Analysis
- max time kernel: 189s
- max time network: 228s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 22-06-2022 09:12
Static task
- static1
Behavioral task
- behavioral1
  Sample: 68efb40ce0cf7c5d05737929727cd1e08f4ccbace0b14e9102d332c4c4b40667.zip
  Resource: win7-20220414-en
- behavioral2
  Sample: 68efb40ce0cf7c5d05737929727cd1e08f4ccbace0b14e9102d332c4c4b40667.zip
  Resource: win10v2004-20220414-en
- behavioral3
  Sample: n3m18xb4m_Receipt.exe
  Resource: win7-20220414-en
- behavioral4
  Sample: n3m18xb4m_Receipt.exe
  Resource: win10v2004-20220414-en
General
- Target: n3m18xb4m_Receipt.exe
- Size: 300.0MB
- MD5: 600264e6c435659230d5e8fa5c461f8e
- SHA1: d73cccf02e3f6fe73c95b0760579091455036b4b
- SHA256: e03cb09284d307ffc4121661c8d6fc9c4451127cbd2616adcc638ff19de44831
- SHA512: 26ad49be4f9e1f7c928af4be1c5b84a149e410a20cc12257225cb89753b98b6b38d669bb23527a3325d6783070359b12201c89498f5c169f36d7ef3e30f38dee
Malware Config
Extracted
- bitrat
- 1.38
- bitranew3500.duckdns.org:3500
- communication_password: e10adc3949ba59abbe56e057f20f883e
- tor_process: tor
Signatures
-
Processes:
resource  yara_rule
behavioral3/memory/1768-58-0x0000000000400000-0x00000000007E4000-memory.dmp  upx
behavioral3/memory/1768-60-0x0000000000400000-0x00000000007E4000-memory.dmp  upx
behavioral3/memory/1768-61-0x0000000000400000-0x00000000007E4000-memory.dmp  upx
behavioral3/memory/1768-63-0x0000000000400000-0x00000000007E4000-memory.dmp  upx
behavioral3/memory/1768-64-0x0000000000400000-0x00000000007E4000-memory.dmp  upx
behavioral3/memory/1768-67-0x0000000000400000-0x00000000007E4000-memory.dmp  upx
behavioral3/memory/1768-68-0x0000000000400000-0x00000000007E4000-memory.dmp  upx
behavioral3/memory/1768-70-0x0000000000400000-0x00000000007E4000-memory.dmp  upx
behavioral3/memory/1768-71-0x0000000000400000-0x00000000007E4000-memory.dmp  upx
-
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
Processes:
pid  process
1768  RegAsm.exe
1768  RegAsm.exe
1768  RegAsm.exe
1768  RegAsm.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
description  pid  process  target process
PID 1288 set thread context of 1768  1288  n3m18xb4m_Receipt.exe  RegAsm.exe
-
Program crash 1 IoCs
Processes:
pid  pid_target  process  target process
1800  1288  WerFault.exe  n3m18xb4m_Receipt.exe
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
description  pid  process
Token: SeDebugPrivilege  1288  n3m18xb4m_Receipt.exe
Token: 33  1288  n3m18xb4m_Receipt.exe
Token: SeIncBasePriorityPrivilege  1288  n3m18xb4m_Receipt.exe
Token: SeDebugPrivilege  1768  RegAsm.exe
Token: SeShutdownPrivilege  1768  RegAsm.exe
-
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
pid  process
1768  RegAsm.exe
1768  RegAsm.exe
-
Suspicious use of WriteProcessMemory 15 IoCs
Processes:
description  pid  process  target process
PID 1288 wrote to memory of 1768  1288  n3m18xb4m_Receipt.exe  RegAsm.exe
PID 1288 wrote to memory of 1768  1288  n3m18xb4m_Receipt.exe  RegAsm.exe
PID 1288 wrote to memory of 1768  1288  n3m18xb4m_Receipt.exe  RegAsm.exe
PID 1288 wrote to memory of 1768  1288  n3m18xb4m_Receipt.exe  RegAsm.exe
PID 1288 wrote to memory of 1768  1288  n3m18xb4m_Receipt.exe  RegAsm.exe
PID 1288 wrote to memory of 1768  1288  n3m18xb4m_Receipt.exe  RegAsm.exe
PID 1288 wrote to memory of 1768  1288  n3m18xb4m_Receipt.exe  RegAsm.exe
PID 1288 wrote to memory of 1768  1288  n3m18xb4m_Receipt.exe  RegAsm.exe
PID 1288 wrote to memory of 1768  1288  n3m18xb4m_Receipt.exe  RegAsm.exe
PID 1288 wrote to memory of 1768  1288  n3m18xb4m_Receipt.exe  RegAsm.exe
PID 1288 wrote to memory of 1768  1288  n3m18xb4m_Receipt.exe  RegAsm.exe
PID 1288 wrote to memory of 1800  1288  n3m18xb4m_Receipt.exe  WerFault.exe
PID 1288 wrote to memory of 1800  1288  n3m18xb4m_Receipt.exe  WerFault.exe
PID 1288 wrote to memory of 1800  1288  n3m18xb4m_Receipt.exe  WerFault.exe
PID 1288 wrote to memory of 1800  1288  n3m18xb4m_Receipt.exe  WerFault.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\n3m18xb4m_Receipt.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\n3m18xb4m_Receipt.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  -
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
  -
  C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1288 -s 704
    - Program crash
Network
MITRE ATT&CK Matrix
Downloads
- memory/1288-54-0x0000000001120000-0x00000000012B2000-memory.dmp  Filesize: 1.6MB
- memory/1288-55-0x0000000075F61000-0x0000000075F63000-memory.dmp  Filesize: 8KB
- memory/1288-56-0x0000000005490000-0x0000000005606000-memory.dmp  Filesize: 1.5MB
- memory/1768-61-0x0000000000400000-0x00000000007E4000-memory.dmp  Filesize: 3.9MB
- memory/1768-58-0x0000000000400000-0x00000000007E4000-memory.dmp  Filesize: 3.9MB
- memory/1768-60-0x0000000000400000-0x00000000007E4000-memory.dmp  Filesize: 3.9MB
- memory/1768-57-0x0000000000400000-0x00000000007E4000-memory.dmp  Filesize: 3.9MB
- memory/1768-62-0x00000000007E2730-mapping.dmp
- memory/1768-63-0x0000000000400000-0x00000000007E4000-memory.dmp  Filesize: 3.9MB
- memory/1768-64-0x0000000000400000-0x00000000007E4000-memory.dmp  Filesize: 3.9MB
- memory/1768-67-0x0000000000400000-0x00000000007E4000-memory.dmp  Filesize: 3.9MB
- memory/1768-68-0x0000000000400000-0x00000000007E4000-memory.dmp  Filesize: 3.9MB
- memory/1768-70-0x0000000000400000-0x00000000007E4000-memory.dmp  Filesize: 3.9MB
- memory/1768-71-0x0000000000400000-0x00000000007E4000-memory.dmp  Filesize: 3.9MB
- memory/1800-69-0x0000000000000000-mapping.dmp