Overview

overview

10

Static

static

3

pdScript.exe

windows7-x64

6

pdScript.exe

windows10-2004-x64

10

pdScript.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    1106s
  • max time network
    1193s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02-07-2024 18:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    pdScript.exe

  • Size

    3.2MB

  • MD5

    d464091627b9892b52f3f62fa3a03264

  • SHA1

    85617122af6e94afada156fbe577bc59ca9dca8f

  • SHA256

    de2b6a281000101e51a1848ea5ae9526355d749ca8095b25ce0b43b8641d4a63

  • SHA512

    290bbe3de0051f9c29049fedf259cf3cb4d1b3015c468e7d5e93cbee11534f1f920b18b49363864d3f367590ec7342ba800cd988ac98db081271c3b76726e21c

  • SSDEEP

    49152:NI9+2qYtQ/Rg2ECNUg2I7wUpEroPeeegawQTCIyVM8OoJNY:Sg21t0q2ECNURoPblawXIyXOoc

Score
10/10
sectopratrattrojan

Malware Config

Signatures

  • SectopRAT

    SectopRAT is a remote access trojan first seen in November 2019.

    trojanratsectoprat
  • SectopRAT payload 1 IoCs
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 9 IoCs
  • Blocklisted process makes network request 1 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious behavior: MapViewOfSection 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 41 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\pdScript.exe
    "C:\Users\Admin\AppData\Local\Temp\pdScript.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1668
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3544
    • C:\ProgramData\LatencyMon\LatencyMon.exe
      "C:\ProgramData\LatencyMon\LatencyMon.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:4944
      • C:\Windows\TEMP\{D277B956-EE75-4837-BF08-4DEF4688BB03}\.cr\LatencyMon.exe
        "C:\Windows\TEMP\{D277B956-EE75-4837-BF08-4DEF4688BB03}\.cr\LatencyMon.exe" -burn.clean.room="C:\ProgramData\LatencyMon\LatencyMon.exe" -burn.filehandle.attached=656 -burn.filehandle.self=652
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:552
        • C:\Windows\TEMP\{5FB5DC63-5777-4E49-886F-BC9D955D00F9}\.ba\RttHlp.exe
          "C:\Windows\TEMP\{5FB5DC63-5777-4E49-886F-BC9D955D00F9}\.ba\RttHlp.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:5076
          • C:\Users\Admin\AppData\Roaming\exploreDaemonZL\RttHlp.exe
            C:\Users\Admin\AppData\Roaming\exploreDaemonZL\RttHlp.exe
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of WriteProcessMemory
            PID:228
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\SysWOW64\cmd.exe
              6⤵
              • Suspicious use of SetThreadContext
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious behavior: MapViewOfSection
              • Suspicious use of WriteProcessMemory
              PID:3504
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                7⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:3328

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Config.Msi\e57571b.rbs
    Filesize

    1KB

    MD5

    6c467c93a17074f7c399d60752e89ec0

    SHA1

    55b9abdad6901505f37899b4fad3bd0048c43e00

    SHA256

    ab5c8f30f0832548ea14fd7162c4b0c2eb173da03703f7ab9c275a8584aebe94

    SHA512

    f282bc2f118cf644108035ad425f7245b0dd996cc0d1edd2642f1c6f65f228f218d653d5c1984decc31796bd9274db8af54299f309f87df14b873261a15812be

    Download Submit
  • C:\ProgramData\LatencyMon\LatencyMon.exe
    Filesize

    3.8MB

    MD5

    b5934aadb33c3458d522c40be73b2c05

    SHA1

    f484499f7ee91897a7e51743c17c173c409333a4

    SHA256

    84e1dc5203b40434e0bfa3320ce622bc3e14d3846a5447a1533ed6fabfffb6f6

    SHA512

    a91251797be880e95b953909a9d687a54b99eb624a4c3091ca3e1bd6a03948fe7cb8f0a8f72a525cca28c579a8ec1a2c9a8076ad8c403a9da770ab2f8a4bc41b

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\745f71bd
    Filesize

    1.4MB

    MD5

    e7e3cc7c983b5834d6b9929e9d1f3a7e

    SHA1

    e57e58871aeac12bdb131d9b637433025709e49c

    SHA256

    23e43027ecdb3cf068b8fc7212306fe4e6592729d406c3fe2dfa67c36025cbb6

    SHA512

    7d49352bc42f4586bfcff67c6b76eb0e4b4c543854fe41ae2ecef6f0052910cd00c5b04f3a295ba0e6c091b37c0df273835bacd8cc432a386ad4dc39298ae670

    Download Submit
  • C:\Windows\Installer\MSI447B.tmp
    Filesize

    3.5MB

    MD5

    383a14eaed6396778e34e61e52362e1c

    SHA1

    d5d8ac79930d42ca4e15ec25f4c46df30e270239

    SHA256

    0921af5cbfca81c039df07f74ff8be44d6104cefbd3b36a893e018d17a26cfe6

    SHA512

    94e9dd1a99686459a83075ad322d6feabd7c782e68313c20a665bfaf409c6d19c1412f9d251f3ef8a446a11e447dcaf225fa27d00cc029eed6650f2c9de22fb1

    Download Submit
  • C:\Windows\TEMP\{5FB5DC63-5777-4E49-886F-BC9D955D00F9}\.ba\Register.dll
    Filesize

    1.0MB

    MD5

    40b9628354ef4e6ef3c87934575545f4

    SHA1

    8fb5da182dea64c842953bf72fc573a74adaa155

    SHA256

    372b14fce2eb35b264f6d4aeef7987da56d951d3a09ef866cf55ed72763caa12

    SHA512

    02b0ea82efbfbe2e7308f86bfbec7a5109f3fe91d42731812d2e46aebedce50aabc565d2da9d3fbcd0f46febbff49c534419d1a91e0c14d5a80f06b74888c641

    Download Submit
  • C:\Windows\TEMP\{5FB5DC63-5777-4E49-886F-BC9D955D00F9}\.ba\buoyage.dmg
    Filesize

    57KB

    MD5

    3db1ea342242328adb0fb8273818adca

    SHA1

    3f77d4daa288b43e68cc2c7516b3a1ce6ab1daf2

    SHA256

    901c8417b895ff41e9370ff1b98ffe01a4cdc2d064802cf7bd6927e15fa42130

    SHA512

    3389dd71d87fb32c970f8eef7125156a01c6d9c36c2c5685a38a885172b1f0a9a107a0d9c873a13f29f9e934817635edb77f76871dae760042e1ca345df24e39

    Download Submit
  • C:\Windows\TEMP\{5FB5DC63-5777-4E49-886F-BC9D955D00F9}\.ba\sanicle.ini
    Filesize

    1.2MB

    MD5

    a3f856336a62843ff630f5ed9379f76a

    SHA1

    2577ce4f212beb1523686a1661b617d16ee95820

    SHA256

    98381b504cf5878f5a833a578ba91b219c7e132e366589ffa5c12c2397b0a1ea

    SHA512

    5bbdbad5712869ebbbc0f496553481d033885c7ef08b11e286bdf53042d458633f1794c04488d3ee2d6cc1a616768c0314d26a51a7b0f5f85c7ce79bf7d7b241

    Download Submit
  • C:\Windows\Temp\{5FB5DC63-5777-4E49-886F-BC9D955D00F9}\.ba\Dietary.dll
    Filesize

    958KB

    MD5

    652e1a8e8faa840cb70f36f8bb4caff2

    SHA1

    abe2c3505e100a5002be7ff887fadd3002b5c6bd

    SHA256

    c18439f2289a9272d7f059309cd8fd70af6386433d6da20f6cdca1fcaf34d51f

    SHA512

    030ac302d84edd5825c35fa44412cc124df9ea05746c811350889e9a9237e2119e7f2ff3b0bc377d772c89f076dbc1c5bf0256ea3932f768b7d558d42467fb6b

    Download Submit
  • C:\Windows\Temp\{5FB5DC63-5777-4E49-886F-BC9D955D00F9}\.ba\RttHlp.exe
    Filesize

    135KB

    MD5

    a2d70fbab5181a509369d96b682fc641

    SHA1

    22afcdc180400c4d2b9e5a6db2b8a26bff54dd38

    SHA256

    8aed681ad8d660257c10d2f0e85ae673184055a341901643f27afc38e5ef8473

    SHA512

    219c6e7e88004fad9f4392be9a852c58fc43b7f6900e40370991427f37eaea5c18f48d2954f9479dde8bcb787345f4e292d5620add8224aec4d93d7968820b83

    Download Submit
  • C:\Windows\Temp\{5FB5DC63-5777-4E49-886F-BC9D955D00F9}\.ba\rtl120.bpl
    Filesize

