Analysis

  • max time kernel
    151s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    08/05/2022, 06:35

General

  • Target

    3ac92596215d32932cf4e2c59cfed2665d23a5a5acd5c7355da04271132203ca.exe

  • Size

    2.1MB

  • MD5

    b2feac6aa6a89365b3f010a0cd34147d

  • SHA1

    2faf499f54dbeb1dd46ab018b9f31b566711c432

  • SHA256

    3ac92596215d32932cf4e2c59cfed2665d23a5a5acd5c7355da04271132203ca

  • SHA512

    d96bf8aebfc1467d0380f41652e98a56b39f8252843b29024b69d7ad44121ab876fea5d752a49b9b6f5cf24e2d791ececdc7d50092e7f2d7ab1586fd97742349

Malware Config

Signatures

  • BitRAT

    BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

  • BitRAT Payload 2 IoCs
  • Executes dropped EXE 3 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely used as a geofence.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 17 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 22 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 52 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3ac92596215d32932cf4e2c59cfed2665d23a5a5acd5c7355da04271132203ca.exe
    "C:\Users\Admin\AppData\Local\Temp\3ac92596215d32932cf4e2c59cfed2665d23a5a5acd5c7355da04271132203ca.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1316
    • C:\Users\Admin\AppData\Roaming\Fehulu\Cavqm.exe
      "C:\Users\Admin\AppData\Roaming\Fehulu\Cavqm.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3676
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
        3⤵
          PID:3044
        • C:\Users\Admin\AppData\Roaming\Fehulu\Cavqm.exe
          "C:\Users\Admin\AppData\Roaming\Fehulu\Cavqm.exe"
          3⤵
          • Executes dropped EXE
          PID:1772
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
          3⤵
            PID:2952
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
            3⤵
              PID:4596
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 4596 -s 152
                4⤵
                • Program crash
                PID:4860
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
              3⤵
                PID:396
              • C:\Users\Admin\AppData\Roaming\Fehulu\Cavqm.exe
                "C:\Users\Admin\AppData\Roaming\Fehulu\Cavqm.exe"
                3⤵
                • Executes dropped EXE
                • Suspicious use of NtSetInformationThreadHideFromDebugger
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of SetWindowsHookEx
                PID:4864
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
                3⤵
                  PID:4132
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -u -p 4132 -s 152
                    4⤵
                    • Program crash
                    PID:4148
                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
                  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
                  3⤵
                    PID:1396
                  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
                    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
                    3⤵
                      PID:4788
                    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
                      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
                      3⤵
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      PID:548
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4596 -ip 4596
    1⤵
      PID:4640
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4132 -ip 4132
    1⤵
      PID:3444

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Roaming\Fehulu\Cavqm.exe

    Filesize

    2.1MB

    MD5

    b2feac6aa6a89365b3f010a0cd34147d

    SHA1

    2faf499f54dbeb1dd46ab018b9f31b566711c432

    SHA256

    3ac92596215d32932cf4e2c59cfed2665d23a5a5acd5c7355da04271132203ca

    SHA512

    d96bf8aebfc1467d0380f41652e98a56b39f8252843b29024b69d7ad44121ab876fea5d752a49b9b6f5cf24e2d791ececdc7d50092e7f2d7ab1586fd97742349

  • C:\Users\Admin\AppData\Roaming\Fehulu\Ojtkmq.url

    Filesize

    168B

    MD5

    1745f298ce618adb5c667e42b2e1b5c9

    SHA1

    66ab7e9f4dc3780fcc0b6d0ee31cb0259f2d2060

    SHA256

    9bcd11157e69126e6b191cfaee6e51104b364347fe6a20dcb64bce8bc47a1b74

    SHA512

    13bf2e06b196eb914c693ee28b9d7c03932026760f163248ca129f30178b1054d1bc6e99294e180d1b7ae1656f062a5ebaca6ef10ce8f189d8afb8dc67df094c

  • memory/1316-130-0x0000000000CD0000-0x0000000000EFA000-memory.dmp

    Filesize

    2.2MB

  • memory/1316-131-0x0000000005FB0000-0x0000000006554000-memory.dmp

    Filesize

    5.6MB

  • memory/1316-132-0x0000000005910000-0x00000000059A2000-memory.dmp

    Filesize

    584KB

  • memory/1316-133-0x00000000058B0000-0x00000000058BA000-memory.dmp

    Filesize

    40KB

  • memory/4596-142-0x0000000000400000-0x0000000000412000-memory.dmp

    Filesize

    72KB

  • memory/4864-148-0x0000000000400000-0x0000000000807000-memory.dmp

    Filesize

    4.0MB

  • memory/4864-149-0x0000000000400000-0x0000000000807000-memory.dmp

    Filesize

    4.0MB

  • memory/4864-150-0x0000000000400000-0x0000000000807000-memory.dmp

    Filesize

    4.0MB

  • memory/4864-145-0x0000000000400000-0x0000000000807000-memory.dmp

    Filesize

    4.0MB

  • memory/4864-147-0x0000000000400000-0x0000000000807000-memory.dmp

    Filesize

    4.0MB