Overview

overview

10

Static

static

tmp.exe

windows7-x64

10

tmp.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-10-2022 19:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    tmp.exe

  • Size

    4.7MB

  • MD5

    fea9e6588163a319883a3b4d9b1f48fe

  • SHA1

    56365a251100676323840fa5dfdabaad99f2f772

  • SHA256

    92a433340dd32cb379159432fbc26a6f2ca495ef97c31f7fd333913ced03d773

  • SHA512

    1ff3265167ee61827fd19818da1bcf8f5abd97fa7cf4f601e7dcab7b19cb5fc14b0b21b7966ed174e5f055344fb97b54791be47e15a8a7642f853ea855d65cab

  • SSDEEP

    24576:MztFdtnYQb6VOFv1bdLOqGmXL4pu2OqfNoROKiuHym1fkBonH6X7GUAUTiS0YZRT:

Score
10/10
bitratpersistencetrojan

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

gh9st.mywire.org:5005

Attributes
  • communication_password

    803355ca422bf9b37bc523a750e21842

  • install_dir

    svcsvc

  • install_file

    svcsvc.exe

  • tor_process

    tor

Signatures

  • BitRAT

    BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

    trojanbitrat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious behavior: RenamesItself 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4968
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA==
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4204
    • C:\Users\Admin\AppData\Local\Temp\tmp.exe
      C:\Users\Admin\AppData\Local\Temp\tmp.exe
      2⤵
        PID:3120
      • C:\Users\Admin\AppData\Local\Temp\tmp.exe
        C:\Users\Admin\AppData\Local\Temp\tmp.exe
        2⤵
          PID:3712
        • C:\Users\Admin\AppData\Local\Temp\tmp.exe
          C:\Users\Admin\AppData\Local\Temp\tmp.exe
          2⤵
          • Adds Run key to start application
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious behavior: RenamesItself
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:3020

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/3020-150-0x0000000074410000-0x0000000074449000-memory.dmp

        Filesize

        228KB

        Download

      • memory/3020-151-0x0000000074410000-0x0000000074449000-memory.dmp

        Filesize

        228KB

        Download

      • memory/3020-144-0x0000000000000000-mapping.dmp

        Download

      • memory/3020-156-0x0000000074410000-0x0000000074449000-memory.dmp

        Filesize

        228KB

        Download

      • memory/3020-145-0x0000000000400000-0x00000000007CE000-memory.dmp

        Filesize

        3.8MB

        Download

      • memory/3020-155-0x0000000074410000-0x0000000074449000-memory.dmp

        Filesize

        228KB

        Download

      • memory/3020-154-0x0000000074410000-0x0000000074449000-memory.dmp

        Filesize

        228KB

        Download

      • memory/3020-146-0x0000000000400000-0x00000000007CE000-memory.dmp

        Filesize

        3.8MB

        Download

      • memory/3020-153-0x0000000074410000-0x0000000074449000-memory.dmp

        Filesize

        228KB

        Download

      • memory/3020-152-0x0000000000400000-0x00000000007CE000-memory.dmp

        Filesize

        3.8MB

        Download

      • memory/3020-149-0x0000000074750000-0x0000000074789000-memory.dmp

        Filesize

        228KB

        Download

      • memory/3020-148-0x0000000000400000-0x00000000007CE000-memory.dmp

        Filesize

        3.8MB

        Download

      • memory/3020-147-0x0000000000400000-0x00000000007CE000-memory.dmp

        Filesize

        3.8MB

        Download

      • memory/3120-142-0x0000000000000000-mapping.dmp

        Download

      • memory/3712-143-0x0000000000000000-mapping.dmp

        Download

      • memory/4204-136-0x0000000005410000-0x0000000005A38000-memory.dmp

        Filesize

        6.2MB

        Download

      • memory/4204-139-0x0000000006140000-0x000000000615E000-memory.dmp

        Filesize

        120KB

        Download

      • memory/4204-134-0x0000000000000000-mapping.dmp

        Download

      • memory/4204-141-0x0000000006640000-0x000000000665A000-memory.dmp

        Filesize

        104KB

        Download

      • memory/4204-140-0x00000000077B0000-0x0000000007E2A000-memory.dmp

        Filesize

        6.5MB

        Download

      • memory/4204-138-0x00000000051A0000-0x0000000005206000-memory.dmp

        Filesize

        408KB

        Download

      • memory/4204-137-0x0000000005130000-0x0000000005196000-memory.dmp

        Filesize

        408KB

        Download

      • memory/4204-135-0x0000000002820000-0x0000000002856000-memory.dmp

        Filesize

        216KB

        Download

      • memory/4968-132-0x0000000000E80000-0x0000000001332000-memory.dmp

        Filesize

        4.7MB

        Download

      • memory/4968-133-0x0000000006E70000-0x0000000006E92000-memory.dmp

        Filesize

        136KB

        Download