Overview

overview

10

Static

static

order invoice.exe

windows7-x64

10

order invoice.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-20220718-en
  • resource tags

    arch:x64arch:x86image:win7-20220718-enlocale:en-usos:windows7-x64system
  • submitted
    19-07-2022 09:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    order invoice.exe

  • Size

    2.0MB

  • MD5

    e7bab8f16adf2f5ba2f2247ce37bf8d7

  • SHA1

    c4b0b7894e1110fc6dc4f0d1a591a3acdab22bfb

  • SHA256

    0b38682544ecd94b8ce910e22593dd8a4671f38aa52a53aa314af9fd24a65d19

  • SHA512

    356460ea6737f08201de548853b302f0825f60b9783d26778e6458b12d05011b55b305604594de0066b6640d6aabb713a138455b4fca4c2454be2838145708b4

Score
10/10
bitratsuricatatrojanupx

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

103.133.105.50:1234

Attributes
  • communication_password

    e10adc3949ba59abbe56e057f20f883e

  • tor_process

    tor

Signatures

  • BitRAT

    BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

    trojanbitrat
  • suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)

    suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)

    suricata
  • UPX packed file 9 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\order invoice.exe
    "C:\Users\Admin\AppData\Local\Temp\order invoice.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1072
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\QNalNtYY.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1628
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QNalNtYY" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD8D3.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:1288
    • C:\Users\Admin\AppData\Local\Temp\order invoice.exe
      "C:\Users\Admin\AppData\Local\Temp\order invoice.exe"
      2⤵
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:268

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmpD8D3.tmp
    Filesize

    1KB

    MD5

    0d865658ee632d08b974a561e0d34fa8

    SHA1

    34a2c5170eb898cc10fb159f95da421a4e3e4c09

    SHA256

    cb46724b5f67bd91d040b5538e3bf773d28749c980f97e1b257b16a4bd434fc6

    SHA512

    563d30a0f726347fa93e95e0f19e04843cbf1faec58458e586cacf16402a1119d0210f0b0ce2011a682da6d96cd39cfae2dd80949bebc79711389776e8ec71ae

    Download Submit
  • memory/268-75-0x0000000000400000-0x00000000007E4000-memory.dmp
    Filesize

    3.9MB

    Download
  • memory/268-72-0x0000000000400000-0x00000000007E4000-memory.dmp
    Filesize

    3.9MB

    Download
  • memory/268-67-0x0000000000400000-0x00000000007E4000-memory.dmp
    Filesize

    3.9MB

    Download
  • memory/268-80-0x00000000000F0000-0x00000000000FA000-memory.dmp
    Filesize

    40KB

    Download
  • memory/268-68-0x0000000000400000-0x00000000007E4000-memory.dmp
    Filesize

    3.9MB

    Download
  • memory/268-78-0x00000000000F0000-0x00000000000FA000-memory.dmp
    Filesize

    40KB

    Download
  • memory/268-77-0x00000000000F0000-0x00000000000FA000-memory.dmp
    Filesize

    40KB

    Download
  • memory/268-70-0x0000000000400000-0x00000000007E4000-memory.dmp
    Filesize

    3.9MB

    Download
  • memory/268-64-0x0000000000400000-0x00000000007E4000-memory.dmp
    Filesize

    3.9MB

    Download
  • memory/268-65-0x0000000000400000-0x00000000007E4000-memory.dmp
    Filesize

    3.9MB

    Download
  • memory/268-81-0x00000000000F0000-0x00000000000FA000-memory.dmp
    Filesize

    40KB

    Download
  • memory/268-79-0x0000000000400000-0x00000000007E4000-memory.dmp
    Filesize

    3.9MB

    Download
  • memory/268-69-0x00000000007E2730-mapping.dmp
    Download
  • memory/268-71-0x0000000000400000-0x00000000007E4000-memory.dmp
    Filesize

    3.9MB

    Download
  • memory/1072-55-0x0000000075C51000-0x0000000075C53000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1072-63-0x0000000008C40000-0x0000000008DB8000-memory.dmp
    Filesize

    1.5MB

    Download
  • memory/1072-54-0x0000000000B60000-0x0000000000D64000-memory.dmp
    Filesize

    2.0MB

    Download
  • memory/1072-56-0x00000000003E0000-0x00000000003F4000-memory.dmp
    Filesize

    80KB

    Download
  • memory/1072-58-0x0000000008650000-0x0000000008800000-memory.dmp
    Filesize

    1.7MB

    Download
  • memory/1072-57-0x0000000000420000-0x000000000042A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/1288-60-0x0000000000000000-mapping.dmp
    Download
  • memory/1628-74-0x000000006E700000-0x000000006ECAB000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/1628-76-0x000000006E700000-0x000000006ECAB000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/1628-59-0x0000000000000000-mapping.dmp
    Download