Analysis

  • max time kernel
    122s
  • max time network
    171s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    26-04-2024 10:08

General

  • Target

    349951ac18c322e5ce506de2451f93f0b6f915097e464f64f934bf66fb1fe4cd.exe

  • Size

    442KB

  • MD5

    5f356f42b80d282f8159d3ebe2f5e96a

  • SHA1

    1fd0b763d48a322256a097b97af2bff3457ef2f6

  • SHA256

    349951ac18c322e5ce506de2451f93f0b6f915097e464f64f934bf66fb1fe4cd

  • SHA512

    2ccf621132f85c586d20893a8e3ebe6ec739acc576ab2f87451c189f85f9038b819c0b12cebfc93922bf3d17dcd45f4d40649407e3e19e12ea34c707b6dc61cc

  • SSDEEP

    12288:8/YF+b8a+KLGNAKq48yhBV2S7PJwwh8na5rC:8Qw+1NE48yRZxwNna5rC

Malware Config

Signatures

  • SectopRAT

    SectopRAT is a remote access trojan first seen in November 2019.

  • SectopRAT payload (1 IoC)
  • Stealc

    Stealc is an infostealer written in C++.

  • Downloads MZ/PE file
  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE (1 IoC)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Program crash (1 IoC)
  • Suspicious use of WriteProcessMemory (3 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\349951ac18c322e5ce506de2451f93f0b6f915097e464f64f934bf66fb1fe4cd.exe
    "C:\Users\Admin\AppData\Local\Temp\349951ac18c322e5ce506de2451f93f0b6f915097e464f64f934bf66fb1fe4cd.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2332
    • C:\Users\Admin\AppData\Local\Temp\u1ss.0.exe
      "C:\Users\Admin\AppData\Local\Temp\u1ss.0.exe"
      2⤵
      • Executes dropped EXE
      PID:2400
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2400 -s 1148
        3⤵
        • Program crash
        PID:2024
    • C:\Users\Admin\AppData\Local\Temp\u1ss.2\run.exe
      "C:\Users\Admin\AppData\Local\Temp\u1ss.2\run.exe"
      2⤵
      PID:3660
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\SysWOW64\cmd.exe
        3⤵
        PID:3800
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
          C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
          4⤵
          PID:960
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4068 --field-trial-handle=2256,i,6670388345726423024,18382795228658886258,262144 --variations-seed-version /prefetch:8
    1⤵
    PID:1104
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2400 -ip 2400
    1⤵
    PID:1968

Network

MITRE ATT&CK Enterprise v15

Downloads

            • C:\Users\Admin\AppData\Local\Temp\681d78a6

              Filesize

              1.4MB

              MD5

              86dfc6af6f9c3cc6420677b031aa74c3

              SHA1

              a44f7b0debe0f8e9859c381f7ae73bec875bdcb1

              SHA256

              90269252551b2f4be013977a50012b0d3c28c0bdc92c31668996cbbf36c53b1b

              SHA512

              db4d2d8886081812e605ff1646fd929420375545e78e0cb41c26e9930f9c5d786e48d4e9dae6a35bafad7753e6c3422447aa073f1b82d8b9447ad57e591f376d

            • C:\Users\Admin\AppData\Local\Temp\u1ss.0.exe

              Filesize

              297KB

              MD5

              dc755a443b61deee2ea99e5f2360c414

              SHA1

              da5191cb200df63daa33a1c7632cd598ca09871a

              SHA256

              6a0a065c983fe5d0a5e3dcbee89a51dc92baf859e4a1c8dbd606569b317a7a75

              SHA512

              895b6c943e2ade9c7963db97395e3840b599328e4dcaf4d3e7cd453a65c7677cb4ba43e9289f50547afbe27d282fd2d6193f0aeeb39017c1b922569c75d2fe28

            • C:\Users\Admin\AppData\Local\Temp\u1ss.1.zip

              Filesize

              3.7MB

              MD5

              78d3ca6355c93c72b494bb6a498bf639

              SHA1

              2fa4e5df74bfe75c207c881a1b0d3bc1c62c8b0e

              SHA256

              a1dd547a63b256aa6a16871ed03f8b025226f7617e67b8817a08444df077b001

              SHA512

              1b2df7bee2514aee7efd3579f5dd33c76b40606d07dba69a34c45747662fad61174db4931bca02b058830107959205e889fee74f8ccc9f6e03f9fd111761f4ea

            • C:\Users\Admin\AppData\Local\Temp\u1ss.2\UIxMarketPlugin.dll

              Filesize

              1.6MB

              MD5

              d1ba9412e78bfc98074c5d724a1a87d6

              SHA1

              0572f98d78fb0b366b5a086c2a74cc68b771d368

              SHA256

              cbcea8f28d8916219d1e8b0a8ca2db17e338eb812431bc4ad0cb36c06fd67f15

              SHA512

              8765de36d3824b12c0a4478c31b985878d4811bd0e5b6fba4ea07f8c76340bd66a2da3490d4871b95d9a12f96efc25507dfd87f431de211664dbe9a9c914af6f

            • C:\Users\Admin\AppData\Local\Temp\u1ss.2\bunch.dat

              Filesize

              1.3MB

              MD5

              1e8237d3028ab52821d69099e0954f97

              SHA1

              30a6ae353adda0c471c6ed5b7a2458b07185abf2

              SHA256

              9387488f9d338e211be2cb45109bf590a5070180bc0d4a703f70d3cb3c4e1742

              SHA512

              a6406d7c18694ee014d59df581f1f76e980b68e3361ae680dc979606a423eba48d35e37f143154dd97fe5f066baf0ea51a2e9f8bc822d593e1cba70ead6559f3

