Analysis Overview
SHA256
67cb2ea56280aa1267015b3ac9034584d84e338ca2c7f82d4c6edc816448324a
Threat Level: Known bad
The file 67cb2ea56280aa1267015b3ac9034584d84e338ca2c7f82d4c6edc816448324a was found to be: Known bad.
Malicious Activity Summary
RedLine
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-07-23 11:40
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-07-23 11:40
Reported
2023-07-23 11:43
Platform
win10-20230703-en
Max time kernel
94s
Max time network
98s
Command Line
Signatures
RedLine
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\67cb2ea56280aa1267015b3ac9034584d84e338ca2c7f82d4c6edc816448324a.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\67cb2ea56280aa1267015b3ac9034584d84e338ca2c7f82d4c6edc816448324a.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\67cb2ea56280aa1267015b3ac9034584d84e338ca2c7f82d4c6edc816448324a.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\67cb2ea56280aa1267015b3ac9034584d84e338ca2c7f82d4c6edc816448324a.exe
"C:\Users\Admin\AppData\Local\Temp\67cb2ea56280aa1267015b3ac9034584d84e338ca2c7f82d4c6edc816448324a.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| FR | 178.32.90.250:29608 | | tcp |
| US | 8.8.8.8:53 | 250.90.32.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 63.13.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.57.101.20.in-addr.arpa | udp |
Files