Analysis Overview
SHA256
cd0a41dd6a4877a00dce17561da67e03b99a6d88886be9b4b035735d16f1429d
Threat Level: Known bad
The file cd0a41dd6a4877a00dce17561da67e03b99a6d88886be9b4b035735d16f1429d was found to be: Known bad.
Malicious Activity Summary
RedLine
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of SetThreadContext
Program crash
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-09-25 04:48
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-09-25 04:48
Reported
2023-09-25 04:53
Platform
win7-20230831-en
Max time kernel
118s
Max time network
122s
Command Line
Signatures
RedLine
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1732 set thread context of 3016 | N/A | C:\Users\Admin\AppData\Local\Temp\cd0a41dd6a4877a00dce17561da67e03b99a6d88886be9b4b035735d16f1429d.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Program crash
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\cd0a41dd6a4877a00dce17561da67e03b99a6d88886be9b4b035735d16f1429d.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\cd0a41dd6a4877a00dce17561da67e03b99a6d88886be9b4b035735d16f1429d.exe
"C:\Users\Admin\AppData\Local\Temp\cd0a41dd6a4877a00dce17561da67e03b99a6d88886be9b4b035735d16f1429d.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1732 -s 52
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| PL | 146.59.10.173:45035 | N/A | tcp |
Files
memory/3016-0-0x0000000000400000-0x0000000000430000-memory.dmp
memory/3016-2-0x0000000000400000-0x0000000000430000-memory.dmp
memory/3016-4-0x0000000000400000-0x0000000000430000-memory.dmp
memory/3016-6-0x0000000000400000-0x0000000000430000-memory.dmp
memory/3016-8-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp
memory/3016-9-0x0000000000400000-0x0000000000430000-memory.dmp
memory/3016-13-0x0000000000400000-0x0000000000430000-memory.dmp
memory/3016-11-0x0000000000400000-0x0000000000430000-memory.dmp
memory/3016-14-0x0000000073DD0000-0x00000000744BE000-memory.dmp
memory/3016-15-0x00000000003E0000-0x00000000003E6000-memory.dmp
memory/3016-16-0x0000000004A40000-0x0000000004A80000-memory.dmp
memory/3016-17-0x0000000073DD0000-0x00000000744BE000-memory.dmp
memory/3016-18-0x0000000004A40000-0x0000000004A80000-memory.dmp
memory/3016-19-0x0000000073DD0000-0x00000000744BE000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-09-25 04:48
Reported
2023-09-25 04:53
Platform
win10-20230915-en
Max time kernel
188s
Max time network
294s
Command Line
Signatures
RedLine
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1500 set thread context of 3268 | N/A | C:\Users\Admin\AppData\Local\Temp\cd0a41dd6a4877a00dce17561da67e03b99a6d88886be9b4b035735d16f1429d.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Program crash
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\cd0a41dd6a4877a00dce17561da67e03b99a6d88886be9b4b035735d16f1429d.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\cd0a41dd6a4877a00dce17561da67e03b99a6d88886be9b4b035735d16f1429d.exe
"C:\Users\Admin\AppData\Local\Temp\cd0a41dd6a4877a00dce17561da67e03b99a6d88886be9b4b035735d16f1429d.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1500 -s 228
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | f.8.3.8.0.2.1.d.f.d.1.8.5.3.4.0.8.f.7.1.4.4.8.5.8.0.8.0.8.0.8.0.ip6.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| PL | 146.59.10.173:45035 | N/A | tcp |
| US | 8.8.8.8:53 | 173.10.59.146.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 96.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp |
Files
memory/3268-0-0x0000000000400000-0x0000000000430000-memory.dmp
memory/3268-4-0x00000000731E0000-0x00000000738CE000-memory.dmp
memory/3268-5-0x0000000006960000-0x0000000006966000-memory.dmp
memory/3268-6-0x000000000E9B0000-0x000000000EFB6000-memory.dmp
memory/3268-7-0x000000000E4F0000-0x000000000E5FA000-memory.dmp
memory/3268-9-0x000000000E420000-0x000000000E432000-memory.dmp
memory/3268-8-0x0000000009010000-0x0000000009020000-memory.dmp
memory/3268-10-0x000000000E480000-0x000000000E4BE000-memory.dmp
memory/3268-11-0x000000000E600000-0x000000000E64B000-memory.dmp
memory/3268-16-0x000000000E7A0000-0x000000000E816000-memory.dmp
memory/3268-17-0x000000000E8C0000-0x000000000E952000-memory.dmp
memory/3268-18-0x000000000F4C0000-0x000000000F9BE000-memory.dmp
memory/3268-21-0x000000000EFC0000-0x000000000F026000-memory.dmp
memory/3268-22-0x00000000731E0000-0x00000000738CE000-memory.dmp
memory/3268-269-0x000000000FC90000-0x000000000FE52000-memory.dmp
memory/3268-270-0x0000000010390000-0x00000000108BC000-memory.dmp
memory/3268-283-0x0000000009010000-0x0000000009020000-memory.dmp
memory/3268-392-0x000000000FC40000-0x000000000FC90000-memory.dmp
memory/3268-403-0x00000000731E0000-0x00000000738CE000-memory.dmp