Overview

overview

10

Static

static

10

target.ps1

windows7-x64

8

target.ps1

windows10-2004-x64

10

Analysis

  • max time kernel
    136s
  • max time network
    137s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250217-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20-02-2025 16:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    target.ps1

  • Size

    76B

  • MD5

    a7719ce770225ad8fd81d6ad8ee8eec2

  • SHA1

    bf61e43b55a0c29362e4e152cc77040981a4fd17

  • SHA256

    3f7920a0497fdf8ee49a81e8c1ded39ac30610a758589086e5aad0cd3ccd26f9

  • SHA512

    9a0feb19432c689ee5edeb2438f4a2d652f10b68539968fa4ff84b17c6df5e3b2831823051994f4a45829ba78eb2c6281cb72da666769a00ca37687f6c01b6ac

Score
10/10
sectopratdiscoveryexecutionrattrojan

Malware Config

Signatures

  • SectopRAT

    SectopRAT is a remote access trojan first seen in November 2019.

    trojanratsectoprat
  • SectopRAT payload 1 IoCs
  • Sectoprat family
    sectoprat
  • Blocklisted process makes network request 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 4 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious behavior: MapViewOfSection 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\target.ps1
    1⤵
    • Blocklisted process makes network request
    • Command and Scripting Interpreter: PowerShell
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:5008
    • C:\Users\Admin\AppData\Local\Temp\Flowers\photomap.exe
      "C:\Users\Admin\AppData\Local\Temp\Flowers\photomap.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:2384
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\SysWOW64\cmd.exe
        3⤵
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:2704
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
          C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:1360

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\24fd3d9c
    Filesize

    1.4MB

    MD5

    9ca25a3d06bbccead92595e1f74923b0

    SHA1

    4b5dd4680ce1fc6029799b74e81feae5fcb5fe2f

    SHA256

    f213062205723f9ae5a34cc0da527f7bf0c9eec4ea5599e0764a1a6e5284e24e

    SHA512

    555f09bffcf7b0671c7497a7c243c7ca23fbbbd5a66e3711f34e833189b3ffef695b5c5c0f3848d91273d1dfe18849eb7179b2ecc2f2a99ba98c61cabe4c5811

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Flowers\CONCRT140.dll
    Filesize

    254KB

    MD5

    f36dae6ea00f102b60a5011af0732123

    SHA1

    06fabdbf1fa14b5a637716f9f7a28c95ea4a8661

    SHA256

    0a3894dd420ed6b4c7ebbde463dbbde69cdb032e290b1c86c21ccdaa4da95526

    SHA512

    c585e25ac9d733ca82d36d4cee0fa5f7d34a0455c359e010c501d1474c612bc73429093ba302ae14222d7e3a89d5b11777529b3005c7c0966aff06c92c7cce12

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Flowers\cpfe.dll
    Filesize

    4.9MB

    MD5

    08879cdebe058210d87d6aa49920e1d2

    SHA1

    e476835be3d56ca17cdccd5eef3f353c921368d4

    SHA256

    fe26d56dd5f84d16844bee03bd90a5a7fb00e743c64bcbaa705c2c2b1445a7fb

    SHA512

    50a06bfb0825bf6b0b889dda42cdce2dba677f681ae1ae0b6fd3365aa7c77b52601eeaeb797aed1e57c9646cbe4ccec026af86f02b8f4f4e63531754c00e96aa

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Flowers\cwm.7z
    Filesize

    40KB

    MD5

    be15cfc47c332bd4248bb38c6131953f

    SHA1

    b0b8193f66473eb91360dac500b4e3bdf5a422a2

    SHA256

    7adfba90dbc8f9bfcb4f5befbe7247ccb20209e77bf027718d1ca56ac3ba80f4

    SHA512

    46ee91ddd37130c22f97e8e6b1db8c0fb5e570f75351623034e611c8de4156d20b02616febe561554b664e7c4332df3d510d7c609033b84f791f13b419635a17

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Flowers\msvcp140.dll
    Filesize

    438KB

    MD5

    cdae969102e88f6704d853f9521eedd2

    SHA1

    3d9a57652a3634cb9b5a83c973c1c77b30c60bf4

    SHA256

    4ad3de3443d7658f74c978e7eb04730e3d812bc592fee47be4e6348d1fb4814e

    SHA512

    6714f7886ed21a97a3d70e8a55637f0d0e6d2c43ffd433e7f9c38c100ada99c6aaf136135b5fa6b77483987e34f4c57086c574309b798512cd668c54f845ec49

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Flowers\photomap.exe
    Filesize

    1.4MB

    MD5

    38901633c833cba7f682472ced0dbe4b

    SHA1

    0c11a1ac834d2b270ba60f3605109933ca11a7f0

    SHA256

    a5c5487194f761dac90e178c9c1753c0f47b041f3168b5c23a587f33f69e5089

    SHA512

    70d71197c68c9a92883c482aee76978e2a01e785be6fb3b6082369e25d991d3e03d8467e11d87493e54f5a3dc4bcd59fa588f0fabe5f6fdcf3361de95cb471c1

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Flowers\vcruntime140.dll
    Filesize

    88KB

    MD5

    984c36e57e47581e267151aca04e9580

    SHA1

    aa54e9133ba3ed675f9b5255a515780438163ae1

    SHA256

    e0850ad7c2431f822359e129c85b708373759a1aaadb70b3740642ea44345a04

    SHA512

    9c8ce4e86173066ab8584a08aa1449f36808f0abd6de01a86f83914a44a8b07b31266c1f38ec0cd46faabf819ac6e1c74e29d5b8b2163ac5d9e1797df8282fdf

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Flowers\youve.txt
    Filesize

    1.2MB

    MD5

    267bfe5602be60c238ab5588f4a1eeb2

    SHA1

    c96f50dbd0fa9bc596c3a3361184e8e8f5f0c9c2

    SHA256

    3b231073cfea74f87dbf808deeedeecbb058d05db6cb970ac50307ef9824e524

    SHA512

    01ca38e293c096b602ea60860e414fae949629c2fcd6fac5f37014ef6e9d34c5eadc1bd6d69ec5e9d3762269a8ebbef7d867e45021aefb61f0d901789032bdfb

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1pisgpz4.yz2.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmp27CA.tmp
    Filesize

    20KB

    MD5

    49693267e0adbcd119f9f5e02adf3a80

    SHA1

    3ba3d7f89b8ad195ca82c92737e960e1f2b349df

    SHA256

    d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f

    SHA512

    b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

    Download Submit

  • memory/1360-76-0x0000000000F00000-0x0000000000FC4000-memory.dmp

    Filesize

    784KB

    Download

  • memory/1360-80-0x0000000005940000-0x0000000005B02000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/1360-98-0x0000000007D20000-0x0000000007D2A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1360-85-0x0000000006390000-0x00000000063F6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/1360-84-0x00000000062A0000-0x00000000062BE000-memory.dmp

    Filesize

    120KB

    Download

  • memory/1360-83-0x0000000006730000-0x0000000006C5C000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/1360-82-0x00000000056A0000-0x00000000056F0000-memory.dmp

    Filesize

    320KB

    Download

  • memory/1360-77-0x00000000054F0000-0x0000000005582000-memory.dmp

    Filesize

    584KB

    Download

  • memory/1360-81-0x0000000005620000-0x0000000005696000-memory.dmp

    Filesize

    472KB

    Download

  • memory/1360-78-0x0000000005B50000-0x00000000060F4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/1360-79-0x00000000054B0000-0x00000000054BA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1360-73-0x0000000072E90000-0x00000000740E4000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/2384-62-0x0000000074A00000-0x0000000074B7B000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/2384-61-0x0000000074A00000-0x0000000074B7B000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/2384-60-0x0000000074A13000-0x0000000074A15000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2384-53-0x00007FFED29F0000-0x00007FFED2BE5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2384-52-0x0000000074A00000-0x0000000074B7B000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/2704-66-0x00007FFED29F0000-0x00007FFED2BE5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2704-64-0x0000000074A00000-0x0000000074B7B000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/2704-69-0x0000000074A00000-0x0000000074B7B000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/2704-72-0x0000000074A00000-0x0000000074B7B000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/2704-70-0x0000000074A00000-0x0000000074B7B000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/5008-18-0x0000020EBFC70000-0x0000020EBFC7A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/5008-7-0x00007FFEB4990000-0x00007FFEB5451000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/5008-0-0x00007FFEB4993000-0x00007FFEB4995000-memory.dmp

    Filesize

    8KB

    Download

  • memory/5008-41-0x00007FFEB4990000-0x00007FFEB5451000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/5008-8-0x00007FFEB4990000-0x00007FFEB5451000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/5008-13-0x00007FFEB4993000-0x00007FFEB4995000-memory.dmp

    Filesize

    8KB

    Download

  • memory/5008-14-0x00007FFEB4990000-0x00007FFEB5451000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/5008-16-0x00007FFEB4990000-0x00007FFEB5451000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/5008-1-0x0000020EBFC30000-0x0000020EBFC52000-memory.dmp

    Filesize

    136KB

    Download

  • memory/5008-17-0x0000020EC08C0000-0x0000020EC08D2000-memory.dmp

    Filesize

    72KB

    Download