sectoprat | 6d97edcab4d3d2e18c5d321b443be7b6d21084a305413de465a4e92f6df720c5

General

Target

Manifest/SplashWin.exe
Size

446KB
MD5

4d20b83562eec3660e45027ad56fb444
SHA1

ff6134c34500a8f8e5881e6a34263e5796f83667
SHA256

c5e650b331fa5292872fdaede3a75c8167a0f1280ce0cd3d58b880d23854bdb1
SHA512

718bd66fcff80b8008a4523d88bd726cdbc95e6e7bdb3f50e337e291294505ed54e6f5995d431968b85415e96f6f7ed37381ca021401ad57fda3b08a1f0c27f4
SSDEEP

3072:unfVdw78434ei8HQbmiFp4KA+3Glxlwim2n/Xq0DdMqsxN4GnLG5N:W9dKxn/Xq082GLGX

Score

10^/10

sectoprat discovery rat trojan

Malware Config

Signatures

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 1 IoCs

resource	yara_rule
behavioral4/memory/1004-37-0x0000000000B00000-0x0000000000BC4000-memory.dmp	family_sectoprat

Sectoprat family
sectoprat

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1540 set thread context of 3508	1540	SplashWin.exe	84
PID 3508 set thread context of 1004	3508	cmd.exe	87

Executes dropped EXE 1 IoCs

pid	Process
1540	SplashWin.exe

Loads dropped DLL 3 IoCs

pid	Process
1540	SplashWin.exe
1540	SplashWin.exe
1540	SplashWin.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SplashWin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SplashWin.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
432	SplashWin.exe
1540	SplashWin.exe
1540	SplashWin.exe
3508	cmd.exe
3508	cmd.exe
1004	MSBuild.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
1540	SplashWin.exe
3508	cmd.exe
3508	cmd.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1004	MSBuild.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1004	MSBuild.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 432 wrote to memory of 1540	432	SplashWin.exe	83
PID 432 wrote to memory of 1540	432	SplashWin.exe	83
PID 432 wrote to memory of 1540	432	SplashWin.exe	83
PID 1540 wrote to memory of 3508	1540	SplashWin.exe	84
PID 1540 wrote to memory of 3508	1540	SplashWin.exe	84
PID 1540 wrote to memory of 3508	1540	SplashWin.exe	84
PID 1540 wrote to memory of 3508	1540	SplashWin.exe	84
PID 3508 wrote to memory of 1004	3508	cmd.exe	87
PID 3508 wrote to memory of 1004	3508	cmd.exe	87
PID 3508 wrote to memory of 1004	3508	cmd.exe	87
PID 3508 wrote to memory of 1004	3508	cmd.exe	87
PID 3508 wrote to memory of 1004	3508	cmd.exe	87

C:\Users\Admin\AppData\Local\Temp\Manifest\SplashWin.exe
"C:\Users\Admin\AppData\Local\Temp\Manifest\SplashWin.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:432
- C:\Users\Admin\AppData\Roaming\Okjcontrol_alpha\SplashWin.exe
  C:\Users\Admin\AppData\Roaming\Okjcontrol_alpha\SplashWin.exe
  2⤵
  - Suspicious use of SetThreadContext
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1540
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\SysWOW64\cmd.exe
    3⤵
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:3508
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:1004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\544911bc

Filesize
1.4MB

MD5
386e417ed596e9965c5fa1d9fabb882f

SHA1
12723e2d61fa4e4dca16e85ca12c7c35c0f6661a

SHA256
746c8533fdc00963d8a6e6aab6e0f5b2889dcfa27018cca5335a3af50730735b

SHA512
924b2655d6505119985ad63371f6f89f0ff152b88d2b4552e2ce3502410299ce2a5fa16ecc13ea0d27a2f8d112ac343f7cb6a1dbee55e1cc190a26b93c33d9c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4C49.tmp

Filesize
20KB

MD5
49693267e0adbcd119f9f5e02adf3a80

SHA1
3ba3d7f89b8ad195ca82c92737e960e1f2b349df

SHA256
d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f

SHA512
b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

Download Submit
C:\Users\Admin\AppData\Roaming\Okjcontrol_alpha\DuiLib_u.dll

Filesize
840KB

MD5
27cdf66f9b92629a7dc8109d9590efec

SHA1
fc96fa0eae6d60adea067f17e9de063597f3227e

SHA256
5919ad0385b6465801fb44c00a79ec224a14cb8655c883ba4b564449fa3dcefd

SHA512
90f9bcacab284fa91d051a73f197b17049801130cf17df5f8b7656b92c19deccbd72659d12226897f47d16da37cf05fca96be5cf3688ff8bc297630e9c2ab554

Download Submit
C:\Users\Admin\AppData\Roaming\Okjcontrol_alpha\SplashWin.exe

Filesize
446KB

MD5
4d20b83562eec3660e45027ad56fb444

SHA1
ff6134c34500a8f8e5881e6a34263e5796f83667

SHA256
c5e650b331fa5292872fdaede3a75c8167a0f1280ce0cd3d58b880d23854bdb1

SHA512
718bd66fcff80b8008a4523d88bd726cdbc95e6e7bdb3f50e337e291294505ed54e6f5995d431968b85415e96f6f7ed37381ca021401ad57fda3b08a1f0c27f4

Download Submit
C:\Users\Admin\AppData\Roaming\Okjcontrol_alpha\VCRUNTIME140.dll

Filesize
74KB

MD5
a554e4f1addc0c2c4ebb93d66b790796

SHA1
9fbd1d222da47240db92cd6c50625eb0cf650f61

SHA256
e610cdac0a37147919032d0d723b967276c217ff06ea402f098696ab4112512a

SHA512
5f3253f071da3e0110def888682d255186f2e2a30a8480791c0cad74029420033b5c90f818ae845b5f041ee4005f6de174a687aca8f858371026423f017902cc

Download Submit
C:\Users\Admin\AppData\Roaming\Okjcontrol_alpha\basinful.odp

Filesize
58KB

MD5
984e6cd075b61eb5993f0a103c37e6cd

SHA1
8ef89a1fe86c6b5e34b50962738bee7fd1f40cae

SHA256
37cfc0ece89f5b3acd99a90d56357f1bf27d35a10977bb2fac6a1d2ddc649258

SHA512
af0c3625c29e95c9693ba7f2164941453d1e0aec74eddda1f74ec412e732a697987074ca29c9d0c6b5b7571014a212f4295d19cb10be7616c1feca032bdf321c

Download Submit
C:\Users\Admin\AppData\Roaming\Okjcontrol_alpha\fief.jpeg

Filesize
1.2MB

MD5
776dfb2df48b4b0f7c61e479947eff09

SHA1
ab5d027e709454744415a4c0ea784ae3c5c4b7b3

SHA256
72dfeecd64ba9b22a268040dc5af779b13e450712b1067f7a501be82bf5aad88

SHA512
f6fbca8845de0910e2db49ce71c8c57222a8c3a036685d9d1b8a6fb2d072047228671bc55a477074e20e5e8d3e4218699ebcdb0d0f9533e2d3ee6861407e014e

Download Submit
C:\Users\Admin\AppData\Roaming\Okjcontrol_alpha\msvcp140.dll

Filesize
437KB

MD5
e9f00dd8746712610706cbeffd8df0bd

SHA1
5004d98c89a40ebf35f51407553e38e5ca16fb98

SHA256
4cb882621a3d1c6283570447f842801b396db1b3dcd2e01c2f7002efd66a0a97

SHA512
4d1ce1fc92cea60859b27ca95ca1d1a7c2bec4e2356f87659a69bab9c1befa7a94a2c64669cef1c9dadf9d38ab77e836fe69acdda0f95fa1b32cba9e8c6bb554

Download Submit
memory/432-0-0x0000000075410000-0x000000007558B000-memory.dmp

Filesize
1.5MB

Download
memory/432-1-0x00007FFC61E70000-0x00007FFC62065000-memory.dmp

Filesize
2.0MB

Download
memory/1004-44-0x00000000063D0000-0x00000000068FC000-memory.dmp

Filesize
5.2MB

Download
memory/1004-46-0x0000000005FB0000-0x0000000006016000-memory.dmp

Filesize
408KB

Download
memory/1004-45-0x0000000005ED0000-0x0000000005EEE000-memory.dmp

Filesize
120KB

Download
memory/1004-39-0x00000000057F0000-0x0000000005D94000-memory.dmp

Filesize
5.6MB

Download
memory/1004-59-0x0000000007890000-0x000000000789A000-memory.dmp

Filesize
40KB

Download
memory/1004-43-0x00000000052C0000-0x0000000005310000-memory.dmp

Filesize
320KB

Download
memory/1004-42-0x0000000005240000-0x00000000052B6000-memory.dmp

Filesize
472KB

Download
memory/1004-41-0x00000000055B0000-0x0000000005772000-memory.dmp

Filesize
1.8MB

Download
memory/1004-40-0x00000000050E0000-0x00000000050EA000-memory.dmp

Filesize
40KB

Download
memory/1004-34-0x0000000073BA0000-0x0000000074DF4000-memory.dmp

Filesize
18.3MB

Download
memory/1004-37-0x0000000000B00000-0x0000000000BC4000-memory.dmp

Filesize
784KB

Download
memory/1004-38-0x00000000051A0000-0x0000000005232000-memory.dmp

Filesize
584KB

Download
memory/1540-19-0x0000000075410000-0x000000007558B000-memory.dmp

Filesize
1.5MB

Download
memory/1540-23-0x0000000075410000-0x000000007558B000-memory.dmp

Filesize
1.5MB

Download
memory/1540-22-0x0000000075410000-0x000000007558B000-memory.dmp

Filesize
1.5MB

Download
memory/1540-21-0x0000000075423000-0x0000000075425000-memory.dmp

Filesize
8KB

Download
memory/1540-20-0x00007FFC61E70000-0x00007FFC62065000-memory.dmp

Filesize
2.0MB

Download
memory/3508-33-0x0000000075410000-0x000000007558B000-memory.dmp

Filesize
1.5MB

Download
memory/3508-30-0x0000000075410000-0x000000007558B000-memory.dmp

Filesize
1.5MB

Download
memory/3508-31-0x0000000075410000-0x000000007558B000-memory.dmp

Filesize
1.5MB

Download
memory/3508-27-0x00007FFC61E70000-0x00007FFC62065000-memory.dmp

Filesize
2.0MB

Download
memory/3508-25-0x0000000075410000-0x000000007558B000-memory.dmp

Filesize
1.5MB

Download

Analysis

Sharing