Analysis

  • max time kernel
    204s
  • max time network
    249s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    08/05/2022, 06:12

General

  • Target

    ed5d49b6a5348ec9c64d9fd3c5df4218a24e7c819de5716adc3de05702890ec8.exe

  • Size

    951KB

  • MD5

    78f3c0e0e1ebb93fde1ab54078e1a45f

  • SHA1

    a2cd4f5901cfecc3f788993fe986404c37e34702

  • SHA256

    ed5d49b6a5348ec9c64d9fd3c5df4218a24e7c819de5716adc3de05702890ec8

  • SHA512

    ac72c4d5df979fa215e23fae83403e6f035598be077d48f97382bbbd4b1823ed0050b7bdf970e59ae39993c048ef505943e1cf22507eea0266225cdc84e309df

Malware Config

Signatures

  • BitRAT

    BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

  • BitRAT Payload 2 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Modifies registry key 1 TTPs 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ed5d49b6a5348ec9c64d9fd3c5df4218a24e7c819de5716adc3de05702890ec8.exe
    "C:\Users\Admin\AppData\Local\Temp\ed5d49b6a5348ec9c64d9fd3c5df4218a24e7c819de5716adc3de05702890ec8.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2352
    • C:\Windows\SysWOW64\Notepad.exe
      "C:\Windows\System32\Notepad.exe"
      2⤵
      PID:3444
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c C:\Users\Public\Natso.bat
        3⤵
        PID:1116
        • C:\Windows\SysWOW64\reg.exe
          reg delete hkcu\Environment /v windir /f
          4⤵
          • Modifies registry key
          PID:1028
        • C:\Windows\SysWOW64\reg.exe
          reg add hkcu\Environment /v windir /d "cmd /c start /min C:\Users\Public\x.bat reg delete hkcu\Environment /v windir /f && REM "
          4⤵
          • Modifies registry key
          PID:2116
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I
          4⤵
          PID:3952
        • C:\Windows\SysWOW64\reg.exe
          reg delete hkcu\Environment /v windir /f
          4⤵
          • Modifies registry key
          PID:4240
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c C:\Users\Public\Natso.bat
        3⤵
        PID:4264
    • C:\Users\Admin\AppData\Local\Temp\ed5d49b6a5348ec9c64d9fd3c5df4218a24e7c819de5716adc3de05702890ec8.exe
      "C:\Users\Admin\AppData\Local\Temp\ed5d49b6a5348ec9c64d9fd3c5df4218a24e7c819de5716adc3de05702890ec8.exe"
      2⤵
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:3144

Network

MITRE ATT&CK Enterprise v6


Downloads

  • C:\Users\Public\Natso.bat

    Filesize

    283B

    MD5

    5cc1682955fd9f5800a8f1530c9a4334

    SHA1

    e09b6a4d729f2f4760ee42520ec30c3192c85548

    SHA256

    5562cc607d2f698327efacc4a21bd079bb14a99b03e7a01b3c67f8440e341cb3

    SHA512

    80767263aad44c739236161d4338d5dd8b0b58613f22cd173c3e88ebf143220ee56bbf93ace69a07d3c2f00daff0adbaa8461a1d53d12699725395c931c43cb6

  • memory/2352-132-0x0000000050480000-0x000000005049A000-memory.dmp

    Filesize

    104KB

  • memory/3144-146-0x0000000000400000-0x0000000000800000-memory.dmp

    Filesize

    4.0MB

  • memory/3144-148-0x0000000000400000-0x0000000000800000-memory.dmp

    Filesize

    4.0MB

  • memory/3144-149-0x0000000000400000-0x0000000000800000-memory.dmp

    Filesize

    4.0MB

  • memory/3144-150-0x0000000000400000-0x0000000000800000-memory.dmp

    Filesize

    4.0MB

  • memory/3444-143-0x0000000050480000-0x000000005049A000-memory.dmp

    Filesize

    104KB