Analysis
max time kernel: 4265097s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-en-20220112
submitted: 17-01-2022 19:09
Static task: static1
Behavioral task: behavioral1
Sample: Juicio No 17292201700138, PRIMERA INSTANCIA.exe
Resource: win7-en-20211208
General
Target: Juicio No 17292201700138, PRIMERA INSTANCIA.exe
Size: 292KB
MD5: c7ef2678503427b2196bcd3043228fda
SHA1: 2939b316e7c6b30ca7b298bbbaf8cad789a92bc1
SHA256: a74a193f0864f96cb4a8a49c01495cd2e6223893e832c494a70cba3d0e9b765c
SHA512: 697f21ec76268ad48d34ff07a5b647e86c2138c66e909e5b185651e9674047689757d2d646a57d2fdb297b6828c46e29ce3882fc04f59afc770d9b2d544b0e2c
Malware Config
Extracted
Family: bitrat
Version: 1.38
C2: positivoooooo.duckdns.org:3005
communication_password: 202cb962ac59075b964b07152d234b70
tor_process: tor
Signatures
-
suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)
-
Processes:
resource | yara_rule
behavioral2/memory/1724-150-0x0000000000400000-0x00000000007E4000-memory.dmp | upx
behavioral2/memory/1724-151-0x0000000000400000-0x00000000007E4000-memory.dmp | upx
behavioral2/memory/1724-152-0x0000000000400000-0x00000000007E4000-memory.dmp | upx
-
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: Juicio No 17292201700138, PRIMERA INSTANCIA.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation | Juicio No 17292201700138, PRIMERA INSTANCIA.exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger (5 IoCs)
Processes: InstallUtil.exe
pid | process
1724 | InstallUtil.exe (5 entries)
-
Suspicious use of SetThreadContext (1 IoCs)
Processes: Juicio No 17292201700138, PRIMERA INSTANCIA.exe
description | pid | process | target process
PID 1764 set thread context of 1724 | 1764 | Juicio No 17292201700138, PRIMERA INSTANCIA.exe | InstallUtil.exe
-
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: MusNotification.exe
description | ioc | process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | MusNotification.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | MusNotification.exe
-
Delays execution with timeout.exe (1 IoCs)
Processes: timeout.exe
pid | process
1224 | timeout.exe
-
Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes: powershell.exe, Juicio No 17292201700138, PRIMERA INSTANCIA.exe
pid | process
2784 | powershell.exe (2 entries)
1764 | Juicio No 17292201700138, PRIMERA INSTANCIA.exe (2 entries)
-
Suspicious use of AdjustPrivilegeToken (5 IoCs)
Processes: Juicio No 17292201700138, PRIMERA INSTANCIA.exe, powershell.exe, MusNotification.exe, InstallUtil.exe
description | pid | process
Token: SeDebugPrivilege | 1764 | Juicio No 17292201700138, PRIMERA INSTANCIA.exe
Token: SeDebugPrivilege | 2784 | powershell.exe
Token: SeShutdownPrivilege | 3392 | MusNotification.exe
Token: SeCreatePagefilePrivilege | 3392 | MusNotification.exe
Token: SeShutdownPrivilege | 1724 | InstallUtil.exe
-
Suspicious use of SetWindowsHookEx (2 IoCs)
Processes: InstallUtil.exe
pid | process
1724 | InstallUtil.exe (2 entries)
-
Suspicious use of WriteProcessMemory (16 IoCs)
Processes: Juicio No 17292201700138, PRIMERA INSTANCIA.exe, powershell.exe, cmd.exe
description | pid | process | target process
PID 1764 wrote to memory of 2784 | 1764 | Juicio No 17292201700138, PRIMERA INSTANCIA.exe | powershell.exe (3 entries)
PID 2784 wrote to memory of 660 | 2784 | powershell.exe | cmd.exe (3 entries)
PID 660 wrote to memory of 1224 | 660 | cmd.exe | timeout.exe (3 entries)
PID 1764 wrote to memory of 1724 | 1764 | Juicio No 17292201700138, PRIMERA INSTANCIA.exe | InstallUtil.exe (7 entries)
Processes
-
[1] C:\Users\Admin\AppData\Local\Temp\Juicio No 17292201700138, PRIMERA INSTANCIA.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Juicio No 17292201700138, PRIMERA INSTANCIA.exe"
    - Checks computer location settings
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    -
    [2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc YwBtAGQAIAAvAGMAIAB0AGkAbQBlAG8AdQB0ACAAMQA5AA==
        (the -enc argument is UTF-16LE base64 and decodes to: cmd /c timeout 19)
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        -
        [3] C:\Windows\SysWOW64\cmd.exe
            Command line: "C:\Windows\system32\cmd.exe" /c timeout 19
            - Suspicious use of WriteProcessMemory
            -
            [4] C:\Windows\SysWOW64\timeout.exe
                Command line: timeout 19
                - Delays execution with timeout.exe
    -
    [2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
-
[1] C:\Windows\system32\MusNotification.exe
    Command line: C:\Windows\system32\MusNotification.exe
    - Checks processor information in registry
    - Suspicious use of AdjustPrivilegeToken