sectoprat | 235d78cfb4c8c030df218d8417f37f9b540db6993f9c6bb103f49d98f00e4650

Analysis

max time kernel
255s
max time network
299s
platform
windows10-1703_x64
resource
win10-20231215-en
resource tags

arch:x64arch:x86image:win10-20231215-enlocale:en-usos:windows10-1703-x64system
submitted
28/01/2024, 22:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

235d78cfb4c8c030df218d8417f37f9b540db6993f9c6bb103f49d98f00e4650.exe
Size

6.2MB
MD5

e3c25f983601af66e080d0f5e11399a8
SHA1

5673bc9f3014fca13dea83f83e7b11e25737a75f
SHA256

235d78cfb4c8c030df218d8417f37f9b540db6993f9c6bb103f49d98f00e4650
SHA512

3e58ed4d89dccde0e7870c347f387fad512b1f3e4f9a8fc5c5a9746693a0e07caad4b4d37ce12c9d8d0b96cef80b641fc5952153acff27564bf97119a6d8101b
SSDEEP

98304:eWxdy9X3bxdKRYPkOSG3lJ2ZNrQxO9LHGOZVXbZsZe7CYA179lMgCRqt:tg3bxduYPkpG3ENUxO9miZ57Lkl3

Score

10^/10

sectoprat persistence rat trojan

Malware Config

Signatures

Detects Arechclient2 RAT 1 IoCs

Arechclient2.

resource	yara_rule
behavioral2/memory/2912-21-0x0000000000400000-0x00000000004D4000-memory.dmp	MALWARE_Win_Arechclient

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 1 IoCs

resource	yara_rule
behavioral2/memory/2912-21-0x0000000000400000-0x00000000004D4000-memory.dmp	family_sectoprat

Loads dropped DLL 1 IoCs

pid	Process
5064	235d78cfb4c8c030df218d8417f37f9b540db6993f9c6bb103f49d98f00e4650.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-33539905-3698238643-2080195461-1000\Software\Microsoft\Windows\CurrentVersion\Run\Courses_for_professional_development = "C:\\Users\\Admin\\AppData\\Local\\Courses_for_professional_development\\Courses_for_professional_development.exe"	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 5064 set thread context of 2912	5064	235d78cfb4c8c030df218d8417f37f9b540db6993f9c6bb103f49d98f00e4650.exe	73

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1872	powershell.exe
1872	powershell.exe
1872	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2912	InstallUtil.exe
Token: SeDebugPrivilege	1872	powershell.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 5064 wrote to memory of 2912	5064	235d78cfb4c8c030df218d8417f37f9b540db6993f9c6bb103f49d98f00e4650.exe	73
PID 5064 wrote to memory of 2912	5064	235d78cfb4c8c030df218d8417f37f9b540db6993f9c6bb103f49d98f00e4650.exe	73
PID 5064 wrote to memory of 2912	5064	235d78cfb4c8c030df218d8417f37f9b540db6993f9c6bb103f49d98f00e4650.exe	73
PID 5064 wrote to memory of 2912	5064	235d78cfb4c8c030df218d8417f37f9b540db6993f9c6bb103f49d98f00e4650.exe	73
PID 5064 wrote to memory of 2912	5064	235d78cfb4c8c030df218d8417f37f9b540db6993f9c6bb103f49d98f00e4650.exe	73
PID 5064 wrote to memory of 2912	5064	235d78cfb4c8c030df218d8417f37f9b540db6993f9c6bb103f49d98f00e4650.exe	73
PID 5064 wrote to memory of 2912	5064	235d78cfb4c8c030df218d8417f37f9b540db6993f9c6bb103f49d98f00e4650.exe	73
PID 5064 wrote to memory of 2912	5064	235d78cfb4c8c030df218d8417f37f9b540db6993f9c6bb103f49d98f00e4650.exe	73
PID 5064 wrote to memory of 1872	5064	235d78cfb4c8c030df218d8417f37f9b540db6993f9c6bb103f49d98f00e4650.exe	74
PID 5064 wrote to memory of 1872	5064	235d78cfb4c8c030df218d8417f37f9b540db6993f9c6bb103f49d98f00e4650.exe	74
PID 5064 wrote to memory of 1872	5064	235d78cfb4c8c030df218d8417f37f9b540db6993f9c6bb103f49d98f00e4650.exe	74

C:\Users\Admin\AppData\Local\Temp\235d78cfb4c8c030df218d8417f37f9b540db6993f9c6bb103f49d98f00e4650.exe
"C:\Users\Admin\AppData\Local\Temp\235d78cfb4c8c030df218d8417f37f9b540db6993f9c6bb103f49d98f00e4650.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:5064
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2912
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Courses_for_professional_development';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Courses_for_professional_development' -Value '"C:\Users\Admin\AppData\Local\Courses_for_professional_development\Courses_for_professional_development.exe"' -PropertyType 'String'
  2⤵
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ysjldzce.3po.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1E24.tmp

Filesize
20KB

MD5
c9ff7748d8fcef4cf84a5501e996a641

SHA1
02867e5010f62f97ebb0cfb32cb3ede9449fe0c9

SHA256
4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988

SHA512
d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

Download Submit
\Users\Admin\AppData\Local\Temp\Protect544cd51a.dll

Filesize
742KB

MD5
544cd51a596619b78e9b54b70088307d

SHA1
4769ddd2dbc1dc44b758964ed0bd231b85880b65

SHA256
dfce2d4d06de6452998b3c5b2dc33eaa6db2bd37810d04e3d02dc931887cfddd

SHA512
f56d8b81022bb132d40aa78596da39b5c212d13b84b5c7d2c576bbf403924f1d22e750de3b09d1be30aea359f1b72c5043b19685fc9bf06d8040bfee16b17719

Download Submit
memory/1872-43-0x0000000008550000-0x000000000856C000-memory.dmp

Filesize
112KB

Download
memory/1872-44-0x0000000008870000-0x00000000088BB000-memory.dmp

Filesize
300KB

Download
memory/1872-40-0x0000000008020000-0x0000000008086000-memory.dmp

Filesize
408KB

Download
memory/1872-305-0x0000000074030000-0x000000007471E000-memory.dmp

Filesize
6.9MB

Download
memory/1872-294-0x0000000009C50000-0x0000000009C6A000-memory.dmp

Filesize
104KB

Download
memory/1872-295-0x0000000009D40000-0x0000000009D62000-memory.dmp

Filesize
136KB

Download
memory/1872-277-0x0000000009BE0000-0x0000000009BE8000-memory.dmp

Filesize
32KB

Download
memory/1872-272-0x0000000009C00000-0x0000000009C1A000-memory.dmp

Filesize
104KB

Download
memory/1872-73-0x0000000009CA0000-0x0000000009D34000-memory.dmp

Filesize
592KB

Download
memory/1872-36-0x00000000079F0000-0x0000000008018000-memory.dmp

Filesize
6.2MB

Download
memory/1872-32-0x0000000074030000-0x000000007471E000-memory.dmp

Filesize
6.9MB

Download
memory/1872-69-0x0000000004D90000-0x0000000004DA0000-memory.dmp

Filesize
64KB

Download
memory/1872-68-0x0000000009A90000-0x0000000009B35000-memory.dmp

Filesize
660KB

Download
memory/1872-63-0x0000000009920000-0x000000000993E000-memory.dmp

Filesize
120KB

Download
memory/1872-37-0x00000000077C0000-0x00000000077E2000-memory.dmp

Filesize
136KB

Download
memory/1872-39-0x0000000007860000-0x00000000078C6000-memory.dmp

Filesize
408KB

Download
memory/1872-62-0x00000000716A0000-0x00000000716EB000-memory.dmp

Filesize
300KB

Download
memory/1872-33-0x0000000004D40000-0x0000000004D76000-memory.dmp

Filesize
216KB

Download
memory/1872-61-0x0000000009960000-0x0000000009993000-memory.dmp

Filesize
204KB

Download
memory/1872-42-0x0000000008200000-0x0000000008550000-memory.dmp

Filesize
3.3MB

Download
memory/1872-34-0x0000000004D90000-0x0000000004DA0000-memory.dmp

Filesize
64KB

Download
memory/2912-27-0x0000000005830000-0x00000000059F2000-memory.dmp

Filesize
1.8MB

Download
memory/2912-29-0x0000000005530000-0x0000000005580000-memory.dmp

Filesize
320KB

Download
memory/2912-24-0x0000000074030000-0x000000007471E000-memory.dmp

Filesize
6.9MB

Download
memory/2912-41-0x0000000005C30000-0x0000000005C4E000-memory.dmp

Filesize
120KB

Download
memory/2912-35-0x0000000005660000-0x00000000056D6000-memory.dmp

Filesize
472KB

Download
memory/2912-38-0x0000000006930000-0x0000000006E5C000-memory.dmp

Filesize
5.2MB

Download
memory/2912-23-0x0000000005440000-0x00000000054D2000-memory.dmp

Filesize
584KB

Download
memory/2912-21-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/2912-306-0x0000000074030000-0x000000007471E000-memory.dmp

Filesize
6.9MB

Download
memory/5064-16-0x0000000001690000-0x00000000016A0000-memory.dmp

Filesize
64KB

Download
memory/5064-17-0x0000000001690000-0x00000000016A0000-memory.dmp

Filesize
64KB

Download
memory/5064-1-0x0000000000670000-0x0000000000CAC000-memory.dmp

Filesize
6.2MB

Download
memory/5064-4-0x0000000001690000-0x00000000016A0000-memory.dmp

Filesize
64KB

Download
memory/5064-2-0x0000000005570000-0x000000000560C000-memory.dmp

Filesize
624KB

Download
memory/5064-28-0x0000000074030000-0x000000007471E000-memory.dmp

Filesize
6.9MB

Download
memory/5064-22-0x0000000007870000-0x0000000007D6E000-memory.dmp

Filesize
5.0MB

Download
memory/5064-20-0x0000000007230000-0x0000000007330000-memory.dmp

Filesize
1024KB

Download
memory/5064-18-0x0000000007230000-0x0000000007330000-memory.dmp

Filesize
1024KB

Download
memory/5064-19-0x0000000007230000-0x0000000007330000-memory.dmp

Filesize
1024KB

Download
memory/5064-0-0x0000000074030000-0x000000007471E000-memory.dmp

Filesize
6.9MB

Download
memory/5064-15-0x0000000001690000-0x00000000016A0000-memory.dmp

Filesize
64KB

Download
memory/5064-14-0x0000000003110000-0x0000000003120000-memory.dmp

Filesize
64KB

Download
memory/5064-12-0x0000000001690000-0x00000000016A0000-memory.dmp

Filesize
64KB

Download
memory/5064-13-0x0000000001690000-0x00000000016A0000-memory.dmp

Filesize
64KB

Download
memory/5064-3-0x0000000074030000-0x000000007471E000-memory.dmp

Filesize
6.9MB

Download
memory/5064-6-0x0000000005C70000-0x0000000005E02000-memory.dmp

Filesize
1.6MB

Download
memory/5064-5-0x0000000005860000-0x0000000005B68000-memory.dmp

Filesize
3.0MB

Download