Analysis
- max time kernel: 149s
- max time network: 149s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 21-01-2022 13:17
Static task: static1
Behavioral task: behavioral1
  Sample: Bon de commande.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: Bon de commande.exe
  Resource: win10-en-20211208
General
- Target: Bon de commande.exe
- Size: 26KB
- MD5: 00286c04e7817a33d830719ef9afda61
- SHA1: 3e59b07e3aa255dc4086c9c631d814ac201e9951
- SHA256: 263b305d6a17491a0dd9dd32c5e56536263326e716e0474a132c1d8f8cc0878d
- SHA512: 917d83abba42301eabf3e5bdc7450300150925955cc2b6ddb40b28338c2014ec30c234fad245bc19f5d5345f5ad5de55e0a738e7bb9fa96b765117c3410a8612
Malware Config
Extracted
- Family: bitrat
- Version: 1.38
- C2: severdops.ddns.net:3071
- communication_password: 29ef52e7563626a96cea7f4b4085c124
- tor_process: tor
Signatures
-
suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)
-
Processes:
resource | yara_rule
behavioral1/memory/1720-62-0x0000000000400000-0x00000000007E4000-memory.dmp | upx
behavioral1/memory/1720-63-0x0000000000400000-0x00000000007E4000-memory.dmp | upx
behavioral1/memory/1720-64-0x0000000000400000-0x00000000007E4000-memory.dmp | upx
behavioral1/memory/1720-65-0x0000000000400000-0x00000000007E4000-memory.dmp | upx
behavioral1/memory/1720-67-0x0000000000400000-0x00000000007E4000-memory.dmp | upx
-
Adds Run key to start application (2 TTPs, 1 IoC)
Processes: Bon de commande.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windowexe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Demo\\Windowexe.exe\"" | Bon de commande.exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger (5 IoCs)
Processes: Bon de commande.exe
pid | process
1720 | Bon de commande.exe
1720 | Bon de commande.exe
1720 | Bon de commande.exe
1720 | Bon de commande.exe
1720 | Bon de commande.exe
-
Suspicious use of SetThreadContext (1 IoC)
Processes: Bon de commande.exe
description | pid | process | target process
PID 1100 set thread context of 1720 | 1100 | Bon de commande.exe | Bon de commande.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe (1 TTP, 12 IoCs)
Processes: PING.EXE (12 instances)
pid | process
2040 | PING.EXE
604 | PING.EXE
1956 | PING.EXE
896 | PING.EXE
1080 | PING.EXE
936 | PING.EXE
1488 | PING.EXE
588 | PING.EXE
1652 | PING.EXE
560 | PING.EXE
1716 | PING.EXE
1412 | PING.EXE
-
Suspicious behavior: EnumeratesProcesses (1 IoC)
Processes: Bon de commande.exe
pid | process
1100 | Bon de commande.exe
-
Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes: Bon de commande.exe, Bon de commande.exe
description | pid | process
Token: SeDebugPrivilege | 1100 | Bon de commande.exe
Token: SeDebugPrivilege | 1720 | Bon de commande.exe
Token: SeShutdownPrivilege | 1720 | Bon de commande.exe
-
Suspicious use of SetWindowsHookEx (2 IoCs)
Processes: Bon de commande.exe
pid | process
1720 | Bon de commande.exe
1720 | Bon de commande.exe
-
Suspicious use of WriteProcessMemory (64 IoCs)
Processes: Bon de commande.exe, cmd.exe (8 instances)
description | pid | process | target process
PID 1100 wrote to memory of 472 | 1100 | Bon de commande.exe | cmd.exe
PID 1100 wrote to memory of 472 | 1100 | Bon de commande.exe | cmd.exe
PID 1100 wrote to memory of 472 | 1100 | Bon de commande.exe | cmd.exe
PID 1100 wrote to memory of 472 | 1100 | Bon de commande.exe | cmd.exe
PID 472 wrote to memory of 560 | 472 | cmd.exe | PING.EXE
PID 472 wrote to memory of 560 | 472 | cmd.exe | PING.EXE
PID 472 wrote to memory of 560 | 472 | cmd.exe | PING.EXE
PID 472 wrote to memory of 560 | 472 | cmd.exe | PING.EXE
PID 1100 wrote to memory of 1568 | 1100 | Bon de commande.exe | cmd.exe
PID 1100 wrote to memory of 1568 | 1100 | Bon de commande.exe | cmd.exe
PID 1100 wrote to memory of 1568 | 1100 | Bon de commande.exe | cmd.exe
PID 1100 wrote to memory of 1568 | 1100 | Bon de commande.exe | cmd.exe
PID 1568 wrote to memory of 604 | 1568 | cmd.exe | PING.EXE
PID 1568 wrote to memory of 604 | 1568 | cmd.exe | PING.EXE
PID 1568 wrote to memory of 604 | 1568 | cmd.exe | PING.EXE
PID 1568 wrote to memory of 604 | 1568 | cmd.exe | PING.EXE
PID 1100 wrote to memory of 1984 | 1100 | Bon de commande.exe | cmd.exe
PID 1100 wrote to memory of 1984 | 1100 | Bon de commande.exe | cmd.exe
PID 1100 wrote to memory of 1984 | 1100 | Bon de commande.exe | cmd.exe
PID 1100 wrote to memory of 1984 | 1100 | Bon de commande.exe | cmd.exe
PID 1984 wrote to memory of 1956 | 1984 | cmd.exe | PING.EXE
PID 1984 wrote to memory of 1956 | 1984 | cmd.exe | PING.EXE
PID 1984 wrote to memory of 1956 | 1984 | cmd.exe | PING.EXE
PID 1984 wrote to memory of 1956 | 1984 | cmd.exe | PING.EXE
PID 1100 wrote to memory of 2020 | 1100 | Bon de commande.exe | cmd.exe
PID 1100 wrote to memory of 2020 | 1100 | Bon de commande.exe | cmd.exe
PID 1100 wrote to memory of 2020 | 1100 | Bon de commande.exe | cmd.exe
PID 1100 wrote to memory of 2020 | 1100 | Bon de commande.exe | cmd.exe
PID 2020 wrote to memory of 1716 | 2020 | cmd.exe | PING.EXE
PID 2020 wrote to memory of 1716 | 2020 | cmd.exe | PING.EXE
PID 2020 wrote to memory of 1716 | 2020 | cmd.exe | PING.EXE
PID 2020 wrote to memory of 1716 | 2020 | cmd.exe | PING.EXE
PID 1100 wrote to memory of 1632 | 1100 | Bon de commande.exe | cmd.exe
PID 1100 wrote to memory of 1632 | 1100 | Bon de commande.exe | cmd.exe
PID 1100 wrote to memory of 1632 | 1100 | Bon de commande.exe | cmd.exe
PID 1100 wrote to memory of 1632 | 1100 | Bon de commande.exe | cmd.exe
PID 1632 wrote to memory of 1412 | 1632 | cmd.exe | PING.EXE
PID 1632 wrote to memory of 1412 | 1632 | cmd.exe | PING.EXE
PID 1632 wrote to memory of 1412 | 1632 | cmd.exe | PING.EXE
PID 1632 wrote to memory of 1412 | 1632 | cmd.exe | PING.EXE
PID 1100 wrote to memory of 1644 | 1100 | Bon de commande.exe | cmd.exe
PID 1100 wrote to memory of 1644 | 1100 | Bon de commande.exe | cmd.exe
PID 1100 wrote to memory of 1644 | 1100 | Bon de commande.exe | cmd.exe
PID 1100 wrote to memory of 1644 | 1100 | Bon de commande.exe | cmd.exe
PID 1644 wrote to memory of 1080 | 1644 | cmd.exe | PING.EXE
PID 1644 wrote to memory of 1080 | 1644 | cmd.exe | PING.EXE
PID 1644 wrote to memory of 1080 | 1644 | cmd.exe | PING.EXE
PID 1644 wrote to memory of 1080 | 1644 | cmd.exe | PING.EXE
PID 1100 wrote to memory of 1456 | 1100 | Bon de commande.exe | cmd.exe
PID 1100 wrote to memory of 1456 | 1100 | Bon de commande.exe | cmd.exe
PID 1100 wrote to memory of 1456 | 1100 | Bon de commande.exe | cmd.exe
PID 1100 wrote to memory of 1456 | 1100 | Bon de commande.exe | cmd.exe
PID 1456 wrote to memory of 936 | 1456 | cmd.exe | PING.EXE
PID 1456 wrote to memory of 936 | 1456 | cmd.exe | PING.EXE
PID 1456 wrote to memory of 936 | 1456 | cmd.exe | PING.EXE
PID 1456 wrote to memory of 936 | 1456 | cmd.exe | PING.EXE
PID 1100 wrote to memory of 1176 | 1100 | Bon de commande.exe | cmd.exe
PID 1100 wrote to memory of 1176 | 1100 | Bon de commande.exe | cmd.exe
PID 1100 wrote to memory of 1176 | 1100 | Bon de commande.exe | cmd.exe
PID 1100 wrote to memory of 1176 | 1100 | Bon de commande.exe | cmd.exe
PID 1176 wrote to memory of 1488 | 1176 | cmd.exe | PING.EXE
PID 1176 wrote to memory of 1488 | 1176 | cmd.exe | PING.EXE
PID 1176 wrote to memory of 1488 | 1176 | cmd.exe | PING.EXE
PID 1176 wrote to memory of 1488 | 1176 | cmd.exe | PING.EXE
Processes (tree; the number in parentheses is the nesting depth)
(1) C:\Users\Admin\AppData\Local\Temp\Bon de commande.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\Bon de commande.exe"
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    (2) C:\Windows\SysWOW64\cmd.exe
        cmdline: "C:\Windows\System32\cmd.exe" /C ping google.com
        - Suspicious use of WriteProcessMemory
        (3) C:\Windows\SysWOW64\PING.EXE
