Overview

overview

10

Static

static

3

babc536d20...9N.exe

windows7-x64

10

babc536d20...9N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    96s
  • max time network
    97s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-01-2025 19:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    babc536d2015b19e0944f5c61778c0e6c7c8643720123914dd4cc97ae2e6e7d9N.exe

  • Size

    3.4MB

  • MD5

    e81e5f0016aae2d4f9b2ed1126a24030

  • SHA1

    369b87b75020cd152b97427c85e8c8a89fe0c1e9

  • SHA256

    babc536d2015b19e0944f5c61778c0e6c7c8643720123914dd4cc97ae2e6e7d9

  • SHA512

    88c0d4c677e5e3b94b159933e7e60aa87c064ba6df98450265a4b092c07ef75f15297fc7582a1b50ff9bfa9c3a57752ebf19aac41268d60b7efdfcb73f6d2e65

  • SSDEEP

    98304:SwRElZ33Li0XUU3FMi9+Q4m1PQKqdiCanFQyRnNlz:ufnGcUU0xm1PsMjXrz

Score
10/10
sectopratdiscoverypersistencerattrojan

Malware Config

Signatures

  • SectopRAT

    SectopRAT is a remote access trojan first seen in November 2019.

    trojanratsectoprat
  • SectopRAT payload 1 IoCs
  • Sectoprat family
    sectoprat
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Enumerates processes with tasklist 1 TTPs 6 IoCs
    discovery
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 62 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\babc536d2015b19e0944f5c61778c0e6c7c8643720123914dd4cc97ae2e6e7d9N.exe
    "C:\Users\Admin\AppData\Local\Temp\babc536d2015b19e0944f5c61778c0e6c7c8643720123914dd4cc97ae2e6e7d9N.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4880
    • C:\Users\Admin\AppData\Local\Temp\is-26MPI.tmp\babc536d2015b19e0944f5c61778c0e6c7c8643720123914dd4cc97ae2e6e7d9N.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-26MPI.tmp\babc536d2015b19e0944f5c61778c0e6c7c8643720123914dd4cc97ae2e6e7d9N.tmp" /SL5="$90116,1931507,845824,C:\Users\Admin\AppData\Local\Temp\babc536d2015b19e0944f5c61778c0e6c7c8643720123914dd4cc97ae2e6e7d9N.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4404
      • C:\Users\Admin\AppData\Local\Temp\babc536d2015b19e0944f5c61778c0e6c7c8643720123914dd4cc97ae2e6e7d9N.exe
        "C:\Users\Admin\AppData\Local\Temp\babc536d2015b19e0944f5c61778c0e6c7c8643720123914dd4cc97ae2e6e7d9N.exe" /VERYSILENT
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4712
        • C:\Users\Admin\AppData\Local\Temp\is-OGD2R.tmp\babc536d2015b19e0944f5c61778c0e6c7c8643720123914dd4cc97ae2e6e7d9N.tmp
          "C:\Users\Admin\AppData\Local\Temp\is-OGD2R.tmp\babc536d2015b19e0944f5c61778c0e6c7c8643720123914dd4cc97ae2e6e7d9N.tmp" /SL5="$C005E,1931507,845824,C:\Users\Admin\AppData\Local\Temp\babc536d2015b19e0944f5c61778c0e6c7c8643720123914dd4cc97ae2e6e7d9N.exe" /VERYSILENT
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:4304
          • C:\Windows\system32\cmd.exe
            "cmd.exe" /C tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH | find /I "wrsa.exe"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2372
            • C:\Windows\system32\tasklist.exe
              tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH
              6⤵
              • Enumerates processes with tasklist
              • Suspicious use of AdjustPrivilegeToken
              PID:1988
            • C:\Windows\system32\find.exe
              find /I "wrsa.exe"
              6⤵
                PID:3420
            • C:\Windows\system32\cmd.exe
              "cmd.exe" /C tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH | find /I "opssvc.exe"
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:4656
              • C:\Windows\system32\tasklist.exe
                tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH
                6⤵
                • Enumerates processes with tasklist
                • Suspicious use of AdjustPrivilegeToken
                PID:2300
              • C:\Windows\system32\find.exe
                find /I "opssvc.exe"
                6⤵
                  PID:4136
              • C:\Windows\system32\cmd.exe
                "cmd.exe" /C tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH | find /I "avastui.exe"
                5⤵
                • Suspicious use of WriteProcessMemory
                PID:4196
                • C:\Windows\system32\tasklist.exe
                  tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH
                  6⤵
                  • Enumerates processes with tasklist
                  • Suspicious use of AdjustPrivilegeToken
                  PID:4392
                • C:\Windows\system32\find.exe
                  find /I "avastui.exe"
                  6⤵
                    PID:4124
                • C:\Windows\system32\cmd.exe
                  "cmd.exe" /C tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH | find /I "avgui.exe"
                  5⤵
                  • Suspicious use of WriteProcessMemory
                  PID:4752
                  • C:\Windows\system32\tasklist.exe
                    tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH
                    6⤵
                    • Enumerates processes with tasklist
                    • Suspicious use of AdjustPrivilegeToken
                    PID:3408
                  • C:\Windows\system32\find.exe
                    find /I "avgui.exe"
                    6⤵
                      PID:2320
                  • C:\Windows\system32\cmd.exe
                    "cmd.exe" /C tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH | find /I "nswscsvc.exe"
                    5⤵
                    • Suspicious use of WriteProcessMemory
                    PID:1244
                    • C:\Windows\system32\tasklist.exe
                      tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH
                      6⤵
                      • Enumerates processes with tasklist
                      • Suspicious use of AdjustPrivilegeToken
                      PID:3572
                    • C:\Windows\system32\find.exe
                      find /I "nswscsvc.exe"
                      6⤵
                        PID:2632
                    • C:\Windows\system32\cmd.exe
                      "cmd.exe" /C tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH | find /I "sophoshealth.exe"
                      5⤵
                      • Suspicious use of WriteProcessMemory
                      PID:2408
                      • C:\Windows\system32\tasklist.exe
                        tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH
                        6⤵
                        • Enumerates processes with tasklist
                        • Suspicious use of AdjustPrivilegeToken
                        PID:3596
                      • C:\Windows\system32\find.exe
                        find /I "sophoshealth.exe"
                        6⤵
                          PID:1876
                      • C:\Users\Admin\AppData\Roaming\Partition\electronics.exe
                        "C:\Users\Admin\AppData\Roaming\Partition\\electronics.exe" "C:\Users\Admin\AppData\Roaming\Partition\\expulsionist.eml"
                        5⤵
                        • Checks computer location settings
                        • Executes dropped EXE
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of WriteProcessMemory
                        PID:3980
                        • C:\Windows\SysWOW64\cmd.exe
                          "C:\Windows\System32\cmd.exe" /c ping -n 5 127.0.0.1 >nul && electronics.exe C:\ProgramData\\xJCkHk.a3x && del C:\ProgramData\\xJCkHk.a3x
                          6⤵
                          • System Location Discovery: System Language Discovery
                          • System Network Configuration Discovery: Internet Connection Discovery
                          • Suspicious use of WriteProcessMemory
                          PID:4864
                          • C:\Windows\SysWOW64\PING.EXE
                            ping -n 5 127.0.0.1
                            7⤵
                            • System Location Discovery: System Language Discovery
                            • System Network Configuration Discovery: Internet Connection Discovery
                            • Runs ping.exe
                            PID:4484
                          • C:\Users\Admin\AppData\Roaming\Partition\electronics.exe
                            electronics.exe C:\ProgramData\\xJCkHk.a3x
                            7⤵
                            • Executes dropped EXE
                            • Adds Run key to start application
                            • Suspicious use of SetThreadContext
                            • System Location Discovery: System Language Discovery
                            • Checks processor information in registry
                            • Suspicious use of WriteProcessMemory
                            PID:4776
                            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                              C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                              8⤵
                              • System Location Discovery: System Language Discovery
                              • Suspicious use of AdjustPrivilegeToken
                              PID:2472

              Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\is-26MPI.tmp\babc536d2015b19e0944f5c61778c0e6c7c8643720123914dd4cc97ae2e6e7d9N.tmp
                Filesize

                3.2MB

                MD5

                60aeeeda4d416077aaa5c9b21e336c5a

                SHA1

                2d5e9ecec78620e6664d4828b7ee3576a660a306

                SHA256

                c4df89c1ee343740c7a54a9afbb28c47f3cef86ad53c505553c680bc8c58b569

                SHA512

                46c8d197635cbbdd7089a27579b6dadda1c2598aa70aad9966cfa92a57d07dc2ce91dd585270ac6d2dfac9417e2d98f486ca409cec226731784e17a4115e3c59

                Download Submit

              • C:\Users\Admin\AppData\Roaming\Partition\electronics.exe
                Filesize

                921KB

                MD5

                3f58a517f1f4796225137e7659ad2adb

                SHA1

                e264ba0e9987b0ad0812e5dd4dd3075531cfe269

                SHA256

                1da298cab4d537b0b7b5dabf09bff6a212b9e45731e0cc772f99026005fb9e48

                SHA512

                acf740aafce390d06c6a76c84e7ae7c0f721731973aadbe3e57f2eb63241a01303cc6bf11a3f9a88f8be0237998b5772bdaf569137d63ba3d0f877e7d27fc634

                Download Submit

              • C:\Users\Admin\AppData\Roaming\Partition\expulsionist.eml
                Filesize

                48KB

                MD5

                105b3c4033a1a5b36b0d897d64d2dbc5

                SHA1

                02df0cba5c7e52e160747023b523ba511a13eca4

                SHA256

                6871177291918fadb13bb2092c134ec849ca0fbb79289959ddfcc0857872936d

                SHA512

                f0f915618efb70effcbe20897a67001766a74ceacee8b53234d98051c16b7b54a72e78ed1c06b4924725049301f1189f9923b919769dfa7ce48295580751748f

                Download Submit

              • C:\Users\Admin\AppData\Roaming\Partition\expulsionist.rtf
                Filesize

                940KB

                MD5

                0577137e38bb6ac64d302158d97e3309

                SHA1

                cd1d921efc0d6749f1c613e6b3f58b5c1cb6d229

                SHA256

                70bb7249d401b402c5e2a095ffc8832b36a3318f66218189ae49d072daee7208

                SHA512

                7eda8e96d0c10eb0c21a29522d2a9d2012fc78788d5a209e9fb9ce10dc9125da6e9678e12675310c33a5dedb7973e5f04fb2e38634f51e57d72ea59fc0a8197b

                Download Submit

              • memory/2472-61-0x0000000005990000-0x0000000005A06000-memory.dmp

                Filesize

                472KB

                Download

              • memory/2472-60-0x0000000005AE0000-0x0000000005CA2000-memory.dmp

                Filesize

                1.8MB

                Download

              • memory/2472-59-0x0000000005E50000-0x00000000063F4000-memory.dmp

                Filesize

                5.6MB

                Download

              • memory/2472-57-0x0000000000400000-0x00000000004C6000-memory.dmp

                Filesize

                792KB

                Download

              • memory/2472-62-0x0000000005920000-0x0000000005970000-memory.dmp

                Filesize

                320KB

                Download

              • memory/2472-58-0x00000000057D0000-0x0000000005862000-memory.dmp

                Filesize

                584KB

                Download

              • memory/2472-56-0x0000000000400000-0x00000000004C6000-memory.dmp

                Filesize

                792KB

                Download

              • memory/4304-17-0x0000000000A80000-0x0000000000A81000-memory.dmp

                Filesize

                4KB

                Download

              • memory/4304-35-0x0000000000A80000-0x0000000000A81000-memory.dmp

                Filesize

                4KB

                Download

              • memory/4304-34-0x00000000001E0000-0x0000000000523000-memory.dmp

                Filesize

                3.3MB

                Download

              • memory/4304-44-0x00000000001E0000-0x0000000000523000-memory.dmp

                Filesize

                3.3MB

                Download

              • memory/4404-11-0x00000000001C0000-0x0000000000503000-memory.dmp

                Filesize

                3.3MB

                Download

              • memory/4404-6-0x0000000002D30000-0x0000000002D31000-memory.dmp

                Filesize

                4KB

                Download

              • memory/4712-33-0x0000000000940000-0x0000000000A1C000-memory.dmp

                Filesize

                880KB

                Download

              • memory/4712-47-0x0000000000940000-0x0000000000A1C000-memory.dmp

                Filesize

                880KB

                Download

              • memory/4712-9-0x0000000000940000-0x0000000000A1C000-memory.dmp

                Filesize

                880KB

                Download

              • memory/4880-0-0x0000000000940000-0x0000000000A1C000-memory.dmp

                Filesize

                880KB

                Download

              • memory/4880-13-0x0000000000940000-0x0000000000A1C000-memory.dmp

                Filesize

                880KB

                Download

              • memory/4880-2-0x0000000000941000-0x00000000009E9000-memory.dmp

                Filesize

                672KB

                Download