Analysis

  • max time kernel
    177s
  • max time network
    189s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    10/05/2022, 18:47

General

  • Target

    BGA07HSJYEUW.exe

  • Size

    300.0MB

  • MD5

    417e5e454f625ec291102dcb0edaadfd

  • SHA1

    34c7f664c21dcc78c49b10d668773a8dbe314054

  • SHA256

    99f6adbb8a1e75b3c0d9dc7f9e7b1e48576e0621f234dcae2691fbf7636dd039

  • SHA512

    dd3da693c7f2a3629f382b2bdd9ee23bc5512bdd8ee34bffed14bb5442f755798c787eeb04b5010e059582f913cf591de4e435f717adda7f04db725d1edabb07

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

bitm01071.duckdns.org:5021

Attributes
  • communication_password

    81dc9bdb52d04dc20036dbd8313ed055

  • tor_process

    tor

Signatures

  • BitRAT

    BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

  • suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)

  • Executes dropped EXE 2 IoCs
  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Uses the VBS compiler for execution 1 TTPs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\BGA07HSJYEUW.exe
    "C:\Users\Admin\AppData\Local\Temp\BGA07HSJYEUW.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:5052
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\rtez.exe'" /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2228
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\rtez.exe'" /f
        3⤵
        • Creates scheduled task(s)
        PID:5100
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\BGA07HSJYEUW.exe" "C:\Users\Admin\AppData\Roaming\rtez.exe"
      2⤵
      PID:3708
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      2⤵
      PID:724
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 724 -s 188
        3⤵
        • Program crash
        PID:1532
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 724 -ip 724
    1⤵
    PID:400
  • C:\Users\Admin\AppData\Roaming\rtez.exe
    C:\Users\Admin\AppData\Roaming\rtez.exe
    1⤵
    • Executes dropped EXE
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2224
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\rtez.exe'" /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2456
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\rtez.exe'" /f
        3⤵
        • Creates scheduled task(s)
        PID:1368
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C copy "C:\Users\Admin\AppData\Roaming\rtez.exe" "C:\Users\Admin\AppData\Roaming\rtez.exe"
      2⤵
      PID:4568
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      2⤵
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:4504
  • C:\Users\Admin\AppData\Roaming\rtez.exe
    C:\Users\Admin\AppData\Roaming\rtez.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:3780

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rtez.exe.log

    Filesize

    609B

    MD5

    f78129c2d7c98a4397fa4931b11feef4

    SHA1

    ea26f38d12515741651ff161ea8393d5fa41a5bd

    SHA256

    29830390784d06271342237443b6224bb98be0539e34b64e7344c78d7cdd93d9

    SHA512

    cbca1d486c2bd7655752930b9020ccf3f8ae67a67dcb2cca51c31763a51fea8fb951d617c31a3746680303a8c6d45361c120f15ef06c30b417202949728b5b35

  • C:\Users\Admin\AppData\Roaming\rtez.exe

    Filesize

    300.0MB

    MD5

    417e5e454f625ec291102dcb0edaadfd

    SHA1

    34c7f664c21dcc78c49b10d668773a8dbe314054

    SHA256

    99f6adbb8a1e75b3c0d9dc7f9e7b1e48576e0621f234dcae2691fbf7636dd039

    SHA512

    dd3da693c7f2a3629f382b2bdd9ee23bc5512bdd8ee34bffed14bb5442f755798c787eeb04b5010e059582f913cf591de4e435f717adda7f04db725d1edabb07

  • C:\Users\Admin\AppData\Roaming\rtez.exe

    Filesize

    300.0MB

    MD5

    417e5e454f625ec291102dcb0edaadfd

    SHA1

    34c7f664c21dcc78c49b10d668773a8dbe314054

    SHA256

    99f6adbb8a1e75b3c0d9dc7f9e7b1e48576e0621f234dcae2691fbf7636dd039

    SHA512

    dd3da693c7f2a3629f382b2bdd9ee23bc5512bdd8ee34bffed14bb5442f755798c787eeb04b5010e059582f913cf591de4e435f717adda7f04db725d1edabb07

  • C:\Users\Admin\AppData\Roaming\rtez.exe

    Filesize

    214.4MB

    MD5

    1cf87beef5bc4b7bc78ddd19aca5c4e3

    SHA1

    f9561c71694a782cd50bbe32b5d368ab6c56d1f4

    SHA256

    84f1dc592911db9569183b7f084eaf87f61880ff49c1ecfaf0d2b1efe4631220

    SHA512

    d7406a7426f84d98cc1ca4c48d34d8d78f38a97a2f89ab29959df4752a30e1e0455e8317efff7a7b19af5dc26e2838b6a9bbef6371a0082756ddbf951330876b

  • memory/724-139-0x0000000000700000-0x0000000000AE4000-memory.dmp

    Filesize

    3.9MB

  • memory/724-138-0x0000000000700000-0x0000000000AE4000-memory.dmp

    Filesize

    3.9MB

  • memory/4504-146-0x0000000000400000-0x00000000007E4000-memory.dmp

    Filesize

    3.9MB

  • memory/4504-147-0x0000000000400000-0x00000000007E4000-memory.dmp

    Filesize

    3.9MB

  • memory/4504-148-0x0000000000400000-0x00000000007E4000-memory.dmp

    Filesize

    3.9MB

  • memory/4504-149-0x0000000000400000-0x00000000007E4000-memory.dmp

    Filesize

    3.9MB

  • memory/4504-150-0x0000000000400000-0x00000000007E4000-memory.dmp

    Filesize

    3.9MB

  • memory/5052-130-0x0000000000560000-0x00000000006EC000-memory.dmp

    Filesize

    1.5MB

  • memory/5052-132-0x0000000005090000-0x0000000005122000-memory.dmp

    Filesize

    584KB

  • memory/5052-131-0x0000000005560000-0x0000000005B04000-memory.dmp

    Filesize

    5.6MB