Overview

overview

10

Static

static

1

SendBugReportNew.exe

windows7-x64

10

SendBugReportNew.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21-07-2024 13:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SendBugReportNew.exe

  • Size

    1.3MB

  • MD5

    58717509c1521eacfcc7cda39e6bd45c

  • SHA1

    5102dc3a82e8a2710ac67521f85f43f5296b5045

  • SHA256

    d76d0650b630fdb70756a446e0a43672b5da1c2a74014118b02133923305da9a

  • SHA512

    c637c2960b8a0bc111b408af05a0879d9a10f05d802ee7b8b9f115cb54606f76f4475375cecfa9fdb0518be0340b2c5bd23f8fe100dc21db88287a9227c0e69f

  • SSDEEP

    24576:NpzWZ5CkBgB9IxAr7BptfYfG1inqCi2BZbqvWmAUlddWdBMTvNisj273HY:85CkyBbr7vbgHi2HAYwT1H274

Score
10/10
sectopratratspywaretrojan

Malware Config

Signatures

  • SectopRAT

    SectopRAT is a remote access trojan first seen in November 2019.

    trojanratsectoprat
  • SectopRAT payload 1 IoCs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Suspicious use of SetThreadContext 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious behavior: MapViewOfSection 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SendBugReportNew.exe
    "C:\Users\Admin\AppData\Local\Temp\SendBugReportNew.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4356
    • C:\Users\Admin\AppData\Roaming\Aprsvc_dbg\SendBugReportNew.exe
      C:\Users\Admin\AppData\Roaming\Aprsvc_dbg\SendBugReportNew.exe
      2⤵
      • Suspicious use of SetThreadContext
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:3280
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\SysWOW64\cmd.exe
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:2788
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
          C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:3892

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\f8d1f55f
    Filesize

    1.4MB

    MD5

    97e201cf490983b59c5d19500284aec9

    SHA1

    0bd11a1abb28d0b020e8df6b9ef1c462b9976448

    SHA256

    9d1a953ade19892e1b3b2420e3299c18a1140ef8f6fcbcc0d74c58c52053e235

    SHA512

    18e6ffca14b70cda37dfeda8945bade0da4e526bf83bcad27abfbaab5cd1c262e22dc4377a900d41760dd5dbd92e0d0d16dc092f6efc44af9f66666e3593995e

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\tmp11FE.tmp
    Filesize

    20KB

    MD5

    a603e09d617fea7517059b4924b1df93

    SHA1

    31d66e1496e0229c6a312f8be05da3f813b3fa9e

    SHA256

    ccd15f9c7a997ae2b5320ea856c7efc54b5055254d41a443d21a60c39c565cb7

    SHA512

    eadb844a84f8a660c578a2f8e65ebcb9e0b9ab67422be957f35492ff870825a4b363f96fd1c546eaacfd518f6812fcf57268ef03c149e5b1a7af145c7100e2cc

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\tmp1230.tmp
    Filesize

    20KB

    MD5

    49693267e0adbcd119f9f5e02adf3a80

    SHA1

    3ba3d7f89b8ad195ca82c92737e960e1f2b349df

    SHA256

    d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f

    SHA512

    b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Aprsvc_dbg\SendBugReportNew.exe
    Filesize

    1.3MB

    MD5

    58717509c1521eacfcc7cda39e6bd45c

    SHA1

    5102dc3a82e8a2710ac67521f85f43f5296b5045

    SHA256

    d76d0650b630fdb70756a446e0a43672b5da1c2a74014118b02133923305da9a

    SHA512

    c637c2960b8a0bc111b408af05a0879d9a10f05d802ee7b8b9f115cb54606f76f4475375cecfa9fdb0518be0340b2c5bd23f8fe100dc21db88287a9227c0e69f

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Aprsvc_dbg\quartette.odp
    Filesize

    24KB

    MD5

    dc8b747af5a4a6f530933d0d204306cc

    SHA1

    0577922289562a05082ea5ff5ddc0169c4174615

    SHA256

    d8f4dd80780a30fc288f02bae15bec50056b9becd3bf7e0973b65360828938f6

    SHA512

    5665d922e44dad98764cb72911830ee89687a801564c5349b7fcda1b5423413c0e5740381e0f998cf23bbe60a9bbeda6606d5c2bc660d84bd74260439960ec50

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Aprsvc_dbg\quaternary.dwg
    Filesize

    1.2MB

    MD5

    63f2bc904f3f7ce92603300cebc3d2fa

    SHA1

    3aaeca63b2a4a3d559c7222e618dcf5f97912713

    SHA256

    b74bb36aff597e53ad3ab3f5ac11ba2f25ff9b4bef8c3ea82f528bb44d34f16c

    SHA512

    65d342f422f17f021e481d4e6262980a03a533a5b98b0c8be6791b9cdcbfc977dee71ab8b5f4a2532f084e8c18adac3b4ea75a5fd501603fcab2ab62ae4ee45b

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Aprsvc_dbg\rtl120.bpl
    Filesize

    1.1MB

    MD5

    e71e48e31ac728a6de7c020645f0c32f

    SHA1

    7f86eadd1b7a0ab87b7ce7c2029bdef3d6fe1d8d

    SHA256

    40a1d1a2f276738f568700ddccac99cdcd35b973fc8be86ab826c0d1abc9d6ff

    SHA512

    5e41dbe7efac8a042a14c2f976d1afcd45e3f7531fb60daab61ac17ffd339d34e1c6746fce9e4b591b026598a89e38f36c6d24e33e2de0b39d81806259f9be2a

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Aprsvc_dbg\vcl120.bpl
    Filesize

    1.9MB

    MD5

    a71bbdfc5c36bdd147abd55a778a63b6

    SHA1

    7416783dce8fe1963e20fd527c1b8e1ab30ef83c

    SHA256

    8c6ff2c73cb991db66ecab6de2214f39c1ae1e8138bde88168daa04be077ef48

    SHA512

    193fef09a77711d6f38ff52b4316948b274c4484c6f4556e55a13db32cee79549ff71cbb59965ccd560f81c43295625016e9bdcefe8f6ac5554746e021d3f66f

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Aprsvc_dbg\vclx120.bpl
    Filesize

    223KB

    MD5

    8aaa3926885b3fa7ae0448f5e700cb79

    SHA1

    47bd7d281ddde5ebef8599482212743bf2f7e67b

    SHA256

    47396c301fbe78bfaf9e344936a0f7a4e6d174c096f847e160d822e48012162d

    SHA512

    86d395ca89ec2a988f035ecb32640ddac99247e2568673246388fe310e8c3a44807049e8f3482fae86c453d5e3529a8f2daf8614a1086b6d979e64fd917bbe3a

    Download Submit
  • memory/2788-35-0x0000000074D10000-0x0000000074E8B000-memory.dmp
    Filesize

    1.5MB

    Download
  • memory/2788-41-0x0000000074D10000-0x0000000074E8B000-memory.dmp
    Filesize

    1.5MB

    Download
  • memory/2788-40-0x0000000074D10000-0x0000000074E8B000-memory.dmp
    Filesize

    1.5MB

    Download
  • memory/2788-37-0x00007FFD634B0000-0x00007FFD636A5000-memory.dmp
    Filesize

    2.0MB

    Download
  • memory/2788-43-0x0000000074D10000-0x0000000074E8B000-memory.dmp
    Filesize

    1.5MB

    Download
  • memory/3280-32-0x0000000050000000-0x0000000050116000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/3280-25-0x0000000074D10000-0x0000000074E8B000-memory.dmp
    Filesize

    1.5MB

    Download
  • memory/3280-29-0x0000000074D10000-0x0000000074E8B000-memory.dmp
    Filesize

    1.5MB

    Download
  • memory/3280-34-0x0000000050310000-0x0000000050349000-memory.dmp
    Filesize

    228KB

    Download
  • memory/3280-28-0x0000000074D10000-0x0000000074E8B000-memory.dmp
    Filesize

    1.5MB

    Download
  • memory/3280-33-0x0000000050120000-0x000000005030D000-memory.dmp
    Filesize

    1.9MB

    Download
  • memory/3280-27-0x0000000074D22000-0x0000000074D24000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3280-31-0x0000000000400000-0x0000000000585000-memory.dmp
    Filesize

    1.5MB

    Download
  • memory/3280-26-0x00007FFD634B0000-0x00007FFD636A5000-memory.dmp
    Filesize

    2.0MB

    Download
  • memory/3892-48-0x0000000004BE0000-0x0000000004C72000-memory.dmp
    Filesize

    584KB

    Download
  • memory/3892-51-0x0000000004D00000-0x0000000004D76000-memory.dmp
    Filesize

    472KB

    Download
  • memory/3892-83-0x0000000000BD0000-0x0000000000C0C000-memory.dmp
    Filesize

    240KB

    Download
  • memory/3892-82-0x00000000008E0000-0x00000000008F2000-memory.dmp
    Filesize

    72KB

    Download
  • memory/3892-44-0x00000000731D0000-0x0000000074424000-memory.dmp
    Filesize

    18.3MB

    Download
  • memory/3892-47-0x0000000000520000-0x00000000005E6000-memory.dmp
    Filesize

    792KB

    Download
  • memory/3892-80-0x0000000007890000-0x000000000789A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/3892-49-0x0000000005230000-0x00000000057D4000-memory.dmp
    Filesize

    5.6MB

    Download
  • memory/3892-50-0x0000000004FD0000-0x0000000005192000-memory.dmp
    Filesize

    1.8MB

    Download
  • memory/3892-56-0x0000000005A70000-0x0000000005AD6000-memory.dmp
    Filesize

    408KB

    Download
  • memory/3892-52-0x0000000004D80000-0x0000000004DD0000-memory.dmp
    Filesize

    320KB

    Download
  • memory/3892-53-0x0000000004C90000-0x0000000004C9A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/3892-54-0x0000000005E10000-0x000000000633C000-memory.dmp
    Filesize

    5.2MB

    Download
  • memory/3892-55-0x0000000005980000-0x000000000599E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/4356-10-0x0000000050000000-0x0000000050116000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/4356-9-0x0000000000400000-0x0000000000585000-memory.dmp
    Filesize

    1.5MB

    Download
  • memory/4356-1-0x00007FFD634B0000-0x00007FFD636A5000-memory.dmp
    Filesize

    2.0MB

    Download
  • memory/4356-0-0x0000000074D10000-0x0000000074E8B000-memory.dmp
    Filesize

    1.5MB

    Download
  • memory/4356-12-0x0000000050120000-0x000000005030D000-memory.dmp
    Filesize

    1.9MB

    Download
  • memory/4356-13-0x0000000050310000-0x0000000050349000-memory.dmp
    Filesize

    228KB

    Download