Analysis Overview
SHA256
8ef64f8c3492f5f00b8b0a26aff7423b5d5b06822e971990f064bdba4704b13f
Threat Level: Known bad
The file StartGame.exe was found to be: Known bad.
Malicious Activity Summary
RedLine
RedLine payload
Suspicious use of SetThreadContext
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-07-07 13:01
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-07 13:01
Reported
2024-07-07 13:04
Platform
win7-20240704-en
Max time kernel
84s
Max time network
101s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1996 set thread context of 2728 | N/A | C:\Users\Admin\AppData\Local\Temp\StartGame.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
Note: every row in this table belongs to AUDIODG.EXE, the Windows Audio Device Graph Isolation service, which adjusts its own priority privileges as part of normal startup. The sample (StartGame.exe) does not appear here, so this signature is sandbox background noise rather than evidence against the file.
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\StartGame.exe
"C:\Users\Admin\AppData\Local\Temp\StartGame.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x50c
Network
| Country | Destination | Domain | Proto |
| FI | 95.217.197.197:11343 | | tcp |
| FI | 95.217.197.197:11343 | | tcp |
| FI | 95.217.197.197:11343 | | tcp |
| FI | 95.217.197.197:11343 | | tcp |
Files
memory/1996-0-0x0000000000400000-0x0000000000573000-memory.dmp
memory/1996-1-0x00000000005F0000-0x0000000000650000-memory.dmp
memory/1996-17-0x00000000031F0000-0x00000000031F1000-memory.dmp
memory/1996-19-0x00000000031F0000-0x00000000031F3000-memory.dmp
memory/1996-20-0x0000000003240000-0x0000000003241000-memory.dmp
memory/1996-27-0x0000000003210000-0x0000000003211000-memory.dmp
memory/1996-26-0x0000000003220000-0x0000000003221000-memory.dmp
memory/1996-25-0x0000000003230000-0x0000000003231000-memory.dmp
memory/1996-24-0x00000000001D0000-0x00000000001D1000-memory.dmp
memory/1996-23-0x00000000001C0000-0x00000000001C1000-memory.dmp
memory/1996-22-0x0000000003200000-0x0000000003201000-memory.dmp
memory/1996-21-0x0000000003240000-0x0000000003241000-memory.dmp
memory/1996-18-0x00000000031F0000-0x00000000032F0000-memory.dmp
memory/1996-16-0x00000000031F0000-0x00000000031F1000-memory.dmp
memory/1996-15-0x0000000003200000-0x0000000003201000-memory.dmp
memory/1996-14-0x0000000003200000-0x0000000003201000-memory.dmp
memory/1996-13-0x0000000003200000-0x0000000003201000-memory.dmp
memory/1996-12-0x0000000003200000-0x0000000003201000-memory.dmp
memory/1996-11-0x0000000003200000-0x0000000003201000-memory.dmp
memory/1996-10-0x0000000003200000-0x0000000003201000-memory.dmp
memory/1996-9-0x0000000003200000-0x0000000003201000-memory.dmp
memory/1996-8-0x0000000003200000-0x0000000003201000-memory.dmp
memory/1996-7-0x0000000002350000-0x0000000002351000-memory.dmp
memory/1996-6-0x0000000000710000-0x0000000000711000-memory.dmp
memory/1996-5-0x0000000000680000-0x0000000000681000-memory.dmp
memory/1996-4-0x0000000000660000-0x0000000000661000-memory.dmp
memory/1996-3-0x00000000006F0000-0x00000000006F1000-memory.dmp
memory/1996-2-0x00000000006A0000-0x00000000006A1000-memory.dmp
memory/2728-35-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp
memory/2728-39-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2728-38-0x0000000000400000-0x0000000000420000-memory.dmp
memory/1996-41-0x00000000005F0000-0x0000000000650000-memory.dmp
memory/1996-40-0x0000000000400000-0x0000000000573000-memory.dmp
memory/2728-31-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2728-29-0x0000000000400000-0x0000000000420000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-07 13:01
Reported
2024-07-07 13:05
Platform
win10v2004-20240704-en
Max time kernel
141s
Max time network
160s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 464 set thread context of 760 | N/A | C:\Users\Admin\AppData\Local\Temp\StartGame.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 464 wrote to memory of 760 | N/A | C:\Users\Admin\AppData\Local\Temp\StartGame.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| PID 464 wrote to memory of 760 | N/A | C:\Users\Admin\AppData\Local\Temp\StartGame.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| PID 464 wrote to memory of 760 | N/A | C:\Users\Admin\AppData\Local\Temp\StartGame.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| PID 464 wrote to memory of 760 | N/A | C:\Users\Admin\AppData\Local\Temp\StartGame.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| PID 464 wrote to memory of 760 | N/A | C:\Users\Admin\AppData\Local\Temp\StartGame.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\StartGame.exe
"C:\Users\Admin\AppData\Local\Temp\StartGame.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| FI | 95.217.197.197:11343 | | tcp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| FI | 95.217.197.197:11343 | | tcp |
| FI | 95.217.197.197:11343 | | tcp |
| FI | 95.217.197.197:11343 | | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| FI | 95.217.197.197:11343 | | tcp |
| FI | 95.217.197.197:11343 | | tcp |
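The two signature tables above (SetThreadContext and WriteProcessMemory) describe one chain: StartGame.exe (PID 464) spawns the .NET 4 application host AppLaunch.exe (PID 760), writes into it, then sets its thread context. A parent writing into a freshly spawned, otherwise argument-less Microsoft host and redirecting its thread is the process hollowing shape (ATT&CK T1055.012), and both detonations also show the same sole non-DNS, non-Microsoft destination, 95.217.197.197:11343. The script below is an added editor example, not part of the sandbox report or of any vendor tooling: it parses the signature and network tables as pipe-delimited rows, correlates the injection primitives per (source PID, target PID), and extracts candidate C2 endpoints after dropping resolver traffic and an assumed allowlist of OS-noise domain suffixes (`BENIGN_SUFFIXES` is my assumption, not the report's). The embedded tables are constructed from the behavioral2 rows above; the network parser accepts both the report's original layout (proto shifted into the Domain column) and the corrected one.

```python
"""Turn a sandbox signature/network table into an injection verdict and IOCs.

Added example by the editor; not the report's or any vendor's code. Column
layouts (Description | Indicator | Process | Target, Country | Destination |
Domain | Proto) are assumed from the report as printed.
"""
import re
from collections import Counter

# Constructed input: the behavioral2 SetThreadContext and WriteProcessMemory rows.
SIGNATURE_TABLE = r"""
| Description | Indicator | Process | Target |
| PID 464 set thread context of 760 | N/A | C:\Users\Admin\AppData\Local\Temp\StartGame.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| PID 464 wrote to memory of 760 | N/A | C:\Users\Admin\AppData\Local\Temp\StartGame.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| PID 464 wrote to memory of 760 | N/A | C:\Users\Admin\AppData\Local\Temp\StartGame.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| PID 464 wrote to memory of 760 | N/A | C:\Users\Admin\AppData\Local\Temp\StartGame.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| PID 464 wrote to memory of 760 | N/A | C:\Users\Admin\AppData\Local\Temp\StartGame.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| PID 464 wrote to memory of 760 | N/A | C:\Users\Admin\AppData\Local\Temp\StartGame.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
"""

# Constructed input: behavioral2 network rows; the last FI row keeps the
# report's original shifted layout (proto in the Domain column, no trailing pipe).
NETWORK_TABLE = """
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| FI | 95.217.197.197:11343 | | tcp |
| FI | 95.217.197.197:11343 | | tcp |
| FI | 95.217.197.197:11343 | | tcp |
| FI | 95.217.197.197:11343 | | tcp |
| FI | 95.217.197.197:11343 | | tcp |
| FI | 95.217.197.197:11343 | tcp
"""

# Assumption (not from the report): domains treated as OS background traffic.
BENIGN_SUFFIXES = (".in-addr.arpa", "bing.com", "microsoft.com")

INJECT_RE = re.compile(r"PID (\d+) (set thread context of|wrote to memory of) (\d+)")


def parse_rows(table):
    """Split a pipe-delimited table into stripped cell lists, dropping the header."""
    rows = []
    for line in table.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if cells and cells[0] not in ("Description", "Country"):
            rows.append(cells)
    return rows


def injection_chains(table):
    """Group injection primitives by (source pid, target pid), keeping process paths."""
    chains = {}
    for cells in parse_rows(table):
        desc, process, target = cells[0], cells[2], cells[3]
        m = INJECT_RE.match(desc)
        if not m:
            continue
        key = (int(m.group(1)), int(m.group(3)))
        chain = chains.setdefault(key, {"source": process, "target": target, "ops": Counter()})
        chain["ops"][m.group(2)] += 1
    return chains


def verdict(chain):
    """Memory write plus thread-context change from one parent into one child is the hollowing shape."""
    ops = chain["ops"]
    if "set thread context of" in ops and "wrote to memory of" in ops:
        return "process hollowing candidate (ATT&CK T1055.012)"
    return "partial injection evidence"


def network_iocs(table, resolver_port=53):
    """Count (ip, port, proto) hits that are neither DNS lookups nor allowlisted OS noise."""
    hits = Counter()
    for cells in parse_rows(table):
        dest = cells[1]
        # Tolerate the shifted layout: proto is whichever trailing cell says tcp/udp.
        proto = next((c for c in cells[2:] if c in ("tcp", "udp")), "")
        domain = next((c for c in cells[2:] if c and c not in ("tcp", "udp")), "")
        ip, _, port = dest.rpartition(":")
        port = int(port)
        if proto == "udp" and port == resolver_port:
            continue  # resolver traffic; the queried names are noise here
        if domain.endswith(BENIGN_SUFFIXES):
            continue
        hits[(ip, port, proto)] += 1
    return hits


if __name__ == "__main__":
    for (src, dst), chain in injection_chains(SIGNATURE_TABLE).items():
        print(f"PID {src} -> PID {dst}: {chain['source']} -> {chain['target']}")
        print(f"  {verdict(chain)}  {dict(chain['ops'])}")
    for (ip, port, proto), n in network_iocs(NETWORK_TABLE).items():
        print(f"C2 candidate {ip}:{port}/{proto} ({n} connections)")
```

Run against the full behavioral1 table the same way (PIDs 1996 and 2728) and the chain reduces to SetThreadContext only, because that detonation's WriteProcessMemory table is empty in the report; the verdict helper deliberately downgrades that to partial evidence rather than assuming the write happened.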
Files
memory/464-0-0x0000000000400000-0x0000000000573000-memory.dmp
memory/464-1-0x0000000002320000-0x0000000002380000-memory.dmp
memory/464-15-0x0000000003490000-0x0000000003491000-memory.dmp
memory/464-50-0x0000000002480000-0x0000000002481000-memory.dmp
memory/464-49-0x0000000003490000-0x0000000003491000-memory.dmp
memory/464-48-0x00000000034D0000-0x00000000034D1000-memory.dmp
memory/464-47-0x00000000034D0000-0x00000000034D1000-memory.dmp
memory/464-46-0x00000000034D0000-0x00000000034D1000-memory.dmp
memory/464-45-0x00000000034A0000-0x00000000034A1000-memory.dmp
memory/464-44-0x00000000034B0000-0x00000000034B1000-memory.dmp
memory/464-43-0x00000000034C0000-0x00000000034C1000-memory.dmp
memory/464-42-0x00000000022C0000-0x00000000022C1000-memory.dmp
memory/464-41-0x00000000034D0000-0x00000000034D1000-memory.dmp
memory/464-40-0x00000000034D0000-0x00000000034D1000-memory.dmp
memory/464-39-0x00000000034D0000-0x00000000034D1000-memory.dmp
memory/464-38-0x00000000034D0000-0x00000000034D1000-memory.dmp
memory/464-37-0x00000000034D0000-0x00000000034D1000-memory.dmp
memory/464-36-0x00000000034D0000-0x00000000034D1000-memory.dmp
memory/464-35-0x00000000034D0000-0x00000000034D1000-memory.dmp
memory/464-34-0x00000000034D0000-0x00000000034D1000-memory.dmp
memory/464-33-0x00000000034D0000-0x00000000034D1000-memory.dmp
memory/464-32-0x00000000034D0000-0x00000000034D1000-memory.dmp
memory/464-31-0x00000000034D0000-0x00000000034D1000-memory.dmp
memory/464-30-0x00000000034D0000-0x00000000034D1000-memory.dmp
memory/464-29-0x00000000034D0000-0x00000000034D1000-memory.dmp
memory/464-28-0x00000000034D0000-0x00000000034D1000-memory.dmp
memory/464-27-0x00000000034D0000-0x00000000034D1000-memory.dmp
memory/464-26-0x00000000034D0000-0x00000000034D1000-memory.dmp
memory/464-25-0x00000000034D0000-0x00000000034D1000-memory.dmp
memory/464-24-0x00000000034D0000-0x00000000034D1000-memory.dmp
memory/464-23-0x00000000034D0000-0x00000000034D1000-memory.dmp
memory/464-22-0x00000000034D0000-0x00000000034D1000-memory.dmp
memory/464-21-0x0000000003480000-0x0000000003483000-memory.dmp
memory/464-20-0x0000000003480000-0x0000000003481000-memory.dmp
memory/464-19-0x0000000003480000-0x0000000003481000-memory.dmp
memory/464-18-0x0000000003480000-0x0000000003481000-memory.dmp
memory/464-17-0x0000000003480000-0x0000000003481000-memory.dmp
memory/464-16-0x0000000003480000-0x0000000003481000-memory.dmp
memory/464-14-0x0000000003490000-0x0000000003491000-memory.dmp
memory/464-13-0x0000000003490000-0x0000000003491000-memory.dmp
memory/464-12-0x0000000003490000-0x0000000003491000-memory.dmp
memory/464-11-0x0000000003490000-0x0000000003491000-memory.dmp
memory/464-10-0x0000000003490000-0x0000000003491000-memory.dmp
memory/464-9-0x0000000003490000-0x0000000003491000-memory.dmp
memory/464-8-0x0000000003490000-0x0000000003491000-memory.dmp
memory/464-7-0x00000000025E0000-0x00000000025E1000-memory.dmp
memory/464-6-0x00000000025C0000-0x00000000025C1000-memory.dmp
memory/464-5-0x0000000002570000-0x0000000002571000-memory.dmp
memory/464-4-0x0000000002550000-0x0000000002551000-memory.dmp
memory/464-3-0x00000000025A0000-0x00000000025A1000-memory.dmp
memory/464-2-0x0000000002590000-0x0000000002591000-memory.dmp
memory/760-52-0x0000000000400000-0x0000000000420000-memory.dmp
memory/464-59-0x0000000002320000-0x0000000002380000-memory.dmp
memory/464-58-0x0000000000400000-0x0000000000573000-memory.dmp
memory/760-60-0x0000000005EE0000-0x00000000064F8000-memory.dmp
memory/760-61-0x0000000005980000-0x0000000005992000-memory.dmp
memory/760-62-0x0000000005AB0000-0x0000000005BBA000-memory.dmp
memory/760-63-0x00000000059E0000-0x0000000005A1C000-memory.dmp
memory/760-64-0x0000000005A20000-0x0000000005A6C000-memory.dmp