sectoprat | 906623a415b6de1164c7798d3743a5fc06ca0ccc58ca76c8b35ef0a674991608

Analysis

max time kernel
298s
max time network
301s
platform
windows10-1703_x64
resource
win10-20231220-en
resource tags

arch:x64arch:x86image:win10-20231220-enlocale:en-usos:windows10-1703-x64system
submitted
01-02-2024 04:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

906623a415b6de1164c7798d3743a5fc06ca0ccc58ca76c8b35ef0a674991608.exe
Size

3.7MB
MD5

eca96e3eb1fe44265acc31373a1dadb9
SHA1

3221c9a9d13cc4b0ae24b7d2cc807f18feb3ea4f
SHA256

906623a415b6de1164c7798d3743a5fc06ca0ccc58ca76c8b35ef0a674991608
SHA512

ce2829831d5e5bc8783dc1d871957184f48504bd2aa741456dab29dbdac72b1ad1c110964232655cae67992283dadfc96f46417bacb700b1bd55ba4b6494a6a1
SSDEEP

98304:lbPH543INzdx/9yiXGBwmcFBcBL+PRao/Szic:lb/5cUxllGBgFamYF

Score

10^/10

sectoprat persistence rat trojan

Malware Config

Signatures

Detects Arechclient2 RAT 1 IoCs

Arechclient2.

Processes:

resource	yara_rule
behavioral2/memory/3260-21-0x0000000000400000-0x00000000004D4000-memory.dmp	MALWARE_Win_Arechclient

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3260-21-0x0000000000400000-0x00000000004D4000-memory.dmp	family_sectoprat

Loads dropped DLL 1 IoCs

Processes:

906623a415b6de1164c7798d3743a5fc06ca0ccc58ca76c8b35ef0a674991608.exe

pid process

212 906623a415b6de1164c7798d3743a5fc06ca0ccc58ca76c8b35ef0a674991608.exe

pid	process
212	906623a415b6de1164c7798d3743a5fc06ca0ccc58ca76c8b35ef0a674991608.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

powershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000\Software\Microsoft\Windows\CurrentVersion\Run\Tests_for_preparation_for_the_academy = "C:\\Users\\Admin\\AppData\\Local\\Tests_for_preparation_for_the_academy\\Tests_for_preparation_for_the_academy.exe"	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

5 pastebin.com
6 pastebin.com

flow	ioc
5	pastebin.com
6	pastebin.com

Suspicious use of SetThreadContext 1 IoCs

Processes:

906623a415b6de1164c7798d3743a5fc06ca0ccc58ca76c8b35ef0a674991608.exe

description	pid	process	target process
PID 212 set thread context of 3260	212	906623a415b6de1164c7798d3743a5fc06ca0ccc58ca76c8b35ef0a674991608.exe	InstallUtil.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exe

pid process

2940 powershell.exe
2940 powershell.exe
2940 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

InstallUtil.exepowershell.exe

description pid process

Token: SeDebugPrivilege 3260 InstallUtil.exe
Token: SeDebugPrivilege 2940 powershell.exe

pid	process
2940	powershell.exe
2940	powershell.exe
2940	powershell.exe

description	pid	process
Token: SeDebugPrivilege	3260	InstallUtil.exe
Token: SeDebugPrivilege	2940	powershell.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

906623a415b6de1164c7798d3743a5fc06ca0ccc58ca76c8b35ef0a674991608.exe

description	pid	process	target process
PID 212 wrote to memory of 4508	212	906623a415b6de1164c7798d3743a5fc06ca0ccc58ca76c8b35ef0a674991608.exe	InstallUtil.exe
PID 212 wrote to memory of 4508	212	906623a415b6de1164c7798d3743a5fc06ca0ccc58ca76c8b35ef0a674991608.exe	InstallUtil.exe
PID 212 wrote to memory of 4508	212	906623a415b6de1164c7798d3743a5fc06ca0ccc58ca76c8b35ef0a674991608.exe	InstallUtil.exe
PID 212 wrote to memory of 2976	212	906623a415b6de1164c7798d3743a5fc06ca0ccc58ca76c8b35ef0a674991608.exe	InstallUtil.exe
PID 212 wrote to memory of 2976	212	906623a415b6de1164c7798d3743a5fc06ca0ccc58ca76c8b35ef0a674991608.exe	InstallUtil.exe
PID 212 wrote to memory of 2976	212	906623a415b6de1164c7798d3743a5fc06ca0ccc58ca76c8b35ef0a674991608.exe	InstallUtil.exe
PID 212 wrote to memory of 3260	212	906623a415b6de1164c7798d3743a5fc06ca0ccc58ca76c8b35ef0a674991608.exe	InstallUtil.exe
PID 212 wrote to memory of 3260	212	906623a415b6de1164c7798d3743a5fc06ca0ccc58ca76c8b35ef0a674991608.exe	InstallUtil.exe
PID 212 wrote to memory of 3260	212	906623a415b6de1164c7798d3743a5fc06ca0ccc58ca76c8b35ef0a674991608.exe	InstallUtil.exe
PID 212 wrote to memory of 3260	212	906623a415b6de1164c7798d3743a5fc06ca0ccc58ca76c8b35ef0a674991608.exe	InstallUtil.exe
PID 212 wrote to memory of 3260	212	906623a415b6de1164c7798d3743a5fc06ca0ccc58ca76c8b35ef0a674991608.exe	InstallUtil.exe
PID 212 wrote to memory of 3260	212	906623a415b6de1164c7798d3743a5fc06ca0ccc58ca76c8b35ef0a674991608.exe	InstallUtil.exe
PID 212 wrote to memory of 3260	212	906623a415b6de1164c7798d3743a5fc06ca0ccc58ca76c8b35ef0a674991608.exe	InstallUtil.exe
PID 212 wrote to memory of 3260	212	906623a415b6de1164c7798d3743a5fc06ca0ccc58ca76c8b35ef0a674991608.exe	InstallUtil.exe
PID 212 wrote to memory of 2940	212	906623a415b6de1164c7798d3743a5fc06ca0ccc58ca76c8b35ef0a674991608.exe	powershell.exe
PID 212 wrote to memory of 2940	212	906623a415b6de1164c7798d3743a5fc06ca0ccc58ca76c8b35ef0a674991608.exe	powershell.exe
PID 212 wrote to memory of 2940	212	906623a415b6de1164c7798d3743a5fc06ca0ccc58ca76c8b35ef0a674991608.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\906623a415b6de1164c7798d3743a5fc06ca0ccc58ca76c8b35ef0a674991608.exe
"C:\Users\Admin\AppData\Local\Temp\906623a415b6de1164c7798d3743a5fc06ca0ccc58ca76c8b35ef0a674991608.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:212
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Tests_for_preparation_for_the_academy';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Tests_for_preparation_for_the_academy' -Value '"C:\Users\Admin\AppData\Local\Tests_for_preparation_for_the_academy\Tests_for_preparation_for_the_academy.exe"' -PropertyType 'String'
  2⤵
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2940
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3260
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  2⤵
  PID:2976
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  2⤵
  PID:4508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_humpquad.ull.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\Users\Admin\AppData\Local\Temp\Protect544cd51a.dll

Filesize
13KB

MD5
9f0738b3af467270ec85efe043d6ef4c

SHA1
87303ce9abb7162b9cbaa699252720485ec9f04f

SHA256
07abd65c3c5feb01310f959cd5bb0b26bbf821ad96cf41a563113b62c234a2d5

SHA512
aba2fb9db22d27114ecb5b99c46cc956da58cf148943ea1402f960f109e2cf945d7ffa420de7afb7b715b9589dae8cf37107996f324f3193fdda293e2e56474e

