Overview

overview

10

Static

static

Terms and ...df.exe

windows7_x64

10

Terms and ...df.exe

windows10_x64

10

Analysis

  • max time kernel
    147s
  • max time network
    150s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    24-06-2021 12:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Terms and Conditions pdf.exe

  • Size

    1.1MB

  • MD5

    07d781828a2e31ae1748f114c5fe9fd5

  • SHA1

    e46c87bddf2227c583a2c9e30ee9984db82b32a2

  • SHA256

    e6df0473885248cf7c449ac57120d90c000ee847f27452a426d4bb3e7e0fee7a

  • SHA512

    43f14fb5d51f7e56a1469af96adfb7df3de06a06b58a225f020623f97d44e36f864a5b755c79dad9322edf1da3d557cc271742b77b0e5df46b3796d2003da951

Score
10/10
bitratxenarmorpasswordrecoveryspywarestealertrojanupx

Malware Config

Signatures

  • BitRAT

    BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

    trojanbitrat
  • BitRAT Payload 4 IoCs
  • XenArmor Suite

    XenArmor is as suite of password recovery tools for various application.

    recoverypasswordxenarmor
  • ACProtect 1.3x - 1.4x DLL software 2 IoCs

    Detects file using ACProtect software.

  • Downloads MZ/PE file
  • Executes dropped EXE 3 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Loads dropped DLL 1 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads local data of messenger clients 2 TTPs

    Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies system certificate store 2 TTPs 2 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Terms and Conditions pdf.exe
    "C:\Users\Admin\AppData\Local\Temp\Terms and Conditions pdf.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:904
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zJAQFbftkdPi" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8AAD.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:4056
    • C:\Users\Admin\AppData\Local\Temp\Terms and Conditions pdf.exe
      "C:\Users\Admin\AppData\Local\Temp\Terms and Conditions pdf.exe"
      2⤵
      • Modifies system certificate store
      • Suspicious use of WriteProcessMemory
      PID:2188
      • C:\Users\Admin\AppData\Local\Temp\5OOrb3GuK1FV7yti.exe
        "C:\Users\Admin\AppData\Local\Temp\5OOrb3GuK1FV7yti.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious use of SetThreadContext
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:384
        • C:\Users\Admin\AppData\Local\Temp\5OOrb3GuK1FV7yti.exe
          -a "C:\Users\Admin\AppData\Local\aa8437ce\plg\MifvYrpF.json"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:2544
          • C:\Users\Admin\AppData\Local\Temp\5OOrb3GuK1FV7yti.exe
            -a "C:\Users\Admin\AppData\Local\Temp\unk.xml"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2208

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Install Root Certificate

1
T1130

Modify Registry

1
T1112

Credential Access

Credentials in Files

4
T1081

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Data from Local System

4
T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\5OOrb3GuK1FV7yti.exe
    MD5

    e39f404f193bd1e12fac9307a43adbed

    SHA1

    fb2e759fcb30b6e7299922e0e362f9b677162c94

    SHA256

    6c127e6dbd6095f50768a04c8c7edab47b372cdb4672b9c5ff2c14a44b19582a

    SHA512

    cb79c094cf29c29e113fc017a51b6f170d40f6110eb90ffade8655ac5a3dc1af4003f805bae80c52c66c9c3c70ce7652dfa34b2a3f7d5c61bd0cb196008d115b

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\5OOrb3GuK1FV7yti.exe
    MD5

    e39f404f193bd1e12fac9307a43adbed

    SHA1

    fb2e759fcb30b6e7299922e0e362f9b677162c94

    SHA256

    6c127e6dbd6095f50768a04c8c7edab47b372cdb4672b9c5ff2c14a44b19582a

    SHA512

    cb79c094cf29c29e113fc017a51b6f170d40f6110eb90ffade8655ac5a3dc1af4003f805bae80c52c66c9c3c70ce7652dfa34b2a3f7d5c61bd0cb196008d115b

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\5OOrb3GuK1FV7yti.exe
    MD5

    e39f404f193bd1e12fac9307a43adbed

    SHA1

    fb2e759fcb30b6e7299922e0e362f9b677162c94

    SHA256

    6c127e6dbd6095f50768a04c8c7edab47b372cdb4672b9c5ff2c14a44b19582a

    SHA512

    cb79c094cf29c29e113fc017a51b6f170d40f6110eb90ffade8655ac5a3dc1af4003f805bae80c52c66c9c3c70ce7652dfa34b2a3f7d5c61bd0cb196008d115b

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\5OOrb3GuK1FV7yti.exe
    MD5

    e39f404f193bd1e12fac9307a43adbed

    SHA1

    fb2e759fcb30b6e7299922e0e362f9b677162c94

    SHA256

    6c127e6dbd6095f50768a04c8c7edab47b372cdb4672b9c5ff2c14a44b19582a

    SHA512

    cb79c094cf29c29e113fc017a51b6f170d40f6110eb90ffade8655ac5a3dc1af4003f805bae80c52c66c9c3c70ce7652dfa34b2a3f7d5c61bd0cb196008d115b

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\License.XenArmor
    MD5

    4f3bde9212e17ef18226866d6ac739b6

    SHA1

    732733bec8314beb81437e60876ffa75e72ae6cd

    SHA256

    212173a405c78d70f90e8ec0699a60ed2f4a9f3a8070de62eabd666c268fb174

    SHA512

    10b7cdae0b9a7b0f8e1bfc66a60675fa9b25c523864d5ae3da243f4e6e4c5194f3bd92af57ac956157442f66414bdd3393d0a1e5ba4ef0f192561e8524d4e744

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\License.XenArmor
    MD5

    bf5da170f7c9a8eae88d1cb1a191ff80

    SHA1

    dd1b991a1b03587a5d1edc94e919a2070e325610

    SHA256

    e5d5110feb21939d82d962981aeaaafc4643b40a9b87cbed800ace82135d57cd

    SHA512

    9e32247d8556fd6efffbf7b6b9c325652d8c4b223b0fa38020879171476a49ab1f64d8897b5d8d92b79c5484fd9d5899be26ca5f664ee1f9c2acb0857084121e

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\Unknown.dll
    MD5

    86114faba7e1ec4a667d2bcb2e23f024

    SHA1

    670df6e1ba1dc6bece046e8b2e573dd36748245e

    SHA256

    568da887725ccfdc4c5aae3ff66792fe60eca4e0818338f6a8434be66a6fe46d

    SHA512

    d26ee0da6ccd4022982cf848c46e40f6781b667e39d0c5daf5ea8d74c44e55c55a5f7590a4d2a60aa1911358ca783c4276a9b4e6311c4cea20df1ebd4f7f457f

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\tmp8AAD.tmp
    MD5

    9af1878cb1afa82319424816ede47c6e

    SHA1

    e2ed9a7ee9069cff8ca9bb498d823e884ddc9365

    SHA256

    8ab0ed4f6131606c2f636a5ae4152e1ba001822e73c56eb1bbbabab05db84581

    SHA512

    16a126c998d9e90d3327650f90059f3833096308c42c0a0ba33e71904387cd6d56aeb8228ee3734ae48a6952f7e37653220ca0fa6b1fe171a5daa4a7755a941e

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\unk.xml
    MD5

    77e6621fd939338d3f19f3dd948ecf43

    SHA1

    53df8b3a76c5d6c35a99aa7759ff3bd7ec46588c

    SHA256

    9cb90c1d5c31396519b1f6c73899c062b6ccbd9a8cfc7c0bb054fe88c7825867

    SHA512

    6e812be4c3b958f0497f91e0eb2e8b77d4a13e2b7af750a30ec9bff3dde09a233b5510ee6333a9ab3182c11ab6c3d38789921d517449c6a03164e216cee43c4f

    Download Submit
  • C:\Users\Admin\AppData\Local\aa8437ce\plg\MifvYrpF.json
    MD5

    77e6621fd939338d3f19f3dd948ecf43

    SHA1

    53df8b3a76c5d6c35a99aa7759ff3bd7ec46588c

    SHA256

    9cb90c1d5c31396519b1f6c73899c062b6ccbd9a8cfc7c0bb054fe88c7825867

    SHA512

    6e812be4c3b958f0497f91e0eb2e8b77d4a13e2b7af750a30ec9bff3dde09a233b5510ee6333a9ab3182c11ab6c3d38789921d517449c6a03164e216cee43c4f

    Download Submit
  • \Users\Admin\AppData\Local\Temp\Unknown.dll
    MD5

    86114faba7e1ec4a667d2bcb2e23f024

    SHA1

    670df6e1ba1dc6bece046e8b2e573dd36748245e

    SHA256

    568da887725ccfdc4c5aae3ff66792fe60eca4e0818338f6a8434be66a6fe46d

    SHA512

    d26ee0da6ccd4022982cf848c46e40f6781b667e39d0c5daf5ea8d74c44e55c55a5f7590a4d2a60aa1911358ca783c4276a9b4e6311c4cea20df1ebd4f7f457f

    Download Submit
  • memory/384-130-0x0000000000000000-mapping.dmp
    Download
  • memory/904-121-0x0000000002AE0000-0x0000000002AE1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/904-114-0x0000000000560000-0x0000000000561000-memory.dmp
    Filesize

    4KB

    Download
  • memory/904-124-0x00000000082F0000-0x0000000008340000-memory.dmp
    Filesize

    320KB

    Download
  • memory/904-119-0x0000000002CC0000-0x0000000002CC1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/904-118-0x0000000005040000-0x0000000005041000-memory.dmp
    Filesize

    4KB

    Download
  • memory/904-120-0x0000000005150000-0x0000000005151000-memory.dmp
    Filesize

    4KB

    Download
  • memory/904-122-0x0000000005440000-0x0000000005450000-memory.dmp
    Filesize

    64KB

    Download
  • memory/904-123-0x0000000005DD0000-0x0000000005E52000-memory.dmp
    Filesize

    520KB

    Download
  • memory/904-116-0x0000000002BF0000-0x0000000002BF1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/904-117-0x0000000005540000-0x0000000005541000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2188-129-0x0000000000400000-0x000000000043F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/2188-128-0x000000000040AE9E-mapping.dmp
    Download
  • memory/2188-127-0x0000000000400000-0x000000000043F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/2208-137-0x0000000000400000-0x00000000006FE000-memory.dmp
    Filesize

    3.0MB

    Download
  • memory/2208-138-0x00000000006FC1D0-mapping.dmp
    Download
  • memory/2208-143-0x0000000000400000-0x00000000006FE000-memory.dmp
    Filesize

    3.0MB

    Download
  • memory/2544-136-0x0000000000400000-0x00000000008DC000-memory.dmp
    Filesize

    4.9MB

    Download
  • memory/2544-133-0x0000000000400000-0x00000000008DC000-memory.dmp
    Filesize

    4.9MB

    Download
  • memory/2544-134-0x00000000008D9FE0-mapping.dmp
    Download
  • memory/4056-125-0x0000000000000000-mapping.dmp
    Download