sectoprat | 33517bc5bc45adf5bbb741822b1fcce08f83b32a5ebd89dcd1038f4d23fcfd74

Analysis

max time kernel
141s
max time network
151s
platform
windows11-21h2_x64
resource
win11-20240412-en
resource tags

arch:x64arch:x86image:win11-20240412-enlocale:en-usos:windows11-21h2-x64system
submitted
22/04/2024, 12:33

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

33517bc5bc45adf5bbb741822b1fcce08f83b32a5ebd89dcd1038f4d23fcfd74.exe
Size

415KB
MD5

2db819c7b4fd221df0ea591c26357844
SHA1

b77cf650fca15b35a1694bb409270892be53d70d
SHA256

33517bc5bc45adf5bbb741822b1fcce08f83b32a5ebd89dcd1038f4d23fcfd74
SHA512

331fd4bff8f92b280399e9ead36361e55f6303ae213e249813e7c680ab6c71b826184a1618f93c285b611f49ce4323df4873b67100ab769881a1cd924df1cc9e
SSDEEP

6144:YKkvQFITU9Ldd19xaz94FF9CbCix9/iJSiROJPnmTxUhJrP:rkv0ITU9pDq0LC+49aJSYOPnkgP

Score

10^/10

sectoprat stealc rat stealer trojan

Malware Config

Signatures

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 1 IoCs

resource	yara_rule
behavioral2/memory/3228-113-0x00000000011A0000-0x0000000001266000-memory.dmp	family_sectoprat

Stealc
Stealc is an infostealer written in C++.
stealer stealc
Downloads MZ/PE file

Executes dropped EXE 4 IoCs

pid	Process
2428	u3rs.0.exe
800	Qg_Appv5.exe
2864	ptInst.exe
3780	ptInst.exe

Loads dropped DLL 7 IoCs

pid	Process
2864	ptInst.exe
2864	ptInst.exe
2864	ptInst.exe
3780	ptInst.exe
3780	ptInst.exe
3780	ptInst.exe
3780	ptInst.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3780 set thread context of 2624	3780	ptInst.exe	89
PID 2624 set thread context of 3228	2624	cmd.exe	92

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
420	2428	WerFault.exe	80

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
800	Qg_Appv5.exe
800	Qg_Appv5.exe
800	Qg_Appv5.exe
800	Qg_Appv5.exe
2864	ptInst.exe
3780	ptInst.exe
3780	ptInst.exe
2624	cmd.exe
2624	cmd.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
3780	ptInst.exe
2624	cmd.exe
2624	cmd.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3228	MSBuild.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 4888 wrote to memory of 2428	4888	33517bc5bc45adf5bbb741822b1fcce08f83b32a5ebd89dcd1038f4d23fcfd74.exe	80
PID 4888 wrote to memory of 2428	4888	33517bc5bc45adf5bbb741822b1fcce08f83b32a5ebd89dcd1038f4d23fcfd74.exe	80
PID 4888 wrote to memory of 2428	4888	33517bc5bc45adf5bbb741822b1fcce08f83b32a5ebd89dcd1038f4d23fcfd74.exe	80
PID 4888 wrote to memory of 800	4888	33517bc5bc45adf5bbb741822b1fcce08f83b32a5ebd89dcd1038f4d23fcfd74.exe	86
PID 4888 wrote to memory of 800	4888	33517bc5bc45adf5bbb741822b1fcce08f83b32a5ebd89dcd1038f4d23fcfd74.exe	86
PID 4888 wrote to memory of 800	4888	33517bc5bc45adf5bbb741822b1fcce08f83b32a5ebd89dcd1038f4d23fcfd74.exe	86
PID 800 wrote to memory of 2864	800	Qg_Appv5.exe	87
PID 800 wrote to memory of 2864	800	Qg_Appv5.exe	87
PID 800 wrote to memory of 2864	800	Qg_Appv5.exe	87
PID 2864 wrote to memory of 3780	2864	ptInst.exe	88
PID 2864 wrote to memory of 3780	2864	ptInst.exe	88
PID 2864 wrote to memory of 3780	2864	ptInst.exe	88
PID 3780 wrote to memory of 2624	3780	ptInst.exe	89
PID 3780 wrote to memory of 2624	3780	ptInst.exe	89
PID 3780 wrote to memory of 2624	3780	ptInst.exe	89
PID 3780 wrote to memory of 2624	3780	ptInst.exe	89
PID 2624 wrote to memory of 3228	2624	cmd.exe	92
PID 2624 wrote to memory of 3228	2624	cmd.exe	92
PID 2624 wrote to memory of 3228	2624	cmd.exe	92
PID 2624 wrote to memory of 3228	2624	cmd.exe	92
PID 2624 wrote to memory of 3228	2624	cmd.exe	92

C:\Users\Admin\AppData\Local\Temp\33517bc5bc45adf5bbb741822b1fcce08f83b32a5ebd89dcd1038f4d23fcfd74.exe
"C:\Users\Admin\AppData\Local\Temp\33517bc5bc45adf5bbb741822b1fcce08f83b32a5ebd89dcd1038f4d23fcfd74.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4888
- C:\Users\Admin\AppData\Local\Temp\u3rs.0.exe
  "C:\Users\Admin\AppData\Local\Temp\u3rs.0.exe"
  2⤵
  - Executes dropped EXE
  PID:2428
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2428 -s 1368
    3⤵
    - Program crash
    PID:420
- C:\Users\Admin\AppData\Local\Temp\Qg_Appv5.exe
  "C:\Users\Admin\AppData\Local\Temp\Qg_Appv5.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:800
- - C:\Users\Admin\AppData\Local\Temp\Uninstallcheck_alpha\ptInst.exe
    C:\Users\Admin\AppData\Local\Temp\Uninstallcheck_alpha\ptInst.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2864
  - - C:\Users\Admin\AppData\Roaming\Uninstallcheck_alpha\ptInst.exe
      C:\Users\Admin\AppData\Roaming\Uninstallcheck_alpha\ptInst.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:3780
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\SysWOW64\cmd.exe
        5⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:2624
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2428 -ip 2428
1⤵
PID:2976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4f4eb097

Filesize
3.8MB

MD5
13418f74a7ce25cdd6997c9fcb718a0e

SHA1
f4c880821fee72c37c882b1e8ebf100efcafe31c

SHA256
a890935a36903669f35522c85c75e296404a4595453f060398cb64c5b0d6dfd0

SHA512
59017162877bbbdf823450a946e3e54e9130d8ebbf5baba24471c68a10d1fad3452be08c693cd7a78d0bf2fcfd6d3086edeec1a379f9b53fd66bb246c128d4c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\5dbac20d

Filesize
1.4MB

MD5
a7edd64c42d35c12a32ed2a558651494

SHA1
c786deabe6e5402e2c907846ce7c4d7357708ccf

SHA256
2aa90421c03488bad6e2b5af6dbbcbbc1bcf8f0419a3caa06c4836ec7d69152b

SHA512
8521e51fe6e3325da64695fc12d9f5081254031af72fa70a74cbf94c0d1ac2e002526d0566661d0f274045a340bdb7c20a877a4ae9c97b9d13e136ec2c2efafc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qg_Appv5.exe

Filesize
7.6MB

MD5
862bf3003dca41d88ac49a6846149623

SHA1
b34f1d42dd0649d6b83f9a92124a554f48df0434

SHA256
50c10789db130a98c63e6e7f6e23b1c89b38c5ea4678f1e06fd1796fba25c75c

SHA512
fe5ab7888633dbfecca57ecd1732360796c2f19c62fc4282e2a92e9b8b440cc01e25b7a0c6a608cf9c2e9c9e3c49a8509a08851afcaef7e1afc21c0abcc2c969

Download Submit
C:\Users\Admin\AppData\Local\Temp\Uninstallcheck_alpha\WCLDll.dll

Filesize
590KB

MD5
63206e3b4f1fa4dcfbe1f2cc5d0c4e9d

SHA1
fe731b2e9c296d9ecc75ed96c2d29fe46c7cd924

SHA256
8f5b8645b5e5ea48acc411b21a1b3cd56d2660ac931989b9f064c8ff82039885

SHA512
32bdcce9e8e7f1ebe50e114f65f762391d52f482a112515ccb16b09653b93873528ea1a7473a2512075bf8f729997a65f455bf6599482e997b85e06a2f87f3d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Uninstallcheck_alpha\cosmetician.mpeg

Filesize
79KB

MD5
8e1bbc6d6c4d207393b59853f73945ae

SHA1
b66d632eae41267175bf5332d43a785dd929d79f

SHA256
b04725aaa99b27e04c02bec7d98fb4511331ea53761272325fff9c27a679e279

SHA512
1b45a7be00f54498df289641745ca6ee99e11d63100fb838b96c2d9412f8b5f0ea5aa8b964f32a4f9182cd599765f5ca08b91e8e8eecd06d1c53543284a59001

Download Submit
C:\Users\Admin\AppData\Local\Temp\Uninstallcheck_alpha\msvcp140.dll

Filesize
427KB

MD5
71a0aa2d05e9174cefd568347bd9c70f

SHA1
cb9247a0fa59e47f72df7d1752424b33a903bbb2

SHA256
fdb3d86c512adff90967cb860d02a4682850ab96727f0376e4d4836504c50e47

SHA512
6e65520528facaa4058720eb16d6bfdcc7bb36923b7e8e6551f3526709f0fabafab123999e618438e6abe7efed4a1332547cfc988f2b24b0e3d91198b95a911a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Uninstallcheck_alpha\ptInst.exe

Filesize
938KB

MD5
b15bac961f62448c872e1dc6d3931016

SHA1
1dcb61babb08fe5db711e379cb67335357a5db82

SHA256
bf1a0c67b433f52ebd304553f022baa34bfbca258c932d2b4b8b956b1467bfa5

SHA512
932119f7dc6710239481c80ad8baaed5c14a2085fcc514b6522671b1a4ebbaf488e43453f11d5aaf6dcef7a245db8de44d93ff255f7cf8385b7d00f31f2cc370

Download Submit
C:\Users\Admin\AppData\Local\Temp\Uninstallcheck_alpha\quersprung.vhd

Filesize
1.3MB

MD5
3bee67dd0e04559c8fdc7761336dee47

SHA1
027ef9dca01fb928db79e57b418130165f06ed5f

SHA256
57745aba2885cf8bf770e7e9195697c05e35333417ca23af153367bf31cbf812

SHA512
35fb66f98a57b0d14c3044a91abac3e0670d516edfd691d6670df034e8454c550d3d2e702ab90cd32b70fcba8aeb2e02b7b3a07b6a340a932738968473f77dce

Download Submit
C:\Users\Admin\AppData\Local\Temp\Uninstallcheck_alpha\vcruntime140.dll

Filesize
81KB

MD5
16b26bc43943531d7d7e379632ed4e63

SHA1
565287de39649e59e653a3612478c2186096d70a

SHA256
346f72c9a7584c2ab6ce65cd38a616c77ebddc0bbab2274c4e89dd5e62237517

SHA512
b5b7b4b8c5ab4276a34956e43f586272b1803ec3609253fee1bcc0a549aed7ba11d47404b023f7b67af701726bab95cca55738e7bd5bca272eca5ac71bb418cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\u3rs.0.exe

Filesize
270KB

MD5
ed299ec697e23c6b62fac53ea4758a6b

SHA1
de5d9a926681c63c41b6ec29eb3b8522dfe5c84e

SHA256
a5863b69f1f7b4cd895754679831f8ee5eef8c41c4c72a9319bd47afcb1d4b22

SHA512
29b7ba235e2c2a58ef446d7e7320831172bb969851f4d493050378a475c0f1751babc6edb9abb433f9a3a2b7b29d09d3817b9b8aedd08b3c277471092402118a

Download Submit
memory/800-60-0x00000000736E0000-0x000000007385D000-memory.dmp

Filesize
1.5MB

Download
memory/800-37-0x0000000000400000-0x0000000000BEB000-memory.dmp

Filesize
7.9MB

Download
memory/800-38-0x00000000029D0000-0x00000000029D1000-memory.dmp

Filesize
4KB

Download
memory/800-96-0x0000000000400000-0x0000000000BEB000-memory.dmp

Filesize
7.9MB

Download
memory/800-44-0x00000000736E0000-0x000000007385D000-memory.dmp

Filesize
1.5MB

Download
memory/800-45-0x00007FFFCE520000-0x00007FFFCE729000-memory.dmp

Filesize
2.0MB

Download
memory/800-47-0x00000000736E0000-0x000000007385D000-memory.dmp

Filesize
1.5MB

Download
memory/800-95-0x00000000736E0000-0x000000007385D000-memory.dmp

Filesize
1.5MB

Download
memory/800-59-0x00000000736E0000-0x000000007385D000-memory.dmp

Filesize
1.5MB

Download
memory/2428-14-0x00000000030B0000-0x00000000030D7000-memory.dmp

Filesize
156KB

Download
memory/2428-13-0x0000000002D60000-0x0000000002E60000-memory.dmp

Filesize
1024KB

Download
memory/2428-16-0x0000000000400000-0x0000000002C26000-memory.dmp

Filesize
40.1MB

Download
memory/2428-15-0x0000000000400000-0x0000000002C26000-memory.dmp

Filesize
40.1MB

Download
memory/2624-112-0x00000000736E0000-0x000000007385D000-memory.dmp

Filesize
1.5MB

Download
memory/2624-99-0x00000000736E0000-0x000000007385D000-memory.dmp

Filesize
1.5MB

Download
memory/2624-106-0x00000000736E0000-0x000000007385D000-memory.dmp

Filesize
1.5MB

Download
memory/2624-105-0x00000000736E0000-0x000000007385D000-memory.dmp

Filesize
1.5MB

Download
memory/2624-101-0x00007FFFCE520000-0x00007FFFCE729000-memory.dmp

Filesize
2.0MB

Download
memory/2864-72-0x00000000736E0000-0x000000007385D000-memory.dmp

Filesize
1.5MB

Download
memory/2864-73-0x00007FFFCE520000-0x00007FFFCE729000-memory.dmp

Filesize
2.0MB

Download
memory/3228-116-0x0000000005FA0000-0x0000000006546000-memory.dmp

Filesize
5.6MB

Download
memory/3228-118-0x0000000005CB0000-0x0000000005E72000-memory.dmp

Filesize
1.8MB

Download
memory/3228-124-0x0000000005AD0000-0x0000000005AE0000-memory.dmp

Filesize
64KB

Download
memory/3228-123-0x0000000073BE0000-0x0000000074391000-memory.dmp

Filesize
7.7MB

Download
memory/3228-117-0x0000000005AD0000-0x0000000005AE0000-memory.dmp

Filesize
64KB

Download
memory/3228-115-0x0000000005950000-0x00000000059E2000-memory.dmp

Filesize
584KB

Download
memory/3228-114-0x0000000073BE0000-0x0000000074391000-memory.dmp

Filesize
7.7MB

Download
memory/3228-113-0x00000000011A0000-0x0000000001266000-memory.dmp

Filesize
792KB

Download
memory/3228-121-0x0000000005B60000-0x0000000005BD6000-memory.dmp

Filesize
472KB

Download
memory/3228-119-0x0000000005A10000-0x0000000005A60000-memory.dmp

Filesize
320KB

Download
memory/3228-109-0x0000000072170000-0x0000000073487000-memory.dmp

Filesize
19.1MB

Download
memory/3780-97-0x00000000736E0000-0x000000007385D000-memory.dmp

Filesize
1.5MB

Download
memory/3780-92-0x00000000736E0000-0x000000007385D000-memory.dmp

Filesize
1.5MB

Download
memory/3780-94-0x00000000736E0000-0x000000007385D000-memory.dmp

Filesize
1.5MB

Download
memory/3780-93-0x00007FFFCE520000-0x00007FFFCE729000-memory.dmp

Filesize
2.0MB

Download
memory/4888-2-0x0000000004B10000-0x0000000004B7E000-memory.dmp

Filesize
440KB

Download
memory/4888-17-0x0000000000400000-0x0000000002C4A000-memory.dmp

Filesize
40.3MB

Download
memory/4888-20-0x0000000004B10000-0x0000000004B7E000-memory.dmp

Filesize
440KB

Download
memory/4888-3-0x0000000000400000-0x0000000002C4A000-memory.dmp

Filesize
40.3MB

Download
memory/4888-1-0x0000000002E50000-0x0000000002F50000-memory.dmp

Filesize
1024KB

Download
memory/4888-19-0x0000000002E50000-0x0000000002F50000-memory.dmp

Filesize
1024KB

Download
memory/4888-48-0x0000000000400000-0x0000000002C4A000-memory.dmp

Filesize
40.3MB

Download