Analysis Overview
SHA256
a4854606241ba9091e1f51cf14d2f12297ac717ad49ec4d1d624cb440a8a7a55
Threat Level: Known bad
The file 7b0211c7fd8829ecb11e6270e12730a8 was found to be: Known bad.
Malicious Activity Summary
RedLine
RedLine payload
SectopRAT
SectopRAT payload
Unsigned PE
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-01-27 18:53
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-27 18:53
Reported
2024-01-27 18:56
Platform
win7-20231215-en
Max time kernel
140s
Max time network
148s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7b0211c7fd8829ecb11e6270e12730a8.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\7b0211c7fd8829ecb11e6270e12730a8.exe
"C:\Users\Admin\AppData\Local\Temp\7b0211c7fd8829ecb11e6270e12730a8.exe"
Network
| Country | Destination | Domain | Proto |
| RU | 185.215.113.114:8887 | tcp | |
| RU | 185.215.113.114:8887 | tcp | |
| RU | 185.215.113.114:8887 | tcp | |
| RU | 185.215.113.114:8887 | tcp | |
| RU | 185.215.113.114:8887 | tcp | |
| RU | 185.215.113.114:8887 | tcp | |
| RU | 185.215.113.114:8887 | tcp |
Files
memory/1704-2-0x00000000002A0000-0x00000000002CF000-memory.dmp
memory/1704-1-0x0000000002D00000-0x0000000002E00000-memory.dmp
memory/1704-3-0x0000000002CE0000-0x0000000002D00000-memory.dmp
memory/1704-7-0x0000000007140000-0x0000000007180000-memory.dmp
memory/1704-6-0x0000000007140000-0x0000000007180000-memory.dmp
memory/1704-5-0x0000000000400000-0x0000000002C86000-memory.dmp
memory/1704-4-0x0000000004640000-0x000000000465E000-memory.dmp
memory/1704-8-0x0000000074D50000-0x000000007543E000-memory.dmp
memory/1704-11-0x0000000007140000-0x0000000007180000-memory.dmp
memory/1704-10-0x0000000002D00000-0x0000000002E00000-memory.dmp
memory/1704-13-0x0000000074D50000-0x000000007543E000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-27 18:53
Reported
2024-01-27 18:56
Platform
win10v2004-20231222-en
Max time kernel
142s
Max time network
149s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7b0211c7fd8829ecb11e6270e12730a8.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\7b0211c7fd8829ecb11e6270e12730a8.exe
"C:\Users\Admin\AppData\Local\Temp\7b0211c7fd8829ecb11e6270e12730a8.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| RU | 185.215.113.114:8887 | tcp | |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| RU | 185.215.113.114:8887 | tcp | |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| RU | 185.215.113.114:8887 | tcp | |
| US | 8.8.8.8:53 | 208.178.17.96.in-addr.arpa | udp |
| RU | 185.215.113.114:8887 | tcp | |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| RU | 185.215.113.114:8887 | tcp | |
| RU | 185.215.113.114:8887 | tcp | |
| RU | 185.215.113.114:8887 | tcp |
Files
memory/224-2-0x0000000002DF0000-0x0000000002E1F000-memory.dmp
memory/224-1-0x0000000002E30000-0x0000000002F30000-memory.dmp
memory/224-3-0x0000000004A20000-0x0000000004A40000-memory.dmp
memory/224-4-0x0000000007380000-0x0000000007924000-memory.dmp
memory/224-5-0x0000000004D90000-0x0000000004DAE000-memory.dmp
memory/224-6-0x0000000000400000-0x0000000002C86000-memory.dmp
memory/224-7-0x0000000007370000-0x0000000007380000-memory.dmp
memory/224-8-0x0000000007370000-0x0000000007380000-memory.dmp
memory/224-11-0x0000000008000000-0x0000000008012000-memory.dmp
memory/224-10-0x0000000075280000-0x0000000075A30000-memory.dmp
memory/224-9-0x0000000007970000-0x0000000007F88000-memory.dmp
memory/224-12-0x0000000008020000-0x000000000805C000-memory.dmp
memory/224-13-0x0000000007370000-0x0000000007380000-memory.dmp
memory/224-14-0x0000000008080000-0x00000000080CC000-memory.dmp
memory/224-15-0x0000000008210000-0x000000000831A000-memory.dmp
memory/224-17-0x0000000002E30000-0x0000000002F30000-memory.dmp
memory/224-18-0x0000000002DF0000-0x0000000002E1F000-memory.dmp
memory/224-20-0x0000000007370000-0x0000000007380000-memory.dmp
memory/224-21-0x0000000075280000-0x0000000075A30000-memory.dmp
memory/224-22-0x0000000007370000-0x0000000007380000-memory.dmp