Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
07-02-2025 09:19
General
-
Target
saleforce_offline_installer.exe
-
Size
8.9MB
-
MD5
aa1ec7571a7e45ee718fd35136abb2cc
-
SHA1
354b52630cd08560aefe7b78efe5e0c0e9cc12a5
-
SHA256
645e557e03904aca48c1e0467a94de924a8359b6e5a98354a6e44aa2abeba84a
-
SHA512
c00bce637b1d2f5e28d34da816b0d0d3f1d81cc9fe59c953514b65c70c0e3f8b79c9677d4b928447b14829f884e8524b7966df5fd9d6d18bb87e580026e909c7
-
SSDEEP
196608:9hjidJFvglcIAtzyRxJugLjygdnyYQ8X+uPOStz73vK:9QdJ1glxAFyRFjycnJnPt73vK
Malware Config
Signatures
-
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
-
SectopRAT payload 1 IoCs
-
Sectoprat family
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 12 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Program Files directory 19 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Using powershell.exe command.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
-
Suspicious behavior: MapViewOfSection 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of WriteProcessMemory 21 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\saleforce_offline_installer.exe"C:\Users\Admin\AppData\Local\Temp\saleforce_offline_installer.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-AOM8A.tmp\saleforce_offline_installer.tmp"C:\Users\Admin\AppData\Local\Temp\is-AOM8A.tmp\saleforce_offline_installer.tmp" /SL5="$6006C,1997786,793600,C:\Users\Admin\AppData\Local\Temp\saleforce_offline_installer.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\is-AH0TC.tmp\Content.ps1"3⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\A9sQ\ISDbg.exe"C:\Users\Admin\AppData\Roaming\A9sQ\ISDbg.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\vkt_secure\ISDbg.exeC:\Users\Admin\AppData\Roaming\vkt_secure\ISDbg.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe6⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe7⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
1.4MB
MD5109644564460f17ff9b38dfc922a26e3
SHA126bd3e0d717f7d7e82b829ed793510501abacc55
SHA256ec82a58e36f298a756bb4e99218b4bce23e042196b132ca055877ae6c07c1976
SHA5123df43b6267629d977f5d105bcf9409b814f969dd1f2c71b13ff10b07aad709022eb269a1b6814720b08a91e159b858f85822dba33e9f9ed2301c96438dcb7e1d
-
Filesize
7.7MB
MD5e9b8abe35cac28d8b49782c5c8eceac9
SHA1b01460a1d72b4cf02460a4756431f0c048e44b52
SHA256efd04c82dd0838cf7cb22ac8081bc0dafcf8bc34e778795a7ca608a9ab02148b
SHA5128ed1be382d9e4d624e524640739aa67ae7aa4c14c52f30a87d88b82c30bdf580560f1736e009583318b056a719f8040bc9774d9342e9eebc9798e811c8733b6c
-
Filesize
3.3MB
MD51fe979e33257ace3388bc7e809e24379
SHA1b3971ba1930fa75335d82c72e19939bbbad8a342
SHA2567b7aaf4dd5e9bb0a3e18a1d948e5283953122da43ea6a42244d3550ffffac3a0
SHA5127533a960dfb56977955ac2d0521ef5ba8642ec0e6f1a3e18c0e19c75498a113bbd2f4dc97b56250d98aac53cc27176b912afc8435bf0792e91007e913a993135
-
Filesize
3.2MB
MD5818abbbd3717505c01e4e8277406af8f
SHA14374b855c5a37e89daa37791d1a4f2c635bf66e7
SHA256bc0acdfb672ad01ad3b658ee51e2ee6523d56ea4bc4c066b390cf9b494e2aa69
SHA5127c73ec9b15e82964573db1b7d3996677b244b6efa64cab60cefff6d995d3ea3e6e89c1578c5b5a266b964a19336ce5b956a4a4f37be12b4907dbee827b6613b9
-
Filesize
3.6MB
MD57ca79f128adaf85ba662d15af223acac
SHA1af6d8587efe0fa22b38e623b0358e4636ac7ea65
SHA256af2f747f6daa4b949ee7e418e36aee0e40de8abd3cbd4dccc26105dbfa8211d6
SHA5123ac8fd62d6f4143d0704233664d19271f00bc9322239975d3403272cb9f2b4836d8329431507543f973deb353ddb80ea26befe6217a400d3c6fb5e43bc7652fd
-
Filesize
7.1MB
MD5a7339e5a1ffc622095a0320d21cb0cf6
SHA132151c80dc4c6008d07fb607e9f17251fd4082d4
SHA256f9a203f8dc6eca92b47c5cff489baadcefad93af234773e7c2a71c8744e3625f
SHA5125f7158ae048e04f641adc94341638d262863ae6cf7d004dc0a8385b05e910349546aca45cbb8db598ba2e75784b9834e9ddbc312555cfb041ee6a08c10a34d39
-
Filesize
3KB
MD5ae2fb3295fd4bee1e651b7b6639d7bfe
SHA14ac939d67002aabccf7a5878302a37b8079dda12
SHA256c1f88d099af72cae6f6baaf7473da78279dc50b112f7fb68f93b5c3f29051c45
SHA51290c2adc288547a2fec7bf6865b1341f2708ecf1e9ca78e0e440de008c5b032192998a42de0359f267e51d7ed8ee6a8e3ecc007d002d394cc5629cb81d94e9db9
-
Filesize
1.2MB
MD50d797316bd487c5e3fc756a2bb9c661f
SHA1ddda0ea9bf18ab2f0354dc9e48bf80a67f027758
SHA25655968c420227a244c2fb0c2642c560ab8b76839ef9df31ced94f2be3c260ddbf
SHA512573c56acd1d09f9358dc9e6172c64f19ffde40ef6f2a61a349a43065134a545f31e75b81ea4e41480a33b0e083887c403229fa67d89255634afd975fc113e609
-
Filesize
437KB
MD5dc739066c9d0ca961cba2f320cade28e
SHA181ed5f7861e748b90c7ae2d18da80d1409d1fa05
SHA25674e9268a68118bb1ac5154f8f327887715960ccc37ba9dabbe31ecd82dcbaa55
SHA5124eb181984d989156b8703fd8bb8963d7a5a3b7f981fe747c6992993b7a1395a21f45dbedf08c1483d523e772bdf41330753e1771243b53da36d2539c01171cf1
-
Filesize
88KB
MD51d4ff3cf64ab08c66ae9a4013c89a3ac
SHA1f9ee15d0e9b0b7e04ff4c8a5de5afcffe8b2527b
SHA25665f620bc588d95fe2ed236d1602e49f89077b434c83102549eed137c7fdc7220
SHA51265fbd68843280e933620c470e524fba993ab4c48ede4bc0917b4ebe25da0408d02daec3f5afcd44a3ff8aba676d2eff2dda3f354029d27932ef39c9fdea51c26
-
Filesize
3.3MB
-
Filesize
3.3MB
-
Filesize
3.3MB
-
Filesize
3.3MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
1.5MB
-
Filesize
2.0MB
-
Filesize
7.2MB
-
Filesize
1.5MB
-
Filesize
408KB
-
Filesize
216KB
-
Filesize
600KB
-
Filesize
5.6MB
-
Filesize
304KB
-
Filesize
7.7MB
-
Filesize
200KB
-
Filesize
120KB
-
Filesize
3.3MB
-
Filesize
652KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
6.5MB
-
Filesize
40KB
-
Filesize
68KB
-
Filesize
7.7MB
-
Filesize
72KB
-
Filesize
40KB
-
Filesize
104KB
-
Filesize
120KB
-
Filesize
304KB
-
Filesize
4KB
-
Filesize
136KB
-
Filesize
7.7MB
-
Filesize
3.3MB
-
Filesize
7.7MB
-
Filesize
408KB
-
Filesize
136KB
-
Filesize
6.2MB
-
Filesize
18.3MB
-
Filesize
320KB
-
Filesize
472KB
-
Filesize
1.8MB
-
Filesize
584KB
-
Filesize
784KB
-
Filesize
672KB
-
Filesize
832KB
-
Filesize
832KB
-
Filesize
832KB
-
Filesize
2.0MB
-
Filesize
1.5MB
-
Filesize
2.0MB
-
Filesize
7.2MB
-
Filesize
1.5MB