Analysis Overview
SHA256
9f8a1f56a75fcbae6a2a52fe6e74f00585e28b6aa8c02e380fb9a114d218c1d3
Threat Level: Known bad
The file 9f8a1f56a75fcbae6a2a52fe6e74f00585e28b6aa8c02e380fb9a114d218c1d3 was found to be: Known bad.
Malicious Activity Summary
RedLine
RedLine payload
Suspicious use of SetThreadContext
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-07-13 12:34
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-13 12:34
Reported
2024-07-13 12:36
Platform
win10v2004-20240709-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
RedLine
RedLine payload
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3520 set thread context of 1996 | N/A | C:\Users\Admin\AppData\Local\Temp\9f8a1f56a75fcbae6a2a52fe6e74f00585e28b6aa8c02e380fb9a114d218c1d3.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9f8a1f56a75fcbae6a2a52fe6e74f00585e28b6aa8c02e380fb9a114d218c1d3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9f8a1f56a75fcbae6a2a52fe6e74f00585e28b6aa8c02e380fb9a114d218c1d3.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9f8a1f56a75fcbae6a2a52fe6e74f00585e28b6aa8c02e380fb9a114d218c1d3.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9f8a1f56a75fcbae6a2a52fe6e74f00585e28b6aa8c02e380fb9a114d218c1d3.exe
"C:\Users\Admin\AppData\Local\Temp\9f8a1f56a75fcbae6a2a52fe6e74f00585e28b6aa8c02e380fb9a114d218c1d3.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | amrican-sport-live-stream.cc | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-13 12:34
Reported
2024-07-13 12:36
Platform
win11-20240709-en
Max time kernel
147s
Max time network
149s
Command Line
Signatures
RedLine
RedLine payload
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 5612 set thread context of 3332 | N/A | C:\Users\Admin\AppData\Local\Temp\9f8a1f56a75fcbae6a2a52fe6e74f00585e28b6aa8c02e380fb9a114d218c1d3.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9f8a1f56a75fcbae6a2a52fe6e74f00585e28b6aa8c02e380fb9a114d218c1d3.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9f8a1f56a75fcbae6a2a52fe6e74f00585e28b6aa8c02e380fb9a114d218c1d3.exe
"C:\Users\Admin\AppData\Local\Temp\9f8a1f56a75fcbae6a2a52fe6e74f00585e28b6aa8c02e380fb9a114d218c1d3.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | amrican-sport-live-stream.cc | udp |
Files