Overview

overview

10

Static

static

5d7d0a5904...dc.exe

windows7_x64

1

5d7d0a5904...dc.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    148s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    14-07-2022 17:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5d7d0a5904199e6196c09c6cddf091dc.exe

  • Size

    1.0MB

  • MD5

    5d7d0a5904199e6196c09c6cddf091dc

  • SHA1

    037b6bcd6c82f80acf1062dcb56e29eb34fd450a

  • SHA256

    b8f3a767a3ec216bd009cd4b75e20b5b3daaafff409ced7b3ae6c6a05854342d

  • SHA512

    068412a7e2afbab702dd6edc73ef91d785fd2499c4a8546e26165b2d5b0663d8dbc385c978cc085d60fbb5860e559545ad60bc8f2f0ab2f146573cb95803c806

Score
10/10
bitratpersistencesuricatatrojanupx

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

bendecidobendiciones.con-ip.com:3005

Attributes
  • communication_password

    202cb962ac59075b964b07152d234b70

  • tor_process

    tor

Signatures

  • BitRAT

    BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

    trojanbitrat
  • suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)

    suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)

    suricata
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5d7d0a5904199e6196c09c6cddf091dc.exe
    "C:\Users\Admin\AppData\Local\Temp\5d7d0a5904199e6196c09c6cddf091dc.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1496
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1504
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      2⤵
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:2508

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1496-130-0x0000000000F00000-0x000000000100C000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/1504-131-0x0000000000000000-mapping.dmp

    Download

  • memory/1504-132-0x0000000002C20000-0x0000000002C56000-memory.dmp

    Filesize

    216KB

    Download

  • memory/1504-133-0x00000000053E0000-0x0000000005A08000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/1504-134-0x0000000005310000-0x0000000005332000-memory.dmp

    Filesize

    136KB

    Download

  • memory/1504-135-0x0000000005A10000-0x0000000005A76000-memory.dmp

    Filesize

    408KB

    Download

  • memory/1504-136-0x0000000005B90000-0x0000000005BF6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/1504-137-0x00000000061E0000-0x00000000061FE000-memory.dmp

    Filesize

    120KB

    Download

  • memory/1504-138-0x0000000007A50000-0x00000000080CA000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/1504-139-0x00000000066E0000-0x00000000066FA000-memory.dmp

    Filesize

    104KB

    Download

  • memory/2508-140-0x0000000000000000-mapping.dmp

    Download

  • memory/2508-141-0x0000000000400000-0x00000000007E4000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/2508-142-0x0000000000400000-0x00000000007E4000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/2508-143-0x0000000000400000-0x00000000007E4000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/2508-145-0x0000000000400000-0x00000000007E4000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/2508-144-0x0000000000400000-0x00000000007E4000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/2508-146-0x0000000074BA0000-0x0000000074BD9000-memory.dmp

    Filesize

    228KB

    Download

  • memory/2508-147-0x0000000074F20000-0x0000000074F59000-memory.dmp

    Filesize

    228KB

    Download

  • memory/2508-148-0x0000000000400000-0x00000000007E4000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/2508-149-0x0000000074BA0000-0x0000000074BD9000-memory.dmp

    Filesize

    228KB

    Download

  • memory/2508-150-0x0000000074F20000-0x0000000074F59000-memory.dmp

    Filesize

    228KB

    Download