            • C:\Users\Admin\AppData\Local\Temp\u1ss.2\relay.dll

              Filesize

              1.5MB

              MD5

              10d51becd0bbce0fab147ff9658c565e

              SHA1

              4689a18112ff876d3c066bc8c14a08fd6b7b7a4a

              SHA256

              7b2db9c88f60ed6dd24b1dec321a304564780fdb191a96ec35c051856128f1ed

              SHA512

              29faf493bb28f7842c905adc5312f31741effb09f841059b53d73b22aea2c4d41d73db10bbf37703d6aeb936ffacbc756a3cc85ba3c0b6a6863ef4d27fefcd29

            • C:\Users\Admin\AppData\Local\Temp\u1ss.2\run.exe

              Filesize

              2.4MB

              MD5

              9fb4770ced09aae3b437c1c6eb6d7334

              SHA1

              fe54b31b0db8665aa5b22bed147e8295afc88a03

              SHA256

              a05b592a971fe5011554013bcfe9a4aaf9cfc633bdd1fe3a8197f213d557b8d3

              SHA512

              140fee6daf23fe8b7e441b3b4de83554af804f00ecedc421907a385ac79a63164bd9f28b4be061c2ea2262755d85e14d3a8e7dc910547837b664d78d93667256

            • C:\Users\Admin\AppData\Local\Temp\u1ss.2\whale.dbf

              Filesize

              85KB

              MD5

              a723bf46048e0bfb15b8d77d7a648c3e

              SHA1

              8952d3c34e9341e4425571e10f22b782695bb915

              SHA256

              b440170853bdb43b66497f701aee2901080326975140b095a1669cb9dee13422

              SHA512

              ca8ea2f7f3c7af21b5673a0a3f2611b6580a7ed02efa2cfd8b343eb644ff09682bde43b25ef7aab68530d5ce31dcbd252c382dd336ecb610d4c4ebde78347273

            • memory/960-143-0x0000000005630000-0x0000000005640000-memory.dmp

              Filesize

              64KB

            • memory/960-141-0x00000000053C0000-0x0000000005452000-memory.dmp

              Filesize

              584KB

            • memory/960-146-0x00000000055B0000-0x0000000005600000-memory.dmp

              Filesize

              320KB

            • memory/960-145-0x0000000005530000-0x00000000055A6000-memory.dmp

              Filesize

              472KB

            • memory/960-139-0x00000000730E0000-0x0000000073890000-memory.dmp

              Filesize

              7.7MB

            • memory/960-140-0x0000000000D00000-0x0000000000DC6000-memory.dmp

              Filesize

              792KB

            • memory/960-142-0x0000000005A60000-0x0000000006004000-memory.dmp

              Filesize

              5.6MB

            • memory/960-135-0x00000000712D0000-0x0000000072524000-memory.dmp

              Filesize

              18.3MB

            • memory/960-144-0x0000000005810000-0x00000000059D2000-memory.dmp

              Filesize

              1.8MB

            • memory/2332-7-0x0000000005C80000-0x0000000005CED000-memory.dmp

              Filesize

              436KB

            • memory/2332-9-0x0000000000400000-0x000000000405F000-memory.dmp

              Filesize

              60.4MB

            • memory/2332-5-0x0000000004160000-0x0000000004260000-memory.dmp

              Filesize

              1024KB

            • memory/2332-4-0x0000000000400000-0x000000000405F000-memory.dmp

              Filesize

              60.4MB

            • memory/2332-1-0x0000000004160000-0x0000000004260000-memory.dmp

              Filesize

              1024KB

            • memory/2332-20-0x0000000000400000-0x000000000405F000-memory.dmp

              Filesize

              60.4MB

            • memory/2332-2-0x0000000005C80000-0x0000000005CED000-memory.dmp

              Filesize

              436KB

            • memory/2332-122-0x0000000000400000-0x000000000405F000-memory.dmp

              Filesize

              60.4MB

            • memory/2332-3-0x0000000000400000-0x000000000405F000-memory.dmp

              Filesize

              60.4MB

            • memory/2400-22-0x00000000040F0000-0x0000000004117000-memory.dmp

              Filesize

              156KB

            • memory/2400-23-0x0000000000400000-0x000000000403B000-memory.dmp

              Filesize

              60.2MB

            • memory/2400-21-0x0000000004170000-0x0000000004270000-memory.dmp

              Filesize

              1024KB

            • memory/3660-123-0x0000000072800000-0x000000007297B000-memory.dmp

              Filesize

              1.5MB

            • memory/3660-121-0x0000000072800000-0x000000007297B000-memory.dmp

              Filesize

              1.5MB

            • memory/3660-115-0x00007FF99AA90000-0x00007FF99AC85000-memory.dmp

              Filesize

              2.0MB

            • memory/3660-114-0x0000000072800000-0x000000007297B000-memory.dmp

              Filesize

              1.5MB

            • memory/3800-132-0x0000000072800000-0x000000007297B000-memory.dmp

              Filesize

              1.5MB

            • memory/3800-134-0x0000000072800000-0x000000007297B000-memory.dmp

              Filesize

              1.5MB

            • memory/3800-131-0x0000000072800000-0x000000007297B000-memory.dmp

              Filesize

              1.5MB

            • memory/3800-127-0x00007FF99AA90000-0x00007FF99AC85000-memory.dmp

              Filesize

              2.0MB

            • memory/3800-126-0x0000000072800000-0x000000007297B000-memory.dmp

              Filesize

              1.5MB