sectoprat | 84e1dc5203b40434e0bfa3320ce622bc3e14d3846a5447a1533ed6fabfffb6f6

Analysis

max time kernel
1183s
max time network
1196s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
02-07-2024 18:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

LatencyMon.exe
Size

3.8MB
MD5

b5934aadb33c3458d522c40be73b2c05
SHA1

f484499f7ee91897a7e51743c17c173c409333a4
SHA256

84e1dc5203b40434e0bfa3320ce622bc3e14d3846a5447a1533ed6fabfffb6f6
SHA512

a91251797be880e95b953909a9d687a54b99eb624a4c3091ca3e1bd6a03948fe7cb8f0a8f72a525cca28c579a8ec1a2c9a8076ad8c403a9da770ab2f8a4bc41b
SSDEEP

98304:sVOXR0YaZN+KbaUYLr3p9AN41tBOKUTBXGx/eAG:kc0YaLXOr3fAu1tLUha/NG

Score

10^/10

sectoprat rat trojan

Malware Config

Signatures

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 1 IoCs

Processes:

resource	yara_rule
behavioral3/memory/1880-65-0x0000000001170000-0x0000000001236000-memory.dmp	family_sectoprat

Executes dropped EXE 3 IoCs

Processes:

LatencyMon.exeRttHlp.exeRttHlp.exe

pid process

1372 LatencyMon.exe
2488 RttHlp.exe
5020 RttHlp.exe
Loads dropped DLL 9 IoCs

Processes:

LatencyMon.exeRttHlp.exeRttHlp.exe

pid process

1372 LatencyMon.exe
2488 RttHlp.exe
2488 RttHlp.exe
2488 RttHlp.exe
5020 RttHlp.exe
5020 RttHlp.exe
5020 RttHlp.exe
5020 RttHlp.exe
5020 RttHlp.exe
Suspicious use of SetThreadContext 2 IoCs

Processes:

RttHlp.execmd.exe

description pid process target process

PID 5020 set thread context of 4512 5020 RttHlp.exe cmd.exe
PID 4512 set thread context of 1880 4512 cmd.exe MSBuild.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

RttHlp.exeRttHlp.execmd.exe

pid process

2488 RttHlp.exe
5020 RttHlp.exe
5020 RttHlp.exe
4512 cmd.exe
4512 cmd.exe
Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

RttHlp.execmd.exe

pid process

5020 RttHlp.exe
4512 cmd.exe
4512 cmd.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

MSBuild.exe

description pid process

Token: SeDebugPrivilege 1880 MSBuild.exe

pid	process
1372	LatencyMon.exe
2488	RttHlp.exe
5020	RttHlp.exe

pid	process
1372	LatencyMon.exe
2488	RttHlp.exe
2488	RttHlp.exe
2488	RttHlp.exe
5020	RttHlp.exe
5020	RttHlp.exe
5020	RttHlp.exe
5020	RttHlp.exe
5020	RttHlp.exe

description	pid	process	target process
PID 5020 set thread context of 4512	5020	RttHlp.exe	cmd.exe
PID 4512 set thread context of 1880	4512	cmd.exe	MSBuild.exe

pid	process
2488	RttHlp.exe
5020	RttHlp.exe
5020	RttHlp.exe
4512	cmd.exe
4512	cmd.exe

pid	process
5020	RttHlp.exe
4512	cmd.exe
4512	cmd.exe

description	pid	process
Token: SeDebugPrivilege	1880	MSBuild.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

LatencyMon.exeLatencyMon.exeRttHlp.exeRttHlp.execmd.exe

description	pid	process	target process
PID 972 wrote to memory of 1372	972	LatencyMon.exe	LatencyMon.exe
PID 972 wrote to memory of 1372	972	LatencyMon.exe	LatencyMon.exe
PID 972 wrote to memory of 1372	972	LatencyMon.exe	LatencyMon.exe
PID 1372 wrote to memory of 2488	1372	LatencyMon.exe	RttHlp.exe
PID 1372 wrote to memory of 2488	1372	LatencyMon.exe	RttHlp.exe
PID 1372 wrote to memory of 2488	1372	LatencyMon.exe	RttHlp.exe
PID 2488 wrote to memory of 5020	2488	RttHlp.exe	RttHlp.exe
PID 2488 wrote to memory of 5020	2488	RttHlp.exe	RttHlp.exe
PID 2488 wrote to memory of 5020	2488	RttHlp.exe	RttHlp.exe
PID 5020 wrote to memory of 4512	5020	RttHlp.exe	cmd.exe
PID 5020 wrote to memory of 4512	5020	RttHlp.exe	cmd.exe
PID 5020 wrote to memory of 4512	5020	RttHlp.exe	cmd.exe
PID 5020 wrote to memory of 4512	5020	RttHlp.exe	cmd.exe
PID 4512 wrote to memory of 1880	4512	cmd.exe	MSBuild.exe
PID 4512 wrote to memory of 1880	4512	cmd.exe	MSBuild.exe
PID 4512 wrote to memory of 1880	4512	cmd.exe	MSBuild.exe
PID 4512 wrote to memory of 1880	4512	cmd.exe	MSBuild.exe
PID 4512 wrote to memory of 1880	4512	cmd.exe	MSBuild.exe

C:\Users\Admin\AppData\Local\Temp\LatencyMon.exe
"C:\Users\Admin\AppData\Local\Temp\LatencyMon.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:972

C:\Windows\TEMP\{B59A7F73-3D68-47C4-9D52-4F071B1E47AE}\.cr\LatencyMon.exe
"C:\Windows\TEMP\{B59A7F73-3D68-47C4-9D52-4F071B1E47AE}\.cr\LatencyMon.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\LatencyMon.exe" -burn.filehandle.attached=724 -burn.filehandle.self=720
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1372

C:\Windows\TEMP\{E048B0B9-2FB3-4A57-9353-8C5ADACAB79B}\.ba\RttHlp.exe
"C:\Windows\TEMP\{E048B0B9-2FB3-4A57-9353-8C5ADACAB79B}\.ba\RttHlp.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2488

C:\Users\Admin\AppData\Roaming\exploreDaemonZL\RttHlp.exe
C:\Users\Admin\AppData\Roaming\exploreDaemonZL\RttHlp.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:5020

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe
5⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4512

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:1880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\59a6ea41

Filesize
1.4MB

MD5
28de72dba3da6e0dfb4941523cdf41c8

SHA1
27e4975aa3eb789e9899e9eca06ca329cf78f19d

SHA256
0cc91e1c2f9a6d9d5c87030a993ed7c111f8d172936615c2b836af12d962ae31

SHA512
0a4fbfecc8d9dc7138ab5a9ed72b12bea88a37acd9999a9dd2f45bed841e4f4f7a12ce20b2319eaf9c935743558ba26949a5725d8ec2ad79ae8946555ab791a9

Download Submit
C:\Windows\TEMP\{E048B0B9-2FB3-4A57-9353-8C5ADACAB79B}\.ba\Register.dll

Filesize
1.0MB

MD5
40b9628354ef4e6ef3c87934575545f4

SHA1
8fb5da182dea64c842953bf72fc573a74adaa155

SHA256
372b14fce2eb35b264f6d4aeef7987da56d951d3a09ef866cf55ed72763caa12

SHA512
02b0ea82efbfbe2e7308f86bfbec7a5109f3fe91d42731812d2e46aebedce50aabc565d2da9d3fbcd0f46febbff49c534419d1a91e0c14d5a80f06b74888c641

Download Submit
C:\Windows\TEMP\{E048B0B9-2FB3-4A57-9353-8C5ADACAB79B}\.ba\buoyage.dmg

Filesize
57KB

MD5
3db1ea342242328adb0fb8273818adca

SHA1
3f77d4daa288b43e68cc2c7516b3a1ce6ab1daf2

SHA256
901c8417b895ff41e9370ff1b98ffe01a4cdc2d064802cf7bd6927e15fa42130

SHA512
3389dd71d87fb32c970f8eef7125156a01c6d9c36c2c5685a38a885172b1f0a9a107a0d9c873a13f29f9e934817635edb77f76871dae760042e1ca345df24e39

Download Submit
C:\Windows\TEMP\{E048B0B9-2FB3-4A57-9353-8C5ADACAB79B}\.ba\rtl120.bpl

Filesize
1.1MB

MD5
adf82ed333fb5567f8097c7235b0e17f

SHA1
e6ccaf016fc45edcdadeb40da64c207ddb33859f

SHA256
d6dd7a4f46f2cfde9c4eb9463b79d5ff90fc690da14672ba1da39708ee1b9b50

SHA512
2253c7b51317a3b5734025b6c7639105dbc81c340703718d679a00c13d40dd74ccaba1f6d04b21ee440f19e82ba680aa4b2a6a75c618aed91bd85a132be9fc92

Download Submit
C:\Windows\TEMP\{E048B0B9-2FB3-4A57-9353-8C5ADACAB79B}\.ba\sanicle.ini

Filesize
1.2MB

MD5
a3f856336a62843ff630f5ed9379f76a

SHA1
2577ce4f212beb1523686a1661b617d16ee95820

SHA256
98381b504cf5878f5a833a578ba91b219c7e132e366589ffa5c12c2397b0a1ea

SHA512
5bbdbad5712869ebbbc0f496553481d033885c7ef08b11e286bdf53042d458633f1794c04488d3ee2d6cc1a616768c0314d26a51a7b0f5f85c7ce79bf7d7b241

Download Submit
C:\Windows\Temp\{B59A7F73-3D68-47C4-9D52-4F071B1E47AE}\.cr\LatencyMon.exe

Filesize
3.5MB

MD5
ef3ab0d0dd34828d3705c01ee262328d

SHA1
a2bbeaff63737ed57224344c0f175cb0dcb1eaaa

SHA256
eb5dde75d692a5968cbef7eeeff57aaac5b1992855c2dd27091ef432d681097c

SHA512
e31d4d94cce19f9bfdb19ca88493a60846aec5341b4145c216df14491652079448c993f66960ce56638cc5b38087de5259490c0ed784c85488bb56b4e86ec39b

Download Submit
C:\Windows\Temp\{E048B0B9-2FB3-4A57-9353-8C5ADACAB79B}\.ba\Dietary.dll

Filesize
958KB

MD5
652e1a8e8faa840cb70f36f8bb4caff2

SHA1
abe2c3505e100a5002be7ff887fadd3002b5c6bd

SHA256
c18439f2289a9272d7f059309cd8fd70af6386433d6da20f6cdca1fcaf34d51f

SHA512
030ac302d84edd5825c35fa44412cc124df9ea05746c811350889e9a9237e2119e7f2ff3b0bc377d772c89f076dbc1c5bf0256ea3932f768b7d558d42467fb6b

Download Submit
C:\Windows\Temp\{E048B0B9-2FB3-4A57-9353-8C5ADACAB79B}\.ba\RttHlp.exe

Filesize
135KB

MD5
a2d70fbab5181a509369d96b682fc641

SHA1
22afcdc180400c4d2b9e5a6db2b8a26bff54dd38

SHA256
8aed681ad8d660257c10d2f0e85ae673184055a341901643f27afc38e5ef8473

SHA512
219c6e7e88004fad9f4392be9a852c58fc43b7f6900e40370991427f37eaea5c18f48d2954f9479dde8bcb787345f4e292d5620add8224aec4d93d7968820b83

Download Submit
C:\Windows\Temp\{E048B0B9-2FB3-4A57-9353-8C5ADACAB79B}\.ba\vcl120.bpl

Filesize
1.9MB

MD5
0184d10198c4c49f16c859add01f1f0c

SHA1
758f87da7b9b5d6bef999f80b1792daaf4a4f6f1

SHA256
ecd2e6bf1a52d0173cfdf5216c0484519a7d09da23667d31525f51b58908ee9b

SHA512
55c6d7a2e38990257f9edef710d23f0550f0f8e6f010020a09f22d81a80f92ea9330c9a835131513a467e9ed889a400500a186478dc9b2d5c55fed9b858a6ff7

Download Submit
memory/1880-70-0x0000000005B00000-0x0000000005B76000-memory.dmp

Filesize
472KB

Download
memory/1880-69-0x0000000005980000-0x00000000059D0000-memory.dmp

Filesize
320KB

Download
memory/1880-68-0x0000000005C50000-0x0000000005E12000-memory.dmp

Filesize
1.8MB

Download
memory/1880-67-0x0000000006030000-0x00000000065D6000-memory.dmp

Filesize
5.6MB

Download
memory/1880-66-0x00000000059E0000-0x0000000005A72000-memory.dmp

Filesize
584KB

Download
memory/1880-65-0x0000000001170000-0x0000000001236000-memory.dmp

Filesize
792KB

Download
memory/1880-62-0x0000000072660000-0x0000000073977000-memory.dmp

Filesize
19.1MB

Download
memory/2488-38-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2488-26-0x00007FF992700000-0x00007FF992909000-memory.dmp

Filesize
2.0MB

Download
memory/2488-45-0x0000000050120000-0x000000005030D000-memory.dmp

Filesize
1.9MB

Download
memory/2488-41-0x0000000050000000-0x0000000050116000-memory.dmp

Filesize
1.1MB

Download
memory/2488-25-0x0000000073980000-0x0000000073AFD000-memory.dmp

Filesize
1.5MB

Download
memory/4512-58-0x00007FF992700000-0x00007FF992909000-memory.dmp

Filesize
2.0MB

Download
memory/4512-60-0x0000000073980000-0x0000000073AFD000-memory.dmp

Filesize
1.5MB

Download
memory/5020-52-0x0000000073980000-0x0000000073AFD000-memory.dmp

Filesize
1.5MB

Download
memory/5020-55-0x0000000050000000-0x0000000050116000-memory.dmp

Filesize
1.1MB

Download
memory/5020-51-0x00007FF992700000-0x00007FF992909000-memory.dmp

Filesize
2.0MB

Download
memory/5020-49-0x0000000073980000-0x0000000073AFD000-memory.dmp

Filesize
1.5MB

Download