Analysis Overview
SHA256
649e74038636f6b61ad6d208315c54c646fced3671f91165f911e2fe9af8509f
Threat Level: Known bad
The file 649e74038636f6b61ad6d208315c54c646fced3671f91165f911e2fe9af8509f was found to be: Known bad.
Malicious Activity Summary
RedLine
RedLine payload
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Suspicious use of SetThreadContext
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-07-14 19:38
Signatures
Analysis: behavioral1
Detonation Overview
Submitted: 2024-07-14 19:38
Reported: 2024-07-14 19:40
Platform: win10v2004-20240709-en
Max time kernel: 149s
Max time network: 150s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 220 set thread context of 3984 | N/A | C:\Users\Admin\AppData\Local\Temp\649e74038636f6b61ad6d208315c54c646fced3671f91165f911e2fe9af8509f.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\649e74038636f6b61ad6d208315c54c646fced3671f91165f911e2fe9af8509f.exe
"C:\Users\Admin\AppData\Local\Temp\649e74038636f6b61ad6d208315c54c646fced3671f91165f911e2fe9af8509f.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | o0.u2024.icu | udp |
| FI | 95.217.245.123:443 | o0.u2024.icu | tcp |
| US | 8.8.8.8:53 | 99.167.154.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 123.245.217.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 100.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | | udp |
Files
Analysis: behavioral2
Detonation Overview
Submitted: 2024-07-14 19:38
Reported: 2024-07-14 19:40
Platform: win11-20240709-en
Max time kernel: 149s
Max time network: 151s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4936 set thread context of 1312 | N/A | C:\Users\Admin\AppData\Local\Temp\649e74038636f6b61ad6d208315c54c646fced3671f91165f911e2fe9af8509f.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\649e74038636f6b61ad6d208315c54c646fced3671f91165f911e2fe9af8509f.exe
"C:\Users\Admin\AppData\Local\Temp\649e74038636f6b61ad6d208315c54c646fced3671f91165f911e2fe9af8509f.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Network
| Country | Destination | Domain | Proto |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.140.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.167.154.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| FI | 95.217.245.123:443 | o0.u2024.icu | tcp |
Files