Analysis
max time kernel: 150s
max time network: 147s
platform: windows10_x64
resource: win10-en-20211208
submitted: 10-01-2022 10:02
Static task: static1

Behavioral task: behavioral1
Sample: RECEIPTUSD97.00.exe
Resource: win7-en-20211208
Platform: windows7_x64
0 signatures
0 seconds

Behavioral task: behavioral2
Sample: RECEIPTUSD97.00.exe
Resource: win10-en-20211208
Platform: windows10_x64
0 signatures
0 seconds
General
Target: RECEIPTUSD97.00.exe
Size: 1.0MB
MD5: 08e0f6fc015b6008f3d0e583c94c8772
SHA1: ea87a156303f0cd82266734f7f9678faecffa18b
SHA256: 84e9426e79655328d7e51384cd16697772d5fa8043ef793e4777ec7e3c38c6d0
SHA512: bf340c263cf3a4c1d1d58304ce921f228e2e20a70eef29322ee01894a5b7b68b5646fd800a3c4ea826472450195b7228166272b9afff750f057f8bcdd514a35c
Score: 10/10
Malware Config
Extracted
Family: bitrat
Version: 1.38
C2: bitpeople.duckdns.org:9173
Attributes:
  communication_password: 81dc9bdb52d04dc20036dbd8313ed055
  tor_process: tor
Signatures

Adds Run key to start application (2 TTPs, 1 IoCs)
Processes: RECEIPTUSD97.00.exe
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows\CurrentVersion\Run\Xgbwmzqxzm = "C:\\Users\\Admin\\Contacts\\mzxqzmwbgX.url"
  process: RECEIPTUSD97.00.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (5 IoCs)
Processes: RECEIPTUSD97.00.exe
  pid 4340  process RECEIPTUSD97.00.exe
  pid 4340  process RECEIPTUSD97.00.exe
  pid 4340  process RECEIPTUSD97.00.exe
  pid 4340  process RECEIPTUSD97.00.exe
  pid 4340  process RECEIPTUSD97.00.exe

Suspicious use of SetThreadContext (1 IoCs)
Processes: RECEIPTUSD97.00.exe
  description: PID 3436 set thread context of 4340
  pid: 3436
  process: RECEIPTUSD97.00.exe
  target process: RECEIPTUSD97.00.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes: RECEIPTUSD97.00.exe
  description: Token: SeShutdownPrivilege
  pid: 4340
  process: RECEIPTUSD97.00.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
Processes: RECEIPTUSD97.00.exe
  pid 4340  process RECEIPTUSD97.00.exe
  pid 4340  process RECEIPTUSD97.00.exe

Suspicious use of WriteProcessMemory (5 IoCs)
Processes: RECEIPTUSD97.00.exe
  description: PID 3436 wrote to memory of 4340   pid: 3436   process: RECEIPTUSD97.00.exe   target process: RECEIPTUSD97.00.exe
  description: PID 3436 wrote to memory of 4340   pid: 3436   process: RECEIPTUSD97.00.exe   target process: RECEIPTUSD97.00.exe
  description: PID 3436 wrote to memory of 4340   pid: 3436   process: RECEIPTUSD97.00.exe   target process: RECEIPTUSD97.00.exe
  description: PID 3436 wrote to memory of 4340   pid: 3436   process: RECEIPTUSD97.00.exe   target process: RECEIPTUSD97.00.exe
  description: PID 3436 wrote to memory of 4340   pid: 3436   process: RECEIPTUSD97.00.exe   target process: RECEIPTUSD97.00.exe
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\RECEIPTUSD97.00.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\RECEIPTUSD97.00.exe"
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

  Level 2: C:\Users\Admin\AppData\Local\Temp\RECEIPTUSD97.00.exe
    command line: C:\Users\Admin\AppData\Local\Temp\RECEIPTUSD97.00.exe
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
memory/3436-114-0x00000000007C0000-0x00000000007C1000-memory.dmp  (Filesize: 4KB)
memory/3436-115-0x0000000002440000-0x0000000002441000-memory.dmp  (Filesize: 4KB)
memory/3436-116-0x0000000002441000-0x0000000002455000-memory.dmp  (Filesize: 80KB)
memory/4340-118-0x000000000068A488-mapping.dmp
memory/4340-117-0x0000000000400000-0x00000000007CE000-memory.dmp  (Filesize: 3.8MB)
memory/4340-119-0x0000000000400000-0x00000000007CE000-memory.dmp  (Filesize: 3.8MB)