Analysis

  • max time kernel
    142s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    29-01-2025 02:09

General

  • Target

    1002b5f38bce8988215ebfb62452d5f19279053573c0faf071f651861ca4ad28.exe

  • Size

    55.0MB

  • MD5

    5653ea2576b83a727ad2de3a95cb0150

  • SHA1

    89fc6e98adcb3fe597db6315460180b3812fa439

  • SHA256

    1002b5f38bce8988215ebfb62452d5f19279053573c0faf071f651861ca4ad28

  • SHA512

    e0b4a11a4105eb917a2479704430d77e6dd87714e66fc7ea8500e4d40d63cef071d6aca1c0d3f73ae79f2006beec08ff1cb6d5d80546260ea74bcdc42f59d928

  • SSDEEP

    1572864:k1jtZHyiLYnqk/tir8sBrDRDZhazK7tDboe0+:4jvHydqk5cn7hazO5b0+

Malware Config

Signatures

  • SectopRAT

    SectopRAT is a remote access trojan first seen in November 2019.

  • SectopRAT payload 2 IoCs
  • Sectoprat family
  • Drops startup file 1 IoCs
  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 13 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1002b5f38bce8988215ebfb62452d5f19279053573c0faf071f651861ca4ad28.exe
    "C:\Users\Admin\AppData\Local\Temp\1002b5f38bce8988215ebfb62452d5f19279053573c0faf071f651861ca4ad28.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2460
    • C:\Users\Public\Pictures\08.part01.exe
      "C:\Users\Public\Pictures\08.part01.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2564
      • C:\Users\Public\Pictures\04.exe
        "C:\Users\Public\Pictures\04.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2920
        • C:\Users\Admin\AppData\Local\Temp\is-L539B.tmp\04.tmp
          "C:\Users\Admin\AppData\Local\Temp\is-L539B.tmp\04.tmp" /SL5="$801F6,14420606,121344,C:\Users\Public\Pictures\04.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2492
          • C:\Users\Public\Pictures\04.exe
            "C:\Users\Public\Pictures\04.exe" /VERYSILENT
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:1584
            • C:\Users\Admin\AppData\Local\Temp\is-7IAIR.tmp\04.tmp
              "C:\Users\Admin\AppData\Local\Temp\is-7IAIR.tmp\04.tmp" /SL5="$901F6,14420606,121344,C:\Users\Public\Pictures\04.exe" /VERYSILENT
              6⤵
              • Drops startup file
              • Executes dropped EXE
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of WriteProcessMemory
              PID:2480
              • C:\Users\Admin\AppData\Local\reclosable\flyvpn.exe
                "C:\Users\Admin\AppData\Local\reclosable\flyvpn.exe"
                7⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:2304

Network

  • flag: US
    DNS
    pastebin.com
    flyvpn.exe
    Remote address:
    8.8.8.8:53
    Request
    pastebin.com
    IN A
    Response
    pastebin.com
    IN A
    104.20.3.235
    pastebin.com
    IN A
    104.20.4.235
    pastebin.com
    IN A
    172.67.19.24
  • flag: US
    GET
    https://pastebin.com/raw/WQwfZTNB
    flyvpn.exe
    Remote address:
    104.20.3.235:443
    Request
    GET /raw/WQwfZTNB HTTP/1.1
    Host: pastebin.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 403 Forbidden
    Date: Wed, 29 Jan 2025 02:11:06 GMT
    Content-Type: text/html; charset=UTF-8
    Content-Length: 6773
    Connection: close
    accept-ch: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
    critical-ch: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
    cross-origin-embedder-policy: require-corp
    cross-origin-opener-policy: same-origin
    cross-origin-resource-policy: same-origin
    origin-agent-cluster: ?1
    permissions-policy: accelerometer=(),autoplay=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()
    referrer-policy: same-origin
    x-content-options: nosniff
    x-frame-options: SAMEORIGIN
    cf-mitigated: challenge
    cf-chl-out: ZqsSaV6UkGW2XQYI1Ql+tbddajdKIfugeq9zl3VzCVWPaybg8Gebb1CufcHnbVs+YLfgsrO0oqfEjguortcQi/XOz4HhICKTYzWEuML9BZY=$k42wb6J59J5Ov6CoiC+PQQ==
    Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
    Expires: Thu, 01 Jan 1970 00:00:01 GMT
    Server: cloudflare
    CF-RAY: 9095b08ced86632e-LHR
  • flag: US
    GET
    https://pastebin.com/raw/WQwfZTNB
    flyvpn.exe
    Remote address:
    104.20.3.235:443
    Request
    GET /raw/WQwfZTNB HTTP/1.1
    Host: pastebin.com
    Response
    HTTP/1.1 403 Forbidden
    Date: Wed, 29 Jan 2025 02:11:55 GMT
    Content-Type: text/html; charset=UTF-8
    Content-Length: 6795
    Connection: close
    accept-ch: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
    critical-ch: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
    cross-origin-embedder-policy: require-corp
    cross-origin-opener-policy: same-origin
    cross-origin-resource-policy: same-origin
    origin-agent-cluster: ?1
    permissions-policy: accelerometer=(),autoplay=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()
    referrer-policy: same-origin
    x-content-options: nosniff
    x-frame-options: SAMEORIGIN
    cf-mitigated: challenge
    cf-chl-out: ONf1uClWM9dWPAa7dU+mZenO1NljZwnDOjekqGF8eSbE44VrcjLNiPEjWiGDi/erhWHqbcDCgBlK9t3BkrYxYEtDNhQsOeMYe572ahfCc4M=$nLXjQhT5w4ML/HHtS2g+xg==
    Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
    Expires: Thu, 01 Jan 1970 00:00:01 GMT
    Server: cloudflare
    CF-RAY: 9095b1c209be9455-LHR
  • 194.26.29.44:15647
    flyvpn.exe
    152 B
    3
  • 104.20.3.235:443
    https://pastebin.com/raw/WQwfZTNB
    tls, http
    flyvpn.exe
    923 B
    12.1kB
    12
    16

    HTTP Request

    GET https://pastebin.com/raw/WQwfZTNB

    HTTP Response

    403
  • 194.26.29.44:15647
    flyvpn.exe
    152 B
    3
  • 104.20.3.235:443
    https://pastebin.com/raw/WQwfZTNB
    tls, http
    flyvpn.exe
    931 B
    12.1kB
    12
    16

    HTTP Request

    GET https://pastebin.com/raw/WQwfZTNB

    HTTP Response

    403
  • 8.8.8.8:53
    pastebin.com
    dns
    flyvpn.exe
    58 B
    106 B
    1
    1

    DNS Request

    pastebin.com

    DNS Response

    104.20.3.235
    104.20.4.235
    172.67.19.24

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Public\Pictures\08.part02.rar

    Filesize

    5.0MB

    MD5

    f8b39d3da4719f12e9ae431f00d737d6

    SHA1

    bb0e0b77506f5dbadf83b8f6ea554884e75065f0

    SHA256

    6a2ffc997171843869c3e02a7402839524765ccf6bf39f5c2ee61a7cbe99a343

    SHA512

    fb2bc7e7e51e72e38790d375c342f908deb058d69d8e5c8bfb8dafbb3aae6afecbce688cc304cc84eda0e02794362b70efca1b4832f13180550e0f7ecb933b6c

  • C:\Users\Public\Pictures\08.part03.rar

    Filesize

    5.0MB

    MD5

    744d16aa110dec53c3c452b2ceca46e0

    SHA1

    0a6b0829213ae16c36daad98dc2b9402bd0c3f4e

    SHA256

    f447b4e62a00b5929b415379e3e4ba0b30d45c50675e0e4436ca3134cb12c39a

    SHA512

    484359e591edd06f9f01b6d6f9273780bd5115aeab8847020f898ceb5f2c8508127943c199550d03906c15cc2a2dc141fbd549968cd7c4135bc1fb2e4bda4dfd

  • C:\Users\Public\Pictures\08.part04.rar

    Filesize

    5.0MB

    MD5

    e81fbd4c0f7a1f0706d264a81f9d9566

    SHA1

    e1f6514fff4faacfbb65ab7cf098f22eb79a6ba7

    SHA256

    66b1d46e712cb95292dba4fa81fb1d28877893d6d1f5305501b29d33a9de5274

    SHA512

    069ad24dbba2feda06d7b7459f9c660307f88be36f894601c7821f5d19d92bb2082d1a0efdb5d6bddae71b295a05fff3e792f09fa260b8cb684f72d883dc5ebf

  • C:\Users\Public\Pictures\08.part05.rar

    Filesize

    5.0MB

    MD5

    18257b2de13c3c0d0b363de09d1fd952

    SHA1

    78cd7d301e8a9ba5eaa2dba1c037704053076774

    SHA256

    286a3678facd4b0ffef5c4ed4f51be39d89646ababe0451cbf1e22e81f7784a5

    SHA512

    9ff87c4bad5acbcdb294eba59a299ac894c1c45c49684a0876bd279ba2f61a71a1fe34e82df0a71c0b0e41d1fa7cb54a2fd8bfbdd1f0e3711097b1dd41502afd

  • C:\Users\Public\Pictures\08.part06.rar

    Filesize

    5.0MB

    MD5

    d89f90a138e01ce9c3d95912cc5ba475

    SHA1

    14e15406cc37beaeed180de71c766a56dac44f27

    SHA256

    a57af80c71db3e88a6375327dd11664be4b314cec893100b7d1e1daeddba045c

    SHA512

    2a1bf61d26f7e28b4bf01aa54fe0c8eaefcbecb5cddd9de10cdbcb800cd542beaccb2a0f3c852008247f4cb8efe59927e2bd761d6a025a4ab98f2049798d65c5

  • C:\Users\Public\Pictures\08.part07.rar

    Filesize

    5.0MB

    MD5

    ac5e21979b1cd48617f009c92ce28e4a

    SHA1

    9780727b8a79da37dfc5adc839254597f1252a4e

    SHA256

    f5992855d2dcfd4095dc5ac68935be96a5a266783705d6da562b14e148cc25a8

    SHA512

    a47a885bbd8c49335d2e43d746efb3445b84915b14c637e08dc9a2f81447d607b26f1d714fa4fb7a52a3c20399fc8175c01341e1bc88572d2f61f3558c368f29

  • C:\Users\Public\Pictures\08.part08.rar

    Filesize

    5.0MB

    MD5

    867337871bdf34ca6269afb069ee1218

    SHA1

    31b924f4f589b32f0c920c71c60e3a3c41085d4e

    SHA256

    5ecc451dce4c1ca7e6ec115c1dc6a307011e3ff7716d54af86f3e1acc73b6ede

    SHA512

    ada35b74a186458b361f5a1e7d360d99394d89302af38781bc4df4c47bed27843a644e75dac40a155ff39c2afcaaafa56765fe8fe389bef0bc4134d21e7bcf1f

  • C:\Users\Public\Pictures\08.part09.rar

    Filesize

    5.0MB

    MD5

    316985932dd9b118c90dacba28ba9502

    SHA1

    9bc7253b5cfb9f9a51fb6b89ba58d3ef940c9b10

    SHA256

    2c8dfb90ebf24fd0354694074948c4ad9263b8ef9407ad3bb73d81eb7296335a

    SHA512

    aa0e2bfa48d16a7d0a66c45d359d982e6dc966cfd4e94472f7c642a1f8eb33067d1785990ed6e17d0fca3560dd114e437db35b9c1013ac11aae4fdd41c3e24d5

  • C:\Users\Public\Pictures\08.part10.rar

    Filesize

    5.0MB

    MD5

    151317c6466c52eaa47cf3d591024436

    SHA1

    ed41fd6e61ad5c8312ad2fc2f3a83cda3d1ee590

    SHA256

    d0428f3c138bea9cb1547d88e81c7bf2f1e017f1e2b0191865a5b1ff5580dc50

    SHA512

    4436001f7a9ddf5a9cfd21a1a5bfd62943e83cdceba4cc98c5a04be608dfe7387940f6934a0a572e56975e0d291f7ad97f9bf59c602489f025c443685b56d413

  • C:\Users\Public\Pictures\08.part11.rar

    Filesize

    4.9MB

    MD5

    9c18d1fe7b0a7caad6140b473618f1c2

    SHA1

    5e96a27f9241745db61110cda119c77987fd3b97

    SHA256

    df8fe0e30eacfa2f2089d146088cdeff71317094c6f9d4e0f29e9c9279160804

    SHA512

    cd946ee424203f4f26f48632a737c4e28ba42109c823c3a66065731b3a1c17ae480ff3e251aee935c18719a0dd60e1ed05a0ebdf0984a7dea02ea1f00594645f

  • \Users\Admin\AppData\Local\Temp\is-8NSOF.tmp\_isetup\_isdecmp.dll

    Filesize

    29KB

    MD5

    fd4743e2a51dd8e0d44f96eae1853226

    SHA1

    646cef384e949aaf61e6d0b243d8d84ab04e79b7

    SHA256

    6535ba91fcca7174c3974b19d9ab471f322c2bf49506ef03424517310080be1b

    SHA512

    4587c853871624414e957f083713ec62d50c46b7041f83faa45dbf99b99b8399fc08d586d240e4bccee5eb0d09e1cdcb3fd013f07878adf4defcc312712e468d

  • \Users\Admin\AppData\Local\Temp\is-L539B.tmp\04.tmp

    Filesize

    1.1MB

    MD5

    90fc739c83cd19766acb562c66a7d0e2

    SHA1

    451f385a53d5fed15e7649e7891e05f231ef549a

    SHA256

    821bd11693bf4b4b2b9f3c196036e1f4902abd95fb26873ea6c43e123b8c9431

    SHA512

    4cb11ad48b7585ef1b70fac9e3c25610b2f64a16358cd51e32adcb0b17a6ab1c934aeb10adaa8e9ddf69b2e2f1d18fe2e87b49b39f89b05ea13aa3205e41296c

  • \Users\Admin\AppData\Local\reclosable\flyvpn.exe

    Filesize

    13.9MB

    MD5

    4d8e624f384094c048f779b9bb94a3bb

    SHA1

    d81dca9f8165c915d88c9cc4c645f296198dc95e

    SHA256

    1d40788ce56c4cafdd19ae5f2b567e51234a32fa179ec8fba45452dd46b4fab1

    SHA512

    ae0294b02a073cff03d0272c74da2157807305d38993b91285a29b7ae000600324ae822fe6ee1e5986a87fdd7838979d84eda9d6b2499b28000f5d7586d34c47

  • \Users\Public\Pictures\04.exe

    Filesize

    17.3MB

    MD5

    2d5f24f25ed215dcd5b36a471f443633

    SHA1

    647c48f00951f83a0df41473898aeb703f044b53

    SHA256

    8777be6a537392b72fae3846d7f249cc64caa5ca9eff09f096270c0b6479dc63

    SHA512

    2e3869728d6922beacc1f8ca76afe530416942b084e6618f87bc38ecedb1154096e7c1b039c569d8f530372ac26b33f955960e1aa32914db3ac3539f20531ca1

  • \Users\Public\Pictures\08.part01.exe

    Filesize

    5.0MB

    MD5

    9507592f75450f7cda251c5cd1978d0f

    SHA1

    c0afa3fd5448b769b3dc7eb5ae8f6b2f5b5f4c36

    SHA256

    4ed0eebe48b90ae8906a2a618e536359f23c8e5aac0acfb65399f448db18c747

    SHA512

    6d39f0809a92dcff9ea515e12f24b48259c9da173588b1e618f59517aad53ab0941f9d03eab160ba577934ca43407b1aff88073e33d0b74c9de148bc4709206d

  • memory/1584-256-0x0000000000400000-0x0000000000428000-memory.dmp

    Filesize

    160KB

  • memory/1584-236-0x0000000000400000-0x0000000000428000-memory.dmp

    Filesize

    160KB

  • memory/2304-261-0x0000000000230000-0x00000000002FA000-memory.dmp

    Filesize

    808KB

  • memory/2304-262-0x0000000004B80000-0x0000000004C46000-memory.dmp

    Filesize

    792KB

  • memory/2480-259-0x0000000000400000-0x000000000052D000-memory.dmp

    Filesize

    1.2MB

  • memory/2492-235-0x0000000000400000-0x000000000052D000-memory.dmp

    Filesize

    1.2MB

  • memory/2920-239-0x0000000000400000-0x0000000000428000-memory.dmp

    Filesize

    160KB

  • memory/2920-219-0x0000000000400000-0x0000000000428000-memory.dmp

    Filesize

    160KB
