Overview

overview

10

Static

static

1

383af7126e...6c.exe

windows7-x64

10

383af7126e...6c.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    141s
  • max time network
    145s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    06/03/2025, 20:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    383af7126e2e28748b4b75c66cc3406933a935931185d37b672a033cb193a26c.exe

  • Size

    1.9MB

  • MD5

    538aeeefac0c750a2f506a6f3815c7ae

  • SHA1

    4ae1eb347e7f73618824d1c5e58dd7f0eab31848

  • SHA256

    383af7126e2e28748b4b75c66cc3406933a935931185d37b672a033cb193a26c

  • SHA512

    ae7eb66f9e2e83442a72b9b837e3ab0d36fa16cf8b45609055d569d2d1e63c63190eb93079450a60fb3b908844144b186c6e180a0c586a7c82fd0f2290890c81

  • SSDEEP

    24576:RMjhoB0NyTZsOtuzkYSDmzfTDIas2Mko9DTTQjrChAkBIsamQFrj0p/C2Y:oRy1sOLDMaRkUTQfkBIS0D7

Score
10/10
sectopratdiscoveryexecutionrattrojan

Malware Config

Signatures

  • SectopRAT

    SectopRAT is a remote access trojan first seen in November 2019.

    trojanratsectoprat
  • SectopRAT payload 1 IoCs
  • Sectoprat family
    sectoprat
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 10 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Run Powershell to execute payload.

    execution
  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 41 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\383af7126e2e28748b4b75c66cc3406933a935931185d37b672a033cb193a26c.exe
    "C:\Users\Admin\AppData\Local\Temp\383af7126e2e28748b4b75c66cc3406933a935931185d37b672a033cb193a26c.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1232
    • C:\Users\Admin\AppData\Local\Temp\is-N7VSR.tmp\383af7126e2e28748b4b75c66cc3406933a935931185d37b672a033cb193a26c.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-N7VSR.tmp\383af7126e2e28748b4b75c66cc3406933a935931185d37b672a033cb193a26c.tmp" /SL5="$4014E,1592193,247808,C:\Users\Admin\AppData\Local\Temp\383af7126e2e28748b4b75c66cc3406933a935931185d37b672a033cb193a26c.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1536
      • C:\Users\Admin\AppData\Local\Temp\383af7126e2e28748b4b75c66cc3406933a935931185d37b672a033cb193a26c.exe
        "C:\Users\Admin\AppData\Local\Temp\383af7126e2e28748b4b75c66cc3406933a935931185d37b672a033cb193a26c.exe" /VERYSILENT
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2892
        • C:\Users\Admin\AppData\Local\Temp\is-ID2JQ.tmp\383af7126e2e28748b4b75c66cc3406933a935931185d37b672a033cb193a26c.tmp
          "C:\Users\Admin\AppData\Local\Temp\is-ID2JQ.tmp\383af7126e2e28748b4b75c66cc3406933a935931185d37b672a033cb193a26c.tmp" /SL5="$7015A,1592193,247808,C:\Users\Admin\AppData\Local\Temp\383af7126e2e28748b4b75c66cc3406933a935931185d37b672a033cb193a26c.exe" /VERYSILENT
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:2996
          • C:\Windows\SysWOW64\regsvr32.exe
            "regsvr32.exe" /s /i:SYNC "C:\Users\Admin\AppData\Roaming\\6fwpuclnt_9.drv"
            5⤵
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2736
            • C:\Windows\system32\regsvr32.exe
              /s /i:SYNC "C:\Users\Admin\AppData\Roaming\\6fwpuclnt_9.drv"
              6⤵
              • Loads dropped DLL
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2636
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\Admin\AppData\Roaming\6fwpuclnt_9.drv' }) { exit 0 } else { exit 1 }"
                7⤵
                • Command and Scripting Interpreter: PowerShell
                • Drops file in System32 directory
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:2788
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"regsvr32\" -Argument \"/S /i:SYNC C:\Users\Admin\AppData\Roaming\6fwpuclnt_9.drv\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{9E858CBF-7D1C-4EA4-C44E-63236DDACBD7}' -Description 'MicrosoftEdgeUpdateTaskMachineUA' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -ExecutionTimeLimit 0) -RunLevel Highest"
                7⤵
                • Command and Scripting Interpreter: PowerShell
                • Drops file in System32 directory
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:2640

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\is-N7VSR.tmp\383af7126e2e28748b4b75c66cc3406933a935931185d37b672a033cb193a26c.tmp
    Filesize

    1.2MB

    MD5

    f4e0d271d78d0ab6f8eb7764c0c761f7

    SHA1

    59e01bf27764127d8772c804ddce134819c819e9

    SHA256

    a1885560cb6679cb42a6e992266ab8fdcf7e30ca5167f7c62ecf913501939869

    SHA512

    6e34e80b634a6274230f8e3682d8e6df7067ba5e2327461a280502298cb3a74d4afb8af69168ceff7e5ef44b1d664af87d153416b8c1fc8bc69fa2d44a633ee7

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmpD8F3.tmp
    Filesize

    20KB

    MD5

    c9ff7748d8fcef4cf84a5501e996a641

    SHA1

    02867e5010f62f97ebb0cfb32cb3ede9449fe0c9

    SHA256

    4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988

    SHA512

    d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

    Download Submit

  • C:\Users\Admin\AppData\Roaming\6fwpuclnt_9.drv
    Filesize

    3.4MB

    MD5

    499b7a906e7a12a4468195ffced35a1a

    SHA1

    4426c0e68ac85a5f2fa12367983191de110f5963

    SHA256

    653b829de89240b1fd1e6e850c8ba52741e1dd8aeb04baf946608bb00e0a558a

    SHA512

    247c9689aed0b0e069df128a1ea3c6337449e56b428f0f46e79bf7e77ebaaf1c9e449aa142bbeffe0f5218f4ad4a4985786a4537bac0b66cbb661f410d146893

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\Q4RW14VJAWWICWS432AC.temp
    Filesize

    7KB

    MD5

    e0a9af638b8085937bcee6e037b5447c

    SHA1

    cb82d7303f6632c1a799a722abef0eb433a439cf

    SHA256

    1f5f877cc402d13416d209222f1ec1bee4b71fe07df018da1b4472e1dc9758a7

    SHA512

    e46778c3601e4aa691d2f44be85db05f950e5321db667796fd36fdd6850e1e7986480d4e9492ecc947e44617f7049100901e8eee5280068d491ba91329bf3d71

    Download Submit

  • \Users\Admin\AppData\Local\Temp\is-04SNT.tmp\_isetup\_isdecmp.dll
    Filesize

    13KB

    MD5

    a813d18268affd4763dde940246dc7e5

    SHA1

    c7366e1fd925c17cc6068001bd38eaef5b42852f

    SHA256

    e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64

    SHA512

    b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

    Download Submit

  • \Users\Admin\AppData\Local\Temp\is-04SNT.tmp\_isetup\_shfoldr.dll
    Filesize

    22KB

    MD5

    92dc6ef532fbb4a5c3201469a5b5eb63

    SHA1

    3e89ff837147c16b4e41c30d6c796374e0b8e62c

    SHA256

    9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

    SHA512

    9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

    Download Submit

  • memory/1232-3-0x0000000000401000-0x0000000000417000-memory.dmp

    Filesize

    88KB

    Download

  • memory/1232-50-0x0000000000400000-0x0000000000447000-memory.dmp

    Filesize

    284KB

    Download

  • memory/1232-0-0x0000000000400000-0x0000000000447000-memory.dmp

    Filesize

    284KB

    Download

  • memory/1536-10-0x0000000000400000-0x0000000000542000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1536-24-0x0000000000400000-0x0000000000542000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2636-82-0x000007FEF5F20000-0x000007FEF627F000-memory.dmp

    Filesize

    3.4MB

    Download

  • memory/2636-72-0x000000001B240000-0x000000001B306000-memory.dmp

    Filesize

    792KB

    Download

  • memory/2640-70-0x0000000001D90000-0x0000000001D98000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2640-69-0x000000001B720000-0x000000001BA02000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2788-61-0x000000001B780000-0x000000001BA62000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2788-62-0x0000000001F70000-0x0000000001F78000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2892-53-0x0000000000400000-0x0000000000447000-memory.dmp

    Filesize

    284KB

    Download

  • memory/2892-22-0x0000000000400000-0x0000000000447000-memory.dmp

    Filesize

    284KB

    Download

  • memory/2892-25-0x0000000000400000-0x0000000000447000-memory.dmp

    Filesize

    284KB

    Download

  • memory/2996-51-0x0000000000400000-0x0000000000542000-memory.dmp

    Filesize

    1.3MB

    Download