Analysis
max time kernel: 152s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64 arch:x86 image:win10v2004-20220812-en locale:en-us os:windows10-2004-x64 system
submitted: 28-10-2022 17:43
Static task: static1
Behavioral task: behavioral1
Sample: 1f3b0c2_comppdf.exe
Resource: win7-20220812-en (windows7-x64)
8 signatures, 150 seconds
General
Target: 1f3b0c2_comppdf.exe
Size: 82KB
MD5: c170b74c3ca105d636876a6f81d17d02
SHA1: aae66cfd3e1b3132e2188e1d229896d1d42493c1
SHA256: 74cab4c8f16ad111496aab0e1fb101e25fb7c26cebb79cf6a870c12d318efdda
SHA512: d3b18d6bfc78cb6bf1e61dc81a67f721ad5f806d5c6ffa0de1982ec2602259a4f015046c1ce878d80b586733a54fa844879faba098cb71555ae2f2687587b7e2
SSDEEP: 768:t20v/xNDKwkuedmdVKCPhpoj+f5RdNKW:d/xNDKwkvdmdVKCP7owdNr
Malware Config
Extracted
Family: bitrat
Version: 1.38
C2: 192.3.76.153:5200
Attributes
communication_password: e10adc3949ba59abbe56e057f20f883e
tor_process: tor
Signatures

Processes:
resource                                                                      yara_rule
behavioral2/memory/2816-135-0x0000000000400000-0x00000000007E4000-memory.dmp  upx
behavioral2/memory/2816-138-0x0000000000400000-0x00000000007E4000-memory.dmp  upx
behavioral2/memory/2816-139-0x0000000000400000-0x00000000007E4000-memory.dmp  upx
behavioral2/memory/2816-140-0x0000000000400000-0x00000000007E4000-memory.dmp  upx
behavioral2/memory/2816-141-0x0000000000400000-0x00000000007E4000-memory.dmp  upx
behavioral2/memory/2816-143-0x0000000000400000-0x00000000007E4000-memory.dmp  upx

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
Processes: CasPol.exe
pid   process
2816  CasPol.exe
2816  CasPol.exe
2816  CasPol.exe
2816  CasPol.exe
2816  CasPol.exe
2816  CasPol.exe

Suspicious use of SetThreadContext 1 IoCs
Processes: 1f3b0c2_comppdf.exe
description                          pid   process              target process
PID 4688 set thread context of 2816  4688  1f3b0c2_comppdf.exe  CasPol.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes: 1f3b0c2_comppdf.exe
pid   process
4688  1f3b0c2_comppdf.exe
4688  1f3b0c2_comppdf.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes: 1f3b0c2_comppdf.exe, CasPol.exe
description                 pid   process
Token: SeDebugPrivilege     4688  1f3b0c2_comppdf.exe
Token: SeShutdownPrivilege  2816  CasPol.exe

Suspicious use of SetWindowsHookEx 2 IoCs
Processes: CasPol.exe
pid   process
2816  CasPol.exe
2816  CasPol.exe

Suspicious use of WriteProcessMemory 10 IoCs
Processes: 1f3b0c2_comppdf.exe
description                       pid   process              target process
PID 4688 wrote to memory of 2704  4688  1f3b0c2_comppdf.exe  CasPol.exe
PID 4688 wrote to memory of 2704  4688  1f3b0c2_comppdf.exe  CasPol.exe
PID 4688 wrote to memory of 2704  4688  1f3b0c2_comppdf.exe  CasPol.exe
PID 4688 wrote to memory of 2816  4688  1f3b0c2_comppdf.exe  CasPol.exe
PID 4688 wrote to memory of 2816  4688  1f3b0c2_comppdf.exe  CasPol.exe
PID 4688 wrote to memory of 2816  4688  1f3b0c2_comppdf.exe  CasPol.exe
PID 4688 wrote to memory of 2816  4688  1f3b0c2_comppdf.exe  CasPol.exe
PID 4688 wrote to memory of 2816  4688  1f3b0c2_comppdf.exe  CasPol.exe
PID 4688 wrote to memory of 2816  4688  1f3b0c2_comppdf.exe  CasPol.exe
PID 4688 wrote to memory of 2816  4688  1f3b0c2_comppdf.exe  CasPol.exe
Processes
C:\Users\Admin\AppData\Local\Temp\1f3b0c2_comppdf.exe
  "C:\Users\Admin\AppData\Local\Temp\1f3b0c2_comppdf.exe"
  PID: 4688
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
    PID: 2704
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
    PID: 2816
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx