Analysis
-
max time kernel
103s -
max time network
139s -
platform
windows10-2004_x64 -
resource
win10v2004-20250314-en -
resource tags
-
submitted
07/04/2025, 12:23
General
-
Target
SLAGGGLX.msi
-
Size
6.2MB
-
MD5
e1b11ab17b672dc15339a4eea17d3be7
-
SHA1
7dd1111c168f544929caf7e1ba8b2d790aa5ce77
-
SHA256
7a79c311f24811999c14cef556da34f933dfd82b1a568b064034634941314369
-
SHA512
37e2a1d26a6386e25fff7cd6e23742565f96fdcf6967e953d5767a3d4378a26bf9959c4ab4c38401f79812ff395ee9b907eea93917b8d2035971869db17fffc1
-
SSDEEP
98304:TRJYyhT6Sug1IPY2hiLOORwc3xyoZMEHGgS6y4wi36gZByUBXGo7FQ3:t9GjoKo/S6y4ZdZsUBXGYQ3
Malware Config
Signatures
-
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
-
SectopRAT payload 1 IoCs
-
Sectoprat family
-
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Suspicious use of SetThreadContext 2 IoCs
-
Executes dropped EXE 12 IoCs
-
Loads dropped DLL 11 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 7 IoCs
-
Suspicious behavior: MapViewOfSection 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of WriteProcessMemory 38 IoCs
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\SLAGGGLX.msi1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 17D041CE1484B25ABDA49D8B3FD7623D C2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\{2B4FFF10-E0CF-4CBE-B833-C0D65906057C}\ISBEW64.exeC:\Users\Admin\AppData\Local\Temp\{2B4FFF10-E0CF-4CBE-B833-C0D65906057C}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{261CEBE2-4770-456A-95B9-6C2FA441EA79}3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\{2B4FFF10-E0CF-4CBE-B833-C0D65906057C}\ISBEW64.exeC:\Users\Admin\AppData\Local\Temp\{2B4FFF10-E0CF-4CBE-B833-C0D65906057C}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{CA910BE3-5B14-4C01-A388-C2FA572D3CA2}3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\{2B4FFF10-E0CF-4CBE-B833-C0D65906057C}\ISBEW64.exeC:\Users\Admin\AppData\Local\Temp\{2B4FFF10-E0CF-4CBE-B833-C0D65906057C}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{36ED7199-F60B-42F6-830D-F233A8CDF2CC}3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\{2B4FFF10-E0CF-4CBE-B833-C0D65906057C}\ISBEW64.exeC:\Users\Admin\AppData\Local\Temp\{2B4FFF10-E0CF-4CBE-B833-C0D65906057C}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{CDF20A3A-1B2A-4752-8508-2EEB7A92E6CA}3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\{2B4FFF10-E0CF-4CBE-B833-C0D65906057C}\ISBEW64.exeC:\Users\Admin\AppData\Local\Temp\{2B4FFF10-E0CF-4CBE-B833-C0D65906057C}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{6FF3ACCE-1637-462B-8F1E-D0C0FC574E07}3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\{2B4FFF10-E0CF-4CBE-B833-C0D65906057C}\ISBEW64.exeC:\Users\Admin\AppData\Local\Temp\{2B4FFF10-E0CF-4CBE-B833-C0D65906057C}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{6824D873-9E8A-4E39-BBB1-26F27DDDACA0}3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\{2B4FFF10-E0CF-4CBE-B833-C0D65906057C}\ISBEW64.exeC:\Users\Admin\AppData\Local\Temp\{2B4FFF10-E0CF-4CBE-B833-C0D65906057C}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{6037CF08-745A-42E2-A621-A77178F20297}3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\{2B4FFF10-E0CF-4CBE-B833-C0D65906057C}\ISBEW64.exeC:\Users\Admin\AppData\Local\Temp\{2B4FFF10-E0CF-4CBE-B833-C0D65906057C}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{50450156-5EDB-4C55-A2EB-8C0CFB4B6987}3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\{2B4FFF10-E0CF-4CBE-B833-C0D65906057C}\ISBEW64.exeC:\Users\Admin\AppData\Local\Temp\{2B4FFF10-E0CF-4CBE-B833-C0D65906057C}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{4E18DB20-6105-4D45-BF4C-5C7BF1810B45}3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\{2B4FFF10-E0CF-4CBE-B833-C0D65906057C}\ISBEW64.exeC:\Users\Admin\AppData\Local\Temp\{2B4FFF10-E0CF-4CBE-B833-C0D65906057C}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{D8FADB01-DDCD-479A-B2D7-438F4ECAD1B8}3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\{863FABF4-DA7E-4BC5-89EA-A2CAC9E6821B}\SplashWin.exeC:\Users\Admin\AppData\Local\Temp\{863FABF4-DA7E-4BC5-89EA-A2CAC9E6821B}\SplashWin.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Protectchrome_beta\SplashWin.exeC:\Users\Admin\AppData\Roaming\Protectchrome_beta\SplashWin.exe4⤵
- Suspicious use of SetThreadContext
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe5⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe6⤵
- System Location Discovery: System Language Discovery
-
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.5MB
MD57402075846408ad4e7b1283914250fa9
SHA1570604e09bbbbab92d438d286a672e46b29daed0
SHA256b1840f1abab02223b605325f4f27d4830b9609d0be0eb1c88c8ceaf3c44e15f6
SHA5129f8ceb13bb1729b16ae5477fc92ffd2a4d1dd79f3732a4096cb945c7042c2153dc015bc996a14d60ca04a2cce9c12af59a3182432497ac16801201646de31987
-
Filesize
171KB
MD5a0e940a3d3c1523416675125e3b0c07e
SHA12e29eeba6da9a4023bc8071158feee3b0277fd1b
SHA256b8fa7aa425e4084ea3721780a13d11e08b8d53d1c5414b73f22faeca1bfd314f
SHA512736ea06824388372aeef1938c6b11e66f4595e0b0589d7b4a87ff4abbabe52e82dff64d916293eab47aa869cf372ced2c66755dd8a8471b2ab0d3a37ba91d0b2
-
Filesize
2.5MB
MD58ef0166db3891637809a4ce2c1aa4482
SHA114d19d5e1a64faf349bfcdcb0f50c5d0a2701bed
SHA256fdca52ae3ded7176a8e02c5429f5ad36df2943190b7c592a23cc35394655876d
SHA512ad368f242899e8a9fc3a4bdd871a3f4af029f0ebd26c618278ddfe2d33e1ad41080993a949756640b0cd915c2c88d3114ebe8563b0d31b3e1a01e79e70b7bdd6
-
Filesize
178KB
MD540f3a092744e46f3531a40b917cca81e
SHA1c73f62a44cb3a75933cecf1be73a48d0d623039b
SHA256561f14cdece85b38617403e1c525ff0b1b752303797894607a4615d0bd66f97f
SHA5121589b27db29051c772e5ba56953d9f798efbf74d75e0524fa8569df092d28960972779811a7916198d0707d35b1093d3e0dd7669a8179c412cfa7df7120733b2
-
Filesize
426KB
MD58af02bf8e358e11caec4f2e7884b43cc
SHA116badc6c610eeb08de121ab268093dd36b56bf27
SHA25658a724d23c63387a2dda27ccfdbc8ca87fd4db671bea8bb636247667f6a5a11e
SHA512d0228a8cc93ff6647c2f4ba645fa224dc9d114e2adb5b5d01670b6dafc2258b5b1be11629868748e77b346e291974325e8e8e1192042d7c04a35fc727ad4e3fd
-
Filesize
1.8MB
MD57de024bc275f9cdeaf66a865e6fd8e58
SHA15086e4a26f9b80699ea8d9f2a33cead28a1819c0
SHA256bd32468ee7e8885323f22eabbff9763a0f6ffef3cc151e0bd0481df5888f4152
SHA512191c57e22ea13d13806dd390c4039029d40c7532918618d185d8a627aabc3969c7af2e532e3c933bde8f652b4723d951bf712e9ba0cc0d172dde693012f5ef1a
-
Filesize
860KB
MD583495e5db2654bcec3948ee486424599
SHA18a86af21864f565567cc4cc1f021f08b2e9febaa
SHA256e770be8fba337cc01e24c7f059368526a804d2af64136a39bb84adeebcf9cfbc
SHA512b4dbdfff0501fb3ba912556a25a64da38d3872bc31c94cc2395d6567b786cbbe104fd6178f019f8efba08dc5abcd964616a99d886b74aa80014b1c09ba7e9c41
-
Filesize
437KB
MD5e9f00dd8746712610706cbeffd8df0bd
SHA15004d98c89a40ebf35f51407553e38e5ca16fb98
SHA2564cb882621a3d1c6283570447f842801b396db1b3dcd2e01c2f7002efd66a0a97
SHA5124d1ce1fc92cea60859b27ca95ca1d1a7c2bec4e2356f87659a69bab9c1befa7a94a2c64669cef1c9dadf9d38ab77e836fe69acdda0f95fa1b32cba9e8c6bb554
-
Filesize
446KB
MD54d20b83562eec3660e45027ad56fb444
SHA1ff6134c34500a8f8e5881e6a34263e5796f83667
SHA256c5e650b331fa5292872fdaede3a75c8167a0f1280ce0cd3d58b880d23854bdb1
SHA512718bd66fcff80b8008a4523d88bd726cdbc95e6e7bdb3f50e337e291294505ed54e6f5995d431968b85415e96f6f7ed37381ca021401ad57fda3b08a1f0c27f4
-
Filesize
74KB
MD5a554e4f1addc0c2c4ebb93d66b790796
SHA19fbd1d222da47240db92cd6c50625eb0cf650f61
SHA256e610cdac0a37147919032d0d723b967276c217ff06ea402f098696ab4112512a
SHA5125f3253f071da3e0110def888682d255186f2e2a30a8480791c0cad74029420033b5c90f818ae845b5f041ee4005f6de174a687aca8f858371026423f017902cc
-
Filesize
55KB
MD561947293abc79f5e003ac42d9b7489f4
SHA19386c10a6441a395385007130f1aa6916b22881a
SHA25657414bda77d468f6573672aaa7b1b68e38ae511ab5be187c227232a054c257bb
SHA5126c90d23c9ce0a3d2880c7e0bf056df32de9701ce5e3c210967e04a67c7730fc9b341ed46641390cd49a645c49c6c6ab7a63710df0814ae75cfb32d7fef43903f
-
Filesize
1.2MB
MD58d9c4ece45c257a48932b83edf0691b0
SHA16b047cd45ff1648fb37d6b9f7b41507980682999
SHA256c3bc9f3ecc43a5ac5fc069c74f71b69e4cc62a1e48a6412af183a25e7d2eca94
SHA51258f3e0b839a324ff7e3fe5c5416cb77a35595075d89ae48bca099e7fe94be598822cebf183cc7049d96f638217efefb7fd65cd62ad6624d471236c4dd33df503
-
Filesize
1.5MB
-
Filesize
2.0MB
-
Filesize
1.5MB
-
Filesize
2.0MB
-
Filesize
1.5MB
-
Filesize
1.8MB
-
Filesize
1.1MB
-
Filesize
5.6MB
-
Filesize
18.3MB
-
Filesize
816KB
-
Filesize
584KB
-
Filesize
472KB
-
Filesize
320KB
-
Filesize
1.8MB
-
Filesize
5.2MB
-
Filesize
120KB
-
Filesize
408KB
-
Filesize
1.5MB
-
Filesize
2.0MB