sectoprat | f533a1a6bbb0202eef4218189bfece12402b1d7a3cb5ab4f60715d2e870a44e6

Analysis

max time kernel
125s
max time network
131s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20-01-2025 05:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f533a1a6bbb0202eef4218189bfece12402b1d7a3cb5ab4f60715d2e870a44e6.exe
Size

3.8MB
MD5

f1acca2781c6f31989fb868af45885ab
SHA1

30a06923775f424f8449452df7755c107e8cb5d5
SHA256

f533a1a6bbb0202eef4218189bfece12402b1d7a3cb5ab4f60715d2e870a44e6
SHA512

3e10116ea0dff08901970e8cf13f249f7c614a2075c1dec59b93e002a268d897ed8f73bba328bfccc77acfee4182477734254df22a62ad2e7cdd6d3175c242b3
SSDEEP

98304:cKaAh0104NS7FGwCh1CTLBMtMeUjafSUYGzXqjTrZ1:vlaf4XCbCTLBgMeUTYav7

Score

10^/10

sectoprat discovery rat trojan

Malware Config

Signatures

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 1 IoCs

resource	yara_rule
behavioral2/memory/4112-94-0x0000000000BA0000-0x0000000000C66000-memory.dmp	family_sectoprat

Sectoprat family
sectoprat

Executes dropped EXE 3 IoCs

pid	Process
2572	f533a1a6bbb0202eef4218189bfece12402b1d7a3cb5ab4f60715d2e870a44e6.exe
3736	ScanDisp.exe
4784	ScanDisp.exe

Loads dropped DLL 20 IoCs

pid	Process
2572	f533a1a6bbb0202eef4218189bfece12402b1d7a3cb5ab4f60715d2e870a44e6.exe
3736	ScanDisp.exe
3736	ScanDisp.exe
3736	ScanDisp.exe
3736	ScanDisp.exe
3736	ScanDisp.exe
3736	ScanDisp.exe
3736	ScanDisp.exe
3736	ScanDisp.exe
3736	ScanDisp.exe
3736	ScanDisp.exe
3736	ScanDisp.exe
3736	ScanDisp.exe
4784	ScanDisp.exe
4784	ScanDisp.exe
4784	ScanDisp.exe
4784	ScanDisp.exe
4784	ScanDisp.exe
4784	ScanDisp.exe
4784	ScanDisp.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
38	pastebin.com
39	pastebin.com
51	pastebin.com

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4784 set thread context of 928	4784	ScanDisp.exe	85
PID 928 set thread context of 4112	928	cmd.exe	95

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\writerUninstall.job	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f533a1a6bbb0202eef4218189bfece12402b1d7a3cb5ab4f60715d2e870a44e6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ScanDisp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ScanDisp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f533a1a6bbb0202eef4218189bfece12402b1d7a3cb5ab4f60715d2e870a44e6.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
3736	ScanDisp.exe
4784	ScanDisp.exe
4784	ScanDisp.exe
928	cmd.exe
928	cmd.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
4784	ScanDisp.exe
928	cmd.exe
928	cmd.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4112	MSBuild.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1912 wrote to memory of 2572	1912	f533a1a6bbb0202eef4218189bfece12402b1d7a3cb5ab4f60715d2e870a44e6.exe	82
PID 1912 wrote to memory of 2572	1912	f533a1a6bbb0202eef4218189bfece12402b1d7a3cb5ab4f60715d2e870a44e6.exe	82
PID 1912 wrote to memory of 2572	1912	f533a1a6bbb0202eef4218189bfece12402b1d7a3cb5ab4f60715d2e870a44e6.exe	82
PID 2572 wrote to memory of 3736	2572	f533a1a6bbb0202eef4218189bfece12402b1d7a3cb5ab4f60715d2e870a44e6.exe	83
PID 2572 wrote to memory of 3736	2572	f533a1a6bbb0202eef4218189bfece12402b1d7a3cb5ab4f60715d2e870a44e6.exe	83
PID 2572 wrote to memory of 3736	2572	f533a1a6bbb0202eef4218189bfece12402b1d7a3cb5ab4f60715d2e870a44e6.exe	83
PID 3736 wrote to memory of 4784	3736	ScanDisp.exe	84
PID 3736 wrote to memory of 4784	3736	ScanDisp.exe	84
PID 3736 wrote to memory of 4784	3736	ScanDisp.exe	84
PID 4784 wrote to memory of 928	4784	ScanDisp.exe	85
PID 4784 wrote to memory of 928	4784	ScanDisp.exe	85
PID 4784 wrote to memory of 928	4784	ScanDisp.exe	85
PID 4784 wrote to memory of 928	4784	ScanDisp.exe	85
PID 928 wrote to memory of 4112	928	cmd.exe	95
PID 928 wrote to memory of 4112	928	cmd.exe	95
PID 928 wrote to memory of 4112	928	cmd.exe	95
PID 928 wrote to memory of 4112	928	cmd.exe	95
PID 928 wrote to memory of 4112	928	cmd.exe	95

C:\Users\Admin\AppData\Local\Temp\f533a1a6bbb0202eef4218189bfece12402b1d7a3cb5ab4f60715d2e870a44e6.exe
"C:\Users\Admin\AppData\Local\Temp\f533a1a6bbb0202eef4218189bfece12402b1d7a3cb5ab4f60715d2e870a44e6.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1912
- C:\Windows\TEMP\{DB3435A8-F8D3-4B5C-A462-E1CB39FD0A26}\.cr\f533a1a6bbb0202eef4218189bfece12402b1d7a3cb5ab4f60715d2e870a44e6.exe
  "C:\Windows\TEMP\{DB3435A8-F8D3-4B5C-A462-E1CB39FD0A26}\.cr\f533a1a6bbb0202eef4218189bfece12402b1d7a3cb5ab4f60715d2e870a44e6.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\f533a1a6bbb0202eef4218189bfece12402b1d7a3cb5ab4f60715d2e870a44e6.exe" -burn.filehandle.attached=644 -burn.filehandle.self=632
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2572
- - C:\Windows\TEMP\{990530B6-D8E4-456C-9CE8-6F3B00DB82A2}\.ba\ScanDisp.exe
    C:\Windows\TEMP\{990530B6-D8E4-456C-9CE8-6F3B00DB82A2}\.ba\ScanDisp.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3736
  - - C:\Users\Admin\AppData\Roaming\FastManage_v5\ScanDisp.exe
      C:\Users\Admin\AppData\Roaming\FastManage_v5\ScanDisp.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:4784
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\SysWOW64\cmd.exe
        5⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:928
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dfac1b03

Filesize
1.5MB

MD5
93f094e8f9533faa5ab211426475c9c4

SHA1
60c1d5b47c12c6e8a1733e99ad1f49fd06495d0d

SHA256
bd6d675ff3bb18e965efba3db996923001c2bd01ca177889438f46400d2e3830

SHA512
bc6a410a8e75a973e5431d6fc66279b51f02d881464c3e7f7898346e37c601ea72367565c0e0df141ebb56ff73c2ccb6a7514da7e404e46aced49f8522cbef21

Download Submit
C:\Windows\TEMP\{990530B6-D8E4-456C-9CE8-6F3B00DB82A2}\.ba\catecholamine.bmp

Filesize
40KB

MD5
bd76c0ee66403804c0e9608dcad83997

SHA1
65ac5b34713c00bfca50a1b33f56a2b3631e761d

SHA256
54dad6db97d72016fe1b9f24d67acea2a0150007a330512cede7770154c50bef

SHA512
3c9f70efd53d65edeaf101308b8e0deac7c21ce991e3e545cfe79cbcdef40a7200a9eb416742d8a961b3bdcd73e5523303b52cc01c42f04ee16f4fc5e2ff4a78

Download Submit
C:\Windows\TEMP\{990530B6-D8E4-456C-9CE8-6F3B00DB82A2}\.ba\razoo.sql

Filesize
1.2MB

MD5
76d644d354b3ee9e7d6aa72d61da702e

SHA1
d8044aec40193e480ebec38f82f234526e33f8eb

SHA256
985bd69cf2d11c733b1864fb8e3743852973a69f7250b4649828131f6cbe2956

SHA512
a31cba3eb15e4b279b60c6668039c4dc36eb559245218375a2449cd53f0aaf3ff00665fff8a144c29f8c735e164e65fc28a4463940309cab68ef1c85fbb3b535

Download Submit
C:\Windows\TEMP\{990530B6-D8E4-456C-9CE8-6F3B00DB82A2}\.ba\rtl120.bpl

Filesize
1.0MB

MD5
d229efd5857fade06e2578e580bace0a

SHA1
48902e82a063125021eb8a629a26efa6a1de8778

SHA256
4b2efc1d5b494a6024ac48cc760c7031b5cf19a7b70bdcb4157759d5d5afc54c

SHA512
5b646fd6a8f690f355b05cd065c0b4efff794ff0066f29d2c69a7be0af6ca7695ad3ef6e7c503d9b2e71c7fcca71174fbb2e9eda5b239a07d3618c963675fc39

Download Submit
C:\Windows\Temp\{990530B6-D8E4-456C-9CE8-6F3B00DB82A2}\.ba\Mapleleaf.dll

Filesize
582KB

MD5
a9cdb36ae149705a8744b39318a47b13

SHA1
ae5850e5cd5f3bcdc9640e80f68db7b068091ac8

SHA256
7959b8c730040e4c9f01d258c29bcd04f43b76da014dfb06da403c55c1a86cdf

SHA512
394bffff80888151927e1d90538380f7811a05a5a3f9bbdb04f08a6fed13d2e0a6d41364ce1fe1f9c872466c2a2f00b9daf6650116d7907dfc079a88d991e2bf

Download Submit
C:\Windows\Temp\{990530B6-D8E4-456C-9CE8-6F3B00DB82A2}\.ba\ScanDisp.exe

Filesize
108KB

MD5
fef6b0ad8eaa466105b74565b6dd140b

SHA1
71c74b0890fa75f49342f3e1e23b5cea35939bfe

SHA256
9d8ecda7731bf83b1360d14a1a556fb62145a6b4531d086a742ed3a0f4ee5e2f

SHA512
2424c42323e7d75b3ff1424f81c8a180dfd7c8f7efc1030e57b66f36ef1727d9f0788f1c380e740b68d82add778b9e0623c3da79d6eb5e089300c4d130aea366

Download Submit
C:\Windows\Temp\{990530B6-D8E4-456C-9CE8-6F3B00DB82A2}\.ba\madBasic_.bpl

Filesize
211KB

MD5
641c567225e18195bc3d2d04bde7440b

SHA1
20395a482d9726ad80820c08f3a698cf227afd10

SHA256
c2df993943c87b1e0f07ddd7a807bb66c2ef518c7cf427f6aa4ba0f2543f1ea0

SHA512
1e6023d221ba16a6374cfeb939f795133130b9a71f6f57b1bc6e13e3641f879d409783cf9b1ef4b8fd79b272793ba612d679a213ff97656b3a728567588ecfb9

Download Submit
C:\Windows\Temp\{990530B6-D8E4-456C-9CE8-6F3B00DB82A2}\.ba\madDisAsm_.bpl

Filesize
64KB

MD5
3936a92320f7d4cec5fa903c200911c7

SHA1
a61602501ffebf8381e39015d1725f58938154ca

SHA256
2aec41414aca38de5aba1cab7bda2030e1e2b347e0ae77079533722c85fe4566

SHA512
747ea892f6e5e3b7500c363d40c5c2a62e9fcf898ade2648262a4277ad3b31e0bcd5f8672d79d176b4759790db688bf1a748b09cbcb1816288a44554016e46d3

Download Submit
C:\Windows\Temp\{990530B6-D8E4-456C-9CE8-6F3B00DB82A2}\.ba\madExcept_.bpl

Filesize
437KB

MD5
e8818a6b32f06089d5b6187e658684ba

SHA1
7d4f34e3a309c04df8f60e667c058e84f92db27a

SHA256
91ee84d5ab6d3b3de72a5cd74217700eb1309959095214bd2c77d12e6af81c8e

SHA512
d00ecf234cb642c4d060d15f74e4780fc3834b489516f7925249df72747e1e668c4ac66c6cc2887efde5a9c6604b91a688ba37c2a3b13ee7cf29ed7adcfa666d

Download Submit
C:\Windows\Temp\{990530B6-D8E4-456C-9CE8-6F3B00DB82A2}\.ba\vcl120.bpl

Filesize
1.9MB

MD5
c594d746ff6c99d140b5e8da97f12fd4

SHA1
f21742707c5f3fee776f98641f36bd755e24a7b0

SHA256
572edb7d630e9b03f93bd15135d2ca360176c1232051293663ec5b75c2428aec

SHA512
33b9902b2cf1154d850779cd012c0285882e158b9d1422c54ea9400ca348686773b6bacb760171060d1a0e620f8ff4a26ecd889dea3c454e8fc5fa59b173832b

Download Submit
C:\Windows\Temp\{DB3435A8-F8D3-4B5C-A462-E1CB39FD0A26}\.cr\f533a1a6bbb0202eef4218189bfece12402b1d7a3cb5ab4f60715d2e870a44e6.exe

Filesize
3.2MB

MD5
a1064ae0dd8ef0df01dde1d0d753fec9

SHA1
d094150b59b3355ea9fc0f9d53e262eb70cdd595

SHA256
5b72ed338df66d19c17f8068d185307f1c1e7551e384ef1602e3f4aa06a86390

SHA512
2dc8b8c343a6ddaa7f7aeb3c28aa6a7b71c5394bba906c659dc33f6e7d6fc8c2b3f639e209dc4b93925b89be78397feb6d23363d635b51d85eac5364c0191289

Download Submit
memory/928-88-0x0000000074140000-0x00000000742BB000-memory.dmp

Filesize
1.5MB

Download
memory/928-83-0x00007FF949D50000-0x00007FF949F45000-memory.dmp

Filesize
2.0MB

Download
memory/928-85-0x0000000074140000-0x00000000742BB000-memory.dmp

Filesize
1.5MB

Download
memory/3736-57-0x0000000057000000-0x000000005703F000-memory.dmp

Filesize
252KB

Download
memory/3736-66-0x0000000050000000-0x0000000050116000-memory.dmp

Filesize
1.1MB

Download
memory/3736-58-0x0000000059800000-0x000000005986E000-memory.dmp

Filesize
440KB

Download
memory/3736-65-0x0000000057800000-0x0000000057812000-memory.dmp

Filesize
72KB

Download
memory/3736-56-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3736-39-0x0000000074140000-0x00000000742BB000-memory.dmp

Filesize
1.5MB

Download
memory/3736-67-0x0000000050120000-0x000000005030D000-memory.dmp

Filesize
1.9MB

Download
memory/3736-40-0x00007FF949D50000-0x00007FF949F45000-memory.dmp

Filesize
2.0MB

Download
memory/4112-95-0x0000000005280000-0x0000000005312000-memory.dmp

Filesize
584KB

Download
memory/4112-91-0x0000000072C30000-0x0000000073E84000-memory.dmp

Filesize
18.3MB

Download
memory/4112-94-0x0000000000BA0000-0x0000000000C66000-memory.dmp

Filesize
792KB

Download
memory/4112-96-0x00000000058D0000-0x0000000005E74000-memory.dmp

Filesize
5.6MB

Download
memory/4112-97-0x00000000055B0000-0x0000000005772000-memory.dmp

Filesize
1.8MB

Download
memory/4112-98-0x00000000053E0000-0x0000000005456000-memory.dmp

Filesize
472KB

Download
memory/4112-99-0x0000000005460000-0x00000000054B0000-memory.dmp

Filesize
320KB

Download
memory/4784-74-0x0000000074140000-0x00000000742BB000-memory.dmp

Filesize
1.5MB

Download
memory/4784-73-0x00007FF949D50000-0x00007FF949F45000-memory.dmp

Filesize
2.0MB

Download
memory/4784-72-0x0000000074140000-0x00000000742BB000-memory.dmp

Filesize
1.5MB

Download