Analysis
-
max time kernel
147s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
10/05/2022, 22:35
Static task
static1
Behavioral task
behavioral1
Sample
f0fd5d38ffa54d8dfd6456c0b7a8664b.exe
Resource
win7-20220414-en
General
-
Target
f0fd5d38ffa54d8dfd6456c0b7a8664b.exe
-
Size
4.6MB
-
MD5
f0fd5d38ffa54d8dfd6456c0b7a8664b
-
SHA1
36387a6cd5c900fb78e6fc67a88e84a472d05b61
-
SHA256
4e3056448e294407b47e08e4dd3364b14acc1fe05d602cbe3347e10800f925ae
-
SHA512
80b57e0e8feb4241631adfd73678ea8c4094397c4053855bfd3cce2d4762be8c67da46fe3e41b73766596723d370692cb31a75ba2bf475b40f2c4f2c1a9eb7db
Malware Config
Extracted
bitrat
1.38
https.myvnc.com:9111
-
communication_password
c4ca4238a0b923820dcc509a6f75849b
-
tor_process
tor
Signatures
-
suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)
suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation f0fd5d38ffa54d8dfd6456c0b7a8664b.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
pid Process 4304 f0fd5d38ffa54d8dfd6456c0b7a8664b.exe 4304 f0fd5d38ffa54d8dfd6456c0b7a8664b.exe 4304 f0fd5d38ffa54d8dfd6456c0b7a8664b.exe 4304 f0fd5d38ffa54d8dfd6456c0b7a8664b.exe 4304 f0fd5d38ffa54d8dfd6456c0b7a8664b.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 3356 set thread context of 4304 3356 f0fd5d38ffa54d8dfd6456c0b7a8664b.exe 97 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2508 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 8 IoCs
pid Process 3356 f0fd5d38ffa54d8dfd6456c0b7a8664b.exe 3260 powershell.exe 2660 powershell.exe 3260 powershell.exe 2660 powershell.exe 3356 f0fd5d38ffa54d8dfd6456c0b7a8664b.exe 3356 f0fd5d38ffa54d8dfd6456c0b7a8664b.exe 3356 f0fd5d38ffa54d8dfd6456c0b7a8664b.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: SeDebugPrivilege 3356 f0fd5d38ffa54d8dfd6456c0b7a8664b.exe Token: SeDebugPrivilege 3260 powershell.exe Token: SeDebugPrivilege 2660 powershell.exe Token: SeShutdownPrivilege 4304 f0fd5d38ffa54d8dfd6456c0b7a8664b.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 4304 f0fd5d38ffa54d8dfd6456c0b7a8664b.exe 4304 f0fd5d38ffa54d8dfd6456c0b7a8664b.exe -
Suspicious use of WriteProcessMemory 23 IoCs
description pid Process procid_target PID 3356 wrote to memory of 3260 3356 f0fd5d38ffa54d8dfd6456c0b7a8664b.exe 90 PID 3356 wrote to memory of 3260 3356 f0fd5d38ffa54d8dfd6456c0b7a8664b.exe 90 PID 3356 wrote to memory of 3260 3356 f0fd5d38ffa54d8dfd6456c0b7a8664b.exe 90 PID 3356 wrote to memory of 2660 3356 f0fd5d38ffa54d8dfd6456c0b7a8664b.exe 92 PID 3356 wrote to memory of 2660 3356 f0fd5d38ffa54d8dfd6456c0b7a8664b.exe 92 PID 3356 wrote to memory of 2660 3356 f0fd5d38ffa54d8dfd6456c0b7a8664b.exe 92 PID 3356 wrote to memory of 2508 3356 f0fd5d38ffa54d8dfd6456c0b7a8664b.exe 94 PID 3356 wrote to memory of 2508 3356 f0fd5d38ffa54d8dfd6456c0b7a8664b.exe 94 PID 3356 wrote to memory of 2508 3356 f0fd5d38ffa54d8dfd6456c0b7a8664b.exe 94 PID 3356 wrote to memory of 4196 3356 f0fd5d38ffa54d8dfd6456c0b7a8664b.exe 96 PID 3356 wrote to memory of 4196 3356 f0fd5d38ffa54d8dfd6456c0b7a8664b.exe 96 PID 3356 wrote to memory of 4196 3356 f0fd5d38ffa54d8dfd6456c0b7a8664b.exe 96 PID 3356 wrote to memory of 4304 3356 f0fd5d38ffa54d8dfd6456c0b7a8664b.exe 97 PID 3356 wrote to memory of 4304 3356 f0fd5d38ffa54d8dfd6456c0b7a8664b.exe 97 PID 3356 wrote to memory of 4304 3356 f0fd5d38ffa54d8dfd6456c0b7a8664b.exe 97 PID 3356 wrote to memory of 4304 3356 f0fd5d38ffa54d8dfd6456c0b7a8664b.exe 97 PID 3356 wrote to memory of 4304 3356 f0fd5d38ffa54d8dfd6456c0b7a8664b.exe 97 PID 3356 wrote to memory of 4304 3356 f0fd5d38ffa54d8dfd6456c0b7a8664b.exe 97 PID 3356 wrote to memory of 4304 3356 f0fd5d38ffa54d8dfd6456c0b7a8664b.exe 97 PID 3356 wrote to memory of 4304 3356 f0fd5d38ffa54d8dfd6456c0b7a8664b.exe 97 PID 3356 wrote to memory of 4304 3356 f0fd5d38ffa54d8dfd6456c0b7a8664b.exe 97 PID 3356 wrote to memory of 4304 3356 f0fd5d38ffa54d8dfd6456c0b7a8664b.exe 97 PID 3356 wrote to memory of 4304 3356 f0fd5d38ffa54d8dfd6456c0b7a8664b.exe 97
Processes
-
C:\Users\Admin\AppData\Local\Temp\f0fd5d38ffa54d8dfd6456c0b7a8664b.exe"C:\Users\Admin\AppData\Local\Temp\f0fd5d38ffa54d8dfd6456c0b7a8664b.exe"1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3356 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\f0fd5d38ffa54d8dfd6456c0b7a8664b.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3260
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\rGucnaAeGqFkx.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2660
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rGucnaAeGqFkx" /XML "C:\Users\Admin\AppData\Local\Temp\tmp248F.tmp"2⤵
- Creates scheduled task(s)
PID:2508
-
-
C:\Users\Admin\AppData\Local\Temp\f0fd5d38ffa54d8dfd6456c0b7a8664b.exe"C:\Users\Admin\AppData\Local\Temp\f0fd5d38ffa54d8dfd6456c0b7a8664b.exe"2⤵PID:4196
-
-
C:\Users\Admin\AppData\Local\Temp\f0fd5d38ffa54d8dfd6456c0b7a8664b.exe"C:\Users\Admin\AppData\Local\Temp\f0fd5d38ffa54d8dfd6456c0b7a8664b.exe"2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4304
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5968cb9309758126772781b83adb8a28f
SHA18da30e71accf186b2ba11da1797cf67f8f78b47c
SHA25692099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA5124bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3
-
Filesize
609B
MD504bebfdd3dd2a37f8a6c4b866531a336
SHA1b974edb0ddedac47aad59dfb284933ce4941390b
SHA2561b61025d347152bbfba6cfd465f1121843ca6953627eafb5c6dc22f5b22fb667
SHA51217d7a787ae4e38bb0e7bc8c49c0331ba3ff30d53ddc7eade292e939dd17f79b4f7476bbd08866bc91674b649bf909034a1efa4a3d5ee2cedb5683bccf274bd1f
-
Filesize
1KB
MD54b13bd67cade98501400c62a2f4eb0e3
SHA16504f657347472c185eaad89af67857856e2f7e8
SHA256396029ad083faeb4cc90b75044e16427303beb75987e116a2c7311d9e088e90c
SHA512c5d43312407966404eb7f6d8f11c8e43b393bb002dbc2c6270ce2e70cc95776a87e137a573febdc1a77e28e0f45e8bfa5c02865a1938b480d1357be59ae8f7ec