sectoprat | 0c5359f0bf2662aec517a172d5aea118face4ea4313d23a91c9e8d4a0855f3ea

Analysis

max time kernel
136s
max time network
152s
platform
windows10-ltsc_2021_x64
resource
win10ltsc2021-20250314-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250314-enlocale:en-usos:windows10-ltsc_2021-x64system
submitted
01/04/2025, 19:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

GmRemote.exe
Size

465.5MB
MD5

8a8dd3810500ea0c1192ad5545193355
SHA1

e0fd714e9f56d08318805fb3106a9a22baca8be7
SHA256

03666f205e2c97737a5a15f8aff965a7b3728d684927568583db28957efd6b3d
SHA512

05a882c14ae5723fcfe99379f662827d9897ef27689f82f02e323b1f9cb134ed27e0ac73faeab4c271dc9369376535e04f772edfbdb0f96d27b04e275977cafb
SSDEEP

98304:MtrXE3k1Mol2a/d3hZmSHJLJfERO4bMBX0VgKDrY7R:R3W/d3qmJNfEAAMBXl7

Score

10^/10

sectoprat discovery rat trojan

Malware Config

Signatures

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 1 IoCs

resource	yara_rule
behavioral1/memory/3588-1386-0x0000000000400000-0x00000000004D4000-memory.dmp	family_sectoprat

Sectoprat family
sectoprat

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 2056 created 3668	2056	CasPol.exe	57

Executes dropped EXE 1 IoCs

pid	Process
3588	CasPol.exe

Loads dropped DLL 1 IoCs

pid	Process
2056	CasPol.exe

Checks for any installed AV software in registry 1 TTPs 8 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Avira\Security\UserInterface	GmRemote.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira\Security\UserInterface	GmRemote.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira\Security	GmRemote.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira	GmRemote.exe
Key created	\REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Avira\Security	GmRemote.exe
Key created	\REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Avira	GmRemote.exe
Key queried	\REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Avira	GmRemote.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira\Security	GmRemote.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1332 set thread context of 2056	1332	GmRemote.exe	87
PID 1332 set thread context of 4732	1332	GmRemote.exe	89
PID 2056 set thread context of 3588	2056	CasPol.exe	92

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GmRemote.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gpupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CasPol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CasPol.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
1332	GmRemote.exe
1332	GmRemote.exe
1332	GmRemote.exe
1332	GmRemote.exe
2056	CasPol.exe
2056	CasPol.exe
2056	CasPol.exe
2056	CasPol.exe
2056	CasPol.exe
4732	gpupdate.exe
4732	gpupdate.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
1332	GmRemote.exe
1332	GmRemote.exe
1332	GmRemote.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2056	CasPol.exe
Token: SeDebugPrivilege	2056	CasPol.exe
Token: SeDebugPrivilege	3588	CasPol.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
1332	GmRemote.exe
1332	GmRemote.exe
1332	GmRemote.exe
1332	GmRemote.exe
1332	GmRemote.exe

Suspicious use of SendNotifyMessage 5 IoCs

pid	Process
1332	GmRemote.exe
1332	GmRemote.exe
1332	GmRemote.exe
1332	GmRemote.exe
1332	GmRemote.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 1332 wrote to memory of 2056	1332	GmRemote.exe	87
PID 1332 wrote to memory of 2056	1332	GmRemote.exe	87
PID 1332 wrote to memory of 2056	1332	GmRemote.exe	87
PID 1332 wrote to memory of 2056	1332	GmRemote.exe	87
PID 1332 wrote to memory of 2056	1332	GmRemote.exe	87
PID 1332 wrote to memory of 4732	1332	GmRemote.exe	89
PID 1332 wrote to memory of 4732	1332	GmRemote.exe	89
PID 1332 wrote to memory of 4732	1332	GmRemote.exe	89
PID 1332 wrote to memory of 4732	1332	GmRemote.exe	89
PID 2056 wrote to memory of 3588	2056	CasPol.exe	92
PID 2056 wrote to memory of 3588	2056	CasPol.exe	92
PID 2056 wrote to memory of 3588	2056	CasPol.exe	92
PID 2056 wrote to memory of 3588	2056	CasPol.exe	92
PID 2056 wrote to memory of 3588	2056	CasPol.exe	92
PID 2056 wrote to memory of 3588	2056	CasPol.exe	92
PID 2056 wrote to memory of 3588	2056	CasPol.exe	92
PID 2056 wrote to memory of 3588	2056	CasPol.exe	92

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3668
- C:\Users\Admin\AppData\Local\Temp\GmRemote.exe
  "C:\Users\Admin\AppData\Local\Temp\GmRemote.exe"
  2⤵
  - Checks for any installed AV software in registry
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1332
- - C:\Users\Admin\AppData\Local\Temp\31081\CasPol.exe
    C:\Users\Admin\AppData\Local\Temp\31081\CasPol.exe
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2056
- - C:\Windows\SysWOW64\gpupdate.exe
    C:\Windows\SysWOW64\gpupdate.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4732
- C:\Users\Admin\AppData\Local\Temp\31081\CasPol.exe
  "C:\Users\Admin\AppData\Local\Temp\31081\CasPol.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Software Discovery

T1518

Security Software Discovery

T1518.001

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\31081\CasPol.exe

Filesize
99KB

MD5
f61fa5ce25f885a9b1f549055c9911ed

SHA1
aba1c035b06017b0b0bd1c712669646e4f3765ab

SHA256
57e9675902b443085e37ead57dfed97de6bb61321682bc93aff30f16b5ca5aeb

SHA512
02e3db343037294fd3b774f954c9a617a50715e6b89d7c409f3c7dc5a1cf5ed9418158c442e9e80111994da139a9a16db33ac68a833d6d115c4a41bdf75751ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\e609b91f

Filesize
2.8MB

MD5
9f2b0e4d218442927581577f52997f8d

SHA1
ab74e08d3a230260a545036c4ab423db1e4746e8

SHA256
47d20fa8d26cd6659bdcd45bce3a2666706d1e0b52b69ee023b58ac7e61bd936

SHA512
4f7db2f85793056884876be3506710833c2bed20b0fb0d13db0e347f28b4935fa20b1d5968b63f9877ea473aed6c8bf28dc91af0cacaeee43d63f31a87e44e8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\e9903f51

Filesize
2.7MB

MD5
bbad223de92ed8519bbebb71e7b5c1d5

SHA1
05abfd5abb3dc366a1afe35b0770de935f125fb5

SHA256
bdcd49db100facf506a508c5da8431cb833d5e090110e1795c189691a32ba324

SHA512
59eeee782abb26888b3c4ef9d60bebfbeac2e0f2f1273bdb7cb6c06799b41dbc5e43ad0534cd6da9033175a6b7a4844ce512293386d75aace899e584ed3edb9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\e9903f51

Filesize
2.7MB

MD5
fda77405b581a0fd65570580c9ae239b

SHA1
11de16125522c0d26582cd83051650f475d12c95

SHA256
c10a59d7c6f7603fd47987cb29da28726f7a744087c89b30a39c291952227c1d

SHA512
203a4ba031dd08cf7d42f681efbee5a9e20c046bab67600a1e1d712f369bea0f3320f86602605e44f677ffc2dd2d94dabba88edeeebd4be73f88ba7867e14cab

Download Submit
memory/1332-0-0x00000000009E0000-0x0000000000E59000-memory.dmp

Filesize
4.5MB

Download
memory/1332-6-0x0000000074EC0000-0x0000000074F0F000-memory.dmp

Filesize
316KB

Download
memory/1332-7-0x00007FF844A30000-0x00007FF844C28000-memory.dmp

Filesize
2.0MB

Download
memory/1332-10-0x0000000074ED4000-0x0000000074ED6000-memory.dmp

Filesize
8KB

Download
memory/1332-12-0x0000000074EC0000-0x0000000074F0F000-memory.dmp

Filesize
316KB

Download
memory/1332-17-0x0000000074EC0000-0x0000000074F0F000-memory.dmp

Filesize
316KB

Download
memory/1332-293-0x0000000074ED4000-0x0000000074ED6000-memory.dmp

Filesize
8KB

Download
memory/2056-69-0x0000000006280000-0x00000000063EB000-memory.dmp

Filesize
1.4MB

Download
memory/2056-47-0x0000000006280000-0x00000000063EB000-memory.dmp

Filesize
1.4MB

Download
memory/2056-19-0x000000007423E000-0x000000007423F000-memory.dmp

Filesize
4KB

Download
memory/2056-20-0x0000000005C20000-0x0000000005DBC000-memory.dmp

Filesize
1.6MB

Download
memory/2056-21-0x0000000074230000-0x00000000749E1000-memory.dmp

Filesize
7.7MB

Download
memory/2056-23-0x0000000006280000-0x00000000063F0000-memory.dmp

Filesize
1.4MB

Download
memory/2056-22-0x0000000074230000-0x00000000749E1000-memory.dmp

Filesize
7.7MB

Download
memory/2056-24-0x0000000074230000-0x00000000749E1000-memory.dmp

Filesize
7.7MB

Download
memory/2056-25-0x0000000074230000-0x00000000749E1000-memory.dmp

Filesize
7.7MB

Download
memory/2056-26-0x00000000069A0000-0x0000000006F46000-memory.dmp

Filesize
5.6MB

Download
memory/2056-27-0x00000000064D0000-0x0000000006562000-memory.dmp

Filesize
584KB

Download
memory/2056-31-0x0000000006280000-0x00000000063EB000-memory.dmp

Filesize
1.4MB

Download
memory/2056-33-0x0000000006280000-0x00000000063EB000-memory.dmp

Filesize
1.4MB

Download
memory/2056-59-0x0000000006280000-0x00000000063EB000-memory.dmp

Filesize
1.4MB

Download
memory/2056-61-0x0000000006280000-0x00000000063EB000-memory.dmp

Filesize
1.4MB

Download
memory/2056-79-0x0000000006280000-0x00000000063EB000-memory.dmp

Filesize
1.4MB

Download
memory/2056-77-0x0000000006280000-0x00000000063EB000-memory.dmp

Filesize
1.4MB

Download
memory/2056-73-0x0000000006280000-0x00000000063EB000-memory.dmp

Filesize
1.4MB

Download
memory/2056-71-0x0000000006280000-0x00000000063EB000-memory.dmp

Filesize
1.4MB

Download
memory/2056-67-0x0000000006280000-0x00000000063EB000-memory.dmp

Filesize
1.4MB

Download
memory/2056-63-0x0000000006280000-0x00000000063EB000-memory.dmp

Filesize
1.4MB

Download
memory/2056-75-0x0000000006280000-0x00000000063EB000-memory.dmp

Filesize
1.4MB

Download
memory/2056-57-0x0000000006280000-0x00000000063EB000-memory.dmp

Filesize
1.4MB

Download
memory/2056-13-0x0000000074B50000-0x0000000074DEA000-memory.dmp

Filesize
2.6MB

Download
memory/2056-55-0x0000000006280000-0x00000000063EB000-memory.dmp

Filesize
1.4MB

Download
memory/2056-65-0x0000000006280000-0x00000000063EB000-memory.dmp

Filesize
1.4MB

Download
memory/2056-53-0x0000000006280000-0x00000000063EB000-memory.dmp

Filesize
1.4MB

Download
memory/2056-51-0x0000000006280000-0x00000000063EB000-memory.dmp

Filesize
1.4MB

Download
memory/2056-49-0x0000000006280000-0x00000000063EB000-memory.dmp

Filesize
1.4MB

Download
memory/2056-18-0x0000000002810000-0x0000000002811000-memory.dmp

Filesize
4KB

Download
memory/2056-45-0x0000000006280000-0x00000000063EB000-memory.dmp

Filesize
1.4MB

Download
memory/2056-43-0x0000000006280000-0x00000000063EB000-memory.dmp

Filesize
1.4MB

Download
memory/2056-41-0x0000000006280000-0x00000000063EB000-memory.dmp

Filesize
1.4MB

Download
memory/2056-39-0x0000000006280000-0x00000000063EB000-memory.dmp

Filesize
1.4MB

Download
memory/2056-37-0x0000000006280000-0x00000000063EB000-memory.dmp

Filesize
1.4MB

Download
memory/2056-35-0x0000000006280000-0x00000000063EB000-memory.dmp

Filesize
1.4MB

Download
memory/2056-29-0x0000000006280000-0x00000000063EB000-memory.dmp

Filesize
1.4MB

Download
memory/2056-28-0x0000000006280000-0x00000000063EB000-memory.dmp

Filesize
1.4MB

Download
memory/2056-85-0x0000000006280000-0x00000000063EB000-memory.dmp

Filesize
1.4MB

Download
memory/2056-83-0x0000000006280000-0x00000000063EB000-memory.dmp

Filesize
1.4MB

Download
memory/2056-81-0x0000000006280000-0x00000000063EB000-memory.dmp

Filesize
1.4MB

Download
memory/2056-1368-0x0000000074230000-0x00000000749E1000-memory.dmp

Filesize
7.7MB

Download
memory/2056-1369-0x0000000006620000-0x00000000066E8000-memory.dmp

Filesize
800KB

Download
memory/2056-1370-0x0000000006840000-0x0000000006906000-memory.dmp

Filesize
792KB

Download
memory/2056-1371-0x0000000006570000-0x00000000065BC000-memory.dmp

Filesize
304KB

Download
memory/2056-1372-0x0000000007100000-0x0000000007154000-memory.dmp

Filesize
336KB

Download
memory/2056-1373-0x0000000074230000-0x00000000749E1000-memory.dmp

Filesize
7.7MB

Download
memory/2056-1375-0x0000000002810000-0x0000000002811000-memory.dmp

Filesize
4KB

Download
memory/2056-1379-0x0000000074230000-0x00000000749E1000-memory.dmp

Filesize
7.7MB

Download
memory/2056-1384-0x0000000074230000-0x00000000749E1000-memory.dmp

Filesize
7.7MB

Download
memory/2056-1383-0x0000000074230000-0x00000000749E1000-memory.dmp

Filesize
7.7MB

Download
memory/2056-1385-0x0000000074230000-0x00000000749E1000-memory.dmp

Filesize
7.7MB

Download
memory/3588-1387-0x0000000074230000-0x00000000749E1000-memory.dmp

Filesize
7.7MB

Download
memory/3588-1386-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/3588-1388-0x0000000074230000-0x00000000749E1000-memory.dmp

Filesize
7.7MB

Download
memory/3588-1389-0x00000000056B0000-0x0000000005700000-memory.dmp

Filesize
320KB

Download
memory/3588-1390-0x0000000005960000-0x0000000005B22000-memory.dmp

Filesize
1.8MB

Download
memory/3588-1394-0x0000000074230000-0x00000000749E1000-memory.dmp

Filesize
7.7MB

Download
memory/4732-1391-0x0000000074EC1000-0x0000000074ED0000-memory.dmp

Filesize
60KB

Download
memory/4732-1397-0x0000000074EC1000-0x0000000074ED0000-memory.dmp

Filesize
60KB

Download