Analysis Overview
SHA256
9440713d78fbc82ff0f1b24bf757e63c5b5c31163fdf2428a2ee244369c81370
Threat Level: Known bad
The file 9440713d78fbc82ff0f1b24bf757e63c5b5c31163fdf2428a2ee244369c81370.exe was found to be: Known bad.
Malicious Activity Summary
RedLine payload
RedLine
Loads dropped DLL
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of SetThreadContext
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-14 09:35
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-14 09:35
Reported
2024-07-14 09:37
Platform
win10v2004-20240709-en
Max time kernel
93s
Max time network
145s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9440713d78fbc82ff0f1b24bf757e63c5b5c31163fdf2428a2ee244369c81370.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2496 set thread context of 2484 | N/A | C:\Users\Admin\AppData\Local\Temp\9440713d78fbc82ff0f1b24bf757e63c5b5c31163fdf2428a2ee244369c81370.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9440713d78fbc82ff0f1b24bf757e63c5b5c31163fdf2428a2ee244369c81370.exe
"C:\Users\Admin\AppData\Local\Temp\9440713d78fbc82ff0f1b24bf757e63c5b5c31163fdf2428a2ee244369c81370.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 8.8.8.8:53 | sp.joger.top | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| FI | 95.217.245.123:3306 | sp.joger.top | tcp |
| US | 8.8.8.8:53 | 99.167.154.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 123.245.217.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
Files
memory/2496-0-0x000000007485E000-0x000000007485F000-memory.dmp
memory/2496-1-0x0000000000BF0000-0x0000000000CCE000-memory.dmp
C:\Users\Admin\AppData\Roaming\d3d9.dll
| MD5 | 1f804181133345524e018243d5ad2610 |
| SHA1 | 482ff64943006de93caea2671c854152203dd820 |
| SHA256 | e63e1a997fd7626c8f9d02137ab87f0c6fae00955daacaf20e4cbd89feda4e24 |
| SHA512 | a661abaa41b433282bc9d03c7f69c9c5b66b52d45d6561d79ee9faaa006988f2a7919daef71784c88508c8b944870924072485be8b1f04a60e6bcf07398f8701 |
memory/2484-8-0x0000000000400000-0x0000000000422000-memory.dmp
memory/2484-11-0x00000000053D0000-0x0000000005436000-memory.dmp
memory/2496-10-0x0000000074850000-0x0000000075000000-memory.dmp
memory/2484-12-0x0000000074850000-0x0000000075000000-memory.dmp
memory/2484-13-0x0000000005EF0000-0x0000000006508000-memory.dmp
memory/2484-14-0x0000000005940000-0x0000000005952000-memory.dmp
memory/2484-15-0x0000000005A70000-0x0000000005B7A000-memory.dmp
memory/2484-16-0x0000000074850000-0x0000000075000000-memory.dmp
memory/2484-17-0x0000000006890000-0x00000000068CC000-memory.dmp
memory/2484-18-0x00000000068D0000-0x000000000691C000-memory.dmp
memory/2484-19-0x0000000006BF0000-0x0000000006DB2000-memory.dmp
memory/2484-20-0x00000000072F0000-0x000000000781C000-memory.dmp
memory/2484-21-0x0000000007DD0000-0x0000000008374000-memory.dmp
memory/2484-22-0x0000000006DC0000-0x0000000006E52000-memory.dmp
memory/2484-23-0x0000000006E60000-0x0000000006ED6000-memory.dmp
memory/2484-24-0x0000000006EE0000-0x0000000006EFE000-memory.dmp
memory/2484-25-0x0000000007070000-0x00000000070C0000-memory.dmp
memory/2484-27-0x0000000074850000-0x0000000075000000-memory.dmp
memory/2496-28-0x0000000074850000-0x0000000075000000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-14 09:35
Reported
2024-07-14 09:37
Platform
win7-20240705-en
Max time kernel
117s
Max time network
118s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9440713d78fbc82ff0f1b24bf757e63c5b5c31163fdf2428a2ee244369c81370.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\9440713d78fbc82ff0f1b24bf757e63c5b5c31163fdf2428a2ee244369c81370.exe
"C:\Users\Admin\AppData\Local\Temp\9440713d78fbc82ff0f1b24bf757e63c5b5c31163fdf2428a2ee244369c81370.exe"
Network
Files
memory/2972-0-0x0000000073D0E000-0x0000000073D0F000-memory.dmp
memory/2972-1-0x0000000001320000-0x00000000013FE000-memory.dmp
\Users\Admin\AppData\Roaming\d3d9.dll
| MD5 | 1f804181133345524e018243d5ad2610 |
| SHA1 | 482ff64943006de93caea2671c854152203dd820 |
| SHA256 | e63e1a997fd7626c8f9d02137ab87f0c6fae00955daacaf20e4cbd89feda4e24 |
| SHA512 | a661abaa41b433282bc9d03c7f69c9c5b66b52d45d6561d79ee9faaa006988f2a7919daef71784c88508c8b944870924072485be8b1f04a60e6bcf07398f8701 |
memory/2972-6-0x0000000074C50000-0x0000000074D11000-memory.dmp