Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 07-01-2022 13:01

Static task: static1
Behavioral task: behavioral1
Sample: 9401cf9f73dfb187bf4cef05d8cfe72b.exe
Resource: win7-en-20211208
General
- Target: 9401cf9f73dfb187bf4cef05d8cfe72b.exe
- Size: 2.2MB
- MD5: 9401cf9f73dfb187bf4cef05d8cfe72b
- SHA1: 4af6544d8c94bb673f826a0ba4d24698150b1089
- SHA256: bb8298b28cd913814c41d7b6a878b8e2a2da7eb34083c901a5408413fed93b45
- SHA512: 8438c79aa1ac9779bdab11a3f46f174aad97a7bc2fd1f571d42ef8817dc8477b68468be7445c789d125c1b8749338e047e20301d0a11b9e52dacf947abb65dd4
Malware Config
Extracted
- family: bitrat
- version: 1.38
- c2: severdops.ddns.net:3071
- communication_password: 29ef52e7563626a96cea7f4b4085c124
- tor_process: tor
Signatures
- suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)
- suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)
- Looks for VirtualBox Guest Additions in registry (2 TTPs)
- Looks for VMWare Tools registry key (2 TTPs)
Processes:
  resource                                                              | yara_rule
  behavioral1/memory/980-72-0x0000000000400000-0x00000000007E5000-memory.dmp | upx
  behavioral1/memory/980-73-0x0000000000400000-0x00000000007E5000-memory.dmp | upx
  behavioral1/memory/980-74-0x0000000000400000-0x00000000007E5000-memory.dmp | upx
  behavioral1/memory/980-75-0x0000000000400000-0x00000000007E5000-memory.dmp | upx
  behavioral1/memory/980-79-0x0000000000400000-0x00000000007E5000-memory.dmp | upx
  behavioral1/memory/980-81-0x0000000000400000-0x00000000007E5000-memory.dmp | upx
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes: 9401cf9f73dfb187bf4cef05d8cfe72b.exe
  description       | ioc                                                              | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  | 9401cf9f73dfb187bf4cef05d8cfe72b.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   | 9401cf9f73dfb187bf4cef05d8cfe72b.exe
- Windows security modification
Processes: 9401cf9f73dfb187bf4cef05d8cfe72b.exe
  description     | ioc                                                                                                                                     | process
  Key created     | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths                                                       | 9401cf9f73dfb187bf4cef05d8cfe72b.exe
  Key created     | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions                                                             | 9401cf9f73dfb187bf4cef05d8cfe72b.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Public\Documents\TATTOOISTSEAB\svchost.exe = "0" | 9401cf9f73dfb187bf4cef05d8cfe72b.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\9401cf9f73dfb187bf4cef05d8cfe72b.exe = "0" | 9401cf9f73dfb187bf4cef05d8cfe72b.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: 9401cf9f73dfb187bf4cef05d8cfe72b.exe
  description     | ioc                                                                                                                                                                 | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\WAISTERSFDC = "C:\\Users\\Public\\Documents\\TATTOOISTSEAB\\svchost.exe" | 9401cf9f73dfb187bf4cef05d8cfe72b.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\WAISTERSFDC = "C:\\Users\\Public\\Documents\\TATTOOISTSEAB\\svchost.exe"     | 9401cf9f73dfb187bf4cef05d8cfe72b.exe
- Maps connected drives based on registry (3 TTPs, 2 IoCs)
Disk information is often read in order to detect sandboxing environments.
Processes: 9401cf9f73dfb187bf4cef05d8cfe72b.exe
  description       | ioc                                                          | process
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0  | 9401cf9f73dfb187bf4cef05d8cfe72b.exe
  Key opened        | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum    | 9401cf9f73dfb187bf4cef05d8cfe72b.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (5 IoCs)
Processes: aspnet_wp.exe
  pid | process
  980 | aspnet_wp.exe   (5 events)
- Suspicious use of SetThreadContext (1 IoC)
Processes: 9401cf9f73dfb187bf4cef05d8cfe72b.exe
  description                         | pid  | process                               | target process
  PID 1636 set thread context of 980  | 1636 | 9401cf9f73dfb187bf4cef05d8cfe72b.exe  | aspnet_wp.exe
- Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (13 IoCs)
Processes: 9401cf9f73dfb187bf4cef05d8cfe72b.exe, powershell.exe, powershell.exe, powershell.exe
  pid  | process
  1636 | 9401cf9f73dfb187bf4cef05d8cfe72b.exe   (10 events)
  400  | powershell.exe
  1396 | powershell.exe
  840  | powershell.exe
- Suspicious use of AdjustPrivilegeToken (6 IoCs)
Processes: 9401cf9f73dfb187bf4cef05d8cfe72b.exe, powershell.exe, powershell.exe, powershell.exe, aspnet_wp.exe
  description                | pid  | process
  Token: SeDebugPrivilege    | 1636 | 9401cf9f73dfb187bf4cef05d8cfe72b.exe
  Token: SeDebugPrivilege    | 400  | powershell.exe
  Token: SeDebugPrivilege    | 1396 | powershell.exe
  Token: SeDebugPrivilege    | 840  | powershell.exe
  Token: SeDebugPrivilege    | 980  | aspnet_wp.exe
  Token: SeShutdownPrivilege | 980  | aspnet_wp.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
Processes: aspnet_wp.exe
  pid | process
  980 | aspnet_wp.exe   (2 events)
- Suspicious use of WriteProcessMemory (25 IoCs)
Processes: 9401cf9f73dfb187bf4cef05d8cfe72b.exe
  description                        | pid  | process                               | target process
  PID 1636 wrote to memory of 840    | 1636 | 9401cf9f73dfb187bf4cef05d8cfe72b.exe  | powershell.exe     (4 events)
  PID 1636 wrote to memory of 1396   | 1636 | 9401cf9f73dfb187bf4cef05d8cfe72b.exe  | powershell.exe     (4 events)
  PID 1636 wrote to memory of 400    | 1636 | 9401cf9f73dfb187bf4cef05d8cfe72b.exe  | powershell.exe     (4 events)
  PID 1636 wrote to memory of 1580   | 1636 | 9401cf9f73dfb187bf4cef05d8cfe72b.exe  | aspnet_state.exe   (4 events)
  PID 1636 wrote to memory of 980    | 1636 | 9401cf9f73dfb187bf4cef05d8cfe72b.exe  | aspnet_wp.exe      (9 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\9401cf9f73dfb187bf4cef05d8cfe72b.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\9401cf9f73dfb187bf4cef05d8cfe72b.exe"
  - Checks BIOS information in registry
  - Windows security modification
  - Adds Run key to start application
  - Maps connected drives based on registry
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Public\Documents\TATTOOISTSEAB\svchost.exe" -Force
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Public\Documents\TATTOOISTSEAB\svchost.exe" -Force
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\9401cf9f73dfb187bf4cef05d8cfe72b.exe" -Force
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe (depth 2)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe"

  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe (depth 2)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  MD5: 2aa07dcfa3a8ed243e15733dd2a5ad25
  SHA1: 3a595f0eb570341e61f7914f97077ae321d3a900
  SHA256: 154b0852c9fa45e9de60bc793fc059d22af5a4ad307ec16bce069035cae7e304
  SHA512: a324103b2fcada038580dd2221813a27cfa71a60dca69f19c2fff97c1678be0a32e3d96f34b5f5bf5114ace8b6b6bdd81bbca98574e1cf980707a98f6b0086f8
- memory/400-63-0x0000000000000000-mapping.dmp
- memory/400-84-0x00000000022A2000-0x00000000022A4000-memory.dmp (Filesize: 8KB)
- memory/400-78-0x00000000022A1000-0x00000000022A2000-memory.dmp (Filesize: 4KB)
- memory/400-69-0x00000000022A0000-0x00000000022A1000-memory.dmp (Filesize: 4KB)
- memory/840-70-0x00000000024C0000-0x000000000310A000-memory.dmp (Filesize: 12.3MB)
- memory/840-64-0x0000000075801000-0x0000000075803000-memory.dmp (Filesize: 8KB)
- memory/840-61-0x0000000000000000-mapping.dmp
- memory/840-85-0x00000000024C0000-0x000000000310A000-memory.dmp (Filesize: 12.3MB)
- memory/840-83-0x00000000024C0000-0x000000000310A000-memory.dmp (Filesize: 12.3MB)
- memory/980-79-0x0000000000400000-0x00000000007E5000-memory.dmp (Filesize: 3.9MB)
- memory/980-75-0x0000000000400000-0x00000000007E5000-memory.dmp (Filesize: 3.9MB)
- memory/980-81-0x0000000000400000-0x00000000007E5000-memory.dmp (Filesize: 3.9MB)
- memory/980-76-0x00000000007E2730-mapping.dmp
- memory/980-74-0x0000000000400000-0x00000000007E5000-memory.dmp (Filesize: 3.9MB)
- memory/980-71-0x0000000000400000-0x00000000007E5000-memory.dmp (Filesize: 3.9MB)
- memory/980-72-0x0000000000400000-0x00000000007E5000-memory.dmp (Filesize: 3.9MB)
- memory/980-73-0x0000000000400000-0x00000000007E5000-memory.dmp (Filesize: 3.9MB)
- memory/1396-77-0x0000000002011000-0x0000000002012000-memory.dmp (Filesize: 4KB)
- memory/1396-68-0x0000000002010000-0x0000000002011000-memory.dmp (Filesize: 4KB)
- memory/1396-82-0x0000000002012000-0x0000000002014000-memory.dmp (Filesize: 8KB)
- memory/1396-62-0x0000000000000000-mapping.dmp
- memory/1636-54-0x0000000000200000-0x000000000043C000-memory.dmp (Filesize: 2.2MB)
- memory/1636-58-0x0000000004FF0000-0x0000000004FF1000-memory.dmp (Filesize: 4KB)
- memory/1636-56-0x00000000004B0000-0x00000000004B8000-memory.dmp (Filesize: 32KB)
- memory/1636-60-0x0000000000950000-0x00000000009E4000-memory.dmp (Filesize: 592KB)
- memory/1636-57-0x00000000004C0000-0x00000000004C8000-memory.dmp (Filesize: 32KB)
- memory/1636-59-0x0000000006030000-0x000000000623C000-memory.dmp (Filesize: 2.0MB)
- memory/1636-55-0x0000000000460000-0x0000000000468000-memory.dmp (Filesize: 32KB)