Overview

overview

10

Static

static

1

afbdaa974c...07.msi

windows7-x64

10

afbdaa974c...07.msi

windows10-2004-x64

10

Analysis

  • max time kernel
    140s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18/10/2024, 10:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    afbdaa974cdc9624fe94b5c0ca6ce01695570790a68cc9c86ea0619973f13d07.msi

  • Size

    2.9MB

  • MD5

    d87cc5fb2d4047d442446cc6d2d01cf9

  • SHA1

    8d2c76bb8248b1c8171c4cc198255d5613afe6fe

  • SHA256

    afbdaa974cdc9624fe94b5c0ca6ce01695570790a68cc9c86ea0619973f13d07

  • SHA512

    542e85c82bb770f8e4c6415597330d541be2a21c1e95f83c9e57db5df123255be831f4beab56f7211dd1b7c3823838ce3526fa16ae81f5d9bf4767ab46217333

  • SSDEEP

    49152:NiSoOl+YyNuCClJkqr6zeM4I/157fW8KvSu784p0mKZ+nYxgrFUhmnb+t1cVDUqb:Nt7+YJCCvkP4Id59Kvv8KGZgYyyuqtUF

Score
10/10
sectopratdiscoverypersistenceprivilege_escalationrattrojan

Malware Config

Signatures

  • SectopRAT

    SectopRAT is a remote access trojan first seen in November 2019.

    trojanratsectoprat
  • SectopRAT payload 1 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Windows directory 8 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 18 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
    persistenceprivilege_escalation
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious behavior: MapViewOfSection 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\afbdaa974cdc9624fe94b5c0ca6ce01695570790a68cc9c86ea0619973f13d07.msi
    1⤵
    • Enumerates connected drives
    • Event Triggered Execution: Installer Packages
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2468
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:964
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
        PID:4132
      • C:\Users\Admin\AppData\Local\Ormolu\ManyCam.exe
        "C:\Users\Admin\AppData\Local\Ormolu\ManyCam.exe"
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:3352
        • C:\Windows\system32\pcaui.exe
          "C:\Windows\system32\pcaui.exe" -g {11111111-1111-1111-1111-111111111111} -x {bce4b583-343f-44b8-8f95-9f76104077b9} -a "ManyCam" -v "ManyCam LLC" -s "To work properly, this app must be reinstalled after you upgrade Windows." -n 4 -f 0 -k 0 -e "C:\Users\Admin\AppData\Local\Ormolu\ManyCam.exe"
          3⤵
            PID:1052
          • C:\Users\Admin\AppData\Roaming\demoArchivebcz\ManyCam.exe
            C:\Users\Admin\AppData\Roaming\demoArchivebcz\ManyCam.exe
            3⤵
            • Suspicious use of SetThreadContext
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Checks processor information in registry
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of WriteProcessMemory
            PID:4300
            • C:\Windows\system32\pcaui.exe
              "C:\Windows\system32\pcaui.exe" -g {11111111-1111-1111-1111-111111111111} -x {bce4b583-343f-44b8-8f95-9f76104077b9} -a "ManyCam" -v "ManyCam LLC" -s "To work properly, this app must be reinstalled after you upgrade Windows." -n 4 -f 0 -k 0 -e "C:\Users\Admin\AppData\Roaming\demoArchivebcz\ManyCam.exe"
              4⤵
                PID:4924
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\SysWOW64\cmd.exe
                4⤵
                • Suspicious use of SetThreadContext
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious behavior: MapViewOfSection
                • Suspicious use of WriteProcessMemory
                PID:5028
                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                  C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                  5⤵
                  • System Location Discovery: System Language Discovery
                  PID:1820
        • C:\Windows\system32\vssvc.exe
          C:\Windows\system32\vssvc.exe
          1⤵
          • Checks SCSI registry key(s)
          • Suspicious use of AdjustPrivilegeToken
          PID:216

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Config.Msi\e57df26.rbs
          Filesize

          9KB

          MD5

          dcfd88aedcdb26470495adb8face64d2

          SHA1

          861b993386c40b1a1703725532d68300a273b87b

          SHA256

          4907f108a0f9de6e4dce6b19cab1acd8e8a365511fc21468ddab7dd61b84cf12

          SHA512

          40a42dbdf93db3af2b037a8a687880e37a0793c915085abd4aea008f714a1d055a648ea86601db0572d2636186fa11c87ce0108515d49157fcbf39981e3b1c22

          Download Submit

        • C:\Users\Admin\AppData\Local\Ormolu\CrashRpt.dll
          Filesize

          121KB

          MD5

          b2d1f5e4a1f0e8d85f0a8aeb7b8148c7

          SHA1

          871078213fcc0ce143f518bd69caa3156b385415

          SHA256

          c28e0aec124902e948c554436c0ebbebba9fc91c906ce2cd887fada0c64e3386

          SHA512

          1f6d97e02cd684cf4f4554b0e819196bd2811e19b964a680332268bcbb6dee0e17b2b35b6e66f0fe5622dffb0a734f39f8e49637a38e4fe7f10d3b5182b30260

          Download Submit

        • C:\Users\Admin\AppData\Local\Ormolu\ManyCam.exe
          Filesize

          1.7MB

          MD5

          ba699791249c311883baa8ce3432703b

          SHA1

          f8734601f9397cb5ebb8872af03f5b0639c2eac6

          SHA256

          7c4eb51a737a81c163f95b50ec54518b82fcf91389d0560e855f3e26cec07282

          SHA512

          6a0386424c61fbf525625ebe53bb2193accd51c2be9a2527fd567d0a6e112b0d1a047d8f7266d706b726e9c41ea77496e1ede186a5e59f5311eeea829a302325

          Download Submit

        • C:\Users\Admin\AppData\Local\Ormolu\cv099.dll
          Filesize

          664KB

          MD5

          2a8b33fee2f84490d52a3a7c75254971

          SHA1

          16ce2b1632a17949b92ce32a6211296fee431dca

          SHA256

          faff6a0745e1720413a028f77583fff013c3f4682756dc717a0549f1be3fefc2

          SHA512

          8daf104582547d6b3a6d8698836e279d88ad9a870e9fdd66c319ecada3757a3997f411976461ed30a5d24436baa7504355b49d4acec2f7cdfe10e1e392e0f7fb

          Download Submit

        • C:\Users\Admin\AppData\Local\Ormolu\cxcore099.dll
          Filesize

          908KB

          MD5

          286284d4ae1c67d0d5666b1417dcd575

          SHA1

          8b8a32577051823b003c78c86054874491e9ecfa

          SHA256

          37d9a8057d58b043ad037e9905797c215cd0832d48a29731c1687b23447ce298

          SHA512

          2efc47a8e104baa13e19bee3b3b3364da09cea80601bc87492de348f1c8d61008002540ba8f0df99b2d20e333d09ea8e097a87c97e91910d7d592d11a953917a

          Download Submit

        • C:\Users\Admin\AppData\Local\Ormolu\cximagecrt.dll
          Filesize

          487KB

          MD5

          c36f6e088c6457a43adb7edcd17803f3

          SHA1

          b25b9fb4c10b8421c8762c7e7b3747113d5702de

          SHA256

          8e1243454a29998cc7dc89caecfadc0d29e00e5776a8b5777633238b8cd66f72

          SHA512

          87cad4c3059bd7de02338922cf14e515af5cad663d473b19dd66a4c8befc8bce61c9c2b5a14671bc71951fdff345e4ca7a799250d622e2c9236ec03d74d4fe4e

          Download Submit

        • C:\Users\Admin\AppData\Local\Ormolu\dbghelp.dll
          Filesize

          478KB

          MD5

          aa1594596fa19609555e317d9b64be6a

          SHA1

          924b08d85b537be52142965c3ad33c01b457ea83

          SHA256

          5139413ea54dee9ec4f13b193d88ccae9adb8f0d8c1e2ba1aee460d8a0d5bb79

          SHA512

          759209846039d1efb2f6ddf3501f1f868989e81752bb7d617afd9fd4238c52162167b1a1732ec81bdfce469856c78439cc7c8d173b1f48de499dfee725b192dc

          Download Submit

        • C:\Users\Admin\AppData\Local\Ormolu\gxfiogr
          Filesize

          51KB

          MD5

          b590c33dd2a4c8ddedda46028181a405

          SHA1

          b0949a3396d84b8e4dca5d5026eb3b6c0679f7e3

          SHA256

          862aadcb096647394a5f6f5e646bf57b52567180505b6026e59539f6ded1eaa8

          SHA512

          e72b33ca405b551532a855a74f99aab1850756cbaefb9421d6e480e719b6ceead1d728dbc786d76d91532f0bbdcc241039dac35479bf90f7d2d665c6ab9f8da7

          Download Submit

        • C:\Users\Admin\AppData\Local\Ormolu\highgui099.dll
          Filesize

          388KB

          MD5

          a354c42fcb37a50ecad8dde250f6119e

          SHA1

          0eb4ad5e90d28a4a8553d82cec53072279af1961

          SHA256

          89db6973f4ec5859792bcd8a50cd10db6b847613f2cea5adef740eec141673b2

          SHA512

          981c82f6334961c54c80009b14a0c2cd48067baf6d502560d508be86f5185374a422609c7fdc9a2cde9b98a7061efab7fd9b1f4f421436a9112833122bc35059

          Download Submit

        • C:\Users\Admin\AppData\Local\Ormolu\rsjddfw
          Filesize

          1.2MB

          MD5

          2139118b4760969b3a7df8d1abf9c26f

          SHA1

          a076ee81fac8df2508e72c918ff2ad45d8bf8281

          SHA256

          f2158d2632256e1e8d6cd855937ff9b3d8ac738d993fb0be976880a8692d76eb

          SHA512

          5104382aa96d6c5d3c3b2a43ef465b1d690ef59ca4660fc026943b7c44cafb0bc569031a66ef9c10cbd119eb361b3b84fb7c190ba28c2588c34cd9c6472c0833

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\94e92900
          Filesize

          1.4MB

          MD5

          a53e94150bbc8b7682ae105e9a105acf

          SHA1

          1bd6677bdbf42abbf45c9d1577dcad0d439e46fb

          SHA256

          8f6b8a1608553019377bdd9aadfd78a24b1c2ad3f58c91a245dc167a53101994

          SHA512

          9e1d87f9025c8d248dfb6a775376c902f08059c4fc766ca85f8b5464f331d7e76d9446592b5b702ee7b5525a0bca4297adfba490df3a8df184bfeb9a75181559

          Download Submit

        • C:\Windows\Installer\e57df25.msi
          Filesize

          2.9MB

          MD5

          d87cc5fb2d4047d442446cc6d2d01cf9

          SHA1

          8d2c76bb8248b1c8171c4cc198255d5613afe6fe

          SHA256

          afbdaa974cdc9624fe94b5c0ca6ce01695570790a68cc9c86ea0619973f13d07

          SHA512

          542e85c82bb770f8e4c6415597330d541be2a21c1e95f83c9e57db5df123255be831f4beab56f7211dd1b7c3823838ce3526fa16ae81f5d9bf4767ab46217333

          Download Submit

        • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
          Filesize

          24.1MB

          MD5

          dd59d92c830382d9ad5abe93b0d436ce

          SHA1

          e627727bcd284551d05a5dc9b4c6d40411609148

          SHA256

          6f79622e4a42013bf22eb4f7051d1b941b4bc7cf97f10b48d8f91de572160e8d

          SHA512

          c55d02dfa2e5e656121f602332e89259387dd1db725e3bc62a111545296fc06319849b08d020f3290903d71f1793e6a7b38aa86be06f74862489df2e16579e57

          Download Submit

        • \??\Volume{fb297ba4-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{536465ed-e7e2-4aec-b437-48bf927b1b38}_OnDiskSnapshotProp
          Filesize

          6KB

          MD5

          02bd0cab3a11df77c58e6960ea3eac9f

          SHA1

          3c5c789c9dfa0eb6f427f920ae1d5f895bdf3a8e

          SHA256

          de89c22256b8a64762b066b817de5ae4699025ef8f867ac9317e2f271a192283

          SHA512

          5d7e3dd798042f01483700b99d55a3bff21e2e0617b44234ff480c937a71f03a027965f859901fda4f23d347193bb0a1bed9c2b0cc8e5e0b96b66bfbd22b69f0

          Download Submit

        • memory/1820-112-0x00000000050C0000-0x0000000005110000-memory.dmp

          Filesize

          320KB

          Download

        • memory/1820-111-0x0000000005110000-0x0000000005186000-memory.dmp

          Filesize

          472KB

          Download

        • memory/1820-110-0x0000000005260000-0x0000000005422000-memory.dmp

          Filesize

          1.8MB

          Download

        • memory/1820-109-0x0000000005640000-0x0000000005BE4000-memory.dmp

          Filesize

          5.6MB

          Download

        • memory/1820-108-0x0000000004FF0000-0x0000000005082000-memory.dmp

          Filesize

          584KB

          Download

        • memory/1820-107-0x0000000000900000-0x00000000009C6000-memory.dmp

          Filesize

          792KB

          Download

        • memory/1820-104-0x00000000736F0000-0x0000000074944000-memory.dmp

          Filesize

          18.3MB

          Download

        • memory/3352-49-0x0000000001C80000-0x0000000001CE2000-memory.dmp

          Filesize

          392KB

          Download

        • memory/3352-46-0x0000000001B90000-0x0000000001C7C000-memory.dmp

          Filesize

          944KB

          Download

        • memory/3352-57-0x00007FFFC1010000-0x00007FFFC1205000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/3352-56-0x0000000074C20000-0x0000000074D9B000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/3352-52-0x0000000001D00000-0x0000000001DAD000-memory.dmp

          Filesize

          692KB

          Download

        • memory/4300-95-0x0000000074C20000-0x0000000074D9B000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/4300-94-0x00007FFFC1010000-0x00007FFFC1205000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/4300-93-0x0000000074C20000-0x0000000074D9B000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/4300-87-0x0000000001CF0000-0x0000000001D9D000-memory.dmp

          Filesize

          692KB

          Download

        • memory/4300-83-0x0000000001C00000-0x0000000001CEC000-memory.dmp

          Filesize

          944KB

          Download

        • memory/4300-89-0x0000000001DA0000-0x0000000001E02000-memory.dmp

          Filesize

          392KB

          Download

        • memory/5028-100-0x00007FFFC1010000-0x00007FFFC1205000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/5028-102-0x0000000074C20000-0x0000000074D9B000-memory.dmp

          Filesize

          1.5MB

          Download