Overview

overview

10

Static

static

1

SendBugReportNew.exe

windows7-x64

10

SendBugReportNew.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    133s
  • max time network
    135s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
  • submitted
    21-07-2024 13:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SendBugReportNew.exe

  • Size

    1.3MB

  • MD5

    58717509c1521eacfcc7cda39e6bd45c

  • SHA1

    5102dc3a82e8a2710ac67521f85f43f5296b5045

  • SHA256

    d76d0650b630fdb70756a446e0a43672b5da1c2a74014118b02133923305da9a

  • SHA512

    c637c2960b8a0bc111b408af05a0879d9a10f05d802ee7b8b9f115cb54606f76f4475375cecfa9fdb0518be0340b2c5bd23f8fe100dc21db88287a9227c0e69f

  • SSDEEP

    24576:NpzWZ5CkBgB9IxAr7BptfYfG1inqCi2BZbqvWmAUlddWdBMTvNisj273HY:85CkyBbr7vbgHi2HAYwT1H274

Score
10/10
sectopratratspywaretrojan

Malware Config

Signatures

  • SectopRAT

    SectopRAT is a remote access trojan first seen in November 2019.

    trojanratsectoprat
  • SectopRAT payload 1 IoCs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Suspicious use of SetThreadContext 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious behavior: MapViewOfSection 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SendBugReportNew.exe
    "C:\Users\Admin\AppData\Local\Temp\SendBugReportNew.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2416
    • C:\Users\Admin\AppData\Roaming\Aprsvc_dbg\SendBugReportNew.exe
      C:\Users\Admin\AppData\Roaming\Aprsvc_dbg\SendBugReportNew.exe
      2⤵
      • Suspicious use of SetThreadContext
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:1932
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\SysWOW64\cmd.exe
        3⤵
        • Suspicious use of SetThreadContext
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:2380
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
          C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:236

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\d70350ef
    Filesize

    1.4MB

    MD5

    9ad16c0cef31d1dc960f827994734297

    SHA1

    76d25eda9401aeb7a60c088ff5481174087b313c

    SHA256

    68f3353fe82c333a4dfaf73be05c539ee4d46d92bc786fc97b6129a1e5aef9cb

    SHA512

    8c41269f1d22043c3d0efc4aa4d53039b36da5069b7981219fbfc8d7ac1fe4af57d33d82999b568c5b4f724c47869968105c0c3c0a0675d9654762c7e3a76f84

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\tmp6200.tmp
    Filesize

    20KB

    MD5

    c9ff7748d8fcef4cf84a5501e996a641

    SHA1

    02867e5010f62f97ebb0cfb32cb3ede9449fe0c9

    SHA256

    4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988

    SHA512

    d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Aprsvc_dbg\SendBugReportNew.exe
    Filesize

    1.3MB

    MD5

    58717509c1521eacfcc7cda39e6bd45c

    SHA1

    5102dc3a82e8a2710ac67521f85f43f5296b5045

    SHA256

    d76d0650b630fdb70756a446e0a43672b5da1c2a74014118b02133923305da9a

    SHA512

    c637c2960b8a0bc111b408af05a0879d9a10f05d802ee7b8b9f115cb54606f76f4475375cecfa9fdb0518be0340b2c5bd23f8fe100dc21db88287a9227c0e69f

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Aprsvc_dbg\quartette.odp
    Filesize

    24KB

    MD5

    dc8b747af5a4a6f530933d0d204306cc

    SHA1

    0577922289562a05082ea5ff5ddc0169c4174615

    SHA256

    d8f4dd80780a30fc288f02bae15bec50056b9becd3bf7e0973b65360828938f6

    SHA512

    5665d922e44dad98764cb72911830ee89687a801564c5349b7fcda1b5423413c0e5740381e0f998cf23bbe60a9bbeda6606d5c2bc660d84bd74260439960ec50

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Aprsvc_dbg\quaternary.dwg
    Filesize

    1.2MB

    MD5

    63f2bc904f3f7ce92603300cebc3d2fa

    SHA1

    3aaeca63b2a4a3d559c7222e618dcf5f97912713

    SHA256

    b74bb36aff597e53ad3ab3f5ac11ba2f25ff9b4bef8c3ea82f528bb44d34f16c

    SHA512

    65d342f422f17f021e481d4e6262980a03a533a5b98b0c8be6791b9cdcbfc977dee71ab8b5f4a2532f084e8c18adac3b4ea75a5fd501603fcab2ab62ae4ee45b

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Aprsvc_dbg\rtl120.bpl
    Filesize

    1.1MB

    MD5

    e71e48e31ac728a6de7c020645f0c32f

    SHA1

    7f86eadd1b7a0ab87b7ce7c2029bdef3d6fe1d8d

    SHA256

    40a1d1a2f276738f568700ddccac99cdcd35b973fc8be86ab826c0d1abc9d6ff

    SHA512

    5e41dbe7efac8a042a14c2f976d1afcd45e3f7531fb60daab61ac17ffd339d34e1c6746fce9e4b591b026598a89e38f36c6d24e33e2de0b39d81806259f9be2a

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Aprsvc_dbg\vclx120.bpl
    Filesize

    223KB

    MD5

    8aaa3926885b3fa7ae0448f5e700cb79

    SHA1

    47bd7d281ddde5ebef8599482212743bf2f7e67b

    SHA256

    47396c301fbe78bfaf9e344936a0f7a4e6d174c096f847e160d822e48012162d

    SHA512

    86d395ca89ec2a988f035ecb32640ddac99247e2568673246388fe310e8c3a44807049e8f3482fae86c453d5e3529a8f2daf8614a1086b6d979e64fd917bbe3a

    Download Submit
  • \Users\Admin\AppData\Roaming\Aprsvc_dbg\vcl120.bpl
    Filesize

    1.9MB

    MD5

    a71bbdfc5c36bdd147abd55a778a63b6

    SHA1

    7416783dce8fe1963e20fd527c1b8e1ab30ef83c

    SHA256

    8c6ff2c73cb991db66ecab6de2214f39c1ae1e8138bde88168daa04be077ef48

    SHA512

    193fef09a77711d6f38ff52b4316948b274c4484c6f4556e55a13db32cee79549ff71cbb59965ccd560f81c43295625016e9bdcefe8f6ac5554746e021d3f66f

    Download Submit
  • memory/236-90-0x0000000000400000-0x00000000004C6000-memory.dmp
    Filesize

    792KB

    Download
  • memory/236-86-0x0000000072920000-0x0000000073982000-memory.dmp
    Filesize

    16.4MB

    Download
  • memory/236-89-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp
    Filesize

    4KB

    Download
  • memory/236-88-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1932-26-0x00000000746E2000-0x00000000746E4000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1932-32-0x0000000050120000-0x000000005030D000-memory.dmp
    Filesize

    1.9MB

    Download
  • memory/1932-25-0x00000000773A0000-0x0000000077549000-memory.dmp
    Filesize

    1.7MB

    Download
  • memory/1932-27-0x00000000746D0000-0x0000000074844000-memory.dmp
    Filesize

    1.5MB

    Download
  • memory/1932-28-0x00000000746D0000-0x0000000074844000-memory.dmp
    Filesize

    1.5MB

    Download
  • memory/1932-31-0x0000000050000000-0x0000000050116000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/1932-24-0x00000000746D0000-0x0000000074844000-memory.dmp
    Filesize

    1.5MB

    Download
  • memory/1932-33-0x0000000050310000-0x0000000050349000-memory.dmp
    Filesize

    228KB

    Download
  • memory/2380-34-0x00000000746D0000-0x0000000074844000-memory.dmp
    Filesize

    1.5MB

    Download
  • memory/2380-36-0x00000000773A0000-0x0000000077549000-memory.dmp
    Filesize

    1.7MB

    Download
  • memory/2380-83-0x00000000746D0000-0x0000000074844000-memory.dmp
    Filesize

    1.5MB

    Download
  • memory/2380-84-0x00000000746D0000-0x0000000074844000-memory.dmp
    Filesize

    1.5MB

    Download
  • memory/2380-87-0x00000000746D0000-0x0000000074844000-memory.dmp
    Filesize

    1.5MB

    Download
  • memory/2416-0-0x00000000747C0000-0x0000000074934000-memory.dmp
    Filesize

    1.5MB

    Download
  • memory/2416-14-0x0000000050000000-0x0000000050116000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/2416-11-0x0000000000400000-0x0000000000585000-memory.dmp
    Filesize

    1.5MB

    Download
  • memory/2416-16-0x0000000050120000-0x000000005030D000-memory.dmp
    Filesize

    1.9MB

    Download
  • memory/2416-18-0x0000000050310000-0x0000000050349000-memory.dmp
    Filesize

    228KB

    Download
  • memory/2416-1-0x00000000773A0000-0x0000000077549000-memory.dmp
    Filesize

    1.7MB

    Download