Analysis Overview
SHA256
3d243c5f576ffa3f0f3e405764686809b9be85e791b946d2f1f3bc117fd17d26
Threat Level: Known bad
The file 7d183dcb376ad8afea5c7fc6afe23028 was found to be: Known bad.
Malicious Activity Summary
RedLine
RedLine payload
SectopRAT
SectopRAT payload
Unsigned PE
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-01-28 12:12
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-28 12:12
Reported
2024-01-28 12:15
Platform
win7-20231215-en
Max time kernel
142s
Max time network
153s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7d183dcb376ad8afea5c7fc6afe23028.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\7d183dcb376ad8afea5c7fc6afe23028.exe
"C:\Users\Admin\AppData\Local\Temp\7d183dcb376ad8afea5c7fc6afe23028.exe"
Network
| Country | Destination | Domain | Proto |
| RU | 185.215.113.114:8887 | | tcp |
| RU | 185.215.113.114:8887 | | tcp |
| RU | 185.215.113.114:8887 | | tcp |
| RU | 185.215.113.114:8887 | | tcp |
| RU | 185.215.113.114:8887 | | tcp |
| RU | 185.215.113.114:8887 | | tcp |
| RU | 185.215.113.114:8887 | | tcp |
Files
memory/1516-1-0x0000000002DD0000-0x0000000002ED0000-memory.dmp
memory/1516-2-0x0000000000220000-0x000000000024F000-memory.dmp
memory/1516-3-0x0000000003060000-0x0000000003080000-memory.dmp
memory/1516-4-0x0000000000400000-0x0000000002CD6000-memory.dmp
memory/1516-5-0x0000000007270000-0x00000000072B0000-memory.dmp
memory/1516-6-0x0000000007270000-0x00000000072B0000-memory.dmp
memory/1516-7-0x0000000004670000-0x000000000468E000-memory.dmp
memory/1516-8-0x0000000074860000-0x0000000074F4E000-memory.dmp
memory/1516-9-0x0000000007270000-0x00000000072B0000-memory.dmp
memory/1516-12-0x0000000002DD0000-0x0000000002ED0000-memory.dmp
memory/1516-13-0x0000000007270000-0x00000000072B0000-memory.dmp
memory/1516-14-0x0000000007270000-0x00000000072B0000-memory.dmp
memory/1516-15-0x0000000007270000-0x00000000072B0000-memory.dmp
memory/1516-16-0x0000000074860000-0x0000000074F4E000-memory.dmp
memory/1516-17-0x0000000007270000-0x00000000072B0000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-28 12:12
Reported
2024-01-28 12:15
Platform
win10v2004-20231215-en
Max time kernel
149s
Max time network
155s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7d183dcb376ad8afea5c7fc6afe23028.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\7d183dcb376ad8afea5c7fc6afe23028.exe
"C:\Users\Admin\AppData\Local\Temp\7d183dcb376ad8afea5c7fc6afe23028.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 20.231.121.79:80 | | tcp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| RU | 185.215.113.114:8887 | | tcp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| RU | 185.215.113.114:8887 | | tcp |
| RU | 185.215.113.114:8887 | | tcp |
| RU | 185.215.113.114:8887 | | tcp |
| US | 8.8.8.8:53 | 178.223.142.52.in-addr.arpa | udp |
| RU | 185.215.113.114:8887 | | tcp |
| RU | 185.215.113.114:8887 | | tcp |
| US | 8.8.8.8:53 | 24.73.42.20.in-addr.arpa | udp |
| RU | 185.215.113.114:8887 | | tcp |
Files
memory/5084-1-0x0000000002F60000-0x0000000003060000-memory.dmp
memory/5084-2-0x0000000002EA0000-0x0000000002ECF000-memory.dmp
memory/5084-3-0x0000000004ED0000-0x0000000004EF0000-memory.dmp
memory/5084-4-0x0000000000400000-0x0000000002CD6000-memory.dmp
memory/5084-5-0x0000000004F10000-0x0000000004F20000-memory.dmp
memory/5084-6-0x00000000074E0000-0x0000000007A84000-memory.dmp
memory/5084-7-0x0000000074920000-0x00000000750D0000-memory.dmp
memory/5084-8-0x0000000004F10000-0x0000000004F20000-memory.dmp
memory/5084-9-0x0000000004F20000-0x0000000004F3E000-memory.dmp
memory/5084-10-0x0000000007A90000-0x00000000080A8000-memory.dmp
memory/5084-11-0x0000000005130000-0x0000000005142000-memory.dmp
memory/5084-12-0x0000000005150000-0x000000000518C000-memory.dmp
memory/5084-13-0x0000000004F10000-0x0000000004F20000-memory.dmp
memory/5084-14-0x00000000080D0000-0x000000000811C000-memory.dmp
memory/5084-15-0x0000000008260000-0x000000000836A000-memory.dmp
memory/5084-16-0x0000000000400000-0x0000000002CD6000-memory.dmp
memory/5084-17-0x0000000002F60000-0x0000000003060000-memory.dmp
memory/5084-19-0x0000000002EA0000-0x0000000002ECF000-memory.dmp
memory/5084-20-0x0000000004F10000-0x0000000004F20000-memory.dmp
memory/5084-21-0x0000000074920000-0x00000000750D0000-memory.dmp
memory/5084-22-0x0000000004F10000-0x0000000004F20000-memory.dmp
memory/5084-24-0x0000000004F10000-0x0000000004F20000-memory.dmp