bitrat | f10d43cfd07a986f1f3c75eb7c90af7e1d841530709f8dcac64bfbfcb53ec736

Analysis

max time kernel
150s
max time network
150s
platform
windows10_x64
resource
win10-en-20211208
submitted
07-01-2022 01:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0a7dba172f5485536a67007bbb67f209.exe
Size

2.3MB
MD5

0a7dba172f5485536a67007bbb67f209
SHA1

7352fbbee9419e6afe958bfd34d55ffafeda0d58
SHA256

f10d43cfd07a986f1f3c75eb7c90af7e1d841530709f8dcac64bfbfcb53ec736
SHA512

6f2c94a396ed78e925c0d3dd6926498a7ba78bb5a111287b5c0b1122681e196fc526496a433e5b3b431988a5d6eb75218d0b5c814971163dbc489193454d14ba

Score

10^/10

bitrat evasion persistence trojan upx

Malware Config

Extracted

Family

bitrat

Version

1.38

severdops.ddns.net:3071

Attributes

communication_password
29ef52e7563626a96cea7f4b4085c124
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/2424-169-0x0000000000400000-0x00000000007E5000-memory.dmp	upx
behavioral2/memory/2424-173-0x0000000000400000-0x00000000007E5000-memory.dmp	upx
behavioral2/memory/2424-174-0x0000000000400000-0x00000000007E5000-memory.dmp	upx

Windows security modification 2 TTPs 4 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

0a7dba172f5485536a67007bbb67f209.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths	0a7dba172f5485536a67007bbb67f209.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions	0a7dba172f5485536a67007bbb67f209.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Microsoft.NET\Framework\GLOSSERSECC\svchost.exe = "0"	0a7dba172f5485536a67007bbb67f209.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\0a7dba172f5485536a67007bbb67f209.exe = "0"	0a7dba172f5485536a67007bbb67f209.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

0a7dba172f5485536a67007bbb67f209.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows\CurrentVersion\Run\MURRINEADC = "C:\\Windows\\Microsoft.NET\\Framework\\GLOSSERSECC\\svchost.exe"	0a7dba172f5485536a67007bbb67f209.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

Processes:

csc.exe

pid process

2424 csc.exe
2424 csc.exe
2424 csc.exe
2424 csc.exe
2424 csc.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

0a7dba172f5485536a67007bbb67f209.exe

description pid process target process

PID 492 set thread context of 2424 492 0a7dba172f5485536a67007bbb67f209.exe csc.exe
Drops file in Windows directory 1 IoCs

Processes:

0a7dba172f5485536a67007bbb67f209.exe

description ioc process

File created C:\Windows\Microsoft.NET\Framework\GLOSSERSECC\svchost.exe 0a7dba172f5485536a67007bbb67f209.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
2424	csc.exe
2424	csc.exe
2424	csc.exe
2424	csc.exe
2424	csc.exe

description	pid	process	target process
PID 492 set thread context of 2424	492	0a7dba172f5485536a67007bbb67f209.exe	csc.exe

description	ioc	process
File created	C:\Windows\Microsoft.NET\Framework\GLOSSERSECC\svchost.exe	0a7dba172f5485536a67007bbb67f209.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

Processes:

0a7dba172f5485536a67007bbb67f209.exepowershell.exepowershell.exepowershell.exe

pid	process
492	0a7dba172f5485536a67007bbb67f209.exe
492	0a7dba172f5485536a67007bbb67f209.exe
492	0a7dba172f5485536a67007bbb67f209.exe
492	0a7dba172f5485536a67007bbb67f209.exe
2320	powershell.exe
1936	powershell.exe
3796	powershell.exe
3796	powershell.exe
2320	powershell.exe
1936	powershell.exe
492	0a7dba172f5485536a67007bbb67f209.exe
492	0a7dba172f5485536a67007bbb67f209.exe
492	0a7dba172f5485536a67007bbb67f209.exe
492	0a7dba172f5485536a67007bbb67f209.exe
492	0a7dba172f5485536a67007bbb67f209.exe
492	0a7dba172f5485536a67007bbb67f209.exe
1936	powershell.exe
2320	powershell.exe
3796	powershell.exe
492	0a7dba172f5485536a67007bbb67f209.exe
492	0a7dba172f5485536a67007bbb67f209.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

0a7dba172f5485536a67007bbb67f209.exepowershell.exepowershell.exepowershell.execsc.exe

description	pid	process
Token: SeDebugPrivilege	492	0a7dba172f5485536a67007bbb67f209.exe
Token: SeDebugPrivilege	3796	powershell.exe
Token: SeDebugPrivilege	1936	powershell.exe
Token: SeDebugPrivilege	2320	powershell.exe
Token: SeShutdownPrivilege	2424	csc.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

csc.exe

pid process

2424 csc.exe
2424 csc.exe

pid	process
2424	csc.exe
2424	csc.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

0a7dba172f5485536a67007bbb67f209.exe

description	pid	process	target process
PID 492 wrote to memory of 1936	492	0a7dba172f5485536a67007bbb67f209.exe	powershell.exe
PID 492 wrote to memory of 1936	492	0a7dba172f5485536a67007bbb67f209.exe	powershell.exe
PID 492 wrote to memory of 1936	492	0a7dba172f5485536a67007bbb67f209.exe	powershell.exe
PID 492 wrote to memory of 2320	492	0a7dba172f5485536a67007bbb67f209.exe	powershell.exe
PID 492 wrote to memory of 2320	492	0a7dba172f5485536a67007bbb67f209.exe	powershell.exe
PID 492 wrote to memory of 2320	492	0a7dba172f5485536a67007bbb67f209.exe	powershell.exe
PID 492 wrote to memory of 3796	492	0a7dba172f5485536a67007bbb67f209.exe	powershell.exe
PID 492 wrote to memory of 3796	492	0a7dba172f5485536a67007bbb67f209.exe	powershell.exe
PID 492 wrote to memory of 3796	492	0a7dba172f5485536a67007bbb67f209.exe	powershell.exe
PID 492 wrote to memory of 956	492	0a7dba172f5485536a67007bbb67f209.exe	ServiceModelReg.exe
PID 492 wrote to memory of 956	492	0a7dba172f5485536a67007bbb67f209.exe	ServiceModelReg.exe
PID 492 wrote to memory of 956	492	0a7dba172f5485536a67007bbb67f209.exe	ServiceModelReg.exe
PID 492 wrote to memory of 2424	492	0a7dba172f5485536a67007bbb67f209.exe	csc.exe
PID 492 wrote to memory of 2424	492	0a7dba172f5485536a67007bbb67f209.exe	csc.exe
PID 492 wrote to memory of 2424	492	0a7dba172f5485536a67007bbb67f209.exe	csc.exe
PID 492 wrote to memory of 2424	492	0a7dba172f5485536a67007bbb67f209.exe	csc.exe
PID 492 wrote to memory of 2424	492	0a7dba172f5485536a67007bbb67f209.exe	csc.exe
PID 492 wrote to memory of 2424	492	0a7dba172f5485536a67007bbb67f209.exe	csc.exe
PID 492 wrote to memory of 2424	492	0a7dba172f5485536a67007bbb67f209.exe	csc.exe
PID 492 wrote to memory of 2424	492	0a7dba172f5485536a67007bbb67f209.exe	csc.exe

C:\Users\Admin\AppData\Local\Temp\0a7dba172f5485536a67007bbb67f209.exe
"C:\Users\Admin\AppData\Local\Temp\0a7dba172f5485536a67007bbb67f209.exe"
1⤵
- Windows security modification
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:492

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\GLOSSERSECC\svchost.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1936

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\GLOSSERSECC\svchost.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2320

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\0a7dba172f5485536a67007bbb67f209.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3796

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe"
2⤵
PID:956

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2424

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
1c19c16e21c97ed42d5beabc93391fc5

SHA1
8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

SHA256
1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

SHA512
7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
96b4c1d8349ad5a5c9a153ba04cec4b6

SHA1
061f5f499a67ad19afe69ca78ea0b56c38709404

SHA256
273d5205fd719e9166fa995e55f99547fbfd87f91ed259a00531ed6467313077

SHA512
f75a34e58ad1956b8fe3c7da60af31485d3c0d8ce2af77029624f16c0977f7bd07550d3b1d69a423ccf104f08e8cad9b17b814b43b8a7bb3f9942c3d6a8bc95b

Download Submit
memory/492-123-0x0000000006900000-0x00000000069CA000-memory.dmp

Filesize
808KB

Download
memory/492-124-0x0000000005AB0000-0x0000000005FAE000-memory.dmp

Filesize
5.0MB

Download
memory/492-119-0x0000000005380000-0x0000000005388000-memory.dmp

Filesize
32KB

Download
memory/492-147-0x00000000058B0000-0x00000000058BA000-memory.dmp

Filesize
40KB

Download
memory/492-121-0x00000000053B0000-0x00000000053B8000-memory.dmp

Filesize
32KB

Download
memory/492-122-0x00000000066E0000-0x00000000068EE000-memory.dmp

Filesize
2.1MB

Download
memory/492-118-0x0000000005370000-0x0000000005378000-memory.dmp

Filesize
32KB

Download
memory/492-120-0x00000000053A0000-0x00000000053A8000-memory.dmp

Filesize
32KB

Download
memory/492-132-0x0000000005910000-0x00000000059A2000-memory.dmp

Filesize
584KB

Download
memory/492-115-0x00000000009E0000-0x0000000000C38000-memory.dmp

Filesize
2.3MB

Download
memory/492-117-0x0000000005370000-0x000000000540C000-memory.dmp

Filesize
624KB

Download
memory/492-116-0x0000000005410000-0x00000000054AC000-memory.dmp

Filesize
624KB

Download
memory/1936-199-0x0000000006E20000-0x0000000007448000-memory.dmp

Filesize
6.2MB

Download
memory/1936-215-0x0000000007630000-0x0000000007696000-memory.dmp

Filesize
408KB

Download
memory/1936-128-0x00000000007E0000-0x00000000007E1000-memory.dmp

Filesize
4KB

Download
memory/1936-157-0x00000000076E0000-0x0000000007A30000-memory.dmp

Filesize
3.3MB

Download
memory/1936-163-0x0000000007AF0000-0x0000000007B3B000-memory.dmp

Filesize
300KB

Download
memory/1936-151-0x0000000006DA0000-0x0000000006E06000-memory.dmp

Filesize
408KB

Download
memory/1936-176-0x00000000007E0000-0x00000000007E1000-memory.dmp

Filesize
4KB

Download
memory/1936-209-0x0000000006C00000-0x0000000006C22000-memory.dmp

Filesize
136KB

Download
memory/1936-136-0x0000000000E20000-0x0000000000E56000-memory.dmp

Filesize
216KB

Download
memory/1936-203-0x0000000008EB0000-0x0000000008EE3000-memory.dmp

Filesize
204KB

Download
memory/1936-166-0x0000000007E20000-0x0000000007E96000-memory.dmp

Filesize
472KB

Download
memory/1936-139-0x00000000067E0000-0x00000000067E1000-memory.dmp

Filesize
4KB

Download
memory/1936-125-0x0000000000000000-mapping.dmp

Download
memory/1936-206-0x0000000008EB0000-0x0000000008EE3000-memory.dmp

Filesize
204KB

Download
memory/1936-143-0x00000000067E2000-0x00000000067E3000-memory.dmp

Filesize
4KB

Download
memory/1936-212-0x0000000006DA0000-0x0000000006E06000-memory.dmp

Filesize
408KB

Download
memory/1936-156-0x0000000007630000-0x0000000007696000-memory.dmp

Filesize
408KB

Download
memory/1936-145-0x0000000006E20000-0x0000000007448000-memory.dmp

Filesize
6.2MB

Download
memory/1936-131-0x00000000007E0000-0x00000000007E1000-memory.dmp

Filesize
4KB

Download
memory/1936-149-0x0000000006C00000-0x0000000006C22000-memory.dmp

Filesize
136KB

Download
memory/1936-161-0x0000000007510000-0x000000000752C000-memory.dmp

Filesize
112KB

Download
memory/2320-129-0x0000000001160000-0x0000000001161000-memory.dmp

Filesize
4KB

Download
memory/2320-148-0x0000000007570000-0x0000000007592000-memory.dmp

Filesize
136KB

Download
memory/2320-213-0x0000000007E20000-0x0000000007E86000-memory.dmp

Filesize
408KB

Download
memory/2320-154-0x00000000080F0000-0x0000000008156000-memory.dmp

Filesize
408KB

Download
memory/2320-144-0x00000000076A0000-0x0000000007CC8000-memory.dmp

Filesize
6.2MB

Download
memory/2320-207-0x00000000097F0000-0x0000000009823000-memory.dmp

Filesize
204KB

Download
memory/2320-152-0x0000000007E20000-0x0000000007E86000-memory.dmp

Filesize
408KB

Download
