sectoprat | 3f7920a0497fdf8ee49a81e8c1ded39ac30610a758589086e5aad0cd3ccd26f9

Analysis

max time kernel
131s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
20-02-2025 16:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

target.ps1
Size

76B
MD5

a7719ce770225ad8fd81d6ad8ee8eec2
SHA1

bf61e43b55a0c29362e4e152cc77040981a4fd17
SHA256

3f7920a0497fdf8ee49a81e8c1ded39ac30610a758589086e5aad0cd3ccd26f9
SHA512

9a0feb19432c689ee5edeb2438f4a2d652f10b68539968fa4ff84b17c6df5e3b2831823051994f4a45829ba78eb2c6281cb72da666769a00ca37687f6c01b6ac

Score

10^/10

sectoprat discovery execution rat trojan

Malware Config

Signatures

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 1 IoCs

resource	yara_rule
behavioral2/memory/3888-78-0x0000000000B60000-0x0000000000C24000-memory.dmp	family_sectoprat

Sectoprat family
sectoprat

Blocklisted process makes network request 2 IoCs

flow	pid	Process
1	1884	powershell.exe
3	1884	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
3496	photomap.exe

Loads dropped DLL 7 IoCs

pid	Process
3496	photomap.exe
3496	photomap.exe
3496	photomap.exe
3496	photomap.exe
3496	photomap.exe
3496	photomap.exe
3496	photomap.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3496 set thread context of 556	3496	photomap.exe	91
PID 556 set thread context of 3888	556	cmd.exe	96

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1884	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	photomap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1884	powershell.exe
1884	powershell.exe
3496	photomap.exe
3496	photomap.exe
556	cmd.exe
556	cmd.exe
3888	MSBuild.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
3496	photomap.exe
556	cmd.exe
556	cmd.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1884	powershell.exe
Token: SeDebugPrivilege	3888	MSBuild.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3888	MSBuild.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1884 wrote to memory of 3496	1884	powershell.exe	90
PID 1884 wrote to memory of 3496	1884	powershell.exe	90
PID 1884 wrote to memory of 3496	1884	powershell.exe	90
PID 3496 wrote to memory of 556	3496	photomap.exe	91
PID 3496 wrote to memory of 556	3496	photomap.exe	91
PID 3496 wrote to memory of 556	3496	photomap.exe	91
PID 3496 wrote to memory of 556	3496	photomap.exe	91
PID 556 wrote to memory of 3888	556	cmd.exe	96
PID 556 wrote to memory of 3888	556	cmd.exe	96
PID 556 wrote to memory of 3888	556	cmd.exe	96
PID 556 wrote to memory of 3888	556	cmd.exe	96
PID 556 wrote to memory of 3888	556	cmd.exe	96

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\target.ps1
1⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1884
- C:\Users\Admin\AppData\Local\Temp\Flowers\photomap.exe
  "C:\Users\Admin\AppData\Local\Temp\Flowers\photomap.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:3496
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\SysWOW64\cmd.exe
    3⤵
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:556
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:3888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\79c3727e

Filesize
1.4MB

MD5
d9a4662c01a807e28c69e6215761b52c

SHA1
a02d7e1a22378e3bdef2219067ca6560e20e2c78

SHA256
e0ef6abab3c9d78aadd4125bcdf8415c7e78e4dc84df5809cc79b242f56f9822

SHA512
c0eb81d7d892ce8c9bd019b92325f539ea6b59c7b3a9e87eae40dd35a5de008cd645a19aa2423e513e8d094e86bc617543998567ae8c60fc21222fd26888931c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Flowers\MSVCP140.dll

Filesize
438KB

MD5
cdae969102e88f6704d853f9521eedd2

SHA1
3d9a57652a3634cb9b5a83c973c1c77b30c60bf4

SHA256
4ad3de3443d7658f74c978e7eb04730e3d812bc592fee47be4e6348d1fb4814e

SHA512
6714f7886ed21a97a3d70e8a55637f0d0e6d2c43ffd433e7f9c38c100ada99c6aaf136135b5fa6b77483987e34f4c57086c574309b798512cd668c54f845ec49

Download Submit
C:\Users\Admin\AppData\Local\Temp\Flowers\concrt140.dll

Filesize
254KB

MD5
f36dae6ea00f102b60a5011af0732123

SHA1
06fabdbf1fa14b5a637716f9f7a28c95ea4a8661

SHA256
0a3894dd420ed6b4c7ebbde463dbbde69cdb032e290b1c86c21ccdaa4da95526

SHA512
c585e25ac9d733ca82d36d4cee0fa5f7d34a0455c359e010c501d1474c612bc73429093ba302ae14222d7e3a89d5b11777529b3005c7c0966aff06c92c7cce12

Download Submit
C:\Users\Admin\AppData\Local\Temp\Flowers\cpfe.dll

Filesize
4.9MB

MD5
08879cdebe058210d87d6aa49920e1d2

SHA1
e476835be3d56ca17cdccd5eef3f353c921368d4

SHA256
fe26d56dd5f84d16844bee03bd90a5a7fb00e743c64bcbaa705c2c2b1445a7fb

SHA512
50a06bfb0825bf6b0b889dda42cdce2dba677f681ae1ae0b6fd3365aa7c77b52601eeaeb797aed1e57c9646cbe4ccec026af86f02b8f4f4e63531754c00e96aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Flowers\cwm.7z

Filesize
40KB

MD5
be15cfc47c332bd4248bb38c6131953f

SHA1
b0b8193f66473eb91360dac500b4e3bdf5a422a2

SHA256
7adfba90dbc8f9bfcb4f5befbe7247ccb20209e77bf027718d1ca56ac3ba80f4

SHA512
46ee91ddd37130c22f97e8e6b1db8c0fb5e570f75351623034e611c8de4156d20b02616febe561554b664e7c4332df3d510d7c609033b84f791f13b419635a17

Download Submit
C:\Users\Admin\AppData\Local\Temp\Flowers\photomap.exe

Filesize
1.4MB

MD5
38901633c833cba7f682472ced0dbe4b

SHA1
0c11a1ac834d2b270ba60f3605109933ca11a7f0

SHA256
a5c5487194f761dac90e178c9c1753c0f47b041f3168b5c23a587f33f69e5089

SHA512
70d71197c68c9a92883c482aee76978e2a01e785be6fb3b6082369e25d991d3e03d8467e11d87493e54f5a3dc4bcd59fa588f0fabe5f6fdcf3361de95cb471c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Flowers\vcruntime140.dll

Filesize
88KB

MD5
984c36e57e47581e267151aca04e9580

SHA1
aa54e9133ba3ed675f9b5255a515780438163ae1

SHA256
e0850ad7c2431f822359e129c85b708373759a1aaadb70b3740642ea44345a04

SHA512
9c8ce4e86173066ab8584a08aa1449f36808f0abd6de01a86f83914a44a8b07b31266c1f38ec0cd46faabf819ac6e1c74e29d5b8b2163ac5d9e1797df8282fdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Flowers\youve.txt

Filesize
1.2MB

MD5
267bfe5602be60c238ab5588f4a1eeb2

SHA1
c96f50dbd0fa9bc596c3a3361184e8e8f5f0c9c2

SHA256
3b231073cfea74f87dbf808deeedeecbb058d05db6cb970ac50307ef9824e524

SHA512
01ca38e293c096b602ea60860e414fae949629c2fcd6fac5f37014ef6e9d34c5eadc1bd6d69ec5e9d3762269a8ebbef7d867e45021aefb61f0d901789032bdfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tn5fag0d.54k.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5E6A.tmp

Filesize
20KB

MD5
49693267e0adbcd119f9f5e02adf3a80

SHA1
3ba3d7f89b8ad195ca82c92737e960e1f2b349df

SHA256
d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f

SHA512
b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

Download Submit
memory/556-67-0x0000000075480000-0x00000000755FB000-memory.dmp

Filesize
1.5MB

Download
memory/556-74-0x0000000075480000-0x00000000755FB000-memory.dmp

Filesize
1.5MB

Download
memory/556-69-0x00007FF835B10000-0x00007FF835D05000-memory.dmp

Filesize
2.0MB

Download
memory/556-72-0x0000000075480000-0x00000000755FB000-memory.dmp

Filesize
1.5MB

Download
memory/556-71-0x0000000075480000-0x00000000755FB000-memory.dmp

Filesize
1.5MB

Download
memory/1884-14-0x00007FF817AC0000-0x00007FF818581000-memory.dmp

Filesize
10.8MB

Download
memory/1884-17-0x000001F5B8B80000-0x000001F5B8B92000-memory.dmp

Filesize
72KB

Download
memory/1884-18-0x000001F59F940000-0x000001F59F94A000-memory.dmp

Filesize
40KB

Download
memory/1884-55-0x00007FF817AC0000-0x00007FF818581000-memory.dmp

Filesize
10.8MB

Download
memory/1884-16-0x00007FF817AC0000-0x00007FF818581000-memory.dmp

Filesize
10.8MB

Download
memory/1884-0-0x00007FF817AC3000-0x00007FF817AC5000-memory.dmp

Filesize
8KB

Download
memory/1884-13-0x00007FF817AC3000-0x00007FF817AC5000-memory.dmp

Filesize
8KB

Download
memory/1884-12-0x00007FF817AC0000-0x00007FF818581000-memory.dmp

Filesize
10.8MB

Download
memory/1884-11-0x00007FF817AC0000-0x00007FF818581000-memory.dmp

Filesize
10.8MB

Download
memory/1884-1-0x000001F5B86D0000-0x000001F5B86F2000-memory.dmp

Filesize
136KB

Download
memory/3496-63-0x0000000075493000-0x0000000075495000-memory.dmp

Filesize
8KB

Download
memory/3496-65-0x0000000075480000-0x00000000755FB000-memory.dmp

Filesize
1.5MB

Download
memory/3496-64-0x0000000075480000-0x00000000755FB000-memory.dmp

Filesize
1.5MB

Download
memory/3496-56-0x00007FF835B10000-0x00007FF835D05000-memory.dmp

Filesize
2.0MB

Download
memory/3496-54-0x0000000075480000-0x00000000755FB000-memory.dmp

Filesize
1.5MB

Download
memory/3888-82-0x0000000005400000-0x00000000055C2000-memory.dmp

Filesize
1.8MB

Download
memory/3888-79-0x0000000005090000-0x0000000005122000-memory.dmp

Filesize
584KB

Download
memory/3888-80-0x00000000057E0000-0x0000000005D84000-memory.dmp

Filesize
5.6MB

Download
memory/3888-81-0x0000000002CE0000-0x0000000002CEA000-memory.dmp

Filesize
40KB

Download
memory/3888-78-0x0000000000B60000-0x0000000000C24000-memory.dmp

Filesize
784KB

Download
memory/3888-83-0x00000000052B0000-0x0000000005326000-memory.dmp

Filesize
472KB

Download
memory/3888-84-0x00000000051B0000-0x0000000005200000-memory.dmp

Filesize
320KB

Download
memory/3888-85-0x00000000062C0000-0x00000000067EC000-memory.dmp

Filesize
5.2MB

Download
memory/3888-86-0x0000000005E20000-0x0000000005E3E000-memory.dmp

Filesize
120KB

Download
memory/3888-87-0x0000000005F00000-0x0000000005F66000-memory.dmp

Filesize
408KB

Download
memory/3888-75-0x0000000073910000-0x0000000074B64000-memory.dmp

Filesize
18.3MB

Download
memory/3888-100-0x00000000077B0000-0x00000000077BA000-memory.dmp

Filesize
40KB

Download