Analysis

  • max time kernel
    146s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18-09-2024 17:40

General

  • Target

    f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.exe

  • Size

    11.2MB

  • MD5

    4fa734db8e9f7ce5ecd217b34ecc6969

  • SHA1

    fbfc15ded2ebd130c92d812c26dc052561f7ff83

  • SHA256

    f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b

  • SHA512

    76ffd5839721ba668762c4458fd8da8fa8edc656c232e5957c253acc67c599846b89bc9acda1ec8dc5b07d229e143d3deca415c528ba4c04bf9264670f74f48a

  • SSDEEP

    196608:FfhVx6cyJczra+6msUjFD8rXPLJy5rRUlXmBPzLMAoUsJBK7iskeDqQ7poZ:FfrABJq2+6mnD8b9y9RU8zLMAoUsJBKK

Malware Config

Signatures

  • SectopRAT

    SectopRAT is a remote access trojan first seen in November 2019.

  • SectopRAT payload 1 IoCs
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 2 IoCs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates processes with tasklist 1 TTPs 6 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.exe
    "C:\Users\Admin\AppData\Local\Temp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2928
    • C:\Users\Admin\AppData\Local\Temp\is-US226.tmp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-US226.tmp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp" /SL5="$120052,10740751,812544,C:\Users\Admin\AppData\Local\Temp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3692
      • C:\Users\Admin\AppData\Local\Temp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.exe
        "C:\Users\Admin\AppData\Local\Temp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.exe" /VERYSILENT /NORESTART
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4340
        • C:\Users\Admin\AppData\Local\Temp\is-OUBH0.tmp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp
          "C:\Users\Admin\AppData\Local\Temp\is-OUBH0.tmp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp" /SL5="$9004C,10740751,812544,C:\Users\Admin\AppData\Local\Temp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.exe" /VERYSILENT /NORESTART
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:2996
          • C:\Windows\system32\cmd.exe
            "cmd.exe" /C tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH | find /I "wrsa.exe"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:1164
            • C:\Windows\system32\tasklist.exe
              tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH
              6⤵
              • Enumerates processes with tasklist
              • Suspicious use of AdjustPrivilegeToken
              PID:4364
            • C:\Windows\system32\find.exe
              find /I "wrsa.exe"
              6⤵
                PID:3284
            • C:\Windows\system32\cmd.exe
              "cmd.exe" /C tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH | find /I "opssvc.exe"
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:1248
              • C:\Windows\system32\tasklist.exe
                tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH
                6⤵
                • Enumerates processes with tasklist
                • Suspicious use of AdjustPrivilegeToken
                PID:1168
              • C:\Windows\system32\find.exe
                find /I "opssvc.exe"
                6⤵
                  PID:5016
              • C:\Windows\system32\cmd.exe
                "cmd.exe" /C tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH | find /I "avastui.exe"
                5⤵
                • Suspicious use of WriteProcessMemory
                PID:4300
                • C:\Windows\system32\tasklist.exe
                  tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH
                  6⤵
                  • Enumerates processes with tasklist
                  • Suspicious use of AdjustPrivilegeToken
                  PID:4912
                • C:\Windows\system32\find.exe
                  find /I "avastui.exe"
                  6⤵
                    PID:4704
                • C:\Windows\system32\cmd.exe
                  "cmd.exe" /C tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH | find /I "avgui.exe"
                  5⤵
                  • Suspicious use of WriteProcessMemory
                  PID:1264
                  • C:\Windows\system32\tasklist.exe
                    tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH
                    6⤵
                    • Enumerates processes with tasklist
                    • Suspicious use of AdjustPrivilegeToken
                    PID:4916
                  • C:\Windows\system32\find.exe
                    find /I "avgui.exe"
                    6⤵
                      PID:2580
                  • C:\Windows\system32\cmd.exe
                    "cmd.exe" /C tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH | find /I "nswscsvc.exe"
                    5⤵
                    • Suspicious use of WriteProcessMemory
                    PID:4248
                    • C:\Windows\system32\tasklist.exe
                      tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH
                      6⤵
                      • Enumerates processes with tasklist
                      • Suspicious use of AdjustPrivilegeToken
                      PID:3596
                    • C:\Windows\system32\find.exe
                      find /I "nswscsvc.exe"
                      6⤵
                        PID:908
                    • C:\Windows\system32\cmd.exe
                      "cmd.exe" /C tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH | find /I "sophoshealth.exe"
                      5⤵
                      • Suspicious use of WriteProcessMemory
                      PID:1996
                      • C:\Windows\system32\tasklist.exe
                        tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH
                        6⤵
                        • Enumerates processes with tasklist
                        • Suspicious use of AdjustPrivilegeToken
                        PID:1256
                      • C:\Windows\system32\find.exe
                        find /I "sophoshealth.exe"
                        6⤵
                          PID:2732
                      • C:\Users\Admin\AppData\Local\acetiam\AutoIt3.exe
                        "C:\Users\Admin\AppData\Local\acetiam\\AutoIt3.exe" "C:\Users\Admin\AppData\Local\acetiam\\grayhound1..a3x"
                        5⤵
                        • Checks computer location settings
                        • Executes dropped EXE
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of WriteProcessMemory
                        PID:1804
                        • C:\Windows\SysWOW64\cmd.exe
                          "C:\Windows\System32\cmd.exe" /c ping -n 5 127.0.0.1 >nul && AutoIt3.exe C:\ProgramData\\X78XPKeS.a3x && del C:\ProgramData\\X78XPKeS.a3x
                          6⤵
                          • System Location Discovery: System Language Discovery
                          • System Network Configuration Discovery: Internet Connection Discovery
                          • Suspicious use of WriteProcessMemory
                          PID:3064
                          • C:\Windows\SysWOW64\PING.EXE
                            ping -n 5 127.0.0.1
                            7⤵
                            • System Location Discovery: System Language Discovery
                            • System Network Configuration Discovery: Internet Connection Discovery
                            • Runs ping.exe
                            PID:2484
                          • C:\Users\Admin\AppData\Local\acetiam\AutoIt3.exe
                            AutoIt3.exe C:\ProgramData\\X78XPKeS.a3x
                            7⤵
                            • Executes dropped EXE
                            • Adds Run key to start application
                            • Suspicious use of SetThreadContext
                            • System Location Discovery: System Language Discovery
                            • Checks processor information in registry
                            • Suspicious use of WriteProcessMemory
                            PID:4732
                            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                              C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                              8⤵
                                PID:2740
                              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                8⤵
                                • System Location Discovery: System Language Discovery
                                • Suspicious behavior: EnumeratesProcesses
                                • Suspicious use of AdjustPrivilegeToken
                                • Suspicious use of SetWindowsHookEx
                                PID:5084

                Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Users\Admin\AppData\Local\Temp\is-SOGR0.tmp\_isetup\_iscrypt.dll

                  Filesize

                  2KB

                  MD5

                  a69559718ab506675e907fe49deb71e9

                  SHA1

                  bc8f404ffdb1960b50c12ff9413c893b56f2e36f

                  SHA256

                  2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

                  SHA512

                  e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

                • C:\Users\Admin\AppData\Local\Temp\is-US226.tmp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp

                  Filesize

                  3.1MB

                  MD5

                  81636f80b1e7c0b8f946c8ff0081436a

                  SHA1

                  9e7b01f8324e089b925cb9050ce74cd099c58370

                  SHA256

                  ca3de247b4d58905e04277ee2386cedaeff38a0fad1f46bfff304ba9f0710f35

                  SHA512

                  67432e1a56e043573bc67d904f4c735f70333b35fe6efe2bb11ee1137bdd96bdbd3ed2956dbf8314b3a15ea2b2260fb5d3904481efb96c7dbb6661a32b13a85a

                • C:\Users\Admin\AppData\Local\Temp\tmpF20.tmp

                  Filesize

                  20KB

                  MD5

                  a603e09d617fea7517059b4924b1df93

                  SHA1

                  31d66e1496e0229c6a312f8be05da3f813b3fa9e

                  SHA256

                  ccd15f9c7a997ae2b5320ea856c7efc54b5055254d41a443d21a60c39c565cb7

                  SHA512

                  eadb844a84f8a660c578a2f8e65ebcb9e0b9ab67422be957f35492ff870825a4b363f96fd1c546eaacfd518f6812fcf57268ef03c149e5b1a7af145c7100e2cc

                • C:\Users\Admin\AppData\Local\Temp\tmpF52.tmp

                  Filesize

                  20KB

                  MD5

                  49693267e0adbcd119f9f5e02adf3a80

                  SHA1

                  3ba3d7f89b8ad195ca82c92737e960e1f2b349df

                  SHA256

                  d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f

                  SHA512

                  b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

                • C:\Users\Admin\AppData\Local\acetiam\AutoIt3.exe

                  Filesize

                  921KB

                  MD5

                  3f58a517f1f4796225137e7659ad2adb

                  SHA1

                  e264ba0e9987b0ad0812e5dd4dd3075531cfe269

                  SHA256

                  1da298cab4d537b0b7b5dabf09bff6a212b9e45731e0cc772f99026005fb9e48

                  SHA512

                  acf740aafce390d06c6a76c84e7ae7c0f721731973aadbe3e57f2eb63241a01303cc6bf11a3f9a88f8be0237998b5772bdaf569137d63ba3d0f877e7d27fc634

