Overview

overview

10

Static

static

10

SLAGGGLX.msi

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07/04/2025, 12:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SLAGGGLX.msi

  • Size

    6.2MB

  • MD5

    e1b11ab17b672dc15339a4eea17d3be7

  • SHA1

    7dd1111c168f544929caf7e1ba8b2d790aa5ce77

  • SHA256

    7a79c311f24811999c14cef556da34f933dfd82b1a568b064034634941314369

  • SHA512

    37e2a1d26a6386e25fff7cd6e23742565f96fdcf6967e953d5767a3d4378a26bf9959c4ab4c38401f79812ff395ee9b907eea93917b8d2035971869db17fffc1

  • SSDEEP

    98304:TRJYyhT6Sug1IPY2hiLOORwc3xyoZMEHGgS6y4wi36gZByUBXGo7FQ3:t9GjoKo/S6y4ZdZsUBXGYQ3

Score
10/10
sectopratdiscoverypersistenceprivilege_escalationrattrojan

Malware Config

Signatures

  • SectopRAT

    SectopRAT is a remote access trojan first seen in November 2019.

    trojanratsectoprat
  • SectopRAT payload 1 IoCs
  • Sectoprat family
    sectoprat
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of SetThreadContext 2 IoCs
  • Executes dropped EXE 12 IoCs
  • Loads dropped DLL 11 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
    persistenceprivilege_escalation
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious behavior: MapViewOfSection 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\SLAGGGLX.msi
    1⤵
    • Enumerates connected drives
    • Event Triggered Execution: Installer Packages
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:1580
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3684
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 2EEDE541E6B5039A3F143FBA8CCA9777 C
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1604
      • C:\Users\Admin\AppData\Local\Temp\{1318CFE0-8AA1-4EF7-A12C-08C50617D2C8}\ISBEW64.exe
        C:\Users\Admin\AppData\Local\Temp\{1318CFE0-8AA1-4EF7-A12C-08C50617D2C8}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{FE5D5C68-B4E5-4495-B381-7710215C469F}
        3⤵
        • Executes dropped EXE
        PID:2784
      • C:\Users\Admin\AppData\Local\Temp\{1318CFE0-8AA1-4EF7-A12C-08C50617D2C8}\ISBEW64.exe
        C:\Users\Admin\AppData\Local\Temp\{1318CFE0-8AA1-4EF7-A12C-08C50617D2C8}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{671D77A7-9895-4EFE-B67E-9A1B97844399}
        3⤵
        • Executes dropped EXE
        PID:1004
      • C:\Users\Admin\AppData\Local\Temp\{1318CFE0-8AA1-4EF7-A12C-08C50617D2C8}\ISBEW64.exe
        C:\Users\Admin\AppData\Local\Temp\{1318CFE0-8AA1-4EF7-A12C-08C50617D2C8}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{197A1AC1-5E2D-4F07-81A8-4A12FFA3EEC8}
        3⤵
        • Executes dropped EXE
        PID:2992
      • C:\Users\Admin\AppData\Local\Temp\{1318CFE0-8AA1-4EF7-A12C-08C50617D2C8}\ISBEW64.exe
        C:\Users\Admin\AppData\Local\Temp\{1318CFE0-8AA1-4EF7-A12C-08C50617D2C8}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{1E0ADEC0-018D-4C68-BCBB-76C4BD2DF2C5}
        3⤵
        • Executes dropped EXE
        PID:1372
      • C:\Users\Admin\AppData\Local\Temp\{1318CFE0-8AA1-4EF7-A12C-08C50617D2C8}\ISBEW64.exe
        C:\Users\Admin\AppData\Local\Temp\{1318CFE0-8AA1-4EF7-A12C-08C50617D2C8}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{FA0EF0AD-88C8-4DEB-929A-5B63295D7B3C}
        3⤵
        • Executes dropped EXE
        PID:4916
      • C:\Users\Admin\AppData\Local\Temp\{1318CFE0-8AA1-4EF7-A12C-08C50617D2C8}\ISBEW64.exe
        C:\Users\Admin\AppData\Local\Temp\{1318CFE0-8AA1-4EF7-A12C-08C50617D2C8}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{D52931A5-B24E-4990-896C-2168CF4ACC9D}
        3⤵
        • Executes dropped EXE
        PID:3760
      • C:\Users\Admin\AppData\Local\Temp\{1318CFE0-8AA1-4EF7-A12C-08C50617D2C8}\ISBEW64.exe
        C:\Users\Admin\AppData\Local\Temp\{1318CFE0-8AA1-4EF7-A12C-08C50617D2C8}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{A6AFE46F-7026-4317-9D87-108A7AC03C34}
        3⤵
        • Executes dropped EXE
        PID:1784
      • C:\Users\Admin\AppData\Local\Temp\{1318CFE0-8AA1-4EF7-A12C-08C50617D2C8}\ISBEW64.exe
        C:\Users\Admin\AppData\Local\Temp\{1318CFE0-8AA1-4EF7-A12C-08C50617D2C8}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{206733EE-FDB2-415F-B706-A5EADBD3E746}
        3⤵
        • Executes dropped EXE
        PID:2028
      • C:\Users\Admin\AppData\Local\Temp\{1318CFE0-8AA1-4EF7-A12C-08C50617D2C8}\ISBEW64.exe
        C:\Users\Admin\AppData\Local\Temp\{1318CFE0-8AA1-4EF7-A12C-08C50617D2C8}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{345CBCF9-A21F-4E4E-BF74-4F00C3B5542F}
        3⤵
        • Executes dropped EXE
        PID:4264
      • C:\Users\Admin\AppData\Local\Temp\{1318CFE0-8AA1-4EF7-A12C-08C50617D2C8}\ISBEW64.exe
        C:\Users\Admin\AppData\Local\Temp\{1318CFE0-8AA1-4EF7-A12C-08C50617D2C8}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{0919C186-932C-4D9E-98C7-F4D995941EB6}
        3⤵
        • Executes dropped EXE
        PID:3552
      • C:\Users\Admin\AppData\Local\Temp\{863FABF4-DA7E-4BC5-89EA-A2CAC9E6821B}\SplashWin.exe
        C:\Users\Admin\AppData\Local\Temp\{863FABF4-DA7E-4BC5-89EA-A2CAC9E6821B}\SplashWin.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:3336
        • C:\Users\Admin\AppData\Roaming\Protectchrome_beta\SplashWin.exe
          C:\Users\Admin\AppData\Roaming\Protectchrome_beta\SplashWin.exe
          4⤵
          • Suspicious use of SetThreadContext
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of WriteProcessMemory
          PID:1900
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\SysWOW64\cmd.exe
            5⤵
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of WriteProcessMemory
            PID:2124
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
              C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
              6⤵
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of SetWindowsHookEx
              PID:1192

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\9848afed
    Filesize

    1.5MB

    MD5

    3014016c60d0fac93efd0294ef170a68

    SHA1

    fa5952244772be412eec31f6d939ed9509dc5546

    SHA256

    ec654860405da3239d2a627db7a68cb0a3f1c6048ff36e25cd640f065be53274

    SHA512

    f53c40f0bcb83912ec7a72156fbadbd3a1efab6c088a73d730bfe9dd25487a51931a2aff0974f7c9150d9f51d2756bad1ceb29dc5f6cd7ae078a3444dc180e15

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MSIE30D.tmp
    Filesize

    171KB

    MD5

    a0e940a3d3c1523416675125e3b0c07e

    SHA1

    2e29eeba6da9a4023bc8071158feee3b0277fd1b

    SHA256

    b8fa7aa425e4084ea3721780a13d11e08b8d53d1c5414b73f22faeca1bfd314f

    SHA512

    736ea06824388372aeef1938c6b11e66f4595e0b0589d7b4a87ff4abbabe52e82dff64d916293eab47aa869cf372ced2c66755dd8a8471b2ab0d3a37ba91d0b2

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MSIE4D3.tmp
    Filesize

    2.5MB

    MD5

    8ef0166db3891637809a4ce2c1aa4482

    SHA1

    14d19d5e1a64faf349bfcdcb0f50c5d0a2701bed

    SHA256

    fdca52ae3ded7176a8e02c5429f5ad36df2943190b7c592a23cc35394655876d

    SHA512

    ad368f242899e8a9fc3a4bdd871a3f4af029f0ebd26c618278ddfe2d33e1ad41080993a949756640b0cd915c2c88d3114ebe8563b0d31b3e1a01e79e70b7bdd6

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\{1318CFE0-8AA1-4EF7-A12C-08C50617D2C8}\ISBEW64.exe
    Filesize

    178KB

    MD5

    40f3a092744e46f3531a40b917cca81e

    SHA1

    c73f62a44cb3a75933cecf1be73a48d0d623039b

    SHA256

    561f14cdece85b38617403e1c525ff0b1b752303797894607a4615d0bd66f97f

    SHA512

    1589b27db29051c772e5ba56953d9f798efbf74d75e0524fa8569df092d28960972779811a7916198d0707d35b1093d3e0dd7669a8179c412cfa7df7120733b2

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\{1318CFE0-8AA1-4EF7-A12C-08C50617D2C8}\ISRT.dll
    Filesize

    426KB

    MD5

    8af02bf8e358e11caec4f2e7884b43cc

    SHA1

    16badc6c610eeb08de121ab268093dd36b56bf27

    SHA256

    58a724d23c63387a2dda27ccfdbc8ca87fd4db671bea8bb636247667f6a5a11e

    SHA512

    d0228a8cc93ff6647c2f4ba645fa224dc9d114e2adb5b5d01670b6dafc2258b5b1be11629868748e77b346e291974325e8e8e1192042d7c04a35fc727ad4e3fd

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\{1318CFE0-8AA1-4EF7-A12C-08C50617D2C8}\_isres_0x0409.dll
    Filesize

    1.8MB

    MD5

    7de024bc275f9cdeaf66a865e6fd8e58

    SHA1

    5086e4a26f9b80699ea8d9f2a33cead28a1819c0

    SHA256

    bd32468ee7e8885323f22eabbff9763a0f6ffef3cc151e0bd0481df5888f4152

    SHA512

    191c57e22ea13d13806dd390c4039029d40c7532918618d185d8a627aabc3969c7af2e532e3c933bde8f652b4723d951bf712e9ba0cc0d172dde693012f5ef1a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\{863FABF4-DA7E-4BC5-89EA-A2CAC9E6821B}\DuiLib_u.dll
    Filesize

    860KB

    MD5

    83495e5db2654bcec3948ee486424599

    SHA1

    8a86af21864f565567cc4cc1f021f08b2e9febaa

    SHA256

    e770be8fba337cc01e24c7f059368526a804d2af64136a39bb84adeebcf9cfbc

    SHA512

    b4dbdfff0501fb3ba912556a25a64da38d3872bc31c94cc2395d6567b786cbbe104fd6178f019f8efba08dc5abcd964616a99d886b74aa80014b1c09ba7e9c41

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\{863FABF4-DA7E-4BC5-89EA-A2CAC9E6821B}\MSVCP140.dll
    Filesize

    437KB

    MD5

    e9f00dd8746712610706cbeffd8df0bd

    SHA1

    5004d98c89a40ebf35f51407553e38e5ca16fb98

    SHA256

    4cb882621a3d1c6283570447f842801b396db1b3dcd2e01c2f7002efd66a0a97

    SHA512

    4d1ce1fc92cea60859b27ca95ca1d1a7c2bec4e2356f87659a69bab9c1befa7a94a2c64669cef1c9dadf9d38ab77e836fe69acdda0f95fa1b32cba9e8c6bb554

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\{863FABF4-DA7E-4BC5-89EA-A2CAC9E6821B}\SplashWin.exe
    Filesize

    446KB

    MD5

    4d20b83562eec3660e45027ad56fb444

    SHA1

    ff6134c34500a8f8e5881e6a34263e5796f83667

    SHA256

    c5e650b331fa5292872fdaede3a75c8167a0f1280ce0cd3d58b880d23854bdb1

    SHA512

    718bd66fcff80b8008a4523d88bd726cdbc95e6e7bdb3f50e337e291294505ed54e6f5995d431968b85415e96f6f7ed37381ca021401ad57fda3b08a1f0c27f4

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\{863FABF4-DA7E-4BC5-89EA-A2CAC9E6821B}\VCRUNTIME140.dll
    Filesize

    74KB

    MD5

    a554e4f1addc0c2c4ebb93d66b790796

    SHA1

    9fbd1d222da47240db92cd6c50625eb0cf650f61

    SHA256

    e610cdac0a37147919032d0d723b967276c217ff06ea402f098696ab4112512a

    SHA512

    5f3253f071da3e0110def888682d255186f2e2a30a8480791c0cad74029420033b5c90f818ae845b5f041ee4005f6de174a687aca8f858371026423f017902cc

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\{863FABF4-DA7E-4BC5-89EA-A2CAC9E6821B}\diorama.json
    Filesize

    55KB

    MD5

    61947293abc79f5e003ac42d9b7489f4

    SHA1

    9386c10a6441a395385007130f1aa6916b22881a

    SHA256

    57414bda77d468f6573672aaa7b1b68e38ae511ab5be187c227232a054c257bb

    SHA512

    6c90d23c9ce0a3d2880c7e0bf056df32de9701ce5e3c210967e04a67c7730fc9b341ed46641390cd49a645c49c6c6ab7a63710df0814ae75cfb32d7fef43903f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\{863FABF4-DA7E-4BC5-89EA-A2CAC9E6821B}\fizgig.avi
    Filesize

    1.2MB

    MD5

    8d9c4ece45c257a48932b83edf0691b0

    SHA1

    6b047cd45ff1648fb37d6b9f7b41507980682999

    SHA256

    c3bc9f3ecc43a5ac5fc069c74f71b69e4cc62a1e48a6412af183a25e7d2eca94

    SHA512

    58f3e0b839a324ff7e3fe5c5416cb77a35595075d89ae48bca099e7fe94be598822cebf183cc7049d96f638217efefb7fd65cd62ad6624d471236c4dd33df503

    Download Submit

  • memory/1192-103-0x0000000004E00000-0x0000000004E76000-memory.dmp

    Filesize

    472KB

    Download

  • memory/1192-104-0x00000000054F0000-0x0000000005A94000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/1192-110-0x0000000007480000-0x000000000748A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1192-109-0x0000000005C20000-0x0000000005C86000-memory.dmp

    Filesize

    408KB

    Download

  • memory/1192-108-0x00000000054A0000-0x00000000054BE000-memory.dmp

    Filesize

    120KB

    Download

  • memory/1192-107-0x00000000060D0000-0x00000000065FC000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/1192-106-0x00000000051C0000-0x0000000005382000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/1192-105-0x0000000004FA0000-0x0000000004FF0000-memory.dmp

    Filesize

    320KB

    Download

  • memory/1192-102-0x0000000004EA0000-0x0000000004F32000-memory.dmp

    Filesize

    584KB

    Download

  • memory/1192-98-0x00000000724C0000-0x0000000073714000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/1192-101-0x0000000000720000-0x00000000007EC000-memory.dmp

    Filesize

    816KB

    Download

  • memory/1604-39-0x0000000002E70000-0x0000000003037000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/1604-34-0x0000000010000000-0x0000000010114000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/1900-91-0x0000000073720000-0x000000007389B000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/1900-90-0x00007FF99AF50000-0x00007FF99B145000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1900-87-0x0000000073720000-0x000000007389B000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/2124-96-0x0000000073720000-0x000000007389B000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/2124-94-0x00007FF99AF50000-0x00007FF99B145000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3336-60-0x0000000073680000-0x00000000737FB000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/3336-61-0x00007FF99AF50000-0x00007FF99B145000-memory.dmp

    Filesize

    2.0MB

    Download