Overview

overview

10

Static

static

PAYMENT AD...LY.exe

windows7-x64

10

PAYMENT AD...LY.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    141s
  • max time network
    144s
  • platform
    windows7_x64
  • resource
    win7-20220718-en
  • resource tags

    arch:x64arch:x86image:win7-20220718-enlocale:en-usos:windows7-x64system
  • submitted
    27-07-2022 18:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    PAYMENT ADVISE PO#N-R2630005JULY.exe

  • Size

    463KB

  • MD5

    68ca13260b23abea2b5a97cc12a2819a

  • SHA1

    396996761ea6febc579113d0abc3436aa7f74bb3

  • SHA256

    cb24ed92a870498ac3f974711a6894ff0f89d4efa1eb3c0c7d90a8554754f99f

  • SHA512

    a5db697dd597ebe64cc5a8a1e877a690e90e280ca7c119f04057e91d147450076c9e658a4c6d02bfe36199c20d635ceafb30d1191b587ea10386db2222c6c6e5

Score
10/10
bitratpersistencetrojan

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

103.153.79.240:1234

Attributes
  • communication_password

    e10adc3949ba59abbe56e057f20f883e

  • tor_process

    tor

Signatures

  • BitRAT

    BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

    trojanbitrat
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\PAYMENT ADVISE PO#N-R2630005JULY.exe
    "C:\Users\Admin\AppData\Local\Temp\PAYMENT ADVISE PO#N-R2630005JULY.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:996
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1180
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1780
      • C:\Users\Admin\AppData\Local\Temp\DrNZO6y8k5N0YbXW.exe
        "C:\Users\Admin\AppData\Local\Temp\DrNZO6y8k5N0YbXW.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:592

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\DrNZO6y8k5N0YbXW.exe
    Filesize

    3.8MB

    MD5

    086686330159cbeae2d5c94b25967fa9

    SHA1

    19f3571b45823fcf1b1c05cdd25f1c98c45c712a

    SHA256

    f93e5dfa75e3edfabc8bd414b9beaa735ccd8a91b12f9c57bb923aa5c3232e9d

    SHA512

    9ff98a9211162972fcbb277ce1d5cffea39303a25e7209b8a8a3d7ed0e135630b3dee122323c725022a078c462634b34c82ace4baf3680cedc1865f9c27dbba5

    Download Submit
  • \Users\Admin\AppData\Local\Temp\DrNZO6y8k5N0YbXW.exe
    Filesize

    3.8MB

    MD5

    086686330159cbeae2d5c94b25967fa9

    SHA1

    19f3571b45823fcf1b1c05cdd25f1c98c45c712a

    SHA256

    f93e5dfa75e3edfabc8bd414b9beaa735ccd8a91b12f9c57bb923aa5c3232e9d

    SHA512

    9ff98a9211162972fcbb277ce1d5cffea39303a25e7209b8a8a3d7ed0e135630b3dee122323c725022a078c462634b34c82ace4baf3680cedc1865f9c27dbba5

    Download Submit
  • \Users\Admin\AppData\Local\Temp\DrNZO6y8k5N0YbXW.exe
    Filesize

    3.8MB

    MD5

    086686330159cbeae2d5c94b25967fa9

    SHA1

    19f3571b45823fcf1b1c05cdd25f1c98c45c712a

    SHA256

    f93e5dfa75e3edfabc8bd414b9beaa735ccd8a91b12f9c57bb923aa5c3232e9d

    SHA512

    9ff98a9211162972fcbb277ce1d5cffea39303a25e7209b8a8a3d7ed0e135630b3dee122323c725022a078c462634b34c82ace4baf3680cedc1865f9c27dbba5

    Download Submit
  • \Users\Admin\AppData\Local\Temp\DrNZO6y8k5N0YbXW.exe
    Filesize

    3.8MB

    MD5

    086686330159cbeae2d5c94b25967fa9

    SHA1

    19f3571b45823fcf1b1c05cdd25f1c98c45c712a

    SHA256

    f93e5dfa75e3edfabc8bd414b9beaa735ccd8a91b12f9c57bb923aa5c3232e9d

    SHA512

    9ff98a9211162972fcbb277ce1d5cffea39303a25e7209b8a8a3d7ed0e135630b3dee122323c725022a078c462634b34c82ace4baf3680cedc1865f9c27dbba5

    Download Submit
  • \Users\Admin\AppData\Local\Temp\DrNZO6y8k5N0YbXW.exe
    Filesize

    3.8MB

    MD5

    086686330159cbeae2d5c94b25967fa9

    SHA1

    19f3571b45823fcf1b1c05cdd25f1c98c45c712a

    SHA256

    f93e5dfa75e3edfabc8bd414b9beaa735ccd8a91b12f9c57bb923aa5c3232e9d

    SHA512

    9ff98a9211162972fcbb277ce1d5cffea39303a25e7209b8a8a3d7ed0e135630b3dee122323c725022a078c462634b34c82ace4baf3680cedc1865f9c27dbba5

    Download Submit
  • memory/592-83-0x0000000000000000-mapping.dmp
    Download
  • memory/996-57-0x0000000074F01000-0x0000000074F03000-memory.dmp
    Filesize

    8KB

    Download
  • memory/996-56-0x00000000047D0000-0x0000000004862000-memory.dmp
    Filesize

    584KB

    Download
  • memory/996-54-0x0000000000BE0000-0x0000000000C5A000-memory.dmp
    Filesize

    488KB

    Download
  • memory/996-55-0x0000000002060000-0x00000000020D4000-memory.dmp
    Filesize

    464KB

    Download
  • memory/1180-62-0x000000006E370000-0x000000006E91B000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/1180-61-0x000000006E370000-0x000000006E91B000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/1180-60-0x000000006E370000-0x000000006E91B000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/1180-58-0x0000000000000000-mapping.dmp
    Download
  • memory/1780-69-0x0000000000400000-0x000000000043F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/1780-73-0x0000000000400000-0x000000000043F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/1780-74-0x000000000040AE9E-mapping.dmp
    Download
  • memory/1780-77-0x0000000000400000-0x000000000043F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/1780-78-0x0000000000400000-0x000000000043F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/1780-71-0x0000000000400000-0x000000000043F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/1780-70-0x0000000000400000-0x000000000043F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/1780-68-0x0000000000400000-0x000000000043F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/1780-66-0x0000000000400000-0x000000000043F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/1780-64-0x0000000000400000-0x000000000043F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/1780-84-0x0000000000400000-0x000000000043F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/1780-63-0x0000000000400000-0x000000000043F000-memory.dmp
    Filesize

    252KB

    Download