Analysis

max time kernel: 295s
max time network: 297s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05-10-2024 15:03

Static task: static1
Behavioral task: behavioral1
  Sample: decrypted.exe
  Resource: win7-20240903-en
General

Target: decrypted.exe
Size: 11.7MB
MD5: 53ce8ea949f61a9b11651c8eafecff76
SHA1: 5cb51086968929125d0615739c380ff142e6ff55
SHA256: 58e38db883597286180f4a5bb97386c6b8c5c400a8b1ca7254f3da7ef40acf9c
SHA512: e43d409f65c8e0cda692e3c1d2e1cf221b8995de9aef84b0c1429459c7c4a27979a8ce2aba7f89557db6ab2d78a1f37b26c99a7f90636e7e606c49c6a3715c73
SSDEEP: 196608:g0hhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhv:gXsJYxjo42bIImyaBFmY4ceu+C+n
Malware Config

Extracted family: lumma
Extracted C2 URLs:
- https://professitonwqu.shop/api
- https://mobbipenju.store/api
- https://eaglepawnoy.store/api
- https://dissapoiznw.store/api
- https://studennotediw.store/api
- https://bathdoomgaz.store/api
- https://spirittunek.store/api
Signatures

SectopRAT payload (1 IoC)
  resource: behavioral2/memory/4940-188-0x0000000000400000-0x00000000004C6000-memory.dmp
  yara_rule: family_sectoprat
  Note: this YARA hit is on a memory dump of PID 4940 (InstallUtil.exe) and is labelled SectopRAT, while the configuration extracted above is Lumma. The two family labels disagree, so neither should be treated as confirmed without further analysis.

Downloads MZ/PE file

Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up the country code configured in the registry, likely for geofencing.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation | decrypted.tmp
  Key value queried | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation | AutoIt3.exe

Executes dropped EXE (5 IoCs)
  pid | Process
  1288 | decrypted.tmp
  4636 | decrypted.tmp
  4120 | AutoIt3.exe
  1060 | AutoIt3.exe
  2876 | tmpE6BE.tmp.exe

Loads dropped DLL (2 IoCs)
  pid | Process
  1288 | decrypted.tmp
  4636 | decrypted.tmp

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\eebbfca = "\"C:\\kgcchef\\AutoIt3.exe\" C:\\kgcchef\\eebbfca.a3x" | AutoIt3.exe
  The value is shown escaped; decoded it reads: "C:\kgcchef\AutoIt3.exe" C:\kgcchef\eebbfca.a3x, i.e. the dropped AutoIt interpreter re-running a compiled .a3x script at next logon.

Enumerates processes with tasklist (1 TTP, 6 IoCs)
  pid | Process
  3732 | tasklist.exe
  4012 | tasklist.exe
  2072 | tasklist.exe
  1344 | tasklist.exe
  2744 | tasklist.exe
  924 | tasklist.exe

Suspicious use of SetThreadContext (1 IoC)
  description | pid | Process | procid_target
  PID 1060 set thread context of 4940 | 1060 | AutoIt3.exe | 124

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 10 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | decrypted.tmp
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | decrypted.tmp
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | AutoIt3.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | PING.EXE
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmpE6BE.tmp.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | decrypted.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | decrypted.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | AutoIt3.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | InstallUtil.exe

System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 2 IoCs)
  Adversaries may check for Internet connectivity on compromised systems.
  pid | Process
  4756 | cmd.exe
  4420 | PING.EXE
  Caveat: the command line in the process tree pings 127.0.0.1, so here ping is used as a delay before the next command rather than as a real connectivity check.

Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | AutoIt3.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | AutoIt3.exe

Runs ping.exe (1 TTP, 1 IoC)
  pid | Process
  4420 | PING.EXE

Suspicious behavior: EnumeratesProcesses (7 IoCs)
  pid | Process
  4636 | decrypted.tmp (x2)
  4940 | InstallUtil.exe (x3)
  2876 | tmpE6BE.tmp.exe (x2)

Suspicious use of AdjustPrivilegeToken (7 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2744 | tasklist.exe
  Token: SeDebugPrivilege | 924 | tasklist.exe
  Token: SeDebugPrivilege | 3732 | tasklist.exe
  Token: SeDebugPrivilege | 4012 | tasklist.exe
  Token: SeDebugPrivilege | 2072 | tasklist.exe
  Token: SeDebugPrivilege | 1344 | tasklist.exe
  Token: SeDebugPrivilege | 4940 | InstallUtil.exe

Suspicious use of FindShellTrayWindow (1 IoC)
  pid | Process
  4636 | decrypted.tmp

Suspicious use of SetWindowsHookEx (1 IoC)
  pid | Process
  4940 | InstallUtil.exe

Suspicious use of WriteProcessMemory (64 IoCs)
  Repeated identical rows are collapsed; the count of each row is in the last column.
  source pid | source Process | wrote to memory of pid | procid_target | count
  1612 | decrypted.exe | 1288 | 85 | 3
  1288 | decrypted.tmp | 2516 | 86 | 3
  2516 | decrypted.exe | 4636 | 87 | 3
  4636 | decrypted.tmp | 1072 | 88 | 2
  1072 | cmd.exe | 2744 | 90 | 2
  1072 | cmd.exe | 3256 | 91 | 2
  4636 | decrypted.tmp | 4552 | 93 | 2
  4552 | cmd.exe | 924 | 95 | 2
  4552 | cmd.exe | 3652 | 96 | 2
  4636 | decrypted.tmp | 1472 | 97 | 2
  1472 | cmd.exe | 3732 | 99 | 2
  1472 | cmd.exe | 2988 | 100 | 2
  4636 | decrypted.tmp | 3268 | 101 | 2
  3268 | cmd.exe | 4012 | 103 | 2
  3268 | cmd.exe | 436 | 104 | 2
  4636 | decrypted.tmp | 1496 | 105 | 2
  1496 | cmd.exe | 2072 | 107 | 2
  1496 | cmd.exe | 628 | 108 | 2
  4636 | decrypted.tmp | 2256 | 109 | 2
  2256 | cmd.exe | 1344 | 111 | 2
  2256 | cmd.exe | 1080 | 112 | 2
  4636 | decrypted.tmp | 4120 | 113 | 3
  4120 | AutoIt3.exe | 4756 | 120 | 3
  4756 | cmd.exe | 4420 | 122 | 3
  4756 | cmd.exe | 1060 | 123 | 3
  1060 | AutoIt3.exe | 4940 | 124 | 5
  4940 | InstallUtil.exe | 2876 | 127 | 2
Processes

The is-XXXXX.tmp\decrypted.tmp children launched with /SL5="..." follow the Inno Setup loader convention: decrypted.exe is an Inno Setup installer that unpacks its setup program into a temporary is-XXXXX.tmp directory and passes it a window handle, two offsets into the installer and the path of the installer itself. The installer re-launches itself with /VERYSILENT /NORESTART, probes for six security products with tasklist | find, runs the dropped AutoIt3 interpreter on an .a3x script, waits via ping to localhost, and finally has a second AutoIt3 instance write into a bare InstallUtil.exe child (see the SetThreadContext and WriteProcessMemory signatures above). Indentation below shows parent/child depth.

PID 1612  C:\Users\Admin\AppData\Local\Temp\decrypted.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\decrypted.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  PID 1288  C:\Users\Admin\AppData\Local\Temp\is-KO7JT.tmp\decrypted.tmp
    cmdline: "C:\Users\Admin\AppData\Local\Temp\is-KO7JT.tmp\decrypted.tmp" /SL5="$80054,11050682,1125376,C:\Users\Admin\AppData\Local\Temp\decrypted.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    PID 2516  C:\Users\Admin\AppData\Local\Temp\decrypted.exe
      cmdline: "C:\Users\Admin\AppData\Local\Temp\decrypted.exe" /VERYSILENT /NORESTART
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      PID 4636  C:\Users\Admin\AppData\Local\Temp\is-4LHIJ.tmp\decrypted.tmp
        cmdline: "C:\Users\Admin\AppData\Local\Temp\is-4LHIJ.tmp\decrypted.tmp" /SL5="$E0050,11050682,1125376,C:\Users\Admin\AppData\Local\Temp\decrypted.exe" /VERYSILENT /NORESTART
        - Executes dropped EXE
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of WriteProcessMemory

        PID 1072  C:\Windows\system32\cmd.exe
          cmdline: "cmd.exe" /C tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH | find /I "wrsa.exe"
          - Suspicious use of WriteProcessMemory
          PID 2744  C:\Windows\system32\tasklist.exe
            cmdline: tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH
            - Enumerates processes with tasklist
            - Suspicious use of AdjustPrivilegeToken
          PID 3256  C:\Windows\system32\find.exe
            cmdline: find /I "wrsa.exe"

        PID 4552  C:\Windows\system32\cmd.exe
          cmdline: "cmd.exe" /C tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH | find /I "opssvc.exe"
          - Suspicious use of WriteProcessMemory
          PID 924  C:\Windows\system32\tasklist.exe
            cmdline: tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH
            - Enumerates processes with tasklist
            - Suspicious use of AdjustPrivilegeToken
          PID 3652  C:\Windows\system32\find.exe
            cmdline: find /I "opssvc.exe"

        PID 1472  C:\Windows\system32\cmd.exe
          cmdline: "cmd.exe" /C tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH | find /I "avastui.exe"
          - Suspicious use of WriteProcessMemory
          PID 3732  C:\Windows\system32\tasklist.exe
            cmdline: tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH
            - Enumerates processes with tasklist
            - Suspicious use of AdjustPrivilegeToken
          PID 2988  C:\Windows\system32\find.exe
            cmdline: find /I "avastui.exe"

        PID 3268  C:\Windows\system32\cmd.exe
          cmdline: "cmd.exe" /C tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH | find /I "avgui.exe"
          - Suspicious use of WriteProcessMemory
          PID 4012  C:\Windows\system32\tasklist.exe
            cmdline: tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH
            - Enumerates processes with tasklist
            - Suspicious use of AdjustPrivilegeToken
          PID 436  C:\Windows\system32\find.exe
            cmdline: find /I "avgui.exe"

        PID 1496  C:\Windows\system32\cmd.exe
          cmdline: "cmd.exe" /C tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH | find /I "nswscsvc.exe"
          - Suspicious use of WriteProcessMemory
          PID 2072  C:\Windows\system32\tasklist.exe
            cmdline: tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH
            - Enumerates processes with tasklist
            - Suspicious use of AdjustPrivilegeToken
          PID 628  C:\Windows\system32\find.exe
            cmdline: find /I "nswscsvc.exe"

        PID 2256  C:\Windows\system32\cmd.exe
          cmdline: "cmd.exe" /C tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH | find /I "sophoshealth.exe"
          - Suspicious use of WriteProcessMemory
          PID 1344  C:\Windows\system32\tasklist.exe
            cmdline: tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH
            - Enumerates processes with tasklist
            - Suspicious use of AdjustPrivilegeToken
          PID 1080  C:\Windows\system32\find.exe
            cmdline: find /I "sophoshealth.exe"

        PID 4120  C:\Users\Admin\AppData\Local\fragaria\AutoIt3.exe
          cmdline: "C:\Users\Admin\AppData\Local\fragaria\\AutoIt3.exe" "C:\Users\Admin\AppData\Local\fragaria\\VSIXConfigurationUpdater1.a3x"
          - Checks computer location settings
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory

          PID 4756  C:\Windows\SysWOW64\cmd.exe
            cmdline: "C:\Windows\System32\cmd.exe" /c ping -n 5 127.0.0.1 >nul && AutoIt3.exe C:\ProgramData\\RopfISG.a3x && del C:\ProgramData\\RopfISG.a3x
            - System Location Discovery: System Language Discovery
            - System Network Configuration Discovery: Internet Connection Discovery
            - Suspicious use of WriteProcessMemory

            PID 4420  C:\Windows\SysWOW64\PING.EXE
              cmdline: ping -n 5 127.0.0.1
              - System Location Discovery: System Language Discovery
              - System Network Configuration Discovery: Internet Connection Discovery
              - Runs ping.exe

            PID 1060  C:\Users\Admin\AppData\Local\fragaria\AutoIt3.exe
              cmdline: AutoIt3.exe C:\ProgramData\\RopfISG.a3x
              - Executes dropped EXE
              - Adds Run key to start application
              - Suspicious use of SetThreadContext
              - System Location Discovery: System Language Discovery
              - Checks processor information in registry
              - Suspicious use of WriteProcessMemory

              PID 4940  C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                - System Location Discovery: System Language Discovery
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of SetWindowsHookEx
                - Suspicious use of WriteProcessMemory

                PID 2876  C:\Users\Admin\AppData\Local\Temp\tmpE6BE.tmp.exe
                  cmdline: "C:\Users\Admin\AppData\Local\Temp\tmpE6BE.tmp.exe"
                  - Executes dropped EXE
                  - System Location Discovery: System Language Discovery
                  - Suspicious behavior: EnumeratesProcesses
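Detection logic for the chain recorded in the Signatures and Processes sections, as an added example that is not part of the sandbox report: it turns the observed behaviours (the Inno Setup /SL5 loader launch, the tasklist | find security-product probes, the ping-to-localhost delay, AutoIt3 running an .a3x from a user-writable path, a bare InstallUtil.exe child, and the RunOnce value pointing at AutoIt3) into rules over Sysmon-style process and registry events. The Event fields, the rule names and the sample events are assumptions constructed for the example, with PIDs, paths and command lines copied from the tree above; the vendor names attached to the probed process names are the analyst's attribution, not something the report states.

```python
"""Flag the behaviours in this report in Sysmon-style process and registry events.

Added example, not part of the sandbox report. The Event shape, rule names and
sample events are constructed; command lines and the RunOnce value are modelled
on the report's process tree and signatures. Vendor attribution is the analyst's.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Event:
    kind: str               # "process" (creation) or "registry" (value set)
    pid: int
    image: str              # full path of the acting process
    cmdline: str = ""       # process events
    parent_image: str = ""  # process events
    key: str = ""           # registry events
    data: str = ""          # registry events


# Process names the sample probes with tasklist; vendor names are analyst attribution.
AV_PROCESSES = {"wrsa.exe": "Webroot", "opssvc.exe": "Quick Heal", "avastui.exe": "Avast",
                "avgui.exe": "AVG", "nswscsvc.exe": "Norton", "sophoshealth.exe": "Sophos"}
# tasklist /FI "IMAGENAME eq X" ... | find /I "X": find's exit code tells the caller whether X runs.
TASKLIST_PROBE = re.compile(
    r'tasklist\s+/FI\s+"IMAGENAME\s+eq\s+(?P<name>[^"]+)"[^|]*\|\s*find\s+/I\s+"(?P=name)"', re.I)
# ping -n N 127.0.0.1 >nul && ...: a delay of roughly N seconds before the next command.
PING_SLEEP = re.compile(r'ping\s+-n\s+(?P<count>\d+)\s+127\.0\.0\.1\s*>\s*nul\s*&&', re.I)
# Inno Setup loader argument: /SL5="$<hwnd>,<offset>,<offset>,<path of the launching installer>"
INNO_SL5 = re.compile(r'/SL5="\$[0-9A-Fa-f]+,\d+,\d+,(?P<src>[^"]+)"')
A3X_SCRIPT = re.compile(r'(?P<script>[^\s"]+\.a3x)\b', re.I)
RUN_KEY = re.compile(r'\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\', re.I)
TRUSTED_ROOTS = ("c:\\program files", "c:\\program files (x86)")


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev: Event) -> list:
    """Return (rule, detail) pairs for one event; an empty list means nothing matched."""
    hits = []
    if ev.kind == "process":
        if m := TASKLIST_PROBE.search(ev.cmdline):
            name = m.group("name").lower()
            hits.append(("av_discovery", f"{name} ({AV_PROCESSES.get(name, 'unknown vendor')})"))
        if m := PING_SLEEP.search(ev.cmdline):
            hits.append(("ping_sleep_then_exec", f"~{m.group('count')}s delay"))
        if m := INNO_SL5.search(ev.cmdline):
            hits.append(("inno_setup_loader", m.group("src")))
        if basename(ev.image) == "autoit3.exe" and not ev.image.lower().startswith(TRUSTED_ROOTS):
            if m := A3X_SCRIPT.search(ev.cmdline):
                hits.append(("autoit_script_from_user_path", m.group("script")))
        # InstallUtil.exe normally takes an assembly path; a bare launch from a non-.NET parent
        # matches the SetThreadContext hollowing of PID 4940 recorded in the report.
        if basename(ev.image) == "installutil.exe" and ev.cmdline.strip().strip('"').lower().endswith("installutil.exe"):
            hits.append(("installutil_no_arguments", f"parent {basename(ev.parent_image)}"))
    elif ev.kind == "registry":
        if RUN_KEY.search(ev.key) and "autoit3.exe" in ev.data.lower() and A3X_SCRIPT.search(ev.data):
            hits.append(("autoit_run_key_persistence", ev.key.rsplit("\\", 1)[-1]))
    return hits


def analyze(events: list) -> dict:
    """Aggregate hits per rule and add one correlated verdict: three or more distinct
    product probes from the same parent is a sweep, not an administrative tasklist."""
    report, probes_by_parent = defaultdict(list), defaultdict(set)
    for ev in events:
        for rule, detail in classify(ev):
            report[rule].append(detail)
            if rule == "av_discovery":
                probes_by_parent[ev.parent_image.lower()].add(detail)
    for parent, names in probes_by_parent.items():
        if len(names) >= 3:
            report["security_software_discovery_sweep"].append(f"{basename(parent)} probed {len(names)} products")
    return dict(report)


# Constructed events modelled on the report's process tree (PIDs and paths copied from it).
SID = "S-1-5-21-355097885-2402257403-2971294179-1000"
TMP = r"C:\Users\Admin\AppData\Local\Temp"
INNO_TMP = TMP + r"\is-KO7JT.tmp\decrypted.tmp"
AUTOIT = r"C:\Users\Admin\AppData\Local\fragaria\AutoIt3.exe"
INSTALLUTIL = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"


def _probe(pid: int, name: str) -> Event:
    return Event("process", pid, r"C:\Windows\system32\cmd.exe",
                 f'"cmd.exe" /C tasklist /FI "IMAGENAME eq {name}" /FO CSV /NH | find /I "{name}"', INNO_TMP)


SAMPLE_EVENTS = [
    Event("process", 1288, INNO_TMP, f'"{INNO_TMP}" /SL5="$80054,11050682,1125376,{TMP}\\decrypted.exe"',
          TMP + r"\decrypted.exe"),
    _probe(1072, "wrsa.exe"), _probe(1472, "avastui.exe"), _probe(2256, "sophoshealth.exe"),
    Event("process", 4756, r"C:\Windows\SysWOW64\cmd.exe",
          r'"C:\Windows\System32\cmd.exe" /c ping -n 5 127.0.0.1 >nul && AutoIt3.exe C:\ProgramData\\RopfISG.a3x && del C:\ProgramData\\RopfISG.a3x',
          AUTOIT),
    Event("process", 1060, AUTOIT, r"AutoIt3.exe C:\ProgramData\\RopfISG.a3x", r"C:\Windows\SysWOW64\cmd.exe"),
    Event("process", 4940, INSTALLUTIL, INSTALLUTIL, AUTOIT),
    Event("registry", 1060, AUTOIT, key="HKU\\" + SID + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\eebbfca",
          data=r'"C:\kgcchef\AutoIt3.exe" C:\kgcchef\eebbfca.a3x'),
    # Benign control: an unfiltered tasklist from an interactive shell must not fire any rule.
    Event("process", 5000, r"C:\Windows\system32\cmd.exe", '"cmd.exe" /C tasklist /FO CSV /NH', r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for rule, details in analyze(SAMPLE_EVENTS).items():
        print(f"{rule:36} {details}")
```

Run it directly to print the per-rule hits. The benign control event at the end deliberately matches nothing: the tasklist rule keys on the /FI IMAGENAME filter piped into find /I for the same name, not on tasklist alone, and the sweep verdict only fires once three or more distinct product names are probed under one parent, which is what separates this installer's six-product check from an administrator listing processes.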
MITRE ATT&CK Enterprise v15

Privilege Escalation
- Boot or Logon Autostart Execution (T1547), 1 hit
  - Registry Run Keys / Startup Folder (T1547.001), 1 hit
Downloads

Filesize: 2KB
  MD5: a69559718ab506675e907fe49deb71e9
  SHA1: bc8f404ffdb1960b50c12ff9413c893b56f2e36f
  SHA256: 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
  SHA512: e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Filesize: 3.4MB
  MD5: edf47d593acf0e39438d621e8357ad34
  SHA1: 5732a17515b0112ce47637393043a1a2e4836218
  SHA256: 5f0f2e763c33ef0d3bb30041927a39191a257b533e16f1f89bf2939d669c9412
  SHA512: 8f49244aa4d4ba31ecef404b9f42b7e9798951a8065dea3699e10464ab676f72227c3084e51c7c256e385605cfa95a35bd88fff01477ecf426153ffcf2f9994f

Filesize: 20KB
  MD5: a603e09d617fea7517059b4924b1df93
  SHA1: 31d66e1496e0229c6a312f8be05da3f813b3fa9e
  SHA256: ccd15f9c7a997ae2b5320ea856c7efc54b5055254d41a443d21a60c39c565cb7
  SHA512: eadb844a84f8a660c578a2f8e65ebcb9e0b9ab67422be957f35492ff870825a4b363f96fd1c546eaacfd518f6812fcf57268ef03c149e5b1a7af145c7100e2cc

Filesize: 20KB
  MD5: 49693267e0adbcd119f9f5e02adf3a80
  SHA1: 3ba3d7f89b8ad195ca82c92737e960e1f2b349df
  SHA256: d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f
  SHA512: b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

Filesize: 5.1MB
  MD5: 40ec60bf0761652fc0f5cc888128acff
  SHA1: 1fde0d7c443e47efbcd26135b8bdf961bec46a89
  SHA256: 0d7341486b8814c8de2dd5660308e103f293d707da933289ca709ce0be39507e
  SHA512: 7a863d1322947c0781ea839a918ac018d34545a75d2eb61612cea3aadf43f2221d8e993bc0f2a0c8b8f4f5250245142ca9a61d2573a305ea21a38b01e692ef85

Filesize: 921KB
  MD5: 3f58a517f1f4796225137e7659ad2adb
  SHA1: e264ba0e9987b0ad0812e5dd4dd3075531cfe269
  SHA256: 1da298cab4d537b0b7b5dabf09bff6a212b9e45731e0cc772f99026005fb9e48
  SHA512: acf740aafce390d06c6a76c84e7ae7c0f721731973aadbe3e57f2eb63241a01303cc6bf11a3f9a88f8be0237998b5772bdaf569137d63ba3d0f877e7d27fc634

Filesize: 939KB
  MD5: c25a5d1ff98e3558b128797de0f7ede8
  SHA1: e6b742ba4fa0836f16b135ab530391ea52e7a83c
  SHA256: 7344920e5ee6ff4f75013be233fea20b872bd4d9adcf0434eaeebcba79099819
  SHA512: f515507befee96cf2f86db0db2c8dda831063900729e0449df0f32a88c76c7752ee364d5d1e072175b5a9eccd6f54f72e5c08656b5bf8d711a414ceda91aa5c0

Filesize: 60KB
  MD5: 292aad866f9decedfdb2b3126fab6061
  SHA1: ea5273f207b22196dbed7e1ddc691ce4418a6d87
  SHA256: 5da1f6349763ccbf7ada3167e0a8e1eeeb158c6cdd0b2aee8f9278812be0d59b
  SHA512: 750573570f029858d689836c8ec7e49f9e3646783adeb34597a7cfd6411a86b2aa060626e7ed9d97ec7dac15d295b36ed03225fdd4238aad59cf2851c91a0119