Analysis
-
max time kernel
139s -
max time network
143s -
platform
windows10-2004_x64 -
resource
win10v2004-20250314-en -
resource tags
-
submitted
07/04/2025, 12:21
General
-
Target
msi (5).msi
-
Size
33.4MB
-
MD5
0883973200bb9fc4d641690284d6e052
-
SHA1
50a1aa74fade4aad8dc76f264a73973d2667b17d
-
SHA256
4e7243907d83bb073b054ce1eb3508fdd234623b3570c077fa7c0c35ea7e90fc
-
SHA512
a4cb67d2d51632d29d57df9a89cb0e2e5b6fdaa3931455a8b2b66460da82dde7183b8058f910748057a2c791574e920075d32da4b11c1c71b73e7fc1f290e0d6
-
SSDEEP
393216:O/u6I9kN75OTLwxaEPnrIzIn/y+NLhxaBJ8oWhKUzLkWEKC+5ylVgTKO/fJ+rFOI:jDEPnelVFLWTUvwrp47
Malware Config
Signatures
-
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
-
SectopRAT payload 1 IoCs
-
Sectoprat family
-
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Suspicious use of SetThreadContext 2 IoCs
-
Executes dropped EXE 12 IoCs
-
Loads dropped DLL 9 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
-
Suspicious behavior: MapViewOfSection 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of WriteProcessMemory 38 IoCs
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\msi (5).msi"1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 5FDEEC5126D8114F88439EF1DF320383 C2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\{8EF33731-5212-4F8F-8B42-9DB2E47AE33A}\ISBEW64.exeC:\Users\Admin\AppData\Local\Temp\{8EF33731-5212-4F8F-8B42-9DB2E47AE33A}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{0132B106-0705-49FE-90CB-4FB7A1468CC7}3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\{8EF33731-5212-4F8F-8B42-9DB2E47AE33A}\ISBEW64.exeC:\Users\Admin\AppData\Local\Temp\{8EF33731-5212-4F8F-8B42-9DB2E47AE33A}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{2D34730E-05F0-4D08-AC00-A42C5B1F42CB}3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\{8EF33731-5212-4F8F-8B42-9DB2E47AE33A}\ISBEW64.exeC:\Users\Admin\AppData\Local\Temp\{8EF33731-5212-4F8F-8B42-9DB2E47AE33A}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{ECB2DEA3-3782-40CD-97CE-D730DBF47163}3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\{8EF33731-5212-4F8F-8B42-9DB2E47AE33A}\ISBEW64.exeC:\Users\Admin\AppData\Local\Temp\{8EF33731-5212-4F8F-8B42-9DB2E47AE33A}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{AF933E79-1082-4952-B3E7-8D6F77772E16}3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\{8EF33731-5212-4F8F-8B42-9DB2E47AE33A}\ISBEW64.exeC:\Users\Admin\AppData\Local\Temp\{8EF33731-5212-4F8F-8B42-9DB2E47AE33A}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{A917AA90-98E2-4517-9800-7195E47BBB71}3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\{8EF33731-5212-4F8F-8B42-9DB2E47AE33A}\ISBEW64.exeC:\Users\Admin\AppData\Local\Temp\{8EF33731-5212-4F8F-8B42-9DB2E47AE33A}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{E5302914-0A06-41A7-8682-1B6A87F61250}3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\{8EF33731-5212-4F8F-8B42-9DB2E47AE33A}\ISBEW64.exeC:\Users\Admin\AppData\Local\Temp\{8EF33731-5212-4F8F-8B42-9DB2E47AE33A}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{03DB2932-0469-4581-A824-E107CCA42DEA}3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\{8EF33731-5212-4F8F-8B42-9DB2E47AE33A}\ISBEW64.exeC:\Users\Admin\AppData\Local\Temp\{8EF33731-5212-4F8F-8B42-9DB2E47AE33A}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{B270001F-F140-429A-A468-9E67A7B1E7F3}3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\{8EF33731-5212-4F8F-8B42-9DB2E47AE33A}\ISBEW64.exeC:\Users\Admin\AppData\Local\Temp\{8EF33731-5212-4F8F-8B42-9DB2E47AE33A}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{76D18E57-3E80-477F-99CC-2F00BA6DF87B}3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\{8EF33731-5212-4F8F-8B42-9DB2E47AE33A}\ISBEW64.exeC:\Users\Admin\AppData\Local\Temp\{8EF33731-5212-4F8F-8B42-9DB2E47AE33A}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{F887D0A0-C2EE-4888-BFAE-D239942230EB}3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\{DE6FC227-7852-4EF4-A49A-A23EBAFC1D69}\Ahnenblatt4.exeC:\Users\Admin\AppData\Local\Temp\{DE6FC227-7852-4EF4-A49A-A23EBAFC1D69}\Ahnenblatt4.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\MontlsIOK_v5\Ahnenblatt4.exeC:\Users\Admin\AppData\Roaming\MontlsIOK_v5\Ahnenblatt4.exe4⤵
- Suspicious use of SetThreadContext
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe5⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe6⤵
- System Location Discovery: System Language Discovery
-
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
171KB
MD5a0e940a3d3c1523416675125e3b0c07e
SHA12e29eeba6da9a4023bc8071158feee3b0277fd1b
SHA256b8fa7aa425e4084ea3721780a13d11e08b8d53d1c5414b73f22faeca1bfd314f
SHA512736ea06824388372aeef1938c6b11e66f4595e0b0589d7b4a87ff4abbabe52e82dff64d916293eab47aa869cf372ced2c66755dd8a8471b2ab0d3a37ba91d0b2
-
Filesize
2.5MB
MD5340e52708d50a6f08b836ef5de19f6cf
SHA19a87841a0b9b30c3bb4db68b1bf823d801a17939
SHA2564d3fa1b2abec177748692d1261cc8906500f5760f770133e64d260f0819b2d74
SHA512b1551cd7f549bf0c278c45802de76dabe8d70c30e8e8c76a062f8a6df73d67c7530e357f2c9f1d8a34353772c7e2df973540e52328aae020b8dd2dec1451a0c4
-
Filesize
1.5MB
MD556726887343345be48768de32fd8c9c2
SHA195ff249918f99bdae13fc48bf15a4ab439f89a01
SHA256d775dcec0daaa615773495ff558709db08446cb38165d56039277dfe7a95f813
SHA51284f7a8acebe14a98ad616e13f893f4f0d8959b511a54b93dad47baf56692279ca8fe521df25016ed4cc1c5607156535ee8c65a1e90e6b4c1503f755e72b15ba3
-
Filesize
178KB
MD540f3a092744e46f3531a40b917cca81e
SHA1c73f62a44cb3a75933cecf1be73a48d0d623039b
SHA256561f14cdece85b38617403e1c525ff0b1b752303797894607a4615d0bd66f97f
SHA5121589b27db29051c772e5ba56953d9f798efbf74d75e0524fa8569df092d28960972779811a7916198d0707d35b1093d3e0dd7669a8179c412cfa7df7120733b2
-
Filesize
426KB
MD58af02bf8e358e11caec4f2e7884b43cc
SHA116badc6c610eeb08de121ab268093dd36b56bf27
SHA25658a724d23c63387a2dda27ccfdbc8ca87fd4db671bea8bb636247667f6a5a11e
SHA512d0228a8cc93ff6647c2f4ba645fa224dc9d114e2adb5b5d01670b6dafc2258b5b1be11629868748e77b346e291974325e8e8e1192042d7c04a35fc727ad4e3fd
-
Filesize
1.8MB
MD57de024bc275f9cdeaf66a865e6fd8e58
SHA15086e4a26f9b80699ea8d9f2a33cead28a1819c0
SHA256bd32468ee7e8885323f22eabbff9763a0f6ffef3cc151e0bd0481df5888f4152
SHA512191c57e22ea13d13806dd390c4039029d40c7532918618d185d8a627aabc3969c7af2e532e3c933bde8f652b4723d951bf712e9ba0cc0d172dde693012f5ef1a
-
Filesize
27.6MB
MD5950f3bebb7563ee8354b21ef9cbea4a2
SHA17b520ff8bd1b552e3de00a38a87722f21dc1c9f4
SHA2568f4f53bc02348a549f3437444aacec43eae5f90875ea3c5ec96600ba1cb4a061
SHA5126aac49f02fcfc131634864684c59c82c51208ab3191eacfd28bd1e184a8d6583565e2a57701f55c283b7297f843d4bcdd07ed7db4fc212a7b1c153e7cc4486d5
-
Filesize
1.0MB
MD58a54f704750dbb39422d194296b4befe
SHA121c8e104d5de61b092a1045569ea74c3ac48c907
SHA256c185eb816e0f5d524ceb6321124285af42bf8554a2663b281654875d228c4ff6
SHA512b2fa8e59ddbd00cda345156f190a5b0f58af057f4d9a7d6bf3c9ce2fdd35a8522e4957ada6925746ec370123fefc9f2a5b9f3f78879a364662ccaa39cad65278
-
Filesize
71KB
MD52455c75c25687f2e363f0dbef000daf3
SHA1ce4cee2bc712ecc7fac8f6ad14b7fc237ee1ebca
SHA256c36c66cffef5471d58cd81d61c9d799303fb44abc784fc75fbcc2b5c6c44aa3a
SHA51236eeb8cd14c8096707e255c356501b4ff9080d927384c4bd4db18db50821654485e81ee5a4e9af8ebe613c68fc63bfed4d3dfde6c9e0d4ff434a359cc6bb145e
-
Filesize
63KB
MD542595705c8bda44f53a62e0a997c5203
SHA1b754e6596f809e07453175cf5d925e688911a9c8
SHA256648f103313bdff4b3ecd1f190c1a9110ff79ccd4f9b3551c0564734b901adb63
SHA5129b7cbda86b58f434bea72f0be8cbffdb48980356835c16bea65d30dfc4ccdec3b3467631081bc0d9fc5d23ee1969e90ead8555e591cfb9288e8db581eb5b1853
-
Filesize
1.2MB
MD5f3e0c0bb9f30624cd96485bef594ae3c
SHA156b311cee5c242c5ab5d8182ccfd9d796da03d57
SHA2561e04c0ffac66ddedbe4d2447150dc7b79cccad0276a4f23aacffba6c615c673c
SHA512dae4865f62decaf5a1aa96a1e2c816bd5f5a81b21a16af271f6a6047971403830f1bc873edacc7c70e9b7fc86f77d1930bd586c2d22bbbabfc4ebc4d90557596
-
Filesize
29.5MB
-
Filesize
1.1MB
-
Filesize
112KB
-
Filesize
1.5MB
-
Filesize
2.0MB
-
Filesize
1.5MB
-
Filesize
18.3MB
-
Filesize
584KB
-
Filesize
320KB
-
Filesize
5.6MB
-
Filesize
5.2MB
-
Filesize
1.8MB
-
Filesize
408KB
-
Filesize
816KB
-
Filesize
120KB
-
Filesize
472KB
-
Filesize
1.5MB
-
Filesize
29.5MB
-
Filesize
112KB
-
Filesize
2.0MB
-
Filesize
1.1MB
-
Filesize
2.0MB
-
Filesize
1.5MB
-
Filesize
1.1MB
-
Filesize
1.8MB