Analysis
  max time kernel: 148s
  max time network: 150s
  platform: windows7_x64
  resource: win7-en-20211208
  submitted: 20-12-2021 20:13

Static task: static1
Behavioral task: behavioral1
  Sample: 43e0eed9a47f0eb655af50a9aacd02b1.exe
  Resource: win7-en-20211208
General
  Target: 43e0eed9a47f0eb655af50a9aacd02b1.exe
  Size: 2.0MB
  MD5: 43e0eed9a47f0eb655af50a9aacd02b1
  SHA1: 6dbc00b84c23fc44857bd81cc69fe62430bf9c82
  SHA256: b67e1dc98007c0bf5afa9ca1f840de158cb01eedbce373d791b80059de98b011
  SHA512: 12c160f00b6a50ed84d4e3d90971cad17d67048e291210bef2e8bff8bb8acbfc18f0de26284e1f5289f9612c3efcd1659068f886404cd0e21487a9a109207f75
Malware Config
  Extracted
    family: bitrat
    version: 1.38
    C2: 107.172.44.141:2030
    communication_password: 5f4dcc3b5aa765d61d8327deb882cf99
    tor_process: tor

  The communication_password is reported as a 32-hex-character MD5 digest rather than plaintext; this particular digest is MD5("password"), so the operator left the default-strength password in place. The C2 is a direct IP:port with no domain, and tor_process names the Tor binary the client can use for an alternative transport.
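Triage of the extracted configuration, as an added example that is not part of the sandbox report: it parses the flattened "Extracted" block above, validates the C2 as IP:port, and checks the communication_password against a small constructed wordlist by MD5. The wordlist and the assumption that the digest is a plain MD5 of the operator's password are this example's own; the match on "password" is what confirms that assumption for this sample.

```python
"""Triage of the extracted BitRAT config (added example, not sandbox output)."""
import hashlib
import ipaddress
import re
from typing import Optional, Tuple

# Constructed copy of the report's "Extracted" block in its flattened form.
CONFIG_TEXT = """\
bitrat
1.38
107.172.44.141:2030
-
communication_password
5f4dcc3b5aa765d61d8327deb882cf99
-
tor_process
tor
"""

# Tiny constructed wordlist; a real run would use a full password list.
WORDLIST = ["123456", "password", "bitrat", "admin", "letmein"]

C2_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})$")


def parse_config(text: str) -> dict:
    """Turn the flattened block into a dict. The first three non-separator
    lines are family, version and C2; the remainder are key/value pairs."""
    lines = [l.strip() for l in text.splitlines() if l.strip() and l.strip() != "-"]
    cfg = {"family": lines[0], "version": lines[1], "c2": lines[2]}
    for key, value in zip(lines[3::2], lines[4::2]):
        cfg[key] = value
    return cfg


def parse_c2(c2: str) -> Tuple[str, int]:
    """Split and validate an IPv4:port C2 string."""
    m = C2_RE.match(c2)
    if not m:
        raise ValueError(f"unexpected C2 format: {c2!r}")
    ip, port = m.group(1), int(m.group(2))
    ipaddress.ip_address(ip)  # raises on a malformed address such as 999.1.1.1
    if not 0 < port < 65536:
        raise ValueError(f"port out of range: {port}")
    return ip, port


def recover_password(md5_hex: str, wordlist) -> Optional[str]:
    """Assumption: communication_password is MD5(plaintext). Return the
    plaintext on a wordlist hit, else None."""
    if not re.fullmatch(r"[0-9a-f]{32}", md5_hex):
        raise ValueError("communication_password is not a 32-hex MD5 digest")
    for word in wordlist:
        if hashlib.md5(word.encode()).hexdigest() == md5_hex:
            return word
    return None


def triage(text: str = CONFIG_TEXT, wordlist=WORDLIST) -> dict:
    """Produce the IOC set an analyst would hand to blocking and hunting."""
    cfg = parse_config(text)
    ip, port = parse_c2(cfg["c2"])
    return {
        "family": cfg["family"],
        "version": cfg["version"],
        "c2_ip": ip,
        "c2_port": port,
        "password": recover_password(cfg["communication_password"], wordlist),
        "tor": cfg.get("tor_process"),
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key:>9}: {value}")
```

Because the digest is unsalted MD5, any wordlist hit is definitive; a miss only means the operator chose something outside the list, not that the field is something other than MD5.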
Signatures

suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)  (2 alerts)

yara_rule upx matched in memory (5 IoCs)
  resource: behavioral1/memory/1552-65-0x0000000000400000-0x00000000007E4000-memory.dmp
  resource: behavioral1/memory/1552-66-0x0000000000400000-0x00000000007E4000-memory.dmp
  resource: behavioral1/memory/1552-67-0x0000000000400000-0x00000000007E4000-memory.dmp
  resource: behavioral1/memory/1552-69-0x0000000000400000-0x00000000007E4000-memory.dmp
  resource: behavioral1/memory/1552-71-0x0000000000400000-0x00000000007E4000-memory.dmp
  All five dumps cover the same 0x400000-0x7E4000 image range of PID 1552 (RegSvcs.exe). A UPX signature inside a Microsoft-signed .NET utility is not the utility's own code; taken with the SetThreadContext and WriteProcessMemory entries below, it is the UPX-packed payload that was written into the hollowed host.

Suspicious use of NtSetInformationThreadHideFromDebugger (5 IoCs)
  pid 1552  RegSvcs.exe  (5 calls)
  ThreadHideFromDebugger detaches the calling thread from any attached debugger. RegSvcs.exe does not do this on its own, so the calls come from the code injected into it.

Suspicious use of SetThreadContext (1 IoC)
  description: PID 544 set thread context of 1552
  pid 544  43e0eed9a47f0eb655af50a9aacd02b1.exe  procid_target 31 (PID 1552, RegSvcs.exe)

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic label for this is "likely ransomware behaviour", but in a RAT drive enumeration is normally file-manager reconnaissance; no file-encryption or mass file-modification signature fired in this run.

Creates scheduled task(s) (1 TTPs, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid 568  schtasks.exe

Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid 632  powershell.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token: SeDebugPrivilege     pid 632   powershell.exe
  Token: SeDebugPrivilege     pid 1552  RegSvcs.exe
  Token: SeShutdownPrivilege  pid 1552  RegSvcs.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
  pid 1552  RegSvcs.exe  (2 calls)
  Global window hooks installed from the hollowed host are the usual mechanism for keystroke capture.

Suspicious use of WriteProcessMemory (19 IoCs)
  Writer: PID 544, 43e0eed9a47f0eb655af50a9aacd02b1.exe
    wrote to PID 632   (procid_target 27, powershell.exe)   4 writes
    wrote to PID 568   (procid_target 29, schtasks.exe)     4 writes
    wrote to PID 1552  (procid_target 31, RegSvcs.exe)     11 writes
  The two command-line tools received the same small number of writes; RegSvcs.exe received nearly three times as many and is also the only child whose thread context was rewritten by the parent. That pairing (writes into a suspended child followed by SetThreadContext to its new entry point) is process hollowing.
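Detection logic for the hollowing pattern recorded above, as an added example that is not part of the report: it parses the flattened WriteProcessMemory and SetThreadContext IoC lines, tallies writes per (writer, target) pair, and flags any target whose thread context the same writer replaced. The IoC lines are a constructed copy of the 20 entries above, the PID-to-name map comes from the Processes section, and the list of .NET utilities commonly abused as hosts is this example's assumption.

```python
"""Process-hollowing detection over sandbox IoC lines (added example)."""
import re
from collections import Counter
from typing import Dict, List, Set, Tuple

SAMPLE = "43e0eed9a47f0eb655af50a9aacd02b1.exe"

# Constructed: the report's 19 WriteProcessMemory lines and 1 SetThreadContext
# line, in the same "PID <src> <verb> <dst> <pid> <process> <procid_target>" form.
IOC_LINES: List[str] = (
    [f"PID 544 wrote to memory of 632 544 {SAMPLE} 27"] * 4
    + [f"PID 544 wrote to memory of 568 544 {SAMPLE} 29"] * 4
    + [f"PID 544 wrote to memory of 1552 544 {SAMPLE} 31"] * 11
    + [f"PID 544 set thread context of 1552 544 {SAMPLE} 31"]
)

# Process names per PID, from the report's Processes section.
PROC_NAMES: Dict[int, str] = {
    544: SAMPLE, 632: "powershell.exe", 568: "schtasks.exe", 1552: "RegSvcs.exe",
}

# Signed .NET utilities routinely abused as hollowing hosts (assumed list).
DOTNET_HOSTS: Set[str] = {
    "regsvcs.exe", "regasm.exe", "msbuild.exe", "installutil.exe",
    "applaunch.exe", "aspnet_compiler.exe", "vbc.exe", "csc.exe",
}

IOC_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<verb>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) (?P<pid>\d+) (?P<proc>\S+) (?P<target>\d+)$"
)


def parse_iocs(lines) -> Tuple[Counter, Set[Tuple[int, int]]]:
    """Count cross-process writes per (writer, target) and collect the
    (setter, target) pairs whose thread context was replaced."""
    writes: Counter = Counter()
    context_set: Set[Tuple[int, int]] = set()
    for line in lines:
        m = IOC_RE.match(line.strip())
        if not m:
            continue  # tolerate header lines and other noise
        src, dst = int(m["src"]), int(m["dst"])
        if m["verb"].startswith("wrote"):
            writes[(src, dst)] += 1
        else:
            context_set.add((src, dst))
    return writes, context_set


def find_hollowing(lines=IOC_LINES, names=PROC_NAMES) -> List[dict]:
    """A parent that both writes into a child and rewrites the child's thread
    context has redirected execution inside it; when the child is a known
    .NET host, report it as process hollowing."""
    writes, context_set = parse_iocs(lines)
    findings = []
    for src, dst in sorted(context_set):
        target = names.get(dst, "<unknown>")
        n_writes = writes.get((src, dst), 0)
        is_host = target.lower() in DOTNET_HOSTS
        findings.append({
            "parent_pid": src,
            "parent": names.get(src, "<unknown>"),
            "target_pid": dst,
            "target": target,
            "writes": n_writes,
            "verdict": "process hollowing" if (n_writes and is_host)
                       else "thread context tampering",
        })
    return findings


def write_summary(lines=IOC_LINES) -> Dict[Tuple[int, int], int]:
    """Writes per (writer, target) pair; shows which child received far more
    writes than an ordinary launch."""
    writes, _ = parse_iocs(lines)
    return dict(writes)


if __name__ == "__main__":
    for (src, dst), n in sorted(write_summary().items()):
        print(f"{src} -> {dst} ({PROC_NAMES.get(dst, '?')}): {n} writes")
    for f in find_hollowing():
        print(f"{f['verdict']}: {f['parent']} ({f['parent_pid']}) -> "
              f"{f['target']} ({f['target_pid']}), {f['writes']} writes")
```

The write count alone is a weak signal (loaders vary); the SetThreadContext pair is what makes the verdict, which is why the rule keys on it and uses the write tally only as supporting detail.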
Processes

C:\Users\Admin\AppData\Local\Temp\43e0eed9a47f0eb655af50a9aacd02b1.exe  (PID 544)
  command line: "C:\Users\Admin\AppData\Local\Temp\43e0eed9a47f0eb655af50a9aacd02b1.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 632)
    command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\aDqFLFeDN.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\schtasks.exe  (PID 568)
    command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aDqFLFeDN" /XML "C:\Users\Admin\AppData\Local\Temp\tmp77DE.tmp"
    - Creates scheduled task(s)

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  (PID 1552)
    command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx

Notes on the process tree:
  - The command lines name C:\Windows\System32\..., but the images that actually ran are under C:\Windows\SysWOW64\, and the .NET host is the 32-bit Framework\ build rather than Framework64\. The sample is a 32-bit executable and is subject to WoW64 file-system redirection.
  - Add-MpPreference asks Microsoft Defender to exclude C:\Users\Admin\AppData\Roaming\aDqFLFeDN.exe, which shares its name with the scheduled task "Updates\aDqFLFeDN" and is presumably the persisted copy the task launches. The task definition in tmp77DE.tmp is not captured in this report. The Defender PowerShell module is not present on Windows 7, the platform of this run, so the cmdlet fails here; on Windows 10/11 it succeeds only from an elevated process.
  - RegSvcs.exe is started with no arguments. Legitimate use always passes an assembly path, so an argument-less RegSvcs.exe spawned by a Temp-resident parent that then writes into it and sets its thread context is the standard .NET-host process-hollowing pattern, and a reliable hunting query on its own.
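Host-side detection for the three child processes in the tree above, as an added example that is not part of the report: three command-line heuristics run over constructed Sysmon-style process-creation records (image, parent image, command line). The events reproduce the report's three children plus two constructed benign look-alikes; the .NET host list and the field names are this example's assumptions, not a particular EDR schema.

```python
"""Command-line heuristics for Defender exclusions, schtasks /XML persistence
and argument-less .NET hosts (added example; not the sandbox's logic)."""
import re
from pathlib import PureWindowsPath
from typing import Callable, List, Optional, Tuple

# Assumed list of signed .NET utilities abused as injection hosts.
DOTNET_HOSTS = {
    "regsvcs.exe", "regasm.exe", "msbuild.exe", "installutil.exe",
    "applaunch.exe", "aspnet_compiler.exe", "vbc.exe", "csc.exe",
}
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\", re.IGNORECASE)
TOKEN_RE = re.compile(r'"[^"]*"|\S+')  # Windows-style quoted tokens

# Constructed events: the report's three children plus two benign look-alikes.
EVENTS = [
    {"pid": 632,
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Users\Admin\AppData\Local\Temp\43e0eed9a47f0eb655af50a9aacd02b1.exe",
     "command_line": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\aDqFLFeDN.exe"'},
    {"pid": 568,
     "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "parent_image": r"C:\Users\Admin\AppData\Local\Temp\43e0eed9a47f0eb655af50a9aacd02b1.exe",
     "command_line": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aDqFLFeDN" /XML "C:\Users\Admin\AppData\Local\Temp\tmp77DE.tmp"'},
    {"pid": 1552,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "parent_image": r"C:\Users\Admin\AppData\Local\Temp\43e0eed9a47f0eb655af50a9aacd02b1.exe",
     "command_line": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"'},
    # Benign (constructed): an installer registering a COM+ assembly.
    {"pid": 2000,
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe",
     "parent_image": r"C:\Program Files\Contoso\Setup.exe",
     "command_line": r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe" "C:\Program Files\Contoso\ContosoSvc.dll"'},
    # Benign (constructed): an admin querying a task from cmd.exe.
    {"pid": 2001,
     "image": r"C:\Windows\System32\schtasks.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r'"C:\Windows\System32\schtasks.exe" /Query /TN "Updates\aDqFLFeDN"'},
]


def tokens(cmd: str) -> List[str]:
    """Split a Windows command line, keeping quoted paths as single tokens."""
    return [t.strip('"') for t in TOKEN_RE.findall(cmd)]


def _flag_value(cmd: str, flag: str) -> Optional[str]:
    """Value following a case-insensitive flag, or None."""
    raw = tokens(cmd)
    for i, t in enumerate(raw[:-1]):
        if t.lower() == flag:
            return raw[i + 1]
    return None


def rule_defender_exclusion(ev: dict) -> Optional[str]:
    low = [t.lower() for t in tokens(ev["command_line"])]
    if "add-mppreference" not in low:
        return None
    path = _flag_value(ev["command_line"], "-exclusionpath")
    if path and USER_WRITABLE.search(path):
        return f"Defender exclusion for user-writable path {path}"
    return None


def rule_schtasks_xml_from_temp(ev: dict) -> Optional[str]:
    if PureWindowsPath(ev["image"]).name.lower() != "schtasks.exe":
        return None
    low = [t.lower() for t in tokens(ev["command_line"])]
    xml = _flag_value(ev["command_line"], "/xml")
    if "/create" in low and xml and "\\appdata\\local\\temp\\" in xml.lower():
        return f"scheduled task created from XML in Temp: {xml}"
    return None


def rule_dotnet_host_no_args(ev: dict) -> Optional[str]:
    name = PureWindowsPath(ev["image"]).name.lower()
    if name not in DOTNET_HOSTS or len(tokens(ev["command_line"])) > 1:
        return None  # legitimate use always passes an assembly path
    if USER_WRITABLE.search(ev["parent_image"]):
        return f"{name} started without arguments by {ev['parent_image']}"
    return None


RULES: List[Tuple[str, Callable[[dict], Optional[str]]]] = [
    ("defender_exclusion", rule_defender_exclusion),
    ("schtasks_xml_from_temp", rule_schtasks_xml_from_temp),
    ("dotnet_host_no_args", rule_dotnet_host_no_args),
]


def scan(events=EVENTS) -> List[Tuple[int, str, str]]:
    """Return (pid, rule name, detail) for every rule that fires."""
    hits = []
    for ev in events:
        for rule_name, rule in RULES:
            detail = rule(ev)
            if detail:
                hits.append((ev["pid"], rule_name, detail))
    return hits


if __name__ == "__main__":
    for pid, rule_name, detail in scan():
        print(f"PID {pid:<5} {rule_name:<24} {detail}")
```

Each rule is deliberately narrow: the exclusion rule requires a user-writable target, the task rule requires both /Create and a Temp-resident XML, and the host rule requires an empty argument list plus a parent under C:\Users, which is what keeps the two constructed benign events quiet.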