sectoprat | 2bd0a19e0727d2c719d2720e14922a93e73a0b9a1cc0ca294af4a4a49c2555d6

Analysis

max time kernel
134s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19-01-2025 13:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AE6FC990A0AC98C194956956411C571D.exe
Size

4.1MB
MD5

ae6fc990a0ac98c194956956411c571d
SHA1

bbf60876c477672a96ecd3b1a9e7f6887fd24ce5
SHA256

2bd0a19e0727d2c719d2720e14922a93e73a0b9a1cc0ca294af4a4a49c2555d6
SHA512

a977809154a3c3480b58ab71e5520f53de4d84730eca6de405e8d50003142c70435f1fc2ac010095245b0bd5de1273a61eb70bd1edb7b361c2959f5a7360de89
SSDEEP

98304:cKaAh0104NS7FGwCh1CTLBMtMeUjafSUYGzHa5VRX:vlaf4XCbCTLBgMeUTYmRX

Score

10^/10

sectoprat discovery rat trojan

Malware Config

Signatures

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 1 IoCs

resource	yara_rule
behavioral2/memory/3928-92-0x0000000000800000-0x00000000008C6000-memory.dmp	family_sectoprat

Sectoprat family
sectoprat

Executes dropped EXE 3 IoCs

pid	Process
2632	AE6FC990A0AC98C194956956411C571D.exe
3868	ScanDisp.exe
1620	ScanDisp.exe

Loads dropped DLL 18 IoCs

pid	Process
2632	AE6FC990A0AC98C194956956411C571D.exe
3868	ScanDisp.exe
3868	ScanDisp.exe
3868	ScanDisp.exe
3868	ScanDisp.exe
3868	ScanDisp.exe
3868	ScanDisp.exe
3868	ScanDisp.exe
3868	ScanDisp.exe
3868	ScanDisp.exe
3868	ScanDisp.exe
1620	ScanDisp.exe
1620	ScanDisp.exe
1620	ScanDisp.exe
1620	ScanDisp.exe
1620	ScanDisp.exe
1620	ScanDisp.exe
1620	ScanDisp.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
39	pastebin.com
40	pastebin.com
50	pastebin.com

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1620 set thread context of 3020	1620	ScanDisp.exe	86
PID 3020 set thread context of 3928	3020	cmd.exe	104

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\writerUninstall.job	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AE6FC990A0AC98C194956956411C571D.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AE6FC990A0AC98C194956956411C571D.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ScanDisp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ScanDisp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
3868	ScanDisp.exe
1620	ScanDisp.exe
1620	ScanDisp.exe
3020	cmd.exe
3020	cmd.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
1620	ScanDisp.exe
3020	cmd.exe
3020	cmd.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3928	MSBuild.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1560 wrote to memory of 2632	1560	AE6FC990A0AC98C194956956411C571D.exe	83
PID 1560 wrote to memory of 2632	1560	AE6FC990A0AC98C194956956411C571D.exe	83
PID 1560 wrote to memory of 2632	1560	AE6FC990A0AC98C194956956411C571D.exe	83
PID 2632 wrote to memory of 3868	2632	AE6FC990A0AC98C194956956411C571D.exe	84
PID 2632 wrote to memory of 3868	2632	AE6FC990A0AC98C194956956411C571D.exe	84
PID 2632 wrote to memory of 3868	2632	AE6FC990A0AC98C194956956411C571D.exe	84
PID 3868 wrote to memory of 1620	3868	ScanDisp.exe	85
PID 3868 wrote to memory of 1620	3868	ScanDisp.exe	85
PID 3868 wrote to memory of 1620	3868	ScanDisp.exe	85
PID 1620 wrote to memory of 3020	1620	ScanDisp.exe	86
PID 1620 wrote to memory of 3020	1620	ScanDisp.exe	86
PID 1620 wrote to memory of 3020	1620	ScanDisp.exe	86
PID 1620 wrote to memory of 3020	1620	ScanDisp.exe	86
PID 3020 wrote to memory of 3928	3020	cmd.exe	104
PID 3020 wrote to memory of 3928	3020	cmd.exe	104
PID 3020 wrote to memory of 3928	3020	cmd.exe	104
PID 3020 wrote to memory of 3928	3020	cmd.exe	104
PID 3020 wrote to memory of 3928	3020	cmd.exe	104

C:\Users\Admin\AppData\Local\Temp\AE6FC990A0AC98C194956956411C571D.exe
"C:\Users\Admin\AppData\Local\Temp\AE6FC990A0AC98C194956956411C571D.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1560
- C:\Windows\TEMP\{3BC96AEC-420C-45C8-A8D1-A27476A4C32E}\.cr\AE6FC990A0AC98C194956956411C571D.exe
  "C:\Windows\TEMP\{3BC96AEC-420C-45C8-A8D1-A27476A4C32E}\.cr\AE6FC990A0AC98C194956956411C571D.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\AE6FC990A0AC98C194956956411C571D.exe" -burn.filehandle.attached=648 -burn.filehandle.self=692
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2632
- - C:\Windows\TEMP\{2E9A20D5-99DB-4A5F-ADD3-73E9E1DFDAD1}\.ba\ScanDisp.exe
    C:\Windows\TEMP\{2E9A20D5-99DB-4A5F-ADD3-73E9E1DFDAD1}\.ba\ScanDisp.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3868
  - - C:\Users\Admin\AppData\Roaming\FastManage_v5\ScanDisp.exe
      C:\Users\Admin\AppData\Roaming\FastManage_v5\ScanDisp.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:1620
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\SysWOW64\cmd.exe
        5⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:3020
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2872e53b

Filesize
1.5MB

MD5
de42cebb560998ef65fd322cdd2888c1

SHA1
a55073e5921b2fb080de628aaaafbec12fbd687d

SHA256
4447c86b9003f0727f0ccb6b0d44324fffe79cf2fe19dec56d952a867e5123e4

SHA512
f86b1f22775ee84566a8eb8fe07d94ad94f1569651df5d87fb45de823b474d5f4424e1e494558ab8c88beeb364924c0d3f3909bbfef6dcaba6a85ec07c0c8f3f

Download Submit
C:\Windows\TEMP\{2E9A20D5-99DB-4A5F-ADD3-73E9E1DFDAD1}\.ba\catecholamine.bmp

Filesize
40KB

MD5
bd76c0ee66403804c0e9608dcad83997

SHA1
65ac5b34713c00bfca50a1b33f56a2b3631e761d

SHA256
54dad6db97d72016fe1b9f24d67acea2a0150007a330512cede7770154c50bef

SHA512
3c9f70efd53d65edeaf101308b8e0deac7c21ce991e3e545cfe79cbcdef40a7200a9eb416742d8a961b3bdcd73e5523303b52cc01c42f04ee16f4fc5e2ff4a78

Download Submit
C:\Windows\TEMP\{2E9A20D5-99DB-4A5F-ADD3-73E9E1DFDAD1}\.ba\madBasic_.bpl

Filesize
211KB

MD5
641c567225e18195bc3d2d04bde7440b

SHA1
20395a482d9726ad80820c08f3a698cf227afd10

SHA256
c2df993943c87b1e0f07ddd7a807bb66c2ef518c7cf427f6aa4ba0f2543f1ea0

SHA512
1e6023d221ba16a6374cfeb939f795133130b9a71f6f57b1bc6e13e3641f879d409783cf9b1ef4b8fd79b272793ba612d679a213ff97656b3a728567588ecfb9

Download Submit
C:\Windows\TEMP\{2E9A20D5-99DB-4A5F-ADD3-73E9E1DFDAD1}\.ba\madExcept_.bpl

Filesize
437KB

MD5
e8818a6b32f06089d5b6187e658684ba

SHA1
7d4f34e3a309c04df8f60e667c058e84f92db27a

SHA256
91ee84d5ab6d3b3de72a5cd74217700eb1309959095214bd2c77d12e6af81c8e

SHA512
d00ecf234cb642c4d060d15f74e4780fc3834b489516f7925249df72747e1e668c4ac66c6cc2887efde5a9c6604b91a688ba37c2a3b13ee7cf29ed7adcfa666d

Download Submit
C:\Windows\TEMP\{2E9A20D5-99DB-4A5F-ADD3-73E9E1DFDAD1}\.ba\razoo.sql

Filesize
1.2MB

MD5
76d644d354b3ee9e7d6aa72d61da702e

SHA1
d8044aec40193e480ebec38f82f234526e33f8eb

SHA256
985bd69cf2d11c733b1864fb8e3743852973a69f7250b4649828131f6cbe2956

SHA512
a31cba3eb15e4b279b60c6668039c4dc36eb559245218375a2449cd53f0aaf3ff00665fff8a144c29f8c735e164e65fc28a4463940309cab68ef1c85fbb3b535

Download Submit
C:\Windows\TEMP\{2E9A20D5-99DB-4A5F-ADD3-73E9E1DFDAD1}\.ba\rtl120.bpl

Filesize
1.0MB

MD5
d229efd5857fade06e2578e580bace0a

SHA1
48902e82a063125021eb8a629a26efa6a1de8778

SHA256
4b2efc1d5b494a6024ac48cc760c7031b5cf19a7b70bdcb4157759d5d5afc54c

SHA512
5b646fd6a8f690f355b05cd065c0b4efff794ff0066f29d2c69a7be0af6ca7695ad3ef6e7c503d9b2e71c7fcca71174fbb2e9eda5b239a07d3618c963675fc39

Download Submit
C:\Windows\Temp\{2E9A20D5-99DB-4A5F-ADD3-73E9E1DFDAD1}\.ba\Mapleleaf.dll

Filesize
582KB

MD5
a9cdb36ae149705a8744b39318a47b13

SHA1
ae5850e5cd5f3bcdc9640e80f68db7b068091ac8

SHA256
7959b8c730040e4c9f01d258c29bcd04f43b76da014dfb06da403c55c1a86cdf

SHA512
394bffff80888151927e1d90538380f7811a05a5a3f9bbdb04f08a6fed13d2e0a6d41364ce1fe1f9c872466c2a2f00b9daf6650116d7907dfc079a88d991e2bf

Download Submit
C:\Windows\Temp\{2E9A20D5-99DB-4A5F-ADD3-73E9E1DFDAD1}\.ba\ScanDisp.exe

Filesize
108KB

MD5
fef6b0ad8eaa466105b74565b6dd140b

SHA1
71c74b0890fa75f49342f3e1e23b5cea35939bfe

SHA256
9d8ecda7731bf83b1360d14a1a556fb62145a6b4531d086a742ed3a0f4ee5e2f

SHA512
2424c42323e7d75b3ff1424f81c8a180dfd7c8f7efc1030e57b66f36ef1727d9f0788f1c380e740b68d82add778b9e0623c3da79d6eb5e089300c4d130aea366

Download Submit
C:\Windows\Temp\{2E9A20D5-99DB-4A5F-ADD3-73E9E1DFDAD1}\.ba\madDisAsm_.bpl

Filesize
64KB

MD5
3936a92320f7d4cec5fa903c200911c7

SHA1
a61602501ffebf8381e39015d1725f58938154ca

SHA256
2aec41414aca38de5aba1cab7bda2030e1e2b347e0ae77079533722c85fe4566

SHA512
747ea892f6e5e3b7500c363d40c5c2a62e9fcf898ade2648262a4277ad3b31e0bcd5f8672d79d176b4759790db688bf1a748b09cbcb1816288a44554016e46d3

Download Submit
C:\Windows\Temp\{2E9A20D5-99DB-4A5F-ADD3-73E9E1DFDAD1}\.ba\vcl120.bpl

Filesize
1.9MB

MD5
c594d746ff6c99d140b5e8da97f12fd4

SHA1
f21742707c5f3fee776f98641f36bd755e24a7b0

SHA256
572edb7d630e9b03f93bd15135d2ca360176c1232051293663ec5b75c2428aec

SHA512
33b9902b2cf1154d850779cd012c0285882e158b9d1422c54ea9400ca348686773b6bacb760171060d1a0e620f8ff4a26ecd889dea3c454e8fc5fa59b173832b

Download Submit
C:\Windows\Temp\{3BC96AEC-420C-45C8-A8D1-A27476A4C32E}\.cr\AE6FC990A0AC98C194956956411C571D.exe

Filesize
3.2MB

MD5
a1064ae0dd8ef0df01dde1d0d753fec9

SHA1
d094150b59b3355ea9fc0f9d53e262eb70cdd595

SHA256
5b72ed338df66d19c17f8068d185307f1c1e7551e384ef1602e3f4aa06a86390

SHA512
2dc8b8c343a6ddaa7f7aeb3c28aa6a7b71c5394bba906c659dc33f6e7d6fc8c2b3f639e209dc4b93925b89be78397feb6d23363d635b51d85eac5364c0191289

Download Submit
memory/1620-71-0x00007FFE62070000-0x00007FFE62265000-memory.dmp

Filesize
2.0MB

Download
memory/1620-70-0x00000000746F0000-0x000000007486B000-memory.dmp

Filesize
1.5MB

Download
memory/1620-72-0x00000000746F0000-0x000000007486B000-memory.dmp

Filesize
1.5MB

Download
memory/3020-86-0x00000000746F0000-0x000000007486B000-memory.dmp

Filesize
1.5MB

Download
memory/3020-81-0x00007FFE62070000-0x00007FFE62265000-memory.dmp

Filesize
2.0MB

Download
memory/3020-83-0x00000000746F0000-0x000000007486B000-memory.dmp

Filesize
1.5MB

Download
memory/3868-63-0x0000000057800000-0x0000000057812000-memory.dmp

Filesize
72KB

Download
memory/3868-37-0x00000000746F0000-0x000000007486B000-memory.dmp

Filesize
1.5MB

Download
memory/3868-62-0x0000000059800000-0x000000005986E000-memory.dmp

Filesize
440KB

Download
memory/3868-64-0x0000000057000000-0x000000005703F000-memory.dmp

Filesize
252KB

Download
memory/3868-65-0x0000000050120000-0x000000005030D000-memory.dmp

Filesize
1.9MB

Download
memory/3868-54-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3868-60-0x0000000050000000-0x0000000050116000-memory.dmp

Filesize
1.1MB

Download
memory/3868-38-0x00007FFE62070000-0x00007FFE62265000-memory.dmp

Filesize
2.0MB

Download
memory/3928-89-0x00000000731E0000-0x0000000074434000-memory.dmp

Filesize
18.3MB

Download
memory/3928-92-0x0000000000800000-0x00000000008C6000-memory.dmp

Filesize
792KB

Download
memory/3928-93-0x0000000004F30000-0x0000000004FC2000-memory.dmp

Filesize
584KB

Download
memory/3928-94-0x0000000005580000-0x0000000005B24000-memory.dmp

Filesize
5.6MB

Download
memory/3928-95-0x00000000051A0000-0x0000000005362000-memory.dmp

Filesize
1.8MB

Download
memory/3928-96-0x0000000005050000-0x00000000050C6000-memory.dmp

Filesize
472KB

Download
memory/3928-97-0x00000000050D0000-0x0000000005120000-memory.dmp

Filesize
320KB

Download