Analysis
- max time kernel: 148s
- max time network: 149s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 20-04-2021 18:22
Static task: static1
Behavioral task: behavioral1
  Sample: comparendopicoycedula365215999runtcomco.exe
  Resource: win7v20210408
Behavioral task: behavioral2
  Sample: comparendopicoycedula365215999runtcomco.exe
  Resource: win10v20210410
General
- Target: comparendopicoycedula365215999runtcomco.exe
- Size: 2.3MB
- MD5: 44bc0732e9c6deb1f912ddbd055efac3
- SHA1: 99f1c521d68f068c735c842504f01f5678ddb157
- SHA256: 368e9e3d450bae08f20e5ab0937dcd47a03835daabe900ddf87c746fb99a50fb
- SHA512: a4a7077d06b2c1059c48abb2ea9ce1c669214e4621e3bf9cfc35b67a4411a22d60d4019588c47e0b9a2b3d2d5e06a427417598cd5183a9a8be0bb33a227d7d2a
Malware Config
Signatures
- BitRAT Payload (1 IoC)
  Processes:
  resource                                                     yara_rule
  behavioral2/memory/1940-126-0x00000000007E23C0-mapping.dmp   family_bitrat
- Executes dropped EXE (3 IoCs)
  Processes:
  pid   process
  2288  0TEyr8Qv5FOTXx2l.exe
  2792  antimalawareserviceexecutablee.exe
  1912  antimalawareserviceexecutablee.exe
- Processes:
  resource                                                                       yara_rule
  behavioral2/memory/1940-125-0x0000000000400000-0x00000000007E4000-memory.dmp   upx
  behavioral2/memory/1940-127-0x0000000000400000-0x00000000007E4000-memory.dmp   upx
  behavioral2/memory/2792-140-0x0000000000400000-0x00000000008DC000-memory.dmp   upx
  behavioral2/memory/2792-143-0x0000000000400000-0x00000000008DC000-memory.dmp   upx
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
  description: Set value (str)
    ioc: \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\antimalawareserviceexecutablee = "C:\\Users\\Admin\\AppData\\Local\\windowsdefenderlogsini\\antimalawareserviceexecutablee.exe팀"
    process: comparendopicoycedula365215999runtcomco.exe
  description: Set value (str)
    ioc: \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\antimalawareserviceexecutablee = "C:\\Users\\Admin\\AppData\\Local\\windowsdefenderlogsini\\antimalawareserviceexecutablee.exe"
    process: comparendopicoycedula365215999runtcomco.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (5 IoCs)
  Processes:
  pid   process
  1940  comparendopicoycedula365215999runtcomco.exe
  1940  comparendopicoycedula365215999runtcomco.exe
  1940  comparendopicoycedula365215999runtcomco.exe
  1940  comparendopicoycedula365215999runtcomco.exe
  1940  comparendopicoycedula365215999runtcomco.exe
- Suspicious use of SetThreadContext (2 IoCs)
  Processes:
  description                          pid   process                                      target process
  PID 3540 set thread context of 1940  3540  comparendopicoycedula365215999runtcomco.exe  comparendopicoycedula365215999runtcomco.exe
  PID 1940 set thread context of 2792  1940  comparendopicoycedula365215999runtcomco.exe  antimalawareserviceexecutablee.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes:
  pid   process
  3540  comparendopicoycedula365215999runtcomco.exe
  3540  comparendopicoycedula365215999runtcomco.exe
  3540  comparendopicoycedula365215999runtcomco.exe
- Suspicious behavior: RenamesItself (8 IoCs)
  Processes:
  pid   process
  1940  comparendopicoycedula365215999runtcomco.exe
  1940  comparendopicoycedula365215999runtcomco.exe
  1940  comparendopicoycedula365215999runtcomco.exe
  1940  comparendopicoycedula365215999runtcomco.exe
  1940  comparendopicoycedula365215999runtcomco.exe
  1940  comparendopicoycedula365215999runtcomco.exe
  1940  comparendopicoycedula365215999runtcomco.exe
  1940  comparendopicoycedula365215999runtcomco.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
  description                 pid   process
  Token: SeDebugPrivilege     3540  comparendopicoycedula365215999runtcomco.exe
  Token: SeShutdownPrivilege  1940  comparendopicoycedula365215999runtcomco.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes:
  pid   process
  1940  comparendopicoycedula365215999runtcomco.exe
  1940  comparendopicoycedula365215999runtcomco.exe
- Suspicious use of WriteProcessMemory (21 IoCs)
  Processes:
  description                       pid   process                                      target process
  PID 3540 wrote to memory of 1940  3540  comparendopicoycedula365215999runtcomco.exe  comparendopicoycedula365215999runtcomco.exe
  PID 3540 wrote to memory of 1940  3540  comparendopicoycedula365215999runtcomco.exe  comparendopicoycedula365215999runtcomco.exe
  PID 3540 wrote to memory of 1940  3540  comparendopicoycedula365215999runtcomco.exe  comparendopicoycedula365215999runtcomco.exe
  PID 3540 wrote to memory of 1940  3540  comparendopicoycedula365215999runtcomco.exe  comparendopicoycedula365215999runtcomco.exe
  PID 3540 wrote to memory of 1940  3540  comparendopicoycedula365215999runtcomco.exe  comparendopicoycedula365215999runtcomco.exe
  PID 3540 wrote to memory of 1940  3540  comparendopicoycedula365215999runtcomco.exe  comparendopicoycedula365215999runtcomco.exe
  PID 3540 wrote to memory of 1940  3540  comparendopicoycedula365215999runtcomco.exe  comparendopicoycedula365215999runtcomco.exe
  PID 1940 wrote to memory of 2288  1940  comparendopicoycedula365215999runtcomco.exe  0TEyr8Qv5FOTXx2l.exe
  PID 1940 wrote to memory of 2288  1940  comparendopicoycedula365215999runtcomco.exe  0TEyr8Qv5FOTXx2l.exe
  PID 1940 wrote to memory of 2288  1940  comparendopicoycedula365215999runtcomco.exe  0TEyr8Qv5FOTXx2l.exe
  PID 1940 wrote to memory of 2792  1940  comparendopicoycedula365215999runtcomco.exe  antimalawareserviceexecutablee.exe
  PID 1940 wrote to memory of 2792  1940  comparendopicoycedula365215999runtcomco.exe  antimalawareserviceexecutablee.exe
  PID 1940 wrote to memory of 2792  1940  comparendopicoycedula365215999runtcomco.exe  antimalawareserviceexecutablee.exe
  PID 1940 wrote to memory of 2792  1940  comparendopicoycedula365215999runtcomco.exe  antimalawareserviceexecutablee.exe
  PID 1940 wrote to memory of 2792  1940  comparendopicoycedula365215999runtcomco.exe  antimalawareserviceexecutablee.exe
  PID 1940 wrote to memory of 2792  1940  comparendopicoycedula365215999runtcomco.exe  antimalawareserviceexecutablee.exe
  PID 1940 wrote to memory of 2792  1940  comparendopicoycedula365215999runtcomco.exe  antimalawareserviceexecutablee.exe
  PID 1940 wrote to memory of 2792  1940  comparendopicoycedula365215999runtcomco.exe  antimalawareserviceexecutablee.exe
  PID 2792 wrote to memory of 1912  2792  antimalawareserviceexecutablee.exe           antimalawareserviceexecutablee.exe
  PID 2792 wrote to memory of 1912  2792  antimalawareserviceexecutablee.exe           antimalawareserviceexecutablee.exe
  PID 2792 wrote to memory of 1912  2792  antimalawareserviceexecutablee.exe           antimalawareserviceexecutablee.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\comparendopicoycedula365215999runtcomco.exe (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\comparendopicoycedula365215999runtcomco.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 3540
  - C:\Users\Admin\AppData\Local\Temp\comparendopicoycedula365215999runtcomco.exe (depth 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\comparendopicoycedula365215999runtcomco.exe"
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Suspicious behavior: RenamesItself
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 1940
    - C:\Users\Admin\AppData\Local\Temp\0TEyr8Qv5FOTXx2l.exe (depth 3)
      command line: "C:\Users\Admin\AppData\Local\Temp\0TEyr8Qv5FOTXx2l.exe"
      - Executes dropped EXE
      PID: 2288
    - C:\Users\Admin\AppData\Local\windowsdefenderlogsini\antimalawareserviceexecutablee.exe (depth 3)
      command line: -a "C:\Users\Admin\AppData\Local\cf00793c\plg\45Ca2nPg.json"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      PID: 2792
      - C:\Users\Admin\AppData\Local\windowsdefenderlogsini\antimalawareserviceexecutablee.exe (depth 4)
        command line: -a "C:\Users\Admin\AppData\Local\Temp\unk.xml"
        - Executes dropped EXE
        PID: 1912
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\0TEyr8Qv5FOTXx2l.exe
  MD5: f7c885d6f42ff01b7342c40a2a7395d1
  SHA1: bc377c87cb73ebf6c74bd70006adcbf76f160610
  SHA256: b01390a550c3528a01ea4c6708d395226e4f4d3693c2dd5d304c6a83e6b6013e
  SHA512: d3cf3e5229d92d34873c8600a55c5541563e47621166414e0a1e9474601daad0e57db2d9623020f51cc57ad9f3bdbc1bd389a9e7e3ecb3541dcec594448cf8ec
- C:\Users\Admin\AppData\Local\cf00793c\plg\45Ca2nPg.json
  MD5: cfcd208495d565ef66e7dff9f98764da
  SHA1: b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
  SHA256: 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
  SHA512: 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99
- C:\Users\Admin\AppData\Local\windowsdefenderlogsini\antimalawareserviceexecutablee.exe
  MD5: 44bc0732e9c6deb1f912ddbd055efac3
  SHA1: 99f1c521d68f068c735c842504f01f5678ddb157
  SHA256: 368e9e3d450bae08f20e5ab0937dcd47a03835daabe900ddf87c746fb99a50fb
  SHA512: a4a7077d06b2c1059c48abb2ea9ce1c669214e4621e3bf9cfc35b67a4411a22d60d4019588c47e0b9a2b3d2d5e06a427417598cd5183a9a8be0bb33a227d7d2a
- memory/1940-126-0x00000000007E23C0-mapping.dmp
- memory/1940-127-0x0000000000400000-0x00000000007E4000-memory.dmp  Filesize: 3.9MB
- memory/1940-125-0x0000000000400000-0x00000000007E4000-memory.dmp  Filesize: 3.9MB
- memory/2288-139-0x0000000005470000-0x000000000550C000-memory.dmp  Filesize: 624KB
- memory/2288-131-0x0000000000C50000-0x0000000000C51000-memory.dmp  Filesize: 4KB
- memory/2288-128-0x0000000000000000-mapping.dmp
- memory/2792-140-0x0000000000400000-0x00000000008DC000-memory.dmp  Filesize: 4.9MB
- memory/2792-141-0x00000000008D9FE0-mapping.dmp
- memory/2792-143-0x0000000000400000-0x00000000008DC000-memory.dmp  Filesize: 4.9MB
- memory/3540-124-0x000000000B810000-0x000000000B999000-memory.dmp  Filesize: 1.5MB
- memory/3540-123-0x0000000008130000-0x0000000008306000-memory.dmp  Filesize: 1.8MB
- memory/3540-122-0x00000000075A0000-0x00000000075A9000-memory.dmp  Filesize: 36KB
- memory/3540-121-0x0000000005A00000-0x0000000005A01000-memory.dmp  Filesize: 4KB
- memory/3540-120-0x0000000005CB0000-0x0000000005CB1000-memory.dmp  Filesize: 4KB
- memory/3540-119-0x00000000059C0000-0x00000000059C1000-memory.dmp  Filesize: 4KB
- memory/3540-114-0x0000000000F60000-0x0000000000F61000-memory.dmp  Filesize: 4KB
- memory/3540-118-0x0000000005AF0000-0x0000000005AF1000-memory.dmp  Filesize: 4KB
- memory/3540-117-0x0000000005FF0000-0x0000000005FF1000-memory.dmp  Filesize: 4KB
- memory/3540-116-0x0000000005A50000-0x0000000005A51000-memory.dmp  Filesize: 4KB