Analysis
max time kernel: 148s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64 arch:x86 image:win10v2004-20220812-en locale:en-us os:windows10-2004-x64 system
submitted: 25-08-2022 10:33
Behavioral task: behavioral1
Sample: tmp.exe
Resource: win7-20220812-en (windows7-x64)
5 signatures
150 seconds
General
Target: tmp.exe
Size: 1.4MB
MD5: 21f894391eaac76010275132312ac5c8
SHA1: c2f20f6d6a8881ddd0ac04f9d87a11d2e9a817f3
SHA256: bec7f761c529f547e16cc2867fd6bf96bd0e6a6740d70da8c57789fdbb71f9b3
SHA512: 7cdd5fdfb40027a6c6fd5a6dbb0621a29dd183d318be6d203bca51b699c3e26219a4910cfc1ceaaa2183103577eb86e1fb84426e6b8a6f07127abb72bf36244e
SSDEEP: 24576:bndRKZCy2BrhCeU2i2cJijFbCBTPmiY05tJMSQp5ysA7Yg1nLkz7In5x4ZY:TXDFBU2iIBb0xY/6sUYY7n5b
Malware Config
Extracted
Family: bitrat
Version: 1.38
C2: trotox.duckdns.org:55441
Attributes
communication_password: 4b49ee1f55b1900518dfb23fd2d7c702
tor_process: tor
Signatures
-
Processes:
resource: behavioral2/memory/1248-132-0x0000000000400000-0x00000000007E4000-memory.dmp  yara_rule: upx
resource: behavioral2/memory/1248-136-0x0000000000400000-0x00000000007E4000-memory.dmp  yara_rule: upx
-
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
Processes:
pid: 1248  process: tmp.exe
pid: 1248  process: tmp.exe
pid: 1248  process: tmp.exe
pid: 1248  process: tmp.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
description: Token: SeShutdownPrivilege  pid: 1248  process: tmp.exe
-
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
pid: 1248  process: tmp.exe
pid: 1248  process: tmp.exe
Processes
Network
MITRE ATT&CK Matrix
Downloads
memory/1248-132-0x0000000000400000-0x00000000007E4000-memory.dmp  Filesize: 3.9MB
memory/1248-133-0x0000000074E10000-0x0000000074E49000-memory.dmp  Filesize: 228KB
memory/1248-134-0x0000000075190000-0x00000000751C9000-memory.dmp  Filesize: 228KB
memory/1248-135-0x0000000075190000-0x00000000751C9000-memory.dmp  Filesize: 228KB
memory/1248-136-0x0000000000400000-0x00000000007E4000-memory.dmp  Filesize: 3.9MB
memory/1248-137-0x0000000075190000-0x00000000751C9000-memory.dmp  Filesize: 228KB
memory/1248-138-0x0000000075190000-0x00000000751C9000-memory.dmp  Filesize: 228KB
memory/1248-139-0x0000000075190000-0x00000000751C9000-memory.dmp  Filesize: 228KB
memory/1248-140-0x0000000075190000-0x00000000751C9000-memory.dmp  Filesize: 228KB
memory/1248-141-0x0000000074E10000-0x0000000074E49000-memory.dmp  Filesize: 228KB
memory/1248-142-0x0000000075190000-0x00000000751C9000-memory.dmp  Filesize: 228KB
memory/1248-143-0x0000000075190000-0x00000000751C9000-memory.dmp  Filesize: 228KB
memory/1248-144-0x0000000075190000-0x00000000751C9000-memory.dmp  Filesize: 228KB
memory/1248-145-0x0000000075190000-0x00000000751C9000-memory.dmp  Filesize: 228KB
memory/1248-146-0x0000000075190000-0x00000000751C9000-memory.dmp  Filesize: 228KB
memory/1248-147-0x0000000075190000-0x00000000751C9000-memory.dmp  Filesize: 228KB
memory/1248-148-0x0000000075190000-0x00000000751C9000-memory.dmp  Filesize: 228KB
memory/1248-149-0x0000000075190000-0x00000000751C9000-memory.dmp  Filesize: 228KB
memory/1248-150-0x0000000075190000-0x00000000751C9000-memory.dmp  Filesize: 228KB