sectoprat | a0c867e776121ce5889f99fcd5dd3006c1c86a343a58256a9a536d116615e284

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19-01-2025 21:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

edba5529bd552054f5409496f1d1782d.exe
Size

4.0MB
MD5

edba5529bd552054f5409496f1d1782d
SHA1

c99315b1eae4e8b409d78022a583459540f3bf1a
SHA256

a0c867e776121ce5889f99fcd5dd3006c1c86a343a58256a9a536d116615e284
SHA512

df17280eeb911057377b809c4deaeced97fa1dd1165a80c3fadb83ece22905585c41b29acc9e90a3eccdcbd6e3fcfa0c30afd87a6cb3724f49290f6a52a12326
SSDEEP

98304:cKaAh0104NS7FGwCh1CTLBMtMeUjafSUYGzRodJ8opxQ9S:vlaf4XCbCTLBgMeUTYROJ8An

Score

10^/10

sectoprat discovery rat trojan

Malware Config

Signatures

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 1 IoCs

resource	yara_rule
behavioral2/memory/2352-94-0x0000000001380000-0x0000000001446000-memory.dmp	family_sectoprat

Sectoprat family
sectoprat

Executes dropped EXE 3 IoCs

pid	Process
3256	edba5529bd552054f5409496f1d1782d.exe
2624	ScanDisp.exe
1028	ScanDisp.exe

Loads dropped DLL 20 IoCs

pid	Process
3256	edba5529bd552054f5409496f1d1782d.exe
2624	ScanDisp.exe
2624	ScanDisp.exe
2624	ScanDisp.exe
2624	ScanDisp.exe
2624	ScanDisp.exe
2624	ScanDisp.exe
2624	ScanDisp.exe
2624	ScanDisp.exe
2624	ScanDisp.exe
2624	ScanDisp.exe
1028	ScanDisp.exe
1028	ScanDisp.exe
1028	ScanDisp.exe
1028	ScanDisp.exe
1028	ScanDisp.exe
1028	ScanDisp.exe
1028	ScanDisp.exe
1028	ScanDisp.exe
1028	ScanDisp.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
54	pastebin.com
41	pastebin.com
42	pastebin.com

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1028 set thread context of 4808	1028	ScanDisp.exe	85
PID 4808 set thread context of 2352	4808	cmd.exe	95

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\writerUninstall.job	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	edba5529bd552054f5409496f1d1782d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	edba5529bd552054f5409496f1d1782d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ScanDisp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ScanDisp.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2624	ScanDisp.exe
1028	ScanDisp.exe
1028	ScanDisp.exe
4808	cmd.exe
4808	cmd.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
1028	ScanDisp.exe
4808	cmd.exe
4808	cmd.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2352	MSBuild.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2068 wrote to memory of 3256	2068	edba5529bd552054f5409496f1d1782d.exe	82
PID 2068 wrote to memory of 3256	2068	edba5529bd552054f5409496f1d1782d.exe	82
PID 2068 wrote to memory of 3256	2068	edba5529bd552054f5409496f1d1782d.exe	82
PID 3256 wrote to memory of 2624	3256	edba5529bd552054f5409496f1d1782d.exe	83
PID 3256 wrote to memory of 2624	3256	edba5529bd552054f5409496f1d1782d.exe	83
PID 3256 wrote to memory of 2624	3256	edba5529bd552054f5409496f1d1782d.exe	83
PID 2624 wrote to memory of 1028	2624	ScanDisp.exe	84
PID 2624 wrote to memory of 1028	2624	ScanDisp.exe	84
PID 2624 wrote to memory of 1028	2624	ScanDisp.exe	84
PID 1028 wrote to memory of 4808	1028	ScanDisp.exe	85
PID 1028 wrote to memory of 4808	1028	ScanDisp.exe	85
PID 1028 wrote to memory of 4808	1028	ScanDisp.exe	85
PID 1028 wrote to memory of 4808	1028	ScanDisp.exe	85
PID 4808 wrote to memory of 2352	4808	cmd.exe	95
PID 4808 wrote to memory of 2352	4808	cmd.exe	95
PID 4808 wrote to memory of 2352	4808	cmd.exe	95
PID 4808 wrote to memory of 2352	4808	cmd.exe	95
PID 4808 wrote to memory of 2352	4808	cmd.exe	95

C:\Users\Admin\AppData\Local\Temp\edba5529bd552054f5409496f1d1782d.exe
"C:\Users\Admin\AppData\Local\Temp\edba5529bd552054f5409496f1d1782d.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2068
- C:\Windows\TEMP\{069F4FE6-DB37-4120-B575-94AF3CCC733E}\.cr\edba5529bd552054f5409496f1d1782d.exe
  "C:\Windows\TEMP\{069F4FE6-DB37-4120-B575-94AF3CCC733E}\.cr\edba5529bd552054f5409496f1d1782d.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\edba5529bd552054f5409496f1d1782d.exe" -burn.filehandle.attached=692 -burn.filehandle.self=640
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3256
- - C:\Windows\TEMP\{2448C627-C173-4C48-A7E7-1B42AE4402BC}\.ba\ScanDisp.exe
    C:\Windows\TEMP\{2448C627-C173-4C48-A7E7-1B42AE4402BC}\.ba\ScanDisp.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2624
  - - C:\Users\Admin\AppData\Roaming\FastManage_v5\ScanDisp.exe
      C:\Users\Admin\AppData\Roaming\FastManage_v5\ScanDisp.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:1028
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\SysWOW64\cmd.exe
        5⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:4808
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8e4b2bb

Filesize
1.5MB

MD5
35ebc6787b430646997e6321a5ca0271

SHA1
a86d3629f56d8e2b61e0c15b04f39dfd5dc98cf4

SHA256
c06c3b96bdb657961c4a3e392535319866105a9752b855063293c205a4c1bc2e

SHA512
113de325a3d28a9f16247377793697f2fc1dbfba4cc07022b24b8b6b7a831a8b08342ecb9cfc24c11598daacc9d098974520f21b9cd975dbc78d3a8f63f9f1db

Download Submit
C:\Windows\TEMP\{2448C627-C173-4C48-A7E7-1B42AE4402BC}\.ba\ScanDisp.exe

Filesize
108KB

MD5
fef6b0ad8eaa466105b74565b6dd140b

SHA1
71c74b0890fa75f49342f3e1e23b5cea35939bfe

SHA256
9d8ecda7731bf83b1360d14a1a556fb62145a6b4531d086a742ed3a0f4ee5e2f

SHA512
2424c42323e7d75b3ff1424f81c8a180dfd7c8f7efc1030e57b66f36ef1727d9f0788f1c380e740b68d82add778b9e0623c3da79d6eb5e089300c4d130aea366

Download Submit
C:\Windows\TEMP\{2448C627-C173-4C48-A7E7-1B42AE4402BC}\.ba\catecholamine.bmp

Filesize
40KB

MD5
bd76c0ee66403804c0e9608dcad83997

SHA1
65ac5b34713c00bfca50a1b33f56a2b3631e761d

SHA256
54dad6db97d72016fe1b9f24d67acea2a0150007a330512cede7770154c50bef

SHA512
3c9f70efd53d65edeaf101308b8e0deac7c21ce991e3e545cfe79cbcdef40a7200a9eb416742d8a961b3bdcd73e5523303b52cc01c42f04ee16f4fc5e2ff4a78

Download Submit
C:\Windows\TEMP\{2448C627-C173-4C48-A7E7-1B42AE4402BC}\.ba\razoo.sql

Filesize
1.2MB

MD5
76d644d354b3ee9e7d6aa72d61da702e

SHA1
d8044aec40193e480ebec38f82f234526e33f8eb

SHA256
985bd69cf2d11c733b1864fb8e3743852973a69f7250b4649828131f6cbe2956

SHA512
a31cba3eb15e4b279b60c6668039c4dc36eb559245218375a2449cd53f0aaf3ff00665fff8a144c29f8c735e164e65fc28a4463940309cab68ef1c85fbb3b535

Download Submit
C:\Windows\Temp\{069F4FE6-DB37-4120-B575-94AF3CCC733E}\.cr\edba5529bd552054f5409496f1d1782d.exe

Filesize
3.2MB

MD5
a1064ae0dd8ef0df01dde1d0d753fec9

SHA1
d094150b59b3355ea9fc0f9d53e262eb70cdd595

SHA256
5b72ed338df66d19c17f8068d185307f1c1e7551e384ef1602e3f4aa06a86390

SHA512
2dc8b8c343a6ddaa7f7aeb3c28aa6a7b71c5394bba906c659dc33f6e7d6fc8c2b3f639e209dc4b93925b89be78397feb6d23363d635b51d85eac5364c0191289

Download Submit
C:\Windows\Temp\{2448C627-C173-4C48-A7E7-1B42AE4402BC}\.ba\Mapleleaf.dll

Filesize
582KB

MD5
a9cdb36ae149705a8744b39318a47b13

SHA1
ae5850e5cd5f3bcdc9640e80f68db7b068091ac8

SHA256
7959b8c730040e4c9f01d258c29bcd04f43b76da014dfb06da403c55c1a86cdf

SHA512
394bffff80888151927e1d90538380f7811a05a5a3f9bbdb04f08a6fed13d2e0a6d41364ce1fe1f9c872466c2a2f00b9daf6650116d7907dfc079a88d991e2bf

Download Submit
C:\Windows\Temp\{2448C627-C173-4C48-A7E7-1B42AE4402BC}\.ba\madBasic_.bpl

Filesize
211KB

MD5
641c567225e18195bc3d2d04bde7440b

SHA1
20395a482d9726ad80820c08f3a698cf227afd10

SHA256
c2df993943c87b1e0f07ddd7a807bb66c2ef518c7cf427f6aa4ba0f2543f1ea0

SHA512
1e6023d221ba16a6374cfeb939f795133130b9a71f6f57b1bc6e13e3641f879d409783cf9b1ef4b8fd79b272793ba612d679a213ff97656b3a728567588ecfb9

Download Submit
C:\Windows\Temp\{2448C627-C173-4C48-A7E7-1B42AE4402BC}\.ba\madDisAsm_.bpl

Filesize
64KB

MD5
3936a92320f7d4cec5fa903c200911c7

SHA1
a61602501ffebf8381e39015d1725f58938154ca

SHA256
2aec41414aca38de5aba1cab7bda2030e1e2b347e0ae77079533722c85fe4566

SHA512
747ea892f6e5e3b7500c363d40c5c2a62e9fcf898ade2648262a4277ad3b31e0bcd5f8672d79d176b4759790db688bf1a748b09cbcb1816288a44554016e46d3

Download Submit
C:\Windows\Temp\{2448C627-C173-4C48-A7E7-1B42AE4402BC}\.ba\madExcept_.bpl

Filesize
437KB

MD5
e8818a6b32f06089d5b6187e658684ba

SHA1
7d4f34e3a309c04df8f60e667c058e84f92db27a

SHA256
91ee84d5ab6d3b3de72a5cd74217700eb1309959095214bd2c77d12e6af81c8e

SHA512
d00ecf234cb642c4d060d15f74e4780fc3834b489516f7925249df72747e1e668c4ac66c6cc2887efde5a9c6604b91a688ba37c2a3b13ee7cf29ed7adcfa666d

Download Submit
C:\Windows\Temp\{2448C627-C173-4C48-A7E7-1B42AE4402BC}\.ba\rtl120.bpl

Filesize
1.0MB

MD5
d229efd5857fade06e2578e580bace0a

SHA1
48902e82a063125021eb8a629a26efa6a1de8778

SHA256
4b2efc1d5b494a6024ac48cc760c7031b5cf19a7b70bdcb4157759d5d5afc54c

SHA512
5b646fd6a8f690f355b05cd065c0b4efff794ff0066f29d2c69a7be0af6ca7695ad3ef6e7c503d9b2e71c7fcca71174fbb2e9eda5b239a07d3618c963675fc39

Download Submit
C:\Windows\Temp\{2448C627-C173-4C48-A7E7-1B42AE4402BC}\.ba\vcl120.bpl

Filesize
1.9MB

MD5
c594d746ff6c99d140b5e8da97f12fd4

SHA1
f21742707c5f3fee776f98641f36bd755e24a7b0

SHA256
572edb7d630e9b03f93bd15135d2ca360176c1232051293663ec5b75c2428aec

SHA512
33b9902b2cf1154d850779cd012c0285882e158b9d1422c54ea9400ca348686773b6bacb760171060d1a0e620f8ff4a26ecd889dea3c454e8fc5fa59b173832b

Download Submit
memory/1028-77-0x0000000059800000-0x000000005986E000-memory.dmp

Filesize
440KB

Download
memory/1028-79-0x0000000057000000-0x000000005703F000-memory.dmp

Filesize
252KB

Download
memory/1028-72-0x0000000074090000-0x000000007420B000-memory.dmp

Filesize
1.5MB

Download
memory/1028-73-0x00007FFD96130000-0x00007FFD96325000-memory.dmp

Filesize
2.0MB

Download
memory/1028-81-0x0000000050120000-0x000000005030D000-memory.dmp

Filesize
1.9MB

Download
memory/1028-78-0x0000000050000000-0x0000000050116000-memory.dmp

Filesize
1.1MB

Download
memory/1028-74-0x0000000074090000-0x000000007420B000-memory.dmp

Filesize
1.5MB

Download
memory/2352-96-0x0000000006070000-0x0000000006614000-memory.dmp

Filesize
5.6MB

Download
memory/2352-90-0x0000000072B80000-0x0000000073DD4000-memory.dmp

Filesize
18.3MB

Download
memory/2352-94-0x0000000001380000-0x0000000001446000-memory.dmp

Filesize
792KB

Download
memory/2352-95-0x0000000005A20000-0x0000000005AB2000-memory.dmp

Filesize
584KB

Download
memory/2352-97-0x0000000005CF0000-0x0000000005EB2000-memory.dmp

Filesize
1.8MB

Download
memory/2352-98-0x0000000005BA0000-0x0000000005C16000-memory.dmp

Filesize
472KB

Download
memory/2352-99-0x0000000005C20000-0x0000000005C70000-memory.dmp

Filesize
320KB

Download
memory/2624-53-0x0000000059800000-0x000000005986E000-memory.dmp

Filesize
440KB

Download
memory/2624-51-0x0000000057000000-0x000000005703F000-memory.dmp

Filesize
252KB

Download
memory/2624-49-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2624-50-0x0000000050000000-0x0000000050116000-memory.dmp

Filesize
1.1MB

Download
memory/2624-52-0x0000000057800000-0x0000000057812000-memory.dmp

Filesize
72KB

Download
memory/2624-54-0x0000000050120000-0x000000005030D000-memory.dmp

Filesize
1.9MB

Download
memory/2624-38-0x00007FFD96130000-0x00007FFD96325000-memory.dmp

Filesize
2.0MB

Download
memory/2624-37-0x0000000074090000-0x000000007420B000-memory.dmp

Filesize
1.5MB

Download
memory/4808-83-0x00007FFD96130000-0x00007FFD96325000-memory.dmp

Filesize
2.0MB

Download
memory/4808-85-0x0000000074090000-0x000000007420B000-memory.dmp

Filesize
1.5MB

Download
memory/4808-88-0x0000000074090000-0x000000007420B000-memory.dmp

Filesize
1.5MB

Download