Analysis Overview
SHA256
a51282512c747e4696968ba0d7cac12da4c0ee23ed9bd8f9162b44cd6feae6b5
Threat Level: Known bad
The file a51282512c747e4696968ba0d7cac12da4c0ee23ed9bd8f9162b44cd6feae6b5 was found to be: Known bad.
Malicious Activity Summary
BitRAT
Executes dropped EXE
Checks computer location settings
Suspicious use of NtSetInformationThreadHideFromDebugger
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-01-29 19:30
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-01-29 19:30
Reported
2023-01-29 19:33
Platform
win7-20220812-en
Max time kernel
151s
Max time network
138s
Command Line
Signatures
BitRAT
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\P402.Hermes.RE_4.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\P402.Hermes.RE_4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\P402.Hermes.RE_4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\P402.Hermes.RE_4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\P402.Hermes.RE_4.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a51282512c747e4696968ba0d7cac12da4c0ee23ed9bd8f9162b44cd6feae6b5.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\P402.Hermes.RE_4.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\P402.Hermes.RE_4.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\P402.Hermes.RE_4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\P402.Hermes.RE_4.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1160 wrote to memory of 1976 | N/A | C:\Users\Admin\AppData\Local\Temp\a51282512c747e4696968ba0d7cac12da4c0ee23ed9bd8f9162b44cd6feae6b5.exe | C:\Users\Admin\AppData\Local\Temp\P402.Hermes.RE_4.exe |
| PID 1160 wrote to memory of 1976 | N/A | C:\Users\Admin\AppData\Local\Temp\a51282512c747e4696968ba0d7cac12da4c0ee23ed9bd8f9162b44cd6feae6b5.exe | C:\Users\Admin\AppData\Local\Temp\P402.Hermes.RE_4.exe |
| PID 1160 wrote to memory of 1976 | N/A | C:\Users\Admin\AppData\Local\Temp\a51282512c747e4696968ba0d7cac12da4c0ee23ed9bd8f9162b44cd6feae6b5.exe | C:\Users\Admin\AppData\Local\Temp\P402.Hermes.RE_4.exe |
| PID 1160 wrote to memory of 1976 | N/A | C:\Users\Admin\AppData\Local\Temp\a51282512c747e4696968ba0d7cac12da4c0ee23ed9bd8f9162b44cd6feae6b5.exe | C:\Users\Admin\AppData\Local\Temp\P402.Hermes.RE_4.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\a51282512c747e4696968ba0d7cac12da4c0ee23ed9bd8f9162b44cd6feae6b5.exe
"C:\Users\Admin\AppData\Local\Temp\a51282512c747e4696968ba0d7cac12da4c0ee23ed9bd8f9162b44cd6feae6b5.exe"
C:\Users\Admin\AppData\Local\Temp\P402.Hermes.RE_4.exe
"C:\Users\Admin\AppData\Local\Temp\P402.Hermes.RE_4.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 87.78.165.108:25625 | N/A | tcp |
| N/A | 8.8.8.8:53 | cdn-35.anonfiles.com | udp |
| N/A | 87.78.165.108:25625 | N/A | tcp |
| N/A | 87.78.165.108:25625 | N/A | tcp |
| N/A | 87.78.165.108:25625 | N/A | tcp |
Files
memory/1160-54-0x0000000001010000-0x00000000011FE000-memory.dmp
memory/1160-55-0x0000000000F56000-0x0000000000F75000-memory.dmp
memory/1160-56-0x000007FEFBB21000-0x000007FEFBB23000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\P402.Hermes.RE_4.exe
| MD5 | 14b0626141c4e627aeb5d13411277d83 |
| SHA1 | ec8f50af65560de5a63d1174809ed9cec31191cf |
| SHA256 | d9d78c09e03266f7718b049f360aa7620a75e765811373f7e38e00bc962f9e6e |
| SHA512 | f0beab68df89e93063b1409578d0e086d554a6d505c1e26f0cc5485ddad5e7108006173ad9fa000700a64471439998c3f895acc6f2c8e08418f1bea3ff13a027 |
memory/1976-57-0x0000000000000000-mapping.dmp
memory/1976-59-0x0000000075A91000-0x0000000075A93000-memory.dmp
memory/1160-60-0x0000000000F56000-0x0000000000F75000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-01-29 19:30
