Analysis
- Max time kernel: 189s
- Max time network: 150s
- Platform: windows7_x64
- Resource: win7-20220414-en
- Submitted: 15-06-2022 14:32
- Static task: static1
- Behavioral task: behavioral1
  - Sample: RKS7D5D6F_ETRANSFER_RECEIPT.exe
  - Resource: win7-20220414-en
General
- Target: RKS7D5D6F_ETRANSFER_RECEIPT.exe
- Size: 300.0MB
- MD5: 7298a9ef42c45144a0caab46893fc9e3
- SHA1: 809492d6628db6cb0af75ceb861ca209079029af
- SHA256: cd4000e6ed2eeeb0af7509cc6c74ea8d2ef08d5d6f6551aeebad6a96de57d7cd
- SHA512: ac95e369ed001e74b5c32cb94ac109f3b7c76b9c9dd82fd92c0569682589ccd94521599a7b03921a633c4668905a73ba87c9c7d5e31935d047f61c1284dd4459
Malware Config
Extracted
- Family: bitrat
- Version: 1.38
- C2: bitrat9300.duckdns.org:9300
- communication_password: e10adc3949ba59abbe56e057f20f883e
- tor_process: tor
Signatures
- suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)
- Executes dropped EXE (1 IoCs)
  Processes:
  | pid | process |
  |-----|---------|
  | 628 | nhbyg.exe |
- Yara rule matches in memory
  | resource | yara_rule |
  |----------|-----------|
  | behavioral1/memory/1320-63-0x0000000000470000-0x0000000000854000-memory.dmp | upx |
  | behavioral1/memory/1320-66-0x0000000000470000-0x0000000000854000-memory.dmp | upx |
  | behavioral1/memory/1320-67-0x0000000000470000-0x0000000000854000-memory.dmp | upx |
  | behavioral1/memory/1320-70-0x0000000000470000-0x0000000000854000-memory.dmp | upx |
  | behavioral1/memory/1320-77-0x0000000000470000-0x0000000000854000-memory.dmp | upx |
  | behavioral1/memory/1320-80-0x0000000000470000-0x0000000000854000-memory.dmp | upx |
  | behavioral1/memory/808-87-0x0000000000400000-0x00000000007E4000-memory.dmp | upx |
  | behavioral1/memory/808-90-0x0000000000400000-0x00000000007E4000-memory.dmp | upx |
  | behavioral1/memory/808-92-0x0000000000400000-0x00000000007E4000-memory.dmp | upx |
  | behavioral1/memory/808-96-0x0000000000400000-0x00000000007E4000-memory.dmp | upx |
  | behavioral1/memory/808-98-0x0000000000400000-0x00000000007E4000-memory.dmp | upx |
  | behavioral1/memory/808-97-0x0000000000400000-0x00000000007E4000-memory.dmp | upx |
  | behavioral1/memory/808-93-0x0000000000400000-0x00000000007E4000-memory.dmp | upx |
  | behavioral1/memory/808-99-0x0000000000400000-0x00000000007E4000-memory.dmp | upx |
- Suspicious use of NtSetInformationThreadHideFromDebugger (6 IoCs)
  Processes:
  | pid | process | entries |
  |-----|---------|---------|
  | 1320 | RegAsm.exe | 5 |
  | 808 | RegAsm.exe | 1 |
- Suspicious use of SetThreadContext (2 IoCs)
  Processes:
  | description | pid | process | target pid | target process |
  |-------------|-----|---------|------------|----------------|
  | set thread context | 844 | RKS7D5D6F_ETRANSFER_RECEIPT.exe | 1320 | RegAsm.exe |
  | set thread context | 628 | nhbyg.exe | 808 | RegAsm.exe |
- Creates scheduled task(s) (1 TTPs, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Processes:
  | pid | process |
  |-----|---------|
  | 1092 | schtasks.exe |
  | 1616 | schtasks.exe |
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes:
  | description | pid | process |
  |-------------|-----|---------|
  | Token: SeDebugPrivilege | 1320 | RegAsm.exe |
  | Token: SeShutdownPrivilege | 1320 | RegAsm.exe |
  | Token: SeDebugPrivilege | 808 | RegAsm.exe |
  | Token: SeShutdownPrivilege | 808 | RegAsm.exe |
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes:
  | pid | process | entries |
  |-----|---------|---------|
  | 1320 | RegAsm.exe | 2 |
- Suspicious use of WriteProcessMemory (50 IoCs)
  Processes:
  | description | pid | process | target pid | target process | entries |
  |-------------|-----|---------|------------|----------------|---------|
  | wrote to memory of | 844 | RKS7D5D6F_ETRANSFER_RECEIPT.exe | 1400 | cmd.exe | 4 |
  | wrote to memory of | 1400 | cmd.exe | 1092 | schtasks.exe | 4 |
  | wrote to memory of | 844 | RKS7D5D6F_ETRANSFER_RECEIPT.exe | 1196 | cmd.exe | 4 |
  | wrote to memory of | 844 | RKS7D5D6F_ETRANSFER_RECEIPT.exe | 1320 | RegAsm.exe | 11 |
  | wrote to memory of | 1916 | taskeng.exe | 628 | nhbyg.exe | 4 |
  | wrote to memory of | 628 | nhbyg.exe | 1524 | cmd.exe | 4 |
  | wrote to memory of | 1524 | cmd.exe | 1616 | schtasks.exe | 4 |
  | wrote to memory of | 628 | nhbyg.exe | 1356 | cmd.exe | 4 |
  | wrote to memory of | 628 | nhbyg.exe | 808 | RegAsm.exe | 11 |
Processes
- C:\Users\Admin\AppData\Local\Temp\RKS7D5D6F_ETRANSFER_RECEIPT.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\RKS7D5D6F_ETRANSFER_RECEIPT.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\nhbyg.exe'" /f
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\nhbyg.exe'" /f
      - Creates scheduled task(s)
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\RKS7D5D6F_ETRANSFER_RECEIPT.exe" "C:\Users\Admin\AppData\Roaming\nhbyg.exe"
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
- C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {7A0F8F06-2E6C-4B10-AE01-3C54750D4D59} S-1-5-21-2277218442-1199762539-2004043321-1000:AUVQQRRF\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\nhbyg.exe
    Command line: C:\Users\Admin\AppData\Roaming\nhbyg.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\nhbyg.exe'" /f
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\schtasks.exe
        Command line: schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\nhbyg.exe'" /f
        - Creates scheduled task(s)
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "cmd.exe" /C copy "C:\Users\Admin\AppData\Roaming\nhbyg.exe" "C:\Users\Admin\AppData\Roaming\nhbyg.exe"
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious use of AdjustPrivilegeToken
Downloads
- C:\Users\Admin\AppData\Roaming\nhbyg.exe
  - Filesize: 300.0MB
  - MD5: 7298a9ef42c45144a0caab46893fc9e3
  - SHA1: 809492d6628db6cb0af75ceb861ca209079029af
  - SHA256: cd4000e6ed2eeeb0af7509cc6c74ea8d2ef08d5d6f6551aeebad6a96de57d7cd
  - SHA512: ac95e369ed001e74b5c32cb94ac109f3b7c76b9c9dd82fd92c0569682589ccd94521599a7b03921a633c4668905a73ba87c9c7d5e31935d047f61c1284dd4459