sectoprat | dc083a97abcc87f3d153b21cf4b0ff19ca7cadc3f698b9ecfd1402b93884ac58

General

Target

msn.exe
Size

5.5MB
MD5

537915708fe4e81e18e99d5104b353ed
SHA1

128ddb7096e5b748c72dc13f55b593d8d20aa3fb
SHA256

6dc7275f2143d1de0ca66c487b0f2ebff3d4c6a79684f03b9619bf23143ecf74
SHA512

9ceaaf7aa5889be9f5606646403133782d004b9d78ef83d7007dfce67c0f4f688d7931aebc74f1fc30aac2f1dd6281bdadfb52bc3ea46aca33b334adb4067ae2
SSDEEP

49152:ERUl697ngPTrho9J8kgdjbHNZ5PP/Re5m3mxVN6KEp0v7J7k66ZRkQTXw+sljVop:uAXqnhON8m3mzNHTdw6YSX+sleu5y

Score

10^/10

sectoprat discovery rat spyware trojan

Malware Config

Signatures

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 1 IoCs

resource	yara_rule
behavioral2/memory/3828-39-0x0000000000820000-0x00000000008E6000-memory.dmp	family_sectoprat

Executes dropped EXE 1 IoCs

pid	Process
3976	msn.exe

Loads dropped DLL 3 IoCs

pid	Process
3976	msn.exe
3976	msn.exe
3976	msn.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3976 set thread context of 5044	3976	msn.exe	87
PID 5044 set thread context of 3828	5044	cmd.exe	100

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msn.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3688	msn.exe
3976	msn.exe
3976	msn.exe
5044	cmd.exe
5044	cmd.exe
3828	MSBuild.exe
3828	MSBuild.exe
3828	MSBuild.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
3976	msn.exe
5044	cmd.exe
5044	cmd.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3828	MSBuild.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3828	MSBuild.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3688 wrote to memory of 3976	3688	msn.exe	85
PID 3688 wrote to memory of 3976	3688	msn.exe	85
PID 3688 wrote to memory of 3976	3688	msn.exe	85
PID 3976 wrote to memory of 5044	3976	msn.exe	87
PID 3976 wrote to memory of 5044	3976	msn.exe	87
PID 3976 wrote to memory of 5044	3976	msn.exe	87
PID 3976 wrote to memory of 5044	3976	msn.exe	87
PID 5044 wrote to memory of 3828	5044	cmd.exe	100
PID 5044 wrote to memory of 3828	5044	cmd.exe	100
PID 5044 wrote to memory of 3828	5044	cmd.exe	100
PID 5044 wrote to memory of 3828	5044	cmd.exe	100
PID 5044 wrote to memory of 3828	5044	cmd.exe	100

C:\Users\Admin\AppData\Local\Temp\msn.exe
"C:\Users\Admin\AppData\Local\Temp\msn.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3688
- C:\ProgramData\Svclocalv4\msn.exe
  C:\ProgramData\Svclocalv4\msn.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:3976
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\SysWOW64\cmd.exe
    3⤵
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:5044
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:3828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Svclocalv4\ContactsUX.dll

Filesize
331KB

MD5
54ee6a204238313dc6aca21c7e036c17

SHA1
531fd1c18e2e4984c72334eb56af78a1048da6c7

SHA256
0abf68b8409046a1555d48ac506fd26fda4b29d8d61e07bc412a4e21de2782fd

SHA512
19a2e371712aab54b75059d39a9aea6e7de2eb69b3ffc0332e60df617ebb9de61571b2ca722cddb75c9cbc79f8200d03f73539f21f69366eae3c7641731c7820

Download Submit
C:\ProgramData\Svclocalv4\MSNCore.dll

Filesize
991KB

MD5
deaa38a71c85d2f9d4ba71343d1603da

SHA1
bdbb492512cee480794e761d1bea718db14013ec

SHA256
1dc120f34b294e964eee949c4d1ebd9c271715d46b38ae082fec2f1d505e8d65

SHA512
87b152b642a020e07ad46e9ed5b4a462c12cf0918f82025c230f662eddb3bf4b2d3aa15ca770970beae5988dd5d5d9b7bcaf7a77c6d2f3acf6d12826f3a9ead7

Download Submit
C:\ProgramData\Svclocalv4\bqbr

Filesize
1.2MB

MD5
3a05d26d5f082069d4c556b9858c5fdc

SHA1
37c11326ee5279ce552261f145fe49e1fc49d05c

SHA256
a4da5697b73c5d24e98dfeeaae89ae41c18d5105d0b130562c48b75f7e3a0b39

SHA512
1bdc73e784894d9934834b1c9416313b25eab515f010c48df08efe5b7b570cd10766cceb672268daf7fdf916672f086dcb581f7a9ad237d2dc18e4f3a895beba

Download Submit
C:\ProgramData\Svclocalv4\gld

Filesize
88KB

MD5
06a62106f0d01ed3a971415b57366a8b

SHA1
9d905a38a4f53961a3828b2f759062b428dd25a9

SHA256
6c5fb0f5e586cac39cf4e06e918dad243053cb103a82afeed32d92732834cc93

SHA512
4565dfe2e72a4a08d2a66722cb3ab736a2fa45f0c0ad368805d778f57f3bade2c82b2f8eab3006e4258cf5be84e96a46233e68be4d14fec50382cd94c13a4d74

Download Submit
C:\ProgramData\Svclocalv4\msidcrl40.dll

Filesize
784KB

MD5
f1f8d156bbdd5945a4f933ac7fa7cc41

SHA1
e581235e9f1a3a8a63b8a470eaed882bc93b9085

SHA256
344ac8e5debb1a496c3648f941801cdc6ffdfcc7eef8ed38e62270a2e20b1c3a

SHA512
86d799af3be251edecf6a552f473b94a0ba2d738b7b5f4a84c31bb34db4ea458f5e50090370bdf82f945e684dd5d66b88ebe3c902305bb0a435aca1331cb4ad9

Download Submit
C:\ProgramData\Svclocalv4\msn.exe

Filesize
5.5MB

MD5
537915708fe4e81e18e99d5104b353ed

SHA1
128ddb7096e5b748c72dc13f55b593d8d20aa3fb

SHA256
6dc7275f2143d1de0ca66c487b0f2ebff3d4c6a79684f03b9619bf23143ecf74

SHA512
9ceaaf7aa5889be9f5606646403133782d004b9d78ef83d7007dfce67c0f4f688d7931aebc74f1fc30aac2f1dd6281bdadfb52bc3ea46aca33b334adb4067ae2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ee7c570e

Filesize
1.5MB

MD5
202eee927219fe1637b3c991aff2f428

SHA1
f766bd1d685fffb036a222e03cbe2525ee0e1fe7

SHA256
25fab0c9372cc4d9075184c09482198eebfba3c366204488ace972eb10174844

SHA512
7d0b81ce64d19ea7e50f44181e472cd37f05538357ec1aca02d79f173025a93fe18bedd764a7b169e706411d20f07047df323858ca210039eaf9e7fe55c30c4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE727.tmp

Filesize
20KB

MD5
49693267e0adbcd119f9f5e02adf3a80

SHA1
3ba3d7f89b8ad195ca82c92737e960e1f2b349df

SHA256
d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f

SHA512
b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

Download Submit
memory/3688-1-0x00007FF8EE890000-0x00007FF8EEA85000-memory.dmp

Filesize
2.0MB

Download
memory/3688-0-0x0000000074420000-0x000000007459B000-memory.dmp

Filesize
1.5MB

Download
memory/3828-46-0x0000000006040000-0x000000000656C000-memory.dmp

Filesize
5.2MB

Download
memory/3828-45-0x0000000004DA0000-0x0000000004DAA000-memory.dmp

Filesize
40KB

Download
memory/3828-41-0x0000000005460000-0x0000000005A04000-memory.dmp

Filesize
5.6MB

Download
memory/3828-48-0x0000000005C30000-0x0000000005C96000-memory.dmp

Filesize
408KB

Download
memory/3828-68-0x0000000004F10000-0x0000000004F22000-memory.dmp

Filesize
72KB

Download
memory/3828-47-0x0000000005B40000-0x0000000005B5E000-memory.dmp

Filesize
120KB

Download
memory/3828-69-0x0000000005090000-0x00000000050CC000-memory.dmp

Filesize
240KB

Download
memory/3828-66-0x00000000079E0000-0x00000000079EA000-memory.dmp

Filesize
40KB

Download
memory/3828-44-0x0000000004FB0000-0x0000000005000000-memory.dmp

Filesize
320KB

Download
memory/3828-43-0x0000000004F30000-0x0000000004FA6000-memory.dmp

Filesize
472KB

Download
memory/3828-42-0x0000000005220000-0x00000000053E2000-memory.dmp

Filesize
1.8MB

Download
memory/3828-36-0x0000000072EF0000-0x0000000074144000-memory.dmp

Filesize
18.3MB

Download
memory/3828-39-0x0000000000820000-0x00000000008E6000-memory.dmp

Filesize
792KB

Download
memory/3828-40-0x0000000004DB0000-0x0000000004E42000-memory.dmp

Filesize
584KB

Download
memory/3976-21-0x00007FF8EE890000-0x00007FF8EEA85000-memory.dmp

Filesize
2.0MB

Download
memory/3976-24-0x0000000074420000-0x000000007459B000-memory.dmp

Filesize
1.5MB

Download
memory/3976-23-0x0000000074420000-0x000000007459B000-memory.dmp

Filesize
1.5MB

Download
memory/3976-22-0x0000000074433000-0x0000000074435000-memory.dmp

Filesize
8KB

Download
memory/3976-20-0x0000000074420000-0x000000007459B000-memory.dmp

Filesize
1.5MB

Download
memory/5044-35-0x0000000074420000-0x000000007459B000-memory.dmp

Filesize
1.5MB

Download
memory/5044-33-0x0000000074420000-0x000000007459B000-memory.dmp

Filesize
1.5MB

Download
memory/5044-32-0x0000000074420000-0x000000007459B000-memory.dmp

Filesize
1.5MB

Download
memory/5044-30-0x0000000074420000-0x000000007459B000-memory.dmp

Filesize
1.5MB

Download
memory/5044-28-0x00007FF8EE890000-0x00007FF8EEA85000-memory.dmp

Filesize
2.0MB

Download
memory/5044-29-0x0000000074420000-0x000000007459B000-memory.dmp

Filesize
1.5MB

Download
memory/5044-26-0x0000000074420000-0x000000007459B000-memory.dmp

Filesize
1.5MB

Download

Analysis

Sharing