Reported
2023-01-29 19:33
Platform
win10v2004-20220901-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
BitRAT
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\P402.Hermes.RE_4.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a51282512c747e4696968ba0d7cac12da4c0ee23ed9bd8f9162b44cd6feae6b5.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\P402.Hermes.RE_4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\P402.Hermes.RE_4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\P402.Hermes.RE_4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\P402.Hermes.RE_4.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a51282512c747e4696968ba0d7cac12da4c0ee23ed9bd8f9162b44cd6feae6b5.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\P402.Hermes.RE_4.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\P402.Hermes.RE_4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\P402.Hermes.RE_4.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4972 wrote to memory of 4312 | N/A | C:\Users\Admin\AppData\Local\Temp\a51282512c747e4696968ba0d7cac12da4c0ee23ed9bd8f9162b44cd6feae6b5.exe | C:\Users\Admin\AppData\Local\Temp\P402.Hermes.RE_4.exe |
| PID 4972 wrote to memory of 4312 | N/A | C:\Users\Admin\AppData\Local\Temp\a51282512c747e4696968ba0d7cac12da4c0ee23ed9bd8f9162b44cd6feae6b5.exe | C:\Users\Admin\AppData\Local\Temp\P402.Hermes.RE_4.exe |
| PID 4972 wrote to memory of 4312 | N/A | C:\Users\Admin\AppData\Local\Temp\a51282512c747e4696968ba0d7cac12da4c0ee23ed9bd8f9162b44cd6feae6b5.exe | C:\Users\Admin\AppData\Local\Temp\P402.Hermes.RE_4.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\a51282512c747e4696968ba0d7cac12da4c0ee23ed9bd8f9162b44cd6feae6b5.exe
"C:\Users\Admin\AppData\Local\Temp\a51282512c747e4696968ba0d7cac12da4c0ee23ed9bd8f9162b44cd6feae6b5.exe"
C:\Users\Admin\AppData\Local\Temp\P402.Hermes.RE_4.exe
"C:\Users\Admin\AppData\Local\Temp\P402.Hermes.RE_4.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | cdn-35.anonfiles.com | udp |
| N/A | 87.78.165.108:25625 | N/A | tcp |
| N/A | 104.208.16.90:443 | N/A | tcp |
| N/A | 87.78.165.108:25625 | N/A | tcp |
| N/A | 67.26.207.254:80 | N/A | tcp |
| N/A | 67.26.207.254:80 | N/A | tcp |
| N/A | 67.26.207.254:80 | N/A | tcp |
| N/A | 87.78.165.108:25625 | N/A | tcp |
| N/A | 87.78.165.108:25625 | N/A | tcp |
| N/A | 87.78.165.108:25625 | N/A | tcp |
Files
memory/4972-132-0x0000000000320000-0x000000000050E000-memory.dmp
memory/4972-133-0x00007FFCAAC70000-0x00007FFCAB731000-memory.dmp
memory/4312-134-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\P402.Hermes.RE_4.exe
| MD5 | 14b0626141c4e627aeb5d13411277d83 |
| SHA1 | ec8f50af65560de5a63d1174809ed9cec31191cf |
| SHA256 | d9d78c09e03266f7718b049f360aa7620a75e765811373f7e38e00bc962f9e6e |
| SHA512 | f0beab68df89e93063b1409578d0e086d554a6d505c1e26f0cc5485ddad5e7108006173ad9fa000700a64471439998c3f895acc6f2c8e08418f1bea3ff13a027 |
memory/4972-137-0x00007FFCAAC70000-0x00007FFCAB731000-memory.dmp
memory/4312-138-0x0000000074F80000-0x0000000074FB9000-memory.dmp
memory/4312-139-0x0000000075320000-0x0000000075359000-memory.dmp
memory/4312-140-0x0000000075320000-0x0000000075359000-memory.dmp
memory/4312-141-0x0000000075320000-0x0000000075359000-memory.dmp
memory/4312-142-0x0000000074F80000-0x0000000074FB9000-memory.dmp
memory/4312-143-0x0000000075320000-0x0000000075359000-memory.dmp
memory/4312-144-0x0000000075320000-0x0000000075359000-memory.dmp
memory/4312-145-0x0000000075320000-0x0000000075359000-memory.dmp
memory/4312-146-0x0000000075320000-0x0000000075359000-memory.dmp
memory/4312-147-0x0000000075320000-0x0000000075359000-memory.dmp