Analysis Overview
SHA256
ed5d49b6a5348ec9c64d9fd3c5df4218a24e7c819de5716adc3de05702890ec8
Threat Level: Known bad
The file ed5d49b6a5348ec9c64d9fd3c5df4218a24e7c819de5716adc3de05702890ec8 was found to be: Known bad.
Malicious Activity Summary
BitRAT
BitRAT Payload
UPX packed file
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Suspicious use of SetThreadContext
Suspicious use of NtSetInformationThreadHideFromDebugger
Program crash
Modifies system certificate store
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Modifies registry key
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-05-08 06:12
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-05-08 06:12
Reported
2022-05-08 08:29
Platform
win7-20220414-en
Max time kernel
176s
Max time network
269s
Command Line
Signatures
Legitimate hosting services abused for malware hosting/C2
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\ed5d49b6a5348ec9c64d9fd3c5df4218a24e7c819de5716adc3de05702890ec8.exe |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 | C:\Users\Admin\AppData\Local\Temp\ed5d49b6a5348ec9c64d9fd3c5df4218a24e7c819de5716adc3de05702890ec8.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = … | C:\Users\Admin\AppData\Local\Temp\ed5d49b6a5348ec9c64d9fd3c5df4218a24e7c819de5716adc3de05702890ec8.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1044 wrote to memory of 840 | N/A | C:\Users\Admin\AppData\Local\Temp\ed5d49b6a5348ec9c64d9fd3c5df4218a24e7c819de5716adc3de05702890ec8.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 1044 wrote to memory of 840 | N/A | C:\Users\Admin\AppData\Local\Temp\ed5d49b6a5348ec9c64d9fd3c5df4218a24e7c819de5716adc3de05702890ec8.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 1044 wrote to memory of 840 | N/A | C:\Users\Admin\AppData\Local\Temp\ed5d49b6a5348ec9c64d9fd3c5df4218a24e7c819de5716adc3de05702890ec8.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 1044 wrote to memory of 840 | N/A | C:\Users\Admin\AppData\Local\Temp\ed5d49b6a5348ec9c64d9fd3c5df4218a24e7c819de5716adc3de05702890ec8.exe | C:\Windows\SysWOW64\WerFault.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\ed5d49b6a5348ec9c64d9fd3c5df4218a24e7c819de5716adc3de05702890ec8.exe
"C:\Users\Admin\AppData\Local\Temp\ed5d49b6a5348ec9c64d9fd3c5df4218a24e7c819de5716adc3de05702890ec8.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1044 -s 928
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.128.233:443 | discord.com | tcp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 162.159.129.233:443 | cdn.discordapp.com | tcp |
| US | 162.159.134.233:443 | cdn.discordapp.com | tcp |
Files
memory/1044-54-0x0000000075C51000-0x0000000075C53000-memory.dmp
memory/840-55-0x0000000000000000-mapping.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-05-08 06:12
Reported
2022-05-08 08:29
Platform
win10v2004-20220414-en
Max time kernel
204s
Max time network
249s
Command Line
Signatures
BitRAT
BitRAT Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Obak = "C:\\Users\\Admin\\AppData\\Local\\kabO.url" | C:\Users\Admin\AppData\Local\Temp\ed5d49b6a5348ec9c64d9fd3c5df4218a24e7c819de5716adc3de05702890ec8.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ed5d49b6a5348ec9c64d9fd3c5df4218a24e7c819de5716adc3de05702890ec8.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2352 set thread context of 3144 | N/A | C:\Users\Admin\AppData\Local\Temp\ed5d49b6a5348ec9c64d9fd3c5df4218a24e7c819de5716adc3de05702890ec8.exe | C:\Users\Admin\AppData\Local\Temp\ed5d49b6a5348ec9c64d9fd3c5df4218a24e7c819de5716adc3de05702890ec8.exe |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ed5d49b6a5348ec9c64d9fd3c5df4218a24e7c819de5716adc3de05702890ec8.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ed5d49b6a5348ec9c64d9fd3c5df4218a24e7c819de5716adc3de05702890ec8.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ed5d49b6a5348ec9c64d9fd3c5df4218a24e7c819de5716adc3de05702890ec8.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ed5d49b6a5348ec9c64d9fd3c5df4218a24e7c819de5716adc3de05702890ec8.exe
"C:\Users\Admin\AppData\Local\Temp\ed5d49b6a5348ec9c64d9fd3c5df4218a24e7c819de5716adc3de05702890ec8.exe"
C:\Windows\SysWOW64\Notepad.exe
"C:\Windows\System32\Notepad.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Public\Natso.bat
C:\Windows\SysWOW64\reg.exe
reg delete hkcu\Environment /v windir /f
C:\Windows\SysWOW64\reg.exe
reg add hkcu\Environment /v windir /d "cmd /c start /min C:\Users\Public\x.bat reg delete hkcu\Environment /v windir /f && REM "
C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I
C:\Windows\SysWOW64\reg.exe
reg delete hkcu\Environment /v windir /f
C:\Users\Admin\AppData\Local\Temp\ed5d49b6a5348ec9c64d9fd3c5df4218a24e7c819de5716adc3de05702890ec8.exe
"C:\Users\Admin\AppData\Local\Temp\ed5d49b6a5348ec9c64d9fd3c5df4218a24e7c819de5716adc3de05702890ec8.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Public\Natso.bat
Network
| Country | Destination | Domain | Proto |
| US | 13.89.178.27:443 | | tcp |
| US | 93.184.221.240:80 | | tcp |
| US | 13.107.4.50:80 | | tcp |
| US | 8.8.8.8:53 | 97.97.242.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| US | 8.8.8.8:53 | nexty.dnsupdate.info | udp |
| US | 8.8.8.8:53 | nexty.dnsupdate.info | udp |
Files
memory/3444-131-0x0000000000000000-mapping.dmp
memory/2352-132-0x0000000050480000-0x000000005049A000-memory.dmp
memory/1116-138-0x0000000000000000-mapping.dmp
C:\Users\Public\Natso.bat
| MD5 | 5cc1682955fd9f5800a8f1530c9a4334 |
| SHA1 | e09b6a4d729f2f4760ee42520ec30c3192c85548 |
| SHA256 | 5562cc607d2f698327efacc4a21bd079bb14a99b03e7a01b3c67f8440e341cb3 |
| SHA512 | 80767263aad44c739236161d4338d5dd8b0b58613f22cd173c3e88ebf143220ee56bbf93ace69a07d3c2f00daff0adbaa8461a1d53d12699725395c931c43cb6 |
memory/1028-140-0x0000000000000000-mapping.dmp
memory/2116-141-0x0000000000000000-mapping.dmp
memory/3952-142-0x0000000000000000-mapping.dmp
memory/3444-143-0x0000000050480000-0x000000005049A000-memory.dmp
memory/4240-144-0x0000000000000000-mapping.dmp
memory/3144-145-0x0000000000000000-mapping.dmp
memory/3144-146-0x0000000000400000-0x0000000000800000-memory.dmp
memory/3144-148-0x0000000000400000-0x0000000000800000-memory.dmp
memory/3144-149-0x0000000000400000-0x0000000000800000-memory.dmp
memory/3144-150-0x0000000000400000-0x0000000000800000-memory.dmp
memory/4264-151-0x0000000000000000-mapping.dmp