Bon de commande.exe

General
Target: Bon de commande.exe
Filesize: 26KB
Completed: 21-01-2022 13:20
Score: 10/10
MD5: 00286c04e7817a33d830719ef9afda61
SHA1: 3e59b07e3aa255dc4086c9c631d814ac201e9951
SHA256: 263b305d6a17491a0dd9dd32c5e56536263326e716e0474a132c1d8f8cc0878d

Malware Config

Extracted
Family: bitrat
Version: 1.38
C2: severdops.ddns.net:3071
Attributes
  communication_password: 29ef52e7563626a96cea7f4b4085c124
  tor_process: tor
Signatures (12)

Tactics: Defense Evasion, Discovery, Persistence

  • BitRAT

    Description

    BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

  • suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)

    Description

    Emerging Threats rule for the TLS server certificate presented by BitRAT command-and-control servers. It fired on traffic during the sandbox run, in line with the C2 extracted from the configuration (severdops.ddns.net:3071); the report's Network section holds no further flow details.

  • UPX packed file

    Description

    Detects executables packed with UPX/modified UPX open source packer.

    Reported IOCs

    resource | yara_rule
    behavioral1/memory/1720-62-0x0000000000400000-0x00000000007E4000-memory.dmp | upx
    behavioral1/memory/1720-63-0x0000000000400000-0x00000000007E4000-memory.dmp | upx
    behavioral1/memory/1720-64-0x0000000000400000-0x00000000007E4000-memory.dmp | upx
    behavioral1/memory/1720-65-0x0000000000400000-0x00000000007E4000-memory.dmp | upx
    behavioral1/memory/1720-67-0x0000000000400000-0x00000000007E4000-memory.dmp | upx
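
The UPX hits above come from yara matching dumps of the 0x400000-0x7E4000 region of PID 1720. As an added example, not part of this report or of any sandbox's own code, the following Python checks a PE file or a mapped memory dump for the same indicators: UPX0/UPX1 section names, the "UPX!" packer marker and a high-entropy section. The two images it scans are constructed inline (a UPX-style layout and a plain build); neither is the analysed file.

```python
import hashlib
import math
import struct

UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}
UPX_MARKER = b"UPX!"          # written by the packer into the header area of the image


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; compressed or encrypted data sits near 8.0, plain x86 code well below."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_sections(image: bytes):
    """Yield (name, virtual_address, virtual_size, raw_offset, raw_size) from the section table."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    num_sections = struct.unpack_from("<H", image, e_lfanew + 6)[0]
    size_of_opt = struct.unpack_from("<H", image, e_lfanew + 20)[0]
    table = e_lfanew + 24 + size_of_opt
    for i in range(num_sections):
        off = table + 40 * i
        name = image[off:off + 8].rstrip(b"\0")
        vsize, va, rsize, roff = struct.unpack_from("<IIII", image, off + 8)
        yield name, va, vsize, roff, rsize


def upx_indicators(image: bytes, mapped: bool = False) -> dict:
    """mapped=True for a memory dump (sections at their virtual addresses), False for a file on disk."""
    sections = list(pe_sections(image))
    names = [s[0] for s in sections]
    high_entropy = []
    for name, va, vsize, roff, rsize in sections:
        start, size = (va, vsize) if mapped else (roff, rsize)
        if size and shannon_entropy(image[start:start + size]) > 7.0:
            high_entropy.append(name)
    return {
        "section_names": names,
        "upx_sections": [n for n in names if n in UPX_SECTION_NAMES],
        # UPX's first section has no raw data on disk; the stub fills it when it unpacks in memory
        "empty_first_section": bool(sections) and sections[0][4] == 0,
        "marker": UPX_MARKER in image,
        "high_entropy_sections": high_entropy,
        "verdict": any(n in UPX_SECTION_NAMES for n in names) or UPX_MARKER in image,
    }


def _prng_bytes(n: int, seed: bytes = b"constructed-sample") -> bytes:
    """Deterministic high-entropy filler standing in for compressed code (constructed, not a payload)."""
    out, h = b"", seed
    while len(out) < n:
        h = hashlib.sha256(h).digest()
        out += h
    return out[:n]


def _build_pe(sections, trailer: bytes = b"") -> bytes:
    """Assemble a minimal PE from (name, virtual_size, virtual_address, raw_bytes) tuples. Test data only."""
    header_size = 0x200
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x102)
    optional = struct.pack("<H", 0x10B) + b"\0" * (0xE0 - 2)
    table, body, raw_off = b"", b"", header_size
    for name, vsize, va, raw in sections:
        table += struct.pack("<8sIIIIIIHHI", name, vsize, va, len(raw),
                             raw_off if raw else 0, 0, 0, 0, 0, 0x60000020)
        body += raw
        raw_off += len(raw)
    head = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x80)
    head = head.ljust(0x80, b"\0") + b"PE\0\0" + coff + optional + table + trailer
    return head.ljust(header_size, b"\0") + body


# Constructed samples: a UPX-style layout (empty UPX0, packed UPX1, "UPX!" marker) and a plain build
SAMPLE_PACKED = _build_pe(
    [(b"UPX0", 0x300000, 0x1000, b""), (b"UPX1", 0x1000, 0x301000, _prng_bytes(4096))],
    trailer=b"\0" * 8 + UPX_MARKER)
SAMPLE_CLEAN = _build_pe(
    [(b".text", 0x1000, 0x1000, b"\x55\x8b\xec\x90" * 1024), (b".data", 0x100, 0x2000, b"\0" * 256)])
```

For a dump of an already-mapped image such as the 0x400000-0x7E4000 region above, pass mapped=True so sections are sliced by VirtualAddress; since those dumps start at the image base, the virtual addresses are offsets into the dump. Section names are trivially renamed by a modified packer, so the entropy and marker checks are kept alongside the name check rather than replaced by it.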
  • Adds Run key to start application
    Bon de commande.exe

    TTPs

    Registry Run Keys / Startup Folder; Modify Registry

    Reported IOCs

    description | ioc | process
    Set value (str) | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windowexe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Demo\\Windowexe.exe\"" | Bon de commande.exe
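
The persistence value above (HKCU\...\Run\Windowexe pointing at the copy dropped under AppData\Roaming\Demo) is the kind of write a Sysmon Event ID 13 (RegistryEvent, value set) feed surfaces. As an added example that is not the report's or any vendor's code, the following Python evaluates such events, flagging Run/RunOnce values whose target lives in a user-writable directory and matching the exact IOC from this report. The Sysmon records it parses are constructed and simplified (no XML namespace, only the fields used), and the benign records are invented for contrast.

```python
import re
import xml.etree.ElementTree as ET

RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\([^\\]+)$", re.IGNORECASE)
# Locations a standard user can write to: autorun entries pointing here deserve a look
USER_WRITABLE_RE = re.compile(
    r"^(?:[a-z]:\\users\\[^\\]+\\appdata\\|[a-z]:\\users\\public\\|[a-z]:\\programdata\\|"
    r"[a-z]:\\windows\\temp\\|%(?:appdata|localappdata|temp|tmp)%)", re.IGNORECASE)

# IOC taken from the report: value name and dropped path of the BitRAT persistence entry
KNOWN_IOC_VALUE = "windowexe"
KNOWN_IOC_PATH_TAIL = r"\appdata\roaming\demo\windowexe.exe"


def exe_from_details(details: str) -> str:
    """Program path from a Run value's data: unwraps a quoted path or drops trailing arguments."""
    d = details.strip()
    if d.startswith('"'):
        end = d.find('"', 1)
        return d[1:end] if end > 0 else d[1:]
    return d.split(" ", 1)[0]


def assess_event(event_xml: str):
    """Return an alert dict for a suspicious Run-key write, or None."""
    root = ET.fromstring(event_xml)
    if root.findtext("System/EventID") != "13":
        return None
    data = {d.get("Name"): (d.text or "") for d in root.iter("Data")}
    m = RUN_KEY_RE.search(data.get("TargetObject", ""))
    if not m:
        return None
    target = exe_from_details(data.get("Details", ""))
    reasons = []
    if USER_WRITABLE_RE.match(target):
        reasons.append("autorun target in user-writable location")
    if m.group(2).lower() == KNOWN_IOC_VALUE or target.lower().endswith(KNOWN_IOC_PATH_TAIL):
        reasons.append("matches BitRAT IOC from report")
    if not reasons:
        return None
    return {"key": m.group(1), "value_name": m.group(2), "target": target,
            "writer": data.get("Image", ""), "reasons": reasons}


def scan(events):
    return [a for a in map(assess_event, events) if a]


def _event(image: str, target: str, details: str) -> str:
    """Constructed, simplified Sysmon Event ID 13 record."""
    return (
        "<Event><System><EventID>13</EventID></System><EventData>"
        '<Data Name="EventType">SetValue</Data>'
        f'<Data Name="Image">{image}</Data>'
        f'<Data Name="TargetObject">{target}</Data>'
        f'<Data Name="Details">{details}</Data>'
        "</EventData></Event>")


SAMPLE_EVENTS = [
    # the write seen in the report
    _event(r"C:\Users\Admin\AppData\Local\Temp\Bon de commande.exe",
           r"HKU\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windowexe",
           r'"C:\Users\Admin\AppData\Roaming\Demo\Windowexe.exe"'),
    # a benign machine-wide autorun (constructed)
    _event(r"C:\Windows\System32\msiexec.exe",
           r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
           r"%windir%\system32\SecurityHealthSystray.exe"),
    # a value write outside the Run keys (constructed)
    _event(r"C:\Windows\explorer.exe",
           r"HKU\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
           r"DWORD (0x00000001)"),
]
```

Sysmon reports user hives as HKU\<SID>\... while the sandbox shows the native \REGISTRY\USER\<SID>\... form; the regex anchors on the Software\Microsoft\Windows\CurrentVersion\Run tail so both spellings match. The user-writable heuristic is the durable part of the rule; the Windowexe name and Demo directory are specific to this sample.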
  • Suspicious use of NtSetInformationThreadHideFromDebugger
    Bon de commande.exe

    Reported IOCs

    pid | process
    1720 | Bon de commande.exe (5 events)
  • Suspicious use of SetThreadContext
    Bon de commande.exe

    Description

    PID 1100 starts a second copy of its own image (PID 1720) and then sets that process's thread context, the sequence seen in process hollowing. The UPX yara hits and the anti-debugging call above are reported for PID 1720, the process that receives the payload.

    Reported IOCs

    description | pid | process | target process
    PID 1100 set thread context of 1720 | 1100 | Bon de commande.exe | Bon de commande.exe
  • Enumerates physical storage devices

    Description

    Attempts to interact with connected storage/optical drive(s). The sandbox's generic text calls this likely ransomware behaviour; for a RAT such as BitRAT it is equally consistent with plain drive enumeration, so treat it as a discovery indicator rather than evidence of encryption.

    TTPs

    System Information Discovery
  • Runs ping.exe
    PING.EXE (12 processes)

    TTPs

    Remote System Discovery (sandbox mapping; the twelve pings target google.com, facebook.com and twitter.com in a repeating cycle, which reads as a connectivity check or delay loop rather than discovery of other hosts)

    Reported IOCs

    pid | process
    2040 | PING.EXE
    604 | PING.EXE
    1956 | PING.EXE
    896 | PING.EXE
    1080 | PING.EXE
    936 | PING.EXE
    1488 | PING.EXE
    588 | PING.EXE
    1652 | PING.EXE
    560 | PING.EXE
    1716 | PING.EXE
    1412 | PING.EXE
  • Suspicious behavior: EnumeratesProcesses
    Bon de commande.exe

    Reported IOCs

    pid | process
    1100 | Bon de commande.exe
  • Suspicious use of AdjustPrivilegeToken
    Bon de commande.exe (2 processes)

    Reported IOCs

    description | pid | process
    Token: SeDebugPrivilege | 1100 | Bon de commande.exe
    Token: SeDebugPrivilege | 1720 | Bon de commande.exe
    Token: SeShutdownPrivilege | 1720 | Bon de commande.exe
  • Suspicious use of SetWindowsHookEx
    Bon de commande.exe

    Reported IOCs

    pid | process
    1720 | Bon de commande.exe (2 events)
  • Suspicious use of WriteProcessMemory
    Bon de commande.exe, cmd.exe (8 processes)

    Reported IOCs

    description | pid | process | target process
    PID 1100 wrote to memory of 472 | 1100 | Bon de commande.exe | cmd.exe (4 events)
    PID 472 wrote to memory of 560 | 472 | cmd.exe | PING.EXE (4 events)
    PID 1100 wrote to memory of 1568 | 1100 | Bon de commande.exe | cmd.exe (4 events)
    PID 1568 wrote to memory of 604 | 1568 | cmd.exe | PING.EXE (4 events)
    PID 1100 wrote to memory of 1984 | 1100 | Bon de commande.exe | cmd.exe (4 events)
    PID 1984 wrote to memory of 1956 | 1984 | cmd.exe | PING.EXE (4 events)
    PID 1100 wrote to memory of 2020 | 1100 | Bon de commande.exe | cmd.exe (4 events)
    PID 2020 wrote to memory of 1716 | 2020 | cmd.exe | PING.EXE (4 events)
    PID 1100 wrote to memory of 1632 | 1100 | Bon de commande.exe | cmd.exe (4 events)
    PID 1632 wrote to memory of 1412 | 1632 | cmd.exe | PING.EXE (4 events)
    PID 1100 wrote to memory of 1644 | 1100 | Bon de commande.exe | cmd.exe (4 events)
    PID 1644 wrote to memory of 1080 | 1644 | cmd.exe | PING.EXE (4 events)
    PID 1100 wrote to memory of 1456 | 1100 | Bon de commande.exe | cmd.exe (4 events)
    PID 1456 wrote to memory of 936 | 1456 | cmd.exe | PING.EXE (4 events)
    PID 1100 wrote to memory of 1176 | 1100 | Bon de commande.exe | cmd.exe (4 events)
    PID 1176 wrote to memory of 1488 | 1176 | cmd.exe | PING.EXE (4 events)
Processes 26
  • C:\Users\Admin\AppData\Local\Temp\Bon de commande.exe
    "C:\Users\Admin\AppData\Local\Temp\Bon de commande.exe"
    Adds Run key to start application
    Suspicious use of SetThreadContext
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of WriteProcessMemory
    PID:1100
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C ping google.com
      Suspicious use of WriteProcessMemory
      PID:472
      • C:\Windows\SysWOW64\PING.EXE
        ping google.com
        Runs ping.exe
        PID:560
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C ping facebook.com
      Suspicious use of WriteProcessMemory
      PID:1568
      • C:\Windows\SysWOW64\PING.EXE
        ping facebook.com
        Runs ping.exe
        PID:604
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C ping twitter.com
      Suspicious use of WriteProcessMemory
      PID:1984
      • C:\Windows\SysWOW64\PING.EXE
        ping twitter.com
        Runs ping.exe
        PID:1956
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C ping google.com
      Suspicious use of WriteProcessMemory
      PID:2020
      • C:\Windows\SysWOW64\PING.EXE
        ping google.com
        Runs ping.exe
        PID:1716
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C ping facebook.com
      Suspicious use of WriteProcessMemory
      PID:1632
      • C:\Windows\SysWOW64\PING.EXE
        ping facebook.com
        Runs ping.exe
        PID:1412
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C ping twitter.com
      Suspicious use of WriteProcessMemory
      PID:1644
      • C:\Windows\SysWOW64\PING.EXE
        ping twitter.com
        Runs ping.exe
        PID:1080
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C ping google.com
      Suspicious use of WriteProcessMemory
      PID:1456
      • C:\Windows\SysWOW64\PING.EXE
        ping google.com
        Runs ping.exe
        PID:936
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C ping facebook.com
      Suspicious use of WriteProcessMemory
      PID:1176
      • C:\Windows\SysWOW64\PING.EXE
        ping facebook.com
        Runs ping.exe
        PID:1488
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C ping twitter.com
      PID:1108
      • C:\Windows\SysWOW64\PING.EXE
        ping twitter.com
        Runs ping.exe
        PID:588
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C ping google.com
      PID:1104
      • C:\Windows\SysWOW64\PING.EXE
        ping google.com
        Runs ping.exe
        PID:896
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C ping facebook.com
      PID:1092
      • C:\Windows\SysWOW64\PING.EXE
        ping facebook.com
        Runs ping.exe
        PID:2040
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C ping twitter.com
      PID:1972
      • C:\Windows\SysWOW64\PING.EXE
        ping twitter.com
        Runs ping.exe
        PID:1652
    • C:\Users\Admin\AppData\Local\Temp\Bon de commande.exe
      "C:\Users\Admin\AppData\Local\Temp\Bon de commande.exe"
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:1720
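
The process tree above shows two patterns worth encoding as detections: the dropper (PID 1100) launching twelve cmd.exe /C ping children in a google/facebook/twitter cycle, and the same dropper starting a second copy of its own image (PID 1720) that then carries the anti-debug and hook activity. As an added example that is neither the sandbox's nor BitRAT's code, the following Python rebuilds a process tree from (pid, ppid, image, command line) tuples and flags both patterns. The records it processes are constructed from the PIDs and command lines in this report; the explorer.exe parent (PID 900) and the "dir" child (PID 1300) are invented for contrast, and a production version would read Sysmon Event ID 1 (ProcessCreate) and add a time window.

```python
import re

# cmd.exe /C ping [options] <host>; the host is the last token, options like "-n 5" are skipped
PING_CMD_RE = re.compile(r"/c\s+ping(?:\.exe)?\s+(?:-\w+\s+\S+\s+)*(\S+)", re.IGNORECASE)


def build_tree(events):
    """events: iterable of (pid, ppid, image, cmdline). Returns {pid: process} with children linked."""
    procs = {pid: {"pid": pid, "ppid": ppid, "image": image, "cmdline": cmdline, "children": []}
             for pid, ppid, image, cmdline in events}
    for p in procs.values():
        parent = procs.get(p["ppid"])
        if parent is not None:
            parent["children"].append(p)
    return procs


def find_self_spawn(procs):
    """(parent_pid, child_pid) pairs where a process launched a copy of its own image.
    Weak on its own; the report pairs it with SetThreadContext from parent to child."""
    return sorted((procs[p["ppid"]]["pid"], p["pid"]) for p in procs.values()
                  if p["ppid"] in procs and procs[p["ppid"]]["image"].lower() == p["image"].lower())


def find_ping_loops(procs, min_count=3):
    """Parents that repeatedly run cmd.exe /C ping <host>; returns {parent_pid: summary}."""
    loops = {}
    for p in procs.values():
        hosts = []
        for child in p["children"]:
            if child["image"].lower().endswith("\\cmd.exe"):
                m = PING_CMD_RE.search(child["cmdline"])
                if m:
                    hosts.append(m.group(1).lower())
        if len(hosts) >= min_count:
            loops[p["pid"]] = {"image": p["image"], "count": len(hosts), "hosts": sorted(set(hosts))}
    return loops


def analyse(events):
    procs = build_tree(events)
    return {"self_spawn": find_self_spawn(procs), "ping_loops": find_ping_loops(procs)}


# Constructed records mirroring the report's tree (PIDs and command lines taken from the report;
# the explorer.exe parent and the "dir" child are invented for contrast)
MALWARE = r"C:\Users\Admin\AppData\Local\Temp\Bon de commande.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
PING = r"C:\Windows\SysWOW64\PING.EXE"
CMD_PIDS = [472, 1568, 1984, 2020, 1632, 1644, 1456, 1176, 1108, 1104, 1092, 1972]
PING_PIDS = [560, 604, 1956, 1716, 1412, 1080, 936, 1488, 588, 896, 2040, 1652]
HOSTS = ["google.com", "facebook.com", "twitter.com"]

SAMPLE_EVENTS = [(900, 4, r"C:\Windows\explorer.exe", "explorer.exe"),
                 (1100, 900, MALWARE, f'"{MALWARE}"'),
                 (1300, 900, CMD, f'"{CMD}" /C dir C:\\')]
for i, (cmd_pid, ping_pid) in enumerate(zip(CMD_PIDS, PING_PIDS)):
    host = HOSTS[i % 3]
    SAMPLE_EVENTS.append((cmd_pid, 1100, CMD, f'"C:\\Windows\\System32\\cmd.exe" /C ping {host}'))
    SAMPLE_EVENTS.append((ping_pid, cmd_pid, PING, f"ping {host}"))
SAMPLE_EVENTS.append((1720, 1100, MALWARE, f'"{MALWARE}"'))
```

The self-spawn check is deliberately a weak signal on its own (installers and browsers also start copies of themselves); in this report it becomes meaningful because the parent then calls SetThreadContext on the child. The ping loop is matched on the cmd.exe command line rather than on PING.EXE so that a sandbox or EDR that only records the first hop still triggers it.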
Network
MITRE ATT&CK Matrix
Columns: Collection, Command and Control, Credential Access, Defense Evasion, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Privilege Escalation
Techniques mapped by the signatures above: Persistence: Registry Run Keys / Startup Folder; Defense Evasion: Modify Registry; Discovery: System Information Discovery, Remote System Discovery
Downloads (memory dumps)
• memory/1100-55-0x00000000003F0000-0x00000000003FC000-memory.dmp
• memory/1100-56-0x0000000075421000-0x0000000075423000-memory.dmp
• memory/1100-57-0x00000000055E0000-0x00000000055E1000-memory.dmp
• memory/1100-58-0x0000000006280000-0x000000000642E000-memory.dmp
• memory/1100-59-0x0000000007430000-0x00000000075C6000-memory.dmp
• memory/1100-60-0x0000000004B00000-0x0000000004B4C000-memory.dmp
• memory/1720-61-0x0000000000400000-0x00000000007E4000-memory.dmp
• memory/1720-62-0x0000000000400000-0x00000000007E4000-memory.dmp
• memory/1720-63-0x0000000000400000-0x00000000007E4000-memory.dmp
• memory/1720-64-0x0000000000400000-0x00000000007E4000-memory.dmp
• memory/1720-65-0x0000000000400000-0x00000000007E4000-memory.dmp
• memory/1720-67-0x0000000000400000-0x00000000007E4000-memory.dmp
• memory/1720-68-0x0000000000401000-0x00000000007E4000-memory.dmp