Analysis Overview
SHA256
08cfe144396f7fc7aaf3a47e86826d439502e4e80e6a9043bcb026ae2f1e845a
Threat Level: Known bad
The file INVOICEXls223.exe was found to be: Known bad.
Malicious Activity Summary
BitRAT
UPX packed file
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2023-02-14 07:06
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-02-14 07:06
Reported
2023-02-14 07:08
Platform
win7-20220812-en
Max time kernel
147s
Max time network
149s
Command Line
Signatures
BitRAT
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1088 set thread context of 1716 | N/A | C:\Users\Admin\AppData\Local\Temp\INVOICEXls223.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\INVOICEXls223.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\INVOICEXls223.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\INVOICEXls223.exe
"C:\Users\Admin\AppData\Local\Temp\INVOICEXls223.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | celesperial.ddns.net | udp |
| CA | 209.127.19.155:5200 | celesperial.ddns.net | tcp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | celesperial.ddns.net | udp |
| US | 8.8.8.8:53 | celesperial.ddns.net | udp |
Files
memory/1088-54-0x0000000000BC0000-0x0000000001228000-memory.dmp
memory/1088-55-0x0000000000240000-0x0000000000252000-memory.dmp
memory/1088-56-0x0000000000500000-0x0000000000508000-memory.dmp
memory/1716-57-0x0000000000400000-0x00000000007E4000-memory.dmp
memory/1716-58-0x0000000000400000-0x00000000007E4000-memory.dmp
memory/1716-60-0x0000000000400000-0x00000000007E4000-memory.dmp
memory/1716-61-0x0000000000400000-0x00000000007E4000-memory.dmp
memory/1716-62-0x00000000007E2730-mapping.dmp
memory/1716-63-0x0000000000400000-0x00000000007E4000-memory.dmp
memory/1716-64-0x0000000000400000-0x00000000007E4000-memory.dmp
memory/1716-65-0x0000000000400000-0x00000000007E4000-memory.dmp
memory/1716-67-0x0000000000400000-0x00000000007E4000-memory.dmp
memory/1716-66-0x0000000074D61000-0x0000000074D63000-memory.dmp
memory/1716-68-0x0000000000110000-0x000000000011A000-memory.dmp
memory/1716-69-0x0000000000400000-0x00000000007E4000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-02-14 07:06
Reported
2023-02-14 07:08
Platform
win10v2004-20221111-en
Max time kernel
150s
Max time network
153s
Command Line
Signatures
BitRAT
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2500 set thread context of 3260 | N/A | C:\Users\Admin\AppData\Local\Temp\INVOICEXls223.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\INVOICEXls223.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\INVOICEXls223.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\INVOICEXls223.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\INVOICEXls223.exe
"C:\Users\Admin\AppData\Local\Temp\INVOICEXls223.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | celesperial.ddns.net | udp |
| CA | 209.127.19.155:5200 | celesperial.ddns.net | tcp |
| CA | 209.127.19.155:5200 | celesperial.ddns.net | tcp |
| US | 93.184.221.240:80 | tcp | |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 20.189.173.12:443 | tcp | |
| NL | 104.80.225.205:443 | tcp | |
| US | 8.8.8.8:53 | celesperial.ddns.net | udp |
| US | 8.8.8.8:53 | celesperial.ddns.net | udp |
Files
memory/2500-132-0x0000000000180000-0x00000000007E8000-memory.dmp
memory/748-133-0x0000000000000000-mapping.dmp
memory/3260-134-0x0000000000000000-mapping.dmp
memory/3260-135-0x0000000000400000-0x00000000007E4000-memory.dmp
memory/3260-137-0x0000000000400000-0x00000000007E4000-memory.dmp
memory/3260-138-0x0000000000400000-0x00000000007E4000-memory.dmp
memory/3260-136-0x0000000000400000-0x00000000007E4000-memory.dmp
memory/3260-139-0x0000000074F50000-0x0000000074F89000-memory.dmp
memory/3260-140-0x00000000752D0000-0x0000000075309000-memory.dmp
memory/3260-141-0x0000000000400000-0x00000000007E4000-memory.dmp
memory/3260-142-0x00000000752D0000-0x0000000075309000-memory.dmp
memory/3260-143-0x0000000074F50000-0x0000000074F89000-memory.dmp
memory/3260-144-0x00000000752D0000-0x0000000075309000-memory.dmp
memory/3260-145-0x00000000752D0000-0x0000000075309000-memory.dmp