Analysis
-
max time kernel
95s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
27-06-2022 08:53
Static task
static1
Behavioral task
behavioral1
Sample
78ea47b51ee8f1ae3dc5b98e56c43d3f.exe
Resource
win7-20220414-en
windows7_x64
0 signatures
0 seconds
General
-
Target
78ea47b51ee8f1ae3dc5b98e56c43d3f.exe
-
Size
1.0MB
-
MD5
78ea47b51ee8f1ae3dc5b98e56c43d3f
-
SHA1
99e64c6a730642430ef80215393adbfba11122b6
-
SHA256
24972cecda20154015c31f4a8820764cbfa958d2968ab2b4a7c9e3e43510b888
-
SHA512
7a773021c6c02e5905ff1e3e99b3fb6cbfd5b6617ff831aea5b4cdf416e3d044e55895a5bf1e6fe5da3e3d6272fa82f7b88aaf592d6d61d94477e927a65fb19b
Malware Config
Signatures
-
SectopRAT Payload 6 IoCs
resource yara_rule behavioral1/memory/568-62-0x0000000000400000-0x00000000004A2000-memory.dmp family_sectoprat behavioral1/memory/568-63-0x0000000000400000-0x00000000004A2000-memory.dmp family_sectoprat behavioral1/memory/568-64-0x0000000000400000-0x00000000004A2000-memory.dmp family_sectoprat behavioral1/memory/568-65-0x000000000049C29E-mapping.dmp family_sectoprat behavioral1/memory/568-67-0x0000000000400000-0x00000000004A2000-memory.dmp family_sectoprat behavioral1/memory/568-69-0x0000000000400000-0x00000000004A2000-memory.dmp family_sectoprat -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" jsc.exe -
suricata: ET MALWARE Arechclient2 Backdoor CnC Init
suricata: ET MALWARE Arechclient2 Backdoor CnC Init
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 9 eth0.me -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2024 set thread context of 568 2024 78ea47b51ee8f1ae3dc5b98e56c43d3f.exe 27 -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2024 78ea47b51ee8f1ae3dc5b98e56c43d3f.exe 2024 78ea47b51ee8f1ae3dc5b98e56c43d3f.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: SeDebugPrivilege 2024 78ea47b51ee8f1ae3dc5b98e56c43d3f.exe Token: SeRestorePrivilege 2024 78ea47b51ee8f1ae3dc5b98e56c43d3f.exe Token: SeBackupPrivilege 2024 78ea47b51ee8f1ae3dc5b98e56c43d3f.exe Token: SeDebugPrivilege 568 jsc.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 2024 wrote to memory of 568 2024 78ea47b51ee8f1ae3dc5b98e56c43d3f.exe 27 PID 2024 wrote to memory of 568 2024 78ea47b51ee8f1ae3dc5b98e56c43d3f.exe 27 PID 2024 wrote to memory of 568 2024 78ea47b51ee8f1ae3dc5b98e56c43d3f.exe 27 PID 2024 wrote to memory of 568 2024 78ea47b51ee8f1ae3dc5b98e56c43d3f.exe 27 PID 2024 wrote to memory of 568 2024 78ea47b51ee8f1ae3dc5b98e56c43d3f.exe 27 PID 2024 wrote to memory of 568 2024 78ea47b51ee8f1ae3dc5b98e56c43d3f.exe 27 PID 2024 wrote to memory of 568 2024 78ea47b51ee8f1ae3dc5b98e56c43d3f.exe 27 PID 2024 wrote to memory of 568 2024 78ea47b51ee8f1ae3dc5b98e56c43d3f.exe 27 PID 2024 wrote to memory of 568 2024 78ea47b51ee8f1ae3dc5b98e56c43d3f.exe 27 PID 2024 wrote to memory of 568 2024 78ea47b51ee8f1ae3dc5b98e56c43d3f.exe 27 PID 2024 wrote to memory of 568 2024 78ea47b51ee8f1ae3dc5b98e56c43d3f.exe 27 PID 2024 wrote to memory of 568 2024 78ea47b51ee8f1ae3dc5b98e56c43d3f.exe 27
Processes
-
C:\Users\Admin\AppData\Local\Temp\78ea47b51ee8f1ae3dc5b98e56c43d3f.exe"C:\Users\Admin\AppData\Local\Temp\78ea47b51ee8f1ae3dc5b98e56c43d3f.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2024 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"2⤵
- UAC bypass
- Suspicious use of AdjustPrivilegeToken
PID:568
-