Analysis Overview
SHA256
085a46a11e5f51719ad5621e6d3595befbb01ab0f7a88277a4e923e414d41700
Threat Level: Known bad
The file 184d122b490b7ddd40bb242632966c12 was found to be: Known bad.
Malicious Activity Summary
SectopRAT payload
RedLine
RedLine payload
SectopRAT
Suspicious use of SetThreadContext
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2023-12-24 23:09
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-24 23:09
Reported
2023-12-26 03:04
Platform
win7-20231215-en
Max time kernel
213s
Max time network
246s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3060 set thread context of 2180 | N/A | C:\Users\Admin\AppData\Local\Temp\184d122b490b7ddd40bb242632966c12.exe | C:\Users\Admin\AppData\Local\Temp\184d122b490b7ddd40bb242632966c12.exe |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\184d122b490b7ddd40bb242632966c12.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\184d122b490b7ddd40bb242632966c12.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\184d122b490b7ddd40bb242632966c12.exe
"C:\Users\Admin\AppData\Local\Temp\184d122b490b7ddd40bb242632966c12.exe"
C:\Users\Admin\AppData\Local\Temp\184d122b490b7ddd40bb242632966c12.exe
C:\Users\Admin\AppData\Local\Temp\184d122b490b7ddd40bb242632966c12.exe
Network
| Country | Destination | Domain | Proto |
| FI | 95.217.122.120:8374 | | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-24 23:09
Reported
2023-12-26 03:01
Platform
win10v2004-20231215-en
Max time kernel
149s
Max time network
158s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4924 set thread context of 2712 | N/A | C:\Users\Admin\AppData\Local\Temp\184d122b490b7ddd40bb242632966c12.exe | C:\Users\Admin\AppData\Local\Temp\184d122b490b7ddd40bb242632966c12.exe |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\184d122b490b7ddd40bb242632966c12.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\184d122b490b7ddd40bb242632966c12.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\184d122b490b7ddd40bb242632966c12.exe
"C:\Users\Admin\AppData\Local\Temp\184d122b490b7ddd40bb242632966c12.exe"
C:\Users\Admin\AppData\Local\Temp\184d122b490b7ddd40bb242632966c12.exe
C:\Users\Admin\AppData\Local\Temp\184d122b490b7ddd40bb242632966c12.exe
Network
| Country | Destination | Domain | Proto |
| NL | 52.142.223.178:80 | | tcp |
| US | 8.8.8.8:53 | 82.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.1.37.23.in-addr.arpa | udp |
| FI | 95.217.122.120:8374 | | tcp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 174.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| GB | 96.16.110.114:80 | | tcp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 176.178.17.96.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\184d122b490b7ddd40bb242632966c12.exe.log
| MD5 | 3654bd2c6957761095206ffdf92b0cb9 |
| SHA1 | 6f10f7b5867877de7629afcff644c265e79b4ad3 |
| SHA256 | c2a4be94cf4ed33d698d9838f4ffb47047da796e733ec11562463a1621212ab4 |
| SHA512 | e2a81248cca7732ce098088d5237897493fd3629e28d66bc13e5f9191f72cd52893f4a53905906af12d5c6de475738b6c7f6b718a32869e9ee0deb3a54672f79 |