sectoprat | ff536d51ab667c0546c33352c460bbceb6722d333932ba992364b032cba6af1e

Analysis

max time kernel
71s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
25/05/2022, 15:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b4253f3ea96808cba77b8ceb0f76d1d4.exe
Size

1.2MB
MD5

b4253f3ea96808cba77b8ceb0f76d1d4
SHA1

d4b776ae1c0fa40c532a812dd69cd199e1fef94e
SHA256

ff536d51ab667c0546c33352c460bbceb6722d333932ba992364b032cba6af1e
SHA512

bceebeb1435b0858b9462ad42fdab065c81f90db8f8ea19c6d08d14574720ec71a260b6675180362db9639d5707b0a11c7b6027d7c8e1055ba06a30c7cfb0c90

Score

10^/10

sectoprat evasion persistence rat suricata trojan

Malware Config

Signatures

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT Payload 1 IoCs

resource	yara_rule
behavioral2/memory/3360-149-0x0000000000700000-0x00000000007A0000-memory.dmp	family_sectoprat

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 2204 created 3212	2204	Miniato.exe.pif	55

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	jsc.exe

suricata: ET MALWARE Arechclient2 Backdoor CnC Init
suricata: ET MALWARE Arechclient2 Backdoor CnC Init
suricata

Executes dropped EXE 1 IoCs

pid	Process
2204	Miniato.exe.pif

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TcxaZIJCTb.url	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TcxaZIJCTb.url	cmd.exe

Loads dropped DLL 6 IoCs

pid	Process
2204	Miniato.exe.pif
2204	Miniato.exe.pif
2204	Miniato.exe.pif
2204	Miniato.exe.pif
2204	Miniato.exe.pif
2204	Miniato.exe.pif

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	b4253f3ea96808cba77b8ceb0f76d1d4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	b4253f3ea96808cba77b8ceb0f76d1d4.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
27	eth0.me

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2204 set thread context of 3360	2204	Miniato.exe.pif	99

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3652	sc.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
1736	tasklist.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2912	PING.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2204	Miniato.exe.pif
2204	Miniato.exe.pif

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1736	tasklist.exe
Token: SeDebugPrivilege	3360	jsc.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2204	Miniato.exe.pif
2204	Miniato.exe.pif
2204	Miniato.exe.pif

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2204	Miniato.exe.pif
2204	Miniato.exe.pif
2204	Miniato.exe.pif

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 1472 wrote to memory of 3652	1472	b4253f3ea96808cba77b8ceb0f76d1d4.exe	79
PID 1472 wrote to memory of 3652	1472	b4253f3ea96808cba77b8ceb0f76d1d4.exe	79
PID 1472 wrote to memory of 3652	1472	b4253f3ea96808cba77b8ceb0f76d1d4.exe	79
PID 1472 wrote to memory of 1012	1472	b4253f3ea96808cba77b8ceb0f76d1d4.exe	81
PID 1472 wrote to memory of 1012	1472	b4253f3ea96808cba77b8ceb0f76d1d4.exe	81
PID 1472 wrote to memory of 1012	1472	b4253f3ea96808cba77b8ceb0f76d1d4.exe	81
PID 1012 wrote to memory of 4196	1012	cmd.exe	83
PID 1012 wrote to memory of 4196	1012	cmd.exe	83
PID 1012 wrote to memory of 4196	1012	cmd.exe	83
PID 4196 wrote to memory of 1736	4196	cmd.exe	84
PID 4196 wrote to memory of 1736	4196	cmd.exe	84
PID 4196 wrote to memory of 1736	4196	cmd.exe	84
PID 4196 wrote to memory of 1956	4196	cmd.exe	85
PID 4196 wrote to memory of 1956	4196	cmd.exe	85
PID 4196 wrote to memory of 1956	4196	cmd.exe	85
PID 4196 wrote to memory of 4856	4196	cmd.exe	86
PID 4196 wrote to memory of 4856	4196	cmd.exe	86
PID 4196 wrote to memory of 4856	4196	cmd.exe	86
PID 4196 wrote to memory of 2204	4196	cmd.exe	87
PID 4196 wrote to memory of 2204	4196	cmd.exe	87
PID 4196 wrote to memory of 2204	4196	cmd.exe	87
PID 4196 wrote to memory of 2912	4196	cmd.exe	88
PID 4196 wrote to memory of 2912	4196	cmd.exe	88
PID 4196 wrote to memory of 2912	4196	cmd.exe	88
PID 2204 wrote to memory of 4772	2204	Miniato.exe.pif	89
PID 2204 wrote to memory of 4772	2204	Miniato.exe.pif	89
PID 2204 wrote to memory of 4772	2204	Miniato.exe.pif	89
PID 2204 wrote to memory of 3360	2204	Miniato.exe.pif	99
PID 2204 wrote to memory of 3360	2204	Miniato.exe.pif	99
PID 2204 wrote to memory of 3360	2204	Miniato.exe.pif	99
PID 2204 wrote to memory of 3360	2204	Miniato.exe.pif	99
PID 2204 wrote to memory of 3360	2204	Miniato.exe.pif	99

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3212
- C:\Users\Admin\AppData\Local\Temp\b4253f3ea96808cba77b8ceb0f76d1d4.exe
  "C:\Users\Admin\AppData\Local\Temp\b4253f3ea96808cba77b8ceb0f76d1d4.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1472
- - C:\Windows\SysWOW64\sc.exe
    sc -?
    3⤵
    - Launches sc.exe
    PID:3652
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c cmd < Accostarmi.docm
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1012
  - - C:\Windows\SysWOW64\cmd.exe
      cmd
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4196
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /FI "imagename eq PSUAService.exe"
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1736
    - - C:\Windows\SysWOW64\find.exe
        
        find /I /N "psuaservice.exe"
        5⤵
        
        PID:1956
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /R "^NQFqoGVQxYSIQrfoDnUjNFfyoxAMOVRRNkbqlOvlnNcBNzehfgUVonIiAAROypwniwUFGfXOeJOqlOaOshvmqVIfCfmKWHyfLWxLmbHqsuTmKI$" Uggisce.docm
        5⤵
        
        PID:4856
    - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Miniato.exe.pif
        
        Miniato.exe.pif B
        5⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2204
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
        6⤵
        UAC bypass
        Suspicious use of AdjustPrivilegeToken
        
        PID:3360
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 5
        5⤵
        Runs ping.exe
        
        PID:2912
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TcxaZIJCTb.url" & echo URL="C:\Users\Admin\AppData\Local\Temp\pjNyfBJOCF\uUgapzdfEfhSuk.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TcxaZIJCTb.url"
  2⤵
  - Drops startup file
  PID:4772

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Process Discovery

T1057

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Accostarmi.docm

Filesize
9KB

MD5
2e4cc7366c2aacb9e23849c39f911540

SHA1
9da62ff889dbc7e039dee70c3fd6222a68559bde

SHA256
6ca743496f8491784f4898c2723777bf540c8bceee0b4e0fb34870f2403f9f85

SHA512
767c1414794732856f299665277d0c5fe421b267dc5197fd6212409c8d317b35b2784ca78da6b7cf524ff664cab258d01e68b26a0f0ab45dbc45cd0e505fef7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DlkqiYeK.dll

Filesize
1.6MB

MD5
4f3387277ccbd6d1f21ac5c07fe4ca68

SHA1
e16506f662dc92023bf82def1d621497c8ab5890

SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DlkqiYeK.dll

Filesize
1.6MB

MD5
4f3387277ccbd6d1f21ac5c07fe4ca68

SHA1
e16506f662dc92023bf82def1d621497c8ab5890

SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DlkqiYeK.dll

Filesize
1.6MB

MD5
4f3387277ccbd6d1f21ac5c07fe4ca68

SHA1
e16506f662dc92023bf82def1d621497c8ab5890

SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DlkqiYeK.dll

Filesize
1.6MB

MD5
4f3387277ccbd6d1f21ac5c07fe4ca68

SHA1
e16506f662dc92023bf82def1d621497c8ab5890

SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DlkqiYeK.dll

Filesize
1.6MB

MD5
4f3387277ccbd6d1f21ac5c07fe4ca68

SHA1
e16506f662dc92023bf82def1d621497c8ab5890

SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DlkqiYeK.dll

Filesize
1.6MB

MD5
4f3387277ccbd6d1f21ac5c07fe4ca68

SHA1
e16506f662dc92023bf82def1d621497c8ab5890

SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Mie.docm

Filesize
1.8MB

MD5
e8d8484158a1a4bbd57f762ff214be71

SHA1
7603b87e1d010ff3ad108957cdc88e6e93a07198

SHA256
52828d1bdd2f3e144791961fd8f1688e5e2f63b8ba9fdda524cb02f48fe966ea

SHA512
c93d7753f964023731012ec50c30e93b90af568e1d69464acfd234ef376246d44d0c9b0eafc2cb8f9c12df8f7429a2c74a4128d059d026702fef5d27b6c25655

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Miniato.exe.pif

Filesize
924KB

MD5
6987e4cd3f256462f422326a7ef115b9

SHA1
71672a495b4603ecfec40a65254cb3ba8766bbe0

SHA256
3e26723394ade92f8163b5643960189cb07358b0f96529a477d37176d68aa0a0

SHA512
4b1d7f7ffee39a2d65504767beeddd4c3374807a93889b14e7e73db11e478492dec349aedca03ce828f21a66bb666a68d3735443f4249556e10825a4cd7dfeb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Miniato.exe.pif

Filesize
924KB

MD5
6987e4cd3f256462f422326a7ef115b9

SHA1
71672a495b4603ecfec40a65254cb3ba8766bbe0

SHA256
3e26723394ade92f8163b5643960189cb07358b0f96529a477d37176d68aa0a0

SHA512
4b1d7f7ffee39a2d65504767beeddd4c3374807a93889b14e7e73db11e478492dec349aedca03ce828f21a66bb666a68d3735443f4249556e10825a4cd7dfeb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Uggisce.docm

Filesize
924KB

MD5
baf39e622e32e47abca1466114b733b4

SHA1
d6e62574de5c9b0e90f27bde4ebde84e8f1cd57e

SHA256
0adb19033f1047bbc4eec2eb376738b7b1782dbd75c8f87088046d5f4058c5de

SHA512
88c6308c7b359622a4097918cb19fee8c12812abd3401ca1d8c2c96a14cc4781ce4fdb41fd013d737c6596a6a366c10d02e58d29bd8ad2a1a344dbfb0055be53

Download Submit
memory/3360-154-0x0000000004CF0000-0x0000000004D56000-memory.dmp

Filesize
408KB

Download
memory/3360-149-0x0000000000700000-0x00000000007A0000-memory.dmp

Filesize
640KB

Download
memory/3360-153-0x0000000005470000-0x0000000005A14000-memory.dmp

Filesize
5.6MB

Download
memory/3360-155-0x0000000005B20000-0x0000000005BB2000-memory.dmp

Filesize
584KB

Download
memory/3360-156-0x0000000006060000-0x0000000006222000-memory.dmp

Filesize
1.8MB

Download
memory/3360-157-0x0000000005F50000-0x0000000005FC6000-memory.dmp

Filesize
472KB

Download
memory/3360-158-0x0000000006760000-0x0000000006C8C000-memory.dmp

Filesize
5.2MB

Download
memory/3360-159-0x0000000005F10000-0x0000000005F2E000-memory.dmp

Filesize
120KB

Download