Analysis

  • max time kernel
    150s
  • max time network
    180s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    10/05/2022, 05:40

General

  • Target

    Cjryjsra.exe

  • Size

    3.2MB

  • MD5

    04b92d276e5e29aaef5069087a1d25d3

  • SHA1

    b3c133b9a56767f934b0bac585c7e6f7dcb92d9a

  • SHA256

    fc31934152ea6e5d60c4ee949140d28b2cfe30764451f0c6d62ee2945490656d

  • SHA512

    c70b4f7ef2ae8c9533d6b464f367d15e38e03df080f06b024134ee7f3f566d6dc209aec205f796bac7acd0bcee629eb676c80695b35cbff4c229faf4295afb83

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

212.193.30.54:3680

Attributes
  • communication_password

    46821e93230f353d5c46240b0462a0fe

  • tor_process

    tor

Signatures

  • BitRAT

    BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Delays execution with timeout.exe 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Cjryjsra.exe
    "C:\Users\Admin\AppData\Local\Temp\Cjryjsra.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1840
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c timeout 36
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1208
      • C:\Windows\SysWOW64\timeout.exe
        timeout 36
        3⤵
        • Delays execution with timeout.exe
        PID:1172
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      2⤵
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:1956

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/1840-54-0x0000000000B40000-0x0000000000E76000-memory.dmp

          Filesize

          3.2MB

        • memory/1840-55-0x00000000751C1000-0x00000000751C3000-memory.dmp

          Filesize

          8KB

        • memory/1840-56-0x0000000005BC0000-0x0000000005EE4000-memory.dmp

          Filesize

          3.1MB

        • memory/1840-59-0x0000000008980000-0x0000000008B74000-memory.dmp

          Filesize

          2.0MB

        • memory/1956-63-0x0000000000400000-0x00000000007CE000-memory.dmp

          Filesize

          3.8MB

        • memory/1956-61-0x0000000000400000-0x00000000007CE000-memory.dmp

          Filesize

          3.8MB

        • memory/1956-60-0x0000000000400000-0x00000000007CE000-memory.dmp

          Filesize

          3.8MB

        • memory/1956-65-0x0000000000400000-0x00000000007CE000-memory.dmp

          Filesize

          3.8MB

        • memory/1956-67-0x0000000000400000-0x00000000007CE000-memory.dmp

          Filesize

          3.8MB

        • memory/1956-69-0x0000000000400000-0x00000000007CE000-memory.dmp

          Filesize

          3.8MB

        • memory/1956-70-0x0000000000400000-0x00000000007CE000-memory.dmp

          Filesize

          3.8MB

        • memory/1956-72-0x0000000000400000-0x00000000007CE000-memory.dmp

          Filesize

          3.8MB

        • memory/1956-75-0x0000000000400000-0x00000000007CE000-memory.dmp

          Filesize

          3.8MB

        • memory/1956-77-0x0000000000400000-0x00000000007CE000-memory.dmp

          Filesize

          3.8MB