Overview

overview

10

Static

static

1

SFHgtxFGtB.ps1

windows7-x64

3

SFHgtxFGtB.ps1

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17-12-2024 07:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SFHgtxFGtB.ps1

  • Size

    35KB

  • MD5

    6a34a3dbed524eed6d73c72188418d80

  • SHA1

    6a6ee1aa6ad9d9fbd7b7112df3a5c92b83c18667

  • SHA256

    45ab4ca2483759d89bc446e6797e86489eb08cfeb3f740440a83ff6d83eb5503

  • SHA512

    6fd7dc31836db3062aea0ab2bf0c7b0c45ee188fa9f2a872de968db2635aefc404d057444ec15ffea66585f6aa8e18acf2088e9523ac9138680ef6061465db30

  • SSDEEP

    96:YdgXCdz1ArDw1DQXZB08+uFk0WK49Ms00IYY+blwIAAwIYmEYsR0KkMEIIAAYwwP:EZu

Score
10/10
sectopratdiscoveryexecutionpersistenceratspywaretrojan

Malware Config

Signatures

  • SectopRAT

    SectopRAT is a remote access trojan first seen in November 2019.

    trojanratsectoprat
  • SectopRAT payload 1 IoCs
  • Sectoprat family
    sectoprat
  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\SFHgtxFGtB.ps1
    1⤵
    • Blocklisted process makes network request
    • Command and Scripting Interpreter: PowerShell
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1900
    • C:\Users\Admin\AppData\Local\Temp\62650356\updater.exe
      "C:\Users\Admin\AppData\Local\Temp\62650356\updater.exe" C:\Users\Admin\AppData\Local\Temp\62650356\XCBjmNiG.dll
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Checks processor information in registry
      • Suspicious use of WriteProcessMemory
      PID:1992
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        3⤵
          PID:4272
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
          C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:4832

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\62650356\XCBjmNiG.dll
      Filesize

      1.9MB

      MD5

      bcc04f3c8f29b9533c8aff0681d4eb4f

      SHA1

      2edb98e832959106bc3e6110dfb0a20a549bdcb1

      SHA256

      d0e19b9fed36046a80ca84c68624eeed3fac491962fc121d1d7b6433006990dc

      SHA512

      dcd54ae36962e5072be4b31e20bc7d42a4ff9d90e95930f09a0cbdb6e0f7495a38409defcacf072c8c452188dbbf4863f5f8e21a24f50d36ffdae61959176cf1

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\62650356\updater.exe
      Filesize

      872KB

      MD5

      c56b5f0201a3b3de53e561fe76912bfd

      SHA1

      2a4062e10a5de813f5688221dbeb3f3ff33eb417

      SHA256

      237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

      SHA512

      195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4l0ndww4.ehb.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tmpF9D4.tmp
      Filesize

      20KB

      MD5

      49693267e0adbcd119f9f5e02adf3a80

      SHA1

      3ba3d7f89b8ad195ca82c92737e960e1f2b349df

      SHA256

      d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f

      SHA512

      b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

      Download Submit

    • memory/1900-11-0x00007FFD31400000-0x00007FFD31EC1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/1900-13-0x00007FFD31400000-0x00007FFD31EC1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/1900-15-0x00007FFD31403000-0x00007FFD31405000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1900-16-0x00007FFD31400000-0x00007FFD31EC1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/1900-17-0x00007FFD31400000-0x00007FFD31EC1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/1900-12-0x00007FFD31400000-0x00007FFD31EC1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/1900-0-0x00007FFD31403000-0x00007FFD31405000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1900-22-0x00007FFD31400000-0x00007FFD31EC1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/1900-1-0x000001854A830000-0x000001854A852000-memory.dmp

      Filesize

      136KB

      Download

    • memory/1992-24-0x0000000001640000-0x0000000001A40000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/4832-31-0x0000000005070000-0x0000000005102000-memory.dmp

      Filesize

      584KB

      Download

    • memory/4832-38-0x00000000062B0000-0x00000000067DC000-memory.dmp

      Filesize

      5.2MB

      Download

    • memory/4832-29-0x00000000747BE000-0x00000000747BF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4832-32-0x00000000056D0000-0x0000000005C74000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/4832-33-0x00000000054A0000-0x0000000005662000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/4832-34-0x00000000051A0000-0x0000000005216000-memory.dmp

      Filesize

      472KB

      Download

    • memory/4832-35-0x0000000005230000-0x0000000005280000-memory.dmp

      Filesize

      320KB

      Download

    • memory/4832-37-0x00000000747B0000-0x0000000074F60000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4832-36-0x0000000005150000-0x000000000515A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/4832-30-0x0000000000400000-0x00000000004C6000-memory.dmp

      Filesize

      792KB

      Download

    • memory/4832-39-0x0000000005E40000-0x0000000005E5E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/4832-40-0x0000000005F30000-0x0000000005F96000-memory.dmp

      Filesize

      408KB

      Download

    • memory/4832-28-0x0000000000400000-0x00000000004C6000-memory.dmp

      Filesize

      792KB

      Download

    • memory/4832-58-0x0000000007C00000-0x0000000007C0A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/4832-60-0x00000000747BE000-0x00000000747BF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4832-61-0x00000000747B0000-0x0000000074F60000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4832-62-0x00000000052F0000-0x0000000005302000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4832-63-0x0000000005350000-0x000000000538C000-memory.dmp

      Filesize

      240KB

      Download