Analysis
-
max time kernel
145s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
30-11-2024 01:59
General
-
Target
d864a359e3a19182e72109fe75408d21b10215938e8be4098c4dbbc8ce0b7c7c.exe
-
Size
83.6MB
-
MD5
a91b4875630c4f702ab63f94ed633da4
-
SHA1
d485e90a501aa11f89f684063e5fbe235937f0bf
-
SHA256
d864a359e3a19182e72109fe75408d21b10215938e8be4098c4dbbc8ce0b7c7c
-
SHA512
43e4a19efcb814ae3b418177679fb52d257fd9046b6ac4baaea2fdfecb8627bc80ecdfc8288139d669e639c748f63c043d5b6997147b580d64bab3518524b460
-
SSDEEP
1572864:ZyM8TruaFhFBQ4aidylq1RFVKl8J/1BbAYqnmy2QPz2Pt0BQGRClJygc:ZyMAeiTFny2ezE0QGiJygc
Malware Config
Signatures
-
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
-
SectopRAT payload 1 IoCs
-
Sectoprat family
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 2 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Using powershell.exe command.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 7 IoCs
-
Suspicious behavior: MapViewOfSection 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 17 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\d864a359e3a19182e72109fe75408d21b10215938e8be4098c4dbbc8ce0b7c7c.exe"C:\Users\Admin\AppData\Local\Temp\d864a359e3a19182e72109fe75408d21b10215938e8be4098c4dbbc8ce0b7c7c.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-MI76K.tmp\d864a359e3a19182e72109fe75408d21b10215938e8be4098c4dbbc8ce0b7c7c.tmp"C:\Users\Admin\AppData\Local\Temp\is-MI76K.tmp\d864a359e3a19182e72109fe75408d21b10215938e8be4098c4dbbc8ce0b7c7c.tmp" /SL5="$600F6,81954756,1209856,C:\Users\Admin\AppData\Local\Temp\d864a359e3a19182e72109fe75408d21b10215938e8be4098c4dbbc8ce0b7c7c.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\is-IIVIK.tmp\ExtractedContent.ps1"3⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\SystemUtil\dobi.exe"C:\Users\Admin\AppData\Roaming\SystemUtil\dobi.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\more.comC:\Windows\SysWOW64\more.com5⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe6⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
1.6MB
MD59e31991a93a6c781884e89a8572f5ea0
SHA14b83364234b879525ce91bbaa5226e91749491ed
SHA256ecb718af37ec5b9c8b6a1f5aa535df409cad971852b01da72dfa3950dd51693a
SHA5121d8da914fe1f7a164696b52b4d1fab12bb4defe0e09c94f862edad3e2bd7727a5004df362280ca47b7cc8a1ca6c8d3ec39a6b4d90e77779ce609c35e004e436f
-
Filesize
1.4MB
MD506236950a6093d27ddc30b9031ac66da
SHA1fb23087765d801655f10b8db60a5efbc12a397a7
SHA25688055954c5a5e90e382dd83d6a43e982e8a7eb1ecaab4a07bc2bfd295641d013
SHA512dbde10b852037dff8b267daf50e77f2f37b5686c14ccdba1fdf107375c63d2c963f0e9823a89b60afedc9b69ed32bc07ad3f0bfbc46fe975e5a2f51967061be6
-
Filesize
5.5MB
MD5f7e2624867775590018ce9586ac1d4a8
SHA16e2e80d1bde207734647b48d71dc483ff56a29a1
SHA2560547b50b9070c88c19d054d1d2f084f72fe3717be07265af0ea4ce87ffd8ebc5
SHA512fa8312dbac3b24f3d8d09576084f04e7289f2878bd5b4157328fc51259ca918a8874fa1e60b0f095634abe2f86a64941c74f702ffb52ed80c0310d8622297c2e
-
Filesize
3.5MB
MD56ab2af20157d2f440e8b22982f6247c5
SHA153c0da8de2ee2c50b79913a876edcd7078897566
SHA256c95f668ab97a0c6650381e0fc1a93aa043e3f899eef09dd7a3b0837a4298838e
SHA5125ed8b96a65c44f7cab604440f21b5e2f331c38d2e7ca3ebb26a9c1750ae5e5690225ec0f6530e6c65589dc639fcbcbf9afa80e85881b6f731118d0089559cb6d
-
Filesize
20KB
MD549693267e0adbcd119f9f5e02adf3a80
SHA13ba3d7f89b8ad195ca82c92737e960e1f2b349df
SHA256d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f
SHA512b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2
-
Filesize
9.6MB
MD5a439025e40533f6e78c74fe8e9ce9875
SHA16ae40c35d089fd05b521affda29c205effdf9928
SHA256a15ddd90e6ad35fc8896d7d613d0d178bdc29a9353128e6b5b4e177abcb8195f
SHA512a2e22c32a1b6c50cfef234a7fe9581df516d3b7129645d64ffb16652a4dc757294aa5ccdae2a3c1a530c71251abeeb73356ca4f6b33b73fdd7cac2161a16d84b
-
Filesize
2.0MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
7.2MB
-
Filesize
9.8MB
-
Filesize
7.2MB
-
Filesize
3.6MB
-
Filesize
3.6MB
-
Filesize
3.6MB
-
Filesize
3.6MB
-
Filesize
3.6MB
-
Filesize
3.6MB
-
Filesize
672KB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
408KB
-
Filesize
600KB
-
Filesize
200KB
-
Filesize
304KB
-
Filesize
3.3MB
-
Filesize
7.7MB
-
Filesize
652KB
-
Filesize
120KB
-
Filesize
5.6MB
-
Filesize
7.7MB
-
Filesize
6.5MB
-
Filesize
40KB
-
Filesize
68KB
-
Filesize
7.7MB
-
Filesize
72KB
-
Filesize
40KB
-
Filesize
136KB
-
Filesize
104KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
304KB
-
Filesize
120KB
-
Filesize
3.3MB
-
Filesize
408KB
-
Filesize
136KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
6.2MB
-
Filesize
4KB
-
Filesize
216KB
-
Filesize
792KB
-
Filesize
584KB
-
Filesize
1.8MB
-
Filesize
472KB
-
Filesize
320KB
-
Filesize
5.2MB
-
Filesize
120KB
-
Filesize
80KB
-
Filesize
40KB