Analysis Overview
SHA256
459a684a6e6299ffbd967855a504ff2311cba4a8eccae192b1f4146cc3bf7382
Threat Level: Known bad
The file 571ec37bbc0a7b94c3a3829ee47e5bad was found to be: Known bad.
Malicious Activity Summary
RedLine payload
SectopRAT
SectopRAT payload
RedLine
Suspicious use of SetThreadContext
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-01-12 17:55
Signatures
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-12 17:55
Reported
2024-01-12 17:57
Platform
win10v2004-20231215-en
Max time kernel
153s
Max time network
162s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1028 set thread context of 4824 | N/A | C:\Users\Admin\AppData\Local\Temp\571ec37bbc0a7b94c3a3829ee47e5bad.exe | C:\Users\Admin\AppData\Local\Temp\571ec37bbc0a7b94c3a3829ee47e5bad.exe |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\571ec37bbc0a7b94c3a3829ee47e5bad.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\571ec37bbc0a7b94c3a3829ee47e5bad.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\571ec37bbc0a7b94c3a3829ee47e5bad.exe
"C:\Users\Admin\AppData\Local\Temp\571ec37bbc0a7b94c3a3829ee47e5bad.exe"
C:\Users\Admin\AppData\Local\Temp\571ec37bbc0a7b94c3a3829ee47e5bad.exe
"C:\Users\Admin\AppData\Local\Temp\571ec37bbc0a7b94c3a3829ee47e5bad.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 5.181.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 210.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 167.109.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| NL | 185.92.73.140:80 | 185.92.73.140 | tcp |
| NL | 185.92.73.140:443 | | tcp |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.73.92.185.in-addr.arpa | udp |
| US | 138.91.171.81:80 | | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 190.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.110.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 211.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 171.117.168.52.in-addr.arpa | udp |
Files
memory/1028-0-0x0000000074550000-0x0000000074D00000-memory.dmp
memory/1028-1-0x0000000000A40000-0x0000000000A66000-memory.dmp
memory/1028-2-0x0000000005920000-0x0000000005EC4000-memory.dmp
memory/1028-3-0x0000000005450000-0x00000000054EC000-memory.dmp
memory/1028-4-0x00000000053B0000-0x00000000053D4000-memory.dmp
memory/1028-5-0x0000000005420000-0x0000000005430000-memory.dmp
memory/4824-6-0x0000000000400000-0x000000000041E000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\571ec37bbc0a7b94c3a3829ee47e5bad.exe.log
| Hash | Value |
| MD5 | f5a69d9216974a1b017e4e94be20c63f |
| SHA1 | 6993175a82e6ffa484b2bfbf691668f11484ef17 |
| SHA256 | 471ce598bfe72b7166f3e1b669c84436e2d6cb758dd98e8d0e4cb44a230f42ee |
| SHA512 | d9164f8573c6cabd01357e8f27e1500100ae932aed51f6a08734dc739e36c61e2e8b231f6ce3aaac2d9b279c3ade0ad7c5189925ee7d75d4820acfdd2cac11fd |
memory/4824-10-0x0000000074550000-0x0000000074D00000-memory.dmp
memory/1028-9-0x0000000074550000-0x0000000074D00000-memory.dmp
memory/4824-11-0x00000000057F0000-0x0000000005E08000-memory.dmp
memory/4824-12-0x0000000005290000-0x00000000052A2000-memory.dmp
memory/4824-13-0x00000000052F0000-0x000000000532C000-memory.dmp
memory/4824-14-0x00000000054F0000-0x0000000005500000-memory.dmp
memory/4824-15-0x0000000005330000-0x000000000537C000-memory.dmp
memory/4824-16-0x0000000005610000-0x000000000571A000-memory.dmp
memory/4824-17-0x0000000074550000-0x0000000074D00000-memory.dmp
memory/4824-18-0x00000000054F0000-0x0000000005500000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-12 17:55
Reported
2024-01-12 17:57
Platform
win7-20231215-en
Max time kernel
147s
Max time network
148s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2088 set thread context of 1456 | N/A | C:\Users\Admin\AppData\Local\Temp\571ec37bbc0a7b94c3a3829ee47e5bad.exe | C:\Users\Admin\AppData\Local\Temp\571ec37bbc0a7b94c3a3829ee47e5bad.exe |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\571ec37bbc0a7b94c3a3829ee47e5bad.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\571ec37bbc0a7b94c3a3829ee47e5bad.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\571ec37bbc0a7b94c3a3829ee47e5bad.exe
"C:\Users\Admin\AppData\Local\Temp\571ec37bbc0a7b94c3a3829ee47e5bad.exe"
C:\Users\Admin\AppData\Local\Temp\571ec37bbc0a7b94c3a3829ee47e5bad.exe
"C:\Users\Admin\AppData\Local\Temp\571ec37bbc0a7b94c3a3829ee47e5bad.exe"
Network
| Country | Destination | Domain | Proto |
| NL | 185.92.73.140:80 | 185.92.73.140 | tcp |
| NL | 185.92.73.140:443 | | tcp |
Files
memory/2088-0-0x0000000000BD0000-0x0000000000BF6000-memory.dmp
memory/2088-1-0x0000000074420000-0x0000000074B0E000-memory.dmp
memory/2088-2-0x0000000000540000-0x0000000000564000-memory.dmp
memory/2088-3-0x0000000004C70000-0x0000000004CB0000-memory.dmp
memory/1456-4-0x0000000000400000-0x000000000041E000-memory.dmp
memory/1456-6-0x0000000000400000-0x000000000041E000-memory.dmp
memory/1456-8-0x0000000000400000-0x000000000041E000-memory.dmp
memory/1456-10-0x0000000000400000-0x000000000041E000-memory.dmp
memory/1456-12-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp
memory/1456-14-0x0000000000400000-0x000000000041E000-memory.dmp
memory/2088-16-0x0000000074420000-0x0000000074B0E000-memory.dmp
memory/1456-17-0x0000000000400000-0x000000000041E000-memory.dmp
memory/1456-19-0x0000000000400000-0x000000000041E000-memory.dmp
memory/1456-20-0x0000000073D30000-0x000000007441E000-memory.dmp
memory/1456-21-0x0000000004340000-0x0000000004380000-memory.dmp
memory/1456-22-0x0000000073D30000-0x000000007441E000-memory.dmp
memory/1456-23-0x0000000004340000-0x0000000004380000-memory.dmp