Overview

overview

10

Static

static

dridex

windows10-1703-x64

10

Analysis

  • max time kernel
    152s
  • max time network
    152s
  • platform
    windows10-1703_x64
  • resource
    win10-20220812-en
  • resource tags

    arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
  • submitted
    21-11-2022 20:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8dd93fd81577033b184647b566e160699006396bcc6cbfff405acc4597c0d688.exe

  • Size

    76KB

  • MD5

    d43ca72d6fd0c9a2e3f3774b74fd5028

  • SHA1

    d28a3f9edb5651de9c7a418e63f8417105c83c63

  • SHA256

    8dd93fd81577033b184647b566e160699006396bcc6cbfff405acc4597c0d688

  • SHA512

    b4e5a5df2885d59ff7f4c8325ee7b00be592a62c2ee006244e9d5a8cc67adcb6b15f557146030b9079960b538dddda8626443b9c2ebbe9f31b6e40ab87cfc639

  • SSDEEP

    1536:EwHgiRJFKfgYBUngABZvxZ/DOG8s8MkeNSzXzKD:EwASJFKRapBZP/Dl8DMDSzX+D

Score
10/10
bitratpersistencetrojan

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

37.139.128.233:3569

Attributes
  • communication_password

    ce952068942604a6d6df06ed5002fad6

  • tor_process

    tor

Signatures

  • BitRAT

    BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

    trojanbitrat
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 13 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8dd93fd81577033b184647b566e160699006396bcc6cbfff405acc4597c0d688.exe
    "C:\Users\Admin\AppData\Local\Temp\8dd93fd81577033b184647b566e160699006396bcc6cbfff405acc4597c0d688.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2024
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1452
    • C:\Users\Admin\AppData\Local\Temp\8dd93fd81577033b184647b566e160699006396bcc6cbfff405acc4597c0d688.exe
      C:\Users\Admin\AppData\Local\Temp\8dd93fd81577033b184647b566e160699006396bcc6cbfff405acc4597c0d688.exe
      2⤵
        PID:2660
      • C:\Users\Admin\AppData\Local\Temp\8dd93fd81577033b184647b566e160699006396bcc6cbfff405acc4597c0d688.exe
        C:\Users\Admin\AppData\Local\Temp\8dd93fd81577033b184647b566e160699006396bcc6cbfff405acc4597c0d688.exe
        2⤵
          PID:4464
        • C:\Users\Admin\AppData\Local\Temp\8dd93fd81577033b184647b566e160699006396bcc6cbfff405acc4597c0d688.exe
          C:\Users\Admin\AppData\Local\Temp\8dd93fd81577033b184647b566e160699006396bcc6cbfff405acc4597c0d688.exe
          2⤵
            PID:4932
          • C:\Users\Admin\AppData\Local\Temp\8dd93fd81577033b184647b566e160699006396bcc6cbfff405acc4597c0d688.exe
            C:\Users\Admin\AppData\Local\Temp\8dd93fd81577033b184647b566e160699006396bcc6cbfff405acc4597c0d688.exe
            2⤵
              PID:4852
            • C:\Users\Admin\AppData\Local\Temp\8dd93fd81577033b184647b566e160699006396bcc6cbfff405acc4597c0d688.exe
              C:\Users\Admin\AppData\Local\Temp\8dd93fd81577033b184647b566e160699006396bcc6cbfff405acc4597c0d688.exe
              2⤵
                PID:3760
              • C:\Users\Admin\AppData\Local\Temp\8dd93fd81577033b184647b566e160699006396bcc6cbfff405acc4597c0d688.exe
                C:\Users\Admin\AppData\Local\Temp\8dd93fd81577033b184647b566e160699006396bcc6cbfff405acc4597c0d688.exe
                2⤵
                • Suspicious use of NtSetInformationThreadHideFromDebugger
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of SetWindowsHookEx
                PID:3108

            Network

            MITRE ATT&CK Enterprise v6

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • memory/1452-210-0x0000000000000000-mapping.dmp

              Download

            • memory/1452-246-0x00000000073C0000-0x00000000073F6000-memory.dmp

              Filesize

              216KB

              Download

            • memory/1452-251-0x0000000007A30000-0x0000000008058000-memory.dmp

              Filesize

              6.2MB

              Download

            • memory/1452-270-0x0000000008200000-0x0000000008266000-memory.dmp

              Filesize

              408KB

              Download

            • memory/1452-271-0x0000000008450000-0x00000000084B6000-memory.dmp

              Filesize

              408KB

              Download

            • memory/1452-291-0x0000000009950000-0x000000000996A000-memory.dmp

              Filesize

              104KB

              Download

            • memory/1452-290-0x000000000A3A0000-0x000000000AA18000-memory.dmp

              Filesize

              6.5MB

              Download

            • memory/1452-279-0x0000000008AB0000-0x0000000008B26000-memory.dmp

              Filesize

              472KB

              Download

            • memory/1452-275-0x0000000008C40000-0x0000000008C8B000-memory.dmp

              Filesize

              300KB

              Download

            • memory/1452-274-0x0000000008330000-0x000000000834C000-memory.dmp

              Filesize

              112KB

              Download

            • memory/2024-153-0x00000000778F0000-0x0000000077A7E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2024-160-0x00000000778F0000-0x0000000077A7E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2024-123-0x00000000778F0000-0x0000000077A7E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2024-124-0x00000000778F0000-0x0000000077A7E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2024-125-0x00000000778F0000-0x0000000077A7E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2024-126-0x00000000778F0000-0x0000000077A7E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2024-127-0x00000000778F0000-0x0000000077A7E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2024-128-0x00000000778F0000-0x0000000077A7E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2024-129-0x00000000778F0000-0x0000000077A7E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2024-130-0x00000000778F0000-0x0000000077A7E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2024-131-0x00000000778F0000-0x0000000077A7E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2024-132-0x00000000778F0000-0x0000000077A7E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2024-133-0x00000000778F0000-0x0000000077A7E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2024-134-0x00000000778F0000-0x0000000077A7E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2024-135-0x00000000778F0000-0x0000000077A7E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2024-136-0x00000000778F0000-0x0000000077A7E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2024-137-0x00000000778F0000-0x0000000077A7E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2024-138-0x00000000778F0000-0x0000000077A7E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2024-139-0x00000000778F0000-0x0000000077A7E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2024-140-0x00000000778F0000-0x0000000077A7E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2024-141-0x00000000778F0000-0x0000000077A7E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2024-142-0x00000000778F0000-0x0000000077A7E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2024-143-0x00000000778F0000-0x0000000077A7E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2024-144-0x00000000778F0000-0x0000000077A7E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2024-145-0x00000000778F0000-0x0000000077A7E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2024-146-0x00000000778F0000-0x0000000077A7E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2024-147-0x00000000778F0000-0x0000000077A7E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2024-148-0x0000000000410000-0x0000000000428000-memory.dmp

              Filesize

              96KB

              Download

            • memory/2024-149-0x00000000778F0000-0x0000000077A7E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2024-150-0x00000000778F0000-0x0000000077A7E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2024-151-0x00000000778F0000-0x0000000077A7E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2024-152-0x00000000778F0000-0x0000000077A7E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2024-121-0x00000000778F0000-0x0000000077A7E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2024-154-0x00000000778F0000-0x0000000077A7E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2024-155-0x00000000778F0000-0x0000000077A7E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2024-156-0x00000000778F0000-0x0000000077A7E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2024-157-0x00000000778F0000-0x0000000077A7E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2024-158-0x00000000778F0000-0x0000000077A7E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2024-159-0x00000000778F0000-0x0000000077A7E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2024-122-0x00000000778F0000-0x0000000077A7E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2024-161-0x00000000778F0000-0x0000000077A7E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2024-162-0x00000000778F0000-0x0000000077A7E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2024-163-0x00000000778F0000-0x0000000077A7E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2024-164-0x00000000778F0000-0x0000000077A7E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2024-165-0x00000000778F0000-0x0000000077A7E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2024-166-0x00000000778F0000-0x0000000077A7E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2024-167-0x00000000778F0000-0x0000000077A7E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2024-168-0x00000000778F0000-0x0000000077A7E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2024-169-0x00000000778F0000-0x0000000077A7E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2024-170-0x00000000778F0000-0x0000000077A7E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2024-171-0x00000000778F0000-0x0000000077A7E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2024-172-0x00000000778F0000-0x0000000077A7E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2024-174-0x00000000778F0000-0x0000000077A7E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2024-173-0x00000000778F0000-0x0000000077A7E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2024-175-0x00000000778F0000-0x0000000077A7E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2024-176-0x00000000778F0000-0x0000000077A7E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2024-177-0x00000000778F0000-0x0000000077A7E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2024-178-0x00000000778F0000-0x0000000077A7E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2024-179-0x00000000778F0000-0x0000000077A7E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2024-180-0x00000000778F0000-0x0000000077A7E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2024-120-0x00000000778F0000-0x0000000077A7E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2024-119-0x00000000778F0000-0x0000000077A7E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2024-118-0x00000000778F0000-0x0000000077A7E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2024-117-0x00000000778F0000-0x0000000077A7E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2024-116-0x00000000778F0000-0x0000000077A7E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2024-193-0x00000000067D0000-0x0000000006BB6000-memory.dmp

              Filesize

              3.9MB

              Download

            • memory/2024-194-0x0000000006C50000-0x0000000006CE2000-memory.dmp

              Filesize

              584KB

              Download

            • memory/2024-195-0x00000000071F0000-0x00000000076EE000-memory.dmp

              Filesize

              5.0MB

              Download

            • memory/2024-196-0x0000000006CF0000-0x0000000006D12000-memory.dmp

              Filesize

              136KB

              Download

            • memory/2024-198-0x0000000006E40000-0x0000000007190000-memory.dmp

              Filesize

              3.3MB

              Download

            • memory/3108-298-0x000000000068A488-mapping.dmp

              Download

            • memory/3108-332-0x0000000000400000-0x00000000007CE000-memory.dmp

              Filesize

              3.8MB

              Download

            • memory/3108-347-0x0000000073F20000-0x0000000073F5A000-memory.dmp

              Filesize

              232KB

              Download

            • memory/3108-397-0x00000000740C0000-0x00000000740FA000-memory.dmp

              Filesize

              232KB

              Download

            • memory/3108-398-0x0000000000400000-0x00000000007CE000-memory.dmp

              Filesize

              3.8MB

              Download

            • memory/3108-399-0x0000000073F20000-0x0000000073F5A000-memory.dmp

              Filesize

              232KB

              Download

            • memory/3108-400-0x00000000740C0000-0x00000000740FA000-memory.dmp

              Filesize

              232KB

              Download