bitrat | hxxps://github[.]com/genekolgav/kpk/raw/main/

General

Target

https://github.com/genekolgav/kpk/raw/main/

Score

10^/10

bitrat trojan upx

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

bit100.accesscam.org:9090

Attributes

communication_password
81dc9bdb52d04dc20036dbd8313ed055
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat
Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

ctb.exe

pid process

4580 ctb.exe

pid	process
4580	ctb.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\Downloads\ctb.exe.98eig7i.partial	upx
C:\Users\Admin\Downloads\ctb.exe	upx
behavioral2/memory/4580-138-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/4580-141-0x0000000000400000-0x00000000007E4000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

Processes:

ctb.exe

pid process

4580 ctb.exe
4580 ctb.exe
4580 ctb.exe
4580 ctb.exe
4580 ctb.exe

pid	process
4580	ctb.exe
4580	ctb.exe
4580	ctb.exe
4580	ctb.exe
4580	ctb.exe

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

T1112

Processes:

iexplore.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\PhishingFilter	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = e8baa059b9aed801	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLs\url5 = "https://login.live.com/"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLs\url6 = "https://twitter.com/"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\IESettingSync	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\TypedURLs	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e2728ad8693e804caf0ad2c227b1421600000000020000000000106600000001000020000000af8849b4e908bb240bb85a7655346d755d2ade7ee24fe897b3c146afbb1066a3000000000e8000000002000020000000862f10281bb455dc9c7ea8a941fcc7bdcc96f0b50b9b22923f7475f91380fdcf200000008227c32109886b6a3e63dd76c74f143ceedadc6c8ffc92492bebdf171c113809400000002d49bff903eb6d6adc3295d4006304abd3aba421411ce942050d382521a8d2482ffc10cb0f750f5fa26509d4151f07b02ddc3a019625f955549c279a56969086	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\TypedURLsTime	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30984294"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e2728ad8693e804caf0ad2c227b14216000000000200000000001066000000010000200000003f472cf7bef8bab1943471722a34ba9ec4183452cb9d1f68c988cdefb5d71609000000000e80000000020000200000000ecdb7330f0a2d9e50164e19ff87c18614d82a2fafad5bfd35026a103b010f752000000042228ba7c1f86f59108be2f7119b8a04959eb9f68cfb2a9e38756c3ddb085c2040000000915eecb02d3372b7ce440f97620004def943db02f28524070d506d01c6b9be6f98e5cd8e05b169107ab884009759c0ba69b01b3652f3886c0b2129e6ce0ec18e	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e2728ad8693e804caf0ad2c227b14216000000000200000000001066000000010000200000004ab02eb1afe1760c67ec1a4814938546aa799cd53260bcebf58988a8a48ee353000000000e8000000002000020000000139ac809030f2afb84418a20e25a95c2d01258d43e9136ced09ee35dcb04cb5600010000333c3afc54337f264b2db18c36c82403dd0ac2f494b911062c592e1db32d444692c7cb1025460c5a68baef28d01724f1e953067cf2d8829f5085ae51ce8270a1c907a3d1b42d3d92492e485e9bc35eaa3fa6ed756bb07ba65aed4d1938ee7f2f635c5c3761c866e00f9860c4761838254827d648252696c7a0c87b77628bc8c63fb485bae83ecf27efba27b642fd8c180498d351d6856c759ba5351050ba5754669a5b571b7233b8b13d857aae235d1a224189ea6e7e5165127f395c266008c4e770ab4275bfa6f9ad63fb7106346c8496c13ce47a556c547e5b934aa114e764202585dc9faa9cda2abcec2b8d9bb92dcdfadc1d77c2967e586b580597bac46c4000000033239542f66e91386d565c8e2b6cb08a8988c7713b37bbaaa67d2d12244119fbc682cf9a156810802f77d496622efb7f994cb011a31b8760b4eedffde689076c	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLsTime\url6 = 0000000000000000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLsTime\url5 = 0000000000000000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLs\url1 = "https://github.com/genekolgav/kpk/"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLs\url4 = "https://login.aliexpress.com/"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{44AE3F6B-3459-11ED-B696-5E3721E937B7} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLs\url2 = "https://www.facebook.com/"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLsTime\url2 = cd87771166c8d801	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30984294"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e2728ad8693e804caf0ad2c227b1421600000000020000000000106600000001000020000000f440f610d14c7af6feabd127a61b6e4298c0c5092b48ad379da0edf47e29a73a000000000e80000000020000200000006a05146cd5186bf943b6100bff44e804973f6c205bd3c09dd8153d2fa1c68f1f200000000c570af0e730671139a93e7accd9d2f93df29d01b7fb9c15bedc0990dabd8d94400000007f3842241a2078e5c9b501cb82e3e730fc4395711fef0f0440febbfd6e34ae84c48f7effa50adef4219f2b1e2e8e4b056aad3761a771310bf3829ae7fcf7b08d	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLs\url3 = "https://www.facebook.com/"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLs\url3 = "https://login.aliexpress.com/"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 0070442966c8d801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b02b382466c8d801	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLs\url6 = "https://login.live.com/"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "6"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLs\url5 = "https://signin.ebay.com/ws/ebayisapi.dll"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30984294"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e2728ad8693e804caf0ad2c227b1421600000000020000000000106600000001000020000000915766bb7245494f75e94a7b19a2651b63adcb3933a5c04dd4d016ca9fa5b702000000000e8000000002000020000000562fe9e798c9f4902185651f763a68f5cd42ec33ad2340bfc5c79e8288ccf99b20000000d50c14fbea073e259030a825ae38062baff38981ba6f6558c7e5c79a873647ca40000000812a3e1e058ea670e60616eb58de7e3379bf20ec82e176a5b7eb9cb257fe09bf63f84bfdc6cbc1c3fe2caf78ceb68f6a8278aefb6d079c3ce6e3cc040fa7fb0c	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e2728ad8693e804caf0ad2c227b1421600000000020000000000106600000001000020000000a4622fdb5dd94d03a997cdd638e3de1944e9024872583741eebf7836d1464abe000000000e8000000002000020000000c0bcd0b1e2f3ef1f36c0242173c8eaa2c5941001f5377bd76113c652ba1cebec000100009ba70a621c0c907c06ffb11971e5ab6defac83e452ac3745fc18b41a9c2ad8e650a2c1fbb113ae0a33bce179551e852a86b219752fbbc63b06b3dcb1f386824b5ba486815ef62759c3af545e2307ab691708e4ef62e244e704e9f9170ecd289cafbae51d45b9baf4824b0b774704b088afe133d35ce88f7da289e852bf2b8831fa9b2c200334f55faa8dd5705b49f6299e6c785e4bcc5579e652d77571c6ed816c71c0c6c78d0a865311da9c92d0e1e113f0adcd1e57eb743adbce1f34ad0b8f365fd13f1c75a1f65a6a3eb85588c4975dc28f65f51e17f8c6799e9a45088b9033ae1854597c8ae1d05dc079dc5ec7a60855a6e78944fb86aa7e776936ffbc6e40000000dcb6522583f253fa16f2213cdee8613a68aa8e10228f7dde3178597dbe6f148c4430e4d01f439ce37ac968e537594c842a29ac63a6a73eced0265cead3c26869	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "424544537"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 1099f11a66c8d801	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLs\url2 = "https://github.com/genekolgav/kpk/raw/"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e0e29f1166c8d801	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLsTime\url1 = 45c5551466c8d801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLsTime\url1 = cd87771166c8d801	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "441262789"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\RepId\PublicId = "{648BC418-BACF-466E-8848-11E5EF2AA8B2}"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 508e9f1466c8d801	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLs\url4 = "https://signin.ebay.com/ws/ebayisapi.dll"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLsTime\url7 = 0000000000000000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e2728ad8693e804caf0ad2c227b14216000000000200000000001066000000010000200000005bbe6b4d9911ae5f9d8e8f3a10bdf3278caa1f068f8269c46991f8cd51ede65d000000000e800000000200002000000090fb2bcbaa6a083657f0da7d5365751b229a524f8eaeabec6ee4ee86386a03ec200000002e4e682c0575ddc5c93599bb6e5aaef00a8507243c9e887afa20fed0c52410194000000092c826db9138ef0a6df76bb2f58baf7122161da2a730dc0863a704a267e01b937fc0e42bdfa0b776f11088edb348832d2c8b22d529330454360974a3a795fdad	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "424544537"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLs\url1 = "https://github.com/genekolgav/kpk/raw/"	iexplore.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

iexplore.exe

pid process

1224 iexplore.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

ctb.exe

description pid process

Token: SeShutdownPrivilege 4580 ctb.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

iexplore.exe

pid process

1224 iexplore.exe
1224 iexplore.exe

description	pid	process
Token: SeShutdownPrivilege	4580	ctb.exe

Suspicious use of SetWindowsHookEx 18 IoCs

Processes:

iexplore.exeIEXPLORE.EXEctb.exe

pid	process
1224	iexplore.exe
1224	iexplore.exe
2944	IEXPLORE.EXE
2944	IEXPLORE.EXE
2944	IEXPLORE.EXE
2944	IEXPLORE.EXE
1224	iexplore.exe
1224	iexplore.exe
2944	IEXPLORE.EXE
2944	IEXPLORE.EXE
2944	IEXPLORE.EXE
2944	IEXPLORE.EXE
4580	ctb.exe
4580	ctb.exe
2944	IEXPLORE.EXE
2944	IEXPLORE.EXE
2944	IEXPLORE.EXE
2944	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 1224 wrote to memory of 2944	1224	iexplore.exe	IEXPLORE.EXE
PID 1224 wrote to memory of 2944	1224	iexplore.exe	IEXPLORE.EXE
PID 1224 wrote to memory of 2944	1224	iexplore.exe	IEXPLORE.EXE
PID 1224 wrote to memory of 4580	1224	iexplore.exe	ctb.exe
PID 1224 wrote to memory of 4580	1224	iexplore.exe	ctb.exe
PID 1224 wrote to memory of 4580	1224	iexplore.exe	ctb.exe

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://github.com/genekolgav/kpk/raw/main/
1⤵
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1224

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1224 CREDAT:17410 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2944

C:\Users\Admin\Downloads\ctb.exe
"C:\Users\Admin\Downloads\ctb.exe"
2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4580

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Web Service

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
75cdbc2adde8135b80f988bf64ad1ea2

SHA1
f172f412bfb135e19e90f02ea8e66cad617f73ba

SHA256
5cdbdadebf1c4b2fa8feb613d9a61ba0684f4380b6d0f9003f95d2c8b18417a7

SHA512
b06977d5f270fb52b72f37ad3c7ecd9c9d02316e1f8fefaef3c24dde41625a72807d5c1d090676dc29f5794c6cbe577b036eaf595507943a8be9ac794cb3de93

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
5b709928c18a637b4775c63ceedfefdd

SHA1
b88093fd8c760018e1b7e1155d1f1f6088222ca0

SHA256
7efd2590dc4e9a1ec964e25f80e692813d44388e01e3788ea65adb972746e78a

SHA512
3c86e726880654bb345c22f495485e348b309b121d0611a4319a620ba6544805af82d7649c609218276bdebfeeb730c09162f40c2974dbddf23941cfc8602e1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\dqptnfu\imagestore.dat

Filesize
1KB

MD5
16d27f009dc95694fab91e9d67447aaa

SHA1
58e529b1391f6757e35dfe41986a06fd479909e1

SHA256
4f8b518b45e5c5f84171d22f1daa722d05be977a7b7579ebb7d1ee92bc3de912

SHA512
2b0fc8ad085f6d29e05ede5dc2fb8ac0e9142676c47a2e6222bd7930d2a92da4b645c00bc211ce1bc5ecb8d86ec915de1010c20f6b082eb967e0b440691459d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\dqptnfu\imagestore.dat

Filesize
6KB

MD5
5501f127540c35f1744692658430d5ab

SHA1
6d91bb076e3e6d16d046f958dac333ff1c7a68bb

SHA256
a9314127b6c61e4a5f0295108ed7de1e2a3b2f3232109714ebab5db0f3574d4b

SHA512
1273ecdd17805794951e111478640a04db43b2d7bce64d53251f60f502dd5fceb9f0e55b1631e41f67d976c91455d63ebee99471c8f1c0c4f34bee57d1c58b3c

Download Submit
C:\Users\Admin\Downloads\ctb.exe

Filesize
1.4MB

MD5
4614702a90f570a0764605d800613545

SHA1
920c7eab63af0dde1410686a69100eeb0733aa03

SHA256
ca0e5c90261ae7ac2e46cd085ae31f1a1bfd7d7f030a6d33ba6a2cb280176ad1

SHA512
6e6077db88395f51fd2a434a742fa4da34fbcb0677f844510eab8008ff615008fe6a747c0e4a5f1754818eae11af47afa6cfeb1d334685eca485d4fb5dedbfc4

Download Submit
C:\Users\Admin\Downloads\ctb.exe.98eig7i.partial

Filesize
1.4MB

MD5
4614702a90f570a0764605d800613545

SHA1
920c7eab63af0dde1410686a69100eeb0733aa03

SHA256
ca0e5c90261ae7ac2e46cd085ae31f1a1bfd7d7f030a6d33ba6a2cb280176ad1

SHA512
6e6077db88395f51fd2a434a742fa4da34fbcb0677f844510eab8008ff615008fe6a747c0e4a5f1754818eae11af47afa6cfeb1d334685eca485d4fb5dedbfc4

Download Submit
memory/4580-136-0x0000000000000000-mapping.dmp

Download
memory/4580-138-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/4580-139-0x000000006EF60000-0x000000006EF99000-memory.dmp

Filesize
228KB

Download
memory/4580-140-0x000000006EE90000-0x000000006EEC9000-memory.dmp

Filesize
228KB

Download
memory/4580-141-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads