Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
06-01-2022 09:15
General
-
Target
2.1.exe
-
Size
2.1MB
-
MD5
8725525b3969fc1c1e01f8ec7eab1ed9
-
SHA1
0672c99376928faba1db5add67833606e0d73529
-
SHA256
58004218b37d36f47da2c5946cac4693e9aea741a0b3a02b823862aec085454b
-
SHA512
5f7b18430aee1e18ecf32eec5d825f7473258a715143df64c19ed703e011a7cf9da40815c4e2b4ea8677c1e6b97dfe0fd74079eaedd102ec2f801776c851cb85
Score
10/10
Malware Config
Extracted
Family
bitrat
Version
1.38
C2
severdops.ddns.net:3071
Attributes
-
communication_password
29ef52e7563626a96cea7f4b4085c124
-
tor_process
tor
Signatures
-
BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
-
Windows security bypass 2 TTPs
-
suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)
suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)
-
UPX packed file 6 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 4 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Windows directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 17 IoCs
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 36 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2.1.exe"C:\Users\Admin\AppData\Local\Temp\2.1.exe"1⤵
- Windows security modification
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Resources\Themes\SHININESSESAAC\svchost.exe" -Force2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Resources\Themes\SHININESSESAAC\svchost.exe" -Force2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\2.1.exe" -Force2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe"2⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"2⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"2⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe"2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msMD5
c6c81bd26d1cfa92dcf6ece6efac0af9
SHA128fc42f45163401ff0c2b0798094f1437efa00a7
SHA256b7f2bf5b5d884a238e6f6446f359196ac7e1daa5ba87d717b424bb52037ba684
SHA5126f7b17e7be7d8599ff701549918058a3e5ef9ab51069819ae3695c187b4bbfb3ae050a9c97dcf90ec3597cf49bf0f803aadda88ab592c2a0aeef4508516f3c62
-
memory/632-81-0x0000000002082000-0x0000000002084000-memory.dmpFilesize
8KB
-
memory/632-71-0x0000000002081000-0x0000000002082000-memory.dmpFilesize
4KB
-
memory/632-68-0x0000000002080000-0x0000000002081000-memory.dmpFilesize
4KB
-
memory/632-64-0x0000000000000000-mapping.dmp
-
memory/908-62-0x0000000000000000-mapping.dmp
-
memory/908-82-0x00000000025B0000-0x00000000031FA000-memory.dmpFilesize
12.3MB
-
memory/908-69-0x00000000025B0000-0x00000000031FA000-memory.dmpFilesize
12.3MB
-
memory/1016-73-0x0000000000400000-0x00000000007E5000-memory.dmpFilesize
3.9MB
-
memory/1016-77-0x0000000000400000-0x00000000007E5000-memory.dmpFilesize
3.9MB
-
memory/1016-83-0x0000000000400000-0x00000000007E5000-memory.dmpFilesize
3.9MB
-
memory/1016-78-0x00000000007E2730-mapping.dmp
-
memory/1016-79-0x0000000000400000-0x00000000007E5000-memory.dmpFilesize
3.9MB
-
memory/1016-76-0x0000000000400000-0x00000000007E5000-memory.dmpFilesize
3.9MB
-
memory/1016-75-0x0000000000400000-0x00000000007E5000-memory.dmpFilesize
3.9MB
-
memory/1016-74-0x0000000000400000-0x00000000007E5000-memory.dmpFilesize
3.9MB
-
memory/1064-72-0x00000000026E0000-0x000000000332A000-memory.dmpFilesize
12.3MB
-
memory/1064-70-0x00000000026E0000-0x000000000332A000-memory.dmpFilesize
12.3MB
-
memory/1064-61-0x0000000000000000-mapping.dmp
-
memory/1064-63-0x00000000760F1000-0x00000000760F3000-memory.dmpFilesize
8KB
-
memory/1900-54-0x00000000012C0000-0x00000000014E6000-memory.dmpFilesize
2.1MB
-
memory/1900-57-0x0000000000320000-0x0000000000328000-memory.dmpFilesize
32KB
-
memory/1900-58-0x0000000006160000-0x000000000636A000-memory.dmpFilesize
2.0MB
-
memory/1900-59-0x0000000000F00000-0x0000000000F01000-memory.dmpFilesize
4KB
-
memory/1900-60-0x0000000000940000-0x0000000000996000-memory.dmpFilesize
344KB
-
memory/1900-56-0x0000000000310000-0x0000000000318000-memory.dmpFilesize
32KB
-
memory/1900-55-0x0000000000300000-0x0000000000308000-memory.dmpFilesize
32KB