Analysis
-
max time kernel
105s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20250313-en -
resource tags
-
submitted
02/04/2025, 20:16
General
-
Target
55.msi
-
Size
5.0MB
-
MD5
e58d905d9e1529e987c9a82a74ce29c9
-
SHA1
b305eef82dc620e836ada7b56de9e98b077bf118
-
SHA256
87f7e5081a34770f1277d101c4ae40126623195cbce621196bde10e46df704b1
-
SHA512
ff0d482d98676b1ffdfdb82ce7ba1327bde0d92deee583335ea5d93e7e8aa81aeae9b59753646fc4d12ee553e7254f654caffaee28d3756030912c7ce729ccfb
-
SSDEEP
98304:3Yqd1A4isy2+mnoWNO6wM8UBc9XzAwC2PBpQrkLa8:pZi6+LWNHwZUBcZzvPBpek
Malware Config
Signatures
-
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
-
SectopRAT payload 1 IoCs
-
Sectoprat family
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
-
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Suspicious use of SetThreadContext 3 IoCs
-
Drops file in Windows directory 12 IoCs
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 5 IoCs
-
Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 17 IoCs
-
Suspicious behavior: MapViewOfSection 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of WriteProcessMemory 25 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\55.msi2⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
-
C:\Users\Admin\AppData\Local\Temp\31084\CasPol.exe"C:\Users\Admin\AppData\Local\Temp\31084\CasPol.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\srtasks.exeC:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:22⤵
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 8F7C263F3EA392CFDAF366F449B784012⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Roaming\Cruse\vmnetdhcp.exe"C:\Users\Admin\AppData\Roaming\Cruse\vmnetdhcp.exe"2⤵
- Suspicious use of SetThreadContext
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\31084\CasPol.exeC:\Users\Admin\AppData\Local\Temp\31084\CasPol.exe3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of SetThreadContext
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
-
C:\Windows\SysWOW64\gpupdate.exeC:\Windows\SysWOW64\gpupdate.exe3⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
11KB
MD522ba5724805f607ef23c445f960d408d
SHA13d66dc1811713721cd60981c313e80f5243af16b
SHA25659953de8de570bd65daf695eb36468ae96a8e30a0699b4ea583f8853f65abc40
SHA512df12a80afdf52a8b3c7a89a55edaef4b785d307ef63554b649394b51874bb8f84314ad1b55b58f570c18493067595045ca7837a4e38524e9940a4a6b00c02018
-
Filesize
99KB
MD5f61fa5ce25f885a9b1f549055c9911ed
SHA1aba1c035b06017b0b0bd1c712669646e4f3765ab
SHA25657e9675902b443085e37ead57dfed97de6bb61321682bc93aff30f16b5ca5aeb
SHA51202e3db343037294fd3b774f954c9a617a50715e6b89d7c409f3c7dc5a1cf5ed9418158c442e9e80111994da139a9a16db33ac68a833d6d115c4a41bdf75751ac
-
Filesize
2.9MB
MD51c016531f2b109e3c8e06895188c3c79
SHA10f56fc7890cadb94a1029474912dab7b146a7376
SHA2563e4dd65697cca5eae6361ea44145249a0978c945529d45015e4ede084977b99c
SHA51287dba3edec8951052b21230ce69c1d948d93268c86ed3d7e579d2c3341b9d03803ba8d76b5079f74590f41196eb15efebfb8530a0a646419500eef0cce83cc42
-
Filesize
2.7MB
MD50d39159811dec9412031a92816ac44b2
SHA1ae4c591b2c33a27499a86063be288000306007b6
SHA2562771a1a197aefe31af95625a77db8ae6f3bcc5b537236135a1456071b1eb1f6e
SHA512bb5e125dea8bceadc212243df2bbb6899b4cd2a900bb7e9d9799c559f380ecb22c4726ceec47155c6149450848879fcc32a17db68ace513192d8023f1d1baeda
-
Filesize
2.7MB
MD55c00a937bde3335dfb6366166a733217
SHA1929811910055f95454487344a7774f6094fd1c28
SHA2560563185a2aa68b76deb6a9021696ebfa6e6cadbd641c942ac26483671979f952
SHA51297b1ad970351d5a6202860e4d82d99bf14db49d92f50f4a8143c3e14496bb60c2d39147821a12b9b21b76985d5a833e42707dc7cf477ab8bba210247827ff67e
-
Filesize
386KB
MD572b1c6699ddc2baab105d32761285df2
SHA1fc85e9fb190f205e6752624a5231515c4ee4e155
SHA256bf7f6f7e527ab8617766bb7a21c21b2895b5275c0e808756c2aadcd66eff8a97
SHA512cde1e754d8dfb2fa55db243517b5dd3d75b209ea6387ef2e4be6157875e536db2373f23434a9e66c119150301c7b7cdf97de5a5544d94c03247b4ae716cbc170
-
Filesize
5.0MB
MD5e58d905d9e1529e987c9a82a74ce29c9
SHA1b305eef82dc620e836ada7b56de9e98b077bf118
SHA25687f7e5081a34770f1277d101c4ae40126623195cbce621196bde10e46df704b1
SHA512ff0d482d98676b1ffdfdb82ce7ba1327bde0d92deee583335ea5d93e7e8aa81aeae9b59753646fc4d12ee553e7254f654caffaee28d3756030912c7ce729ccfb
-
Filesize
24.1MB
MD577959008b8294a192f52e9003570645d
SHA1780e9e42eab0bee317ead1cd21524a0aaa5d96ad
SHA256f6032bee53be7e13905ac3c459f0e75e27d35033ab4f718c70c65242dcec9be8
SHA51210247117303ed99af89814b07bc478889bbe332f04c1839c0060d382497251a63a8c57a4b27ad25307e4f80086655fb27794b6f0626a2f7d3d815a399ca41bae
-
Filesize
6KB
MD5cc296c14cd3deac18599ba0780012d99
SHA19b4af22689b5dba65e3fcea3c3c5f7dc0f64e4ce
SHA2568f9bdab3c17928a15d4aa3da88fcb5df62f5f705ba2d00b419902e5af9a734cd
SHA5127795b7ba3195912626b4c0f57c655e239cd3bbf6a7302072cccde27caf733f7108726b6b073b476065f1deca13bdb2125a157a0824388dd16d6e48764f2d089a
-
Filesize
1.8MB
-
Filesize
320KB
-
Filesize
848KB
-
Filesize
584KB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
792KB
-
Filesize
800KB
-
Filesize
304KB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
336KB
-
Filesize
5.6MB
-
Filesize
1.6MB
-
Filesize
1.8MB
-
Filesize
1.4MB
-
Filesize
2.6MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
4.8MB
-
Filesize
316KB
-
Filesize
2.0MB
-
Filesize
316KB