sectoprat | 6d97edcab4d3d2e18c5d321b443be7b6d21084a305413de465a4e92f6df720c5

General

Target

Manifest/SplashWin.exe
Size

446KB
MD5

4d20b83562eec3660e45027ad56fb444
SHA1

ff6134c34500a8f8e5881e6a34263e5796f83667
SHA256

c5e650b331fa5292872fdaede3a75c8167a0f1280ce0cd3d58b880d23854bdb1
SHA512

718bd66fcff80b8008a4523d88bd726cdbc95e6e7bdb3f50e337e291294505ed54e6f5995d431968b85415e96f6f7ed37381ca021401ad57fda3b08a1f0c27f4
SSDEEP

3072:unfVdw78434ei8HQbmiFp4KA+3Glxlwim2n/Xq0DdMqsxN4GnLG5N:W9dKxn/Xq082GLGX

Score

10^/10

sectoprat discovery rat trojan

Malware Config

Signatures

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 1 IoCs

resource	yara_rule
behavioral3/memory/1388-81-0x0000000000400000-0x00000000004C4000-memory.dmp	family_sectoprat

Sectoprat family
sectoprat

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2176 set thread context of 2148	2176	SplashWin.exe	30
PID 2148 set thread context of 1388	2148	cmd.exe	32

Executes dropped EXE 1 IoCs

pid	Process
2176	SplashWin.exe

Loads dropped DLL 4 IoCs

pid	Process
2604	SplashWin.exe
2176	SplashWin.exe
2176	SplashWin.exe
2176	SplashWin.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SplashWin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SplashWin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2604	SplashWin.exe
2176	SplashWin.exe
2176	SplashWin.exe
2148	cmd.exe
2148	cmd.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
2176	SplashWin.exe
2148	cmd.exe
2148	cmd.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1388	MSBuild.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2604 wrote to memory of 2176	2604	SplashWin.exe	29
PID 2604 wrote to memory of 2176	2604	SplashWin.exe	29
PID 2604 wrote to memory of 2176	2604	SplashWin.exe	29
PID 2604 wrote to memory of 2176	2604	SplashWin.exe	29
PID 2176 wrote to memory of 2148	2176	SplashWin.exe	30
PID 2176 wrote to memory of 2148	2176	SplashWin.exe	30
PID 2176 wrote to memory of 2148	2176	SplashWin.exe	30
PID 2176 wrote to memory of 2148	2176	SplashWin.exe	30
PID 2176 wrote to memory of 2148	2176	SplashWin.exe	30
PID 2148 wrote to memory of 1388	2148	cmd.exe	32
PID 2148 wrote to memory of 1388	2148	cmd.exe	32
PID 2148 wrote to memory of 1388	2148	cmd.exe	32
PID 2148 wrote to memory of 1388	2148	cmd.exe	32
PID 2148 wrote to memory of 1388	2148	cmd.exe	32
PID 2148 wrote to memory of 1388	2148	cmd.exe	32

C:\Users\Admin\AppData\Local\Temp\Manifest\SplashWin.exe
"C:\Users\Admin\AppData\Local\Temp\Manifest\SplashWin.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2604
- C:\Users\Admin\AppData\Roaming\Okjcontrol_alpha\SplashWin.exe
  C:\Users\Admin\AppData\Roaming\Okjcontrol_alpha\SplashWin.exe
  2⤵
  - Suspicious use of SetThreadContext
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2176
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\SysWOW64\cmd.exe
    3⤵
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:2148
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2db5d430

Filesize
1.4MB

MD5
e6555bbbe93b13e0d346749b8e5366ec

SHA1
100de7181098251c9cb00741879adecf544643fa

SHA256
49d2572510c1072b4b0e57a036c149193e2fd408d1ca7f63ba9583aaeb5ded98

SHA512
dfdc244c5f3fc14dcd7c26c731b7550593a81b2716e8afaa4bbe99c0afbe64f6aefe0fc8e89579694c56c84d4eb21d7036c534598b08703931070a19ffff257d

Download Submit
C:\Users\Admin\AppData\Roaming\Okjcontrol_alpha\DuiLib_u.dll

Filesize
840KB

MD5
27cdf66f9b92629a7dc8109d9590efec

SHA1
fc96fa0eae6d60adea067f17e9de063597f3227e

SHA256
5919ad0385b6465801fb44c00a79ec224a14cb8655c883ba4b564449fa3dcefd

SHA512
90f9bcacab284fa91d051a73f197b17049801130cf17df5f8b7656b92c19deccbd72659d12226897f47d16da37cf05fca96be5cf3688ff8bc297630e9c2ab554

Download Submit
C:\Users\Admin\AppData\Roaming\Okjcontrol_alpha\SplashWin.exe

Filesize
446KB

MD5
4d20b83562eec3660e45027ad56fb444

SHA1
ff6134c34500a8f8e5881e6a34263e5796f83667

SHA256
c5e650b331fa5292872fdaede3a75c8167a0f1280ce0cd3d58b880d23854bdb1

SHA512
718bd66fcff80b8008a4523d88bd726cdbc95e6e7bdb3f50e337e291294505ed54e6f5995d431968b85415e96f6f7ed37381ca021401ad57fda3b08a1f0c27f4

Download Submit
C:\Users\Admin\AppData\Roaming\Okjcontrol_alpha\basinful.odp

Filesize
58KB

MD5
984e6cd075b61eb5993f0a103c37e6cd

SHA1
8ef89a1fe86c6b5e34b50962738bee7fd1f40cae

SHA256
37cfc0ece89f5b3acd99a90d56357f1bf27d35a10977bb2fac6a1d2ddc649258

SHA512
af0c3625c29e95c9693ba7f2164941453d1e0aec74eddda1f74ec412e732a697987074ca29c9d0c6b5b7571014a212f4295d19cb10be7616c1feca032bdf321c

Download Submit
C:\Users\Admin\AppData\Roaming\Okjcontrol_alpha\fief.jpeg

Filesize
1.2MB

MD5
776dfb2df48b4b0f7c61e479947eff09

SHA1
ab5d027e709454744415a4c0ea784ae3c5c4b7b3

SHA256
72dfeecd64ba9b22a268040dc5af779b13e450712b1067f7a501be82bf5aad88

SHA512
f6fbca8845de0910e2db49ce71c8c57222a8c3a036685d9d1b8a6fb2d072047228671bc55a477074e20e5e8d3e4218699ebcdb0d0f9533e2d3ee6861407e014e

Download Submit
\Users\Admin\AppData\Roaming\Okjcontrol_alpha\msvcp140.dll

Filesize
437KB

MD5
e9f00dd8746712610706cbeffd8df0bd

SHA1
5004d98c89a40ebf35f51407553e38e5ca16fb98

SHA256
4cb882621a3d1c6283570447f842801b396db1b3dcd2e01c2f7002efd66a0a97

SHA512
4d1ce1fc92cea60859b27ca95ca1d1a7c2bec4e2356f87659a69bab9c1befa7a94a2c64669cef1c9dadf9d38ab77e836fe69acdda0f95fa1b32cba9e8c6bb554

Download Submit
\Users\Admin\AppData\Roaming\Okjcontrol_alpha\vcruntime140.dll

Filesize
74KB

MD5
a554e4f1addc0c2c4ebb93d66b790796

SHA1
9fbd1d222da47240db92cd6c50625eb0cf650f61

SHA256
e610cdac0a37147919032d0d723b967276c217ff06ea402f098696ab4112512a

SHA512
5f3253f071da3e0110def888682d255186f2e2a30a8480791c0cad74029420033b5c90f818ae845b5f041ee4005f6de174a687aca8f858371026423f017902cc

Download Submit
memory/1388-81-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/1388-77-0x00000000727F0000-0x0000000073852000-memory.dmp

Filesize
16.4MB

Download
memory/1388-79-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/1388-80-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2148-28-0x0000000077270000-0x0000000077419000-memory.dmp

Filesize
1.7MB

Download
memory/2148-26-0x0000000074440000-0x00000000745B4000-memory.dmp

Filesize
1.5MB

Download
memory/2148-74-0x0000000074440000-0x00000000745B4000-memory.dmp

Filesize
1.5MB

Download
memory/2148-75-0x0000000074440000-0x00000000745B4000-memory.dmp

Filesize
1.5MB

Download
memory/2148-78-0x0000000074440000-0x00000000745B4000-memory.dmp

Filesize
1.5MB

Download
memory/2176-24-0x0000000074440000-0x00000000745B4000-memory.dmp

Filesize
1.5MB

Download
memory/2176-21-0x0000000077270000-0x0000000077419000-memory.dmp

Filesize
1.7MB

Download
memory/2176-22-0x0000000074453000-0x0000000074455000-memory.dmp

Filesize
8KB

Download
memory/2176-23-0x0000000074440000-0x00000000745B4000-memory.dmp

Filesize
1.5MB

Download
memory/2176-20-0x0000000074440000-0x00000000745B4000-memory.dmp

Filesize
1.5MB

Download
memory/2604-0-0x0000000074450000-0x00000000745C4000-memory.dmp

Filesize
1.5MB

Download
memory/2604-1-0x0000000077270000-0x0000000077419000-memory.dmp

Filesize
1.7MB

Download

Analysis

Sharing