Analysis Overview
SHA256
fef7ddcee2119553733d71db28cc110f690153cc7063bb36d4565644bb518af9
Threat Level: Known bad
The file fef7ddcee2119553733d71db28cc110f690153cc7063bb36d4565644bb518af9 was found to be: Known bad.
Malicious Activity Summary
Redline family
RedLine
RedLine payload
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-10 18:33
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-10 18:33
Reported
2024-11-10 18:36
Platform
win7-20241010-en
Max time kernel
141s
Max time network
150s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Redline family
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\fef7ddcee2119553733d71db28cc110f690153cc7063bb36d4565644bb518af9.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\fef7ddcee2119553733d71db28cc110f690153cc7063bb36d4565644bb518af9.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\fef7ddcee2119553733d71db28cc110f690153cc7063bb36d4565644bb518af9.exe
"C:\Users\Admin\AppData\Local\Temp\fef7ddcee2119553733d71db28cc110f690153cc7063bb36d4565644bb518af9.exe"
Network
| Country | Destination | Domain | Proto |
| NL | 45.9.20.240:46257 | | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-10 18:33
Reported
2024-11-10 18:35
Platform
win10v2004-20241007-en
Max time kernel
140s
Max time network
149s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Redline family
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\fef7ddcee2119553733d71db28cc110f690153cc7063bb36d4565644bb518af9.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\fef7ddcee2119553733d71db28cc110f690153cc7063bb36d4565644bb518af9.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\fef7ddcee2119553733d71db28cc110f690153cc7063bb36d4565644bb518af9.exe
"C:\Users\Admin\AppData\Local\Temp\fef7ddcee2119553733d71db28cc110f690153cc7063bb36d4565644bb518af9.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| NL | 45.9.20.240:46257 | | tcp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
Files