Overview

overview

10

Static

static

3

winprofile

windows7-x64

10

winprofile

windows10-1703-x64

10

Analysis

  • max time kernel
    32s
  • max time network
    293s
  • platform
    windows10-1703_x64
  • resource
    win10-20231215-en
  • resource tags

    arch:x64arch:x86image:win10-20231215-enlocale:en-usos:windows10-1703-x64system
  • submitted
    02-02-2024 04:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    906623a415b6de1164c7798d3743a5fc06ca0ccc58ca76c8b35ef0a674991608.exe

  • Size

    3.7MB

  • MD5

    eca96e3eb1fe44265acc31373a1dadb9

  • SHA1

    3221c9a9d13cc4b0ae24b7d2cc807f18feb3ea4f

  • SHA256

    906623a415b6de1164c7798d3743a5fc06ca0ccc58ca76c8b35ef0a674991608

  • SHA512

    ce2829831d5e5bc8783dc1d871957184f48504bd2aa741456dab29dbdac72b1ad1c110964232655cae67992283dadfc96f46417bacb700b1bd55ba4b6494a6a1

  • SSDEEP

    98304:lbPH543INzdx/9yiXGBwmcFBcBL+PRao/Szic:lb/5cUxllGBgFamYF

Score
10/10
sectopratrattrojan

Malware Config

Signatures

  • Detects Arechclient2 RAT 1 IoCs

    Arechclient2.

  • SectopRAT

    SectopRAT is a remote access trojan first seen in November 2019.

    trojanratsectoprat
  • SectopRAT payload 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\906623a415b6de1164c7798d3743a5fc06ca0ccc58ca76c8b35ef0a674991608.exe
    "C:\Users\Admin\AppData\Local\Temp\906623a415b6de1164c7798d3743a5fc06ca0ccc58ca76c8b35ef0a674991608.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4292
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Tests_for_preparation_for_the_academy';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Tests_for_preparation_for_the_academy' -Value '"C:\Users\Admin\AppData\Local\Tests_for_preparation_for_the_academy\Tests_for_preparation_for_the_academy.exe"' -PropertyType 'String'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2112
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4132

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_v3x5pzgx.dak.ps1
    Filesize

    1B

    MD5

    c4ca4238a0b923820dcc509a6f75849b

    SHA1

    356a192b7913b04c54574d18c28d46e6395428ab

    SHA256

    6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

    SHA512

    4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmpFC25.tmp
    Filesize

    20KB

    MD5

    c9ff7748d8fcef4cf84a5501e996a641

    SHA1

    02867e5010f62f97ebb0cfb32cb3ede9449fe0c9

    SHA256

    4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988

    SHA512

    d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

    Download Submit

  • \Users\Admin\AppData\Local\Temp\Protect544cd51a.dll
    Filesize

    308KB

    MD5

    fa5b8977def37982e2f3f1e463c258cf

    SHA1

    c9d79088345b5e19cbd76bb8c7bfd41b586a95e9

    SHA256

    77406f13b276ae896ba68d04c068d5cdda000d8fd90982e12f6e9e89d3b30898

    SHA512

    d4d4b506a34eaa80226f8b3e8bdb9bc6f4468554b2776b187d711ff5fb4dcb03b5b3bd1b2529ce2ff71e551422a23ac594687cd2889b426b974ffc458ece5a6e

    Download Submit

  • memory/2112-33-0x00000000049A0000-0x00000000049D6000-memory.dmp

    Filesize

    216KB

    Download

  • memory/2112-309-0x0000000073DA0000-0x000000007448E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2112-298-0x0000000009950000-0x000000000996A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/2112-299-0x00000000099A0000-0x00000000099C2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/2112-267-0x0000000009850000-0x000000000986A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/2112-64-0x000000007ED20000-0x000000007ED30000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2112-66-0x0000000071440000-0x000000007148B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/2112-74-0x00000000098B0000-0x0000000009944000-memory.dmp

    Filesize

    592KB

    Download

  • memory/2112-73-0x00000000049F0000-0x0000000004A00000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2112-67-0x0000000009570000-0x000000000958E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/2112-72-0x00000000096E0000-0x0000000009785000-memory.dmp

    Filesize

    660KB

    Download

  • memory/2112-35-0x0000000073DA0000-0x000000007448E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2112-38-0x00000000049F0000-0x0000000004A00000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2112-37-0x00000000049F0000-0x0000000004A00000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2112-42-0x0000000007D00000-0x0000000007D66000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2112-65-0x00000000095B0000-0x00000000095E3000-memory.dmp

    Filesize

    204KB

    Download

  • memory/2112-44-0x0000000007D70000-0x00000000080C0000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/2112-272-0x0000000009840000-0x0000000009848000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2112-47-0x00000000081D0000-0x000000000821B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/2112-45-0x00000000081A0000-0x00000000081BC000-memory.dmp

    Filesize

    112KB

    Download

  • memory/2112-41-0x0000000007C90000-0x0000000007CF6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2112-36-0x0000000007410000-0x0000000007A38000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/2112-40-0x0000000007A90000-0x0000000007AB2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/4132-28-0x00000000058B0000-0x00000000058C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4132-22-0x0000000000400000-0x00000000004D4000-memory.dmp

    Filesize

    848KB

    Download

  • memory/4132-310-0x0000000073DA0000-0x000000007448E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/4132-29-0x00000000058C0000-0x0000000005A82000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/4132-25-0x0000000073DA0000-0x000000007448E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/4132-46-0x0000000005DA0000-0x0000000005DBE000-memory.dmp

    Filesize

    120KB

    Download

  • memory/4132-23-0x00000000055C0000-0x0000000005652000-memory.dmp

    Filesize

    584KB

    Download

  • memory/4132-39-0x0000000005830000-0x00000000058A6000-memory.dmp

    Filesize

    472KB

    Download

  • memory/4132-311-0x00000000058B0000-0x00000000058C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4132-43-0x00000000069C0000-0x0000000006EEC000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/4132-34-0x00000000056E0000-0x0000000005730000-memory.dmp

    Filesize

    320KB

    Download

  • memory/4292-21-0x0000000007510000-0x0000000007610000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/4292-12-0x0000000005AF0000-0x0000000005B00000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4292-30-0x0000000073DA0000-0x000000007448E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/4292-19-0x0000000007510000-0x0000000007610000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/4292-18-0x0000000005AF0000-0x0000000005B00000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4292-17-0x0000000005AF0000-0x0000000005B00000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4292-16-0x0000000005AF0000-0x0000000005B00000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4292-15-0x0000000007460000-0x0000000007470000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4292-14-0x0000000005AF0000-0x0000000005B00000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4292-24-0x0000000007C50000-0x000000000814E000-memory.dmp

    Filesize

    5.0MB

    Download

  • memory/4292-0-0x0000000000C20000-0x0000000000FE4000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/4292-13-0x0000000005AF0000-0x0000000005B00000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4292-2-0x0000000005820000-0x00000000058BC000-memory.dmp

    Filesize

    624KB

    Download

  • memory/4292-5-0x0000000005D00000-0x0000000005F6A000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/4292-6-0x00000000070A0000-0x0000000007232000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4292-4-0x0000000005AF0000-0x0000000005B00000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4292-3-0x0000000073DA0000-0x000000007448E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/4292-1-0x0000000073DA0000-0x000000007448E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/4292-20-0x0000000007510000-0x0000000007610000-memory.dmp

    Filesize

    1024KB

    Download