Analysis Overview
SHA256
ad475abae33ea4782ee51c912038e06710ad570c06032ae60d9a9b0ca9730386
Threat Level: Known bad
The file 9fe5f95d5355185b04b8e78d1c8cebe4.bin was found to be: Known bad.
Malicious Activity Summary
RedLine
SectopRAT payload
Sectoprat family
RedLine payload
SectopRAT
Redline family
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-09-02 01:40
Signatures
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Redline family
SectopRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Sectoprat family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-09-02 01:40
Reported
2024-09-02 01:42
Platform
win10v2004-20240802-en
Max time kernel
132s
Max time network
151s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6f2dbdabc774d30faa0ae37b727451912b504326b791a1737c7e4a8c41de85ad.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\6f2dbdabc774d30faa0ae37b727451912b504326b791a1737c7e4a8c41de85ad.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\6f2dbdabc774d30faa0ae37b727451912b504326b791a1737c7e4a8c41de85ad.exe
"C:\Users\Admin\AppData\Local\Temp\6f2dbdabc774d30faa0ae37b727451912b504326b791a1737c7e4a8c41de85ad.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4360,i,7447299413640964517,4240724842020506306,262144 --variations-seed-version --mojo-platform-channel-handle=4408 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 207.32.219.79:40826 | | tcp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 207.32.219.79:40826 | | tcp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 207.32.219.79:40826 | | tcp |
| US | 207.32.219.79:40826 | | tcp |
| US | 207.32.219.79:40826 | | tcp |
| US | 8.8.8.8:53 | 94.65.42.20.in-addr.arpa | udp |
| US | 207.32.219.79:40826 | | tcp |
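The Network table above mixes reverse-DNS (in-addr.arpa) queries sent to 8.8.8.8 with repeated TCP connections to 207.32.219.79:40826, which is the only direct (non-DNS) destination in either detonation. The Python below is an added example, not part of the report or of the sandbox's tooling: it parses rows copied from this table (embedded inline as constructed input), tolerates the rendering where a TCP row carries its protocol in the Domain column, counts direct endpoints, and recovers the IPv4 address behind each in-addr.arpa name by reversing its octets. The report does not say whether the PTR queries came from the sample or from the guest OS, so the code only recovers the addresses and makes no attribution.

```python
"""Pull network IOCs out of a sandbox report's Network table.

Added example, not the report's own code. Rows below are copied from the
behavioral2 run and embedded as constructed input so the script runs offline.
"""
import re
from collections import Counter

# Constructed input: the behavioral2 Network rows as rendered on the page,
# including the TCP rows whose protocol sits in the Domain column.
BEHAVIORAL2_ROWS = """
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 207.32.219.79:40826 | tcp | |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 207.32.219.79:40826 | tcp | |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 207.32.219.79:40826 | tcp | |
| US | 207.32.219.79:40826 | tcp | |
| US | 207.32.219.79:40826 | tcp | |
| US | 8.8.8.8:53 | 94.65.42.20.in-addr.arpa | udp |
| US | 207.32.219.79:40826 | tcp |
"""

PROTOS = {"tcp", "udp"}
PTR_RE = re.compile(
    r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.in-addr\.arpa$", re.IGNORECASE
)


def parse_rows(table):
    """Return (country, destination, domain, proto) tuples for each data row.

    The protocol is located by value rather than by column so that a row
    rendered as "| tcp | |" (no domain, proto shifted left) parses correctly.
    """
    rows = []
    for line in table.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) < 3 or cells[0] == "Country":  # skip header / junk
            continue
        country, dest = cells[0], cells[1]
        rest = [c for c in cells[2:] if c]
        proto = next((c.lower() for c in rest if c.lower() in PROTOS), "")
        domain = next((c for c in rest if c.lower() not in PROTOS), "")
        rows.append((country, dest, domain, proto))
    return rows


def ptr_to_ip(name):
    """Map a reverse-lookup name back to the IPv4 it asks about.

    in-addr.arpa names list the octets in reverse order, so
    13.86.106.20.in-addr.arpa is the PTR query for 20.106.86.13.
    """
    m = PTR_RE.match(name.strip())
    if not m:
        return None
    return ".".join(reversed(m.groups()))


def extract_iocs(rows):
    """Split rows into direct endpoints (with hit counts) and PTR-queried IPs."""
    direct = Counter()
    reverse_lookups = []
    for _country, dest, domain, proto in rows:
        if proto == "udp" and dest.endswith(":53"):
            ip = ptr_to_ip(domain)
            if ip:
                reverse_lookups.append(ip)
            continue  # DNS traffic is not itself an endpoint IOC
        direct[(dest, proto)] += 1
    return direct, reverse_lookups


if __name__ == "__main__":
    direct, ptrs = extract_iocs(parse_rows(BEHAVIORAL2_ROWS))
    for (dest, proto), n in direct.most_common():
        print(f"direct {proto} {dest} x{n}")
    print("PTR-queried addresses:", ", ".join(ptrs))
```

Running it against the rows above reports one direct endpoint, 207.32.219.79:40826 over TCP, seen six times, plus the nine addresses the guest asked 8.8.8.8 about. The same parser applies unchanged to the behavioral1 table, which contains only the TCP rows.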
Files
memory/732-0-0x000000007517E000-0x000000007517F000-memory.dmp
memory/732-1-0x0000000000A10000-0x0000000000A2E000-memory.dmp
memory/732-2-0x0000000005AD0000-0x00000000060E8000-memory.dmp
memory/732-3-0x00000000053D0000-0x00000000053E2000-memory.dmp
memory/732-4-0x0000000005430000-0x000000000546C000-memory.dmp
memory/732-5-0x00000000054B0000-0x00000000054FC000-memory.dmp
memory/732-6-0x0000000075170000-0x0000000075920000-memory.dmp
memory/732-7-0x00000000056E0000-0x00000000057EA000-memory.dmp
memory/732-8-0x000000007517E000-0x000000007517F000-memory.dmp
memory/732-9-0x0000000075170000-0x0000000075920000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-09-02 01:40
Reported
2024-09-02 01:42
Platform
win7-20240708-en
Max time kernel
131s
Max time network
141s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6f2dbdabc774d30faa0ae37b727451912b504326b791a1737c7e4a8c41de85ad.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\6f2dbdabc774d30faa0ae37b727451912b504326b791a1737c7e4a8c41de85ad.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\6f2dbdabc774d30faa0ae37b727451912b504326b791a1737c7e4a8c41de85ad.exe
"C:\Users\Admin\AppData\Local\Temp\6f2dbdabc774d30faa0ae37b727451912b504326b791a1737c7e4a8c41de85ad.exe"
Network
| Country | Destination | Domain | Proto |
| US | 207.32.219.79:40826 | | tcp |
| US | 207.32.219.79:40826 | | tcp |
| US | 207.32.219.79:40826 | | tcp |
| US | 207.32.219.79:40826 | | tcp |
| US | 207.32.219.79:40826 | | tcp |
| US | 207.32.219.79:40826 | | tcp |
Files
memory/1716-0-0x000000007433E000-0x000000007433F000-memory.dmp
memory/1716-1-0x0000000000200000-0x000000000021E000-memory.dmp
memory/1716-2-0x0000000074330000-0x0000000074A1E000-memory.dmp
memory/1716-3-0x000000007433E000-0x000000007433F000-memory.dmp
memory/1716-4-0x0000000074330000-0x0000000074A1E000-memory.dmp
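The Files lists in both behavioral runs are memory dumps named memory/<pid>-<seq>-<start>-<end>-memory.dmp. Reading them as ranges shows that some regions were captured more than once: in behavioral2, 732-0 and 732-8 cover the same range, as do 732-6 and 732-9; in behavioral1, 1716-0/1716-3 and 1716-2/1716-4. A region dumped at two points in time is a natural place to look for unpacked or decrypted content by diffing the two captures. The Python below is an added example, not the sandbox's code: it parses both lists (embedded inline as constructed input) into PID, sequence number, address range and size, and reports the ranges that were dumped more than once.

```python
"""Parse sandbox memory-dump names and find regions captured more than once.

Added example, not part of the report. The dump names are copied from the
Files lists of the behavioral2 and behavioral1 runs above.
"""
import re
from collections import defaultdict

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

# Constructed input: dump names as listed for the win10 (behavioral2) run.
BEHAVIORAL2_DUMPS = """
memory/732-0-0x000000007517E000-0x000000007517F000-memory.dmp
memory/732-1-0x0000000000A10000-0x0000000000A2E000-memory.dmp
memory/732-2-0x0000000005AD0000-0x00000000060E8000-memory.dmp
memory/732-3-0x00000000053D0000-0x00000000053E2000-memory.dmp
memory/732-4-0x0000000005430000-0x000000000546C000-memory.dmp
memory/732-5-0x00000000054B0000-0x00000000054FC000-memory.dmp
memory/732-6-0x0000000075170000-0x0000000075920000-memory.dmp
memory/732-7-0x00000000056E0000-0x00000000057EA000-memory.dmp
memory/732-8-0x000000007517E000-0x000000007517F000-memory.dmp
memory/732-9-0x0000000075170000-0x0000000075920000-memory.dmp
"""

# Constructed input: dump names as listed for the win7 (behavioral1) run.
BEHAVIORAL1_DUMPS = """
memory/1716-0-0x000000007433E000-0x000000007433F000-memory.dmp
memory/1716-1-0x0000000000200000-0x000000000021E000-memory.dmp
memory/1716-2-0x0000000074330000-0x0000000074A1E000-memory.dmp
memory/1716-3-0x000000007433E000-0x000000007433F000-memory.dmp
memory/1716-4-0x0000000074330000-0x0000000074A1E000-memory.dmp
"""


def parse_dump_name(name):
    """Decode one dump filename into pid, seq, start, end and size (bytes)."""
    m = DUMP_RE.match(name.strip())
    if not m:
        raise ValueError(f"not a memory dump name: {name!r}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"empty or inverted range in {name!r}")
    return {
        "pid": int(m["pid"]),
        "seq": int(m["seq"]),
        "start": start,
        "end": end,
        "size": end - start,
    }


def parse_dump_list(text):
    """Parse a block of dump names, one per line, ignoring blank lines."""
    return [parse_dump_name(line) for line in text.strip().splitlines() if line.strip()]


def recaptured_ranges(dumps):
    """Map (start, end) -> sorted seq numbers for ranges dumped more than once."""
    by_range = defaultdict(list)
    for d in dumps:
        by_range[(d["start"], d["end"])].append(d["seq"])
    return {rng: sorted(seqs) for rng, seqs in by_range.items() if len(seqs) > 1}


def largest_region(dumps):
    """Return the dump covering the most bytes (first one wins on ties)."""
    return max(dumps, key=lambda d: d["size"])


if __name__ == "__main__":
    for label, text in (("behavioral2", BEHAVIORAL2_DUMPS), ("behavioral1", BEHAVIORAL1_DUMPS)):
        dumps = parse_dump_list(text)
        print(f"{label}: pid {dumps[0]['pid']}, {len(dumps)} dumps")
        for (start, end), seqs in recaptured_ranges(dumps).items():
            print(f"  0x{start:08X}-0x{end:08X} captured at seq {seqs}")
```

For behavioral2 this lists the two re-captured ranges noted above; the pair of captures of 0x75170000-0x75920000 (about 7.7 MB) is the one most worth diffing, while the one-page range 0x7517E000-0x7517F000 sits inside it.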