Malware Analysis Report

2025-01-03 05:14

Sample ID 221130-rwc2qshc73
Target bdc7fa90a1a4ae03e63fe914c7222cd7019d1b3cd0676fa5ee3f6f7c04416d7b
SHA256 bdc7fa90a1a4ae03e63fe914c7222cd7019d1b3cd0676fa5ee3f6f7c04416d7b
Tags
bitrat agilenet persistence trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

bdc7fa90a1a4ae03e63fe914c7222cd7019d1b3cd0676fa5ee3f6f7c04416d7b

Threat Level: Known bad

The file bdc7fa90a1a4ae03e63fe914c7222cd7019d1b3cd0676fa5ee3f6f7c04416d7b was found to be: Known bad.

Malicious Activity Summary

bitrat agilenet persistence trojan upx

BitRAT

ACProtect 1.3x - 1.4x DLL software

Executes dropped EXE

UPX packed file

Loads dropped DLL

Obfuscated with Agile.Net obfuscator

Adds Run key to start application

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-11-30 14:32

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-11-30 14:32

Reported

2022-12-02 12:26

Platform

win7-20220812-en

Max time kernel

148s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bdc7fa90a1a4ae03e63fe914c7222cd7019d1b3cd0676fa5ee3f6f7c04416d7b.exe"

Signatures

BitRAT

trojan bitrat

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Obfuscated with Agile.Net obfuscator

agilenet
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\W = "C:\\Users\\Admin\\AppData\\Roaming\\W.exe" C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2016 set thread context of 1600 N/A C:\Users\Admin\AppData\Roaming\W.exe C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bdc7fa90a1a4ae03e63fe914c7222cd7019d1b3cd0676fa5ee3f6f7c04416d7b.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\W.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1960 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\bdc7fa90a1a4ae03e63fe914c7222cd7019d1b3cd0676fa5ee3f6f7c04416d7b.exe C:\Windows\SysWOW64\cmd.exe
PID 1960 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\bdc7fa90a1a4ae03e63fe914c7222cd7019d1b3cd0676fa5ee3f6f7c04416d7b.exe C:\Windows\SysWOW64\cmd.exe
PID 1960 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\bdc7fa90a1a4ae03e63fe914c7222cd7019d1b3cd0676fa5ee3f6f7c04416d7b.exe C:\Windows\SysWOW64\cmd.exe
PID 1960 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\bdc7fa90a1a4ae03e63fe914c7222cd7019d1b3cd0676fa5ee3f6f7c04416d7b.exe C:\Windows\SysWOW64\cmd.exe
PID 1744 wrote to memory of 952 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1744 wrote to memory of 952 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1744 wrote to memory of 952 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1744 wrote to memory of 952 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1960 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\bdc7fa90a1a4ae03e63fe914c7222cd7019d1b3cd0676fa5ee3f6f7c04416d7b.exe C:\Users\Admin\AppData\Roaming\W.exe
PID 1960 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\bdc7fa90a1a4ae03e63fe914c7222cd7019d1b3cd0676fa5ee3f6f7c04416d7b.exe C:\Users\Admin\AppData\Roaming\W.exe
PID 1960 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\bdc7fa90a1a4ae03e63fe914c7222cd7019d1b3cd0676fa5ee3f6f7c04416d7b.exe C:\Users\Admin\AppData\Roaming\W.exe
PID 1960 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\bdc7fa90a1a4ae03e63fe914c7222cd7019d1b3cd0676fa5ee3f6f7c04416d7b.exe C:\Users\Admin\AppData\Roaming\W.exe
PID 2016 wrote to memory of 1600 N/A C:\Users\Admin\AppData\Roaming\W.exe C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
PID 2016 wrote to memory of 1600 N/A C:\Users\Admin\AppData\Roaming\W.exe C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
PID 2016 wrote to memory of 1600 N/A C:\Users\Admin\AppData\Roaming\W.exe C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
PID 2016 wrote to memory of 1600 N/A C:\Users\Admin\AppData\Roaming\W.exe C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
PID 2016 wrote to memory of 1600 N/A C:\Users\Admin\AppData\Roaming\W.exe C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
PID 2016 wrote to memory of 1600 N/A C:\Users\Admin\AppData\Roaming\W.exe C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
PID 2016 wrote to memory of 1600 N/A C:\Users\Admin\AppData\Roaming\W.exe C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
PID 2016 wrote to memory of 1600 N/A C:\Users\Admin\AppData\Roaming\W.exe C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
PID 1600 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe C:\Users\Admin\AppData\Local\954a5290\tor\TORBUILD.exe
PID 1600 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe C:\Users\Admin\AppData\Local\954a5290\tor\TORBUILD.exe
PID 1600 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe C:\Users\Admin\AppData\Local\954a5290\tor\TORBUILD.exe
PID 1600 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe C:\Users\Admin\AppData\Local\954a5290\tor\TORBUILD.exe
PID 1600 wrote to memory of 952 N/A C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe C:\Users\Admin\AppData\Local\954a5290\tor\TORBUILD.exe
PID 1600 wrote to memory of 952 N/A C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe C:\Users\Admin\AppData\Local\954a5290\tor\TORBUILD.exe
PID 1600 wrote to memory of 952 N/A C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe C:\Users\Admin\AppData\Local\954a5290\tor\TORBUILD.exe
PID 1600 wrote to memory of 952 N/A C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe C:\Users\Admin\AppData\Local\954a5290\tor\TORBUILD.exe

Processes

C:\Users\Admin\AppData\Local\Temp\bdc7fa90a1a4ae03e63fe914c7222cd7019d1b3cd0676fa5ee3f6f7c04416d7b.exe

"C:\Users\Admin\AppData\Local\Temp\bdc7fa90a1a4ae03e63fe914c7222cd7019d1b3cd0676fa5ee3f6f7c04416d7b.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "W" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\W.exe"

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "W" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\W.exe"

C:\Users\Admin\AppData\Roaming\W.exe

"C:\Users\Admin\AppData\Roaming\W.exe"

C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe

"C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe"

C:\Users\Admin\AppData\Local\954a5290\tor\TORBUILD.exe

"C:\Users\Admin\AppData\Local\954a5290\tor\TORBUILD.exe" -f torrc

C:\Users\Admin\AppData\Local\954a5290\tor\TORBUILD.exe

"C:\Users\Admin\AppData\Local\954a5290\tor\TORBUILD.exe" -f torrc

Network

Country Destination Domain Proto
N/A 127.0.0.1:49217 N/A tcp
N/A 31.185.104.21:443 N/A tcp
N/A 193.70.43.76:9001 N/A tcp
N/A 127.0.0.1:45808 N/A tcp
N/A 50.7.74.173:9001 N/A tcp
N/A 171.25.193.25:443 N/A tcp
N/A 198.96.155.3:5001 N/A tcp
N/A 131.188.40.189:443 N/A tcp
N/A 50.7.74.172:443 N/A tcp
N/A 198.140.141.51:443 N/A tcp
N/A 95.214.54.70:8443 N/A tcp
N/A 91.143.88.2:443 N/A tcp
N/A 127.0.0.1:45808 N/A tcp
N/A 198.140.141.51:443 N/A tcp
N/A 91.143.88.2:443 N/A tcp
N/A 127.0.0.1:49256 N/A tcp
N/A 141.98.136.79:443 N/A tcp
N/A 185.125.168.42:443 N/A tcp

Files

memory/1960-54-0x0000000000310000-0x0000000000BC2000-memory.dmp

memory/1960-55-0x0000000076181000-0x0000000076183000-memory.dmp

memory/1960-56-0x0000000000EC0000-0x0000000000EE8000-memory.dmp

memory/1744-57-0x0000000000000000-mapping.dmp

memory/952-58-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Roaming\W.exe

MD5 99da955426a8cfa74ac059a995a2a9a6
SHA1 cc6d485ed25c1e25fad316c51a5529f0e646c68e
SHA256 bdc7fa90a1a4ae03e63fe914c7222cd7019d1b3cd0676fa5ee3f6f7c04416d7b
SHA512 e0a0430f929d71396c48ce3687652ebfac26490c17c5da091562804ecc4b023639548416bafffd2f2ab2ab00c1ecebcd8b7cad8a34c113f0031dc5cd14ddc67d

memory/2016-60-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\W.exe

MD5 99da955426a8cfa74ac059a995a2a9a6
SHA1 cc6d485ed25c1e25fad316c51a5529f0e646c68e
SHA256 bdc7fa90a1a4ae03e63fe914c7222cd7019d1b3cd0676fa5ee3f6f7c04416d7b
SHA512 e0a0430f929d71396c48ce3687652ebfac26490c17c5da091562804ecc4b023639548416bafffd2f2ab2ab00c1ecebcd8b7cad8a34c113f0031dc5cd14ddc67d

C:\Users\Admin\AppData\Roaming\W.exe

MD5 99da955426a8cfa74ac059a995a2a9a6
SHA1 cc6d485ed25c1e25fad316c51a5529f0e646c68e
SHA256 bdc7fa90a1a4ae03e63fe914c7222cd7019d1b3cd0676fa5ee3f6f7c04416d7b
SHA512 e0a0430f929d71396c48ce3687652ebfac26490c17c5da091562804ecc4b023639548416bafffd2f2ab2ab00c1ecebcd8b7cad8a34c113f0031dc5cd14ddc67d

memory/2016-63-0x0000000000AC0000-0x0000000001372000-memory.dmp

memory/2016-65-0x00000000003A0000-0x00000000003B4000-memory.dmp

memory/2016-66-0x00000000007B0000-0x00000000007B6000-memory.dmp

\Users\Admin\AppData\Local\Temp\AddInProcess32.exe

MD5 6a673bfc3b67ae9782cb31af2f234c68
SHA1 7544e89566d91e84e3cd437b9a073e5f6b56566e
SHA256 978a4093058aa2ebf05dc353897d90d950324389879b57741b64160825b5ec0e
SHA512 72c302372ce87ceda2a3c70a6005d3f9c112f1641bc7fe6824c718971233e66c07e2996d2785fa358566c38714c25ea812c05c7cfd2f588284849d495fd24f39

C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe

MD5 6a673bfc3b67ae9782cb31af2f234c68
SHA1 7544e89566d91e84e3cd437b9a073e5f6b56566e
SHA256 978a4093058aa2ebf05dc353897d90d950324389879b57741b64160825b5ec0e
SHA512 72c302372ce87ceda2a3c70a6005d3f9c112f1641bc7fe6824c718971233e66c07e2996d2785fa358566c38714c25ea812c05c7cfd2f588284849d495fd24f39

memory/1600-69-0x0000000000220000-0x0000000000E17000-memory.dmp

memory/1600-75-0x0000000000BECCD0-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe

MD5 6a673bfc3b67ae9782cb31af2f234c68
SHA1 7544e89566d91e84e3cd437b9a073e5f6b56566e
SHA256 978a4093058aa2ebf05dc353897d90d950324389879b57741b64160825b5ec0e
SHA512 72c302372ce87ceda2a3c70a6005d3f9c112f1641bc7fe6824c718971233e66c07e2996d2785fa358566c38714c25ea812c05c7cfd2f588284849d495fd24f39

memory/1600-79-0x0000000000220000-0x0000000000E17000-memory.dmp

memory/1600-81-0x0000000000220000-0x0000000000E17000-memory.dmp

memory/1600-82-0x0000000000220000-0x0000000000E17000-memory.dmp

\Users\Admin\AppData\Local\954a5290\tor\TORBUILD.exe

MD5 5cfe61ff895c7daa889708665ef05d7b
SHA1 5e58efe30406243fbd58d4968b0492ddeef145f2
SHA256 f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5
SHA512 43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da

\Users\Admin\AppData\Local\954a5290\tor\TORBUILD.exe

MD5 5cfe61ff895c7daa889708665ef05d7b
SHA1 5e58efe30406243fbd58d4968b0492ddeef145f2
SHA256 f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5
SHA512 43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da

memory/1928-85-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\954a5290\tor\TORBUILD.exe

MD5 5cfe61ff895c7daa889708665ef05d7b
SHA1 5e58efe30406243fbd58d4968b0492ddeef145f2
SHA256 f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5
SHA512 43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da

C:\Users\Admin\AppData\Local\954a5290\tor\libcrypto-1_1.dll

MD5 2384a02c4a1f7ec481adde3a020607d3
SHA1 7e848d35a10bf9296c8fa41956a3daa777f86365
SHA256 c8db0ff0f7047ed91b057005e86ad3a23eae616253313aa047c560d9eb398369
SHA512 1ac74dd2d863acd7415ef8b9490a5342865462fbabdad0645da22424b0d56f5e9c389a3d7c41386f2414d6c4715c79a6ddecb6e6cff29e98319e1fd1060f4503

\Users\Admin\AppData\Local\954a5290\tor\libcrypto-1_1.dll

MD5 2384a02c4a1f7ec481adde3a020607d3
SHA1 7e848d35a10bf9296c8fa41956a3daa777f86365
SHA256 c8db0ff0f7047ed91b057005e86ad3a23eae616253313aa047c560d9eb398369
SHA512 1ac74dd2d863acd7415ef8b9490a5342865462fbabdad0645da22424b0d56f5e9c389a3d7c41386f2414d6c4715c79a6ddecb6e6cff29e98319e1fd1060f4503

C:\Users\Admin\AppData\Local\954a5290\tor\libssp-0.dll

MD5 2c916456f503075f746c6ea649cf9539
SHA1 fa1afc1f3d728c89b2e90e14ca7d88b599580a9d
SHA256 cbb5236d923d4f4baf2f0d2797c72a2cbae42ef7ac0acce786daf5fdc5b456e6
SHA512 1c1995e1aa7c33c597c64122395275861d9219e46d45277d4f1768a2e06227b353d5d77d6b7cb655082dc6fb9736ad6f7cfcc0c90e02776e27d50857e792e3fd

\Users\Admin\AppData\Local\954a5290\tor\libssp-0.dll

MD5 2c916456f503075f746c6ea649cf9539
SHA1 fa1afc1f3d728c89b2e90e14ca7d88b599580a9d
SHA256 cbb5236d923d4f4baf2f0d2797c72a2cbae42ef7ac0acce786daf5fdc5b456e6
SHA512 1c1995e1aa7c33c597c64122395275861d9219e46d45277d4f1768a2e06227b353d5d77d6b7cb655082dc6fb9736ad6f7cfcc0c90e02776e27d50857e792e3fd

C:\Users\Admin\AppData\Local\954a5290\tor\libevent-2-1-6.dll

MD5 099983c13bade9554a3c17484e5481f1
SHA1 a84e69ad9722f999252d59d0ed9a99901a60e564
SHA256 b65f9aa0c7912af64bd9b05e9322e994339a11b0c8907e6a6166d7b814bda838
SHA512 89f1a963de77873296395662d4150e3eff7a2d297fb9ec54ec06aa2e40d41e5f4fc4611e9bc34126d760c9134f2907fea3bebdf2fbbd7eaddad99f8e4be1f5e2

memory/1600-94-0x00000000042B0000-0x00000000046B4000-memory.dmp

\Users\Admin\AppData\Local\954a5290\tor\libevent-2-1-6.dll

MD5 099983c13bade9554a3c17484e5481f1
SHA1 a84e69ad9722f999252d59d0ed9a99901a60e564
SHA256 b65f9aa0c7912af64bd9b05e9322e994339a11b0c8907e6a6166d7b814bda838
SHA512 89f1a963de77873296395662d4150e3eff7a2d297fb9ec54ec06aa2e40d41e5f4fc4611e9bc34126d760c9134f2907fea3bebdf2fbbd7eaddad99f8e4be1f5e2

memory/1600-95-0x00000000042B0000-0x00000000046B4000-memory.dmp

C:\Users\Admin\AppData\Local\954a5290\tor\libgcc_s_sjlj-1.dll

MD5 b0d98f7157d972190fe0759d4368d320
SHA1 5715a533621a2b642aad9616e603c6907d80efc4
SHA256 2922193133dabab5b82088d4e87484e2fac75e9e0c765dacaf22eb5f4f18b0c5
SHA512 41ce56c428158533bf8b8ffe0a71875b5a3abc549b88d7d3e69acc6080653abea344d6d66fff39c04bf019fcaa295768d620377d85a933ddaf17f3d90df29496

\Users\Admin\AppData\Local\954a5290\tor\libgcc_s_sjlj-1.dll

MD5 b0d98f7157d972190fe0759d4368d320
SHA1 5715a533621a2b642aad9616e603c6907d80efc4
SHA256 2922193133dabab5b82088d4e87484e2fac75e9e0c765dacaf22eb5f4f18b0c5
SHA512 41ce56c428158533bf8b8ffe0a71875b5a3abc549b88d7d3e69acc6080653abea344d6d66fff39c04bf019fcaa295768d620377d85a933ddaf17f3d90df29496

memory/1928-98-0x0000000000EA0000-0x00000000012A4000-memory.dmp

C:\Users\Admin\AppData\Local\954a5290\tor\libwinpthread-1.dll

MD5 d407cc6d79a08039a6f4b50539e560b8
SHA1 21171adbc176dc19aaa5e595cd2cd4bd1dfd0c71
SHA256 92cfd0277c8781a15a0f17b7aee6cff69631b9606a001101631f04b3381efc4e
SHA512 378a10fed915591445d97c6d04e82d28008d8ea65e0e40c142b8ee59867035d561d4e103495c8f0d9c19b51597706ce0b450c25516aa0f1744579ffcd097ae0c

memory/1928-99-0x0000000074C40000-0x0000000074F0F000-memory.dmp

memory/1928-100-0x0000000075200000-0x0000000075249000-memory.dmp

\Users\Admin\AppData\Local\954a5290\tor\libwinpthread-1.dll

MD5 d407cc6d79a08039a6f4b50539e560b8
SHA1 21171adbc176dc19aaa5e595cd2cd4bd1dfd0c71
SHA256 92cfd0277c8781a15a0f17b7aee6cff69631b9606a001101631f04b3381efc4e
SHA512 378a10fed915591445d97c6d04e82d28008d8ea65e0e40c142b8ee59867035d561d4e103495c8f0d9c19b51597706ce0b450c25516aa0f1744579ffcd097ae0c

C:\Users\Admin\AppData\Local\954a5290\tor\libssl-1_1.dll

MD5 c88826ac4bb879622e43ead5bdb95aeb
SHA1 87d29853649a86f0463bfd9ad887b85eedc21723
SHA256 c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f
SHA512 f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3

\Users\Admin\AppData\Local\954a5290\tor\zlib1.dll

MD5 add33041af894b67fe34e1dc819b7eb6
SHA1 6db46eb021855a587c95479422adcc774a272eeb
SHA256 8688bd7ca55dcc0c23c429762776a0a43fe5b0332dfd5b79ef74e55d4bbc1183
SHA512 bafc441198d03f0e7fe804bab89283c389d38884d0f87d81b11950a9b79fcbf7b32be4bb16f4fcd9179b66f865c563c172a46b4514a6087ef0af64425a4b2cfa

C:\Users\Admin\AppData\Local\954a5290\tor\zlib1.dll

MD5 add33041af894b67fe34e1dc819b7eb6
SHA1 6db46eb021855a587c95479422adcc774a272eeb
SHA256 8688bd7ca55dcc0c23c429762776a0a43fe5b0332dfd5b79ef74e55d4bbc1183
SHA512 bafc441198d03f0e7fe804bab89283c389d38884d0f87d81b11950a9b79fcbf7b32be4bb16f4fcd9179b66f865c563c172a46b4514a6087ef0af64425a4b2cfa

\Users\Admin\AppData\Local\954a5290\tor\libssl-1_1.dll

MD5 c88826ac4bb879622e43ead5bdb95aeb
SHA1 87d29853649a86f0463bfd9ad887b85eedc21723
SHA256 c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f
SHA512 f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3

C:\Users\Admin\AppData\Local\954a5290\tor\torrc

MD5 593e865b08dbc7145bae68904242dcf7
SHA1 bd8cb5843113f5dad36f63331fc235eb544b014e
SHA256 c1dffd6d7e4f0ffb4c0244cc3dcf5a385a1f21c9aa6c47e8db8cb3c9edba3f45
SHA512 6e1ffcbffc2bda094f462c1b8886981584092d0c1293e62893420499bc5e359fbaad3ccc4823a94210aa7bbb538e34dc4ab607b8b40989712c23e7fff55a8b29

memory/1928-108-0x0000000075130000-0x00000000751F8000-memory.dmp

memory/1928-109-0x0000000074B30000-0x0000000074C3A000-memory.dmp

memory/1928-110-0x0000000074AA0000-0x0000000074B28000-memory.dmp

memory/1928-111-0x00000000749D0000-0x0000000074A9E000-memory.dmp

memory/1928-112-0x00000000752A0000-0x00000000752C4000-memory.dmp

memory/1600-113-0x00000000042B0000-0x00000000046B4000-memory.dmp

memory/1928-114-0x0000000000EA0000-0x00000000012A4000-memory.dmp

memory/1928-115-0x0000000075200000-0x0000000075249000-memory.dmp

memory/1600-116-0x00000000042B0000-0x00000000046B4000-memory.dmp

memory/1928-117-0x0000000074C40000-0x0000000074F0F000-memory.dmp

memory/952-119-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Local\954a5290\tor\TORBUILD.exe

MD5 5cfe61ff895c7daa889708665ef05d7b
SHA1 5e58efe30406243fbd58d4968b0492ddeef145f2
SHA256 f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5
SHA512 43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da

memory/1928-127-0x0000000000EA0000-0x00000000012A4000-memory.dmp

\Users\Admin\AppData\Local\954a5290\tor\zlib1.dll

MD5 add33041af894b67fe34e1dc819b7eb6
SHA1 6db46eb021855a587c95479422adcc774a272eeb
SHA256 8688bd7ca55dcc0c23c429762776a0a43fe5b0332dfd5b79ef74e55d4bbc1183
SHA512 bafc441198d03f0e7fe804bab89283c389d38884d0f87d81b11950a9b79fcbf7b32be4bb16f4fcd9179b66f865c563c172a46b4514a6087ef0af64425a4b2cfa

\Users\Admin\AppData\Local\954a5290\tor\libssl-1_1.dll

MD5 c88826ac4bb879622e43ead5bdb95aeb
SHA1 87d29853649a86f0463bfd9ad887b85eedc21723
SHA256 c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f
SHA512 f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3

\Users\Admin\AppData\Local\954a5290\tor\libwinpthread-1.dll

MD5 d407cc6d79a08039a6f4b50539e560b8
SHA1 21171adbc176dc19aaa5e595cd2cd4bd1dfd0c71
SHA256 92cfd0277c8781a15a0f17b7aee6cff69631b9606a001101631f04b3381efc4e
SHA512 378a10fed915591445d97c6d04e82d28008d8ea65e0e40c142b8ee59867035d561d4e103495c8f0d9c19b51597706ce0b450c25516aa0f1744579ffcd097ae0c

\Users\Admin\AppData\Local\954a5290\tor\libgcc_s_sjlj-1.dll

MD5 b0d98f7157d972190fe0759d4368d320
SHA1 5715a533621a2b642aad9616e603c6907d80efc4
SHA256 2922193133dabab5b82088d4e87484e2fac75e9e0c765dacaf22eb5f4f18b0c5
SHA512 41ce56c428158533bf8b8ffe0a71875b5a3abc549b88d7d3e69acc6080653abea344d6d66fff39c04bf019fcaa295768d620377d85a933ddaf17f3d90df29496

\Users\Admin\AppData\Local\954a5290\tor\libevent-2-1-6.dll

MD5 099983c13bade9554a3c17484e5481f1
SHA1 a84e69ad9722f999252d59d0ed9a99901a60e564
SHA256 b65f9aa0c7912af64bd9b05e9322e994339a11b0c8907e6a6166d7b814bda838
SHA512 89f1a963de77873296395662d4150e3eff7a2d297fb9ec54ec06aa2e40d41e5f4fc4611e9bc34126d760c9134f2907fea3bebdf2fbbd7eaddad99f8e4be1f5e2

\Users\Admin\AppData\Local\954a5290\tor\libssp-0.dll

MD5 2c916456f503075f746c6ea649cf9539
SHA1 fa1afc1f3d728c89b2e90e14ca7d88b599580a9d
SHA256 cbb5236d923d4f4baf2f0d2797c72a2cbae42ef7ac0acce786daf5fdc5b456e6
SHA512 1c1995e1aa7c33c597c64122395275861d9219e46d45277d4f1768a2e06227b353d5d77d6b7cb655082dc6fb9736ad6f7cfcc0c90e02776e27d50857e792e3fd

\Users\Admin\AppData\Local\954a5290\tor\libcrypto-1_1.dll

MD5 2384a02c4a1f7ec481adde3a020607d3
SHA1 7e848d35a10bf9296c8fa41956a3daa777f86365
SHA256 c8db0ff0f7047ed91b057005e86ad3a23eae616253313aa047c560d9eb398369
SHA512 1ac74dd2d863acd7415ef8b9490a5342865462fbabdad0645da22424b0d56f5e9c389a3d7c41386f2414d6c4715c79a6ddecb6e6cff29e98319e1fd1060f4503

C:\Users\Admin\AppData\Local\954a5290\tor\TORBUILD.exe

MD5 5cfe61ff895c7daa889708665ef05d7b
SHA1 5e58efe30406243fbd58d4968b0492ddeef145f2
SHA256 f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5
SHA512 43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da

C:\Users\Admin\AppData\Local\954a5290\tor\torrc

MD5 593e865b08dbc7145bae68904242dcf7
SHA1 bd8cb5843113f5dad36f63331fc235eb544b014e
SHA256 c1dffd6d7e4f0ffb4c0244cc3dcf5a385a1f21c9aa6c47e8db8cb3c9edba3f45
SHA512 6e1ffcbffc2bda094f462c1b8886981584092d0c1293e62893420499bc5e359fbaad3ccc4823a94210aa7bbb538e34dc4ab607b8b40989712c23e7fff55a8b29

C:\Users\Admin\AppData\Local\954a5290\tor\data\state

MD5 a44d1e82ea8be3d97d5c8f24fa83fb59
SHA1 97992823e1db31c5ebf5a2ce631ae758ae3974ef
SHA256 574484b8979efaef90ea345447632e6e4ef650bcdf6396e6f12e3c7d2d0f9ba6
SHA512 985a1ce1ef91636eb30aab0482cd36cda57227fe061bab55a851281de58b8c75815ca1fea1c12410cb37e02a247350dd9e0056302973a474da4da3dfaba8dbb2

C:\Users\Admin\AppData\Local\954a5290\tor\data\cached-certs

MD5 6722813343c6c39cc84631cb340c363a
SHA1 cfef92dc63d38dc70f0b9d648b359013582b2675
SHA256 22656fe0e2d3123be13bc5a59c848c00eaa8a40e4dc7a65c78c85b1911b78f0a
SHA512 ac7a966206c11fa478697a7e0e863fa1afc9d76bb3e775a37e5865fc1485e8a63b563ec89b78b50d9ff547a69179faf0831bf1cd8972ca69197e63f83d57f62c

C:\Users\Admin\AppData\Local\954a5290\tor\data\cached-microdesc-consensus

MD5 ef4ce74e85152715b340e5ed98a6818d
SHA1 e24dd6270924ba88c8ee69d7eb640165ab0c9feb
SHA256 3eb828d5ebc27ab9c4a090d196d87e083254ca4072a80e6634cb64399ffef838
SHA512 9793221e53209379e62a10abf5f2fb6231571212ddd5d0e9280f2f29930ed28c143de889291ce552c22eee85bdae3bd68d21c9ef6e8162cb86e3148c65e46f7d

C:\Users\Admin\AppData\Local\954a5290\tor\data\cached-microdescs.new

MD5 a6710a2471803dc5853f753d0db81ecb
SHA1 455aa5f77e7658b0b3d71443bea81da94174e4cf
SHA256 5957f0dcfca3d1a728cbc8ce8074039c9f607f4b340733957ffc2e942e8eaa4b
SHA512 2d00fc83d1156f991944c4faf5a8152964b3a094b7eca1f0567cdd4a51d0edbe82ca124fb7bcc88d1efa90af26263a6ac51e997eaf8f2fa6e049f07ee872d9ad

memory/1600-135-0x0000000004F40000-0x0000000005344000-memory.dmp

memory/952-136-0x0000000000EA0000-0x00000000012A4000-memory.dmp

memory/952-137-0x0000000074C40000-0x0000000074F0F000-memory.dmp

memory/952-138-0x0000000075200000-0x0000000075249000-memory.dmp

memory/952-139-0x0000000075130000-0x00000000751F8000-memory.dmp

memory/952-140-0x0000000074B30000-0x0000000074C3A000-memory.dmp

memory/952-141-0x0000000074AA0000-0x0000000074B28000-memory.dmp

memory/952-142-0x00000000749D0000-0x0000000074A9E000-memory.dmp

memory/952-143-0x00000000752A0000-0x00000000752C4000-memory.dmp

C:\Users\Admin\AppData\Local\954a5290\tor\data\unverified-microdesc-consensus

MD5 ef4ce74e85152715b340e5ed98a6818d
SHA1 e24dd6270924ba88c8ee69d7eb640165ab0c9feb
SHA256 3eb828d5ebc27ab9c4a090d196d87e083254ca4072a80e6634cb64399ffef838
SHA512 9793221e53209379e62a10abf5f2fb6231571212ddd5d0e9280f2f29930ed28c143de889291ce552c22eee85bdae3bd68d21c9ef6e8162cb86e3148c65e46f7d

Analysis: behavioral2

Detonation Overview

Submitted

2022-11-30 14:32

Reported

2022-12-02 12:30

Platform

win10v2004-20221111-en

Max time kernel

298s

Max time network

334s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bdc7fa90a1a4ae03e63fe914c7222cd7019d1b3cd0676fa5ee3f6f7c04416d7b.exe"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bdc7fa90a1a4ae03e63fe914c7222cd7019d1b3cd0676fa5ee3f6f7c04416d7b.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\bdc7fa90a1a4ae03e63fe914c7222cd7019d1b3cd0676fa5ee3f6f7c04416d7b.exe

"C:\Users\Admin\AppData\Local\Temp\bdc7fa90a1a4ae03e63fe914c7222cd7019d1b3cd0676fa5ee3f6f7c04416d7b.exe"

Network

Country Destination Domain Proto
N/A 40.79.197.35:443 N/A tcp
N/A 72.21.91.29:80 N/A tcp
N/A 93.184.221.240:80 N/A tcp
N/A 93.184.221.240:80 N/A tcp
N/A 51.11.192.48:443 N/A tcp
N/A 93.184.221.240:80 N/A tcp
N/A 93.184.221.240:80 N/A tcp
N/A 104.80.225.205:443 N/A tcp
N/A 8.8.8.8:53 14.110.152.52.in-addr.arpa udp

Files

memory/2876-132-0x00000000009D0000-0x0000000001282000-memory.dmp

memory/2876-133-0x00000000062A0000-0x0000000006844000-memory.dmp

memory/2876-134-0x0000000005C30000-0x0000000005CC2000-memory.dmp

memory/2876-135-0x00000000060F0000-0x000000000618C000-memory.dmp