Analysis Overview
SHA256
77ba34f450e9a293600b76082b4dcc02b13e52106438ecb2e7c5df3e79ebb6f4
Threat Level: Known bad
The file 77ba34f450e9a293600b76082b4dcc02b13e52106438ecb2e7c5df3e79ebb6f4 was found to be: Known bad.
Malicious Activity Summary
Redline family
RedLine
RedLine payload
Suspicious use of SetThreadContext
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-11 05:55
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-11 05:55
Reported
2024-11-11 05:57
Platform
win7-20240903-en
Max time kernel
130s
Max time network
141s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Redline family
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2168 set thread context of 2308 | N/A | C:\Users\Admin\AppData\Local\Temp\77ba34f450e9a293600b76082b4dcc02b13e52106438ecb2e7c5df3e79ebb6f4.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\77ba34f450e9a293600b76082b4dcc02b13e52106438ecb2e7c5df3e79ebb6f4.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\77ba34f450e9a293600b76082b4dcc02b13e52106438ecb2e7c5df3e79ebb6f4.exe
"C:\Users\Admin\AppData\Local\Temp\77ba34f450e9a293600b76082b4dcc02b13e52106438ecb2e7c5df3e79ebb6f4.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
Network
| Country | Destination | Domain | Proto |
| NL | 82.115.223.46:57672 | | tcp |
| NL | 82.115.223.46:57672 | | tcp |
| NL | 82.115.223.46:57672 | | tcp |
| NL | 82.115.223.46:57672 | | tcp |
| NL | 82.115.223.46:57672 | | tcp |
| NL | 82.115.223.46:57672 | | tcp |
Files
memory/2168-1-0x0000000000330000-0x0000000000530000-memory.dmp
memory/2308-7-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp
memory/2308-3-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2308-11-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2308-10-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2308-2-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2168-9-0x0000000000C60000-0x0000000000C9C000-memory.dmp
memory/2308-12-0x000000007466E000-0x000000007466F000-memory.dmp
memory/2308-13-0x000000007466E000-0x000000007466F000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-11 05:55
Reported
2024-11-11 05:57
Platform
win10v2004-20241007-en
Max time kernel
131s
Max time network
147s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Redline family
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4828 set thread context of 3784 | N/A | C:\Users\Admin\AppData\Local\Temp\77ba34f450e9a293600b76082b4dcc02b13e52106438ecb2e7c5df3e79ebb6f4.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\77ba34f450e9a293600b76082b4dcc02b13e52106438ecb2e7c5df3e79ebb6f4.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\77ba34f450e9a293600b76082b4dcc02b13e52106438ecb2e7c5df3e79ebb6f4.exe
"C:\Users\Admin\AppData\Local\Temp\77ba34f450e9a293600b76082b4dcc02b13e52106438ecb2e7c5df3e79ebb6f4.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| NL | 82.115.223.46:57672 | | tcp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| NL | 82.115.223.46:57672 | | tcp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.117.19.2.in-addr.arpa | udp |
| NL | 82.115.223.46:57672 | | tcp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| NL | 82.115.223.46:57672 | | tcp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| NL | 82.115.223.46:57672 | | tcp |
| NL | 82.115.223.46:57672 | | tcp |
Files
memory/3784-1-0x0000000000400000-0x0000000000430000-memory.dmp
memory/4828-6-0x0000000000C00000-0x0000000000E00000-memory.dmp
memory/4828-7-0x0000000000EE0000-0x0000000000F1C000-memory.dmp
memory/3784-8-0x000000007517E000-0x000000007517F000-memory.dmp
memory/3784-9-0x0000000005850000-0x0000000005E68000-memory.dmp
memory/3784-10-0x0000000005360000-0x000000000546A000-memory.dmp
memory/3784-11-0x0000000005290000-0x00000000052A2000-memory.dmp
memory/3784-12-0x0000000075170000-0x0000000075920000-memory.dmp
memory/3784-13-0x00000000052F0000-0x000000000532C000-memory.dmp
memory/3784-14-0x0000000005470000-0x00000000054BC000-memory.dmp
memory/3784-15-0x000000007517E000-0x000000007517F000-memory.dmp
memory/3784-16-0x0000000075170000-0x0000000075920000-memory.dmp
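Both detonations show the same pattern: the sample spawns the legitimate .NET Framework host AppLaunch.exe, writes into it (WriteProcessMemory) and redirects a thread (SetThreadContext), after which the sandbox dumps a region at 0x400000 in the child (2308 on Windows 7, 3784 on Windows 10) and flags the RedLine payload there, while the child alone talks to 82.115.223.46:57672 over TCP. That combination is what distinguishes hollowing of AppLaunch.exe from its normal use; AppLaunch.exe starting on its own is not an indicator. The following script is an added example, not part of the report or of any sandbox vendor's tooling. It parses the three blocks the report exposes (the "set thread context" signature line, the memory dump file names under "Files", and the "Network" table rows), collapses repeated dumps of the same range, treats the reverse lookups through the sandbox resolver as environment noise rather than IOCs, and tolerates rows where the protocol cell spilled into the Domain column as in the report's own tables. The inline input is copied from the behavioral2 section; the same functions apply unchanged to behavioral1 (PIDs 2168 and 2308). The 0x400000 image-base heuristic and the function names are this example's assumptions.

```python
"""Pull host and network indicators out of a sandbox report's text blocks.

Added example, not part of the original report or of any sandbox vendor's code.
"""
import re
from collections import Counter, defaultdict

# Constructed input: copied from the behavioral2 section of the report. The
# network rows deliberately keep the report's misaligned "tcp" cells.
SET_THREAD_CONTEXT = "PID 4828 set thread context of 3784"

MEMORY_DUMP_LINES = """
memory/3784-1-0x0000000000400000-0x0000000000430000-memory.dmp
memory/4828-6-0x0000000000C00000-0x0000000000E00000-memory.dmp
memory/4828-7-0x0000000000EE0000-0x0000000000F1C000-memory.dmp
memory/3784-8-0x000000007517E000-0x000000007517F000-memory.dmp
memory/3784-9-0x0000000005850000-0x0000000005E68000-memory.dmp
memory/3784-12-0x0000000075170000-0x0000000075920000-memory.dmp
memory/3784-15-0x000000007517E000-0x000000007517F000-memory.dmp
memory/3784-16-0x0000000075170000-0x0000000075920000-memory.dmp
"""

NETWORK_ROWS = """
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| NL | 82.115.223.46:57672 | tcp | |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| NL | 82.115.223.46:57672 | | tcp |
| NL | 82.115.223.46:57672 | tcp |
"""

DUMP_RE = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")
STC_RE = re.compile(r"PID (\d+) set thread context of (\d+)")
DEFAULT_IMAGE_BASE = 0x400000  # assumption: default link base of 32-bit images


def parse_set_thread_context(text):
    """Return (injector_pid, target_pid) from a 'PID A set thread context of B' line."""
    m = STC_RE.search(text)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def parse_memory_dumps(text):
    """Map pid -> sorted distinct (start, end) regions dumped for that pid.
    Repeated dumps of one range (e.g. 3784-8 and 3784-15) collapse to one entry."""
    regions = defaultdict(set)
    for m in DUMP_RE.finditer(text):
        pid, start, end = int(m.group(1)), int(m.group(3), 16), int(m.group(4), 16)
        regions[pid].add((start, end))
    return {pid: sorted(r) for pid, r in regions.items()}


def hollowed_image_regions(dumps, injector, target, image_base=DEFAULT_IMAGE_BASE):
    """Heuristic: once the injector has set the target's thread context, a dumped
    region in the target that starts at the image base is the candidate replaced
    image. Returns [(start, size)]; empty when the pattern is not met."""
    if injector == target or injector not in dumps or target not in dumps:
        return []
    return [(s, e - s) for s, e in dumps[target] if s == image_base]


def parse_network_rows(text):
    """Parse '| Country | Destination | Domain | Proto |' rows into dicts,
    repairing rows where the protocol landed in the Domain column."""
    rows = []
    for line in text.splitlines():
        if not line.strip().startswith("|"):
            continue
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if cells[0] == "Country":
            continue
        cells += [""] * (4 - len(cells))
        country, dest, domain, proto = cells[:4]
        if proto == "" and domain in ("tcp", "udp"):
            domain, proto = "", domain
        rows.append({"country": country, "dest": dest, "domain": domain, "proto": proto})
    return rows


def c2_candidates(rows):
    """Count TCP destinations; PTR lookups via the sandbox resolver are not sample IOCs."""
    return Counter(r["dest"] for r in rows
                   if r["proto"] == "tcp" and not r["domain"].endswith("in-addr.arpa"))


def summarize(stc_text, dump_text, net_text):
    """Combine the three parsers into one IOC summary for the detonation."""
    injector, target = parse_set_thread_context(stc_text)
    dumps = parse_memory_dumps(dump_text)
    return {
        "injector_pid": injector,
        "target_pid": target,
        "hollowed_regions": hollowed_image_regions(dumps, injector, target),
        "c2": dict(c2_candidates(parse_network_rows(net_text))),
    }


if __name__ == "__main__":
    print(summarize(SET_THREAD_CONTEXT, MEMORY_DUMP_LINES, NETWORK_ROWS))
```

For behavioral2 the summary names 4828 as injector, 3784 as target, one 0x30000-byte candidate image at 0x400000 in the target, and 82.115.223.46:57672 as the only TCP peer. The image-base check is a triage heuristic only; a relocated or deliberately rebased payload would not start at 0x400000, so the authoritative signal remains the SetThreadContext/WriteProcessMemory pair against a process the sample itself created.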