Analysis Overview
SHA256
9440713d78fbc82ff0f1b24bf757e63c5b5c31163fdf2428a2ee244369c81370
Threat Level: Known bad
The file D5A7AFAA7CC3C7DC5E19665034A32512.exe was found to be: Known bad.
Malicious Activity Summary
RedLine payload
RedLine
Loads dropped DLL
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of SetThreadContext
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-13 21:36
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-13 21:36
Reported
2024-07-13 21:38
Platform
win10v2004-20240709-en
Max time kernel
149s
Max time network
153s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\D5A7AFAA7CC3C7DC5E19665034A32512.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 3432 set thread context of 4980 | N/A | C:\Users\Admin\AppData\Local\Temp\D5A7AFAA7CC3C7DC5E19665034A32512.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\D5A7AFAA7CC3C7DC5E19665034A32512.exe
"C:\Users\Admin\AppData\Local\Temp\D5A7AFAA7CC3C7DC5E19665034A32512.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 8.8.8.8:53 | sp.joger.top | udp |
| FI | 95.217.245.123:3306 | sp.joger.top | tcp |
Files
C:\Users\Admin\AppData\Roaming\d3d9.dll
| MD5 | 1f804181133345524e018243d5ad2610 |
| SHA1 | 482ff64943006de93caea2671c854152203dd820 |
| SHA256 | e63e1a997fd7626c8f9d02137ab87f0c6fae00955daacaf20e4cbd89feda4e24 |
| SHA512 | a661abaa41b433282bc9d03c7f69c9c5b66b52d45d6561d79ee9faaa006988f2a7919daef71784c88508c8b944870924072485be8b1f04a60e6bcf07398f8701 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-13 21:36
Reported
2024-07-13 21:38
Platform
win7-20240705-en
Max time kernel
121s
Max time network
123s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\D5A7AFAA7CC3C7DC5E19665034A32512.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\D5A7AFAA7CC3C7DC5E19665034A32512.exe
"C:\Users\Admin\AppData\Local\Temp\D5A7AFAA7CC3C7DC5E19665034A32512.exe"
Network
Files
\Users\Admin\AppData\Roaming\d3d9.dll