Analysis Overview
SHA256
cb5be74fea917e24244f7b10ec4f838fcaedc1683af463868e2dd0f832ace0b4
Threat Level: Known bad
The file cb5be74fea917e24244f7b10ec4f838fcaedc1683af463868e2dd0f832ace0b4 was found to be: Known bad.
Malicious Activity Summary
RedLine
RedLine payload
Suspicious use of SetThreadContext
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-07-13 12:34
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-13 12:34
Reported
2024-07-13 12:36
Platform
win10v2004-20240704-en
Max time kernel
150s
Max time network
151s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2888 set thread context of 4076 | N/A | C:\Users\Admin\AppData\Local\Temp\cb5be74fea917e24244f7b10ec4f838fcaedc1683af463868e2dd0f832ace0b4.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\cb5be74fea917e24244f7b10ec4f838fcaedc1683af463868e2dd0f832ace0b4.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\cb5be74fea917e24244f7b10ec4f838fcaedc1683af463868e2dd0f832ace0b4.exe
"C:\Users\Admin\AppData\Local\Temp\cb5be74fea917e24244f7b10ec4f838fcaedc1683af463868e2dd0f832ace0b4.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | amrican-sport-live-stream.cc | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | amrican-sport-live-stream.cc | udp |
| US | 8.8.8.8:53 | amrican-sport-live-stream.cc | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | amrican-sport-live-stream.cc | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | amrican-sport-live-stream.cc | udp |
| US | 8.8.8.8:53 | amrican-sport-live-stream.cc | udp |
| US | 8.8.8.8:53 | amrican-sport-live-stream.cc | udp |
| US | 8.8.8.8:53 | amrican-sport-live-stream.cc | udp |
| US | 8.8.8.8:53 | amrican-sport-live-stream.cc | udp |
| US | 8.8.8.8:53 | amrican-sport-live-stream.cc | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | amrican-sport-live-stream.cc | udp |
| US | 8.8.8.8:53 | amrican-sport-live-stream.cc | udp |
| US | 8.8.8.8:53 | amrican-sport-live-stream.cc | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | amrican-sport-live-stream.cc | udp |
| US | 8.8.8.8:53 | amrican-sport-live-stream.cc | udp |
| US | 8.8.8.8:53 | amrican-sport-live-stream.cc | udp |
| US | 8.8.8.8:53 | amrican-sport-live-stream.cc | udp |
| US | 8.8.8.8:53 | amrican-sport-live-stream.cc | udp |
| US | 8.8.8.8:53 | amrican-sport-live-stream.cc | udp |
| US | 8.8.8.8:53 | amrican-sport-live-stream.cc | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | amrican-sport-live-stream.cc | udp |
| US | 8.8.8.8:53 | | udp |
Files
memory/2888-0-0x00007FFD437F0000-0x00007FFD439E5000-memory.dmp
memory/2888-1-0x0000000000E40000-0x00000000010A0000-memory.dmp
memory/2888-2-0x0000000005F60000-0x0000000006504000-memory.dmp
memory/2888-3-0x0000000005BF0000-0x0000000005C82000-memory.dmp
memory/2888-4-0x00007FFD437F0000-0x00007FFD439E5000-memory.dmp
memory/2888-5-0x0000000005E20000-0x0000000005E2A000-memory.dmp
memory/2888-6-0x0000000006800000-0x0000000006A04000-memory.dmp
memory/2888-8-0x0000000006800000-0x00000000069FD000-memory.dmp
memory/2888-18-0x0000000006800000-0x00000000069FD000-memory.dmp
memory/2888-66-0x0000000006800000-0x00000000069FD000-memory.dmp
memory/2888-70-0x0000000006800000-0x00000000069FD000-memory.dmp
memory/2888-68-0x0000000006800000-0x00000000069FD000-memory.dmp
memory/2888-64-0x0000000006800000-0x00000000069FD000-memory.dmp
memory/2888-62-0x0000000006800000-0x00000000069FD000-memory.dmp
memory/2888-58-0x0000000006800000-0x00000000069FD000-memory.dmp
memory/2888-56-0x0000000006800000-0x00000000069FD000-memory.dmp
memory/2888-54-0x0000000006800000-0x00000000069FD000-memory.dmp
memory/2888-52-0x0000000006800000-0x00000000069FD000-memory.dmp
memory/2888-50-0x0000000006800000-0x00000000069FD000-memory.dmp
memory/2888-48-0x0000000006800000-0x00000000069FD000-memory.dmp
memory/2888-44-0x0000000006800000-0x00000000069FD000-memory.dmp
memory/2888-60-0x0000000006800000-0x00000000069FD000-memory.dmp
memory/2888-46-0x0000000006800000-0x00000000069FD000-memory.dmp
memory/2888-42-0x0000000006800000-0x00000000069FD000-memory.dmp
memory/2888-38-0x0000000006800000-0x00000000069FD000-memory.dmp
memory/2888-36-0x0000000006800000-0x00000000069FD000-memory.dmp
memory/2888-34-0x0000000006800000-0x00000000069FD000-memory.dmp
memory/2888-32-0x0000000006800000-0x00000000069FD000-memory.dmp
memory/2888-30-0x0000000006800000-0x00000000069FD000-memory.dmp
memory/2888-28-0x0000000006800000-0x00000000069FD000-memory.dmp
memory/2888-26-0x0000000006800000-0x00000000069FD000-memory.dmp
memory/2888-24-0x0000000006800000-0x00000000069FD000-memory.dmp
memory/2888-22-0x0000000006800000-0x00000000069FD000-memory.dmp
memory/2888-16-0x0000000006800000-0x00000000069FD000-memory.dmp
memory/2888-14-0x0000000006800000-0x00000000069FD000-memory.dmp
memory/2888-12-0x0000000006800000-0x00000000069FD000-memory.dmp
memory/2888-10-0x0000000006800000-0x00000000069FD000-memory.dmp
memory/2888-40-0x0000000006800000-0x00000000069FD000-memory.dmp
memory/2888-20-0x0000000006800000-0x00000000069FD000-memory.dmp
memory/2888-7-0x0000000006800000-0x00000000069FD000-memory.dmp
memory/2888-13461-0x0000000006B30000-0x0000000006B52000-memory.dmp
memory/2888-13462-0x0000000006BD0000-0x0000000006F24000-memory.dmp
memory/2888-13463-0x000000003F5B0000-0x000000003F616000-memory.dmp
memory/2888-13466-0x00007FFD437F0000-0x00007FFD439E5000-memory.dmp
memory/4076-13468-0x00007FFD437F0000-0x00007FFD439E5000-memory.dmp
memory/4076-13469-0x0000000000F70000-0x0000000000F76000-memory.dmp
memory/4076-13467-0x0000000000400000-0x0000000000444000-memory.dmp
memory/4076-13470-0x00007FFD437F0000-0x00007FFD439E5000-memory.dmp
memory/4076-13471-0x00000000056E0000-0x0000000005CF8000-memory.dmp
memory/4076-13472-0x0000000005100000-0x0000000005112000-memory.dmp
memory/4076-13473-0x0000000005230000-0x000000000533A000-memory.dmp
memory/4076-13474-0x0000000005160000-0x000000000519C000-memory.dmp
memory/4076-13475-0x00000000051B0000-0x00000000051FC000-memory.dmp
memory/4076-13476-0x00007FFD437F0000-0x00007FFD439E5000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-13 12:34
Reported
2024-07-13 12:36
Platform
win11-20240709-en
Max time kernel
147s
Max time network
148s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 644 set thread context of 1848 | N/A | C:\Users\Admin\AppData\Local\Temp\cb5be74fea917e24244f7b10ec4f838fcaedc1683af463868e2dd0f832ace0b4.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cb5be74fea917e24244f7b10ec4f838fcaedc1683af463868e2dd0f832ace0b4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cb5be74fea917e24244f7b10ec4f838fcaedc1683af463868e2dd0f832ace0b4.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\cb5be74fea917e24244f7b10ec4f838fcaedc1683af463868e2dd0f832ace0b4.exe | N/A |
Suspicious use of WriteProcessMemory
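The four signatures above, read together, are the classic process-hollowing chain: the sample in AppData\Local\Temp enables SeDebugPrivilege, starts a signed Microsoft .NET binary (RegAsm.exe), writes into it and then sets the context of one of its threads, which is why the RedLine payload is detected in the RegAsm PID rather than in the dropper. The following script is an added example, not part of the sandbox report or its vendor's tooling: it correlates signature rows of the shape shown in both behavioral runs into a scored finding per SetThreadContext event. The constructed input reuses the paths and PIDs from the behavioral2 run; the list of hollowing hosts beyond RegAsm.exe, the user-writable path pattern and the score thresholds are assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input, shaped like the report's signature tables:
# (signature name, description, acting process, target process).
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\cb5be74fea917e24244f7b10ec4f838fcaedc1683af463868e2dd0f832ace0b4.exe"
REGASM = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

ROWS = [
    ("Suspicious use of SetThreadContext", "PID 644 set thread context of 1848", SAMPLE, REGASM),
    ("Suspicious behavior: EnumeratesProcesses", "N/A", SAMPLE, "N/A"),
    ("Suspicious use of AdjustPrivilegeToken", "Token: SeDebugPrivilege", SAMPLE, "N/A"),
    ("Suspicious use of WriteProcessMemory", "N/A", SAMPLE, "N/A"),
]

# Signed Microsoft .NET binaries that commodity stealers commonly start
# suspended and overwrite. RegAsm.exe is the one in this report; the other
# names are an assumption added for generality.
HOLLOW_HOSTS = {"regasm.exe", "regsvcs.exe", "installutil.exe",
                "msbuild.exe", "aspnet_compiler.exe", "applaunch.exe"}
# Assumed set of user-writable locations a dropper typically runs from.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|Public|ProgramData)\\", re.I)
CTX_RE = re.compile(r"PID (\d+) set thread context of (\d+)")


@dataclass
class Finding:
    source_pid: int
    target_pid: int
    source: str
    target: str
    score: int = 0
    reasons: list = field(default_factory=list)

    @property
    def verdict(self):
        # Threshold is an assumption; 3 requires more than the bare API call.
        return "probable process hollowing" if self.score >= 3 else "weak: review manually"


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def triage(rows):
    """Correlate per-process signature rows into hollowing findings.

    A SetThreadContext row whose target PID differs from the source anchors
    each finding; the other rows raised by the same source process add to
    the score so the verdict reflects the whole chain, not one API call."""
    per_proc = {}
    for sig, desc, proc, target in rows:
        per_proc.setdefault(proc, []).append((sig, desc, target))

    findings = []
    for proc, events in per_proc.items():
        sigs = {sig for sig, _, _ in events}
        for sig, desc, target in events:
            m = CTX_RE.search(desc) if "SetThreadContext" in sig else None
            if not m or m.group(1) == m.group(2):
                continue  # a process adjusting its own threads is not injection
            f = Finding(int(m.group(1)), int(m.group(2)), proc, target)
            f.score += 1
            f.reasons.append("SetThreadContext on a thread of another process")
            if basename(target) in HOLLOW_HOSTS:
                f.score += 2
                f.reasons.append(f"target {basename(target)} is a signed .NET utility often hollowed")
            if USER_WRITABLE.search(proc):
                f.score += 1
                f.reasons.append("source runs from a user-writable directory")
            if any("WriteProcessMemory" in s for s in sigs):
                f.score += 1
                f.reasons.append("source also wrote another process's memory")
            if any("SeDebugPrivilege" in d for _, d, _ in events):
                f.score += 1
                f.reasons.append("source enabled SeDebugPrivilege")
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage(ROWS):
        print(f"{f.source_pid} -> {f.target_pid} ({basename(f.target)}): {f.verdict}, score {f.score}")
        for reason in f.reasons:
            print("  -", reason)
```

On a live endpoint the same correlation is done on the parent/child relationship plus the cross-process memory-write and thread-context events rather than on sandbox signature rows; the scoring logic carries over unchanged.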
Processes
C:\Users\Admin\AppData\Local\Temp\cb5be74fea917e24244f7b10ec4f838fcaedc1683af463868e2dd0f832ace0b4.exe
"C:\Users\Admin\AppData\Local\Temp\cb5be74fea917e24244f7b10ec4f838fcaedc1683af463868e2dd0f832ace0b4.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | amrican-sport-live-stream.cc | udp |
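Across both runs the Network tables mix one recurring lookup for amrican-sport-live-stream.cc with noise a clean Windows image generates on its own: PTR lookups of Microsoft address space (in-addr.arpa) and the tse1.mm.bing.net content host that is the only name with a completed TCP session. Note that the report records only DNS queries for the candidate name and no TCP connection to it, so no C2 IP can be taken from this page. The script below is an added example, not the sandbox vendor's code: it parses rows of the shape shown in both Network tables, separates candidate indicators from background names, counts lookups against actual connections, and keeps the malformed three-cell row from the behavioral1 table as a counted parse error rather than silently dropping it. The sample rows are constructed from the tables above, and the background suffix list is an assumption to be tuned against a baseline run of the same image.

```python
import re
from collections import Counter

# Constructed sample: rows shaped like the report's Network tables, including
# the three-cell row that appears at the end of the behavioral1 table.
SAMPLE_TABLE = """\
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | amrican-sport-live-stream.cc | udp |
| US | 8.8.8.8:53 | amrican-sport-live-stream.cc | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | udp |
"""

# Names a clean Windows sandbox resolves on its own. The suffix list is an
# assumption; derive it from a detonation of a benign file on the same image.
BACKGROUND = re.compile(
    r"(\.in-addr\.arpa|\.ip6\.arpa|\.bing\.net|\.microsoft\.com|\.windows\.com|\.msftncsi\.com)$",
    re.I)


def parse_rows(text):
    """Parse markdown table rows. Rows with three cells (missing domain) are
    kept with domain=None so the caller can count them instead of losing them."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue
        cells = [c.strip() for c in line.strip("|").split("|")]
        if cells[0] == "Country" or set("".join(cells)) <= set("-: "):
            continue  # header or separator row
        if len(cells) == 4:
            country, dest, domain, proto = cells
        elif len(cells) == 3:
            (country, dest, proto), domain = cells, None
        else:
            continue
        rows.append({"country": country, "dest": dest, "domain": domain, "proto": proto.lower()})
    return rows


def is_dns(row):
    # A UDP flow to port 53 is a lookup; anything else counts as a connection.
    return row["proto"] == "udp" and row["dest"].endswith(":53")


def triage_dns(rows):
    """Split candidate C2 names from background noise and record, per
    candidate, how many lookups were made and which connections followed."""
    candidates, background, malformed = {}, Counter(), 0
    for row in rows:
        name = row["domain"]
        if name is None:
            malformed += 1
            continue
        if BACKGROUND.search(name):
            background[name] += 1
            continue
        entry = candidates.setdefault(name, {"dns_lookups": 0, "connections": []})
        if is_dns(row):
            entry["dns_lookups"] += 1
        else:
            entry["connections"].append(row["dest"])
    return {"candidates": candidates, "background": background, "malformed": malformed}


if __name__ == "__main__":
    result = triage_dns(parse_rows(SAMPLE_TABLE))
    for name, info in result["candidates"].items():
        state = (f"connected to {info['connections']}" if info["connections"]
                 else "no non-DNS connection recorded")
        print(f"{name}: {info['dns_lookups']} lookups, {state}")
    print(f"background names: {dict(result['background'])}, malformed rows: {result['malformed']}")
```

A candidate with repeated lookups and no connection, as here, is still worth blocking at the resolver, but it should be tagged as unconfirmed until a run shows a completed session to it.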
Files
memory/644-0-0x0000000074B7E000-0x0000000074B7F000-memory.dmp
memory/644-1-0x0000000000FB0000-0x0000000001210000-memory.dmp
memory/644-2-0x0000000006190000-0x0000000006736000-memory.dmp
memory/644-3-0x0000000005E00000-0x0000000005E92000-memory.dmp
memory/644-4-0x0000000005DF0000-0x0000000005DFA000-memory.dmp
memory/644-5-0x0000000074B70000-0x0000000075321000-memory.dmp
memory/644-6-0x0000000006A30000-0x0000000006C34000-memory.dmp
memory/644-12-0x0000000006A30000-0x0000000006C2D000-memory.dmp
memory/644-14-0x0000000006A30000-0x0000000006C2D000-memory.dmp
memory/644-32-0x0000000006A30000-0x0000000006C2D000-memory.dmp
memory/644-10-0x0000000006A30000-0x0000000006C2D000-memory.dmp
memory/644-24-0x0000000006A30000-0x0000000006C2D000-memory.dmp
memory/644-8-0x0000000006A30000-0x0000000006C2D000-memory.dmp
memory/644-7-0x0000000006A30000-0x0000000006C2D000-memory.dmp
memory/644-34-0x0000000006A30000-0x0000000006C2D000-memory.dmp
memory/644-64-0x0000000006A30000-0x0000000006C2D000-memory.dmp
memory/644-66-0x0000000006A30000-0x0000000006C2D000-memory.dmp
memory/644-70-0x0000000006A30000-0x0000000006C2D000-memory.dmp
memory/644-68-0x0000000006A30000-0x0000000006C2D000-memory.dmp
memory/644-62-0x0000000006A30000-0x0000000006C2D000-memory.dmp
memory/644-60-0x0000000006A30000-0x0000000006C2D000-memory.dmp
memory/644-58-0x0000000006A30000-0x0000000006C2D000-memory.dmp
memory/644-56-0x0000000006A30000-0x0000000006C2D000-memory.dmp
memory/644-54-0x0000000006A30000-0x0000000006C2D000-memory.dmp
memory/644-52-0x0000000006A30000-0x0000000006C2D000-memory.dmp
memory/644-50-0x0000000006A30000-0x0000000006C2D000-memory.dmp
memory/644-48-0x0000000006A30000-0x0000000006C2D000-memory.dmp
memory/644-46-0x0000000006A30000-0x0000000006C2D000-memory.dmp
memory/644-44-0x0000000006A30000-0x0000000006C2D000-memory.dmp
memory/644-42-0x0000000006A30000-0x0000000006C2D000-memory.dmp
memory/644-41-0x0000000006A30000-0x0000000006C2D000-memory.dmp
memory/644-38-0x0000000006A30000-0x0000000006C2D000-memory.dmp
memory/644-36-0x0000000006A30000-0x0000000006C2D000-memory.dmp
memory/644-30-0x0000000006A30000-0x0000000006C2D000-memory.dmp
memory/644-28-0x0000000006A30000-0x0000000006C2D000-memory.dmp
memory/644-26-0x0000000006A30000-0x0000000006C2D000-memory.dmp
memory/644-22-0x0000000006A30000-0x0000000006C2D000-memory.dmp
memory/644-20-0x0000000006A30000-0x0000000006C2D000-memory.dmp
memory/644-18-0x0000000006A30000-0x0000000006C2D000-memory.dmp
memory/644-16-0x0000000006A30000-0x0000000006C2D000-memory.dmp
memory/644-13461-0x0000000006D50000-0x0000000006D72000-memory.dmp
memory/644-13462-0x0000000006DF0000-0x0000000007147000-memory.dmp
memory/644-13463-0x000000003FE30000-0x000000003FE96000-memory.dmp
memory/1848-13466-0x0000000000400000-0x0000000000444000-memory.dmp
memory/644-13467-0x0000000074B70000-0x0000000075321000-memory.dmp
memory/1848-13468-0x0000000074B70000-0x0000000075321000-memory.dmp
memory/1848-13469-0x00000000028A0000-0x00000000028A6000-memory.dmp
memory/1848-13470-0x0000000074B70000-0x0000000075321000-memory.dmp
memory/1848-13471-0x00000000057E0000-0x0000000005DF8000-memory.dmp
memory/1848-13472-0x0000000004F80000-0x0000000004F92000-memory.dmp
memory/1848-13473-0x00000000052D0000-0x00000000053DA000-memory.dmp
memory/1848-13474-0x0000000005200000-0x000000000523C000-memory.dmp
memory/1848-13475-0x0000000005250000-0x000000000529C000-memory.dmp
memory/1848-13476-0x0000000074B70000-0x0000000075321000-memory.dmp
memory/1848-13477-0x0000000074B70000-0x0000000075321000-memory.dmp