Analysis
- max time kernel: 1147s
- max time network: 1191s
- platform: windows11-21h2_x64
- resource: win11-20240419-en
- resource tags: arch:x64, arch:x86, image:win11-20240419-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 02-07-2024 18:08
Static task: static1
Behavioral task behavioral1: sample pdScript.exe, resource win7-20240508-en
Behavioral task behavioral2: sample pdScript.exe, resource win10v2004-20240611-en
(The signatures, process tree and memory dumps below come from the win11-20240419-en run, which the SectopRAT memory match cites as behavioral3; that task is not listed here.)
General
- Target: pdScript.exe
- Size: 3.2MB
- MD5: d464091627b9892b52f3f62fa3a03264
- SHA1: 85617122af6e94afada156fbe577bc59ca9dca8f
- SHA256: de2b6a281000101e51a1848ea5ae9526355d749ca8095b25ce0b43b8641d4a63
- SHA512: 290bbe3de0051f9c29049fedf259cf3cb4d1b3015c468e7d5e93cbee11534f1f920b18b49363864d3f367590ec7342ba800cd988ac98db081271c3b76726e21c
- SSDEEP: 49152:NI9+2qYtQ/Rg2ECNUg2I7wUpEroPeeegawQTCIyVM8OoJNY:Sg21t0q2ECNURoPblawXIyXOoc
Malware Config
(empty in this report: no configuration was extracted)
Signatures
- SectopRAT payload (1 IoC)
  resource: behavioral3/memory/1888-91-0x0000000000D00000-0x0000000000DC6000-memory.dmp
  yara rule: family_sectoprat
  PID 1888 is the MSBuild.exe instance at the bottom of the process tree. The rule matches only a 792KB region in that process's memory; no dropped file in this report is matched, so the RAT exists on disk only in packed or encrypted form.
- Executes dropped EXE (4 IoCs)
  PID 2936 LatencyMon.exe
  PID 3972 LatencyMon.exe
  PID 744 RttHlp.exe
  PID 1364 RttHlp.exe
- Loads dropped DLL (8 IoCs)
  PID 3972 LatencyMon.exe (1 load)
  PID 744 RttHlp.exe (2 loads)
  PID 1364 RttHlp.exe (5 loads)
- Blocklisted process makes network request (1 IoC)
  flow 3, PID 3768 msiexec.exe
- Enumerates connected drives (3 TTPs, 23 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  msiexec.exe opened (read-only) \??\A: to \??\Z:, every letter except C:, D: and F: (23 roots: A B E G H I J K L M N O P Q R S T U V W X Y Z).
  Windows Installer probes drive roots during an ordinary install, so this signature is weak evidence on its own; it matters here only because the same msiexec.exe instance is the one that launches the dropper chain.
- Suspicious use of SetThreadContext (2 IoCs)
  PID 1364 RttHlp.exe set thread context of PID 3860 cmd.exe
  PID 3860 cmd.exe set thread context of PID 1888 MSBuild.exe
  Read together with the WriteProcessMemory and MapViewOfSection entries on the same PIDs, this is the process-hollowing sequence (create the target suspended, write a new image into it, point a thread at the new entry with SetThreadContext, resume): RttHlp.exe hollows a 32-bit cmd.exe, and that cmd.exe repeats the step on MSBuild.exe, which ends up holding the SectopRAT payload.
- Drops file in Windows directory (8 IoCs), all by msiexec.exe
  File opened for modification: C:\Windows\Installer\
  File created: C:\Windows\Installer\inprogressinstallinfo.ipi
  File created: C:\Windows\SystemTemp\~DF36D9C238DDF102EF.TMP
  File opened for modification: C:\Windows\Installer\MSI8463.tmp
  File created: C:\Windows\SystemTemp\~DFDF38BF16BAC3A1D5.TMP
  File created: C:\Windows\SystemTemp\~DF048142BEFC0FE2A9.TMP
  File opened for modification: C:\Windows\Installer\MSI6B7B.tmp
  File opened for modification: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log
  Everything here is Windows Installer housekeeping; MSIxxxx.tmp files in C:\Windows\Installer are binaries the installer extracts from the package to run as custom actions, and MSI6B7B.tmp (3.5MB) is hashed in the Downloads list below.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (7 IoCs)
  PID 3768 msiexec.exe (2), PID 744 RttHlp.exe (1), PID 1364 RttHlp.exe (2), PID 3860 cmd.exe (2)
- Suspicious behavior: MapViewOfSection (3 IoCs)
  PID 1364 RttHlp.exe (1), PID 3860 cmd.exe (2)
- Suspicious use of AdjustPrivilegeToken (41 IoCs)
  PID 236 pdScript.exe (31 tokens, in order): SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
  PID 3768 msiexec.exe (9 tokens): SeSecurityPrivilege once, then SeRestorePrivilege and SeTakeOwnershipPrivilege four times each
  PID 1888 MSBuild.exe (1 token): SeDebugPrivilege
  The pdScript.exe list is the complete privilege set requested one after another, the pattern of an installer stub that tries to enable every privilege its token carries, and says little by itself; the msiexec.exe tokens are normal for Windows Installer. The entry to act on is SeDebugPrivilege in MSBuild.exe: a build tool has no reason to request it, and here it is requested by the injected SectopRAT code.
- Suspicious use of WriteProcessMemory (21 IoCs)
  Each parent writes into the child it starts; the writes line up as one chain:
  PID 3768 msiexec.exe -> PID 2936 LatencyMon.exe (3 writes)
  PID 2936 LatencyMon.exe -> PID 3972 LatencyMon.exe (3 writes)
  PID 3972 LatencyMon.exe -> PID 744 RttHlp.exe (3 writes)
  PID 744 RttHlp.exe -> PID 1364 RttHlp.exe (3 writes)
  PID 1364 RttHlp.exe -> PID 3860 cmd.exe (4 writes)
  PID 3860 cmd.exe -> PID 1888 MSBuild.exe (5 writes)
  The same three writes appear for every ordinary parent/child pair in the chain, so a write count alone is not the signal; the extra writes into cmd.exe and MSBuild.exe, paired with SetThreadContext on those same targets, are the injection.
Processes
(PIDs taken from the signature tables above; nesting shown by indentation)

[1] PID 236  C:\Users\Admin\AppData\Local\Temp\pdScript.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\pdScript.exe"
    - Suspicious use of AdjustPrivilegeToken

[1] PID 3768  C:\Windows\system32\msiexec.exe
    command line: C:\Windows\system32\msiexec.exe /V
    msiexec.exe /V is the Windows Installer service process. It is started by the service control manager rather than by pdScript.exe directly, which is why it sits at the root of the tree instead of under the sample even though the sample's MSI install is what drives it.
    - Blocklisted process makes network request
    - Enumerates connected drives
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

  [2] PID 2936  C:\ProgramData\LatencyMon\LatencyMon.exe
      command line: "C:\ProgramData\LatencyMon\LatencyMon.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory

    [3] PID 3972  C:\Windows\TEMP\{D806FE7E-20FC-4E34-B12C-BE5A9CD97066}\.cr\LatencyMon.exe
        command line: "C:\Windows\TEMP\{D806FE7E-20FC-4E34-B12C-BE5A9CD97066}\.cr\LatencyMon.exe" -burn.clean.room="C:\ProgramData\LatencyMon\LatencyMon.exe" -burn.filehandle.attached=684 -burn.filehandle.self=680
        The -burn.* switches belong to a WiX Burn bootstrapper: the bundle copies itself into a "clean room" (.cr) directory, relaunches from there, and unpacks its bootstrapper application into the .ba directory that the next process runs from. LatencyMon is the name of a legitimate latency-monitoring tool; whether this bundle is a trojanised copy or only borrows the name, the .ba contents listed under Downloads are what it actually carried.
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory

      [4] PID 744  C:\Windows\TEMP\{B291F914-B2C8-4AB8-BEAD-F821CB35445A}\.ba\RttHlp.exe
          command line: "C:\Windows\TEMP\{B291F914-B2C8-4AB8-BEAD-F821CB35445A}\.ba\RttHlp.exe"
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of WriteProcessMemory

        [5] PID 1364  C:\Users\Admin\AppData\Roaming\exploreDaemonZL\RttHlp.exe
            command line: C:\Users\Admin\AppData\Roaming\exploreDaemonZL\RttHlp.exe
            A second copy of RttHlp.exe, now running from a user-profile path under an invented folder name. The report shows no autorun or scheduled-task entry for it, so whether it persists has to be checked separately.
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious use of SetThreadContext
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: MapViewOfSection
            - Suspicious use of WriteProcessMemory

          [6] PID 3860  C:\Windows\SysWOW64\cmd.exe
              command line: C:\Windows\SysWOW64\cmd.exe
              Started with no arguments, then written to, mapped into and given a new thread context by its parent: a hollowed 32-bit cmd.exe rather than a shell running a command. It in turn performs the same operations on MSBuild.exe.
              - Suspicious use of SetThreadContext
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious behavior: MapViewOfSection
              - Suspicious use of WriteProcessMemory

            [7] PID 1888  C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                Also started with no arguments and hollowed by cmd.exe. The 32-bit MSBuild.exe (Framework, not Framework64, matching the SysWOW64 cmd.exe above it) is the final host and the process in which the family_sectoprat rule matches.
                - Suspicious use of AdjustPrivilegeToken
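The signature tables and the tree above describe one injection chain from several angles. The script below is an added example, not code from the sandbox or its vendor: it parses the report's own "set thread context of" and "wrote to memory of" lines (copied verbatim as constructed input), treats each writer as the parent of the process it wrote into, and flags the processes whose parent both wrote into them and reset a thread context while the image is a signed Microsoft binary. The host-binary list is an assumption for the example. The link from pdScript.exe to msiexec.exe is not among these events, so msiexec.exe is the chain's root.

```python
"""Rebuild the injection chain from this report's signature lines.
Added example, not part of the sandbox report or of the sandbox vendor's code."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed input: the SetThreadContext and WriteProcessMemory lines copied
# from the signatures section of this report, one line per distinct event.
REPORT_LINES = """
PID 1364 set thread context of 3860 1364 RttHlp.exe cmd.exe
PID 3860 set thread context of 1888 3860 cmd.exe MSBuild.exe
PID 3768 wrote to memory of 2936 3768 msiexec.exe LatencyMon.exe
PID 2936 wrote to memory of 3972 2936 LatencyMon.exe LatencyMon.exe
PID 3972 wrote to memory of 744 3972 LatencyMon.exe RttHlp.exe
PID 744 wrote to memory of 1364 744 RttHlp.exe RttHlp.exe
PID 1364 wrote to memory of 3860 1364 RttHlp.exe cmd.exe
PID 3860 wrote to memory of 1888 3860 cmd.exe MSBuild.exe
"""

# "PID <src> <op> <dst> <src> <src_name> <dst_name>": the source PID is
# repeated in the flattened table, so it is matched with a backreference.
EVENT_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<op>set thread context of|wrote to memory of) "
    r"(?P<dst>\d+) (?P=src) (?P<src_name>\S+) (?P<dst_name>\S+)$"
)

# Signed Microsoft images commonly used as hollowing hosts. Assumed list for
# the example; the report itself names only cmd.exe and MSBuild.exe.
HOLLOW_HOSTS = {"cmd.exe", "msbuild.exe", "regasm.exe", "regsvcs.exe",
                "installutil.exe", "aspnet_compiler.exe", "vbc.exe"}


@dataclass
class Proc:
    pid: int
    name: str
    parent: Optional[int] = None
    ops_from_parent: Set[str] = field(default_factory=set)


def parse_events(text: str) -> List[Tuple[int, str, str, int, str]]:
    """Return (src_pid, src_name, op, dst_pid, dst_name) per recognised line."""
    events = []
    for line in text.strip().splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            events.append((int(m["src"]), m["src_name"], m["op"],
                           int(m["dst"]), m["dst_name"]))
    return events


def build_graph(events) -> Dict[int, Proc]:
    """The writer is the parent: in this sandbox every CreateProcess shows up
    as the parent writing into its new child, so a write on its own is not
    evidence of injection. We record which operations each child received."""
    procs: Dict[int, Proc] = {}
    for src, src_name, op, dst, dst_name in events:
        procs.setdefault(src, Proc(src, src_name))
        child = procs.setdefault(dst, Proc(dst, dst_name))
        child.parent = src
        child.ops_from_parent.add(op)
    return procs


def hollowed(procs: Dict[int, Proc]) -> List[int]:
    """PIDs whose parent both wrote into them and reset a thread context,
    where the image is a known host binary: the hollowing signature."""
    needed = {"wrote to memory of", "set thread context of"}
    return sorted(p.pid for p in procs.values()
                  if needed <= p.ops_from_parent
                  and p.name.lower() in HOLLOW_HOSTS)


def chain_to(procs: Dict[int, Proc], pid: int) -> List[str]:
    """Ancestry of a PID, root first, as 'name(pid)' strings."""
    out = []
    cur: Optional[int] = pid
    while cur is not None:
        out.append(f"{procs[cur].name}({procs[cur].pid})")
        cur = procs[cur].parent
    return out[::-1]


def report(text: str = REPORT_LINES) -> Dict[int, List[str]]:
    """Map each hollowed PID to its full ancestry chain."""
    procs = build_graph(parse_events(text))
    return {pid: chain_to(procs, pid) for pid in hollowed(procs)}


if __name__ == "__main__":
    for pid, chain in report().items():
        print(f"hollowed PID {pid}: " + " -> ".join(chain))
```

On this report the script flags 3860 (cmd.exe) and 1888 (MSBuild.exe) and prints the seven-process chain from msiexec.exe down to MSBuild.exe for each; the four earlier parent/child pairs, which only wrote into their children, are not flagged. The same two conditions map directly onto EDR telemetry (a cross-process write plus a thread-context change on a child that is a signed Microsoft binary), which is how a practitioner would turn this sandbox pattern into a detection.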
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
Dropped files (paths as recorded by the sandbox; C:\Windows\TEMP and C:\Windows\Temp are the same directory):
- C:\Config.Msi\e578426.rbs (1KB, Windows Installer rollback script)
  MD5: 6dac205b1be2b0a3498000162ac2772e
  SHA1: 70b2ccde6df1c41b1c559ca85742ff1ee05aa422
  SHA256: c0c5ac8fb42acf9638ca5030de069ddc8eb598ecc102c01de5a353f1441a5a77
  SHA512: 4d6f4e32d4a3f9a226fe4c68e0eec83852c98362a5742e66200ed50ea809a7157aad2ce4bfce8924bd6641f20a994b95582cc3b30567cdca9ac94384e2048798
- C:\ProgramData\LatencyMon\LatencyMon.exe (3.8MB)
  MD5: b5934aadb33c3458d522c40be73b2c05
  SHA1: f484499f7ee91897a7e51743c17c173c409333a4
  SHA256: 84e1dc5203b40434e0bfa3320ce622bc3e14d3846a5447a1533ed6fabfffb6f6
  SHA512: a91251797be880e95b953909a9d687a54b99eb624a4c3091ca3e1bd6a03948fe7cb8f0a8f72a525cca28c579a8ec1a2c9a8076ad8c403a9da770ab2f8a4bc41b
- C:\Users\Admin\AppData\Local\Temp\7dfbec69 (1.4MB)
  MD5: f529cd8fe0b0cf5b2a87413882566dd0
  SHA1: 4020c62c44c83b240c46afa6f6419707195d9b96
  SHA256: afb8ae3bd37b35f6f31a23be9c8ca1a56f29b13e5d009bf1955d80c490651ebb
  SHA512: 97d38eb751b6696ca2f51808d27f2c90ae902673ca4e742510c69d8cbe48c71afc142aaee6e4a270b1f7575ffd0c6a63e173078b2c5acccf9c7dd9a5dbeb4119
- C:\Windows\Installer\MSI6B7B.tmp (3.5MB)
  MD5: 383a14eaed6396778e34e61e52362e1c
  SHA1: d5d8ac79930d42ca4e15ec25f4c46df30e270239
  SHA256: 0921af5cbfca81c039df07f74ff8be44d6104cefbd3b36a893e018d17a26cfe6
  SHA512: 94e9dd1a99686459a83075ad322d6feabd7c782e68313c20a665bfaf409c6d19c1412f9d251f3ef8a446a11e447dcaf225fa27d00cc029eed6650f2c9de22fb1
- C:\Windows\TEMP\{B291F914-B2C8-4AB8-BEAD-F821CB35445A}\.ba\Register.dll (1.0MB)
  MD5: 40b9628354ef4e6ef3c87934575545f4
  SHA1: 8fb5da182dea64c842953bf72fc573a74adaa155
  SHA256: 372b14fce2eb35b264f6d4aeef7987da56d951d3a09ef866cf55ed72763caa12
  SHA512: 02b0ea82efbfbe2e7308f86bfbec7a5109f3fe91d42731812d2e46aebedce50aabc565d2da9d3fbcd0f46febbff49c534419d1a91e0c14d5a80f06b74888c641
- C:\Windows\TEMP\{B291F914-B2C8-4AB8-BEAD-F821CB35445A}\.ba\buoyage.dmg (57KB)
  MD5: 3db1ea342242328adb0fb8273818adca
  SHA1: 3f77d4daa288b43e68cc2c7516b3a1ce6ab1daf2
  SHA256: 901c8417b895ff41e9370ff1b98ffe01a4cdc2d064802cf7bd6927e15fa42130
  SHA512: 3389dd71d87fb32c970f8eef7125156a01c6d9c36c2c5685a38a885172b1f0a9a107a0d9c873a13f29f9e934817635edb77f76871dae760042e1ca345df24e39
- C:\Windows\TEMP\{B291F914-B2C8-4AB8-BEAD-F821CB35445A}\.ba\sanicle.ini (1.2MB)
  MD5: a3f856336a62843ff630f5ed9379f76a
  SHA1: 2577ce4f212beb1523686a1661b617d16ee95820
  SHA256: 98381b504cf5878f5a833a578ba91b219c7e132e366589ffa5c12c2397b0a1ea
  SHA512: 5bbdbad5712869ebbbc0f496553481d033885c7ef08b11e286bdf53042d458633f1794c04488d3ee2d6cc1a616768c0314d26a51a7b0f5f85c7ce79bf7d7b241
- C:\Windows\Temp\{B291F914-B2C8-4AB8-BEAD-F821CB35445A}\.ba\Dietary.dll (958KB)
  MD5: 652e1a8e8faa840cb70f36f8bb4caff2
  SHA1: abe2c3505e100a5002be7ff887fadd3002b5c6bd
  SHA256: c18439f2289a9272d7f059309cd8fd70af6386433d6da20f6cdca1fcaf34d51f
  SHA512: 030ac302d84edd5825c35fa44412cc124df9ea05746c811350889e9a9237e2119e7f2ff3b0bc377d772c89f076dbc1c5bf0256ea3932f768b7d558d42467fb6b
- C:\Windows\Temp\{B291F914-B2C8-4AB8-BEAD-F821CB35445A}\.ba\RttHlp.exe (135KB)
  MD5: a2d70fbab5181a509369d96b682fc641
  SHA1: 22afcdc180400c4d2b9e5a6db2b8a26bff54dd38
  SHA256: 8aed681ad8d660257c10d2f0e85ae673184055a341901643f27afc38e5ef8473
  SHA512: 219c6e7e88004fad9f4392be9a852c58fc43b7f6900e40370991427f37eaea5c18f48d2954f9479dde8bcb787345f4e292d5620add8224aec4d93d7968820b83
- C:\Windows\Temp\{B291F914-B2C8-4AB8-BEAD-F821CB35445A}\.ba\rtl120.bpl (1.1MB)
  MD5: adf82ed333fb5567f8097c7235b0e17f
  SHA1: e6ccaf016fc45edcdadeb40da64c207ddb33859f
  SHA256: d6dd7a4f46f2cfde9c4eb9463b79d5ff90fc690da14672ba1da39708ee1b9b50
  SHA512: 2253c7b51317a3b5734025b6c7639105dbc81c340703718d679a00c13d40dd74ccaba1f6d04b21ee440f19e82ba680aa4b2a6a75c618aed91bd85a132be9fc92
- C:\Windows\Temp\{B291F914-B2C8-4AB8-BEAD-F821CB35445A}\.ba\vcl120.bpl (1.9MB)
  MD5: 0184d10198c4c49f16c859add01f1f0c
  SHA1: 758f87da7b9b5d6bef999f80b1792daaf4a4f6f1
  SHA256: ecd2e6bf1a52d0173cfdf5216c0484519a7d09da23667d31525f51b58908ee9b
  SHA512: 55c6d7a2e38990257f9edef710d23f0550f0f8e6f010020a09f22d81a80f92ea9330c9a835131513a467e9ed889a400500a186478dc9b2d5c55fed9b858a6ff7
  On the .ba payload: rtl120.bpl and vcl120.bpl are Delphi/C++Builder 2009 runtime packages, consistent with a Delphi-built RttHlp.exe that loads them as packages (the "Loads dropped DLL" hits); the 1.1MB and 1.9MB regions at 0x50000000 and 0x50120000 in the memory dumps of PIDs 744 and 1364 below match these two files in size. Register.dll, Dietary.dll, buoyage.dmg and sanicle.ini carry no product identity; whether they hold configuration or the encrypted RAT is not established by this report and has to be confirmed by inspecting them. Only RttHlp.exe is observed executing.
- C:\Windows\Temp\{D806FE7E-20FC-4E34-B12C-BE5A9CD97066}\.cr\LatencyMon.exe (3.5MB)
  MD5: ef3ab0d0dd34828d3705c01ee262328d
  SHA1: a2bbeaff63737ed57224344c0f175cb0dcb1eaaa
  SHA256: eb5dde75d692a5968cbef7eeeff57aaac5b1992855c2dd27091ef432d681097c
  SHA512: e31d4d94cce19f9bfdb19ca88493a60846aec5341b4145c216df14491652079448c993f66960ce56638cc5b38087de5259490c0ed784c85488bb56b4e86ec39b
  This clean-room copy (3.5MB) does not hash-match the C:\ProgramData copy (3.8MB) it was launched from, so both hashes belong in the IoC set.
Memory dumps (dump name, address range, size; process names from the signature tables above):
- memory/236-26  0x0000000000400000-0x0000000000744000 (3.3MB)  pdScript.exe, the sample's own image (3.2MB file)
- memory/236-0   0x0000000002610000-0x0000000002611000 (4KB)  pdScript.exe
- memory/744-50  0x0000000074360000-0x00000000744DD000 (1.5MB)  RttHlp.exe
- memory/744-51  0x00007FFE8C040000-0x00007FFE8C249000 (2.0MB)  RttHlp.exe
- memory/744-62  0x0000000050000000-0x0000000050116000 (1.1MB)  RttHlp.exe, size matches rtl120.bpl
- memory/744-63  0x0000000050120000-0x000000005030D000 (1.9MB)  RttHlp.exe, size matches vcl120.bpl
- memory/744-61  0x0000000000400000-0x0000000000421000 (132KB)  RttHlp.exe image (135KB file)
- memory/1364-74 0x0000000075920000-0x0000000075A9D000 (1.5MB)  RttHlp.exe
- memory/1364-77 0x0000000075920000-0x0000000075A9D000 (1.5MB)  RttHlp.exe
- memory/1364-81 0x0000000050120000-0x000000005030D000 (1.9MB)  RttHlp.exe, size matches vcl120.bpl
- memory/1364-80 0x0000000050000000-0x0000000050116000 (1.1MB)  RttHlp.exe, size matches rtl120.bpl
- memory/1364-76 0x00007FFE8C040000-0x00007FFE8C249000 (2.0MB)  RttHlp.exe
- memory/1888-88 0x0000000073C30000-0x0000000074F47000 (19.1MB)  MSBuild.exe
- memory/1888-91 0x0000000000D00000-0x0000000000DC6000 (792KB)  MSBuild.exe, the region matched by family_sectoprat
- memory/1888-92 0x0000000005410000-0x00000000054A2000 (584KB)  MSBuild.exe
- memory/1888-93 0x0000000005B00000-0x00000000060A6000 (5.6MB)  MSBuild.exe
- memory/1888-94 0x0000000005840000-0x0000000005A02000 (1.8MB)  MSBuild.exe
- memory/1888-95 0x0000000005550000-0x00000000055A0000 (320KB)  MSBuild.exe
- memory/1888-96 0x0000000005670000-0x00000000056E6000 (472KB)  MSBuild.exe
- memory/3860-86 0x0000000075920000-0x0000000075A9D000 (1.5MB)  cmd.exe
- memory/3860-83 0x00007FFE8C040000-0x00007FFE8C249000 (2.0MB)  cmd.exe
Regions that recur at the same address and size across PIDs 744, 1364 and 3860 (the 2.0MB mapping at 0x00007FFE8C040000 and the 1.5MB mapping at 0x0000000075920000) are shared system modules, not payload. The dump to pull for analysis is memory/1888-91: it is the only region the YARA rule matches, and it is an unpacked image that never touches disk.
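To use the list above as a detection artifact, the hashes have to be pulled out of the glued "…Filesize" / "MD5…" layout the page extraction produced and compared with files on a host. The script below is an added example, not part of the report or of the sandbox's tooling: it parses two entries copied verbatim from the list, then sweeps a directory and returns the files whose SHA-256 matches an entry. Because the real dropped binaries are not available here, run_demo() writes a constructed stand-in file into a temporary directory and appends its hash as an extra entry so the sweep produces one hit offline; the two real entries produce no hit on that directory.

```python
"""Parse this report's dropped-file list and sweep a directory for matches.
Added example, not part of the sandbox report or of the sandbox vendor's code."""
import hashlib
import os
import re
import tempfile
from typing import Dict, List, Tuple

# Constructed input: two entries copied from the Downloads list, in the glued
# layout the page extraction produced (path+"Filesize", algorithm+digest).
REPORT_ENTRIES = r"""
C:\ProgramData\LatencyMon\LatencyMon.exeFilesize
3.8MB
MD5b5934aadb33c3458d522c40be73b2c05
SHA1f484499f7ee91897a7e51743c17c173c409333a4
SHA25684e1dc5203b40434e0bfa3320ce622bc3e14d3846a5447a1533ed6fabfffb6f6
-
C:\Windows\Temp\{B291F914-B2C8-4AB8-BEAD-F821CB35445A}\.ba\RttHlp.exeFilesize
135KB
MD5a2d70fbab5181a509369d96b682fc641
SHA122afcdc180400c4d2b9e5a6db2b8a26bff54dd38
SHA2568aed681ad8d660257c10d2f0e85ae673184055a341901643f27afc38e5ef8473
"""

DIGEST_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}
DIGEST_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)([0-9A-Fa-f]+)$")


def parse_entries(text: str) -> List[Dict[str, str]]:
    """Split the glued layout into {'path', 'size', 'md5', 'sha1', ...} dicts.
    A digest is stored only if its length fits the algorithm, so a truncated
    hash is dropped rather than matched against."""
    entries: List[Dict[str, str]] = []
    cur = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "-":
            continue
        if line.endswith("Filesize"):
            cur = {"path": line[: -len("Filesize")]}
            entries.append(cur)
            continue
        if cur is None:
            continue
        m = DIGEST_RE.match(line)
        if m and len(m.group(2)) == DIGEST_LEN[m.group(1).lower()]:
            cur[m.group(1).lower()] = m.group(2).lower()
        elif "size" not in cur:
            cur["size"] = line
    return entries


def sha256_file(path: str) -> str:
    """Stream a file through SHA-256 in 1 MiB chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep(root: str, entries: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Hash every file under root; return (local path, report path) for files
    whose SHA-256 matches an entry. Only SHA-256 is used for matching; MD5 and
    SHA-1 are kept for cross-referencing other reports."""
    by_sha = {e["sha256"]: e["path"] for e in entries if "sha256" in e}
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            local = os.path.join(dirpath, name)
            digest = sha256_file(local)
            if digest in by_sha:
                hits.append((local, by_sha[digest]))
    return hits


def run_demo() -> List[Tuple[str, str]]:
    """Offline demonstration: the real dropped files are not available, so a
    constructed stand-in is written and its hash appended as an extra entry."""
    entries = parse_entries(REPORT_ENTRIES)
    with tempfile.TemporaryDirectory() as root:
        stand_in = os.path.join(root, "RttHlp.exe")
        with open(stand_in, "wb") as f:
            f.write(b"MZ constructed stand-in, not the real dropper")
        with open(os.path.join(root, "notes.txt"), "w") as f:
            f.write("unrelated file, must not match\n")
        entries.append({"path": "constructed:RttHlp.exe", "size": "n/a",
                        "sha256": sha256_file(stand_in)})
        hits = sweep(root, entries)
    return [(os.path.basename(local), rpt) for local, rpt in hits]


if __name__ == "__main__":
    for e in parse_entries(REPORT_ENTRIES):
        print(e["path"], e["size"], e["sha256"])
    print(run_demo())
```

Two points to carry over when running this against real hosts: match on SHA-256 rather than MD5, since MD5 collisions are cheap to manufacture, and remember that the on-disk hashes cover only the dropper stages; the SectopRAT payload itself exists only in MSBuild.exe's memory, so a file sweep that finds nothing does not clear a host on which the chain already ran.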