sectoprat | b791f566ac178a53e80d08a3aad7b3b2d2dc762cc084e19d0fdc28c9d12473ec

General

Target

b791f566ac178a53e80d08a3aad7b3b2d2dc762cc084e19d0fdc28c9d12473ec.exe
Size

6.5MB
MD5

9286844b73ccb48854e1a603cd32a39d
SHA1

6919e99ed913abd39b377b875dba690b34e1ab65
SHA256

b791f566ac178a53e80d08a3aad7b3b2d2dc762cc084e19d0fdc28c9d12473ec
SHA512

e4bbb50e8e7098c3b33c1885afcd514084142f15c229ab9bbdb3cf873621fd9b8b560338379b3970be9a3c8ec93ea6441578dce7080c879c2c8761618159ba52
SSDEEP

98304:z/KaPjsr/EC+VfUyHEA+R1bByG+H1iV9RLafmbByG+H1iV9YbByG+H1iV9JT4o+x:Njsr/E/Vdy19k1iN39k1iU9k1iNfqOU

Score

10^/10

sectoprat persistence rat trojan

Malware Config

Signatures

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 7 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2852-2-0x0000000002410000-0x00000000024E8000-memory.dmp	family_sectoprat
behavioral1/memory/2020-16-0x0000000000090000-0x0000000000156000-memory.dmp	family_sectoprat
behavioral1/memory/2020-15-0x0000000000090000-0x0000000000156000-memory.dmp	family_sectoprat
behavioral1/memory/2020-13-0x0000000000090000-0x0000000000156000-memory.dmp	family_sectoprat
behavioral1/memory/2020-11-0x0000000000090000-0x0000000000156000-memory.dmp	family_sectoprat
behavioral1/memory/2020-9-0x0000000000090000-0x0000000000156000-memory.dmp	family_sectoprat
behavioral1/memory/2852-17-0x0000000002410000-0x00000000024E8000-memory.dmp	family_sectoprat

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

b791f566ac178a53e80d08a3aad7b3b2d2dc762cc084e19d0fdc28c9d12473ec.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\ = "C:\\ProgramData\\3Q8Szx5vLnKmK4J5\\fix.vbs"	b791f566ac178a53e80d08a3aad7b3b2d2dc762cc084e19d0fdc28c9d12473ec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

3 pastebin.com
4 pastebin.com

flow	ioc
3	pastebin.com
4	pastebin.com

Suspicious use of SetThreadContext 1 IoCs

Processes:

b791f566ac178a53e80d08a3aad7b3b2d2dc762cc084e19d0fdc28c9d12473ec.exe

description	pid	process	target process
PID 2852 set thread context of 2020	2852	b791f566ac178a53e80d08a3aad7b3b2d2dc762cc084e19d0fdc28c9d12473ec.exe	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RegAsm.exe

description pid process

Token: SeDebugPrivilege 2020 RegAsm.exe

description	pid	process
Token: SeDebugPrivilege	2020	RegAsm.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

b791f566ac178a53e80d08a3aad7b3b2d2dc762cc084e19d0fdc28c9d12473ec.exe

description	pid	process	target process
PID 2852 wrote to memory of 2020	2852	b791f566ac178a53e80d08a3aad7b3b2d2dc762cc084e19d0fdc28c9d12473ec.exe	RegAsm.exe
PID 2852 wrote to memory of 2020	2852	b791f566ac178a53e80d08a3aad7b3b2d2dc762cc084e19d0fdc28c9d12473ec.exe	RegAsm.exe
PID 2852 wrote to memory of 2020	2852	b791f566ac178a53e80d08a3aad7b3b2d2dc762cc084e19d0fdc28c9d12473ec.exe	RegAsm.exe
PID 2852 wrote to memory of 2020	2852	b791f566ac178a53e80d08a3aad7b3b2d2dc762cc084e19d0fdc28c9d12473ec.exe	RegAsm.exe
PID 2852 wrote to memory of 2020	2852	b791f566ac178a53e80d08a3aad7b3b2d2dc762cc084e19d0fdc28c9d12473ec.exe	RegAsm.exe
PID 2852 wrote to memory of 2020	2852	b791f566ac178a53e80d08a3aad7b3b2d2dc762cc084e19d0fdc28c9d12473ec.exe	RegAsm.exe
PID 2852 wrote to memory of 2020	2852	b791f566ac178a53e80d08a3aad7b3b2d2dc762cc084e19d0fdc28c9d12473ec.exe	RegAsm.exe
PID 2852 wrote to memory of 2020	2852	b791f566ac178a53e80d08a3aad7b3b2d2dc762cc084e19d0fdc28c9d12473ec.exe	RegAsm.exe
PID 2852 wrote to memory of 2020	2852	b791f566ac178a53e80d08a3aad7b3b2d2dc762cc084e19d0fdc28c9d12473ec.exe	RegAsm.exe
PID 2852 wrote to memory of 2020	2852	b791f566ac178a53e80d08a3aad7b3b2d2dc762cc084e19d0fdc28c9d12473ec.exe	RegAsm.exe
PID 2852 wrote to memory of 2020	2852	b791f566ac178a53e80d08a3aad7b3b2d2dc762cc084e19d0fdc28c9d12473ec.exe	RegAsm.exe
PID 2852 wrote to memory of 2020	2852	b791f566ac178a53e80d08a3aad7b3b2d2dc762cc084e19d0fdc28c9d12473ec.exe	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\b791f566ac178a53e80d08a3aad7b3b2d2dc762cc084e19d0fdc28c9d12473ec.exe
"C:\Users\Admin\AppData\Local\Temp\b791f566ac178a53e80d08a3aad7b3b2d2dc762cc084e19d0fdc28c9d12473ec.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2852

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2020-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2020-5-0x0000000000090000-0x0000000000156000-memory.dmp

Filesize
792KB

Download
memory/2020-7-0x0000000000090000-0x0000000000156000-memory.dmp

Filesize
792KB

Download
memory/2020-16-0x0000000000090000-0x0000000000156000-memory.dmp

Filesize
792KB

Download
memory/2020-15-0x0000000000090000-0x0000000000156000-memory.dmp

Filesize
792KB

Download
memory/2020-13-0x0000000000090000-0x0000000000156000-memory.dmp

Filesize
792KB

Download
memory/2020-11-0x0000000000090000-0x0000000000156000-memory.dmp

Filesize
792KB

Download
memory/2020-9-0x0000000000090000-0x0000000000156000-memory.dmp

Filesize
792KB

Download
memory/2852-2-0x0000000002410000-0x00000000024E8000-memory.dmp

Filesize
864KB

Download
memory/2852-14-0x0000000000400000-0x0000000000ACC000-memory.dmp

Filesize
6.8MB

Download
memory/2852-17-0x0000000002410000-0x00000000024E8000-memory.dmp

Filesize
864KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads