Overview

overview

10

Static

static

1

556608.zip

windows7-x64

10

556608.zip

windows10-2004-x64

10

Analysis

  • max time kernel
    249s
  • max time network
    251s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-12-2024 14:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    556608.zip

  • Size

    1.5MB

  • MD5

    41eba955dd47961daa9ccd1ad26cf47c

  • SHA1

    1f282ec7791cb076387b4402ea231fc36dc79fc4

  • SHA256

    57f8db0ed487432436fb954a5bd13004751fe23eaa55c4148f22567a4b7dc43a

  • SHA512

    b351bd097c59878310896af18bc37ba3b74b8d4809dc786a086c3cf6c601d912e778b418e4da1d8fa015ee6a0aa4efcb97d8bf4d3d1d88208844327a861a3a5e

  • SSDEEP

    24576:9YlLzil+C4I5AC0OerLmmWTq79ODsJl1UwGQQ/TrGiDQm7rJinKAfLgp7gR:9Yo+w2xNzF8DclNGnyvCwKAfMtM

Score
10/10
sectopratdefense_evasiondiscoveryratspywarestealertrojan

Malware Config

Signatures

  • SectopRAT

    SectopRAT is a remote access trojan first seen in November 2019.

    trojanratsectoprat
  • SectopRAT payload 1 IoCs
  • Sectoprat family
    sectoprat
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • System Binary Proxy Execution: Regsvcs/Regasm 1 TTPs 2 IoCs

    Abuse Regasm to proxy execution of malicious code.

    defense_evasion
  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 54 IoCs
  • Suspicious behavior: EnumeratesProcesses 40 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3476
      • C:\Program Files\7-Zip\7zFM.exe
        "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\556608.zip"
        2⤵
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        PID:1064
      • C:\Users\Admin\AppData\Local\Temp\Agreements.com
        "C:\Users\Admin\AppData\Local\Temp\Agreements.com"
        2⤵
        • Suspicious use of NtCreateUserProcessOtherParentProcess
        • System Binary Proxy Execution: Regsvcs/Regasm
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2408
        • C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
          C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
          3⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:3932
      • C:\Windows\SysWOW64\cmd.exe
        cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CogniFlow.url" & echo URL="C:\Users\Admin\AppData\Local\NeuralTech Dynamics\CogniFlow.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CogniFlow.url" & exit
        2⤵
        • Drops startup file
        • System Location Discovery: System Language Discovery
        PID:4192
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:4768

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\0.au3
        Filesize

        1.0MB

        MD5

        00bf62da631b2a91afa1d4149f9e98fa

        SHA1

        c3857cfe2370c2bff28c5ecf61eb25e36cb73929

        SHA256

        d2ac35070b06503465cfb3acaab376176db3e6116efa065f3305c504c130be85

        SHA512

        b4bc553970b608915e442db4e36fae87b12a2169c25ceff8d9d8a572ad6a17cd6742466f6d64d59057f44ad55948b536f59d668d979c533e60c9e3412fef489b

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\Agreements.com
        Filesize

        872KB

        MD5

        6ee7ddebff0a2b78c7ac30f6e00d1d11

        SHA1

        f2f57024c7cc3f9ff5f999ee20c4f5c38bfc20a2

        SHA256

        865347471135bb5459ad0e647e75a14ad91424b6f13a5c05d9ecd9183a8a1cf4

        SHA512

        57d56de2bb882f491e633972003d7c6562ef2758c3731b913ff4d15379ada575062f4de2a48ca6d6d9241852a5b8a007f52792753fd8d8fee85b9a218714efd0

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
        Filesize

        63KB

        MD5

        0d5df43af2916f47d00c1573797c1a13

        SHA1

        230ab5559e806574d26b4c20847c368ed55483b0

        SHA256

        c066aee7aa3aa83f763ebc5541daa266ed6c648fbffcde0d836a13b221bb2adc

        SHA512

        f96cf9e1890746b12daf839a6d0f16f062b72c1b8a40439f96583f242980f10f867720232a6fa0f7d4d7ac0a7a6143981a5a130d6417ea98b181447134c7cfe2

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\tmpBDD0.tmp
        Filesize

        20KB

        MD5

        49693267e0adbcd119f9f5e02adf3a80

        SHA1

        3ba3d7f89b8ad195ca82c92737e960e1f2b349df

        SHA256

        d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f

        SHA512

        b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

        Download Submit

      • memory/3932-19-0x0000000004F80000-0x0000000005142000-memory.dmp

        Filesize

        1.8MB

        Download

      • memory/3932-18-0x0000000005360000-0x0000000005904000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/3932-17-0x0000000004D10000-0x0000000004DA2000-memory.dmp

        Filesize

        584KB

        Download

      • memory/3932-20-0x0000000004E30000-0x0000000004EA6000-memory.dmp

        Filesize

        472KB

        Download

      • memory/3932-21-0x0000000004EB0000-0x0000000004F00000-memory.dmp

        Filesize

        320KB

        Download

      • memory/3932-22-0x0000000004CA0000-0x0000000004CAA000-memory.dmp

        Filesize

        40KB

        Download

      • memory/3932-23-0x0000000005F40000-0x000000000646C000-memory.dmp

        Filesize

        5.2MB

        Download

      • memory/3932-24-0x0000000005A40000-0x0000000005A5E000-memory.dmp

        Filesize

        120KB

        Download

      • memory/3932-25-0x0000000005B30000-0x0000000005B96000-memory.dmp

        Filesize

        408KB

        Download

      • memory/3932-14-0x0000000000600000-0x00000000006C6000-memory.dmp

        Filesize

        792KB

        Download

      • memory/3932-43-0x0000000007270000-0x000000000727A000-memory.dmp

        Filesize

        40KB

        Download