Download Submit
memory/212-17-0x0000000005920000-0x0000000005930000-memory.dmp

Filesize
64KB

Download
memory/212-6-0x0000000006ED0000-0x0000000007062000-memory.dmp

Filesize
1.6MB

Download
memory/212-5-0x0000000005B30000-0x0000000005D9A000-memory.dmp

Filesize
2.4MB

Download
memory/212-4-0x0000000005920000-0x0000000005930000-memory.dmp

Filesize
64KB

Download
memory/212-2-0x0000000005820000-0x00000000058BC000-memory.dmp

Filesize
624KB

Download
memory/212-16-0x0000000005920000-0x0000000005930000-memory.dmp

Filesize
64KB

Download
memory/212-15-0x0000000005910000-0x0000000005920000-memory.dmp

Filesize
64KB

Download
memory/212-14-0x0000000005920000-0x0000000005930000-memory.dmp

Filesize
64KB

Download
memory/212-27-0x0000000073200000-0x00000000738EE000-memory.dmp

Filesize
6.9MB

Download
memory/212-3-0x0000000073200000-0x00000000738EE000-memory.dmp

Filesize
6.9MB

Download
memory/212-12-0x0000000005920000-0x0000000005930000-memory.dmp

Filesize
64KB

Download
memory/212-13-0x0000000005920000-0x0000000005930000-memory.dmp

Filesize
64KB

Download
memory/212-18-0x00000000075E0000-0x00000000076E0000-memory.dmp

Filesize
1024KB

Download
memory/212-19-0x00000000075E0000-0x00000000076E0000-memory.dmp

Filesize
1024KB

Download
memory/212-0-0x0000000000AA0000-0x0000000000E64000-memory.dmp

Filesize
3.8MB

Download
memory/212-20-0x00000000075E0000-0x00000000076E0000-memory.dmp

Filesize
1024KB

Download
memory/212-1-0x0000000073200000-0x00000000738EE000-memory.dmp

Filesize
6.9MB

Download
memory/212-23-0x0000000007C10000-0x000000000810E000-memory.dmp

Filesize
5.0MB

Download
memory/2940-38-0x0000000007740000-0x00000000077A6000-memory.dmp

Filesize
408KB

Download
memory/2940-60-0x00000000091B0000-0x00000000091E3000-memory.dmp

Filesize
204KB

Download
memory/2940-37-0x0000000006F00000-0x0000000006F22000-memory.dmp

Filesize
136KB

Download
memory/2940-32-0x0000000073200000-0x00000000738EE000-memory.dmp

Filesize
6.9MB

Download
memory/2940-34-0x0000000004620000-0x0000000004630000-memory.dmp

Filesize
64KB

Download
memory/2940-39-0x00000000077B0000-0x0000000007816000-memory.dmp

Filesize
408KB

Download
memory/2940-40-0x0000000007990000-0x0000000007CE0000-memory.dmp

Filesize
3.3MB

Download
memory/2940-41-0x0000000007840000-0x000000000785C000-memory.dmp

Filesize
112KB

Download
memory/2940-42-0x0000000007DE0000-0x0000000007E2B000-memory.dmp

Filesize
300KB

Download
memory/2940-35-0x0000000004620000-0x0000000004630000-memory.dmp

Filesize
64KB

Download
memory/2940-43-0x0000000008050000-0x00000000080C6000-memory.dmp

Filesize
472KB

Download
memory/2940-33-0x0000000004590000-0x00000000045C6000-memory.dmp

Filesize
216KB

Download
memory/2940-295-0x0000000073200000-0x00000000738EE000-memory.dmp

Filesize
6.9MB

Download
memory/2940-284-0x0000000009530000-0x000000000954A000-memory.dmp

Filesize
104KB

Download
memory/2940-285-0x0000000009580000-0x00000000095A2000-memory.dmp

Filesize
136KB

Download
memory/2940-262-0x0000000009440000-0x000000000945A000-memory.dmp

Filesize
104KB

Download
memory/2940-267-0x0000000009430000-0x0000000009438000-memory.dmp

Filesize
32KB

Download
memory/2940-62-0x0000000009170000-0x000000000918E000-memory.dmp

Filesize
120KB

Download
memory/2940-67-0x00000000091F0000-0x0000000009295000-memory.dmp

Filesize
660KB

Download
memory/2940-68-0x0000000004620000-0x0000000004630000-memory.dmp

Filesize
64KB

Download
memory/2940-69-0x0000000009490000-0x0000000009524000-memory.dmp

Filesize
592KB

Download
memory/2940-61-0x0000000070910000-0x000000007095B000-memory.dmp

Filesize
300KB

Download
memory/2940-36-0x0000000006FB0000-0x00000000075D8000-memory.dmp

Filesize
6.2MB

Download
memory/3260-21-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/3260-22-0x0000000005040000-0x00000000050D2000-memory.dmp

Filesize
584KB

Download
memory/3260-25-0x0000000073200000-0x00000000738EE000-memory.dmp

Filesize
6.9MB

Download
memory/3260-28-0x0000000005350000-0x0000000005512000-memory.dmp

Filesize
1.8MB

Download
memory/3260-31-0x0000000005180000-0x00000000051D0000-memory.dmp

Filesize
320KB

Download
memory/3260-296-0x0000000073200000-0x00000000738EE000-memory.dmp

Filesize
6.9MB

Download