memory/2320-210-0x0000000007570000-0x0000000007592000-memory.dmp

Filesize
136KB

Download
memory/2320-158-0x0000000008160000-0x00000000084B0000-memory.dmp

Filesize
3.3MB

Download
memory/2320-141-0x0000000007062000-0x0000000007063000-memory.dmp

Filesize
4KB

Download
memory/2320-204-0x00000000097F0000-0x0000000009823000-memory.dmp

Filesize
204KB

Download
memory/2320-138-0x0000000007060000-0x0000000007061000-memory.dmp

Filesize
4KB

Download
memory/2320-160-0x0000000007DF0000-0x0000000007E0C000-memory.dmp

Filesize
112KB

Download
memory/2320-216-0x00000000080F0000-0x0000000008156000-memory.dmp

Filesize
408KB

Download
memory/2320-165-0x00000000084B0000-0x00000000084FB000-memory.dmp

Filesize
300KB

Download
memory/2320-135-0x0000000006F90000-0x0000000006FC6000-memory.dmp

Filesize
216KB

Download
memory/2320-200-0x00000000076A0000-0x0000000007CC8000-memory.dmp

Filesize
6.2MB

Download
memory/2320-133-0x0000000001160000-0x0000000001161000-memory.dmp

Filesize
4KB

Download
memory/2320-177-0x0000000001160000-0x0000000001161000-memory.dmp

Filesize
4KB

Download
memory/2320-126-0x0000000000000000-mapping.dmp

Download
memory/2320-168-0x00000000087B0000-0x0000000008826000-memory.dmp

Filesize
472KB

Download
memory/2424-174-0x0000000000400000-0x00000000007E5000-memory.dmp

Filesize
3.9MB

Download
memory/2424-169-0x0000000000400000-0x00000000007E5000-memory.dmp

Filesize
3.9MB

Download
memory/2424-172-0x0000000000A80000-0x0000000000A81000-memory.dmp

Filesize
4KB

Download
memory/2424-171-0x0000000000A80000-0x0000000000A81000-memory.dmp

Filesize
4KB

Download
memory/2424-170-0x00000000007E2730-mapping.dmp

Download
memory/2424-173-0x0000000000400000-0x00000000007E5000-memory.dmp

Filesize
3.9MB

Download
memory/3796-208-0x00000000072E0000-0x0000000007302000-memory.dmp

Filesize
136KB

Download
memory/3796-211-0x0000000007A10000-0x0000000007A76000-memory.dmp

Filesize
408KB

Download
memory/3796-201-0x00000000073E0000-0x0000000007A08000-memory.dmp

Filesize
6.2MB

Download
memory/3796-164-0x00000000085B0000-0x00000000085FB000-memory.dmp

Filesize
300KB

Download
memory/3796-162-0x0000000007B10000-0x0000000007B2C000-memory.dmp

Filesize
112KB

Download
memory/3796-159-0x0000000007DA0000-0x00000000080F0000-memory.dmp

Filesize
3.3MB

Download
memory/3796-205-0x0000000009260000-0x0000000009293000-memory.dmp

Filesize
204KB

Download
memory/3796-175-0x0000000001260000-0x0000000001261000-memory.dmp

Filesize
4KB

Download
memory/3796-153-0x0000000007A10000-0x0000000007A76000-memory.dmp

Filesize
408KB

Download
memory/3796-202-0x0000000009260000-0x0000000009293000-memory.dmp

Filesize
204KB

Download
memory/3796-155-0x0000000007A80000-0x0000000007AE6000-memory.dmp

Filesize
408KB

Download
memory/3796-167-0x00000000083A0000-0x0000000008416000-memory.dmp

Filesize
472KB

Download
memory/3796-150-0x00000000072E0000-0x0000000007302000-memory.dmp

Filesize
136KB

Download
memory/3796-146-0x00000000073E0000-0x0000000007A08000-memory.dmp

Filesize
6.2MB

Download
memory/3796-142-0x00000000049B2000-0x00000000049B3000-memory.dmp

Filesize
4KB

Download
memory/3796-140-0x00000000049B0000-0x00000000049B1000-memory.dmp

Filesize
4KB

Download
memory/3796-137-0x00000000048A0000-0x00000000048D6000-memory.dmp

Filesize
216KB

Download
memory/3796-130-0x0000000001260000-0x0000000001261000-memory.dmp

Filesize
4KB

Download
memory/3796-214-0x0000000007A80000-0x0000000007AE6000-memory.dmp

Filesize
408KB

Download
memory/3796-134-0x0000000001260000-0x0000000001261000-memory.dmp

Filesize
4KB

Download
memory/3796-127-0x0000000000000000-mapping.dmp

Download