sectoprat | a95ce284875645f9a3d03d5df48b51a04f6933b2cf10aff3cb0a094fb1e3f89d

General

Target

a95ce284875645f9a3d03d5df48b51a04f6933b2cf10a.exe
Size

5.8MB
MD5

d00f2fedb3b345812dbeb9931d4806b6
SHA1

361648d679b3c2f8957fa45c2f29fe922204f542
SHA256

a95ce284875645f9a3d03d5df48b51a04f6933b2cf10aff3cb0a094fb1e3f89d
SHA512

be65349f5f85026fe4e1892b90d7f11f3a9e39440fb821391e67c4776aa638cb6086952adb719d223180f1cc345deb6977c882141afc31baab2b47aad539bcda
SSDEEP

98304:omyYbPZoUnM0BznCOKDxRWxnvNWJAq6R+Yxkzi0os:fZMcu0xVWJiVp0os

Score

10^/10

sectoprat evasion rat spyware trojan

Malware Config

Signatures

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 1 IoCs

resource	yara_rule
behavioral2/memory/3484-154-0x0000000000400000-0x00000000004E0000-memory.dmp	family_sectoprat

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	InstallUtil.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	a95ce284875645f9a3d03d5df48b51a04f6933b2cf10a.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tokikahamiq.url	a95ce284875645f9a3d03d5df48b51a04f6933b2cf10a.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tokikahamiq.url	a95ce284875645f9a3d03d5df48b51a04f6933b2cf10a.exe

Executes dropped EXE 1 IoCs

pid	Process
996	xaroqu.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
41	eth0.me

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
3300	a95ce284875645f9a3d03d5df48b51a04f6933b2cf10a.exe
3300	a95ce284875645f9a3d03d5df48b51a04f6933b2cf10a.exe
996	xaroqu.exe
996	xaroqu.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 996 set thread context of 3484	996	xaroqu.exe	91

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1908	PING.EXE

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
3300	a95ce284875645f9a3d03d5df48b51a04f6933b2cf10a.exe
3300	a95ce284875645f9a3d03d5df48b51a04f6933b2cf10a.exe
3300	a95ce284875645f9a3d03d5df48b51a04f6933b2cf10a.exe
3300	a95ce284875645f9a3d03d5df48b51a04f6933b2cf10a.exe
3300	a95ce284875645f9a3d03d5df48b51a04f6933b2cf10a.exe
3300	a95ce284875645f9a3d03d5df48b51a04f6933b2cf10a.exe
996	xaroqu.exe
996	xaroqu.exe
996	xaroqu.exe
996	xaroqu.exe
996	xaroqu.exe
996	xaroqu.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3484	InstallUtil.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 3300 wrote to memory of 996	3300	a95ce284875645f9a3d03d5df48b51a04f6933b2cf10a.exe	87
PID 3300 wrote to memory of 996	3300	a95ce284875645f9a3d03d5df48b51a04f6933b2cf10a.exe	87
PID 3300 wrote to memory of 996	3300	a95ce284875645f9a3d03d5df48b51a04f6933b2cf10a.exe	87
PID 3300 wrote to memory of 3660	3300	a95ce284875645f9a3d03d5df48b51a04f6933b2cf10a.exe	88
PID 3300 wrote to memory of 3660	3300	a95ce284875645f9a3d03d5df48b51a04f6933b2cf10a.exe	88
PID 3300 wrote to memory of 3660	3300	a95ce284875645f9a3d03d5df48b51a04f6933b2cf10a.exe	88
PID 3660 wrote to memory of 1908	3660	cmd.exe	90
PID 3660 wrote to memory of 1908	3660	cmd.exe	90
PID 3660 wrote to memory of 1908	3660	cmd.exe	90
PID 996 wrote to memory of 3484	996	xaroqu.exe	91
PID 996 wrote to memory of 3484	996	xaroqu.exe	91
PID 996 wrote to memory of 3484	996	xaroqu.exe	91
PID 996 wrote to memory of 3484	996	xaroqu.exe	91
PID 996 wrote to memory of 3484	996	xaroqu.exe	91

C:\Users\Admin\AppData\Local\Temp\a95ce284875645f9a3d03d5df48b51a04f6933b2cf10a.exe
"C:\Users\Admin\AppData\Local\Temp\a95ce284875645f9a3d03d5df48b51a04f6933b2cf10a.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3300
- C:\ProgramData\bitame\xaroqu.exe
  "C:\ProgramData\bitame\xaroqu.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:996
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
    3⤵
    - UAC bypass
    - Suspicious use of AdjustPrivilegeToken
    PID:3484
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c @echo off & ping 127.0.0.1 -n 5 -w 1000 > nul & del "C:\Users\Admin\AppData\Local\Temp\a95ce284875645f9a3d03d5df48b51a04f6933b2cf10a.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3660
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 5 -w 1000
    3⤵
    - Runs ping.exe
    PID:1908

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Bypass User Account Control

1

T1088

Defense Evasion

Bypass User Account Control

1

T1088

Disabling Security Tools

Modify Registry

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\bitame\xaroqu.exe

Filesize
374.6MB

MD5
09a9724757029ac1f2b2c2dc66246a5f

SHA1
36356e8c9fbc101513944316278bb6597927a868

SHA256
33cb589660843c5c138e1d09436644e007cd87bc198a7077375885d0e5b23602

SHA512
27fbd7c524812cc6f7af933bcba20dd2009aeb67350bc49987bb797971ccf6af64d8edd7c2e45f518abbbe6443b740d28a1cf2bb6155dd7e10fdb9a9974c4335

Download Submit
C:\ProgramData\bitame\xaroqu.exe

Filesize
372.6MB

MD5
d7becde35f9774ace31fd5984244931c

SHA1
d8006b3af01ba454fa3eb269477cacdfa0438a68

SHA256
aa2b39b66a6257fa41be5559b72d9a85c57dd951dea02744ce6cadff66af6265

SHA512
6401d72176223b2f346163cda9cdccde49e4085d8455922d9317017921e1d1e038802c31f52fef34894aeaa2ce743fb9d8e73b5c1beb0898fb37d77be3bfab72

Download Submit
memory/996-152-0x0000000001070000-0x0000000001080000-memory.dmp

Filesize
64KB

Download
memory/996-155-0x0000000000400000-0x0000000000DF9000-memory.dmp

Filesize
10.0MB

Download
memory/996-150-0x0000000000400000-0x0000000000DF9000-memory.dmp

Filesize
10.0MB

Download
memory/996-149-0x0000000000400000-0x0000000000DF9000-memory.dmp

Filesize
10.0MB

Download
memory/996-145-0x0000000000400000-0x0000000000DF9000-memory.dmp

Filesize
10.0MB

Download
memory/3300-143-0x0000000000400000-0x0000000000DF9000-memory.dmp

Filesize
10.0MB

Download
memory/3300-133-0x0000000000400000-0x0000000000DF9000-memory.dmp

Filesize
10.0MB

Download
memory/3300-138-0x00000000010A1000-0x00000000010AB000-memory.dmp

Filesize
40KB

Download
memory/3300-137-0x0000000000400000-0x0000000000DF9000-memory.dmp

Filesize
10.0MB

Download
memory/3300-132-0x0000000000400000-0x0000000000DF9000-memory.dmp

Filesize
10.0MB

Download
memory/3484-159-0x00000000051C0000-0x00000000051F8000-memory.dmp

Filesize
224KB

Download
memory/3484-162-0x0000000005270000-0x00000000052C0000-memory.dmp

Filesize
320KB

Download
memory/3484-154-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/3484-156-0x00000000050B0000-0x0000000005142000-memory.dmp

Filesize
584KB

Download
memory/3484-157-0x0000000005700000-0x0000000005CA4000-memory.dmp

Filesize
5.6MB

Download
memory/3484-158-0x0000000005150000-0x000000000517E000-memory.dmp

Filesize
184KB

Download
memory/3484-167-0x00000000076B0000-0x00000000076EC000-memory.dmp

Filesize
240KB

Download
memory/3484-160-0x00000000054A0000-0x0000000005662000-memory.dmp

Filesize
1.8MB

Download
memory/3484-161-0x00000000052D0000-0x0000000005346000-memory.dmp

Filesize
472KB

Download
memory/3484-153-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/3484-163-0x00000000053C0000-0x0000000005426000-memory.dmp

Filesize
408KB

Download
memory/3484-164-0x0000000006B80000-0x00000000070AC000-memory.dmp

Filesize
5.2MB

Download
memory/3484-165-0x00000000064C0000-0x00000000064DE000-memory.dmp

Filesize
120KB

Download
memory/3484-166-0x0000000007650000-0x0000000007662000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads