Analysis Overview
SHA256
9c87ae8aa139f78d048e64fef780cef440b87e3ac7f583cbda8f530995cd1de2
Threat Level: Known bad
The file 9c87ae8aa139f78d048e64fef780cef440b87e3ac7f583cbda8f530995cd1de2 was found to be: Known bad.
Malicious Activity Summary
Redline family
RedLine
RedLine payload
Executes dropped EXE
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-11 11:10
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-11 11:10
Reported
2024-11-11 11:12
Platform
win10v2004-20241007-en
Max time kernel
140s
Max time network
154s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vGu18.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vJl17.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dkS63.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\9c87ae8aa139f78d048e64fef780cef440b87e3ac7f583cbda8f530995cd1de2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vGu18.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vJl17.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\9c87ae8aa139f78d048e64fef780cef440b87e3ac7f583cbda8f530995cd1de2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vGu18.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vJl17.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dkS63.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dkS63.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| C:\Users\Admin\AppData\Local\Temp\9c87ae8aa139f78d048e64fef780cef440b87e3ac7f583cbda8f530995cd1de2.exe | "C:\Users\Admin\AppData\Local\Temp\9c87ae8aa139f78d048e64fef780cef440b87e3ac7f583cbda8f530995cd1de2.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vGu18.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vGu18.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vJl17.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vJl17.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dkS63.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dkS63.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| RU | 193.233.20.12:4132 | N/A | tcp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| RU | 193.233.20.12:4132 | N/A | tcp |
| RU | 193.233.20.12:4132 | N/A | tcp |
| US | 8.8.8.8:53 | 105.209.201.84.in-addr.arpa | udp |
| RU | 193.233.20.12:4132 | N/A | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| RU | 193.233.20.12:4132 | N/A | tcp |
| RU | 193.233.20.12:4132 | N/A | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vGu18.exe
| MD5 | 1c03cf581d0b202e326d177106dce492 |
| SHA1 | e53f111b16694713dc233e2a53f9f3de317cb802 |
| SHA256 | 621a683bbf03c7b907a5a84d18a971d3c033eb0cee9ffb51b6ebe1e795b21f1a |
| SHA512 | 2b189d85934f9c9e5ffba05f0ae8b13b9351b5c9c6f0926197c8c53ce07359ea3a3fa256ba802b7ebf3e73b7e574af21c9aaa30ec5d64e24a90a0dd41fe9175a |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vJl17.exe
| MD5 | b9e5e108c15efadef1247987402118e5 |
| SHA1 | 7f6bb289ba9b7de7efd48f7294f1d18e8c149669 |
| SHA256 | 14a7e1de2c732d95b5f661b897cd4aa7dd97287679bc7cb2962544ff2309e3e6 |
| SHA512 | 23c6bc3ac0438096a54bef8c61c300410a32ec1d06d9115ba1b214703406ae10cb7269c5736a12ca8a5a76d66b9ed22b7f1cb9913f965bec28a67d0105701370 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dkS63.exe
| MD5 | 05cec4f107653cd20a093e2ab3255796 |
| SHA1 | 3ea89b1cf7fc3a40d3a8c06d7e3082b39ad67f85 |
| SHA256 | f8f4ea19cff74a70ef2cc653515d2512d6caf81f7cff71774ae8978718039326 |
| SHA512 | 7553f277177d5025c4346ce5d727073c83c224b12540908bf6d8b75e229ec25b5ad0ef1ce6569ecb59661ef7e16926c3a5bfad477979f9b9d0ab55cc80091b65 |