Overview

overview

10

Static

static

Juicio No ...IA.exe

windows7_x64

10

Juicio No ...IA.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    4265097s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    17-01-2022 19:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Juicio No 17292201700138, PRIMERA INSTANCIA.exe

  • Size

    292KB

  • MD5

    c7ef2678503427b2196bcd3043228fda

  • SHA1

    2939b316e7c6b30ca7b298bbbaf8cad789a92bc1

  • SHA256

    a74a193f0864f96cb4a8a49c01495cd2e6223893e832c494a70cba3d0e9b765c

  • SHA512

    697f21ec76268ad48d34ff07a5b647e86c2138c66e909e5b185651e9674047689757d2d646a57d2fdb297b6828c46e29ce3882fc04f59afc770d9b2d544b0e2c

Score
10/10
bitratsuricatatrojanupx

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

positivoooooo.duckdns.org:3005

Attributes
  • communication_password

    202cb962ac59075b964b07152d234b70

  • tor_process

    tor

Signatures

  • BitRAT

    BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

    trojanbitrat
  • suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)

    suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)

    suricata
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Juicio No 17292201700138, PRIMERA INSTANCIA.exe
    "C:\Users\Admin\AppData\Local\Temp\Juicio No 17292201700138, PRIMERA INSTANCIA.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1764
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc YwBtAGQAIAAvAGMAIAB0AGkAbQBlAG8AdQB0ACAAMQA5AA==
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2784
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c timeout 19
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:660
        • C:\Windows\SysWOW64\timeout.exe
          timeout 19
          4⤵
          • Delays execution with timeout.exe
          PID:1224
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      2⤵
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:1724
  • C:\Windows\system32\MusNotification.exe
    C:\Windows\system32\MusNotification.exe
    1⤵
    • Checks processor information in registry
    • Suspicious use of AdjustPrivilegeToken
    PID:3392

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

3
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/660-144-0x0000000000000000-mapping.dmp
    Download
  • memory/1224-145-0x0000000000000000-mapping.dmp
    Download
  • memory/1724-152-0x0000000000400000-0x00000000007E4000-memory.dmp
    Filesize

    3.9MB

    Download
  • memory/1724-151-0x0000000000400000-0x00000000007E4000-memory.dmp
    Filesize

    3.9MB

    Download
  • memory/1724-150-0x0000000000400000-0x00000000007E4000-memory.dmp
    Filesize

    3.9MB

    Download
  • memory/1724-149-0x0000000000000000-mapping.dmp
    Download
  • memory/1764-131-0x0000000000050000-0x000000000009E000-memory.dmp
    Filesize

    312KB

    Download
  • memory/1764-132-0x0000000004AF0000-0x0000000004AF1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1764-130-0x0000000000050000-0x000000000009E000-memory.dmp
    Filesize

    312KB

    Download
  • memory/1764-148-0x0000000000910000-0x00000000009A2000-memory.dmp
    Filesize

    584KB

    Download
  • memory/2784-135-0x0000000004E70000-0x0000000004E71000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2784-141-0x0000000007CC0000-0x0000000007D26000-memory.dmp
    Filesize

    408KB

    Download
  • memory/2784-142-0x0000000007D30000-0x0000000007D96000-memory.dmp
    Filesize

    408KB

    Download
  • memory/2784-143-0x0000000008560000-0x000000000857E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/2784-140-0x00000000074B0000-0x00000000074D2000-memory.dmp
    Filesize

    136KB

    Download
  • memory/2784-139-0x0000000007620000-0x0000000007C48000-memory.dmp
    Filesize

    6.2MB

    Download
  • memory/2784-146-0x0000000004E70000-0x0000000004E71000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2784-147-0x0000000006F65000-0x0000000006F67000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2784-138-0x0000000006F62000-0x0000000006F63000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2784-137-0x0000000006F60000-0x0000000006F61000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2784-136-0x0000000006FB0000-0x0000000006FE6000-memory.dmp
    Filesize

    216KB

    Download
  • memory/2784-134-0x0000000004E70000-0x0000000004E71000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2784-133-0x0000000000000000-mapping.dmp
    Download