Analysis

  • max time kernel
    224s
  • max time network
    337s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags
    arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
  • submitted
    30-11-2022 19:01

General

  • Target

    9a0a5ca2046e116e4e4c4c3afabfa11be5931f85b18df2732a26be06bf418f0f.exe

  • Size

    6.2MB

  • MD5

    188ea6da222629732fd7ec7e22f7cd3b

  • SHA1

    1e9d81e4b41ca5fb4eb4cbb442c183fd4783c6ec

  • SHA256

    9a0a5ca2046e116e4e4c4c3afabfa11be5931f85b18df2732a26be06bf418f0f

  • SHA512

    4634a0e87524d14f3204f5d585d26225258762cc4bc57d043e0bf4fc8f57a6b623649a03690956626b721f04aa8f191bc158d3572c1688d2c28152c790d57ace

  • SSDEEP

    98304:xmBa4AnQ0WOpalZxd/9hMuP8WMLmuZKVSr6ZlDs6XnUbJp5KysMS04ESFtvbcI6T:x0oQ0WOpCZBxPukVSGqX5KyJ4ESjcIg

Malware Config

Extracted

  • Family

    bitrat

  • Version

    1.34

  • C2

    2.56.212.226:1995

Attributes
  • communication_password

    a76d949640a165da25ccfe9a8fd82c8a

  • install_dir

    DiagnosticPerfos

  • install_file

    DiagnosticPerformer.exe

  • tor_process

    tor

Signatures

  • BitRAT

    BitRAT is a remote access tool written in C++ that uses leaked source code from other families.

  • Adds Run key to start application (2 TTPs, 1 IoCs)
  • Suspicious use of NtSetInformationThreadHideFromDebugger (4 IoCs)
  • Suspicious behavior: EnumeratesProcesses (1 IoCs)
  • Suspicious behavior: RenamesItself (18 IoCs)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of SetWindowsHookEx (2 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\9a0a5ca2046e116e4e4c4c3afabfa11be5931f85b18df2732a26be06bf418f0f.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\9a0a5ca2046e116e4e4c4c3afabfa11be5931f85b18df2732a26be06bf418f0f.exe"
    PID: 1032
    • Adds Run key to start application
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/1032-54-0x0000000000400000-0x00000000010AA000-memory.dmp (Filesize 12.7MB)
  • memory/1032-57-0x0000000000400000-0x00000000010AA000-memory.dmp (Filesize 12.7MB)
  • memory/1032-58-0x0000000000400000-0x00000000010AA000-memory.dmp (Filesize 12.7MB)
  • memory/1032-59-0x0000000000400000-0x00000000010AA000-memory.dmp (Filesize 12.7MB)
  • memory/1032-60-0x0000000000400000-0x00000000010AA000-memory.dmp (Filesize 12.7MB)
  • memory/1032-61-0x0000000000400000-0x00000000010AA000-memory.dmp (Filesize 12.7MB)
  • memory/1032-62-0x0000000074DA1000-0x0000000074DA3000-memory.dmp (Filesize 8KB)
  • memory/1032-63-0x0000000000400000-0x00000000010AA000-memory.dmp (Filesize 12.7MB)
  • memory/1032-64-0x0000000000400000-0x00000000010AA000-memory.dmp (Filesize 12.7MB)
  • memory/1032-65-0x0000000000400000-0x00000000010AA000-memory.dmp (Filesize 12.7MB)
  • memory/1032-66-0x0000000000400000-0x00000000010AA000-memory.dmp (Filesize 12.7MB)
  • memory/1032-67-0x0000000000400000-0x00000000010AA000-memory.dmp (Filesize 12.7MB)
  • memory/1032-68-0x0000000000400000-0x00000000010AA000-memory.dmp (Filesize 12.7MB)
  • memory/1032-69-0x0000000000400000-0x00000000010AA000-memory.dmp (Filesize 12.7MB)
  • memory/1032-70-0x0000000000400000-0x00000000010AA000-memory.dmp (Filesize 12.7MB)
  • memory/1032-71-0x0000000000400000-0x00000000010AA000-memory.dmp (Filesize 12.7MB)
  • memory/1032-72-0x0000000000400000-0x00000000010AA000-memory.dmp (Filesize 12.7MB)
  • memory/1032-74-0x0000000000400000-0x00000000010AA000-memory.dmp (Filesize 12.7MB)
  • memory/1032-75-0x0000000000400000-0x00000000010AA000-memory.dmp (Filesize 12.7MB)
  • memory/1032-76-0x0000000000400000-0x00000000010AA000-memory.dmp (Filesize 12.7MB)
  • memory/1032-77-0x0000000000400000-0x00000000010AA000-memory.dmp (Filesize 12.7MB)
  • memory/1032-78-0x0000000000400000-0x00000000010AA000-memory.dmp (Filesize 12.7MB)
  • memory/1032-79-0x0000000000400000-0x00000000010AA000-memory.dmp (Filesize 12.7MB)
  • memory/1032-80-0x0000000000400000-0x00000000010AA000-memory.dmp (Filesize 12.7MB)
  • memory/1032-81-0x0000000000400000-0x00000000010AA000-memory.dmp (Filesize 12.7MB)
  • memory/1032-82-0x0000000000400000-0x00000000010AA000-memory.dmp (Filesize 12.7MB)
  • memory/1032-83-0x0000000000400000-0x00000000010AA000-memory.dmp (Filesize 12.7MB)
  • memory/1032-84-0x0000000000400000-0x00000000010AA000-memory.dmp (Filesize 12.7MB)
  • memory/1032-85-0x0000000000400000-0x00000000010AA000-memory.dmp (Filesize 12.7MB)
  • memory/1032-86-0x0000000000400000-0x00000000010AA000-memory.dmp (Filesize 12.7MB)
  • memory/1032-87-0x0000000000400000-0x00000000010AA000-memory.dmp (Filesize 12.7MB)
  • memory/1032-88-0x0000000000400000-0x00000000010AA000-memory.dmp (Filesize 12.7MB)
  • memory/1032-89-0x0000000000400000-0x00000000010AA000-memory.dmp (Filesize 12.7MB)
  • memory/1032-90-0x0000000000400000-0x00000000010AA000-memory.dmp (Filesize 12.7MB)
  • memory/1032-91-0x0000000000400000-0x00000000010AA000-memory.dmp (Filesize 12.7MB)
  • memory/1032-92-0x0000000000400000-0x00000000010AA000-memory.dmp (Filesize 12.7MB)
  • memory/1032-93-0x0000000000400000-0x00000000010AA000-memory.dmp (Filesize 12.7MB)
  • memory/1032-94-0x0000000000400000-0x00000000010AA000-memory.dmp (Filesize 12.7MB)
  • memory/1032-95-0x0000000000400000-0x00000000010AA000-memory.dmp (Filesize 12.7MB)
  • memory/1032-96-0x0000000000400000-0x00000000010AA000-memory.dmp (Filesize 12.7MB)
  • memory/1032-97-0x0000000000400000-0x00000000010AA000-memory.dmp (Filesize 12.7MB)
  • memory/1032-98-0x0000000000400000-0x00000000010AA000-memory.dmp (Filesize 12.7MB)
  • memory/1032-99-0x0000000000400000-0x00000000010AA000-memory.dmp (Filesize 12.7MB)
  • memory/1032-100-0x0000000000400000-0x00000000010AA000-memory.dmp (Filesize 12.7MB)
  • memory/1032-101-0x0000000000400000-0x00000000010AA000-memory.dmp (Filesize 12.7MB)
  • memory/1032-102-0x0000000000400000-0x00000000010AA000-memory.dmp (Filesize 12.7MB)
  • memory/1032-104-0x0000000000400000-0x00000000010AA000-memory.dmp (Filesize 12.7MB)
  • memory/1032-105-0x0000000000400000-0x00000000010AA000-memory.dmp (Filesize 12.7MB)
  • memory/1032-106-0x0000000000400000-0x00000000010AA000-memory.dmp (Filesize 12.7MB)
  • memory/1032-107-0x0000000000400000-0x00000000010AA000-memory.dmp (Filesize 12.7MB)
  • memory/1032-108-0x0000000000400000-0x00000000010AA000-memory.dmp (Filesize 12.7MB)
  • memory/1032-110-0x0000000000400000-0x00000000010AA000-memory.dmp (Filesize 12.7MB)
  • memory/1032-111-0x0000000000400000-0x00000000010AA000-memory.dmp (Filesize 12.7MB)
  • memory/1032-112-0x0000000000400000-0x00000000010AA000-memory.dmp (Filesize 12.7MB)
  • memory/1032-113-0x0000000000400000-0x00000000010AA000-memory.dmp (Filesize 12.7MB)
  • memory/1032-114-0x0000000000400000-0x00000000010AA000-memory.dmp (Filesize 12.7MB)
  • memory/1032-115-0x0000000000400000-0x00000000010AA000-memory.dmp (Filesize 12.7MB)
  • memory/1032-116-0x0000000000400000-0x00000000010AA000-memory.dmp (Filesize 12.7MB)
  • memory/1032-117-0x0000000000400000-0x00000000010AA000-memory.dmp (Filesize 12.7MB)