Analysis
max time kernel
289s
max time network
293s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags
arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted
24-08-2024 11:15
Static task
static1
Behavioral task
behavioral1
Sample
AutoIt3.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral2
Sample
run.bat
Resource
win10v2004-20240802-en
Behavioral task
behavioral3
Sample
script.a3x
Resource
win10v2004-20240802-en
General
-
Target
run.bat
-
Size
34B
-
MD5
87d72f7fe17d44947ad61d3b37c72ba4
-
SHA1
ce2aa9009aafbb41eaebf96a616fefa81a3f7950
-
SHA256
90d062ca877bb672557a58271bbdec6e9fe4517e106437b8dbafb6367fd1e86e
-
SHA512
374cdca46bdb508c8eadf8a26ed22d9e08b4c0e2ad6d9a164922a09ee8eb9fa88a98cf11a13f65e41ff2c019db55cf3e3be4b3b3d27d544c61fe773660c0fbc0
Malware Config
Signatures
-
SectopRAT payload 1 IoCs
resource: behavioral2/memory/4940-6-0x0000000000400000-0x00000000004C6000-memory.dmp
yara_rule: family_sectoprat
The YARA match is on a memory dump of PID 4940 (RegAsm.exe, image range 0x400000-0x4C6000), not on any file on disk: the payload is only present once it has been unpacked into the hollowed process.
Adds Run key to start application 2 TTPs 1 IoCs
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bakgbcb = "\"C:\\aehcfbk\\AutoIt3.exe\" C:\\aehcfbk\\bakgbcb.a3x"
Process: AutoIt3.exe
This is the user's own RunOnce key (HKCU), so the entry fires at that user's next logon and is removed once it has run. It points at an AutoIt interpreter and a renamed script under C:\aehcfbk\, not at the Temp directory the sample was launched from.
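A detection-side reading of the RunOnce IoC above, added here as an example (it is not the sandbox's own logic): it parses the "Set value" line the report prints, undoes the report's escaping of the command string, splits the command the way CreateProcess does for a quoted image path, and scores the autorun on three indicators (script host as the target, image outside Windows/Program Files, a script file as the argument). The second sample line, the script-host and extension lists and the trusted-directory prefixes are assumptions for illustration.

```python
import re
from pathlib import PureWindowsPath

# Sandbox-style "Set value" IoC lines. The first is copied from the report
# above; the second is a constructed benign entry used for contrast.
SAMPLE_IOCS = [
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000'
    r'\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bakgbcb = '
    r'"\"C:\\aehcfbk\\AutoIt3.exe\" C:\\aehcfbk\\bakgbcb.a3x"',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion'
    r'\Run\VendorUpdater = "\"C:\\Program Files\\Vendor\\updater.exe\" /silent"',
]

# "Set value (<type>) <key>\<name> = "<data>"": the value name is the last path
# component before " = " and never contains a backslash.
SET_VALUE_RE = re.compile(r'^Set value \((\w+)\) (.+)\\([^\\]+) = "(.*)"$')

# Assumed lists; extend for your environment.
SCRIPT_HOSTS = {"autoit3.exe", "wscript.exe", "cscript.exe", "mshta.exe",
                "powershell.exe", "regsvr32.exe", "rundll32.exe"}
SCRIPT_EXTS = (".a3x", ".au3", ".vbs", ".js", ".hta", ".ps1", ".bat", ".cmd")
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def unescape(data: str) -> str:
    """Undo the report's escaping: backslash-quote -> quote, doubled backslash -> one."""
    return data.replace('\\"', '"').replace("\\\\", "\\")


def split_command(cmd: str):
    """Split 'image args' as CreateProcess does when the image path is quoted."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end], cmd[end + 1:].strip()
    exe, _, args = cmd.partition(" ")
    return exe, args


def analyze_run_key(line: str) -> dict:
    """Parse one Set value IoC and score it as autorun persistence."""
    m = SET_VALUE_RE.match(line)
    if not m:
        raise ValueError("not a Set value IoC line")
    vtype, key, name, raw = m.groups()
    exe, args = split_command(unescape(raw))
    exe_path = PureWindowsPath(exe)
    is_run_key = key.lower().endswith(("\\currentversion\\run", "\\currentversion\\runonce"))
    reasons = []
    if is_run_key:
        if exe_path.name.lower() in SCRIPT_HOSTS:
            reasons.append("script host is the autorun image")
        if not str(exe_path).lower().startswith(TRUSTED_DIRS):
            reasons.append("autorun image outside Windows/Program Files")
        # Simple whitespace split: enough for the report's paths, not for paths with spaces.
        if any(a.lower().endswith(SCRIPT_EXTS) for a in args.split()):
            reasons.append("autorun argument is a script file")
    return {"key": key, "value_name": name, "type": vtype, "exe": str(exe_path),
            "args": args, "run_key": is_run_key, "reasons": reasons,
            "suspicious": len(reasons) >= 2}


if __name__ == "__main__":
    for line in SAMPLE_IOCS:
        r = analyze_run_key(line)
        print(r["value_name"], r["exe"], r["suspicious"], r["reasons"])
```

The same three checks apply to a live host: enumerate HKCU and HKLM Run/RunOnce, run each value through analyze_run_key, and review anything that scores two or more.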
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow 21: pastebin.com
flow 22: pastebin.com
Command and Scripting Interpreter: AutoIT 1 TTPs 1 IoCs
Uses the AutoIt interpreter to run a script, possibly an automation script.
pid 2736: AutoIt3.exe
Suspicious use of SetThreadContext 1 IoCs
description: PID 2736 set thread context of 4940
pid 2736: AutoIt3.exe, procid_target 89
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (AutoIt3.exe)
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (RegAsm.exe)
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (AutoIt3.exe)
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (AutoIt3.exe)
Suspicious use of AdjustPrivilegeToken 1 IoCs
Token: SeDebugPrivilege, pid 4940: RegAsm.exe
Suspicious use of WriteProcessMemory 8 IoCs
PID 2116 wrote to memory of 2736 (cmd.exe, procid_target 85), 3 times
PID 2736 wrote to memory of 4940 (AutoIt3.exe, procid_target 89), 5 times
procid_target is the sandbox's row index for the target process (85 = AutoIt3.exe, PID 2736; 89 = RegAsm.exe, PID 4940), not a PID. A parent writing into a child it has just created is routine in these reports and is what the cmd.exe entries show. The five writes from AutoIt3.exe into RegAsm.exe, combined with the SetThreadContext call on the same process, the SectopRAT YARA hit in PID 4940's memory, and RegAsm.exe being started with no assembly argument (a bare RegAsm.exe would normally just print its usage and exit), are the pattern of process hollowing: the script host starts a signed .NET utility, overwrites its memory with the payload and redirects its thread to it.
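The SetThreadContext, WriteProcessMemory, AdjustPrivilegeToken and registry-read signatures above only become a verdict when correlated per process pair. The following is an added example (not the sandbox's own scoring) that does that correlation over the events transcribed from this report: a pair is considered only when WriteProcessMemory and SetThreadContext hit the same target, and the target image, the source image, SeDebugPrivilege on the target and the sandbox-fingerprinting registry reads by the source each raise the score. The target and script-host image lists are assumptions, and the registry reads, which the report attributes by image name only, are mapped to PIDs on the assumption that each image occurs once, which is true for this run only.

```python
from collections import Counter, defaultdict

# Process list and events transcribed from the report above (PIDs and images
# are the report's). Registry reads are attributed to the one PID per image.
PROCESSES = {2116: "cmd.exe", 2736: "AutoIt3.exe", 4940: "RegAsm.exe"}

NLS_KEY = r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"
CPU_KEY = r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0"

EVENTS = (
    [("WriteProcessMemory", 2116, 2736)] * 3    # cmd.exe spawning AutoIt3.exe
    + [("WriteProcessMemory", 2736, 4940)] * 5  # AutoIt3.exe writing into RegAsm.exe
    + [
        ("SetThreadContext", 2736, 4940),
        ("AdjustPrivilegeToken", 4940, "SeDebugPrivilege"),
        ("RegOpenKey", 2736, NLS_KEY),
        ("RegOpenKey", 4940, NLS_KEY),
        ("RegOpenKey", 2736, CPU_KEY),
        ("RegQueryValue", 2736, CPU_KEY + r"\ProcessorNameString"),
    ]
)

# Assumed lists; extend for your environment.
HOLLOW_TARGETS = {"regasm.exe", "regsvcs.exe", "msbuild.exe", "installutil.exe", "applaunch.exe"}
SCRIPT_HOSTS = {"autoit3.exe", "wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}
EVASION_KEYS = {"\\control\\nls\\language": "system language",
                "\\centralprocessor\\": "CPU identity"}


def find_injections(events, processes, threshold=3):
    """Correlate per-process events into process-hollowing findings.

    A parent writing into a child it just created is routine, so a pair is
    only considered when WriteProcessMemory and SetThreadContext both target
    the same process; the remaining indicators raise the score.
    """
    writes = Counter()              # (src, dst) -> WriteProcessMemory count
    contexts = set()                # (src, dst) pairs with SetThreadContext
    privileges = defaultdict(set)   # pid -> privileges enabled via AdjustPrivilegeToken
    evasion = defaultdict(set)      # pid -> labels of fingerprinting keys it read
    for kind, pid, arg in events:
        if kind == "WriteProcessMemory":
            writes[(pid, arg)] += 1
        elif kind == "SetThreadContext":
            contexts.add((pid, arg))
        elif kind == "AdjustPrivilegeToken":
            privileges[pid].add(arg)
        elif kind in ("RegOpenKey", "RegQueryValue"):
            low = arg.lower()
            for fragment, label in EVASION_KEYS.items():
                if fragment in low:
                    evasion[pid].add(label)

    findings = []
    for (src, dst), count in writes.items():
        if (src, dst) not in contexts:
            continue  # plain parent->child writes are not hollowing by themselves
        src_img = processes.get(src, "?").lower()
        dst_img = processes.get(dst, "?").lower()
        reasons = [f"{count} WriteProcessMemory calls and SetThreadContext on PID {dst}"]
        if dst_img in HOLLOW_TARGETS:
            reasons.append(f"target {dst_img} is a signed .NET utility, a common hollowing host")
        if src_img in SCRIPT_HOSTS:
            reasons.append(f"source {src_img} is a script host")
        if "SeDebugPrivilege" in privileges[dst]:
            reasons.append("target enabled SeDebugPrivilege")
        if evasion[src]:
            reasons.append("source fingerprinted " + ", ".join(sorted(evasion[src])))
        if len(reasons) >= threshold:
            findings.append({"source": src, "source_image": processes.get(src),
                             "target": dst, "target_image": processes.get(dst),
                             "writes": count, "score": len(reasons), "reasons": reasons})
    return sorted(findings, key=lambda f: f["score"], reverse=True)


if __name__ == "__main__":
    for f in find_injections(EVENTS, PROCESSES):
        print(f"{f['source_image']} ({f['source']}) -> {f['target_image']} ({f['target']}), score {f['score']}")
        for reason in f["reasons"]:
            print("   ", reason)
```

Run against the report's events this yields a single finding, AutoIt3.exe (2736) into RegAsm.exe (4940), while the cmd.exe writes into AutoIt3.exe drop out because no SetThreadContext follows them. The same gate is the one to use in EDR telemetry: alert on the write-then-context pair, then enrich with the other indicators rather than alerting on WriteProcessMemory alone.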
Processes
C:\Windows\system32\cmd.exe (PID 2116)
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\run.bat"
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\AutoIt3.exe (PID 2736)
    Command line: AutoIt3.exe script.a3x
    - Adds Run key to start application
    - Command and Scripting Interpreter: AutoIT
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious use of WriteProcessMemory
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (PID 4940)
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken