sectoprat | 104645c74843e385754502a80a935156b585c6969fba1be83efe9b554a746560

General

Target

f6ed1f34f629ab51dba4c63dc57c1a91.exe
Size

6.8MB
MD5

f6ed1f34f629ab51dba4c63dc57c1a91
SHA1

b62bbeef12de9a18ecf785153b9b429bca733aba
SHA256

104645c74843e385754502a80a935156b585c6969fba1be83efe9b554a746560
SHA512

853b9c762d5ce15948b2a23e26f581b02ac16749157669fd8ec702e7cdab25aded95ece117b2ed971cedee9d4df724340ad946e8cb8e775bd749e7de61fb468d
SSDEEP

196608:7DANPFmCV+OoxomMRb4MGK3oI8XY2OqjoRK:70HPE+7GK3oVhOI

Score

10^/10

sectoprat bootkit evasion persistence rat trojan

Malware Config

Signatures

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1648-80-0x0000000000400000-0x00000000004D6000-memory.dmp	family_sectoprat
behavioral1/memory/1648-82-0x0000000000400000-0x00000000004D6000-memory.dmp	family_sectoprat
behavioral1/memory/1648-83-0x0000000000400000-0x00000000004D6000-memory.dmp	family_sectoprat

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

f6ed1f34f629ab51dba4c63dc57c1a91.exekecovi.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	f6ed1f34f629ab51dba4c63dc57c1a91.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	kecovi.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

f6ed1f34f629ab51dba4c63dc57c1a91.exekecovi.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	f6ed1f34f629ab51dba4c63dc57c1a91.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	kecovi.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	kecovi.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	f6ed1f34f629ab51dba4c63dc57c1a91.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

668 cmd.exe

pid	process
668	cmd.exe

Drops startup file 2 IoCs

Processes:

f6ed1f34f629ab51dba4c63dc57c1a91.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\camilixato.url	f6ed1f34f629ab51dba4c63dc57c1a91.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\camilixato.url	f6ed1f34f629ab51dba4c63dc57c1a91.exe

Executes dropped EXE 1 IoCs

Processes:

kecovi.exe

pid process

540 kecovi.exe
Loads dropped DLL 1 IoCs

Processes:

f6ed1f34f629ab51dba4c63dc57c1a91.exe

pid process

1456 f6ed1f34f629ab51dba4c63dc57c1a91.exe

pid	process
540	kecovi.exe

pid	process
1456	f6ed1f34f629ab51dba4c63dc57c1a91.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

f6ed1f34f629ab51dba4c63dc57c1a91.exekecovi.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	f6ed1f34f629ab51dba4c63dc57c1a91.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	kecovi.exe

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

Processes:

f6ed1f34f629ab51dba4c63dc57c1a91.exekecovi.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	f6ed1f34f629ab51dba4c63dc57c1a91.exe
File opened for modification	\??\PhysicalDrive0	kecovi.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

f6ed1f34f629ab51dba4c63dc57c1a91.exekecovi.exe

pid process

1456 f6ed1f34f629ab51dba4c63dc57c1a91.exe
540 kecovi.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

kecovi.exe

description pid process target process

PID 540 set thread context of 1648 540 kecovi.exe InstallUtil.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1344 PING.EXE
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

f6ed1f34f629ab51dba4c63dc57c1a91.exekecovi.exe

pid process

1456 f6ed1f34f629ab51dba4c63dc57c1a91.exe
1456 f6ed1f34f629ab51dba4c63dc57c1a91.exe
540 kecovi.exe
540 kecovi.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

InstallUtil.exe

description pid process

Token: SeDebugPrivilege 1648 InstallUtil.exe

pid	process
1456	f6ed1f34f629ab51dba4c63dc57c1a91.exe
540	kecovi.exe

description	pid	process	target process
PID 540 set thread context of 1648	540	kecovi.exe	InstallUtil.exe

pid	process
1344	PING.EXE

pid	process
1456	f6ed1f34f629ab51dba4c63dc57c1a91.exe
1456	f6ed1f34f629ab51dba4c63dc57c1a91.exe
540	kecovi.exe
540	kecovi.exe

description	pid	process
Token: SeDebugPrivilege	1648	InstallUtil.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

f6ed1f34f629ab51dba4c63dc57c1a91.execmd.exekecovi.exe

description	pid	process	target process
PID 1456 wrote to memory of 540	1456	f6ed1f34f629ab51dba4c63dc57c1a91.exe	kecovi.exe
PID 1456 wrote to memory of 540	1456	f6ed1f34f629ab51dba4c63dc57c1a91.exe	kecovi.exe
PID 1456 wrote to memory of 540	1456	f6ed1f34f629ab51dba4c63dc57c1a91.exe	kecovi.exe
PID 1456 wrote to memory of 540	1456	f6ed1f34f629ab51dba4c63dc57c1a91.exe	kecovi.exe
PID 1456 wrote to memory of 540	1456	f6ed1f34f629ab51dba4c63dc57c1a91.exe	kecovi.exe
PID 1456 wrote to memory of 540	1456	f6ed1f34f629ab51dba4c63dc57c1a91.exe	kecovi.exe
PID 1456 wrote to memory of 540	1456	f6ed1f34f629ab51dba4c63dc57c1a91.exe	kecovi.exe
PID 1456 wrote to memory of 668	1456	f6ed1f34f629ab51dba4c63dc57c1a91.exe	cmd.exe
PID 1456 wrote to memory of 668	1456	f6ed1f34f629ab51dba4c63dc57c1a91.exe	cmd.exe
PID 1456 wrote to memory of 668	1456	f6ed1f34f629ab51dba4c63dc57c1a91.exe	cmd.exe
PID 1456 wrote to memory of 668	1456	f6ed1f34f629ab51dba4c63dc57c1a91.exe	cmd.exe
PID 668 wrote to memory of 1344	668	cmd.exe	PING.EXE
PID 668 wrote to memory of 1344	668	cmd.exe	PING.EXE
PID 668 wrote to memory of 1344	668	cmd.exe	PING.EXE
PID 668 wrote to memory of 1344	668	cmd.exe	PING.EXE
PID 540 wrote to memory of 1648	540	kecovi.exe	InstallUtil.exe
PID 540 wrote to memory of 1648	540	kecovi.exe	InstallUtil.exe
PID 540 wrote to memory of 1648	540	kecovi.exe	InstallUtil.exe
PID 540 wrote to memory of 1648	540	kecovi.exe	InstallUtil.exe
PID 540 wrote to memory of 1648	540	kecovi.exe	InstallUtil.exe
PID 540 wrote to memory of 1648	540	kecovi.exe	InstallUtil.exe
PID 540 wrote to memory of 1648	540	kecovi.exe	InstallUtil.exe
PID 540 wrote to memory of 1648	540	kecovi.exe	InstallUtil.exe
PID 540 wrote to memory of 1648	540	kecovi.exe	InstallUtil.exe

C:\Users\Admin\AppData\Local\Temp\f6ed1f34f629ab51dba4c63dc57c1a91.exe
"C:\Users\Admin\AppData\Local\Temp\f6ed1f34f629ab51dba4c63dc57c1a91.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Drops startup file
- Loads dropped DLL
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1456

C:\ProgramData\kidequoxayes\kecovi.exe
"C:\ProgramData\kidequoxayes\kecovi.exe"
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:540

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1648

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c @echo off & ping 127.0.0.1 -n 5 -w 1000 > nul & del "C:\Users\Admin\AppData\Local\Temp\f6ed1f34f629ab51dba4c63dc57c1a91.exe"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:668

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 5 -w 1000
3⤵
- Runs ping.exe
PID:1344

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Bootkit

1

T1067

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

2

T1012

Virtualization/Sandbox Evasion

1

T1497

System Information Discovery

3

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\kidequoxayes\kecovi.exe
Filesize
612.2MB

MD5
a89ce8de3a4f7e04880bae4f46dff784

SHA1
85423058f8fbc938cef211cde3396647d85ca617

SHA256
73584df1a03af8dea7f3c9adb70aeec1a3b2225721ee25beb2803472204ce2cb

SHA512
2aae89e39a8cb1c1cb3a66bf26067f8e09c2b4a49bcc575bc64a927cff185b068efddc868647db00ccaf5a6b4efa494e2e9521591a541d50631cab394590607d

Download Submit
C:\ProgramData\kidequoxayes\kecovi.exe
Filesize
639.9MB

MD5
d2fa721fbfb29d739d308cc6524472f8

SHA1
e16fea3a905634dbc8d4a248fea64f8399cbdca0

SHA256
7fcc0b63ef7055345eff9532920f76cb0ceca272aac04b85fa2f1473700f79a3

SHA512
746b5e591ec94521943f4c84a0485f190810bd350648c7a8cf855c9f12a236b4332dfa3c06ccc69ef9d1fb855b1b5d4b48ba778701f6132e37ac3aa7db2d0a50

Download Submit
C:\ProgramData\kidequoxayes\kecovi.exe
Filesize
656.8MB

MD5
5203b21a7197dbdc609141209258646d

SHA1
c54155859b18af061b6cb46a329ec4aecbbe0077

SHA256
7dc7b4d834c091fd35647857f39317be4deb6e3744e3f4f2a2ff4fda258d28b7

SHA512
95c81e3fc405faeb238e85b4a2b1c3d26ef4ab4eba0a6d2a6156d19186a17d502bd86ebcd1a0a96a7089b88976eb987a76e729c33a591074078f9e9e7155437a

Download Submit
C:\ProgramData\mntemp
Filesize
16B

MD5
b19a4205f90c549c25f5da39604816ac

SHA1
75491ac56838dc08896d4f2ba565e759bc706759

SHA256
42a654a48aa31d713ad2b1bb9758d4580229355568835713ecfc8abd2f56b3d2

SHA512
d75a960672f576ffad44b5225be4053881166f1fbb2692adf7b77fee46d3c7211564ae79b5fe198cd2f0bc1cc57ed00886afdbdb49ce8f76c9faba9b6187874d

Download Submit
\ProgramData\kidequoxayes\kecovi.exe
Filesize
298.8MB

MD5
00226dae437a59b7d671c512586f1cd6

SHA1
11dc153898f84042adfcd1f46ce7108c637f6f3b

SHA256
e899064cd6e8394bd83cc121da1cc496f4b2e706a61c6cb71dadecb75797d7e5

SHA512
bfa4554be4b4d644a1277ebfc84d74e664c7338afa1c4e5420e8dde2da416b9d4fb17bdea5088a619de262e544aaf46a96b52801ead74e18097613ebe7d29eed

Download Submit
memory/540-74-0x0000000003250000-0x0000000003290000-memory.dmp

Filesize
256KB

Download
memory/540-81-0x0000000000400000-0x00000000012AE000-memory.dmp

Filesize
14.7MB

Download
memory/540-75-0x0000000003250000-0x0000000003290000-memory.dmp

Filesize
256KB

Download
memory/540-70-0x0000000000400000-0x00000000012AE000-memory.dmp

Filesize
14.7MB

Download
memory/1456-58-0x0000000003030000-0x0000000003070000-memory.dmp

Filesize
256KB

Download
memory/1456-55-0x0000000000400000-0x00000000012AE000-memory.dmp

Filesize
14.7MB

Download
memory/1456-73-0x0000000000400000-0x00000000012AE000-memory.dmp

Filesize
14.7MB

Download
memory/1456-59-0x0000000003030000-0x0000000003070000-memory.dmp

Filesize
256KB

Download
memory/1456-69-0x0000000003EB0000-0x0000000004D5E000-memory.dmp

Filesize
14.7MB

Download
memory/1456-60-0x0000000000400000-0x00000000012AE000-memory.dmp

Filesize
14.7MB

Download
memory/1648-80-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/1648-79-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1648-76-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/1648-82-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/1648-83-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/1648-84-0x0000000004CE0000-0x0000000004D20000-memory.dmp

Filesize
256KB

Download
memory/1648-85-0x0000000004CE0000-0x0000000004D20000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads