Analysis

  • max time kernel: 141s
  • max time network: 149s
  • platform: windows10-2004_x64
  • resource: win10v2004-20220812-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 16-08-2022 10:56

General

  • Target: fc1d1af6949a3478a4624ea89cc63cd5d6f2e95c45f687992073b5fddd54293e.exe
  • Size: 8.8MB
  • MD5: d33c96fb7da2d99335f17ef258aaf38f
  • SHA1: 16f8536b284f5b1805fa1225772f530a5d10e32c
  • SHA256: fc1d1af6949a3478a4624ea89cc63cd5d6f2e95c45f687992073b5fddd54293e
  • SHA512: 464d63809197f3652a0a44bd5ebb3745a6be6fd38bd5d0441694308b402ce75e141c97e992fa604c41a136b30d6dea18774ce9e32debdb14d6fbe14b77632354

Malware Config

Extracted

  • Family: bitrat
  • Version: 1.38
  • C2: 185.157.162.75:443
  • Attributes
    • communication_password: 9a08a0de8505c164e6416807e8627aba
    • tor_process: tor

Signatures

  • Babadeda

    Babadeda is a crypter delivered as a legitimate installer and used to drop other malware families.

  • Babadeda Crypter 1 IoCs
  • BitRAT

    BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fc1d1af6949a3478a4624ea89cc63cd5d6f2e95c45f687992073b5fddd54293e.exe (PID 4372)
    Command line: "C:\Users\Admin\AppData\Local\Temp\fc1d1af6949a3478a4624ea89cc63cd5d6f2e95c45f687992073b5fddd54293e.exe"
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    • C:\Users\Admin\AppData\Roaming\Glorylogic\Image Tuner\ImageTuner.exe (PID 4772, child of 4372)
      Command line: "C:\Users\Admin\AppData\Roaming\Glorylogic\Image Tuner\ImageTuner.exe"
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx

Network

MITRE ATT&CK Enterprise v6


Downloads

  • C:\Users\Admin\AppData\Roaming\Glorylogic\Image Tuner\ImageTuner.exe
    Filesize: 7.9MB
    MD5: fd342536ab9fe7e42f422a77a2b271d4
    SHA1: f083f2281fa60fdc9e80966701e6437386e20cd9
    SHA256: d7681dc0bacb86a5e2feebfc48d1f060a1dc4749ca1c48cf5a9d3125fae236c2
    SHA512: 324a0dd8f94e8d7138418a52548b3017350b1921a6f7f4afdfec94c368cb31e5eae663c96764565ba682a6e3aa8ff92534e9785a88307e6de039463c1753fd45


  • C:\Users\Admin\AppData\Roaming\Glorylogic\Image Tuner\cds.xml
    Filesize: 9.0MB
    MD5: 5f0a41ab686de22e1834eb9a01dd0ecd
    SHA1: d78312c7b35b192d1a57ae8e2308371cc1251d3a
    SHA256: 28b5efd92a22241d1bdc6bd0fe27fd61052fa0331528d1a19970a023f9a2fbda
    SHA512: 374132d4fae3860f3ca66a780f4ff9e7e284173a917b6fd5fb5a3a96be29ab867e419968df56572f060ec5ed94021b1e6072587e3520d694a3143071596d4c69

  • C:\Users\Admin\AppData\Roaming\Glorylogic\Image Tuner\libintl-8.dll
    Filesize: 4.1MB
    MD5: 108065b072b922ffa3e269423fce2a07
    SHA1: 83905c9282cd27cd591a5204b622d59153315e30
    SHA256: 81e9e18f628287e0081e551ba2e7ce1fbcf2d6530710888f78a49584f16fce09
    SHA512: ca2720b452fca6f01f5b1a692c4eab50c66549883a94c638039b4dfd5d7bcdfadf4fdac266e9b14cc7e0a3499096371cece3781cd21350a1c27cf67ffb84e640


  • memory/4772-132-0x0000000000000000-mapping.dmp
  • memory/4772-138-0x0000000000A70000-0x000000000129B000-memory.dmp (Filesize: 8.2MB)
  • memory/4772-139-0x0000000074680000-0x00000000746B9000-memory.dmp (Filesize: 228KB)
  • memory/4772-140-0x0000000074360000-0x0000000074399000-memory.dmp (Filesize: 228KB)
  • memory/4772-141-0x0000000000A70000-0x000000000129B000-memory.dmp (Filesize: 8.2MB)
  • memory/4772-142-0x0000000074360000-0x0000000074399000-memory.dmp (Filesize: 228KB)
  • memory/4772-143-0x0000000074360000-0x0000000074399000-memory.dmp (Filesize: 228KB)