Analysis Overview
SHA256
18bc7eedbc38c08acd67766fdb5b10a363ccf3a7a806837d25d9297a4b765c65
Threat Level: Known bad
The file FireyYoy.zip was found to be: Known bad.
Malicious Activity Summary
RedLine
RedLine payload
Loads dropped DLL
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of SetThreadContext
Unsigned PE
Program crash
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-14 05:40
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral3
Detonation Overview
Submitted
2024-07-14 05:40
Reported
2024-07-14 05:43
Platform
win7-20240704-en
Max time kernel
118s
Max time network
120s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ExtremeHeatV2.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\ExtremeHeatV2.exe
"C:\Users\Admin\AppData\Local\Temp\ExtremeHeatV2.exe"
Network
Files
memory/2716-0-0x0000000074B6E000-0x0000000074B6F000-memory.dmp
memory/2716-1-0x00000000013E0000-0x0000000001550000-memory.dmp
memory/2716-2-0x00000000002C0000-0x00000000002C6000-memory.dmp
\Users\Admin\AppData\Roaming\d3d9.dll
| MD5 | 383135ee31ca6eda2a23b16e9266e428 |
| SHA1 | 7975297ec104580b54d5cac917b1aab65f025967 |
| SHA256 | 14c151129c9dec79b8c35bb57a0d21977858db553892b8fdaba7eaa37d37435a |
| SHA512 | 2ca83e28f5f5ac15a6617751de848ad161daf29db7c2e7ab8cf9e4e190222a2f66ac2b9e4bebc61f24ff8d3a56982e557b94cc6c7d8b415dc719a6e1ff767449 |
memory/2716-7-0x0000000074B60000-0x000000007524E000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2024-07-14 05:40
Reported
2024-07-14 05:43
Platform
win10v2004-20240709-en
Max time kernel
95s
Max time network
122s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ExtremeHeatV2.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1552 set thread context of 1088 | N/A | C:\Users\Admin\AppData\Local\Temp\ExtremeHeatV2.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ExtremeHeatV2.exe
"C:\Users\Admin\AppData\Local\Temp\ExtremeHeatV2.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| CH | 185.196.9.26:6302 | | tcp |
| US | 8.8.8.8:53 | 26.9.196.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 192.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
memory/1552-0-0x00000000749BE000-0x00000000749BF000-memory.dmp
memory/1552-1-0x0000000000190000-0x0000000000300000-memory.dmp
memory/1552-2-0x0000000004D20000-0x0000000004D26000-memory.dmp
C:\Users\Admin\AppData\Roaming\d3d9.dll
| MD5 | 383135ee31ca6eda2a23b16e9266e428 |
| SHA1 | 7975297ec104580b54d5cac917b1aab65f025967 |
| SHA256 | 14c151129c9dec79b8c35bb57a0d21977858db553892b8fdaba7eaa37d37435a |
| SHA512 | 2ca83e28f5f5ac15a6617751de848ad161daf29db7c2e7ab8cf9e4e190222a2f66ac2b9e4bebc61f24ff8d3a56982e557b94cc6c7d8b415dc719a6e1ff767449 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-14 05:40
Reported
2024-07-14 05:43
Platform
win7-20240708-en
Max time kernel
117s
Max time network
125s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ExtremeHeatV1.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\ExtremeHeatV1.exe
"C:\Users\Admin\AppData\Local\Temp\ExtremeHeatV1.exe"
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x1a0
Network
Files
memory/3040-0-0x0000000074C9E000-0x0000000074C9F000-memory.dmp
memory/3040-1-0x0000000000950000-0x0000000000B20000-memory.dmp
memory/3040-2-0x0000000000420000-0x0000000000426000-memory.dmp
\Users\Admin\AppData\Roaming\d3d9.dll
| MD5 | cfbee81495d87dc1537a869d759392ee |
| SHA1 | 2481be32b25a5edb919eb532ddb1e187b41eccd2 |
| SHA256 | 25a8692639d611867124bb1d7b9dd7ac27ff790386ce3cb1365e9b0546b839ce |
| SHA512 | 810ef929881ba3a4db43eed2799a3da01056e4a3071fb3861191e3abcf7f3ae796b9b018538a290879e729d29285aa757887e47d7886af9f3d0cb7dc5d5ea160 |
memory/3040-7-0x0000000076F50000-0x0000000077011000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-14 05:40
Reported
2024-07-14 05:43
Platform
win10v2004-20240709-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ExtremeHeatV1.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 3888 set thread context of 3628 | N/A | C:\Users\Admin\AppData\Local\Temp\ExtremeHeatV1.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Program crash
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ExtremeHeatV1.exe
"C:\Users\Admin\AppData\Local\Temp\ExtremeHeatV1.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3628 -ip 3628
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3628 -s 2316
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| CH | 185.196.9.6:43164 | | tcp |
| US | 8.8.8.8:53 | 6.9.196.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.16.208.104.in-addr.arpa | udp |
Files
memory/3888-0-0x0000000074B1E000-0x0000000074B1F000-memory.dmp
memory/3888-1-0x0000000000470000-0x0000000000640000-memory.dmp
memory/3888-2-0x0000000004F20000-0x0000000004F26000-memory.dmp
C:\Users\Admin\AppData\Roaming\d3d9.dll
| MD5 | cfbee81495d87dc1537a869d759392ee |
| SHA1 | 2481be32b25a5edb919eb532ddb1e187b41eccd2 |
| SHA256 | 25a8692639d611867124bb1d7b9dd7ac27ff790386ce3cb1365e9b0546b839ce |
| SHA512 | 810ef929881ba3a4db43eed2799a3da01056e4a3071fb3861191e3abcf7f3ae796b9b018538a290879e729d29285aa757887e47d7886af9f3d0cb7dc5d5ea160 |