cc7d7321cd0e93fb312ea39c0124256fa60b3335cd6632ec0e83ffb4bf2b3dc9

General

Target: cc7d7321cd0e93fb312ea39c0124256fa60b3335cd6632ec0e83ffb4bf2b3dc9.exe
Filesize: 1MB
Completed: 07-01-2022 12:15
Score: 10/10
MD5: a65b75567794b4d9f2558c672bd07dd5
SHA1: e217c9fde4b32680a11adf2200e673519f595bd3
SHA256: cc7d7321cd0e93fb312ea39c0124256fa60b3335cd6632ec0e83ffb4bf2b3dc9

Malware Config

Extracted

Family: bitrat
Version: 1.38
C2: severdops.ddns.net:3071
Attributes:
  communication_password: 29ef52e7563626a96cea7f4b4085c124
  install_dir: msWORLD
  install_file: excel.exe
  tor_process: tor
Signatures 8

Tactics: Defense Evasion, Persistence
  • BitRAT

    Description

    BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

  • UPX packed file

    Description

    Detects executables packed with UPX/modified UPX open source packer.

    Reported IOCs

    resource | yara_rule
    behavioral1/memory/2760-120-0x0000000000400000-0x00000000007E4000-memory.dmp | upx
    behavioral1/memory/2760-122-0x0000000000400000-0x00000000007E4000-memory.dmp | upx
    behavioral1/memory/2760-123-0x0000000000400000-0x00000000007E4000-memory.dmp | upx
  • Adds Run key to start application
    aspnet_compiler.exe

    TTPs

    Registry Run Keys / Startup Folder; Modify Registry

    Reported IOCs

    description | ioc | process
    Set value (str) | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows\CurrentVersion\Run\excel = "C:\\Users\\Admin\\AppData\\Local\\msWORLD\\excel.exe\uff00" | aspnet_compiler.exe
  • Suspicious use of NtSetInformationThreadHideFromDebugger
    aspnet_compiler.exe

    Reported IOCs

    pid | process
    2760 | aspnet_compiler.exe
    2760 | aspnet_compiler.exe
    2760 | aspnet_compiler.exe
    2760 | aspnet_compiler.exe
    2760 | aspnet_compiler.exe
  • Suspicious use of SetThreadContext
    cc7d7321cd0e93fb312ea39c0124256fa60b3335cd6632ec0e83ffb4bf2b3dc9.exe

    Reported IOCs

    description | pid | process | target process
    PID 2340 set thread context of 2760 | 2340 | cc7d7321cd0e93fb312ea39c0124256fa60b3335cd6632ec0e83ffb4bf2b3dc9.exe | aspnet_compiler.exe
  • Suspicious use of AdjustPrivilegeToken
    cc7d7321cd0e93fb312ea39c0124256fa60b3335cd6632ec0e83ffb4bf2b3dc9.exe, aspnet_compiler.exe

    Reported IOCs

    description | pid | process
    Token: SeDebugPrivilege | 2340 | cc7d7321cd0e93fb312ea39c0124256fa60b3335cd6632ec0e83ffb4bf2b3dc9.exe
    Token: SeShutdownPrivilege | 2760 | aspnet_compiler.exe
  • Suspicious use of SetWindowsHookEx
    aspnet_compiler.exe

    Reported IOCs

    pid | process
    2760 | aspnet_compiler.exe
    2760 | aspnet_compiler.exe
  • Suspicious use of WriteProcessMemory
    cc7d7321cd0e93fb312ea39c0124256fa60b3335cd6632ec0e83ffb4bf2b3dc9.exe

    Reported IOCs

    description | pid | process | target process
    PID 2340 wrote to memory of 2760 | 2340 | cc7d7321cd0e93fb312ea39c0124256fa60b3335cd6632ec0e83ffb4bf2b3dc9.exe | aspnet_compiler.exe
    PID 2340 wrote to memory of 2760 | 2340 | cc7d7321cd0e93fb312ea39c0124256fa60b3335cd6632ec0e83ffb4bf2b3dc9.exe | aspnet_compiler.exe
    PID 2340 wrote to memory of 2760 | 2340 | cc7d7321cd0e93fb312ea39c0124256fa60b3335cd6632ec0e83ffb4bf2b3dc9.exe | aspnet_compiler.exe
    PID 2340 wrote to memory of 2760 | 2340 | cc7d7321cd0e93fb312ea39c0124256fa60b3335cd6632ec0e83ffb4bf2b3dc9.exe | aspnet_compiler.exe
    PID 2340 wrote to memory of 2760 | 2340 | cc7d7321cd0e93fb312ea39c0124256fa60b3335cd6632ec0e83ffb4bf2b3dc9.exe | aspnet_compiler.exe
    PID 2340 wrote to memory of 2760 | 2340 | cc7d7321cd0e93fb312ea39c0124256fa60b3335cd6632ec0e83ffb4bf2b3dc9.exe | aspnet_compiler.exe
    PID 2340 wrote to memory of 2760 | 2340 | cc7d7321cd0e93fb312ea39c0124256fa60b3335cd6632ec0e83ffb4bf2b3dc9.exe | aspnet_compiler.exe
Processes 2
  • C:\Users\Admin\AppData\Local\Temp\cc7d7321cd0e93fb312ea39c0124256fa60b3335cd6632ec0e83ffb4bf2b3dc9.exe
    "C:\Users\Admin\AppData\Local\Temp\cc7d7321cd0e93fb312ea39c0124256fa60b3335cd6632ec0e83ffb4bf2b3dc9.exe"
    Suspicious use of SetThreadContext
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of WriteProcessMemory
    PID:2340
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
      Adds Run key to start application
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2760
Network
MITRE ATT&CK Matrix

Tactic columns: Collection, Command and Control, Credential Access, Defense Evasion, Discovery, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Privilege Escalation
Downloads
  • memory/2340-115-0x00000000008F0000-0x0000000000AE2000-memory.dmp
  • memory/2340-116-0x00000000008F0000-0x0000000000AE2000-memory.dmp
  • memory/2340-117-0x000000001B820000-0x000000001B822000-memory.dmp
  • memory/2340-118-0x000000001B830000-0x000000001BA1E000-memory.dmp
  • memory/2340-119-0x0000000000F10000-0x0000000000F1E000-memory.dmp
  • memory/2760-120-0x0000000000400000-0x00000000007E4000-memory.dmp
  • memory/2760-121-0x00000000007E2750-mapping.dmp
  • memory/2760-122-0x0000000000400000-0x00000000007E4000-memory.dmp
  • memory/2760-123-0x0000000000400000-0x00000000007E4000-memory.dmp