Analysis
max time kernel: 148s
max time network: 9s
platform: windows7_x64
resource: win7v20201028
submitted: 25-11-2020 16:00
Static task: static1
Behavioral task: behavioral1
Sample: Sitat.exe
Resource: win7v20201028
General
Target: Sitat.exe
Size: 1.1MB
MD5: 442486bfd653a5fe61b776351df520da
SHA1: 0c437994ff65a85e86c052badb4ddc097cfec1d4
SHA256: 8bfe228dbd446c4a9f65d93725c39404c6b2a5d6795aa2fcb60b1d04de21f81b
SHA512: 7ae8f4c5fcbf7cd0fab81891350cf4f62586985f8dbe24d25281ceb6e11c6faca001aab3d0dbb97e2dd464e68dbe8ed04b69b63ae6db16a55e7b9334f213b43f
Malware Config
Signatures
Looks for VirtualBox Guest Additions in registry (2 TTPs)
Looks for VMWare Tools registry key (2 TTPs)
Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments: on many hypervisors these strings name the virtualization product (a VirtualBox guest, for example, reports "VBOX" in SystemBiosVersion), so a sample compares them against a short list of vendor markers.
Processes:
  description       | ioc                                                             | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Sitat.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  | Sitat.exe
Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk where infostealers will often target it.
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Maps connected drives based on registry (3 TTPs, 2 IoCs)
Disk information is often read in order to detect sandboxing environments: the Disk\Enum values hold the device instance IDs of attached disks, which embed the vendor string (VBOX, VMware, QEMU) on virtual machines.
Processes:
  description       | ioc                                                         | process
  Key opened        | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum   | Sitat.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | Sitat.exe
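The two registry-based sandbox checks above (BIOS version strings and the Disk\Enum device list) can be triaged mechanically from a report's event rows. The following is an added example, not code from the sandbox or from the sample: it classifies registry-query events into the anti-VM categories this report names and then shows what an anti-VM routine typically compares the returned data against. The BIOS and Disk\Enum paths are copied from the IoC rows; the VirtualBox Guest Additions and VMware Tools key paths, the vendor-marker list, and the sample events and registry data are assumptions constructed for the example.

```python
"""Added example, not part of the sandbox report: classify registry-query
events like the ones listed above into the anti-sandbox checks the report
names, then show what a sample typically compares the returned values against.
"""
from collections import defaultdict

# Key paths. The BIOS and Disk\Enum paths are copied from the report's IoC
# rows; the VirtualBox Guest Additions and VMware Tools paths are the
# conventional locations (assumed here, the report names the check but
# does not print the path).
ANTI_VM_KEYS = {
    r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion": "bios_version",
    r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion": "bios_version",
    r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum": "disk_enum",
    r"\REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions": "vbox_guest_additions",
    r"\REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools": "vmware_tools",
}

# Substrings that show up in BIOS version strings and disk enumeration
# entries on common hypervisors. This list is an assumption; the report
# does not show what the sample compares against.
VM_MARKERS = ("VBOX", "VIRTUALBOX", "VMWARE", "QEMU", "BOCHS", "VIRTUAL", "XEN")


def classify_key(key):
    """Map a registry path to an anti-VM category, or None.

    Matching is case-insensitive and prefix-based: the report spells the
    same hive both 'Services' and 'services', and querying ...\\Disk\\Enum\\0
    is the same check as opening ...\\Disk\\Enum.
    """
    k = key.lower()
    for path, category in ANTI_VM_KEYS.items():
        p = path.lower()
        if k == p or k.startswith(p + "\\"):
            return category
    return None


def classify_events(events):
    """events: iterable of (process, pid, operation, key).
    Returns {pid: {category, ...}} for processes that touched anti-VM keys."""
    hits = defaultdict(set)
    for _process, pid, _op, key in events:
        category = classify_key(key)
        if category:
            hits[pid].add(category)
    return dict(hits)


def vm_indicators(values):
    """values: {key: data} as read back from the registry.
    Returns (key, marker) pairs the way an anti-VM routine would match them."""
    found = []
    for key, data in values.items():
        up = str(data).upper()
        for marker in VM_MARKERS:
            if marker in up:
                found.append((key, marker))
    return found


def is_probing_for_sandbox(events, min_categories=2):
    """PIDs that hit at least `min_categories` distinct anti-VM checks.
    One category alone is weak: plenty of legitimate software reads the
    BIOS version, far fewer also enumerate disks and look for guest tools."""
    return {pid for pid, cats in classify_events(events).items()
            if len(cats) >= min_categories}


# Constructed events mirroring the report's IoC rows, plus one benign
# query (ProductName) that must not be counted.
SAMPLE_EVENTS = [
    ("Sitat.exe", 1640, "Key value queried",
     r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion"),
    ("Sitat.exe", 1640, "Key value queried",
     r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion"),
    ("Sitat.exe", 1640, "Key opened",
     r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum"),
    ("Sitat.exe", 1640, "Key value queried",
     r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0"),
    ("Sitat.exe", 1640, "Key value queried",
     r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName"),
]

# Constructed registry data in the shape a VirtualBox guest returns it.
SAMPLE_VALUES = {
    r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion": "VBOX   - 1",
    r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion": "Oracle VM VirtualBox Version 6.1.16",
    r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0": r"IDE\DiskVBOX_HARDDISK_1.0",
}

if __name__ == "__main__":
    print(classify_events(SAMPLE_EVENTS))
    print(is_probing_for_sandbox(SAMPLE_EVENTS))
    for key, marker in vm_indicators(SAMPLE_VALUES):
        print(marker, "in", key)
```

The threshold in `is_probing_for_sandbox` is the point: a single BIOS read is common in installers and hardware inventory tools, and this sample only stands out because it also walks Disk\Enum and checks for both vendors' guest tools.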
Suspicious use of SetThreadContext (1 IoC)
Setting the thread context of a freshly spawned copy of its own image, after writing into that process (see WriteProcessMemory below), is the process-hollowing / RunPE sequence: the child's suspended main thread is redirected to code the parent wrote in.
Processes:
  description                        | pid  | process   | target process
  PID 1640 set thread context of 840 | 1640 | Sitat.exe | Sitat.exe
Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes:
  pid  | process
  1640 | Sitat.exe
  1640 | Sitat.exe
  840  | Sitat.exe
  840  | Sitat.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  description             | pid  | process
  Token: SeDebugPrivilege | 1640 | Sitat.exe
  Token: SeDebugPrivilege | 840  | Sitat.exe
Suspicious use of WriteProcessMemory (13 IoCs; the 13 identical rows of the original table are collapsed here with a count)
Processes:
  description                     | count | pid  | process   | target process
  PID 1640 wrote to memory of 272 | 4     | 1640 | Sitat.exe | schtasks.exe
  PID 1640 wrote to memory of 840 | 9     | 1640 | Sitat.exe | Sitat.exe
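The SetThreadContext and WriteProcessMemory rows above are two halves of one pattern, and a detector should join them per (source, target) pair rather than alert on either alone: the parent also writes into the schtasks.exe child it spawns, with no SetThreadContext, and that pair should not be reported. The following is an added example, not the sandbox's own logic: it rebuilds the injection chain from per-event rows and checks that the child's new thread start (the 0x436DEE mapping recorded for PID 840 under Downloads) lies inside the rewritten 0x400000-0x43C000 image region. It goes slightly beyond this report in that it also flags injection into a child with a different image name, reporting `self_image` separately. The event tuples are constructed from the report's rows and process tree; process-creation events are inferred from the tree.

```python
"""Added example, not part of the sandbox report: pick the injection chain
out of per-event rows like the ones above. A process writing into a child
and then calling SetThreadContext on it is the process-hollowing sequence;
writes alone into a freshly created child (as with schtasks.exe here) are
not reported.
"""
from collections import defaultdict
import ntpath

# Constructed events mirroring the report: (operation, src_pid, src_image,
# dst_pid, dst_image). Creation events are taken from the process tree.
SAMPLE_EVENTS = (
    [("process_create", 1640, "Sitat.exe", 272, "schtasks.exe")]
    + [("write_process_memory", 1640, "Sitat.exe", 272, "schtasks.exe")] * 4
    + [("process_create", 1640, "Sitat.exe", 840, "Sitat.exe")]
    + [("write_process_memory", 1640, "Sitat.exe", 840, "Sitat.exe")] * 9
    + [("set_thread_context", 1640, "Sitat.exe", 840, "Sitat.exe")]
)


def detect_hollowing(events):
    """Return one finding per (src_pid, dst_pid) pair that shows at least
    one WriteProcessMemory and at least one SetThreadContext from src into
    dst. Whether the child runs the parent's own image and whether the
    parent created it are reported as attributes, not used as filters."""
    pairs = defaultdict(lambda: {"writes": 0, "ctx": 0, "created": False,
                                 "src_image": None, "dst_image": None})
    for op, src_pid, src_image, dst_pid, dst_image in events:
        rec = pairs[(src_pid, dst_pid)]
        rec["src_image"], rec["dst_image"] = src_image, dst_image
        if op == "process_create":
            rec["created"] = True
        elif op == "write_process_memory":
            rec["writes"] += 1
        elif op == "set_thread_context":
            rec["ctx"] += 1

    findings = []
    for (src, dst), rec in pairs.items():
        if not (rec["writes"] and rec["ctx"]):
            continue
        same = (ntpath.basename(rec["src_image"]).lower()
                == ntpath.basename(rec["dst_image"]).lower())
        findings.append({
            "parent": src,
            "child": dst,
            "image": rec["dst_image"],
            "writes": rec["writes"],
            "set_thread_context": rec["ctx"],
            "self_image": same,
            "spawned_by_parent": rec["created"],
        })
    return findings


def entry_point_offset(entry, region):
    """Offset of the redirected thread start inside a dumped region, or None
    if it falls outside. For PID 840 the report records a mapping at
    0x436DEE and an image region of 0x400000-0x43C000 (end exclusive)."""
    lo, hi = region
    if lo <= entry < hi:
        return entry - lo
    return None


if __name__ == "__main__":
    for finding in detect_hollowing(SAMPLE_EVENTS):
        print(finding)
    off = entry_point_offset(0x436DEE, (0x400000, 0x43C000))
    print("thread start is at image offset", hex(off) if off is not None else "outside")
```

An in-region offset tells the analyst the 240KB dumps of PID 840 taken after the writes are the payload to carve: the parent rewrote the child's image in place rather than mapping a fresh region elsewhere.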
Processes
1. C:\Users\Admin\AppData\Local\Temp\Sitat.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\Sitat.exe"
   - Checks BIOS information in registry
   - Maps connected drives based on registry
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZCkPQU" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF863.tmp"
      - Creates scheduled task(s)
      The command line names System32 but the image that ran is in SysWOW64: WoW64 file-system redirection, which shows the parent is a 32-bit process. The task definition comes from the XML file tmpF863.tmp listed under Downloads.
   2. C:\Users\Admin\AppData\Local\Temp\Sitat.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Sitat.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
C:\Users\Admin\AppData\Local\Temp\tmpF863.tmp
MD5: 3e7175705c47df113485efdb6a55f9b4
SHA1: 06f6fade770eed12d6be7f049e556478582e5d30
SHA256: 0f16540973acfce13e36f493a3425b935165d9880cd0710b5e34945b3ebd9fda
SHA512: 0b82500c1a9d64c2105ac9ea33c1cc3d9594eb5f3420489ec46977b018eea09f57a13fca6ede70a60c0567b7994af937260c998e19deca525f103c7d909ecbc3

Memory dumps (file name, region, size), ordered by PID and dump index:
memory/1640-0-0x00000000745C0000-0x0000000074CAE000-memory.dmp (6.9MB)
memory/1640-1-0x00000000008E0000-0x00000000008E1000-memory.dmp (4KB)
memory/1640-3-0x0000000000500000-0x0000000000514000-memory.dmp (80KB)
memory/1640-4-0x00000000051A0000-0x000000000520D000-memory.dmp (436KB)
memory/1640-5-0x0000000000640000-0x0000000000646000-memory.dmp (24KB)
memory/1640-6-0x0000000004D30000-0x0000000004D68000-memory.dmp (224KB)
memory/272-7-0x0000000000000000-mapping.dmp
memory/840-9-0x0000000000400000-0x000000000043C000-memory.dmp (240KB)
memory/840-10-0x0000000000436DEE-mapping.dmp
memory/840-11-0x0000000000400000-0x000000000043C000-memory.dmp (240KB)
memory/840-12-0x0000000000400000-0x000000000043C000-memory.dmp (240KB)
memory/840-13-0x00000000745C0000-0x0000000074CAE000-memory.dmp (6.9MB)
The three 240KB dumps of PID 840 all cover 0x400000-0x43C000, the image region of the second Sitat.exe, and the 0x436DEE mapping entry for that PID lies inside it, consistent with the parent redirecting the child's thread into the rewritten image; those dumps are the first place to look for the unpacked payload.