sectoprat | 1aedfdbaf7c4a2b95b19e5c48108c3da0c0f5c6269c782f10c4e36151042ec03

General

Target

4204b7ce4d84788188751160930920a7.exe
Size

6.7MB
MD5

4204b7ce4d84788188751160930920a7
SHA1

cc2b9ff9fd510fda0c2820f76800648c5c87497d
SHA256

1aedfdbaf7c4a2b95b19e5c48108c3da0c0f5c6269c782f10c4e36151042ec03
SHA512

4a3ec8f0f805e87bd9b02ab49b59f08677fd45239bec939fc67cb09d677086092f738fd0b3720f00a5cce265f1db0b49343495afa8e6149783dc7a065e684f99
SSDEEP

98304:ixvhXTq3zYs4PtSY9/QJKOK8Bf0t+JKnEK5b2VU7AqT3faUM2SFmu7H1ClGnWngf:0XW3+tWJVBf0ttnEK5YqT+kGWng1VVF

Score

10^/10

sectoprat rat spyware trojan

Malware Config

Signatures

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1564-106-0x0000000000400000-0x00000000004C6000-memory.dmp	family_sectoprat

Executes dropped EXE 2 IoCs

Processes:

UniversalInstaller.exeUniversalInstaller.exe

pid process

2480 UniversalInstaller.exe
2600 UniversalInstaller.exe
Loads dropped DLL 5 IoCs

Processes:

4204b7ce4d84788188751160930920a7.exeUniversalInstaller.exeUniversalInstaller.execmd.exe

pid process

1656 4204b7ce4d84788188751160930920a7.exe
2480 UniversalInstaller.exe
2480 UniversalInstaller.exe
2600 UniversalInstaller.exe
2188 cmd.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2480	UniversalInstaller.exe
2600	UniversalInstaller.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

UniversalInstaller.execmd.exe

description	pid	process	target process
PID 2600 set thread context of 2188	2600	UniversalInstaller.exe	cmd.exe
PID 2188 set thread context of 1564	2188	cmd.exe	MSBuild.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

4204b7ce4d84788188751160930920a7.exeUniversalInstaller.exeUniversalInstaller.execmd.exeMSBuild.exe

pid	process
1656	4204b7ce4d84788188751160930920a7.exe
1656	4204b7ce4d84788188751160930920a7.exe
2480	UniversalInstaller.exe
2600	UniversalInstaller.exe
2600	UniversalInstaller.exe
2188	cmd.exe
2188	cmd.exe
1564	MSBuild.exe
1564	MSBuild.exe
1564	MSBuild.exe

Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

UniversalInstaller.execmd.exe

pid process

2600 UniversalInstaller.exe
2188 cmd.exe
2188 cmd.exe

pid	process
2600	UniversalInstaller.exe
2188	cmd.exe
2188	cmd.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

