sectoprat | 3d74c37ade5a7082617acb0cb1697eb18c9a61f7099b04b76967140f3a8d03ec

Analysis

max time kernel
113s
max time network
120s
platform
windows10_x64
resource
win10v20201028
submitted
09-01-2021 08:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

hfix.exe
Size

976KB
MD5

d7c8605a63f8f65eca9833f926d69ca1
SHA1

dc9936697678ea0ab1ab9313f02e60ebb9789a7f
SHA256

3d74c37ade5a7082617acb0cb1697eb18c9a61f7099b04b76967140f3a8d03ec
SHA512

dcc402d9c2392a219995b1ac853c580ccfb7ad18f60b36ca4aa1018e09c2fe1de41495c748d7d698c7a4031a7d5ff07f9a89502913174302f3c24b39eaf1c081

Score

10^/10

sectoprat persistence rat spyware trojan

Malware Config

Signatures

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3824-22-0x0000000000610000-0x000000000062A000-memory.dmp	family_sectoprat

Executes dropped EXE 3 IoCs

Processes:

smss.comsmss.comRegAsm.exe

pid process

1096 smss.com
2136 smss.com
3824 RegAsm.exe
Drops startup file 1 IoCs

Processes:

smss.com

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\meAPqxlTjq.url smss.com
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1096	smss.com
2136	smss.com
3824	RegAsm.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\meAPqxlTjq.url	smss.com

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

hfix.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	hfix.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	hfix.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

16 eth0.me
Suspicious use of SetThreadContext 1 IoCs

Processes:

smss.com

description pid process target process

PID 2136 set thread context of 3824 2136 smss.com RegAsm.exe
Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXE

pid process

3172 PING.EXE
752 PING.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RegAsm.exe

description pid process

Token: SeDebugPrivilege 3824 RegAsm.exe

flow	ioc
16	eth0.me

description	pid	process	target process
PID 2136 set thread context of 3824	2136	smss.com	RegAsm.exe

pid	process
3172	PING.EXE
752	PING.EXE

description	pid	process
Token: SeDebugPrivilege	3824	RegAsm.exe

Suspicious use of WriteProcessMemory 35 IoCs

Processes:

hfix.execmd.execmd.exesmss.comsmss.com

description	pid	process	target process
PID 756 wrote to memory of 1592	756	hfix.exe	cmd.exe
PID 756 wrote to memory of 1592	756	hfix.exe	cmd.exe
PID 756 wrote to memory of 1592	756	hfix.exe	cmd.exe
PID 756 wrote to memory of 2384	756	hfix.exe	cmd.exe
PID 756 wrote to memory of 2384	756	hfix.exe	cmd.exe
PID 756 wrote to memory of 2384	756	hfix.exe	cmd.exe
PID 2384 wrote to memory of 2700	2384	cmd.exe	certutil.exe
PID 2384 wrote to memory of 2700	2384	cmd.exe	certutil.exe
PID 2384 wrote to memory of 2700	2384	cmd.exe	certutil.exe
PID 2384 wrote to memory of 2824	2384	cmd.exe	cmd.exe
PID 2384 wrote to memory of 2824	2384	cmd.exe	cmd.exe
PID 2384 wrote to memory of 2824	2384	cmd.exe	cmd.exe
PID 2824 wrote to memory of 3172	2824	cmd.exe	PING.EXE
PID 2824 wrote to memory of 3172	2824	cmd.exe	PING.EXE
PID 2824 wrote to memory of 3172	2824	cmd.exe	PING.EXE
PID 2824 wrote to memory of 2680	2824	cmd.exe	findstr.exe
PID 2824 wrote to memory of 2680	2824	cmd.exe	findstr.exe
PID 2824 wrote to memory of 2680	2824	cmd.exe	findstr.exe
PID 2824 wrote to memory of 556	2824	cmd.exe	certutil.exe
PID 2824 wrote to memory of 556	2824	cmd.exe	certutil.exe
PID 2824 wrote to memory of 556	2824	cmd.exe	certutil.exe
PID 2824 wrote to memory of 1096	2824	cmd.exe	smss.com
PID 2824 wrote to memory of 1096	2824	cmd.exe	smss.com
PID 2824 wrote to memory of 1096	2824	cmd.exe	smss.com
PID 2824 wrote to memory of 752	2824	cmd.exe	PING.EXE
PID 2824 wrote to memory of 752	2824	cmd.exe	PING.EXE
PID 2824 wrote to memory of 752	2824	cmd.exe	PING.EXE
PID 1096 wrote to memory of 2136	1096	smss.com	smss.com
PID 1096 wrote to memory of 2136	1096	smss.com	smss.com
PID 1096 wrote to memory of 2136	1096	smss.com	smss.com
PID 2136 wrote to memory of 3824	2136	smss.com	RegAsm.exe
PID 2136 wrote to memory of 3824	2136	smss.com	RegAsm.exe
PID 2136 wrote to memory of 3824	2136	smss.com	RegAsm.exe
PID 2136 wrote to memory of 3824	2136	smss.com	RegAsm.exe
PID 2136 wrote to memory of 3824	2136	smss.com	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\hfix.exe
"C:\Users\Admin\AppData\Local\Temp\hfix.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:756

C:\Windows\SysWOW64\cmd.exe
cmd /c riZlWR
2⤵
PID:1592

C:\Windows\SysWOW64\cmd.exe
cmd /c certutil -decode 8-5 87-37 & cmd < 87-37
2⤵
- Suspicious use of WriteProcessMemory
PID:2384

C:\Windows\SysWOW64\certutil.exe
certutil -decode 8-5 87-37
3⤵
PID:2700

C:\Windows\SysWOW64\cmd.exe
cmd
3⤵
- Suspicious use of WriteProcessMemory
PID:2824

C:\Windows\SysWOW64\PING.EXE
ping -n 1 sRmI.sRmI
4⤵
- Runs ping.exe
PID:3172

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^vodCXkXHPfWDyEQVgtNChSVdD$" 11-35
4⤵
PID:2680

C:\Windows\SysWOW64\certutil.exe
certutil -decode 7-30 n
4⤵
PID:556

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\smss.com
smss.com n
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1096

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\smss.com
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\smss.com n
5⤵
- Executes dropped EXE
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2136

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RegAsm.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RegAsm.exe
6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3824

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 30
4⤵
- Runs ping.exe
PID:752

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\11-35
MD5
c88aa70d7fff6fde70fcd5163b008d65

SHA1
04520f30c1bca2e8e10a72ac3d96fb4c80c9aaf7

SHA256
9a0d7eba0a5202895dd053438141ee3e9afe3c866b357c989214cd4b1fdb3a8f

SHA512
ad85a5f6098ade69573ffdd9470c69a14aae3722a0fa68c3ecb5a9dc9b3e4303220a8a17e0ba5a58cc6afbe2d5834e51f83f160a752663d0f624ddf0656e4580

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7-30
MD5
a878beea90f9898f2dbe466cbbb6a786

SHA1
4dac0f48676d2352c464578a61eb301d594c873b

SHA256
09b37c245755d43c8fc3697d048b5f96999e663424224af57a182b6b903cc174

SHA512
ccca4466234425116dcc0f8fb7f549db676dcb647efe85b59e316f11baa2bf797d187e89922e855a6080cf658d5a84c1a2775204c67f15ea36cb465dc45ff251

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\8-5
MD5
f2d78b0f9c86a075bf92c3e86f150e04

SHA1
082335e25031279e47c7224969f03a2fd268dbe8

SHA256
f9e00fca5b5a3cf6cf3db08464334eeddbbcf844824c627938b6daa6dedec70c

SHA512
5366dff7271f253002f6e30a254ea2dd8552f0bb8afe6e067d0e4f47a0f9020d449e2473e11f159f2db9425e336b2635a017eaff51c12cc6195eb692603ebc13

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\84-45
MD5
ec60d2194f9fb16507176fbd6ebb5ff1

SHA1
ffb43e1c5f8b331bc9480d343fd63d757033f219

SHA256
730fe18cb53e3f99ef8497da93c6e122509087641b8cff2e8587ee9a7d447d58

SHA512
067b9310e78e239c7796f4b91072e4b2a0e7374561d2b82efbd8028013214e15aa37b22124ab7357ebad30083878b24f94e7d72bd8402db76420c6079821223d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\87-37
MD5
7a353582db655ff2b2737e0f3a669bae

SHA1
0be22e6b160186bc3248b2841c403caeff97b331

SHA256
d79b150ba10e3179eff91082e29d2895f09f1d48a6b1132062868c6fa55882c0

SHA512
71fb8660eee6216e6dec1c6760cd6b48b2494d3e95927469e746a25db2be19bf0d460d7443f619d207a75e51c6a552dc336e56b6e9edc307952bc8a1859fcaa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RegAsm.exe
MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RegAsm.exe
MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n
MD5
47e476763c1365238c201ab15baa4d7f

SHA1
ef93f3a797c12858f1e7adb5db7c2f9985dd60d7

SHA256
1e2115f572645145839da6eac0d39a7452bef39db10f1cade5be3c4608768dbd

SHA512
074bc31e8b1e7eced12e2a4a6e8fd1ab55624669ef26a3d999966ef407cadf79d5efe74b0bbd88da7036946e274012698e59f5a7e3e5ac224c16ecb6b9ab3503

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\smss.com
MD5
78ba0653a340bac5ff152b21a83626cc

SHA1
b12da9cb5d024555405040e65ad89d16ae749502

SHA256
05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7

SHA512
efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\smss.com
MD5
78ba0653a340bac5ff152b21a83626cc

SHA1
b12da9cb5d024555405040e65ad89d16ae749502

SHA256
05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7

SHA512
efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\smss.com
MD5
78ba0653a340bac5ff152b21a83626cc

SHA1
b12da9cb5d024555405040e65ad89d16ae749502

SHA256
05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7

SHA512
efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

Download Submit
memory/556-11-0x0000000000000000-mapping.dmp

Download
memory/752-16-0x0000000000000000-mapping.dmp

Download
memory/1096-13-0x0000000000000000-mapping.dmp

Download
memory/1096-14-0x0000000000000000-mapping.dmp

Download
memory/1592-2-0x0000000000000000-mapping.dmp

Download
memory/2136-18-0x0000000000000000-mapping.dmp

Download
memory/2384-3-0x0000000000000000-mapping.dmp

Download
memory/2680-9-0x0000000000000000-mapping.dmp

Download
memory/2700-4-0x0000000000000000-mapping.dmp

Download
memory/2824-7-0x0000000000000000-mapping.dmp

Download
memory/3172-8-0x0000000000000000-mapping.dmp

Download
memory/3824-22-0x0000000000610000-0x000000000062A000-memory.dmp

Filesize
104KB

Download
memory/3824-26-0x0000000072E00000-0x00000000734EE000-memory.dmp

Filesize
6.9MB

Download
memory/3824-29-0x0000000004F50000-0x0000000004F51000-memory.dmp

Filesize
4KB

Download
memory/3824-30-0x0000000004AF0000-0x0000000004AF1000-memory.dmp

Filesize
4KB

Download
memory/3824-31-0x0000000005620000-0x0000000005621000-memory.dmp

Filesize
4KB

Download
memory/3824-32-0x0000000005450000-0x0000000005451000-memory.dmp

Filesize
4KB

Download
memory/3824-33-0x0000000005D20000-0x0000000005D21000-memory.dmp

Filesize
4KB

Download
memory/3824-34-0x00000000057F0000-0x00000000057F1000-memory.dmp

Filesize
4KB

Download
memory/3824-35-0x00000000058D0000-0x00000000058D1000-memory.dmp

Filesize
4KB

Download