Analysis
-
max time kernel
151s -
max time network
156s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
08/05/2022, 06:35
Static task
static1
Behavioral task
behavioral1
Sample
3ac92596215d32932cf4e2c59cfed2665d23a5a5acd5c7355da04271132203ca.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
3ac92596215d32932cf4e2c59cfed2665d23a5a5acd5c7355da04271132203ca.exe
Resource
win10v2004-20220414-en
General
-
Target
3ac92596215d32932cf4e2c59cfed2665d23a5a5acd5c7355da04271132203ca.exe
-
Size
2.1MB
-
MD5
b2feac6aa6a89365b3f010a0cd34147d
-
SHA1
2faf499f54dbeb1dd46ab018b9f31b566711c432
-
SHA256
3ac92596215d32932cf4e2c59cfed2665d23a5a5acd5c7355da04271132203ca
-
SHA512
d96bf8aebfc1467d0380f41652e98a56b39f8252843b29024b69d7ad44121ab876fea5d752a49b9b6f5cf24e2d791ececdc7d50092e7f2d7ab1586fd97742349
Malware Config
Signatures
-
BitRAT Payload 2 IoCs
resource yara_rule behavioral2/memory/4864-149-0x0000000000400000-0x0000000000807000-memory.dmp family_bitrat behavioral2/memory/4864-150-0x0000000000400000-0x0000000000807000-memory.dmp family_bitrat -
Executes dropped EXE 3 IoCs
pid Process 3676 Cavqm.exe 1772 Cavqm.exe 4864 Cavqm.exe -
resource yara_rule behavioral2/memory/4864-147-0x0000000000400000-0x0000000000807000-memory.dmp upx behavioral2/memory/4864-145-0x0000000000400000-0x0000000000807000-memory.dmp upx behavioral2/memory/4864-148-0x0000000000400000-0x0000000000807000-memory.dmp upx behavioral2/memory/4864-149-0x0000000000400000-0x0000000000807000-memory.dmp upx behavioral2/memory/4864-150-0x0000000000400000-0x0000000000807000-memory.dmp upx -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation 3ac92596215d32932cf4e2c59cfed2665d23a5a5acd5c7355da04271132203ca.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Ojtkmq = "C:\\Users\\Admin\\AppData\\Roaming\\Fehulu\\Ojtkmq.url" Cavqm.exe -
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 66 myexternalip.com 67 myexternalip.com 76 myexternalip.com -
Suspicious use of NtSetInformationThreadHideFromDebugger 17 IoCs
pid Process 4864 Cavqm.exe 4864 Cavqm.exe 4864 Cavqm.exe 4864 Cavqm.exe 4864 Cavqm.exe 4864 Cavqm.exe 4864 Cavqm.exe 4864 Cavqm.exe 4864 Cavqm.exe 4864 Cavqm.exe 4864 Cavqm.exe 4864 Cavqm.exe 4864 Cavqm.exe 4864 Cavqm.exe 4864 Cavqm.exe 4864 Cavqm.exe 4864 Cavqm.exe -
Suspicious use of SetThreadContext 4 IoCs
description pid Process procid_target PID 3676 set thread context of 4596 3676 Cavqm.exe 98 PID 3676 set thread context of 4864 3676 Cavqm.exe 107 PID 3676 set thread context of 4132 3676 Cavqm.exe 108 PID 3676 set thread context of 548 3676 Cavqm.exe 114 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 2 IoCs
pid pid_target Process procid_target 4860 4596 WerFault.exe 98 4148 4132 WerFault.exe 108 -
Suspicious behavior: EnumeratesProcesses 22 IoCs
pid Process 3676 Cavqm.exe 3676 Cavqm.exe 3676 Cavqm.exe 3676 Cavqm.exe 3676 Cavqm.exe 3676 Cavqm.exe 3676 Cavqm.exe 3676 Cavqm.exe 3676 Cavqm.exe 3676 Cavqm.exe 3676 Cavqm.exe 3676 Cavqm.exe 3676 Cavqm.exe 3676 Cavqm.exe 3676 Cavqm.exe 3676 Cavqm.exe 3676 Cavqm.exe 3676 Cavqm.exe 3676 Cavqm.exe 3676 Cavqm.exe 548 regasm.exe 548 regasm.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 3676 Cavqm.exe Token: SeShutdownPrivilege 4864 Cavqm.exe Token: SeDebugPrivilege 548 regasm.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 4864 Cavqm.exe 4864 Cavqm.exe -
Suspicious use of WriteProcessMemory 52 IoCs
description pid Process procid_target PID 1316 wrote to memory of 3676 1316 3ac92596215d32932cf4e2c59cfed2665d23a5a5acd5c7355da04271132203ca.exe 88 PID 1316 wrote to memory of 3676 1316 3ac92596215d32932cf4e2c59cfed2665d23a5a5acd5c7355da04271132203ca.exe 88 PID 1316 wrote to memory of 3676 1316 3ac92596215d32932cf4e2c59cfed2665d23a5a5acd5c7355da04271132203ca.exe 88 PID 3676 wrote to memory of 3044 3676 Cavqm.exe 93 PID 3676 wrote to memory of 3044 3676 Cavqm.exe 93 PID 3676 wrote to memory of 3044 3676 Cavqm.exe 93 PID 3676 wrote to memory of 1772 3676 Cavqm.exe 94 PID 3676 wrote to memory of 1772 3676 Cavqm.exe 94 PID 3676 wrote to memory of 1772 3676 Cavqm.exe 94 PID 3676 wrote to memory of 2952 3676 Cavqm.exe 95 PID 3676 wrote to memory of 2952 3676 Cavqm.exe 95 PID 3676 wrote to memory of 2952 3676 Cavqm.exe 95 PID 3676 wrote to memory of 4596 3676 Cavqm.exe 98 PID 3676 wrote to memory of 4596 3676 Cavqm.exe 98 PID 3676 wrote to memory of 4596 3676 Cavqm.exe 98 PID 3676 wrote to memory of 4596 3676 Cavqm.exe 98 PID 3676 wrote to memory of 4596 3676 Cavqm.exe 98 PID 3676 wrote to memory of 4596 3676 Cavqm.exe 98 PID 3676 wrote to memory of 4596 3676 Cavqm.exe 98 PID 3676 wrote to memory of 4596 3676 Cavqm.exe 98 PID 3676 wrote to memory of 396 3676 Cavqm.exe 104 PID 3676 wrote to memory of 396 3676 Cavqm.exe 104 PID 3676 wrote to memory of 396 3676 Cavqm.exe 104 PID 3676 wrote to memory of 4864 3676 Cavqm.exe 107 PID 3676 wrote to memory of 4864 3676 Cavqm.exe 107 PID 3676 wrote to memory of 4864 3676 Cavqm.exe 107 PID 3676 wrote to memory of 4864 3676 Cavqm.exe 107 PID 3676 wrote to memory of 4864 3676 Cavqm.exe 107 PID 3676 wrote to memory of 4864 3676 Cavqm.exe 107 PID 3676 wrote to memory of 4864 3676 Cavqm.exe 107 PID 3676 wrote to memory of 4132 3676 Cavqm.exe 108 PID 3676 wrote to memory of 4132 3676 Cavqm.exe 108 PID 3676 wrote to memory of 4132 3676 Cavqm.exe 108 PID 3676 wrote to memory of 4132 3676 Cavqm.exe 108 PID 3676 wrote to memory of 4132 3676 Cavqm.exe 108 PID 3676 wrote to memory of 4132 3676 Cavqm.exe 108 PID 3676 wrote to memory of 4132 3676 Cavqm.exe 108 PID 3676 wrote to memory of 4132 3676 Cavqm.exe 108 PID 3676 wrote to memory of 1396 3676 Cavqm.exe 111 PID 3676 wrote to memory of 1396 3676 Cavqm.exe 111 PID 3676 wrote to memory of 1396 3676 Cavqm.exe 111 PID 3676 wrote to memory of 4788 3676 Cavqm.exe 113 PID 3676 wrote to memory of 4788 3676 Cavqm.exe 113 PID 3676 wrote to memory of 4788 3676 Cavqm.exe 113 PID 3676 wrote to memory of 548 3676 Cavqm.exe 114 PID 3676 wrote to memory of 548 3676 Cavqm.exe 114 PID 3676 wrote to memory of 548 3676 Cavqm.exe 114 PID 3676 wrote to memory of 548 3676 Cavqm.exe 114 PID 3676 wrote to memory of 548 3676 Cavqm.exe 114 PID 3676 wrote to memory of 548 3676 Cavqm.exe 114 PID 3676 wrote to memory of 548 3676 Cavqm.exe 114 PID 3676 wrote to memory of 548 3676 Cavqm.exe 114
Processes
-
C:\Users\Admin\AppData\Local\Temp\3ac92596215d32932cf4e2c59cfed2665d23a5a5acd5c7355da04271132203ca.exe"C:\Users\Admin\AppData\Local\Temp\3ac92596215d32932cf4e2c59cfed2665d23a5a5acd5c7355da04271132203ca.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1316 -
C:\Users\Admin\AppData\Roaming\Fehulu\Cavqm.exe"C:\Users\Admin\AppData\Roaming\Fehulu\Cavqm.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3676 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"3⤵PID:3044
-
-
C:\Users\Admin\AppData\Roaming\Fehulu\Cavqm.exe"C:\Users\Admin\AppData\Roaming\Fehulu\Cavqm.exe"3⤵
- Executes dropped EXE
PID:1772
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"3⤵PID:2952
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"3⤵PID:4596
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4596 -s 1524⤵
- Program crash
PID:4860
-
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"3⤵PID:396
-
-
C:\Users\Admin\AppData\Roaming\Fehulu\Cavqm.exe"C:\Users\Admin\AppData\Roaming\Fehulu\Cavqm.exe"3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4864
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"3⤵PID:4132
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4132 -s 1524⤵
- Program crash
PID:4148
-
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"3⤵PID:1396
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"3⤵PID:4788
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:548
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4596 -ip 45961⤵PID:4640
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4132 -ip 41321⤵PID:3444
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.1MB
MD5b2feac6aa6a89365b3f010a0cd34147d
SHA12faf499f54dbeb1dd46ab018b9f31b566711c432
SHA2563ac92596215d32932cf4e2c59cfed2665d23a5a5acd5c7355da04271132203ca
SHA512d96bf8aebfc1467d0380f41652e98a56b39f8252843b29024b69d7ad44121ab876fea5d752a49b9b6f5cf24e2d791ececdc7d50092e7f2d7ab1586fd97742349
-
Filesize
2.1MB
MD5b2feac6aa6a89365b3f010a0cd34147d
SHA12faf499f54dbeb1dd46ab018b9f31b566711c432
SHA2563ac92596215d32932cf4e2c59cfed2665d23a5a5acd5c7355da04271132203ca
SHA512d96bf8aebfc1467d0380f41652e98a56b39f8252843b29024b69d7ad44121ab876fea5d752a49b9b6f5cf24e2d791ececdc7d50092e7f2d7ab1586fd97742349
-
Filesize
2.1MB
MD5b2feac6aa6a89365b3f010a0cd34147d
SHA12faf499f54dbeb1dd46ab018b9f31b566711c432
SHA2563ac92596215d32932cf4e2c59cfed2665d23a5a5acd5c7355da04271132203ca
SHA512d96bf8aebfc1467d0380f41652e98a56b39f8252843b29024b69d7ad44121ab876fea5d752a49b9b6f5cf24e2d791ececdc7d50092e7f2d7ab1586fd97742349
-
Filesize
2.1MB
MD5b2feac6aa6a89365b3f010a0cd34147d
SHA12faf499f54dbeb1dd46ab018b9f31b566711c432
SHA2563ac92596215d32932cf4e2c59cfed2665d23a5a5acd5c7355da04271132203ca
SHA512d96bf8aebfc1467d0380f41652e98a56b39f8252843b29024b69d7ad44121ab876fea5d752a49b9b6f5cf24e2d791ececdc7d50092e7f2d7ab1586fd97742349
-
Filesize
168B
MD51745f298ce618adb5c667e42b2e1b5c9
SHA166ab7e9f4dc3780fcc0b6d0ee31cb0259f2d2060
SHA2569bcd11157e69126e6b191cfaee6e51104b364347fe6a20dcb64bce8bc47a1b74
SHA51213bf2e06b196eb914c693ee28b9d7c03932026760f163248ca129f30178b1054d1bc6e99294e180d1b7ae1656f062a5ebaca6ef10ce8f189d8afb8dc67df094c