | 193.233.20.12:4132 | | tcp |
| US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp |
| RU | 193.233.20.12:4132 | | tcp |
| RU | 193.233.20.12:4132 | | tcp |
| RU | 193.233.20.12:4132 | | tcp |
| RU | 193.233.20.12:4132 | | tcp |
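The in-addr.arpa names in this table are reverse-DNS (PTR) queries, so the address the guest looked up is the name's first four labels read backwards: 58.55.71.13.in-addr.arpa is a PTR lookup for 13.71.55.58. The report attributes no process to these rows and all of them go to the Google public resolver 8.8.8.8, so they have to be separated from the one direct connection, the repeated TCP sessions to 193.233.20.12:4132. The report does not label that endpoint, but a single non-standard-port TCP destination in a detonation tagged RedLine payload is the indicator an analyst pivots on. The script below is an added example and not part of the sandbox report. It parses the table in the layout it was extracted in (including rows where the protocol slid into the Domain column), decodes the PTR names, and buckets rows into lookups versus direct connections with a session count. NETWORK_TABLE is constructed from a subset of the rows above.

```python
"""Bucket a sandbox Network table into PTR lookups and direct connections.

Added example; not part of the sandbox report. NETWORK_TABLE is constructed
from a subset of the report's rows and keeps the extracted layout, so the
parser has to cope with the shifted RU rows.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

NETWORK_TABLE = """\
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| RU | 193.233.20.12:4132 | tcp | |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| RU | 193.233.20.12:4132 | tcp |
"""

PTR_SUFFIX = ".in-addr.arpa"
PROTOCOLS = {"tcp", "udp"}


@dataclass(frozen=True)
class NetEvent:
    country: str
    dest_ip: str
    dest_port: int
    proto: str
    domain: str  # queried name; empty for a direct connection


def ptr_to_ip(name: str) -> Optional[str]:
    """Decode d.c.b.a.in-addr.arpa to a.b.c.d; None if not a valid IPv4 PTR name."""
    if not name.lower().endswith(PTR_SUFFIX):
        return None
    labels = name[: -len(PTR_SUFFIX)].split(".")
    if len(labels) != 4 or not all(l.isdigit() and int(l) <= 255 for l in labels):
        return None
    return ".".join(reversed(labels))


def parse_row(line: str) -> Optional[NetEvent]:
    """Parse one markdown row; tolerates a protocol token that slid into the Domain column."""
    cells = [c.strip() for c in line.strip().strip("|").split("|")]
    if len(cells) < 2 or cells[0] == "Country":
        return None
    country, dest = cells[0], cells[1]
    extra = [c for c in cells[2:] if c]
    proto = next((c.lower() for c in extra if c.lower() in PROTOCOLS), "")
    domain = next((c for c in extra if c.lower() not in PROTOCOLS), "")
    ip, _, port = dest.rpartition(":")
    if not port.isdigit():
        return None
    return NetEvent(country, ip, int(port), proto, domain)


def triage(table: str) -> Dict[str, object]:
    """Split rows into reverse lookups, forward lookups and direct connections (with counts)."""
    ptr_lookups: Dict[str, str] = {}  # looked-up IP -> PTR name
    forward: List[str] = []           # names resolved over port 53 that are not PTR queries
    direct: Dict[str, int] = {}       # "ip:port/proto" -> number of sessions
    for line in table.splitlines():
        ev = parse_row(line)
        if ev is None:
            continue
        ip = ptr_to_ip(ev.domain)
        if ip is not None:
            ptr_lookups[ip] = ev.domain
        elif ev.dest_port == 53 and ev.domain:
            forward.append(ev.domain)
        else:
            key = f"{ev.dest_ip}:{ev.dest_port}/{ev.proto}"
            direct[key] = direct.get(key, 0) + 1
    return {"ptr_lookups": ptr_lookups, "forward_lookups": forward, "direct": direct}


if __name__ == "__main__":
    result = triage(NETWORK_TABLE)
    for ip, name in sorted(result["ptr_lookups"].items()):
        print(f"PTR  {name:32} -> {ip}")
    for endpoint, count in result["direct"].items():
        print(f"CONN {endpoint} x{count}  <- pivot IOC")
```

Counting sessions per endpoint rather than listing rows is what makes the RU endpoint stand out: six separate TCP connections to one host and port over a 144 s run is a beaconing pattern, whereas each PTR name appears once.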
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vcP52.exe
| MD5 | d9e739d9ff85a85d4ae6c0707ebef68b |
| SHA1 | 2082d945a785a3003b03d3e33a6e26c2f4d5ac24 |
| SHA256 | 97e68cc6719f514f36fbb806bd5bd017325dbe9b6584c30fa8c6105bb22d1289 |
| SHA512 | 6849ed07e32b620baadd68324266e12c691269ccd3da4ac24be69847be5536fbf953cd56ef39b072358f2637818ed77fe2045183ae5938d0736298b4b5c2d008 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vBJ01.exe
| MD5 | be3c2a6f36d8411f58580b0b2283046e |
| SHA1 | 77ac282e7ac1bd4be9cbf7b0c8dd797774433a72 |
| SHA256 | 8f1bcb263e5bc70216a07df0fad50357e0dbf77d33417e212142e4d6eced875c |
| SHA512 | 17e8339b23db2955db972797d436618f521f3376a58ad1e6c26177c9288c15a21aa5e252199db1a69aba19f43f7ebed8fa35b5a319b7bddf1c9c95a5207011fa |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dlm77.exe
| MD5 | 96cb25fef251057fd9f24f0c8cb90831 |
| SHA1 | dc393dceb9194a4814c42b87eb392ff37fca6c68 |
| SHA256 | d78d94ee7f5e64a25f292d51afee7a7a8f383a9a48a7d54135e9fdfc0fe7fdac |
| SHA512 | 6ad5d18632523607c9d7ec5bbc0dee2664755740a24b475bfc5f56b2707bef2343e12d3d2c6c0d5c7cf2239e245d6a8c6246ddeaf97ba4eba61a123cccaacaa0 |
memory/5036-22-0x00000000025B0000-0x00000000025F6000-memory.dmp
memory/5036-23-0x0000000004F50000-0x00000000054F4000-memory.dmp
memory/5036-24-0x00000000026C0000-0x0000000002704000-memory.dmp
memory/5036-74-0x00000000026C0000-0x00000000026FE000-memory.dmp
memory/5036-88-0x00000000026C0000-0x00000000026FE000-memory.dmp
memory/5036-86-0x00000000026C0000-0x00000000026FE000-memory.dmp
memory/5036-84-0x00000000026C0000-0x00000000026FE000-memory.dmp
memory/5036-82-0x00000000026C0000-0x00000000026FE000-memory.dmp
memory/5036-80-0x00000000026C0000-0x00000000026FE000-memory.dmp
memory/5036-78-0x00000000026C0000-0x00000000026FE000-memory.dmp
memory/5036-76-0x00000000026C0000-0x00000000026FE000-memory.dmp
memory/5036-72-0x00000000026C0000-0x00000000026FE000-memory.dmp
memory/5036-70-0x00000000026C0000-0x00000000026FE000-memory.dmp
memory/5036-69-0x00000000026C0000-0x00000000026FE000-memory.dmp
memory/5036-66-0x00000000026C0000-0x00000000026FE000-memory.dmp
memory/5036-64-0x00000000026C0000-0x00000000026FE000-memory.dmp
memory/5036-62-0x00000000026C0000-0x00000000026FE000-memory.dmp
memory/5036-60-0x00000000026C0000-0x00000000026FE000-memory.dmp
memory/5036-58-0x00000000026C0000-0x00000000026FE000-memory.dmp
memory/5036-56-0x00000000026C0000-0x00000000026FE000-memory.dmp
memory/5036-54-0x00000000026C0000-0x00000000026FE000-memory.dmp
memory/5036-52-0x00000000026C0000-0x00000000026FE000-memory.dmp
memory/5036-48-0x00000000026C0000-0x00000000026FE000-memory.dmp
memory/5036-46-0x00000000026C0000-0x00000000026FE000-memory.dmp
memory/5036-44-0x00000000026C0000-0x00000000026FE000-memory.dmp
memory/5036-42-0x00000000026C0000-0x00000000026FE000-memory.dmp
memory/5036-40-0x00000000026C0000-0x00000000026FE000-memory.dmp
memory/5036-38-0x00000000026C0000-0x00000000026FE000-memory.dmp
memory/5036-36-0x00000000026C0000-0x00000000026FE000-memory.dmp
memory/5036-35-0x00000000026C0000-0x00000000026FE000-memory.dmp
memory/5036-33-0x00000000026C0000-0x00000000026FE000-memory.dmp
memory/5036-30-0x00000000026C0000-0x00000000026FE000-memory.dmp
memory/5036-28-0x00000000026C0000-0x00000000026FE000-memory.dmp
memory/5036-26-0x00000000026C0000-0x00000000026FE000-memory.dmp
memory/5036-25-0x00000000026C0000-0x00000000026FE000-memory.dmp
memory/5036-50-0x00000000026C0000-0x00000000026FE000-memory.dmp
memory/5036-931-0x0000000005500000-0x0000000005B18000-memory.dmp
memory/5036-932-0x0000000005B20000-0x0000000005C2A000-memory.dmp
memory/5036-933-0x0000000004ED0000-0x0000000004EE2000-memory.dmp
memory/5036-934-0x0000000004EF0000-0x0000000004F2C000-memory.dmp
memory/5036-935-0x0000000005D30000-0x0000000005D7C000-memory.dmp