Analysis

max time kernel:  160s
max time network: 175s
platform:         windows7_x64
resource:         win7-20220414-en
submitted:        08/05/2022, 06:14

Static task:      static1
Behavioral task:  behavioral1
Sample:           ac34cd73c656e9f130c52e0d2a7c962e77c205bce96aa02532f06cd13067eb6e.exe
Resource:         win7-20220414-en
0 signatures
0 seconds
General

Target: ac34cd73c656e9f130c52e0d2a7c962e77c205bce96aa02532f06cd13067eb6e.exe
Size:   1.8MB
MD5:    14e2737c5b66f86935ec2b174e7bfbfa
SHA1:   f99879eccea381506840f9693cd185ee81e2c56a
SHA256: ac34cd73c656e9f130c52e0d2a7c962e77c205bce96aa02532f06cd13067eb6e
SHA512: f974bd374b27948f38f2abbd1c2ec6331a7e4f66efe89e14bf10ea17afa499ba3b51eb2665de60280508c9cff99542c677115088a7b9c71039596b4cbbd1998f
Malware Config
Signatures

BitRAT Payload (5 IoCs)

  resource                                                                      yara_rule
  behavioral1/memory/1564-65-0x0000000000400000-0x0000000000801000-memory.dmp   family_bitrat
  behavioral1/memory/1564-67-0x0000000000400000-0x0000000000801000-memory.dmp   family_bitrat
  behavioral1/memory/1564-68-0x0000000004BB0000-0x0000000005BB0000-memory.dmp   family_bitrat
  behavioral1/memory/1564-69-0x0000000005C20000-0x0000000006C20000-memory.dmp   family_bitrat
  behavioral1/memory/1564-70-0x0000000005C20000-0x0000000006C20000-memory.dmp   family_bitrat

  resource                                                                      yara_rule
  behavioral1/memory/1564-58-0x0000000000400000-0x0000000000801000-memory.dmp   upx
  behavioral1/memory/1564-60-0x0000000000400000-0x0000000000801000-memory.dmp   upx
  behavioral1/memory/1564-61-0x0000000000400000-0x0000000000801000-memory.dmp   upx
  behavioral1/memory/1564-63-0x0000000000400000-0x0000000000801000-memory.dmp   upx
  behavioral1/memory/1564-64-0x0000000000400000-0x0000000000801000-memory.dmp   upx
  behavioral1/memory/1564-65-0x0000000000400000-0x0000000000801000-memory.dmp   upx
  behavioral1/memory/1564-67-0x0000000000400000-0x0000000000801000-memory.dmp   upx
  behavioral1/memory/1564-68-0x0000000004BB0000-0x0000000005BB0000-memory.dmp   upx

Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.

  flow   ioc
  4      myexternalip.com
  5      myexternalip.com

Suspicious use of NtSetInformationThreadHideFromDebugger (15 IoCs)

  pid    Process
  1564   ac34cd73c656e9f130c52e0d2a7c962e77c205bce96aa02532f06cd13067eb6e.exe
  1564   ac34cd73c656e9f130c52e0d2a7c962e77c205bce96aa02532f06cd13067eb6e.exe
  1564   ac34cd73c656e9f130c52e0d2a7c962e77c205bce96aa02532f06cd13067eb6e.exe
  1564   ac34cd73c656e9f130c52e0d2a7c962e77c205bce96aa02532f06cd13067eb6e.exe
  1564   ac34cd73c656e9f130c52e0d2a7c962e77c205bce96aa02532f06cd13067eb6e.exe
  1564   ac34cd73c656e9f130c52e0d2a7c962e77c205bce96aa02532f06cd13067eb6e.exe
  1564   ac34cd73c656e9f130c52e0d2a7c962e77c205bce96aa02532f06cd13067eb6e.exe
  1564   ac34cd73c656e9f130c52e0d2a7c962e77c205bce96aa02532f06cd13067eb6e.exe
  1564   ac34cd73c656e9f130c52e0d2a7c962e77c205bce96aa02532f06cd13067eb6e.exe
  1564   ac34cd73c656e9f130c52e0d2a7c962e77c205bce96aa02532f06cd13067eb6e.exe
  1564   ac34cd73c656e9f130c52e0d2a7c962e77c205bce96aa02532f06cd13067eb6e.exe
  1564   ac34cd73c656e9f130c52e0d2a7c962e77c205bce96aa02532f06cd13067eb6e.exe
  1564   ac34cd73c656e9f130c52e0d2a7c962e77c205bce96aa02532f06cd13067eb6e.exe
  1564   ac34cd73c656e9f130c52e0d2a7c962e77c205bce96aa02532f06cd13067eb6e.exe
  1564   ac34cd73c656e9f130c52e0d2a7c962e77c205bce96aa02532f06cd13067eb6e.exe

Suspicious use of SetThreadContext (1 IoCs)

  description                              pid    Process                                                                 procid_target
  PID 1052 set thread context of 1564      1052   ac34cd73c656e9f130c52e0d2a7c962e77c205bce96aa02532f06cd13067eb6e.exe   27

Suspicious use of AdjustPrivilegeToken (28 IoCs)

  description                   pid    Process
  Token: SeDebugPrivilege       1052   ac34cd73c656e9f130c52e0d2a7c962e77c205bce96aa02532f06cd13067eb6e.exe
  Token: SeShutdownPrivilege    1564   ac34cd73c656e9f130c52e0d2a7c962e77c205bce96aa02532f06cd13067eb6e.exe
  Token: SeShutdownPrivilege    1564   ac34cd73c656e9f130c52e0d2a7c962e77c205bce96aa02532f06cd13067eb6e.exe
  Token: SeShutdownPrivilege    1564   ac34cd73c656e9f130c52e0d2a7c962e77c205bce96aa02532f06cd13067eb6e.exe
  Token: SeShutdownPrivilege    1564   ac34cd73c656e9f130c52e0d2a7c962e77c205bce96aa02532f06cd13067eb6e.exe
  Token: SeShutdownPrivilege    1564   ac34cd73c656e9f130c52e0d2a7c962e77c205bce96aa02532f06cd13067eb6e.exe
  Token: SeShutdownPrivilege    1564   ac34cd73c656e9f130c52e0d2a7c962e77c205bce96aa02532f06cd13067eb6e.exe
  Token: SeShutdownPrivilege    1564   ac34cd73c656e9f130c52e0d2a7c962e77c205bce96aa02532f06cd13067eb6e.exe
  Token: SeShutdownPrivilege    1564   ac34cd73c656e9f130c52e0d2a7c962e77c205bce96aa02532f06cd13067eb6e.exe
  Token: SeShutdownPrivilege    1564   ac34cd73c656e9f130c52e0d2a7c962e77c205bce96aa02532f06cd13067eb6e.exe
  Token: SeShutdownPrivilege    1564   ac34cd73c656e9f130c52e0d2a7c962e77c205bce96aa02532f06cd13067eb6e.exe
  Token: SeShutdownPrivilege    1564   ac34cd73c656e9f130c52e0d2a7c962e77c205bce96aa02532f06cd13067eb6e.exe
  Token: SeShutdownPrivilege    1564   ac34cd73c656e9f130c52e0d2a7c962e77c205bce96aa02532f06cd13067eb6e.exe
  Token: SeShutdownPrivilege    1564   ac34cd73c656e9f130c52e0d2a7c962e77c205bce96aa02532f06cd13067eb6e.exe
  Token: SeShutdownPrivilege    1564   ac34cd73c656e9f130c52e0d2a7c962e77c205bce96aa02532f06cd13067eb6e.exe
  Token: SeShutdownPrivilege    1564   ac34cd73c656e9f130c52e0d2a7c962e77c205bce96aa02532f06cd13067eb6e.exe
  Token: SeShutdownPrivilege    1564   ac34cd73c656e9f130c52e0d2a7c962e77c205bce96aa02532f06cd13067eb6e.exe
  Token: SeShutdownPrivilege    1564   ac34cd73c656e9f130c52e0d2a7c962e77c205bce96aa02532f06cd13067eb6e.exe
  Token: SeShutdownPrivilege    1564   ac34cd73c656e9f130c52e0d2a7c962e77c205bce96aa02532f06cd13067eb6e.exe
  Token: SeShutdownPrivilege    1564   ac34cd73c656e9f130c52e0d2a7c962e77c205bce96aa02532f06cd13067eb6e.exe
  Token: SeShutdownPrivilege    1564   ac34cd73c656e9f130c52e0d2a7c962e77c205bce96aa02532f06cd13067eb6e.exe
  Token: SeShutdownPrivilege    1564   ac34cd73c656e9f130c52e0d2a7c962e77c205bce96aa02532f06cd13067eb6e.exe
  Token: SeShutdownPrivilege    1564   ac34cd73c656e9f130c52e0d2a7c962e77c205bce96aa02532f06cd13067eb6e.exe
  Token: SeShutdownPrivilege    1564   ac34cd73c656e9f130c52e0d2a7c962e77c205bce96aa02532f06cd13067eb6e.exe
  Token: SeShutdownPrivilege    1564   ac34cd73c656e9f130c52e0d2a7c962e77c205bce96aa02532f06cd13067eb6e.exe
  Token: SeShutdownPrivilege    1564   ac34cd73c656e9f130c52e0d2a7c962e77c205bce96aa02532f06cd13067eb6e.exe
  Token: SeShutdownPrivilege    1564   ac34cd73c656e9f130c52e0d2a7c962e77c205bce96aa02532f06cd13067eb6e.exe
  Token: SeShutdownPrivilege    1564   ac34cd73c656e9f130c52e0d2a7c962e77c205bce96aa02532f06cd13067eb6e.exe

Suspicious use of SetWindowsHookEx (2 IoCs)

  pid    Process
  1564   ac34cd73c656e9f130c52e0d2a7c962e77c205bce96aa02532f06cd13067eb6e.exe
  1564   ac34cd73c656e9f130c52e0d2a7c962e77c205bce96aa02532f06cd13067eb6e.exe

Suspicious use of WriteProcessMemory (8 IoCs)

  description                            pid    Process                                                                 procid_target
  PID 1052 wrote to memory of 1564       1052   ac34cd73c656e9f130c52e0d2a7c962e77c205bce96aa02532f06cd13067eb6e.exe   27
  PID 1052 wrote to memory of 1564       1052   ac34cd73c656e9f130c52e0d2a7c962e77c205bce96aa02532f06cd13067eb6e.exe   27
  PID 1052 wrote to memory of 1564       1052   ac34cd73c656e9f130c52e0d2a7c962e77c205bce96aa02532f06cd13067eb6e.exe   27
  PID 1052 wrote to memory of 1564       1052   ac34cd73c656e9f130c52e0d2a7c962e77c205bce96aa02532f06cd13067eb6e.exe   27
  PID 1052 wrote to memory of 1564       1052   ac34cd73c656e9f130c52e0d2a7c962e77c205bce96aa02532f06cd13067eb6e.exe   27
  PID 1052 wrote to memory of 1564       1052   ac34cd73c656e9f130c52e0d2a7c962e77c205bce96aa02532f06cd13067eb6e.exe   27
  PID 1052 wrote to memory of 1564       1052   ac34cd73c656e9f130c52e0d2a7c962e77c205bce96aa02532f06cd13067eb6e.exe   27
  PID 1052 wrote to memory of 1564       1052   ac34cd73c656e9f130c52e0d2a7c962e77c205bce96aa02532f06cd13067eb6e.exe   27
Processes

1. C:\Users\Admin\AppData\Local\Temp\ac34cd73c656e9f130c52e0d2a7c962e77c205bce96aa02532f06cd13067eb6e.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\ac34cd73c656e9f130c52e0d2a7c962e77c205bce96aa02532f06cd13067eb6e.exe"
   PID: 1052
   - Suspicious use of SetThreadContext
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\ac34cd73c656e9f130c52e0d2a7c962e77c205bce96aa02532f06cd13067eb6e.exe (child of PID 1052)
      Command line: "C:\Users\Admin\AppData\Local\Temp\ac34cd73c656e9f130c52e0d2a7c962e77c205bce96aa02532f06cd13067eb6e.exe"
      PID: 1564
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx