Analysis Overview
SHA256
1cad1f43e4768f56d68bb2b2737b7f5eebe78e8737f38bc6fc8dc06c595a08ad
Threat Level: Known bad
The file 1cad1f43e4768f56d68bb2b2737b7f5eebe78e8737f38.exe was found to be: Known bad.
Malicious Activity Summary
SectopRAT payload
SectopRAT
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of SetThreadContext
Drops file in Windows directory
System Location Discovery: System Language Discovery
Unsigned PE
Program crash
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-09-25 23:46
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-09-25 23:46
Reported
2024-09-25 23:48
Platform
win7-20240903-en
Max time kernel
141s
Max time network
127s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\1cad1f43e4768f56d68bb2b2737b7f5eebe78e8737f38.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1cad1f43e4768f56d68bb2b2737b7f5eebe78e8737f38.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1cad1f43e4768f56d68bb2b2737b7f5eebe78e8737f38.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1cad1f43e4768f56d68bb2b2737b7f5eebe78e8737f38.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1cad1f43e4768f56d68bb2b2737b7f5eebe78e8737f38.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2404 wrote to memory of 2904 | N/A | C:\Users\Admin\AppData\Local\Temp\1cad1f43e4768f56d68bb2b2737b7f5eebe78e8737f38.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2404 wrote to memory of 2904 | N/A | C:\Users\Admin\AppData\Local\Temp\1cad1f43e4768f56d68bb2b2737b7f5eebe78e8737f38.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2404 wrote to memory of 2904 | N/A | C:\Users\Admin\AppData\Local\Temp\1cad1f43e4768f56d68bb2b2737b7f5eebe78e8737f38.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2404 wrote to memory of 2904 | N/A | C:\Users\Admin\AppData\Local\Temp\1cad1f43e4768f56d68bb2b2737b7f5eebe78e8737f38.exe | C:\Windows\SysWOW64\WerFault.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\1cad1f43e4768f56d68bb2b2737b7f5eebe78e8737f38.exe
"C:\Users\Admin\AppData\Local\Temp\1cad1f43e4768f56d68bb2b2737b7f5eebe78e8737f38.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2404 -s 460
Network
Files
memory/2404-0-0x00000000001C0000-0x00000000001C1000-memory.dmp
memory/2404-1-0x0000000000400000-0x0000000001220000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\f502969e
| MD5 | f477a739e2d63d878730880c77f7145f |
| SHA1 | f7b7640b5bf5a0fd4968334522b0609fb7cc2cc5 |
| SHA256 | a6217d1567efffc623b6087a1dbfb771604a58f4d069777e57d086aae0378ad0 |
| SHA512 | b9fc9b682a90b655be8a1191fe6160f1611f31b884b798b79025be9d566fedb18bddd1bc5f4d12b796116ca848380373c5dbb738e713b519c7f1d401be849ff8 |
memory/2404-7-0x0000000075360000-0x0000000075FAA000-memory.dmp
memory/2404-8-0x0000000077370000-0x0000000077519000-memory.dmp
memory/2404-10-0x00000000001C0000-0x00000000001C1000-memory.dmp
memory/2404-9-0x0000000000400000-0x0000000001220000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-09-25 23:46
Reported
2024-09-25 23:48
Platform
win10v2004-20240802-en
Max time kernel
119s
Max time network
155s
Command Line
Signatures
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3152 set thread context of 728 | N/A | C:\Users\Admin\AppData\Local\Temp\1cad1f43e4768f56d68bb2b2737b7f5eebe78e8737f38.exe | C:\Windows\SysWOW64\more.com |
| PID 728 set thread context of 1860 | N/A | C:\Windows\SysWOW64\more.com | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\AsusFCNotification.job | C:\Windows\SysWOW64\more.com | N/A |
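The SetThreadContext rows and the .job file above describe one chain: the sample (PID 3152, running from the user's Temp directory) sets the thread context of more.com (PID 728), the hijacked more.com sets the thread context of MSBuild.exe (PID 1860), and the same more.com process writes a task file into C:\Windows\Tasks. As an added example (not part of this report, and not SectopRAT's own code), the script below rebuilds that chain from events transcribed from the rows and attaches the persistence artifact to it. The event classes, the path heuristics and the severity labels are this example's assumptions, not anything the sandbox emits.

```python
"""Correlate the behavioral2 rows into one injection-plus-persistence chain.

Added example: not from the sandbox report and not SectopRAT's own code.
The events below are transcribed from the report's rows; the event classes,
path heuristics and severity labels are this example's assumptions.
"""
from dataclasses import dataclass

USER_TEMP = "\\appdata\\local\\temp\\"
SYSTEM_PREFIXES = ("c:\\windows\\syswow64\\", "c:\\windows\\system32\\",
                   "c:\\windows\\microsoft.net\\")
TASK_DIRS = ("c:\\windows\\tasks\\", "c:\\windows\\system32\\tasks\\")


@dataclass(frozen=True)
class ThreadContext:
    """'PID src set thread context of dst' (the SetThreadContext rows)."""
    src_pid: int
    src_image: str
    dst_pid: int
    dst_image: str


@dataclass(frozen=True)
class FileCreate:
    """'File created <path>' by a process (the Drops file row)."""
    pid: int
    image: str
    path: str


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\1cad1f43e4768f56d68bb2b2737b7f5eebe78e8737f38.exe"
MORE = r"C:\Windows\SysWOW64\more.com"
MSBUILD = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

# Constructed from the report: 3152 -> 728 -> 1860, and 728 writes the .job file.
EVENTS = [
    ThreadContext(3152, SAMPLE, 728, MORE),
    ThreadContext(728, MORE, 1860, MSBUILD),
    FileCreate(728, MORE, r"C:\Windows\Tasks\AsusFCNotification.job"),
]


def in_user_temp(path):
    return USER_TEMP in path.lower()


def is_system_image(path):
    return path.lower().startswith(SYSTEM_PREFIXES)


def in_task_dir(path):
    return path.lower().startswith(TASK_DIRS)


def build_chains(events):
    """Follow SetThreadContext edges from a process running out of a user Temp
    directory through any number of system binaries. Returns one PID list per
    maximal chain; a root whose only targets are non-system images yields nothing."""
    ctx = [e for e in events if isinstance(e, ThreadContext)]
    by_src = {}
    for e in ctx:
        by_src.setdefault(e.src_pid, []).append(e)
    chains = []

    def walk(path, seen):
        extended = False
        for e in by_src.get(path[-1], []):
            if is_system_image(e.dst_image) and e.dst_pid not in seen:
                extended = True
                walk(path + [e.dst_pid], seen | {e.dst_pid})
        if not extended and len(path) > 1:
            chains.append(path)

    roots = sorted({e.src_pid for e in ctx if in_user_temp(e.src_image)})
    for pid in roots:
        walk([pid], {pid})
    return chains


def assess(events):
    """Attach task files written by any chain member and rate the chain:
    two or more hops, or a file in a Tasks directory, is rated 'high'."""
    files = [e for e in events if isinstance(e, FileCreate)]
    findings = []
    for chain in build_chains(events):
        persistence = [f.path for f in files
                       if f.pid in chain and in_task_dir(f.path)]
        hops = len(chain) - 1
        severity = "high" if hops >= 2 or persistence else "medium"
        findings.append({"chain": chain, "hops": hops,
                         "persistence": persistence, "severity": severity})
    return findings


if __name__ == "__main__":
    for finding in assess(EVENTS):
        print(finding)
```

The relay through more.com matters for detection: a rule keyed only on "Temp executable injects into MSBuild.exe" misses this sample, because the process that touches MSBuild.exe is a signed Windows binary. Walking the SetThreadContext edges from the root, as build_chains does, keeps the original Temp executable attached to the final host. The file in C:\Windows\Tasks is the legacy Task Scheduler .job format, so a hunt for that directory on hosts that never used at.exe is a cheap follow-up.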
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1cad1f43e4768f56d68bb2b2737b7f5eebe78e8737f38.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\more.com | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1cad1f43e4768f56d68bb2b2737b7f5eebe78e8737f38.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1cad1f43e4768f56d68bb2b2737b7f5eebe78e8737f38.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\more.com | N/A |
| N/A | N/A | C:\Windows\SysWOW64\more.com | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1cad1f43e4768f56d68bb2b2737b7f5eebe78e8737f38.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\more.com | N/A |
| N/A | N/A | C:\Windows\SysWOW64\more.com | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1cad1f43e4768f56d68bb2b2737b7f5eebe78e8737f38.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1cad1f43e4768f56d68bb2b2737b7f5eebe78e8737f38.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\1cad1f43e4768f56d68bb2b2737b7f5eebe78e8737f38.exe
"C:\Users\Admin\AppData\Local\Temp\1cad1f43e4768f56d68bb2b2737b7f5eebe78e8737f38.exe"
C:\Windows\SysWOW64\more.com
C:\Windows\SysWOW64\more.com
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 110.11.19.2.in-addr.arpa | udp |
| RU | 213.109.202.97:15647 | | tcp |
| US | 8.8.8.8:53 | 97.202.109.213.in-addr.arpa | udp |
| RU | 213.109.202.97:9000 | | tcp |
| US | 52.111.229.43:443 | | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
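The Network table mixes two kinds of traffic: PTR lookups sent to 8.8.8.8 and a handful of direct TCP sessions. As an added example (not part of the report), the script below parses a copy of the table, separates the two, and flags the direct sessions worth treating as C2 candidates: anything on a port outside a small expected set, or any host that is also the subject of a reverse lookup (the 97.202.109.213.in-addr.arpa query is the PTR name for 213.109.202.97). EXPECTED_PORTS and the flagging rules are this example's assumptions; the report itself does not label either 213.109.202.97 session as C2.

```python
"""Split the behavioral2 Network table into resolver noise and C2 candidates.

Added example: not part of the sandbox report. NETWORK_TABLE is a copy of
the report's rows; EXPECTED_PORTS and the flagging rules are assumptions.
"""
import ipaddress
import re
from typing import NamedTuple


class Conn(NamedTuple):
    country: str
    ip: str
    port: int
    domain: str   # empty for direct sessions
    proto: str


# Transcribed from the report's behavioral2 Network table.
NETWORK_TABLE = """\
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 110.11.19.2.in-addr.arpa | udp |
| RU | 213.109.202.97:15647 | | tcp |
| US | 8.8.8.8:53 | 97.202.109.213.in-addr.arpa | udp |
| RU | 213.109.202.97:9000 | | tcp |
| US | 52.111.229.43:443 | | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
"""

# Assumption: plain web ports are the only ones expected from a fresh VM.
EXPECTED_PORTS = {80, 443}
PTR_RE = re.compile(r"(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.in-addr\.arpa")


def parse_network_table(text):
    """Parse pipe-separated rows; the first line is the header. Rows where the
    protocol slid into the Domain column (as in the raw report) are repaired."""
    rows = []
    for line in text.splitlines()[1:]:
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4:
            continue
        country, dest, domain, proto = cells
        if domain in ("tcp", "udp") and not proto:
            domain, proto = "", domain
        ip, _, port = dest.rpartition(":")
        ipaddress.ip_address(ip)          # reject anything that is not an address
        rows.append(Conn(country, ip, int(port), domain, proto))
    return rows


def ptr_target(domain):
    """'97.202.109.213.in-addr.arpa' -> '213.109.202.97'; None if not a PTR name."""
    m = PTR_RE.fullmatch(domain)
    return ".".join(reversed(m.groups())) if m else None


def triage(rows):
    """Return the reverse-resolved hosts, the direct TCP sessions, and the
    sessions that meet at least one of the flagging rules."""
    looked_up = {t for t in (ptr_target(r.domain) for r in rows) if t}
    direct = [r for r in rows if r.proto == "tcp"]
    candidates = []
    for r in direct:
        reasons = []
        if r.port not in EXPECTED_PORTS:
            reasons.append("port %d outside expected set" % r.port)
        if r.ip in looked_up:
            reasons.append("host is also the subject of a PTR lookup")
        if reasons:
            candidates.append((r.ip, r.port, tuple(reasons)))
    return {
        "reverse_lookups": sorted(looked_up),
        "direct_tcp": [(r.ip, r.port) for r in direct],
        "c2_candidates": candidates,
    }


if __name__ == "__main__":
    result = triage(parse_network_table(NETWORK_TABLE))
    for ip, port, why in result["c2_candidates"]:
        print(f"{ip}:{port}  {'; '.join(why)}")
```

Both 213.109.202.97 sessions are flagged on two grounds at once (non-web port, and the host reverse-resolved during the run), which is the combination worth blocking and hunting for; the 52.111.229.43:443 session is left alone because nothing in the table distinguishes it from ordinary HTTPS. The parser also accepts the raw report layout, where the protocol sits in the Domain column, so it can be pointed at a copy-paste of the page as-is.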
Files
memory/3152-0-0x0000000001ED0000-0x0000000001ED1000-memory.dmp
memory/3152-1-0x00000000009A0000-0x00000000017C0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\f047ea4
| MD5 | f477a739e2d63d878730880c77f7145f |
| SHA1 | f7b7640b5bf5a0fd4968334522b0609fb7cc2cc5 |
| SHA256 | a6217d1567efffc623b6087a1dbfb771604a58f4d069777e57d086aae0378ad0 |
| SHA512 | b9fc9b682a90b655be8a1191fe6160f1611f31b884b798b79025be9d566fedb18bddd1bc5f4d12b796116ca848380373c5dbb738e713b519c7f1d401be849ff8 |
memory/3152-7-0x00000000757B0000-0x0000000075D63000-memory.dmp
memory/3152-8-0x00007FFDE7450000-0x00007FFDE7645000-memory.dmp
memory/3152-9-0x00000000757C3000-0x00000000757C5000-memory.dmp
memory/3152-10-0x00000000757B0000-0x0000000075D63000-memory.dmp
memory/3152-11-0x0000000001ED0000-0x0000000001ED1000-memory.dmp
memory/3152-13-0x00000000757C3000-0x00000000757C5000-memory.dmp
memory/3152-14-0x00000000757B0000-0x0000000075D63000-memory.dmp
memory/728-18-0x00000000757B0000-0x0000000075D63000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\15f675a1
| MD5 | 05fb80286ea4ff7fe6543ebf2c68f2e5 |
| SHA1 | 2716ffeb724a7511c143e2cefba791de5def7d2d |
| SHA256 | ae7f701ef05647b663dee99d64a8e5cedcac3ef51442073de34e2cd09fae314e |
| SHA512 | 9a26e031dfd6ad52bf09c0e49a0e930627d58afe4debc10048bddd0217f163cd54f2bc5358220a8d59a5aae2b62637c1ccc1905ef7715042c7feabd07f046b4c |
memory/728-19-0x00007FFDE7450000-0x00007FFDE7645000-memory.dmp
memory/728-21-0x00000000757B0000-0x0000000075D63000-memory.dmp
memory/728-23-0x00000000757B0000-0x0000000075D63000-memory.dmp
memory/728-25-0x0000000003E50000-0x0000000004403000-memory.dmp
memory/728-26-0x00000000757B0000-0x0000000075D63000-memory.dmp
memory/728-27-0x00000000757B0000-0x0000000075D63000-memory.dmp
memory/1860-30-0x0000000074C30000-0x0000000074C4F000-memory.dmp
memory/728-33-0x00000000757B0000-0x0000000075D63000-memory.dmp
memory/728-34-0x0000000003E50000-0x0000000004403000-memory.dmp
memory/1860-35-0x000000007438E000-0x000000007438F000-memory.dmp
memory/1860-36-0x0000000000D00000-0x0000000000DC6000-memory.dmp
memory/1860-37-0x0000000005250000-0x00000000052E2000-memory.dmp
memory/1860-38-0x00000000058A0000-0x0000000005E44000-memory.dmp
memory/1860-39-0x0000000005580000-0x0000000005742000-memory.dmp
memory/1860-40-0x00000000053B0000-0x0000000005426000-memory.dmp
memory/1860-41-0x0000000005430000-0x0000000005480000-memory.dmp
memory/1860-42-0x0000000074380000-0x0000000074B30000-memory.dmp
memory/1860-43-0x0000000005230000-0x000000000523A000-memory.dmp
memory/1860-44-0x0000000006480000-0x00000000069AC000-memory.dmp
memory/1860-45-0x0000000006100000-0x000000000611E000-memory.dmp
memory/1860-46-0x00000000062F0000-0x0000000006356000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp5D50.tmp
| MD5 | a603e09d617fea7517059b4924b1df93 |
| SHA1 | 31d66e1496e0229c6a312f8be05da3f813b3fa9e |
| SHA256 | ccd15f9c7a997ae2b5320ea856c7efc54b5055254d41a443d21a60c39c565cb7 |
| SHA512 | eadb844a84f8a660c578a2f8e65ebcb9e0b9ab67422be957f35492ff870825a4b363f96fd1c546eaacfd518f6812fcf57268ef03c149e5b1a7af145c7100e2cc |
C:\Users\Admin\AppData\Local\Temp\tmp5D72.tmp
| MD5 | 49693267e0adbcd119f9f5e02adf3a80 |
| SHA1 | 3ba3d7f89b8ad195ca82c92737e960e1f2b349df |
| SHA256 | d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f |
| SHA512 | b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2 |
memory/1860-70-0x0000000008020000-0x000000000802A000-memory.dmp
memory/1860-72-0x000000007438E000-0x000000007438F000-memory.dmp
memory/1860-73-0x0000000074380000-0x0000000074B30000-memory.dmp
memory/1860-74-0x00000000054E0000-0x00000000054F2000-memory.dmp
memory/1860-75-0x00000000057C0000-0x00000000057FC000-memory.dmp