Analysis
-
max time kernel
147s -
max time network
157s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
-
submitted
15-11-2024 16:57
General
-
Target
bc94d3e144094adfc05a04725116e9b740796a7591c771b62941a06aa6a96129.exe
-
Size
4.0MB
-
MD5
29a2e4569a2eb8cab1be4d226784827e
-
SHA1
f79f2f382f3c1764b55aa160ecf6ed84358fb070
-
SHA256
bc94d3e144094adfc05a04725116e9b740796a7591c771b62941a06aa6a96129
-
SHA512
e205b3813619504eed8b4ae938fad247cb70e9172a15e32f64316bbc2afe225d7a9e7e3e1925bc9c35659b9f5e8b80012fc02bb24afe3d60fb8ef74a40a2e482
-
SSDEEP
49152:PjKdrRvp7grhJqZyc0PGMMlADKD7IRHxw:PjKdrRvJchJq6GPlA2D0RHxw
Malware Config
Signatures
-
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
-
SectopRAT payload 3 IoCs
-
Sectoprat family
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Drops startup file 2 IoCs
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 3 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates processes with tasklist 1 TTPs 2 IoCs
-
Sets desktop wallpaper using registry 2 TTPs 2 IoCs
-
Drops file in Windows directory 5 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 14 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Enumerates system info in registry 2 TTPs 1 IoCs
-
Modifies Internet Explorer settings 1 TTPs 2 IoCs
-
Modifies registry class 5 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 20 IoCs
-
Suspicious use of AdjustPrivilegeToken 17 IoCs
-
Suspicious use of FindShellTrayWindow 29 IoCs
-
Suspicious use of SendNotifyMessage 23 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\bc94d3e144094adfc05a04725116e9b740796a7591c771b62941a06aa6a96129.exe"C:\Users\Admin\AppData\Local\Temp\bc94d3e144094adfc05a04725116e9b740796a7591c771b62941a06aa6a96129.exe"2⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c copy Updated Updated.bat & Updated.bat3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\tasklist.exetasklist4⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\findstr.exefindstr /I "wrsa opssvc"4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\tasklist.exetasklist4⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\findstr.exefindstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd /c md 1824314⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\findstr.exefindstr /V "TranslateTileAuthorsPerhaps" Intervention4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b ..\Crude + ..\Cindy + ..\Dairy + ..\Gel + ..\Midlands + ..\Personally + ..\Pi + ..\Bytes + ..\Consequences + ..\Passion + ..\Pt + ..\Instrument + ..\Including + ..\Variations d4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\182431\Vertical.pifVertical.pif d4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\182431\RegAsm.exeC:\Users\Admin\AppData\Local\Temp\182431\RegAsm.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\explorer.exe/separate6⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\ctfmon.exectfmon.exe7⤵
-
-
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde7⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
-
-
-
-
C:\Windows\SysWOW64\choice.exechoice /d y /t 54⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PulsePlay.url" & echo URL="C:\Users\Admin\AppData\Local\FitTech Pulse Solutions\PulsePlay.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PulsePlay.url" & exit2⤵
- Drops startup file
- System Location Discovery: System Language Discovery
-
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x5881⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
2Credentials In Files
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.0MB
MD5ab6fc0faae4a12761aaae1b3c1d0a758
SHA1965f3e1e308598f496119f9534b8f1084e90d8aa
SHA256b818021c5ceaea01f0be9e7bcfd937cc59ce94aef6624623b654e1afda5c310b
SHA512c8b3b85428ab91527b6e037092b1e054bee16c63175cef41e7c1b529c2e2c8a9f505e64be34be7ccf25cd44c2a18e60f6f15cb6bcda3d5dfafa1b83906b73e55
-
Filesize
90KB
MD5c01b332e3a11467f671235a76812e8d4
SHA1237036c27858bb0db4804461025eb959952dce95
SHA256b0bbe2a19773f84a9e37394c35fde71f9b188493af47c081edf72026b1241b8f
SHA5125c04e4684ddc8be1518cd5289e4c4893960218b2b4ead02bded03ebc9a3eb074ef958d60eea37b6b3b6a7168f9bf4957c958f2d08dd12f70880aeaaf40cc9154
-
Filesize
68KB
MD539ec26daad78eed4fb300767bd798a01
SHA161e608cc48176ad997230cca5f39642cfa07ddf3
SHA256d31cecf0caceae2a48b045923da0b9b7dc2f43f774ccb56ffdd2bc0ba674bc18
SHA512ad5260b2d46604755a9127915fd2b2061c2fab0bbc870f1198bef9ca504a95b35c0165101287f07aa0c19df31e2713dbbb896e1ed95a8b7f5b26076550d2a8bb
-
Filesize
80KB
MD53124ca857fb535aa4a2c11456faf00e1
SHA1df27db61d0a609f40a455cb02dcd5016af7cc1ae
SHA2568805679202eeb14d3e2f98f2797a8dd3cf7392ac7b4ca9c1e015f6368d58b197
SHA5128bca00f712ffd60f4faa188683df7416b9d1acf39430a70a5a52fa8cb036572b4ad3bd47190dd591387f294c3050855c034c45780124dc909164d334a251d6b4
-
Filesize
97KB
MD5e01fb12ea20d30c89075035846a87f57
SHA18f15aaf4db772e268860d7b8f28dff85a52c3d19
SHA256016ce3fec6aa62b0dda8b13a0068dfb5c91e3be2ffef8e5bdc0cea28b3af8017
SHA51275b040c7845636dce7e6e092972be3299fa41fb7923a32750af6dfa4f81b5d20209ec7bfc48e98df0dee3b9c040fc91b1c8bcc97e4a801340bc837f718594a26
-
Filesize
92KB
MD5220078e66fdc102ff02ca2fbf6e117ba
SHA12ce10b969d50f5cf0fdc08b78359b30800b505d0
SHA256001bf3526dbaa7f6bf886a93514691c2e3441854bae023a6a7c1e8cd10631a5c
SHA512c90a2957ac695087f5cf7527f7fa19faeb90b9b561ea0bc2d95bd92df0c1963dea871767258f9a12a959102353dcfc07ae4f12eeb968a3baffd6b76b7dad04b6
-
Filesize
83KB
MD5ffd9c045eaaadcc191bf8b357d9dd248
SHA1adf3868196d03c6ae1865da6dd8fba5311b76ef3
SHA2569a2376bd930dd4b9a2a797709981a5030ca2c95dcec7afc13dedc1da5935fc18
SHA51236f02b7a322d668eba0b43f33c668d1fd8d1ee6818904a04e987305ad49b15aa606d541839af266e0a938ff76f92779d567d4853d28f870890a87b0e24b20c9d
-
Filesize
93KB
MD5dbdbdf30b526da5cb5b5f359aba9849c
SHA16a9d9ca5ebc896b93f4487b7a9cf1f51c48ddd05
SHA2567bc24564859051e7be97420e77489aff8a707bf052da5ead0d42c49686b387b2
SHA512f23125997477c6fb83332966ddab10af790a556f4b173e177c51126fd8dbf81006c591636cc26f9b6d223b12c6ff50ae0962cdd51bcc16ef5eaf4fa23559e51a
-
Filesize
61KB
MD5845830c862ded35d0f140a8a928b5ddf
SHA17fbaddef7a6883a4b754d658acf356c7d0d4d449
SHA256f2cb7652cdef016971b5b984da8247316dd89e93b54c07e3e929a0ae2fbdf646
SHA512e76014ae1a993ebc825cd572c7f4dfdc6465a9461e0e544537345dd19d49f164171cbe4226005a23d5ea59645515840e7a88357dd619c427b81f2bb4012f06d7
-
Filesize
11KB
MD5f8613f1c5e5d2ef9dbc0e08c59f1a370
SHA12d71b8e5b081c3bdc568392fa78d2d17608b27e4
SHA256b01881a93e17dccfd001716af8635c91fc5053d65473ddcec17ffbe7f132ed19
SHA51200511f63ede157792fb6d71a374eca1f4917cf3ab51e55bd4e1dbf18db35072498d6284960815bf9b5b966d3356f1fb5f89f94e8c385e5f7be91e8d06c2ce2fb
-
Filesize
910KB
MD5c8534c420bd071b7e339ebd7ef6c1468
SHA1fba60cea7cdc81c766710fe1a740b9bda532b3ae
SHA2565069bed38d8f4bc96f01c234231aab92c788d7b55b7d5d871ac0f923c1d86b89
SHA5127ae788f93034507aa3edf7ee48932a7adf760e5aaeaff25fa938a5d8198243f8583ae9417bc33011523fdb8c9df6514c644474ffff74dae28735b5e3de2543bb
-
Filesize
60KB
MD5cd94aa394d58da8b9f2186d381587b9e
SHA12ecddf09b6afee79433e6109d12ee4f9c379bd57
SHA25673e0835f689169a8bd5131720fcba30ce90b3e57a68d9fa2820aa3640924821f
SHA512e31f867fbf5275f8859f945a2cd81b65bf97e4a6c020f56d5b1e765a4278440f4bd5d818e25e57d5cc24ae88e2a8de60c49fdec141e230388c345a1467687f3b
-
Filesize
86KB
MD51dade994b130d28535e4f49061d80a49
SHA1a629befdcfc033764bd8211648fa6fb37b23d811
SHA25602de9e5170b559027acd5d17c310406ade0973c9c5a7098fc073cb6f8c14b222
SHA512a431fdda839d8df3f9ef989244fc2e0409c890e1b6a3e7e781e4a3f0897c7262a9b74a73e02922b2dd50120dc9d86fca408ee00a5c64fc1466c379d9a086760c
-
Filesize
60KB
MD5529a3c8027f8361594bd00931358de45
SHA1843e85834d75676a6604f560a733f505ad7cd490
SHA2569743ee659d899ffe9e9c1e7282dfb47b66108083d829241c382b1836091dc7c6
SHA5127926e0b83ca3d9d3a8f8a0def10d338c7b72f95cf08003ad73e1c139b40147953c65c1094bb3fd44d2b23cb98b8edf08e8726d8fca77fab8fd96e75ae85e8f38
-
Filesize
80KB
MD5fb79add8b131958f1d94022a9389e271
SHA1e2a76ab8275ac14a85ae15d671cfb19ba4b6e6a1
SHA256438a0c08c8d7b267e457b8c5ee32c8a65f19c511fc1d1040dfaeb671c598eaca
SHA5124185ba078617f3f184e8b0d83b69cc6f51160d1390295c7059fb88aab15431ef9e15231ab2c346c2b6d02e43c3c84670e636a9e2bd27d64fa125b29204294840
-
Filesize
75KB
MD51e8b12d6df53dc4ba341102fc37429ca
SHA1342e2794f467642aeaa2251c8bb28645ad95e18a
SHA2564a783c99eeb22a80a33fa66f1909242fff5edb631e881fcfaa0a6bb26d3eec92
SHA512d51963f1c0995c10f01fd8a264bf31cfe9c5fd6cc0b42fda7f944aa9d241abcad3250e1ce048fe99dc0fd13ee54277f53eeed1ba9d46b3c8f19b2161539785d7
-
Filesize
24KB
MD57774a5a9ffe2ea20d55be80a82668e90
SHA1c13891b2113de705446c3d487a9217488f06c498
SHA2561c8731eea8d882904fa1c4964b10dd0d2364b42cda737ccb1b01ade9b7a7c43b
SHA512ebdc2ca54906683737c6c4bada71e4a24d0a0b102e85f70ecf6ed865b8ebc4fe71497314b7d8b6c3e166bad12a3bcb194e1ad5583da50b70be1ddd99d53e61d0
-
Filesize
39KB
MD53d86fe9bba66a1b64c284af57604e202
SHA1ab5f0ff3a16badd35b7bfbf3b89b5d00858eeefc
SHA256b338c54c01733fbe39d62bf1e56dbc74197dab4a4bff846fef78d0ccd2b22c21
SHA512c1f5c53ce6949c45497a6b56745ba285a78fba586a1e94fd8af9502deaecfdf36d7886e4fea0c11cd9760503bb51d1f8998491a7743b5f27f4cc3a5f31023bbe
-
Filesize
63KB
MD5b58b926c3574d28d5b7fdd2ca3ec30d5
SHA1d260c4ffd603a9cfc057fcb83d678b1cecdf86f9
SHA2566e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3
SHA512b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab
-
Filesize
921KB
MD578ba0653a340bac5ff152b21a83626cc
SHA1b12da9cb5d024555405040e65ad89d16ae749502
SHA25605d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7
SHA512efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317
-
Filesize
792KB
-
Filesize
792KB
-
Filesize
792KB
-
Filesize
64KB