Analysis Overview
SHA256
b13c23ba543d6cc3be5193435fa78b265ee98904ea2ad37f7922904cc5092cdd
Threat Level: Known bad
The file b13c23ba543d6cc3be5193435fa78b265ee98904ea2ad37f7922904cc5092cdd was found to be: Known bad.
Malicious Activity Summary
BitRAT
Checks computer location settings
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Creates scheduled task(s)
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-01-29 19:28
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-01-29 19:28
Reported
2023-01-29 19:30
Platform
win7-20221111-en
Max time kernel
151s
Max time network
143s
Command Line
Signatures
BitRAT
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1976 set thread context of 1388 | N/A | C:\Users\Admin\AppData\Local\Temp\b13c23ba543d6cc3be5193435fa78b265ee98904ea2ad37f7922904cc5092cdd.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b13c23ba543d6cc3be5193435fa78b265ee98904ea2ad37f7922904cc5092cdd.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\b13c23ba543d6cc3be5193435fa78b265ee98904ea2ad37f7922904cc5092cdd.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\b13c23ba543d6cc3be5193435fa78b265ee98904ea2ad37f7922904cc5092cdd.exe
"C:\Users\Admin\AppData\Local\Temp\b13c23ba543d6cc3be5193435fa78b265ee98904ea2ad37f7922904cc5092cdd.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RgKuObYJRjVYK" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE86C.tmp"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 185.157.162.234:54262 | N/A | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\tmpE86C.tmp
| MD5 | d0106f3f67a6264ff65473435d75ed9e |
| SHA1 | ae4bea29090eb81506c25c811df97f5cbdb76ace |
| SHA256 | 41aaf1943d75fe36891e8fb1d71798809142d52e42523e694ef7f5bbf9f8626b |
| SHA512 | 3c1780b9358751e4bd1a9132ad4cf36e705f929fb1646487c4411b53a174dcd97f983887e1ac405b5421949aef19c5222127bf79d6ec81a5d97b352ffaea44d6 |
Analysis: behavioral2
Detonation Overview
Submitted
2023-01-29 19:28
Reported
2023-01-29 19:30
Platform
win10v2004-20220812-en
Max time kernel
145s
Max time network
153s
Command Line
Signatures
BitRAT
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\b13c23ba543d6cc3be5193435fa78b265ee98904ea2ad37f7922904cc5092cdd.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1488 set thread context of 1840 | N/A | C:\Users\Admin\AppData\Local\Temp\b13c23ba543d6cc3be5193435fa78b265ee98904ea2ad37f7922904cc5092cdd.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\b13c23ba543d6cc3be5193435fa78b265ee98904ea2ad37f7922904cc5092cdd.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\b13c23ba543d6cc3be5193435fa78b265ee98904ea2ad37f7922904cc5092cdd.exe
"C:\Users\Admin\AppData\Local\Temp\b13c23ba543d6cc3be5193435fa78b265ee98904ea2ad37f7922904cc5092cdd.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RgKuObYJRjVYK" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2A47.tmp"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 52.168.117.170:443 | N/A | tcp |
| N/A | 8.252.51.254:80 | N/A | tcp |
| N/A | 8.253.183.120:80 | N/A | tcp |
| N/A | 104.80.225.205:443 | N/A | tcp |
| N/A | 209.197.3.8:80 | N/A | tcp |
| N/A | 8.8.8.8:53 | 97.97.242.52.in-addr.arpa | udp |
| N/A | 8.8.8.8:53 | 7.6.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.2.0.0.0.0.2.0.1.3.0.6.2.ip6.arpa | udp |
| N/A | 185.157.162.234:54262 | N/A | tcp |
| N/A | 185.157.162.234:54262 | N/A | tcp |
| N/A | 8.247.211.254:80 | N/A | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\tmp2A47.tmp
| MD5 | b803451044b4525bfe28c58fa69cc7d4 |
| SHA1 | 9a91d443dce51d0393dccdda9eb4f9ad9e523e5f |
| SHA256 | f584ed25d24c759b7cbe78a7762717c141bdaf2c07ef0fad5ce8c730ad8dd7e0 |
| SHA512 | db56d92e39085dfcb8868413593df07881660e108d817dfd26fc330d68da4586f99927288f2ebbdc49badcdd96f6ffd48e112e7e5a90699291d382ab6e29a375 |