Analysis
max time kernel: 159s
max time network: 170s
platform: windows7_x64
resource: win7-20220414-en
submitted: 14-07-2022 06:55
Static task: static1
Behavioral task: behavioral1
  Sample: RPDQOPKDGSA_PAYMENT_INVOICE.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: RPDQOPKDGSA_PAYMENT_INVOICE.exe
  Resource: win10v2004-20220414-en
General
Target: RPDQOPKDGSA_PAYMENT_INVOICE.exe
Size: 299.0MB
MD5: e19f652edb3ad5c5d322a9458f0bd57b
SHA1: 3c21da297f2119d4312c5401981dc31fcbb4bf81
SHA256: 30200a7b327e28ce7e846002f0cb8e63716fac612a8bf3c78d2abe568d9de9d9
SHA512: e82fc0d590c3017e478e0eb3c34a8c9af231dd8ddbb8d224b2445d1365e3743476bbaac4877ef0cef6484ad4310518a85d09a16ecc7e5483342fbddc0a5c05b8
Malware Config
Extracted
Family: bitrat
Version: 1.38
C2: sh1673009.duckdns.org:7812
communication_password: 81dc9bdb52d04dc20036dbd8313ed055
tor_process: tor
Signatures
suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)
Executes dropped EXE (1 IoC)
Processes:
  pid   process
  432   yfnqw.exe
Processes:
  resource                                                                      yara_rule
  behavioral1/memory/1528-65-0x0000000000400000-0x00000000007E4000-memory.dmp   upx
  behavioral1/memory/1528-67-0x0000000000400000-0x00000000007E4000-memory.dmp   upx
  behavioral1/memory/1528-68-0x0000000000400000-0x00000000007E4000-memory.dmp   upx
  behavioral1/memory/1528-71-0x0000000000400000-0x00000000007E4000-memory.dmp   upx
  behavioral1/memory/1528-70-0x0000000000400000-0x00000000007E4000-memory.dmp   upx
  behavioral1/memory/1528-74-0x0000000000400000-0x00000000007E4000-memory.dmp   upx
  behavioral1/memory/1528-75-0x0000000000400000-0x00000000007E4000-memory.dmp   upx
  behavioral1/memory/1528-76-0x0000000000400000-0x00000000007E4000-memory.dmp   upx
  behavioral1/memory/1528-77-0x0000000000400000-0x00000000007E4000-memory.dmp   upx
Suspicious use of NtSetInformationThreadHideFromDebugger (5 IoCs)
Processes:
  pid   process
  1528  RegAsm.exe  (5 events)
Suspicious use of SetThreadContext (1 IoC)
Processes:
  PID 1240 set thread context of 1528: RPDQOPKDGSA_PAYMENT_INVOICE.exe (pid 1240) -> RegAsm.exe (pid 1528)
Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  description                  pid   process
  Token: SeDebugPrivilege      1528  RegAsm.exe
  Token: SeShutdownPrivilege   1528  RegAsm.exe
Suspicious use of SetWindowsHookEx (2 IoCs)
Processes:
  pid   process
  1528  RegAsm.exe  (2 events)
Suspicious use of WriteProcessMemory (27 IoCs)
Processes:
  description                        pid   process                          target process   events
  PID 1240 wrote to memory of 940    1240  RPDQOPKDGSA_PAYMENT_INVOICE.exe  cmd.exe          4
  PID 940 wrote to memory of 1616    940   cmd.exe                          schtasks.exe     4
  PID 1240 wrote to memory of 1428   1240  RPDQOPKDGSA_PAYMENT_INVOICE.exe  cmd.exe          4
  PID 1200 wrote to memory of 432    1200  taskeng.exe                      yfnqw.exe        4
  PID 1240 wrote to memory of 1528   1240  RPDQOPKDGSA_PAYMENT_INVOICE.exe  RegAsm.exe       11
Processes (indented by parent/child depth)
C:\Users\Admin\AppData\Local\Temp\RPDQOPKDGSA_PAYMENT_INVOICE.exe
  "C:\Users\Admin\AppData\Local\Temp\RPDQOPKDGSA_PAYMENT_INVOICE.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\yfnqw.exe'" /f
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\yfnqw.exe'" /f
      - Creates scheduled task(s)
  C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\RPDQOPKDGSA_PAYMENT_INVOICE.exe" "C:\Users\Admin\AppData\Roaming\yfnqw.exe"
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
C:\Windows\system32\taskeng.exe
  taskeng.exe {3B440CB0-D522-40FD-8A32-52922DE29DA3} S-1-5-21-790309383-526510583-3802439154-1000:TVHJCWMH\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Roaming\yfnqw.exe
    C:\Users\Admin\AppData\Roaming\yfnqw.exe
    - Executes dropped EXE
Downloads
C:\Users\Admin\AppData\Roaming\yfnqw.exe
  Filesize: 299.0MB
  MD5: e19f652edb3ad5c5d322a9458f0bd57b
  SHA1: 3c21da297f2119d4312c5401981dc31fcbb4bf81
  SHA256: 30200a7b327e28ce7e846002f0cb8e63716fac612a8bf3c78d2abe568d9de9d9
  SHA512: e82fc0d590c3017e478e0eb3c34a8c9af231dd8ddbb8d224b2445d1365e3743476bbaac4877ef0cef6484ad4310518a85d09a16ecc7e5483342fbddc0a5c05b8
Memory dumps (filesize where recorded):
  memory/432-62-0x00000000003B0000-0x000000000053E000-memory.dmp    1.6MB
  memory/432-60-0x0000000000000000-mapping.dmp
  memory/940-56-0x0000000000000000-mapping.dmp
  memory/1240-55-0x00000000753E1000-0x00000000753E3000-memory.dmp   8KB
  memory/1240-54-0x00000000012D0000-0x000000000145E000-memory.dmp   1.6MB
  memory/1428-58-0x0000000000000000-mapping.dmp
  memory/1528-65-0x0000000000400000-0x00000000007E4000-memory.dmp   3.9MB
  memory/1528-70-0x0000000000400000-0x00000000007E4000-memory.dmp   3.9MB
  memory/1528-79-0x0000000000120000-0x000000000012A000-memory.dmp   40KB
  memory/1528-67-0x0000000000400000-0x00000000007E4000-memory.dmp   3.9MB
  memory/1528-68-0x0000000000400000-0x00000000007E4000-memory.dmp   3.9MB
  memory/1528-69-0x00000000007E2730-mapping.dmp
  memory/1528-71-0x0000000000400000-0x00000000007E4000-memory.dmp   3.9MB
  memory/1528-64-0x0000000000400000-0x00000000007E4000-memory.dmp   3.9MB
  memory/1528-74-0x0000000000400000-0x00000000007E4000-memory.dmp   3.9MB
  memory/1528-75-0x0000000000400000-0x00000000007E4000-memory.dmp   3.9MB
  memory/1528-76-0x0000000000400000-0x00000000007E4000-memory.dmp   3.9MB
  memory/1528-77-0x0000000000400000-0x00000000007E4000-memory.dmp   3.9MB
  memory/1528-78-0x0000000000120000-0x000000000012A000-memory.dmp   40KB
  memory/1616-57-0x0000000000000000-mapping.dmp