bitrat | 5ca468704e7ccb8e1b37c0f7595c54df4e2f4035345b6e442e8bd4e11c58f791

Analysis

max time kernel
149s
max time network
149s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
25-10-2022 11:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

193KB
MD5

34793c6520dcf3c6130dc031fa640c71
SHA1

200417a239bb0ac8dedbcd6e74b91ce5401577b4
SHA256

5ca468704e7ccb8e1b37c0f7595c54df4e2f4035345b6e442e8bd4e11c58f791
SHA512

cc226eee8d1b0dc4841f8a6b5ad07aefb0cca4d30373370930dd44de9869b3551c0e97c2324db7d1427ce2460027b8df3f01b803e4845a644d6b8ca96df3c67e
SSDEEP

1536:JPE+R6swvj1q3w45lEdhKzozSFeuiS2FIlKWz0PEziNQKjoe:5EEwvj1aw4IhKzozSFeuiS2FIInwKoe

Score

10^/10

bitrat persistence trojan

Malware Config

Extracted

Family

bitrat

Version

1.38

gh9st.mywire.org:5005

Attributes

communication_password
803355ca422bf9b37bc523a750e21842
install_dir
svcsvc
install_file
svcsvc.exe
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat
Downloads MZ/PE file

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

tmp.exetmp.exetmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Kjcrksvp = "\"C:\\Users\\Admin\\AppData\\Roaming\\Vlevqbxxsx\\Kjcrksvp.exe\""	tmp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Fsaxd = "\"C:\\Users\\Admin\\AppData\\Roaming\\Fdqudm\\Fsaxd.exe\""	tmp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\svcsvc = "C:\\Users\\Admin\\AppData\\Local\\svcsvc\\svcsvc.exe"	tmp.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

Processes:

tmp.exe

pid process

1604 tmp.exe
1604 tmp.exe
1604 tmp.exe
1604 tmp.exe
1604 tmp.exe

pid	process
1604	tmp.exe
1604	tmp.exe
1604	tmp.exe
1604	tmp.exe
1604	tmp.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

tmp.exetmp.exetmp.exe

description	pid	process	target process
PID 2040 set thread context of 980	2040	tmp.exe	tmp.exe
PID 980 set thread context of 1076	980	tmp.exe	tmp.exe
PID 1076 set thread context of 1604	1076	tmp.exe	tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exetmp.exepowershell.exetmp.exe

pid process

1368 powershell.exe
2040 tmp.exe
1068 powershell.exe
1076 tmp.exe
1076 tmp.exe
Suspicious behavior: RenamesItself 3 IoCs

Processes:

tmp.exe

pid process

1604 tmp.exe
1604 tmp.exe
1604 tmp.exe

pid	process
1368	powershell.exe
2040	tmp.exe
1068	powershell.exe
1076	tmp.exe
1076	tmp.exe

pid	process
1604	tmp.exe
1604	tmp.exe
1604	tmp.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

tmp.exepowershell.exepowershell.exetmp.exetmp.exe

description	pid	process
Token: SeDebugPrivilege	2040	tmp.exe
Token: SeDebugPrivilege	1368	powershell.exe
Token: SeDebugPrivilege	1068	powershell.exe
Token: SeDebugPrivilege	1076	tmp.exe
Token: SeDebugPrivilege	1604	tmp.exe
Token: SeShutdownPrivilege	1604	tmp.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

tmp.exe

pid process

1604 tmp.exe
1604 tmp.exe

pid	process
1604	tmp.exe
1604	tmp.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

