Analysis
-
max time kernel: 150s
-
max time network: 139s
-
platform: windows10-2004_x64
-
resource: win10v2004-20250207-en
-
resource tags: arch:x64, arch:x86, image:win10v2004-20250207-en, locale:en-us, os:windows10-2004-x64, system
-
submitted: 08-02-2025 03:35
Static task
static1
Behavioral task
behavioral1
Sample
645e557e03904aca48c1e0467a94de924a8359b6e5a98354a6e44aa2abeba84a.exe
Resource
win7-20241010-en
General
-
Target
645e557e03904aca48c1e0467a94de924a8359b6e5a98354a6e44aa2abeba84a.exe
-
Size
8.9MB
-
MD5
aa1ec7571a7e45ee718fd35136abb2cc
-
SHA1
354b52630cd08560aefe7b78efe5e0c0e9cc12a5
-
SHA256
645e557e03904aca48c1e0467a94de924a8359b6e5a98354a6e44aa2abeba84a
-
SHA512
c00bce637b1d2f5e28d34da816b0d0d3f1d81cc9fe59c953514b65c70c0e3f8b79c9677d4b928447b14829f884e8524b7966df5fd9d6d18bb87e580026e909c7
-
SSDEEP
196608:9hjidJFvglcIAtzyRxJugLjygdnyYQ8X+uPOStz73vK:9QdJ1glxAFyRFjycnJnPt73vK
Malware Config
Signatures
-
SectopRAT payload 1 IoCs
resource | yara_rule
behavioral2/memory/1728-189-0x0000000000800000-0x00000000008C4000-memory.dmp | family_sectoprat
-
Sectoprat family
-
Downloads MZ/PE file 1 IoCs
flow | pid | Process
45 | 1392 | Process not Found
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1290774215-692483676-1419523182-1000\Control Panel\International\Geo\Nation | 645e557e03904aca48c1e0467a94de924a8359b6e5a98354a6e44aa2abeba84a.tmp
-
Executes dropped EXE 3 IoCs
pid | Process
3012 | 645e557e03904aca48c1e0467a94de924a8359b6e5a98354a6e44aa2abeba84a.tmp
1864 | ISDbg.exe
5116 | ISDbg.exe
-
Loads dropped DLL 12 IoCs
pid | Process
1864 | ISDbg.exe
1864 | ISDbg.exe
1864 | ISDbg.exe
1864 | ISDbg.exe
1864 | ISDbg.exe
1864 | ISDbg.exe
5116 | ISDbg.exe
5116 | ISDbg.exe
5116 | ISDbg.exe
5116 | ISDbg.exe
5116 | ISDbg.exe
5116 | ISDbg.exe
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 2 IoCs
description | pid | Process | procid_target
PID 5116 set thread context of 3720 | 5116 | ISDbg.exe | 101
PID 3720 set thread context of 1728 | 3720 | cmd.exe | 107
-
Drops file in Program Files directory 19 IoCs
description | ioc | Process
File created | C:\Program Files (x86)\salesforce.com\unins000.dat | 645e557e03904aca48c1e0467a94de924a8359b6e5a98354a6e44aa2abeba84a.tmp
File created | C:\Program Files (x86)\salesforce.com\is-1BP5R.tmp | 645e557e03904aca48c1e0467a94de924a8359b6e5a98354a6e44aa2abeba84a.tmp
File created | C:\Program Files (x86)\salesforce.com\3rd Party\is-LLNGB.tmp | 645e557e03904aca48c1e0467a94de924a8359b6e5a98354a6e44aa2abeba84a.tmp
File created | C:\Program Files (x86)\salesforce.com\Offline2\bin\is-2279D.tmp | 645e557e03904aca48c1e0467a94de924a8359b6e5a98354a6e44aa2abeba84a.tmp
File created | C:\Program Files (x86)\salesforce.com\Offline2\conf\is-APQOQ.tmp | 645e557e03904aca48c1e0467a94de924a8359b6e5a98354a6e44aa2abeba84a.tmp
File created | C:\Program Files (x86)\salesforce.com\common\is-31M1K.tmp | 645e557e03904aca48c1e0467a94de924a8359b6e5a98354a6e44aa2abeba84a.tmp
File created | C:\Program Files (x86)\salesforce.com\Offline2\bin\is-D47LU.tmp | 645e557e03904aca48c1e0467a94de924a8359b6e5a98354a6e44aa2abeba84a.tmp
File created | C:\Program Files (x86)\salesforce.com\Offline2\res\is-EV0RU.tmp | 645e557e03904aca48c1e0467a94de924a8359b6e5a98354a6e44aa2abeba84a.tmp
File opened for modification | C:\Program Files (x86)\salesforce.com\unins000.dat | 645e557e03904aca48c1e0467a94de924a8359b6e5a98354a6e44aa2abeba84a.tmp
File created | C:\Program Files (x86)\salesforce.com\3rd Party\is-C06FC.tmp | 645e557e03904aca48c1e0467a94de924a8359b6e5a98354a6e44aa2abeba84a.tmp
File created | C:\Program Files (x86)\salesforce.com\OfficeToolkit\3.0\is-SH95S.tmp | 645e557e03904aca48c1e0467a94de924a8359b6e5a98354a6e44aa2abeba84a.tmp
File created | C:\Program Files (x86)\salesforce.com\Offline2\res\is-OBNSG.tmp | 645e557e03904aca48c1e0467a94de924a8359b6e5a98354a6e44aa2abeba84a.tmp
File created | C:\Program Files (x86)\salesforce.com\Offline2\res\is-105P6.tmp | 645e557e03904aca48c1e0467a94de924a8359b6e5a98354a6e44aa2abeba84a.tmp
File created | C:\Program Files (x86)\salesforce.com\common\is-07TBB.tmp | 645e557e03904aca48c1e0467a94de924a8359b6e5a98354a6e44aa2abeba84a.tmp
File created | C:\Program Files (x86)\salesforce.com\common\is-LK2TA.tmp | 645e557e03904aca48c1e0467a94de924a8359b6e5a98354a6e44aa2abeba84a.tmp
File created | C:\Program Files (x86)\salesforce.com\common\is-AS24U.tmp | 645e557e03904aca48c1e0467a94de924a8359b6e5a98354a6e44aa2abeba84a.tmp
File created | C:\Program Files (x86)\salesforce.com\common\is-V50TC.tmp | 645e557e03904aca48c1e0467a94de924a8359b6e5a98354a6e44aa2abeba84a.tmp
File created | C:\Program Files (x86)\salesforce.com\common\is-FHFIO.tmp | 645e557e03904aca48c1e0467a94de924a8359b6e5a98354a6e44aa2abeba84a.tmp
File created | C:\Program Files (x86)\salesforce.com\Offline2\bin\is-182EO.tmp | 645e557e03904aca48c1e0467a94de924a8359b6e5a98354a6e44aa2abeba84a.tmp
-
pid | Process
3532 | powershell.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ISDbg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ISDbg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MicrosoftEdgeUpdate.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MSBuild.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 645e557e03904aca48c1e0467a94de924a8359b6e5a98354a6e44aa2abeba84a.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 645e557e03904aca48c1e0467a94de924a8359b6e5a98354a6e44aa2abeba84a.tmp
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid | Process
4584 | MicrosoftEdgeUpdate.exe
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
pid | Process
3532 | powershell.exe
3532 | powershell.exe
5116 | ISDbg.exe
3720 | cmd.exe
3720 | cmd.exe
1728 | MSBuild.exe
1728 | MSBuild.exe
1728 | MSBuild.exe
-
Suspicious behavior: MapViewOfSection 3 IoCs
pid | Process
5116 | ISDbg.exe
3720 | cmd.exe
3720 | cmd.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | Process
Token: SeDebugPrivilege | 3532 | powershell.exe
Token: SeDebugPrivilege | 1728 | MSBuild.exe
-
Suspicious use of FindShellTrayWindow 1 IoCs
pid | Process
3012 | 645e557e03904aca48c1e0467a94de924a8359b6e5a98354a6e44aa2abeba84a.tmp
-
Suspicious use of SetWindowsHookEx 1 IoCs
pid | Process
1728 | MSBuild.exe
-
Suspicious use of WriteProcessMemory 21 IoCs
description | pid | Process | procid_target
PID 3508 wrote to memory of 3012 | 3508 | 645e557e03904aca48c1e0467a94de924a8359b6e5a98354a6e44aa2abeba84a.exe | 89
PID 3508 wrote to memory of 3012 | 3508 | 645e557e03904aca48c1e0467a94de924a8359b6e5a98354a6e44aa2abeba84a.exe | 89
PID 3508 wrote to memory of 3012 | 3508 | 645e557e03904aca48c1e0467a94de924a8359b6e5a98354a6e44aa2abeba84a.exe | 89
PID 3012 wrote to memory of 3532 | 3012 | 645e557e03904aca48c1e0467a94de924a8359b6e5a98354a6e44aa2abeba84a.tmp | 96
PID 3012 wrote to memory of 3532 | 3012 | 645e557e03904aca48c1e0467a94de924a8359b6e5a98354a6e44aa2abeba84a.tmp | 96
PID 3012 wrote to memory of 3532 | 3012 | 645e557e03904aca48c1e0467a94de924a8359b6e5a98354a6e44aa2abeba84a.tmp | 96
PID 3532 wrote to memory of 1864 | 3532 | powershell.exe | 99
PID 3532 wrote to memory of 1864 | 3532 | powershell.exe | 99
PID 3532 wrote to memory of 1864 | 3532 | powershell.exe | 99
PID 1864 wrote to memory of 5116 | 1864 | ISDbg.exe | 100
PID 1864 wrote to memory of 5116 | 1864 | ISDbg.exe | 100
PID 1864 wrote to memory of 5116 | 1864 | ISDbg.exe | 100
PID 5116 wrote to memory of 3720 | 5116 | ISDbg.exe | 101
PID 5116 wrote to memory of 3720 | 5116 | ISDbg.exe | 101
PID 5116 wrote to memory of 3720 | 5116 | ISDbg.exe | 101
PID 5116 wrote to memory of 3720 | 5116 | ISDbg.exe | 101
PID 3720 wrote to memory of 1728 | 3720 | cmd.exe | 107
PID 3720 wrote to memory of 1728 | 3720 | cmd.exe | 107
PID 3720 wrote to memory of 1728 | 3720 | cmd.exe | 107
PID 3720 wrote to memory of 1728 | 3720 | cmd.exe | 107
PID 3720 wrote to memory of 1728 | 3720 | cmd.exe | 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\645e557e03904aca48c1e0467a94de924a8359b6e5a98354a6e44aa2abeba84a.exe
"C:\Users\Admin\AppData\Local\Temp\645e557e03904aca48c1e0467a94de924a8359b6e5a98354a6e44aa2abeba84a.exe" 1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3508 -
C:\Users\Admin\AppData\Local\Temp\is-MD2AM.tmp\645e557e03904aca48c1e0467a94de924a8359b6e5a98354a6e44aa2abeba84a.tmp
"C:\Users\Admin\AppData\Local\Temp\is-MD2AM.tmp\645e557e03904aca48c1e0467a94de924a8359b6e5a98354a6e44aa2abeba84a.tmp" /SL5="$80052,1997786,793600,C:\Users\Admin\AppData\Local\Temp\645e557e03904aca48c1e0467a94de924a8359b6e5a98354a6e44aa2abeba84a.exe" 2⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3012 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\is-F27DJ.tmp\Content.ps1" 3⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3532 -
C:\Users\Admin\AppData\Roaming\A9sQ\ISDbg.exe
"C:\Users\Admin\AppData\Roaming\A9sQ\ISDbg.exe" 4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1864 -
C:\Users\Admin\AppData\Roaming\vkt_secure\ISDbg.exe
C:\Users\Admin\AppData\Roaming\vkt_secure\ISDbg.exe 5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:5116 -
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe 6⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3720 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe 7⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1728
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping 1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:4584
Network
MITRE ATT&CK Enterprise v15
Downloads