Analysis
- max time kernel: 143s
- max time network: 144s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 08/05/2022, 06:13
Static task: static1
Behavioral task: behavioral1
  Sample: d7c23da50a0ae8ebcdf3bc384e6498d09264bb051877e44840903f9039e45125.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: d7c23da50a0ae8ebcdf3bc384e6498d09264bb051877e44840903f9039e45125.exe
  Resource: win10v2004-20220414-en
General
- Target: d7c23da50a0ae8ebcdf3bc384e6498d09264bb051877e44840903f9039e45125.exe
- Size: 4.2MB
- MD5: 24389427385fcb96d62cacbcbc86249e
- SHA1: 8f0e2ba854091afd15c846fb3d35cc3930633d67
- SHA256: d7c23da50a0ae8ebcdf3bc384e6498d09264bb051877e44840903f9039e45125
- SHA512: 0fd000e30ca04f227f540d3e34e8985668c95ab5168681327c0e8c1b609b1831c9dbb26ddfcb044fe8dc675f69f2193b381a41b2736940c92dd2dc16b4bd1ede
Malware Config
Signatures
BitRAT Payload (4 IoCs)
  resource | yara_rule
  behavioral2/memory/900-163-0x0000000000400000-0x00000000007FF000-memory.dmp | family_bitrat
  behavioral2/memory/900-164-0x0000000000400000-0x00000000007FF000-memory.dmp | family_bitrat
  behavioral2/memory/900-165-0x0000000000400000-0x00000000007FF000-memory.dmp | family_bitrat
  behavioral2/memory/900-166-0x0000000000400000-0x00000000007FF000-memory.dmp | family_bitrat

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Local\\Temp\\d7c23da50a0ae8ebcdf3bc384e6498d09264bb051877e44840903f9039e45125.exe\"" | d7c23da50a0ae8ebcdf3bc384e6498d09264bb051877e44840903f9039e45125.exe

Turns off Windows Defender SpyNet reporting (2 TTPs)

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | d7c23da50a0ae8ebcdf3bc384e6498d09264bb051877e44840903f9039e45125.exe

Drops startup file (2 IoCs)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d7c23da50a0ae8ebcdf3bc384e6498d09264bb051877e44840903f9039e45125.exe | d7c23da50a0ae8ebcdf3bc384e6498d09264bb051877e44840903f9039e45125.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d7c23da50a0ae8ebcdf3bc384e6498d09264bb051877e44840903f9039e45125.exe | d7c23da50a0ae8ebcdf3bc384e6498d09264bb051877e44840903f9039e45125.exe
Windows security modification
  Process for every row: d7c23da50a0ae8ebcdf3bc384e6498d09264bb051877e44840903f9039e45125.exe
  description | ioc
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d7c23da50a0ae8ebcdf3bc384e6498d09264bb051877e44840903f9039e45125.exe = "0"
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\d7c23da50a0ae8ebcdf3bc384e6498d09264bb051877e44840903f9039e45125.exe = "0"
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0"
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0"
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"
Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\<Unknown> = "C:\\Users\\Admin\\AppData\\Local\\Temp\\d7c23da50a0ae8ebcdf3bc384e6498d09264bb051877e44840903f9039e45125.exe" | d7c23da50a0ae8ebcdf3bc384e6498d09264bb051877e44840903f9039e45125.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d7c23da50a0ae8ebcdf3bc384e6498d09264bb051877e44840903f9039e45125.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\d7c23da50a0ae8ebcdf3bc384e6498d09264bb051877e44840903f9039e45125.exe" | d7c23da50a0ae8ebcdf3bc384e6498d09264bb051877e44840903f9039e45125.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTP)

Suspicious use of NtSetInformationThreadHideFromDebugger (11 IoCs)
  pid | Process
  5068 | d7c23da50a0ae8ebcdf3bc384e6498d09264bb051877e44840903f9039e45125.exe (10 identical entries)
  900 | d7c23da50a0ae8ebcdf3bc384e6498d09264bb051877e44840903f9039e45125.exe (1 entry)

Suspicious use of SetThreadContext (1 IoC)
  description | pid | Process | procid_target
  PID 5068 set thread context of 900 | 5068 | d7c23da50a0ae8ebcdf3bc384e6498d09264bb051877e44840903f9039e45125.exe | 99

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (2 IoCs)
  pid | pid_target | Process | procid_target
  1448 | 5068 | WerFault.exe | 65
  3164 | 5068 | WerFault.exe | 65

Delays execution with timeout.exe (1 IoC)
  pid | Process
  5060 | timeout.exe

Suspicious behavior: EnumeratesProcesses (11 IoCs)
  pid | Process
  4000 | powershell.exe
  1348 | powershell.exe
  2728 | powershell.exe
  4404 | powershell.exe
  1348 | powershell.exe
  4404 | powershell.exe
  4000 | powershell.exe
  2728 | powershell.exe
  5068 | d7c23da50a0ae8ebcdf3bc384e6498d09264bb051877e44840903f9039e45125.exe
  5068 | d7c23da50a0ae8ebcdf3bc384e6498d09264bb051877e44840903f9039e45125.exe
  5068 | d7c23da50a0ae8ebcdf3bc384e6498d09264bb051877e44840903f9039e45125.exe

Suspicious use of AdjustPrivilegeToken (6 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 5068 | d7c23da50a0ae8ebcdf3bc384e6498d09264bb051877e44840903f9039e45125.exe
  Token: SeDebugPrivilege | 2728 | powershell.exe
  Token: SeDebugPrivilege | 4000 | powershell.exe
  Token: SeDebugPrivilege | 1348 | powershell.exe
  Token: SeDebugPrivilege | 4404 | powershell.exe
  Token: SeShutdownPrivilege | 900 | d7c23da50a0ae8ebcdf3bc384e6498d09264bb051877e44840903f9039e45125.exe

Suspicious use of WriteProcessMemory (30 IoCs)
  Process for every row: d7c23da50a0ae8ebcdf3bc384e6498d09264bb051877e44840903f9039e45125.exe (pid 5068); identical entries are grouped with their count
  description | pid | procid_target | entries
  PID 5068 wrote to memory of 5060 | 5068 | 82 | 3
  PID 5068 wrote to memory of 2728 | 5068 | 84 | 3
  PID 5068 wrote to memory of 1348 | 5068 | 86 | 3
  PID 5068 wrote to memory of 4404 | 5068 | 88 | 3
  PID 5068 wrote to memory of 4000 | 5068 | 90 | 3
  PID 5068 wrote to memory of 900 | 5068 | 99 | 12
  PID 5068 wrote to memory of 1448 | 5068 | 103 | 3
Processes

C:\Users\Admin\AppData\Local\Temp\d7c23da50a0ae8ebcdf3bc384e6498d09264bb051877e44840903f9039e45125.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d7c23da50a0ae8ebcdf3bc384e6498d09264bb051877e44840903f9039e45125.exe"
  PID: 5068
  - Modifies WinLogon for persistence
  - Checks computer location settings
  - Drops startup file
  - Windows security modification
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\timeout.exe
    Command line: timeout 4
    PID: 5060
    - Delays execution with timeout.exe

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d7c23da50a0ae8ebcdf3bc384e6498d09264bb051877e44840903f9039e45125.exe" -Force
    PID: 2728
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d7c23da50a0ae8ebcdf3bc384e6498d09264bb051877e44840903f9039e45125.exe" -Force
    PID: 1348
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d7c23da50a0ae8ebcdf3bc384e6498d09264bb051877e44840903f9039e45125.exe" -Force
    PID: 4404
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\d7c23da50a0ae8ebcdf3bc384e6498d09264bb051877e44840903f9039e45125.exe" -Force
    PID: 4000
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Users\Admin\AppData\Local\Temp\d7c23da50a0ae8ebcdf3bc384e6498d09264bb051877e44840903f9039e45125.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\d7c23da50a0ae8ebcdf3bc384e6498d09264bb051877e44840903f9039e45125.exe"
    PID: 900
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5068 -s 2036
    PID: 1448
    - Program crash

  C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5068 -s 2036
    PID: 3164
    - Program crash

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5068 -ip 5068
  PID: 4552
Network
MITRE ATT&CK Enterprise v6
Downloads