bitrat | 311dc36ff1b1c092fe3c27ea3d7c699b77d092da4d5f1ccb5fc8e35b9a4adf5c

General

Target

7e319c1315d5b97983fb7cb4d93ddf0c.exe
Size

65KB
MD5

7e319c1315d5b97983fb7cb4d93ddf0c
SHA1

fde2d21cb08b8d95ea2e4419e51aa43f8da348ac
SHA256

311dc36ff1b1c092fe3c27ea3d7c699b77d092da4d5f1ccb5fc8e35b9a4adf5c
SHA512

02f59f8d2dd41e1e287c46a8bd3119c98d2f2500a95a7d980791f7f6f326cad43111385b30d3c8e6de912905a81527632dd9a7089f1aa6f1716eabe4608bcfad
SSDEEP

1536:WIHebrEKfgYBUngABZvxZ/DOG8s8MkeNSzXzK1:Gb4KRapBZP/Dl8DMDSzX+1

Score

10^/10

bitrat persistence trojan

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

37.139.128.233:3569

Attributes

communication_password
ce952068942604a6d6df06ed5002fad6
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

7e319c1315d5b97983fb7cb4d93ddf0c.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ajfpl = "\"C:\\Users\\Admin\\AppData\\Roaming\\Cagqu\\Ajfpl.exe\""	7e319c1315d5b97983fb7cb4d93ddf0c.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

Processes:

InstallUtil.exe

pid process

1912 InstallUtil.exe
1912 InstallUtil.exe
1912 InstallUtil.exe
1912 InstallUtil.exe
1912 InstallUtil.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

7e319c1315d5b97983fb7cb4d93ddf0c.exe

description pid process target process

PID 624 set thread context of 1912 624 7e319c1315d5b97983fb7cb4d93ddf0c.exe InstallUtil.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1912	InstallUtil.exe
1912	InstallUtil.exe
1912	InstallUtil.exe
1912	InstallUtil.exe
1912	InstallUtil.exe

description	pid	process	target process
PID 624 set thread context of 1912	624	7e319c1315d5b97983fb7cb4d93ddf0c.exe	InstallUtil.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

7e319c1315d5b97983fb7cb4d93ddf0c.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	7e319c1315d5b97983fb7cb4d93ddf0c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	7e319c1315d5b97983fb7cb4d93ddf0c.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	7e319c1315d5b97983fb7cb4d93ddf0c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	7e319c1315d5b97983fb7cb4d93ddf0c.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	7e319c1315d5b97983fb7cb4d93ddf0c.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	7e319c1315d5b97983fb7cb4d93ddf0c.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exepowershell.exe7e319c1315d5b97983fb7cb4d93ddf0c.exe

pid process

1348 powershell.exe
756 powershell.exe
624 7e319c1315d5b97983fb7cb4d93ddf0c.exe

pid	process
1348	powershell.exe
756	powershell.exe
624	7e319c1315d5b97983fb7cb4d93ddf0c.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

powershell.exe7e319c1315d5b97983fb7cb4d93ddf0c.exepowershell.exeInstallUtil.exe

description	pid	process
Token: SeDebugPrivilege	1348	powershell.exe
Token: SeDebugPrivilege	624	7e319c1315d5b97983fb7cb4d93ddf0c.exe
Token: SeDebugPrivilege	756	powershell.exe
Token: SeDebugPrivilege	1912	InstallUtil.exe
Token: SeShutdownPrivilege	1912	InstallUtil.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

InstallUtil.exe

pid process

1912 InstallUtil.exe
1912 InstallUtil.exe

pid	process
1912	InstallUtil.exe
1912	InstallUtil.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

