bitrat | 317b32811ef46a4dec52e650315c82b5a5f867f49e5844bb11ed4e1f5281e6d9

General

Target

Purchase Order NO32874287782377732 July 2021 .exe
Size

2.5MB
MD5

37b87bb801399002ce5109fa582512de
SHA1

d634ba38c689efef5c72f976b88b61e5bb78989a
SHA256

317b32811ef46a4dec52e650315c82b5a5f867f49e5844bb11ed4e1f5281e6d9
SHA512

fd066e3d8dd991dd78b0efeb09ce0bd4393dc234b82038ee3a22e6b64defa75fec6d54736fb9375a7e26773eb767f90c99b70e4f9a63c379d666a72f129823fd

Score

10^/10

bitrat suricata trojan upx

Malware Config

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat

BitRAT Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1248-139-0x00000000007E2370-mapping.dmp	family_bitrat
behavioral2/memory/1248-165-0x0000000000400000-0x00000000007E4000-memory.dmp	family_bitrat

suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)
suricata

CustAttr .NET packer 1 IoCs

Detects CustAttr .NET packer in memory.

Processes:

resource	yara_rule
behavioral2/memory/3968-122-0x00000000057F0000-0x00000000057FB000-memory.dmp	CustAttr

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1248-138-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/1248-165-0x0000000000400000-0x00000000007E4000-memory.dmp	upx

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

Processes:

RegSvcs.exe

pid process

1248 RegSvcs.exe
1248 RegSvcs.exe
1248 RegSvcs.exe
1248 RegSvcs.exe
1248 RegSvcs.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

Purchase Order NO32874287782377732 July 2021 .exe

description pid process target process

PID 3968 set thread context of 1248 3968 Purchase Order NO32874287782377732 July 2021 .exe RegSvcs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2348 schtasks.exe

pid	process
1248	RegSvcs.exe
1248	RegSvcs.exe
1248	RegSvcs.exe
1248	RegSvcs.exe
1248	RegSvcs.exe

description	pid	process	target process
PID 3968 set thread context of 1248	3968	Purchase Order NO32874287782377732 July 2021 .exe	RegSvcs.exe

pid	process
2348	schtasks.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

Purchase Order NO32874287782377732 July 2021 .exepowershell.exepowershell.exepowershell.exe

pid	process
3968	Purchase Order NO32874287782377732 July 2021 .exe
3912	powershell.exe
2008	powershell.exe
4080	powershell.exe
3912	powershell.exe
2008	powershell.exe
4080	powershell.exe
4080	powershell.exe
3912	powershell.exe
2008	powershell.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

Purchase Order NO32874287782377732 July 2021 .exepowershell.exepowershell.exepowershell.exeRegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	3968	Purchase Order NO32874287782377732 July 2021 .exe
Token: SeDebugPrivilege	3912	powershell.exe
Token: SeDebugPrivilege	2008	powershell.exe
Token: SeDebugPrivilege	4080	powershell.exe
Token: SeShutdownPrivilege	1248	RegSvcs.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

RegSvcs.exe

pid process

1248 RegSvcs.exe
1248 RegSvcs.exe

pid	process
1248	RegSvcs.exe
1248	RegSvcs.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

Purchase Order NO32874287782377732 July 2021 .exe

description	pid	process	target process
PID 3968 wrote to memory of 3912	3968	Purchase Order NO32874287782377732 July 2021 .exe	powershell.exe
PID 3968 wrote to memory of 3912	3968	Purchase Order NO32874287782377732 July 2021 .exe	powershell.exe
PID 3968 wrote to memory of 3912	3968	Purchase Order NO32874287782377732 July 2021 .exe	powershell.exe
PID 3968 wrote to memory of 2008	3968	Purchase Order NO32874287782377732 July 2021 .exe	powershell.exe
PID 3968 wrote to memory of 2008	3968	Purchase Order NO32874287782377732 July 2021 .exe	powershell.exe
PID 3968 wrote to memory of 2008	3968	Purchase Order NO32874287782377732 July 2021 .exe	powershell.exe
PID 3968 wrote to memory of 2348	3968	Purchase Order NO32874287782377732 July 2021 .exe	schtasks.exe
PID 3968 wrote to memory of 2348	3968	Purchase Order NO32874287782377732 July 2021 .exe	schtasks.exe
PID 3968 wrote to memory of 2348	3968	Purchase Order NO32874287782377732 July 2021 .exe	schtasks.exe
PID 3968 wrote to memory of 4080	3968	Purchase Order NO32874287782377732 July 2021 .exe	powershell.exe
PID 3968 wrote to memory of 4080	3968	Purchase Order NO32874287782377732 July 2021 .exe	powershell.exe
PID 3968 wrote to memory of 4080	3968	Purchase Order NO32874287782377732 July 2021 .exe	powershell.exe
PID 3968 wrote to memory of 1248	3968	Purchase Order NO32874287782377732 July 2021 .exe	RegSvcs.exe
PID 3968 wrote to memory of 1248	3968	Purchase Order NO32874287782377732 July 2021 .exe	RegSvcs.exe
PID 3968 wrote to memory of 1248	3968	Purchase Order NO32874287782377732 July 2021 .exe	RegSvcs.exe
PID 3968 wrote to memory of 1248	3968	Purchase Order NO32874287782377732 July 2021 .exe	RegSvcs.exe
PID 3968 wrote to memory of 1248	3968	Purchase Order NO32874287782377732 July 2021 .exe	RegSvcs.exe
PID 3968 wrote to memory of 1248	3968	Purchase Order NO32874287782377732 July 2021 .exe	RegSvcs.exe
PID 3968 wrote to memory of 1248	3968	Purchase Order NO32874287782377732 July 2021 .exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\Purchase Order NO32874287782377732 July 2021 .exe
"C:\Users\Admin\AppData\Local\Temp\Purchase Order NO32874287782377732 July 2021 .exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3968

