Analysis
- max time kernel: 144s
- max time network: 102s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 25-11-2020 16:00
- Static task: static1
- Behavioral task: behavioral1
- Sample: Sitat.exe
- Resource: win7v20201028
General
- Target: Sitat.exe
- Size: 1.1MB
- MD5: 442486bfd653a5fe61b776351df520da
- SHA1: 0c437994ff65a85e86c052badb4ddc097cfec1d4
- SHA256: 8bfe228dbd446c4a9f65d93725c39404c6b2a5d6795aa2fcb60b1d04de21f81b
- SHA512: 7ae8f4c5fcbf7cd0fab81891350cf4f62586985f8dbe24d25281ceb6e11c6faca001aab3d0dbb97e2dd464e68dbe8ed04b69b63ae6db16a55e7b9334f213b43f
Malware Config
Signatures
- Looks for VirtualBox Guest Additions in registry (2 TTPs)
- Looks for VMWare Tools registry key (2 TTPs)
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes: Sitat.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Sitat.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | Sitat.exe
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Maps connected drives based on registry (3 TTPs, 2 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  Processes: Sitat.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | Sitat.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0 | Sitat.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes: Sitat.exe
  description | pid | process | target process
  PID 1144 set thread context of 832 | 1144 | Sitat.exe | Sitat.exe
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes: Sitat.exe, Sitat.exe
  pid | process
  1144 | Sitat.exe
  1144 | Sitat.exe
  1144 | Sitat.exe
  832 | Sitat.exe
  832 | Sitat.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: Sitat.exe, Sitat.exe
  description | pid | process
  Token: SeDebugPrivilege | 1144 | Sitat.exe
  Token: SeDebugPrivilege | 832 | Sitat.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes: Sitat.exe
  description | pid | process | target process
  PID 1144 wrote to memory of 456 | 1144 | Sitat.exe | schtasks.exe
  PID 1144 wrote to memory of 456 | 1144 | Sitat.exe | schtasks.exe
  PID 1144 wrote to memory of 456 | 1144 | Sitat.exe | schtasks.exe
  PID 1144 wrote to memory of 832 | 1144 | Sitat.exe | Sitat.exe
  PID 1144 wrote to memory of 832 | 1144 | Sitat.exe | Sitat.exe
  PID 1144 wrote to memory of 832 | 1144 | Sitat.exe | Sitat.exe
  PID 1144 wrote to memory of 832 | 1144 | Sitat.exe | Sitat.exe
  PID 1144 wrote to memory of 832 | 1144 | Sitat.exe | Sitat.exe
  PID 1144 wrote to memory of 832 | 1144 | Sitat.exe | Sitat.exe
  PID 1144 wrote to memory of 832 | 1144 | Sitat.exe | Sitat.exe
  PID 1144 wrote to memory of 832 | 1144 | Sitat.exe | Sitat.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\Sitat.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Sitat.exe"
  - Checks BIOS information in registry
  - Maps connected drives based on registry
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe (level 2)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZCkPQU" /XML "C:\Users\Admin\AppData\Local\Temp\tmp42F5.tmp"
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\Sitat.exe (level 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Sitat.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Sitat.exe.log
  MD5: 4f5d9479f7bd34251f6d92177da0cecc
  SHA1: cf3910737ea0b68725c9e6b2cddff1291cbb78bb
  SHA256: 888968fc74abeca0f1591bdff4bab967d01d8784e071cc6cd72fc63b25bfdb7f
  SHA512: bb0727b7a1073611698a12cb6dc308591ca0e211c6241b4014bacc27e3acf2423e30e7b9e2732a4347fd1f3fc6290e7b6725c9f8bd589987914d90981f6b318d
- C:\Users\Admin\AppData\Local\Temp\tmp42F5.tmp
  MD5: 136d0098ea9b244b3a346073e84feba9
  SHA1: 6bb938371505ed17ba1fe8def13f0c785d18aaa5
  SHA256: 081a4ca610eced611c1aaae760ece1c84b1744682887bf7331bc2aebfe2d7a04
  SHA512: ad861c5d1780e5103dcdbce03cb234e3cd181866f69130cb8dc9eb06b424db6ee71a674eb686419723de3f1af9caa54fdddad2b00c976f9dab47bd947970416b
- memory/456-13-0x0000000000000000-mapping.dmp
- memory/832-23-0x0000000005800000-0x0000000005801000-memory.dmp (Filesize: 4KB)
- memory/832-18-0x0000000073CB0000-0x000000007439E000-memory.dmp (Filesize: 6.9MB)
- memory/832-16-0x0000000000436DEE-mapping.dmp
- memory/832-15-0x0000000000400000-0x000000000043C000-memory.dmp (Filesize: 240KB)
- memory/1144-5-0x0000000005610000-0x0000000005611000-memory.dmp (Filesize: 4KB)
- memory/1144-9-0x0000000006300000-0x000000000636D000-memory.dmp (Filesize: 436KB)
- memory/1144-10-0x0000000006130000-0x0000000006136000-memory.dmp (Filesize: 24KB)
- memory/1144-11-0x0000000006370000-0x00000000063A8000-memory.dmp (Filesize: 224KB)
- memory/1144-12-0x0000000006450000-0x0000000006451000-memory.dmp (Filesize: 4KB)
- memory/1144-8-0x0000000002E40000-0x0000000002E54000-memory.dmp (Filesize: 80KB)
- memory/1144-7-0x0000000005770000-0x0000000005771000-memory.dmp (Filesize: 4KB)
- memory/1144-6-0x0000000002E10000-0x0000000002E11000-memory.dmp (Filesize: 4KB)
- memory/1144-0-0x0000000073CB0000-0x000000007439E000-memory.dmp (Filesize: 6.9MB)
- memory/1144-4-0x0000000005A70000-0x0000000005A71000-memory.dmp (Filesize: 4KB)
- memory/1144-3-0x00000000054D0000-0x00000000054D1000-memory.dmp (Filesize: 4KB)
- memory/1144-1-0x00000000007A0000-0x00000000007A1000-memory.dmp (Filesize: 4KB)