Analysis Overview
SHA256
1b4b695ff0e3c2bb369e4ae2614f6c3cd71862a86bcc6baadf733fadf9279c5d
Threat Level: Known bad
The file 2468-60-0x0000000003540000-0x0000000003574000-memory.dmp was found to be: Known bad. The name follows the same dump naming used in the Files sections below (process, dump index, start and end address): it is the 0x34000-byte (208 KiB) region 0x3540000-0x3574000 dumped from process 2468, and the behavioral runs below detonate it after renaming it to .exe, so the parent process that originally held it is not part of this report.
Malicious Activity Summary
Redline family
RedLine
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-08-13 03:54
Signatures
Redline family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2023-08-13 03:54
Reported
2023-08-13 03:57
Platform
win10v2004-20230703-en
Max time kernel
124s
Max time network
130s
Command Line
Signatures
RedLine
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2468-60-0x0000000003540000-0x0000000003574000-memory.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\2468-60-0x0000000003540000-0x0000000003574000-memory.exe
"C:\Users\Admin\AppData\Local\Temp\2468-60-0x0000000003540000-0x0000000003574000-memory.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 126.128.241.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 108.211.229.192.in-addr.arpa | udp |
| PL | 51.83.170.21:19447 | | tcp |
| US | 8.8.8.8:53 | 21.170.83.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 126.130.255.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.13.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 6.173.189.20.in-addr.arpa | udp |
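The network table above is mostly reverse-DNS (PTR) queries to 8.8.8.8, with a single direct TCP connection to 51.83.170.21:19447 (the same endpoint appears in the behavioral1 run below). The in-addr.arpa names are IPv4 addresses written octet-reversed, so the table can be turned into IOCs mechanically, and doing so shows that one of the PTR queries (21.170.83.51.in-addr.arpa) is a lookup of the C2 address itself. The following script is an added example written for this page, not part of the sandbox output; the table rows are embedded as a constructed copy of the rows above, and the `extract_iocs` result layout is my own choice.

```python
import ipaddress
import re

# Constructed copy of the behavioral2 Network table above (Country, Destination,
# Domain, Proto). The PL row has an empty Domain cell and "tcp" in the Proto cell.
NETWORK_ROWS = """\
| US | 8.8.8.8:53 | 126.128.241.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 108.211.229.192.in-addr.arpa | udp |
| PL | 51.83.170.21:19447 | | tcp |
| US | 8.8.8.8:53 | 21.170.83.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 126.130.255.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.13.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 6.173.189.20.in-addr.arpa | udp |
"""

PTR_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)\.in-addr\.arpa$")


def ptr_to_ip(name):
    """Recover the IPv4 address a PTR name asks about, or None if not a PTR name."""
    m = PTR_RE.match(name.strip())
    if not m:
        return None
    # in-addr.arpa labels list the octets least-significant first, so reverse them.
    octets = m.groups()[::-1]
    return str(ipaddress.IPv4Address(".".join(octets)))


def parse_rows(table):
    """Parse pipe-table rows into dicts; rows without exactly four cells are skipped."""
    rows = []
    for line in table.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4:
            continue
        country, dest, domain, proto = cells
        host, _, port = dest.rpartition(":")
        rows.append({"country": country, "ip": host, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def extract_iocs(table):
    """Split the table into resolver traffic, direct connections and PTR targets."""
    rows = parse_rows(table)
    resolvers = {f"{r['ip']}:{r['port']}" for r in rows
                 if r["domain"].endswith(".in-addr.arpa")}
    # Direct connections: no domain attached, not DNS.
    c2 = sorted({(r["ip"], r["port"], r["proto"]) for r in rows
                 if r["proto"] == "tcp" and not r["domain"]})
    ptr_targets = [ip for ip in (ptr_to_ip(r["domain"]) for r in rows if r["domain"]) if ip]
    c2_ips = {ip for ip, _, _ in c2}
    # PTR queries whose target is one of the direct-connection hosts: the sample
    # resolved its own C2 address in reverse.
    c2_ptr_lookups = [ip for ip in ptr_targets if ip in c2_ips]
    return {"resolvers": sorted(resolvers), "c2": c2,
            "ptr_targets": ptr_targets, "c2_ptr_lookups": c2_ptr_lookups}


if __name__ == "__main__":
    iocs = extract_iocs(NETWORK_ROWS)
    for ip, port, proto in iocs["c2"]:
        print(f"direct connection: {ip}:{port}/{proto}")
    print("reverse-lookup targets:", ", ".join(iocs["ptr_targets"]))
    print("C2 address also reverse-resolved:", iocs["c2_ptr_lookups"])
```

Only the direct TCP endpoint should be treated as a blocking indicator; the other PTR targets are addresses the sandbox host resolved during the run and the table gives no basis for attributing them to the sample.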
Files
memory/1620-133-0x00000000753B0000-0x0000000075B60000-memory.dmp
memory/1620-134-0x0000000000610000-0x0000000000644000-memory.dmp
memory/1620-135-0x000000000AAD0000-0x000000000B0E8000-memory.dmp
memory/1620-136-0x000000000A5C0000-0x000000000A6CA000-memory.dmp
memory/1620-138-0x000000000A500000-0x000000000A512000-memory.dmp
memory/1620-137-0x0000000005120000-0x0000000005130000-memory.dmp
memory/1620-139-0x000000000A560000-0x000000000A59C000-memory.dmp
memory/1620-140-0x00000000753B0000-0x0000000075B60000-memory.dmp
memory/1620-141-0x000000000A870000-0x000000000A8E6000-memory.dmp
memory/1620-142-0x000000000A990000-0x000000000AA22000-memory.dmp
memory/1620-143-0x000000000B6A0000-0x000000000BC44000-memory.dmp
memory/1620-144-0x000000000AA30000-0x000000000AA96000-memory.dmp
memory/1620-145-0x000000000B5B0000-0x000000000B600000-memory.dmp
memory/1620-146-0x0000000005120000-0x0000000005130000-memory.dmp
memory/1620-147-0x000000000CBD0000-0x000000000CD92000-memory.dmp
memory/1620-148-0x000000000D2D0000-0x000000000D7FC000-memory.dmp
memory/1620-150-0x00000000753B0000-0x0000000075B60000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2023-08-13 03:54
Reported
2023-08-13 03:57
Platform
win7-20230712-en
Max time kernel
117s
Max time network
120s
Command Line
Signatures
RedLine
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2468-60-0x0000000003540000-0x0000000003574000-memory.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2468-60-0x0000000003540000-0x0000000003574000-memory.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2468-60-0x0000000003540000-0x0000000003574000-memory.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2468-60-0x0000000003540000-0x0000000003574000-memory.exe | N/A |
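Both behavioral runs report the same token adjustment: the detonated binary, running from the user's Temp directory, enables SeDebugPrivilege via AdjustTokenPrivileges, the privilege needed to open other users' processes (the EnumeratesProcesses signature is the usual companion). On an audited Windows host this is visible as Security event 4703 ("A token right was adjusted"), which is only logged when the Token Right Adjusted audit subcategory under Detailed Tracking is enabled. The script below is an added detection example written for this page, not sandbox output: it runs the rule "SeDebugPrivilege enabled by an image in a user-writable directory" over constructed 4703 records whose field names (ProcessName, EnabledPrivilegeList) mirror the event's Process Name and Enabled Privileges fields. The record contents, the `USER_WRITABLE` prefix list and the function names are assumptions for the example.

```python
import re

# Constructed Security event records for the example (not from this report's runs).
# 4703 = "A token right was adjusted"; 4688 = process creation, included as noise.
SAMPLE_EVENTS = [
    {"EventID": 4703,
     "ProcessName": r"C:\Users\Admin\AppData\Local\Temp\2468-60-0x0000000003540000-0x0000000003574000-memory.exe",
     "EnabledPrivilegeList": "SeDebugPrivilege", "DisabledPrivilegeList": "-"},
    {"EventID": 4703,
     "ProcessName": r"C:\Windows\System32\svchost.exe",
     "EnabledPrivilegeList": "SeDebugPrivilege", "DisabledPrivilegeList": "-"},
    {"EventID": 4703,
     "ProcessName": r"C:\Users\Admin\AppData\Local\Temp\setup.exe",
     "EnabledPrivilegeList": "SeIncreaseWorkingSetPrivilege", "DisabledPrivilegeList": "-"},
    {"EventID": 4688,
     "ProcessName": r"C:\Users\Admin\AppData\Local\Temp\setup.exe"},
]

# Path fragments (assumed list) that mark locations an unprivileged user can write to.
# Lower-case with surrounding backslashes so "\temp\" does not match "\template\".
USER_WRITABLE = (
    "\\appdata\\local\\temp\\",
    "\\appdata\\roaming\\",
    "\\downloads\\",
    "\\users\\public\\",
)


def is_user_writable(path):
    """True if the image path lies under one of the user-writable locations."""
    lower = path.lower()
    return any(fragment in lower for fragment in USER_WRITABLE)


def enabled_privileges(event):
    """Parse the Enabled Privileges field; the event lists names separated by
    whitespace/newlines, or '-' when nothing was enabled."""
    raw = event.get("EnabledPrivilegeList", "")
    return {p for p in re.split(r"[\s,;]+", raw) if p and p != "-"}


def detect_sedebug_from_user_dir(events):
    """Return image paths that enabled SeDebugPrivilege from a user-writable directory."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 4703:
            continue
        if "SeDebugPrivilege" not in enabled_privileges(ev):
            continue
        if is_user_writable(ev.get("ProcessName", "")):
            hits.append(ev["ProcessName"])
    return hits


if __name__ == "__main__":
    for path in detect_sedebug_from_user_dir(SAMPLE_EVENTS):
        print("SeDebugPrivilege enabled from user-writable path:", path)
```

The path filter is what keeps the rule quiet: plenty of legitimate system and management software enables SeDebugPrivilege, but it does so from Program Files or System32, so the svchost.exe record above is deliberately not a hit. Tighten or widen `USER_WRITABLE` to match the environment, and pair the rule with the 4688 parent-process record to see what dropped the image into Temp.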
Processes
C:\Users\Admin\AppData\Local\Temp\2468-60-0x0000000003540000-0x0000000003574000-memory.exe
"C:\Users\Admin\AppData\Local\Temp\2468-60-0x0000000003540000-0x0000000003574000-memory.exe"
Network
| Country | Destination | Domain | Proto |
| PL | 51.83.170.21:19447 | | tcp |
Files
memory/2896-54-0x0000000001060000-0x0000000001094000-memory.dmp
memory/2896-55-0x00000000746E0000-0x0000000074DCE000-memory.dmp
memory/2896-56-0x0000000000300000-0x0000000000306000-memory.dmp
memory/2896-57-0x0000000000FC0000-0x0000000001000000-memory.dmp
memory/2896-58-0x00000000746E0000-0x0000000074DCE000-memory.dmp
memory/2896-59-0x0000000000FC0000-0x0000000001000000-memory.dmp
memory/2896-60-0x00000000746E0000-0x0000000074DCE000-memory.dmp