Analysis Overview
SHA256
1eae8264ef6827178364adbe9650d4eec1e791ec327f803aea1ea32fb502133e
Threat Level: Known bad
The file 1eae8264ef6827178364adbe9650d4eec1e791ec327f803aea1ea32fb502133e was found to be: Known bad.
Malicious Activity Summary
RedLine
RedLine payload
Suspicious use of SetThreadContext
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-07-13 11:43
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-13 11:43
Reported
2024-07-13 11:46
Platform
win10v2004-20240709-en
Max time kernel
148s
Max time network
150s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4332 set thread context of 1164 | N/A | C:\Users\Admin\AppData\Local\Temp\1eae8264ef6827178364adbe9650d4eec1e791ec327f803aea1ea32fb502133e.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1eae8264ef6827178364adbe9650d4eec1e791ec327f803aea1ea32fb502133e.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\1eae8264ef6827178364adbe9650d4eec1e791ec327f803aea1ea32fb502133e.exe
"C:\Users\Admin\AppData\Local\Temp\1eae8264ef6827178364adbe9650d4eec1e791ec327f803aea1ea32fb502133e.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | amrican-sport-live-stream.cc | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | amrican-sport-live-stream.cc | udp |
| US | 8.8.8.8:53 | amrican-sport-live-stream.cc | udp |
| US | 8.8.8.8:53 | amrican-sport-live-stream.cc | udp |
| US | 8.8.8.8:53 | amrican-sport-live-stream.cc | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | amrican-sport-live-stream.cc | udp |
| US | 8.8.8.8:53 | amrican-sport-live-stream.cc | udp |
| US | 8.8.8.8:53 | amrican-sport-live-stream.cc | udp |
| US | 8.8.8.8:53 | amrican-sport-live-stream.cc | udp |
| US | 8.8.8.8:53 | amrican-sport-live-stream.cc | udp |
| US | 8.8.8.8:53 | amrican-sport-live-stream.cc | udp |
| US | 8.8.8.8:53 | amrican-sport-live-stream.cc | udp |
| US | 8.8.8.8:53 | amrican-sport-live-stream.cc | udp |
| US | 8.8.8.8:53 | amrican-sport-live-stream.cc | udp |
| US | 8.8.8.8:53 | amrican-sport-live-stream.cc | udp |
| US | 8.8.8.8:53 | amrican-sport-live-stream.cc | udp |
| US | 8.8.8.8:53 | amrican-sport-live-stream.cc | udp |
| US | 8.8.8.8:53 | amrican-sport-live-stream.cc | udp |
| US | 8.8.8.8:53 | amrican-sport-live-stream.cc | udp |
| US | 8.8.8.8:53 | amrican-sport-live-stream.cc | udp |
| US | 8.8.8.8:53 | amrican-sport-live-stream.cc | udp |
| US | 8.8.8.8:53 | amrican-sport-live-stream.cc | udp |
Files
memory/4332-0-0x000000007458E000-0x000000007458F000-memory.dmp
memory/4332-1-0x0000000000B10000-0x0000000000D34000-memory.dmp
memory/4332-2-0x0000000005BD0000-0x0000000006174000-memory.dmp
memory/4332-3-0x0000000005880000-0x0000000005912000-memory.dmp
memory/4332-4-0x0000000006390000-0x000000000639A000-memory.dmp
memory/4332-5-0x0000000074580000-0x0000000074D30000-memory.dmp
memory/4332-6-0x00000000063A0000-0x0000000006564000-memory.dmp
memory/4332-15-0x00000000063A0000-0x000000000655F000-memory.dmp
memory/4332-28-0x00000000063A0000-0x000000000655F000-memory.dmp
memory/4332-42-0x00000000063A0000-0x000000000655F000-memory.dmp
memory/4332-44-0x00000000063A0000-0x000000000655F000-memory.dmp
memory/4332-66-0x00000000063A0000-0x000000000655F000-memory.dmp
memory/4332-70-0x00000000063A0000-0x000000000655F000-memory.dmp
memory/4332-68-0x00000000063A0000-0x000000000655F000-memory.dmp
memory/4332-64-0x00000000063A0000-0x000000000655F000-memory.dmp
memory/4332-62-0x00000000063A0000-0x000000000655F000-memory.dmp
memory/4332-60-0x00000000063A0000-0x000000000655F000-memory.dmp
memory/4332-58-0x00000000063A0000-0x000000000655F000-memory.dmp
memory/4332-56-0x00000000063A0000-0x000000000655F000-memory.dmp
memory/4332-54-0x00000000063A0000-0x000000000655F000-memory.dmp
memory/4332-50-0x00000000063A0000-0x000000000655F000-memory.dmp
memory/4332-48-0x00000000063A0000-0x000000000655F000-memory.dmp
memory/4332-46-0x00000000063A0000-0x000000000655F000-memory.dmp
memory/4332-41-0x00000000063A0000-0x000000000655F000-memory.dmp
memory/4332-36-0x00000000063A0000-0x000000000655F000-memory.dmp
memory/4332-52-0x00000000063A0000-0x000000000655F000-memory.dmp
memory/4332-38-0x00000000063A0000-0x000000000655F000-memory.dmp
memory/4332-34-0x00000000063A0000-0x000000000655F000-memory.dmp
memory/4332-32-0x00000000063A0000-0x000000000655F000-memory.dmp
memory/4332-26-0x00000000063A0000-0x000000000655F000-memory.dmp
memory/4332-24-0x00000000063A0000-0x000000000655F000-memory.dmp
memory/4332-22-0x00000000063A0000-0x000000000655F000-memory.dmp
memory/4332-20-0x00000000063A0000-0x000000000655F000-memory.dmp
memory/4332-18-0x00000000063A0000-0x000000000655F000-memory.dmp
memory/4332-16-0x00000000063A0000-0x000000000655F000-memory.dmp
memory/4332-12-0x00000000063A0000-0x000000000655F000-memory.dmp
memory/4332-10-0x00000000063A0000-0x000000000655F000-memory.dmp
memory/4332-7-0x00000000063A0000-0x000000000655F000-memory.dmp
memory/4332-30-0x00000000063A0000-0x000000000655F000-memory.dmp
memory/4332-8-0x00000000063A0000-0x000000000655F000-memory.dmp
memory/4332-11967-0x0000000006730000-0x0000000006752000-memory.dmp
memory/4332-11968-0x0000000006820000-0x0000000006B74000-memory.dmp
memory/4332-11969-0x000000003D450000-0x000000003D4B6000-memory.dmp
memory/1164-11972-0x0000000000400000-0x0000000000444000-memory.dmp
memory/1164-11974-0x00000000023B0000-0x00000000023B6000-memory.dmp
memory/4332-11973-0x0000000074580000-0x0000000074D30000-memory.dmp
memory/1164-11975-0x0000000074580000-0x0000000074D30000-memory.dmp
memory/1164-11976-0x0000000074580000-0x0000000074D30000-memory.dmp
memory/1164-11978-0x0000000004A10000-0x0000000004A22000-memory.dmp
memory/1164-11977-0x0000000004F90000-0x00000000055A8000-memory.dmp
memory/1164-11979-0x0000000004B40000-0x0000000004C4A000-memory.dmp
memory/1164-11980-0x0000000004A70000-0x0000000004AAC000-memory.dmp
memory/1164-11981-0x0000000004AD0000-0x0000000004B1C000-memory.dmp
memory/1164-11982-0x0000000074580000-0x0000000074D30000-memory.dmp
memory/1164-11983-0x0000000074580000-0x0000000074D30000-memory.dmp
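The behavioral1 run above is the classic RedLine loader chain: the unsigned dropper takes SeDebugPrivilege, writes into a freshly spawned RegAsm.exe (a signed .NET framework host) and redirects a thread there with SetThreadContext, then the injected process repeatedly looks up amrican-sport-live-stream.cc without ever opening a connection to it. The following is an added triage helper written by the editor for this page; it is not part of the original sandbox report or the vendor's tooling. Its inputs are transcribed from the tables above (network rows and memory dump names are excerpts), the list of commonly hollowed .NET hosts is the editor's own assumption, and the reading of the 0x400000 region in PID 1164 as the written-in payload is an inference, not something the report states.

```python
"""Triage helpers for the behavioral1 run on this page.

Added example by the editor; not part of the original sandbox report or the
vendor's tooling. Inputs are transcribed from the report (network rows and
dump names are excerpts); the classification rules are the editor's own.
"""
import re
from collections import defaultdict

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\1eae8264ef6827178364adbe9650d4eec1e791ec327f803aea1ea32fb502133e.exe")
REGASM = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

# Signature rows as (signature, description, process, target), from the report.
SIGNATURES = [
    ("Suspicious use of SetThreadContext", "PID 4332 set thread context of 1164", SAMPLE, REGASM),
    ("Suspicious use of AdjustPrivilegeToken", "Token: SeDebugPrivilege", SAMPLE, None),
]

# Network rows as (country, destination, domain, proto); an excerpt of the table.
NETWORK = [
    ("US", "8.8.8.8:53", "g.bing.com", "udp"),
    ("US", "13.107.21.237:443", "g.bing.com", "tcp"),
    ("US", "8.8.8.8:53", "138.32.126.40.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "amrican-sport-live-stream.cc", "udp"),
    ("US", "8.8.8.8:53", "amrican-sport-live-stream.cc", "udp"),
    ("US", "8.8.8.8:53", "amrican-sport-live-stream.cc", "udp"),
]

# Memory dump names from the Files list (excerpt).
DUMPS = [
    "memory/4332-1-0x0000000000B10000-0x0000000000D34000-memory.dmp",
    "memory/4332-5-0x0000000074580000-0x0000000074D30000-memory.dmp",
    "memory/4332-11969-0x000000003D450000-0x000000003D4B6000-memory.dmp",
    "memory/1164-11972-0x0000000000400000-0x0000000000444000-memory.dmp",
    "memory/1164-11974-0x00000000023B0000-0x00000000023B6000-memory.dmp",
    "memory/1164-11975-0x0000000074580000-0x0000000074D30000-memory.dmp",
]

# Signed .NET framework hosts commonly chosen as hollowing targets (editor's list, an assumption).
HOLLOWING_HOSTS = {"regasm.exe", "regsvcs.exe", "installutil.exe",
                   "aspnet_compiler.exe", "vbc.exe", "csc.exe"}

CTX_RE = re.compile(r"PID (\d+) set thread context of (\d+)")
DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


def injection_pairs(signatures):
    """Return (src_pid, dst_pid, target_basename, likely_hollowing) for each
    SetThreadContext row. A context change into a freshly spawned framework
    host is the hollowing tell; WriteProcessMemory on its own is too noisy."""
    out = []
    for sig, desc, _proc, target in signatures:
        m = CTX_RE.match(desc or "")
        if sig != "Suspicious use of SetThreadContext" or not m or not target:
            continue
        base = target.rsplit("\\", 1)[-1].lower()
        out.append((int(m.group(1)), int(m.group(2)), base, base in HOLLOWING_HOSTS))
    return out


def dns_only_domains(rows):
    """Domains that were looked up but never appear as a connection destination.
    Reverse lookups are dropped. The report does not record the DNS answer, so
    this means 'never contacted', not necessarily NXDOMAIN or a sinkhole."""
    queried, contacted = set(), set()
    for _country, dest, domain, proto in rows:
        if proto == "udp" and dest.endswith(":53"):
            if not domain.endswith(".in-addr.arpa"):
                queried.add(domain)
        else:
            contacted.add(domain)
    return sorted(queried - contacted)


def query_count(rows, domain):
    """How many DNS lookups a domain received; repeated lookups with no
    follow-up connection are the beaconing pattern seen above."""
    return sum(1 for _c, dest, d, proto in rows
               if d == domain and proto == "udp" and dest.endswith(":53"))


def regions_by_pid(names):
    out = defaultdict(set)
    for name in names:
        m = DUMP_RE.match(name)
        if not m:
            raise ValueError(f"unexpected dump name: {name}")
        pid, _seq, start, end = m.groups()
        out[int(pid)].add((int(start, 16), int(end, 16)))
    return out


def regions_only_in(names, pid, other):
    """Regions dumped from `pid` that were never dumped from `other`. Shared
    ranges (the CLR mapping at 0x74580000) fall out; a region at 0x400000, the
    default 32-bit PE image base, left in the child is consistent with a
    payload written into the hollowed host (inference, not stated by the report)."""
    by_pid = regions_by_pid(names)
    return sorted(by_pid[pid] - by_pid[other])


if __name__ == "__main__":
    print(injection_pairs(SIGNATURES))
    print(dns_only_domains(NETWORK), query_count(NETWORK, "amrican-sport-live-stream.cc"))
    for start, end in regions_only_in(DUMPS, 1164, 4332):
        print(f"PID 1164 only: 0x{start:08X}-0x{end:08X} ({end - start:#x} bytes)")
```

The same functions apply unchanged to the behavioral2 run below (PIDs 1160 and 768, CLR mapping at 0x749D0000); the smaller region list there is only because the Windows 11 run dumped fewer ranges, not because the chain differs.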
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-13 11:43
Reported
2024-07-13 11:46
Platform
win11-20240709-en
Max time kernel
147s
Max time network
150s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1160 set thread context of 768 | N/A | C:\Users\Admin\AppData\Local\Temp\1eae8264ef6827178364adbe9650d4eec1e791ec327f803aea1ea32fb502133e.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1eae8264ef6827178364adbe9650d4eec1e791ec327f803aea1ea32fb502133e.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\1eae8264ef6827178364adbe9650d4eec1e791ec327f803aea1ea32fb502133e.exe
"C:\Users\Admin\AppData\Local\Temp\1eae8264ef6827178364adbe9650d4eec1e791ec327f803aea1ea32fb502133e.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | amrican-sport-live-stream.cc | udp |
Files
memory/1160-0-0x00000000749DE000-0x00000000749DF000-memory.dmp
memory/1160-1-0x0000000000460000-0x0000000000684000-memory.dmp
memory/1160-2-0x00000000054C0000-0x0000000005A66000-memory.dmp
memory/1160-3-0x0000000005160000-0x00000000051F2000-memory.dmp
memory/1160-4-0x0000000005390000-0x000000000539A000-memory.dmp
memory/1160-5-0x00000000749D0000-0x0000000075181000-memory.dmp
memory/1160-6-0x0000000005DD0000-0x0000000005F94000-memory.dmp
memory/1160-8-0x0000000005DD0000-0x0000000005F8F000-memory.dmp
memory/1160-10-0x0000000005DD0000-0x0000000005F8F000-memory.dmp
memory/1160-34-0x0000000005DD0000-0x0000000005F8F000-memory.dmp
memory/1160-46-0x0000000005DD0000-0x0000000005F8F000-memory.dmp
memory/1160-60-0x0000000005DD0000-0x0000000005F8F000-memory.dmp
memory/1160-58-0x0000000005DD0000-0x0000000005F8F000-memory.dmp
memory/1160-56-0x0000000005DD0000-0x0000000005F8F000-memory.dmp
memory/1160-71-0x0000000005DD0000-0x0000000005F8F000-memory.dmp
memory/1160-68-0x0000000005DD0000-0x0000000005F8F000-memory.dmp
memory/1160-66-0x0000000005DD0000-0x0000000005F8F000-memory.dmp
memory/1160-64-0x0000000005DD0000-0x0000000005F8F000-memory.dmp
memory/1160-63-0x0000000005DD0000-0x0000000005F8F000-memory.dmp
memory/1160-54-0x0000000005DD0000-0x0000000005F8F000-memory.dmp
memory/1160-52-0x0000000005DD0000-0x0000000005F8F000-memory.dmp
memory/1160-50-0x0000000005DD0000-0x0000000005F8F000-memory.dmp
memory/1160-48-0x0000000005DD0000-0x0000000005F8F000-memory.dmp
memory/1160-42-0x0000000005DD0000-0x0000000005F8F000-memory.dmp
memory/1160-40-0x0000000005DD0000-0x0000000005F8F000-memory.dmp
memory/1160-38-0x0000000005DD0000-0x0000000005F8F000-memory.dmp
memory/1160-36-0x0000000005DD0000-0x0000000005F8F000-memory.dmp
memory/1160-44-0x0000000005DD0000-0x0000000005F8F000-memory.dmp
memory/1160-32-0x0000000005DD0000-0x0000000005F8F000-memory.dmp
memory/1160-30-0x0000000005DD0000-0x0000000005F8F000-memory.dmp
memory/1160-28-0x0000000005DD0000-0x0000000005F8F000-memory.dmp
memory/1160-26-0x0000000005DD0000-0x0000000005F8F000-memory.dmp
memory/1160-24-0x0000000005DD0000-0x0000000005F8F000-memory.dmp
memory/1160-22-0x0000000005DD0000-0x0000000005F8F000-memory.dmp
memory/1160-20-0x0000000005DD0000-0x0000000005F8F000-memory.dmp
memory/1160-18-0x0000000005DD0000-0x0000000005F8F000-memory.dmp
memory/1160-16-0x0000000005DD0000-0x0000000005F8F000-memory.dmp
memory/1160-14-0x0000000005DD0000-0x0000000005F8F000-memory.dmp
memory/1160-12-0x0000000005DD0000-0x0000000005F8F000-memory.dmp
memory/1160-7-0x0000000005DD0000-0x0000000005F8F000-memory.dmp
memory/1160-11967-0x0000000005480000-0x00000000054A2000-memory.dmp
memory/1160-11968-0x00000000060E0000-0x0000000006437000-memory.dmp
memory/1160-11969-0x000000003E850000-0x000000003E8B6000-memory.dmp
memory/768-11972-0x0000000000400000-0x0000000000444000-memory.dmp
memory/1160-11973-0x00000000749D0000-0x0000000075181000-memory.dmp
memory/768-11974-0x00000000749D0000-0x0000000075181000-memory.dmp
memory/768-11975-0x00000000026C0000-0x00000000026C6000-memory.dmp
memory/768-11976-0x00000000749D0000-0x0000000075181000-memory.dmp
memory/768-11977-0x0000000005490000-0x0000000005AA8000-memory.dmp
memory/768-11978-0x0000000004F00000-0x0000000004F12000-memory.dmp
memory/768-11979-0x0000000005030000-0x000000000513A000-memory.dmp
memory/768-11980-0x0000000004F60000-0x0000000004F9C000-memory.dmp
memory/768-11981-0x0000000004FC0000-0x000000000500C000-memory.dmp
memory/768-11982-0x00000000749D0000-0x0000000075181000-memory.dmp
memory/768-11983-0x00000000749D0000-0x0000000075181000-memory.dmp