            cmdline: ping google.com
            - Runs ping.exe
    (2) C:\Windows\SysWOW64\cmd.exe
        cmdline: "C:\Windows\System32\cmd.exe" /C ping facebook.com
        - Suspicious use of WriteProcessMemory
        (3) C:\Windows\SysWOW64\PING.EXE
            cmdline: ping facebook.com
            - Runs ping.exe
    (2) C:\Windows\SysWOW64\cmd.exe
        cmdline: "C:\Windows\System32\cmd.exe" /C ping twitter.com
        - Suspicious use of WriteProcessMemory
        (3) C:\Windows\SysWOW64\PING.EXE
            cmdline: ping twitter.com
            - Runs ping.exe
    (2) C:\Windows\SysWOW64\cmd.exe
        cmdline: "C:\Windows\System32\cmd.exe" /C ping google.com
        - Suspicious use of WriteProcessMemory
        (3) C:\Windows\SysWOW64\PING.EXE
            cmdline: ping google.com
            - Runs ping.exe
    (2) C:\Windows\SysWOW64\cmd.exe
        cmdline: "C:\Windows\System32\cmd.exe" /C ping facebook.com
        - Suspicious use of WriteProcessMemory
        (3) C:\Windows\SysWOW64\PING.EXE
            cmdline: ping facebook.com
            - Runs ping.exe
    (2) C:\Windows\SysWOW64\cmd.exe
        cmdline: "C:\Windows\System32\cmd.exe" /C ping twitter.com
        - Suspicious use of WriteProcessMemory
        (3) C:\Windows\SysWOW64\PING.EXE
            cmdline: ping twitter.com
            - Runs ping.exe
    (2) C:\Windows\SysWOW64\cmd.exe
        cmdline: "C:\Windows\System32\cmd.exe" /C ping google.com
        - Suspicious use of WriteProcessMemory
        (3) C:\Windows\SysWOW64\PING.EXE
            cmdline: ping google.com
            - Runs ping.exe
    (2) C:\Windows\SysWOW64\cmd.exe
        cmdline: "C:\Windows\System32\cmd.exe" /C ping facebook.com
        - Suspicious use of WriteProcessMemory
        (3) C:\Windows\SysWOW64\PING.EXE
            cmdline: ping facebook.com
            - Runs ping.exe
    (2) C:\Windows\SysWOW64\cmd.exe
        cmdline: "C:\Windows\System32\cmd.exe" /C ping twitter.com
        (3) C:\Windows\SysWOW64\PING.EXE
            cmdline: ping twitter.com
            - Runs ping.exe
    (2) C:\Windows\SysWOW64\cmd.exe
        cmdline: "C:\Windows\System32\cmd.exe" /C ping google.com
        (3) C:\Windows\SysWOW64\PING.EXE
            cmdline: ping google.com
            - Runs ping.exe
    (2) C:\Windows\SysWOW64\cmd.exe
        cmdline: "C:\Windows\System32\cmd.exe" /C ping facebook.com
        (3) C:\Windows\SysWOW64\PING.EXE
            cmdline: ping facebook.com
            - Runs ping.exe
    (2) C:\Windows\SysWOW64\cmd.exe
        cmdline: "C:\Windows\System32\cmd.exe" /C ping twitter.com
        (3) C:\Windows\SysWOW64\PING.EXE
            cmdline: ping twitter.com
            - Runs ping.exe
    (2) C:\Users\Admin\AppData\Local\Temp\Bon de commande.exe
        cmdline: "C:\Users\Admin\AppData\Local\Temp\Bon de commande.exe"
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
resource | filesize
memory/1100-55-0x00000000003F0000-0x00000000003FC000-memory.dmp | 48KB
memory/1100-56-0x0000000075421000-0x0000000075423000-memory.dmp | 8KB
memory/1100-57-0x00000000055E0000-0x00000000055E1000-memory.dmp | 4KB
memory/1100-58-0x0000000006280000-0x000000000642E000-memory.dmp | 1.7MB
memory/1100-59-0x0000000007430000-0x00000000075C6000-memory.dmp | 1.6MB
memory/1100-60-0x0000000004B00000-0x0000000004B4C000-memory.dmp | 304KB
memory/1720-61-0x0000000000400000-0x00000000007E4000-memory.dmp | 3.9MB
memory/1720-62-0x0000000000400000-0x00000000007E4000-memory.dmp | 3.9MB
memory/1720-63-0x0000000000400000-0x00000000007E4000-memory.dmp | 3.9MB
memory/1720-64-0x0000000000400000-0x00000000007E4000-memory.dmp | 3.9MB
memory/1720-65-0x0000000000400000-0x00000000007E4000-memory.dmp | 3.9MB
memory/1720-67-0x0000000000400000-0x00000000007E4000-memory.dmp | 3.9MB
memory/1720-68-0x0000000000401000-0x00000000007E4000-memory.dmp | 3.9MB