Analysis
-
max time kernel
150s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220112 -
submitted
06-02-2022 15:31
General
-
Target
RequestORDERQuote.exe
-
Size
2.3MB
-
MD5
3f02190df38e5dadd7e1b694f547c539
-
SHA1
32769a00df7264940c155f9a2222812e0fbf86be
-
SHA256
91b24eab863880a23663f812e043b6b83dab1e658b234b1b98521e28071527b9
-
SHA512
5068205c43a7fc49fb1b0e1b48526181355e0af091b2086ab35e37a60dbb8d3136f5325b7b614402a9f52515a08e67d5255b195b71a5c5e5332a24098a9b24da
Score
10/10
Malware Config
Extracted
Family
bitrat
Version
1.35
C2
vst.fastestmaking.com:5433
Attributes
-
communication_password
331316d4efb44682092a006307b9ae3a
-
tor_process
tor
Signatures
-
BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Windows directory 1 IoCs
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies data under HKEY_USERS 47 IoCs
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 17 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\RequestORDERQuote.exe"C:\Users\Admin\AppData\Local\Temp\RequestORDERQuote.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RequestORDERQuote.exeC:\Users\Admin\AppData\Local\Temp\RequestORDERQuote.exe2⤵
-
C:\Users\Admin\AppData\Local\Temp\RequestORDERQuote.exeC:\Users\Admin\AppData\Local\Temp\RequestORDERQuote.exe2⤵
-
C:\Users\Admin\AppData\Local\Temp\RequestORDERQuote.exeC:\Users\Admin\AppData\Local\Temp\RequestORDERQuote.exe2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\MusNotifyIcon.exe%systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 131⤵
- Checks processor information in registry
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/3336-135-0x0000000000400000-0x00000000007CE000-memory.dmpFilesize
3.8MB
-
memory/3336-136-0x0000000000400000-0x00000000007CE000-memory.dmpFilesize
3.8MB
-
memory/3824-130-0x0000000000DD0000-0x0000000001022000-memory.dmpFilesize
2.3MB
-
memory/3824-131-0x00000000060B0000-0x0000000006654000-memory.dmpFilesize
5.6MB
-
memory/3824-132-0x0000000005A40000-0x0000000005AD2000-memory.dmpFilesize
584KB
-
memory/3824-133-0x00000000032C0000-0x00000000032D1000-memory.dmpFilesize
68KB
-
memory/3824-134-0x00000000059D0000-0x00000000059DA000-memory.dmpFilesize
40KB