Analysis

  • max time kernel
    122s
  • max time network
    131s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    19-09-2024 01:54

General

  • Target

    f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.exe

  • Size

    11.2MB

  • MD5

    4fa734db8e9f7ce5ecd217b34ecc6969

  • SHA1

    fbfc15ded2ebd130c92d812c26dc052561f7ff83

  • SHA256

    f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b

  • SHA512

    76ffd5839721ba668762c4458fd8da8fa8edc656c232e5957c253acc67c599846b89bc9acda1ec8dc5b07d229e143d3deca415c528ba4c04bf9264670f74f48a

  • SSDEEP

    196608:FfhVx6cyJczra+6msUjFD8rXPLJy5rRUlXmBPzLMAoUsJBK7iskeDqQ7poZ:FfrABJq2+6mnD8b9y9RU8zLMAoUsJBKK

Malware Config

Signatures

  • SectopRAT

    SectopRAT is a remote access trojan first seen in November 2019.

  • SectopRAT payload 2 IoCs
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 6 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates processes with tasklist 1 TTPs 6 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.exe
    "C:\Users\Admin\AppData\Local\Temp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1352
    • C:\Users\Admin\AppData\Local\Temp\is-2OES6.tmp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-2OES6.tmp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp" /SL5="$40026,10740751,812544,C:\Users\Admin\AppData\Local\Temp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2008
      • C:\Users\Admin\AppData\Local\Temp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.exe
        "C:\Users\Admin\AppData\Local\Temp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.exe" /VERYSILENT /NORESTART
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2380
        • C:\Users\Admin\AppData\Local\Temp\is-N37AA.tmp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp
          "C:\Users\Admin\AppData\Local\Temp\is-N37AA.tmp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp" /SL5="$301D2,10740751,812544,C:\Users\Admin\AppData\Local\Temp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.exe" /VERYSILENT /NORESTART
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:2164
          • C:\Windows\system32\cmd.exe
            "cmd.exe" /C tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH | find /I "wrsa.exe"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:1196
            • C:\Windows\system32\tasklist.exe
              tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH
              6⤵
              • Enumerates processes with tasklist
              • Suspicious use of AdjustPrivilegeToken
              PID:2900
            • C:\Windows\system32\find.exe
              find /I "wrsa.exe"
              6⤵
                PID:2920
            • C:\Windows\system32\cmd.exe
              "cmd.exe" /C tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH | find /I "opssvc.exe"
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:2700
              • C:\Windows\system32\tasklist.exe
                tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH
                6⤵
                • Enumerates processes with tasklist
                • Suspicious use of AdjustPrivilegeToken
                PID:2232
              • C:\Windows\system32\find.exe
                find /I "opssvc.exe"
                6⤵
                  PID:2836
              • C:\Windows\system32\cmd.exe
                "cmd.exe" /C tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH | find /I "avastui.exe"
                5⤵
                • Suspicious use of WriteProcessMemory
                PID:1768
                • C:\Windows\system32\tasklist.exe
                  tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH
                  6⤵
                  • Enumerates processes with tasklist
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2012
                • C:\Windows\system32\find.exe
                  find /I "avastui.exe"
                  6⤵
                    PID:1712
                • C:\Windows\system32\cmd.exe
                  "cmd.exe" /C tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH | find /I "avgui.exe"
                  5⤵
                  • Suspicious use of WriteProcessMemory
                  PID:2316
                  • C:\Windows\system32\tasklist.exe
                    tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH
                    6⤵
                    • Enumerates processes with tasklist
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1704
                  • C:\Windows\system32\find.exe
                    find /I "avgui.exe"
                    6⤵
                      PID:2080
                  • C:\Windows\system32\cmd.exe
                    "cmd.exe" /C tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH | find /I "nswscsvc.exe"
                    5⤵
                    • Suspicious use of WriteProcessMemory
                    PID:564
                    • C:\Windows\system32\tasklist.exe
                      tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH
                      6⤵
                      • Enumerates processes with tasklist
                      • Suspicious use of AdjustPrivilegeToken
                      PID:3032
                    • C:\Windows\system32\find.exe
                      find /I "nswscsvc.exe"
                      6⤵
                        PID:480
                    • C:\Windows\system32\cmd.exe
                      "cmd.exe" /C tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH | find /I "sophoshealth.exe"
                      5⤵
                        PID:1556
                        • C:\Windows\system32\tasklist.exe
                          tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH
                          6⤵
                          • Enumerates processes with tasklist
                          • Suspicious use of AdjustPrivilegeToken
                          PID:2324
                        • C:\Windows\system32\find.exe
                          find /I "sophoshealth.exe"
                          6⤵
                            PID:832
                        • C:\Users\Admin\AppData\Local\acetiam\AutoIt3.exe
                          "C:\Users\Admin\AppData\Local\acetiam\\AutoIt3.exe" "C:\Users\Admin\AppData\Local\acetiam\\grayhound1..a3x"
                          5⤵
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          PID:2228
                          • C:\Windows\SysWOW64\cmd.exe
                            "C:\Windows\System32\cmd.exe" /c ping -n 5 127.0.0.1 >nul && AutoIt3.exe C:\ProgramData\\Gg2Ofncpo.a3x && del C:\ProgramData\\Gg2Ofncpo.a3x
                            6⤵
                            • Loads dropped DLL
                            • System Location Discovery: System Language Discovery
                            • System Network Configuration Discovery: Internet Connection Discovery
                            PID:2484
                            • C:\Windows\SysWOW64\PING.EXE
                              ping -n 5 127.0.0.1
                              7⤵
                              • System Location Discovery: System Language Discovery
                              • System Network Configuration Discovery: Internet Connection Discovery
                              • Runs ping.exe
                              PID:2396
                            • C:\Users\Admin\AppData\Local\acetiam\AutoIt3.exe
                              AutoIt3.exe C:\ProgramData\\Gg2Ofncpo.a3x
                              7⤵
                              • Executes dropped EXE
                              • Adds Run key to start application
                              • Suspicious use of SetThreadContext
                              • System Location Discovery: System Language Discovery
                              • Checks processor information in registry
                              PID:1532
                              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                8⤵
                                  PID:2420
                                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                  C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                  8⤵
                                    PID:1192
                                  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                    C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                    8⤵
                                    • System Location Discovery: System Language Discovery
                                    • Suspicious behavior: EnumeratesProcesses
                                    • Suspicious use of AdjustPrivilegeToken
                                    • Suspicious use of SetWindowsHookEx
                                    PID:1496

                    Network

                    MITRE ATT&CK Enterprise v15

                    Replay Monitor

                    Loading Replay Monitor...

                    Downloads

                    • C:\Users\Admin\AppData\Local\Temp\tmpE967.tmp

                      Filesize

                      20KB

                      MD5

                      c9ff7748d8fcef4cf84a5501e996a641

                      SHA1

                      02867e5010f62f97ebb0cfb32cb3ede9449fe0c9

                      SHA256

                      4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988

                      SHA512

                      d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

                    • C:\Users\Admin\AppData\Local\acetiam\grayhound.pptx

                      Filesize

                      940KB

                      MD5

                      0bc6d1c595e440233c6daa45813657a0

                      SHA1

                      3a04c1fcd93642fe7b0ad47d67c29344ebddc9a3

                      SHA256

                      1841f77c752744d0054847a13cccc5851408d2e38caafcb153e37c56a01f6bac

                      SHA512

                      0fe0b161095deaa389ca9b81e8d0b5210598d1f750cc849828bca77168a9e7be0d747ac01c0a2f1d338e2562dcad7ca372c346b575ceb481b9cd7a24da10362f

                    • C:\Users\Admin\AppData\Local\acetiam\grayhound1..a3x

                      Filesize

                      62KB

                      MD5

                      647d824a19511783d1a011f8b775c1d4

                      SHA1

                      46b0213afa55d27a688e9729ac120d4574318cb5

                      SHA256

                      8674025ff9edbf37ad8d7e1af8b93bd63e0fe2e8eaea61ee6e1317c468a0e48b

                      SHA512

                      ed57dcb8817d329bf989b642be2244976f7725edecb5565788eb1643b81b58fd22c39dcdec827b3f7067ae844f4b62622bf8d079679df10af4f203f67efe1d1f

                    • \Users\Admin\AppData\Local\Temp\is-2OES6.tmp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp

                      Filesize

                      3.1MB

                      MD5

                      81636f80b1e7c0b8f946c8ff0081436a

                      SHA1

                      9e7b01f8324e089b925cb9050ce74cd099c58370

                      SHA256

                      ca3de247b4d58905e04277ee2386cedaeff38a0fad1f46bfff304ba9f0710f35

                      SHA512

                      67432e1a56e043573bc67d904f4c735f70333b35fe6efe2bb11ee1137bdd96bdbd3ed2956dbf8314b3a15ea2b2260fb5d3904481efb96c7dbb6661a32b13a85a

                    • \Users\Admin\AppData\Local\Temp\is-F0KN9.tmp\_isetup\_iscrypt.dll

                      Filesize

                      2KB

                      MD5

                      a69559718ab506675e907fe49deb71e9

                      SHA1

                      bc8f404ffdb1960b50c12ff9413c893b56f2e36f

                      SHA256

                      2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

                      SHA512

                      e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

                    • \Users\Admin\AppData\Local\acetiam\AutoIt3.exe

                      Filesize

                      921KB

                      MD5

                      3f58a517f1f4796225137e7659ad2adb

                      SHA1

                      e264ba0e9987b0ad0812e5dd4dd3075531cfe269

                      SHA256

                      1da298cab4d537b0b7b5dabf09bff6a212b9e45731e0cc772f99026005fb9e48

                      SHA512

                      acf740aafce390d06c6a76c84e7ae7c0f721731973aadbe3e57f2eb63241a01303cc6bf11a3f9a88f8be0237998b5772bdaf569137d63ba3d0f877e7d27fc634

                    • memory/1352-24-0x00000000013C0000-0x0000000001494000-memory.dmp

                      Filesize

                      848KB

                    • memory/1352-0-0x00000000013C0000-0x0000000001494000-memory.dmp

                      Filesize

                      848KB

                    • memory/1352-2-0x00000000013C1000-0x0000000001469000-memory.dmp

                      Filesize

                      672KB

                    • memory/1496-192-0x0000000000400000-0x00000000004C6000-memory.dmp

                      Filesize

                      792KB

                    • memory/1496-194-0x0000000000400000-0x00000000004C6000-memory.dmp

                      Filesize

                      792KB

                    • memory/1496-193-0x0000000000400000-0x00000000004C6000-memory.dmp

                      Filesize

                      792KB

                    • memory/2008-17-0x0000000000060000-0x0000000000394000-memory.dmp

                      Filesize

                      3.2MB

                    • memory/2008-8-0x0000000000480000-0x0000000000481000-memory.dmp

                      Filesize

                      4KB

                    • memory/2164-180-0x0000000000260000-0x0000000000594000-memory.dmp

                      Filesize

                      3.2MB

                    • memory/2380-15-0x00000000013C0000-0x0000000001494000-memory.dmp

                      Filesize

                      848KB

                    • memory/2380-182-0x00000000013C0000-0x0000000001494000-memory.dmp

                      Filesize

                      848KB