sectoprat | 1f8dec69b76f70a555ed82874354b58e662a6fc382b45784e2cae8ae2978398c

Analysis

max time kernel
272s
max time network
300s
platform
windows10-1703_x64
resource
win10-20231215-en
resource tags

arch:x64arch:x86image:win10-20231215-enlocale:en-usos:windows10-1703-x64system
submitted
01-02-2024 04:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1f8dec69b76f70a555ed82874354b58e662a6fc382b45784e2cae8ae2978398c.exe
Size

3.9MB
MD5

6981e1fe652aea8534bc86365b2c1eea
SHA1

4df342b95bff205f57bcf1b1740f26eaee1eac75
SHA256

1f8dec69b76f70a555ed82874354b58e662a6fc382b45784e2cae8ae2978398c
SHA512

b72a326df5848b4b95bc8bb9ca3970fb06de4bc1217f25e3c6d70e05c9d81cbba23298599b665f7c927498fba17cc57ecca99d71e354279f006c69fbd297be13
SSDEEP

98304:mkvX9nnZHBwv59qYyHGqG1A6yPLD2LpvmB2jHNlRN+yFPEJbq:mkvX9nZHBwv59qOKD2dOcjHNlRau

Score

10^/10

sectoprat persistence rat trojan

Malware Config

Signatures

Detects Arechclient2 RAT 1 IoCs

Arechclient2.

Processes:

resource	yara_rule
behavioral2/memory/4280-19-0x0000000000400000-0x00000000004D4000-memory.dmp	MALWARE_Win_Arechclient

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4280-19-0x0000000000400000-0x00000000004D4000-memory.dmp	family_sectoprat
behavioral2/memory/3508-20-0x0000000006120000-0x0000000006220000-memory.dmp	family_sectoprat
behavioral2/memory/3508-18-0x0000000006120000-0x0000000006220000-memory.dmp	family_sectoprat

Loads dropped DLL 1 IoCs

Processes:

1f8dec69b76f70a555ed82874354b58e662a6fc382b45784e2cae8ae2978398c.exe

pid process

3508 1f8dec69b76f70a555ed82874354b58e662a6fc382b45784e2cae8ae2978398c.exe

pid	process
3508	1f8dec69b76f70a555ed82874354b58e662a6fc382b45784e2cae8ae2978398c.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

powershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1968775928-2924269989-3510977013-1000\Software\Microsoft\Windows\CurrentVersion\Run\Dynamics_in_sales_figures_in_the_report = "C:\\Users\\Admin\\AppData\\Local\\Dynamics_in_sales_figures_in_the_report\\Dynamics_in_sales_figures_in_the_report.exe"	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

12 pastebin.com
13 pastebin.com

flow	ioc
12	pastebin.com
13	pastebin.com

Suspicious use of SetThreadContext 1 IoCs

Processes:

1f8dec69b76f70a555ed82874354b58e662a6fc382b45784e2cae8ae2978398c.exe

description	pid	process	target process
PID 3508 set thread context of 4280	3508	1f8dec69b76f70a555ed82874354b58e662a6fc382b45784e2cae8ae2978398c.exe	InstallUtil.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exe

pid process

1344 powershell.exe
1344 powershell.exe
1344 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

InstallUtil.exepowershell.exe

description pid process

Token: SeDebugPrivilege 4280 InstallUtil.exe
Token: SeDebugPrivilege 1344 powershell.exe

pid	process
1344	powershell.exe
1344	powershell.exe
1344	powershell.exe

description	pid	process
Token: SeDebugPrivilege	4280	InstallUtil.exe
Token: SeDebugPrivilege	1344	powershell.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

1f8dec69b76f70a555ed82874354b58e662a6fc382b45784e2cae8ae2978398c.exe

description	pid	process	target process
PID 3508 wrote to memory of 4280	3508	1f8dec69b76f70a555ed82874354b58e662a6fc382b45784e2cae8ae2978398c.exe	InstallUtil.exe
PID 3508 wrote to memory of 4280	3508	1f8dec69b76f70a555ed82874354b58e662a6fc382b45784e2cae8ae2978398c.exe	InstallUtil.exe
PID 3508 wrote to memory of 4280	3508	1f8dec69b76f70a555ed82874354b58e662a6fc382b45784e2cae8ae2978398c.exe	InstallUtil.exe
PID 3508 wrote to memory of 4280	3508	1f8dec69b76f70a555ed82874354b58e662a6fc382b45784e2cae8ae2978398c.exe	InstallUtil.exe
PID 3508 wrote to memory of 4280	3508	1f8dec69b76f70a555ed82874354b58e662a6fc382b45784e2cae8ae2978398c.exe	InstallUtil.exe
PID 3508 wrote to memory of 4280	3508	1f8dec69b76f70a555ed82874354b58e662a6fc382b45784e2cae8ae2978398c.exe	InstallUtil.exe
PID 3508 wrote to memory of 4280	3508	1f8dec69b76f70a555ed82874354b58e662a6fc382b45784e2cae8ae2978398c.exe	InstallUtil.exe
PID 3508 wrote to memory of 4280	3508	1f8dec69b76f70a555ed82874354b58e662a6fc382b45784e2cae8ae2978398c.exe	InstallUtil.exe
PID 3508 wrote to memory of 1344	3508	1f8dec69b76f70a555ed82874354b58e662a6fc382b45784e2cae8ae2978398c.exe	powershell.exe
PID 3508 wrote to memory of 1344	3508	1f8dec69b76f70a555ed82874354b58e662a6fc382b45784e2cae8ae2978398c.exe	powershell.exe
PID 3508 wrote to memory of 1344	3508	1f8dec69b76f70a555ed82874354b58e662a6fc382b45784e2cae8ae2978398c.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\1f8dec69b76f70a555ed82874354b58e662a6fc382b45784e2cae8ae2978398c.exe
"C:\Users\Admin\AppData\Local\Temp\1f8dec69b76f70a555ed82874354b58e662a6fc382b45784e2cae8ae2978398c.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3508
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4280
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Dynamics_in_sales_figures_in_the_report';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Dynamics_in_sales_figures_in_the_report' -Value '"C:\Users\Admin\AppData\Local\Dynamics_in_sales_figures_in_the_report\Dynamics_in_sales_figures_in_the_report.exe"' -PropertyType 'String'
  2⤵
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sbbkwlvd.kee.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\Users\Admin\AppData\Local\Temp\Protect544cd51a.dll

Filesize
583KB

MD5
6e67e80ef1b5807920c3f08d853f8dec

SHA1
00519629523d3b92db113799c7fcba1a39e8ea56

SHA256
d391675ac92420fbaf9f2ec39118d1d0fc112041cb04d78e95adc7b1a0dad150

SHA512
e6e8534a09cc070156dda4b4ed32a52ffbb43c9b231cd9e766558bab986b9d2dd96741260c61a4b1c6bffb3813e92dbeec19b1935612e4be22195ff56977292a

Download Submit
memory/1344-64-0x0000000009190000-0x0000000009235000-memory.dmp

Filesize
660KB

Download
memory/1344-292-0x0000000073D20000-0x000000007440E000-memory.dmp

Filesize
6.9MB

Download
memory/1344-264-0x0000000009300000-0x0000000009308000-memory.dmp

Filesize
32KB

Download
memory/1344-259-0x0000000009320000-0x000000000933A000-memory.dmp

Filesize
104KB

Download
memory/1344-281-0x0000000009370000-0x000000000938A000-memory.dmp

Filesize
104KB

Download
memory/1344-66-0x00000000093C0000-0x0000000009454000-memory.dmp

Filesize
592KB

Download
memory/1344-65-0x0000000006A30000-0x0000000006A40000-memory.dmp

Filesize
64KB

Download
memory/1344-58-0x0000000071440000-0x000000007148B000-memory.dmp

Filesize
300KB

Download
memory/1344-32-0x0000000073D20000-0x000000007440E000-memory.dmp

Filesize
6.9MB

Download
memory/1344-59-0x0000000009030000-0x000000000904E000-memory.dmp

Filesize
120KB

Download
memory/1344-57-0x0000000009050000-0x0000000009083000-memory.dmp

Filesize
204KB

Download
memory/1344-282-0x0000000009460000-0x0000000009482000-memory.dmp

Filesize
136KB

Download
memory/1344-40-0x0000000007FE0000-0x0000000008056000-memory.dmp

Filesize
472KB

Download
memory/1344-39-0x0000000007CA0000-0x0000000007CEB000-memory.dmp

Filesize
300KB

Download
memory/1344-38-0x00000000077F0000-0x000000000780C000-memory.dmp

Filesize
112KB

Download
memory/1344-37-0x0000000007890000-0x0000000007BE0000-memory.dmp

Filesize
3.3MB

Download
memory/1344-36-0x0000000007740000-0x00000000077A6000-memory.dmp

Filesize
408KB

Download
memory/1344-35-0x0000000007820000-0x0000000007886000-memory.dmp

Filesize
408KB

Download
memory/1344-34-0x00000000076A0000-0x00000000076C2000-memory.dmp

Filesize
136KB

Download
memory/1344-33-0x0000000007070000-0x0000000007698000-memory.dmp

Filesize
6.2MB

Download
memory/1344-31-0x0000000004470000-0x00000000044A6000-memory.dmp

Filesize
216KB

Download
memory/3508-16-0x0000000005C10000-0x0000000005C20000-memory.dmp

Filesize
64KB

Download
memory/3508-12-0x0000000005C10000-0x0000000005C20000-memory.dmp

Filesize
64KB

Download
memory/3508-21-0x0000000006730000-0x0000000006C2E000-memory.dmp

Filesize
5.0MB

Download
memory/3508-1-0x0000000073D20000-0x000000007440E000-memory.dmp

Filesize
6.9MB

Download
memory/3508-27-0x0000000073D20000-0x000000007440E000-memory.dmp

Filesize
6.9MB

Download
memory/3508-2-0x0000000005800000-0x000000000589C000-memory.dmp

Filesize
624KB

Download
memory/3508-3-0x0000000073D20000-0x000000007440E000-memory.dmp

Filesize
6.9MB

Download
memory/3508-17-0x0000000006120000-0x0000000006220000-memory.dmp

Filesize
1024KB

Download
memory/3508-18-0x0000000006120000-0x0000000006220000-memory.dmp

Filesize
1024KB

Download
memory/3508-20-0x0000000006120000-0x0000000006220000-memory.dmp

Filesize
1024KB

Download
memory/3508-4-0x0000000005C10000-0x0000000005C20000-memory.dmp

Filesize
64KB

Download
memory/3508-15-0x0000000005C10000-0x0000000005C20000-memory.dmp

Filesize
64KB

Download
memory/3508-0-0x0000000000AE0000-0x0000000000ECA000-memory.dmp

Filesize
3.9MB

Download
memory/3508-11-0x0000000005C10000-0x0000000005C20000-memory.dmp

Filesize
64KB

Download
memory/3508-14-0x0000000005C10000-0x0000000005C20000-memory.dmp

Filesize
64KB

Download
memory/3508-13-0x0000000006070000-0x0000000006080000-memory.dmp

Filesize
64KB

Download
memory/3508-5-0x0000000005C20000-0x0000000005DB2000-memory.dmp

Filesize
1.6MB

Download
memory/4280-28-0x00000000057F0000-0x0000000005840000-memory.dmp

Filesize
320KB

Download
memory/4280-19-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/4280-22-0x0000000005750000-0x00000000057E2000-memory.dmp

Filesize
584KB

Download
memory/4280-25-0x0000000005AC0000-0x0000000005C82000-memory.dmp

Filesize
1.8MB

Download
memory/4280-26-0x0000000073D20000-0x000000007440E000-memory.dmp

Filesize
6.9MB

Download
memory/4280-293-0x0000000073D20000-0x000000007440E000-memory.dmp

Filesize
6.9MB

Download