7e319c1315d5b97983fb7cb4d93ddf0c.exe

description	pid	process	target process
PID 624 wrote to memory of 1348	624	7e319c1315d5b97983fb7cb4d93ddf0c.exe	powershell.exe
PID 624 wrote to memory of 1348	624	7e319c1315d5b97983fb7cb4d93ddf0c.exe	powershell.exe
PID 624 wrote to memory of 1348	624	7e319c1315d5b97983fb7cb4d93ddf0c.exe	powershell.exe
PID 624 wrote to memory of 1348	624	7e319c1315d5b97983fb7cb4d93ddf0c.exe	powershell.exe
PID 624 wrote to memory of 756	624	7e319c1315d5b97983fb7cb4d93ddf0c.exe	powershell.exe
PID 624 wrote to memory of 756	624	7e319c1315d5b97983fb7cb4d93ddf0c.exe	powershell.exe
PID 624 wrote to memory of 756	624	7e319c1315d5b97983fb7cb4d93ddf0c.exe	powershell.exe
PID 624 wrote to memory of 756	624	7e319c1315d5b97983fb7cb4d93ddf0c.exe	powershell.exe
PID 624 wrote to memory of 632	624	7e319c1315d5b97983fb7cb4d93ddf0c.exe	InstallUtil.exe
PID 624 wrote to memory of 632	624	7e319c1315d5b97983fb7cb4d93ddf0c.exe	InstallUtil.exe
PID 624 wrote to memory of 632	624	7e319c1315d5b97983fb7cb4d93ddf0c.exe	InstallUtil.exe
PID 624 wrote to memory of 632	624	7e319c1315d5b97983fb7cb4d93ddf0c.exe	InstallUtil.exe
PID 624 wrote to memory of 632	624	7e319c1315d5b97983fb7cb4d93ddf0c.exe	InstallUtil.exe
PID 624 wrote to memory of 632	624	7e319c1315d5b97983fb7cb4d93ddf0c.exe	InstallUtil.exe
PID 624 wrote to memory of 632	624	7e319c1315d5b97983fb7cb4d93ddf0c.exe	InstallUtil.exe
PID 624 wrote to memory of 1912	624	7e319c1315d5b97983fb7cb4d93ddf0c.exe	InstallUtil.exe
PID 624 wrote to memory of 1912	624	7e319c1315d5b97983fb7cb4d93ddf0c.exe	InstallUtil.exe
PID 624 wrote to memory of 1912	624	7e319c1315d5b97983fb7cb4d93ddf0c.exe	InstallUtil.exe
PID 624 wrote to memory of 1912	624	7e319c1315d5b97983fb7cb4d93ddf0c.exe	InstallUtil.exe
PID 624 wrote to memory of 1912	624	7e319c1315d5b97983fb7cb4d93ddf0c.exe	InstallUtil.exe
PID 624 wrote to memory of 1912	624	7e319c1315d5b97983fb7cb4d93ddf0c.exe	InstallUtil.exe
PID 624 wrote to memory of 1912	624	7e319c1315d5b97983fb7cb4d93ddf0c.exe	InstallUtil.exe
PID 624 wrote to memory of 1912	624	7e319c1315d5b97983fb7cb4d93ddf0c.exe	InstallUtil.exe
PID 624 wrote to memory of 1912	624	7e319c1315d5b97983fb7cb4d93ddf0c.exe	InstallUtil.exe
PID 624 wrote to memory of 1912	624	7e319c1315d5b97983fb7cb4d93ddf0c.exe	InstallUtil.exe
PID 624 wrote to memory of 1912	624	7e319c1315d5b97983fb7cb4d93ddf0c.exe	InstallUtil.exe
PID 624 wrote to memory of 1912	624	7e319c1315d5b97983fb7cb4d93ddf0c.exe	InstallUtil.exe
PID 624 wrote to memory of 1912	624	7e319c1315d5b97983fb7cb4d93ddf0c.exe	InstallUtil.exe
PID 624 wrote to memory of 1912	624	7e319c1315d5b97983fb7cb4d93ddf0c.exe	InstallUtil.exe
PID 624 wrote to memory of 1912	624	7e319c1315d5b97983fb7cb4d93ddf0c.exe	InstallUtil.exe

C:\Users\Admin\AppData\Local\Temp\7e319c1315d5b97983fb7cb4d93ddf0c.exe
"C:\Users\Admin\AppData\Local\Temp\7e319c1315d5b97983fb7cb4d93ddf0c.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:624

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-Date
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1348

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:756

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
2⤵
PID:632

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1912

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
f2f2c39711591c92f4cd87423bc69efe

SHA1
875cad7003659f79feca7e8f767f49854ac1d822

SHA256
841009e72115d50c7884f7b4363ac01b11878ed7ef16b8f8c13393fd937b1fd2

SHA512
4ae7558d24df410d7fe0e25f1a92d28519aac0aa93ccdbba9d2b38cd78869036cc25207ebeb716a6a8b4eacb9e79e5c10ea46b20c271b69ea5edf8a2bf709b44

Download Submit
memory/624-54-0x0000000000E20000-0x0000000000E36000-memory.dmp

Filesize
88KB

Download
memory/624-61-0x00000000074E0000-0x00000000078BC000-memory.dmp

Filesize
3.9MB

Download
memory/756-62-0x0000000000000000-mapping.dmp

Download
memory/756-65-0x000000006EC60000-0x000000006F20B000-memory.dmp

Filesize
5.7MB

Download
memory/756-66-0x000000006EC60000-0x000000006F20B000-memory.dmp

Filesize
5.7MB

Download
memory/756-67-0x000000006EC60000-0x000000006F20B000-memory.dmp

Filesize
5.7MB

Download
memory/1348-55-0x0000000000000000-mapping.dmp

Download
memory/1348-56-0x00000000766F1000-0x00000000766F3000-memory.dmp

Filesize
8KB

Download
memory/1348-58-0x0000000070040000-0x00000000705EB000-memory.dmp

Filesize
5.7MB

Download
memory/1348-59-0x0000000070040000-0x00000000705EB000-memory.dmp

Filesize
5.7MB

Download
memory/1348-60-0x0000000070040000-0x00000000705EB000-memory.dmp

Filesize
5.7MB

Download
memory/1912-71-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1912-80-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1912-68-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1912-73-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1912-75-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1912-77-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1912-78-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1912-69-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1912-81-0x000000000068A488-mapping.dmp

Download
memory/1912-83-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1912-85-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1912-86-0x0000000000110000-0x000000000011A000-memory.dmp

Filesize
40KB

Download
memory/1912-87-0x0000000000110000-0x000000000011A000-memory.dmp

Filesize
40KB

Download
memory/1912-88-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1912-89-0x0000000000110000-0x000000000011A000-memory.dmp

Filesize
40KB

Download
memory/1912-90-0x0000000000110000-0x000000000011A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads