Analysis
-
max time kernel
137s -
max time network
139s -
platform
windows10-2004_x64 -
resource
win10v2004-20250313-en -
resource tags
-
submitted
02/04/2025, 19:55
General
-
Target
55.msi
-
Size
5.0MB
-
MD5
e58d905d9e1529e987c9a82a74ce29c9
-
SHA1
b305eef82dc620e836ada7b56de9e98b077bf118
-
SHA256
87f7e5081a34770f1277d101c4ae40126623195cbce621196bde10e46df704b1
-
SHA512
ff0d482d98676b1ffdfdb82ce7ba1327bde0d92deee583335ea5d93e7e8aa81aeae9b59753646fc4d12ee553e7254f654caffaee28d3756030912c7ce729ccfb
-
SSDEEP
98304:3Yqd1A4isy2+mnoWNO6wM8UBc9XzAwC2PBpQrkLa8:pZi6+LWNHwZUBcZzvPBpek
Malware Config
Signatures
-
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
-
SectopRAT payload 1 IoCs
-
Sectoprat family
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
-
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Suspicious use of SetThreadContext 3 IoCs
-
Drops file in Windows directory 12 IoCs
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 5 IoCs
-
Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 17 IoCs
-
Suspicious behavior: MapViewOfSection 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of WriteProcessMemory 25 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\55.msi2⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
-
C:\Users\Admin\AppData\Local\Temp\31084\CasPol.exe"C:\Users\Admin\AppData\Local\Temp\31084\CasPol.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\srtasks.exeC:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:22⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 2F1E3C82BBAC484A1568BAA2E42F65162⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Roaming\Cruse\vmnetdhcp.exe"C:\Users\Admin\AppData\Roaming\Cruse\vmnetdhcp.exe"2⤵
- Suspicious use of SetThreadContext
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\31084\CasPol.exeC:\Users\Admin\AppData\Local\Temp\31084\CasPol.exe3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of SetThreadContext
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
-
C:\Windows\SysWOW64\gpupdate.exeC:\Windows\SysWOW64\gpupdate.exe3⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
11KB
MD5834eee26bf0f70bb3d2c0994c7832b2a
SHA1c7d5cd171ce0a45420e567f28071e6555f353f3f
SHA256222d9799f831a96e01fe3b099dda5230af67fc30b04634610c66f8fb701810fc
SHA512cc4855c29429309a1ade08003ef7d7551c4daa07be64fac7373bb61b8207a67b1146af90625dd559f0f94986acf66e1cbd23296f2d39071f799450904d15b471
-
Filesize
99KB
MD5f61fa5ce25f885a9b1f549055c9911ed
SHA1aba1c035b06017b0b0bd1c712669646e4f3765ab
SHA25657e9675902b443085e37ead57dfed97de6bb61321682bc93aff30f16b5ca5aeb
SHA51202e3db343037294fd3b774f954c9a617a50715e6b89d7c409f3c7dc5a1cf5ed9418158c442e9e80111994da139a9a16db33ac68a833d6d115c4a41bdf75751ac
-
Filesize
2.9MB
MD51c016531f2b109e3c8e06895188c3c79
SHA10f56fc7890cadb94a1029474912dab7b146a7376
SHA2563e4dd65697cca5eae6361ea44145249a0978c945529d45015e4ede084977b99c
SHA51287dba3edec8951052b21230ce69c1d948d93268c86ed3d7e579d2c3341b9d03803ba8d76b5079f74590f41196eb15efebfb8530a0a646419500eef0cce83cc42
-
Filesize
2.7MB
MD56175c90b900916be2ad6586f60642b78
SHA1f45f724c60ff0ae22e043d37bcdd3da766ba8972
SHA256816c6921085cd6c45f09fd9cc8221a08633b1a3dd11a79f7a97411ca0e4e10b5
SHA51289e36cab7f37b70af98c4bfc2400d2c5d1e3a508b54f768ded6323a93726ec5070c309951524949359b6a8c6384b19671f4b5f68990c56c9e8ea9e826d8071d8
-
Filesize
2.7MB
MD59c81f7f9b89fc3f85b48134b270cea87
SHA188d15871eb7581ff8e6e4a79e2e235a07fcc4f66
SHA256535f5ffd688c2076155f3b9e270bdf8c6eabca53656443e620ff023f328860c5
SHA51224f52f2a4935d58a28ba9b5c250e3dd5b1b644e5f9f4be4ad250c1059eafb78b4c430a9d245641a868ce21e0ea5dc29b5ae06bc82f8427d41a7f18e69f1a0719
-
Filesize
386KB
MD572b1c6699ddc2baab105d32761285df2
SHA1fc85e9fb190f205e6752624a5231515c4ee4e155
SHA256bf7f6f7e527ab8617766bb7a21c21b2895b5275c0e808756c2aadcd66eff8a97
SHA512cde1e754d8dfb2fa55db243517b5dd3d75b209ea6387ef2e4be6157875e536db2373f23434a9e66c119150301c7b7cdf97de5a5544d94c03247b4ae716cbc170
-
Filesize
5.0MB
MD5e58d905d9e1529e987c9a82a74ce29c9
SHA1b305eef82dc620e836ada7b56de9e98b077bf118
SHA25687f7e5081a34770f1277d101c4ae40126623195cbce621196bde10e46df704b1
SHA512ff0d482d98676b1ffdfdb82ce7ba1327bde0d92deee583335ea5d93e7e8aa81aeae9b59753646fc4d12ee553e7254f654caffaee28d3756030912c7ce729ccfb
-
Filesize
24.1MB
MD545802cbaf3d088b85e451462d2b9b98a
SHA10457562c69a7c061eb26ec9dac733cbe665d7c64
SHA256a05cbc3b12c6f9a1581ba4c05fb4096b233d0d007f0a6bbc2fe0054338a1a412
SHA51229feef3f35a91592f28b532056812d1a3cddf59b24cdfcc5ab5b1d2808bbddedb0033f30d3ce034741b3e7ff242140b49579091cafac3f537a25afd0b402833f
-
Filesize
6KB
MD5411c8bdf5109cb08e932d7ff00dfb861
SHA1e2ae93fb86402ac2821358b5e8673bc49eff2df3
SHA25626713b67c24deae095f9396077eac052a806a844ca8af71026a481296aa45d34
SHA5127404f7156ffc14d9d53a70e850ab182af859591ca87939ead3e5d60183f6a309af5c0871888a29dd70f681ef36665843e5ad5f5016bedc5e5d685f6affa13149
-
Filesize
4.8MB
-
Filesize
2.0MB
-
Filesize
316KB
-
Filesize
316KB
-
Filesize
1.8MB
-
Filesize
320KB
-
Filesize
584KB
-
Filesize
848KB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
800KB
-
Filesize
792KB
-
Filesize
304KB
-
Filesize
5.6MB
-
Filesize
336KB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.6MB
-
Filesize
2.6MB