Analysis
- max time kernel: 157s
- max time network: 161s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 15-06-2022 14:58

Static task: static1
Behavioral task: behavioral1
- Sample: NIS75FJ4D_ETRANSFER_RECEIPT.exe
- Resource: win7-20220414-en

Note: only the win7 task header survives in this copy of the report, but the platform line above is Windows 10 and every memory dump listed under Downloads is prefixed behavioral2/, so the signatures and process tree below describe the Windows 10 run.
General
- Target: NIS75FJ4D_ETRANSFER_RECEIPT.exe
- Size: 300.0MB
- MD5: d072528e13a5c62a4f27192472f757da
- SHA1: 361a23cc18bb659c6663e7e4d962c002ca89b716
- SHA256: 0cf97758629ff73febf6d092d1efa21076274de36257722e9f33ed71937b1c0b
- SHA512: 59dd288c9e820a575b2a977b07976e6c6b36f87e6dc8a6028e51cc8e6aae60668de1d4f9be9c34bc3489875fc3440727f47542a3c0ad48a19a83b5c03f5fb397

A 300 MB executable whose working code fits in a few megabytes of memory (see the 3.9 MB injected regions under Downloads) is padded: inflating the file past the size limits of AV scanners and online sandboxes is a common evasion, and the padding travels with the dropped copy, which carries identical hashes.
Malware Config
Extracted
- family: bitrat
- version: 1.38
- C2: bitrat9300.duckdns.org:9300
- communication_password: e10adc3949ba59abbe56e057f20f883e
- tor_process: tor

The communication_password field holds an MD5 digest rather than the cleartext; e10adc3949ba59abbe56e057f20f883e is MD5("123456"). The C2 is a DuckDNS dynamic-DNS name on a non-standard port (9300), so the hostname and port, not whatever IP it resolved to during the run, are the durable network indicators.
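The following is an added example, not part of the Triage report or of BitRAT itself. It turns the extracted config above into hunt-ready indicators: it splits the host:port C2 entry, flags dynamic-DNS providers, checks the MD5 communication_password against a short candidate list (the list is a constructed placeholder; only "123456" is known to match this sample), and emits a Suricata DNS-query rule per C2 domain (the sid range is a placeholder).

```python
import hashlib

# Constructed from the report's "Malware Config" section (BitRAT 1.38).
BITRAT_CONFIG = {
    "family": "bitrat",
    "version": "1.38",
    "c2": ["bitrat9300.duckdns.org:9300"],
    "communication_password": "e10adc3949ba59abbe56e057f20f883e",
    "tor_process": "tor",
}

# Hypothetical candidate list of very common passwords; in practice use a real wordlist.
COMMON_PASSWORDS = ["password", "123456", "12345678", "qwerty", "admin", "letmein"]

# Dynamic-DNS suffixes whose A records change; treat the name, not the IP, as the IOC.
DYNAMIC_DNS_SUFFIXES = (".duckdns.org", ".no-ip.org", ".ddns.net")


def parse_c2(entry):
    """Split 'host:port' into (host, port); the port must be numeric."""
    host, sep, port = entry.rpartition(":")
    if not sep or not port.isdigit():
        raise ValueError(f"malformed C2 entry: {entry!r}")
    return host.lower(), int(port)


def recover_password(md5_hex, candidates):
    """BitRAT stores the communication password as an MD5 digest; try a wordlist."""
    target = md5_hex.lower()
    for cand in candidates:
        if hashlib.md5(cand.encode()).hexdigest() == target:
            return cand
    return None


def build_iocs(config):
    """Normalise the extracted config into network IOCs plus the recovered password."""
    iocs = {"domains": [], "ports": [], "dynamic_dns": [], "password": None}
    for entry in config["c2"]:
        host, port = parse_c2(entry)
        iocs["domains"].append(host)
        iocs["ports"].append(port)
        if host.endswith(DYNAMIC_DNS_SUFFIXES):
            iocs["dynamic_dns"].append(host)
    iocs["password"] = recover_password(config["communication_password"], COMMON_PASSWORDS)
    return iocs


def suricata_dns_rules(iocs, base_sid=9000001):
    """Emit one Suricata DNS-query rule per C2 domain (sid values are placeholders)."""
    rules = []
    for i, domain in enumerate(iocs["domains"]):
        rules.append(
            f'alert dns any any -> any any (msg:"BitRAT C2 DNS lookup {domain}"; '
            f'dns.query; content:"{domain}"; nocase; sid:{base_sid + i}; rev:1;)'
        )
    return rules


if __name__ == "__main__":
    result = build_iocs(BITRAT_CONFIG)
    print(result)
    print("\n".join(suricata_dns_rules(result)))
```

Because the password is only a 32-hex MD5 in the config, the same check works on any BitRAT config dump; a hit on a trivial password like this one tells you the operator never changed the builder default.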
Signatures
- suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)
-
Executes dropped EXE 2 IoCs
Processes:
  pid   process
  4152  nhbyg.exe
  4624  nhbyg.exe
-
YARA rule upx matched on memory dumps 7 IoCs
Processes:
  resource                                                                     yara_rule
  behavioral2/memory/208-138-0x0000000000800000-0x0000000000BE4000-memory.dmp   upx
  behavioral2/memory/208-137-0x0000000000800000-0x0000000000BE4000-memory.dmp   upx
  behavioral2/memory/3216-145-0x0000000000400000-0x00000000007E4000-memory.dmp  upx
  behavioral2/memory/3216-146-0x0000000000400000-0x00000000007E4000-memory.dmp  upx
  behavioral2/memory/3216-147-0x0000000000400000-0x00000000007E4000-memory.dmp  upx
  behavioral2/memory/3216-148-0x0000000000400000-0x00000000007E4000-memory.dmp  upx
  behavioral2/memory/3216-151-0x0000000000400000-0x00000000007E4000-memory.dmp  upx
-
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
Processes:
  pid   process
  3216  RegAsm.exe  (x5)
-
Suspicious use of SetThreadContext 2 IoCs
Processes:
  pid   process                          target pid  target process
  2088  NIS75FJ4D_ETRANSFER_RECEIPT.exe  208         RegAsm.exe
  4152  nhbyg.exe                        3216        RegAsm.exe
-
Program crash 1 IoCs
Processes:
  pid   process       pid_target  target process
  3492  WerFault.exe  208         RegAsm.exe
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
  pid   process
  1992  schtasks.exe
  5064  schtasks.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
  description                 pid   process
  Token: SeShutdownPrivilege  3216  RegAsm.exe
-
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
  pid   process
  3216  RegAsm.exe  (x2)
-
Suspicious use of WriteProcessMemory 32 IoCs
Processes (source pid/process -> target pid/process, count):
  2088 NIS75FJ4D_ETRANSFER_RECEIPT.exe -> 1796 cmd.exe       x3
  1796 cmd.exe                         -> 1992 schtasks.exe  x3
  2088 NIS75FJ4D_ETRANSFER_RECEIPT.exe -> 3384 cmd.exe       x3
  2088 NIS75FJ4D_ETRANSFER_RECEIPT.exe -> 208 RegAsm.exe     x7
  4152 nhbyg.exe                       -> 4308 cmd.exe       x3
  4308 cmd.exe                         -> 5064 schtasks.exe  x3
  4152 nhbyg.exe                       -> 3380 cmd.exe       x3
  4152 nhbyg.exe                       -> 3216 RegAsm.exe    x7

The writes into the cmd.exe and schtasks.exe children are the same small number seen for any child process the parent creates; the larger set of writes into each RegAsm.exe, paired with the SetThreadContext calls above, is the injection of the unpacked payload into a hollowed .NET host.
Processes
(PIDs added from the signature tables above; nesting depth shown by indentation)

C:\Users\Admin\AppData\Local\Temp\NIS75FJ4D_ETRANSFER_RECEIPT.exe  (PID 2088)
  cmdline: "C:\Users\Admin\AppData\Local\Temp\NIS75FJ4D_ETRANSFER_RECEIPT.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe  (PID 1796)
      cmdline: "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\nhbyg.exe'" /f
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\schtasks.exe  (PID 1992)
          cmdline: schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\nhbyg.exe'" /f
          - Creates scheduled task(s)
    C:\Windows\SysWOW64\cmd.exe  (PID 3384)
      cmdline: "cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\NIS75FJ4D_ETRANSFER_RECEIPT.exe" "C:\Users\Admin\AppData\Roaming\nhbyg.exe"
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  (PID 208)
      cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        C:\Windows\SysWOW64\WerFault.exe  (PID 3492)
          cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 208 -s 540
          - Program crash

C:\Windows\SysWOW64\WerFault.exe
  cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 208 -ip 208

C:\Users\Admin\AppData\Roaming\nhbyg.exe  (PID 4152)
  cmdline: C:\Users\Admin\AppData\Roaming\nhbyg.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe  (PID 4308)
      cmdline: "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\nhbyg.exe'" /f
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\schtasks.exe  (PID 5064)
          cmdline: schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\nhbyg.exe'" /f
          - Creates scheduled task(s)
    C:\Windows\SysWOW64\cmd.exe  (PID 3380)
      cmdline: "cmd.exe" /C copy "C:\Users\Admin\AppData\Roaming\nhbyg.exe" "C:\Users\Admin\AppData\Roaming\nhbyg.exe"
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  (PID 3216)
      cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx

C:\Users\Admin\AppData\Roaming\nhbyg.exe  (PID 4624)
  cmdline: C:\Users\Admin\AppData\Roaming\nhbyg.exe
  - Executes dropped EXE

Reading the tree: the original sample copies itself to %AppData%\Roaming\nhbyg.exe, registers a scheduled task named "Nafdnasia" that runs that copy every minute (/sc minute /mo 1, /f to overwrite any existing task), then starts RegAsm.exe with no arguments and injects into it; that first RegAsm.exe instance (208) crashed and was handled by WerFault. The task then launches nhbyg.exe (4152), which repeats the same steps (its "copy" now copies nhbyg.exe onto itself) and whose RegAsm.exe (3216) stays alive and carries the anti-debug, hook and privilege signatures. The later nhbyg.exe launch (4624) is the task firing again. cmd.exe and schtasks.exe run from SysWOW64 and RegAsm.exe from the 32-bit Framework directory, so the sample is a 32-bit .NET executable.
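The following is an added example, not part of the Triage report. It runs three detection rules over process-creation events constructed from the tree above (PIDs as in the signature tables; the last event is a constructed benign control of RegAsm.exe registering a real assembly): a schtasks /create with a minute-level interval whose action lives under AppData, a .NET utility such as RegAsm.exe started with no arguments by a parent running out of a user profile (the process-creation footprint of the SetThreadContext/WriteProcessMemory hollowing seen here), and a cmd /C copy of the parent's own image into AppData. The rule names and thresholds are this example's own.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed from the report's process tree. PIDs come from the signature tables:
# 2088 = original sample, 1796/3384 = cmd.exe, 1992 = schtasks.exe, 208 = hollowed
# RegAsm.exe. PIDs 9000/9001 are a constructed benign control, not from the report.
EVENTS = [
    ProcEvent(2088, 0, r"C:\Users\Admin\AppData\Local\Temp\NIS75FJ4D_ETRANSFER_RECEIPT.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\NIS75FJ4D_ETRANSFER_RECEIPT.exe"'),
    ProcEvent(1796, 2088, r"C:\Windows\SysWOW64\cmd.exe",
              r'''"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\nhbyg.exe'" /f'''),
    ProcEvent(1992, 1796, r"C:\Windows\SysWOW64\schtasks.exe",
              r'''schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\nhbyg.exe'" /f'''),
    ProcEvent(3384, 2088, r"C:\Windows\SysWOW64\cmd.exe",
              r'"cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\NIS75FJ4D_ETRANSFER_RECEIPT.exe" "C:\Users\Admin\AppData\Roaming\nhbyg.exe"'),
    ProcEvent(208, 2088, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
              r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"'),
    ProcEvent(9001, 9000, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
              r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" /codebase "C:\Program Files\Vendor\lib.dll"'),
]

USER_PROFILE_RE = re.compile(r"\\users\\[^\\]+\\appdata\\", re.I)
# .NET framework utilities commonly used as hollowing hosts; a genuine invocation passes an assembly path.
NET_UTILITIES = ("\\regasm.exe", "\\regsvcs.exe", "\\msbuild.exe", "\\installutil.exe")
# Scheduled tasks that re-run at least this often are treated as suspicious.
MAX_SUSPICIOUS_INTERVAL_MIN = 5


def args_after_image(cmdline):
    """Return the command line with its leading (possibly quoted) image path removed."""
    cl = cmdline.strip()
    if cl.startswith('"'):
        end = cl.find('"', 1)
        return cl[end + 1:].strip() if end != -1 else ""
    parts = cl.split(None, 1)
    return parts[1].strip() if len(parts) > 1 else ""


def detect(events):
    """Apply the three rules and return a list of (rule, pid) findings."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        img, cl = e.image.lower(), e.cmdline.lower()
        parent = by_pid.get(e.ppid)

        # Rule 1: schtasks /create, minute schedule with a short modifier, action under AppData.
        if img.endswith("\\schtasks.exe") and "/create" in cl:
            m = re.search(r"/sc\s+minute\b.*?/mo\s+(\d+)", cl)
            tr = cl.find("/tr")
            if m and int(m.group(1)) <= MAX_SUSPICIOUS_INTERVAL_MIN and tr != -1 and "\\appdata\\" in cl[tr:]:
                findings.append(("schtasks_minute_persistence", e.pid))

        # Rule 2: .NET utility with an empty argument list, parent executing from a user profile.
        if img.endswith(NET_UTILITIES) and args_after_image(e.cmdline) == "":
            if parent and USER_PROFILE_RE.search(parent.image):
                findings.append(("net_utility_hollowing_candidate", e.pid))

        # Rule 3: cmd /C copy whose source is the parent's own image and whose target is under AppData.
        m = re.search(r'/c\s+copy\s+"([^"]+)"\s+"([^"]+)"', cl)
        if img.endswith("\\cmd.exe") and m and parent:
            src, dst = m.group(1), m.group(2)
            if src == parent.image.lower() and "\\appdata\\" in dst:
                findings.append(("self_copy_to_appdata", e.pid))
    return findings


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule}: pid {pid}")
```

Rule 2 deliberately keys on the empty argument list rather than on RegAsm.exe alone: the utility is signed and legitimate, and installers do run it, but they always pass an assembly to register, as the benign control shows.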
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\nhbyg.exe.log
  Filesize: 520B
  MD5: 41c37de2b4598f7759f865817dba5f80
  SHA1: 884ccf344bc2dd409425dc5ace0fd909a5f8cce4
  SHA256: 427235491a8da3fc8770ed60d30af731835c94585cd08d4d81fca9f703b283bc
  SHA512: a8f3c74916623de100e4cf22e05df9cdf541b1e32443aab0434f35fb9c4a7fa950b997ce589b532e65731ae471a1f152cd5c00ea1df4bd7a6b57eb27c93c54bd
  (The .NET runtime writes CLR_v4.0_32\UsageLogs\<name>.log for a 32-bit managed executable, which confirms that nhbyg.exe, and therefore the original sample, is a .NET assembly; RegAsm.exe as the injection host fits that loader pattern.)
- C:\Users\Admin\AppData\Roaming\nhbyg.exe  (listed twice in the report with identical values)
  Filesize: 300.0MB
  MD5: d072528e13a5c62a4f27192472f757da
  SHA1: 361a23cc18bb659c6663e7e4d962c002ca89b716
  SHA256: 0cf97758629ff73febf6d092d1efa21076274de36257722e9f33ed71937b1c0b
  SHA512: 59dd288c9e820a575b2a977b07976e6c6b36f87e6dc8a6028e51cc8e6aae60668de1d4f9be9c34bc3489875fc3440727f47542a3c0ad48a19a83b5c03f5fb397
- C:\Users\Admin\AppData\Roaming\nhbyg.exe
  Filesize: 250.1MB
  MD5: a23b2ddb0bf05d91d5ece0b080f12172
  SHA1: e1606320d8cdb9eb095ff0dc968c739640ff6895
  SHA256: 085646961c749b1affd2fae08b453a38c4919d489035180b7ae0e567b01d3d80
  SHA512: 0d15e0f028d15431a8209afbf438d86a4a38245b225a7aa75969646e71f3ac6f327fc97fef6e6875176a33c97738f70a4c23df0c6f31c1d4f925b28b2297b4d7
  (Same path, smaller size and different hashes: most likely the file was hashed while one of the copy operations was still writing it. Pivot on the 300.0MB hashes, which match the submitted sample, not on these.)

Memory dumps (name is pid-index-start-end; sizes as reported):
- memory/208-135-0x0000000000000000-mapping.dmp
- memory/208-137-0x0000000000800000-0x0000000000BE4000-memory.dmp  3.9MB
- memory/208-138-0x0000000000800000-0x0000000000BE4000-memory.dmp  3.9MB
- memory/1796-131-0x0000000000000000-mapping.dmp
- memory/1992-132-0x0000000000000000-mapping.dmp
- memory/2088-130-0x0000000000FD0000-0x0000000001164000-memory.dmp  1.6MB
- memory/2088-133-0x00000000065E0000-0x0000000006B84000-memory.dmp  5.6MB
- memory/3216-144-0x0000000000000000-mapping.dmp
- memory/3216-145-0x0000000000400000-0x00000000007E4000-memory.dmp  3.9MB
- memory/3216-146-0x0000000000400000-0x00000000007E4000-memory.dmp  3.9MB
- memory/3216-147-0x0000000000400000-0x00000000007E4000-memory.dmp  3.9MB
- memory/3216-148-0x0000000000400000-0x00000000007E4000-memory.dmp  3.9MB
- memory/3216-149-0x0000000074CE0000-0x0000000074D19000-memory.dmp  228KB
- memory/3216-150-0x0000000075080000-0x00000000750B9000-memory.dmp  228KB
- memory/3216-151-0x0000000000400000-0x00000000007E4000-memory.dmp  3.9MB
- memory/3380-143-0x0000000000000000-mapping.dmp
- memory/3384-134-0x0000000000000000-mapping.dmp
- memory/4308-141-0x0000000000000000-mapping.dmp
- memory/5064-142-0x0000000000000000-mapping.dmp

The 0x800000-0xBE4000 region in RegAsm.exe (208) and the 0x400000-0x7E4000 region in RegAsm.exe (3216) are the same size, 0x3E4000 bytes, and both carry the upx YARA match: this is the image written into the hollowed host by the parent's WriteProcessMemory calls, and the 3216 dumps are the ones to carve for the unpacked payload, since that instance ran long enough to exhibit the anti-debug, hook and privilege behaviour. The 1.6MB and 5.6MB regions in 2088 belong to the .NET dropper itself.