Analysis
max time kernel: 82s
max time network: 123s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64 arch:x86 image:win7-20220901-en locale:en-us os:windows7-x64 system
submitted: 26-11-2022 19:05
Static task: static1
Behavioral task: behavioral1
Sample: 01bad7f8fe6dd20f9c1efeae2a31cfc0ac4e865cc72033c12d1b1a200cf8be3c.msi
Resource: win7-20220901-en
Behavioral task: behavioral2
Sample: 01bad7f8fe6dd20f9c1efeae2a31cfc0ac4e865cc72033c12d1b1a200cf8be3c.msi
Resource: win10v2004-20220812-en
General
Target: 01bad7f8fe6dd20f9c1efeae2a31cfc0ac4e865cc72033c12d1b1a200cf8be3c.msi
Size: 9.2MB
MD5: 17f3277513d19cf79bbe6559fb2052c0
SHA1: ad1e3466883a4e3150d14de7ae5c394bf969bd1d
SHA256: 01bad7f8fe6dd20f9c1efeae2a31cfc0ac4e865cc72033c12d1b1a200cf8be3c
SHA512: 9d5fefd9949daeaa8c916e072773fa26c0d496352abcb68fb120112116f0a5f5fe7730cc499c5d22efd26b5e7f2780849c9413f315a52809fd4229708779e4fc
SSDEEP: 196608:ZAoTAYfvjVvkv5ae8y0f8tHh/WrjdZbCjkzAtqj8Kr8+UgiqH:RTXrVvC5N0ch/W1pCjGAfKCgR
Malware Config
Extracted
Family: bitrat
Version: 1.38
C2: 93.115.20.35:443
communication_password: bfcff6e70c553d5acebca13a9fe9653f
tor_process: tor
Signatures
Loads dropped DLL (8 IoCs)
Processes:
pid | process
848 | MsiExec.exe
848 | MsiExec.exe
848 | MsiExec.exe
848 | MsiExec.exe
848 | MsiExec.exe
1292 | MsiExec.exe
1292 | MsiExec.exe
1596 | MsiExec.exe
Enumerates connected drives (3 TTPs, 48 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
description | ioc | process
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\F: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\F: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (5 IoCs)
Processes:
pid | process
1568 | WerFault.exe
1568 | WerFault.exe
1568 | WerFault.exe
1568 | WerFault.exe
1568 | WerFault.exe
Suspicious use of SetThreadContext (12 IoCs)
Processes:
description | pid | process | target process
PID 848 set thread context of 1568 | 848 | MsiExec.exe | WerFault.exe
PID 848 set thread context of 1568 | 848 | MsiExec.exe | WerFault.exe
PID 848 set thread context of 1568 | 848 | MsiExec.exe | WerFault.exe
PID 848 set thread context of 1568 | 848 | MsiExec.exe | WerFault.exe
PID 1292 set thread context of 396 | 1292 | MsiExec.exe | WerFault.exe
PID 1292 set thread context of 396 | 1292 | MsiExec.exe | WerFault.exe
PID 1292 set thread context of 396 | 1292 | MsiExec.exe | WerFault.exe
PID 1292 set thread context of 396 | 1292 | MsiExec.exe | WerFault.exe
PID 1596 set thread context of 1680 | 1596 | MsiExec.exe | WerFault.exe
PID 1596 set thread context of 1680 | 1596 | MsiExec.exe | WerFault.exe
PID 1596 set thread context of 1680 | 1596 | MsiExec.exe | WerFault.exe
PID 1596 set thread context of 1680 | 1596 | MsiExec.exe | WerFault.exe
Drops file in Program Files directory (3 IoCs)
Processes:
description | ioc | process
File created | C:\Program Files (x86)\The predictor\The predictor\dmg.dll | msiexec.exe
File created | C:\Program Files (x86)\The predictor\The predictor\clip.dll | msiexec.exe
File created | C:\Program Files (x86)\The predictor\The predictor\zlib1.dll | msiexec.exe
Drops file in Windows directory (14 IoCs)
Processes:
description | ioc | process
File opened for modification | C:\Windows\Installer\6c756f.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\ | msiexec.exe
File opened for modification | C:\Windows\INF\setupapi.ev1 | DrvInst.exe
File opened for modification | C:\Windows\Installer\MSI7986.tmp | msiexec.exe
File created | C:\Windows\Installer\6c7571.ipi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI7678.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI78CA.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI7BD9.tmp | msiexec.exe
File opened for modification | C:\Windows\INF\setupapi.ev3 | DrvInst.exe
File opened for modification | C:\Windows\INF\setupapi.dev.log | DrvInst.exe
File created | C:\Windows\Installer\6c756f.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI7BA9.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSICA58.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI9C9.tmp | msiexec.exe
Modifies data under HKEY_USERS (46 IoCs)
Processes:
description | ioc | process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | DrvInst.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | DrvInst.exe
Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | DrvInst.exe
Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2E | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | DrvInst.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
pid | process
760 | msiexec.exe
760 | msiexec.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes:
description | pid | process
Token: SeShutdownPrivilege | 620 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 620 | msiexec.exe
Token: SeRestorePrivilege | 760 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 760 | msiexec.exe
Token: SeSecurityPrivilege | 760 | msiexec.exe
Token: SeCreateTokenPrivilege | 620 | msiexec.exe
Token: SeAssignPrimaryTokenPrivilege | 620 | msiexec.exe
Token: SeLockMemoryPrivilege | 620 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 620 | msiexec.exe
Token: SeMachineAccountPrivilege | 620 | msiexec.exe
Token: SeTcbPrivilege | 620 | msiexec.exe
Token: SeSecurityPrivilege | 620 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 620 | msiexec.exe
Token: SeLoadDriverPrivilege | 620 | msiexec.exe
Token: SeSystemProfilePrivilege | 620 | msiexec.exe
Token: SeSystemtimePrivilege | 620 | msiexec.exe
Token: SeProfSingleProcessPrivilege | 620 | msiexec.exe
Token: SeIncBasePriorityPrivilege | 620 | msiexec.exe
Token: SeCreatePagefilePrivilege | 620 | msiexec.exe
Token: SeCreatePermanentPrivilege | 620 | msiexec.exe
Token: SeBackupPrivilege | 620 | msiexec.exe
Token: SeRestorePrivilege | 620 | msiexec.exe
Token: SeShutdownPrivilege | 620 | msiexec.exe
Token: SeDebugPrivilege | 620 | msiexec.exe
Token: SeAuditPrivilege | 620 | msiexec.exe
Token: SeSystemEnvironmentPrivilege | 620 | msiexec.exe
Token: SeChangeNotifyPrivilege | 620 | msiexec.exe
Token: SeRemoteShutdownPrivilege | 620 | msiexec.exe
Token: SeUndockPrivilege | 620 | msiexec.exe
Token: SeSyncAgentPrivilege | 620 | msiexec.exe
Token: SeEnableDelegationPrivilege | 620 | msiexec.exe
Token: SeManageVolumePrivilege | 620 | msiexec.exe
Token: SeImpersonatePrivilege | 620 | msiexec.exe
Token: SeCreateGlobalPrivilege | 620 | msiexec.exe
Token: SeBackupPrivilege | 660 | vssvc.exe
Token: SeRestorePrivilege | 660 | vssvc.exe
Token: SeAuditPrivilege | 660 | vssvc.exe
Token: SeBackupPrivilege | 760 | msiexec.exe
Token: SeRestorePrivilege | 760 | msiexec.exe
Token: SeRestorePrivilege | 820 | DrvInst.exe
Token: SeRestorePrivilege | 820 | DrvInst.exe
Token: SeRestorePrivilege | 820 | DrvInst.exe
Token: SeRestorePrivilege | 820 | DrvInst.exe
Token: SeRestorePrivilege | 820 | DrvInst.exe
Token: SeRestorePrivilege | 820 | DrvInst.exe
Token: SeRestorePrivilege | 820 | DrvInst.exe
Token: SeLoadDriverPrivilege | 820 | DrvInst.exe
Token: SeLoadDriverPrivilege | 820 | DrvInst.exe
Token: SeLoadDriverPrivilege | 820 | DrvInst.exe
Token: SeRestorePrivilege | 760 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 760 | msiexec.exe
Token: SeRestorePrivilege | 760 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 760 | msiexec.exe
Token: SeRestorePrivilege | 760 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 760 | msiexec.exe
Token: SeRestorePrivilege | 760 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 760 | msiexec.exe
Token: SeRestorePrivilege | 760 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 760 | msiexec.exe
Token: SeRestorePrivilege | 760 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 760 | msiexec.exe
Token: SeRestorePrivilege | 760 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 760 | msiexec.exe
Token: SeRestorePrivilege | 760 | msiexec.exe
Suspicious use of FindShellTrayWindow (1 IoC)
Processes:
pid | process
620 | msiexec.exe
Suspicious use of SetWindowsHookEx (2 IoCs)
Processes:
pid | process
1568 | WerFault.exe
1568 | WerFault.exe
Suspicious use of WriteProcessMemory (45 IoCs)
Processes:
description | pid | process | target process
PID 760 wrote to memory of 848 | 760 | msiexec.exe | MsiExec.exe
PID 760 wrote to memory of 848 | 760 | msiexec.exe | MsiExec.exe
PID 760 wrote to memory of 848 | 760 | msiexec.exe | MsiExec.exe
PID 760 wrote to memory of 848 | 760 | msiexec.exe | MsiExec.exe
PID 760 wrote to memory of 848 | 760 | msiexec.exe | MsiExec.exe
PID 760 wrote to memory of 848 | 760 | msiexec.exe | MsiExec.exe
PID 760 wrote to memory of 848 | 760 | msiexec.exe | MsiExec.exe
PID 848 wrote to memory of 1568 | 848 | MsiExec.exe | WerFault.exe
PID 848 wrote to memory of 1568 | 848 | MsiExec.exe | WerFault.exe
PID 848 wrote to memory of 1568 | 848 | MsiExec.exe | WerFault.exe
PID 848 wrote to memory of 1568 | 848 | MsiExec.exe | WerFault.exe
PID 848 wrote to memory of 1568 | 848 | MsiExec.exe | WerFault.exe
PID 848 wrote to memory of 1568 | 848 | MsiExec.exe | WerFault.exe
PID 848 wrote to memory of 1568 | 848 | MsiExec.exe | WerFault.exe
PID 848 wrote to memory of 1568 | 848 | MsiExec.exe | WerFault.exe
PID 760 wrote to memory of 1292 | 760 | msiexec.exe | MsiExec.exe
PID 760 wrote to memory of 1292 | 760 | msiexec.exe | MsiExec.exe
PID 760 wrote to memory of 1292 | 760 | msiexec.exe | MsiExec.exe
PID 760 wrote to memory of 1292 | 760 | msiexec.exe | MsiExec.exe
PID 760 wrote to memory of 1292 | 760 | msiexec.exe | MsiExec.exe
PID 760 wrote to memory of 1292 | 760 | msiexec.exe | MsiExec.exe
PID 760 wrote to memory of 1292 | 760 | msiexec.exe | MsiExec.exe
PID 1292 wrote to memory of 396 | 1292 | MsiExec.exe | WerFault.exe
PID 1292 wrote to memory of 396 | 1292 | MsiExec.exe | WerFault.exe
PID 1292 wrote to memory of 396 | 1292 | MsiExec.exe | WerFault.exe
PID 1292 wrote to memory of 396 | 1292 | MsiExec.exe | WerFault.exe
PID 1292 wrote to memory of 396 | 1292 | MsiExec.exe | WerFault.exe
PID 1292 wrote to memory of 396 | 1292 | MsiExec.exe | WerFault.exe
PID 1292 wrote to memory of 396 | 1292 | MsiExec.exe | WerFault.exe
PID 1292 wrote to memory of 396 | 1292 | MsiExec.exe | WerFault.exe
PID 760 wrote to memory of 1596 | 760 | msiexec.exe | MsiExec.exe
PID 760 wrote to memory of 1596 | 760 | msiexec.exe | MsiExec.exe
PID 760 wrote to memory of 1596 | 760 | msiexec.exe | MsiExec.exe
PID 760 wrote to memory of 1596 | 760 | msiexec.exe | MsiExec.exe
PID 760 wrote to memory of 1596 | 760 | msiexec.exe | MsiExec.exe
PID 760 wrote to memory of 1596 | 760 | msiexec.exe | MsiExec.exe
PID 760 wrote to memory of 1596 | 760 | msiexec.exe | MsiExec.exe
PID 1596 wrote to memory of 1680 | 1596 | MsiExec.exe | WerFault.exe
PID 1596 wrote to memory of 1680 | 1596 | MsiExec.exe | WerFault.exe
PID 1596 wrote to memory of 1680 | 1596 | MsiExec.exe | WerFault.exe
PID 1596 wrote to memory of 1680 | 1596 | MsiExec.exe | WerFault.exe
PID 1596 wrote to memory of 1680 | 1596 | MsiExec.exe | WerFault.exe
PID 1596 wrote to memory of 1680 | 1596 | MsiExec.exe | WerFault.exe
PID 1596 wrote to memory of 1680 | 1596 | MsiExec.exe | WerFault.exe
PID 1596 wrote to memory of 1680 | 1596 | MsiExec.exe | WerFault.exe
Processes (indented by parent/child depth)

C:\Windows\system32\msiexec.exe
  command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\01bad7f8fe6dd20f9c1efeae2a31cfc0ac4e865cc72033c12d1b1a200cf8be3c.msi
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID: 620

C:\Windows\system32\msiexec.exe
  command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 760

    C:\Windows\syswow64\MsiExec.exe
      command line: C:\Windows\syswow64\MsiExec.exe -Embedding 22AD2733D0A53205962886150E812431
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      PID: 848

        C:\Windows\SysWOW64\WerFault.exe
          command line: "C:\Windows\System32\WerFault.exe"
          - Suspicious use of NtSetInformationThreadHideFromDebugger
          - Suspicious use of SetWindowsHookEx
          PID: 1568

    C:\Windows\syswow64\MsiExec.exe
      command line: C:\Windows\syswow64\MsiExec.exe -Embedding 03819756C4F8F3C0AEB50A864D3CB763
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      PID: 1292

        C:\Windows\SysWOW64\WerFault.exe
          command line: "C:\Windows\System32\WerFault.exe"
          PID: 396

    C:\Windows\syswow64\MsiExec.exe
      command line: C:\Windows\syswow64\MsiExec.exe -Embedding 8E2741A7B6DCA8C13420844D92A117C5
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      PID: 1596

        C:\Windows\SysWOW64\WerFault.exe
          command line: "C:\Windows\System32\WerFault.exe"
          PID: 1680

C:\Windows\system32\vssvc.exe
  command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
  PID: 660

C:\Windows\system32\DrvInst.exe
  command line: DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005A8" "0000000000000328"
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID: 820

C:\Windows\SysWOW64\DllHost.exe
  command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}
  PID: 852
Network
MITRE ATT&CK Enterprise v6
Downloads