Analysis

  • max time kernel: 160s
  • max time network: 163s
  • platform: windows7_x64
  • resource: win7-20220414-en
  • submitted: 10/05/2022, 19:23

General

  • Target: Invoice May 2 to 6 2022.exe
  • Size: 300.0MB
  • MD5: 9ee044706961afb5c1b1cc98936786b5
  • SHA1: b583dd8cb884cc786ae6ccb5c007537f42ca20d0
  • SHA256: 9fd0b4d7a63cd7cd3574b4f6a766f99f6c3ec1d1a9f83627e5c10a811f289657
  • SHA512: 255752dd32861a2935509cd54d9ee78e59340ae292216d91243593682b5b876bfe3c157d4396dc4a692d067fe90f4260acc4431baeed06dab1ce4739fcaccb03

Score
10/10

Malware Config

Extracted

  • Family: bitrat
  • Version: 1.38
  • C2: houseofc.duckdns.org:24993

Attributes

  • communication_password: d6723e7cd6735df68d1ce4c704c29a04
  • tor_process: tor

Signatures

  • BitRAT

    BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

  • Executes dropped EXE 2 IoCs
  • UPX packed file 9 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Loads dropped DLL 6 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Invoice May 2 to 6 2022.exe
    "C:\Users\Admin\AppData\Local\Temp\Invoice May 2 to 6 2022.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1928
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\laoqp.exe'" /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1496
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\laoqp.exe'" /f
        3⤵
        • Creates scheduled task(s)
        PID:1732
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\Invoice May 2 to 6 2022.exe" "C:\Users\Admin\AppData\Roaming\laoqp.exe"
      2⤵
      PID:1132
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      2⤵
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:940
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {373D1864-ADA7-4F1E-99D8-2EFC04C06788} S-1-5-21-1819626980-2277161760-1023733287-1000:TBHNEBSE\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:336
    • C:\Users\Admin\AppData\Roaming\laoqp.exe
      C:\Users\Admin\AppData\Roaming\laoqp.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:1756
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\laoqp.exe'" /f
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1468
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\laoqp.exe'" /f
          4⤵
          • Creates scheduled task(s)
          PID:1528
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C copy "C:\Users\Admin\AppData\Roaming\laoqp.exe" "C:\Users\Admin\AppData\Roaming\laoqp.exe"
        3⤵
        PID:1556
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        3⤵
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious use of AdjustPrivilegeToken
        PID:1620
    • C:\Users\Admin\AppData\Roaming\laoqp.exe
      C:\Users\Admin\AppData\Roaming\laoqp.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      PID:676
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\laoqp.exe'" /f
        3⤵
        PID:1876
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C copy "C:\Users\Admin\AppData\Roaming\laoqp.exe" "C:\Users\Admin\AppData\Roaming\laoqp.exe"
        3⤵
        PID:1132

Downloads