                • C:\Users\Admin\AppData\Local\acetiam\grayhound.pptx

                  Filesize

                  940KB

                  MD5

                  0bc6d1c595e440233c6daa45813657a0

                  SHA1

                  3a04c1fcd93642fe7b0ad47d67c29344ebddc9a3

                  SHA256

                  1841f77c752744d0054847a13cccc5851408d2e38caafcb153e37c56a01f6bac

                  SHA512

                  0fe0b161095deaa389ca9b81e8d0b5210598d1f750cc849828bca77168a9e7be0d747ac01c0a2f1d338e2562dcad7ca372c346b575ceb481b9cd7a24da10362f

                • C:\Users\Admin\AppData\Local\acetiam\grayhound1..a3x

                  Filesize

                  62KB

                  MD5

                  647d824a19511783d1a011f8b775c1d4

                  SHA1

                  46b0213afa55d27a688e9729ac120d4574318cb5

                  SHA256

                  8674025ff9edbf37ad8d7e1af8b93bd63e0fe2e8eaea61ee6e1317c468a0e48b

                  SHA512

                  ed57dcb8817d329bf989b642be2244976f7725edecb5565788eb1643b81b58fd22c39dcdec827b3f7067ae844f4b62622bf8d079679df10af4f203f67efe1d1f

                • memory/2928-19-0x0000000000C00000-0x0000000000CD4000-memory.dmp

                  Filesize

                  848KB

                • memory/2928-0-0x0000000000C00000-0x0000000000CD4000-memory.dmp

                  Filesize

                  848KB

                • memory/2928-2-0x0000000000C01000-0x0000000000CA9000-memory.dmp

                  Filesize

                  672KB

                • memory/2996-22-0x0000000003360000-0x0000000003361000-memory.dmp

                  Filesize

                  4KB

                • memory/2996-176-0x0000000000CA0000-0x0000000000FD4000-memory.dmp

                  Filesize

                  3.2MB

                • memory/3692-17-0x0000000000B40000-0x0000000000E74000-memory.dmp

                  Filesize

                  3.2MB

                • memory/3692-6-0x0000000000B40000-0x0000000000E74000-memory.dmp

                  Filesize

                  3.2MB

                • memory/4340-13-0x0000000000C00000-0x0000000000CD4000-memory.dmp

                  Filesize

                  848KB

                • memory/4340-179-0x0000000000C00000-0x0000000000CD4000-memory.dmp

                  Filesize

                  848KB

                • memory/5084-188-0x0000000000400000-0x00000000004C6000-memory.dmp

                  Filesize

                  792KB

                • memory/5084-191-0x0000000005D90000-0x0000000006334000-memory.dmp

                  Filesize

                  5.6MB

                • memory/5084-192-0x0000000005A80000-0x0000000005C42000-memory.dmp

                  Filesize

                  1.8MB

                • memory/5084-193-0x00000000057E0000-0x0000000005856000-memory.dmp

                  Filesize

                  472KB

                • memory/5084-194-0x00000000058B0000-0x0000000005900000-memory.dmp

                  Filesize

                  320KB

                • memory/5084-195-0x00000000056D0000-0x00000000056DA000-memory.dmp

                  Filesize

                  40KB

                • memory/5084-196-0x0000000006970000-0x0000000006E9C000-memory.dmp

                  Filesize

                  5.2MB

                • memory/5084-197-0x0000000006470000-0x000000000648E000-memory.dmp

                  Filesize

                  120KB

                • memory/5084-198-0x0000000006560000-0x00000000065C6000-memory.dmp

                  Filesize

                  408KB

                • memory/5084-190-0x0000000005740000-0x00000000057D2000-memory.dmp

                  Filesize

                  584KB

                • memory/5084-189-0x0000000000400000-0x00000000004C6000-memory.dmp

                  Filesize

                  792KB

                • memory/5084-222-0x0000000007C90000-0x0000000007C9A000-memory.dmp

                  Filesize

                  40KB

                • memory/5084-224-0x0000000005920000-0x0000000005932000-memory.dmp

                  Filesize

                  72KB

                • memory/5084-225-0x00000000059C0000-0x00000000059FC000-memory.dmp

                  Filesize

                  240KB