Overview

overview

10

Static

static

3

pdScript.exe

windows7-x64

6

pdScript.exe

windows10-2004-x64

10

pdScript.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    1147s
  • max time network
    1191s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240419-en
  • resource tags

    arch:x64arch:x86image:win11-20240419-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    02-07-2024 18:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    pdScript.exe

  • Size

    3.2MB

  • MD5

    d464091627b9892b52f3f62fa3a03264

  • SHA1

    85617122af6e94afada156fbe577bc59ca9dca8f

  • SHA256

    de2b6a281000101e51a1848ea5ae9526355d749ca8095b25ce0b43b8641d4a63

  • SHA512

    290bbe3de0051f9c29049fedf259cf3cb4d1b3015c468e7d5e93cbee11534f1f920b18b49363864d3f367590ec7342ba800cd988ac98db081271c3b76726e21c

  • SSDEEP

    49152:NI9+2qYtQ/Rg2ECNUg2I7wUpEroPeeegawQTCIyVM8OoJNY:Sg21t0q2ECNURoPblawXIyXOoc

Score
10/10
sectopratrattrojan

Malware Config

Signatures

  • SectopRAT

    SectopRAT is a remote access trojan first seen in November 2019.

    trojanratsectoprat
  • SectopRAT payload 1 IoCs
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 8 IoCs
  • Blocklisted process makes network request 1 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Windows directory 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious behavior: MapViewOfSection 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 41 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\pdScript.exe
    "C:\Users\Admin\AppData\Local\Temp\pdScript.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:236
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3768
    • C:\ProgramData\LatencyMon\LatencyMon.exe
      "C:\ProgramData\LatencyMon\LatencyMon.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2936
      • C:\Windows\TEMP\{D806FE7E-20FC-4E34-B12C-BE5A9CD97066}\.cr\LatencyMon.exe
        "C:\Windows\TEMP\{D806FE7E-20FC-4E34-B12C-BE5A9CD97066}\.cr\LatencyMon.exe" -burn.clean.room="C:\ProgramData\LatencyMon\LatencyMon.exe" -burn.filehandle.attached=684 -burn.filehandle.self=680
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:3972
        • C:\Windows\TEMP\{B291F914-B2C8-4AB8-BEAD-F821CB35445A}\.ba\RttHlp.exe
          "C:\Windows\TEMP\{B291F914-B2C8-4AB8-BEAD-F821CB35445A}\.ba\RttHlp.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:744
          • C:\Users\Admin\AppData\Roaming\exploreDaemonZL\RttHlp.exe
            C:\Users\Admin\AppData\Roaming\exploreDaemonZL\RttHlp.exe
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of WriteProcessMemory
            PID:1364
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\SysWOW64\cmd.exe
              6⤵
              • Suspicious use of SetThreadContext
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious behavior: MapViewOfSection
              • Suspicious use of WriteProcessMemory
              PID:3860
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                7⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:1888

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Config.Msi\e578426.rbs
    Filesize

    1KB

    MD5

    6dac205b1be2b0a3498000162ac2772e

    SHA1

    70b2ccde6df1c41b1c559ca85742ff1ee05aa422

    SHA256

    c0c5ac8fb42acf9638ca5030de069ddc8eb598ecc102c01de5a353f1441a5a77

    SHA512

    4d6f4e32d4a3f9a226fe4c68e0eec83852c98362a5742e66200ed50ea809a7157aad2ce4bfce8924bd6641f20a994b95582cc3b30567cdca9ac94384e2048798

    Download Submit
  • C:\ProgramData\LatencyMon\LatencyMon.exe
    Filesize

    3.8MB

    MD5

    b5934aadb33c3458d522c40be73b2c05

    SHA1

    f484499f7ee91897a7e51743c17c173c409333a4

    SHA256

    84e1dc5203b40434e0bfa3320ce622bc3e14d3846a5447a1533ed6fabfffb6f6

    SHA512

    a91251797be880e95b953909a9d687a54b99eb624a4c3091ca3e1bd6a03948fe7cb8f0a8f72a525cca28c579a8ec1a2c9a8076ad8c403a9da770ab2f8a4bc41b

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\7dfbec69
    Filesize

    1.4MB

    MD5

    f529cd8fe0b0cf5b2a87413882566dd0

    SHA1

    4020c62c44c83b240c46afa6f6419707195d9b96

    SHA256

    afb8ae3bd37b35f6f31a23be9c8ca1a56f29b13e5d009bf1955d80c490651ebb

    SHA512

    97d38eb751b6696ca2f51808d27f2c90ae902673ca4e742510c69d8cbe48c71afc142aaee6e4a270b1f7575ffd0c6a63e173078b2c5acccf9c7dd9a5dbeb4119

    Download Submit
  • C:\Windows\Installer\MSI6B7B.tmp
    Filesize

    3.5MB

    MD5

    383a14eaed6396778e34e61e52362e1c

    SHA1

    d5d8ac79930d42ca4e15ec25f4c46df30e270239

    SHA256

    0921af5cbfca81c039df07f74ff8be44d6104cefbd3b36a893e018d17a26cfe6

    SHA512

    94e9dd1a99686459a83075ad322d6feabd7c782e68313c20a665bfaf409c6d19c1412f9d251f3ef8a446a11e447dcaf225fa27d00cc029eed6650f2c9de22fb1

    Download Submit
  • C:\Windows\TEMP\{B291F914-B2C8-4AB8-BEAD-F821CB35445A}\.ba\Register.dll
    Filesize

    1.0MB

    MD5

    40b9628354ef4e6ef3c87934575545f4

    SHA1

    8fb5da182dea64c842953bf72fc573a74adaa155

    SHA256

    372b14fce2eb35b264f6d4aeef7987da56d951d3a09ef866cf55ed72763caa12

    SHA512

    02b0ea82efbfbe2e7308f86bfbec7a5109f3fe91d42731812d2e46aebedce50aabc565d2da9d3fbcd0f46febbff49c534419d1a91e0c14d5a80f06b74888c641

    Download Submit
  • C:\Windows\TEMP\{B291F914-B2C8-4AB8-BEAD-F821CB35445A}\.ba\buoyage.dmg
    Filesize

    57KB

    MD5

    3db1ea342242328adb0fb8273818adca

    SHA1

    3f77d4daa288b43e68cc2c7516b3a1ce6ab1daf2

    SHA256

    901c8417b895ff41e9370ff1b98ffe01a4cdc2d064802cf7bd6927e15fa42130

    SHA512

    3389dd71d87fb32c970f8eef7125156a01c6d9c36c2c5685a38a885172b1f0a9a107a0d9c873a13f29f9e934817635edb77f76871dae760042e1ca345df24e39

    Download Submit
  • C:\Windows\TEMP\{B291F914-B2C8-4AB8-BEAD-F821CB35445A}\.ba\sanicle.ini
    Filesize

    1.2MB

    MD5

    a3f856336a62843ff630f5ed9379f76a

    SHA1

    2577ce4f212beb1523686a1661b617d16ee95820

    SHA256

    98381b504cf5878f5a833a578ba91b219c7e132e366589ffa5c12c2397b0a1ea

    SHA512

    5bbdbad5712869ebbbc0f496553481d033885c7ef08b11e286bdf53042d458633f1794c04488d3ee2d6cc1a616768c0314d26a51a7b0f5f85c7ce79bf7d7b241

    Download Submit
  • C:\Windows\Temp\{B291F914-B2C8-4AB8-BEAD-F821CB35445A}\.ba\Dietary.dll
    Filesize

    958KB

    MD5

    652e1a8e8faa840cb70f36f8bb4caff2

    SHA1

    abe2c3505e100a5002be7ff887fadd3002b5c6bd

    SHA256

    c18439f2289a9272d7f059309cd8fd70af6386433d6da20f6cdca1fcaf34d51f

    SHA512

    030ac302d84edd5825c35fa44412cc124df9ea05746c811350889e9a9237e2119e7f2ff3b0bc377d772c89f076dbc1c5bf0256ea3932f768b7d558d42467fb6b

    Download Submit
  • C:\Windows\Temp\{B291F914-B2C8-4AB8-BEAD-F821CB35445A}\.ba\RttHlp.exe
    Filesize

    135KB

    MD5

    a2d70fbab5181a509369d96b682fc641

    SHA1

    22afcdc180400c4d2b9e5a6db2b8a26bff54dd38

    SHA256

    8aed681ad8d660257c10d2f0e85ae673184055a341901643f27afc38e5ef8473

    SHA512

    219c6e7e88004fad9f4392be9a852c58fc43b7f6900e40370991427f37eaea5c18f48d2954f9479dde8bcb787345f4e292d5620add8224aec4d93d7968820b83

    Download Submit
  • C:\Windows\Temp\{B291F914-B2C8-4AB8-BEAD-F821CB35445A}\.ba\rtl120.bpl
    Filesize

    1.1MB

    MD5

    adf82ed333fb5567f8097c7235b0e17f

    SHA1

    e6ccaf016fc45edcdadeb40da64c207ddb33859f

    SHA256

    d6dd7a4f46f2cfde9c4eb9463b79d5ff90fc690da14672ba1da39708ee1b9b50

    SHA512

    2253c7b51317a3b5734025b6c7639105dbc81c340703718d679a00c13d40dd74ccaba1f6d04b21ee440f19e82ba680aa4b2a6a75c618aed91bd85a132be9fc92

    Download Submit
  • C:\Windows\Temp\{B291F914-B2C8-4AB8-BEAD-F821CB35445A}\.ba\vcl120.bpl
    Filesize

    1.9MB

    MD5

    0184d10198c4c49f16c859add01f1f0c

    SHA1

    758f87da7b9b5d6bef999f80b1792daaf4a4f6f1

    SHA256

    ecd2e6bf1a52d0173cfdf5216c0484519a7d09da23667d31525f51b58908ee9b

    SHA512

    55c6d7a2e38990257f9edef710d23f0550f0f8e6f010020a09f22d81a80f92ea9330c9a835131513a467e9ed889a400500a186478dc9b2d5c55fed9b858a6ff7

    Download Submit
  • C:\Windows\Temp\{D806FE7E-20FC-4E34-B12C-BE5A9CD97066}\.cr\LatencyMon.exe
    Filesize

    3.5MB

    MD5

    ef3ab0d0dd34828d3705c01ee262328d

    SHA1

    a2bbeaff63737ed57224344c0f175cb0dcb1eaaa

    SHA256

    eb5dde75d692a5968cbef7eeeff57aaac5b1992855c2dd27091ef432d681097c

    SHA512

    e31d4d94cce19f9bfdb19ca88493a60846aec5341b4145c216df14491652079448c993f66960ce56638cc5b38087de5259490c0ed784c85488bb56b4e86ec39b

    Download Submit
  • memory/236-26-0x0000000000400000-0x0000000000744000-memory.dmp
    Filesize

    3.3MB

    Download
  • memory/236-0-0x0000000002610000-0x0000000002611000-memory.dmp
    Filesize

    4KB

    Download
  • memory/744-50-0x0000000074360000-0x00000000744DD000-memory.dmp
    Filesize

    1.5MB

    Download
  • memory/744-51-0x00007FFE8C040000-0x00007FFE8C249000-memory.dmp
    Filesize

    2.0MB

    Download
  • memory/744-62-0x0000000050000000-0x0000000050116000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/744-63-0x0000000050120000-0x000000005030D000-memory.dmp
    Filesize

    1.9MB

    Download
  • memory/744-61-0x0000000000400000-0x0000000000421000-memory.dmp
    Filesize

    132KB

    Download
  • memory/1364-74-0x0000000075920000-0x0000000075A9D000-memory.dmp
    Filesize

    1.5MB

    Download
  • memory/1364-77-0x0000000075920000-0x0000000075A9D000-memory.dmp
    Filesize

    1.5MB

    Download
  • memory/1364-81-0x0000000050120000-0x000000005030D000-memory.dmp
    Filesize

    1.9MB

    Download
  • memory/1364-80-0x0000000050000000-0x0000000050116000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/1364-76-0x00007FFE8C040000-0x00007FFE8C249000-memory.dmp
    Filesize

    2.0MB

    Download
  • memory/1888-88-0x0000000073C30000-0x0000000074F47000-memory.dmp
    Filesize

    19.1MB

    Download
  • memory/1888-91-0x0000000000D00000-0x0000000000DC6000-memory.dmp
    Filesize

    792KB

    Download
  • memory/1888-92-0x0000000005410000-0x00000000054A2000-memory.dmp
    Filesize

    584KB

    Download
  • memory/1888-93-0x0000000005B00000-0x00000000060A6000-memory.dmp
    Filesize

    5.6MB

    Download
  • memory/1888-94-0x0000000005840000-0x0000000005A02000-memory.dmp
    Filesize

    1.8MB

    Download
  • memory/1888-95-0x0000000005550000-0x00000000055A0000-memory.dmp
    Filesize

    320KB

    Download
  • memory/1888-96-0x0000000005670000-0x00000000056E6000-memory.dmp
    Filesize

    472KB

    Download
  • memory/3860-86-0x0000000075920000-0x0000000075A9D000-memory.dmp
    Filesize

    1.5MB

    Download
  • memory/3860-83-0x00007FFE8C040000-0x00007FFE8C249000-memory.dmp
    Filesize

    2.0MB

    Download