Document.exe

General
Target:     Document.exe
Filesize:   839KB
Completed:  19-01-2022 14:59
Score:      10/10
MD5:        2a5a12f5a3bc62ecd263e1ebde57cba7
SHA1:       f1d3ba0fc6343e145663c944e6aeebe5e96eaa6b
SHA256:     b93811479bf82f08e97be19c596166482cdb2b31b8762c8c310307dfd6dab61e

Malware Config

Extracted
Family:     bitrat
Version:    1.38
C2:         covid66758.ddns.net:9090

Attributes
communication_password:  b4df9f494056d51f86c7f1a89850c467
tor_process:             tor
Signatures 8


Defense Evasion
Persistence
  • BitRAT

    Description

    BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

  • suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)

    Description

    suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)

  • UPX packed file

    Description

    Detects executables packed with UPX/modified UPX open source packer.

    Reported IOCs

    resource                                                                     | yara_rule
    behavioral1/memory/1296-88-0x0000000072480000-0x0000000072864000-memory.dmp | upx
    behavioral1/memory/1296-93-0x0000000072480000-0x0000000072864000-memory.dmp | upx
  • Adds Run key to start application
    Document.exe

    TTPs

    Registry Run Keys / Startup Folder; Modify Registry

    Reported IOCs

    description     | ioc                                                                                                                                                 | process
    Set value (str) | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\Nzmmycmfys = "C:\\Users\\Admin\\Contacts\\syfmcymmzN.url" | Document.exe
  • Suspicious use of NtSetInformationThreadHideFromDebugger
    logagent.exe

    Reported IOCs

    pid  | process
    1296 | logagent.exe
    (identical row reported 5 times)
  • Suspicious use of AdjustPrivilegeToken
    logagent.exe

    Reported IOCs

    description                | pid  | process
    Token: SeDebugPrivilege    | 1296 | logagent.exe
    Token: SeShutdownPrivilege | 1296 | logagent.exe
  • Suspicious use of SetWindowsHookEx
    logagent.exe

    Reported IOCs

    pid  | process
    1296 | logagent.exe
    (identical row reported 2 times)
  • Suspicious use of WriteProcessMemory
    Document.exe

    Reported IOCs

    description                       | pid  | process      | target process
    PID 1412 wrote to memory of 1296  | 1412 | Document.exe | logagent.exe
    (identical row reported 24 times)
Processes 2
  • C:\Users\Admin\AppData\Local\Temp\Document.exe
    "C:\Users\Admin\AppData\Local\Temp\Document.exe"
    Adds Run key to start application
    Suspicious use of WriteProcessMemory
    PID:1412
    • C:\Windows\SysWOW64\logagent.exe
      C:\Windows\System32\logagent.exe
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:1296
Network

MITRE ATT&CK Matrix
Collection | Command and Control | Credential Access | Defense Evasion | Discovery | Execution | Exfiltration | Impact | Initial Access | Lateral Movement | Privilege Escalation

Downloads
  • memory/1296-91-0x00000000000C0000-0x00000000000C1000-memory.dmp
  • memory/1296-92-0x00000000002A0000-0x00000000002A1000-memory.dmp
  • memory/1296-66-0x0000000000080000-0x0000000000081000-memory.dmp
  • memory/1296-85-0x0000000072480000-0x0000000072864000-memory.dmp
  • memory/1296-88-0x0000000072480000-0x0000000072864000-memory.dmp
  • memory/1296-90-0x0000000000080000-0x0000000000081000-memory.dmp
  • memory/1296-93-0x0000000072480000-0x0000000072864000-memory.dmp
  • memory/1412-54-0x0000000076851000-0x0000000076853000-memory.dmp
  • memory/1412-55-0x0000000000330000-0x0000000000331000-memory.dmp