Analysis
max time kernel: 320s
max time network: 337s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 07/05/2022, 21:48
Static task: static1
Behavioral task: behavioral1
Sample: 448d23c53cc9f4a1a97683474c4e2e7a45ac05570effebc9018924a2c3cc44dc.ps1
Resource: win7-20220414-en
0 signatures, 0 seconds
General
Target: 448d23c53cc9f4a1a97683474c4e2e7a45ac05570effebc9018924a2c3cc44dc.ps1
Size: 3.1MB
MD5: 6889cfb3137ffee92478c3c2bb2a7722
SHA1: 3d52224ca0af65863a464c90896270b56b81028e
SHA256: 448d23c53cc9f4a1a97683474c4e2e7a45ac05570effebc9018924a2c3cc44dc
SHA512: 29be084668fd981782ae40bbac90ea1d2730cc2e83a59ffa58ed497de24ff1d75696ca0a437192c8a6ccd1d851fb589a886b455e6f531674162ac8a7754fac66
Malware Config
Extracted
Family: bitrat
Version: 1.38
C2: bitrat9300.duckdns.org:9300
Attributes
communication_password: e10adc3949ba59abbe56e057f20f883e
tor_process: tor
Signatures
suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)

resource                                                                      yara_rule
behavioral2/memory/4928-132-0x0000000000400000-0x00000000007E4000-memory.dmp  upx
behavioral2/memory/4928-134-0x0000000000400000-0x00000000007E4000-memory.dmp  upx
behavioral2/memory/4928-135-0x0000000000400000-0x00000000007E4000-memory.dmp  upx
behavioral2/memory/4928-136-0x0000000000400000-0x00000000007E4000-memory.dmp  upx
behavioral2/memory/4928-137-0x0000000000400000-0x00000000007E4000-memory.dmp  upx

Suspicious use of NtSetInformationThreadHideFromDebugger (5 IoCs)
pid   Process
4928  aspnet_regbrowsers.exe  (5 IoCs)

Suspicious use of SetThreadContext (1 IoC)
description                          pid   Process         procid_target
PID 2140 set thread context of 4928  2140  powershell.exe  89

Suspicious behavior: EnumeratesProcesses (8 IoCs)
pid   Process
2140  powershell.exe  (8 IoCs)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description                pid   Process
Token: SeDebugPrivilege    2140  powershell.exe
Token: SeShutdownPrivilege 4928  aspnet_regbrowsers.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
pid   Process
4928  aspnet_regbrowsers.exe  (2 IoCs)

Suspicious use of WriteProcessMemory (16 IoCs)
description                        pid   Process         procid_target
PID 2140 wrote to memory of 844    2140  powershell.exe  86  (3 IoCs)
PID 2140 wrote to memory of 4204   2140  powershell.exe  87  (3 IoCs)
PID 2140 wrote to memory of 3736   2140  powershell.exe  88  (3 IoCs)
PID 2140 wrote to memory of 4928   2140  powershell.exe  89  (7 IoCs)
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\448d23c53cc9f4a1a97683474c4e2e7a45ac05570effebc9018924a2c3cc44dc.ps1
PID: 2140
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"
    PID: 844

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"
    PID: 4204

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"
    PID: 3736

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"
    PID: 4928
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx