Overview

overview

10

Static

static

1

f6ed1f34f6...91.exe

windows7-x64

10

f6ed1f34f6...91.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    128s
  • max time network
    131s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21-03-2023 05:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f6ed1f34f629ab51dba4c63dc57c1a91.exe

  • Size

    6.8MB

  • MD5

    f6ed1f34f629ab51dba4c63dc57c1a91

  • SHA1

    b62bbeef12de9a18ecf785153b9b429bca733aba

  • SHA256

    104645c74843e385754502a80a935156b585c6969fba1be83efe9b554a746560

  • SHA512

    853b9c762d5ce15948b2a23e26f581b02ac16749157669fd8ec702e7cdab25aded95ece117b2ed971cedee9d4df724340ad946e8cb8e775bd749e7de61fb468d

  • SSDEEP

    196608:7DANPFmCV+OoxomMRb4MGK3oI8XY2OqjoRK:70HPE+7GK3oVhOI

Score
10/10
sectopratbootkitevasionpersistencerattrojan

Malware Config

Signatures

  • SectopRAT

    SectopRAT is a remote access trojan first seen in November 2019.

    trojanratsectoprat
  • SectopRAT payload 1 IoCs
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f6ed1f34f629ab51dba4c63dc57c1a91.exe
    "C:\Users\Admin\AppData\Local\Temp\f6ed1f34f629ab51dba4c63dc57c1a91.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks computer location settings
    • Drops startup file
    • Checks whether UAC is enabled
    • Writes to the Master Boot Record (MBR)
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4352
    • C:\ProgramData\kidequoxayes\kecovi.exe
      "C:\ProgramData\kidequoxayes\kecovi.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • Writes to the Master Boot Record (MBR)
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:4968
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:4016
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c @echo off & ping 127.0.0.1 -n 5 -w 1000 > nul & del "C:\Users\Admin\AppData\Local\Temp\f6ed1f34f629ab51dba4c63dc57c1a91.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3472
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1 -n 5 -w 1000
        3⤵
        • Runs ping.exe
        PID:3940

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Bootkit

1
T1067

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1
T1497

Credential Access

Discovery

Query Registry

3
T1012

Virtualization/Sandbox Evasion

1
T1497

System Information Discovery

4
T1082

Remote System Discovery

1
T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\kidequoxayes\kecovi.exe
    Filesize

    656.8MB

    MD5

    5203b21a7197dbdc609141209258646d

    SHA1

    c54155859b18af061b6cb46a329ec4aecbbe0077

    SHA256

    7dc7b4d834c091fd35647857f39317be4deb6e3744e3f4f2a2ff4fda258d28b7

    SHA512

    95c81e3fc405faeb238e85b4a2b1c3d26ef4ab4eba0a6d2a6156d19186a17d502bd86ebcd1a0a96a7089b88976eb987a76e729c33a591074078f9e9e7155437a

    Download Submit
  • C:\ProgramData\kidequoxayes\kecovi.exe
    Filesize

    656.8MB

    MD5

    5203b21a7197dbdc609141209258646d

    SHA1

    c54155859b18af061b6cb46a329ec4aecbbe0077

    SHA256

    7dc7b4d834c091fd35647857f39317be4deb6e3744e3f4f2a2ff4fda258d28b7

    SHA512

    95c81e3fc405faeb238e85b4a2b1c3d26ef4ab4eba0a6d2a6156d19186a17d502bd86ebcd1a0a96a7089b88976eb987a76e729c33a591074078f9e9e7155437a

    Download Submit
  • C:\ProgramData\kidequoxayes\kecovi.exe
    Filesize

    656.8MB

    MD5

    5203b21a7197dbdc609141209258646d

    SHA1

    c54155859b18af061b6cb46a329ec4aecbbe0077

    SHA256

    7dc7b4d834c091fd35647857f39317be4deb6e3744e3f4f2a2ff4fda258d28b7

    SHA512

    95c81e3fc405faeb238e85b4a2b1c3d26ef4ab4eba0a6d2a6156d19186a17d502bd86ebcd1a0a96a7089b88976eb987a76e729c33a591074078f9e9e7155437a

    Download Submit
  • C:\ProgramData\mntemp
    Filesize

    16B

    MD5

    b19a4205f90c549c25f5da39604816ac

    SHA1

    75491ac56838dc08896d4f2ba565e759bc706759

    SHA256

    42a654a48aa31d713ad2b1bb9758d4580229355568835713ecfc8abd2f56b3d2

    SHA512

    d75a960672f576ffad44b5225be4053881166f1fbb2692adf7b77fee46d3c7211564ae79b5fe198cd2f0bc1cc57ed00886afdbdb49ce8f76c9faba9b6187874d

    Download Submit
  • memory/4016-160-0x0000000000400000-0x00000000004D6000-memory.dmp
    Filesize

    856KB

    Download
  • memory/4016-169-0x0000000005940000-0x0000000005950000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4016-168-0x0000000005940000-0x0000000005950000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4016-167-0x0000000005650000-0x0000000005688000-memory.dmp
    Filesize

    224KB

    Download
  • memory/4016-166-0x0000000005620000-0x000000000564E000-memory.dmp
    Filesize

    184KB

    Download
  • memory/4016-165-0x00000000056C0000-0x0000000005752000-memory.dmp
    Filesize

    584KB

    Download
  • memory/4016-164-0x0000000005BD0000-0x0000000006174000-memory.dmp
    Filesize

    5.6MB

    Download
  • memory/4016-161-0x0000000000400000-0x00000000004D6000-memory.dmp
    Filesize

    856KB

    Download
  • memory/4352-150-0x0000000001660000-0x0000000001670000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4352-155-0x0000000000400000-0x00000000012AE000-memory.dmp
    Filesize

    14.7MB

    Download
  • memory/4352-133-0x0000000000400000-0x00000000012AE000-memory.dmp
    Filesize

    14.7MB

    Download
  • memory/4352-139-0x0000000000400000-0x00000000012AE000-memory.dmp
    Filesize

    14.7MB

    Download
  • memory/4352-138-0x0000000001660000-0x0000000001670000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4352-137-0x0000000001660000-0x0000000001670000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4968-159-0x00000000037F0000-0x0000000003800000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4968-158-0x0000000000400000-0x00000000012AE000-memory.dmp
    Filesize

    14.7MB

    Download
  • memory/4968-162-0x00000000037F0000-0x0000000003800000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4968-163-0x0000000000400000-0x00000000012AE000-memory.dmp
    Filesize

    14.7MB

    Download
  • memory/4968-156-0x0000000000400000-0x00000000012AE000-memory.dmp
    Filesize

    14.7MB

    Download