sectoprat | daca202f3d10de0328c83f7a7f65344d51233fb18397a644f62139ce4d05903e

General

Target

Mind/content.exe
Size

27.6MB
MD5

950f3bebb7563ee8354b21ef9cbea4a2
SHA1

7b520ff8bd1b552e3de00a38a87722f21dc1c9f4
SHA256

8f4f53bc02348a549f3437444aacec43eae5f90875ea3c5ec96600ba1cb4a061
SHA512

6aac49f02fcfc131634864684c59c82c51208ab3191eacfd28bd1e184a8d6583565e2a57701f55c283b7297f843d4bcdd07ed7db4fc212a7b1c153e7cc4486d5
SSDEEP

393216:QM7KPSvINzNgF7kiPF7Ijs1vg+NLh3wBRoQWhKUzLkWEgC+24lRTSRAyGrR2FhHS:dGiPF+lvFNjXE9wpS

Score

10^/10

sectoprat discovery rat trojan

Malware Config

Signatures

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 1 IoCs

resource	yara_rule
behavioral5/memory/2288-68-0x0000000000400000-0x00000000004C4000-memory.dmp	family_sectoprat

Sectoprat family
sectoprat

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2280 set thread context of 3068	2280	content.exe	29
PID 3068 set thread context of 2288	3068	cmd.exe	31

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	content.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2280	content.exe
2280	content.exe
3068	cmd.exe
3068	cmd.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
2280	content.exe
3068	cmd.exe
3068	cmd.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2288	MSBuild.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2280 wrote to memory of 3068	2280	content.exe	29
PID 2280 wrote to memory of 3068	2280	content.exe	29
PID 2280 wrote to memory of 3068	2280	content.exe	29
PID 2280 wrote to memory of 3068	2280	content.exe	29
PID 2280 wrote to memory of 3068	2280	content.exe	29
PID 3068 wrote to memory of 2288	3068	cmd.exe	31
PID 3068 wrote to memory of 2288	3068	cmd.exe	31
PID 3068 wrote to memory of 2288	3068	cmd.exe	31
PID 3068 wrote to memory of 2288	3068	cmd.exe	31
PID 3068 wrote to memory of 2288	3068	cmd.exe	31
PID 3068 wrote to memory of 2288	3068	cmd.exe	31

C:\Users\Admin\AppData\Local\Temp\Mind\content.exe
"C:\Users\Admin\AppData\Local\Temp\Mind\content.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2280
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\SysWOW64\cmd.exe
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:3068
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2ae12b96

Filesize
1.4MB

MD5
da1853c1b6b3c82ae05d48149d3ca376

SHA1
5cb18aa636144e90a75bc50b82a9259021bc97cd

SHA256
68cd89c14ae2e8c54b11afc56ba9eb54375ee17b3ad0a0d4f70a5fb2ecb7d4b6

SHA512
ded33ef84bfc50eaae24c9d5f31599019192bc976940fb88024a74c6f841971dc3cead6c768acda08b40a2a4d39ac495e7dc8e95120767618e00cfe786451179

Download Submit
memory/2280-12-0x0000000050030000-0x000000005004C000-memory.dmp

Filesize
112KB

Download
memory/2280-2-0x00000000779B0000-0x0000000077B59000-memory.dmp

Filesize
1.7MB

Download
memory/2280-7-0x0000000074D13000-0x0000000074D15000-memory.dmp

Filesize
8KB

Download
memory/2280-8-0x0000000074D00000-0x0000000074E74000-memory.dmp

Filesize
1.5MB

Download
memory/2280-9-0x0000000074D00000-0x0000000074E74000-memory.dmp

Filesize
1.5MB

Download
memory/2280-1-0x0000000074D00000-0x0000000074E74000-memory.dmp

Filesize
1.5MB

Download
memory/2280-0-0x0000000000B80000-0x00000000028F7000-memory.dmp

Filesize
29.5MB

Download
memory/2280-13-0x0000000074F70000-0x0000000075088000-memory.dmp

Filesize
1.1MB

Download
memory/2288-66-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2288-68-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/2288-64-0x0000000072FE0000-0x0000000074042000-memory.dmp

Filesize
16.4MB

Download
memory/2288-67-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/3068-14-0x0000000074D00000-0x0000000074E74000-memory.dmp

Filesize
1.5MB

Download
memory/3068-65-0x0000000074D00000-0x0000000074E74000-memory.dmp

Filesize
1.5MB

Download
memory/3068-61-0x0000000074D00000-0x0000000074E74000-memory.dmp

Filesize
1.5MB

Download
memory/3068-62-0x0000000074D00000-0x0000000074E74000-memory.dmp

Filesize
1.5MB

Download
memory/3068-16-0x00000000779B0000-0x0000000077B59000-memory.dmp

Filesize
1.7MB

Download

Analysis

Sharing