Analysis

  max time kernel: 149s
  max time network: 150s
  platform: windows10-2004_x64
  resource: win10v2004-20240802-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 05-10-2024 15:13

  Static task: static1
  Behavioral task: behavioral1
  Sample: decrypted.exe
  Resource: win7-20240903-en
General

  Target: decrypted.exe
  Size: 11.7MB
  MD5: 53ce8ea949f61a9b11651c8eafecff76
  SHA1: 5cb51086968929125d0615739c380ff142e6ff55
  SHA256: 58e38db883597286180f4a5bb97386c6b8c5c400a8b1ca7254f3da7ef40acf9c
  SHA512: e43d409f65c8e0cda692e3c1d2e1cf221b8995de9aef84b0c1429459c7c4a27979a8ce2aba7f89557db6ab2d78a1f37b26c99a7f90636e7e606c49c6a3715c73
  SSDEEP: 196608:g0hhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhv:gXsJYxjo42bIImyaBFmY4ceu+C+n
Malware Config
Signatures

SectopRAT payload (1 IoCs)
  resource | yara_rule
  behavioral2/memory/4756-188-0x0000000000400000-0x00000000004C6000-memory.dmp | family_sectoprat

Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation | AutoIt3.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation | decrypted.tmp

Executes dropped EXE (4 IoCs)
  pid | Process
  2704 | decrypted.tmp
  2612 | decrypted.tmp
  1140 | AutoIt3.exe
  1028 | AutoIt3.exe

Loads dropped DLL (2 IoCs)
  pid | Process
  2704 | decrypted.tmp
  2612 | decrypted.tmp

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
Adds Run key to start application (2 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\eebbfca = "\"C:\\kgcchef\\AutoIt3.exe\" C:\\kgcchef\\eebbfca.a3x" | AutoIt3.exe

Enumerates processes with tasklist (1 TTPs, 6 IoCs)
  pid | Process
  4456 | tasklist.exe
  3268 | tasklist.exe
  4740 | tasklist.exe
  2708 | tasklist.exe
  4132 | tasklist.exe
  1372 | tasklist.exe

Suspicious use of SetThreadContext (1 IoCs)
  description | pid | Process | procid_target
  PID 1028 set thread context of 4756 | 1028 | AutoIt3.exe | 121

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 9 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | decrypted.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | decrypted.tmp
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | AutoIt3.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | decrypted.tmp
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | decrypted.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | AutoIt3.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | PING.EXE
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | InstallUtil.exe
System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 2 IoCs)
  Adversaries may check for Internet connectivity on compromised systems.
  pid | Process
  696 | cmd.exe
  3924 | PING.EXE

Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | AutoIt3.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | AutoIt3.exe

Runs ping.exe (1 TTPs, 1 IoCs)
  pid | Process
  3924 | PING.EXE

Suspicious behavior: EnumeratesProcesses (5 IoCs)
  pid | Process
  2612 | decrypted.tmp
  2612 | decrypted.tmp
  4756 | InstallUtil.exe
  4756 | InstallUtil.exe
  4756 | InstallUtil.exe

Suspicious use of AdjustPrivilegeToken (7 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 4132 | tasklist.exe
  Token: SeDebugPrivilege | 1372 | tasklist.exe
  Token: SeDebugPrivilege | 4456 | tasklist.exe
  Token: SeDebugPrivilege | 3268 | tasklist.exe
  Token: SeDebugPrivilege | 4740 | tasklist.exe
  Token: SeDebugPrivilege | 2708 | tasklist.exe
  Token: SeDebugPrivilege | 4756 | InstallUtil.exe

Suspicious use of FindShellTrayWindow (1 IoCs)
  pid | Process
  2612 | decrypted.tmp

Suspicious use of SetWindowsHookEx (1 IoCs)
  pid | Process
  4756 | InstallUtil.exe
Suspicious use of WriteProcessMemory (62 IoCs)
  description | pid | Process | procid_target
  PID 708 wrote to memory of 2704 | 708 | decrypted.exe | 82
  PID 708 wrote to memory of 2704 | 708 | decrypted.exe | 82
  PID 708 wrote to memory of 2704 | 708 | decrypted.exe | 82
  PID 2704 wrote to memory of 656 | 2704 | decrypted.tmp | 83
  PID 2704 wrote to memory of 656 | 2704 | decrypted.tmp | 83
  PID 2704 wrote to memory of 656 | 2704 | decrypted.tmp | 83
  PID 656 wrote to memory of 2612 | 656 | decrypted.exe | 84
  PID 656 wrote to memory of 2612 | 656 | decrypted.exe | 84
  PID 656 wrote to memory of 2612 | 656 | decrypted.exe | 84
  PID 2612 wrote to memory of 1688 | 2612 | decrypted.tmp | 85
  PID 2612 wrote to memory of 1688 | 2612 | decrypted.tmp | 85
  PID 1688 wrote to memory of 4132 | 1688 | cmd.exe | 87
  PID 1688 wrote to memory of 4132 | 1688 | cmd.exe | 87
  PID 1688 wrote to memory of 1932 | 1688 | cmd.exe | 88
  PID 1688 wrote to memory of 1932 | 1688 | cmd.exe | 88
  PID 2612 wrote to memory of 3688 | 2612 | decrypted.tmp | 90
  PID 2612 wrote to memory of 3688 | 2612 | decrypted.tmp | 90
  PID 3688 wrote to memory of 1372 | 3688 | cmd.exe | 92
  PID 3688 wrote to memory of 1372 | 3688 | cmd.exe | 92
  PID 3688 wrote to memory of 1336 | 3688 | cmd.exe | 93
  PID 3688 wrote to memory of 1336 | 3688 | cmd.exe | 93
  PID 2612 wrote to memory of 3512 | 2612 | decrypted.tmp | 94
  PID 2612 wrote to memory of 3512 | 2612 | decrypted.tmp | 94
  PID 3512 wrote to memory of 4456 | 3512 | cmd.exe | 96
  PID 3512 wrote to memory of 4456 | 3512 | cmd.exe | 96
  PID 3512 wrote to memory of 3600 | 3512 | cmd.exe | 97
  PID 3512 wrote to memory of 3600 | 3512 | cmd.exe | 97
  PID 2612 wrote to memory of 1212 | 2612 | decrypted.tmp | 98
  PID 2612 wrote to memory of 1212 | 2612 | decrypted.tmp | 98
  PID 1212 wrote to memory of 3268 | 1212 | cmd.exe | 100
  PID 1212 wrote to memory of 3268 | 1212 | cmd.exe | 100
  PID 1212 wrote to memory of 2468 | 1212 | cmd.exe | 101
  PID 1212 wrote to memory of 2468 | 1212 | cmd.exe | 101
  PID 2612 wrote to memory of 4832 | 2612 | decrypted.tmp | 102
  PID 2612 wrote to memory of 4832 | 2612 | decrypted.tmp | 102
  PID 4832 wrote to memory of 4740 | 4832 | cmd.exe | 104
  PID 4832 wrote to memory of 4740 | 4832 | cmd.exe | 104
  PID 4832 wrote to memory of 1960 | 4832 | cmd.exe | 105
  PID 4832 wrote to memory of 1960 | 4832 | cmd.exe | 105
  PID 2612 wrote to memory of 644 | 2612 | decrypted.tmp | 106
  PID 2612 wrote to memory of 644 | 2612 | decrypted.tmp | 106
  PID 644 wrote to memory of 2708 | 644 | cmd.exe | 108
  PID 644 wrote to memory of 2708 | 644 | cmd.exe | 108
  PID 644 wrote to memory of 3684 | 644 | cmd.exe | 109
  PID 644 wrote to memory of 3684 | 644 | cmd.exe | 109
  PID 2612 wrote to memory of 1140 | 2612 | decrypted.tmp | 110
  PID 2612 wrote to memory of 1140 | 2612 | decrypted.tmp | 110
  PID 2612 wrote to memory of 1140 | 2612 | decrypted.tmp | 110
  PID 1140 wrote to memory of 696 | 1140 | AutoIt3.exe | 117
  PID 1140 wrote to memory of 696 | 1140 | AutoIt3.exe | 117
  PID 1140 wrote to memory of 696 | 1140 | AutoIt3.exe | 117
  PID 696 wrote to memory of 3924 | 696 | cmd.exe | 119
  PID 696 wrote to memory of 3924 | 696 | cmd.exe | 119
  PID 696 wrote to memory of 3924 | 696 | cmd.exe | 119
  PID 696 wrote to memory of 1028 | 696 | cmd.exe | 120
  PID 696 wrote to memory of 1028 | 696 | cmd.exe | 120
  PID 696 wrote to memory of 1028 | 696 | cmd.exe | 120
  PID 1028 wrote to memory of 4756 | 1028 | AutoIt3.exe | 121
  PID 1028 wrote to memory of 4756 | 1028 | AutoIt3.exe | 121
  PID 1028 wrote to memory of 4756 | 1028 | AutoIt3.exe | 121
  PID 1028 wrote to memory of 4756 | 1028 | AutoIt3.exe | 121
  PID 1028 wrote to memory of 4756 | 1028 | AutoIt3.exe | 121
Processes

- C:\Users\Admin\AppData\Local\Temp\decrypted.exe (PID 708)
  Command line: "C:\Users\Admin\AppData\Local\Temp\decrypted.exe"
  Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\is-SDLIQ.tmp\decrypted.tmp (PID 2704)
    Command line: "C:\Users\Admin\AppData\Local\Temp\is-SDLIQ.tmp\decrypted.tmp" /SL5="$502A6,11050682,1125376,C:\Users\Admin\AppData\Local\Temp\decrypted.exe"
    Signatures: Checks computer location settings; Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\decrypted.exe (PID 656)
      Command line: "C:\Users\Admin\AppData\Local\Temp\decrypted.exe" /VERYSILENT /NORESTART
      Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\is-AD0M7.tmp\decrypted.tmp (PID 2612)
        Command line: "C:\Users\Admin\AppData\Local\Temp\is-AD0M7.tmp\decrypted.tmp" /SL5="$A0062,11050682,1125376,C:\Users\Admin\AppData\Local\Temp\decrypted.exe" /VERYSILENT /NORESTART
        Signatures: Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory
        - C:\Windows\system32\cmd.exe (PID 1688)
          Command line: "cmd.exe" /C tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH | find /I "wrsa.exe"
          Signatures: Suspicious use of WriteProcessMemory
          - C:\Windows\system32\tasklist.exe (PID 4132)
            Command line: tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH
            Signatures: Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken
          - C:\Windows\system32\find.exe (PID 1932)
            Command line: find /I "wrsa.exe"
        - C:\Windows\system32\cmd.exe (PID 3688)
          Command line: "cmd.exe" /C tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH | find /I "opssvc.exe"
          Signatures: Suspicious use of WriteProcessMemory
          - C:\Windows\system32\tasklist.exe (PID 1372)
            Command line: tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH
            Signatures: Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken
          - C:\Windows\system32\find.exe (PID 1336)
            Command line: find /I "opssvc.exe"
        - C:\Windows\system32\cmd.exe (PID 3512)
          Command line: "cmd.exe" /C tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH | find /I "avastui.exe"
          Signatures: Suspicious use of WriteProcessMemory
          - C:\Windows\system32\tasklist.exe (PID 4456)
            Command line: tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH
            Signatures: Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken
          - C:\Windows\system32\find.exe (PID 3600)
            Command line: find /I "avastui.exe"
        - C:\Windows\system32\cmd.exe (PID 1212)
          Command line: "cmd.exe" /C tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH | find /I "avgui.exe"
          Signatures: Suspicious use of WriteProcessMemory
          - C:\Windows\system32\tasklist.exe (PID 3268)
            Command line: tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH
            Signatures: Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken
          - C:\Windows\system32\find.exe (PID 2468)
            Command line: find /I "avgui.exe"
        - C:\Windows\system32\cmd.exe (PID 4832)
          Command line: "cmd.exe" /C tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH | find /I "nswscsvc.exe"
          Signatures: Suspicious use of WriteProcessMemory
          - C:\Windows\system32\tasklist.exe (PID 4740)
            Command line: tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH
            Signatures: Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken
          - C:\Windows\system32\find.exe (PID 1960)
            Command line: find /I "nswscsvc.exe"
        - C:\Windows\system32\cmd.exe (PID 644)
          Command line: "cmd.exe" /C tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH | find /I "sophoshealth.exe"
          Signatures: Suspicious use of WriteProcessMemory
          - C:\Windows\system32\tasklist.exe (PID 2708)
            Command line: tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH
            Signatures: Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken
          - C:\Windows\system32\find.exe (PID 3684)
            Command line: find /I "sophoshealth.exe"
        - C:\Users\Admin\AppData\Local\fragaria\AutoIt3.exe (PID 1140)
          Command line: "C:\Users\Admin\AppData\Local\fragaria\\AutoIt3.exe" "C:\Users\Admin\AppData\Local\fragaria\\VSIXConfigurationUpdater1.a3x"
          Signatures: Checks computer location settings; Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
          - C:\Windows\SysWOW64\cmd.exe (PID 696)
            Command line: "C:\Windows\System32\cmd.exe" /c ping -n 5 127.0.0.1 >nul && AutoIt3.exe C:\ProgramData\\LdulAnb1r.a3x && del C:\ProgramData\\LdulAnb1r.a3x
            Signatures: System Location Discovery: System Language Discovery; System Network Configuration Discovery: Internet Connection Discovery; Suspicious use of WriteProcessMemory
            - C:\Windows\SysWOW64\PING.EXE (PID 3924)
              Command line: ping -n 5 127.0.0.1
              Signatures: System Location Discovery: System Language Discovery; System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
            - C:\Users\Admin\AppData\Local\fragaria\AutoIt3.exe (PID 1028)
              Command line: AutoIt3.exe C:\ProgramData\\LdulAnb1r.a3x
              Signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Checks processor information in registry; Suspicious use of WriteProcessMemory
              - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe (PID 4756)
                Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                Signatures: System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx

Network
MITRE ATT&CK Enterprise v15

  Privilege Escalation
    Boot or Logon Autostart Execution (1)
      Registry Run Keys / Startup Folder (1)
Downloads