sectoprat | ef0fc4d1fd71b53bc88e2a2347195385f1a25b42254de683011fc4388ca796ec

Analysis

max time kernel
143s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20-01-2025 05:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ef0fc4d1fd71b53bc88e2a2347195385f1a25b42254de683011fc4388ca796ec.exe
Size

4.2MB
MD5

499eba0173a1c75ee669125b067f5b2c
SHA1

667747f8bb3451f56acc2a618c1f91be806a680f
SHA256

ef0fc4d1fd71b53bc88e2a2347195385f1a25b42254de683011fc4388ca796ec
SHA512

5b15fa3740a56fdadbbe7af067bb2f5aab86a314dacf080bca4aaef0d86bc42955ef915b603876c5feee4b51c5f01db8e4564144239ad25c6dbe2561656141de
SSDEEP

98304:cKaAh0104NS7FGwCh1CTLBMtMeUjafSUYGzSxYcM/Ep:vlaf4XCbCTLBgMeUTYSScQEp

Score

10^/10

sectoprat discovery rat trojan

Malware Config

Signatures

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 1 IoCs

resource	yara_rule
behavioral2/memory/1496-94-0x0000000000D00000-0x0000000000DC6000-memory.dmp	family_sectoprat

Sectoprat family
sectoprat

Executes dropped EXE 3 IoCs

pid	Process
1124	ef0fc4d1fd71b53bc88e2a2347195385f1a25b42254de683011fc4388ca796ec.exe
2200	ScanDisp.exe
216	ScanDisp.exe

Loads dropped DLL 20 IoCs

pid	Process
1124	ef0fc4d1fd71b53bc88e2a2347195385f1a25b42254de683011fc4388ca796ec.exe
2200	ScanDisp.exe
2200	ScanDisp.exe
2200	ScanDisp.exe
2200	ScanDisp.exe
2200	ScanDisp.exe
2200	ScanDisp.exe
2200	ScanDisp.exe
2200	ScanDisp.exe
2200	ScanDisp.exe
2200	ScanDisp.exe
2200	ScanDisp.exe
2200	ScanDisp.exe
216	ScanDisp.exe
216	ScanDisp.exe
216	ScanDisp.exe
216	ScanDisp.exe
216	ScanDisp.exe
216	ScanDisp.exe
216	ScanDisp.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
39	pastebin.com
40	pastebin.com
46	pastebin.com

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 216 set thread context of 4424	216	ScanDisp.exe	86
PID 4424 set thread context of 1496	4424	cmd.exe	107

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\writerUninstall.job	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ef0fc4d1fd71b53bc88e2a2347195385f1a25b42254de683011fc4388ca796ec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ef0fc4d1fd71b53bc88e2a2347195385f1a25b42254de683011fc4388ca796ec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ScanDisp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ScanDisp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2200	ScanDisp.exe
216	ScanDisp.exe
216	ScanDisp.exe
4424	cmd.exe
4424	cmd.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
216	ScanDisp.exe
4424	cmd.exe
4424	cmd.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1496	MSBuild.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1296 wrote to memory of 1124	1296	ef0fc4d1fd71b53bc88e2a2347195385f1a25b42254de683011fc4388ca796ec.exe	83
PID 1296 wrote to memory of 1124	1296	ef0fc4d1fd71b53bc88e2a2347195385f1a25b42254de683011fc4388ca796ec.exe	83
PID 1296 wrote to memory of 1124	1296	ef0fc4d1fd71b53bc88e2a2347195385f1a25b42254de683011fc4388ca796ec.exe	83
PID 1124 wrote to memory of 2200	1124	ef0fc4d1fd71b53bc88e2a2347195385f1a25b42254de683011fc4388ca796ec.exe	84
PID 1124 wrote to memory of 2200	1124	ef0fc4d1fd71b53bc88e2a2347195385f1a25b42254de683011fc4388ca796ec.exe	84
PID 1124 wrote to memory of 2200	1124	ef0fc4d1fd71b53bc88e2a2347195385f1a25b42254de683011fc4388ca796ec.exe	84
PID 2200 wrote to memory of 216	2200	ScanDisp.exe	85
PID 2200 wrote to memory of 216	2200	ScanDisp.exe	85
PID 2200 wrote to memory of 216	2200	ScanDisp.exe	85
PID 216 wrote to memory of 4424	216	ScanDisp.exe	86
PID 216 wrote to memory of 4424	216	ScanDisp.exe	86
PID 216 wrote to memory of 4424	216	ScanDisp.exe	86
PID 216 wrote to memory of 4424	216	ScanDisp.exe	86
PID 4424 wrote to memory of 1496	4424	cmd.exe	107
PID 4424 wrote to memory of 1496	4424	cmd.exe	107
PID 4424 wrote to memory of 1496	4424	cmd.exe	107
PID 4424 wrote to memory of 1496	4424	cmd.exe	107
PID 4424 wrote to memory of 1496	4424	cmd.exe	107

C:\Users\Admin\AppData\Local\Temp\ef0fc4d1fd71b53bc88e2a2347195385f1a25b42254de683011fc4388ca796ec.exe
"C:\Users\Admin\AppData\Local\Temp\ef0fc4d1fd71b53bc88e2a2347195385f1a25b42254de683011fc4388ca796ec.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1296
- C:\Windows\TEMP\{48B3C165-1AC7-4CBD-BC81-DA6DAD764F48}\.cr\ef0fc4d1fd71b53bc88e2a2347195385f1a25b42254de683011fc4388ca796ec.exe
  "C:\Windows\TEMP\{48B3C165-1AC7-4CBD-BC81-DA6DAD764F48}\.cr\ef0fc4d1fd71b53bc88e2a2347195385f1a25b42254de683011fc4388ca796ec.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\ef0fc4d1fd71b53bc88e2a2347195385f1a25b42254de683011fc4388ca796ec.exe" -burn.filehandle.attached=660 -burn.filehandle.self=668
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1124
- - C:\Windows\TEMP\{90B73FE3-FBD8-42B4-9FEC-81936161A5D7}\.ba\ScanDisp.exe
    C:\Windows\TEMP\{90B73FE3-FBD8-42B4-9FEC-81936161A5D7}\.ba\ScanDisp.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2200
  - - C:\Users\Admin\AppData\Roaming\FastManage_v5\ScanDisp.exe
      C:\Users\Admin\AppData\Roaming\FastManage_v5\ScanDisp.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:216
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\SysWOW64\cmd.exe
        5⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:4424
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3bdcf024

Filesize
1.5MB

MD5
77feb5828495c863b053e988873c31d4

SHA1
89f23161259c11d584e70bbbf0eb30286dcd30b2

SHA256
2d288ff55f2536661343593bf455b4fb22f769c4f907ebccc81623d4fc49e90b

SHA512
1e091cf261fb137c1ad0d4bfa414c9f7aa35b10bc275db0643e95115281740572821db7afbc1e1aec2a4df0ec0c94e3e7fc53fd92dc95b8b9d85a5baf4394b60

Download Submit
C:\Users\Admin\AppData\Roaming\FastManage_v5\madBasic_.bpl

Filesize
211KB

MD5
641c567225e18195bc3d2d04bde7440b

SHA1
20395a482d9726ad80820c08f3a698cf227afd10

SHA256
c2df993943c87b1e0f07ddd7a807bb66c2ef518c7cf427f6aa4ba0f2543f1ea0

SHA512
1e6023d221ba16a6374cfeb939f795133130b9a71f6f57b1bc6e13e3641f879d409783cf9b1ef4b8fd79b272793ba612d679a213ff97656b3a728567588ecfb9

Download Submit
C:\Windows\TEMP\{90B73FE3-FBD8-42B4-9FEC-81936161A5D7}\.ba\catecholamine.bmp

Filesize
40KB

MD5
bd76c0ee66403804c0e9608dcad83997

SHA1
65ac5b34713c00bfca50a1b33f56a2b3631e761d

SHA256
54dad6db97d72016fe1b9f24d67acea2a0150007a330512cede7770154c50bef

SHA512
3c9f70efd53d65edeaf101308b8e0deac7c21ce991e3e545cfe79cbcdef40a7200a9eb416742d8a961b3bdcd73e5523303b52cc01c42f04ee16f4fc5e2ff4a78

Download Submit
C:\Windows\TEMP\{90B73FE3-FBD8-42B4-9FEC-81936161A5D7}\.ba\madDisAsm_.bpl

Filesize
64KB

MD5
3936a92320f7d4cec5fa903c200911c7

SHA1
a61602501ffebf8381e39015d1725f58938154ca

SHA256
2aec41414aca38de5aba1cab7bda2030e1e2b347e0ae77079533722c85fe4566

SHA512
747ea892f6e5e3b7500c363d40c5c2a62e9fcf898ade2648262a4277ad3b31e0bcd5f8672d79d176b4759790db688bf1a748b09cbcb1816288a44554016e46d3

Download Submit
C:\Windows\TEMP\{90B73FE3-FBD8-42B4-9FEC-81936161A5D7}\.ba\madExcept_.bpl

Filesize
437KB

MD5
e8818a6b32f06089d5b6187e658684ba

SHA1
7d4f34e3a309c04df8f60e667c058e84f92db27a

SHA256
91ee84d5ab6d3b3de72a5cd74217700eb1309959095214bd2c77d12e6af81c8e

SHA512
d00ecf234cb642c4d060d15f74e4780fc3834b489516f7925249df72747e1e668c4ac66c6cc2887efde5a9c6604b91a688ba37c2a3b13ee7cf29ed7adcfa666d

Download Submit
C:\Windows\TEMP\{90B73FE3-FBD8-42B4-9FEC-81936161A5D7}\.ba\razoo.sql

Filesize
1.2MB

MD5
76d644d354b3ee9e7d6aa72d61da702e

SHA1
d8044aec40193e480ebec38f82f234526e33f8eb

SHA256
985bd69cf2d11c733b1864fb8e3743852973a69f7250b4649828131f6cbe2956

SHA512
a31cba3eb15e4b279b60c6668039c4dc36eb559245218375a2449cd53f0aaf3ff00665fff8a144c29f8c735e164e65fc28a4463940309cab68ef1c85fbb3b535

Download Submit
C:\Windows\TEMP\{90B73FE3-FBD8-42B4-9FEC-81936161A5D7}\.ba\rtl120.bpl

Filesize
1.0MB

MD5
d229efd5857fade06e2578e580bace0a

SHA1
48902e82a063125021eb8a629a26efa6a1de8778

SHA256
4b2efc1d5b494a6024ac48cc760c7031b5cf19a7b70bdcb4157759d5d5afc54c

SHA512
5b646fd6a8f690f355b05cd065c0b4efff794ff0066f29d2c69a7be0af6ca7695ad3ef6e7c503d9b2e71c7fcca71174fbb2e9eda5b239a07d3618c963675fc39

Download Submit
C:\Windows\Temp\{48B3C165-1AC7-4CBD-BC81-DA6DAD764F48}\.cr\ef0fc4d1fd71b53bc88e2a2347195385f1a25b42254de683011fc4388ca796ec.exe

Filesize
3.2MB

MD5
a1064ae0dd8ef0df01dde1d0d753fec9

SHA1
d094150b59b3355ea9fc0f9d53e262eb70cdd595

SHA256
5b72ed338df66d19c17f8068d185307f1c1e7551e384ef1602e3f4aa06a86390

SHA512
2dc8b8c343a6ddaa7f7aeb3c28aa6a7b71c5394bba906c659dc33f6e7d6fc8c2b3f639e209dc4b93925b89be78397feb6d23363d635b51d85eac5364c0191289

Download Submit
C:\Windows\Temp\{90B73FE3-FBD8-42B4-9FEC-81936161A5D7}\.ba\Mapleleaf.dll

Filesize
582KB

MD5
a9cdb36ae149705a8744b39318a47b13

SHA1
ae5850e5cd5f3bcdc9640e80f68db7b068091ac8

SHA256
7959b8c730040e4c9f01d258c29bcd04f43b76da014dfb06da403c55c1a86cdf

SHA512
394bffff80888151927e1d90538380f7811a05a5a3f9bbdb04f08a6fed13d2e0a6d41364ce1fe1f9c872466c2a2f00b9daf6650116d7907dfc079a88d991e2bf

Download Submit
C:\Windows\Temp\{90B73FE3-FBD8-42B4-9FEC-81936161A5D7}\.ba\ScanDisp.exe

Filesize
108KB

MD5
fef6b0ad8eaa466105b74565b6dd140b

SHA1
71c74b0890fa75f49342f3e1e23b5cea35939bfe

SHA256
9d8ecda7731bf83b1360d14a1a556fb62145a6b4531d086a742ed3a0f4ee5e2f

SHA512
2424c42323e7d75b3ff1424f81c8a180dfd7c8f7efc1030e57b66f36ef1727d9f0788f1c380e740b68d82add778b9e0623c3da79d6eb5e089300c4d130aea366

Download Submit
C:\Windows\Temp\{90B73FE3-FBD8-42B4-9FEC-81936161A5D7}\.ba\vcl120.bpl

Filesize
1.9MB

MD5
c594d746ff6c99d140b5e8da97f12fd4

SHA1
f21742707c5f3fee776f98641f36bd755e24a7b0

SHA256
572edb7d630e9b03f93bd15135d2ca360176c1232051293663ec5b75c2428aec

SHA512
33b9902b2cf1154d850779cd012c0285882e158b9d1422c54ea9400ca348686773b6bacb760171060d1a0e620f8ff4a26ecd889dea3c454e8fc5fa59b173832b

Download Submit
memory/216-73-0x00007FFAB5150000-0x00007FFAB5345000-memory.dmp

Filesize
2.0MB

Download
memory/216-72-0x00000000737E0000-0x000000007395B000-memory.dmp

Filesize
1.5MB

Download
memory/216-74-0x00000000737E0000-0x000000007395B000-memory.dmp

Filesize
1.5MB

Download
memory/1496-91-0x00000000722D0000-0x0000000073524000-memory.dmp

Filesize
18.3MB

Download
memory/1496-99-0x00000000053B0000-0x0000000005400000-memory.dmp

Filesize
320KB

Download
memory/1496-98-0x0000000005330000-0x00000000053A6000-memory.dmp

Filesize
472KB

Download
memory/1496-97-0x0000000005690000-0x0000000005852000-memory.dmp

Filesize
1.8MB

Download
memory/1496-96-0x00000000058E0000-0x0000000005E84000-memory.dmp

Filesize
5.6MB

Download
memory/1496-95-0x0000000005290000-0x0000000005322000-memory.dmp

Filesize
584KB

Download
memory/1496-94-0x0000000000D00000-0x0000000000DC6000-memory.dmp

Filesize
792KB

Download
memory/2200-70-0x0000000050120000-0x000000005030D000-memory.dmp

Filesize
1.9MB

Download
memory/2200-39-0x00000000737E0000-0x000000007395B000-memory.dmp

Filesize
1.5MB

Download
memory/2200-40-0x00007FFAB5150000-0x00007FFAB5345000-memory.dmp

Filesize
2.0MB

Download
memory/2200-57-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2200-68-0x0000000057000000-0x000000005703F000-memory.dmp

Filesize
252KB

Download
memory/2200-69-0x0000000057800000-0x0000000057812000-memory.dmp

Filesize
72KB

Download
memory/2200-63-0x0000000059800000-0x000000005986E000-memory.dmp

Filesize
440KB

Download
memory/2200-67-0x0000000050000000-0x0000000050116000-memory.dmp

Filesize
1.1MB

Download
memory/4424-83-0x00007FFAB5150000-0x00007FFAB5345000-memory.dmp

Filesize
2.0MB

Download
memory/4424-85-0x00000000737E0000-0x000000007395B000-memory.dmp

Filesize
1.5MB

Download
memory/4424-88-0x00000000737E0000-0x000000007395B000-memory.dmp

Filesize
1.5MB

Download