Analysis Overview
SHA256
77ccc61481c9fa009dfb6af2f6293b604312d440df4338e757ad2df844d10e0b
Threat Level: Known bad
The file Acal BFi UK - Products List 020240704PDF.exe was found to be: Known bad.
Malicious Activity Summary
RedLine
RedLine payload
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Suspicious use of SetThreadContext
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-05 04:01
Signatures
Unsigned PE
No per-hit details recorded; the static signature only states that the PE carries no Authenticode signature.
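The "Unsigned PE" static verdict above comes down to one header field. The following is an added example, not the sandbox's own code: a dependency-free check of the IMAGE_DIRECTORY_ENTRY_SECURITY data directory, which is where a PE points at its Authenticode certificate table. The PE layout constants are from the PE/COFF specification; the two sample files are constructed in the block (a bare PE32 header with and without a placeholder certificate table) so it runs offline.

```python
import struct

# Layout constants from the PE/COFF specification (assumed here, not taken from the report).
# IMAGE_DIRECTORY_ENTRY_SECURITY is data directory index 4; unusually, its first field is a raw
# file offset (not an RVA) to the WIN_CERTIFICATE table that holds the Authenticode PKCS#7 blob.
SECURITY_DIR_INDEX = 4
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002


def security_directory(data: bytes) -> tuple:
    """Return (file_offset, size) of the certificate table, or (0, 0) when absent."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file (missing MZ)")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    coff = e_lfanew + 4
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]      # SizeOfOptionalHeader
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:          # PE32
        nrva_off, dir_off = 92, 96
    elif magic == 0x20B:        # PE32+
        nrva_off, dir_off = 108, 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    nrva = struct.unpack_from("<I", data, opt + nrva_off)[0]     # NumberOfRvaAndSizes
    entry = opt + dir_off + SECURITY_DIR_INDEX * 8
    if nrva <= SECURITY_DIR_INDEX or entry + 8 > opt + opt_size:
        return 0, 0
    off, size = struct.unpack_from("<II", data, entry)
    return off, size


def describe_signature(data: bytes) -> dict:
    """Report whether a certificate table exists and what it claims to hold.

    Presence is not validity: a real verdict needs the PKCS#7 chain and the Authenticode hash
    verified (signtool verify, osslsigncode verify, Get-AuthenticodeSignature).
    """
    off, size = security_directory(data)
    if size == 0:
        return {"has_cert_table": False, "reason": "no IMAGE_DIRECTORY_ENTRY_SECURITY"}
    if size < 8 or off + size > len(data):
        return {"has_cert_table": False, "reason": "certificate table lies outside the file"}
    length, revision, cert_type = struct.unpack_from("<IHH", data, off)   # WIN_CERTIFICATE header
    return {"has_cert_table": True, "offset": off, "size": size, "length": length,
            "revision": revision, "cert_type": cert_type,
            "is_pkcs7": cert_type == WIN_CERT_TYPE_PKCS_SIGNED_DATA}


def build_minimal_pe32(sec_offset: int = 0, sec_size: int = 0) -> bytes:
    """Constructed test input: a bare PE32 header with no sections, not a runnable executable."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                               # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x0102)      # i386, 0 sections
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                               # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                                 # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + SECURITY_DIR_INDEX * 8, sec_offset, sec_size)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


def build_sample(signed: bool) -> bytes:
    header = build_minimal_pe32()
    if not signed:
        return header
    payload = b"\x30\x06\x06\x04\x2a\x86\x48\x86"   # placeholder bytes, not real SignedData
    cert = struct.pack("<IHH", 8 + len(payload), 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + payload
    return build_minimal_pe32(len(header), len(cert)) + cert


def check_file(path: str) -> dict:
    with open(path, "rb") as fh:
        return describe_signature(fh.read())


if __name__ == "__main__":
    print(describe_signature(build_sample(False)))
    print(describe_signature(build_sample(True)))
```

A missing table is exactly what the report's "Unsigned PE" means. A present table still needs verification: attackers attach expired, revoked or untrusted certificates, and the table's file offset can point outside the image, which the check above treats as absent rather than trusting it.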
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-05 04:01
Reported
2024-07-05 04:03
Platform
win7-20240419-en
Max time kernel
119s
Max time network
123s
Command Line
Signatures
RedLine
RedLine payload
5 hits; no description, indicator, process or target recorded for this signature.
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2028 set thread context of 2800 | N/A | C:\Users\Admin\AppData\Local\Temp\Acal BFi UK - Products List 020240704PDF.exe | C:\Users\Admin\AppData\Local\Temp\Acal BFi UK - Products List 020240704PDF.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Acal BFi UK - Products List 020240704PDF.exe | N/A |
(3 identical hits from this process)
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Acal BFi UK - Products List 020240704PDF.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Path | Command line |
| C:\Users\Admin\AppData\Local\Temp\Acal BFi UK - Products List 020240704PDF.exe | "C:\Users\Admin\AppData\Local\Temp\Acal BFi UK - Products List 020240704PDF.exe" |
| C:\Users\Admin\AppData\Local\Temp\Acal BFi UK - Products List 020240704PDF.exe | "C:\Users\Admin\AppData\Local\Temp\Acal BFi UK - Products List 020240704PDF.exe" |
Two instances of the same image ran. Per the SetThreadContext signature above, PID 2028 set the thread context of PID 2800, and the memory dumps below are indexed with 2028 first, so 2800 is the second instance, spawned by the first.
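The signature chain above (a second instance of the same image, SetThreadContext from the first into the second, WriteProcessMemory, SeDebugPrivilege enabled) is the sandbox's view, obtained by API hooking. On an endpoint, Sysmon does not record SetThreadContext, so the same pattern has to be inferred from process creation (Event ID 1) and process access (Event ID 10). The following is an added example, not part of this report: a correlation over constructed Sysmon-style records. The PIDs 2028 and 2800 and the image path are from the report; the explorer.exe parent, the Chrome processes, the access masks, the user-writable directory list and the same-image allowlist are assumptions for the example.

```python
import ntpath

# Sysmon Event ID 10 (ProcessAccess) reports the Win32 access mask the source obtained on the target.
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
WRITE_INTO_PROCESS = PROCESS_VM_OPERATION | PROCESS_VM_WRITE   # what WriteProcessMemory needs

# Assumptions, not from the report: directories an unprivileged user can write to, and images that
# legitimately spawn copies of themselves (multi-process browsers, service hosts). Tune per estate.
USER_WRITABLE_DIRS = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\downloads\\", "\\users\\public\\")
SAME_IMAGE_ALLOWLIST = {"chrome.exe", "msedge.exe", "firefox.exe", "svchost.exe"}

TEMP_EXE = r"C:\Users\Admin\AppData\Local\Temp\Acal BFi UK - Products List 020240704PDF.exe"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"

# Constructed Sysmon-style records. PIDs 2028/2800 and the image path come from the report; the
# explorer.exe parent, the Chrome processes and the access masks are made up for the example.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 2028, "Image": TEMP_EXE,
     "ParentProcessId": 1340, "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "ProcessId": 2800, "Image": TEMP_EXE,
     "ParentProcessId": 2028, "ParentImage": TEMP_EXE},
    {"EventID": 10, "SourceProcessId": 2028, "TargetProcessId": 2800,
     "SourceImage": TEMP_EXE, "TargetImage": TEMP_EXE, "GrantedAccess": "0x1FFFFF"},
    {"EventID": 1, "ProcessId": 4412, "Image": CHROME, "ParentProcessId": 4400, "ParentImage": CHROME},
    {"EventID": 10, "SourceProcessId": 4400, "TargetProcessId": 4412,
     "SourceImage": CHROME, "TargetImage": CHROME, "GrantedAccess": "0x1000"},
]


def in_user_writable_dir(image: str) -> bool:
    low = image.lower()
    return any(d in low for d in USER_WRITABLE_DIRS)


def find_self_hollowing(events: list) -> list:
    """Flag a child that runs the same image as its parent from a user-writable directory.

    Severity is raised to 'high' when a ProcessAccess record shows the parent also obtained
    VM_WRITE|VM_OPERATION on that child, i.e. it could have overwritten the child's memory.
    """
    write_access = {}
    for ev in events:
        if ev["EventID"] == 10:
            granted = int(ev["GrantedAccess"], 16)
            if (granted & WRITE_INTO_PROCESS) == WRITE_INTO_PROCESS:
                write_access[(ev["SourceProcessId"], ev["TargetProcessId"])] = granted
    findings = []
    for ev in events:
        if ev["EventID"] != 1:
            continue
        image, parent = ev["Image"].lower(), ev["ParentImage"].lower()
        if image != parent or ntpath.basename(image) in SAME_IMAGE_ALLOWLIST:
            continue
        if not in_user_writable_dir(image):
            continue
        key = (ev["ParentProcessId"], ev["ProcessId"])
        writes = key in write_access
        findings.append({
            "parent_pid": key[0], "child_pid": key[1], "image": ev["Image"],
            "writes_into_child": writes,
            "granted_access": hex(write_access[key]) if writes else None,
            "severity": "high" if writes else "medium",
        })
    return findings


if __name__ == "__main__":
    for finding in find_self_hollowing(SAMPLE_EVENTS):
        print(finding)
```

Event ID 10 only exists for process/target pairs the Sysmon configuration chooses to log, so the "medium" path (same image, user-writable directory, no access record) must stand on its own. The SeDebugPrivilege enable shows up separately on the host as Security event 4703 when Authorization Policy Change auditing is on.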
Network
| Country | Destination | Domain | Proto |
| NL | 79.110.62.16:1912 | | tcp |
Files
memory/2028-0-0x000000007450E000-0x000000007450F000-memory.dmp
memory/2028-1-0x0000000000C40000-0x0000000000D0E000-memory.dmp
memory/2028-2-0x0000000074500000-0x0000000074BEE000-memory.dmp
memory/2028-3-0x00000000059E0000-0x0000000005AAC000-memory.dmp
memory/2028-4-0x0000000000480000-0x000000000049A000-memory.dmp
memory/2028-5-0x00000000004A0000-0x00000000004A8000-memory.dmp
memory/2028-6-0x00000000004C0000-0x00000000004CC000-memory.dmp
memory/2028-7-0x0000000005F80000-0x0000000006014000-memory.dmp
memory/2800-8-0x0000000000400000-0x0000000000452000-memory.dmp
memory/2800-15-0x0000000000400000-0x0000000000452000-memory.dmp
memory/2800-19-0x0000000000400000-0x0000000000452000-memory.dmp
memory/2800-17-0x0000000000400000-0x0000000000452000-memory.dmp
memory/2800-20-0x0000000074500000-0x0000000074BEE000-memory.dmp
memory/2800-13-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2800-11-0x0000000000400000-0x0000000000452000-memory.dmp
memory/2800-10-0x0000000000400000-0x0000000000452000-memory.dmp
memory/2028-22-0x0000000074500000-0x0000000074BEE000-memory.dmp
memory/2800-21-0x0000000074500000-0x0000000074BEE000-memory.dmp
memory/2800-9-0x0000000000400000-0x0000000000452000-memory.dmp
memory/2800-23-0x0000000074500000-0x0000000074BEE000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-05 04:01
Reported
2024-07-05 04:03
Platform
win10v2004-20240508-en
Max time kernel
147s
Max time network
153s
Command Line
Signatures
RedLine
RedLine payload
No description, indicator, process or target recorded for this signature.
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 5108 set thread context of 3480 | N/A | C:\Users\Admin\AppData\Local\Temp\Acal BFi UK - Products List 020240704PDF.exe | C:\Users\Admin\AppData\Local\Temp\Acal BFi UK - Products List 020240704PDF.exe |
Suspicious use of WriteProcessMemory
Processes
| Path | Command line |
| C:\Users\Admin\AppData\Local\Temp\Acal BFi UK - Products List 020240704PDF.exe | "C:\Users\Admin\AppData\Local\Temp\Acal BFi UK - Products List 020240704PDF.exe" |
| C:\Users\Admin\AppData\Local\Temp\Acal BFi UK - Products List 020240704PDF.exe | "C:\Users\Admin\AppData\Local\Temp\Acal BFi UK - Products List 020240704PDF.exe" |
Two instances of the same image ran. Per the SetThreadContext signature above, PID 5108 set the thread context of PID 3480, and the memory dumps below are indexed with 5108 first, so 3480 is the second instance, spawned by the first.
Network
| Country | Destination | Domain | Proto |
| NL | 79.110.62.16:1912 | | tcp |
(6 connections to the same endpoint during the run)
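Both detonations reached the same endpoint, 79.110.62.16:1912 over TCP, with no domain involved, and the Windows 10 run reconnected six times. The following is an added example, not part of this report: a hunt for that endpoint over a constructed Zeek conn.log excerpt, plus a Suricata rule for it. Only the IP and port come from the report; the internal hosts, ports, timestamps, uids and the rule's sid are made up.

```python
C2_ENDPOINT = ("79.110.62.16", 1912)   # destination from this report's network table

# Constructed Zeek conn.log excerpt (TSV with a #fields header). Hosts, ports, timestamps and uids
# are made up; only the C2 endpoint is taken from the report.
SAMPLE_CONN_LOG = """#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tconn_state
1720152070.101\tCab1x\t10.0.0.5\t49712\t79.110.62.16\t1912\ttcp\tSF
1720152071.230\tCab2y\t10.0.0.5\t49713\t8.8.8.8\t53\tudp\tSF
1720152100.442\tCab3z\t10.0.0.5\t49720\t79.110.62.16\t1912\ttcp\tS0
1720152130.918\tCab4w\t10.0.0.9\t51002\t79.110.62.16\t443\ttcp\tSF
1720152131.001\tCab5v\t10.0.0.9\t51003\t142.250.74.78\t443\ttcp\tSF
"""


def parse_conn_log(text: str) -> list:
    """Parse Zeek TSV rows into dicts keyed by the names in the #fields header."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif not line or line.startswith("#"):
            continue
        else:
            if fields is None:
                raise ValueError("data row before #fields header")
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def hunt_c2(rows: list, endpoint=C2_ENDPOINT) -> dict:
    """Exact ip:port hits, plus same-IP traffic on other ports.

    The same-IP rows are a lead to review, not a confirmed hit: one server can host several
    services. Connections in state S0 (SYN with no reply) still count as hits; a host beaconing
    to a dead C2 is still infected.
    """
    ip, port = endpoint
    exact, same_ip, hosts = [], [], {}
    for r in rows:
        if r["id.resp_h"] != ip:
            continue
        if int(r["id.resp_p"]) == port:
            exact.append(r)
            hosts[r["id.orig_h"]] = hosts.get(r["id.orig_h"], 0) + 1
        else:
            same_ip.append(r)
    return {"exact": exact, "same_ip_other_port": same_ip, "hosts": hosts}


def suricata_rule(endpoint=C2_ENDPOINT, sid: int = 9000001) -> str:
    """Alert rule for the endpoint; the sid is a placeholder in the local (>= 1000000) range."""
    ip, port = endpoint
    return (f'alert tcp $HOME_NET any -> {ip} {port} '
            f'(msg:"RedLine C2 {ip}:{port} from sandbox report"; flow:to_server; '
            f'classtype:trojan-activity; sid:{sid}; rev:1;)')


if __name__ == "__main__":
    result = hunt_c2(parse_conn_log(SAMPLE_CONN_LOG))
    for host, count in result["hosts"].items():
        print(f"{host}: {count} connection(s) to {C2_ENDPOINT[0]}:{C2_ENDPOINT[1]}")
    print(suricata_rule())
```

Match on the ip:port pair rather than the bare IP when raising incidents; the bare-IP bucket is what you review when deciding whether the whole address should be blocked.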
Files
memory/5108-0-0x0000000074E4E000-0x0000000074E4F000-memory.dmp
memory/5108-1-0x0000000000AC0000-0x0000000000B8E000-memory.dmp
memory/5108-2-0x0000000005940000-0x0000000005EE4000-memory.dmp
memory/5108-3-0x0000000005430000-0x00000000054C2000-memory.dmp
memory/5108-4-0x0000000005410000-0x000000000541A000-memory.dmp
memory/5108-5-0x0000000074E40000-0x00000000755F0000-memory.dmp
memory/5108-6-0x0000000007EC0000-0x0000000007F8C000-memory.dmp
memory/5108-7-0x0000000005640000-0x000000000565A000-memory.dmp
memory/5108-8-0x0000000005680000-0x0000000005688000-memory.dmp
memory/5108-9-0x00000000058D0000-0x00000000058DC000-memory.dmp
memory/5108-10-0x000000000D8E0000-0x000000000D974000-memory.dmp
memory/5108-11-0x0000000011100000-0x000000001119C000-memory.dmp
memory/3480-12-0x0000000000400000-0x0000000000452000-memory.dmp
memory/3480-14-0x0000000074E40000-0x00000000755F0000-memory.dmp
memory/5108-15-0x0000000074E40000-0x00000000755F0000-memory.dmp
memory/3480-16-0x0000000074E40000-0x00000000755F0000-memory.dmp
memory/3480-17-0x0000000006770000-0x0000000006D88000-memory.dmp
memory/3480-18-0x0000000005980000-0x0000000005A8A000-memory.dmp
memory/3480-19-0x00000000056F0000-0x0000000005702000-memory.dmp
memory/3480-20-0x0000000005870000-0x00000000058AC000-memory.dmp
memory/3480-21-0x00000000058B0000-0x00000000058FC000-memory.dmp
memory/3480-22-0x0000000074E40000-0x00000000755F0000-memory.dmp
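The dump names encode the PID, a dump index and the virtual address range, which is enough to see where the payload landed without opening the dumps. The following is an added example, not the sandbox's own tooling: it parses the behavioral2 list above, separates the regions shared between parent 5108 and child 3480 (loaded modules present in both) from regions that exist only in the child, and picks out the child-only region at 0x400000, the conventional default image base of a 32-bit PE. Run on the behavioral1 list, it finds the same 0x400000-0x452000 region in child 2800, dumped seven times across indices 8 to 19. The dump names are copied from this report; the interpretation of the 0x400000 region as the replaced image is an inference from the addresses, not something the report states.

```python
import re
from collections import defaultdict

DUMP_RE = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")

# Dump names exactly as listed in the behavioral2 section of this report (Windows 10 run).
BEHAVIORAL2_DUMPS = """
memory/5108-0-0x0000000074E4E000-0x0000000074E4F000-memory.dmp
memory/5108-1-0x0000000000AC0000-0x0000000000B8E000-memory.dmp
memory/5108-2-0x0000000005940000-0x0000000005EE4000-memory.dmp
memory/5108-3-0x0000000005430000-0x00000000054C2000-memory.dmp
memory/5108-4-0x0000000005410000-0x000000000541A000-memory.dmp
memory/5108-5-0x0000000074E40000-0x00000000755F0000-memory.dmp
memory/5108-6-0x0000000007EC0000-0x0000000007F8C000-memory.dmp
memory/5108-7-0x0000000005640000-0x000000000565A000-memory.dmp
memory/5108-8-0x0000000005680000-0x0000000005688000-memory.dmp
memory/5108-9-0x00000000058D0000-0x00000000058DC000-memory.dmp
memory/5108-10-0x000000000D8E0000-0x000000000D974000-memory.dmp
memory/5108-11-0x0000000011100000-0x000000001119C000-memory.dmp
memory/3480-12-0x0000000000400000-0x0000000000452000-memory.dmp
memory/3480-14-0x0000000074E40000-0x00000000755F0000-memory.dmp
memory/5108-15-0x0000000074E40000-0x00000000755F0000-memory.dmp
memory/3480-16-0x0000000074E40000-0x00000000755F0000-memory.dmp
memory/3480-17-0x0000000006770000-0x0000000006D88000-memory.dmp
memory/3480-18-0x0000000005980000-0x0000000005A8A000-memory.dmp
memory/3480-19-0x00000000056F0000-0x0000000005702000-memory.dmp
memory/3480-20-0x0000000005870000-0x00000000058AC000-memory.dmp
memory/3480-21-0x00000000058B0000-0x00000000058FC000-memory.dmp
memory/3480-22-0x0000000074E40000-0x00000000755F0000-memory.dmp
""".split()

DEFAULT_IMAGE_BASE = 0x400000   # conventional default ImageBase for 32-bit PEs


def parse_dumps(names) -> dict:
    """{pid: [(dump_index, start, end), ...]} from sandbox dump file names."""
    regions = defaultdict(list)
    for name in names:
        m = DUMP_RE.fullmatch(name.strip())
        if m:
            pid, idx, start, end = m.groups()
            regions[int(pid)].append((int(idx), int(start, 16), int(end, 16)))
    return dict(regions)


def summarize(names, parent_pid: int, child_pid: int) -> dict:
    """Split the child's regions into those also seen in the parent and those unique to it."""
    regions = parse_dumps(names)
    sets = {pid: {(s, e) for _, s, e in lst} for pid, lst in regions.items()}
    shared = sets[parent_pid] & sets[child_pid]
    child_only = sets[child_pid] - sets[parent_pid]
    at_base = [r for r in child_only if r[0] == DEFAULT_IMAGE_BASE]
    payload = at_base[0] if at_base else None
    times_dumped = sum(1 for _, s, e in regions[child_pid] if (s, e) == payload) if payload else 0
    return {
        "shared": sorted(shared),
        "child_only": sorted(child_only),
        "payload_region": payload,
        "payload_size": payload[1] - payload[0] if payload else 0,
        "payload_dump_count": times_dumped,
    }


def fmt(region) -> str:
    return f"0x{region[0]:08X}-0x{region[1]:08X} ({region[1] - region[0]:#x} bytes)"


if __name__ == "__main__":
    s = summarize(BEHAVIORAL2_DUMPS, 5108, 3480)
    print("shared with parent:", ", ".join(fmt(r) for r in s["shared"]))
    print("child only:        ", ", ".join(fmt(r) for r in s["child_only"]))
    print("candidate payload: ", fmt(s["payload_region"]), "dumped", s["payload_dump_count"], "time(s)")
```

The 0x74E40000-0x755F0000 range appears in both processes and is a module mapped into each, so it is noise for payload extraction. The child-only 0x400000-0x452000 region (0x52000 bytes, identical in the Windows 7 run) is the first dump to carve and scan with a RedLine rule, since the parent image never occupies that range in either detonation.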