Analysis
-
max time kernel
1800s -
max time network
1803s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
12-11-2022 16:17
General
-
Target
statement_docx.exe
-
Size
1.7MB
-
MD5
2aedd0caff110812c17de4072cde09ba
-
SHA1
a2850f291012d07ef1acedbb9ac24884fb8db8d0
-
SHA256
9f38198ca55e984bd65f7a324853411d19a3426ac0455f64b76eb3aa2c1d85e8
-
SHA512
b83a5576522d128fe9ad5d9e579403fb96b69afef97a4440527c9e534e998bb38537bcb6fb64eddc7ca7ca92385621b0a48bc90abb2854c6f504211084d540e0
-
SSDEEP
49152:cSJ9EoE2fT7om1nLbta4BN/0yLhsLZNhONEIwS:cc1PxBLGtNENBwS
Malware Config
Extracted
bitrat
1.38
celesperial.ddns.net:5200
-
communication_password
81dc9bdb52d04dc20036dbd8313ed055
-
tor_process
tor
Signatures
-
BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
-
UPX packed file 6 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in System32 directory 10 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 50 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 7 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 10 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\statement_docx.exe"C:\Users\Admin\AppData\Local\Temp\statement_docx.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"2⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p1⤵
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
10.8MB
-
Filesize
472KB
-
Filesize
10.8MB
-
Filesize
120KB
-
Filesize
10.8MB
-
Filesize
1.7MB
-
Filesize
3.9MB
-
Filesize
228KB
-
-
Filesize
3.9MB
-
Filesize
3.9MB
-
Filesize
3.9MB
-
Filesize
228KB
-
Filesize
228KB
-
Filesize
3.9MB
-
Filesize
3.9MB
-
Filesize
228KB
-
Filesize
228KB
-
Filesize
228KB
-
Filesize
228KB
-
Filesize
228KB
-
Filesize
228KB
-
Filesize
228KB