sectoprat | 59b7de2bc1f7034bccc74460898d0039e6d9edd567083f7176ce88cb909c994b

General

Target

6ad791a223ab8bb728d8d27d371ae1f97ca419948af4bd660d4f84b1d34dc1a0.exe
Size

1.9MB
MD5

f473ff1ba37b4f1ecbf113e0a03979cf
SHA1

9600f413fa59744941bdf3635c86faa9de7689c0
SHA256

6ad791a223ab8bb728d8d27d371ae1f97ca419948af4bd660d4f84b1d34dc1a0
SHA512

7541ea9a6a1b5a47d587364246f4c54fa5365e73233acc7aa6ef351cba1796dd5a610e1dab890f07a182e98d763005e12e3d91ec1b5fefcef3d506805808c511
SSDEEP

12288:LQqdWF4mPTWRETEK8zukxzWBvEqQnUbz7nqIVvu+KWzbCU9aMpIhO4RlWUNNGqR+:LdQDFV3V+SdSO4m

Score

10^/10

sectoprat persistence rat trojan

Malware Config

Signatures

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1576-71-0x0000000000400000-0x00000000004A6000-memory.dmp	family_sectoprat
behavioral1/memory/1576-72-0x0000000000400000-0x00000000004A6000-memory.dmp	family_sectoprat
behavioral1/memory/1576-74-0x0000000000400000-0x00000000004A6000-memory.dmp	family_sectoprat
behavioral1/memory/1576-76-0x0000000000400000-0x00000000004A6000-memory.dmp	family_sectoprat
behavioral1/memory/1576-78-0x0000000000400000-0x00000000004A6000-memory.dmp	family_sectoprat
behavioral1/memory/1576-79-0x0000000004670000-0x00000000046B0000-memory.dmp	family_sectoprat

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

6ad791a223ab8bb728d8d27d371ae1f97ca419948af4bd660d4f84b1d34dc1a0.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Windows\CurrentVersion\Run\Gthkkia = "\"C:\\Users\\Admin\\AppData\\Roaming\\Yjcsviun\\Gthkkia.exe\""	6ad791a223ab8bb728d8d27d371ae1f97ca419948af4bd660d4f84b1d34dc1a0.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of SetThreadContext 1 IoCs

Processes:

6ad791a223ab8bb728d8d27d371ae1f97ca419948af4bd660d4f84b1d34dc1a0.exe

description	pid	process	target process
PID 1324 set thread context of 1576	1324	6ad791a223ab8bb728d8d27d371ae1f97ca419948af4bd660d4f84b1d34dc1a0.exe	6ad791a223ab8bb728d8d27d371ae1f97ca419948af4bd660d4f84b1d34dc1a0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exepowershell.exe

pid process

1332 powershell.exe
1744 powershell.exe

pid	process
1332	powershell.exe
1744	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

powershell.exe6ad791a223ab8bb728d8d27d371ae1f97ca419948af4bd660d4f84b1d34dc1a0.exepowershell.exe6ad791a223ab8bb728d8d27d371ae1f97ca419948af4bd660d4f84b1d34dc1a0.exe

description	pid	process
Token: SeDebugPrivilege	1332	powershell.exe
Token: SeDebugPrivilege	1324	6ad791a223ab8bb728d8d27d371ae1f97ca419948af4bd660d4f84b1d34dc1a0.exe
Token: SeDebugPrivilege	1744	powershell.exe
Token: SeDebugPrivilege	1576	6ad791a223ab8bb728d8d27d371ae1f97ca419948af4bd660d4f84b1d34dc1a0.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

6ad791a223ab8bb728d8d27d371ae1f97ca419948af4bd660d4f84b1d34dc1a0.execmd.exe

description	pid	process	target process
PID 1324 wrote to memory of 1332	1324	6ad791a223ab8bb728d8d27d371ae1f97ca419948af4bd660d4f84b1d34dc1a0.exe	powershell.exe
PID 1324 wrote to memory of 1332	1324	6ad791a223ab8bb728d8d27d371ae1f97ca419948af4bd660d4f84b1d34dc1a0.exe	powershell.exe
PID 1324 wrote to memory of 1332	1324	6ad791a223ab8bb728d8d27d371ae1f97ca419948af4bd660d4f84b1d34dc1a0.exe	powershell.exe
PID 1324 wrote to memory of 1332	1324	6ad791a223ab8bb728d8d27d371ae1f97ca419948af4bd660d4f84b1d34dc1a0.exe	powershell.exe
PID 1324 wrote to memory of 564	1324	6ad791a223ab8bb728d8d27d371ae1f97ca419948af4bd660d4f84b1d34dc1a0.exe	cmd.exe
PID 1324 wrote to memory of 564	1324	6ad791a223ab8bb728d8d27d371ae1f97ca419948af4bd660d4f84b1d34dc1a0.exe	cmd.exe
PID 1324 wrote to memory of 564	1324	6ad791a223ab8bb728d8d27d371ae1f97ca419948af4bd660d4f84b1d34dc1a0.exe	cmd.exe
PID 1324 wrote to memory of 564	1324	6ad791a223ab8bb728d8d27d371ae1f97ca419948af4bd660d4f84b1d34dc1a0.exe	cmd.exe
PID 564 wrote to memory of 1744	564	cmd.exe	powershell.exe
PID 564 wrote to memory of 1744	564	cmd.exe	powershell.exe
PID 564 wrote to memory of 1744	564	cmd.exe	powershell.exe
PID 564 wrote to memory of 1744	564	cmd.exe	powershell.exe
PID 1324 wrote to memory of 1576	1324	6ad791a223ab8bb728d8d27d371ae1f97ca419948af4bd660d4f84b1d34dc1a0.exe	6ad791a223ab8bb728d8d27d371ae1f97ca419948af4bd660d4f84b1d34dc1a0.exe
PID 1324 wrote to memory of 1576	1324	6ad791a223ab8bb728d8d27d371ae1f97ca419948af4bd660d4f84b1d34dc1a0.exe	6ad791a223ab8bb728d8d27d371ae1f97ca419948af4bd660d4f84b1d34dc1a0.exe
PID 1324 wrote to memory of 1576	1324	6ad791a223ab8bb728d8d27d371ae1f97ca419948af4bd660d4f84b1d34dc1a0.exe	6ad791a223ab8bb728d8d27d371ae1f97ca419948af4bd660d4f84b1d34dc1a0.exe
PID 1324 wrote to memory of 1576	1324	6ad791a223ab8bb728d8d27d371ae1f97ca419948af4bd660d4f84b1d34dc1a0.exe	6ad791a223ab8bb728d8d27d371ae1f97ca419948af4bd660d4f84b1d34dc1a0.exe
PID 1324 wrote to memory of 1576	1324	6ad791a223ab8bb728d8d27d371ae1f97ca419948af4bd660d4f84b1d34dc1a0.exe	6ad791a223ab8bb728d8d27d371ae1f97ca419948af4bd660d4f84b1d34dc1a0.exe
PID 1324 wrote to memory of 1576	1324	6ad791a223ab8bb728d8d27d371ae1f97ca419948af4bd660d4f84b1d34dc1a0.exe	6ad791a223ab8bb728d8d27d371ae1f97ca419948af4bd660d4f84b1d34dc1a0.exe
PID 1324 wrote to memory of 1576	1324	6ad791a223ab8bb728d8d27d371ae1f97ca419948af4bd660d4f84b1d34dc1a0.exe	6ad791a223ab8bb728d8d27d371ae1f97ca419948af4bd660d4f84b1d34dc1a0.exe
PID 1324 wrote to memory of 1576	1324	6ad791a223ab8bb728d8d27d371ae1f97ca419948af4bd660d4f84b1d34dc1a0.exe	6ad791a223ab8bb728d8d27d371ae1f97ca419948af4bd660d4f84b1d34dc1a0.exe
PID 1324 wrote to memory of 1576	1324	6ad791a223ab8bb728d8d27d371ae1f97ca419948af4bd660d4f84b1d34dc1a0.exe	6ad791a223ab8bb728d8d27d371ae1f97ca419948af4bd660d4f84b1d34dc1a0.exe

C:\Users\Admin\AppData\Local\Temp\6ad791a223ab8bb728d8d27d371ae1f97ca419948af4bd660d4f84b1d34dc1a0.exe
"C:\Users\Admin\AppData\Local\Temp\6ad791a223ab8bb728d8d27d371ae1f97ca419948af4bd660d4f84b1d34dc1a0.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1324

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1332

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
2⤵
- Suspicious use of WriteProcessMemory
PID:564

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1744

C:\Users\Admin\AppData\Local\Temp\6ad791a223ab8bb728d8d27d371ae1f97ca419948af4bd660d4f84b1d34dc1a0.exe
C:\Users\Admin\AppData\Local\Temp\6ad791a223ab8bb728d8d27d371ae1f97ca419948af4bd660d4f84b1d34dc1a0.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1576

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

Web Service

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\PIRZEUAKFWWC39738OUO.temp

Filesize
7KB

MD5
0f1dbeb5bdf3bd6486b63b4769728565

SHA1
79dbe8d6068930e44ac7e7e74152e0a6b3a8349d

SHA256
3fd4151c475ca850fe67e83613a6bfc9d2ecbbe4be5346c9f253556f46f45e95

SHA512
7453d401c14bc5a5182db8ed2b1a0d308fe45e514d46a45eef24d7bf6871a4cb2eceeab38db0c2d0b9dffd77822ff5bc2b0d2bb4b4321f808e631ba27222ef52

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
0f1dbeb5bdf3bd6486b63b4769728565

SHA1
79dbe8d6068930e44ac7e7e74152e0a6b3a8349d

SHA256
3fd4151c475ca850fe67e83613a6bfc9d2ecbbe4be5346c9f253556f46f45e95

SHA512
7453d401c14bc5a5182db8ed2b1a0d308fe45e514d46a45eef24d7bf6871a4cb2eceeab38db0c2d0b9dffd77822ff5bc2b0d2bb4b4321f808e631ba27222ef52

Download Submit
memory/1324-54-0x0000000000FC0000-0x00000000011AC000-memory.dmp

Filesize
1.9MB

Download
memory/1324-55-0x0000000000AE0000-0x0000000000BD8000-memory.dmp

Filesize
992KB

Download
memory/1324-56-0x0000000000480000-0x00000000004DE000-memory.dmp

Filesize
376KB

Download
memory/1324-57-0x0000000004CF0000-0x0000000004D30000-memory.dmp

Filesize
256KB

Download
memory/1324-61-0x0000000004CF0000-0x0000000004D30000-memory.dmp

Filesize
256KB

Download
memory/1332-60-0x00000000022F0000-0x0000000002330000-memory.dmp

Filesize
256KB

Download
memory/1576-72-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1576-69-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1576-70-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1576-71-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1576-73-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1576-74-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1576-76-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1576-78-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1576-79-0x0000000004670000-0x00000000046B0000-memory.dmp

Filesize
256KB

Download
memory/1576-80-0x0000000004670000-0x00000000046B0000-memory.dmp

Filesize
256KB

Download
memory/1744-67-0x0000000002700000-0x0000000002740000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads