Analysis Overview
SHA256
0b47db74abe595407c186f64d9a51895147468d4007d39aa7e2b98c165544dda
Threat Level: Known bad
The file c1a656d313538356cb86db92c0ce5ddf was found to be: Known bad.
Malicious Activity Summary
RedLine
RedLine payload
SectopRAT
SectopRAT payload
Unsigned PE
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-03-11 21:28
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-11 21:28
Reported
2024-03-11 21:31
Platform
win7-20240220-en
Max time kernel
142s
Max time network
149s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\c1a656d313538356cb86db92c0ce5ddf.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\c1a656d313538356cb86db92c0ce5ddf.exe
"C:\Users\Admin\AppData\Local\Temp\c1a656d313538356cb86db92c0ce5ddf.exe"
Network
| Country | Destination | Domain | Proto |
| RU | 185.215.113.114:8887 | | tcp |
| RU | 185.215.113.114:8887 | | tcp |
| RU | 185.215.113.114:8887 | | tcp |
| RU | 185.215.113.114:8887 | | tcp |
| RU | 185.215.113.114:8887 | | tcp |
| RU | 185.215.113.114:8887 | | tcp |
| RU | 185.215.113.114:8887 | | tcp |
Files
memory/2700-1-0x0000000000A90000-0x0000000000B90000-memory.dmp
memory/2700-2-0x0000000000220000-0x000000000024F000-memory.dmp
memory/2700-3-0x0000000000400000-0x00000000008BE000-memory.dmp
memory/2700-4-0x0000000074380000-0x0000000074A6E000-memory.dmp
memory/2700-6-0x0000000000360000-0x0000000000380000-memory.dmp
memory/2700-5-0x0000000004E30000-0x0000000004E70000-memory.dmp
memory/2700-7-0x0000000004E30000-0x0000000004E70000-memory.dmp
memory/2700-8-0x0000000002290000-0x00000000022AE000-memory.dmp
memory/2700-9-0x0000000004E30000-0x0000000004E70000-memory.dmp
memory/2700-11-0x0000000000A90000-0x0000000000B90000-memory.dmp
memory/2700-12-0x0000000074380000-0x0000000074A6E000-memory.dmp
memory/2700-14-0x0000000004E30000-0x0000000004E70000-memory.dmp
memory/2700-15-0x0000000004E30000-0x0000000004E70000-memory.dmp
memory/2700-16-0x0000000004E30000-0x0000000004E70000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-11 21:28
Reported
2024-03-11 21:31
Platform
win10v2004-20231215-en
Max time kernel
147s
Max time network
149s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\c1a656d313538356cb86db92c0ce5ddf.exe | N/A |
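The one signature that carries a concrete indicator in both runs is the sample enabling SeDebugPrivilege on its own token while running from %LOCALAPPDATA%\Temp. The Sigma rule below is an added example and is not part of the report or the sandbox vendor's signatures. It assumes Windows Security auditing with the "Audit Token Right Adjusted" subcategory enabled, which produces event 4703 on Windows 10 / Server 2016 and later (so it would not cover the win7 run above), and it uses the executable path to cut volume, because many legitimate processes enable SeDebugPrivilege.

```yaml
title: SeDebugPrivilege Enabled by Executable in User Temp Directory
status: experimental
description: >
  Detects a process running from a user's AppData\Local\Temp directory
  adjusting its own token to enable SeDebugPrivilege, as the RedLine /
  SectopRAT sample in this report does. Event 4703 is high-volume on a
  normal host; the path filter is what makes the rule usable.
tags:
  - attack.privilege_escalation
  - attack.t1134
logsource:
  product: windows
  service: security
detection:
  selection:
    EventID: 4703
    EnabledPrivilegeList|contains: 'SeDebugPrivilege'
    ProcessName|contains: '\AppData\Local\Temp\'
  condition: selection
falsepositives:
  - Installers, updaters and debuggers legitimately launched from a temp directory
level: medium
```

Triage on a hit: pair it with the process creation event for the same ProcessName and check the file's signature status and hash; an unsigned PE in Temp that enables SeDebugPrivilege and then opens an outbound TCP session to a non-standard port matches the behaviour recorded above.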
Processes
C:\Users\Admin\AppData\Local\Temp\c1a656d313538356cb86db92c0ce5ddf.exe
"C:\Users\Admin\AppData\Local\Temp\c1a656d313538356cb86db92c0ce5ddf.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
| RU | 185.215.113.114:8887 | | tcp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| RU | 185.215.113.114:8887 | | tcp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.171.91.138.in-addr.arpa | udp |
| RU | 185.215.113.114:8887 | | tcp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| RU | 185.215.113.114:8887 | | tcp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| RU | 185.215.113.114:8887 | | tcp |
| RU | 185.215.113.114:8887 | | tcp |
| RU | 185.215.113.114:8887 | | tcp |
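Both Network tables (behavioral1 and behavioral2) show the same pattern: repeated TCP sessions to 185.215.113.114:8887 with no DNS query for that address, so the sample connects by IP rather than by name. The Windows 10 run additionally records reverse (PTR) lookups of unrelated addresses through 8.8.8.8, which appear only in that run and are not tied to the C2 endpoint. The script below is an added example, not part of the report or the sandbox's tooling: it parses the table rows (copied from the behavioral2 run and embedded inline), separates the beacons from the PTR lookups, and turns the PTR names back into the addresses they asked about so an analyst can decide whether they belong in the IOC list.

```python
"""Triage helper: turn a sandbox report's Network table into IOCs.

Added example, not part of the original report or the sandbox vendor's
tooling. The rows below are a constructed copy of the behavioral2 (win10)
table from this page; the behavioral1 (win7) run contained only the seven
TCP rows to the same endpoint.
"""
from collections import Counter
from dataclasses import dataclass

# Markdown-style rows as the report renders them. An empty Domain cell
# means a raw socket connection rather than a DNS query.
NETWORK_TABLE = """\
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
| RU | 185.215.113.114:8887 | | tcp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| RU | 185.215.113.114:8887 | | tcp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.171.91.138.in-addr.arpa | udp |
| RU | 185.215.113.114:8887 | | tcp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| RU | 185.215.113.114:8887 | | tcp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| RU | 185.215.113.114:8887 | | tcp |
| RU | 185.215.113.114:8887 | | tcp |
| RU | 185.215.113.114:8887 | | tcp |
"""


@dataclass(frozen=True)
class Conn:
    country: str
    dest: str     # "ip:port"
    domain: str   # queried name; empty for a raw socket connection
    proto: str


def parse_table(text):
    """Parse '| country | dest | domain | proto |' rows, skipping anything else."""
    conns = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) == 4:
            conns.append(Conn(*cells))
    return conns


def ptr_to_ip(name):
    """Reverse an in-addr.arpa PTR name back to the IPv4 address it asks about."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        return None
    return ".".join(reversed(octets))


def classify(conn):
    """'ptr' for reverse lookups, 'dns' for other queries, 'beacon' otherwise."""
    port = conn.dest.rpartition(":")[2]
    if port == "53":
        return "ptr" if conn.domain.endswith(".in-addr.arpa") else "dns"
    return "beacon"


def extract_iocs(conns):
    """Count direct sessions per ip:port and collect what was looked up."""
    c2, ptr_targets, dns_names = Counter(), set(), set()
    for c in conns:
        kind = classify(c)
        if kind == "beacon":
            c2[c.dest] += 1
        elif kind == "ptr":
            ip = ptr_to_ip(c.domain)
            if ip:
                ptr_targets.add(ip)
        else:
            dns_names.add(c.domain)
    numeric = lambda s: tuple(int(o) for o in s.split("."))
    return {"c2": c2,
            "ptr_targets": sorted(ptr_targets, key=numeric),
            "dns_names": sorted(dns_names)}


if __name__ == "__main__":
    iocs = extract_iocs(parse_table(NETWORK_TABLE))
    for dest, n in iocs["c2"].most_common():
        print(f"C2 candidate {dest} ({n} sessions, no DNS resolution seen)")
    print("reverse lookups issued for:", ", ".join(iocs["ptr_targets"]))
```

The beacon count is the IOC to block; the reversed PTR targets are context only, since the report gives no evidence the sample itself issued them, and they do not occur in the win7 run at all.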
Files
memory/4960-1-0x0000000000B80000-0x0000000000C80000-memory.dmp
memory/4960-2-0x0000000002620000-0x000000000264F000-memory.dmp
memory/4960-3-0x0000000000400000-0x00000000008BE000-memory.dmp
memory/4960-5-0x0000000074700000-0x0000000074EB0000-memory.dmp
memory/4960-4-0x0000000002780000-0x00000000027A0000-memory.dmp
memory/4960-6-0x00000000051D0000-0x00000000051E0000-memory.dmp
memory/4960-7-0x00000000051D0000-0x00000000051E0000-memory.dmp
memory/4960-8-0x00000000051E0000-0x0000000005784000-memory.dmp
memory/4960-9-0x0000000002A40000-0x0000000002A5E000-memory.dmp
memory/4960-10-0x0000000005790000-0x0000000005DA8000-memory.dmp
memory/4960-11-0x0000000002B00000-0x0000000002B12000-memory.dmp
memory/4960-12-0x0000000005080000-0x00000000050BC000-memory.dmp
memory/4960-13-0x00000000051D0000-0x00000000051E0000-memory.dmp
memory/4960-14-0x00000000050D0000-0x000000000511C000-memory.dmp
memory/4960-15-0x0000000005E40000-0x0000000005F4A000-memory.dmp
memory/4960-16-0x0000000000B80000-0x0000000000C80000-memory.dmp
memory/4960-17-0x0000000002620000-0x000000000264F000-memory.dmp
memory/4960-18-0x0000000000400000-0x00000000008BE000-memory.dmp
memory/4960-19-0x0000000074700000-0x0000000074EB0000-memory.dmp
memory/4960-20-0x00000000051D0000-0x00000000051E0000-memory.dmp
memory/4960-22-0x00000000051D0000-0x00000000051E0000-memory.dmp
memory/4960-23-0x00000000051D0000-0x00000000051E0000-memory.dmp
memory/4960-24-0x00000000051D0000-0x00000000051E0000-memory.dmp
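Both Files sections list only memory dumps, named memory/<pid>-<sequence>-<start>-<end>-memory.dmp, and the same address range is frequently dumped several times (0x4E30000-0x4E70000 seven times in the win7 run, 0x51D0000-0x51E0000 seven times on win10). The script below is an added example, not the report's or the vendor's code: it parses the names from the behavioral2 run (embedded inline), groups repeated captures of the same range, and picks out the region at 0x400000, the default image base of a 32-bit PE, which is normally the first dump to open in a disassembler. Which captures of a repeated range differ from each other is a question for the dump contents, which this page does not include.

```python
"""Summarize the memory dumps a sandbox report lists for a process.

Added example, not the report's or the sandbox vendor's own code. The dump
names below are copied from this page's behavioral2 run (constructed inline
so the script runs offline). Each name encodes pid, capture sequence number
and the [start, end) virtual address range that was dumped.
"""
import re
from collections import defaultdict

DUMPS = """\
memory/4960-1-0x0000000000B80000-0x0000000000C80000-memory.dmp
memory/4960-2-0x0000000002620000-0x000000000264F000-memory.dmp
memory/4960-3-0x0000000000400000-0x00000000008BE000-memory.dmp
memory/4960-5-0x0000000074700000-0x0000000074EB0000-memory.dmp
memory/4960-4-0x0000000002780000-0x00000000027A0000-memory.dmp
memory/4960-6-0x00000000051D0000-0x00000000051E0000-memory.dmp
memory/4960-7-0x00000000051D0000-0x00000000051E0000-memory.dmp
memory/4960-8-0x00000000051E0000-0x0000000005784000-memory.dmp
memory/4960-9-0x0000000002A40000-0x0000000002A5E000-memory.dmp
memory/4960-10-0x0000000005790000-0x0000000005DA8000-memory.dmp
memory/4960-11-0x0000000002B00000-0x0000000002B12000-memory.dmp
memory/4960-12-0x0000000005080000-0x00000000050BC000-memory.dmp
memory/4960-13-0x00000000051D0000-0x00000000051E0000-memory.dmp
memory/4960-14-0x00000000050D0000-0x000000000511C000-memory.dmp
memory/4960-15-0x0000000005E40000-0x0000000005F4A000-memory.dmp
memory/4960-16-0x0000000000B80000-0x0000000000C80000-memory.dmp
memory/4960-17-0x0000000002620000-0x000000000264F000-memory.dmp
memory/4960-18-0x0000000000400000-0x00000000008BE000-memory.dmp
memory/4960-19-0x0000000074700000-0x0000000074EB0000-memory.dmp
memory/4960-20-0x00000000051D0000-0x00000000051E0000-memory.dmp
memory/4960-22-0x00000000051D0000-0x00000000051E0000-memory.dmp
memory/4960-23-0x00000000051D0000-0x00000000051E0000-memory.dmp
memory/4960-24-0x00000000051D0000-0x00000000051E0000-memory.dmp
"""

# memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp
DUMP_RE = re.compile(
    r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$"
)


def parse_dump(name):
    """Return a dict for one dump name, or None if it does not match."""
    m = DUMP_RE.match(name.strip())
    if not m:
        return None
    pid, seq, start, end = m.groups()
    start, end = int(start, 16), int(end, 16)
    if end <= start:  # malformed range, ignore
        return None
    return {"pid": int(pid), "seq": int(seq), "start": start, "end": end,
            "size": end - start}


def summarize(text):
    """Group dumps by address range, keeping the sequence numbers of every
    capture, so ranges that were dumped more than once stand out."""
    by_range = defaultdict(list)
    for line in text.splitlines():
        d = parse_dump(line)
        if d:
            by_range[(d["start"], d["end"])].append(d["seq"])
    rows = [{"start": s, "end": e, "size": e - s, "dumps": sorted(seqs)}
            for (s, e), seqs in by_range.items()]
    rows.sort(key=lambda r: r["start"])
    return rows


def image_region(rows, base=0x400000):
    """Region mapped at the default 32-bit PE image base, if present."""
    return next((r for r in rows if r["start"] == base), None)


def most_captured(rows):
    """Region that was dumped the most times."""
    return max(rows, key=lambda r: len(r["dumps"]))


if __name__ == "__main__":
    rows = summarize(DUMPS)
    for r in rows:
        print(f"0x{r['start']:08X}-0x{r['end']:08X} {r['size']:>9} bytes "
              f"dumped {len(r['dumps'])}x (seq {r['dumps']})")
```

In this run the 0x400000 region is 0x4BE000 bytes and was captured twice (seq 3 and 18); the 64 KiB region at 0x51D0000 was captured seven times, and the largest single mapping is the 0x7B0000-byte region at 0x74700000, a typical address for a loaded DLL on 32-bit Windows (an inference from the address, not something the report states).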