Resubmissions
Date              ID                 Score
23-12-2021 18:20  211223-wyzqqsccdl  10
23-12-2021 14:03  211223-rc7f8shhg2  10
23-12-2021 11:13  211223-nbh6gaader  10
15-08-2021 20:58  210815-ycewjd1mge  10

Analysis
max time kernel: 148s
max time network: 173s
platform: windows7_x64
resource: win7v20210410
submitted: 15-08-2021 20:58
Static task: static1
Behavioral task: behavioral1
  Sample: 4594A8618274C5732C58BCB6F246919A.exe
  Resource: win7v20210410
Behavioral task: behavioral2
  Sample: 4594A8618274C5732C58BCB6F246919A.exe
  Resource: win10v20210410
General
Target: 4594A8618274C5732C58BCB6F246919A.exe
Size: 2.1MB
MD5: 4594a8618274c5732c58bcb6f246919a
SHA1: 4f8713c078388eb8d06f24d4549a8175e8135b65
SHA256: 93dd445822c1c5b30270fc5552a71a02eab536a80ba51e345632d2be18aded49
SHA512: 6615279fa9e7f72a3c42eeb01e96ae00ed3804e71456e044c574e1a732c43b04df9b42258099326f23d0bc6d4356995f2ee3b192e9b0f246cdf75af43f5e7fe3
Malware Config

Signatures

BitRAT Payload  1 IoCs
Processes:
resource                                                                     yara_rule
behavioral1/memory/268-69-0x0000000000400000-0x00000000007E4000-memory.dmp   family_bitrat

Processes:
resource                                                                     yara_rule
behavioral1/memory/268-66-0x0000000000400000-0x00000000007E4000-memory.dmp   upx
behavioral1/memory/268-69-0x0000000000400000-0x00000000007E4000-memory.dmp   upx
Adds Run key to start application  2 TTPs  1 IoCs
Processes: 4594A8618274C5732C58BCB6F246919A.exe
description      ioc                                                                                                                                                                                                       process
Set value (str)  \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogomwindefender = "C:\\Users\\Admin\\AppData\\Local\\winlogomwindefenders\\winlogomwindefender.exe"  4594A8618274C5732C58BCB6F246919A.exe
Suspicious use of NtSetInformationThreadHideFromDebugger  4 IoCs
Processes: 4594A8618274C5732C58BCB6F246919A.exe
pid  process
268  4594A8618274C5732C58BCB6F246919A.exe
268  4594A8618274C5732C58BCB6F246919A.exe
268  4594A8618274C5732C58BCB6F246919A.exe
268  4594A8618274C5732C58BCB6F246919A.exe
Suspicious use of SetThreadContext  1 IoCs
Processes: 4594A8618274C5732C58BCB6F246919A.exe
description                          pid   process                               target process
PID 1652 set thread context of 268   1652  4594A8618274C5732C58BCB6F246919A.exe  4594A8618274C5732C58BCB6F246919A.exe
Suspicious behavior: RenamesItself  20 IoCs
Processes: 4594A8618274C5732C58BCB6F246919A.exe
pid  process
268  4594A8618274C5732C58BCB6F246919A.exe  (this row is repeated 20 times in the report)
Suspicious use of AdjustPrivilegeToken  2 IoCs
Processes: 4594A8618274C5732C58BCB6F246919A.exe
description                  pid  process
Token: SeDebugPrivilege      268  4594A8618274C5732C58BCB6F246919A.exe
Token: SeShutdownPrivilege   268  4594A8618274C5732C58BCB6F246919A.exe
Suspicious use of SetWindowsHookEx  2 IoCs
Processes: 4594A8618274C5732C58BCB6F246919A.exe
pid  process
268  4594A8618274C5732C58BCB6F246919A.exe
268  4594A8618274C5732C58BCB6F246919A.exe
Suspicious use of WriteProcessMemory  8 IoCs
Processes: 4594A8618274C5732C58BCB6F246919A.exe
description                       pid   process                               target process
PID 1652 wrote to memory of 268   1652  4594A8618274C5732C58BCB6F246919A.exe  4594A8618274C5732C58BCB6F246919A.exe  (this row is repeated 8 times in the report)
Processes
C:\Users\Admin\AppData\Local\Temp\4594A8618274C5732C58BCB6F246919A.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\4594A8618274C5732C58BCB6F246919A.exe"
  PID: 1652
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\4594A8618274C5732C58BCB6F246919A.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\4594A8618274C5732C58BCB6F246919A.exe"
      PID: 268
      - Adds Run key to start application
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious behavior: RenamesItself
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads
memory/268-66-0x0000000000400000-0x00000000007E4000-memory.dmp   Filesize: 3.9MB
memory/268-67-0x00000000007E2780-mapping.dmp
memory/268-68-0x0000000076E11000-0x0000000076E13000-memory.dmp   Filesize: 8KB
memory/268-69-0x0000000000400000-0x00000000007E4000-memory.dmp   Filesize: 3.9MB
memory/1652-60-0x0000000000D30000-0x0000000000D31000-memory.dmp  Filesize: 4KB
memory/1652-62-0x0000000004B70000-0x0000000004B71000-memory.dmp  Filesize: 4KB
memory/1652-63-0x00000000004D0000-0x00000000004E1000-memory.dmp  Filesize: 68KB
memory/1652-64-0x0000000007E10000-0x0000000007FFA000-memory.dmp  Filesize: 1.9MB
memory/1652-65-0x0000000005E80000-0x0000000005FF3000-memory.dmp  Filesize: 1.4MB