Analysis Overview
SHA256
0c5c2b10c3161ad9452c25d4a10e082ec94f0eb39b583c03ab3534a5e45649a0
Threat Level: Known bad
The file 0c5c2b10c3161ad9452c25d4a10e082ec94f0eb39b583c03ab3534a5e45649a0 was found to be: Known bad.
Malicious Activity Summary
RedLine
RedLine payload
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Unsigned PE
Program crash
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-08 23:14
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-08 23:14
Reported
2024-04-08 23:16
Platform
win11-20240221-en
Max time kernel
149s
Max time network
158s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\0c5c2b10c3161ad9452c25d4a10e082ec94f0eb39b583c03ab3534a5e45649a0.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\0c5c2b10c3161ad9452c25d4a10e082ec94f0eb39b583c03ab3534a5e45649a0.exe
"C:\Users\Admin\AppData\Local\Temp\0c5c2b10c3161ad9452c25d4a10e082ec94f0eb39b583c03ab3534a5e45649a0.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.68.143:443 | pastebin.com | tcp |
| MD | 94.103.188.162:443 | sy.slo5prc.top | tcp |
Files
memory/1548-0-0x00000000009C0000-0x00000000009E2000-memory.dmp
memory/1548-4-0x00000000745C0000-0x0000000074D71000-memory.dmp
memory/1548-5-0x0000000005050000-0x00000000050B6000-memory.dmp
memory/1548-6-0x0000000005BE0000-0x00000000061F8000-memory.dmp
memory/1548-7-0x0000000005600000-0x0000000005612000-memory.dmp
memory/1548-8-0x0000000005730000-0x000000000583A000-memory.dmp
memory/1548-9-0x00000000051B0000-0x00000000051C0000-memory.dmp
memory/1548-10-0x0000000006680000-0x00000000066BC000-memory.dmp
memory/1548-11-0x00000000066C0000-0x000000000670C000-memory.dmp
memory/1548-12-0x00000000069F0000-0x0000000006BB2000-memory.dmp
memory/1548-13-0x00000000070F0000-0x000000000761C000-memory.dmp
memory/1548-14-0x0000000006BC0000-0x0000000006C52000-memory.dmp
memory/1548-15-0x0000000007BD0000-0x0000000008176000-memory.dmp
memory/1548-16-0x0000000006CE0000-0x0000000006D56000-memory.dmp
memory/1548-17-0x0000000006C90000-0x0000000006CAE000-memory.dmp
memory/1548-18-0x0000000006E20000-0x0000000006E70000-memory.dmp
memory/1548-21-0x00000000745C0000-0x0000000074D71000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-08 23:14
Reported
2024-04-08 23:16
Platform
win10v2004-20240226-en
Max time kernel
139s
Max time network
160s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\0c5c2b10c3161ad9452c25d4a10e082ec94f0eb39b583c03ab3534a5e45649a0.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\0c5c2b10c3161ad9452c25d4a10e082ec94f0eb39b583c03ab3534a5e45649a0.exe
"C:\Users\Admin\AppData\Local\Temp\0c5c2b10c3161ad9452c25d4a10e082ec94f0eb39b583c03ab3534a5e45649a0.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4400 -ip 4400
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4400 -s 244
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3704 --field-trial-handle=2252,i,16022092570067181109,3235558581947505669,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 63.141.182.52.in-addr.arpa | udp |