sectoprat | 6d97edcab4d3d2e18c5d321b443be7b6d21084a305413de465a4e92f6df720c5

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
18-02-2025 07:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Manifest/SplashWin.exe
Size

446KB
MD5

4d20b83562eec3660e45027ad56fb444
SHA1

ff6134c34500a8f8e5881e6a34263e5796f83667
SHA256

c5e650b331fa5292872fdaede3a75c8167a0f1280ce0cd3d58b880d23854bdb1
SHA512

718bd66fcff80b8008a4523d88bd726cdbc95e6e7bdb3f50e337e291294505ed54e6f5995d431968b85415e96f6f7ed37381ca021401ad57fda3b08a1f0c27f4
SSDEEP

3072:unfVdw78434ei8HQbmiFp4KA+3Glxlwim2n/Xq0DdMqsxN4GnLG5N:W9dKxn/Xq082GLGX

Score

10^/10

sectoprat discovery rat trojan

Malware Config

Signatures

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 1 IoCs

resource	yara_rule
behavioral4/memory/1564-37-0x0000000001230000-0x00000000012F4000-memory.dmp	family_sectoprat

Sectoprat family
sectoprat

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3544 set thread context of 1184	3544	SplashWin.exe	86
PID 1184 set thread context of 1564	1184	cmd.exe	89

Executes dropped EXE 1 IoCs

pid	Process
3544	SplashWin.exe

Loads dropped DLL 3 IoCs

pid	Process
3544	SplashWin.exe
3544	SplashWin.exe
3544	SplashWin.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SplashWin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SplashWin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2032	SplashWin.exe
3544	SplashWin.exe
3544	SplashWin.exe
1184	cmd.exe
1184	cmd.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
3544	SplashWin.exe
1184	cmd.exe
1184	cmd.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1564	MSBuild.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2032 wrote to memory of 3544	2032	SplashWin.exe	85
PID 2032 wrote to memory of 3544	2032	SplashWin.exe	85
PID 2032 wrote to memory of 3544	2032	SplashWin.exe	85
PID 3544 wrote to memory of 1184	3544	SplashWin.exe	86
PID 3544 wrote to memory of 1184	3544	SplashWin.exe	86
PID 3544 wrote to memory of 1184	3544	SplashWin.exe	86
PID 3544 wrote to memory of 1184	3544	SplashWin.exe	86
PID 1184 wrote to memory of 1564	1184	cmd.exe	89
PID 1184 wrote to memory of 1564	1184	cmd.exe	89
PID 1184 wrote to memory of 1564	1184	cmd.exe	89
PID 1184 wrote to memory of 1564	1184	cmd.exe	89
PID 1184 wrote to memory of 1564	1184	cmd.exe	89

C:\Users\Admin\AppData\Local\Temp\Manifest\SplashWin.exe
"C:\Users\Admin\AppData\Local\Temp\Manifest\SplashWin.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2032
- C:\Users\Admin\AppData\Roaming\Okjcontrol_alpha\SplashWin.exe
  C:\Users\Admin\AppData\Roaming\Okjcontrol_alpha\SplashWin.exe
  2⤵
  - Suspicious use of SetThreadContext
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:3544
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\SysWOW64\cmd.exe
    3⤵
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:1184
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\83ef66c3

Filesize
1.4MB

MD5
757a1d8cb885e7c9d7cf8d937fcfb2fa

SHA1
ec430a94cf2b7d4984925530f48a8af96b3a17d8

SHA256
f9de910594bf234b12b5d90596f3333d5c291a1705f61d47bb8c63a959b4e912

SHA512
33af43ab03bae38f93666b4b558be658fc0d32b6f0442723f9de177618c5ed6ad59cc08a86e4b0449ff5063d794830191750df9819d1b64c35468ce826d4f4e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp74EF.tmp

Filesize
20KB

MD5
a603e09d617fea7517059b4924b1df93

SHA1
31d66e1496e0229c6a312f8be05da3f813b3fa9e

SHA256
ccd15f9c7a997ae2b5320ea856c7efc54b5055254d41a443d21a60c39c565cb7

SHA512
eadb844a84f8a660c578a2f8e65ebcb9e0b9ab67422be957f35492ff870825a4b363f96fd1c546eaacfd518f6812fcf57268ef03c149e5b1a7af145c7100e2cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7511.tmp

Filesize
20KB

MD5
49693267e0adbcd119f9f5e02adf3a80

SHA1
3ba3d7f89b8ad195ca82c92737e960e1f2b349df

SHA256
d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f

SHA512
b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

Download Submit
C:\Users\Admin\AppData\Roaming\Okjcontrol_alpha\DuiLib_u.dll

Filesize
840KB

MD5
27cdf66f9b92629a7dc8109d9590efec

SHA1
fc96fa0eae6d60adea067f17e9de063597f3227e

SHA256
5919ad0385b6465801fb44c00a79ec224a14cb8655c883ba4b564449fa3dcefd

SHA512
90f9bcacab284fa91d051a73f197b17049801130cf17df5f8b7656b92c19deccbd72659d12226897f47d16da37cf05fca96be5cf3688ff8bc297630e9c2ab554

Download Submit
C:\Users\Admin\AppData\Roaming\Okjcontrol_alpha\SplashWin.exe

Filesize
446KB

MD5
4d20b83562eec3660e45027ad56fb444

SHA1
ff6134c34500a8f8e5881e6a34263e5796f83667

SHA256
c5e650b331fa5292872fdaede3a75c8167a0f1280ce0cd3d58b880d23854bdb1

SHA512
718bd66fcff80b8008a4523d88bd726cdbc95e6e7bdb3f50e337e291294505ed54e6f5995d431968b85415e96f6f7ed37381ca021401ad57fda3b08a1f0c27f4

Download Submit
C:\Users\Admin\AppData\Roaming\Okjcontrol_alpha\basinful.odp

Filesize
58KB

MD5
984e6cd075b61eb5993f0a103c37e6cd

SHA1
8ef89a1fe86c6b5e34b50962738bee7fd1f40cae

SHA256
37cfc0ece89f5b3acd99a90d56357f1bf27d35a10977bb2fac6a1d2ddc649258

SHA512
af0c3625c29e95c9693ba7f2164941453d1e0aec74eddda1f74ec412e732a697987074ca29c9d0c6b5b7571014a212f4295d19cb10be7616c1feca032bdf321c

Download Submit
C:\Users\Admin\AppData\Roaming\Okjcontrol_alpha\fief.jpeg

Filesize
1.2MB

MD5
776dfb2df48b4b0f7c61e479947eff09

SHA1
ab5d027e709454744415a4c0ea784ae3c5c4b7b3

SHA256
72dfeecd64ba9b22a268040dc5af779b13e450712b1067f7a501be82bf5aad88

SHA512
f6fbca8845de0910e2db49ce71c8c57222a8c3a036685d9d1b8a6fb2d072047228671bc55a477074e20e5e8d3e4218699ebcdb0d0f9533e2d3ee6861407e014e

Download Submit
C:\Users\Admin\AppData\Roaming\Okjcontrol_alpha\msvcp140.dll

Filesize
437KB

MD5
e9f00dd8746712610706cbeffd8df0bd

SHA1
5004d98c89a40ebf35f51407553e38e5ca16fb98

SHA256
4cb882621a3d1c6283570447f842801b396db1b3dcd2e01c2f7002efd66a0a97

SHA512
4d1ce1fc92cea60859b27ca95ca1d1a7c2bec4e2356f87659a69bab9c1befa7a94a2c64669cef1c9dadf9d38ab77e836fe69acdda0f95fa1b32cba9e8c6bb554

Download Submit
C:\Users\Admin\AppData\Roaming\Okjcontrol_alpha\vcruntime140.dll

Filesize
74KB

MD5
a554e4f1addc0c2c4ebb93d66b790796

SHA1
9fbd1d222da47240db92cd6c50625eb0cf650f61

SHA256
e610cdac0a37147919032d0d723b967276c217ff06ea402f098696ab4112512a

SHA512
5f3253f071da3e0110def888682d255186f2e2a30a8480791c0cad74029420033b5c90f818ae845b5f041ee4005f6de174a687aca8f858371026423f017902cc

Download Submit
memory/1184-33-0x0000000074C20000-0x0000000074D9B000-memory.dmp

Filesize
1.5MB

Download
memory/1184-30-0x0000000074C20000-0x0000000074D9B000-memory.dmp

Filesize
1.5MB

Download
memory/1184-31-0x0000000074C20000-0x0000000074D9B000-memory.dmp

Filesize
1.5MB

Download
memory/1184-27-0x00007FFC0CD50000-0x00007FFC0CF45000-memory.dmp

Filesize
2.0MB

Download
memory/1184-25-0x0000000074C20000-0x0000000074D9B000-memory.dmp

Filesize
1.5MB

Download
memory/1564-41-0x0000000005D30000-0x0000000005EF2000-memory.dmp

Filesize
1.8MB

Download
memory/1564-40-0x0000000005880000-0x000000000588A000-memory.dmp

Filesize
40KB

Download
memory/1564-46-0x0000000006750000-0x00000000067B6000-memory.dmp

Filesize
408KB

Download
memory/1564-45-0x0000000006670000-0x000000000668E000-memory.dmp

Filesize
120KB

Download
memory/1564-44-0x0000000006B80000-0x00000000070AC000-memory.dmp

Filesize
5.2MB

Download
memory/1564-34-0x00000000731E0000-0x0000000074434000-memory.dmp

Filesize
18.3MB

Download
memory/1564-37-0x0000000001230000-0x00000000012F4000-memory.dmp

Filesize
784KB

Download
memory/1564-38-0x0000000005950000-0x00000000059E2000-memory.dmp

Filesize
584KB

Download
memory/1564-39-0x0000000005FA0000-0x0000000006544000-memory.dmp

Filesize
5.6MB

Download
memory/1564-43-0x0000000005A70000-0x0000000005AC0000-memory.dmp

Filesize
320KB

Download
memory/1564-42-0x00000000059F0000-0x0000000005A66000-memory.dmp

Filesize
472KB

Download
memory/2032-0-0x0000000074590000-0x000000007470B000-memory.dmp

Filesize
1.5MB

Download
memory/2032-1-0x00007FFC0CD50000-0x00007FFC0CF45000-memory.dmp

Filesize
2.0MB

Download
memory/3544-23-0x0000000074C20000-0x0000000074D9B000-memory.dmp

Filesize
1.5MB

Download
memory/3544-20-0x00007FFC0CD50000-0x00007FFC0CF45000-memory.dmp

Filesize
2.0MB

Download
memory/3544-22-0x0000000074C20000-0x0000000074D9B000-memory.dmp

Filesize
1.5MB

Download
memory/3544-21-0x0000000074C33000-0x0000000074C35000-memory.dmp

Filesize
8KB

Download
memory/3544-19-0x0000000074C20000-0x0000000074D9B000-memory.dmp

Filesize
1.5MB

Download