Analysis Overview
SHA256
8624da9141750c81f59048be74be5682cdeffa370a581f04ed54a2160d1dda48
Threat Level: Known bad
The file DisableFamiliesViewSteam.rar was found to be: Known bad.
Malicious Activity Summary
RedLine payload
RedLine
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of SetThreadContext
Enumerates physical storage devices
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-20 10:21
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-20 10:21
Reported
2024-05-20 10:21
Platform
win10v2004-20240426-en
Max time kernel
7s
Max time network
10s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\DisableFamiliesViewSteam.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1223.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mowgang.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1223.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 216 set thread context of 2772 | N/A | C:\Users\Admin\AppData\Local\Temp\1223.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\DisableFamiliesViewSteam.exe
"C:\Users\Admin\AppData\Local\Temp\DisableFamiliesViewSteam.exe"
C:\Users\Admin\AppData\Local\Temp\1223.exe
"C:\Users\Admin\AppData\Local\Temp\1223.exe"
C:\Users\Admin\AppData\Local\Temp\mowgang.exe
"C:\Users\Admin\AppData\Local\Temp\mowgang.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.136.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.129:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| NL | 23.62.61.129:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 129.61.62.23.in-addr.arpa | udp |
| RU | 89.23.100.72:21038 | N/A | tcp |
| US | 8.8.8.8:53 | 72.100.23.89.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\1223.exe
| MD5 | 3aee694d5be41a350239eecd6efc8a96 |
| SHA1 | 54a1e0c86ea5d97d4dd9916115b25a674d8e161e |
| SHA256 | 443cab0cea8162a275ffae4e511afb653e1ae558f81d5d9401253b48c99a2052 |
| SHA512 | aa6d71f3d92e42da0a32bc70514893938440f18d8ffa1773dff9aa594c81edc12bade432480ac3022666dc4a67f8f25884515fe9e2e668f20eade4f6870f9036 |
C:\Users\Admin\AppData\Local\Temp\mowgang.exe
| MD5 | 70f5712af69e43e691a6adef7f971f6b |
| SHA1 | 326dbcbd77dbe38fd938684f2a506b9bf8dcdfd7 |
| SHA256 | 64a25f655a4280eebfafb1df35fe8dcf19962438987a5cf6dfcfb444ab7b54af |
| SHA512 | b3eac71db8faddb98bb8138e6e351c799e168ecb7077f98b0ecfac8087e771b61a3fe631a1b0f451077160442ba6a46960c4aa4f3324c37e05ea29f7e13f113f |
memory/216-20-0x0000000072E5E000-0x0000000072E5F000-memory.dmp
memory/3512-22-0x0000000000400000-0x0000000000422000-memory.dmp
memory/216-23-0x0000000000C20000-0x0000000001340000-memory.dmp
memory/216-24-0x00000000055C0000-0x00000000055C1000-memory.dmp
C:\Users\Admin\AppData\Roaming\d3d9.dll
| MD5 | 878014e9987f80f6c50801b67aaf040c |
| SHA1 | 03bfaab4f356a60e79c757bafac22738c0e6a95e |
| SHA256 | 1af5766f944c2bc06ede847876a50190def6cb3959e6620162028badf122162b |
| SHA512 | b71e5e512cd57a9a3c12a8d006b05e611d7215de16f6994166469fd8a01349eaaa9924cf029d955db5d99a00522c21fab588e13e4ff9add702da8d411f187ff0 |