Analysis
max time kernel: 158s
max time network: 166s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 08/05/2022, 15:45

Static task: static1

Behavioral task: behavioral1
Sample: 2922ab1111d2f51decc1a4a96a0f784084a6548dd8c36ed4a8988213570368af.exe
Resource: win7-20220414-en
0 signatures, 0 seconds

Behavioral task: behavioral2
Sample: 2922ab1111d2f51decc1a4a96a0f784084a6548dd8c36ed4a8988213570368af.exe
Resource: win10v2004-20220414-en
0 signatures, 0 seconds
General
Target: 2922ab1111d2f51decc1a4a96a0f784084a6548dd8c36ed4a8988213570368af.exe
Size: 4.1MB
MD5: 71f41aceb312b816242d924bb8d02094
SHA1: 7395e30d789fdaba56faeb38a296663c9411b3c1
SHA256: 2922ab1111d2f51decc1a4a96a0f784084a6548dd8c36ed4a8988213570368af
SHA512: 9cccf156d1ddf7c3a7f6d03b3e9660160f6e8b5d279380075558104152d51054511aa1310062408d6ad85c1df9f1546b5138e899de9017d6d5dc7ada309a90ff
Score: 10/10
Malware Config
Extracted
Family: bitrat
Version: 1.30
Signatures

BitRAT Payload (1 IoC)
resource: behavioral2/memory/4368-130-0x0000000000400000-0x0000000000828000-memory.dmp
yara_rule: family_bitrat

Adds Run key to start application (2 TTPs, 2 IoCs)
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysdiagnostichelps = "C:\\Users\\Admin\\AppData\\Local\\sysdiagnosticers\\sysdiagnostichelps.exe"
process: 2922ab1111d2f51decc1a4a96a0f784084a6548dd8c36ed4a8988213570368af.exe
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysdiagnostichelps = "C:\\Users\\Admin\\AppData\\Local\\sysdiagnosticers\\sysdiagnostichelps.exe耀"
process: 2922ab1111d2f51decc1a4a96a0f784084a6548dd8c36ed4a8988213570368af.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (4 IoCs)
pid: 4368, process: 2922ab1111d2f51decc1a4a96a0f784084a6548dd8c36ed4a8988213570368af.exe (4 occurrences)

Suspicious behavior: RenamesItself (23 IoCs)
pid: 4368, process: 2922ab1111d2f51decc1a4a96a0f784084a6548dd8c36ed4a8988213570368af.exe (23 occurrences)

Suspicious use of AdjustPrivilegeToken (1 IoC)
description: Token: SeShutdownPrivilege
pid: 4368, process: 2922ab1111d2f51decc1a4a96a0f784084a6548dd8c36ed4a8988213570368af.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
pid: 4368, process: 2922ab1111d2f51decc1a4a96a0f784084a6548dd8c36ed4a8988213570368af.exe (2 occurrences)
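The Run-key signature above records the same autostart value twice, once clean and once with a trailing non-ASCII character after ".exe". The Python script below is an added example, not part of the sandbox report or of the BitRAT sample: it runs a Run-key persistence check over constructed registry value-set records modelled on those two writes, normalizes each value so both variants resolve to the same path, and flags only autostart entries that point into user-writable directories. The Sysmon Event ID 13-style field names (Image, TargetObject, Details), the sample records and the USER_WRITABLE list are assumptions made for illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional

# A Run / RunOnce value under HKCU (\REGISTRY\USER\<SID>\... or HKU\<SID>\...)
# or HKLM; only the tail of the key path matters.
RUN_KEY_RE = re.compile(
    r"\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\(?P<key>Run|RunOnce)\\(?P<name>[^\\]+)$",
    re.IGNORECASE,
)

# Directories a normal user can write to; an autostart binary living there is the
# pattern seen in the report (assumed list for illustration, extend for your estate).
USER_WRITABLE = ("\\appdata\\local\\", "\\appdata\\roaming\\", "\\temp\\", "\\users\\public\\")


@dataclass(frozen=True)
class Finding:
    writer: str      # process that set the value
    key: str         # Run or RunOnce
    value_name: str  # value name, e.g. sysdiagnostichelps
    image: str       # normalized path of the binary that will autostart


def _strip_tail(s: str) -> str:
    """Drop trailing characters outside printable ASCII (control bytes, U+8000-style debris)."""
    while s and not (0x20 <= ord(s[-1]) <= 0x7E):
        s = s[:-1]
    return s


def normalize_value(raw: str) -> str:
    """Reduce a REG_SZ Run value to the executable path it launches."""
    s = _strip_tail(raw.strip())
    if s.startswith('"'):                      # "C:\path with spaces\x.exe" [args]
        end = s.find('"', 1)
        s = s[1:end] if end > 0 else s[1:]
    else:                                      # unquoted: arguments follow the .exe
        m = re.match(r"(?is)(.*?\.exe)(?:\s|$)", s)
        if m:
            s = m.group(1)
    return _strip_tail(s)


def check_event(event: dict) -> Optional[Finding]:
    """Evaluate one registry value-set record (Sysmon Event ID 13 field names assumed)."""
    m = RUN_KEY_RE.search(event["TargetObject"])
    if m is None:
        return None
    image = normalize_value(event["Details"])
    if any(frag in image.lower() for frag in USER_WRITABLE):
        return Finding(event["Image"], m.group("key"), m.group("name"), image)
    return None


def scan(events) -> list:
    """Return unique findings; repeated writes of the same value collapse to one."""
    seen, findings = set(), []
    for ev in events:
        f = check_event(ev)
        if f is not None and f not in seen:
            seen.add(f)
            findings.append(f)
    return findings


# Constructed records modelled on the two Run-key writes in the report (not real logs).
_SID = r"S-1-5-21-1081944012-3634099177-1681222835-1000"
_SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\2922ab1111d2f51decc1a4a96a0f784084a6548dd8c36ed4a8988213570368af.exe"
_RUN_VALUE = _SID + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysdiagnostichelps"
_DROPPED = r"C:\Users\Admin\AppData\Local\sysdiagnosticers\sysdiagnostichelps.exe"

SAMPLE_EVENTS = [
    {"Image": _SAMPLE, "TargetObject": "HKU\\" + _RUN_VALUE, "Details": _DROPPED},
    # second write as the report shows it, with a trailing U+8000 after ".exe"
    {"Image": _SAMPLE, "TargetObject": "HKU\\" + _RUN_VALUE, "Details": _DROPPED + "\u8000"},
    # benign installer registering an agent under Program Files: not flagged
    {"Image": r"C:\Windows\System32\msiexec.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorAgent",
     "Details": r'"C:\Program Files\Vendor\agent.exe" --tray'},
    # unrelated value under CurrentVersion: not a Run key, ignored
    {"Image": r"C:\Windows\explorer.exe",
     "TargetObject": "HKU\\" + _SID + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "Details": "DWORD (0x00000001)"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.key}\\{f.value_name} -> {f.image}  (set by {f.writer})")
```

Run against the constructed records, the two BitRAT writes produce a single finding for sysdiagnostichelps.exe under AppData\Local, while the Program Files entry and the Explorer value are ignored. Feeding real Sysmon ID 13 events in requires only mapping their fields onto the three keys used here.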
Processes
C:\Users\Admin\AppData\Local\Temp\2922ab1111d2f51decc1a4a96a0f784084a6548dd8c36ed4a8988213570368af.exe
command line: "C:\Users\Admin\AppData\Local\Temp\2922ab1111d2f51decc1a4a96a0f784084a6548dd8c36ed4a8988213570368af.exe"
PID: 4368
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx