Analysis Overview
SHA256
99f6adbb8a1e75b3c0d9dc7f9e7b1e48576e0621f234dcae2691fbf7636dd039
Threat Level: Known bad
The file BGA07HSJYEUW.exe was found to be: Known bad.
Malicious Activity Summary
suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)
BitRAT
Executes dropped EXE
UPX packed file
Uses the VBS compiler for execution
Checks computer location settings
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Program crash
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-05-10 18:48
Signatures
Analysis: behavioral2
Detonation Overview
Submitted
2022-05-10 18:47
Reported
2022-05-10 18:53
Platform
win10v2004-20220414-en
Max time kernel
177s
Max time network
189s
Command Line
Signatures
BitRAT
suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\rtez.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\rtez.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\rtez.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BGA07HSJYEUW.exe | N/A |
Uses the VBS compiler for execution
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 5052 set thread context of 724 | N/A | C:\Users\Admin\AppData\Local\Temp\BGA07HSJYEUW.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe |
| PID 2224 set thread context of 4504 | N/A | C:\Users\Admin\AppData\Roaming\rtez.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\BGA07HSJYEUW.exe | N/A |
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\BGA07HSJYEUW.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\BGA07HSJYEUW.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\rtez.exe | N/A |
| Token: 33 | N/A | C:\Users\Admin\AppData\Roaming\rtez.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\rtez.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\rtez.exe | N/A |
| Token: 33 | N/A | C:\Users\Admin\AppData\Roaming\rtez.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\rtez.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\BGA07HSJYEUW.exe
"C:\Users\Admin\AppData\Local\Temp\BGA07HSJYEUW.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\rtez.exe'" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\BGA07HSJYEUW.exe" "C:\Users\Admin\AppData\Roaming\rtez.exe"
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\rtez.exe'" /f
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 724 -ip 724
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 724 -s 188
C:\Users\Admin\AppData\Roaming\rtez.exe
C:\Users\Admin\AppData\Roaming\rtez.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\rtez.exe'" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C copy "C:\Users\Admin\AppData\Roaming\rtez.exe" "C:\Users\Admin\AppData\Roaming\rtez.exe"
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\rtez.exe'" /f
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
C:\Users\Admin\AppData\Roaming\rtez.exe
C:\Users\Admin\AppData\Roaming\rtez.exe
Network
| Country | Destination | Domain | Proto |
| NL | 20.190.160.71:443 | tcp | |
| NL | 20.190.160.71:443 | tcp | |
| NL | 20.190.160.71:443 | tcp | |
| NL | 20.190.160.129:443 | tcp | |
| US | 142.4.113.7:80 | tcp | |
| NL | 20.190.160.129:443 | tcp | |
| NL | 20.190.160.129:443 | tcp | |
| JP | 40.74.98.195:443 | tcp | |
| US | 209.197.3.8:80 | tcp | |
| US | 209.197.3.8:80 | tcp | |
| US | 209.197.3.8:80 | tcp | |
| NL | 20.190.160.4:443 | tcp | |
| NL | 20.190.160.4:443 | tcp | |
| NL | 20.190.160.4:443 | tcp | |
| NL | 20.190.160.67:443 | tcp | |
| NL | 20.190.160.67:443 | tcp | |
| US | 93.184.220.29:80 | tcp | |
| NL | 20.190.160.67:443 | tcp | |
| NL | 20.190.160.6:443 | tcp | |
| NL | 20.190.160.6:443 | tcp | |
| NL | 20.190.160.6:443 | tcp | |
| NL | 20.190.160.73:443 | tcp | |
| NL | 20.190.160.73:443 | tcp | |
| NL | 20.190.160.73:443 | tcp | |
| US | 8.8.8.8:53 | bitm01071.duckdns.org | udp |
| VN | 103.145.254.223:5021 | bitm01071.duckdns.org | tcp |
Files
memory/5052-130-0x0000000000560000-0x00000000006EC000-memory.dmp
memory/5052-131-0x0000000005560000-0x0000000005B04000-memory.dmp
memory/5052-132-0x0000000005090000-0x0000000005122000-memory.dmp
memory/2228-133-0x0000000000000000-mapping.dmp
memory/3708-134-0x0000000000000000-mapping.dmp
memory/5100-135-0x0000000000000000-mapping.dmp
memory/724-136-0x0000000000000000-mapping.dmp
memory/724-139-0x0000000000700000-0x0000000000AE4000-memory.dmp
memory/724-138-0x0000000000700000-0x0000000000AE4000-memory.dmp
C:\Users\Admin\AppData\Roaming\rtez.exe
| MD5 | 417e5e454f625ec291102dcb0edaadfd |
| SHA1 | 34c7f664c21dcc78c49b10d668773a8dbe314054 |
| SHA256 | 99f6adbb8a1e75b3c0d9dc7f9e7b1e48576e0621f234dcae2691fbf7636dd039 |
| SHA512 | dd3da693c7f2a3629f382b2bdd9ee23bc5512bdd8ee34bffed14bb5442f755798c787eeb04b5010e059582f913cf591de4e435f717adda7f04db725d1edabb07 |
C:\Users\Admin\AppData\Roaming\rtez.exe
| MD5 | 417e5e454f625ec291102dcb0edaadfd |
| SHA1 | 34c7f664c21dcc78c49b10d668773a8dbe314054 |
| SHA256 | 99f6adbb8a1e75b3c0d9dc7f9e7b1e48576e0621f234dcae2691fbf7636dd039 |
| SHA512 | dd3da693c7f2a3629f382b2bdd9ee23bc5512bdd8ee34bffed14bb5442f755798c787eeb04b5010e059582f913cf591de4e435f717adda7f04db725d1edabb07 |
memory/2456-142-0x0000000000000000-mapping.dmp
memory/4568-143-0x0000000000000000-mapping.dmp
memory/1368-144-0x0000000000000000-mapping.dmp
memory/4504-145-0x0000000000000000-mapping.dmp
memory/4504-146-0x0000000000400000-0x00000000007E4000-memory.dmp
memory/4504-147-0x0000000000400000-0x00000000007E4000-memory.dmp
memory/4504-148-0x0000000000400000-0x00000000007E4000-memory.dmp
memory/4504-149-0x0000000000400000-0x00000000007E4000-memory.dmp
memory/4504-150-0x0000000000400000-0x00000000007E4000-memory.dmp
C:\Users\Admin\AppData\Roaming\rtez.exe
| MD5 | 1cf87beef5bc4b7bc78ddd19aca5c4e3 |
| SHA1 | f9561c71694a782cd50bbe32b5d368ab6c56d1f4 |
| SHA256 | 84f1dc592911db9569183b7f084eaf87f61880ff49c1ecfaf0d2b1efe4631220 |
| SHA512 | d7406a7426f84d98cc1ca4c48d34d8d78f38a97a2f89ab29959df4752a30e1e0455e8317efff7a7b19af5dc26e2838b6a9bbef6371a0082756ddbf951330876b |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rtez.exe.log
| MD5 | f78129c2d7c98a4397fa4931b11feef4 |
| SHA1 | ea26f38d12515741651ff161ea8393d5fa41a5bd |
| SHA256 | 29830390784d06271342237443b6224bb98be0539e34b64e7344c78d7cdd93d9 |
| SHA512 | cbca1d486c2bd7655752930b9020ccf3f8ae67a67dcb2cca51c31763a51fea8fb951d617c31a3746680303a8c6d45361c120f15ef06c30b417202949728b5b35 |
Analysis: behavioral1
Detonation Overview
Submitted
2022-05-10 18:47
Reported
2022-05-10 18:54
Platform
win7-20220414-en
Max time kernel
168s
Max time network
234s
Command Line
Signatures
BitRAT
suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\rtez.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Uses the VBS compiler for execution
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 944 set thread context of 1172 | N/A | C:\Users\Admin\AppData\Local\Temp\BGA07HSJYEUW.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe |
| PID 1960 set thread context of 1616 | N/A | C:\Users\Admin\AppData\Roaming\rtez.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\BGA07HSJYEUW.exe | N/A |
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\BGA07HSJYEUW.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\BGA07HSJYEUW.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\rtez.exe | N/A |
| Token: 33 | N/A | C:\Users\Admin\AppData\Roaming\rtez.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\rtez.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\BGA07HSJYEUW.exe
"C:\Users\Admin\AppData\Local\Temp\BGA07HSJYEUW.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\rtez.exe'" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\BGA07HSJYEUW.exe" "C:\Users\Admin\AppData\Roaming\rtez.exe"
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\rtez.exe'" /f
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
C:\Windows\system32\taskeng.exe
taskeng.exe {CDE5789C-4157-47FA-A1D0-67620DCCAF19} S-1-5-21-2277218442-1199762539-2004043321-1000:AUVQQRRF\Admin:Interactive:[1]
C:\Users\Admin\AppData\Roaming\rtez.exe
C:\Users\Admin\AppData\Roaming\rtez.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\rtez.exe'" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C copy "C:\Users\Admin\AppData\Roaming\rtez.exe" "C:\Users\Admin\AppData\Roaming\rtez.exe"
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\rtez.exe'" /f
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Network
| Country | Destination | Domain | Proto |
| US | 142.4.113.7:80 | tcp | |
| US | 8.8.8.8:53 | bitm01071.duckdns.org | udp |
| VN | 103.145.254.223:5021 | bitm01071.duckdns.org | tcp |
| US | 8.8.8.8:53 | bitm01071.duckdns.org | udp |
Files
memory/944-54-0x0000000001160000-0x00000000012EC000-memory.dmp
memory/944-55-0x00000000765C1000-0x00000000765C3000-memory.dmp
memory/1888-56-0x0000000000000000-mapping.dmp
memory/896-57-0x0000000000000000-mapping.dmp
memory/948-58-0x0000000000000000-mapping.dmp
memory/1172-59-0x0000000000400000-0x00000000007E4000-memory.dmp
memory/1172-60-0x0000000000400000-0x00000000007E4000-memory.dmp
memory/1172-62-0x0000000000400000-0x00000000007E4000-memory.dmp
memory/1172-63-0x0000000000400000-0x00000000007E4000-memory.dmp
memory/1172-64-0x00000000007E2740-mapping.dmp
memory/1172-66-0x0000000000400000-0x00000000007E4000-memory.dmp
memory/1172-65-0x0000000000400000-0x00000000007E4000-memory.dmp
memory/1172-67-0x0000000000400000-0x00000000007E4000-memory.dmp
memory/1172-69-0x0000000000400000-0x00000000007E4000-memory.dmp
C:\Users\Admin\AppData\Roaming\rtez.exe
| MD5 | 417e5e454f625ec291102dcb0edaadfd |
| SHA1 | 34c7f664c21dcc78c49b10d668773a8dbe314054 |
| SHA256 | 99f6adbb8a1e75b3c0d9dc7f9e7b1e48576e0621f234dcae2691fbf7636dd039 |
| SHA512 | dd3da693c7f2a3629f382b2bdd9ee23bc5512bdd8ee34bffed14bb5442f755798c787eeb04b5010e059582f913cf591de4e435f717adda7f04db725d1edabb07 |
memory/1960-71-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\rtez.exe
| MD5 | 417e5e454f625ec291102dcb0edaadfd |
| SHA1 | 34c7f664c21dcc78c49b10d668773a8dbe314054 |
| SHA256 | 99f6adbb8a1e75b3c0d9dc7f9e7b1e48576e0621f234dcae2691fbf7636dd039 |
| SHA512 | dd3da693c7f2a3629f382b2bdd9ee23bc5512bdd8ee34bffed14bb5442f755798c787eeb04b5010e059582f913cf591de4e435f717adda7f04db725d1edabb07 |
memory/1960-73-0x0000000000DE0000-0x0000000000F6C000-memory.dmp
memory/1748-75-0x0000000000000000-mapping.dmp
memory/832-76-0x0000000000000000-mapping.dmp
memory/1012-77-0x0000000000000000-mapping.dmp
memory/1616-83-0x00000000007E2740-mapping.dmp
memory/1616-88-0x0000000000400000-0x00000000007E4000-memory.dmp