Analysis Overview
SHA256
07c9d1fa427f5daf282a26639d9a1663852abc036d4e91a0c1bcecfed6ad0c5e
Threat Level: Known bad
The file 07c9d1fa427f5daf282a26639d9a1663852abc036d4e91a0c1bcecfed6ad0c5eN.exe was found to be: Known bad.
Malicious Activity Summary
RedLine
RedLine payload
Redline family
Executes dropped EXE
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 00:29
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 00:29
Reported
2024-11-13 00:31
Platform
win10v2004-20241007-en
Max time kernel
111s
Max time network
118s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
(35 hits recorded for this signature, all without indicator, process or target details.)
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vsh86.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vkI61.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dpr78.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\07c9d1fa427f5daf282a26639d9a1663852abc036d4e91a0c1bcecfed6ad0c5eN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vsh86.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vkI61.exe | N/A |
Note: RunOnce values named wextract_cleanupN that call advpack.dll,DelNodeRunDLL32 are the standard cleanup hook written by the Windows self-extracting (IExpress/wextract) stub; they delete the IXP00n.TMP extraction directory at next logon and do not start the payload. The three nested entries here show three layers of self-extracting wrapper (each dropped EXE is itself a wextract package), so this signature is a heuristic hit on packaging behaviour, not evidence of a run key pointing at the RedLine payload.
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vsh86.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vkI61.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dpr78.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\07c9d1fa427f5daf282a26639d9a1663852abc036d4e91a0c1bcecfed6ad0c5eN.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dpr78.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\07c9d1fa427f5daf282a26639d9a1663852abc036d4e91a0c1bcecfed6ad0c5eN.exe
"C:\Users\Admin\AppData\Local\Temp\07c9d1fa427f5daf282a26639d9a1663852abc036d4e91a0c1bcecfed6ad0c5eN.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vsh86.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vsh86.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vkI61.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vkI61.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dpr78.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dpr78.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| RU | 193.233.20.13:4136 | | tcp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| RU | 193.233.20.13:4136 | | tcp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.190.18.2.in-addr.arpa | udp |
| RU | 193.233.20.13:4136 | | tcp |
| RU | 193.233.20.13:4136 | | tcp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| RU | 193.233.20.13:4136 | | tcp |
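Triage of the Network table above, as an added example that is not part of the sandbox report: the UDP rows are reverse-DNS (PTR) lookups of in-addr.arpa names, which encode an IP address with its octets reversed and are usually issued by the analysis host rather than by the sample, so they should not be exported as domain indicators. The one non-DNS destination, 193.233.20.13:4136 over TCP, contacted five times, is the only candidate command-and-control endpoint in the capture. The parser below decodes the PTR names back to addresses for review and deduplicates the direct connections into an IOC list; the rows are copied from the table, and the parser also accepts the shifted Domain/Proto layout seen in some exports.

```python
"""Separate sandbox PTR lookups from the sample's direct connections and
build a deduplicated IOC list from a sandbox 'Network' table."""
import re
from collections import Counter

# Rows copied from the Network table of this report (no header row).
NETWORK_TABLE = """\
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| RU | 193.233.20.13:4136 | | tcp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| RU | 193.233.20.13:4136 | | tcp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.190.18.2.in-addr.arpa | udp |
| RU | 193.233.20.13:4136 | | tcp |
| RU | 193.233.20.13:4136 | | tcp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| RU | 193.233.20.13:4136 | | tcp |
"""

PROTOS = {"tcp", "udp"}
PTR_RE = re.compile(
    r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.in-addr\.arpa$", re.I)


def parse_row(line):
    """Parse one '| country | host:port | domain | proto |' row.

    The Domain and Proto cells are located by content, so a row whose
    empty Domain cell was dropped (e.g. '| RU | ip:port | tcp | |') still
    parses correctly.  Returns None for headers and malformed rows.
    """
    cells = [c.strip() for c in line.strip().strip("|").split("|")]
    if len(cells) < 3:
        return None
    country, dest = cells[0], cells[1]
    host, _, port = dest.rpartition(":")
    if not port.isdigit():
        return None
    rest = [c for c in cells[2:] if c]
    proto = next((c.lower() for c in rest if c.lower() in PROTOS), None)
    domain = next((c for c in rest if c.lower() not in PROTOS), None)
    return {"country": country, "host": host, "port": int(port),
            "domain": domain, "proto": proto}


def ptr_to_ip(name):
    """Decode 'd.c.b.a.in-addr.arpa' to 'a.b.c.d'; None if not a PTR name."""
    m = PTR_RE.match(name or "")
    return ".".join(reversed(m.groups())) if m else None


def triage(table):
    """Split rows into decoded PTR targets and counted direct connections."""
    ptr_targets, connections = [], Counter()
    for line in table.splitlines():
        row = parse_row(line)
        if row is None:
            continue
        ip = ptr_to_ip(row["domain"])
        if ip and row["port"] == 53:
            ptr_targets.append(ip)          # resolver traffic, not a sample IOC
        else:
            connections[(row["host"], row["port"], row["proto"])] += 1
    return {"ptr_targets": ptr_targets, "connections": dict(connections)}


def iocs(result):
    """Render the direct connections as network IOC lines, most frequent first."""
    ranked = sorted(result["connections"].items(), key=lambda kv: -kv[1])
    return [f"{h}:{p}/{proto} ({n} connection{'s' if n != 1 else ''})"
            for (h, p, proto), n in ranked]


if __name__ == "__main__":
    res = triage(NETWORK_TABLE)
    print("Candidate C2 / direct connections:")
    for line in iocs(res):
        print("  " + line)
    print("Addresses reverse-resolved by the host (review, do not export):")
    for ip in res["ptr_targets"]:
        print("  " + ip)
```

Run as a script it prints the single TCP endpoint with its connection count and the eight addresses behind the PTR queries; the same functions can be pointed at any report table in this layout.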
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vsh86.exe
| MD5 | 6b439981ec44a792dc8fc1c84759094a |
| SHA1 | fd7c90196c70d4eb0cc992c4195c4050847f88e5 |
| SHA256 | b4ccba2b67d3f344e245f78ab9759a90d99ed83c1d9538ea9d0e5cf80ac5cdb6 |
| SHA512 | 876d5d7a7be6dae4fa1b7396b2b024f0d8406573cb3ded1cf725dbdc90b88119cecc578dc294b5b1fb30e48059e1b915352e9823a9600c3fdcd0b1b2959b35f8 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vkI61.exe
| MD5 | ea82a9132d81fdd49514a643b82c5be9 |
| SHA1 | 8f8bc0f74456638dec6460e99f7dbfd55a20c463 |
| SHA256 | dbe5573ae2fd493a206dbae70c15c46a15f4c9c7620befdbd891c43a167751bd |
| SHA512 | 2b2a12479ebaf7cfc300c0cd3e162bfb9a7d7eb3e12aa27dd6d4cede3a6708d6e31df190a0cbb4062b0e37a0e726306b9ac80bc7a2907bece195327888db80be |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dpr78.exe
| MD5 | 8052d925dcd515d349e252a0d434e27c |
| SHA1 | 9a78f5daa0001a5d4f2c1e9439f4ce80f4ef15db |
| SHA256 | bd229d944fbb7266329eda429de3ac07f2a89729ee91d1f9dfda73ea3b6691cc |
| SHA512 | ed29c5bfa0123e5e0ee16afe72d2279139149eebe82b5aae572d714d1f1e1426c2d5484066c7b637f70732524733c27d3d0dda7cfda8a60c918c783a33f124de |
memory/2820-22-0x0000000002590000-0x00000000025D6000-memory.dmp
memory/2820-23-0x0000000004E90000-0x0000000005434000-memory.dmp
memory/2820-24-0x0000000004D90000-0x0000000004DD4000-memory.dmp
memory/2820-26-0x0000000004D90000-0x0000000004DCE000-memory.dmp
memory/2820-34-0x0000000004D90000-0x0000000004DCE000-memory.dmp
memory/2820-88-0x0000000004D90000-0x0000000004DCE000-memory.dmp
memory/2820-86-0x0000000004D90000-0x0000000004DCE000-memory.dmp
memory/2820-84-0x0000000004D90000-0x0000000004DCE000-memory.dmp
memory/2820-82-0x0000000004D90000-0x0000000004DCE000-memory.dmp
memory/2820-78-0x0000000004D90000-0x0000000004DCE000-memory.dmp
memory/2820-76-0x0000000004D90000-0x0000000004DCE000-memory.dmp
memory/2820-75-0x0000000004D90000-0x0000000004DCE000-memory.dmp
memory/2820-72-0x0000000004D90000-0x0000000004DCE000-memory.dmp
memory/2820-70-0x0000000004D90000-0x0000000004DCE000-memory.dmp
memory/2820-68-0x0000000004D90000-0x0000000004DCE000-memory.dmp
memory/2820-66-0x0000000004D90000-0x0000000004DCE000-memory.dmp
memory/2820-64-0x0000000004D90000-0x0000000004DCE000-memory.dmp
memory/2820-62-0x0000000004D90000-0x0000000004DCE000-memory.dmp
memory/2820-60-0x0000000004D90000-0x0000000004DCE000-memory.dmp
memory/2820-56-0x0000000004D90000-0x0000000004DCE000-memory.dmp
memory/2820-54-0x0000000004D90000-0x0000000004DCE000-memory.dmp
memory/2820-52-0x0000000004D90000-0x0000000004DCE000-memory.dmp
memory/2820-50-0x0000000004D90000-0x0000000004DCE000-memory.dmp
memory/2820-48-0x0000000004D90000-0x0000000004DCE000-memory.dmp
memory/2820-46-0x0000000004D90000-0x0000000004DCE000-memory.dmp
memory/2820-44-0x0000000004D90000-0x0000000004DCE000-memory.dmp
memory/2820-40-0x0000000004D90000-0x0000000004DCE000-memory.dmp
memory/2820-38-0x0000000004D90000-0x0000000004DCE000-memory.dmp
memory/2820-36-0x0000000004D90000-0x0000000004DCE000-memory.dmp
memory/2820-32-0x0000000004D90000-0x0000000004DCE000-memory.dmp
memory/2820-30-0x0000000004D90000-0x0000000004DCE000-memory.dmp
memory/2820-28-0x0000000004D90000-0x0000000004DCE000-memory.dmp
memory/2820-80-0x0000000004D90000-0x0000000004DCE000-memory.dmp
memory/2820-58-0x0000000004D90000-0x0000000004DCE000-memory.dmp
memory/2820-42-0x0000000004D90000-0x0000000004DCE000-memory.dmp
memory/2820-25-0x0000000004D90000-0x0000000004DCE000-memory.dmp
memory/2820-931-0x0000000005440000-0x0000000005A58000-memory.dmp
memory/2820-932-0x0000000005A60000-0x0000000005B6A000-memory.dmp
memory/2820-933-0x0000000005B80000-0x0000000005B92000-memory.dmp
memory/2820-934-0x0000000005BA0000-0x0000000005BDC000-memory.dmp
memory/2820-935-0x0000000005CF0000-0x0000000005D3C000-memory.dmp
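The dump names above follow the pattern memory/PID-sequence-start-end-memory.dmp, all from PID 2820. Grouping them by address range, as an added example that is not part of the report, shows that one 0x3E000-byte region at 0x4D90000-0x4DCE000 was captured 33 times across sequence numbers 25 to 88 while the remaining eight regions were captured once each; a region re-dumped that often is where the sandbox scanner kept matching and is the first one to carve when looking for the unpacked payload and its configuration. The listing is copied verbatim from the Files section; the grouping and ranking logic is the added part.

```python
"""Group sandbox memory dumps by address range and rank the ranges by how
often they were captured, so the analyst knows which dump to carve first."""
import re
from collections import defaultdict

# The 41 dump names from the Files section of this report.
MEMORY_DUMPS = """\
memory/2820-22-0x0000000002590000-0x00000000025D6000-memory.dmp
memory/2820-23-0x0000000004E90000-0x0000000005434000-memory.dmp
memory/2820-24-0x0000000004D90000-0x0000000004DD4000-memory.dmp
memory/2820-26-0x0000000004D90000-0x0000000004DCE000-memory.dmp
memory/2820-34-0x0000000004D90000-0x0000000004DCE000-memory.dmp
memory/2820-88-0x0000000004D90000-0x0000000004DCE000-memory.dmp
memory/2820-86-0x0000000004D90000-0x0000000004DCE000-memory.dmp
memory/2820-84-0x0000000004D90000-0x0000000004DCE000-memory.dmp
memory/2820-82-0x0000000004D90000-0x0000000004DCE000-memory.dmp
memory/2820-78-0x0000000004D90000-0x0000000004DCE000-memory.dmp
memory/2820-76-0x0000000004D90000-0x0000000004DCE000-memory.dmp
memory/2820-75-0x0000000004D90000-0x0000000004DCE000-memory.dmp
memory/2820-72-0x0000000004D90000-0x0000000004DCE000-memory.dmp
memory/2820-70-0x0000000004D90000-0x0000000004DCE000-memory.dmp
memory/2820-68-0x0000000004D90000-0x0000000004DCE000-memory.dmp
memory/2820-66-0x0000000004D90000-0x0000000004DCE000-memory.dmp
memory/2820-64-0x0000000004D90000-0x0000000004DCE000-memory.dmp
memory/2820-62-0x0000000004D90000-0x0000000004DCE000-memory.dmp
memory/2820-60-0x0000000004D90000-0x0000000004DCE000-memory.dmp
memory/2820-56-0x0000000004D90000-0x0000000004DCE000-memory.dmp
memory/2820-54-0x0000000004D90000-0x0000000004DCE000-memory.dmp
memory/2820-52-0x0000000004D90000-0x0000000004DCE000-memory.dmp
memory/2820-50-0x0000000004D90000-0x0000000004DCE000-memory.dmp
memory/2820-48-0x0000000004D90000-0x0000000004DCE000-memory.dmp
memory/2820-46-0x0000000004D90000-0x0000000004DCE000-memory.dmp
memory/2820-44-0x0000000004D90000-0x0000000004DCE000-memory.dmp
memory/2820-40-0x0000000004D90000-0x0000000004DCE000-memory.dmp
memory/2820-38-0x0000000004D90000-0x0000000004DCE000-memory.dmp
memory/2820-36-0x0000000004D90000-0x0000000004DCE000-memory.dmp
memory/2820-32-0x0000000004D90000-0x0000000004DCE000-memory.dmp
memory/2820-30-0x0000000004D90000-0x0000000004DCE000-memory.dmp
memory/2820-28-0x0000000004D90000-0x0000000004DCE000-memory.dmp
memory/2820-80-0x0000000004D90000-0x0000000004DCE000-memory.dmp
memory/2820-58-0x0000000004D90000-0x0000000004DCE000-memory.dmp
memory/2820-42-0x0000000004D90000-0x0000000004DCE000-memory.dmp
memory/2820-25-0x0000000004D90000-0x0000000004DCE000-memory.dmp
memory/2820-931-0x0000000005440000-0x0000000005A58000-memory.dmp
memory/2820-932-0x0000000005A60000-0x0000000005B6A000-memory.dmp
memory/2820-933-0x0000000005B80000-0x0000000005B92000-memory.dmp
memory/2820-934-0x0000000005BA0000-0x0000000005BDC000-memory.dmp
memory/2820-935-0x0000000005CF0000-0x0000000005D3C000-memory.dmp
"""

DUMP_RE = re.compile(
    r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


def parse_dump(name):
    """Split 'memory/PID-seq-start-end-memory.dmp' into its fields."""
    m = DUMP_RE.match(name.strip())
    if not m:
        return None
    pid, seq, start, end = m.groups()
    start, end = int(start, 16), int(end, 16)
    return {"pid": int(pid), "seq": int(seq),
            "start": start, "end": end, "size": end - start}


def group_regions(listing):
    """Map (pid, start, end) -> sorted list of sequence numbers captured."""
    regions = defaultdict(list)
    for line in listing.splitlines():
        d = parse_dump(line)
        if d:
            regions[(d["pid"], d["start"], d["end"])].append(d["seq"])
    return {k: sorted(v) for k, v in regions.items()}


def summarize(listing):
    """One row per region, most frequently captured first."""
    rows = []
    for (pid, start, end), seqs in group_regions(listing).items():
        rows.append({"pid": pid, "start": start, "end": end, "size": end - start,
                     "hits": len(seqs), "first_seq": seqs[0], "last_seq": seqs[-1]})
    rows.sort(key=lambda r: (-r["hits"], r["start"]))
    return rows


if __name__ == "__main__":
    for r in summarize(MEMORY_DUMPS):
        print(f"pid {r['pid']} 0x{r['start']:X}-0x{r['end']:X} "
              f"size 0x{r['size']:X} ({r['size'] // 1024} KiB) "
              f"captured {r['hits']}x, seq {r['first_seq']}..{r['last_seq']}")
```

The first line of the output is the region to carve: small enough (248 KiB) to be a loaded .NET module rather than a heap, and captured repeatedly through the run. The single large captures near the end (the 0x618000-byte block at 0x5440000 is the biggest) are more likely heap or stolen-data buffers and can be looked at second.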