Analysis Overview
SHA256
de3da04b0858d14b9eaa2c756481e2b14656954edb783855fbfeed710d28e845
Threat Level: Known bad
The file 9816ccc43f834ac1a6f476e80a03a70051684be7 (a 40-hex-digit identifier, the length of a SHA1) was found to be: Known bad. Note that the name the sample was detonated under, cec703c63339c89ae05ee7f8bcaf0118ef8c24eb74ae5c09bd3346609e2f1c15.exe, is a different 64-hex-digit string and does not match the SHA256 above; pivot on the SHA256 in this header, not on the on-disk file name.
Malicious Activity Summary
RedLine
RedLine payload
Redline family
Suspicious use of SetThreadContext
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15: System Location Discovery: System Language Discovery (T1614.001). The remaining signatures above (SetThreadContext, WriteProcessMemory, Unsigned PE, the RedLine family matches) are sandbox heuristics that this report does not map to a technique ID.
Analysis: static1
Detonation Overview
Reported
2024-11-09 21:38
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 21:38
Reported
2024-11-09 21:40
Platform
win7-20240708-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Redline family
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1716 set thread context of 2064 | N/A | C:\Users\Admin\AppData\Local\Temp\cec703c63339c89ae05ee7f8bcaf0118ef8c24eb74ae5c09bd3346609e2f1c15.exe | C:\Users\Admin\AppData\Local\Temp\cec703c63339c89ae05ee7f8bcaf0118ef8c24eb74ae5c09bd3346609e2f1c15.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\cec703c63339c89ae05ee7f8bcaf0118ef8c24eb74ae5c09bd3346609e2f1c15.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\cec703c63339c89ae05ee7f8bcaf0118ef8c24eb74ae5c09bd3346609e2f1c15.exe
"C:\Users\Admin\AppData\Local\Temp\cec703c63339c89ae05ee7f8bcaf0118ef8c24eb74ae5c09bd3346609e2f1c15.exe"
C:\Users\Admin\AppData\Local\Temp\cec703c63339c89ae05ee7f8bcaf0118ef8c24eb74ae5c09bd3346609e2f1c15.exe
C:\Users\Admin\AppData\Local\Temp\cec703c63339c89ae05ee7f8bcaf0118ef8c24eb74ae5c09bd3346609e2f1c15.exe
Network
Files
memory/1716-0-0x000000007446E000-0x000000007446F000-memory.dmp
memory/1716-1-0x00000000003C0000-0x000000000041C000-memory.dmp
memory/1716-2-0x0000000074460000-0x0000000074B4E000-memory.dmp
memory/2064-3-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2064-11-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2064-9-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2064-8-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2064-7-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2064-5-0x0000000000400000-0x0000000000420000-memory.dmp
memory/1716-13-0x0000000074460000-0x0000000074B4E000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-09 21:38
Reported
2024-11-09 21:40
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Redline family
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3936 set thread context of 4380 | N/A | C:\Users\Admin\AppData\Local\Temp\cec703c63339c89ae05ee7f8bcaf0118ef8c24eb74ae5c09bd3346609e2f1c15.exe | C:\Users\Admin\AppData\Local\Temp\cec703c63339c89ae05ee7f8bcaf0118ef8c24eb74ae5c09bd3346609e2f1c15.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\cec703c63339c89ae05ee7f8bcaf0118ef8c24eb74ae5c09bd3346609e2f1c15.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\cec703c63339c89ae05ee7f8bcaf0118ef8c24eb74ae5c09bd3346609e2f1c15.exe | N/A |
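Both detonations (PID 1716 on win7 and PID 3936 on win10) open HKLM\SYSTEM\ControlSet001\Control\NLS\Language, whose Default value is the system default LCID stored as a four-hex-digit string such as "0409". Stealers read it to decide whether to run on a given machine. The following added example (mine, not code from the report or from the RedLine authors) shows how such a value is decoded into a primary language ID and compared against a locale list; the CIS_PRIMARY_LANGS set is an assumed blocklist used for illustration, because the report only shows that the key was opened, not what the sample did with the value.

```python
# Added example: decode the NLS\Language "Default" value a sample reads and
# evaluate it against an assumed locale blocklist. Not part of the sandbox report.
from dataclasses import dataclass

# Primary language IDs (LANG_* constants from winnt.h); an LCID's low 10 bits.
LANG_NAMES = {
    0x09: "English", 0x19: "Russian", 0x22: "Ukrainian", 0x23: "Belarusian",
    0x28: "Tajik", 0x2B: "Armenian", 0x2C: "Azerbaijani", 0x37: "Georgian",
    0x3F: "Kazakh", 0x40: "Kyrgyz", 0x42: "Turkmen", 0x43: "Uzbek",
}

# ASSUMPTION for illustration: a CIS-locale blocklist of the kind stealers are
# often reported to carry. The report itself does not reveal the sample's list.
CIS_PRIMARY_LANGS = {0x19, 0x22, 0x23, 0x28, 0x2B, 0x2C, 0x37, 0x3F, 0x40, 0x42, 0x43}


def parse_lcid(value: str) -> int:
    """Parse the REG_SZ hex string (e.g. '0409', '0419') into an integer LCID."""
    value = value.strip()
    if not value or len(value) > 8 or any(c not in "0123456789abcdefABCDEF" for c in value):
        raise ValueError(f"not an LCID string: {value!r}")
    return int(value, 16)


def primary_lang(lcid: int) -> int:
    """PRIMARYLANGID(lcid): the low 10 bits of the language identifier."""
    return lcid & 0x3FF


@dataclass(frozen=True)
class LocaleVerdict:
    lcid: int
    language: str
    cis_locale: bool   # True if the assumed blocklist would match this machine


def evaluate_locale(default_value: str) -> LocaleVerdict:
    """Decode the registry string and report whether the assumed blocklist matches."""
    lcid = parse_lcid(default_value)
    p = primary_lang(lcid)
    return LocaleVerdict(lcid, LANG_NAMES.get(p, f"unknown(0x{p:02x})"), p in CIS_PRIMARY_LANGS)


def read_system_default_lcid():
    """Read the same key the sample opened; returns None when not on Windows."""
    try:
        import winreg
    except ImportError:
        return None
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"SYSTEM\ControlSet001\Control\NLS\Language") as key:
        return winreg.QueryValueEx(key, "Default")[0]


if __name__ == "__main__":
    for sample in ("0409", "0419", "043f"):
        print(sample, evaluate_locale(sample))
    live = read_system_default_lcid()
    if live is not None:
        print("this host:", evaluate_locale(live))
```

Operational caveat: both sandbox runs here used an "-en" platform, so a locale-gated sample would run regardless; if a sample opens this key and then does nothing, re-detonating with a non-English default LCID, or patching the value before resume, is the cheap way to tell a locale exit from a broken payload.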
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\cec703c63339c89ae05ee7f8bcaf0118ef8c24eb74ae5c09bd3346609e2f1c15.exe
"C:\Users\Admin\AppData\Local\Temp\cec703c63339c89ae05ee7f8bcaf0118ef8c24eb74ae5c09bd3346609e2f1c15.exe"
C:\Users\Admin\AppData\Local\Temp\cec703c63339c89ae05ee7f8bcaf0118ef8c24eb74ae5c09bd3346609e2f1c15.exe
C:\Users\Admin\AppData\Local\Temp\cec703c63339c89ae05ee7f8bcaf0118ef8c24eb74ae5c09bd3346609e2f1c15.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| KZ | 185.242.85.232:80 | N/A | tcp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| KZ | 185.242.85.232:80 | N/A | tcp |
| KZ | 185.242.85.232:80 | N/A | tcp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| KZ | 185.242.85.232:80 | N/A | tcp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| KZ | 185.242.85.232:80 | N/A | tcp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.36.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| KZ | 185.242.85.232:80 | N/A | tcp |
| US | 8.8.8.8:53 | 101.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 106.208.201.84.in-addr.arpa | udp |
| KZ | 185.242.85.232:80 | N/A | tcp |
| KZ | 185.242.85.232:80 | N/A | tcp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| KZ | 185.242.85.232:80 | N/A | tcp |
| KZ | 185.242.85.232:80 | N/A | tcp |
| US | 8.8.8.8:53 | 94.65.42.20.in-addr.arpa | udp |
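The network table mixes two kinds of rows: UDP/53 reverse (PTR) lookups sent to 8.8.8.8, and repeated TCP connections to 185.242.85.232:80, the only endpoint the run contacts directly. The PTR names encode addresses in reverse octet order (232.168.11.51.in-addr.arpa is 51.11.168.232), so they need decoding before anyone decides whether they belong to the sample or to the guest OS's background traffic. The added example below (mine, not part of the report) parses rows in the report's own table format, decodes the PTR names, and counts direct connections per endpoint; NETWORK_ROWS is a constructed excerpt of the table, deliberately including the raw page's misaligned form where "tcp" landed in the Domain column, so the parser copes with both layouts.

```python
# Added example: turn the sandbox Network table into an IOC summary. Not part of
# the report. NETWORK_ROWS is a constructed excerpt of the table above.
import re
from collections import Counter

NETWORK_ROWS = """
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| KZ | 185.242.85.232:80 | tcp | |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| KZ | 185.242.85.232:80 | N/A | tcp |
| KZ | 185.242.85.232:80 | tcp | |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
"""

PTR_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.in-addr\.arpa$")


def parse_row(line: str):
    """Parse one '| Country | Destination | Domain | Proto |' row; None if not a data row."""
    cells = [c.strip() for c in line.strip().strip("|").split("|")]
    if len(cells) != 4:
        return None
    country, dest, domain, proto = cells
    # Tolerate the raw page's misaligned tcp rows, where the protocol sits in
    # the Domain column and the Proto column is empty.
    if proto in ("", "N/A") and domain.lower() in ("tcp", "udp"):
        domain, proto = "", domain
    host, _, port = dest.rpartition(":")
    if not port.isdigit():          # header row or malformed destination
        return None
    return {"country": country, "host": host, "port": int(port),
            "domain": None if domain in ("", "N/A") else domain, "proto": proto.lower()}


def ptr_to_ip(name: str):
    """'232.168.11.51.in-addr.arpa' -> '51.11.168.232'; None if not a PTR name."""
    m = PTR_RE.match(name)
    return ".".join(reversed(m.groups())) if m else None


def summarize(table_text: str, resolvers=("8.8.8.8",)):
    """Split resolver traffic (decoded PTR targets) from direct connections."""
    rows = [r for r in (parse_row(l) for l in table_text.splitlines()) if r]
    ptr_targets, direct = [], Counter()
    for r in rows:
        if r["host"] in resolvers and r["port"] == 53:
            ip = ptr_to_ip(r["domain"] or "")
            if ip:
                ptr_targets.append(ip)
        else:
            # Anything not aimed at the resolver is a candidate C2/download endpoint.
            direct[(r["host"], r["port"], r["proto"])] += 1
    return {"ptr_targets": ptr_targets, "direct": direct}


if __name__ == "__main__":
    s = summarize(NETWORK_ROWS)
    print("reverse-lookup targets:", s["ptr_targets"])
    for (host, port, proto), n in s["direct"].most_common():
        print(f"direct {proto} {host}:{port} x{n}")
```

The decoded PTR targets are what the guest resolved, not what the sample connected to; before adding any of them to a blocklist, check whether they also appear as direct connections (here none do). The endpoint worth blocking and hunting for is the one with repeated direct TCP connections, and "port 80" says nothing about the protocol spoken over it, so pull the PCAP rather than assuming HTTP.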
Files
memory/3936-0-0x0000000074E9E000-0x0000000074E9F000-memory.dmp
memory/3936-1-0x0000000000AB0000-0x0000000000B0C000-memory.dmp
memory/3936-2-0x0000000005490000-0x0000000005506000-memory.dmp
memory/3936-3-0x0000000005440000-0x000000000545E000-memory.dmp
memory/3936-4-0x0000000074E90000-0x0000000075640000-memory.dmp
memory/3936-5-0x0000000005BF0000-0x0000000006194000-memory.dmp
memory/4380-6-0x0000000000400000-0x0000000000420000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\cec703c63339c89ae05ee7f8bcaf0118ef8c24eb74ae5c09bd3346609e2f1c15.exe.log
| MD5 | e5352797047ad2c91b83e933b24fbc4f |
| SHA1 | 9bf8ac99b6cbf7ce86ce69524c25e3df75b4d772 |
| SHA256 | b4643874d42d232c55bfbb75c36da41809d0c9ba4b2a203049aa82950345325c |
| SHA512 | dd2fc1966c8b3c9511f14801d1ce8110d6bca276a58216b5eeb0a3cfbb0cc8137ea14efbf790e63736230141da456cbaaa4e5c66f2884d4cfe68f499476fd827 |
memory/3936-9-0x0000000074E90000-0x0000000075640000-memory.dmp
memory/4380-10-0x0000000074E90000-0x0000000075640000-memory.dmp
memory/4380-11-0x0000000005840000-0x0000000005E58000-memory.dmp
memory/4380-12-0x00000000052D0000-0x00000000052E2000-memory.dmp
memory/4380-13-0x0000000005400000-0x000000000550A000-memory.dmp
memory/4380-14-0x0000000074E90000-0x0000000075640000-memory.dmp
memory/4380-15-0x0000000005330000-0x000000000536C000-memory.dmp
memory/4380-16-0x0000000005370000-0x00000000053BC000-memory.dmp
memory/4380-17-0x0000000074E90000-0x0000000075640000-memory.dmp
memory/4380-18-0x0000000074E90000-0x0000000075640000-memory.dmp
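In both runs the sample launches a second copy of itself and the parent sets the child's thread context (1716 to 2064 on win7, 3936 to 4380 on win10), alongside WriteProcessMemory; the child's dump list then shows a 0x20000-byte region at 0x400000, the classic default image base, which the parent never maps at that address, while a large region (0x74E90000-0x75640000 on win10) is mapped by both. That combination is what an analyst reads as a hollowed child: the parent has written a new image into the suspended child and redirected its entry point. The added example below (my code, not the sandbox's) parses the signature line and the dump file names from behavioral2 above to pick out which dump to carve and which regions to ignore as shared modules; the image-base and size thresholds are assumptions suited to this sample, and the embedded SIGNATURE_LINES and DUMP_LINES are a constructed excerpt of the report.

```python
# Added example: from a "PID A set thread context of B" signature and the
# memory-dump names, identify the rewritten image in the child and the dump to
# carve. Not part of the sandbox report; thresholds are assumptions.
import re
from dataclasses import dataclass

# Constructed excerpt of the behavioral2 Signatures and Files sections above.
SIGNATURE_LINES = ["PID 3936 set thread context of 4380"]
DUMP_LINES = [
    "memory/3936-0-0x0000000074E9E000-0x0000000074E9F000-memory.dmp",
    "memory/3936-1-0x0000000000AB0000-0x0000000000B0C000-memory.dmp",
    "memory/3936-4-0x0000000074E90000-0x0000000075640000-memory.dmp",
    "memory/4380-6-0x0000000000400000-0x0000000000420000-memory.dmp",
    "memory/4380-10-0x0000000074E90000-0x0000000075640000-memory.dmp",
]

CTX_RE = re.compile(r"PID (\d+) set thread context of (\d+)")
DUMP_RE = re.compile(r"memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")


@dataclass(frozen=True)
class Region:
    name: str
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_context_edges(lines):
    """Return (parent_pid, child_pid) pairs from SetThreadContext signature rows."""
    edges = []
    for line in lines:
        m = CTX_RE.search(line)
        if m:
            edges.append((int(m.group(1)), int(m.group(2))))
    return edges


def parse_dumps(lines):
    """Group memory-dump file names by PID as Region objects."""
    regions = {}
    for line in lines:
        m = DUMP_RE.fullmatch(line.strip())
        if m:
            pid, start, end = m.groups()
            regions.setdefault(int(pid), []).append(Region(line.strip(), int(start, 16), int(end, 16)))
    return regions


def hollowing_findings(sig_lines, dump_lines, image_base=0x400000, max_image_size=0x100000):
    """For each context edge, report the child's rewritten image and shared modules.

    image_base/max_image_size are ASSUMED for this sample (default PE base, small
    payload); a loader may use any base, so in general compare against the child's
    on-disk PE header instead of a constant.
    """
    dumps = parse_dumps(dump_lines)
    findings = []
    for parent, child in parse_context_edges(sig_lines):
        parent_regions = dumps.get(parent, [])
        child_regions = dumps.get(child, [])
        # Regions both processes map at the same address are shared modules
        # (runtime DLLs), never the injected payload.
        shared = {r.start for r in parent_regions} & {r.start for r in child_regions}
        injected = [r for r in child_regions
                    if r.start == image_base and r.size <= max_image_size and r.start not in shared]
        findings.append({
            "parent": parent,
            "child": child,
            "carve": sorted({r.name for r in injected}),
            "injected_size": injected[0].size if injected else None,
            "parent_private_bases": sorted(r.start for r in parent_regions if r.start not in shared),
            "shared_regions": sorted(shared),
            "verdict": "hollowing-like" if injected else "context change without a rewritten image base",
        })
    return findings


if __name__ == "__main__":
    for f in hollowing_findings(SIGNATURE_LINES, DUMP_LINES):
        print(f)
```

The dump named in "carve" is the one to run the family rules over and to fix up (rebuild the section table from the in-memory layout) before static analysis; the parent's private region at 0xAB0000 (0x3C0000 on win7) is the packed dropper as loaded, and the 7-8 MB region shared by both processes is a module, not payload. Because the child image lands at the same base on both platforms and the child is a copy of the same unsigned binary, an EDR rule keyed on "parent and child share an image path, parent calls SetThreadContext on the child, and the child's image base no longer matches its on-disk PE" would fire on both runs.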