Analysis

  • max time kernel
    126s
  • max time network
    128s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17-09-2024 21:02

General

  • Target

    Adobe.exe

  • Size

    13.1MB

  • MD5

    94a4cf44784c5ee6d367a314baaad468

  • SHA1

    0598573a52eef7d17f95e6d164d13dc82cd9f218

  • SHA256

    28907701949c43559e5dfe1fed791b19bfa9f7009a171945dcd4d4b49f9cddd2

  • SHA512

    10d451ded975fd8b08e7d70708cbaac9ec931f5d06665eb7dc430874373aeb41a38128230429dfc2cd3a5eaca72493d8ee5dd3c3d152023cad1dcf67b77c6333

  • SSDEEP

    393216:BdnFCDbuNvhuGCDbuNetK0NYAaWzxDxE:zFCDbux0GCDbu

Malware Config

Signatures

  • SectopRAT

    SectopRAT is a remote access trojan first seen in November 2019.

  • SectopRAT payload 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: MapViewOfSection 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Adobe.exe
    "C:\Users\Admin\AppData\Local\Temp\Adobe.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:740
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\SysWOW64\cmd.exe
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:2872
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:756
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4148,i,3387628439405076340,17957358341235678872,262144 --variations-seed-version --mojo-platform-channel-handle=4180 /prefetch:8
    1⤵
      PID:4692

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\5e1f6041

      Filesize

      1.4MB

      MD5

      587213bb38beb37007f2636f574a793a

      SHA1

      aa92dc86e5f8ca6e28543b14147c3480c37db8cb

      SHA256

      8941d07ebeed67ff4573ba4a83dfdbe5d922fbdda16f3525de283ba7c5c84c0b

      SHA512

      dab7fa550b8ea492acc63f35822057ef05876766cf28db768f21592571b0eeed82659396b566fe1311c456d59d9bdfd1cbbefa4418f159c219b518ad0c6f0fa4

    • C:\Users\Admin\AppData\Local\Temp\62142936

      Filesize

      1.4MB

      MD5

      17f0949cafaa03e6fb374d44a9f3aa00

      SHA1

      1c96158bf4535005adcbade6bd56f83722922c9e

      SHA256

      4b689f8023611ad33c006afb94b510719d6cba426da62457a53a90ed27b9eda2

      SHA512

      9cd4f3559d3fced8af4a78efde96a3307ce8f9218165d64044ee8f3cc513cfcc22008ba9cc8b8f6e05bd7af7b1d10cf5923118b4183885fa9072764d39f34b91

    • memory/740-1-0x0000000000820000-0x000000000154B000-memory.dmp

      Filesize

      13.2MB

    • memory/740-7-0x00000000744B0000-0x000000007462B000-memory.dmp

      Filesize

      1.5MB

    • memory/740-8-0x00007FFE89070000-0x00007FFE89265000-memory.dmp

      Filesize

      2.0MB

    • memory/740-9-0x00000000744C3000-0x00000000744C5000-memory.dmp

      Filesize

      8KB

    • memory/740-10-0x00000000744B0000-0x000000007462B000-memory.dmp

      Filesize

      1.5MB

    • memory/740-11-0x00000000744B0000-0x000000007462B000-memory.dmp

      Filesize

      1.5MB

    • memory/740-0-0x00000000034E0000-0x00000000034E1000-memory.dmp

      Filesize

      4KB

    • memory/756-25-0x00000000746AE000-0x00000000746AF000-memory.dmp

      Filesize

      4KB

    • memory/756-29-0x00000000059A0000-0x0000000005B62000-memory.dmp

      Filesize

      1.8MB

    • memory/756-32-0x00000000746AE000-0x00000000746AF000-memory.dmp

      Filesize

      4KB

    • memory/756-31-0x00000000057D0000-0x0000000005820000-memory.dmp

      Filesize

      320KB

    • memory/756-30-0x0000000005850000-0x00000000058C6000-memory.dmp

      Filesize

      472KB

    • memory/756-22-0x0000000073050000-0x00000000742A4000-memory.dmp

      Filesize

      18.3MB

    • memory/756-28-0x0000000005D80000-0x0000000006324000-memory.dmp

      Filesize

      5.6MB

    • memory/756-26-0x0000000001120000-0x00000000011E6000-memory.dmp

      Filesize

      792KB

    • memory/756-27-0x0000000005730000-0x00000000057C2000-memory.dmp

      Filesize

      584KB

    • memory/2872-14-0x00000000744B0000-0x000000007462B000-memory.dmp

      Filesize

      1.5MB

    • memory/2872-16-0x00007FFE89070000-0x00007FFE89265000-memory.dmp

      Filesize

      2.0MB

    • memory/2872-21-0x00000000744B0000-0x000000007462B000-memory.dmp

      Filesize

      1.5MB

    • memory/2872-19-0x00000000744B0000-0x000000007462B000-memory.dmp

      Filesize

      1.5MB

    • memory/2872-18-0x00000000744B0000-0x000000007462B000-memory.dmp

      Filesize

      1.5MB