8bfe228dbd446c4a9f65d93725c39404c6b2a5d6795aa2fcb60b1d04de21f81b

General

Target

Sitat.exe
Size

1.1MB
MD5

442486bfd653a5fe61b776351df520da
SHA1

0c437994ff65a85e86c052badb4ddc097cfec1d4
SHA256

8bfe228dbd446c4a9f65d93725c39404c6b2a5d6795aa2fcb60b1d04de21f81b
SHA512

7ae8f4c5fcbf7cd0fab81891350cf4f62586985f8dbe24d25281ceb6e11c6faca001aab3d0dbb97e2dd464e68dbe8ed04b69b63ae6db16a55e7b9334f213b43f

Score

9^/10

evasion spyware

Malware Config

Signatures

Looks for VirtualBox Guest Additions in registry 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Looks for VMWare Tools registry key 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Sitat.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Sitat.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Sitat.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Sitat.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	Sitat.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	Sitat.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Sitat.exe

description pid process target process

PID 1640 set thread context of 840 1640 Sitat.exe Sitat.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

272 schtasks.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

Sitat.exeSitat.exe

pid process

1640 Sitat.exe
1640 Sitat.exe
840 Sitat.exe
840 Sitat.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Sitat.exeSitat.exe

description pid process

Token: SeDebugPrivilege 1640 Sitat.exe
Token: SeDebugPrivilege 840 Sitat.exe

description	pid	process	target process
PID 1640 set thread context of 840	1640	Sitat.exe	Sitat.exe

pid	process
272	schtasks.exe

pid	process
1640	Sitat.exe
1640	Sitat.exe
840	Sitat.exe
840	Sitat.exe

description	pid	process
Token: SeDebugPrivilege	1640	Sitat.exe
Token: SeDebugPrivilege	840	Sitat.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

Sitat.exe

description	pid	process	target process
PID 1640 wrote to memory of 272	1640	Sitat.exe	schtasks.exe
PID 1640 wrote to memory of 272	1640	Sitat.exe	schtasks.exe
PID 1640 wrote to memory of 272	1640	Sitat.exe	schtasks.exe
PID 1640 wrote to memory of 272	1640	Sitat.exe	schtasks.exe
PID 1640 wrote to memory of 840	1640	Sitat.exe	Sitat.exe
PID 1640 wrote to memory of 840	1640	Sitat.exe	Sitat.exe
PID 1640 wrote to memory of 840	1640	Sitat.exe	Sitat.exe
PID 1640 wrote to memory of 840	1640	Sitat.exe	Sitat.exe
PID 1640 wrote to memory of 840	1640	Sitat.exe	Sitat.exe
PID 1640 wrote to memory of 840	1640	Sitat.exe	Sitat.exe
PID 1640 wrote to memory of 840	1640	Sitat.exe	Sitat.exe
PID 1640 wrote to memory of 840	1640	Sitat.exe	Sitat.exe
PID 1640 wrote to memory of 840	1640	Sitat.exe	Sitat.exe

C:\Users\Admin\AppData\Local\Temp\Sitat.exe
"C:\Users\Admin\AppData\Local\Temp\Sitat.exe"
1⤵
- Checks BIOS information in registry
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1640

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZCkPQU" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF863.tmp"
2⤵
- Creates scheduled task(s)
PID:272

C:\Users\Admin\AppData\Local\Temp\Sitat.exe
"C:\Users\Admin\AppData\Local\Temp\Sitat.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:840

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

4

T1012

Virtualization/Sandbox Evasion

2

T1497

System Information Discovery

2

T1082

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Data from Local System

2

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpF863.tmp
MD5
3e7175705c47df113485efdb6a55f9b4

SHA1
06f6fade770eed12d6be7f049e556478582e5d30

SHA256
0f16540973acfce13e36f493a3425b935165d9880cd0710b5e34945b3ebd9fda

SHA512
0b82500c1a9d64c2105ac9ea33c1cc3d9594eb5f3420489ec46977b018eea09f57a13fca6ede70a60c0567b7994af937260c998e19deca525f103c7d909ecbc3

Download Submit
memory/272-7-0x0000000000000000-mapping.dmp

Download
memory/840-11-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/840-9-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/840-10-0x0000000000436DEE-mapping.dmp

Download
memory/840-12-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/840-13-0x00000000745C0000-0x0000000074CAE000-memory.dmp

Filesize
6.9MB

Download
memory/1640-4-0x00000000051A0000-0x000000000520D000-memory.dmp

Filesize
436KB

Download
memory/1640-5-0x0000000000640000-0x0000000000646000-memory.dmp

Filesize
24KB

Download
memory/1640-6-0x0000000004D30000-0x0000000004D68000-memory.dmp

Filesize
224KB

Download
memory/1640-3-0x0000000000500000-0x0000000000514000-memory.dmp

Filesize
80KB

Download
memory/1640-1-0x00000000008E0000-0x00000000008E1000-memory.dmp

Filesize
4KB

Download
memory/1640-0-0x00000000745C0000-0x0000000074CAE000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads