Malware Analysis Report

2024-12-08 01:32

Sample ID 240912-mfyw2ssanq
Target EarthTime.exe
SHA256 bcff246f0739ed98f8aa615d256e7e00bc1cb24c8cabaea609b25c3f050c7805
Tags: sectoprat, discovery, rat, trojan
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: bcff246f0739ed98f8aa615d256e7e00bc1cb24c8cabaea609b25c3f050c7805

Threat Level: Known bad

The file EarthTime.exe was found to be: Known bad.

Malicious Activity Summary

sectoprat discovery rat trojan

SectopRAT

SectopRAT payload

Legitimate hosting services abused for malware hosting/C2

Suspicious use of SetThreadContext

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-12 10:25

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-12 10:25

Reported

2024-09-12 10:27

Platform

win7-20240903-en

Max time kernel

138s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\EarthTime.exe"

Signatures

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Legitimate hosting services abused for malware hosting/C2

Description | Indicator | Process | Target
N/A | pastebin.com | N/A | N/A
N/A | pastebin.com | N/A | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1344 set thread context of 2604 | N/A | C:\Users\Admin\AppData\Local\Temp\EarthTime.exe | C:\Windows\SysWOW64\cmd.exe
PID 2604 set thread context of 576 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\EarthTime.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\EarthTime.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\EarthTime.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\EarthTime.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\EarthTime.exe

"C:\Users\Admin\AppData\Local\Temp\EarthTime.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Network

Country | Destination | Domain | Proto
RU | 45.141.87.55:15647 |  | tcp
US | 8.8.8.8:53 | pastebin.com | udp
US | 104.20.4.235:443 | pastebin.com | tcp
RU | 45.141.87.55:15647 |  | tcp
RU | 45.141.87.55:15647 |  | tcp

Files

C:\Users\Admin\AppData\Local\Temp\e7854643

MD5 b74bbd41a2a210e44b06bc0a3d804dc2
SHA1 d516d0f5b31f6dbd5c431e5c7a9353546ed376d9
SHA256 762408f967aea9e5b03d999e01f149b822fadcf30b42d75b9738c04c4f4ef1fd
SHA512 c040331c34f1fe65227ac01d3f6c53575dc98a98c71e6cbca372ba5a4fc454c6f998f0ebf5956ea96a08c24e2e3027203c39cfd7c52f0c9349b8afb031b89db4

C:\Users\Admin\AppData\Local\Temp\eaf23a0b

MD5 1bfcde9b7b64ddb3c579d3a91a60e2bd
SHA1 61cecf500fa0af9ab02d4a9999b33da411e3a899
SHA256 74b0c70a0fd5cc05b62e10cc61d281ce0b91d1c24e65dbea218a6bd9ed88c6a4
SHA512 176112b59b2760f3b18016c6022c2c8ba37f164eaf1c35e4aad433ecfdd00bf470e8d5df8e66488d4da1d27ed0cb8c0606eec2174ce99a2aee296ac209e0c58e

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-12 10:25

Reported

2024-09-12 10:27

Platform

win10v2004-20240802-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\EarthTime.exe"

Signatures

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Legitimate hosting services abused for malware hosting/C2

Description | Indicator | Process | Target
N/A | pastebin.com | N/A | N/A
N/A | pastebin.com | N/A | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1916 set thread context of 1440 | N/A | C:\Users\Admin\AppData\Local\Temp\EarthTime.exe | C:\Windows\SysWOW64\cmd.exe
PID 1440 set thread context of 1456 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\EarthTime.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\EarthTime.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\EarthTime.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\EarthTime.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\EarthTime.exe

"C:\Users\Admin\AppData\Local\Temp\EarthTime.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
RU | 45.141.87.55:15647 |  | tcp
US | 8.8.8.8:53 | pastebin.com | udp
US | 104.20.4.235:443 | pastebin.com | tcp
US | 8.8.8.8:53 | 235.4.20.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
RU | 45.141.87.55:15647 |  | tcp
US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp
RU | 45.141.87.55:15647 |  | tcp

Files

C:\Users\Admin\AppData\Local\Temp\21c9bf56

MD5 b74bbd41a2a210e44b06bc0a3d804dc2
SHA1 d516d0f5b31f6dbd5c431e5c7a9353546ed376d9
SHA256 762408f967aea9e5b03d999e01f149b822fadcf30b42d75b9738c04c4f4ef1fd
SHA512 c040331c34f1fe65227ac01d3f6c53575dc98a98c71e6cbca372ba5a4fc454c6f998f0ebf5956ea96a08c24e2e3027203c39cfd7c52f0c9349b8afb031b89db4

C:\Users\Admin\AppData\Local\Temp\26b841a8

MD5 3d5a7f821141b5cd8cee4c6ee1ddf6ad
SHA1 75d2a455335e963cfedb15d2e49cf3da5e13add1
SHA256 4655b97aced2b7c53dbbca0d5f676de05f5da2bf8fd6119fe2a4fd91a061f502
SHA512 ec94dc59ca272b4b92170c36bb113df80f658fb2fdf35d02f5efb5d1041a44ed5b762443a106914f50e811b121961868c7a8f74572f338d06a75ebd306df74c4