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Purchase Order NO32874287782377732 July 2021 .exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3912

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\uSZqfqgTOxUNw.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2008

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uSZqfqgTOxUNw" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF070.tmp"
2⤵
- Creates scheduled task(s)
PID:2348

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\uSZqfqgTOxUNw.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4080

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1248

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
1c19c16e21c97ed42d5beabc93391fc5

SHA1
8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

SHA256
1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

SHA512
7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
2cf8346d556e471168d0c12b027bcf9e

SHA1
0a2a35c7e69a742b2d15a9c8ed325f18025f74b5

SHA256
ddfb9e0fa7d34a1615875bb243a91c2bd62f67cc358c114de97c16e34b3f77cc

SHA512
396bc89fef29789fd00048cde93e960ac83cb424b0f3e640d72bf2482bae884ab659c2ebc8fecf15622950e4cd6013995b2827893bf770ba6e5e2849c7eb9900

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF070.tmp
MD5
3d9bf00cde15535e215693907b1eb9dd

SHA1
09b290e2a75e1483fdfedee6b3709ec10472f6a2

SHA256
72fbd2dfc899147faf057daf6498546fee464219dc7d91fd8e31cf191395d5fc

SHA512
b93187dd38fd66d21f5135f74a2e34324496545721f4458514f4c3390768001d74460cbb006cbac1e9844c2bd06d38b4fec12c8149e65a3b21317c39c18e1242

Download Submit
memory/1248-165-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1248-138-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1248-139-0x00000000007E2370-mapping.dmp

Download
memory/2008-246-0x00000000064C3000-0x00000000064C4000-memory.dmp

Filesize
4KB

Download
memory/2008-155-0x00000000064C2000-0x00000000064C3000-memory.dmp

Filesize
4KB

Download
memory/2008-154-0x00000000064C0000-0x00000000064C1000-memory.dmp

Filesize
4KB

Download
memory/2008-151-0x0000000007570000-0x0000000007571000-memory.dmp

Filesize
4KB

Download
memory/2008-201-0x000000007F4D0000-0x000000007F4D1000-memory.dmp

Filesize
4KB

Download
memory/2008-126-0x0000000000000000-mapping.dmp

Download
memory/2008-215-0x0000000006730000-0x0000000006731000-memory.dmp

Filesize
4KB

Download
memory/2348-127-0x0000000000000000-mapping.dmp

Download
memory/3912-146-0x0000000007B30000-0x0000000007B31000-memory.dmp

Filesize
4KB

Download
memory/3912-160-0x0000000007C60000-0x0000000007C61000-memory.dmp

Filesize
4KB

Download
memory/3912-244-0x0000000006EC3000-0x0000000006EC4000-memory.dmp

Filesize
4KB

Download
memory/3912-130-0x0000000006D90000-0x0000000006D91000-memory.dmp

Filesize
4KB

Download
memory/3912-125-0x0000000000000000-mapping.dmp

Download
memory/3912-142-0x0000000007360000-0x0000000007361000-memory.dmp

Filesize
4KB

Download
memory/3912-132-0x0000000007500000-0x0000000007501000-memory.dmp

Filesize
4KB

Download
memory/3912-148-0x0000000007E10000-0x0000000007E11000-memory.dmp

Filesize
4KB

Download
memory/3912-194-0x000000007E670000-0x000000007E671000-memory.dmp

Filesize
4KB

Download
memory/3912-150-0x0000000006EC0000-0x0000000006EC1000-memory.dmp

Filesize
4KB

Download
memory/3912-153-0x0000000006EC2000-0x0000000006EC3000-memory.dmp

Filesize
4KB

Download
memory/3912-192-0x00000000092D0000-0x0000000009303000-memory.dmp

Filesize
204KB

Download
memory/3912-169-0x0000000008500000-0x0000000008501000-memory.dmp

Filesize
4KB

Download
memory/3968-120-0x0000000005550000-0x0000000005551000-memory.dmp

Filesize
4KB

Download
memory/3968-124-0x0000000007F10000-0x0000000008089000-memory.dmp

Filesize
1.5MB

Download
memory/3968-116-0x0000000005270000-0x0000000005271000-memory.dmp

Filesize
4KB

Download
memory/3968-117-0x0000000005810000-0x0000000005811000-memory.dmp

Filesize
4KB

Download
memory/3968-121-0x0000000005310000-0x000000000580E000-memory.dmp

Filesize
5.0MB

Download
memory/3968-122-0x00000000057F0000-0x00000000057FB000-memory.dmp

Filesize
44KB

Download
memory/3968-123-0x0000000007D50000-0x0000000007F0E000-memory.dmp

Filesize
1.7MB

Download
memory/3968-118-0x0000000005310000-0x0000000005311000-memory.dmp

Filesize
4KB

Download
memory/3968-119-0x0000000005220000-0x0000000005221000-memory.dmp

Filesize
4KB

Download
memory/3968-114-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download
memory/4080-197-0x000000007E9C0000-0x000000007E9C1000-memory.dmp

Filesize
4KB

Download
memory/4080-137-0x0000000000000000-mapping.dmp

Download
memory/4080-245-0x0000000004623000-0x0000000004624000-memory.dmp

Filesize
4KB

Download
memory/4080-162-0x0000000008290000-0x0000000008291000-memory.dmp

Filesize
4KB

Download
memory/4080-168-0x0000000004622000-0x0000000004623000-memory.dmp

Filesize
4KB

Download
memory/4080-167-0x0000000004620000-0x0000000004621000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads