sectoprat | 44997a5aa2709c2cef26ea501d4f01140d34b59f0fd182282354598eef4b224b

General

Target

44997a5aa2709c2cef26ea501d4f01140d34b59f0fd182282354598eef4b224b.exe
Size

6.5MB
MD5

bfc5ea31b4aeefec1508e8f5b458e574
SHA1

976fe53a467068719f70a856dca3bb7b65a9d6dc
SHA256

44997a5aa2709c2cef26ea501d4f01140d34b59f0fd182282354598eef4b224b
SHA512

146ef0163df8be2c8e5a834c27d731c817e0540a30d4e4746109fd564c33d2d7f00560017f0d5b9ade9eea05611ed440f64022f97e30949e5bb58041452f590e
SSDEEP

98304:vi0rHj8I5IxALsFFyTFaYTXMHyAw8aMAKa392mAYYqUSoYTk0KGjp2kizn:vi0rDyraTFNKyLUAKw2B7qUShTkQjDir

Score

10^/10

sectoprat discovery rat spyware trojan

Malware Config

Signatures

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4708-49-0x0000000000B40000-0x0000000000C06000-memory.dmp	family_sectoprat

Sectoprat family
sectoprat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

44997a5aa2709c2cef26ea501d4f01140d34b59f0fd182282354598eef4b224b.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	44997a5aa2709c2cef26ea501d4f01140d34b59f0fd182282354598eef4b224b.exe

Executes dropped EXE 2 IoCs

Processes:

Mp3tag.exeMp3tag.exe

pid	Process
2640	Mp3tag.exe
2236	Mp3tag.exe

Loads dropped DLL 3 IoCs

Processes:

Mp3tag.exeMp3tag.exe

pid	Process
2640	Mp3tag.exe
2236	Mp3tag.exe
2236	Mp3tag.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious use of SetThreadContext 2 IoCs

Processes:

Mp3tag.execmd.exe

description	pid	Process	procid_target
PID 2236 set thread context of 4936	2236	Mp3tag.exe	84
PID 4936 set thread context of 4708	4936	cmd.exe	95

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.exeMSBuild.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

Mp3tag.exeMp3tag.execmd.exeMSBuild.exe

pid	Process
2640	Mp3tag.exe
2236	Mp3tag.exe
2236	Mp3tag.exe
4936	cmd.exe
4936	cmd.exe
4708	MSBuild.exe
4708	MSBuild.exe
4708	MSBuild.exe

Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

Mp3tag.execmd.exe

pid	Process
2236	Mp3tag.exe
4936	cmd.exe
4936	cmd.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

MSBuild.exe

description	pid	Process
Token: SeDebugPrivilege	4708	MSBuild.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

MSBuild.exe

pid	Process
4708	MSBuild.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

44997a5aa2709c2cef26ea501d4f01140d34b59f0fd182282354598eef4b224b.exeMp3tag.exeMp3tag.execmd.exe

description	pid	Process	procid_target
PID 1224 wrote to memory of 2640	1224	44997a5aa2709c2cef26ea501d4f01140d34b59f0fd182282354598eef4b224b.exe	81
PID 1224 wrote to memory of 2640	1224	44997a5aa2709c2cef26ea501d4f01140d34b59f0fd182282354598eef4b224b.exe	81
PID 2640 wrote to memory of 2236	2640	Mp3tag.exe	83
PID 2640 wrote to memory of 2236	2640	Mp3tag.exe	83
PID 2236 wrote to memory of 4936	2236	Mp3tag.exe	84
PID 2236 wrote to memory of 4936	2236	Mp3tag.exe	84
PID 2236 wrote to memory of 4936	2236	Mp3tag.exe	84
PID 2236 wrote to memory of 4936	2236	Mp3tag.exe	84
PID 4936 wrote to memory of 4708	4936	cmd.exe	95
PID 4936 wrote to memory of 4708	4936	cmd.exe	95
PID 4936 wrote to memory of 4708	4936	cmd.exe	95
PID 4936 wrote to memory of 4708	4936	cmd.exe	95
PID 4936 wrote to memory of 4708	4936	cmd.exe	95

C:\Users\Admin\AppData\Local\Temp\44997a5aa2709c2cef26ea501d4f01140d34b59f0fd182282354598eef4b224b.exe
"C:\Users\Admin\AppData\Local\Temp\44997a5aa2709c2cef26ea501d4f01140d34b59f0fd182282354598eef4b224b.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1224
- C:\Users\Admin\AppData\Local\Temp\Bijouterie\Mp3tag.exe
  "C:\Users\Admin\AppData\Local\Temp\Bijouterie\Mp3tag.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2640
- - C:\Users\Admin\AppData\Roaming\Downloadplugin\Mp3tag.exe
    C:\Users\Admin\AppData\Roaming\Downloadplugin\Mp3tag.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:2236
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\SysWOW64\cmd.exe
      4⤵
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:4936
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:4708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4bd55656

Filesize
1.4MB

MD5
a731a2e0f98d875881553c867f1ff9e8

SHA1
1a7d941ad3c655b3d2b691df58dd722a503d4eba

SHA256
a49eb7b728639fabfba9acb6e79df57c61bb823c7bc5452114840f04fed1ed2a

SHA512
7e3d68d12459ae7b36549252a3ee3731b38c2f9a978452c26b8736ff0a76352602606524931aa2b86d698d9a68a9929805a55987c6176d146468553fda14924b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bijouterie\Mp3tag.exe

Filesize
12.0MB

MD5
a7118dffeac3772076f1a39a364d608d

SHA1
6b984d9446f23579e154ec47437b9cf820fd6b67

SHA256
f1973746ac0a703b23526f68c639436f0b26b0bc71c4f5adf36dc5f6e8a7f4d0

SHA512
f547c13b78acda9ca0523f0f8cd966c906f70a23a266ac86156dc7e17e6349e5f506366787e7a7823e2b07b0d614c9bd08e34ca5cc4f48799b0fe36ac836e890

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bijouterie\fgq

Filesize
1.2MB

MD5
f6461ccd814a2ead19beeba2125b5368

SHA1
449ede26eeb5234f02a9d4b5a19fa7b6ffc4a1df

SHA256
8fb4e6d589830f39db50877b542b11281e56762caaa2742719b2ac042dd6cbd1

SHA512
fa8c7368597d79451fc47447ea1ac9e831b2b7835c6542a161bd74b0084da66fff4ac0555dce0eea64630887a2d953674125b1e2e9295a37b7bac678dc606fcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bijouterie\tak_deco_lib.dll

Filesize
315KB

MD5
ee7f11beaf317ef7185b0cec9a8ccff4

SHA1
274ebb8d1adfa6d49e1d3fc85cf942357c8a7653

SHA256
6c2d0a8831e82fc3889e94ef3e986660e38175ae406fea5a66e3d1f5c014ee97

SHA512
cdeec3fbd4eff63f64aad6559c36654416afae5e7314df1a756580dc52b6024c52f0f3803356b85d2095dfc136de9234271a14ec843af3cf3836b67bb30362b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bijouterie\ymv

Filesize
14KB

MD5
c40639e251f6f49d3f4c140cd1fc3d9c

SHA1
7f531f2ad30f3bf2f637cea7087f3e432cc54adf

SHA256
2481d67eeef5025767464e90969c913f198eaa8171f8ebb8e61cd92ca880293f

SHA512
d327399a1fb31203fd1b8aa991369da907a4538bd77f69b0fc6568221cc3099300437d8e5f3f959c501ffcef2e728971f33e2fcf0d453e96a84458a23abb9480

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5041.tmp

Filesize
20KB

MD5
49693267e0adbcd119f9f5e02adf3a80

SHA1
3ba3d7f89b8ad195ca82c92737e960e1f2b349df

SHA256
d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f

SHA512
b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

Download Submit
memory/2236-33-0x0000000000810000-0x000000000086E000-memory.dmp

Filesize
376KB

Download
memory/2236-36-0x00007FF86D5F0000-0x00007FF86D762000-memory.dmp

Filesize
1.4MB

Download
memory/2236-37-0x00007FF86D5F0000-0x00007FF86D762000-memory.dmp

Filesize
1.4MB

Download
memory/2236-39-0x0000000000810000-0x000000000086E000-memory.dmp

Filesize
376KB

Download
memory/2640-21-0x00007FF86D5F0000-0x00007FF86D762000-memory.dmp

Filesize
1.4MB

Download
memory/2640-29-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4708-49-0x0000000000B40000-0x0000000000C06000-memory.dmp

Filesize
792KB

Download
memory/4708-54-0x0000000005310000-0x0000000005360000-memory.dmp

Filesize
320KB

Download
memory/4708-79-0x0000000005710000-0x000000000574C000-memory.dmp

Filesize
240KB

Download
memory/4708-50-0x00000000051D0000-0x0000000005262000-memory.dmp

Filesize
584KB

Download
memory/4708-51-0x00000000058A0000-0x0000000005E44000-memory.dmp

Filesize
5.6MB

Download
memory/4708-52-0x0000000005540000-0x0000000005702000-memory.dmp

Filesize
1.8MB

Download
memory/4708-53-0x00000000053F0000-0x0000000005466000-memory.dmp

Filesize
472KB

Download
memory/4708-46-0x0000000073610000-0x0000000074864000-memory.dmp

Filesize
18.3MB

Download
memory/4708-55-0x00000000052A0000-0x00000000052AA000-memory.dmp

Filesize
40KB

Download
memory/4708-56-0x0000000006480000-0x00000000069AC000-memory.dmp

Filesize
5.2MB

Download
memory/4708-57-0x0000000005FA0000-0x0000000005FBE000-memory.dmp

Filesize
120KB

Download
memory/4708-58-0x0000000006090000-0x00000000060F6000-memory.dmp

Filesize
408KB

Download
memory/4708-78-0x0000000005490000-0x00000000054A2000-memory.dmp

Filesize
72KB

Download
memory/4708-76-0x0000000007F10000-0x0000000007F1A000-memory.dmp

Filesize
40KB

Download
memory/4936-41-0x00007FF87C370000-0x00007FF87C565000-memory.dmp

Filesize
2.0MB

Download
memory/4936-44-0x0000000075090000-0x000000007520B000-memory.dmp

Filesize
1.5MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads