Overview

overview

10

Static

static

1

a15f053b71...4d.exe

windows11-21h2-x64

10

Resubmissions

22-05-2024 14:51

240522-r8f9xsfa6s 10

Analysis

  • max time kernel
    1183s
  • max time network
    1185s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240426-en
  • resource tags

    arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    22-05-2024 14:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a15f053b71cda0497efdec08b4680267b936024d.exe

  • Size

    6.6MB

  • MD5

    064d9b8a16b733266a651332c622a54e

  • SHA1

    a15f053b71cda0497efdec08b4680267b936024d

  • SHA256

    8e723f79d696edac7fa9da08d07dd796b4fa6f56886a2f10ea66e618bf0273f1

  • SHA512

    18cee323ab07689c6e030d647f0296ec97a12af860fce2252d72d11f3f54c69aca266329fa58cf08213417fd0de54dfab7477a3d9923e83812470fa1b8c79110

  • SSDEEP

    98304:OHiCrTw8ZnKEkrssgY6B++D0VH5Z1UqoVoMvoH:Qr615rieH

Score
10/10
sectopratratspywaretrojan

Malware Config

Signatures

  • SectopRAT

    SectopRAT is a remote access trojan first seen in November 2019.

    trojanratsectoprat
  • SectopRAT payload 1 IoCs
  • Executes dropped EXE 6 IoCs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Suspicious use of SetThreadContext 14 IoCs
  • Drops file in Windows directory 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 32 IoCs
  • Suspicious behavior: MapViewOfSection 21 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 63 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a15f053b71cda0497efdec08b4680267b936024d.exe
    "C:\Users\Admin\AppData\Local\Temp\a15f053b71cda0497efdec08b4680267b936024d.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:2524
    • C:\Windows\SysWOW64\netsh.exe
      C:\Windows\SysWOW64\netsh.exe
      2⤵
      • Suspicious use of SetThreadContext
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:4012
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:1312
  • C:\Users\Admin\AppData\Roaming\SecurityUpdate\OrtosLauncher.exe
    C:\Users\Admin\AppData\Roaming\SecurityUpdate\OrtosLauncher.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:3080
    • C:\Windows\SysWOW64\netsh.exe
      C:\Windows\SysWOW64\netsh.exe
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:2268
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        3⤵
          PID:2452
    • C:\Users\Admin\AppData\Roaming\SecurityUpdate\OrtosLauncher.exe
      C:\Users\Admin\AppData\Roaming\SecurityUpdate\OrtosLauncher.exe
      1⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:1640
      • C:\Windows\SysWOW64\netsh.exe
        C:\Windows\SysWOW64\netsh.exe
        2⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:1868
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
          C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
          3⤵
            PID:4804
      • C:\Users\Admin\AppData\Roaming\SecurityUpdate\OrtosLauncher.exe
        C:\Users\Admin\AppData\Roaming\SecurityUpdate\OrtosLauncher.exe
        1⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:1944
        • C:\Windows\SysWOW64\netsh.exe
          C:\Windows\SysWOW64\netsh.exe
          2⤵
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of WriteProcessMemory
          PID:1344
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
            C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
            3⤵
              PID:4792
        • C:\Users\Admin\AppData\Roaming\SecurityUpdate\OrtosLauncher.exe
          C:\Users\Admin\AppData\Roaming\SecurityUpdate\OrtosLauncher.exe
          1⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of WriteProcessMemory
          PID:420
          • C:\Windows\SysWOW64\netsh.exe
            C:\Windows\SysWOW64\netsh.exe
            2⤵
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of WriteProcessMemory
            PID:1336
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
              C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
              3⤵
                PID:3276
          • C:\Users\Admin\AppData\Roaming\SecurityUpdate\OrtosLauncher.exe
            C:\Users\Admin\AppData\Roaming\SecurityUpdate\OrtosLauncher.exe
            1⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of WriteProcessMemory
            PID:3168
            • C:\Windows\SysWOW64\netsh.exe
              C:\Windows\SysWOW64\netsh.exe
              2⤵
              • Suspicious use of SetThreadContext
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious behavior: MapViewOfSection
              • Suspicious use of WriteProcessMemory
              PID:3296
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                3⤵
                  PID:1056
            • C:\Users\Admin\AppData\Roaming\SecurityUpdate\OrtosLauncher.exe
              C:\Users\Admin\AppData\Roaming\SecurityUpdate\OrtosLauncher.exe
              1⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious behavior: MapViewOfSection
              • Suspicious use of WriteProcessMemory
              PID:2056
              • C:\Windows\SysWOW64\netsh.exe
                C:\Windows\SysWOW64\netsh.exe
                2⤵
                • Suspicious use of SetThreadContext
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious behavior: MapViewOfSection
                • Suspicious use of WriteProcessMemory
                PID:5072
                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                  C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                  3⤵
                    PID:1640

              Network

              MITRE ATT&CK Matrix ATT&CK v13

              Initial Access

              Execution

              Persistence

              Privilege Escalation

              Defense Evasion

              Credential Access

              Unsecured Credentials

              1
              T1552

              Credentials In Files

              1
              T1552.001

              Discovery

              Lateral Movement

              Collection

              Data from Local System

              1
              T1005

              Exfiltration

              Command and Control

              Impact

              Resource Development

              Reconnaissance

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\MSBuild.exe.log
                Filesize

                410B

                MD5

                595b2b7794a0b04788c75aa8f0076a58

                SHA1

                ba783556d6bd69f69adf72e02b28be49eda4161f

                SHA256

                bc4bad840727fda53dc12d08840e47bfc0583be9bb1d512af15ccbc48790ce2e

                SHA512

                aaec254c32eed006381c75cdb9a559a82b5ff6b852aab10f2a84f0c54b44b24aaea74c29a0e8228425b9e8226b676c9a008ba4639a99c7ae78adcdf058ffd3dd

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\8cb685dc
                Filesize

                1.4MB

                MD5

                bb79b37303351aed686bafdbda965145

                SHA1

                29dfc99df03ebeba465887c1c93990244010701f

                SHA256

                832bd77a59171267e41c2559bce0abd6c8a5d172367726dd289f3fc133beae29

                SHA512

                6cb74f6fe35775c562cbf1c8126d633259e4b6077638fff57f70326bac8e3a0e6deaa7ca26de9bab6364cf88fa750bfb7c2af6cde82f73ed731989685b75de8a

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\904aa7dc
                Filesize

                1.4MB

                MD5

                14bacd6d01f76c333f9a5eaec6769c1f

                SHA1

                0eda34d639ef60004776d1b7df89fef2afc696a9

                SHA256

                6bf2af4c1f4ea42dc69c4215b7656b40b2cfef203bd8177c31c3832d78436be6

                SHA512

                f83fde9b33d124ffd4defc949ccd506c75187f602b42a538d64670b9712825078e80477d9153b57ed0a82babec269e263083927d5af22684ef988b6200797d98

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\c1a43df5
                Filesize

                1.4MB

                MD5

                090a858c9fdecb91fff399b98384a480

                SHA1

                227e88411bde058fd61635225f47a5ba8f656227

                SHA256

                3f613d6220036e5527bdaba824f303117662ffa48903abb0accad36d76466b7a

                SHA512

                e4b3b07b025a10cd81f57039371f824ab4bdfac38d031eb4d8c7577aaa17ade9376b085344073ebba7c679a0b9f8cd7e1cbd3a8d6ff176379cb8bd08bdef5191

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\tmpC045.tmp
                Filesize

                20KB

                MD5

                42c395b8db48b6ce3d34c301d1eba9d5

                SHA1

                b7cfa3de344814bec105391663c0df4a74310996

                SHA256

                5644546ecefc6786c7be5b1a89e935e640963ccd34b130f21baab9370cb9055d

                SHA512

                7b9214db96e9bec8745b4161a41c4c0520cdda9950f0cd3f12c7744227a25d639d07c0dd68b552cf1e032181c2e4f8297747f27bad6c7447b0f415a86bd82845

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\tmpC067.tmp
                Filesize

                20KB

                MD5

                22be08f683bcc01d7a9799bbd2c10041

                SHA1

                2efb6041cf3d6e67970135e592569c76fc4c41de

                SHA256

                451c2c0cf3b7cb412a05347c6e75ed8680f0d2e5f2ab0f64cc2436db9309a457

                SHA512

                0eef192b3d5abe5d2435acf54b42c729c3979e4ad0b73d36666521458043ee7df1e10386bef266d7df9c31db94fb2833152bb2798936cb2082715318ef05d936

                Download Submit
              • C:\Users\Admin\AppData\Roaming\SecurityUpdate\OrtosLauncher.exe
                Filesize

                6.6MB

                MD5

                064d9b8a16b733266a651332c622a54e

                SHA1

                a15f053b71cda0497efdec08b4680267b936024d

                SHA256

                8e723f79d696edac7fa9da08d07dd796b4fa6f56886a2f10ea66e618bf0273f1

                SHA512

                18cee323ab07689c6e030d647f0296ec97a12af860fce2252d72d11f3f54c69aca266329fa58cf08213417fd0de54dfab7477a3d9923e83812470fa1b8c79110

                Download Submit
              • C:\Windows\Tasks\Ortos Launcher.job
                Filesize

                300B

                MD5

                c7a361f3995732cdb4473dceda0fd93e

                SHA1

                23afa872ceccf05afcc610f943aa4f4a567de7fc

                SHA256

                82afb3b787907d05a9b9137a9cabe8ebff40ff00a0d58a8862dc4aea04e05667

                SHA512

                a2a90db1526dbef003dcf16c4c7a818aca9fa616c98d0602b1f603f33af2c329904cdf7dbd2d4b483185ca2361a5fddce49be8988604a1aede3c033f23bbbab8

                Download Submit
              • memory/420-304-0x0000000000400000-0x0000000000AC3000-memory.dmp
                Filesize

                6.8MB

                Download
              • memory/420-310-0x000000006E6A0000-0x000000006E81D000-memory.dmp
                Filesize

                1.5MB

                Download
              • memory/420-311-0x00007FFC6A820000-0x00007FFC6AA29000-memory.dmp
                Filesize

                2.0MB

                Download
              • memory/420-312-0x000000006E6A0000-0x000000006E81D000-memory.dmp
                Filesize

                1.5MB

                Download
              • memory/1056-334-0x0000000071A90000-0x0000000072DA7000-memory.dmp
                Filesize

                19.1MB

                Download
              • memory/1312-29-0x000000007475E000-0x000000007475F000-memory.dmp
                Filesize

                4KB

                Download
              • memory/1312-32-0x00000000058E0000-0x0000000005E86000-memory.dmp
                Filesize

                5.6MB

                Download
              • memory/1312-63-0x0000000007E50000-0x0000000007E5A000-memory.dmp
                Filesize

                40KB

                Download
              • memory/1312-227-0x000000007475E000-0x000000007475F000-memory.dmp
                Filesize

                4KB

                Download
              • memory/1312-24-0x0000000071A90000-0x0000000072DA7000-memory.dmp
                Filesize

                19.1MB

                Download
              • memory/1312-228-0x0000000005510000-0x0000000005522000-memory.dmp
                Filesize

                72KB

                Download
              • memory/1312-229-0x0000000005570000-0x00000000055AC000-memory.dmp
                Filesize

                240KB

                Download
              • memory/1312-30-0x0000000000B00000-0x0000000000BC6000-memory.dmp
                Filesize

                792KB

                Download
              • memory/1312-31-0x0000000005290000-0x0000000005322000-memory.dmp
                Filesize

                584KB

                Download
              • memory/1312-66-0x0000000005650000-0x0000000005662000-memory.dmp
                Filesize

                72KB

                Download
              • memory/1312-33-0x00000000056C0000-0x0000000005882000-memory.dmp
                Filesize

                1.8MB

                Download
              • memory/1312-35-0x0000000005480000-0x00000000054D0000-memory.dmp
                Filesize

                320KB

                Download
              • memory/1312-34-0x00000000053B0000-0x0000000005426000-memory.dmp
                Filesize

                472KB

                Download
              • memory/1312-36-0x0000000005280000-0x000000000528A000-memory.dmp
                Filesize

                40KB

                Download
              • memory/1312-37-0x00000000064C0000-0x00000000069EC000-memory.dmp
                Filesize

                5.2MB

                Download
              • memory/1312-38-0x0000000006020000-0x000000000603E000-memory.dmp
                Filesize

                120KB

                Download
              • memory/1312-39-0x00000000060F0000-0x0000000006156000-memory.dmp
                Filesize

                408KB

                Download
              • memory/1336-316-0x00007FFC6A820000-0x00007FFC6AA29000-memory.dmp
                Filesize

                2.0MB

                Download
              • memory/1344-299-0x00007FFC6A820000-0x00007FFC6AA29000-memory.dmp
                Filesize

                2.0MB

                Download
              • memory/1640-269-0x0000000000400000-0x0000000000AC3000-memory.dmp
                Filesize

                6.8MB

                Download
              • memory/1640-275-0x000000006E6A0000-0x000000006E81D000-memory.dmp
                Filesize

                1.5MB

                Download
              • memory/1640-276-0x00007FFC6A820000-0x00007FFC6AA29000-memory.dmp
                Filesize

                2.0MB

                Download
              • memory/1640-277-0x000000006E6A0000-0x000000006E81D000-memory.dmp
                Filesize

                1.5MB

                Download
              • memory/1640-351-0x0000000071A90000-0x0000000072DA7000-memory.dmp
                Filesize

                19.1MB

                Download
              • memory/1868-281-0x00007FFC6A820000-0x00007FFC6AA29000-memory.dmp
                Filesize

                2.0MB

                Download
              • memory/1944-295-0x000000006E6A0000-0x000000006E81D000-memory.dmp
                Filesize

                1.5MB

                Download
              • memory/1944-294-0x00007FFC6A820000-0x00007FFC6AA29000-memory.dmp
                Filesize

                2.0MB

                Download
              • memory/1944-293-0x000000006E6A0000-0x000000006E81D000-memory.dmp
                Filesize

                1.5MB

                Download
              • memory/1944-287-0x0000000000400000-0x0000000000AC3000-memory.dmp
                Filesize

                6.8MB

                Download
              • memory/2056-344-0x000000006E6A0000-0x000000006E81D000-memory.dmp
                Filesize

                1.5MB

                Download
              • memory/2056-338-0x0000000000400000-0x0000000000AC3000-memory.dmp
                Filesize

                6.8MB

                Download
              • memory/2056-346-0x000000006E6A0000-0x000000006E81D000-memory.dmp
                Filesize

                1.5MB

                Download
              • memory/2056-345-0x00007FFC6A820000-0x00007FFC6AA29000-memory.dmp
                Filesize

                2.0MB

                Download
              • memory/2268-262-0x00007FFC6A820000-0x00007FFC6AA29000-memory.dmp
                Filesize

                2.0MB

                Download
              • memory/2452-264-0x0000000071A90000-0x0000000072DA7000-memory.dmp
                Filesize

                19.1MB

                Download
              • memory/2524-7-0x0000000073FE0000-0x000000007415D000-memory.dmp
                Filesize

                1.5MB

                Download
              • memory/2524-0-0x00000000011F0000-0x00000000011F1000-memory.dmp
                Filesize

                4KB

                Download
              • memory/2524-1-0x0000000000400000-0x0000000000AC3000-memory.dmp
                Filesize

                6.8MB

                Download
              • memory/2524-8-0x00007FFC6A820000-0x00007FFC6AA29000-memory.dmp
                Filesize

                2.0MB

                Download
              • memory/2524-10-0x0000000073FE0000-0x000000007415D000-memory.dmp
                Filesize

                1.5MB

                Download
              • memory/2524-9-0x0000000073FF2000-0x0000000073FF4000-memory.dmp
                Filesize

                8KB

                Download
              • memory/2524-11-0x0000000073FE0000-0x000000007415D000-memory.dmp
                Filesize

                1.5MB

                Download
              • memory/3080-250-0x0000000000400000-0x0000000000AC3000-memory.dmp
                Filesize

                6.8MB

                Download
              • memory/3080-257-0x00007FFC6A820000-0x00007FFC6AA29000-memory.dmp
                Filesize

                2.0MB

                Download
              • memory/3080-258-0x000000006E6A0000-0x000000006E81D000-memory.dmp
                Filesize

                1.5MB

                Download
              • memory/3080-256-0x000000006E6A0000-0x000000006E81D000-memory.dmp
                Filesize

                1.5MB

                Download
              • memory/3168-329-0x000000006E6A0000-0x000000006E81D000-memory.dmp
                Filesize

                1.5MB

                Download
              • memory/3168-328-0x00007FFC6A820000-0x00007FFC6AA29000-memory.dmp
                Filesize

                2.0MB

                Download
              • memory/3168-327-0x000000006E6A0000-0x000000006E81D000-memory.dmp
                Filesize

                1.5MB

                Download
              • memory/3168-321-0x0000000000400000-0x0000000000AC3000-memory.dmp
                Filesize

                6.8MB

                Download
              • memory/3276-317-0x0000000071A90000-0x0000000072DA7000-memory.dmp
                Filesize

                19.1MB

                Download
              • memory/3296-333-0x00007FFC6A820000-0x00007FFC6AA29000-memory.dmp
                Filesize

                2.0MB

                Download
              • memory/4012-22-0x0000000073FEE000-0x0000000073FF0000-memory.dmp
                Filesize

                8KB

                Download
              • memory/4012-14-0x0000000073FE1000-0x0000000073FEF000-memory.dmp
                Filesize

                56KB

                Download
              • memory/4012-16-0x00007FFC6A820000-0x00007FFC6AA29000-memory.dmp
                Filesize

                2.0MB

                Download
              • memory/4012-19-0x0000000073FE1000-0x0000000073FEF000-memory.dmp
                Filesize

                56KB

                Download
              • memory/4012-18-0x0000000073FEE000-0x0000000073FF2000-memory.dmp
                Filesize

                16KB

                Download
              • memory/4012-21-0x0000000073FE1000-0x0000000073FEF000-memory.dmp
                Filesize

                56KB

                Download
              • memory/4012-23-0x0000000073FE1000-0x0000000073FEF000-memory.dmp
                Filesize

                56KB

                Download
              • memory/4012-25-0x0000000073FE1000-0x0000000073FEF000-memory.dmp
                Filesize

                56KB

                Download
              • memory/4012-28-0x0000000073FEE000-0x0000000073FF2000-memory.dmp
                Filesize

                16KB

                Download
              • memory/4792-300-0x0000000071A90000-0x0000000072DA7000-memory.dmp
                Filesize

                19.1MB

                Download
              • memory/4804-282-0x0000000071A90000-0x0000000072DA7000-memory.dmp
                Filesize

                19.1MB

                Download
              • memory/5072-350-0x00007FFC6A820000-0x00007FFC6AA29000-memory.dmp
                Filesize

                2.0MB

                Download