8f161c203384b95bc5b20e122a9c1c68

General

Target: 8f161c203384b95bc5b20e122a9c1c68.exe
Filesize: 323KB
Completed: 20-01-2022 20:02
Score: 10/10
MD5: 8f161c203384b95bc5b20e122a9c1c68
SHA1: c72b4a03fef8c75ff0aab7bd97722249c9334ab0
SHA256: 4ea881ce90cbf4c9f6f26b940e062bbd147531c6754390f7e61784d892b54668

Malware Config

Extracted

Family: bitrat
Version: 1.38
C2: utfghjhkyut.duckdns.org:1882

Attributes

communication_password: 81dc9bdb52d04dc20036dbd8313ed055
install_dir: AppData
install_file: chrome.exe
tor_process: tor
Signatures 11

  • BitRAT

    Description

    BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

  • UPX packed file

    Description

    Detects executables packed with UPX/modified UPX open source packer.

    Reported IOCs

    resource | yara_rule
    behavioral1/memory/560-65-0x0000000000400000-0x00000000007E4000-memory.dmp | upx
    behavioral1/memory/560-66-0x0000000000400000-0x00000000007E4000-memory.dmp | upx
    behavioral1/memory/560-67-0x0000000000400000-0x00000000007E4000-memory.dmp | upx
    behavioral1/memory/560-69-0x0000000000400000-0x00000000007E4000-memory.dmp | upx
    behavioral1/memory/560-70-0x0000000000400000-0x00000000007E4000-memory.dmp | upx
  • Adds Run key to start application
    RegAsm.exe

    TTPs

    Registry Run Keys / Startup Folder
    Modify Registry

    Reported IOCs

    description | ioc | process
    Set value (str) | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\chrome = "C:\\Users\\Admin\\AppData\\Local\\AppData\\chrome.exe" | RegAsm.exe
  • Suspicious use of NtSetInformationThreadHideFromDebugger
    RegAsm.exe

    Reported IOCs

    pid | process
    560 | RegAsm.exe
    560 | RegAsm.exe
    560 | RegAsm.exe
    560 | RegAsm.exe
    560 | RegAsm.exe
  • Suspicious use of SetThreadContext
    8f161c203384b95bc5b20e122a9c1c68.exe

    Reported IOCs

    description | pid | process | target process
    PID 1108 set thread context of 560 | 1108 | 8f161c203384b95bc5b20e122a9c1c68.exe | RegAsm.exe
  • Enumerates physical storage devices

    Description

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    TTPs

    System Information Discovery
  • Runs ping.exe
    PING.EXE, PING.EXE, PING.EXE, PING.EXE, PING.EXE

    TTPs

    Remote System Discovery

    Reported IOCs

    pid | process
    1996 | PING.EXE
    2012 | PING.EXE
    1832 | PING.EXE
    1132 | PING.EXE
    1764 | PING.EXE
  • Suspicious behavior: EnumeratesProcesses
    powershell.exe, 8f161c203384b95bc5b20e122a9c1c68.exe

    Reported IOCs

    pid | process
    576 | powershell.exe
    1108 | 8f161c203384b95bc5b20e122a9c1c68.exe
    1108 | 8f161c203384b95bc5b20e122a9c1c68.exe
  • Suspicious use of AdjustPrivilegeToken
    8f161c203384b95bc5b20e122a9c1c68.exe, powershell.exe, RegAsm.exe

    Reported IOCs

    description | pid | process
    Token: SeDebugPrivilege | 1108 | 8f161c203384b95bc5b20e122a9c1c68.exe
    Token: SeDebugPrivilege | 576 | powershell.exe
    Token: SeDebugPrivilege | 560 | RegAsm.exe
    Token: SeShutdownPrivilege | 560 | RegAsm.exe
  • Suspicious use of SetWindowsHookEx
    RegAsm.exe

    Reported IOCs

    pid | process
    560 | RegAsm.exe
    560 | RegAsm.exe
  • Suspicious use of WriteProcessMemory
    8f161c203384b95bc5b20e122a9c1c68.exe, powershell.exe

    Reported IOCs

    description | pid | process | target process
    PID 1108 wrote to memory of 576 | 1108 | 8f161c203384b95bc5b20e122a9c1c68.exe | powershell.exe
    PID 1108 wrote to memory of 576 | 1108 | 8f161c203384b95bc5b20e122a9c1c68.exe | powershell.exe
    PID 1108 wrote to memory of 576 | 1108 | 8f161c203384b95bc5b20e122a9c1c68.exe | powershell.exe
    PID 1108 wrote to memory of 576 | 1108 | 8f161c203384b95bc5b20e122a9c1c68.exe | powershell.exe
    PID 576 wrote to memory of 1764 | 576 | powershell.exe | PING.EXE
    PID 576 wrote to memory of 1764 | 576 | powershell.exe | PING.EXE
    PID 576 wrote to memory of 1764 | 576 | powershell.exe | PING.EXE
    PID 576 wrote to memory of 1764 | 576 | powershell.exe | PING.EXE
    PID 576 wrote to memory of 1996 | 576 | powershell.exe | PING.EXE
    PID 576 wrote to memory of 1996 | 576 | powershell.exe | PING.EXE
    PID 576 wrote to memory of 1996 | 576 | powershell.exe | PING.EXE
    PID 576 wrote to memory of 1996 | 576 | powershell.exe | PING.EXE
    PID 576 wrote to memory of 2012 | 576 | powershell.exe | PING.EXE
    PID 576 wrote to memory of 2012 | 576 | powershell.exe | PING.EXE
    PID 576 wrote to memory of 2012 | 576 | powershell.exe | PING.EXE
    PID 576 wrote to memory of 2012 | 576 | powershell.exe | PING.EXE
    PID 576 wrote to memory of 1832 | 576 | powershell.exe | PING.EXE
    PID 576 wrote to memory of 1832 | 576 | powershell.exe | PING.EXE
    PID 576 wrote to memory of 1832 | 576 | powershell.exe | PING.EXE
    PID 576 wrote to memory of 1832 | 576 | powershell.exe | PING.EXE
    PID 576 wrote to memory of 1132 | 576 | powershell.exe | PING.EXE
    PID 576 wrote to memory of 1132 | 576 | powershell.exe | PING.EXE
    PID 576 wrote to memory of 1132 | 576 | powershell.exe | PING.EXE
    PID 576 wrote to memory of 1132 | 576 | powershell.exe | PING.EXE
    PID 1108 wrote to memory of 560 | 1108 | 8f161c203384b95bc5b20e122a9c1c68.exe | RegAsm.exe
    PID 1108 wrote to memory of 560 | 1108 | 8f161c203384b95bc5b20e122a9c1c68.exe | RegAsm.exe
    PID 1108 wrote to memory of 560 | 1108 | 8f161c203384b95bc5b20e122a9c1c68.exe | RegAsm.exe
    PID 1108 wrote to memory of 560 | 1108 | 8f161c203384b95bc5b20e122a9c1c68.exe | RegAsm.exe
    PID 1108 wrote to memory of 560 | 1108 | 8f161c203384b95bc5b20e122a9c1c68.exe | RegAsm.exe
    PID 1108 wrote to memory of 560 | 1108 | 8f161c203384b95bc5b20e122a9c1c68.exe | RegAsm.exe
    PID 1108 wrote to memory of 560 | 1108 | 8f161c203384b95bc5b20e122a9c1c68.exe | RegAsm.exe
    PID 1108 wrote to memory of 560 | 1108 | 8f161c203384b95bc5b20e122a9c1c68.exe | RegAsm.exe
    PID 1108 wrote to memory of 560 | 1108 | 8f161c203384b95bc5b20e122a9c1c68.exe | RegAsm.exe
    PID 1108 wrote to memory of 560 | 1108 | 8f161c203384b95bc5b20e122a9c1c68.exe | RegAsm.exe
    PID 1108 wrote to memory of 560 | 1108 | 8f161c203384b95bc5b20e122a9c1c68.exe | RegAsm.exe
Processes 8
  • C:\Users\Admin\AppData\Local\Temp\8f161c203384b95bc5b20e122a9c1c68.exe
    "C:\Users\Admin\AppData\Local\Temp\8f161c203384b95bc5b20e122a9c1c68.exe"
    Suspicious use of SetThreadContext
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of WriteProcessMemory
    PID:1108
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc cABpAG4AZwAgAHkAYQBoAG8AbwAuAGMAbwBtADsAIABwAGkAbgBnACAAeQBhAGgAbwBvAC4AYwBvAG0AOwBwAGkAbgBnACAAeQBhAGgAbwBvAC4AYwBvAG0AOwBwAGkAbgBnACAAeQBhAGgAbwBvAC4AYwBvAG0AOwBwAGkAbgBnACAAeQBhAGgAbwBvAC4AYwBvAG0AOwA=
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:576
      • C:\Windows\SysWOW64\PING.EXE
        "C:\Windows\system32\PING.EXE" yahoo.com
        Runs ping.exe
        PID:1764
      • C:\Windows\SysWOW64\PING.EXE
        "C:\Windows\system32\PING.EXE" yahoo.com
        Runs ping.exe
        PID:1996
      • C:\Windows\SysWOW64\PING.EXE
        "C:\Windows\system32\PING.EXE" yahoo.com
        Runs ping.exe
        PID:2012
      • C:\Windows\SysWOW64\PING.EXE
        "C:\Windows\system32\PING.EXE" yahoo.com
        Runs ping.exe
        PID:1832
      • C:\Windows\SysWOW64\PING.EXE
        "C:\Windows\system32\PING.EXE" yahoo.com
        Runs ping.exe
        PID:1132
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      Adds Run key to start application
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:560
Downloads
  • memory/560-65-0x0000000000400000-0x00000000007E4000-memory.dmp
  • memory/560-70-0x0000000000400000-0x00000000007E4000-memory.dmp
  • memory/560-64-0x0000000000400000-0x00000000007E4000-memory.dmp
  • memory/560-69-0x0000000000400000-0x00000000007E4000-memory.dmp
  • memory/560-67-0x0000000000400000-0x00000000007E4000-memory.dmp
  • memory/560-66-0x0000000000400000-0x00000000007E4000-memory.dmp
  • memory/560-71-0x0000000000401000-0x00000000007E4000-memory.dmp
  • memory/576-59-0x00000000025B0000-0x00000000031FA000-memory.dmp
  • memory/576-58-0x00000000025B0000-0x00000000031FA000-memory.dmp
  • memory/1108-63-0x0000000004ED0000-0x0000000004F1C000-memory.dmp
  • memory/1108-62-0x00000000061F0000-0x0000000006386000-memory.dmp
  • memory/1108-61-0x0000000005E60000-0x000000000600E000-memory.dmp
  • memory/1108-60-0x0000000005650000-0x0000000005651000-memory.dmp
  • memory/1108-54-0x0000000075431000-0x0000000075433000-memory.dmp
  • memory/1108-53-0x0000000000B80000-0x0000000000BD8000-memory.dmp