Analysis Overview
SHA256
58e38db883597286180f4a5bb97386c6b8c5c400a8b1ca7254f3da7ef40acf9c
Threat Level: Known bad
The file decrypted.exe was found to be: Known bad.
Malicious Activity Summary
Lumma Stealer, LummaC
SectopRAT payload
SectopRAT
Downloads MZ/PE file
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Suspicious use of SetThreadContext
Enumerates processes with tasklist
System Location Discovery: System Language Discovery
Enumerates physical storage devices
System Network Configuration Discovery: Internet Connection Discovery
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Modifies system certificate store
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Checks processor information in registry
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-05 15:13
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-05 15:13
Reported
2024-10-05 15:16
Platform
win7-20240903-en
Max time kernel
142s
Max time network
146s
Command Line
Signatures
Lumma Stealer, LummaC
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-TGBTE.tmp\decrypted.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-JGTRM.tmp\decrypted.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\fragaria\AutoIt3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\fragaria\AutoIt3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp4FB9.tmp.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\decrypted.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-TGBTE.tmp\decrypted.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\decrypted.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-JGTRM.tmp\decrypted.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-JGTRM.tmp\decrypted.tmp | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\eebbfca = "\"C:\\kgcchef\\AutoIt3.exe\" C:\\kgcchef\\eebbfca.a3x" | C:\Users\Admin\AppData\Local\fragaria\AutoIt3.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3008 set thread context of 1868 | N/A | C:\Users\Admin\AppData\Local\fragaria\AutoIt3.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\decrypted.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\PING.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\fragaria\AutoIt3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tmp4FB9.tmp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-TGBTE.tmp\decrypted.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\decrypted.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-JGTRM.tmp\decrypted.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\fragaria\AutoIt3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\fragaria\AutoIt3.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\fragaria\AutoIt3.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 | C:\Users\Admin\AppData\Local\Temp\tmp4FB9.tmp.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a | C:\Users\Admin\AppData\Local\Temp\tmp4FB9.tmp.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a | C:\Users\Admin\AppData\Local\Temp\tmp4FB9.tmp.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-JGTRM.tmp\decrypted.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-JGTRM.tmp\decrypted.tmp | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp4FB9.tmp.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-JGTRM.tmp\decrypted.tmp | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\decrypted.exe
"C:\Users\Admin\AppData\Local\Temp\decrypted.exe"
C:\Users\Admin\AppData\Local\Temp\is-TGBTE.tmp\decrypted.tmp
"C:\Users\Admin\AppData\Local\Temp\is-TGBTE.tmp\decrypted.tmp" /SL5="$4010A,11050682,1125376,C:\Users\Admin\AppData\Local\Temp\decrypted.exe"
C:\Users\Admin\AppData\Local\Temp\decrypted.exe
"C:\Users\Admin\AppData\Local\Temp\decrypted.exe" /VERYSILENT /NORESTART
C:\Users\Admin\AppData\Local\Temp\is-JGTRM.tmp\decrypted.tmp
"C:\Users\Admin\AppData\Local\Temp\is-JGTRM.tmp\decrypted.tmp" /SL5="$70122,11050682,1125376,C:\Users\Admin\AppData\Local\Temp\decrypted.exe" /VERYSILENT /NORESTART
C:\Windows\system32\cmd.exe
"cmd.exe" /C tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH | find /I "wrsa.exe"
C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH
C:\Windows\system32\find.exe
find /I "wrsa.exe"
C:\Windows\system32\cmd.exe
"cmd.exe" /C tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH | find /I "opssvc.exe"
C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH
C:\Windows\system32\find.exe
find /I "opssvc.exe"
C:\Windows\system32\cmd.exe
"cmd.exe" /C tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH | find /I "avastui.exe"
C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH
C:\Windows\system32\find.exe
find /I "avastui.exe"
C:\Windows\system32\cmd.exe
"cmd.exe" /C tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH | find /I "avgui.exe"
C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH
C:\Windows\system32\find.exe
find /I "avgui.exe"
C:\Windows\system32\cmd.exe
"cmd.exe" /C tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH | find /I "nswscsvc.exe"
C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH
C:\Windows\system32\find.exe
find /I "nswscsvc.exe"
C:\Windows\system32\cmd.exe
"cmd.exe" /C tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH | find /I "sophoshealth.exe"
C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH
C:\Windows\system32\find.exe
find /I "sophoshealth.exe"
C:\Users\Admin\AppData\Local\fragaria\AutoIt3.exe
"C:\Users\Admin\AppData\Local\fragaria\\AutoIt3.exe" "C:\Users\Admin\AppData\Local\fragaria\\VSIXConfigurationUpdater1.a3x"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping -n 5 127.0.0.1 >nul && AutoIt3.exe C:\ProgramData\\Y0fR5wVEk.a3x && del C:\ProgramData\\Y0fR5wVEk.a3x
C:\Windows\SysWOW64\PING.EXE
ping -n 5 127.0.0.1
C:\Users\Admin\AppData\Local\fragaria\AutoIt3.exe
AutoIt3.exe C:\ProgramData\\Y0fR5wVEk.a3x
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Users\Admin\AppData\Local\Temp\tmp4FB9.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp4FB9.tmp.exe"
Network
| Country | Destination | Domain | Proto |
| RU | 45.141.87.50:15647 | tcp | |
| RU | 45.141.87.50:9000 | 45.141.87.50 | tcp |
| US | 8.8.8.8:53 | crimsonbike.com | udp |
| RU | 45.143.167.133:443 | crimsonbike.com | tcp |
| US | 8.8.8.8:53 | professitonwqu.shop | udp |
| US | 172.67.142.14:443 | professitonwqu.shop | tcp |
| US | 8.8.8.8:53 | mobbipenju.store | udp |
| US | 172.67.208.181:443 | mobbipenju.store | tcp |
| US | 8.8.8.8:53 | eaglepawnoy.store | udp |
| US | 172.67.156.136:443 | eaglepawnoy.store | tcp |
| US | 8.8.8.8:53 | dissapoiznw.store | udp |
| US | 104.21.63.7:443 | dissapoiznw.store | tcp |
| US | 8.8.8.8:53 | studennotediw.store | udp |
| US | 172.67.186.147:443 | studennotediw.store | tcp |
| US | 8.8.8.8:53 | bathdoomgaz.store | udp |
| US | 104.21.6.95:443 | bathdoomgaz.store | tcp |
| US | 8.8.8.8:53 | spirittunek.store | udp |
| US | 104.21.9.4:443 | spirittunek.store | tcp |
| US | 8.8.8.8:53 | licendfilteo.site | udp |
| US | 8.8.8.8:53 | clearancek.site | udp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 104.82.234.109:443 | steamcommunity.com | tcp |
| US | 8.8.8.8:53 | feelystroll.buzz | udp |
| US | 104.21.0.152:443 | feelystroll.buzz | tcp |
Files
memory/2168-0-0x0000000000880000-0x00000000009A1000-memory.dmp
memory/2168-2-0x0000000000881000-0x0000000000929000-memory.dmp
\Users\Admin\AppData\Local\Temp\is-TGBTE.tmp\decrypted.tmp
| MD5 | edf47d593acf0e39438d621e8357ad34 |
| SHA1 | 5732a17515b0112ce47637393043a1a2e4836218 |
| SHA256 | 5f0f2e763c33ef0d3bb30041927a39191a257b533e16f1f89bf2939d669c9412 |
| SHA512 | 8f49244aa4d4ba31ecef404b9f42b7e9798951a8065dea3699e10464ab676f72227c3084e51c7c256e385605cfa95a35bd88fff01477ecf426153ffcf2f9994f |
memory/1844-8-0x0000000000100000-0x0000000000101000-memory.dmp
\Users\Admin\AppData\Local\Temp\is-A0RA6.tmp\_isetup\_iscrypt.dll
| MD5 | a69559718ab506675e907fe49deb71e9 |
| SHA1 | bc8f404ffdb1960b50c12ff9413c893b56f2e36f |
| SHA256 | 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc |
| SHA512 | e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63 |
memory/1960-15-0x0000000000880000-0x00000000009A1000-memory.dmp
memory/1844-17-0x0000000000950000-0x0000000000CD0000-memory.dmp
memory/2168-28-0x0000000000880000-0x00000000009A1000-memory.dmp
\Users\Admin\AppData\Local\fragaria\AutoIt3.exe
| MD5 | 3f58a517f1f4796225137e7659ad2adb |
| SHA1 | e264ba0e9987b0ad0812e5dd4dd3075531cfe269 |
| SHA256 | 1da298cab4d537b0b7b5dabf09bff6a212b9e45731e0cc772f99026005fb9e48 |
| SHA512 | acf740aafce390d06c6a76c84e7ae7c0f721731973aadbe3e57f2eb63241a01303cc6bf11a3f9a88f8be0237998b5772bdaf569137d63ba3d0f877e7d27fc634 |
C:\Users\Admin\AppData\Local\fragaria\VSIXConfigurationUpdater1.a3x
| MD5 | 292aad866f9decedfdb2b3126fab6061 |
| SHA1 | ea5273f207b22196dbed7e1ddc691ce4418a6d87 |
| SHA256 | 5da1f6349763ccbf7ada3167e0a8e1eeeb158c6cdd0b2aee8f9278812be0d59b |
| SHA512 | 750573570f029858d689836c8ec7e49f9e3646783adeb34597a7cfd6411a86b2aa060626e7ed9d97ec7dac15d295b36ed03225fdd4238aad59cf2851c91a0119 |
memory/1164-179-0x0000000000920000-0x0000000000CA0000-memory.dmp
C:\Users\Admin\AppData\Local\fragaria\VSIXConfigurationUpdater.wav
| MD5 | c25a5d1ff98e3558b128797de0f7ede8 |
| SHA1 | e6b742ba4fa0836f16b135ab530391ea52e7a83c |
| SHA256 | 7344920e5ee6ff4f75013be233fea20b872bd4d9adcf0434eaeebcba79099819 |
| SHA512 | f515507befee96cf2f86db0db2c8dda831063900729e0449df0f32a88c76c7752ee364d5d1e072175b5a9eccd6f54f72e5c08656b5bf8d711a414ceda91aa5c0 |
memory/1960-182-0x0000000000880000-0x00000000009A1000-memory.dmp
memory/1868-192-0x0000000000400000-0x00000000004C6000-memory.dmp
memory/1868-194-0x0000000000400000-0x00000000004C6000-memory.dmp
memory/1868-193-0x0000000000400000-0x00000000004C6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpF884.tmp
| MD5 | c9ff7748d8fcef4cf84a5501e996a641 |
| SHA1 | 02867e5010f62f97ebb0cfb32cb3ede9449fe0c9 |
| SHA256 | 4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988 |
| SHA512 | d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73 |
\Users\Admin\AppData\Local\Temp\tmp4FB9.tmp.exe
| MD5 | 40ec60bf0761652fc0f5cc888128acff |
| SHA1 | 1fde0d7c443e47efbcd26135b8bdf961bec46a89 |
| SHA256 | 0d7341486b8814c8de2dd5660308e103f293d707da933289ca709ce0be39507e |
| SHA512 | 7a863d1322947c0781ea839a918ac018d34545a75d2eb61612cea3aadf43f2221d8e993bc0f2a0c8b8f4f5250245142ca9a61d2573a305ea21a38b01e692ef85 |
memory/2856-216-0x0000000000930000-0x000000000098E000-memory.dmp
memory/2856-228-0x0000000000400000-0x0000000000922000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Cab8789.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\Tar87AC.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-05 15:13
Reported
2024-10-05 15:16
Platform
win10v2004-20240802-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\fragaria\AutoIt3.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\is-SDLIQ.tmp\decrypted.tmp | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-SDLIQ.tmp\decrypted.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-AD0M7.tmp\decrypted.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\fragaria\AutoIt3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\fragaria\AutoIt3.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-SDLIQ.tmp\decrypted.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-AD0M7.tmp\decrypted.tmp | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\eebbfca = "\"C:\\kgcchef\\AutoIt3.exe\" C:\\kgcchef\\eebbfca.a3x" | C:\Users\Admin\AppData\Local\fragaria\AutoIt3.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1028 set thread context of 4756 | N/A | C:\Users\Admin\AppData\Local\fragaria\AutoIt3.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\decrypted.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-AD0M7.tmp\decrypted.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\fragaria\AutoIt3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-SDLIQ.tmp\decrypted.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\decrypted.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\fragaria\AutoIt3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\PING.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\fragaria\AutoIt3.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\fragaria\AutoIt3.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-AD0M7.tmp\decrypted.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-AD0M7.tmp\decrypted.tmp | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-AD0M7.tmp\decrypted.tmp | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\decrypted.exe
"C:\Users\Admin\AppData\Local\Temp\decrypted.exe"
C:\Users\Admin\AppData\Local\Temp\is-SDLIQ.tmp\decrypted.tmp
"C:\Users\Admin\AppData\Local\Temp\is-SDLIQ.tmp\decrypted.tmp" /SL5="$502A6,11050682,1125376,C:\Users\Admin\AppData\Local\Temp\decrypted.exe"
C:\Users\Admin\AppData\Local\Temp\decrypted.exe
"C:\Users\Admin\AppData\Local\Temp\decrypted.exe" /VERYSILENT /NORESTART
C:\Users\Admin\AppData\Local\Temp\is-AD0M7.tmp\decrypted.tmp
"C:\Users\Admin\AppData\Local\Temp\is-AD0M7.tmp\decrypted.tmp" /SL5="$A0062,11050682,1125376,C:\Users\Admin\AppData\Local\Temp\decrypted.exe" /VERYSILENT /NORESTART
C:\Windows\system32\cmd.exe
"cmd.exe" /C tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH | find /I "wrsa.exe"
C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH
C:\Windows\system32\find.exe
find /I "wrsa.exe"
C:\Windows\system32\cmd.exe
"cmd.exe" /C tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH | find /I "opssvc.exe"
C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH
C:\Windows\system32\find.exe
find /I "opssvc.exe"
C:\Windows\system32\cmd.exe
"cmd.exe" /C tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH | find /I "avastui.exe"
C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH
C:\Windows\system32\find.exe
find /I "avastui.exe"
C:\Windows\system32\cmd.exe
"cmd.exe" /C tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH | find /I "avgui.exe"
C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH
C:\Windows\system32\find.exe
find /I "avgui.exe"
C:\Windows\system32\cmd.exe
"cmd.exe" /C tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH | find /I "nswscsvc.exe"
C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH
C:\Windows\system32\find.exe
find /I "nswscsvc.exe"
C:\Windows\system32\cmd.exe
"cmd.exe" /C tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH | find /I "sophoshealth.exe"
C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH
C:\Windows\system32\find.exe
find /I "sophoshealth.exe"
C:\Users\Admin\AppData\Local\fragaria\AutoIt3.exe
"C:\Users\Admin\AppData\Local\fragaria\\AutoIt3.exe" "C:\Users\Admin\AppData\Local\fragaria\\VSIXConfigurationUpdater1.a3x"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping -n 5 127.0.0.1 >nul && AutoIt3.exe C:\ProgramData\\LdulAnb1r.a3x && del C:\ProgramData\\LdulAnb1r.a3x
C:\Windows\SysWOW64\PING.EXE
ping -n 5 127.0.0.1
C:\Users\Admin\AppData\Local\fragaria\AutoIt3.exe
AutoIt3.exe C:\ProgramData\\LdulAnb1r.a3x
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| RU | 45.141.87.50:15647 | tcp | |
| US | 8.8.8.8:53 | 50.87.141.45.in-addr.arpa | udp |
| RU | 45.141.87.50:9000 | 45.141.87.50 | tcp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | udp |
Files
memory/708-2-0x00000000008C1000-0x0000000000969000-memory.dmp
memory/708-0-0x00000000008C0000-0x00000000009E1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-SDLIQ.tmp\decrypted.tmp
| MD5 | edf47d593acf0e39438d621e8357ad34 |
| SHA1 | 5732a17515b0112ce47637393043a1a2e4836218 |
| SHA256 | 5f0f2e763c33ef0d3bb30041927a39191a257b533e16f1f89bf2939d669c9412 |
| SHA512 | 8f49244aa4d4ba31ecef404b9f42b7e9798951a8065dea3699e10464ab676f72227c3084e51c7c256e385605cfa95a35bd88fff01477ecf426153ffcf2f9994f |
memory/2704-6-0x0000000003780000-0x0000000003781000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-SS3G3.tmp\_isetup\_iscrypt.dll
| MD5 | a69559718ab506675e907fe49deb71e9 |
| SHA1 | bc8f404ffdb1960b50c12ff9413c893b56f2e36f |
| SHA256 | 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc |
| SHA512 | e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63 |
memory/656-13-0x00000000008C0000-0x00000000009E1000-memory.dmp
memory/2704-15-0x0000000000CE0000-0x0000000001060000-memory.dmp
memory/708-17-0x00000000008C0000-0x00000000009E1000-memory.dmp
memory/2612-25-0x0000000001000000-0x0000000001001000-memory.dmp
C:\Users\Admin\AppData\Local\fragaria\AutoIt3.exe
| MD5 | 3f58a517f1f4796225137e7659ad2adb |
| SHA1 | e264ba0e9987b0ad0812e5dd4dd3075531cfe269 |
| SHA256 | 1da298cab4d537b0b7b5dabf09bff6a212b9e45731e0cc772f99026005fb9e48 |
| SHA512 | acf740aafce390d06c6a76c84e7ae7c0f721731973aadbe3e57f2eb63241a01303cc6bf11a3f9a88f8be0237998b5772bdaf569137d63ba3d0f877e7d27fc634 |
memory/656-177-0x00000000008C0000-0x00000000009E1000-memory.dmp
C:\Users\Admin\AppData\Local\fragaria\VSIXConfigurationUpdater.wav
| MD5 | c25a5d1ff98e3558b128797de0f7ede8 |
| SHA1 | e6b742ba4fa0836f16b135ab530391ea52e7a83c |
| SHA256 | 7344920e5ee6ff4f75013be233fea20b872bd4d9adcf0434eaeebcba79099819 |
| SHA512 | f515507befee96cf2f86db0db2c8dda831063900729e0449df0f32a88c76c7752ee364d5d1e072175b5a9eccd6f54f72e5c08656b5bf8d711a414ceda91aa5c0 |
C:\Users\Admin\AppData\Local\fragaria\VSIXConfigurationUpdater1.a3x
| MD5 | 292aad866f9decedfdb2b3126fab6061 |
| SHA1 | ea5273f207b22196dbed7e1ddc691ce4418a6d87 |
| SHA256 | 5da1f6349763ccbf7ada3167e0a8e1eeeb158c6cdd0b2aee8f9278812be0d59b |
| SHA512 | 750573570f029858d689836c8ec7e49f9e3646783adeb34597a7cfd6411a86b2aa060626e7ed9d97ec7dac15d295b36ed03225fdd4238aad59cf2851c91a0119 |
memory/2612-174-0x0000000000460000-0x00000000007E0000-memory.dmp
memory/4756-187-0x0000000000400000-0x00000000004C6000-memory.dmp
memory/4756-188-0x0000000000400000-0x00000000004C6000-memory.dmp
memory/4756-189-0x0000000004FF0000-0x0000000005082000-memory.dmp
memory/4756-190-0x0000000005700000-0x0000000005CA4000-memory.dmp
memory/4756-191-0x0000000005320000-0x00000000054E2000-memory.dmp
memory/4756-192-0x0000000005150000-0x00000000051C6000-memory.dmp
memory/4756-193-0x00000000050F0000-0x0000000005140000-memory.dmp
memory/4756-194-0x0000000005090000-0x000000000509A000-memory.dmp
memory/4756-195-0x00000000062E0000-0x000000000680C000-memory.dmp
memory/4756-196-0x00000000056D0000-0x00000000056EE000-memory.dmp
memory/4756-197-0x0000000005E70000-0x0000000005ED6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp3824.tmp
| MD5 | a603e09d617fea7517059b4924b1df93 |
| SHA1 | 31d66e1496e0229c6a312f8be05da3f813b3fa9e |
| SHA256 | ccd15f9c7a997ae2b5320ea856c7efc54b5055254d41a443d21a60c39c565cb7 |
| SHA512 | eadb844a84f8a660c578a2f8e65ebcb9e0b9ab67422be957f35492ff870825a4b363f96fd1c546eaacfd518f6812fcf57268ef03c149e5b1a7af145c7100e2cc |
C:\Users\Admin\AppData\Local\Temp\tmp3856.tmp
| MD5 | 49693267e0adbcd119f9f5e02adf3a80 |
| SHA1 | 3ba3d7f89b8ad195ca82c92737e960e1f2b349df |
| SHA256 | d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f |
| SHA512 | b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2 |
memory/4756-221-0x0000000007CA0000-0x0000000007CAA000-memory.dmp
memory/4756-223-0x0000000005230000-0x0000000005242000-memory.dmp
memory/4756-224-0x0000000005570000-0x00000000055AC000-memory.dmp