Analysis
-
max time kernel
159s -
max time network
169s -
platform
windows7_x64 -
resource
win7-20220718-en -
resource tags
-
submitted
02-08-2022 21:31
General
-
Target
055b9f696de8a0185e83784fce35314a.exe
-
Size
30KB
-
MD5
055b9f696de8a0185e83784fce35314a
-
SHA1
4dcbf29768551f86d762b02b610bbb37eadb4c34
-
SHA256
f9fb479de7eab6803ff7fdb25fdc447bcaabd26ba4a36c3ea3b4b7b43ed5f313
-
SHA512
60038a839302e19aa7d5c55d310e56eec7575e27b2c7c8e000985984c681467366dc24a053fefaff47ee2c0719bac4d199409b8d14f5ef0a1bfeea78a7b53280
Score
10/10
Malware Config
Extracted
Family
bitrat
Version
1.38
C2
carreor.ddns.net:46525
Attributes
-
communication_password
d97250ddf14876971dd138aba1919877
-
tor_process
tor
Signatures
-
BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
-
Drops startup file 2 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 45 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\055b9f696de8a0185e83784fce35314a.exe"C:\Users\Admin\AppData\Local\Temp\055b9f696de8a0185e83784fce35314a.exe"1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\055b9f696de8a0185e83784fce35314a.exe"C:\Users\Admin\AppData\Local\Temp\055b9f696de8a0185e83784fce35314a.exe"2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1080-54-0x00000000001F0000-0x00000000001FE000-memory.dmpFilesize
56KB
-
memory/1080-55-0x0000000075481000-0x0000000075483000-memory.dmpFilesize
8KB
-
memory/1080-56-0x00000000060B0000-0x00000000062C2000-memory.dmpFilesize
2.1MB
-
memory/1080-57-0x0000000000380000-0x0000000000388000-memory.dmpFilesize
32KB
-
memory/1080-58-0x00000000008E0000-0x00000000008E8000-memory.dmpFilesize
32KB
-
memory/1204-59-0x0000000000400000-0x00000000007CE000-memory.dmpFilesize
3.8MB
-
memory/1204-60-0x0000000000400000-0x00000000007CE000-memory.dmpFilesize
3.8MB
-
memory/1204-62-0x0000000000400000-0x00000000007CE000-memory.dmpFilesize
3.8MB
-
memory/1204-64-0x0000000000400000-0x00000000007CE000-memory.dmpFilesize
3.8MB
-
memory/1204-66-0x0000000000400000-0x00000000007CE000-memory.dmpFilesize
3.8MB
-
memory/1204-68-0x0000000000400000-0x00000000007CE000-memory.dmpFilesize
3.8MB
-
memory/1204-69-0x0000000000400000-0x00000000007CE000-memory.dmpFilesize
3.8MB
-
memory/1204-71-0x0000000000400000-0x00000000007CE000-memory.dmpFilesize
3.8MB
-
memory/1204-72-0x000000000068A488-mapping.dmp
-
memory/1204-74-0x0000000000400000-0x00000000007CE000-memory.dmpFilesize
3.8MB
-
memory/1204-75-0x0000000000400000-0x00000000007CE000-memory.dmpFilesize
3.8MB
-
memory/1204-77-0x0000000000400000-0x00000000007CE000-memory.dmpFilesize
3.8MB
-
memory/1204-78-0x0000000000100000-0x000000000010A000-memory.dmpFilesize
40KB
-
memory/1204-79-0x0000000000100000-0x000000000010A000-memory.dmpFilesize
40KB
-
memory/1204-80-0x0000000000100000-0x000000000010A000-memory.dmpFilesize
40KB
-
memory/1204-81-0x0000000000100000-0x000000000010A000-memory.dmpFilesize
40KB