Overview

overview

10

Static

static

0a7dba172f...09.exe

windows7_x64

10

0a7dba172f...09.exe

windows10_x64

10

Analysis

  • max time kernel
    148s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    07-01-2022 01:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0a7dba172f5485536a67007bbb67f209.exe

  • Size

    2.3MB

  • MD5

    0a7dba172f5485536a67007bbb67f209

  • SHA1

    7352fbbee9419e6afe958bfd34d55ffafeda0d58

  • SHA256

    f10d43cfd07a986f1f3c75eb7c90af7e1d841530709f8dcac64bfbfcb53ec736

  • SHA512

    6f2c94a396ed78e925c0d3dd6926498a7ba78bb5a111287b5c0b1122681e196fc526496a433e5b3b431988a5d6eb75218d0b5c814971163dbc489193454d14ba

Score
10/10
bitratevasionpersistencetrojanupx

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

severdops.ddns.net:3071

Attributes
  • communication_password

    29ef52e7563626a96cea7f4b4085c124

  • tor_process

    tor

Signatures

  • BitRAT

    BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

    trojanbitrat
  • Windows security bypass 2 TTPs
    evasiontrojan
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Windows security modification 2 TTPs 4 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0a7dba172f5485536a67007bbb67f209.exe
    "C:\Users\Admin\AppData\Local\Temp\0a7dba172f5485536a67007bbb67f209.exe"
    1⤵
    • Windows security modification
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1592
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\GLOSSERSECC\svchost.exe" -Force
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:432
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\GLOSSERSECC\svchost.exe" -Force
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:584
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\0a7dba172f5485536a67007bbb67f209.exe" -Force
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:820
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe"
      2⤵
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:1440

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

2
T1089

Modify Registry

3
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
    MD5

    3955dca7bcaa31f96829bc55a8b583c3

    SHA1

    d3d7069d2b8e599e9d0aa479190d1d3d943ebb5f

    SHA256

    b0bd4e460d83fed257bb11e52f1f750315a5fd2f45f3cbf507a763f431b1ef8e

    SHA512

    d351ec0d4016223fd5b256d49e17beeccedb90200167e254cbb1073500680638f3cda08a909b18450c51fdeffcd4e84ef47a49ce6747716a41ab8acff7a3c910

    Download Submit
  • memory/432-82-0x0000000002580000-0x00000000031CA000-memory.dmp
    Filesize

    12.3MB

    Download
  • memory/432-78-0x0000000002580000-0x00000000031CA000-memory.dmp
    Filesize

    12.3MB

    Download
  • memory/432-61-0x0000000000000000-mapping.dmp
    Download
  • memory/432-64-0x0000000075471000-0x0000000075473000-memory.dmp
    Filesize

    8KB

    Download
  • memory/584-81-0x0000000002412000-0x0000000002414000-memory.dmp
    Filesize

    8KB

    Download
  • memory/584-79-0x0000000002411000-0x0000000002412000-memory.dmp
    Filesize

    4KB

    Download
  • memory/584-74-0x0000000002410000-0x0000000002411000-memory.dmp
    Filesize

    4KB

    Download
  • memory/584-62-0x0000000000000000-mapping.dmp
    Download
  • memory/820-80-0x0000000002520000-0x000000000316A000-memory.dmp
    Filesize

    12.3MB

    Download
  • memory/820-63-0x0000000000000000-mapping.dmp
    Download
  • memory/1440-68-0x0000000000400000-0x00000000007E5000-memory.dmp
    Filesize

    3.9MB

    Download
  • memory/1440-75-0x0000000000400000-0x00000000007E5000-memory.dmp
    Filesize

    3.9MB

    Download
  • memory/1440-69-0x0000000000400000-0x00000000007E5000-memory.dmp
    Filesize

    3.9MB

    Download
  • memory/1440-70-0x0000000000400000-0x00000000007E5000-memory.dmp
    Filesize

    3.9MB

    Download
  • memory/1440-71-0x0000000000400000-0x00000000007E5000-memory.dmp
    Filesize

    3.9MB

    Download
  • memory/1440-72-0x0000000000400000-0x00000000007E5000-memory.dmp
    Filesize

    3.9MB

    Download
  • memory/1440-73-0x00000000007E2730-mapping.dmp
    Download
  • memory/1440-77-0x0000000000400000-0x00000000007E5000-memory.dmp
    Filesize

    3.9MB

    Download
  • memory/1592-60-0x0000000000A90000-0x0000000000B5A000-memory.dmp
    Filesize

    808KB

    Download
  • memory/1592-54-0x00000000010F0000-0x0000000001348000-memory.dmp
    Filesize

    2.3MB

    Download
  • memory/1592-59-0x0000000004EB0000-0x0000000004EB1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1592-58-0x0000000005EF0000-0x00000000060FE000-memory.dmp
    Filesize

    2.1MB

    Download
  • memory/1592-57-0x0000000000380000-0x0000000000388000-memory.dmp
    Filesize

    32KB

    Download
  • memory/1592-56-0x0000000000370000-0x0000000000378000-memory.dmp
    Filesize

    32KB

    Download
  • memory/1592-55-0x0000000000360000-0x0000000000368000-memory.dmp
    Filesize

    32KB

    Download