sectoprat | f4f8097c5f69c88f2b5623e8b9d0cf4658627a632104a10d4fcdc15b32d963f3

General

Target

69c3d5a7edebb0ed71c7cdfa42ae8a78c4eb74655d159939c3e212fd89dd7791.exe
Size

3.9MB
MD5

4bd0a75b3ace98a7226f3a22fbe29745
SHA1

316aea2a19ecbee6414f04799352ce6bdc654484
SHA256

69c3d5a7edebb0ed71c7cdfa42ae8a78c4eb74655d159939c3e212fd89dd7791
SHA512

52c24ed3701286be24e3335ce6f78c504caa3bcb4315349da958f0a2279ab55ffdbb92166d58de0bd7fea902a83704fe88a78e3f6226a55131f7587d16ab36a3
SSDEEP

49152:ynn8p9K3Tb8TpGeF7fhzjwZeJz+Uf1CAEmB1SQjiejeCEu50TzNCop+OBu:yn8c8MKaAJaUFj1S9ejeCEC4okrBu

Score

10^/10

sectoprat rat trojan

Malware Config

Signatures

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 2 IoCs

resource	yara_rule
behavioral2/memory/1020-22-0x0000000007C20000-0x0000000007D20000-memory.dmp	family_sectoprat
behavioral2/memory/8-21-0x0000000000400000-0x00000000004D2000-memory.dmp	family_sectoprat

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\The_new_style_of_the_installer.lnk	69c3d5a7edebb0ed71c7cdfa42ae8a78c4eb74655d159939c3e212fd89dd7791.exe

Loads dropped DLL 1 IoCs

pid	Process
1020	69c3d5a7edebb0ed71c7cdfa42ae8a78c4eb74655d159939c3e212fd89dd7791.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1020 set thread context of 8	1020	69c3d5a7edebb0ed71c7cdfa42ae8a78c4eb74655d159939c3e212fd89dd7791.exe	89

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3936	1020	WerFault.exe	28

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	8	RegAsm.exe
Token: SeDebugPrivilege	1020	69c3d5a7edebb0ed71c7cdfa42ae8a78c4eb74655d159939c3e212fd89dd7791.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1020 wrote to memory of 8	1020	69c3d5a7edebb0ed71c7cdfa42ae8a78c4eb74655d159939c3e212fd89dd7791.exe	89
PID 1020 wrote to memory of 8	1020	69c3d5a7edebb0ed71c7cdfa42ae8a78c4eb74655d159939c3e212fd89dd7791.exe	89
PID 1020 wrote to memory of 8	1020	69c3d5a7edebb0ed71c7cdfa42ae8a78c4eb74655d159939c3e212fd89dd7791.exe	89
PID 1020 wrote to memory of 8	1020	69c3d5a7edebb0ed71c7cdfa42ae8a78c4eb74655d159939c3e212fd89dd7791.exe	89
PID 1020 wrote to memory of 8	1020	69c3d5a7edebb0ed71c7cdfa42ae8a78c4eb74655d159939c3e212fd89dd7791.exe	89
PID 1020 wrote to memory of 8	1020	69c3d5a7edebb0ed71c7cdfa42ae8a78c4eb74655d159939c3e212fd89dd7791.exe	89
PID 1020 wrote to memory of 8	1020	69c3d5a7edebb0ed71c7cdfa42ae8a78c4eb74655d159939c3e212fd89dd7791.exe	89
PID 1020 wrote to memory of 8	1020	69c3d5a7edebb0ed71c7cdfa42ae8a78c4eb74655d159939c3e212fd89dd7791.exe	89

C:\Users\Admin\AppData\Local\Temp\69c3d5a7edebb0ed71c7cdfa42ae8a78c4eb74655d159939c3e212fd89dd7791.exe
"C:\Users\Admin\AppData\Local\Temp\69c3d5a7edebb0ed71c7cdfa42ae8a78c4eb74655d159939c3e212fd89dd7791.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1020
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:8
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1020 -s 1000
  2⤵
  - Program crash
  PID:3936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 1020 -ip 1020
1⤵
PID:2224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Protect544cd51a.dll

Filesize
513KB

MD5
db4bf495180b45241d9a574545bb1031

SHA1
ba4f46680dc63834b504b12546467ce7bc244bf8

SHA256
d8550e559fb01fc5e7cb571bf1d369cbc1dd0bb840105008cf17e64b7a730ca6

SHA512
8e4285b12f7c690f65d328b2302faaa5dae96b29a0f34b0ccff856fbe6ff56202aff519a40704cef8d202630a35bb0c6c7775055aec74e7e339899cede58c7f8

Download Submit
memory/8-21-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/8-35-0x0000000074E10000-0x00000000755C0000-memory.dmp

Filesize
7.7MB

Download
memory/8-25-0x0000000005080000-0x0000000005242000-memory.dmp

Filesize
1.8MB

Download
memory/8-26-0x0000000074E10000-0x00000000755C0000-memory.dmp

Filesize
7.7MB

Download
memory/8-28-0x0000000004EB0000-0x0000000004F26000-memory.dmp

Filesize
472KB

Download
memory/1020-6-0x00000000056C0000-0x00000000056CA000-memory.dmp

Filesize
40KB

Download
memory/1020-27-0x0000000005870000-0x0000000005880000-memory.dmp

Filesize
64KB

Download
memory/1020-8-0x0000000007450000-0x00000000075E2000-memory.dmp

Filesize
1.6MB

Download
memory/1020-14-0x0000000005870000-0x0000000005880000-memory.dmp

Filesize
64KB

Download
memory/1020-17-0x0000000005870000-0x0000000005880000-memory.dmp

Filesize
64KB

Download
memory/1020-18-0x0000000005870000-0x0000000005880000-memory.dmp

Filesize
64KB

Download
memory/1020-23-0x0000000007C20000-0x0000000007D20000-memory.dmp

Filesize
1024KB

Download
memory/1020-22-0x0000000007C20000-0x0000000007D20000-memory.dmp

Filesize
1024KB

Download
memory/1020-0-0x0000000074E10000-0x00000000755C0000-memory.dmp

Filesize
7.7MB

Download
memory/1020-24-0x0000000074E10000-0x00000000755C0000-memory.dmp

Filesize
7.7MB

Download
memory/1020-5-0x0000000005870000-0x0000000005880000-memory.dmp

Filesize
64KB

Download
memory/1020-7-0x00000000060C0000-0x000000000631E000-memory.dmp

Filesize
2.4MB

Download
memory/1020-4-0x0000000005740000-0x00000000057DC000-memory.dmp

Filesize
624KB

Download
memory/1020-3-0x0000000005500000-0x0000000005592000-memory.dmp

Filesize
584KB

Download
memory/1020-20-0x0000000005870000-0x0000000005880000-memory.dmp

Filesize
64KB

Download
memory/1020-19-0x0000000007C20000-0x0000000007D20000-memory.dmp

Filesize
1024KB

Download
memory/1020-16-0x0000000005860000-0x0000000005870000-memory.dmp

Filesize
64KB

Download
memory/1020-15-0x0000000005870000-0x0000000005880000-memory.dmp

Filesize
64KB

Download
memory/1020-2-0x0000000005A10000-0x0000000005FB4000-memory.dmp

Filesize
5.6MB

Download
memory/1020-34-0x0000000074E10000-0x00000000755C0000-memory.dmp

Filesize
7.7MB

Download
memory/1020-1-0x0000000000700000-0x0000000000AF0000-memory.dmp

Filesize
3.9MB

Download

Analysis

Sharing