bitrat | 368e9e3d450bae08f20e5ab0937dcd47a03835daabe900ddf87c746fb99a50fb

General

Target

comparendopicoycedula365215999runtcomco.exe
Size

2.3MB
MD5

44bc0732e9c6deb1f912ddbd055efac3
SHA1

99f1c521d68f068c735c842504f01f5678ddb157
SHA256

368e9e3d450bae08f20e5ab0937dcd47a03835daabe900ddf87c746fb99a50fb
SHA512

a4a7077d06b2c1059c48abb2ea9ce1c669214e4621e3bf9cfc35b67a4411a22d60d4019588c47e0b9a2b3d2d5e06a427417598cd5183a9a8be0bb33a227d7d2a

Score

10^/10

bitrat persistence trojan upx

Malware Config

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat

BitRAT Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1940-126-0x00000000007E23C0-mapping.dmp	family_bitrat

Executes dropped EXE 3 IoCs

Processes:

0TEyr8Qv5FOTXx2l.exeantimalawareserviceexecutablee.exeantimalawareserviceexecutablee.exe

pid process

2288 0TEyr8Qv5FOTXx2l.exe
2792 antimalawareserviceexecutablee.exe
1912 antimalawareserviceexecutablee.exe

pid	process
2288	0TEyr8Qv5FOTXx2l.exe
2792	antimalawareserviceexecutablee.exe
1912	antimalawareserviceexecutablee.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1940-125-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/1940-127-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/2792-140-0x0000000000400000-0x00000000008DC000-memory.dmp	upx
behavioral2/memory/2792-143-0x0000000000400000-0x00000000008DC000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

comparendopicoycedula365215999runtcomco.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\antimalawareserviceexecutablee = "C:\\Users\\Admin\\AppData\\Local\\windowsdefenderlogsini\\antimalawareserviceexecutablee.exe팀"	comparendopicoycedula365215999runtcomco.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\antimalawareserviceexecutablee = "C:\\Users\\Admin\\AppData\\Local\\windowsdefenderlogsini\\antimalawareserviceexecutablee.exe"	comparendopicoycedula365215999runtcomco.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

Processes:

comparendopicoycedula365215999runtcomco.exe

pid	process
1940	comparendopicoycedula365215999runtcomco.exe
1940	comparendopicoycedula365215999runtcomco.exe
1940	comparendopicoycedula365215999runtcomco.exe
1940	comparendopicoycedula365215999runtcomco.exe
1940	comparendopicoycedula365215999runtcomco.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

comparendopicoycedula365215999runtcomco.execomparendopicoycedula365215999runtcomco.exe

description	pid	process	target process
PID 3540 set thread context of 1940	3540	comparendopicoycedula365215999runtcomco.exe	comparendopicoycedula365215999runtcomco.exe
PID 1940 set thread context of 2792	1940	comparendopicoycedula365215999runtcomco.exe	antimalawareserviceexecutablee.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

comparendopicoycedula365215999runtcomco.exe

pid	process
3540	comparendopicoycedula365215999runtcomco.exe
3540	comparendopicoycedula365215999runtcomco.exe
3540	comparendopicoycedula365215999runtcomco.exe

Suspicious behavior: RenamesItself 8 IoCs

Processes:

comparendopicoycedula365215999runtcomco.exe

pid	process
1940	comparendopicoycedula365215999runtcomco.exe
1940	comparendopicoycedula365215999runtcomco.exe
1940	comparendopicoycedula365215999runtcomco.exe
1940	comparendopicoycedula365215999runtcomco.exe
1940	comparendopicoycedula365215999runtcomco.exe
1940	comparendopicoycedula365215999runtcomco.exe
1940	comparendopicoycedula365215999runtcomco.exe
1940	comparendopicoycedula365215999runtcomco.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

comparendopicoycedula365215999runtcomco.execomparendopicoycedula365215999runtcomco.exe

description	pid	process
Token: SeDebugPrivilege	3540	comparendopicoycedula365215999runtcomco.exe
Token: SeShutdownPrivilege	1940	comparendopicoycedula365215999runtcomco.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

comparendopicoycedula365215999runtcomco.exe

pid process

1940 comparendopicoycedula365215999runtcomco.exe
1940 comparendopicoycedula365215999runtcomco.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

comparendopicoycedula365215999runtcomco.execomparendopicoycedula365215999runtcomco.exeantimalawareserviceexecutablee.exe

description	pid	process	target process
PID 3540 wrote to memory of 1940	3540	comparendopicoycedula365215999runtcomco.exe	comparendopicoycedula365215999runtcomco.exe
PID 3540 wrote to memory of 1940	3540	comparendopicoycedula365215999runtcomco.exe	comparendopicoycedula365215999runtcomco.exe
PID 3540 wrote to memory of 1940	3540	comparendopicoycedula365215999runtcomco.exe	comparendopicoycedula365215999runtcomco.exe
PID 3540 wrote to memory of 1940	3540	comparendopicoycedula365215999runtcomco.exe	comparendopicoycedula365215999runtcomco.exe
PID 3540 wrote to memory of 1940	3540	comparendopicoycedula365215999runtcomco.exe	comparendopicoycedula365215999runtcomco.exe
PID 3540 wrote to memory of 1940	3540	comparendopicoycedula365215999runtcomco.exe	comparendopicoycedula365215999runtcomco.exe
PID 3540 wrote to memory of 1940	3540	comparendopicoycedula365215999runtcomco.exe	comparendopicoycedula365215999runtcomco.exe
PID 1940 wrote to memory of 2288	1940	comparendopicoycedula365215999runtcomco.exe	0TEyr8Qv5FOTXx2l.exe
PID 1940 wrote to memory of 2288	1940	comparendopicoycedula365215999runtcomco.exe	0TEyr8Qv5FOTXx2l.exe
PID 1940 wrote to memory of 2288	1940	comparendopicoycedula365215999runtcomco.exe	0TEyr8Qv5FOTXx2l.exe
PID 1940 wrote to memory of 2792	1940	comparendopicoycedula365215999runtcomco.exe	antimalawareserviceexecutablee.exe
PID 1940 wrote to memory of 2792	1940	comparendopicoycedula365215999runtcomco.exe	antimalawareserviceexecutablee.exe
PID 1940 wrote to memory of 2792	1940	comparendopicoycedula365215999runtcomco.exe	antimalawareserviceexecutablee.exe
PID 1940 wrote to memory of 2792	1940	comparendopicoycedula365215999runtcomco.exe	antimalawareserviceexecutablee.exe
PID 1940 wrote to memory of 2792	1940	comparendopicoycedula365215999runtcomco.exe	antimalawareserviceexecutablee.exe
PID 1940 wrote to memory of 2792	1940	comparendopicoycedula365215999runtcomco.exe	antimalawareserviceexecutablee.exe
PID 1940 wrote to memory of 2792	1940	comparendopicoycedula365215999runtcomco.exe	antimalawareserviceexecutablee.exe
PID 1940 wrote to memory of 2792	1940	comparendopicoycedula365215999runtcomco.exe	antimalawareserviceexecutablee.exe
PID 2792 wrote to memory of 1912	2792	antimalawareserviceexecutablee.exe	antimalawareserviceexecutablee.exe
PID 2792 wrote to memory of 1912	2792	antimalawareserviceexecutablee.exe	antimalawareserviceexecutablee.exe
PID 2792 wrote to memory of 1912	2792	antimalawareserviceexecutablee.exe	antimalawareserviceexecutablee.exe

C:\Users\Admin\AppData\Local\Temp\comparendopicoycedula365215999runtcomco.exe
"C:\Users\Admin\AppData\Local\Temp\comparendopicoycedula365215999runtcomco.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3540

C:\Users\Admin\AppData\Local\Temp\comparendopicoycedula365215999runtcomco.exe
"C:\Users\Admin\AppData\Local\Temp\comparendopicoycedula365215999runtcomco.exe"
2⤵
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1940

C:\Users\Admin\AppData\Local\Temp\0TEyr8Qv5FOTXx2l.exe
"C:\Users\Admin\AppData\Local\Temp\0TEyr8Qv5FOTXx2l.exe"
3⤵
- Executes dropped EXE
PID:2288

C:\Users\Admin\AppData\Local\windowsdefenderlogsini\antimalawareserviceexecutablee.exe
-a "C:\Users\Admin\AppData\Local\cf00793c\plg\45Ca2nPg.json"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2792

C:\Users\Admin\AppData\Local\windowsdefenderlogsini\antimalawareserviceexecutablee.exe
-a "C:\Users\Admin\AppData\Local\Temp\unk.xml"
4⤵
- Executes dropped EXE
PID:1912

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0TEyr8Qv5FOTXx2l.exe
MD5
f7c885d6f42ff01b7342c40a2a7395d1

SHA1
bc377c87cb73ebf6c74bd70006adcbf76f160610

SHA256
b01390a550c3528a01ea4c6708d395226e4f4d3693c2dd5d304c6a83e6b6013e

SHA512
d3cf3e5229d92d34873c8600a55c5541563e47621166414e0a1e9474601daad0e57db2d9623020f51cc57ad9f3bdbc1bd389a9e7e3ecb3541dcec594448cf8ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\0TEyr8Qv5FOTXx2l.exe
MD5
f7c885d6f42ff01b7342c40a2a7395d1

SHA1
bc377c87cb73ebf6c74bd70006adcbf76f160610

SHA256
b01390a550c3528a01ea4c6708d395226e4f4d3693c2dd5d304c6a83e6b6013e

SHA512
d3cf3e5229d92d34873c8600a55c5541563e47621166414e0a1e9474601daad0e57db2d9623020f51cc57ad9f3bdbc1bd389a9e7e3ecb3541dcec594448cf8ec

Download Submit
C:\Users\Admin\AppData\Local\cf00793c\plg\45Ca2nPg.json
MD5
cfcd208495d565ef66e7dff9f98764da

SHA1
b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

SHA256
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

SHA512
31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Download Submit
C:\Users\Admin\AppData\Local\windowsdefenderlogsini\antimalawareserviceexecutablee.exe
MD5
44bc0732e9c6deb1f912ddbd055efac3

SHA1
99f1c521d68f068c735c842504f01f5678ddb157

SHA256
368e9e3d450bae08f20e5ab0937dcd47a03835daabe900ddf87c746fb99a50fb

SHA512
a4a7077d06b2c1059c48abb2ea9ce1c669214e4621e3bf9cfc35b67a4411a22d60d4019588c47e0b9a2b3d2d5e06a427417598cd5183a9a8be0bb33a227d7d2a

Download Submit
C:\Users\Admin\AppData\Local\windowsdefenderlogsini\antimalawareserviceexecutablee.exe
MD5
44bc0732e9c6deb1f912ddbd055efac3

SHA1
99f1c521d68f068c735c842504f01f5678ddb157

SHA256
368e9e3d450bae08f20e5ab0937dcd47a03835daabe900ddf87c746fb99a50fb

SHA512
a4a7077d06b2c1059c48abb2ea9ce1c669214e4621e3bf9cfc35b67a4411a22d60d4019588c47e0b9a2b3d2d5e06a427417598cd5183a9a8be0bb33a227d7d2a

Download Submit
memory/1940-126-0x00000000007E23C0-mapping.dmp

Download
memory/1940-127-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1940-125-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2288-139-0x0000000005470000-0x000000000550C000-memory.dmp

Filesize
624KB

Download
memory/2288-131-0x0000000000C50000-0x0000000000C51000-memory.dmp

Filesize
4KB

Download
memory/2288-128-0x0000000000000000-mapping.dmp

Download
memory/2792-140-0x0000000000400000-0x00000000008DC000-memory.dmp

Filesize
4.9MB

Download
memory/2792-141-0x00000000008D9FE0-mapping.dmp

Download
memory/2792-143-0x0000000000400000-0x00000000008DC000-memory.dmp

Filesize
4.9MB

Download
memory/3540-124-0x000000000B810000-0x000000000B999000-memory.dmp

Filesize
1.5MB

Download
memory/3540-123-0x0000000008130000-0x0000000008306000-memory.dmp

Filesize
1.8MB

Download
memory/3540-122-0x00000000075A0000-0x00000000075A9000-memory.dmp

Filesize
36KB

Download
memory/3540-121-0x0000000005A00000-0x0000000005A01000-memory.dmp

Filesize
4KB

Download
memory/3540-120-0x0000000005CB0000-0x0000000005CB1000-memory.dmp

Filesize
4KB

Download
memory/3540-119-0x00000000059C0000-0x00000000059C1000-memory.dmp

Filesize
4KB

Download
memory/3540-114-0x0000000000F60000-0x0000000000F61000-memory.dmp

Filesize
4KB

Download
memory/3540-118-0x0000000005AF0000-0x0000000005AF1000-memory.dmp

Filesize
4KB

Download
memory/3540-117-0x0000000005FF0000-0x0000000005FF1000-memory.dmp

Filesize
4KB

Download
memory/3540-116-0x0000000005A50000-0x0000000005A51000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads