Analysis
  max time kernel: 170s
  max time network: 198s
  platform: windows7_x64
  resource: win7-20220414-en
  submitted: 08/05/2022, 07:30

Static task: static1

Behavioral task: behavioral1
  Sample: f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe
  Resource: win7-20220414-en

Behavioral task: behavioral2
  Sample: f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe
  Resource: win10v2004-20220414-en

General
  Target: f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe
  Size: 2.1MB
  MD5: e42e185f70b5c89af184424bb35da929
  SHA1: 2023e739f67dca9aadfa3143678444b53d9711ed
  SHA256: f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e
  SHA512: c6f171100ce8411246db5f49e7b7ace7780eefd6cce5490bb570f45d3abc928ae45d78f0d26d90e211612fe67f37942010a9ccd21d53efec8b77b13f9c534430
Malware Config
Signatures

BitRAT Payload (3 IoCs)
  resource | yara_rule
  behavioral1/memory/1668-80-0x0000000000805D30-mapping.dmp | family_bitrat
  behavioral1/memory/1668-83-0x0000000000400000-0x000000000081E000-memory.dmp | family_bitrat
  behavioral1/memory/1668-86-0x0000000000400000-0x000000000081E000-memory.dmp | family_bitrat
Modifies WinLogon for persistence (2 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Local\\Temp\\f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe\"" | f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe
Yara rule upx matches (8 IoCs)
  resource | yara_rule
  behavioral1/memory/1668-74-0x0000000000400000-0x000000000081E000-memory.dmp | upx
  behavioral1/memory/1668-76-0x0000000000400000-0x000000000081E000-memory.dmp | upx
  behavioral1/memory/1668-77-0x0000000000400000-0x000000000081E000-memory.dmp | upx
  behavioral1/memory/1668-79-0x0000000000400000-0x000000000081E000-memory.dmp | upx
  behavioral1/memory/1668-81-0x0000000000400000-0x000000000081E000-memory.dmp | upx
  behavioral1/memory/1668-82-0x0000000000400000-0x000000000081E000-memory.dmp | upx
  behavioral1/memory/1668-83-0x0000000000400000-0x000000000081E000-memory.dmp | upx
  behavioral1/memory/1668-86-0x0000000000400000-0x000000000081E000-memory.dmp | upx
Drops startup file (2 IoCs)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe | f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe | f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe
Windows security modification (9 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe = "0" | f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe = "0" | f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Real-Time Protection | f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0" | f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions | f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features | f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\<Unknown> = "C:\\Users\\Admin\\AppData\\Local\\Temp\\f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe" | f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe" | f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTPs)

Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  14 | myexternalip.com
Suspicious use of NtSetInformationThreadHideFromDebugger (13 IoCs)
  pid | Process
  2024 | f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe
  2024 | f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe
  2024 | f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe
  2024 | f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe
  2024 | f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe
  2024 | f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe
  2024 | f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe
  2024 | f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe
  2024 | f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe
  2024 | f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe
  2024 | f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe
  1668 | f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe
  1668 | f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe
Suspicious use of SetThreadContext (1 IoCs)
  description | pid | Process | procid_target
  PID 2024 set thread context of 1668 | 2024 | f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe | 38
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Program crash (1 IoCs)
  pid | pid_target | Process | procid_target
  980 | 2024 | WerFault.exe | 16

Delays execution with timeout.exe (1 IoCs)
  pid | Process
  1744 | timeout.exe

Suspicious behavior: EnumeratesProcesses (6 IoCs)
  pid | Process
  1288 | powershell.exe
  1096 | powershell.exe
  1480 | powershell.exe
  872 | powershell.exe
  2024 | f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe
  2024 | f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe

Suspicious use of AdjustPrivilegeToken (7 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2024 | f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe
  Token: SeDebugPrivilege | 1288 | powershell.exe
  Token: SeDebugPrivilege | 1096 | powershell.exe
  Token: SeDebugPrivilege | 1480 | powershell.exe
  Token: SeDebugPrivilege | 872 | powershell.exe
  Token: SeDebugPrivilege | 1668 | f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe
  Token: SeShutdownPrivilege | 1668 | f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
  pid | Process
  1668 | f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe
  1668 | f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe
Suspicious use of WriteProcessMemory (33 IoCs)
  description | pid | Process | procid_target
  PID 2024 wrote to memory of 1744 | 2024 | f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe | 28
  PID 2024 wrote to memory of 1744 | 2024 | f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe | 28
  PID 2024 wrote to memory of 1744 | 2024 | f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe | 28
  PID 2024 wrote to memory of 1744 | 2024 | f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe | 28
  PID 2024 wrote to memory of 1288 | 2024 | f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe | 30
  PID 2024 wrote to memory of 1288 | 2024 | f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe | 30
  PID 2024 wrote to memory of 1288 | 2024 | f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe | 30
  PID 2024 wrote to memory of 1288 | 2024 | f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe | 30
  PID 2024 wrote to memory of 1096 | 2024 | f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe | 32
  PID 2024 wrote to memory of 1096 | 2024 | f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe | 32
  PID 2024 wrote to memory of 1096 | 2024 | f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe | 32
  PID 2024 wrote to memory of 1096 | 2024 | f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe | 32
  PID 2024 wrote to memory of 1480 | 2024 | f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe | 34
  PID 2024 wrote to memory of 1480 | 2024 | f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe | 34
  PID 2024 wrote to memory of 1480 | 2024 | f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe | 34
  PID 2024 wrote to memory of 1480 | 2024 | f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe | 34
  PID 2024 wrote to memory of 872 | 2024 | f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe | 36
  PID 2024 wrote to memory of 872 | 2024 | f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe | 36
  PID 2024 wrote to memory of 872 | 2024 | f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe | 36
  PID 2024 wrote to memory of 872 | 2024 | f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe | 36
  PID 2024 wrote to memory of 1668 | 2024 | f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe | 38
  PID 2024 wrote to memory of 1668 | 2024 | f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe | 38
  PID 2024 wrote to memory of 1668 | 2024 | f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe | 38
  PID 2024 wrote to memory of 1668 | 2024 | f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe | 38
  PID 2024 wrote to memory of 1668 | 2024 | f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe | 38
  PID 2024 wrote to memory of 1668 | 2024 | f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe | 38
  PID 2024 wrote to memory of 1668 | 2024 | f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe | 38
  PID 2024 wrote to memory of 1668 | 2024 | f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe | 38
  PID 2024 wrote to memory of 1668 | 2024 | f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe | 38
  PID 2024 wrote to memory of 980 | 2024 | f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe | 39
  PID 2024 wrote to memory of 980 | 2024 | f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe | 39
  PID 2024 wrote to memory of 980 | 2024 | f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe | 39
  PID 2024 wrote to memory of 980 | 2024 | f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe | 39
Processes

C:\Users\Admin\AppData\Local\Temp\f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe"
  Depth: 1
  PID: 2024
  - Modifies WinLogon for persistence
  - Drops startup file
  - Windows security modification
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\timeout.exe
      Command line: timeout 4
      Depth: 2
      PID: 1744
      - Delays execution with timeout.exe

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe" -Force
      Depth: 2
      PID: 1288
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe" -Force
      Depth: 2
      PID: 1096
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe" -Force
      Depth: 2
      PID: 1480
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe" -Force
      Depth: 2
      PID: 872
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Local\Temp\f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe"
      Depth: 2
      PID: 1668
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2024 -s 1352
      Depth: 2
      PID: 980
      - Program crash
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  Filesize: 7KB
  MD5: c0fb8fdae68d5c81d305b649333a84e5
  SHA1: e7a77ef57e1d8ec42f4bcc48436d08f4dcfaa85e
  SHA256: 0dacd23f0a9494d130852841b7ed8cdd0b8b3a33f8f52f695db807bbe5e876f7
  SHA512: 05878de9298ff97fed97a9d394cbb5f53576518461249a50c48f24d6615d0c3a9c7668d132e4d7a1433be9534d47e6503acac0eb32e003a77c06430280b023ef