8bfe228dbd446c4a9f65d93725c39404c6b2a5d6795aa2fcb60b1d04de21f81b

General

Target

Sitat.exe
Size

1.1MB
MD5

442486bfd653a5fe61b776351df520da
SHA1

0c437994ff65a85e86c052badb4ddc097cfec1d4
SHA256

8bfe228dbd446c4a9f65d93725c39404c6b2a5d6795aa2fcb60b1d04de21f81b
SHA512

7ae8f4c5fcbf7cd0fab81891350cf4f62586985f8dbe24d25281ceb6e11c6faca001aab3d0dbb97e2dd464e68dbe8ed04b69b63ae6db16a55e7b9334f213b43f

Score

9^/10

evasion spyware

Malware Config

Signatures

Looks for VirtualBox Guest Additions in registry 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Looks for VMWare Tools registry key 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Sitat.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Sitat.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Sitat.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Sitat.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	Sitat.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	Sitat.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Sitat.exe

description pid process target process

PID 1144 set thread context of 832 1144 Sitat.exe Sitat.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

456 schtasks.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

Sitat.exeSitat.exe

pid process

1144 Sitat.exe
1144 Sitat.exe
1144 Sitat.exe
832 Sitat.exe
832 Sitat.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Sitat.exeSitat.exe

description pid process

Token: SeDebugPrivilege 1144 Sitat.exe
Token: SeDebugPrivilege 832 Sitat.exe

description	pid	process	target process
PID 1144 set thread context of 832	1144	Sitat.exe	Sitat.exe

pid	process
456	schtasks.exe

pid	process
1144	Sitat.exe
1144	Sitat.exe
1144	Sitat.exe
832	Sitat.exe
832	Sitat.exe

description	pid	process
Token: SeDebugPrivilege	1144	Sitat.exe
Token: SeDebugPrivilege	832	Sitat.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

Sitat.exe

description	pid	process	target process
PID 1144 wrote to memory of 456	1144	Sitat.exe	schtasks.exe
PID 1144 wrote to memory of 456	1144	Sitat.exe	schtasks.exe
PID 1144 wrote to memory of 456	1144	Sitat.exe	schtasks.exe
PID 1144 wrote to memory of 832	1144	Sitat.exe	Sitat.exe
PID 1144 wrote to memory of 832	1144	Sitat.exe	Sitat.exe
PID 1144 wrote to memory of 832	1144	Sitat.exe	Sitat.exe
PID 1144 wrote to memory of 832	1144	Sitat.exe	Sitat.exe
PID 1144 wrote to memory of 832	1144	Sitat.exe	Sitat.exe
PID 1144 wrote to memory of 832	1144	Sitat.exe	Sitat.exe
PID 1144 wrote to memory of 832	1144	Sitat.exe	Sitat.exe
PID 1144 wrote to memory of 832	1144	Sitat.exe	Sitat.exe

C:\Users\Admin\AppData\Local\Temp\Sitat.exe
"C:\Users\Admin\AppData\Local\Temp\Sitat.exe"
1⤵
- Checks BIOS information in registry
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1144

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZCkPQU" /XML "C:\Users\Admin\AppData\Local\Temp\tmp42F5.tmp"
2⤵
- Creates scheduled task(s)
PID:456

C:\Users\Admin\AppData\Local\Temp\Sitat.exe
"C:\Users\Admin\AppData\Local\Temp\Sitat.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:832

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

4

T1012

Virtualization/Sandbox Evasion

2

T1497

System Information Discovery

2

T1082

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Data from Local System

2

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Sitat.exe.log
MD5
4f5d9479f7bd34251f6d92177da0cecc

SHA1
cf3910737ea0b68725c9e6b2cddff1291cbb78bb

SHA256
888968fc74abeca0f1591bdff4bab967d01d8784e071cc6cd72fc63b25bfdb7f

SHA512
bb0727b7a1073611698a12cb6dc308591ca0e211c6241b4014bacc27e3acf2423e30e7b9e2732a4347fd1f3fc6290e7b6725c9f8bd589987914d90981f6b318d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp42F5.tmp
MD5
136d0098ea9b244b3a346073e84feba9

SHA1
6bb938371505ed17ba1fe8def13f0c785d18aaa5

SHA256
081a4ca610eced611c1aaae760ece1c84b1744682887bf7331bc2aebfe2d7a04

SHA512
ad861c5d1780e5103dcdbce03cb234e3cd181866f69130cb8dc9eb06b424db6ee71a674eb686419723de3f1af9caa54fdddad2b00c976f9dab47bd947970416b

Download Submit
memory/456-13-0x0000000000000000-mapping.dmp

Download
memory/832-23-0x0000000005800000-0x0000000005801000-memory.dmp

Filesize
4KB

Download
memory/832-18-0x0000000073CB0000-0x000000007439E000-memory.dmp

Filesize
6.9MB

Download
memory/832-16-0x0000000000436DEE-mapping.dmp

Download
memory/832-15-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1144-5-0x0000000005610000-0x0000000005611000-memory.dmp

Filesize
4KB

Download
memory/1144-9-0x0000000006300000-0x000000000636D000-memory.dmp

Filesize
436KB

Download
memory/1144-10-0x0000000006130000-0x0000000006136000-memory.dmp

Filesize
24KB

Download
memory/1144-11-0x0000000006370000-0x00000000063A8000-memory.dmp

Filesize
224KB

Download
memory/1144-12-0x0000000006450000-0x0000000006451000-memory.dmp

Filesize
4KB

Download
memory/1144-8-0x0000000002E40000-0x0000000002E54000-memory.dmp

Filesize
80KB

Download
memory/1144-7-0x0000000005770000-0x0000000005771000-memory.dmp

Filesize
4KB

Download
memory/1144-6-0x0000000002E10000-0x0000000002E11000-memory.dmp

Filesize
4KB

Download
memory/1144-0-0x0000000073CB0000-0x000000007439E000-memory.dmp

Filesize
6.9MB

Download
memory/1144-4-0x0000000005A70000-0x0000000005A71000-memory.dmp

Filesize
4KB

Download
memory/1144-3-0x00000000054D0000-0x00000000054D1000-memory.dmp

Filesize
4KB

Download
memory/1144-1-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads