Analysis
max time kernel: 170s
max time network: 216s
platform: windows7_x64
resource: win7-20220414-en
submitted: 08/05/2022, 15:45
Static task: static1
Behavioral task: behavioral1
  Sample: 2922ab1111d2f51decc1a4a96a0f784084a6548dd8c36ed4a8988213570368af.exe
  Resource: win7-20220414-en
  0 signatures, 0 seconds
Behavioral task: behavioral2
  Sample: 2922ab1111d2f51decc1a4a96a0f784084a6548dd8c36ed4a8988213570368af.exe
  Resource: win10v2004-20220414-en
  0 signatures, 0 seconds
General
Target: 2922ab1111d2f51decc1a4a96a0f784084a6548dd8c36ed4a8988213570368af.exe
Size: 4.1MB
MD5: 71f41aceb312b816242d924bb8d02094
SHA1: 7395e30d789fdaba56faeb38a296663c9411b3c1
SHA256: 2922ab1111d2f51decc1a4a96a0f784084a6548dd8c36ed4a8988213570368af
SHA512: 9cccf156d1ddf7c3a7f6d03b3e9660160f6e8b5d279380075558104152d51054511aa1310062408d6ad85c1df9f1546b5138e899de9017d6d5dc7ada309a90ff
Score: 10/10
Malware Config
Extracted
  Family: bitrat
  Version: 1.30
Signatures
BitRAT Payload (1 IoC)
  resource: behavioral1/memory/1784-54-0x0000000000400000-0x0000000000828000-memory.dmp
  yara_rule: family_bitrat
Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\sysdiagnostichelps = "C:\\Users\\Admin\\AppData\\Local\\sysdiagnosticers\\sysdiagnostichelps.exe"
  process: 2922ab1111d2f51decc1a4a96a0f784084a6548dd8c36ed4a8988213570368af.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (4 IoCs)
  pid 1784, process 2922ab1111d2f51decc1a4a96a0f784084a6548dd8c36ed4a8988213570368af.exe (4 occurrences)
Suspicious behavior: RenamesItself (25 IoCs)
  pid 1784, process 2922ab1111d2f51decc1a4a96a0f784084a6548dd8c36ed4a8988213570368af.exe (25 occurrences)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, pid 1784, process 2922ab1111d2f51decc1a4a96a0f784084a6548dd8c36ed4a8988213570368af.exe
  Token: SeShutdownPrivilege, pid 1784, process 2922ab1111d2f51decc1a4a96a0f784084a6548dd8c36ed4a8988213570368af.exe
Suspicious use of SetWindowsHookEx (2 IoCs)
  pid 1784, process 2922ab1111d2f51decc1a4a96a0f784084a6548dd8c36ed4a8988213570368af.exe (2 occurrences)
Processes
C:\Users\Admin\AppData\Local\Temp\2922ab1111d2f51decc1a4a96a0f784084a6548dd8c36ed4a8988213570368af.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\2922ab1111d2f51decc1a4a96a0f784084a6548dd8c36ed4a8988213570368af.exe"
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
  PID: 1784