Analysis

- max time kernel: 177s
- max time network: 189s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 10/05/2022, 18:47

Static task: static1
Behavioral task: behavioral1
Sample: BGA07HSJYEUW.exe
Resource: win7-20220414-en
General

- Target: BGA07HSJYEUW.exe
- Size: 300.0MB
- MD5: 417e5e454f625ec291102dcb0edaadfd
- SHA1: 34c7f664c21dcc78c49b10d668773a8dbe314054
- SHA256: 99f6adbb8a1e75b3c0d9dc7f9e7b1e48576e0621f234dcae2691fbf7636dd039
- SHA512: dd3da693c7f2a3629f382b2bdd9ee23bc5512bdd8ee34bffed14bb5442f755798c787eeb04b5010e059582f913cf591de4e435f717adda7f04db725d1edabb07
Malware Config

Extracted

- Family: bitrat
- Version: 1.38
- C2: bitm01071.duckdns.org:5021
- communication_password: 81dc9bdb52d04dc20036dbd8313ed055
- tor_process: tor
Signatures

suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)

Executes dropped EXE (2 IoCs)
  pid   Process
  2224  rtez.exe
  3780  rtez.exe

YARA rule matches on memory dumps (7 IoCs)
  resource                                                                      yara_rule
  behavioral2/memory/724-139-0x0000000000700000-0x0000000000AE4000-memory.dmp   upx
  behavioral2/memory/724-138-0x0000000000700000-0x0000000000AE4000-memory.dmp   upx
  behavioral2/memory/4504-146-0x0000000000400000-0x00000000007E4000-memory.dmp  upx
  behavioral2/memory/4504-147-0x0000000000400000-0x00000000007E4000-memory.dmp  upx
  behavioral2/memory/4504-148-0x0000000000400000-0x00000000007E4000-memory.dmp  upx
  behavioral2/memory/4504-149-0x0000000000400000-0x00000000007E4000-memory.dmp  upx
  behavioral2/memory/4504-150-0x0000000000400000-0x00000000007E4000-memory.dmp  upx

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
  description        ioc                                                                                              Process
  Key value queried  \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation  rtez.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation  BGA07HSJYEUW.exe

Uses the VBS compiler for execution (1 TTPs)

Suspicious use of NtSetInformationThreadHideFromDebugger (5 IoCs)
  pid   Process
  4504  vbc.exe
  4504  vbc.exe
  4504  vbc.exe
  4504  vbc.exe
  4504  vbc.exe

Suspicious use of SetThreadContext (2 IoCs)
  description                          pid   Process           procid_target
  PID 5052 set thread context of 724   5052  BGA07HSJYEUW.exe  102
  PID 2224 set thread context of 4504  2224  rtez.exe          113

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (1 IoCs)
  pid   pid_target  Process       procid_target
  1532  724         WerFault.exe  102

Creates scheduled task(s) (1 TTPs, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   Process
  5100  schtasks.exe
  1368  schtasks.exe

Suspicious use of AdjustPrivilegeToken (10 IoCs)
  description                        pid   Process
  Token: SeDebugPrivilege            5052  BGA07HSJYEUW.exe
  Token: 33                          5052  BGA07HSJYEUW.exe
  Token: SeIncBasePriorityPrivilege  5052  BGA07HSJYEUW.exe
  Token: SeDebugPrivilege            2224  rtez.exe
  Token: 33                          2224  rtez.exe
  Token: SeIncBasePriorityPrivilege  2224  rtez.exe
  Token: SeShutdownPrivilege         4504  vbc.exe
  Token: SeDebugPrivilege            3780  rtez.exe
  Token: 33                          3780  rtez.exe
  Token: SeIncBasePriorityPrivilege  3780  rtez.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
  pid   Process
  4504  vbc.exe
  4504  vbc.exe

Suspicious use of WriteProcessMemory (32 IoCs)
  description                      pid   Process           procid_target
  PID 5052 wrote to memory of 2228  5052  BGA07HSJYEUW.exe  97
  PID 5052 wrote to memory of 2228  5052  BGA07HSJYEUW.exe  97
  PID 5052 wrote to memory of 2228  5052  BGA07HSJYEUW.exe  97
  PID 5052 wrote to memory of 3708  5052  BGA07HSJYEUW.exe  99
  PID 5052 wrote to memory of 3708  5052  BGA07HSJYEUW.exe  99
  PID 5052 wrote to memory of 3708  5052  BGA07HSJYEUW.exe  99
  PID 2228 wrote to memory of 5100  2228  cmd.exe           101
  PID 2228 wrote to memory of 5100  2228  cmd.exe           101
  PID 2228 wrote to memory of 5100  2228  cmd.exe           101
  PID 5052 wrote to memory of 724   5052  BGA07HSJYEUW.exe  102
  PID 5052 wrote to memory of 724   5052  BGA07HSJYEUW.exe  102
  PID 5052 wrote to memory of 724   5052  BGA07HSJYEUW.exe  102
  PID 5052 wrote to memory of 724   5052  BGA07HSJYEUW.exe  102
  PID 5052 wrote to memory of 724   5052  BGA07HSJYEUW.exe  102
  PID 5052 wrote to memory of 724   5052  BGA07HSJYEUW.exe  102
  PID 5052 wrote to memory of 724   5052  BGA07HSJYEUW.exe  102
  PID 2224 wrote to memory of 2456  2224  rtez.exe          108
  PID 2224 wrote to memory of 2456  2224  rtez.exe          108
  PID 2224 wrote to memory of 2456  2224  rtez.exe          108
  PID 2224 wrote to memory of 4568  2224  rtez.exe          110
  PID 2224 wrote to memory of 4568  2224  rtez.exe          110
  PID 2224 wrote to memory of 4568  2224  rtez.exe          110
  PID 2456 wrote to memory of 1368  2456  cmd.exe           112
  PID 2456 wrote to memory of 1368  2456  cmd.exe           112
  PID 2456 wrote to memory of 1368  2456  cmd.exe           112
  PID 2224 wrote to memory of 4504  2224  rtez.exe          113
  PID 2224 wrote to memory of 4504  2224  rtez.exe          113
  PID 2224 wrote to memory of 4504  2224  rtez.exe          113
  PID 2224 wrote to memory of 4504  2224  rtez.exe          113
  PID 2224 wrote to memory of 4504  2224  rtez.exe          113
  PID 2224 wrote to memory of 4504  2224  rtez.exe          113
  PID 2224 wrote to memory of 4504  2224  rtez.exe          113
Processes

C:\Users\Admin\AppData\Local\Temp\BGA07HSJYEUW.exe
  Command: "C:\Users\Admin\AppData\Local\Temp\BGA07HSJYEUW.exe"
  PID: 5052
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe
    Command: "C:\Windows\System32\cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\rtez.exe'" /f
    PID: 2228
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\schtasks.exe
      Command: schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\rtez.exe'" /f
      PID: 5100
      - Creates scheduled task(s)

  C:\Windows\SysWOW64\cmd.exe
    Command: "C:\Windows\System32\cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\BGA07HSJYEUW.exe" "C:\Users\Admin\AppData\Roaming\rtez.exe"
    PID: 3708

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    Command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    PID: 724

    C:\Windows\SysWOW64\WerFault.exe
      Command: C:\Windows\SysWOW64\WerFault.exe -u -p 724 -s 188
      PID: 1532
      - Program crash

C:\Windows\SysWOW64\WerFault.exe
  Command: C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 724 -ip 724
  PID: 400

C:\Users\Admin\AppData\Roaming\rtez.exe
  Command: C:\Users\Admin\AppData\Roaming\rtez.exe
  PID: 2224
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe
    Command: "C:\Windows\System32\cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\rtez.exe'" /f
    PID: 2456
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\schtasks.exe
      Command: schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\rtez.exe'" /f
      PID: 1368
      - Creates scheduled task(s)

  C:\Windows\SysWOW64\cmd.exe
    Command: "C:\Windows\System32\cmd.exe" /C copy "C:\Users\Admin\AppData\Roaming\rtez.exe" "C:\Users\Admin\AppData\Roaming\rtez.exe"
    PID: 4568

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    Command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    PID: 4504
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx

C:\Users\Admin\AppData\Roaming\rtez.exe
  Command: C:\Users\Admin\AppData\Roaming\rtez.exe
  PID: 3780
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads