sectoprat | 1aedfdbaf7c4a2b95b19e5c48108c3da0c0f5c6269c782f10c4e36151042ec03

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
20-05-2024 15:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4204b7ce4d84788188751160930920a7.exe
Size

6.7MB
MD5

4204b7ce4d84788188751160930920a7
SHA1

cc2b9ff9fd510fda0c2820f76800648c5c87497d
SHA256

1aedfdbaf7c4a2b95b19e5c48108c3da0c0f5c6269c782f10c4e36151042ec03
SHA512

4a3ec8f0f805e87bd9b02ab49b59f08677fd45239bec939fc67cb09d677086092f738fd0b3720f00a5cce265f1db0b49343495afa8e6149783dc7a065e684f99
SSDEEP

98304:ixvhXTq3zYs4PtSY9/QJKOK8Bf0t+JKnEK5b2VU7AqT3faUM2SFmu7H1ClGnWngf:0XW3+tWJVBf0ttnEK5YqT+kGWng1VVF

Score

10^/10

sectoprat rat spyware trojan

Malware Config

Signatures

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3244-58-0x0000000000900000-0x00000000009C6000-memory.dmp	family_sectoprat

Executes dropped EXE 2 IoCs

Processes:

UniversalInstaller.exeUniversalInstaller.exe

pid process

2180 UniversalInstaller.exe
1228 UniversalInstaller.exe
Loads dropped DLL 2 IoCs

Processes:

UniversalInstaller.exeUniversalInstaller.exe

pid process

2180 UniversalInstaller.exe
1228 UniversalInstaller.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2180	UniversalInstaller.exe
1228	UniversalInstaller.exe

pid	process
2180	UniversalInstaller.exe
1228	UniversalInstaller.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

UniversalInstaller.execmd.exe

description	pid	process	target process
PID 1228 set thread context of 3284	1228	UniversalInstaller.exe	cmd.exe
PID 3284 set thread context of 3244	3284	cmd.exe	MSBuild.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

4204b7ce4d84788188751160930920a7.exeUniversalInstaller.exeUniversalInstaller.execmd.exeMSBuild.exe

pid	process
3772	4204b7ce4d84788188751160930920a7.exe
3772	4204b7ce4d84788188751160930920a7.exe
2180	UniversalInstaller.exe
1228	UniversalInstaller.exe
1228	UniversalInstaller.exe
3284	cmd.exe
3284	cmd.exe
3244	MSBuild.exe
3244	MSBuild.exe
3244	MSBuild.exe

Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

UniversalInstaller.execmd.exe

pid process

1228 UniversalInstaller.exe
3284 cmd.exe
3284 cmd.exe

pid	process
1228	UniversalInstaller.exe
3284	cmd.exe
3284	cmd.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

4204b7ce4d84788188751160930920a7.exe

description	pid	process
Token: SeBackupPrivilege	3772	4204b7ce4d84788188751160930920a7.exe
Token: SeRestorePrivilege	3772	4204b7ce4d84788188751160930920a7.exe
Token: SeChangeNotifyPrivilege	3772	4204b7ce4d84788188751160930920a7.exe
Token: SeBackupPrivilege	3772	4204b7ce4d84788188751160930920a7.exe
Token: SeRestorePrivilege	3772	4204b7ce4d84788188751160930920a7.exe
Token: SeChangeNotifyPrivilege	3772	4204b7ce4d84788188751160930920a7.exe
Token: SeBackupPrivilege	3772	4204b7ce4d84788188751160930920a7.exe
Token: SeRestorePrivilege	3772	4204b7ce4d84788188751160930920a7.exe
Token: SeChangeNotifyPrivilege	3772	4204b7ce4d84788188751160930920a7.exe
Token: SeBackupPrivilege	3772	4204b7ce4d84788188751160930920a7.exe
Token: SeRestorePrivilege	3772	4204b7ce4d84788188751160930920a7.exe
Token: SeChangeNotifyPrivilege	3772	4204b7ce4d84788188751160930920a7.exe
Token: SeBackupPrivilege	3772	4204b7ce4d84788188751160930920a7.exe
Token: SeRestorePrivilege	3772	4204b7ce4d84788188751160930920a7.exe
Token: SeChangeNotifyPrivilege	3772	4204b7ce4d84788188751160930920a7.exe
Token: SeBackupPrivilege	3772	4204b7ce4d84788188751160930920a7.exe
Token: SeRestorePrivilege	3772	4204b7ce4d84788188751160930920a7.exe
Token: SeChangeNotifyPrivilege	3772	4204b7ce4d84788188751160930920a7.exe
Token: SeBackupPrivilege	3772	4204b7ce4d84788188751160930920a7.exe
Token: SeRestorePrivilege	3772	4204b7ce4d84788188751160930920a7.exe
Token: SeChangeNotifyPrivilege	3772	4204b7ce4d84788188751160930920a7.exe
Token: SeBackupPrivilege	3772	4204b7ce4d84788188751160930920a7.exe
Token: SeRestorePrivilege	3772	4204b7ce4d84788188751160930920a7.exe
Token: SeChangeNotifyPrivilege	3772	4204b7ce4d84788188751160930920a7.exe
Token: SeBackupPrivilege	3772	4204b7ce4d84788188751160930920a7.exe
Token: SeRestorePrivilege	3772	4204b7ce4d84788188751160930920a7.exe
Token: SeChangeNotifyPrivilege	3772	4204b7ce4d84788188751160930920a7.exe
Token: SeBackupPrivilege	3772	4204b7ce4d84788188751160930920a7.exe
Token: SeRestorePrivilege	3772	4204b7ce4d84788188751160930920a7.exe
Token: SeChangeNotifyPrivilege	3772	4204b7ce4d84788188751160930920a7.exe
Token: SeBackupPrivilege	3772	4204b7ce4d84788188751160930920a7.exe
Token: SeRestorePrivilege	3772	4204b7ce4d84788188751160930920a7.exe
Token: SeChangeNotifyPrivilege	3772	4204b7ce4d84788188751160930920a7.exe
Token: SeBackupPrivilege	3772	4204b7ce4d84788188751160930920a7.exe
Token: SeRestorePrivilege	3772	4204b7ce4d84788188751160930920a7.exe
Token: SeChangeNotifyPrivilege	3772	4204b7ce4d84788188751160930920a7.exe
Token: SeBackupPrivilege	3772	4204b7ce4d84788188751160930920a7.exe
Token: SeRestorePrivilege	3772	4204b7ce4d84788188751160930920a7.exe
Token: SeChangeNotifyPrivilege	3772	4204b7ce4d84788188751160930920a7.exe
Token: SeBackupPrivilege	3772	4204b7ce4d84788188751160930920a7.exe
Token: SeRestorePrivilege	3772	4204b7ce4d84788188751160930920a7.exe
Token: SeChangeNotifyPrivilege	3772	4204b7ce4d84788188751160930920a7.exe
Token: SeBackupPrivilege	3772	4204b7ce4d84788188751160930920a7.exe
Token: SeRestorePrivilege	3772	4204b7ce4d84788188751160930920a7.exe
Token: SeChangeNotifyPrivilege	3772	4204b7ce4d84788188751160930920a7.exe
Token: SeBackupPrivilege	3772	4204b7ce4d84788188751160930920a7.exe
Token: SeRestorePrivilege	3772	4204b7ce4d84788188751160930920a7.exe
Token: SeChangeNotifyPrivilege	3772	4204b7ce4d84788188751160930920a7.exe
Token: SeBackupPrivilege	3772	4204b7ce4d84788188751160930920a7.exe
Token: SeRestorePrivilege	3772	4204b7ce4d84788188751160930920a7.exe
Token: SeChangeNotifyPrivilege	3772	4204b7ce4d84788188751160930920a7.exe
Token: SeBackupPrivilege	3772	4204b7ce4d84788188751160930920a7.exe
Token: SeRestorePrivilege	3772	4204b7ce4d84788188751160930920a7.exe
Token: SeChangeNotifyPrivilege	3772	4204b7ce4d84788188751160930920a7.exe
Token: SeBackupPrivilege	3772	4204b7ce4d84788188751160930920a7.exe
Token: SeRestorePrivilege	3772	4204b7ce4d84788188751160930920a7.exe
Token: SeChangeNotifyPrivilege	3772	4204b7ce4d84788188751160930920a7.exe
Token: SeBackupPrivilege	3772	4204b7ce4d84788188751160930920a7.exe
Token: SeRestorePrivilege	3772	4204b7ce4d84788188751160930920a7.exe
Token: SeChangeNotifyPrivilege	3772	4204b7ce4d84788188751160930920a7.exe
Token: SeBackupPrivilege	3772	4204b7ce4d84788188751160930920a7.exe
Token: SeRestorePrivilege	3772	4204b7ce4d84788188751160930920a7.exe
Token: SeChangeNotifyPrivilege	3772	4204b7ce4d84788188751160930920a7.exe
Token: SeBackupPrivilege	3772	4204b7ce4d84788188751160930920a7.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

UniversalInstaller.exeUniversalInstaller.exeMSBuild.exe

pid process

2180 UniversalInstaller.exe
2180 UniversalInstaller.exe
1228 UniversalInstaller.exe
1228 UniversalInstaller.exe
3244 MSBuild.exe

pid	process
2180	UniversalInstaller.exe
2180	UniversalInstaller.exe
1228	UniversalInstaller.exe
1228	UniversalInstaller.exe
3244	MSBuild.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

4204b7ce4d84788188751160930920a7.exeUniversalInstaller.exeUniversalInstaller.execmd.exe

description	pid	process	target process
PID 3772 wrote to memory of 2180	3772	4204b7ce4d84788188751160930920a7.exe	UniversalInstaller.exe
PID 3772 wrote to memory of 2180	3772	4204b7ce4d84788188751160930920a7.exe	UniversalInstaller.exe
PID 3772 wrote to memory of 2180	3772	4204b7ce4d84788188751160930920a7.exe	UniversalInstaller.exe
PID 2180 wrote to memory of 1228	2180	UniversalInstaller.exe	UniversalInstaller.exe
PID 2180 wrote to memory of 1228	2180	UniversalInstaller.exe	UniversalInstaller.exe
PID 2180 wrote to memory of 1228	2180	UniversalInstaller.exe	UniversalInstaller.exe
PID 1228 wrote to memory of 3284	1228	UniversalInstaller.exe	cmd.exe
PID 1228 wrote to memory of 3284	1228	UniversalInstaller.exe	cmd.exe
PID 1228 wrote to memory of 3284	1228	UniversalInstaller.exe	cmd.exe
PID 1228 wrote to memory of 3284	1228	UniversalInstaller.exe	cmd.exe
PID 3284 wrote to memory of 3244	3284	cmd.exe	MSBuild.exe
PID 3284 wrote to memory of 3244	3284	cmd.exe	MSBuild.exe
PID 3284 wrote to memory of 3244	3284	cmd.exe	MSBuild.exe
PID 3284 wrote to memory of 3244	3284	cmd.exe	MSBuild.exe
PID 3284 wrote to memory of 3244	3284	cmd.exe	MSBuild.exe

C:\Users\Admin\AppData\Local\Temp\4204b7ce4d84788188751160930920a7.exe
"C:\Users\Admin\AppData\Local\Temp\4204b7ce4d84788188751160930920a7.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3772

C:\Users\Admin\AppData\Local\Temp\LJU_Uninstall\UniversalInstaller.exe
C:\Users\Admin\AppData\Local\Temp\LJU_Uninstall\UniversalInstaller.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2180

C:\Users\Admin\AppData\Roaming\LJU_Uninstall\UniversalInstaller.exe
C:\Users\Admin\AppData\Roaming\LJU_Uninstall\UniversalInstaller.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1228

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe
4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3284

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3244

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\LJU_Uninstall\UIxMarketPlugin.dll
Filesize
1.6MB

MD5
d1ba9412e78bfc98074c5d724a1a87d6

SHA1
0572f98d78fb0b366b5a086c2a74cc68b771d368

SHA256
cbcea8f28d8916219d1e8b0a8ca2db17e338eb812431bc4ad0cb36c06fd67f15

SHA512
8765de36d3824b12c0a4478c31b985878d4811bd0e5b6fba4ea07f8c76340bd66a2da3490d4871b95d9a12f96efc25507dfd87f431de211664dbe9a9c914af6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\LJU_Uninstall\UniversalInstaller.exe
Filesize
2.4MB

MD5
9fb4770ced09aae3b437c1c6eb6d7334

SHA1
fe54b31b0db8665aa5b22bed147e8295afc88a03

SHA256
a05b592a971fe5011554013bcfe9a4aaf9cfc633bdd1fe3a8197f213d557b8d3

SHA512
140fee6daf23fe8b7e441b3b4de83554af804f00ecedc421907a385ac79a63164bd9f28b4be061c2ea2262755d85e14d3a8e7dc910547837b664d78d93667256

Download Submit
C:\Users\Admin\AppData\Local\Temp\LJU_Uninstall\incurable.wmv
Filesize
1.3MB

MD5
e2cd36f484e44abf600f77a40a3c313c

SHA1
ca222dd676fd3be67c52287fa9c5207eb4328415

SHA256
2963af5676a4373f44e4620fee27c69b4da3a1fe315734cf5af4c656d640ecfe

SHA512
8ea90d7e2ca3acce7f67f76376e4de6e1c1fc68f33e46b822bb25291026fec64263d50c65a7f78999f6667cd6eecc58ca9c53f84caf40f4e1c9c64207b147437

Download Submit
C:\Users\Admin\AppData\Local\Temp\LJU_Uninstall\relay.dll
Filesize
1.5MB

MD5
fe637ff7a6aae4a74306bae07c561b11

SHA1
22e50d0b680ef4110cd156d0da8b965be3b31968

SHA256
6122b4ceb394e4a441b4f7ac92745b1aa64b6c83a4101d6d326e130efa5a5d10

SHA512
97a68dfae7e387684a6f6bb00b68688f91e2135f4b60b6bd551291518f77b48b718b72bca8cca1dbf6f2c8721e5ee1b2bb6fbe68989c931ddbc8b19c741cd64d

Download Submit
C:\Users\Admin\AppData\Local\Temp\LJU_Uninstall\storiette.psd
Filesize
15KB

MD5
e130d08bc94db4675e7883f1643ed6de

SHA1
3b292178565112dc8361c1aca1a170a2158c7f0c

SHA256
97abec36adc375fb4f1588d31bba8c7bbbcc994b683ded4740716a5e91f8dfcf

SHA512
7575364958befe5866d7a2476c590bbf920880eab3e48410fd47142fe7168455404d8c13e270d435db1416151115fae0c85e656974d78682c1447ae4384eb467

Download Submit
C:\Users\Admin\AppData\Local\Temp\a1f06256
Filesize
6.1MB

MD5
801147e5cb055570902e096a2a24c0a7

SHA1
07404973935a8df05137bc16d21b1af9478c657c

SHA256
d0c791338c1ad30ad7974f19ec8398c930b6eb39ce31fe1c66ac64979c67aecc

SHA512
70d9b21a6d4d4338a776737c14eee3051b6fbe8272f9e247cab372c2fabcc3cf2683e2667e2660cd381fc7d94129130ca6348c09f739232708f1f5c64a4f8dae

Download Submit
C:\Users\Admin\AppData\Local\Temp\b3c77f1b
Filesize
1.4MB

MD5
26866bed6435f0562a5f85872f7507e9

SHA1
f6425d38e9e8c37074b831c3524c7dc6a4b570da

SHA256
075ac72e7d9d1c88ffd7dbace59f279f8105a8c24fc78bcf15864c8f4c3ef8ca

SHA512
2b014b19c3c0ca2580b37720e927bc2d5d2b9082bff8802d3774d6e025dfae464ac66c6998240e1e194d5a4f7a18d56f13afcf324c130e4318516817ba705ec1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD9D7.tmp
Filesize
20KB

MD5
42c395b8db48b6ce3d34c301d1eba9d5

SHA1
b7cfa3de344814bec105391663c0df4a74310996

SHA256
5644546ecefc6786c7be5b1a89e935e640963ccd34b130f21baab9370cb9055d

SHA512
7b9214db96e9bec8745b4161a41c4c0520cdda9950f0cd3f12c7744227a25d639d07c0dd68b552cf1e032181c2e4f8297747f27bad6c7447b0f415a86bd82845

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpDA09.tmp
Filesize
20KB

MD5
49693267e0adbcd119f9f5e02adf3a80

SHA1
3ba3d7f89b8ad195ca82c92737e960e1f2b349df

SHA256
d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f

SHA512
b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

Download Submit
memory/1228-45-0x00000000751E0000-0x000000007535B000-memory.dmp

Filesize
1.5MB

Download
memory/1228-46-0x00007FFCE9DD0000-0x00007FFCE9FC5000-memory.dmp

Filesize
2.0MB

Download
memory/1228-48-0x00000000751E0000-0x000000007535B000-memory.dmp

Filesize
1.5MB

Download
memory/2180-30-0x00000000751E0000-0x000000007535B000-memory.dmp

Filesize
1.5MB

Download
memory/2180-31-0x00007FFCE9DD0000-0x00007FFCE9FC5000-memory.dmp

Filesize
2.0MB

Download
memory/3244-61-0x00000000052D0000-0x0000000005492000-memory.dmp

Filesize
1.8MB

Download
memory/3244-65-0x0000000006180000-0x00000000066AC000-memory.dmp

Filesize
5.2MB

Download
memory/3244-94-0x0000000005560000-0x000000000559C000-memory.dmp

Filesize
240KB

Download
memory/3244-93-0x00000000051C0000-0x00000000051D2000-memory.dmp

Filesize
72KB

Download
memory/3244-91-0x0000000006E60000-0x0000000006E6A000-memory.dmp

Filesize
40KB

Download
memory/3244-67-0x0000000005DC0000-0x0000000005E26000-memory.dmp

Filesize
408KB

Download
memory/3244-66-0x0000000005CD0000-0x0000000005CEE000-memory.dmp

Filesize
120KB

Download
memory/3244-62-0x0000000005070000-0x00000000050E6000-memory.dmp

Filesize
472KB

Download
memory/3244-64-0x0000000004F40000-0x0000000004F4A000-memory.dmp

Filesize
40KB

Download
memory/3244-55-0x0000000072D80000-0x0000000073FD4000-memory.dmp

Filesize
18.3MB

Download
memory/3244-58-0x0000000000900000-0x00000000009C6000-memory.dmp

Filesize
792KB

Download
memory/3244-59-0x0000000004F50000-0x0000000004FE2000-memory.dmp

Filesize
584KB

Download
memory/3244-60-0x00000000055A0000-0x0000000005B44000-memory.dmp

Filesize
5.6MB

Download
memory/3244-63-0x0000000005150000-0x00000000051A0000-memory.dmp

Filesize
320KB

Download
memory/3284-51-0x00007FFCE9DD0000-0x00007FFCE9FC5000-memory.dmp

Filesize
2.0MB

Download
memory/3284-53-0x00000000751E0000-0x000000007535B000-memory.dmp

Filesize
1.5MB

Download
memory/3772-0-0x0000000000400000-0x0000000000AE3000-memory.dmp

Filesize
6.9MB

Download
memory/3772-11-0x00000000751E0000-0x000000007535B000-memory.dmp

Filesize
1.5MB

Download
memory/3772-8-0x00000000751F2000-0x00000000751F4000-memory.dmp

Filesize
8KB

Download
memory/3772-21-0x00000000751E0000-0x000000007535B000-memory.dmp

Filesize
1.5MB

Download
memory/3772-7-0x00007FFCE9DD0000-0x00007FFCE9FC5000-memory.dmp

Filesize
2.0MB

Download
memory/3772-6-0x00000000751E0000-0x000000007535B000-memory.dmp

Filesize
1.5MB

Download
memory/3772-47-0x00000000751E0000-0x000000007535B000-memory.dmp

Filesize
1.5MB

Download
memory/3772-22-0x00000000751E0000-0x000000007535B000-memory.dmp

Filesize
1.5MB

Download
memory/3772-16-0x00000000751E0000-0x000000007535B000-memory.dmp

Filesize
1.5MB

Download