Analysis
- max time kernel: 149s
- max time network: 153s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 12-01-2022 17:47
Static task: static1
Behavioral task: behavioral1
Sample: Document.exe
Resource: win7-en-20211208 (windows7_x64)
0 signatures, 0 seconds
General
- Target: Document.exe
- Size: 435KB
- MD5: 12103b3952c09d930bf11af9df5b3ac4
- SHA1: 914ec6513405dfe91192ed9ae2e82c9fe32c366a
- SHA256: 4da51788f3414e7329cf4b720086550d686fa3d557c86b573a1eb0b218403c5f
- SHA512: a7c09de2b7d617b780238df68abf5d6c80b791af8da4d32eb56f96efe1c03cbb46c5332ed287dd8a32bd42f76d17b19b442bb854f3dbd03f80b3ebb377680064
Malware Config
Extracted
Family: bitrat
Version: 1.38
C2: covid1987.ddns.net:9090
Attributes:
- communication_password: b4df9f494056d51f86c7f1a89850c467
- tor_process: tor
Signatures
-
suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)
- Downloads MZ/PE file
- Suspicious use of NtSetInformationThreadHideFromDebugger (5 IoCs)
  Processes (pid, process):
    2160  RegAsm.exe  (5 occurrences)
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description, pid, process, target process):
    PID 1572 set thread context of 2160  1572  Document.exe  RegAsm.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description, pid, process):
    Token: SeDebugPrivilege     1572  Document.exe
    Token: SeShutdownPrivilege  2160  RegAsm.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes (pid, process):
    2160  RegAsm.exe  (2 occurrences)
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes (description, pid, process, target process):
    PID 1572 wrote to memory of 2160  1572  Document.exe  RegAsm.exe  (11 occurrences)
Processes
- C:\Users\Admin\AppData\Local\Temp\Document.exe (tree depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Document.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (tree depth 2)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix
Downloads (file, filesize)
- memory/1572-115-0x0000000000D80000-0x0000000000DF4000-memory.dmp  464KB
- memory/1572-116-0x0000000000D80000-0x0000000000DF4000-memory.dmp  464KB
- memory/1572-117-0x0000000005D10000-0x000000000620E000-memory.dmp  5.0MB
- memory/1572-118-0x00000000056B0000-0x0000000005742000-memory.dmp  584KB
- memory/1572-119-0x0000000005620000-0x000000000562A000-memory.dmp  40KB
- memory/1572-120-0x0000000005810000-0x0000000005D0E000-memory.dmp  5.0MB
- memory/1572-121-0x0000000005810000-0x0000000005D0E000-memory.dmp  5.0MB
- memory/1572-122-0x0000000007F90000-0x0000000007FB6000-memory.dmp  152KB
- memory/2160-124-0x000000000068A488-mapping.dmp
- memory/2160-123-0x0000000000400000-0x00000000007CE000-memory.dmp  3.8MB
- memory/2160-125-0x0000000000400000-0x00000000007CE000-memory.dmp  3.8MB
- memory/2160-126-0x0000000000400000-0x00000000007CE000-memory.dmp  3.8MB