    1.1MB

    MD5

    adf82ed333fb5567f8097c7235b0e17f

    SHA1

    e6ccaf016fc45edcdadeb40da64c207ddb33859f

    SHA256

    d6dd7a4f46f2cfde9c4eb9463b79d5ff90fc690da14672ba1da39708ee1b9b50

    SHA512

    2253c7b51317a3b5734025b6c7639105dbc81c340703718d679a00c13d40dd74ccaba1f6d04b21ee440f19e82ba680aa4b2a6a75c618aed91bd85a132be9fc92

    Download Submit
  • C:\Windows\Temp\{5FB5DC63-5777-4E49-886F-BC9D955D00F9}\.ba\vcl120.bpl
    Filesize

    1.9MB

    MD5

    0184d10198c4c49f16c859add01f1f0c

    SHA1

    758f87da7b9b5d6bef999f80b1792daaf4a4f6f1

    SHA256

    ecd2e6bf1a52d0173cfdf5216c0484519a7d09da23667d31525f51b58908ee9b

    SHA512

    55c6d7a2e38990257f9edef710d23f0550f0f8e6f010020a09f22d81a80f92ea9330c9a835131513a467e9ed889a400500a186478dc9b2d5c55fed9b858a6ff7

    Download Submit
  • C:\Windows\Temp\{D277B956-EE75-4837-BF08-4DEF4688BB03}\.cr\LatencyMon.exe
    Filesize

    3.5MB

    MD5

    ef3ab0d0dd34828d3705c01ee262328d

    SHA1

    a2bbeaff63737ed57224344c0f175cb0dcb1eaaa

    SHA256

    eb5dde75d692a5968cbef7eeeff57aaac5b1992855c2dd27091ef432d681097c

    SHA512

    e31d4d94cce19f9bfdb19ca88493a60846aec5341b4145c216df14491652079448c993f66960ce56638cc5b38087de5259490c0ed784c85488bb56b4e86ec39b

    Download Submit
  • memory/228-76-0x0000000074BC0000-0x0000000074D3B000-memory.dmp
    Filesize

    1.5MB

    Download
  • memory/228-81-0x0000000050000000-0x0000000050116000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/228-82-0x0000000050120000-0x000000005030D000-memory.dmp
    Filesize

    1.9MB

    Download
  • memory/228-78-0x0000000074BC0000-0x0000000074D3B000-memory.dmp
    Filesize

    1.5MB

    Download
  • memory/228-77-0x00007FF8E08B0000-0x00007FF8E0AA5000-memory.dmp
    Filesize

    2.0MB

    Download
  • memory/1668-29-0x0000000000400000-0x0000000000744000-memory.dmp
    Filesize

    3.3MB

    Download
  • memory/1668-0-0x0000000002990000-0x0000000002991000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3328-93-0x0000000005990000-0x0000000005A22000-memory.dmp
    Filesize

    584KB

    Download
  • memory/3328-89-0x0000000073080000-0x00000000742D4000-memory.dmp
    Filesize

    18.3MB

    Download
  • memory/3328-94-0x0000000006000000-0x00000000065A4000-memory.dmp
    Filesize

    5.6MB

    Download
  • memory/3328-95-0x0000000005C20000-0x0000000005DE2000-memory.dmp
    Filesize

    1.8MB

    Download
  • memory/3328-97-0x0000000005DF0000-0x0000000005E66000-memory.dmp
    Filesize

    472KB

    Download
  • memory/3328-96-0x0000000005AE0000-0x0000000005B30000-memory.dmp
    Filesize

    320KB

    Download
  • memory/3328-92-0x0000000001300000-0x00000000013C6000-memory.dmp
    Filesize

    792KB

    Download
  • memory/3504-84-0x00007FF8E08B0000-0x00007FF8E0AA5000-memory.dmp
    Filesize

    2.0MB

    Download
  • memory/3504-87-0x0000000074BC0000-0x0000000074D3B000-memory.dmp
    Filesize

    1.5MB

    Download
  • memory/5076-62-0x0000000050120000-0x000000005030D000-memory.dmp
    Filesize

    1.9MB

    Download
  • memory/5076-61-0x0000000050000000-0x0000000050116000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/5076-60-0x0000000000400000-0x0000000000421000-memory.dmp
    Filesize

    132KB

    Download
  • memory/5076-51-0x00007FF8E08B0000-0x00007FF8E0AA5000-memory.dmp
    Filesize

    2.0MB

    Download
  • memory/5076-50-0x0000000073C00000-0x0000000073D7B000-memory.dmp
    Filesize

    1.5MB

    Download