Analysis Overview
SHA256: 1fd84cecfa8772524842d9bfed6ee550360ffa0a1f9ed29057113180de503695
Threat Level: Known bad
The file 1fd84cecfa8772524842d9bfed6ee550360ffa0a1f9ed29057113180de503695 was found to be: Known bad.
Malicious Activity Summary
RedLine
RedLine payload
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Suspicious use of SetThreadContext
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-07-14 23:22
Signatures
Analysis: behavioral1
Detonation Overview
Submitted: 2024-07-14 23:22
Reported: 2024-07-14 23:24
Platform: win10v2004-20240709-en
Max time kernel: 93s
Max time network: 95s
Command Line
Signatures
RedLine
RedLine payload
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3308 set thread context of 2648 | N/A | C:\Users\Admin\AppData\Local\Temp\1fd84cecfa8772524842d9bfed6ee550360ffa0a1f9ed29057113180de503695.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\1fd84cecfa8772524842d9bfed6ee550360ffa0a1f9ed29057113180de503695.exe
"C:\Users\Admin\AppData\Local\Temp\1fd84cecfa8772524842d9bfed6ee550360ffa0a1f9ed29057113180de503695.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | t.me | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 8.8.8.8:53 | o0.u2024.icu | udp |
| FI | 95.217.245.123:443 | o0.u2024.icu | tcp |
| US | 8.8.8.8:53 | 99.167.154.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 123.245.217.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral2
Detonation Overview
Submitted: 2024-07-14 23:22
Reported: 2024-07-14 23:24
Platform: win11-20240709-en
Max time kernel: 146s
Max time network: 155s
Command Line
Signatures
RedLine
RedLine payload
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3928 set thread context of 1152 | N/A | C:\Users\Admin\AppData\Local\Temp\1fd84cecfa8772524842d9bfed6ee550360ffa0a1f9ed29057113180de503695.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\1fd84cecfa8772524842d9bfed6ee550360ffa0a1f9ed29057113180de503695.exe
"C:\Users\Admin\AppData\Local\Temp\1fd84cecfa8772524842d9bfed6ee550360ffa0a1f9ed29057113180de503695.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Network
| Country | Destination | Domain | Proto |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| FI | 95.217.245.123:443 | o0.u2024.icu | tcp |
Files