Analysis Overview
SHA256
715fe05b0bdce41a6c1997a99cac8b9d2ae7072c612faf7bc25f2a49145817d1
Threat Level: Known bad
The file 715fe05b0bdce41a6c1997a99cac8b9d2ae7072c612faf7bc25f2a49145817d1N was found to be: Known bad.
Malicious Activity Summary
RedLine
RedLine payload
Redline family
Executes dropped EXE
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 12:51
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 12:51
Reported
2024-11-13 12:53
Platform
win10v2004-20241007-en
Max time kernel
106s
Max time network
115s
Command Line
Signatures
RedLine
RedLine payload
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i08177316.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a79313029.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i08177316.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\715fe05b0bdce41a6c1997a99cac8b9d2ae7072c612faf7bc25f2a49145817d1N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\715fe05b0bdce41a6c1997a99cac8b9d2ae7072c612faf7bc25f2a49145817d1N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i08177316.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a79313029.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\715fe05b0bdce41a6c1997a99cac8b9d2ae7072c612faf7bc25f2a49145817d1N.exe
"C:\Users\Admin\AppData\Local\Temp\715fe05b0bdce41a6c1997a99cac8b9d2ae7072c612faf7bc25f2a49145817d1N.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i08177316.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i08177316.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a79313029.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a79313029.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| RU | 185.161.248.73:4164 | | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| RU | 185.161.248.73:4164 | | tcp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| RU | 185.161.248.73:4164 | | tcp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| RU | 185.161.248.73:4164 | | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| RU | 185.161.248.73:4164 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i08177316.exe
| MD5 | ee33710c8057acb64e9ca7c1f9e07673 |
| SHA1 | 2b06e4119398dd8f16674341e5adf95ba9f70375 |
| SHA256 | 28a46b6b121e238b2c07f77a4281c23fe21d24fa8e3561647f3f681386ded443 |
| SHA512 | 2d379c140ca31aebc88627cb45535eb11678e0548ecc07b6d49dc3e3c8fe611e9121e60283aa7a0f3adc340430edac5957b5738cc3ae81796843aeafd5df17dc |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a79313029.exe
| MD5 | b9dbcf7dc0ebc9b366d7f0c3f1bc1f61 |
| SHA1 | 04ccea00069151a3dd221b7e9acdcdff642a0e14 |
| SHA256 | 9d10117658b96e7f6245411deab4faee01910d330722bde839f39b57436d020e |
| SHA512 | 291d302bad96d6ebefe769490f6c966bd96d4478a63fc8c7462c6d7bfb415929cfc74d6fd19bb63ced349543b812076cb7f6ead37dd26b5ed444126025b3a7f5 |