Analysis Overview
SHA256: 2ef0f582367a7674aef245acb06977bf646419f1f8d05c7fb07881a6102f982e
Threat Level: Known bad
The file 2ef0f582367a7674aef245acb06977bf646419f1f8d05c7fb07881a6102f982e was found to be: Known bad.
Malicious Activity Summary
RedLine
RedLine payload
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Suspicious use of SetThreadContext
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-07-14 18:15
Signatures
Analysis: behavioral1
Detonation Overview
Submitted: 2024-07-14 18:15
Reported: 2024-07-14 18:17
Platform: win10v2004-20240709-en
Max time kernel: 149s
Max time network: 151s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 464 set thread context of 1656 | N/A | C:\Users\Admin\AppData\Local\Temp\2ef0f582367a7674aef245acb06977bf646419f1f8d05c7fb07881a6102f982e.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2ef0f582367a7674aef245acb06977bf646419f1f8d05c7fb07881a6102f982e.exe
"C:\Users\Admin\AppData\Local\Temp\2ef0f582367a7674aef245acb06977bf646419f1f8d05c7fb07881a6102f982e.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted: 2024-07-14 18:15
Reported: 2024-07-14 18:17
Platform: win11-20240709-en
Max time kernel: 147s
Max time network: 152s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1628 set thread context of 3248 | N/A | C:\Users\Admin\AppData\Local\Temp\2ef0f582367a7674aef245acb06977bf646419f1f8d05c7fb07881a6102f982e.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2ef0f582367a7674aef245acb06977bf646419f1f8d05c7fb07881a6102f982e.exe
"C:\Users\Admin\AppData\Local\Temp\2ef0f582367a7674aef245acb06977bf646419f1f8d05c7fb07881a6102f982e.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| FI | 95.217.245.123:443 | o0.u2024.icu | tcp |
Files