Analysis
  max time kernel: 147s
  max time network: 158s
  platform: windows7_x64
  resource: win7-20220414-en
  submitted: 08/05/2022, 06:13
Static task: static1
Behavioral task: behavioral1
  Sample: d7c23da50a0ae8ebcdf3bc384e6498d09264bb051877e44840903f9039e45125.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: d7c23da50a0ae8ebcdf3bc384e6498d09264bb051877e44840903f9039e45125.exe
  Resource: win10v2004-20220414-en
General
  Target: d7c23da50a0ae8ebcdf3bc384e6498d09264bb051877e44840903f9039e45125.exe
  Size: 4.2MB
  MD5: 24389427385fcb96d62cacbcbc86249e
  SHA1: 8f0e2ba854091afd15c846fb3d35cc3930633d67
  SHA256: d7c23da50a0ae8ebcdf3bc384e6498d09264bb051877e44840903f9039e45125
  SHA512: 0fd000e30ca04f227f540d3e34e8985668c95ab5168681327c0e8c1b609b1831c9dbb26ddfcb044fe8dc675f69f2193b381a41b2736940c92dd2dc16b4bd1ede
Malware Config
Signatures

BitRAT Payload 9 IoCs
All nine hits are YARA matches for family_bitrat in the memory of PID 1960, the second instance of the sample that PID 780 writes into and starts with SetThreadContext (see below). Eight are dumps of the 0x0000000000400000-0x00000000007FF000 image region taken at successive points of the run; one is the mapping dump at 0x0000000000620E0E.
  resource                                                                      yara_rule
  behavioral1/memory/1960-76-0x0000000000400000-0x00000000007FF000-memory.dmp   family_bitrat
  behavioral1/memory/1960-78-0x0000000000400000-0x00000000007FF000-memory.dmp   family_bitrat
  behavioral1/memory/1960-80-0x0000000000400000-0x00000000007FF000-memory.dmp   family_bitrat
  behavioral1/memory/1960-81-0x0000000000400000-0x00000000007FF000-memory.dmp   family_bitrat
  behavioral1/memory/1960-83-0x0000000000400000-0x00000000007FF000-memory.dmp   family_bitrat
  behavioral1/memory/1960-85-0x0000000000400000-0x00000000007FF000-memory.dmp   family_bitrat
  behavioral1/memory/1960-86-0x0000000000620E0E-mapping.dmp                     family_bitrat
  behavioral1/memory/1960-88-0x0000000000400000-0x00000000007FF000-memory.dmp   family_bitrat
  behavioral1/memory/1960-90-0x0000000000400000-0x00000000007FF000-memory.dmp   family_bitrat
Modifies WinLogon for persistence 2 TTPs 1 IoCs
The sample appends its own path to the per-user Winlogon Shell value, so Winlogon launches it together with explorer.exe at every logon of this user (ATT&CK T1547.004). Process for the row: d7c23da50a0ae8ebcdf3bc384e6498d09264bb051877e44840903f9039e45125.exe.
  description      ioc
  Set value (str)  \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Local\\Temp\\d7c23da50a0ae8ebcdf3bc384e6498d09264bb051877e44840903f9039e45125.exe\""
Drops startup file 2 IoCs
Process for both rows: d7c23da50a0ae8ebcdf3bc384e6498d09264bb051877e44840903f9039e45125.exe.
  description                   ioc
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d7c23da50a0ae8ebcdf3bc384e6498d09264bb051877e44840903f9039e45125.exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d7c23da50a0ae8ebcdf3bc384e6498d09264bb051877e44840903f9039e45125.exe
Windows security modification 9 IoCs
Registry writes that switch off Defender real-time monitoring, sample submission and tamper protection, and register both copies of the sample as path exclusions (ATT&CK T1562.001). Note the Wow6432Node prefix on every key: the sample is a 32-bit process, so its writes to HKLM\SOFTWARE\Microsoft\Windows Defender are redirected by WOW64 into the 32-bit view of the hive, which is not the key the 64-bit Defender service reads. The Add-MpPreference calls in the process tree below go through the Defender management interface instead and are the ones that would take effect on a platform that has the Defender PowerShell module (Windows 8 and later; not the Windows 7 image of behavioral1). Process for all rows: d7c23da50a0ae8ebcdf3bc384e6498d09264bb051877e44840903f9039e45125.exe.
  description      ioc
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d7c23da50a0ae8ebcdf3bc384e6498d09264bb051877e44840903f9039e45125.exe = "0"
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\d7c23da50a0ae8ebcdf3bc384e6498d09264bb051877e44840903f9039e45125.exe = "0"
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0"
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"
  Key created      \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths
  Key created      \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Real-Time Protection
  Key created      \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features
  Key created      \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions
Adds Run key to start application 2 TTPs 2 IoCs
Process for both rows: d7c23da50a0ae8ebcdf3bc384e6498d09264bb051877e44840903f9039e45125.exe.
  description      ioc
  Set value (str)  \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\<Unknown> = "C:\\Users\\Admin\\AppData\\Local\\Temp\\d7c23da50a0ae8ebcdf3bc384e6498d09264bb051877e44840903f9039e45125.exe"
  Set value (str)  \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\d7c23da50a0ae8ebcdf3bc384e6498d09264bb051877e44840903f9039e45125.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\d7c23da50a0ae8ebcdf3bc384e6498d09264bb051877e44840903f9039e45125.exe"
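The four sections above (Winlogon Shell, Startup folder, Defender registry values, Run keys) describe the locations a responder checks on a suspect host. The script below is an added example of that check; it is not part of the sandbox report and is not BitRAT's or the sandbox's code. It reads the Winlogon Shell value in both hives, the Run keys in the native and Wow6432Node views, the per-user Startup folder, and the Defender keys in the native, WOW64-redirected and policy views; where the Defender module is present it also reads the effective exclusion list and protection state that Add-MpPreference and Get-MpComputerStatus expose. The pattern for "user-writable launch path" and the function name are assumptions for the example; run it in an elevated PowerShell.

```powershell
# Added example (not from the sandbox report): triage the autostart and Defender-tamper
# locations this sample touches on a live host. Run in an elevated PowerShell.
# Assumption: an autostart that launches from a user-writable profile directory is suspicious.

function Get-AutostartAndDefenderFindings {
    [CmdletBinding()]
    param([string]$UserWritablePattern = '\\AppData\\(Local\\Temp|Roaming)\\')

    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding([string]$Check, [string]$Location, $Value) {
        $findings.Add([pscustomobject]@{ Check = $Check; Location = $Location; Value = $Value })
    }

    # 1. Winlogon Shell (T1547.004): anything other than "explorer.exe" is a second shell at logon.
    foreach ($hive in 'HKCU', 'HKLM') {
        $key = "${hive}:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
        $shell = (Get-ItemProperty -Path $key -Name Shell -ErrorAction SilentlyContinue).Shell
        if ($shell -and $shell -ne 'explorer.exe') { Add-Finding 'WinlogonShell' "$key\Shell" $shell }
    }

    # 2. Run keys (T1547.001) whose command launches from a user-writable directory.
    $runKeys = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
    foreach ($key in $runKeys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # PSPath, PSChildName etc. are provider metadata
            if ("$($p.Value)" -match $UserWritablePattern) { Add-Finding 'RunKey' "$key\$($p.Name)" $p.Value }
        }
    }

    # 3. Executable content in the per-user Startup folder (also T1547.001).
    $startup = [Environment]::GetFolderPath('Startup')
    foreach ($f in @(Get-ChildItem -Path $startup -File -ErrorAction SilentlyContinue)) {
        if ($f.Extension -in '.exe', '.dll', '.scr', '.bat', '.cmd', '.vbs', '.js', '.ps1') {
            Add-Finding 'StartupFolder' $f.FullName (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
        }
    }

    # 4. Defender registry state (T1562.001) in the native, the WOW64-redirected and the policy view.
    #    A 32-bit writer lands under Wow6432Node, which is where this sample's values appear in the report.
    $roots = 'HKLM:\SOFTWARE\Microsoft\Windows Defender',
             'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows Defender',
             'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
    foreach ($root in $roots) {
        $rtp = Get-ItemProperty -Path "$root\Real-Time Protection" -ErrorAction SilentlyContinue
        if ($rtp -and $rtp.DisableRealtimeMonitoring -eq 1) {
            Add-Finding 'DefenderRealtimeDisabled' "$root\Real-Time Protection\DisableRealtimeMonitoring" 1
        }
        $feat = Get-ItemProperty -Path "$root\Features" -ErrorAction SilentlyContinue
        if ($feat -and $null -ne $feat.TamperProtection -and $feat.TamperProtection -ne 5) {   # 5 = enabled
            Add-Finding 'DefenderTamperProtection' "$root\Features\TamperProtection" $feat.TamperProtection
        }
        $excl = Get-ItemProperty -Path "$root\Exclusions\Paths" -ErrorAction SilentlyContinue
        if ($excl) {
            foreach ($p in $excl.PSObject.Properties) {
                if ($p.Name -notlike 'PS*') { Add-Finding 'DefenderPathExclusion' "$root\Exclusions\Paths" $p.Name }
            }
        }
    }

    # 5. Effective state as the Defender service reports it (module present on Windows 8 and later only).
    if (Get-Command Get-MpPreference -ErrorAction SilentlyContinue) {
        $pref = Get-MpPreference
        foreach ($path in @($pref.ExclusionPath)) {
            if ($path -and $path -match $UserWritablePattern) { Add-Finding 'DefenderExclusionEffective' 'Get-MpPreference' $path }
        }
        $status = Get-MpComputerStatus
        if (-not $status.RealTimeProtectionEnabled) { Add-Finding 'DefenderRealtimeDisabled' 'Get-MpComputerStatus' $false }
        if ($null -ne $status.IsTamperProtected -and -not $status.IsTamperProtected) {
            Add-Finding 'DefenderTamperProtection' 'Get-MpComputerStatus' $false
        }
    }
    return $findings
}

Get-AutostartAndDefenderFindings | Format-Table -AutoSize
```

The registry part is read in three views on purpose: a finding under Wow6432Node alone (the case in this report) tells you a 32-bit process tried to reconfigure Defender without reaching the service's own configuration, while a matching entry from Get-MpPreference or Get-MpComputerStatus means the change is effective and has to be reverted with Remove-MpPreference / Set-MpPreference rather than by deleting the redirected key.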
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow  ioc
  11    myexternalip.com
  12    myexternalip.com
Suspicious use of NtSetInformationThreadHideFromDebugger 26 IoCs
NtSetInformationThread with the ThreadHideFromDebugger class stops the kernel from delivering debug events for the calling thread to an attached debugger; it is a common anti-analysis step. Both the dropper (PID 780) and the injected second instance (PID 1960) use it. Process for both rows: d7c23da50a0ae8ebcdf3bc384e6498d09264bb051877e44840903f9039e45125.exe.
  pid   calls
  780   12
  1960  14
Suspicious use of SetThreadContext 1 IoCs
  description                         pid  Process                                                                  procid_target
  PID 780 set thread context of 1960  780  d7c23da50a0ae8ebcdf3bc384e6498d09264bb051877e44840903f9039e45125.exe  38
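The SetThreadContext call here, the thirteen WriteProcessMemory calls into the same child (below) and the family_bitrat hits at 0x400000 in PID 1960 are the sandbox's view of a parent replacing the image of a second instance of itself and resuming it. The script below is an added example of checking the same thing on a live host; it is not part of the report and is not BitRAT's or the sandbox's code. It reads the PE header the process carries at the image base its PEB reports and compares it with the header of the file the process claims to run: a replaced image normally differs in SizeOfImage, entry point, section count or link timestamp. Assumptions: the injected image sits at the reported image base (true here, the hits start at 0x400000), the caller has PROCESS_VM_READ on the target, and the header was not wiped; a hollower that maps elsewhere or erases the header needs a full region walk (pe-sieve or similar). The Hollow.Native type and the function names are the example's own.

```powershell
# Added example (not from the sandbox report): compare a process's in-memory PE header with its on-disk image.
# Run from a 64-bit PowerShell (a 32-bit PowerShell cannot read MainModule of a 64-bit target), elevated
# for processes of other users. Detects the image replacement recorded above for PIDs 780 -> 1960.

Add-Type -Namespace Hollow -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool ReadProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress,
    byte[] lpBuffer, int nSize, out int lpNumberOfBytesRead);
'@

function Get-PeHeaderSummary {
    param([byte[]]$Bytes)
    # DOS header "MZ"; e_lfanew at 0x3C points at "PE\0\0"; the 20-byte file header follows the
    # 4-byte signature and the optional header follows that. Offsets used are the same for PE32 and PE32+.
    if ($Bytes.Length -lt 0x40 -or $Bytes[0] -ne 0x4D -or $Bytes[1] -ne 0x5A) { return $null }
    $nt = [BitConverter]::ToInt32($Bytes, 0x3C)
    if ($nt -lt 0x40 -or ($nt + 0x60) -gt $Bytes.Length) { return $null }
    if ([BitConverter]::ToUInt32($Bytes, $nt) -ne 0x00004550) { return $null }
    $opt = $nt + 0x18
    [pscustomobject]@{
        TimeDateStamp    = [BitConverter]::ToUInt32($Bytes, $nt + 0x08)
        NumberOfSections = [BitConverter]::ToUInt16($Bytes, $nt + 0x06)
        EntryPointRva    = [BitConverter]::ToUInt32($Bytes, $opt + 0x10)
        SizeOfImage      = [BitConverter]::ToUInt32($Bytes, $opt + 0x38)
    }
}

function Test-ProcessHollowing {
    param([Parameter(Mandatory)][int]$ProcessId)
    $proc = Get-Process -Id $ProcessId -ErrorAction Stop
    $path = $proc.MainModule.FileName       # what the process claims to be running
    $base = $proc.MainModule.BaseAddress    # image base as recorded in the target's PEB

    # Header as it exists in the live process.
    $mem  = New-Object byte[] 4096
    $read = 0
    $ok = [Hollow.Native]::ReadProcessMemory($proc.Handle, $base, $mem, $mem.Length, [ref]$read)
    $inMemory = if ($ok -and $read -ge 0x40) { Get-PeHeaderSummary $mem } else { $null }

    # Header of the file on disk.
    $disk = New-Object byte[] 4096
    $fs = [IO.File]::OpenRead($path)
    try { [void]$fs.Read($disk, 0, $disk.Length) } finally { $fs.Dispose() }
    $onDisk = Get-PeHeaderSummary $disk

    $mismatch = @()
    if (-not $inMemory) {
        $mismatch += 'no readable PE header at image base (a wiped header is itself suspicious)'
    } else {
        foreach ($field in 'TimeDateStamp', 'NumberOfSections', 'EntryPointRva', 'SizeOfImage') {
            if ($inMemory.$field -ne $onDisk.$field) {
                $mismatch += ('{0}: memory 0x{1:X} vs disk 0x{2:X}' -f $field, $inMemory.$field, $onDisk.$field)
            }
        }
    }
    [pscustomobject]@{
        ProcessId  = $ProcessId
        Image      = $path
        ImageBase  = ('0x{0:X}' -f $base.ToInt64())
        Suspicious = ($mismatch.Count -gt 0)
        Mismatches = $mismatch
    }
}

# Usage on the host: Test-ProcessHollowing -ProcessId 1960 | Format-List
```

For the run in this report the comparison would be between the 4.2MB dropper on disk and whatever PID 780 wrote into the 0x400000-0x7FF000 range of PID 1960; the crash of PID 780 afterwards (WerFault below) does not affect the child, so the check is still meaningful once the parent is gone.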
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
(The second sentence is the sandbox's generic description for this signature. Nothing else in this report shows file encryption, and the memory hits identify the payload as BitRAT; treat the drive enumeration as host fingerprinting unless further evidence appears.)
Program crash 1 IoCs
  pid   pid_target  Process       procid_target
  1664  780         WerFault.exe  16
Delays execution with timeout.exe 1 IoCs
  pid  Process
  968  timeout.exe
Suspicious behavior: EnumeratesProcesses 7 IoCs
  pid   Process
  1588  powershell.exe
  524   powershell.exe
  1840  powershell.exe
  1728  powershell.exe
  780   d7c23da50a0ae8ebcdf3bc384e6498d09264bb051877e44840903f9039e45125.exe (3 occurrences)
Suspicious use of AdjustPrivilegeToken 7 IoCs
  description                 pid   Process
  Token: SeDebugPrivilege     780   d7c23da50a0ae8ebcdf3bc384e6498d09264bb051877e44840903f9039e45125.exe
  Token: SeDebugPrivilege     1840  powershell.exe
  Token: SeDebugPrivilege     1728  powershell.exe
  Token: SeDebugPrivilege     1588  powershell.exe
  Token: SeDebugPrivilege     524   powershell.exe
  Token: SeDebugPrivilege     1960  d7c23da50a0ae8ebcdf3bc384e6498d09264bb051877e44840903f9039e45125.exe
  Token: SeShutdownPrivilege  1960  d7c23da50a0ae8ebcdf3bc384e6498d09264bb051877e44840903f9039e45125.exe
Suspicious use of SetWindowsHookEx 2 IoCs
The injected second instance installs two Windows hooks; the report does not record the hook type, so whether they are keyboard hooks cannot be confirmed from this page.
  pid   Process
  1960  d7c23da50a0ae8ebcdf3bc384e6498d09264bb051877e44840903f9039e45125.exe
  1960  d7c23da50a0ae8ebcdf3bc384e6498d09264bb051877e44840903f9039e45125.exe
Suspicious use of WriteProcessMemory 37 IoCs
All 37 writes are from PID 780 into processes it created. The four writes into each of timeout.exe, the four PowerShell instances and WerFault.exe are the baseline the monitor records for every process the sample spawns; the thirteen writes into PID 1960, together with the SetThreadContext call above, are the injection of the BitRAT image into the second instance of the sample. Process for all rows: d7c23da50a0ae8ebcdf3bc384e6498d09264bb051877e44840903f9039e45125.exe (PID 780).
  description                      procid_target  writes
  PID 780 wrote to memory of 968   28             4
  PID 780 wrote to memory of 1728  37             4
  PID 780 wrote to memory of 1588  36             4
  PID 780 wrote to memory of 1840  35             4
  PID 780 wrote to memory of 524   33             4
  PID 780 wrote to memory of 1960  38             13
  PID 780 wrote to memory of 1664  39             4
Processes
Indentation shows the process tree (the original listing marked levels as 1 and 2). Every child image is the SysWOW64 copy even though the PowerShell command lines name System32: the 32-bit parent's file-system accesses are redirected by WOW64. The three PowerShell instances that exclude the Startup copy (PIDs 1840, 1588, 1728) run identical command lines.

  C:\Users\Admin\AppData\Local\Temp\d7c23da50a0ae8ebcdf3bc384e6498d09264bb051877e44840903f9039e45125.exe  (PID 780)
    command line: "C:\Users\Admin\AppData\Local\Temp\d7c23da50a0ae8ebcdf3bc384e6498d09264bb051877e44840903f9039e45125.exe"
    - Modifies WinLogon for persistence
    - Drops startup file
    - Windows security modification
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\timeout.exe  (PID 968)
      command line: timeout 4
      - Delays execution with timeout.exe

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 524)
      command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\d7c23da50a0ae8ebcdf3bc384e6498d09264bb051877e44840903f9039e45125.exe" -Force
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 1840)
      command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d7c23da50a0ae8ebcdf3bc384e6498d09264bb051877e44840903f9039e45125.exe" -Force
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 1588)
      command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d7c23da50a0ae8ebcdf3bc384e6498d09264bb051877e44840903f9039e45125.exe" -Force
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 1728)
      command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d7c23da50a0ae8ebcdf3bc384e6498d09264bb051877e44840903f9039e45125.exe" -Force
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Local\Temp\d7c23da50a0ae8ebcdf3bc384e6498d09264bb051877e44840903f9039e45125.exe  (PID 1960)
      command line: "C:\Users\Admin\AppData\Local\Temp\d7c23da50a0ae8ebcdf3bc384e6498d09264bb051877e44840903f9039e45125.exe"
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx

    C:\Windows\SysWOW64\WerFault.exe  (PID 1664)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 780 -s 1840
      - Program crash
Network
MITRE ATT&CK Enterprise v6
Downloads
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
    Filesize: 7KB
    MD5: 3533292edb8d69a6cb99b664126761f9
    SHA1: a1e39a951fb8c856bb305277c5ffbce6f0876892
    SHA256: a8a0eb5bb2d52ca08a23b8f712b0063e4a3598ad5b4e9529d657242b8e06f646
    SHA512: 1e4654ad4716b82546efdf76d77610e30cf07cbdffa8dc23de95e574ef904eed7a71988d32a92e7a4422b737373441125328d6fa74e2831dee8a241b8ce6dec8
  This is a Windows jump list (customDestinations-ms) written under the user's Recent folder during the run: an execution artifact of the session, not a payload retrieved by the sample.