Analysis

  • max time kernel
    153s
  • max time network
    182s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    10/05/2022, 05:40

General

  • Target

    Cjryjsra.exe

  • Size

    3.2MB

  • MD5

    04b92d276e5e29aaef5069087a1d25d3

  • SHA1

    b3c133b9a56767f934b0bac585c7e6f7dcb92d9a

  • SHA256

    fc31934152ea6e5d60c4ee949140d28b2cfe30764451f0c6d62ee2945490656d

  • SHA512

    c70b4f7ef2ae8c9533d6b464f367d15e38e03df080f06b024134ee7f3f566d6dc209aec205f796bac7acd0bcee629eb676c80695b35cbff4c229faf4295afb83

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

212.193.30.54:3680

Attributes
  • communication_password

    46821e93230f353d5c46240b0462a0fe

  • tor_process

    tor

Signatures

  • BitRAT

    BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Delays execution with timeout.exe 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Cjryjsra.exe
    "C:\Users\Admin\AppData\Local\Temp\Cjryjsra.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4356
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c timeout 36
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1920
      • C:\Windows\SysWOW64\timeout.exe
        timeout 36
        3⤵
        • Delays execution with timeout.exe
        PID:3516
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      2⤵
        PID:376
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        2⤵
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:608

    Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • memory/608-138-0x0000000000400000-0x00000000007CE000-memory.dmp

            Filesize

            3.8MB

          • memory/608-139-0x0000000000400000-0x00000000007CE000-memory.dmp

            Filesize

            3.8MB

          • memory/608-140-0x0000000000400000-0x00000000007CE000-memory.dmp

            Filesize

            3.8MB

          • memory/608-141-0x0000000000400000-0x00000000007CE000-memory.dmp

            Filesize

            3.8MB

          • memory/4356-130-0x0000000000060000-0x0000000000396000-memory.dmp

            Filesize

            3.2MB

          • memory/4356-131-0x0000000005370000-0x0000000005914000-memory.dmp

            Filesize

            5.6MB

          • memory/4356-132-0x0000000004DC0000-0x0000000004E52000-memory.dmp

            Filesize

            584KB

          • memory/4356-133-0x0000000004D60000-0x0000000004D6A000-memory.dmp

            Filesize

            40KB