Analysis Overview
SHA256
644770baab7ff1c25fde1ea6c43be23c49989cf5699308460371773cde18bf2d
Threat Level: Known bad
The file 644770baab7ff1c25fde1ea6c43be23c49989cf5699308460371773cde18bf2d was found to be: Known bad.
Malicious Activity Summary
RedLine
RedLine payload
Suspicious use of SetThreadContext
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-07-13 11:58
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-13 11:58
Reported
2024-07-13 12:01
Platform
win10v2004-20240709-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4264 set thread context of 3640 | N/A | C:\Users\Admin\AppData\Local\Temp\644770baab7ff1c25fde1ea6c43be23c49989cf5699308460371773cde18bf2d.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\644770baab7ff1c25fde1ea6c43be23c49989cf5699308460371773cde18bf2d.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\644770baab7ff1c25fde1ea6c43be23c49989cf5699308460371773cde18bf2d.exe
"C:\Users\Admin\AppData\Local\Temp\644770baab7ff1c25fde1ea6c43be23c49989cf5699308460371773cde18bf2d.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.99.105.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | amrican-sport-live-stream.cc | udp |
| US | 8.8.8.8:53 | amrican-sport-live-stream.cc | udp |
| US | 8.8.8.8:53 | amrican-sport-live-stream.cc | udp |
| US | 8.8.8.8:53 | amrican-sport-live-stream.cc | udp |
| US | 8.8.8.8:53 | amrican-sport-live-stream.cc | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | amrican-sport-live-stream.cc | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | amrican-sport-live-stream.cc | udp |
| US | 8.8.8.8:53 | amrican-sport-live-stream.cc | udp |
| US | 8.8.8.8:53 | amrican-sport-live-stream.cc | udp |
| US | 8.8.8.8:53 | amrican-sport-live-stream.cc | udp |
| US | 8.8.8.8:53 | amrican-sport-live-stream.cc | udp |
| US | 8.8.8.8:53 | amrican-sport-live-stream.cc | udp |
| US | 8.8.8.8:53 | amrican-sport-live-stream.cc | udp |
| US | 8.8.8.8:53 | amrican-sport-live-stream.cc | udp |
| US | 8.8.8.8:53 | amrican-sport-live-stream.cc | udp |
| US | 8.8.8.8:53 | amrican-sport-live-stream.cc | udp |
| US | 8.8.8.8:53 | amrican-sport-live-stream.cc | udp |
| US | 8.8.8.8:53 | amrican-sport-live-stream.cc | udp |
| US | 8.8.8.8:53 | amrican-sport-live-stream.cc | udp |
| US | 8.8.8.8:53 | amrican-sport-live-stream.cc | udp |
| US | 8.8.8.8:53 | amrican-sport-live-stream.cc | udp |
| US | 8.8.8.8:53 | amrican-sport-live-stream.cc | udp |
| US | 8.8.8.8:53 | amrican-sport-live-stream.cc | udp |
| US | 8.8.8.8:53 | amrican-sport-live-stream.cc | udp |
| US | 8.8.8.8:53 | amrican-sport-live-stream.cc | udp |
| US | 8.8.8.8:53 | amrican-sport-live-stream.cc | udp |
Files
memory/4264-0-0x0000000074BCE000-0x0000000074BCF000-memory.dmp
memory/4264-1-0x00000000003A0000-0x00000000005A8000-memory.dmp
memory/4264-2-0x0000000004EB0000-0x0000000004FB0000-memory.dmp
memory/4264-12-0x0000000004EB0000-0x0000000004FAA000-memory.dmp
memory/4264-14-0x0000000004EB0000-0x0000000004FAA000-memory.dmp
memory/4264-66-0x0000000004EB0000-0x0000000004FAA000-memory.dmp
memory/4264-64-0x0000000004EB0000-0x0000000004FAA000-memory.dmp
memory/4264-60-0x0000000004EB0000-0x0000000004FAA000-memory.dmp
memory/4264-58-0x0000000004EB0000-0x0000000004FAA000-memory.dmp
memory/4264-56-0x0000000004EB0000-0x0000000004FAA000-memory.dmp
memory/4264-54-0x0000000004EB0000-0x0000000004FAA000-memory.dmp
memory/4264-52-0x0000000004EB0000-0x0000000004FAA000-memory.dmp
memory/4264-48-0x0000000004EB0000-0x0000000004FAA000-memory.dmp
memory/4264-46-0x0000000004EB0000-0x0000000004FAA000-memory.dmp
memory/4264-44-0x0000000004EB0000-0x0000000004FAA000-memory.dmp
memory/4264-42-0x0000000004EB0000-0x0000000004FAA000-memory.dmp
memory/4264-40-0x0000000004EB0000-0x0000000004FAA000-memory.dmp
memory/4264-36-0x0000000004EB0000-0x0000000004FAA000-memory.dmp
memory/4264-34-0x0000000004EB0000-0x0000000004FAA000-memory.dmp
memory/4264-32-0x0000000004EB0000-0x0000000004FAA000-memory.dmp
memory/4264-30-0x0000000004EB0000-0x0000000004FAA000-memory.dmp
memory/4264-28-0x0000000004EB0000-0x0000000004FAA000-memory.dmp
memory/4264-26-0x0000000004EB0000-0x0000000004FAA000-memory.dmp
memory/4264-24-0x0000000004EB0000-0x0000000004FAA000-memory.dmp
memory/4264-22-0x0000000004EB0000-0x0000000004FAA000-memory.dmp
memory/4264-20-0x0000000004EB0000-0x0000000004FAA000-memory.dmp
memory/4264-16-0x0000000004EB0000-0x0000000004FAA000-memory.dmp
memory/4264-10-0x0000000004EB0000-0x0000000004FAA000-memory.dmp
memory/4264-8-0x0000000004EB0000-0x0000000004FAA000-memory.dmp
memory/4264-62-0x0000000004EB0000-0x0000000004FAA000-memory.dmp
memory/4264-50-0x0000000004EB0000-0x0000000004FAA000-memory.dmp
memory/4264-38-0x0000000004EB0000-0x0000000004FAA000-memory.dmp
memory/4264-4-0x0000000004EB0000-0x0000000004FAA000-memory.dmp
memory/4264-18-0x0000000004EB0000-0x0000000004FAA000-memory.dmp
memory/4264-3-0x0000000004EB0000-0x0000000004FAA000-memory.dmp
memory/4264-6-0x0000000004EB0000-0x0000000004FAA000-memory.dmp
memory/4264-2443-0x0000000074BC0000-0x0000000075370000-memory.dmp
memory/4264-2444-0x0000000005180000-0x0000000005212000-memory.dmp
memory/4264-2445-0x0000000005210000-0x0000000005232000-memory.dmp
memory/4264-2446-0x00000000054E0000-0x0000000005834000-memory.dmp
memory/4264-2447-0x00000000052E0000-0x0000000005346000-memory.dmp
memory/4264-2448-0x0000000033CB0000-0x0000000033D42000-memory.dmp
memory/4264-2449-0x0000000034300000-0x00000000348A4000-memory.dmp
memory/3640-2452-0x0000000000400000-0x0000000000460000-memory.dmp
memory/4264-2453-0x0000000074BC0000-0x0000000075370000-memory.dmp
memory/3640-2455-0x0000000002880000-0x0000000002886000-memory.dmp
memory/3640-2454-0x0000000074BC0000-0x0000000075370000-memory.dmp
memory/3640-2456-0x0000000074BC0000-0x0000000075370000-memory.dmp
memory/3640-2457-0x0000000005870000-0x0000000005E88000-memory.dmp
memory/3640-2458-0x0000000005360000-0x000000000546A000-memory.dmp
memory/3640-2459-0x0000000005290000-0x00000000052A2000-memory.dmp
memory/3640-2460-0x00000000052F0000-0x000000000532C000-memory.dmp
memory/3640-2461-0x0000000005470000-0x00000000054BC000-memory.dmp
memory/3640-2462-0x0000000074BC0000-0x0000000075370000-memory.dmp
memory/3640-2463-0x0000000074BC0000-0x0000000075370000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-13 11:58
Reported
2024-07-13 12:01
Platform
win11-20240709-en
Max time kernel
148s
Max time network
149s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4584 set thread context of 5104 | N/A | C:\Users\Admin\AppData\Local\Temp\644770baab7ff1c25fde1ea6c43be23c49989cf5699308460371773cde18bf2d.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\644770baab7ff1c25fde1ea6c43be23c49989cf5699308460371773cde18bf2d.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\644770baab7ff1c25fde1ea6c43be23c49989cf5699308460371773cde18bf2d.exe
"C:\Users\Admin\AppData\Local\Temp\644770baab7ff1c25fde1ea6c43be23c49989cf5699308460371773cde18bf2d.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | amrican-sport-live-stream.cc | udp |
| US | 8.8.8.8:53 | amrican-sport-live-stream.cc | udp |
| IE | 52.111.236.23:443 | | tcp |
| US | 8.8.8.8:53 | amrican-sport-live-stream.cc | udp |
| US | 8.8.8.8:53 | amrican-sport-live-stream.cc | udp |
| US | 8.8.8.8:53 | amrican-sport-live-stream.cc | udp |
Files
memory/4584-0-0x000000007511E000-0x000000007511F000-memory.dmp
memory/4584-1-0x0000000000710000-0x0000000000918000-memory.dmp
memory/4584-2-0x0000000005330000-0x0000000005430000-memory.dmp
memory/4584-35-0x0000000005330000-0x000000000542A000-memory.dmp
memory/4584-12-0x0000000005330000-0x000000000542A000-memory.dmp
memory/4584-66-0x0000000005330000-0x000000000542A000-memory.dmp
memory/4584-60-0x0000000005330000-0x000000000542A000-memory.dmp
memory/4584-58-0x0000000005330000-0x000000000542A000-memory.dmp
memory/4584-56-0x0000000005330000-0x000000000542A000-memory.dmp
memory/4584-54-0x0000000005330000-0x000000000542A000-memory.dmp
memory/4584-52-0x0000000005330000-0x000000000542A000-memory.dmp
memory/4584-50-0x0000000005330000-0x000000000542A000-memory.dmp
memory/4584-48-0x0000000005330000-0x000000000542A000-memory.dmp
memory/4584-46-0x0000000005330000-0x000000000542A000-memory.dmp
memory/4584-44-0x0000000005330000-0x000000000542A000-memory.dmp
memory/4584-43-0x0000000005330000-0x000000000542A000-memory.dmp
memory/4584-38-0x0000000005330000-0x000000000542A000-memory.dmp
memory/4584-36-0x0000000005330000-0x000000000542A000-memory.dmp
memory/4584-32-0x0000000005330000-0x000000000542A000-memory.dmp
memory/4584-28-0x0000000005330000-0x000000000542A000-memory.dmp
memory/4584-26-0x0000000005330000-0x000000000542A000-memory.dmp
memory/4584-25-0x0000000005330000-0x000000000542A000-memory.dmp
memory/4584-22-0x0000000005330000-0x000000000542A000-memory.dmp
memory/4584-20-0x0000000005330000-0x000000000542A000-memory.dmp
memory/4584-18-0x0000000005330000-0x000000000542A000-memory.dmp
memory/4584-16-0x0000000005330000-0x000000000542A000-memory.dmp
memory/4584-14-0x0000000005330000-0x000000000542A000-memory.dmp
memory/4584-10-0x0000000005330000-0x000000000542A000-memory.dmp
memory/4584-8-0x0000000005330000-0x000000000542A000-memory.dmp
memory/4584-6-0x0000000005330000-0x000000000542A000-memory.dmp
memory/4584-64-0x0000000005330000-0x000000000542A000-memory.dmp
memory/4584-62-0x0000000005330000-0x000000000542A000-memory.dmp
memory/4584-40-0x0000000005330000-0x000000000542A000-memory.dmp
memory/4584-30-0x0000000005330000-0x000000000542A000-memory.dmp
memory/4584-4-0x0000000005330000-0x000000000542A000-memory.dmp
memory/4584-3-0x0000000005330000-0x000000000542A000-memory.dmp
memory/4584-2443-0x0000000075110000-0x00000000758C1000-memory.dmp
memory/4584-2444-0x0000000005540000-0x00000000055D2000-memory.dmp
memory/4584-2445-0x0000000005610000-0x0000000005632000-memory.dmp
memory/4584-2446-0x0000000005910000-0x0000000005C67000-memory.dmp
memory/4584-2447-0x0000000005710000-0x0000000005776000-memory.dmp
memory/4584-2448-0x00000000310D0000-0x0000000031162000-memory.dmp
memory/4584-2449-0x0000000031720000-0x0000000031CC6000-memory.dmp
memory/4584-2453-0x0000000075110000-0x00000000758C1000-memory.dmp
memory/5104-2455-0x0000000075110000-0x00000000758C1000-memory.dmp
memory/5104-2454-0x0000000002990000-0x0000000002996000-memory.dmp
memory/5104-2452-0x0000000000400000-0x0000000000460000-memory.dmp
memory/5104-2456-0x0000000005810000-0x0000000005E28000-memory.dmp
memory/5104-2457-0x0000000005360000-0x000000000546A000-memory.dmp
memory/5104-2458-0x0000000005290000-0x00000000052A2000-memory.dmp
memory/5104-2459-0x00000000052F0000-0x000000000532C000-memory.dmp
memory/5104-2460-0x0000000075110000-0x00000000758C1000-memory.dmp
memory/5104-2461-0x0000000005470000-0x00000000054BC000-memory.dmp
memory/5104-2462-0x0000000075110000-0x00000000758C1000-memory.dmp
memory/5104-2463-0x0000000075110000-0x00000000758C1000-memory.dmp