Analysis
Max time kernel: 144s
Max time network: 146s
Platform: windows7_x64
Resource: win7-20240708-en
Resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
Submitted: 24-08-2024 01:17
Static task: static1
Behavioral task: behavioral1
Sample: 6abb9de7f6c663e542cd3d7b481b0907566f8c2acdacc6178091dacc7891d2b2.exe
Resource: win7-20240708-en
General
Target: 6abb9de7f6c663e542cd3d7b481b0907566f8c2acdacc6178091dacc7891d2b2.exe
Size: 4.2MB
MD5: d9fc72797b06c9b700a6fed73d0304ef
SHA1: c90f6ef5e0840f9aaec9a26b1d10fedaa731bad6
SHA256: 6abb9de7f6c663e542cd3d7b481b0907566f8c2acdacc6178091dacc7891d2b2
SHA512: 3f1038154efbc1920994fde7943ea28cbea723a752a38268e680745e2f7064aad31226f9ea8f9e92645340ba72ff4dd5acec35685dca5692a5ff34c4f9471b63
SSDEEP: 98304:tfUb4zBmhCaLVK80qY7sUljNFSytleS3dDp58/YLOYEEBPFg7:tfUsECEnUljNEyf5yVYTBe7
Malware Config
Signatures

SectopRAT payload (1 IoC)
Processes:
  resource | yara_rule
  behavioral1/memory/2124-111-0x0000000000400000-0x00000000004C6000-memory.dmp | family_sectoprat
Credentials from Password Stores: Credentials from Web Browsers (1 TTP)
Malicious access to, or copying of, the web browser credential store.
Executes dropped EXE (3 IoCs)
Processes:
  pid | process
  1448 | 6abb9de7f6c663e542cd3d7b481b0907566f8c2acdacc6178091dacc7891d2b2.exe
  2900 | Newfts.exe
  3008 | Newfts.exe

Loads dropped DLL (9 IoCs)
Processes:
  pid | process
  2360 | 6abb9de7f6c663e542cd3d7b481b0907566f8c2acdacc6178091dacc7891d2b2.exe
  1448 | 6abb9de7f6c663e542cd3d7b481b0907566f8c2acdacc6178091dacc7891d2b2.exe
  1448 | 6abb9de7f6c663e542cd3d7b481b0907566f8c2acdacc6178091dacc7891d2b2.exe
  2900 | Newfts.exe
  2900 | Newfts.exe
  2900 | Newfts.exe
  3008 | Newfts.exe
  3008 | Newfts.exe
  2676 | cmd.exe
Suspicious use of SetThreadContext (2 IoCs)
Processes:
  description | pid | process | target process
  PID 3008 set thread context of 2676 | 3008 | Newfts.exe | cmd.exe
  PID 2676 set thread context of 2124 | 2676 | cmd.exe | MSBuild.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MSBuild.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 6abb9de7f6c663e542cd3d7b481b0907566f8c2acdacc6178091dacc7891d2b2.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 6abb9de7f6c663e542cd3d7b481b0907566f8c2acdacc6178091dacc7891d2b2.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Newfts.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Newfts.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Suspicious behavior: EnumeratesProcesses (6 IoCs)
Processes:
  pid | process
  2900 | Newfts.exe
  3008 | Newfts.exe
  3008 | Newfts.exe
  2676 | cmd.exe
  2676 | cmd.exe
  2124 | MSBuild.exe

Suspicious behavior: MapViewOfSection (3 IoCs)
Processes:
  pid | process
  3008 | Newfts.exe
  2676 | cmd.exe
  2676 | cmd.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  description | pid | process
  Token: SeDebugPrivilege | 2124 | MSBuild.exe

Suspicious use of SetWindowsHookEx (1 IoC)
Processes:
  pid | process
  2124 | MSBuild.exe
Suspicious use of WriteProcessMemory (26 IoCs)
Processes:
  description | pid | process | target process
  PID 2360 wrote to memory of 1448 | 2360 | 6abb9de7f6c663e542cd3d7b481b0907566f8c2acdacc6178091dacc7891d2b2.exe | 6abb9de7f6c663e542cd3d7b481b0907566f8c2acdacc6178091dacc7891d2b2.exe
  PID 2360 wrote to memory of 1448 | 2360 | 6abb9de7f6c663e542cd3d7b481b0907566f8c2acdacc6178091dacc7891d2b2.exe | 6abb9de7f6c663e542cd3d7b481b0907566f8c2acdacc6178091dacc7891d2b2.exe
  PID 2360 wrote to memory of 1448 | 2360 | 6abb9de7f6c663e542cd3d7b481b0907566f8c2acdacc6178091dacc7891d2b2.exe | 6abb9de7f6c663e542cd3d7b481b0907566f8c2acdacc6178091dacc7891d2b2.exe
  PID 2360 wrote to memory of 1448 | 2360 | 6abb9de7f6c663e542cd3d7b481b0907566f8c2acdacc6178091dacc7891d2b2.exe | 6abb9de7f6c663e542cd3d7b481b0907566f8c2acdacc6178091dacc7891d2b2.exe
  PID 2360 wrote to memory of 1448 | 2360 | 6abb9de7f6c663e542cd3d7b481b0907566f8c2acdacc6178091dacc7891d2b2.exe | 6abb9de7f6c663e542cd3d7b481b0907566f8c2acdacc6178091dacc7891d2b2.exe
  PID 2360 wrote to memory of 1448 | 2360 | 6abb9de7f6c663e542cd3d7b481b0907566f8c2acdacc6178091dacc7891d2b2.exe | 6abb9de7f6c663e542cd3d7b481b0907566f8c2acdacc6178091dacc7891d2b2.exe
  PID 2360 wrote to memory of 1448 | 2360 | 6abb9de7f6c663e542cd3d7b481b0907566f8c2acdacc6178091dacc7891d2b2.exe | 6abb9de7f6c663e542cd3d7b481b0907566f8c2acdacc6178091dacc7891d2b2.exe
  PID 1448 wrote to memory of 2900 | 1448 | 6abb9de7f6c663e542cd3d7b481b0907566f8c2acdacc6178091dacc7891d2b2.exe | Newfts.exe
  PID 1448 wrote to memory of 2900 | 1448 | 6abb9de7f6c663e542cd3d7b481b0907566f8c2acdacc6178091dacc7891d2b2.exe | Newfts.exe
  PID 1448 wrote to memory of 2900 | 1448 | 6abb9de7f6c663e542cd3d7b481b0907566f8c2acdacc6178091dacc7891d2b2.exe | Newfts.exe
  PID 1448 wrote to memory of 2900 | 1448 | 6abb9de7f6c663e542cd3d7b481b0907566f8c2acdacc6178091dacc7891d2b2.exe | Newfts.exe
  PID 2900 wrote to memory of 3008 | 2900 | Newfts.exe | Newfts.exe
  PID 2900 wrote to memory of 3008 | 2900 | Newfts.exe | Newfts.exe
  PID 2900 wrote to memory of 3008 | 2900 | Newfts.exe | Newfts.exe
  PID 2900 wrote to memory of 3008 | 2900 | Newfts.exe | Newfts.exe
  PID 3008 wrote to memory of 2676 | 3008 | Newfts.exe | cmd.exe
  PID 3008 wrote to memory of 2676 | 3008 | Newfts.exe | cmd.exe
  PID 3008 wrote to memory of 2676 | 3008 | Newfts.exe | cmd.exe
  PID 3008 wrote to memory of 2676 | 3008 | Newfts.exe | cmd.exe
  PID 3008 wrote to memory of 2676 | 3008 | Newfts.exe | cmd.exe
  PID 2676 wrote to memory of 2124 | 2676 | cmd.exe | MSBuild.exe
  PID 2676 wrote to memory of 2124 | 2676 | cmd.exe | MSBuild.exe
  PID 2676 wrote to memory of 2124 | 2676 | cmd.exe | MSBuild.exe
  PID 2676 wrote to memory of 2124 | 2676 | cmd.exe | MSBuild.exe
  PID 2676 wrote to memory of 2124 | 2676 | cmd.exe | MSBuild.exe
  PID 2676 wrote to memory of 2124 | 2676 | cmd.exe | MSBuild.exe
Processes (process tree; indentation shows parent/child depth)

1. C:\Users\Admin\AppData\Local\Temp\6abb9de7f6c663e542cd3d7b481b0907566f8c2acdacc6178091dacc7891d2b2.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\6abb9de7f6c663e542cd3d7b481b0907566f8c2acdacc6178091dacc7891d2b2.exe"
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   PID: 2360

   2. C:\Windows\Temp\{4DA78C20-D26C-4EF8-AD36-B8377B311090}\.cr\6abb9de7f6c663e542cd3d7b481b0907566f8c2acdacc6178091dacc7891d2b2.exe
      Command line: "C:\Windows\Temp\{4DA78C20-D26C-4EF8-AD36-B8377B311090}\.cr\6abb9de7f6c663e542cd3d7b481b0907566f8c2acdacc6178091dacc7891d2b2.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\6abb9de7f6c663e542cd3d7b481b0907566f8c2acdacc6178091dacc7891d2b2.exe" -burn.filehandle.attached=180 -burn.filehandle.self=188
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 1448

      3. C:\Windows\Temp\{F5D3168C-0B5E-4EFC-8A13-AC0945F168D7}\.ba\Newfts.exe
         Command line: "C:\Windows\Temp\{F5D3168C-0B5E-4EFC-8A13-AC0945F168D7}\.ba\Newfts.exe"
         - Executes dropped EXE
         - Loads dropped DLL
         - System Location Discovery: System Language Discovery
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of WriteProcessMemory
         PID: 2900

         4. C:\Users\Admin\AppData\Roaming\ControlAgent\Newfts.exe
            Command line: C:\Users\Admin\AppData\Roaming\ControlAgent\Newfts.exe
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious use of SetThreadContext
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: MapViewOfSection
            - Suspicious use of WriteProcessMemory
            PID: 3008

            5. C:\Windows\SysWOW64\cmd.exe
               Command line: C:\Windows\SysWOW64\cmd.exe
               - Loads dropped DLL
               - Suspicious use of SetThreadContext
               - System Location Discovery: System Language Discovery
               - Suspicious behavior: EnumeratesProcesses
               - Suspicious behavior: MapViewOfSection
               - Suspicious use of WriteProcessMemory
               PID: 2676

               6. C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                  Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                  - System Location Discovery: System Language Discovery
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious use of AdjustPrivilegeToken
                  - Suspicious use of SetWindowsHookEx
                  PID: 2124
Network
MITRE ATT&CK Enterprise v15