4204b7ce4d84788188751160930920a7.exe

description	pid	process
Token: SeBackupPrivilege	1656	4204b7ce4d84788188751160930920a7.exe
Token: SeRestorePrivilege	1656	4204b7ce4d84788188751160930920a7.exe
Token: SeChangeNotifyPrivilege	1656	4204b7ce4d84788188751160930920a7.exe
Token: SeBackupPrivilege	1656	4204b7ce4d84788188751160930920a7.exe
Token: SeRestorePrivilege	1656	4204b7ce4d84788188751160930920a7.exe
Token: SeChangeNotifyPrivilege	1656	4204b7ce4d84788188751160930920a7.exe
Token: SeBackupPrivilege	1656	4204b7ce4d84788188751160930920a7.exe
Token: SeRestorePrivilege	1656	4204b7ce4d84788188751160930920a7.exe
Token: SeChangeNotifyPrivilege	1656	4204b7ce4d84788188751160930920a7.exe
Token: SeBackupPrivilege	1656	4204b7ce4d84788188751160930920a7.exe
Token: SeRestorePrivilege	1656	4204b7ce4d84788188751160930920a7.exe
Token: SeChangeNotifyPrivilege	1656	4204b7ce4d84788188751160930920a7.exe
Token: SeBackupPrivilege	1656	4204b7ce4d84788188751160930920a7.exe
Token: SeRestorePrivilege	1656	4204b7ce4d84788188751160930920a7.exe
Token: SeChangeNotifyPrivilege	1656	4204b7ce4d84788188751160930920a7.exe
Token: SeBackupPrivilege	1656	4204b7ce4d84788188751160930920a7.exe
Token: SeRestorePrivilege	1656	4204b7ce4d84788188751160930920a7.exe
Token: SeChangeNotifyPrivilege	1656	4204b7ce4d84788188751160930920a7.exe
Token: SeBackupPrivilege	1656	4204b7ce4d84788188751160930920a7.exe
Token: SeRestorePrivilege	1656	4204b7ce4d84788188751160930920a7.exe
Token: SeChangeNotifyPrivilege	1656	4204b7ce4d84788188751160930920a7.exe
Token: SeBackupPrivilege	1656	4204b7ce4d84788188751160930920a7.exe
Token: SeRestorePrivilege	1656	4204b7ce4d84788188751160930920a7.exe
Token: SeChangeNotifyPrivilege	1656	4204b7ce4d84788188751160930920a7.exe
Token: SeBackupPrivilege	1656	4204b7ce4d84788188751160930920a7.exe
Token: SeRestorePrivilege	1656	4204b7ce4d84788188751160930920a7.exe
Token: SeChangeNotifyPrivilege	1656	4204b7ce4d84788188751160930920a7.exe
Token: SeBackupPrivilege	1656	4204b7ce4d84788188751160930920a7.exe
Token: SeRestorePrivilege	1656	4204b7ce4d84788188751160930920a7.exe
Token: SeChangeNotifyPrivilege	1656	4204b7ce4d84788188751160930920a7.exe
Token: SeBackupPrivilege	1656	4204b7ce4d84788188751160930920a7.exe
Token: SeRestorePrivilege	1656	4204b7ce4d84788188751160930920a7.exe
Token: SeChangeNotifyPrivilege	1656	4204b7ce4d84788188751160930920a7.exe
Token: SeBackupPrivilege	1656	4204b7ce4d84788188751160930920a7.exe
Token: SeRestorePrivilege	1656	4204b7ce4d84788188751160930920a7.exe
Token: SeChangeNotifyPrivilege	1656	4204b7ce4d84788188751160930920a7.exe
Token: SeBackupPrivilege	1656	4204b7ce4d84788188751160930920a7.exe
Token: SeRestorePrivilege	1656	4204b7ce4d84788188751160930920a7.exe
Token: SeChangeNotifyPrivilege	1656	4204b7ce4d84788188751160930920a7.exe
Token: SeBackupPrivilege	1656	4204b7ce4d84788188751160930920a7.exe
Token: SeRestorePrivilege	1656	4204b7ce4d84788188751160930920a7.exe
Token: SeChangeNotifyPrivilege	1656	4204b7ce4d84788188751160930920a7.exe
Token: SeBackupPrivilege	1656	4204b7ce4d84788188751160930920a7.exe
Token: SeRestorePrivilege	1656	4204b7ce4d84788188751160930920a7.exe
Token: SeChangeNotifyPrivilege	1656	4204b7ce4d84788188751160930920a7.exe
Token: SeBackupPrivilege	1656	4204b7ce4d84788188751160930920a7.exe
Token: SeRestorePrivilege	1656	4204b7ce4d84788188751160930920a7.exe
Token: SeChangeNotifyPrivilege	1656	4204b7ce4d84788188751160930920a7.exe
Token: SeBackupPrivilege	1656	4204b7ce4d84788188751160930920a7.exe
Token: SeRestorePrivilege	1656	4204b7ce4d84788188751160930920a7.exe
Token: SeChangeNotifyPrivilege	1656	4204b7ce4d84788188751160930920a7.exe
Token: SeBackupPrivilege	1656	4204b7ce4d84788188751160930920a7.exe
Token: SeRestorePrivilege	1656	4204b7ce4d84788188751160930920a7.exe
Token: SeChangeNotifyPrivilege	1656	4204b7ce4d84788188751160930920a7.exe
Token: SeBackupPrivilege	1656	4204b7ce4d84788188751160930920a7.exe
Token: SeRestorePrivilege	1656	4204b7ce4d84788188751160930920a7.exe
Token: SeChangeNotifyPrivilege	1656	4204b7ce4d84788188751160930920a7.exe
Token: SeBackupPrivilege	1656	4204b7ce4d84788188751160930920a7.exe
Token: SeRestorePrivilege	1656	4204b7ce4d84788188751160930920a7.exe
Token: SeChangeNotifyPrivilege	1656	4204b7ce4d84788188751160930920a7.exe
Token: SeBackupPrivilege	1656	4204b7ce4d84788188751160930920a7.exe
Token: SeRestorePrivilege	1656	4204b7ce4d84788188751160930920a7.exe
Token: SeChangeNotifyPrivilege	1656	4204b7ce4d84788188751160930920a7.exe
Token: SeBackupPrivilege	1656	4204b7ce4d84788188751160930920a7.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

UniversalInstaller.exeUniversalInstaller.exeMSBuild.exe

pid process

2480 UniversalInstaller.exe
2480 UniversalInstaller.exe
2600 UniversalInstaller.exe
2600 UniversalInstaller.exe
1564 MSBuild.exe

pid	process
2480	UniversalInstaller.exe
2480	UniversalInstaller.exe
2600	UniversalInstaller.exe
2600	UniversalInstaller.exe
1564	MSBuild.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

4204b7ce4d84788188751160930920a7.exeUniversalInstaller.exeUniversalInstaller.execmd.exe

description	pid	process	target process
PID 1656 wrote to memory of 2480	1656	4204b7ce4d84788188751160930920a7.exe	UniversalInstaller.exe
PID 1656 wrote to memory of 2480	1656	4204b7ce4d84788188751160930920a7.exe	UniversalInstaller.exe
PID 1656 wrote to memory of 2480	1656	4204b7ce4d84788188751160930920a7.exe	UniversalInstaller.exe
PID 1656 wrote to memory of 2480	1656	4204b7ce4d84788188751160930920a7.exe	UniversalInstaller.exe
PID 1656 wrote to memory of 2480	1656	4204b7ce4d84788188751160930920a7.exe	UniversalInstaller.exe
PID 1656 wrote to memory of 2480	1656	4204b7ce4d84788188751160930920a7.exe	UniversalInstaller.exe
PID 1656 wrote to memory of 2480	1656	4204b7ce4d84788188751160930920a7.exe	UniversalInstaller.exe
PID 2480 wrote to memory of 2600	2480	UniversalInstaller.exe	UniversalInstaller.exe
PID 2480 wrote to memory of 2600	2480	UniversalInstaller.exe	UniversalInstaller.exe
PID 2480 wrote to memory of 2600	2480	UniversalInstaller.exe	UniversalInstaller.exe
PID 2480 wrote to memory of 2600	2480	UniversalInstaller.exe	UniversalInstaller.exe
PID 2480 wrote to memory of 2600	2480	UniversalInstaller.exe	UniversalInstaller.exe
PID 2480 wrote to memory of 2600	2480	UniversalInstaller.exe	UniversalInstaller.exe
PID 2480 wrote to memory of 2600	2480	UniversalInstaller.exe	UniversalInstaller.exe
PID 2600 wrote to memory of 2188	2600	UniversalInstaller.exe	cmd.exe
PID 2600 wrote to memory of 2188	2600	UniversalInstaller.exe	cmd.exe
PID 2600 wrote to memory of 2188	2600	UniversalInstaller.exe	cmd.exe
PID 2600 wrote to memory of 2188	2600	UniversalInstaller.exe	cmd.exe
PID 2600 wrote to memory of 2188	2600	UniversalInstaller.exe	cmd.exe
PID 2188 wrote to memory of 1564	2188	cmd.exe	MSBuild.exe
PID 2188 wrote to memory of 1564	2188	cmd.exe	MSBuild.exe
PID 2188 wrote to memory of 1564	2188	cmd.exe	MSBuild.exe
PID 2188 wrote to memory of 1564	2188	cmd.exe	MSBuild.exe
PID 2188 wrote to memory of 1564	2188	cmd.exe	MSBuild.exe
PID 2188 wrote to memory of 1564	2188	cmd.exe	MSBuild.exe

C:\Users\Admin\AppData\Local\Temp\4204b7ce4d84788188751160930920a7.exe
"C:\Users\Admin\AppData\Local\Temp\4204b7ce4d84788188751160930920a7.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1656

C:\Users\Admin\AppData\Local\Temp\LJU_Uninstall\UniversalInstaller.exe
C:\Users\Admin\AppData\Local\Temp\LJU_Uninstall\UniversalInstaller.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2480

C:\Users\Admin\AppData\Roaming\LJU_Uninstall\UniversalInstaller.exe
C:\Users\Admin\AppData\Roaming\LJU_Uninstall\UniversalInstaller.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2600

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe
4⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2188

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1564

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\LJU_Uninstall\UIxMarketPlugin.dll
Filesize
1.6MB

MD5
d1ba9412e78bfc98074c5d724a1a87d6

SHA1
0572f98d78fb0b366b5a086c2a74cc68b771d368

SHA256
cbcea8f28d8916219d1e8b0a8ca2db17e338eb812431bc4ad0cb36c06fd67f15

SHA512
8765de36d3824b12c0a4478c31b985878d4811bd0e5b6fba4ea07f8c76340bd66a2da3490d4871b95d9a12f96efc25507dfd87f431de211664dbe9a9c914af6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\LJU_Uninstall\incurable.wmv
Filesize
1.3MB

MD5
e2cd36f484e44abf600f77a40a3c313c

SHA1
ca222dd676fd3be67c52287fa9c5207eb4328415

SHA256
2963af5676a4373f44e4620fee27c69b4da3a1fe315734cf5af4c656d640ecfe

SHA512
8ea90d7e2ca3acce7f67f76376e4de6e1c1fc68f33e46b822bb25291026fec64263d50c65a7f78999f6667cd6eecc58ca9c53f84caf40f4e1c9c64207b147437

Download Submit
C:\Users\Admin\AppData\Local\Temp\LJU_Uninstall\relay.dll
Filesize
1.5MB

MD5
fe637ff7a6aae4a74306bae07c561b11

SHA1
22e50d0b680ef4110cd156d0da8b965be3b31968

SHA256
6122b4ceb394e4a441b4f7ac92745b1aa64b6c83a4101d6d326e130efa5a5d10

SHA512
97a68dfae7e387684a6f6bb00b68688f91e2135f4b60b6bd551291518f77b48b718b72bca8cca1dbf6f2c8721e5ee1b2bb6fbe68989c931ddbc8b19c741cd64d

Download Submit
C:\Users\Admin\AppData\Local\Temp\LJU_Uninstall\storiette.psd
Filesize
15KB

MD5
e130d08bc94db4675e7883f1643ed6de

SHA1
3b292178565112dc8361c1aca1a170a2158c7f0c

SHA256
97abec36adc375fb4f1588d31bba8c7bbbcc994b683ded4740716a5e91f8dfcf

SHA512
7575364958befe5866d7a2476c590bbf920880eab3e48410fd47142fe7168455404d8c13e270d435db1416151115fae0c85e656974d78682c1447ae4384eb467

Download Submit
C:\Users\Admin\AppData\Local\Temp\a4a31f9e
Filesize
6.1MB

MD5
801147e5cb055570902e096a2a24c0a7

SHA1
07404973935a8df05137bc16d21b1af9478c657c

SHA256
d0c791338c1ad30ad7974f19ec8398c930b6eb39ce31fe1c66ac64979c67aecc

SHA512
70d9b21a6d4d4338a776737c14eee3051b6fbe8272f9e247cab372c2fabcc3cf2683e2667e2660cd381fc7d94129130ca6348c09f739232708f1f5c64a4f8dae

Download Submit
C:\Users\Admin\AppData\Local\Temp\aef095f5
Filesize
1.4MB

MD5
a8a52654b61b4824c6b70b6cd75c47f0

SHA1
2d7aaa60926ade9174b3ae27543460f404d98e0e

SHA256
fce3ae836a84eb6dd674f771b49a6826fe7e6d3b5f31d9aa29d8972fa88bcd65

SHA512
ece7fc56ad5d128de490ab2c5b51c94a1e585aad7fd1c3cf97ddb3bf731b4921befd297d871d51e0f55a14206d4a5f0cc8c7d91c1b4d9701de7c69c92a25264f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpAFB2.tmp
Filesize
20KB

MD5
c9ff7748d8fcef4cf84a5501e996a641

SHA1
02867e5010f62f97ebb0cfb32cb3ede9449fe0c9

SHA256
4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988

SHA512
d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

Download Submit
\Users\Admin\AppData\Local\Temp\LJU_Uninstall\UniversalInstaller.exe
Filesize
2.4MB

MD5
9fb4770ced09aae3b437c1c6eb6d7334

SHA1
fe54b31b0db8665aa5b22bed147e8295afc88a03

SHA256
a05b592a971fe5011554013bcfe9a4aaf9cfc633bdd1fe3a8197f213d557b8d3

SHA512
140fee6daf23fe8b7e441b3b4de83554af804f00ecedc421907a385ac79a63164bd9f28b4be061c2ea2262755d85e14d3a8e7dc910547837b664d78d93667256

Download Submit
memory/1564-104-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/1564-105-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/1564-103-0x0000000072B90000-0x0000000073BF2000-memory.dmp

Filesize
16.4MB

Download
memory/1564-106-0x0000000000400000-0x00000000004C6000-memory.dmp

Filesize
792KB

Download
memory/1656-25-0x0000000074860000-0x00000000749D4000-memory.dmp

Filesize
1.5MB

Download
memory/1656-6-0x0000000074860000-0x00000000749D4000-memory.dmp

Filesize
1.5MB

Download
memory/1656-0-0x0000000000400000-0x0000000000AE3000-memory.dmp

Filesize
6.9MB

Download
memory/1656-26-0x0000000074860000-0x00000000749D4000-memory.dmp

Filesize
1.5MB

Download
memory/1656-7-0x0000000077610000-0x00000000777B9000-memory.dmp

Filesize
1.7MB

Download
memory/1656-16-0x0000000074860000-0x00000000749D4000-memory.dmp

Filesize
1.5MB

Download
memory/1656-51-0x0000000074860000-0x00000000749D4000-memory.dmp

Filesize
1.5MB

Download
memory/1656-8-0x0000000074872000-0x0000000074874000-memory.dmp

Filesize
8KB

Download
memory/1656-13-0x0000000074860000-0x00000000749D4000-memory.dmp

Filesize
1.5MB

Download
memory/2188-55-0x0000000077610000-0x00000000777B9000-memory.dmp

Filesize
1.7MB

Download
memory/2188-101-0x0000000074860000-0x00000000749D4000-memory.dmp

Filesize
1.5MB

Download
memory/2480-33-0x0000000077610000-0x00000000777B9000-memory.dmp

Filesize
1.7MB

Download
memory/2480-32-0x0000000074860000-0x00000000749D4000-memory.dmp

Filesize
1.5MB

Download
memory/2600-52-0x0000000074860000-0x00000000749D4000-memory.dmp

Filesize
1.5MB

Download
memory/2600-50-0x0000000077610000-0x00000000777B9000-memory.dmp

Filesize
1.7MB

Download
memory/2600-49-0x0000000074860000-0x00000000749D4000-memory.dmp

Filesize
1.5MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads