Analysis

  • max time kernel
    124s
  • max time network
    141s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    14-11-2024 11:26

General

  • Target

    06e81f5bb3b70ddd48d4711afd1f75776bc1e28e787ffd5dab9459083796f437.exe

  • Size

    4.0MB

  • MD5

    67b0d57e74adeef2f15582f95c9d5c43

  • SHA1

    4d359d98992b6ee3b47aa7667fcd74d25ca715bd

  • SHA256

    06e81f5bb3b70ddd48d4711afd1f75776bc1e28e787ffd5dab9459083796f437

  • SHA512

    f2691b4fdbbce2cf34483227362ff93d4b96f170ac17337d54971b0cc340da7beabedeb25bf26aaeeacb92e1066b93ccec65e742481e293928ea20c795be4a5e

  • SSDEEP

    49152:PjKdrRvp7grhJqZyc0PGMMlADKD7IRHxg:PjKdrRvJchJq6GPlA2D0RHxg

Malware Config

Signatures

  • SectopRAT

    SectopRAT is a remote access trojan first seen in November 2019.

  • SectopRAT payload 1 IoCs
  • Sectoprat family
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Enumerates processes with tasklist 1 TTPs 2 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 32 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3404
      • C:\Users\Admin\AppData\Local\Temp\06e81f5bb3b70ddd48d4711afd1f75776bc1e28e787ffd5dab9459083796f437.exe
        "C:\Users\Admin\AppData\Local\Temp\06e81f5bb3b70ddd48d4711afd1f75776bc1e28e787ffd5dab9459083796f437.exe"
        2⤵
        • Checks computer location settings
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1204
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c copy Updated Updated.bat & Updated.bat
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3160
          • C:\Windows\SysWOW64\tasklist.exe
            tasklist
            4⤵
            • Enumerates processes with tasklist
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:4424
          • C:\Windows\SysWOW64\findstr.exe
            findstr /I "wrsa opssvc"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:5096
          • C:\Windows\SysWOW64\tasklist.exe
            tasklist
            4⤵
            • Enumerates processes with tasklist
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:4776
          • C:\Windows\SysWOW64\findstr.exe
            findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:824
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c md 182431
            4⤵
            • System Location Discovery: System Language Discovery
            PID:2976
          • C:\Windows\SysWOW64\findstr.exe
            findstr /V "TranslateTileAuthorsPerhaps" Intervention
            4⤵
            • System Location Discovery: System Language Discovery
            PID:1612
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c copy /b ..\Crude + ..\Cindy + ..\Dairy + ..\Gel + ..\Midlands + ..\Personally + ..\Pi + ..\Bytes + ..\Consequences + ..\Passion + ..\Pt + ..\Instrument + ..\Including + ..\Variations d
            4⤵
            • System Location Discovery: System Language Discovery
            PID:4772
          • C:\Users\Admin\AppData\Local\Temp\182431\Vertical.pif
            Vertical.pif d
            4⤵
            • Suspicious use of NtCreateUserProcessOtherParentProcess
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of WriteProcessMemory
            PID:5080
            • C:\Users\Admin\AppData\Local\Temp\182431\RegAsm.exe
              C:\Users\Admin\AppData\Local\Temp\182431\RegAsm.exe
              5⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              PID:3456
          • C:\Windows\SysWOW64\choice.exe
            choice /d y /t 5
            4⤵
            • System Location Discovery: System Language Discovery
            PID:2180
      • C:\Windows\SysWOW64\cmd.exe
        cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PulsePlay.url" & echo URL="C:\Users\Admin\AppData\Local\FitTech Pulse Solutions\PulsePlay.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PulsePlay.url" & exit
        2⤵
        • Drops startup file
        • System Location Discovery: System Language Discovery
        PID:1224

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\182431\RegAsm.exe

      Filesize

      63KB

      MD5

      0d5df43af2916f47d00c1573797c1a13

      SHA1

      230ab5559e806574d26b4c20847c368ed55483b0

      SHA256

      c066aee7aa3aa83f763ebc5541daa266ed6c648fbffcde0d836a13b221bb2adc

      SHA512

      f96cf9e1890746b12daf839a6d0f16f062b72c1b8a40439f96583f242980f10f867720232a6fa0f7d4d7ac0a7a6143981a5a130d6417ea98b181447134c7cfe2

    • C:\Users\Admin\AppData\Local\Temp\182431\Vertical.pif

      Filesize

      921KB

      MD5

      78ba0653a340bac5ff152b21a83626cc

      SHA1

      b12da9cb5d024555405040e65ad89d16ae749502

      SHA256

      05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7

      SHA512

      efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

    • C:\Users\Admin\AppData\Local\Temp\182431\d

      Filesize

      1.0MB

      MD5

      ab6fc0faae4a12761aaae1b3c1d0a758

      SHA1

      965f3e1e308598f496119f9534b8f1084e90d8aa

      SHA256

      b818021c5ceaea01f0be9e7bcfd937cc59ce94aef6624623b654e1afda5c310b

      SHA512

      c8b3b85428ab91527b6e037092b1e054bee16c63175cef41e7c1b529c2e2c8a9f505e64be34be7ccf25cd44c2a18e60f6f15cb6bcda3d5dfafa1b83906b73e55

    • C:\Users\Admin\AppData\Local\Temp\Bytes

      Filesize

      90KB

      MD5

      c01b332e3a11467f671235a76812e8d4

      SHA1

      237036c27858bb0db4804461025eb959952dce95

      SHA256

      b0bbe2a19773f84a9e37394c35fde71f9b188493af47c081edf72026b1241b8f

      SHA512

      5c04e4684ddc8be1518cd5289e4c4893960218b2b4ead02bded03ebc9a3eb074ef958d60eea37b6b3b6a7168f9bf4957c958f2d08dd12f70880aeaaf40cc9154

    • C:\Users\Admin\AppData\Local\Temp\Cindy

      Filesize

      68KB

      MD5

      39ec26daad78eed4fb300767bd798a01

      SHA1

      61e608cc48176ad997230cca5f39642cfa07ddf3

      SHA256

      d31cecf0caceae2a48b045923da0b9b7dc2f43f774ccb56ffdd2bc0ba674bc18

      SHA512

      ad5260b2d46604755a9127915fd2b2061c2fab0bbc870f1198bef9ca504a95b35c0165101287f07aa0c19df31e2713dbbb896e1ed95a8b7f5b26076550d2a8bb

    • C:\Users\Admin\AppData\Local\Temp\Consequences

      Filesize

      80KB

      MD5

      3124ca857fb535aa4a2c11456faf00e1

      SHA1

      df27db61d0a609f40a455cb02dcd5016af7cc1ae

      SHA256

      8805679202eeb14d3e2f98f2797a8dd3cf7392ac7b4ca9c1e015f6368d58b197

      SHA512

      8bca00f712ffd60f4faa188683df7416b9d1acf39430a70a5a52fa8cb036572b4ad3bd47190dd591387f294c3050855c034c45780124dc909164d334a251d6b4

    • C:\Users\Admin\AppData\Local\Temp\Crude

      Filesize

      97KB

      MD5

      e01fb12ea20d30c89075035846a87f57

      SHA1

      8f15aaf4db772e268860d7b8f28dff85a52c3d19

      SHA256

      016ce3fec6aa62b0dda8b13a0068dfb5c91e3be2ffef8e5bdc0cea28b3af8017

      SHA512

      75b040c7845636dce7e6e092972be3299fa41fb7923a32750af6dfa4f81b5d20209ec7bfc48e98df0dee3b9c040fc91b1c8bcc97e4a801340bc837f718594a26

    • C:\Users\Admin\AppData\Local\Temp\Dairy

      Filesize

      92KB

      MD5

      220078e66fdc102ff02ca2fbf6e117ba

      SHA1

      2ce10b969d50f5cf0fdc08b78359b30800b505d0

      SHA256

      001bf3526dbaa7f6bf886a93514691c2e3441854bae023a6a7c1e8cd10631a5c

      SHA512

      c90a2957ac695087f5cf7527f7fa19faeb90b9b561ea0bc2d95bd92df0c1963dea871767258f9a12a959102353dcfc07ae4f12eeb968a3baffd6b76b7dad04b6

