bitrat | af05a9b5f7ed6483d7f10ea0e521e0a15fd90d224ca04a9665991ab630a54991 | Triage

Analysis

max time kernel
149s
max time network
141s
platform
windows7_x64
resource
win7v20201028
submitted
05-03-2021 10:10

Sharing

Report Analysis Logs

General

Target

af05a9b5f7ed6483d7f10ea0e521e0a15fd90d224ca04a9665991ab630a54991.exe
Size

3.2MB
MD5

d1a586b0b894c54dd7b075e5a9bbae85
SHA1

c77b27b7cc3bc69b867fb2527d8226030665074f
SHA256

af05a9b5f7ed6483d7f10ea0e521e0a15fd90d224ca04a9665991ab630a54991
SHA512

0adc5cf09b3d4dc0228d6dfdd46bef1b54cde2f5d533d86ba07c5970ef69e5296bf44b24daff34682a75f47e56d79da13e6927b0c220de64ef6ba4c2d71440c1

Score

10^/10

bitrat trojan

Malware Config

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat

BitRAT Payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1360-11-0x0000000000400000-0x00000000007CD000-memory.dmp	family_bitrat

Drops startup file 1 IoCs

Processes:

DllHost.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\igfxME.exe DllHost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

Processes:

af05a9b5f7ed6483d7f10ea0e521e0a15fd90d224ca04a9665991ab630a54991.exe

pid	process
1360	af05a9b5f7ed6483d7f10ea0e521e0a15fd90d224ca04a9665991ab630a54991.exe
1360	af05a9b5f7ed6483d7f10ea0e521e0a15fd90d224ca04a9665991ab630a54991.exe
1360	af05a9b5f7ed6483d7f10ea0e521e0a15fd90d224ca04a9665991ab630a54991.exe
1360	af05a9b5f7ed6483d7f10ea0e521e0a15fd90d224ca04a9665991ab630a54991.exe
1360	af05a9b5f7ed6483d7f10ea0e521e0a15fd90d224ca04a9665991ab630a54991.exe
1360	af05a9b5f7ed6483d7f10ea0e521e0a15fd90d224ca04a9665991ab630a54991.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 21 IoCs

Processes:

af05a9b5f7ed6483d7f10ea0e521e0a15fd90d224ca04a9665991ab630a54991.exe

pid	process
1724	af05a9b5f7ed6483d7f10ea0e521e0a15fd90d224ca04a9665991ab630a54991.exe
1724	af05a9b5f7ed6483d7f10ea0e521e0a15fd90d224ca04a9665991ab630a54991.exe
1724	af05a9b5f7ed6483d7f10ea0e521e0a15fd90d224ca04a9665991ab630a54991.exe
1724	af05a9b5f7ed6483d7f10ea0e521e0a15fd90d224ca04a9665991ab630a54991.exe
1724	af05a9b5f7ed6483d7f10ea0e521e0a15fd90d224ca04a9665991ab630a54991.exe
1724	af05a9b5f7ed6483d7f10ea0e521e0a15fd90d224ca04a9665991ab630a54991.exe
1724	af05a9b5f7ed6483d7f10ea0e521e0a15fd90d224ca04a9665991ab630a54991.exe
1724	af05a9b5f7ed6483d7f10ea0e521e0a15fd90d224ca04a9665991ab630a54991.exe
1724	af05a9b5f7ed6483d7f10ea0e521e0a15fd90d224ca04a9665991ab630a54991.exe
1724	af05a9b5f7ed6483d7f10ea0e521e0a15fd90d224ca04a9665991ab630a54991.exe
1724	af05a9b5f7ed6483d7f10ea0e521e0a15fd90d224ca04a9665991ab630a54991.exe
1724	af05a9b5f7ed6483d7f10ea0e521e0a15fd90d224ca04a9665991ab630a54991.exe
1724	af05a9b5f7ed6483d7f10ea0e521e0a15fd90d224ca04a9665991ab630a54991.exe
1724	af05a9b5f7ed6483d7f10ea0e521e0a15fd90d224ca04a9665991ab630a54991.exe
1724	af05a9b5f7ed6483d7f10ea0e521e0a15fd90d224ca04a9665991ab630a54991.exe
1724	af05a9b5f7ed6483d7f10ea0e521e0a15fd90d224ca04a9665991ab630a54991.exe
1724	af05a9b5f7ed6483d7f10ea0e521e0a15fd90d224ca04a9665991ab630a54991.exe
1724	af05a9b5f7ed6483d7f10ea0e521e0a15fd90d224ca04a9665991ab630a54991.exe
1724	af05a9b5f7ed6483d7f10ea0e521e0a15fd90d224ca04a9665991ab630a54991.exe
1724	af05a9b5f7ed6483d7f10ea0e521e0a15fd90d224ca04a9665991ab630a54991.exe
1724	af05a9b5f7ed6483d7f10ea0e521e0a15fd90d224ca04a9665991ab630a54991.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

af05a9b5f7ed6483d7f10ea0e521e0a15fd90d224ca04a9665991ab630a54991.exe

description	pid	process
Token: SeDebugPrivilege	1360	af05a9b5f7ed6483d7f10ea0e521e0a15fd90d224ca04a9665991ab630a54991.exe
Token: SeShutdownPrivilege	1360	af05a9b5f7ed6483d7f10ea0e521e0a15fd90d224ca04a9665991ab630a54991.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

af05a9b5f7ed6483d7f10ea0e521e0a15fd90d224ca04a9665991ab630a54991.exe

pid	process
1360	af05a9b5f7ed6483d7f10ea0e521e0a15fd90d224ca04a9665991ab630a54991.exe
1360	af05a9b5f7ed6483d7f10ea0e521e0a15fd90d224ca04a9665991ab630a54991.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

af05a9b5f7ed6483d7f10ea0e521e0a15fd90d224ca04a9665991ab630a54991.exe

description	pid	process	target process
PID 1724 wrote to memory of 1360	1724	af05a9b5f7ed6483d7f10ea0e521e0a15fd90d224ca04a9665991ab630a54991.exe	af05a9b5f7ed6483d7f10ea0e521e0a15fd90d224ca04a9665991ab630a54991.exe
PID 1724 wrote to memory of 1360	1724	af05a9b5f7ed6483d7f10ea0e521e0a15fd90d224ca04a9665991ab630a54991.exe	af05a9b5f7ed6483d7f10ea0e521e0a15fd90d224ca04a9665991ab630a54991.exe
PID 1724 wrote to memory of 1360	1724	af05a9b5f7ed6483d7f10ea0e521e0a15fd90d224ca04a9665991ab630a54991.exe	af05a9b5f7ed6483d7f10ea0e521e0a15fd90d224ca04a9665991ab630a54991.exe
PID 1724 wrote to memory of 1360	1724	af05a9b5f7ed6483d7f10ea0e521e0a15fd90d224ca04a9665991ab630a54991.exe	af05a9b5f7ed6483d7f10ea0e521e0a15fd90d224ca04a9665991ab630a54991.exe
PID 1724 wrote to memory of 1360	1724	af05a9b5f7ed6483d7f10ea0e521e0a15fd90d224ca04a9665991ab630a54991.exe	af05a9b5f7ed6483d7f10ea0e521e0a15fd90d224ca04a9665991ab630a54991.exe
PID 1724 wrote to memory of 1360	1724	af05a9b5f7ed6483d7f10ea0e521e0a15fd90d224ca04a9665991ab630a54991.exe	af05a9b5f7ed6483d7f10ea0e521e0a15fd90d224ca04a9665991ab630a54991.exe
PID 1724 wrote to memory of 1360	1724	af05a9b5f7ed6483d7f10ea0e521e0a15fd90d224ca04a9665991ab630a54991.exe	af05a9b5f7ed6483d7f10ea0e521e0a15fd90d224ca04a9665991ab630a54991.exe
PID 1724 wrote to memory of 1360	1724	af05a9b5f7ed6483d7f10ea0e521e0a15fd90d224ca04a9665991ab630a54991.exe	af05a9b5f7ed6483d7f10ea0e521e0a15fd90d224ca04a9665991ab630a54991.exe
PID 1724 wrote to memory of 1360	1724	af05a9b5f7ed6483d7f10ea0e521e0a15fd90d224ca04a9665991ab630a54991.exe	af05a9b5f7ed6483d7f10ea0e521e0a15fd90d224ca04a9665991ab630a54991.exe
PID 1724 wrote to memory of 1360	1724	af05a9b5f7ed6483d7f10ea0e521e0a15fd90d224ca04a9665991ab630a54991.exe	af05a9b5f7ed6483d7f10ea0e521e0a15fd90d224ca04a9665991ab630a54991.exe
PID 1724 wrote to memory of 1360	1724	af05a9b5f7ed6483d7f10ea0e521e0a15fd90d224ca04a9665991ab630a54991.exe	af05a9b5f7ed6483d7f10ea0e521e0a15fd90d224ca04a9665991ab630a54991.exe
PID 1724 wrote to memory of 1360	1724	af05a9b5f7ed6483d7f10ea0e521e0a15fd90d224ca04a9665991ab630a54991.exe	af05a9b5f7ed6483d7f10ea0e521e0a15fd90d224ca04a9665991ab630a54991.exe
PID 1724 wrote to memory of 1360	1724	af05a9b5f7ed6483d7f10ea0e521e0a15fd90d224ca04a9665991ab630a54991.exe	af05a9b5f7ed6483d7f10ea0e521e0a15fd90d224ca04a9665991ab630a54991.exe
PID 1724 wrote to memory of 1360	1724	af05a9b5f7ed6483d7f10ea0e521e0a15fd90d224ca04a9665991ab630a54991.exe	af05a9b5f7ed6483d7f10ea0e521e0a15fd90d224ca04a9665991ab630a54991.exe

C:\Users\Admin\AppData\Local\Temp\af05a9b5f7ed6483d7f10ea0e521e0a15fd90d224ca04a9665991ab630a54991.exe
"C:\Users\Admin\AppData\Local\Temp\af05a9b5f7ed6483d7f10ea0e521e0a15fd90d224ca04a9665991ab630a54991.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1724

C:\Users\Admin\AppData\Local\Temp\af05a9b5f7ed6483d7f10ea0e521e0a15fd90d224ca04a9665991ab630a54991.exe
"C:\Users\Admin\AppData\Local\Temp\af05a9b5f7ed6483d7f10ea0e521e0a15fd90d224ca04a9665991ab630a54991.exe"
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1360

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}
1⤵
- Drops startup file
PID:1108

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1360-5-0x0000000000000000-mapping.dmp

Download
memory/1360-10-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1360-11-0x0000000000400000-0x00000000007CD000-memory.dmp

Filesize
3.8MB

Download
memory/1360-12-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/1360-14-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/1360-13-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/1360-15-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/1360-17-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/1724-2-0x00000000761E1000-0x00000000761E3000-memory.dmp

Filesize
8KB

Download
memory/1724-3-0x0000000001FC0000-0x000000000203B000-memory.dmp

Filesize
492KB

Download
memory/1724-9-0x0000000002040000-0x00000000021C0000-memory.dmp

Filesize
1.5MB

Download