Analysis
-
max time kernel
150s -
max time network
154s -
platform
windows7_x64 -
resource
win7-20220718-en -
resource tags
arch:x64, arch:x86, image:win7-20220718-en, locale:en-us, os:windows7-x64, system -
submitted
19-07-2022 09:36
Static task
static1
Behavioral task
behavioral1
Sample
order invoice.exe
Resource
win7-20220718-en
General
-
Target
order invoice.exe
-
Size
2.0MB
-
MD5
e7bab8f16adf2f5ba2f2247ce37bf8d7
-
SHA1
c4b0b7894e1110fc6dc4f0d1a591a3acdab22bfb
-
SHA256
0b38682544ecd94b8ce910e22593dd8a4671f38aa52a53aa314af9fd24a65d19
-
SHA512
356460ea6737f08201de548853b302f0825f60b9783d26778e6458b12d05011b55b305604594de0066b6640d6aabb713a138455b4fca4c2454be2838145708b4
Malware Config
Extracted
Family: bitrat
Version: 1.38
C2: 103.133.105.50:1234 -
communication_password: e10adc3949ba59abbe56e057f20f883e (the field is an MD5 digest; this value is MD5("123456"), so the operator left the C2 password at a trivial default) -
tor_process: tor
Signatures
-
suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC) (listed twice in the report, i.e. two hits)
-
Processes:
resource                                                                       yara_rule
behavioral1/memory/268-65-0x0000000000400000-0x00000000007E4000-memory.dmp     upx
behavioral1/memory/268-67-0x0000000000400000-0x00000000007E4000-memory.dmp     upx
behavioral1/memory/268-68-0x0000000000400000-0x00000000007E4000-memory.dmp     upx
behavioral1/memory/268-70-0x0000000000400000-0x00000000007E4000-memory.dmp     upx
behavioral1/memory/268-71-0x0000000000400000-0x00000000007E4000-memory.dmp     upx
behavioral1/memory/268-72-0x0000000000400000-0x00000000007E4000-memory.dmp     upx
behavioral1/memory/268-75-0x0000000000400000-0x00000000007E4000-memory.dmp     upx
behavioral1/memory/268-79-0x0000000000400000-0x00000000007E4000-memory.dmp     upx
behavioral1/memory/268-81-0x00000000000F0000-0x00000000000FA000-memory.dmp     upx
Every upx hit is in PID 268, the second instance of the sample, on the 0x400000-0x7E4000 region; no hit is listed for the first instance (PID 1072). The UPX-packed code is therefore the payload written into the child, not the sample as it sits on disk.
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
Processes:
pid   process
268   order invoice.exe   (5 events)
Suspicious use of SetThreadContext 1 IoCs
Processes:
description                          pid    process             target process
PID 1072 set thread context of 268   1072   order invoice.exe   order invoice.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox labels this heuristic as likely ransomware behaviour, but it is generic: the extracted config identifies the sample as BitRAT, a remote access trojan, so drive enumeration here is more consistent with host reconnaissance than with encryption.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution. Here the task Updates\QNalNtYY is created from an XML definition in %TEMP% (tmpD8D3.tmp, listed under Downloads), so the trigger and the action live in that file rather than on the command line.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
pid    process
1628   powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
description                  pid    process
Token: SeDebugPrivilege      1628   powershell.exe
Token: SeDebugPrivilege      268    order invoice.exe
Token: SeShutdownPrivilege   268    order invoice.exe
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
pid   process
268   order invoice.exe   (2 events)
Suspicious use of WriteProcessMemory 16 IoCs
Processes:
description                        pid    process             target process
PID 1072 wrote to memory of 1628   1072   order invoice.exe   powershell.exe      (4 events)
PID 1072 wrote to memory of 1288   1072   order invoice.exe   schtasks.exe        (4 events)
PID 1072 wrote to memory of 268    1072   order invoice.exe   order invoice.exe   (8 events)
Processes
-
1 C:\Users\Admin\AppData\Local\Temp\order invoice.exe (PID 1072)
  command line: "C:\Users\Admin\AppData\Local\Temp\order invoice.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  2 C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1628)
    command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\QNalNtYY.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  2 C:\Windows\SysWOW64\schtasks.exe (PID 1288)
    command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QNalNtYY" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD8D3.tmp"
    - Creates scheduled task(s)
  2 C:\Users\Admin\AppData\Local\Temp\order invoice.exe (PID 268)
    command line: "C:\Users\Admin\AppData\Local\Temp\order invoice.exe"
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
(PIDs taken from the signature tables above.)
Reading the tree: the first instance (1072) behaves as a loader. It runs PowerShell to add a Defender exclusion for C:\Users\Admin\AppData\Roaming\QNalNtYY.exe, registers a scheduled task with the same name (Updates\QNalNtYY) from an XML file in %TEMP%, then starts a second copy of itself (268) and rewrites it with WriteProcessMemory followed by SetThreadContext, the sequence process hollowing leaves behind. The hollowed child is where the upx YARA hits and the anti-debug, hook and privilege signatures fire. The PowerShell and schtasks images resolve under SysWOW64 although both command lines name System32: the 32-bit loader is subject to WOW64 file-system redirection. No write to QNalNtYY.exe appears in this report, so whether the persistence copy was actually dropped during the run is not shown.
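The process tree and the SetThreadContext / WriteProcessMemory tables above are enough to write the three detections a responder would want from this report: a Defender exclusion added from PowerShell, a scheduled task created from an XML file in a user-writable directory, and a parent that writes into and then sets the thread context of a child running its own image. The following is an added example, not code from the report or from Tria.ge; the event records, field names and helper names are constructed here from the report's rows and are not a Tria.ge data format.

```python
# Added example (not part of the Tria.ge report): turn the process tree and the
# SetThreadContext / WriteProcessMemory signature rows into detection logic.
# Event records and field names are constructed from this report; they are
# not a Tria.ge data format.
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # resolved image path (SysWOW64 for the 32-bit children here)
    cmdline: str    # command line as launched


@dataclass(frozen=True)
class ApiEvent:
    api: str        # "WriteProcessMemory" or "SetThreadContext"
    pid: int        # calling process
    target_pid: int


# Constructed from the report's process tree (PIDs from the signature tables).
PROCS = [
    ProcEvent(1072, 0,
              r"C:\Users\Admin\AppData\Local\Temp\order invoice.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\order invoice.exe"'),
    ProcEvent(1628, 1072,
              r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
              r'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\QNalNtYY.exe"'),
    ProcEvent(1288, 1072,
              r"C:\Windows\SysWOW64\schtasks.exe",
              r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QNalNtYY" '
              r'/XML "C:\Users\Admin\AppData\Local\Temp\tmpD8D3.tmp"'),
    ProcEvent(268, 1072,
              r"C:\Users\Admin\AppData\Local\Temp\order invoice.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\order invoice.exe"'),
]
# Constructed from the WriteProcessMemory / SetThreadContext rows (one per target).
APIS = [
    ApiEvent("WriteProcessMemory", 1072, 1628),
    ApiEvent("WriteProcessMemory", 1072, 1288),
    ApiEvent("WriteProcessMemory", 1072, 268),
    ApiEvent("SetThreadContext", 1072, 268),
]

USER_WRITABLE = re.compile(r"\\(AppData|Temp)\\", re.I)


def _arg(cmdline, flag):
    """Value following `flag`; assumes the value is double-quoted, as in this report."""
    m = re.search(re.escape(flag) + r'\s+"?([^"]+)"?', cmdline, re.I)
    return m.group(1).strip() if m else None


def defender_exclusions(procs):
    """Add-MpPreference -Exclusion{Path,Process,Extension} run from PowerShell."""
    findings = []
    for p in procs:
        if not p.image.lower().endswith("powershell.exe"):
            continue
        m = re.search(r"Add-MpPreference\s+(-Exclusion(?:Path|Process|Extension))", p.cmdline, re.I)
        if m:
            findings.append(("defender_exclusion", p.pid, _arg(p.cmdline, m.group(1))))
    return findings


def schtasks_xml_from_user_dir(procs):
    """schtasks /Create whose /XML task definition lives in a user-writable directory."""
    findings = []
    for p in procs:
        if not p.image.lower().endswith("schtasks.exe") or not re.search(r"/create\b", p.cmdline, re.I):
            continue
        xml = _arg(p.cmdline, "/XML")
        if xml and USER_WRITABLE.search(xml):
            findings.append(("schtasks_xml_from_user_dir", p.pid, _arg(p.cmdline, "/TN"), xml))
    return findings


def self_hollowing(procs, apis):
    """Parent writes into, then sets the thread context of, a child running the same
    image path: the trace process hollowing of a self-spawned copy leaves."""
    by_pid = {p.pid: p for p in procs}
    wrote = {(a.pid, a.target_pid) for a in apis if a.api == "WriteProcessMemory"}
    findings = []
    for a in apis:
        if a.api != "SetThreadContext":
            continue
        parent, child = by_pid.get(a.pid), by_pid.get(a.target_pid)
        if (parent and child and child.ppid == parent.pid
                and (a.pid, a.target_pid) in wrote
                and parent.image.lower() == child.image.lower()):
            findings.append(("self_hollowing", a.pid, a.target_pid, child.image))
    return findings


def wow64_redirected(procs):
    """PIDs whose image resolved under SysWOW64 although the command line named
    System32: the caller was a 32-bit process subject to file-system redirection."""
    return [p.pid for p in procs
            if "\\syswow64\\" in p.image.lower() and "\\system32\\" in p.cmdline.lower()]


def analyse(procs=PROCS, apis=APIS):
    return defender_exclusions(procs) + schtasks_xml_from_user_dir(procs) + self_hollowing(procs, apis)


if __name__ == "__main__":
    for finding in analyse():
        print(finding)
    print("32-bit callers:", wow64_redirected(PROCS))
```

The self-hollowing rule deliberately requires all three conditions (parent-child relation, a prior WriteProcessMemory to the same target, identical image path): SetThreadContext alone also fires on debuggers and some installers, and WriteProcessMemory alone fires on the powershell.exe and schtasks.exe children here, which are ordinary CreateProcess side effects, not injection.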
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmpD8D3.tmp (the scheduled-task XML passed to schtasks /XML above)
Filesize 1KB
MD5 0d865658ee632d08b974a561e0d34fa8
SHA1 34a2c5170eb898cc10fb159f95da421a4e3e4c09
SHA256 cb46724b5f67bd91d040b5538e3bf773d28749c980f97e1b257b16a4bd434fc6
SHA512 563d30a0f726347fa93e95e0f19e04843cbf1faec58458e586cacf16402a1119d0210f0b0ce2011a682da6d96cd39cfae2dd80949bebc79711389776e8ec71ae
-
Memory dumps, grouped by process (Filesize in parentheses):
PID 268 (hollowed second instance)
- memory/268-64-0x0000000000400000-0x00000000007E4000-memory.dmp (3.9MB)
- memory/268-65-0x0000000000400000-0x00000000007E4000-memory.dmp (3.9MB)
- memory/268-67-0x0000000000400000-0x00000000007E4000-memory.dmp (3.9MB)
- memory/268-68-0x0000000000400000-0x00000000007E4000-memory.dmp (3.9MB)
- memory/268-69-0x00000000007E2730-mapping.dmp
- memory/268-70-0x0000000000400000-0x00000000007E4000-memory.dmp (3.9MB)
- memory/268-71-0x0000000000400000-0x00000000007E4000-memory.dmp (3.9MB)
- memory/268-72-0x0000000000400000-0x00000000007E4000-memory.dmp (3.9MB)
- memory/268-75-0x0000000000400000-0x00000000007E4000-memory.dmp (3.9MB)
- memory/268-77-0x00000000000F0000-0x00000000000FA000-memory.dmp (40KB)
- memory/268-78-0x00000000000F0000-0x00000000000FA000-memory.dmp (40KB)
- memory/268-79-0x0000000000400000-0x00000000007E4000-memory.dmp (3.9MB)
- memory/268-80-0x00000000000F0000-0x00000000000FA000-memory.dmp (40KB)
- memory/268-81-0x00000000000F0000-0x00000000000FA000-memory.dmp (40KB)
PID 1072 (first instance)
- memory/1072-54-0x0000000000B60000-0x0000000000D64000-memory.dmp (2.0MB)
- memory/1072-55-0x0000000075C51000-0x0000000075C53000-memory.dmp (8KB)
- memory/1072-56-0x00000000003E0000-0x00000000003F4000-memory.dmp (80KB)
- memory/1072-57-0x0000000000420000-0x000000000042A000-memory.dmp (40KB)
- memory/1072-58-0x0000000008650000-0x0000000008800000-memory.dmp (1.7MB)
- memory/1072-63-0x0000000008C40000-0x0000000008DB8000-memory.dmp (1.5MB)
PID 1288 (schtasks.exe)
- memory/1288-60-0x0000000000000000-mapping.dmp
PID 1628 (powershell.exe)
- memory/1628-59-0x0000000000000000-mapping.dmp
- memory/1628-74-0x000000006E700000-0x000000006ECAB000-memory.dmp (5.7MB)
- memory/1628-76-0x000000006E700000-0x000000006ECAB000-memory.dmp (5.7MB)
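The dump names encode a per-process memory map, and the numbers alone show the hollowing: the first instance's 2.0MB region at 0xB60000 matches the 2.0MB on-disk sample, while the second instance carries a 3.9MB region at 0x400000 (the one every upx YARA hit lands on) and a mapping dump at 0x7E2730 that falls inside it. The following parser is an added example, not code from the report or from Tria.ge; the dump names are copied from the list above, the helper names are mine, and reading 0xB60000 as the parent's image base and 0x400000 as the child's is an assumption (the former because its size matches the file, the latter because it is the usual 32-bit default).

```python
# Added example (not part of the report): parse the dump names from the Downloads
# section back into per-process memory maps so the hollowing can be read off the
# sizes. Dump names are copied from the report; helper names are mine.
import re
from collections import defaultdict

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"(?:-0x(?P<end>[0-9A-Fa-f]+)-memory|-mapping)\.dmp$")

# Copied from the Downloads section, in the order the report lists them.
DUMPS = [
    "memory/268-75-0x0000000000400000-0x00000000007E4000-memory.dmp",
    "memory/268-72-0x0000000000400000-0x00000000007E4000-memory.dmp",
    "memory/268-67-0x0000000000400000-0x00000000007E4000-memory.dmp",
    "memory/268-80-0x00000000000F0000-0x00000000000FA000-memory.dmp",
    "memory/268-68-0x0000000000400000-0x00000000007E4000-memory.dmp",
    "memory/268-78-0x00000000000F0000-0x00000000000FA000-memory.dmp",
    "memory/268-77-0x00000000000F0000-0x00000000000FA000-memory.dmp",
    "memory/268-70-0x0000000000400000-0x00000000007E4000-memory.dmp",
    "memory/268-64-0x0000000000400000-0x00000000007E4000-memory.dmp",
    "memory/268-65-0x0000000000400000-0x00000000007E4000-memory.dmp",
    "memory/268-81-0x00000000000F0000-0x00000000000FA000-memory.dmp",
    "memory/268-79-0x0000000000400000-0x00000000007E4000-memory.dmp",
    "memory/268-69-0x00000000007E2730-mapping.dmp",
    "memory/268-71-0x0000000000400000-0x00000000007E4000-memory.dmp",
    "memory/1072-55-0x0000000075C51000-0x0000000075C53000-memory.dmp",
    "memory/1072-63-0x0000000008C40000-0x0000000008DB8000-memory.dmp",
    "memory/1072-54-0x0000000000B60000-0x0000000000D64000-memory.dmp",
    "memory/1072-56-0x00000000003E0000-0x00000000003F4000-memory.dmp",
    "memory/1072-58-0x0000000008650000-0x0000000008800000-memory.dmp",
    "memory/1072-57-0x0000000000420000-0x000000000042A000-memory.dmp",
    "memory/1288-60-0x0000000000000000-mapping.dmp",
    "memory/1628-74-0x000000006E700000-0x000000006ECAB000-memory.dmp",
    "memory/1628-76-0x000000006E700000-0x000000006ECAB000-memory.dmp",
    "memory/1628-59-0x0000000000000000-mapping.dmp",
]


def parse_dump(name):
    """Split one dump name into pid, sequence number, start and (for region dumps) end."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a dump name: {name}")
    end = m["end"]
    return {"pid": int(m["pid"]), "seq": int(m["seq"]),
            "start": int(m["start"], 16),
            "end": int(end, 16) if end else None}


def regions_by_pid(names):
    """Distinct (start, end) ranges per PID; a range dumped repeatedly counts once."""
    out = defaultdict(set)
    for d in map(parse_dump, names):
        if d["end"] is not None:
            out[d["pid"]].add((d["start"], d["end"]))
    return {pid: sorted(r) for pid, r in out.items()}


def mappings(names):
    """(pid, address) of the *-mapping.dmp entries, in listed order."""
    return [(d["pid"], d["start"]) for d in map(parse_dump, names) if d["end"] is None]


def region_at(names, pid, base):
    """The dumped range of `pid` that starts exactly at `base`, or None."""
    return next((r for r in regions_by_pid(names).get(pid, []) if r[0] == base), None)


def containing(names, pid, addr):
    """The dumped range of `pid` that contains `addr`, or None."""
    return next((r for r in regions_by_pid(names).get(pid, []) if r[0] <= addr < r[1]), None)


def size(region):
    return region[1] - region[0]


if __name__ == "__main__":
    for pid, regs in sorted(regions_by_pid(DUMPS).items()):
        for s, e in regs:
            print(f"{pid:5d} 0x{s:08X}-0x{e:08X} {size((s, e)) / 2**20:5.2f} MiB")
    print("mappings:", [(p, hex(a)) for p, a in mappings(DUMPS)])
```

The comparison that matters is region_at(DUMPS, 268, 0x400000) against region_at(DUMPS, 1072, 0xB60000): 0x3E4000 bytes versus 0x204000 bytes. A child started from the same file that merely ran the same PE would show the same image size; a larger image at a different base, carrying UPX signatures, is a different executable that was written in, which is what the SetThreadContext and WriteProcessMemory rows record.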