    • C:\Users\Admin\AppData\Local\Temp\Gel

      Filesize

      83KB

      MD5

      ffd9c045eaaadcc191bf8b357d9dd248

      SHA1

      adf3868196d03c6ae1865da6dd8fba5311b76ef3

      SHA256

      9a2376bd930dd4b9a2a797709981a5030ca2c95dcec7afc13dedc1da5935fc18

      SHA512

      36f02b7a322d668eba0b43f33c668d1fd8d1ee6818904a04e987305ad49b15aa606d541839af266e0a938ff76f92779d567d4853d28f870890a87b0e24b20c9d

    • C:\Users\Admin\AppData\Local\Temp\Including

      Filesize

      93KB

      MD5

      dbdbdf30b526da5cb5b5f359aba9849c

      SHA1

      6a9d9ca5ebc896b93f4487b7a9cf1f51c48ddd05

      SHA256

      7bc24564859051e7be97420e77489aff8a707bf052da5ead0d42c49686b387b2

      SHA512

      f23125997477c6fb83332966ddab10af790a556f4b173e177c51126fd8dbf81006c591636cc26f9b6d223b12c6ff50ae0962cdd51bcc16ef5eaf4fa23559e51a

    • C:\Users\Admin\AppData\Local\Temp\Instrument

      Filesize

      61KB

      MD5

      845830c862ded35d0f140a8a928b5ddf

      SHA1

      7fbaddef7a6883a4b754d658acf356c7d0d4d449

      SHA256

      f2cb7652cdef016971b5b984da8247316dd89e93b54c07e3e929a0ae2fbdf646

      SHA512

      e76014ae1a993ebc825cd572c7f4dfdc6465a9461e0e544537345dd19d49f164171cbe4226005a23d5ea59645515840e7a88357dd619c427b81f2bb4012f06d7

    • C:\Users\Admin\AppData\Local\Temp\Intervention

      Filesize

      11KB

      MD5

      f8613f1c5e5d2ef9dbc0e08c59f1a370

      SHA1

      2d71b8e5b081c3bdc568392fa78d2d17608b27e4

      SHA256

      b01881a93e17dccfd001716af8635c91fc5053d65473ddcec17ffbe7f132ed19

      SHA512

      00511f63ede157792fb6d71a374eca1f4917cf3ab51e55bd4e1dbf18db35072498d6284960815bf9b5b966d3356f1fb5f89f94e8c385e5f7be91e8d06c2ce2fb

    • C:\Users\Admin\AppData\Local\Temp\Marina

      Filesize

      910KB

      MD5

      c8534c420bd071b7e339ebd7ef6c1468

      SHA1

      fba60cea7cdc81c766710fe1a740b9bda532b3ae

      SHA256

      5069bed38d8f4bc96f01c234231aab92c788d7b55b7d5d871ac0f923c1d86b89

      SHA512

      7ae788f93034507aa3edf7ee48932a7adf760e5aaeaff25fa938a5d8198243f8583ae9417bc33011523fdb8c9df6514c644474ffff74dae28735b5e3de2543bb

    • C:\Users\Admin\AppData\Local\Temp\Midlands

      Filesize

      60KB

      MD5

      cd94aa394d58da8b9f2186d381587b9e

      SHA1

      2ecddf09b6afee79433e6109d12ee4f9c379bd57

      SHA256

      73e0835f689169a8bd5131720fcba30ce90b3e57a68d9fa2820aa3640924821f

      SHA512

      e31f867fbf5275f8859f945a2cd81b65bf97e4a6c020f56d5b1e765a4278440f4bd5d818e25e57d5cc24ae88e2a8de60c49fdec141e230388c345a1467687f3b

    • C:\Users\Admin\AppData\Local\Temp\Passion

      Filesize

      86KB

      MD5

      1dade994b130d28535e4f49061d80a49

      SHA1

      a629befdcfc033764bd8211648fa6fb37b23d811

      SHA256

      02de9e5170b559027acd5d17c310406ade0973c9c5a7098fc073cb6f8c14b222

      SHA512

      a431fdda839d8df3f9ef989244fc2e0409c890e1b6a3e7e781e4a3f0897c7262a9b74a73e02922b2dd50120dc9d86fca408ee00a5c64fc1466c379d9a086760c

    • C:\Users\Admin\AppData\Local\Temp\Personally

      Filesize

      60KB

      MD5

      529a3c8027f8361594bd00931358de45

      SHA1

      843e85834d75676a6604f560a733f505ad7cd490

      SHA256

      9743ee659d899ffe9e9c1e7282dfb47b66108083d829241c382b1836091dc7c6

      SHA512

      7926e0b83ca3d9d3a8f8a0def10d338c7b72f95cf08003ad73e1c139b40147953c65c1094bb3fd44d2b23cb98b8edf08e8726d8fca77fab8fd96e75ae85e8f38

    • C:\Users\Admin\AppData\Local\Temp\Pi

      Filesize

      80KB

      MD5

      fb79add8b131958f1d94022a9389e271

      SHA1

      e2a76ab8275ac14a85ae15d671cfb19ba4b6e6a1

      SHA256

      438a0c08c8d7b267e457b8c5ee32c8a65f19c511fc1d1040dfaeb671c598eaca

      SHA512

      4185ba078617f3f184e8b0d83b69cc6f51160d1390295c7059fb88aab15431ef9e15231ab2c346c2b6d02e43c3c84670e636a9e2bd27d64fa125b29204294840

    • C:\Users\Admin\AppData\Local\Temp\Pt

      Filesize

      75KB

      MD5

      1e8b12d6df53dc4ba341102fc37429ca

      SHA1

      342e2794f467642aeaa2251c8bb28645ad95e18a

      SHA256

      4a783c99eeb22a80a33fa66f1909242fff5edb631e881fcfaa0a6bb26d3eec92

      SHA512

      d51963f1c0995c10f01fd8a264bf31cfe9c5fd6cc0b42fda7f944aa9d241abcad3250e1ce048fe99dc0fd13ee54277f53eeed1ba9d46b3c8f19b2161539785d7

    • C:\Users\Admin\AppData\Local\Temp\Updated

      Filesize

      24KB

      MD5

      7774a5a9ffe2ea20d55be80a82668e90

      SHA1

      c13891b2113de705446c3d487a9217488f06c498

      SHA256

      1c8731eea8d882904fa1c4964b10dd0d2364b42cda737ccb1b01ade9b7a7c43b

      SHA512

      ebdc2ca54906683737c6c4bada71e4a24d0a0b102e85f70ecf6ed865b8ebc4fe71497314b7d8b6c3e166bad12a3bcb194e1ad5583da50b70be1ddd99d53e61d0

    • C:\Users\Admin\AppData\Local\Temp\Variations

      Filesize

      39KB

      MD5

      3d86fe9bba66a1b64c284af57604e202

      SHA1

      ab5f0ff3a16badd35b7bfbf3b89b5d00858eeefc

      SHA256

      b338c54c01733fbe39d62bf1e56dbc74197dab4a4bff846fef78d0ccd2b22c21

      SHA512

      c1f5c53ce6949c45497a6b56745ba285a78fba586a1e94fd8af9502deaecfdf36d7886e4fea0c11cd9760503bb51d1f8998491a7743b5f27f4cc3a5f31023bbe

    • memory/3456-589-0x0000000000700000-0x00000000007C6000-memory.dmp

      Filesize

      792KB

    • memory/3456-592-0x0000000004C50000-0x0000000004CE2000-memory.dmp

      Filesize

      584KB

    • memory/3456-593-0x00000000052B0000-0x0000000005854000-memory.dmp

      Filesize

      5.6MB

    • memory/3456-594-0x0000000004ED0000-0x0000000005092000-memory.dmp

      Filesize

      1.8MB

    • memory/3456-595-0x0000000004D80000-0x0000000004DF6000-memory.dmp

      Filesize

      472KB

    • memory/3456-596-0x0000000004E50000-0x0000000004EA0000-memory.dmp

      Filesize

      320KB