Analysis Overview
SHA256
be09924a971a4de61cb2e9f031829d8ceb9822e5c54357b3fdb09fee72b781b2
Threat Level: Known bad
The file be09924a971a4de61cb2e9f031829d8ceb9822e5c54357b3fdb09fee72b781b2 was found to be: Known bad.
Malicious Activity Summary
RedLine
PureCrypter
Purecrypter family
Detect PureCrypter injector
Redline family
Suspicious use of SetThreadContext
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-09 06:43
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 06:43
Reported
2024-11-09 06:45
Platform
win7-20240903-en
Max time kernel
149s
Max time network
117s
Command Line
Signatures
Detect PureCrypter injector
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
PureCrypter
Purecrypter family
RedLine
Redline family
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2940 set thread context of 2776 | N/A | C:\Users\Admin\AppData\Local\Temp\8601b9efdac4733e888cc949f337cfbba4140a6a441aaefe2ab391b4d637dfbc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\8601b9efdac4733e888cc949f337cfbba4140a6a441aaefe2ab391b4d637dfbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\8601b9efdac4733e888cc949f337cfbba4140a6a441aaefe2ab391b4d637dfbc.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\8601b9efdac4733e888cc949f337cfbba4140a6a441aaefe2ab391b4d637dfbc.exe
"C:\Users\Admin\AppData\Local\Temp\8601b9efdac4733e888cc949f337cfbba4140a6a441aaefe2ab391b4d637dfbc.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | amrican-sport-live-stream.cc | udp |
Files
memory/2940-0-0x00000000744BE000-0x00000000744BF000-memory.dmp
memory/2940-1-0x0000000000DC0000-0x0000000000F0C000-memory.dmp
memory/2940-2-0x0000000004CC0000-0x0000000004F46000-memory.dmp
memory/2940-3-0x00000000744B0000-0x0000000074B9E000-memory.dmp
memory/2940-7-0x0000000004CC0000-0x0000000004F3F000-memory.dmp
memory/2940-4-0x0000000004CC0000-0x0000000004F3F000-memory.dmp
memory/2940-5-0x0000000004CC0000-0x0000000004F3F000-memory.dmp
memory/2940-9-0x0000000004CC0000-0x0000000004F3F000-memory.dmp
memory/2940-25-0x0000000004CC0000-0x0000000004F3F000-memory.dmp
memory/2940-27-0x0000000004CC0000-0x0000000004F3F000-memory.dmp
memory/2940-29-0x0000000004CC0000-0x0000000004F3F000-memory.dmp
memory/2940-33-0x0000000004CC0000-0x0000000004F3F000-memory.dmp
memory/2940-37-0x0000000004CC0000-0x0000000004F3F000-memory.dmp
memory/2940-41-0x0000000004CC0000-0x0000000004F3F000-memory.dmp
memory/2940-43-0x0000000004CC0000-0x0000000004F3F000-memory.dmp
memory/2940-45-0x0000000004CC0000-0x0000000004F3F000-memory.dmp
memory/2940-39-0x0000000004CC0000-0x0000000004F3F000-memory.dmp
memory/2940-35-0x0000000004CC0000-0x0000000004F3F000-memory.dmp
memory/2940-31-0x0000000004CC0000-0x0000000004F3F000-memory.dmp
memory/2940-24-0x0000000004CC0000-0x0000000004F3F000-memory.dmp
memory/2940-21-0x0000000004CC0000-0x0000000004F3F000-memory.dmp
memory/2940-19-0x0000000004CC0000-0x0000000004F3F000-memory.dmp
memory/2940-17-0x0000000004CC0000-0x0000000004F3F000-memory.dmp
memory/2940-15-0x0000000004CC0000-0x0000000004F3F000-memory.dmp
memory/2940-13-0x0000000004CC0000-0x0000000004F3F000-memory.dmp
memory/2940-11-0x0000000004CC0000-0x0000000004F3F000-memory.dmp
memory/2940-47-0x0000000004CC0000-0x0000000004F3F000-memory.dmp
memory/2940-67-0x0000000004CC0000-0x0000000004F3F000-memory.dmp
memory/2940-49-0x0000000004CC0000-0x0000000004F3F000-memory.dmp
memory/2940-65-0x0000000004CC0000-0x0000000004F3F000-memory.dmp
memory/2940-63-0x0000000004CC0000-0x0000000004F3F000-memory.dmp
memory/2940-61-0x0000000004CC0000-0x0000000004F3F000-memory.dmp
memory/2940-59-0x0000000004CC0000-0x0000000004F3F000-memory.dmp
memory/2940-57-0x0000000004CC0000-0x0000000004F3F000-memory.dmp
memory/2940-55-0x0000000004CC0000-0x0000000004F3F000-memory.dmp
memory/2940-53-0x0000000004CC0000-0x0000000004F3F000-memory.dmp
memory/2940-51-0x0000000004CC0000-0x0000000004F3F000-memory.dmp
memory/2940-10162-0x0000000000C90000-0x0000000000CF0000-memory.dmp
memory/2940-10177-0x00000000744B0000-0x0000000074B9E000-memory.dmp
memory/2776-10176-0x0000000000400000-0x000000000045A000-memory.dmp
memory/2776-10178-0x00000000744B0000-0x0000000074B9E000-memory.dmp
memory/2776-10179-0x0000000000350000-0x0000000000356000-memory.dmp
memory/2776-10180-0x00000000744B0000-0x0000000074B9E000-memory.dmp
memory/2776-10181-0x00000000744B0000-0x0000000074B9E000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-09 06:43
Reported
2024-11-09 06:45
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
149s
Command Line
Signatures
Detect PureCrypter injector
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
PureCrypter
Purecrypter family
RedLine
Redline family
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4592 set thread context of 1432 | N/A | C:\Users\Admin\AppData\Local\Temp\8601b9efdac4733e888cc949f337cfbba4140a6a441aaefe2ab391b4d637dfbc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\8601b9efdac4733e888cc949f337cfbba4140a6a441aaefe2ab391b4d637dfbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8601b9efdac4733e888cc949f337cfbba4140a6a441aaefe2ab391b4d637dfbc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8601b9efdac4733e888cc949f337cfbba4140a6a441aaefe2ab391b4d637dfbc.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\8601b9efdac4733e888cc949f337cfbba4140a6a441aaefe2ab391b4d637dfbc.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\8601b9efdac4733e888cc949f337cfbba4140a6a441aaefe2ab391b4d637dfbc.exe
"C:\Users\Admin\AppData\Local\Temp\8601b9efdac4733e888cc949f337cfbba4140a6a441aaefe2ab391b4d637dfbc.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | amrican-sport-live-stream.cc | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | amrican-sport-live-stream.cc | udp |
| US | 8.8.8.8:53 | amrican-sport-live-stream.cc | udp |
| US | 8.8.8.8:53 | amrican-sport-live-stream.cc | udp |
| US | 8.8.8.8:53 | amrican-sport-live-stream.cc | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | amrican-sport-live-stream.cc | udp |
| US | 8.8.8.8:53 | amrican-sport-live-stream.cc | udp |
| US | 8.8.8.8:53 | amrican-sport-live-stream.cc | udp |
| US | 8.8.8.8:53 | amrican-sport-live-stream.cc | udp |
| US | 8.8.8.8:53 | amrican-sport-live-stream.cc | udp |
| US | 8.8.8.8:53 | amrican-sport-live-stream.cc | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | amrican-sport-live-stream.cc | udp |
| US | 8.8.8.8:53 | amrican-sport-live-stream.cc | udp |
| US | 8.8.8.8:53 | amrican-sport-live-stream.cc | udp |
| US | 8.8.8.8:53 | amrican-sport-live-stream.cc | udp |
| US | 8.8.8.8:53 | amrican-sport-live-stream.cc | udp |
| US | 8.8.8.8:53 | amrican-sport-live-stream.cc | udp |
| US | 8.8.8.8:53 | amrican-sport-live-stream.cc | udp |
| US | 8.8.8.8:53 | amrican-sport-live-stream.cc | udp |
| US | 8.8.8.8:53 | amrican-sport-live-stream.cc | udp |
| US | 8.8.8.8:53 | amrican-sport-live-stream.cc | udp |
| US | 8.8.8.8:53 | amrican-sport-live-stream.cc | udp |
| US | 8.8.8.8:53 |  | udp |
Files
memory/4592-0-0x0000000074E9E000-0x0000000074E9F000-memory.dmp
memory/4592-1-0x0000000000B70000-0x0000000000CBC000-memory.dmp
memory/4592-2-0x00000000055D0000-0x0000000005856000-memory.dmp
memory/4592-3-0x0000000074E90000-0x0000000075640000-memory.dmp
memory/4592-13-0x00000000055D0000-0x000000000584F000-memory.dmp
memory/4592-17-0x00000000055D0000-0x000000000584F000-memory.dmp
memory/4592-29-0x00000000055D0000-0x000000000584F000-memory.dmp
memory/4592-33-0x00000000055D0000-0x000000000584F000-memory.dmp
memory/4592-51-0x00000000055D0000-0x000000000584F000-memory.dmp
memory/4592-54-0x00000000055D0000-0x000000000584F000-memory.dmp
memory/4592-67-0x00000000055D0000-0x000000000584F000-memory.dmp
memory/4592-65-0x00000000055D0000-0x000000000584F000-memory.dmp
memory/4592-63-0x00000000055D0000-0x000000000584F000-memory.dmp
memory/4592-61-0x00000000055D0000-0x000000000584F000-memory.dmp
memory/4592-59-0x00000000055D0000-0x000000000584F000-memory.dmp
memory/4592-57-0x00000000055D0000-0x000000000584F000-memory.dmp
memory/4592-55-0x00000000055D0000-0x000000000584F000-memory.dmp
memory/4592-49-0x00000000055D0000-0x000000000584F000-memory.dmp
memory/4592-47-0x00000000055D0000-0x000000000584F000-memory.dmp
memory/4592-45-0x00000000055D0000-0x000000000584F000-memory.dmp
memory/4592-43-0x00000000055D0000-0x000000000584F000-memory.dmp
memory/4592-41-0x00000000055D0000-0x000000000584F000-memory.dmp
memory/4592-39-0x00000000055D0000-0x000000000584F000-memory.dmp
memory/4592-37-0x00000000055D0000-0x000000000584F000-memory.dmp
memory/4592-35-0x00000000055D0000-0x000000000584F000-memory.dmp
memory/4592-31-0x00000000055D0000-0x000000000584F000-memory.dmp
memory/4592-27-0x00000000055D0000-0x000000000584F000-memory.dmp
memory/4592-23-0x00000000055D0000-0x000000000584F000-memory.dmp
memory/4592-21-0x00000000055D0000-0x000000000584F000-memory.dmp
memory/4592-19-0x00000000055D0000-0x000000000584F000-memory.dmp
memory/4592-25-0x00000000055D0000-0x000000000584F000-memory.dmp
memory/4592-15-0x00000000055D0000-0x000000000584F000-memory.dmp
memory/4592-9-0x00000000055D0000-0x000000000584F000-memory.dmp
memory/4592-7-0x00000000055D0000-0x000000000584F000-memory.dmp
memory/4592-5-0x00000000055D0000-0x000000000584F000-memory.dmp
memory/4592-4-0x00000000055D0000-0x000000000584F000-memory.dmp
memory/4592-11-0x00000000055D0000-0x000000000584F000-memory.dmp
memory/4592-2785-0x0000000074E9E000-0x0000000074E9F000-memory.dmp
memory/4592-3152-0x0000000074E90000-0x0000000075640000-memory.dmp
memory/4592-10164-0x0000000005D10000-0x0000000005D32000-memory.dmp
memory/4592-10165-0x0000000006100000-0x0000000006454000-memory.dmp
memory/4592-10166-0x0000000005FE0000-0x0000000006046000-memory.dmp
memory/4592-10167-0x0000000034710000-0x00000000347A2000-memory.dmp
memory/4592-10168-0x0000000034D60000-0x0000000035304000-memory.dmp
memory/4592-10169-0x0000000006460000-0x00000000064C0000-memory.dmp
memory/1432-10172-0x0000000000400000-0x000000000045A000-memory.dmp
memory/1432-10173-0x0000000074E90000-0x0000000075640000-memory.dmp
memory/4592-10174-0x0000000074E90000-0x0000000075640000-memory.dmp
memory/1432-10175-0x0000000002C40000-0x0000000002C46000-memory.dmp
memory/1432-10176-0x0000000074E90000-0x0000000075640000-memory.dmp
memory/1432-10177-0x000000000B120000-0x000000000B738000-memory.dmp
memory/1432-10178-0x000000000AC80000-0x000000000AD8A000-memory.dmp
memory/1432-10179-0x000000000ABB0000-0x000000000ABC2000-memory.dmp
memory/1432-10180-0x000000000AC10000-0x000000000AC4C000-memory.dmp
memory/1432-10181-0x0000000004D80000-0x0000000004DCC000-memory.dmp
memory/1432-10182-0x0000000074E90000-0x0000000075640000-memory.dmp
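The rows above already tell the story (a .NET executable in the user's Temp directory calls SetThreadContext on a freshly spawned InstallUtil.exe, the sandbox dumps the target's memory, and the only network activity is repeated DNS for one domain with no connection recorded), but a responder usually wants that reduced to a process chain and an IOC list. The following is an added example written for this page, not tooling from the sandbox or from either malware family: it parses signature, network and memory-dump rows copied from the behavioral2 run (constructed input, including the malformed last DNS row), rebuilds the injection chain and extracts the indicators. The temp-directory list, the set of .NET host binaries treated as hollowing targets, and the reading of the memory-dump filename fields as pid/event-index/start/end are assumptions of this example.

```python
import re
from collections import Counter

# Constructed input: rows copied verbatim from the behavioral2 run above, plus the
# malformed last DNS row, which the parser must skip rather than crash on.
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\8601b9efdac4733e888cc949f337cfbba4140a6a441aaefe2ab391b4d637dfbc.exe"
TARGET = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
THREAD_CONTEXT_ROW = f"| PID 4592 set thread context of 1432 | N/A | {DROPPER} | {TARGET} |"
DNS_ROWS = [
    "| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |",
    "| US | 8.8.8.8:53 | amrican-sport-live-stream.cc | udp |",
    "| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |",
    "| US | 8.8.8.8:53 | amrican-sport-live-stream.cc | udp |",
    "| US | 8.8.8.8:53 | amrican-sport-live-stream.cc | udp |",
    "| US | 8.8.8.8:53 | udp |",
]
MEMORY_ROWS = [
    "memory/4592-1-0x0000000000B70000-0x0000000000CBC000-memory.dmp",
    "memory/1432-10172-0x0000000000400000-0x000000000045A000-memory.dmp",
    "memory/1432-10177-0x000000000B120000-0x000000000B738000-memory.dmp",
]

ROW_RE = re.compile(r"^\|\s*(.*?)\s*\|\s*(.*?)\s*\|\s*(.*?)\s*\|\s*(.*?)\s*\|$")
CTX_RE = re.compile(r"PID (\d+) set thread context of (\d+)")
# memory/<pid>-<event index>-0x<start>-0x<end>-memory.dmp (field meaning is an assumption)
MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")

# Assumptions for the hollowing heuristic: the injector runs from a user-writable
# temp directory and the context-swapped target is a Microsoft .NET host binary.
TEMP_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")
DOTNET_HOSTS = {"installutil.exe", "regasm.exe", "regsvcs.exe", "msbuild.exe", "applaunch.exe"}


def parse_row(line):
    """Split one 4-column table row; return None for anything malformed."""
    m = ROW_RE.match(line.strip())
    return m.groups() if m else None


def classify_thread_context(row):
    """Interpret a 'PID A set thread context of B' signature row."""
    cells = parse_row(row)
    if not cells:
        return None
    desc, _indicator, proc, target = cells
    m = CTX_RE.search(desc)
    if not m:
        return None
    src_pid, dst_pid = (int(x) for x in m.groups())
    from_temp = any(d in proc.lower() for d in TEMP_DIRS)
    host = target.lower().rsplit("\\", 1)[-1]
    return {
        "source_pid": src_pid,
        "target_pid": dst_pid,
        "source": proc,
        "target": target,
        "likely_hollowing": from_temp and host in DOTNET_HOSTS,
    }


def forward_lookups(rows):
    """Count DNS queries per name, ignoring reverse (in-addr.arpa) lookups, which
    are sandbox background noise, and skipping rows that do not parse."""
    counts = Counter()
    for row in rows:
        cells = parse_row(row)
        if cells is None:
            continue
        _country, _dst, domain, _proto = cells
        if domain and not domain.endswith(".in-addr.arpa"):
            counts[domain] += 1
    return dict(counts)


def dumped_regions(rows, pid):
    """(start, size) of every region the sandbox dumped for one PID, sorted by start."""
    regions = []
    for row in rows:
        m = MEM_RE.match(row)
        if m and int(m.group(1)) == pid:
            start, end = int(m.group(3), 16), int(m.group(4), 16)
            regions.append((start, end - start))
    return sorted(regions)


def triage(ctx_row=THREAD_CONTEXT_ROW, dns_rows=DNS_ROWS, mem_rows=MEMORY_ROWS):
    """Tie the three views together: who injected into whom, what was dumped
    from the target, and which names the sample tried to resolve."""
    finding = classify_thread_context(ctx_row)
    finding["target_regions"] = dumped_regions(mem_rows, finding["target_pid"])
    finding["dns"] = forward_lookups(dns_rows)
    return finding


if __name__ == "__main__":
    f = triage()
    print(f"{f['source_pid']} -> {f['target_pid']} hollowing={f['likely_hollowing']}")
    for start, size in f["target_regions"]:
        print(f"  dumped region in target: base 0x{start:08X} size 0x{size:X}")
    for name, n in f["dns"].items():
        print(f"  DNS {name}: {n} queries, no connection recorded")
```

The DNS count is the part worth reading carefully: the report lists many queries for amrican-sport-live-stream.cc and no TCP connection in either run, which is consistent with the name failing to resolve during detonation; the stealer's C2 is therefore an indicator to block on DNS rather than an observed IP. The dumped region at base 0x400000 in the InstallUtil.exe process is where to start when you want to carve the injected payload out of the memory dumps the sandbox produced.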