Analysis
-
max time kernel
148s -
max time network
134s -
platform
windows10_x64 -
resource
win10v20210408 -
submitted
06-05-2021 18:32
General
-
Target
fotoadjuntajpg.exe
-
Size
2.1MB
-
MD5
1a95f16ac6f8c8c58a328d10e4263e9b
-
SHA1
12ce6530ec3c85cd2b1c5b58ab727fc2cc82217b
-
SHA256
ac84f24af4ee7638d9ee6c5d4b080130a7e1055e5f9bfbc1991dc889a03f664c
-
SHA512
f61a24cf4338e656672e76611a8b60c63da3eec4447a56c995a0b2d4662bfec8b155b67f67c7f1527feae75ccccc24c333989b3c73836ae2dbae70b5a8aaf0d1
Score
10/10
Malware Config
Signatures
-
BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
-
BitRAT Payload 1 IoCs
-
UPX packed file 2 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
-
Suspicious behavior: RenamesItself 8 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 19 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\fotoadjuntajpg.exe"C:\Users\Admin\AppData\Local\Temp\fotoadjuntajpg.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\fotoadjuntajpg.exe"C:\Users\Admin\AppData\Local\Temp\fotoadjuntajpg.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\fotoadjuntajpg.exe"C:\Users\Admin\AppData\Local\Temp\fotoadjuntajpg.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\fotoadjuntajpg.exe"C:\Users\Admin\AppData\Local\Temp\fotoadjuntajpg.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\fotoadjuntajpg.exe"C:\Users\Admin\AppData\Local\Temp\fotoadjuntajpg.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\fotoadjuntajpg.exe"C:\Users\Admin\AppData\Local\Temp\fotoadjuntajpg.exe"2⤵
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/640-114-0x0000000000380000-0x0000000000381000-memory.dmpFilesize
4KB
-
memory/640-116-0x0000000004DB0000-0x0000000004DB1000-memory.dmpFilesize
4KB
-
memory/640-117-0x0000000005380000-0x0000000005381000-memory.dmpFilesize
4KB
-
memory/640-118-0x0000000004F20000-0x0000000004F21000-memory.dmpFilesize
4KB
-
memory/640-119-0x0000000004E80000-0x000000000537E000-memory.dmpFilesize
5.0MB
-
memory/640-120-0x0000000004DA0000-0x0000000004DA1000-memory.dmpFilesize
4KB
-
memory/640-121-0x00000000050A0000-0x00000000050A1000-memory.dmpFilesize
4KB
-
memory/640-122-0x0000000005080000-0x000000000508E000-memory.dmpFilesize
56KB
-
memory/640-123-0x0000000006010000-0x00000000061D8000-memory.dmpFilesize
1.8MB
-
memory/640-124-0x00000000095D0000-0x0000000009749000-memory.dmpFilesize
1.5MB
-
memory/2236-125-0x0000000000400000-0x00000000007E4000-memory.dmpFilesize
3.9MB
-
memory/2236-126-0x00000000007E23D0-mapping.dmp
-
memory/2236-127-0x0000000000400000-0x00000000007E4000-memory.dmpFilesize
3.9MB