sectoprat | a0c867e776121ce5889f99fcd5dd3006c1c86a343a58256a9a536d116615e284

Analysis

max time kernel
147s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20-01-2025 04:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a0c867e776121ce5889f99fcd5dd3006c1c86a343a58256a9a536d116615e284.exe
Size

4.0MB
MD5

edba5529bd552054f5409496f1d1782d
SHA1

c99315b1eae4e8b409d78022a583459540f3bf1a
SHA256

a0c867e776121ce5889f99fcd5dd3006c1c86a343a58256a9a536d116615e284
SHA512

df17280eeb911057377b809c4deaeced97fa1dd1165a80c3fadb83ece22905585c41b29acc9e90a3eccdcbd6e3fcfa0c30afd87a6cb3724f49290f6a52a12326
SSDEEP

98304:cKaAh0104NS7FGwCh1CTLBMtMeUjafSUYGzRodJ8opxQ9S:vlaf4XCbCTLBgMeUTYROJ8An

Score

10^/10

sectoprat discovery rat trojan

Malware Config

Signatures

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 1 IoCs

resource	yara_rule
behavioral2/memory/4792-93-0x0000000000900000-0x00000000009C6000-memory.dmp	family_sectoprat

Sectoprat family
sectoprat

Executes dropped EXE 4 IoCs

pid	Process
4804	a0c867e776121ce5889f99fcd5dd3006c1c86a343a58256a9a536d116615e284.exe
1532	ScanDisp.exe
2724	ScanDisp.exe
5084	ScanDisp.exe

Loads dropped DLL 26 IoCs

pid	Process
4804	a0c867e776121ce5889f99fcd5dd3006c1c86a343a58256a9a536d116615e284.exe
1532	ScanDisp.exe
1532	ScanDisp.exe
1532	ScanDisp.exe
1532	ScanDisp.exe
1532	ScanDisp.exe
1532	ScanDisp.exe
1532	ScanDisp.exe
1532	ScanDisp.exe
1532	ScanDisp.exe
2724	ScanDisp.exe
2724	ScanDisp.exe
2724	ScanDisp.exe
2724	ScanDisp.exe
2724	ScanDisp.exe
2724	ScanDisp.exe
2724	ScanDisp.exe
2724	ScanDisp.exe
2724	ScanDisp.exe
5084	ScanDisp.exe
5084	ScanDisp.exe
5084	ScanDisp.exe
5084	ScanDisp.exe
5084	ScanDisp.exe
5084	ScanDisp.exe
5084	ScanDisp.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
37	pastebin.com
48	pastebin.com
50	pastebin.com
36	pastebin.com

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2724 set thread context of 4932	2724	ScanDisp.exe	85
PID 4932 set thread context of 4792	4932	cmd.exe	95

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\writerUninstall.job	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ScanDisp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a0c867e776121ce5889f99fcd5dd3006c1c86a343a58256a9a536d116615e284.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a0c867e776121ce5889f99fcd5dd3006c1c86a343a58256a9a536d116615e284.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ScanDisp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ScanDisp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1532	ScanDisp.exe
2724	ScanDisp.exe
2724	ScanDisp.exe
4932	cmd.exe
4932	cmd.exe
5084	ScanDisp.exe
5084	ScanDisp.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
2724	ScanDisp.exe
4932	cmd.exe
4932	cmd.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4792	MSBuild.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 692 wrote to memory of 4804	692	a0c867e776121ce5889f99fcd5dd3006c1c86a343a58256a9a536d116615e284.exe	82
PID 692 wrote to memory of 4804	692	a0c867e776121ce5889f99fcd5dd3006c1c86a343a58256a9a536d116615e284.exe	82
PID 692 wrote to memory of 4804	692	a0c867e776121ce5889f99fcd5dd3006c1c86a343a58256a9a536d116615e284.exe	82
PID 4804 wrote to memory of 1532	4804	a0c867e776121ce5889f99fcd5dd3006c1c86a343a58256a9a536d116615e284.exe	83
PID 4804 wrote to memory of 1532	4804	a0c867e776121ce5889f99fcd5dd3006c1c86a343a58256a9a536d116615e284.exe	83
PID 4804 wrote to memory of 1532	4804	a0c867e776121ce5889f99fcd5dd3006c1c86a343a58256a9a536d116615e284.exe	83
PID 1532 wrote to memory of 2724	1532	ScanDisp.exe	84
PID 1532 wrote to memory of 2724	1532	ScanDisp.exe	84
PID 1532 wrote to memory of 2724	1532	ScanDisp.exe	84
PID 2724 wrote to memory of 4932	2724	ScanDisp.exe	85
PID 2724 wrote to memory of 4932	2724	ScanDisp.exe	85
PID 2724 wrote to memory of 4932	2724	ScanDisp.exe	85
PID 2724 wrote to memory of 4932	2724	ScanDisp.exe	85
PID 4932 wrote to memory of 4792	4932	cmd.exe	95
PID 4932 wrote to memory of 4792	4932	cmd.exe	95
PID 4932 wrote to memory of 4792	4932	cmd.exe	95
PID 4932 wrote to memory of 4792	4932	cmd.exe	95
PID 4932 wrote to memory of 4792	4932	cmd.exe	95
PID 5084 wrote to memory of 4660	5084	ScanDisp.exe	99
PID 5084 wrote to memory of 4660	5084	ScanDisp.exe	99
PID 5084 wrote to memory of 4660	5084	ScanDisp.exe	99

C:\Users\Admin\AppData\Local\Temp\a0c867e776121ce5889f99fcd5dd3006c1c86a343a58256a9a536d116615e284.exe
"C:\Users\Admin\AppData\Local\Temp\a0c867e776121ce5889f99fcd5dd3006c1c86a343a58256a9a536d116615e284.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:692
- C:\Windows\TEMP\{2EF96BBC-F3C9-4565-B718-CFFB37081FD5}\.cr\a0c867e776121ce5889f99fcd5dd3006c1c86a343a58256a9a536d116615e284.exe
  "C:\Windows\TEMP\{2EF96BBC-F3C9-4565-B718-CFFB37081FD5}\.cr\a0c867e776121ce5889f99fcd5dd3006c1c86a343a58256a9a536d116615e284.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\a0c867e776121ce5889f99fcd5dd3006c1c86a343a58256a9a536d116615e284.exe" -burn.filehandle.attached=644 -burn.filehandle.self=640
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4804
- - C:\Windows\TEMP\{0DA59788-6720-4E71-8015-724483D8CBA4}\.ba\ScanDisp.exe
    C:\Windows\TEMP\{0DA59788-6720-4E71-8015-724483D8CBA4}\.ba\ScanDisp.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1532
  - - C:\Users\Admin\AppData\Roaming\FastManage_v5\ScanDisp.exe
      C:\Users\Admin\AppData\Roaming\FastManage_v5\ScanDisp.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:2724
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\SysWOW64\cmd.exe
        5⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:4932
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4792

C:\Users\Admin\AppData\Roaming\FastManage_v5\ScanDisp.exe
C:\Users\Admin\AppData\Roaming\FastManage_v5\ScanDisp.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5084
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\SysWOW64\cmd.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ffe6f41e

Filesize
1.5MB

MD5
c13b4c918efbb5b9ae5f8434501dd26e

SHA1
d9b46662e3a6b9c85a2b0ccfbef50d1bf777e41b

SHA256
2ff175f351cdf744119d77eaccb0ef29675a731495df4c41fc1833d184a38640

SHA512
02aea3b780b6207b74cf41d8c8735482b3a87dd87bdfa7205afd25f268550f653ac3a28f6fc1e84fbf040dc95f4df257ceb9efe8278dca5422a8b6614d3a81dc

Download Submit
C:\Windows\TEMP\{0DA59788-6720-4E71-8015-724483D8CBA4}\.ba\catecholamine.bmp

Filesize
40KB

MD5
bd76c0ee66403804c0e9608dcad83997

SHA1
65ac5b34713c00bfca50a1b33f56a2b3631e761d

SHA256
54dad6db97d72016fe1b9f24d67acea2a0150007a330512cede7770154c50bef

SHA512
3c9f70efd53d65edeaf101308b8e0deac7c21ce991e3e545cfe79cbcdef40a7200a9eb416742d8a961b3bdcd73e5523303b52cc01c42f04ee16f4fc5e2ff4a78

Download Submit
C:\Windows\TEMP\{0DA59788-6720-4E71-8015-724483D8CBA4}\.ba\madBasic_.bpl

Filesize
211KB

MD5
641c567225e18195bc3d2d04bde7440b

SHA1
20395a482d9726ad80820c08f3a698cf227afd10

SHA256
c2df993943c87b1e0f07ddd7a807bb66c2ef518c7cf427f6aa4ba0f2543f1ea0

SHA512
1e6023d221ba16a6374cfeb939f795133130b9a71f6f57b1bc6e13e3641f879d409783cf9b1ef4b8fd79b272793ba612d679a213ff97656b3a728567588ecfb9

Download Submit
C:\Windows\TEMP\{0DA59788-6720-4E71-8015-724483D8CBA4}\.ba\madExcept_.bpl

Filesize
437KB

MD5
e8818a6b32f06089d5b6187e658684ba

SHA1
7d4f34e3a309c04df8f60e667c058e84f92db27a

SHA256
91ee84d5ab6d3b3de72a5cd74217700eb1309959095214bd2c77d12e6af81c8e

SHA512
d00ecf234cb642c4d060d15f74e4780fc3834b489516f7925249df72747e1e668c4ac66c6cc2887efde5a9c6604b91a688ba37c2a3b13ee7cf29ed7adcfa666d

Download Submit
C:\Windows\TEMP\{0DA59788-6720-4E71-8015-724483D8CBA4}\.ba\razoo.sql

Filesize
1.2MB

MD5
76d644d354b3ee9e7d6aa72d61da702e

SHA1
d8044aec40193e480ebec38f82f234526e33f8eb

SHA256
985bd69cf2d11c733b1864fb8e3743852973a69f7250b4649828131f6cbe2956

SHA512
a31cba3eb15e4b279b60c6668039c4dc36eb559245218375a2449cd53f0aaf3ff00665fff8a144c29f8c735e164e65fc28a4463940309cab68ef1c85fbb3b535

Download Submit
C:\Windows\TEMP\{0DA59788-6720-4E71-8015-724483D8CBA4}\.ba\rtl120.bpl

Filesize
1.0MB

MD5
d229efd5857fade06e2578e580bace0a

SHA1
48902e82a063125021eb8a629a26efa6a1de8778

SHA256
4b2efc1d5b494a6024ac48cc760c7031b5cf19a7b70bdcb4157759d5d5afc54c

SHA512
5b646fd6a8f690f355b05cd065c0b4efff794ff0066f29d2c69a7be0af6ca7695ad3ef6e7c503d9b2e71c7fcca71174fbb2e9eda5b239a07d3618c963675fc39

Download Submit
C:\Windows\TEMP\{0DA59788-6720-4E71-8015-724483D8CBA4}\.ba\vcl120.bpl

Filesize
1.9MB

MD5
c594d746ff6c99d140b5e8da97f12fd4

SHA1
f21742707c5f3fee776f98641f36bd755e24a7b0

SHA256
572edb7d630e9b03f93bd15135d2ca360176c1232051293663ec5b75c2428aec

SHA512
33b9902b2cf1154d850779cd012c0285882e158b9d1422c54ea9400ca348686773b6bacb760171060d1a0e620f8ff4a26ecd889dea3c454e8fc5fa59b173832b

Download Submit
C:\Windows\Temp\{0DA59788-6720-4E71-8015-724483D8CBA4}\.ba\Mapleleaf.dll

Filesize
582KB

MD5
a9cdb36ae149705a8744b39318a47b13

SHA1
ae5850e5cd5f3bcdc9640e80f68db7b068091ac8

SHA256
7959b8c730040e4c9f01d258c29bcd04f43b76da014dfb06da403c55c1a86cdf

SHA512
394bffff80888151927e1d90538380f7811a05a5a3f9bbdb04f08a6fed13d2e0a6d41364ce1fe1f9c872466c2a2f00b9daf6650116d7907dfc079a88d991e2bf

Download Submit
C:\Windows\Temp\{0DA59788-6720-4E71-8015-724483D8CBA4}\.ba\ScanDisp.exe

Filesize
108KB

MD5
fef6b0ad8eaa466105b74565b6dd140b

SHA1
71c74b0890fa75f49342f3e1e23b5cea35939bfe

SHA256
9d8ecda7731bf83b1360d14a1a556fb62145a6b4531d086a742ed3a0f4ee5e2f

SHA512
2424c42323e7d75b3ff1424f81c8a180dfd7c8f7efc1030e57b66f36ef1727d9f0788f1c380e740b68d82add778b9e0623c3da79d6eb5e089300c4d130aea366

Download Submit
C:\Windows\Temp\{0DA59788-6720-4E71-8015-724483D8CBA4}\.ba\madDisAsm_.bpl

Filesize
64KB

MD5
3936a92320f7d4cec5fa903c200911c7

SHA1
a61602501ffebf8381e39015d1725f58938154ca

SHA256
2aec41414aca38de5aba1cab7bda2030e1e2b347e0ae77079533722c85fe4566

SHA512
747ea892f6e5e3b7500c363d40c5c2a62e9fcf898ade2648262a4277ad3b31e0bcd5f8672d79d176b4759790db688bf1a748b09cbcb1816288a44554016e46d3

Download Submit
C:\Windows\Temp\{2EF96BBC-F3C9-4565-B718-CFFB37081FD5}\.cr\a0c867e776121ce5889f99fcd5dd3006c1c86a343a58256a9a536d116615e284.exe

Filesize
3.2MB

MD5
a1064ae0dd8ef0df01dde1d0d753fec9

SHA1
d094150b59b3355ea9fc0f9d53e262eb70cdd595

SHA256
5b72ed338df66d19c17f8068d185307f1c1e7551e384ef1602e3f4aa06a86390

SHA512
2dc8b8c343a6ddaa7f7aeb3c28aa6a7b71c5394bba906c659dc33f6e7d6fc8c2b3f639e209dc4b93925b89be78397feb6d23363d635b51d85eac5364c0191289

Download Submit
memory/1532-37-0x00007FFD73DD0000-0x00007FFD73FC5000-memory.dmp

Filesize
2.0MB

Download
memory/1532-48-0x0000000050000000-0x0000000050116000-memory.dmp

Filesize
1.1MB

Download
memory/1532-52-0x0000000050120000-0x000000005030D000-memory.dmp

Filesize
1.9MB

Download
memory/1532-51-0x0000000057800000-0x0000000057812000-memory.dmp

Filesize
72KB

Download
memory/1532-50-0x0000000059800000-0x000000005986E000-memory.dmp

Filesize
440KB

Download
memory/1532-49-0x0000000057000000-0x000000005703F000-memory.dmp

Filesize
252KB

Download
memory/1532-47-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1532-36-0x00000000742B0000-0x000000007442B000-memory.dmp

Filesize
1.5MB

Download
memory/2724-71-0x00000000742B0000-0x000000007442B000-memory.dmp

Filesize
1.5MB

Download
memory/2724-73-0x00000000742B0000-0x000000007442B000-memory.dmp

Filesize
1.5MB

Download
memory/2724-80-0x0000000050120000-0x000000005030D000-memory.dmp

Filesize
1.9MB

Download
memory/2724-78-0x0000000057000000-0x000000005703F000-memory.dmp

Filesize
252KB

Download
memory/2724-77-0x0000000050000000-0x0000000050116000-memory.dmp

Filesize
1.1MB

Download
memory/2724-76-0x0000000059800000-0x000000005986E000-memory.dmp

Filesize
440KB

Download
memory/2724-72-0x00007FFD73DD0000-0x00007FFD73FC5000-memory.dmp

Filesize
2.0MB

Download
memory/4792-95-0x0000000005590000-0x0000000005B34000-memory.dmp

Filesize
5.6MB

Download
memory/4792-90-0x0000000072DA0000-0x0000000073FF4000-memory.dmp

Filesize
18.3MB

Download
memory/4792-93-0x0000000000900000-0x00000000009C6000-memory.dmp

Filesize
792KB

Download
memory/4792-94-0x0000000004F00000-0x0000000004F92000-memory.dmp

Filesize
584KB

Download
memory/4792-96-0x00000000052C0000-0x0000000005482000-memory.dmp

Filesize
1.8MB

Download
memory/4792-97-0x0000000005060000-0x00000000050D6000-memory.dmp

Filesize
472KB

Download
memory/4792-98-0x00000000050F0000-0x0000000005140000-memory.dmp

Filesize
320KB

Download
memory/4932-84-0x00000000742B0000-0x000000007442B000-memory.dmp

Filesize
1.5MB

Download
memory/4932-87-0x00000000742B0000-0x000000007442B000-memory.dmp

Filesize
1.5MB

Download
memory/4932-82-0x00007FFD73DD0000-0x00007FFD73FC5000-memory.dmp

Filesize
2.0MB

Download
memory/5084-107-0x000000006FAE0000-0x000000006FC5B000-memory.dmp

Filesize
1.5MB

Download
memory/5084-108-0x00007FFD73DD0000-0x00007FFD73FC5000-memory.dmp

Filesize
2.0MB

Download