Analysis
- max time kernel: 150s
- max time network: 152s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 04-07-2022 16:35
Static task: static1
Behavioral task: behavioral1
- Sample: SecuriteInfo.com.Variant.Bulz.730395.20983.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: SecuriteInfo.com.Variant.Bulz.730395.20983.exe
- Resource: win10v2004-20220414-en
General
- Target: SecuriteInfo.com.Variant.Bulz.730395.20983.exe
- Size: 1.8MB
- MD5: 2f739f97c66d3045db3493780644c7ad
- SHA1: 66c4b6042c730cac3d6fecf96c0d9cd20b71e47d
- SHA256: 5772bd29784adbf084a02eb16b79167d007b9eac3821cfb789a26196368f3e2a
- SHA512: b56e3566e366ed36c24f0def539d31211eb53ce6c659db107e094a867a087375f2385c0c782850c2b350ba51aaf01365919a3218d47d3e77fbb2a891388172d0
Malware Config
Extracted
- Family: bitrat
- Version: 1.38
- C2: bitrat9300.duckdns.org:9300
- communication_password: e10adc3949ba59abbe56e057f20f883e
- tor_process: tor
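The extracted BitRAT configuration above is the most useful part of the report for a responder: the C2 endpoint, and a communication password that BitRAT stores as an MD5 digest. The following Python is an added example, not part of the sandbox report or of BitRAT itself, that triages such a config: it splits the C2 into host and port, flags a dynamic-DNS host (the suffix list is an assumption, not from the report), and tries the digest against a small constructed candidate list in place of a real wordlist.

```python
"""Triage an extracted BitRAT config (added example; values copied from the report)."""
import hashlib
import re
from typing import Dict, Iterable, Optional, Tuple

# Copied from the report's "Malware Config" section.
EXTRACTED_CONFIG: Dict[str, str] = {
    "family": "bitrat",
    "version": "1.38",
    "c2": "bitrat9300.duckdns.org:9300",
    "communication_password": "e10adc3949ba59abbe56e057f20f883e",
    "tor_process": "tor",
}

# Constructed candidate list; a real check would read a wordlist file.
WEAK_PASSWORD_CANDIDATES = ["password", "123456", "12345678", "admin", "bitrat"]

# Assumption: dynamic-DNS suffixes commonly seen in RAT C2; extend as needed.
DYNAMIC_DNS_SUFFIXES = (".duckdns.org", ".no-ip.org", ".ddns.net")


def parse_c2(c2: str) -> Tuple[str, int]:
    """Split 'host:port' from the right so IPv6-style hosts are not mangled."""
    host, sep, port = c2.rpartition(":")
    if not sep or not port.isdigit():
        raise ValueError(f"unexpected C2 format: {c2!r}")
    return host, int(port)


def recover_password(md5_hex: str, candidates: Iterable[str]) -> Optional[str]:
    """BitRAT keeps the communication password as an MD5 digest; try candidates."""
    digest = md5_hex.lower()
    if not re.fullmatch(r"[0-9a-f]{32}", digest):
        raise ValueError("communication_password is not a 32-hex MD5 digest")
    for cand in candidates:
        if hashlib.md5(cand.encode()).hexdigest() == digest:
            return cand
    return None


def triage(config: Dict[str, str]) -> Dict[str, object]:
    """Return the indicators a responder would block or hunt on."""
    host, port = parse_c2(config["c2"])
    return {
        "c2_host": host,
        "c2_port": port,
        "uses_dynamic_dns": host.endswith(DYNAMIC_DNS_SUFFIXES),
        "password": recover_password(config["communication_password"],
                                     WEAK_PASSWORD_CANDIDATES),
        "tor_expected": bool(config.get("tor_process")),
    }


if __name__ == "__main__":
    for key, val in triage(EXTRACTED_CONFIG).items():
        print(f"{key}: {val}")
```

For this sample the digest resolves to a trivially weak password from the constructed list, which is typical of commodity RAT deployments; the C2 host and port are what belong in a blocklist, and the DuckDNS suffix is the reason to expect the resolved IP to change.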
Signatures
-
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Processes:
- SecuriteInfo.com.Variant.Bulz.730395.20983.exe: Set value (str) \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Roaming\\xdcf.exe\","
-
suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)
-
YARA rule "upx" matched in memory (9 IoCs)
Processes:
- behavioral1/memory/1652-59-0x0000000000400000-0x00000000007E4000-memory.dmp: upx
- behavioral1/memory/1652-61-0x0000000000400000-0x00000000007E4000-memory.dmp: upx
- behavioral1/memory/1652-62-0x0000000000400000-0x00000000007E4000-memory.dmp: upx
- behavioral1/memory/1652-64-0x0000000000400000-0x00000000007E4000-memory.dmp: upx
- behavioral1/memory/1652-65-0x0000000000400000-0x00000000007E4000-memory.dmp: upx
- behavioral1/memory/1652-68-0x0000000000400000-0x00000000007E4000-memory.dmp: upx
- behavioral1/memory/1652-69-0x0000000000400000-0x00000000007E4000-memory.dmp: upx
- behavioral1/memory/1652-70-0x0000000000400000-0x00000000007E4000-memory.dmp: upx
- behavioral1/memory/1652-73-0x0000000000400000-0x00000000007E4000-memory.dmp: upx
-
Suspicious use of NtSetInformationThreadHideFromDebugger (5 IoCs)
Processes:
- RegAsm.exe (PID 1652), 5 occurrences
-
Suspicious use of SetThreadContext (1 IoC)
Processes:
- PID 1284 (SecuriteInfo.com.Variant.Bulz.730395.20983.exe) set thread context of PID 1652 (RegAsm.exe)
-
Suspicious behavior: EnumeratesProcesses (1 IoC)
Processes:
- SecuriteInfo.com.Variant.Bulz.730395.20983.exe (PID 1284)
-
Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
- Token: SeDebugPrivilege, PID 1284 (SecuriteInfo.com.Variant.Bulz.730395.20983.exe)
- Token: SeDebugPrivilege, PID 1652 (RegAsm.exe)
- Token: SeShutdownPrivilege, PID 1652 (RegAsm.exe)
-
Suspicious use of SetWindowsHookEx (2 IoCs)
Processes:
- RegAsm.exe (PID 1652), 2 occurrences
-
Suspicious use of WriteProcessMemory (11 IoCs)
Processes:
- PID 1284 (SecuriteInfo.com.Variant.Bulz.730395.20983.exe) wrote to memory of PID 1652 (RegAsm.exe), 11 occurrences
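Two of the signatures above are worth re-deriving from raw telemetry rather than trusting the sandbox label: the Winlogon\Shell modification, whose value is a comma-separated list that hides the dropped payload behind a quoted path, and the WriteProcessMemory plus SetThreadContext pair from the sample into a freshly spawned RegAsm.exe with no arguments, which is the usual shape of process hollowing into a signed .NET utility (the hollowing reading is an inference from the report's signatures, not something the report states). The Python below is an added example, not part of the report, that runs both checks over constructed event records modelled on the report's rows; the list of hollowing host binaries is an assumption.

```python
"""Re-derive the Winlogon-persistence and hollowing findings from events (added example)."""
import csv
from typing import Dict, List

# Constructed events modelled on the report's signature rows; not real telemetry.
EVENTS: List[Dict] = [
    {"type": "registry_set", "pid": 1284,
     "image": "SecuriteInfo.com.Variant.Bulz.730395.20983.exe",
     "key": r"\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000"
            r"\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
     "value": 'explorer.exe,"C:\\Users\\Admin\\AppData\\Roaming\\xdcf.exe",'},
    {"type": "process_create", "pid": 1652, "ppid": 1284,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "cmdline": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"},
    {"type": "write_process_memory", "pid": 1284, "target_pid": 1652},
    {"type": "set_thread_context", "pid": 1284, "target_pid": 1652},
]

# Assumption: signed .NET utilities commonly used as hollowing hosts.
HOLLOWING_HOSTS = {"regasm.exe", "regsvcs.exe", "msbuild.exe", "installutil.exe"}


def parse_shell_value(value: str) -> List[str]:
    """Winlogon Shell is comma-separated; csv handles the quoted path correctly."""
    row = next(csv.reader([value]))
    return [item.strip() for item in row if item.strip()]


def check_winlogon_shell(events: List[Dict]) -> List[Dict]:
    """Flag any Shell entry other than the default explorer.exe."""
    findings = []
    for e in events:
        if e["type"] != "registry_set":
            continue
        if not e["key"].lower().endswith(r"\winlogon\shell"):
            continue
        extras = [p for p in parse_shell_value(e["value"]) if p.lower() != "explorer.exe"]
        if extras:
            findings.append({"signature": "Modifies WinLogon for persistence",
                             "pid": e["pid"], "payloads": extras})
    return findings


def check_hollowing(events: List[Dict]) -> List[Dict]:
    """WriteProcessMemory + SetThreadContext from parent into an argument-less child."""
    created = {e["pid"]: e for e in events if e["type"] == "process_create"}
    writes = {(e["pid"], e["target_pid"]) for e in events if e["type"] == "write_process_memory"}
    ctx = {(e["pid"], e["target_pid"]) for e in events if e["type"] == "set_thread_context"}
    findings = []
    for src, dst in sorted(writes & ctx):
        child = created.get(dst)
        if child is None or child["ppid"] != src:
            continue
        name = child["image"].rsplit("\\", 1)[-1].lower()
        no_args = child["cmdline"].strip().strip('"').lower() == child["image"].lower()
        if name in HOLLOWING_HOSTS and no_args:
            findings.append({"signature": "Process hollowing into .NET utility",
                             "src_pid": src, "target_pid": dst, "host": name})
    return findings


if __name__ == "__main__":
    for f in check_winlogon_shell(EVENTS) + check_hollowing(EVENTS):
        print(f)
```

The hollowing check deliberately requires all three conditions (memory write, thread context change, and a child that was started with no arguments) so that legitimate debuggers and installers that touch RegAsm.exe with real arguments do not trip it.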
Processes
- C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Bulz.730395.20983.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Bulz.730395.20983.exe"
  - Modifies WinLogon for persistence
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Child: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads (memory dumps)
- memory/1284-54-0x0000000000D70000-0x0000000000F50000-memory.dmp (1.9MB)
- memory/1284-55-0x0000000004FF0000-0x00000000051E0000-memory.dmp (1.9MB)
- memory/1284-56-0x0000000000AA0000-0x0000000000AEC000-memory.dmp (304KB)
- memory/1284-57-0x00000000759F1000-0x00000000759F3000-memory.dmp (8KB)
- memory/1652-58-0x0000000000400000-0x00000000007E4000-memory.dmp (3.9MB)
- memory/1652-59-0x0000000000400000-0x00000000007E4000-memory.dmp (3.9MB)
- memory/1652-61-0x0000000000400000-0x00000000007E4000-memory.dmp (3.9MB)
- memory/1652-63-0x00000000007E2730-mapping.dmp
- memory/1652-62-0x0000000000400000-0x00000000007E4000-memory.dmp (3.9MB)
- memory/1652-64-0x0000000000400000-0x00000000007E4000-memory.dmp (3.9MB)
- memory/1652-65-0x0000000000400000-0x00000000007E4000-memory.dmp (3.9MB)
- memory/1652-68-0x0000000000400000-0x00000000007E4000-memory.dmp (3.9MB)
- memory/1652-69-0x0000000000400000-0x00000000007E4000-memory.dmp (3.9MB)
- memory/1652-70-0x0000000000400000-0x00000000007E4000-memory.dmp (3.9MB)
- memory/1652-71-0x00000000001A0000-0x00000000001AA000-memory.dmp (40KB)
- memory/1652-72-0x00000000001A0000-0x00000000001AA000-memory.dmp (40KB)
- memory/1652-73-0x0000000000400000-0x00000000007E4000-memory.dmp (3.9MB)
- memory/1652-74-0x00000000001A0000-0x00000000001AA000-memory.dmp (40KB)
- memory/1652-75-0x00000000001A0000-0x00000000001AA000-memory.dmp (40KB)