Analysis

max time kernel: 208s
max time network: 211s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 08/05/2022, 06:14

Static task: static1
Behavioral task: behavioral1
  Sample: ac34cd73c656e9f130c52e0d2a7c962e77c205bce96aa02532f06cd13067eb6e.exe
  Resource: win7-20220414-en
  0 signatures, 0 seconds

Note: the behavioral1 task on win7-20220414-en recorded no signatures. The signature rows and memory-dump paths below all carry the behavioral2 prefix, i.e. they come from the windows10-2004_x64 / win10v2004-20220414-en run listed at the top of this page.
General

Target: ac34cd73c656e9f130c52e0d2a7c962e77c205bce96aa02532f06cd13067eb6e.exe
Size: 1.8MB
MD5: 14e2737c5b66f86935ec2b174e7bfbfa
SHA1: f99879eccea381506840f9693cd185ee81e2c56a
SHA256: ac34cd73c656e9f130c52e0d2a7c962e77c205bce96aa02532f06cd13067eb6e
SHA512: f974bd374b27948f38f2abbd1c2ec6331a7e4f66efe89e14bf10ea17afa499ba3b51eb2665de60280508c9cff99542c677115088a7b9c71039596b4cbbd1998f
Malware Config
Signatures

In every row below the Process column is ac34cd73c656e9f130c52e0d2a7c962e77c205bce96aa02532f06cd13067eb6e.exe: PID 2408 is the sample as launched, PIDs 1096, 5088 and 5108 are child copies of the same executable (see Processes). Read together, the rows describe one chain: 2408 writes into three child copies of itself and sets the thread context of only the last one (5108), and it is 5108 whose memory then matches the BitRAT and UPX rules. That is the usual RunPE / process-hollowing shape (spawn suspended child, WriteProcessMemory, SetThreadContext), with 1096 and 5088 looking like attempts that were written to but never resumed.

BitRAT Payload (2 IoCs)
  resource                                                                       yara_rule
  behavioral2/memory/5108-137-0x0000000000400000-0x0000000000801000-memory.dmp   family_bitrat
  behavioral2/memory/5108-138-0x0000000000400000-0x0000000000801000-memory.dmp   family_bitrat

UPX (yara rule "upx"; the signature title for this block is missing from the page) (5 IoCs)
  resource                                                                       yara_rule
  behavioral2/memory/5108-134-0x0000000000400000-0x0000000000801000-memory.dmp   upx
  behavioral2/memory/5108-135-0x0000000000400000-0x0000000000801000-memory.dmp   upx
  behavioral2/memory/5108-136-0x0000000000400000-0x0000000000801000-memory.dmp   upx
  behavioral2/memory/5108-137-0x0000000000400000-0x0000000000801000-memory.dmp   upx
  behavioral2/memory/5108-138-0x0000000000400000-0x0000000000801000-memory.dmp   upx
  All seven dumps cover the same region of PID 5108, 0x400000-0x801000 (0x401000 bytes, about 4.0 MB), which is larger than the 1.8MB file on disk; dumps 137 and 138 match both the upx and family_bitrat rules.

Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  pid    Process
  5108   (sample)
  5108   (sample)

Suspicious use of SetThreadContext (1 IoC)
  description                                  pid    Process    procid_target
  PID 2408 set thread context of 5108          2408   (sample)   82

Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid    Process
  2408   (sample)  x4

Suspicious use of AdjustPrivilegeToken (36 IoCs)
  description                         pid    Process    count
  Token: SeDebugPrivilege             2408   (sample)   1
  Token: SeShutdownPrivilege          5108   (sample)   18
  Token: SeCreatePagefilePrivilege    5108   (sample)   17
  The 35 rows for 5108 appear interleaved in the report, alternating between SeShutdownPrivilege and SeCreatePagefilePrivilege; they are collapsed by count here. SeDebugPrivilege is enabled only by the parent 2408, the process that performs the injection.

Suspicious use of SetWindowsHookEx (2 IoCs)
  pid    Process
  5108   (sample)
  5108   (sample)

Suspicious use of WriteProcessMemory (13 IoCs)
  description                              pid    Process    procid_target   count
  PID 2408 wrote to memory of 1096         2408   (sample)   80              3
  PID 2408 wrote to memory of 5088         2408   (sample)   81              3
  PID 2408 wrote to memory of 5108         2408   (sample)   82              7
Processes

[1] C:\Users\Admin\AppData\Local\Temp\ac34cd73c656e9f130c52e0d2a7c962e77c205bce96aa02532f06cd13067eb6e.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\ac34cd73c656e9f130c52e0d2a7c962e77c205bce96aa02532f06cd13067eb6e.exe"
    PID: 2408
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Local\Temp\ac34cd73c656e9f130c52e0d2a7c962e77c205bce96aa02532f06cd13067eb6e.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\ac34cd73c656e9f130c52e0d2a7c962e77c205bce96aa02532f06cd13067eb6e.exe"
        PID: 1096
        (no signatures)

    [2] C:\Users\Admin\AppData\Local\Temp\ac34cd73c656e9f130c52e0d2a7c962e77c205bce96aa02532f06cd13067eb6e.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\ac34cd73c656e9f130c52e0d2a7c962e77c205bce96aa02532f06cd13067eb6e.exe"
        PID: 5088
        (no signatures)

    [2] C:\Users\Admin\AppData\Local\Temp\ac34cd73c656e9f130c52e0d2a7c962e77c205bce96aa02532f06cd13067eb6e.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\ac34cd73c656e9f130c52e0d2a7c962e77c205bce96aa02532f06cd13067eb6e.exe"
        PID: 5108
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
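The injection chain recorded in the Signatures and Processes sections can be recovered mechanically from the flattened rows, which is what an analyst triaging many such reports wants. The Python below is an added example written for this page; it is not code or output from the sandbox. It assumes only the row layouts visible above ("PID <src> wrote to memory of <dst> <src> <image> <procid_target>", the same shape for the SetThreadContext row, and "behavioral2/memory/<pid>-<n>-<start>-<end>-memory.dmp <rule>" for yara hits). The REPORT string is constructed from those rows, using string repetition for the rows the report repeats verbatim; the names SAMPLE, DUMP, parse, injection_chains and payload_region are the example's own.

```python
"""Reconstruct a process-hollowing chain from flattened sandbox signature rows.

Added example for this page; not code or output from the sandbox. REPORT is
constructed from the WriteProcessMemory, SetThreadContext and yara rows shown
on the page, using string repetition for rows the report repeats verbatim.
"""
import re
from collections import Counter, defaultdict

SAMPLE = "ac34cd73c656e9f130c52e0d2a7c962e77c205bce96aa02532f06cd13067eb6e.exe"
DUMP = "behavioral2/memory/5108-{n}-0x0000000000400000-0x0000000000801000-memory.dmp {rule}"

REPORT = (
    f"PID 2408 wrote to memory of 1096 2408 {SAMPLE} 80 " * 3
    + f"PID 2408 wrote to memory of 5088 2408 {SAMPLE} 81 " * 3
    + f"PID 2408 wrote to memory of 5108 2408 {SAMPLE} 82 " * 7
    + f"PID 2408 set thread context of 5108 2408 {SAMPLE} 82 "
    + " ".join(DUMP.format(n=n, rule="family_bitrat") for n in (137, 138)) + " "
    + " ".join(DUMP.format(n=n, rule="upx") for n in range(134, 139))
)

# Row layouts as they appear on the page (assumed from the page, not a documented format).
WPM = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 \S+ (\d+)")
STC = re.compile(r"PID (\d+) set thread context of (\d+) \1 \S+ (\d+)")
YARA = re.compile(r"memory/(\d+)-(\d+)-(0x[0-9a-fA-F]+)-(0x[0-9a-fA-F]+)-memory\.dmp (\S+)")


def parse(text):
    """Return (write counts per (parent, child), set of (parent, child) pairs
    whose thread context was set, yara hits per pid as {(rule, start, end)})."""
    writes = Counter((int(s), int(d)) for s, d, _ in WPM.findall(text))
    ctx = {(int(s), int(d)) for s, d, _ in STC.findall(text)}
    hits = defaultdict(set)
    for pid, _dump, start, end, rule in YARA.findall(text):
        hits[int(pid)].add((rule, int(start, 16), int(end, 16)))
    return writes, ctx, hits


def injection_chains(text):
    """One record per (parent, child) pair the parent wrote into.

    RunPE / process hollowing (ATT&CK T1055.012) looks like: spawn a child
    (here a copy of the sample itself), WriteProcessMemory into it, then
    SetThreadContext to point its thread at the written image.  A child that
    was written to but never had its context set is a likely failed or
    abandoned attempt; a child with both calls and payload rules matching in
    its memory is the live payload host.
    """
    writes, ctx, hits = parse(text)
    chains = []
    for (parent, child), n in sorted(writes.items()):
        rules = sorted({r for r, _, _ in hits.get(child, ())})
        resumed = (parent, child) in ctx
        chains.append({
            "parent": parent, "child": child, "writes": n,
            "thread_context_set": resumed, "rules": rules,
            "hollowed": resumed and bool(rules),
        })
    return chains


def payload_region(text, pid):
    """(start, end, size) of the single yara-matched region in pid, else None."""
    _, _, hits = parse(text)
    regions = {(s, e) for _, s, e in hits.get(pid, ())}
    if len(regions) != 1:
        return None
    (start, end), = regions
    return start, end, end - start


if __name__ == "__main__":
    for chain in injection_chains(REPORT):
        print(chain)
    start, end, size = payload_region(REPORT, 5108)
    # 0x401000 bytes mapped in memory versus 1.8MB on disk is consistent with
    # the UPX stub having unpacked the real image before the dump was taken.
    print(f"payload image in 5108: {start:#x}-{end:#x} ({size} bytes)")
```

Run as a script it prints three chain records (1096 and 5088 written to but not resumed, 5108 written to, resumed and carrying the family_bitrat and upx hits) and the 0x400000-0x801000 region. The same parse step works on other reports in this layout as long as the row shapes match; anything the regexes do not recognise is silently skipped, so check the counts against the "N IoCs" headers before trusting a result.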