Analysis Overview
SHA256
38a69dbb581af4f2f9dd2762e58adadb968e62f36b57143198bd2f45b5cdbdc1
Threat Level: Known bad
The file 38a69dbb581af4f2f9dd2762e58adadb968e62f36b57143198bd2f45b5cdbdc1 was found to be: Known bad.
Malicious Activity Summary
RedLine payload
RedLine
Redline family
Executes dropped EXE
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-11 21:20
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-11 21:20
Reported
2024-11-11 21:23
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
150s
Command Line
Signatures
RedLine
RedLine payload
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vrW84.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dTi36.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\38a69dbb581af4f2f9dd2762e58adadb968e62f36b57143198bd2f45b5cdbdc1.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vrW84.exe | N/A |
Note: both entries are the standard self-delete hook written by the Windows wextract/IExpress self-extractor (rundll32 advpack.dll,DelNodeRunDLL32 removes the IXP00n.TMP extraction directory at the next logon), not persistence for the payload. What they do establish is that the sample is a two-stage wextract package: the submitted file extracts vrW84.exe into IXP000.TMP, and vrW84.exe in turn extracts dTi36.exe into IXP001.TMP. No Run or RunOnce entry that relaunches the payload is recorded in this detonation.
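Telling the wextract cleanup hook apart from real autorun persistence is a recurring triage step, so here is an added helper for it (example code written for this page, not part of the report or of any sandbox vendor's tooling). It parses indicators in the report's own "Set value (str)" format, labels a RunOnce\wextract_cleanupN value whose data runs advpack.dll,DelNodeRunDLL32 as an SFX cleanup entry, treats any other Run/RunOnce write as persistence, and reconstructs the nested-extractor chain from which process wrote which cleanup entry. The first two sample rows are the entries from this detonation; the third row (the S-1-5-21-1111-2222-3333-1001 SID, the Updater value and the svc.exe path) is a constructed contrast case and was not observed in this analysis.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample in the report's own "Set value (str)" format: (writing process, indicator).
# The first two rows are the RunOnce entries from this detonation; the third is a made-up
# Run-key entry (hypothetical SID, value name and path) included only for contrast.
SAMPLE_RUNKEY_ROWS: List[Tuple[str, str]] = [
    (r"C:\Users\Admin\AppData\Local\Temp\38a69dbb581af4f2f9dd2762e58adadb968e62f36b57143198bd2f45b5cdbdc1.exe",
     r'\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""'),
    (r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vrW84.exe",
     r'\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""'),
    (r"C:\Users\Admin\AppData\Roaming\svc.exe",
     r'\REGISTRY\USER\S-1-5-21-1111-2222-3333-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater = "C:\\Users\\Admin\\AppData\\Roaming\\svc.exe"'),
]

AUTORUN_KEYS = {"run", "runonce", "runservices", "runservicesonce"}
SFX_CLEANUP_NAME = re.compile(r"^wextract_cleanup\d+$", re.IGNORECASE)
DELNODE_ARG = re.compile(r'advpack\.dll,DelNodeRunDLL32\s+"([^"]+)"', re.IGNORECASE)


@dataclass
class AutorunFinding:
    key: str                    # registry key the value was written under
    value_name: str
    data: str                   # value data with the report's escaping undone
    autorun_key: str            # "Run", "RunOnce", ...
    verdict: str                # "sfx_cleanup" or "persistence"
    cleanup_dir: Optional[str]  # directory DelNodeRunDLL32 will delete (sfx_cleanup only)


def unescape_report_string(s: str) -> str:
    """Strip the surrounding quotes and the C-style backslash escaping the
    report applies to string values."""
    s = s.strip()
    if len(s) >= 2 and s[0] == '"' and s[-1] == '"':
        s = s[1:-1]
    return re.sub(r"\\(.)", r"\1", s)


def classify_autorun(indicator: str) -> Optional[AutorunFinding]:
    """Parse one 'key\\name = "data"' indicator. Returns None for writes outside
    the autorun keys; otherwise labels the wextract/IExpress self-delete hook
    (RunOnce\\wextract_cleanupN running advpack.dll,DelNodeRunDLL32) as
    sfx_cleanup and everything else as persistence."""
    path, sep, raw_data = indicator.partition(" = ")
    if not sep:
        return None
    key, _, value_name = path.rpartition("\\")
    autorun_key = key.rsplit("\\", 1)[-1]
    if autorun_key.lower() not in AUTORUN_KEYS:
        return None
    data = unescape_report_string(raw_data)
    verdict, cleanup_dir = "persistence", None
    m = DELNODE_ARG.search(data)
    if autorun_key.lower() == "runonce" and SFX_CLEANUP_NAME.match(value_name) and m:
        verdict, cleanup_dir = "sfx_cleanup", m.group(1).rstrip("\\")
    return AutorunFinding(key, value_name, data, autorun_key, verdict, cleanup_dir)


def triage(rows: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Group autorun writes by verdict as 'AutorunKey\\ValueName' labels."""
    out: Dict[str, List[str]] = {"persistence": [], "sfx_cleanup": []}
    for _, indicator in rows:
        f = classify_autorun(indicator)
        if f:
            out[f.verdict].append(f"{f.autorun_key}\\{f.value_name}")
    return out


def sfx_chain(rows: List[Tuple[str, str]]) -> List[Dict[str, Optional[str]]]:
    """Recover the wextract stages: the process that wrote a cleanup entry is the
    extractor for that directory, and a stage is nested when its extractor runs
    from an earlier stage's extraction directory."""
    stages = []
    for process, indicator in rows:
        f = classify_autorun(indicator)
        if f and f.verdict == "sfx_cleanup":
            stages.append((process, f.cleanup_dir))
    chain = []
    for process, out_dir in stages:
        parent = next((d for _, d in stages if process.lower().startswith(d.lower() + "\\")), None)
        chain.append({"extractor": process, "extracts_to": out_dir, "nested_in": parent})
    return chain


if __name__ == "__main__":
    print(triage(SAMPLE_RUNKEY_ROWS))
    for stage in sfx_chain(SAMPLE_RUNKEY_ROWS):
        print(stage)
```

On this report's rows the helper files both RunOnce entries under sfx_cleanup and reports vrW84.exe as a stage nested inside IXP000.TMP, which is the extraction directory the parent's cleanup entry points at; the constructed Run\Updater row is the only one it flags as persistence. The extraction directories it recovers are also worth keeping as IOCs, since the dropped files live there until the cleanup entry runs.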
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\38a69dbb581af4f2f9dd2762e58adadb968e62f36b57143198bd2f45b5cdbdc1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vrW84.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dTi36.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dTi36.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| C:\Users\Admin\AppData\Local\Temp\38a69dbb581af4f2f9dd2762e58adadb968e62f36b57143198bd2f45b5cdbdc1.exe | "C:\Users\Admin\AppData\Local\Temp\38a69dbb581af4f2f9dd2762e58adadb968e62f36b57143198bd2f45b5cdbdc1.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vrW84.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vrW84.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dTi36.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dTi36.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| RU | 193.233.20.12:4132 | | tcp |
| RU | 193.233.20.12:4132 | | tcp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.209.201.84.in-addr.arpa | udp |
| RU | 193.233.20.12:4132 | | tcp |
| US | 8.8.8.8:53 | 98.209.201.84.in-addr.arpa | udp |
| RU | 193.233.20.12:4132 | | tcp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| RU | 193.233.20.12:4132 | | tcp |
| RU | 193.233.20.12:4132 | | tcp |
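The table mixes two very different kinds of traffic: reverse (PTR) lookups sent to 8.8.8.8, which only tell you which addresses the guest was resolving names for, and the one direct connection, six TCP sessions to 193.233.20.12:4132 in RU. The report does not label that endpoint, but a single non-standard port contacted repeatedly by a RedLine sample is the network IOC to block and hunt for, and the in-addr.arpa names are easier to act on once they are turned back into the addresses they stand for. The following is an added example written for this page (not the sandbox vendor's code): it decodes PTR names back to addresses, generalised beyond this table to ip6.arpa as well, and separates resolver use, PTR targets, forward lookups and direct connections. The row list is a constructed copy of the table above.

```python
import ipaddress
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed copy of the rows in this report's Network table:
# (country, destination, queried name, protocol). An empty name means no DNS payload.
SAMPLE_NETWORK_ROWS: List[Tuple[str, str, str, str]] = [
    ("US", "8.8.8.8:53", "232.168.11.51.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "83.210.23.2.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "71.31.126.40.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "95.221.229.192.in-addr.arpa", "udp"),
    ("RU", "193.233.20.12:4132", "", "tcp"),
    ("RU", "193.233.20.12:4132", "", "tcp"),
    ("US", "8.8.8.8:53", "197.87.175.4.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "241.42.69.40.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "99.209.201.84.in-addr.arpa", "udp"),
    ("RU", "193.233.20.12:4132", "", "tcp"),
    ("US", "8.8.8.8:53", "98.209.201.84.in-addr.arpa", "udp"),
    ("RU", "193.233.20.12:4132", "", "tcp"),
    ("US", "8.8.8.8:53", "19.229.111.52.in-addr.arpa", "udp"),
    ("RU", "193.233.20.12:4132", "", "tcp"),
    ("RU", "193.233.20.12:4132", "", "tcp"),
]


def ptr_to_ip(name: str) -> Optional[str]:
    """Turn a reverse-DNS query name back into the address that was looked up.
    Handles in-addr.arpa (IPv4: four reversed octets) and ip6.arpa (IPv6: 32
    reversed nibbles); returns None for anything that is not a valid PTR name."""
    labels = name.lower().rstrip(".").split(".")
    if labels[-2:] == ["in-addr", "arpa"] and len(labels) == 6:
        try:
            return str(ipaddress.IPv4Address(".".join(reversed(labels[:4]))))
        except ValueError:
            return None
    if labels[-2:] == ["ip6", "arpa"] and len(labels) == 34:
        if any(len(label) != 1 for label in labels[:32]):
            return None
        nibbles = "".join(reversed(labels[:32]))
        try:
            return ipaddress.IPv6Address(":".join(nibbles[i:i + 4] for i in range(0, 32, 4))).compressed
        except ValueError:
            return None
    return None


def summarize(rows: List[Tuple[str, str, str, str]]) -> Dict[str, object]:
    """Split sandbox network rows into resolver use, the addresses behind PTR
    lookups, forward lookups, and direct (non-DNS) connections with hit counts."""
    resolvers = set()
    ptr_targets: List[str] = []
    forward: List[str] = []
    direct: Counter = Counter()
    for _country, dest, name, proto in rows:
        if proto == "udp" and dest.endswith(":53"):
            resolvers.add(dest)
            ip = ptr_to_ip(name)
            if ip:
                ptr_targets.append(ip)
            elif name:
                forward.append(name)
        else:
            direct[f"{dest}/{proto}"] += 1
    return {
        "resolvers": sorted(resolvers),
        "ptr_targets": ptr_targets,
        "forward_lookups": forward,
        "direct": dict(direct),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_NETWORK_ROWS).items():
        print(f"{key}: {value}")
```

For this detonation the summary comes out as one resolver (8.8.8.8:53), nine PTR targets, no forward lookups, and a single direct entry, 193.233.20.12:4132/tcp with six hits. The PTR targets are addresses the guest was talking to for some reason, most often Windows background services in a sandbox, and should be attributed before they are treated as IOCs; the direct connection needs no such caveat.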
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vrW84.exe
| MD5 | 3958dd8ac2a8746b927e9ac278aa66fd |
| SHA1 | c44b9d160613628015256846309f2a6fdf666944 |
| SHA256 | 152d9b91a6b37cbdb0bff999e8e2fdb21c5428a0aea7c8eb5f447c887fd0250c |
| SHA512 | 3d376334d19f6ed2589cf2e67e85613f1a1ae3ed856318ebe123e005b67b94678d43b4a94c72ae61e2453aea75419a90debc599b8fbfdeb355468a2488277c3e |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dTi36.exe
| MD5 | 24c46754103adc1ecce0a7e177f03bf2 |
| SHA1 | 72f06bb8c21d8da858a16399e2cd86be84f2e987 |
| SHA256 | 0130db5ed9a6d75757e9232d13d56033239b00afc7eeade437f96e377353181c |
| SHA512 | 55ec531b17b8c7f193f918ff2042b72c18f6e4a081acb6daffdc5801c0083d2fa582e06ca495dcd3c2b624f4b291f2fae61b4364452b45f1c8635d41acb70eef |
memory/2520-16-0x00000000023E0000-0x000000000242B000-memory.dmp
memory/2520-15-0x0000000000A40000-0x0000000000B40000-memory.dmp
memory/2520-17-0x0000000000400000-0x000000000044E000-memory.dmp
memory/2520-18-0x0000000000400000-0x00000000007B1000-memory.dmp
memory/2520-19-0x0000000004CF0000-0x0000000004D36000-memory.dmp
memory/2520-20-0x0000000004EC0000-0x0000000005464000-memory.dmp
memory/2520-21-0x0000000004D90000-0x0000000004DD4000-memory.dmp
memory/2520-23-0x0000000004D90000-0x0000000004DCE000-memory.dmp
memory/2520-41-0x0000000004D90000-0x0000000004DCE000-memory.dmp
memory/2520-39-0x0000000004D90000-0x0000000004DCE000-memory.dmp
memory/2520-37-0x0000000004D90000-0x0000000004DCE000-memory.dmp
memory/2520-35-0x0000000004D90000-0x0000000004DCE000-memory.dmp
memory/2520-33-0x0000000004D90000-0x0000000004DCE000-memory.dmp
memory/2520-85-0x0000000004D90000-0x0000000004DCE000-memory.dmp
memory/2520-83-0x0000000004D90000-0x0000000004DCE000-memory.dmp
memory/2520-79-0x0000000004D90000-0x0000000004DCE000-memory.dmp
memory/2520-77-0x0000000004D90000-0x0000000004DCE000-memory.dmp
memory/2520-75-0x0000000004D90000-0x0000000004DCE000-memory.dmp
memory/2520-74-0x0000000004D90000-0x0000000004DCE000-memory.dmp
memory/2520-71-0x0000000004D90000-0x0000000004DCE000-memory.dmp
memory/2520-67-0x0000000004D90000-0x0000000004DCE000-memory.dmp
memory/2520-65-0x0000000004D90000-0x0000000004DCE000-memory.dmp
memory/2520-63-0x0000000004D90000-0x0000000004DCE000-memory.dmp
memory/2520-61-0x0000000004D90000-0x0000000004DCE000-memory.dmp
memory/2520-59-0x0000000004D90000-0x0000000004DCE000-memory.dmp
memory/2520-57-0x0000000004D90000-0x0000000004DCE000-memory.dmp
memory/2520-53-0x0000000004D90000-0x0000000004DCE000-memory.dmp
memory/2520-51-0x0000000004D90000-0x0000000004DCE000-memory.dmp
memory/2520-49-0x0000000004D90000-0x0000000004DCE000-memory.dmp
memory/2520-47-0x0000000004D90000-0x0000000004DCE000-memory.dmp
memory/2520-45-0x0000000004D90000-0x0000000004DCE000-memory.dmp
memory/2520-43-0x0000000004D90000-0x0000000004DCE000-memory.dmp
memory/2520-31-0x0000000004D90000-0x0000000004DCE000-memory.dmp
memory/2520-29-0x0000000004D90000-0x0000000004DCE000-memory.dmp
memory/2520-25-0x0000000004D90000-0x0000000004DCE000-memory.dmp
memory/2520-81-0x0000000004D90000-0x0000000004DCE000-memory.dmp
memory/2520-69-0x0000000004D90000-0x0000000004DCE000-memory.dmp
memory/2520-56-0x0000000004D90000-0x0000000004DCE000-memory.dmp
memory/2520-28-0x0000000004D90000-0x0000000004DCE000-memory.dmp
memory/2520-22-0x0000000004D90000-0x0000000004DCE000-memory.dmp
memory/2520-928-0x0000000005470000-0x0000000005A88000-memory.dmp
memory/2520-929-0x0000000005A90000-0x0000000005B9A000-memory.dmp
memory/2520-930-0x0000000005BD0000-0x0000000005BE2000-memory.dmp
memory/2520-931-0x0000000005BF0000-0x0000000005C2C000-memory.dmp
memory/2520-932-0x0000000005D40000-0x0000000005D8C000-memory.dmp
memory/2520-933-0x0000000000A40000-0x0000000000B40000-memory.dmp
memory/2520-934-0x00000000023E0000-0x000000000242B000-memory.dmp
memory/2520-935-0x0000000000400000-0x000000000044E000-memory.dmp