Analysis
- max time kernel: 132s
- max time network: 145s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24-08-2024 08:37

Static task: static1
Behavioral task: behavioral1
- Sample: 33690d81049c4d66fd256523068749816bc4124c7f74612820d48b530fc7ba35.exe
- Resource: win7-20240708-en
General
- Target: 33690d81049c4d66fd256523068749816bc4124c7f74612820d48b530fc7ba35.exe
- Size: 2.4MB
- MD5: 5d8015f50eea4c4dc4e99aa83da9fdf4
- SHA1: 6949d89a9357e01bd620e54683e68d50757a9985
- SHA256: 33690d81049c4d66fd256523068749816bc4124c7f74612820d48b530fc7ba35
- SHA512: 077b63d40bd74a22eace786f485de0657a5a33043ab697139990f110c6597c0b56008d4c1fcb0b5bdb1157fdddab4d16401fadebc36fb5dbcadbcada177c81b8
- SSDEEP: 49152:+pz3qVn+A4GA+B5ROpbmQFNioD77iabCv/+dZMETIUdffL/X/CH93YHLicHM:+p2p+HGA+B5Rybdv/u/aZHzH723YH0
Malware Config
Signatures
- SectopRAT payload (1 IoC)
  resource: behavioral2/memory/3148-72-0x0000000001360000-0x0000000001426000-memory.dmp
  yara_rule: family_sectoprat
  The match is on a memory dump of PID 3148 (MSBuild.exe), i.e. the SectopRAT body was observed unpacked inside the injected MSBuild.exe host at the end of the chain recorded below. The dump is filed under behavioral2, a task the header above does not list.

- Credentials from Password Stores: Credentials from Web Browsers (1 TTP)
  Malicious access to, or copy of, a web browser credential store.

- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely for geofencing.
  process: 33690d81049c4d66fd256523068749816bc4124c7f74612820d48b530fc7ba35.exe
  key value queried: \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation

- Executes dropped EXE (2 IoCs)
  PID 3336  Newfts.exe
  PID 1060  Newfts.exe

- Loads dropped DLL (8 IoCs)
  PID 3336  Newfts.exe  (4 loads)
  PID 1060  Newfts.exe  (4 loads)

- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

- Suspicious use of SetThreadContext (2 IoCs)
  PID 1060 (Newfts.exe) set thread context of PID 3516 (cmd.exe)
  PID 3516 (cmd.exe) set thread context of PID 3148 (MSBuild.exe)
  Both targets are child processes that the same source also wrote to (WriteProcessMemory below) and the sources also map sections (MapViewOfSection below). A memory write followed by a thread-context change on a freshly created child is the classic process-hollowing / thread-hijacking pattern; here the hosts are the Microsoft-signed cmd.exe and MSBuild.exe, which is why the RAT payload surfaces in MSBuild.exe memory.

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

- System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  by: cmd.exe, MSBuild.exe, 33690d81049c4d66fd256523068749816bc4124c7f74612820d48b530fc7ba35.exe, Newfts.exe, Newfts.exe

- Suspicious behavior: EnumeratesProcesses (15 IoCs)
  PID 3336 Newfts.exe (1), PID 1060 Newfts.exe (3), PID 3516 cmd.exe (4), PID 3148 MSBuild.exe (7)

- Suspicious behavior: MapViewOfSection (3 IoCs)
  PID 1060 Newfts.exe (1), PID 3516 cmd.exe (2)

- Suspicious use of AdjustPrivilegeToken (1 IoC)
  PID 3148 MSBuild.exe: Token SeDebugPrivilege

- Suspicious use of SetWindowsHookEx (1 IoC)
  PID 3148 MSBuild.exe

- Suspicious use of WriteProcessMemory (15 IoCs)
  PID 2768 (33690d81049c4d66fd256523068749816bc4124c7f74612820d48b530fc7ba35.exe) wrote to memory of PID 3336 (Newfts.exe)  x3
  PID 3336 (Newfts.exe) wrote to memory of PID 1060 (Newfts.exe)  x3
  PID 1060 (Newfts.exe) wrote to memory of PID 3516 (cmd.exe)  x4
  PID 3516 (cmd.exe) wrote to memory of PID 3148 (MSBuild.exe)  x5
Processes
- C:\Users\Admin\AppData\Local\Temp\33690d81049c4d66fd256523068749816bc4124c7f74612820d48b530fc7ba35.exe  (PID 2768)
  command line: "C:\Users\Admin\AppData\Local\Temp\33690d81049c4d66fd256523068749816bc4124c7f74612820d48b530fc7ba35.exe"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Newfts.exe  (PID 3336)
    command line: "C:\Users\Admin\AppData\Local\Temp\Newfts.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\ControlAgent\Newfts.exe  (PID 1060)
      command line: C:\Users\Admin\AppData\Roaming\ControlAgent\Newfts.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\cmd.exe  (PID 3516)
        command line: C:\Windows\SysWOW64\cmd.exe
        - Suspicious use of SetThreadContext
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of WriteProcessMemory
        - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe  (PID 3148)
          command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of SetWindowsHookEx
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 1132)
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3036,i,11251706013556949551,5157034131170452377,262144 --variations-seed-version --mojo-platform-channel-handle=4352 /prefetch:8
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3628)
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --field-trial-handle=2988,i,11251706013556949551,5157034131170452377,262144 --variations-seed-version --mojo-platform-channel-handle=3576 /prefetch:3
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 2016)
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --field-trial-handle=2952,i,11251706013556949551,5157034131170452377,262144 --variations-seed-version --mojo-platform-channel-handle=2336 /prefetch:8

Note that the hosts are C:\Windows\SysWOW64\cmd.exe and the Framework (not Framework64) MSBuild.exe, i.e. the 32-bit copies on this x64 image, matching the arch:x86 tag; the second Newfts.exe is a copy placed under AppData\Roaming\ControlAgent, and the command lines carry no arguments, so the staged code is delivered entirely through the memory writes recorded above.
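One way to reconstruct that chain mechanically from the tables and tree above, as an added example that is not part of the sandbox report or its tooling: the script below parses process-event records, finds the root injector (a source that was never itself a target), walks the WriteProcessMemory edges to the final host, and flags every target that received both a memory write and a thread-context change from the same source, which is the hollowing pattern. The records are transcribed from the report's WriteProcessMemory, SetThreadContext and MapViewOfSection entries, but the one-line record format and the list of Microsoft-signed host images are this example's own assumptions.

```python
"""Reconstruct an injection chain from sandbox process-event records (added example)."""
import re
from collections import defaultdict, namedtuple

Event = namedtuple("Event", "kind src_pid src_image dst_pid dst_image")

SAMPLE = "33690d81049c4d66fd256523068749816bc4124c7f74612820d48b530fc7ba35.exe"

# Constructed sample log: one record per line, transcribed from the report's
# WriteProcessMemory / SetThreadContext / MapViewOfSection tables. The
# "<api> <pid> <image> [-> <pid> <image>]" layout is this example's own.
SAMPLE_EVENTS = f"""
WriteProcessMemory 2768 {SAMPLE} -> 3336 Newfts.exe
WriteProcessMemory 3336 Newfts.exe -> 1060 Newfts.exe
WriteProcessMemory 1060 Newfts.exe -> 3516 cmd.exe
WriteProcessMemory 3516 cmd.exe -> 3148 MSBuild.exe
SetThreadContext 1060 Newfts.exe -> 3516 cmd.exe
SetThreadContext 3516 cmd.exe -> 3148 MSBuild.exe
MapViewOfSection 1060 Newfts.exe
MapViewOfSection 3516 cmd.exe
"""

# Microsoft-signed binaries a loader likes to hollow because they are already
# on disk and trusted by allow-lists (assumed list for this example).
SIGNED_HOST_IMAGES = {"cmd.exe", "msbuild.exe"}

_LINE = re.compile(r"^(\w+)\s+(\d+)\s+(\S+)(?:\s+->\s+(\d+)\s+(\S+))?$")


def parse_events(text):
    """Parse the record format above into Event tuples; dst fields are None for
    single-process APIs such as MapViewOfSection."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"unparseable record: {line!r}")
        kind, src, src_img, dst, dst_img = m.groups()
        events.append(Event(kind, int(src), src_img, int(dst) if dst else None, dst_img))
    return events


def find_hollowing(events):
    """A source that wrote into a target's memory AND redirected one of its
    threads: the WriteProcessMemory + SetThreadContext pair that process
    hollowing / thread hijacking relies on."""
    wrote = {(e.src_pid, e.dst_pid) for e in events if e.kind == "WriteProcessMemory"}
    return [(e.src_pid, e.src_image, e.dst_pid, e.dst_image)
            for e in events
            if e.kind == "SetThreadContext" and (e.src_pid, e.dst_pid) in wrote]


def hollowed_signed_hosts(events):
    """Hollowing targets whose image is a trusted Windows binary."""
    return [(dst, img) for _, _, dst, img in find_hollowing(events)
            if img.lower() in SIGNED_HOST_IMAGES]


def find_roots(events):
    """PIDs that inject into others but were never injected into themselves."""
    srcs = [e.src_pid for e in events if e.dst_pid is not None]
    dsts = {e.dst_pid for e in events if e.dst_pid is not None}
    roots = []
    for pid in srcs:
        if pid not in dsts and pid not in roots:
            roots.append(pid)
    return roots


def injection_paths(events, root_pid):
    """All root-to-leaf chains along WriteProcessMemory edges as (pid, image) lists."""
    children, images = defaultdict(list), {}
    for e in events:
        images[e.src_pid] = e.src_image
        if e.kind == "WriteProcessMemory":
            images[e.dst_pid] = e.dst_image
            if e.dst_pid not in children[e.src_pid]:
                children[e.src_pid].append(e.dst_pid)

    def walk(pid, seen):
        node = (pid, images[pid])
        nxt = [c for c in children.get(pid, []) if c not in seen]  # cycle guard
        if not nxt:
            return [[node]]
        return [[node] + tail for c in nxt for tail in walk(c, seen | {pid})]

    return walk(root_pid, frozenset())


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for root in find_roots(evs):
        for path in injection_paths(evs, root):
            print(" -> ".join(f"{img}({pid})" for pid, img in path))
    for src, src_img, dst, dst_img in find_hollowing(evs):
        print(f"hollowing candidate: {src_img}({src}) hijacked {dst_img}({dst})")
```

Run stand-alone it prints the single chain 33690d...exe(2768) -> Newfts.exe(3336) -> Newfts.exe(1060) -> cmd.exe(3516) -> MSBuild.exe(3148) and two hollowing candidates, cmd.exe and MSBuild.exe; the first two hops (2768 -> 3336 -> 1060) carry writes but no SetThreadContext, which matches the report, where those stages are plain dropper-to-dropped-child writes rather than hollowing.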
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 2B
  MD5: d751713988987e9331980363e24189ce
  SHA1: 97d170e1550eee4afc0af065b78cda302a97674c
  SHA256: 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
  SHA512: b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
  (These are the digests of the two-byte string "[]", an empty JSON array, not of a payload.)
- Filesize: 40B
  MD5: 20d4b8fa017a12a108c87f540836e250
  SHA1: 1ac617fac131262b6d3ce1f52f5907e31d5f6f00
  SHA256: 6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d
  SHA512: 507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856
- Filesize: 1.4MB
  MD5: 053045ab05056c95b483a917e2b93535
  SHA1: 0a769d3abc4452723645181ce27da915636cea6f
  SHA256: 2433e00eb87a46fb484c08145a531eb70c6dd71102b7a6e8b492daaf77150f4e
  SHA512: 550d40c2b3432d6083e542a80596769e4a667872113d675d60db9a2e7c33195fecc243031a6be035b0dc82268371317eb4e79f1152c8be93b00124890aced0df
- Filesize: 2.1MB
  MD5: db7e67835fce6cf9889f0f68ca9c29a9
  SHA1: 5565afda37006a66f0e4546105be60bbe7970616
  SHA256: dbd3057a58fd3407c95418bc5d9c253adc8c658ee338f22d58374ed3ea37b738
  SHA512: bc2714bb408715e5e1cec1337b831e26dbda208183955a07ec8653a38c9c0f25f60f333a154b738927ce085e7bbff438963b941a6c2773b3e7325cd900e7651b
- Filesize: 1.1MB
  MD5: 59c15c71fd599ff745a862d0b8932919
  SHA1: 8384f88b4cac4694cf510ca0d3f867fd83cc9e18
  SHA256: c4ed07ad748661ce776ac6ebb4f8bef7619586bfb4443ce58c92d4b889f3d5c2
  SHA512: be3425d55dcaa361bc8481b87b2086454baca79a3c948de9acf9ef7d3084d6d987c328d665b45dfcd0510e2c97c980aa63d7cd669fe9fc1a67983c325593481e
- Filesize: 1.4MB
  MD5: 1af414d0c40005d10648c25d66a4a4b5
  SHA1: 0abb38dfc2172fe72bb2bab8cf3fa0a13f79cd89
  SHA256: 72953ba8c26604feffdf37a210750d51ed33fd2cc3db1c1d24875f68603e3fb7
  SHA512: 9e159dcaddf36a8388a0a970bcd19bda5654f913d80e02a6c6164ab37c749629c4eb88697cd611506f8da424bc32114f9a515e7e7bd2e9699ba420c2fd5f049f
- Filesize: 1.2MB
  MD5: ca2c3c20f55b0da8e982c72a4ea1ffc2
  SHA1: aa1ff231fd59a076d53fa421d72396d78ae45a69
  SHA256: 0d895c1d2f698e11cc37e8a4b298d8d8d10612b2291b8214ef63c9f514b68613
  SHA512: 02c84203e2875785c38969af5b7d646b187601a14622719977be05bf76b8c3f9e43f894073b0ce8594e098479fdd707b60f112a0a7051cdb8788579930615a95
- Filesize: 20KB
  MD5: a603e09d617fea7517059b4924b1df93
  SHA1: 31d66e1496e0229c6a312f8be05da3f813b3fa9e
  SHA256: ccd15f9c7a997ae2b5320ea856c7efc54b5055254d41a443d21a60c39c565cb7
  SHA512: eadb844a84f8a660c578a2f8e65ebcb9e0b9ab67422be957f35492ff870825a4b363f96fd1c546eaacfd518f6812fcf57268ef03c149e5b1a7af145c7100e2cc
- Filesize: 72KB
  MD5: 40219f3404f3bf20aa6f67d81699a8c5
  SHA1: cb93980efa55d293b46579a5aee23179ea035617
  SHA256: 508cf8b0ac76cdfd7d5e95a405e97450836b7f6e9af31eceddc8e3c79def0582
  SHA512: 52d58946fb7deeaea75d41fccd28f3eb3780e911d73031a6c43bf9f4f226437bf150d35b374d1190a98faaace351c84f25d34a518a25c9534a7c2db8676f6917