Analysis Overview
SHA256
64802b822518e9531aa9bbe7b681e07f48b2865892d9605fb88566b5523f392f
Threat Level: Known bad
The file 64802b822518e9531aa9bbe7b681e07f48b2865892d9605fb88566b5523f392f was found to be: Known bad.
Malicious Activity Summary
RedLine payload
RedLine
Loads dropped DLL
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of SetThreadContext
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-04 22:37
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-04 22:37
Reported
2024-07-04 22:42
Platform
win7-20240704-en
Max time kernel
237s
Max time network
238s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\64802b822518e9531aa9bbe7b681e07f48b2865892d9605fb88566b5523f392f.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\64802b822518e9531aa9bbe7b681e07f48b2865892d9605fb88566b5523f392f.exe
"C:\Users\Admin\AppData\Local\Temp\64802b822518e9531aa9bbe7b681e07f48b2865892d9605fb88566b5523f392f.exe"
Network
Files
memory/3008-0-0x00000000747FE000-0x00000000747FF000-memory.dmp
memory/3008-1-0x0000000001230000-0x0000000001294000-memory.dmp
memory/3008-2-0x00000000004D0000-0x00000000004D6000-memory.dmp
\Users\Admin\AppData\Roaming\d3d9.dll
| MD5 | 855707da714f67eb0a60d2b850cef20f |
| SHA1 | df8ef101ba0bd2881472d488ef164496b9781ad0 |
| SHA256 | 632f9b221e4f92282ccdd5a0a76039a14f5838e1cdace8e99dd8d81e95bc6bfb |
| SHA512 | 3896fdc1932b1a05dd14ad99885c9f05fe858fd9c01356bccc5e746072425a053478b5c5b6cd42f1b46c2bf3d99614f5fded345a351c8d7990636b2dbfe96a27 |
memory/3008-7-0x0000000076EE0000-0x0000000076FA1000-memory.dmp
memory/3008-8-0x00000000747F0000-0x0000000074EDE000-memory.dmp
memory/3008-9-0x00000000747F0000-0x0000000074EDE000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-04 22:37
Reported
2024-07-04 22:42
Platform
win10-20240404-en
Max time kernel
195s
Max time network
300s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\64802b822518e9531aa9bbe7b681e07f48b2865892d9605fb88566b5523f392f.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4512 set thread context of 960 | N/A | C:\Users\Admin\AppData\Local\Temp\64802b822518e9531aa9bbe7b681e07f48b2865892d9605fb88566b5523f392f.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\64802b822518e9531aa9bbe7b681e07f48b2865892d9605fb88566b5523f392f.exe
"C:\Users\Admin\AppData\Local\Temp\64802b822518e9531aa9bbe7b681e07f48b2865892d9605fb88566b5523f392f.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Network
| Country | Destination | Domain | Proto |
| RU | 77.91.77.6:24186 | | tcp |
| US | 8.8.8.8:53 | 6.77.91.77.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.179.89.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
Files
memory/4512-0-0x000000007377E000-0x000000007377F000-memory.dmp
memory/4512-1-0x0000000000620000-0x0000000000684000-memory.dmp
memory/4512-2-0x0000000002820000-0x0000000002826000-memory.dmp
\Users\Admin\AppData\Roaming\d3d9.dll
| MD5 | 855707da714f67eb0a60d2b850cef20f |
| SHA1 | df8ef101ba0bd2881472d488ef164496b9781ad0 |
| SHA256 | 632f9b221e4f92282ccdd5a0a76039a14f5838e1cdace8e99dd8d81e95bc6bfb |
| SHA512 | 3896fdc1932b1a05dd14ad99885c9f05fe858fd9c01356bccc5e746072425a053478b5c5b6cd42f1b46c2bf3d99614f5fded345a351c8d7990636b2dbfe96a27 |
memory/960-9-0x0000000000400000-0x0000000000450000-memory.dmp
memory/4512-12-0x0000000077531000-0x0000000077644000-memory.dmp
memory/4512-11-0x0000000074E10000-0x0000000074E70000-memory.dmp
memory/960-15-0x0000000073770000-0x0000000073E5E000-memory.dmp
memory/960-14-0x0000000005530000-0x0000000005A2E000-memory.dmp
memory/4512-13-0x0000000073770000-0x0000000073E5E000-memory.dmp
memory/960-16-0x0000000005030000-0x00000000050C2000-memory.dmp
memory/960-17-0x0000000005000000-0x000000000500A000-memory.dmp
memory/960-18-0x0000000073770000-0x0000000073E5E000-memory.dmp
memory/960-19-0x0000000006040000-0x0000000006646000-memory.dmp
memory/960-20-0x00000000053E0000-0x00000000054EA000-memory.dmp
memory/960-21-0x0000000005260000-0x0000000005272000-memory.dmp
memory/960-22-0x00000000052C0000-0x00000000052FE000-memory.dmp
memory/960-23-0x0000000005300000-0x000000000534B000-memory.dmp
memory/960-24-0x0000000005AD0000-0x0000000005B36000-memory.dmp
memory/960-25-0x00000000077E0000-0x00000000079A2000-memory.dmp
memory/960-26-0x0000000007EE0000-0x000000000840C000-memory.dmp
memory/960-27-0x0000000006AC0000-0x0000000006B10000-memory.dmp
memory/960-29-0x0000000073770000-0x0000000073E5E000-memory.dmp
memory/4512-30-0x0000000073770000-0x0000000073E5E000-memory.dmp
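Detection logic for the behaviors recorded in the behavioral2 run, as an added example that is not part of the sandbox report. Sysmon has no event for SetThreadContext, so the observable proxies are: MSBuild.exe spawned from a binary in a user-writable path (Event 1), a handle to MSBuild.exe opened with VM write rights from that binary (Event 10), d3d9.dll loaded from %APPDATA% instead of System32 (Event 7), and MSBuild.exe egressing to a public IP (Event 3). The Sysmon event IDs, field names and Win32 access-right constants are real; the events themselves are constructed to mirror the report (PIDs 4512 and 960, the dropped-DLL hash, the 77.91.77.6:24186 destination) plus two benign controls. Note that the win7 run only got as far as the DLL load, with no injection and no network, so coverage should not rest on the C2 egress rule alone.

```python
"""Detection rules for the RedLine loader behaviors above, run over
constructed Sysmon-style events (added example, not from the report)."""
import ipaddress
from typing import Dict, List

# IOCs copied from the report
DROPPED_DLL_SHA256 = "632f9b221e4f92282ccdd5a0a76039a14f5838e1cdace8e99dd8d81e95bc6bfb"
KNOWN_C2 = {("77.91.77.6", 24186)}

# Sysmon event IDs and Win32 process access rights (real values)
EVT_PROCESS_CREATE, EVT_NETWORK_CONNECT, EVT_IMAGE_LOAD, EVT_PROCESS_ACCESS = 1, 3, 7, 10
PROCESS_VM_OPERATION, PROCESS_VM_WRITE = 0x0008, 0x0020

# Hollowing host seen in this report; extend from your own telemetry
HOLLOW_HOSTS = {"msbuild.exe"}


def _norm(path: str) -> str:
    return path.replace("/", "\\").lower()


def _basename(path: str) -> str:
    return _norm(path).rsplit("\\", 1)[-1]


def _user_writable(path: str) -> bool:
    """Heuristic: directories an unprivileged user can write to."""
    p = _norm(path)
    return ("\\appdata\\" in p or "\\temp\\" in p
            or "\\users\\public\\" in p or p.startswith("c:\\programdata\\"))


def _system_dir(path: str) -> bool:
    p = _norm(path)
    return p.startswith("c:\\windows\\system32\\") or p.startswith("c:\\windows\\syswow64\\")


def _public_ip(ip: str) -> bool:
    return ipaddress.ip_address(ip).is_global


def evaluate(ev: Dict[str, str], injected_pids: set) -> List[str]:
    """Return detections for one event; PIDs opened for write are remembered
    in injected_pids so later egress from them can be tied to the injection."""
    hits: List[str] = []
    eid = ev["EventID"]
    if eid == EVT_PROCESS_CREATE:
        if _basename(ev["Image"]) in HOLLOW_HOSTS and _user_writable(ev["ParentImage"]):
            hits.append("hollowing host spawned by a binary in a user-writable directory")
    elif eid == EVT_IMAGE_LOAD:
        if _basename(ev["ImageLoaded"]) == "d3d9.dll" and not _system_dir(ev["ImageLoaded"]):
            hits.append("d3d9.dll loaded from outside System32/SysWOW64 (dropped DLL)")
        if ev.get("SHA256", "").lower() == DROPPED_DLL_SHA256:
            hits.append("image hash matches the d3d9.dll dropped in this report")
    elif eid == EVT_PROCESS_ACCESS:
        granted = int(ev["GrantedAccess"], 16)  # Sysmon logs the mask as hex text
        if (_basename(ev["TargetImage"]) in HOLLOW_HOSTS
                and granted & (PROCESS_VM_OPERATION | PROCESS_VM_WRITE)
                and _user_writable(ev["SourceImage"])):
            hits.append("VM-write handle on hollowing host from user-writable source")
            injected_pids.add(ev["TargetProcessId"])
    elif eid == EVT_NETWORK_CONNECT:
        if _basename(ev["Image"]) in HOLLOW_HOSTS and _public_ip(ev["DestinationIp"]):
            hits.append("hollowing host connected to a public IP")
            if (ev["DestinationIp"], int(ev["DestinationPort"])) in KNOWN_C2:
                hits.append("destination matches the RedLine C2 in this report")
        if ev["ProcessId"] in injected_pids:
            hits.append("egress from a process previously opened for write")
    return hits


def scan(events: List[Dict[str, str]]) -> List[List[str]]:
    """Evaluate events in order, carrying injection state across them."""
    injected: set = set()
    return [evaluate(e, injected) for e in events]


LOADER = r"C:\Users\Admin\AppData\Local\Temp\64802b822518e9531aa9bbe7b681e07f48b2865892d9605fb88566b5523f392f.exe"
MSBUILD = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

# Constructed events: first four mirror behavioral2, last two are benign controls
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": MSBUILD, "ProcessId": "960", "ParentImage": LOADER, "ParentProcessId": "4512"},
    {"EventID": 7, "Image": LOADER, "ImageLoaded": r"C:\Users\Admin\AppData\Roaming\d3d9.dll",
     "SHA256": DROPPED_DLL_SHA256},
    {"EventID": 10, "SourceImage": LOADER, "SourceProcessId": "4512", "TargetImage": MSBUILD,
     "TargetProcessId": "960", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 3, "Image": MSBUILD, "ProcessId": "960", "DestinationIp": "77.91.77.6", "DestinationPort": "24186"},
    {"EventID": 7, "Image": r"C:\Games\game.exe", "ImageLoaded": r"C:\Windows\System32\d3d9.dll", "SHA256": "00" * 32},
    {"EventID": 3, "Image": MSBUILD, "ProcessId": "1234", "DestinationIp": "10.0.0.5", "DestinationPort": "443"},
]

if __name__ == "__main__":
    for ev, hits in zip(SAMPLE_EVENTS, scan(SAMPLE_EVENTS)):
        print(ev["EventID"], hits)
```

The process-access rule keys on the VM write bits rather than the full 0x1FFFFF mask because injectors frequently request narrower rights; the egress rule escalates only when the connecting PID was earlier the target of such a handle, which is what separates a hollowed MSBuild.exe from a developer's build server calling out.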