tmp.exetmp.exetmp.exe

description	pid	process	target process
PID 2040 wrote to memory of 1368	2040	tmp.exe	powershell.exe
PID 2040 wrote to memory of 1368	2040	tmp.exe	powershell.exe
PID 2040 wrote to memory of 1368	2040	tmp.exe	powershell.exe
PID 2040 wrote to memory of 1368	2040	tmp.exe	powershell.exe
PID 2040 wrote to memory of 576	2040	tmp.exe	tmp.exe
PID 2040 wrote to memory of 576	2040	tmp.exe	tmp.exe
PID 2040 wrote to memory of 576	2040	tmp.exe	tmp.exe
PID 2040 wrote to memory of 576	2040	tmp.exe	tmp.exe
PID 2040 wrote to memory of 576	2040	tmp.exe	tmp.exe
PID 2040 wrote to memory of 576	2040	tmp.exe	tmp.exe
PID 2040 wrote to memory of 576	2040	tmp.exe	tmp.exe
PID 2040 wrote to memory of 980	2040	tmp.exe	tmp.exe
PID 2040 wrote to memory of 980	2040	tmp.exe	tmp.exe
PID 2040 wrote to memory of 980	2040	tmp.exe	tmp.exe
PID 2040 wrote to memory of 980	2040	tmp.exe	tmp.exe
PID 2040 wrote to memory of 980	2040	tmp.exe	tmp.exe
PID 2040 wrote to memory of 980	2040	tmp.exe	tmp.exe
PID 2040 wrote to memory of 980	2040	tmp.exe	tmp.exe
PID 2040 wrote to memory of 980	2040	tmp.exe	tmp.exe
PID 2040 wrote to memory of 980	2040	tmp.exe	tmp.exe
PID 2040 wrote to memory of 980	2040	tmp.exe	tmp.exe
PID 2040 wrote to memory of 980	2040	tmp.exe	tmp.exe
PID 2040 wrote to memory of 980	2040	tmp.exe	tmp.exe
PID 2040 wrote to memory of 980	2040	tmp.exe	tmp.exe
PID 2040 wrote to memory of 980	2040	tmp.exe	tmp.exe
PID 2040 wrote to memory of 980	2040	tmp.exe	tmp.exe
PID 980 wrote to memory of 1268	980	tmp.exe	tmp.exe
PID 980 wrote to memory of 1268	980	tmp.exe	tmp.exe
PID 980 wrote to memory of 1268	980	tmp.exe	tmp.exe
PID 980 wrote to memory of 1268	980	tmp.exe	tmp.exe
PID 980 wrote to memory of 1268	980	tmp.exe	tmp.exe
PID 980 wrote to memory of 1268	980	tmp.exe	tmp.exe
PID 980 wrote to memory of 1268	980	tmp.exe	tmp.exe
PID 980 wrote to memory of 1076	980	tmp.exe	tmp.exe
PID 980 wrote to memory of 1076	980	tmp.exe	tmp.exe
PID 980 wrote to memory of 1076	980	tmp.exe	tmp.exe
PID 980 wrote to memory of 1076	980	tmp.exe	tmp.exe
PID 980 wrote to memory of 1076	980	tmp.exe	tmp.exe
PID 980 wrote to memory of 1076	980	tmp.exe	tmp.exe
PID 980 wrote to memory of 1076	980	tmp.exe	tmp.exe
PID 980 wrote to memory of 1076	980	tmp.exe	tmp.exe
PID 980 wrote to memory of 1076	980	tmp.exe	tmp.exe
PID 980 wrote to memory of 1076	980	tmp.exe	tmp.exe
PID 980 wrote to memory of 1076	980	tmp.exe	tmp.exe
PID 980 wrote to memory of 1076	980	tmp.exe	tmp.exe
PID 1076 wrote to memory of 1068	1076	tmp.exe	powershell.exe
PID 1076 wrote to memory of 1068	1076	tmp.exe	powershell.exe
PID 1076 wrote to memory of 1068	1076	tmp.exe	powershell.exe
PID 1076 wrote to memory of 1068	1076	tmp.exe	powershell.exe
PID 1076 wrote to memory of 1604	1076	tmp.exe	tmp.exe
PID 1076 wrote to memory of 1604	1076	tmp.exe	tmp.exe
PID 1076 wrote to memory of 1604	1076	tmp.exe	tmp.exe
PID 1076 wrote to memory of 1604	1076	tmp.exe	tmp.exe
PID 1076 wrote to memory of 1604	1076	tmp.exe	tmp.exe
PID 1076 wrote to memory of 1604	1076	tmp.exe	tmp.exe
PID 1076 wrote to memory of 1604	1076	tmp.exe	tmp.exe
PID 1076 wrote to memory of 1604	1076	tmp.exe	tmp.exe
PID 1076 wrote to memory of 1604	1076	tmp.exe	tmp.exe
PID 1076 wrote to memory of 1604	1076	tmp.exe	tmp.exe
PID 1076 wrote to memory of 1604	1076	tmp.exe	tmp.exe
PID 1076 wrote to memory of 1604	1076	tmp.exe	tmp.exe
PID 1076 wrote to memory of 1604	1076	tmp.exe	tmp.exe
PID 1076 wrote to memory of 1604	1076	tmp.exe	tmp.exe
PID 1076 wrote to memory of 1604	1076	tmp.exe	tmp.exe

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2040

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA==
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1368

C:\Users\Admin\AppData\Local\Temp\tmp.exe
C:\Users\Admin\AppData\Local\Temp\tmp.exe
2⤵
PID:576

C:\Users\Admin\AppData\Local\Temp\tmp.exe
C:\Users\Admin\AppData\Local\Temp\tmp.exe
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:980

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
3⤵
PID:1268

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
3⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1076

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA==
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1068

C:\Users\Admin\AppData\Local\Temp\tmp.exe
C:\Users\Admin\AppData\Local\Temp\tmp.exe
4⤵
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1604

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
aacbcee8ffd88eace765619ee0a3eeb0

SHA1
7537102897bf6f70494c6e39752700d95bcb0d99

SHA256
a31001fdd90e32d4b9513e02e162605ae9d061c5786a434c0b5a9ecbcba70f88

SHA512
770abc1d2af08ddbf7e3984c43e5cba7351e9f007473cf0177e5e77a46fe9b0be16192d25752e5832c3350be39cc4d3080cc31311c6ebacb13310ca59c54e795

Download Submit
memory/980-78-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/980-79-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/980-74-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/980-72-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/980-64-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/980-89-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/980-70-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/980-75-0x000000000040AE9E-mapping.dmp

Download
memory/980-71-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/980-65-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/980-67-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/980-69-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1068-94-0x0000000000000000-mapping.dmp

Download
memory/1068-98-0x000000006F560000-0x000000006FB0B000-memory.dmp

Filesize
5.7MB

Download
memory/1068-99-0x000000006F560000-0x000000006FB0B000-memory.dmp

Filesize
5.7MB

Download
memory/1068-97-0x000000006F560000-0x000000006FB0B000-memory.dmp

Filesize
5.7MB

Download
memory/1076-86-0x0000000000400000-0x00000000008B2000-memory.dmp

Filesize
4.7MB

Download
memory/1076-80-0x0000000000400000-0x00000000008B2000-memory.dmp

Filesize
4.7MB

Download
memory/1076-81-0x0000000000400000-0x00000000008B2000-memory.dmp

Filesize
4.7MB

Download
memory/1076-83-0x0000000000400000-0x00000000008B2000-memory.dmp

Filesize
4.7MB

Download
memory/1076-85-0x0000000000400000-0x00000000008B2000-memory.dmp

Filesize
4.7MB

Download
memory/1076-87-0x000000000087EFFE-mapping.dmp

Download
memory/1076-90-0x0000000000400000-0x00000000008B2000-memory.dmp

Filesize
4.7MB

Download
memory/1076-92-0x0000000000400000-0x00000000008B2000-memory.dmp

Filesize
4.7MB

Download
memory/1076-93-0x0000000005FB0000-0x00000000061F4000-memory.dmp

Filesize
2.3MB

Download
memory/1368-59-0x0000000000000000-mapping.dmp

Download
memory/1368-62-0x000000006F170000-0x000000006F71B000-memory.dmp

Filesize
5.7MB

Download
memory/1368-63-0x000000006F170000-0x000000006F71B000-memory.dmp

Filesize
5.7MB

Download
memory/1368-61-0x000000006F170000-0x000000006F71B000-memory.dmp

Filesize
5.7MB

Download
memory/1604-107-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1604-113-0x000000000068A488-mapping.dmp

Download
memory/1604-120-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1604-119-0x00000000002C0000-0x00000000002CA000-memory.dmp

Filesize
40KB

Download
memory/1604-118-0x00000000002C0000-0x00000000002CA000-memory.dmp

Filesize
40KB

Download
memory/1604-100-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1604-101-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1604-103-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1604-105-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1604-117-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1604-109-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1604-110-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1604-112-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1604-115-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2040-58-0x0000000005270000-0x0000000005302000-memory.dmp

Filesize
584KB

Download
memory/2040-54-0x0000000000FD0000-0x0000000001006000-memory.dmp

Filesize
216KB

Download
memory/2040-55-0x0000000076041000-0x0000000076043000-memory.dmp

Filesize
8KB

Download
memory/2040-56-0x0000000005460000-0x0000000005500000-memory.dmp

Filesize
640KB

Download
memory/2040-57-0x0000000004F70000-0x0000000004FCA000-memory.dmp

Filesize
360KB

Download