sectoprat | 59b7de2bc1f7034bccc74460898d0039e6d9edd567083f7176ce88cb909c994b

Analysis

max time kernel
151s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
21/03/2023, 14:30

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

6ad791a223ab8bb728d8d27d371ae1f97ca419948af4bd660d4f84b1d34dc1a0.exe
Size

1.9MB
MD5

f473ff1ba37b4f1ecbf113e0a03979cf
SHA1

9600f413fa59744941bdf3635c86faa9de7689c0
SHA256

6ad791a223ab8bb728d8d27d371ae1f97ca419948af4bd660d4f84b1d34dc1a0
SHA512

7541ea9a6a1b5a47d587364246f4c54fa5365e73233acc7aa6ef351cba1796dd5a610e1dab890f07a182e98d763005e12e3d91ec1b5fefcef3d506805808c511
SSDEEP

12288:LQqdWF4mPTWRETEK8zukxzWBvEqQnUbz7nqIVvu+KWzbCU9aMpIhO4RlWUNNGqR+:LdQDFV3V+SdSO4m

Score

10^/10

sectoprat discovery evasion persistence rat spyware stealer trojan

Malware Config

Signatures

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 1 IoCs

resource	yara_rule
behavioral2/memory/1680-175-0x0000000000400000-0x00000000004A6000-memory.dmp	family_sectoprat

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	6ad791a223ab8bb728d8d27d371ae1f97ca419948af4bd660d4f84b1d34dc1a0.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	6ad791a223ab8bb728d8d27d371ae1f97ca419948af4bd660d4f84b1d34dc1a0.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gthkkia = "\"C:\\Users\\Admin\\AppData\\Roaming\\Yjcsviun\\Gthkkia.exe\""	6ad791a223ab8bb728d8d27d371ae1f97ca419948af4bd660d4f84b1d34dc1a0.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
72	eth0.me

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1452 set thread context of 1680	1452	6ad791a223ab8bb728d8d27d371ae1f97ca419948af4bd660d4f84b1d34dc1a0.exe	92

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

pid	Process
4600	taskkill.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
800	powershell.exe
800	powershell.exe
5104	powershell.exe
5104	powershell.exe
1680	6ad791a223ab8bb728d8d27d371ae1f97ca419948af4bd660d4f84b1d34dc1a0.exe
1680	6ad791a223ab8bb728d8d27d371ae1f97ca419948af4bd660d4f84b1d34dc1a0.exe
1680	6ad791a223ab8bb728d8d27d371ae1f97ca419948af4bd660d4f84b1d34dc1a0.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	800	powershell.exe
Token: SeDebugPrivilege	1452	6ad791a223ab8bb728d8d27d371ae1f97ca419948af4bd660d4f84b1d34dc1a0.exe
Token: SeDebugPrivilege	5104	powershell.exe
Token: SeDebugPrivilege	1680	6ad791a223ab8bb728d8d27d371ae1f97ca419948af4bd660d4f84b1d34dc1a0.exe
Token: SeDebugPrivilege	4600	taskkill.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1452 wrote to memory of 800	1452	6ad791a223ab8bb728d8d27d371ae1f97ca419948af4bd660d4f84b1d34dc1a0.exe	85
PID 1452 wrote to memory of 800	1452	6ad791a223ab8bb728d8d27d371ae1f97ca419948af4bd660d4f84b1d34dc1a0.exe	85
PID 1452 wrote to memory of 800	1452	6ad791a223ab8bb728d8d27d371ae1f97ca419948af4bd660d4f84b1d34dc1a0.exe	85
PID 1452 wrote to memory of 4148	1452	6ad791a223ab8bb728d8d27d371ae1f97ca419948af4bd660d4f84b1d34dc1a0.exe	89
PID 1452 wrote to memory of 4148	1452	6ad791a223ab8bb728d8d27d371ae1f97ca419948af4bd660d4f84b1d34dc1a0.exe	89
PID 1452 wrote to memory of 4148	1452	6ad791a223ab8bb728d8d27d371ae1f97ca419948af4bd660d4f84b1d34dc1a0.exe	89
PID 4148 wrote to memory of 5104	4148	cmd.exe	91
PID 4148 wrote to memory of 5104	4148	cmd.exe	91
PID 4148 wrote to memory of 5104	4148	cmd.exe	91
PID 1452 wrote to memory of 1680	1452	6ad791a223ab8bb728d8d27d371ae1f97ca419948af4bd660d4f84b1d34dc1a0.exe	92
PID 1452 wrote to memory of 1680	1452	6ad791a223ab8bb728d8d27d371ae1f97ca419948af4bd660d4f84b1d34dc1a0.exe	92
PID 1452 wrote to memory of 1680	1452	6ad791a223ab8bb728d8d27d371ae1f97ca419948af4bd660d4f84b1d34dc1a0.exe	92
PID 1452 wrote to memory of 1680	1452	6ad791a223ab8bb728d8d27d371ae1f97ca419948af4bd660d4f84b1d34dc1a0.exe	92
PID 1452 wrote to memory of 1680	1452	6ad791a223ab8bb728d8d27d371ae1f97ca419948af4bd660d4f84b1d34dc1a0.exe	92
PID 1452 wrote to memory of 1680	1452	6ad791a223ab8bb728d8d27d371ae1f97ca419948af4bd660d4f84b1d34dc1a0.exe	92
PID 1452 wrote to memory of 1680	1452	6ad791a223ab8bb728d8d27d371ae1f97ca419948af4bd660d4f84b1d34dc1a0.exe	92
PID 1452 wrote to memory of 1680	1452	6ad791a223ab8bb728d8d27d371ae1f97ca419948af4bd660d4f84b1d34dc1a0.exe	92
PID 1680 wrote to memory of 4600	1680	6ad791a223ab8bb728d8d27d371ae1f97ca419948af4bd660d4f84b1d34dc1a0.exe	102
PID 1680 wrote to memory of 4600	1680	6ad791a223ab8bb728d8d27d371ae1f97ca419948af4bd660d4f84b1d34dc1a0.exe	102
PID 1680 wrote to memory of 4600	1680	6ad791a223ab8bb728d8d27d371ae1f97ca419948af4bd660d4f84b1d34dc1a0.exe	102

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	6ad791a223ab8bb728d8d27d371ae1f97ca419948af4bd660d4f84b1d34dc1a0.exe

C:\Users\Admin\AppData\Local\Temp\6ad791a223ab8bb728d8d27d371ae1f97ca419948af4bd660d4f84b1d34dc1a0.exe
"C:\Users\Admin\AppData\Local\Temp\6ad791a223ab8bb728d8d27d371ae1f97ca419948af4bd660d4f84b1d34dc1a0.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1452
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:800
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4148
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5104
- C:\Users\Admin\AppData\Local\Temp\6ad791a223ab8bb728d8d27d371ae1f97ca419948af4bd660d4f84b1d34dc1a0.exe
  C:\Users\Admin\AppData\Local\Temp\6ad791a223ab8bb728d8d27d371ae1f97ca419948af4bd660d4f84b1d34dc1a0.exe
  2⤵
  - UAC bypass
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1680
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /im chrome.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4600

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\6ad791a223ab8bb728d8d27d371ae1f97ca419948af4bd660d4f84b1d34dc1a0.exe.log

Filesize
1KB

MD5
7200fb09b34d23375c2cff85323af4a4

SHA1
0994a0ab70a6f6c8c45b4664bed926779fbd5c2e

SHA256
e065d81294bae8c8404e57ce5d9d4db68472cefac1469e49f2e73671a4315e15

SHA512
417451e2279b9f1861d317edd8a517a7bb6d1e505c23fb89a16662059d23fbd789223b061ea73217d2042a2221f998c093928a28fd6d8054f53fa174f5dd02de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
6195a91754effb4df74dbc72cdf4f7a6

SHA1
aba262f5726c6d77659fe0d3195e36a85046b427

SHA256
3254495a5513b37a2686a876d0040275414699e7ce760e7b5ee05e41a54b96f5

SHA512
ed723d15de267390dc93263538428e2c881be3494c996a810616b470d6df7d5acfcc8725687d5c50319ebef45caef44f769bfc32e0dc3abd249dacff4a12cc89

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
06ad34f9739c5159b4d92d702545bd49

SHA1
9152a0d4f153f3f40f7e606be75f81b582ee0c17

SHA256
474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba

SHA512
c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
21be51cd07b9dc2463a6a8db5bbce657

SHA1
53c4addf49aecd9c664c65c9c2542bf05131fe28

SHA256
92dd47140494a61ace18139627d018a7ef738e9900ac2c463d93469267763b5f

SHA512
4e370b1a80cc4fef5cc04011384dc3336a1adb398d74428b56e102710d60f92d040085fa6c55338de32a0e40b2fabd03cac7c85c6d616bcfb773d26725526bb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_j0fay0dj.jzc.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/800-152-0x0000000005270000-0x0000000005280000-memory.dmp

Filesize
64KB

Download
memory/800-137-0x00000000058B0000-0x0000000005ED8000-memory.dmp

Filesize
6.2MB

Download
memory/800-138-0x0000000005270000-0x0000000005280000-memory.dmp

Filesize
64KB

Download
memory/800-140-0x00000000060D0000-0x0000000006136000-memory.dmp

Filesize
408KB

Download
memory/800-146-0x0000000006140000-0x00000000061A6000-memory.dmp

Filesize
408KB

Download
memory/800-151-0x0000000006790000-0x00000000067AE000-memory.dmp

Filesize
120KB

Download
memory/800-139-0x0000000005270000-0x0000000005280000-memory.dmp

Filesize
64KB

Download
memory/800-153-0x0000000007E00000-0x000000000847A000-memory.dmp

Filesize
6.5MB

Download
memory/800-154-0x0000000006C70000-0x0000000006C8A000-memory.dmp

Filesize
104KB

Download
memory/800-136-0x00000000051F0000-0x0000000005226000-memory.dmp

Filesize
216KB

Download
memory/800-156-0x0000000005270000-0x0000000005280000-memory.dmp

Filesize
64KB

Download
memory/800-157-0x0000000005270000-0x0000000005280000-memory.dmp

Filesize
64KB

Download
memory/800-158-0x0000000005270000-0x0000000005280000-memory.dmp

Filesize
64KB

Download
memory/1452-164-0x0000000007150000-0x00000000076F4000-memory.dmp

Filesize
5.6MB

Download
memory/1452-163-0x00000000060C0000-0x0000000006152000-memory.dmp

Filesize
584KB

Download
memory/1452-134-0x0000000005C10000-0x0000000005C32000-memory.dmp

Filesize
136KB

Download
memory/1452-133-0x0000000000E60000-0x000000000104C000-memory.dmp

Filesize
1.9MB

Download
memory/1452-155-0x0000000005C90000-0x0000000005CA0000-memory.dmp

Filesize
64KB

Download
memory/1452-135-0x0000000005C90000-0x0000000005CA0000-memory.dmp

Filesize
64KB

Download
memory/1680-216-0x0000000007250000-0x00000000072A0000-memory.dmp

Filesize
320KB

Download
memory/1680-179-0x0000000005060000-0x0000000005070000-memory.dmp

Filesize
64KB

Download
memory/1680-175-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1680-203-0x0000000005060000-0x0000000005070000-memory.dmp

Filesize
64KB

Download
memory/1680-210-0x0000000007A30000-0x0000000007A6C000-memory.dmp

Filesize
240KB

Download
memory/1680-208-0x0000000007380000-0x0000000007392000-memory.dmp

Filesize
72KB

Download
memory/1680-207-0x0000000006C80000-0x0000000006C9E000-memory.dmp

Filesize
120KB

Download
memory/1680-206-0x00000000073C0000-0x00000000078EC000-memory.dmp

Filesize
5.2MB

Download
memory/1680-205-0x0000000006B90000-0x0000000006C06000-memory.dmp

Filesize
472KB

Download
memory/1680-204-0x0000000006CC0000-0x0000000006E82000-memory.dmp

Filesize
1.8MB

Download
memory/5104-181-0x0000000004AE0000-0x0000000004AF0000-memory.dmp

Filesize
64KB

Download
memory/5104-199-0x0000000005C80000-0x0000000005C8E000-memory.dmp

Filesize
56KB

Download
memory/5104-200-0x0000000007370000-0x000000000738A000-memory.dmp

Filesize
104KB

Download
memory/5104-201-0x0000000007350000-0x0000000007358000-memory.dmp

Filesize
32KB

Download
memory/5104-198-0x0000000004AE0000-0x0000000004AF0000-memory.dmp

Filesize
64KB

Download
memory/5104-197-0x000000007FCE0000-0x000000007FCF0000-memory.dmp

Filesize
64KB

Download
memory/5104-196-0x00000000073F0000-0x0000000007486000-memory.dmp

Filesize
600KB

Download
memory/5104-195-0x00000000071B0000-0x00000000071BA000-memory.dmp

Filesize
40KB

Download
memory/5104-194-0x0000000006360000-0x000000000637E000-memory.dmp

Filesize
120KB

Download
memory/5104-184-0x00000000728C0000-0x000000007290C000-memory.dmp

Filesize
304KB

Download
memory/5104-183-0x0000000007020000-0x0000000007052000-memory.dmp

Filesize
200KB

Download
memory/5104-180-0x0000000004AE0000-0x0000000004AF0000-memory.dmp

Filesize
64KB

Download