Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 09-01-2021 08:01
Static task: static1
Behavioral task: behavioral1
  Sample: hfix.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: hfix.exe
  Resource: win10v20201028
General
- Target: hfix.exe
- Size: 976KB
- MD5: d7c8605a63f8f65eca9833f926d69ca1
- SHA1: dc9936697678ea0ab1ab9313f02e60ebb9789a7f
- SHA256: 3d74c37ade5a7082617acb0cb1697eb18c9a61f7099b04b76967140f3a8d03ec
- SHA512: dcc402d9c2392a219995b1ac853c580ccfb7ad18f60b36ca4aa1018e09c2fe1de41495c748d7d698c7a4031a7d5ff07f9a89502913174302f3c24b39eaf1c081
Malware Config
Signatures
- SectopRAT Payload (3 IoCs)
  resource | yara_rule
  behavioral1/memory/852-26-0x0000000000090000-0x00000000000AA000-memory.dmp | family_sectoprat
  behavioral1/memory/852-29-0x0000000000090000-0x00000000000AA000-memory.dmp | family_sectoprat
  behavioral1/memory/852-30-0x0000000000090000-0x00000000000AA000-memory.dmp | family_sectoprat
- Executes dropped EXE (3 IoCs)
  pid | process
  1092 | smss.com
  828 | smss.com
  852 | RegAsm.exe
- Drops startup file (1 IoC)
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\meAPqxlTjq.url | smss.com
- Loads dropped DLL (4 IoCs)
  pid | process
  1788 | cmd.exe
  1092 | smss.com
  828 | smss.com
  852 | RegAsm.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | process
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce | hfix.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | hfix.exe
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  8 | eth0.me
- Suspicious use of SetThreadContext (1 IoC)
  description | pid | process | target process
  PID 828 set thread context of 852 | 828 | smss.com | RegAsm.exe
- Runs ping.exe (1 TTP, 2 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | process
  Token: SeDebugPrivilege | 852 | RegAsm.exe
- Suspicious use of WriteProcessMemory (49 IoCs)
  pid | process | target pid | target process | count of identical entries
  1036 | hfix.exe | 2024 | cmd.exe | 4
  1036 | hfix.exe | 1156 | cmd.exe | 4
  1156 | cmd.exe | 2004 | certutil.exe | 4
  1156 | cmd.exe | 1788 | cmd.exe | 4
  1788 | cmd.exe | 1660 | PING.EXE | 4
  1788 | cmd.exe | 664 | findstr.exe | 4
  1788 | cmd.exe | 400 | certutil.exe | 4
  1788 | cmd.exe | 1092 | smss.com | 4
  1788 | cmd.exe | 676 | PING.EXE | 4
  1092 | smss.com | 828 | smss.com | 4
  828 | smss.com | 852 | RegAsm.exe | 9
Processes
- C:\Users\Admin\AppData\Local\Temp\hfix.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\hfix.exe"
  signatures: Adds Run key to start application; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    command line: cmd /c riZlWR
  - C:\Windows\SysWOW64\cmd.exe
    command line: cmd /c certutil -decode 8-5 87-37 & cmd < 87-37
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\certutil.exe
      command line: certutil -decode 8-5 87-37
    - C:\Windows\SysWOW64\cmd.exe
      command line: cmd
      signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\PING.EXE
        command line: ping -n 1 sRmI.sRmI
        signatures: Runs ping.exe
      - C:\Windows\SysWOW64\findstr.exe
        command line: findstr /V /R "^vodCXkXHPfWDyEQVgtNChSVdD$" 11-35
      - C:\Windows\SysWOW64\certutil.exe
        command line: certutil -decode 7-30 n
      - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\smss.com
        command line: smss.com n
        signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\smss.com
          command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\smss.com n
          signatures: Executes dropped EXE; Drops startup file; Loads dropped DLL; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
          - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RegAsm.exe
            command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RegAsm.exe
            signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\PING.EXE
        command line: ping 127.0.0.1 -n 30
        signatures: Runs ping.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\11-35
  MD5: c88aa70d7fff6fde70fcd5163b008d65
  SHA1: 04520f30c1bca2e8e10a72ac3d96fb4c80c9aaf7
  SHA256: 9a0d7eba0a5202895dd053438141ee3e9afe3c866b357c989214cd4b1fdb3a8f
  SHA512: ad85a5f6098ade69573ffdd9470c69a14aae3722a0fa68c3ecb5a9dc9b3e4303220a8a17e0ba5a58cc6afbe2d5834e51f83f160a752663d0f624ddf0656e4580
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7-30
  MD5: a878beea90f9898f2dbe466cbbb6a786
  SHA1: 4dac0f48676d2352c464578a61eb301d594c873b
  SHA256: 09b37c245755d43c8fc3697d048b5f96999e663424224af57a182b6b903cc174
  SHA512: ccca4466234425116dcc0f8fb7f549db676dcb647efe85b59e316f11baa2bf797d187e89922e855a6080cf658d5a84c1a2775204c67f15ea36cb465dc45ff251
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\8-5
  MD5: f2d78b0f9c86a075bf92c3e86f150e04
  SHA1: 082335e25031279e47c7224969f03a2fd268dbe8
  SHA256: f9e00fca5b5a3cf6cf3db08464334eeddbbcf844824c627938b6daa6dedec70c
  SHA512: 5366dff7271f253002f6e30a254ea2dd8552f0bb8afe6e067d0e4f47a0f9020d449e2473e11f159f2db9425e336b2635a017eaff51c12cc6195eb692603ebc13
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\84-45
  MD5: ec60d2194f9fb16507176fbd6ebb5ff1
  SHA1: ffb43e1c5f8b331bc9480d343fd63d757033f219
  SHA256: 730fe18cb53e3f99ef8497da93c6e122509087641b8cff2e8587ee9a7d447d58
  SHA512: 067b9310e78e239c7796f4b91072e4b2a0e7374561d2b82efbd8028013214e15aa37b22124ab7357ebad30083878b24f94e7d72bd8402db76420c6079821223d
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\87-37
  MD5: 7a353582db655ff2b2737e0f3a669bae
  SHA1: 0be22e6b160186bc3248b2841c403caeff97b331
  SHA256: d79b150ba10e3179eff91082e29d2895f09f1d48a6b1132062868c6fa55882c0
  SHA512: 71fb8660eee6216e6dec1c6760cd6b48b2494d3e95927469e746a25db2be19bf0d460d7443f619d207a75e51c6a552dc336e56b6e9edc307952bc8a1859fcaa7
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RegAsm.exe
  MD5: b58b926c3574d28d5b7fdd2ca3ec30d5
  SHA1: d260c4ffd603a9cfc057fcb83d678b1cecdf86f9
  SHA256: 6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3
  SHA512: b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n
  MD5: 47e476763c1365238c201ab15baa4d7f
  SHA1: ef93f3a797c12858f1e7adb5db7c2f9985dd60d7
  SHA256: 1e2115f572645145839da6eac0d39a7452bef39db10f1cade5be3c4608768dbd
  SHA512: 074bc31e8b1e7eced12e2a4a6e8fd1ab55624669ef26a3d999966ef407cadf79d5efe74b0bbd88da7036946e274012698e59f5a7e3e5ac224c16ecb6b9ab3503
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\smss.com
  MD5: 78ba0653a340bac5ff152b21a83626cc
  SHA1: b12da9cb5d024555405040e65ad89d16ae749502
  SHA256: 05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7
  SHA512: efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317
- \Users\Admin\AppData\Local\Temp\IXP000.TMP\RegAsm.exe
  MD5: b58b926c3574d28d5b7fdd2ca3ec30d5
  SHA1: d260c4ffd603a9cfc057fcb83d678b1cecdf86f9
  SHA256: 6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3
  SHA512: b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab
- \Users\Admin\AppData\Local\Temp\IXP000.TMP\smss.com
  MD5: 78ba0653a340bac5ff152b21a83626cc
  SHA1: b12da9cb5d024555405040e65ad89d16ae749502
  SHA256: 05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7
  SHA512: efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317
- memory/400-11-0x0000000000000000-mapping.dmp
- memory/664-9-0x0000000000000000-mapping.dmp
- memory/676-17-0x0000000000000000-mapping.dmp
- memory/828-21-0x0000000000000000-mapping.dmp
- memory/852-26-0x0000000000090000-0x00000000000AA000-memory.dmp
  Filesize: 104KB
- memory/852-25-0x0000000000090000-0x00000000000AA000-memory.dmp
  Filesize: 104KB
- memory/852-29-0x0000000000090000-0x00000000000AA000-memory.dmp
  Filesize: 104KB
- memory/852-30-0x0000000000090000-0x00000000000AA000-memory.dmp
  Filesize: 104KB
- memory/852-33-0x0000000074230000-0x000000007491E000-memory.dmp
  Filesize: 6.9MB
- memory/1092-15-0x0000000000000000-mapping.dmp
- memory/1092-14-0x0000000000000000-mapping.dmp
- memory/1156-3-0x0000000000000000-mapping.dmp
- memory/1660-8-0x0000000000000000-mapping.dmp
- memory/1788-7-0x0000000000000000-mapping.dmp
- memory/2004-4-0x0000000000000000-mapping.dmp
- memory/2024-2-0x0000000000000000-mapping.dmp