Overview

overview

10

Static

static

1

7f55a7b60a...48.rtf

windows7-x64

10

7f55a7b60a...48.rtf

windows10-2004-x64

1

Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    19-03-2023 18:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7f55a7b60a243743fe8f8f25220e8aae506d985ff963587200329f229cca2248.rtf

  • Size

    3KB

  • MD5

    a5a6fbe5e7f86784d14ce1f4d7672f6b

  • SHA1

    c8b9fc16cea841705b1b80152cc95f3322799c80

  • SHA256

    7f55a7b60a243743fe8f8f25220e8aae506d985ff963587200329f229cca2248

  • SHA512

    322944cc12604db232973329f9ad5e49c034d9ca4e55ffba3ddc8b4d2dc815c2afaeddae740436d07c88f46d9017902c88dac0cdc0610dcbd47cb9d0825218b3

Score
10/10
bitrattrojan

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

74.201.28.92:3569

Attributes
  • communication_password

    148b191cf4e80b549e1b1a4444f2bdf6

  • tor_process

    tor

Signatures

  • BitRAT

    BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

    trojanbitrat
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 5 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 3 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Launches Equation Editor 1 TTPs 1 IoCs

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

    exploit
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 41 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 53 IoCs
  • Suspicious use of SendNotifyMessage 53 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\7f55a7b60a243743fe8f8f25220e8aae506d985ff963587200329f229cca2248.rtf"
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:1372
    • C:\Windows\SysWOW64\taskmgr.exe
      "C:\Windows\system32\taskmgr.exe"
      2⤵
      • Process spawned unexpected child process
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1952
  • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
    "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
    1⤵
    • Blocklisted process makes network request
    • Loads dropped DLL
    • Launches Equation Editor
    • Suspicious use of WriteProcessMemory
    PID:1340
    • C:\Users\Admin\AppData\Roaming\fdry.exe
      C:\Users\Admin\AppData\Roaming\fdry.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:1316
      • C:\Users\Admin\AppData\Roaming\fdry.exe
        "C:\Users\Admin\AppData\Roaming\fdry.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:324
      • C:\Windows\SysWOW64\cmd.exe
        "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\wbnh"
        3⤵
          PID:1216
        • C:\Windows\SysWOW64\cmd.exe
          "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exe'" /f
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2044
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exe'" /f
            4⤵
            • Creates scheduled task(s)
            PID:304
        • C:\Windows\SysWOW64\cmd.exe
          "cmd" /c copy "C:\Users\Admin\AppData\Roaming\fdry.exe" "C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exe"
          3⤵
            PID:1888
      • C:\Windows\system32\taskeng.exe
        taskeng.exe {EC2475C2-5E93-4F9D-A842-675D53248D64} S-1-5-21-3499517378-2376672570-1134980332-1000:MLXLFKOI\Admin:Interactive:[1]
        1⤵
        • Suspicious use of WriteProcessMemory
        PID:1700
        • C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exe
          C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exe
          2⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:1820
          • C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exe
            "C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exe"
            3⤵
            • Executes dropped EXE
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Suspicious use of AdjustPrivilegeToken
            PID:1472
          • C:\Windows\SysWOW64\cmd.exe
            "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\wbnh"
            3⤵
              PID:832
            • C:\Windows\SysWOW64\cmd.exe
              "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exe'" /f
              3⤵
              • Suspicious use of WriteProcessMemory
              PID:1908
              • C:\Windows\SysWOW64\schtasks.exe
                schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exe'" /f
                4⤵
                • Creates scheduled task(s)
                PID:1648
            • C:\Windows\SysWOW64\cmd.exe
              "cmd" /c copy "C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exe" "C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exe"
              3⤵
                PID:2004

          Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
            Filesize

            61KB

            MD5

            e71c8443ae0bc2e282c73faead0a6dd3

            SHA1

            0c110c1b01e68edfacaeae64781a37b1995fa94b

            SHA256

            95b0a5acc5bf70d3abdfd091d0c9f9063aa4fde65bd34dbf16786082e1992e72

            SHA512

            b38458c7fa2825afb72794f374827403d5946b1132e136a0ce075dfd351277cf7d957c88dc8a1e4adc3bcae1fa8010dae3831e268e910d517691de24326391a6

            Download Submit

          • C:\Users\Admin\AppData\Roaming\fdry.exe
            Filesize

            3.8MB

            MD5

            86000b0a976dc4a377b2e5192fe30445

            SHA1

            ad29b138883d7906f8d6e75f2e5f60e5285d4a56

            SHA256

            11fa27c4961acea6b79c28ccdc896bb94276ba6e3edf2e1d33539952abb1c25e

            SHA512

            4d0be7661db756cee78c7fbbb91705574b5bb82552230277d59b14a2225f84209597473c165243594ef7d335b3f48475d92b48af21092d04320e91ac452e9c19

            Download Submit

          • C:\Users\Admin\AppData\Roaming\fdry.exe
            Filesize

            3.8MB

            MD5

            86000b0a976dc4a377b2e5192fe30445

            SHA1

            ad29b138883d7906f8d6e75f2e5f60e5285d4a56

            SHA256

            11fa27c4961acea6b79c28ccdc896bb94276ba6e3edf2e1d33539952abb1c25e

            SHA512

            4d0be7661db756cee78c7fbbb91705574b5bb82552230277d59b14a2225f84209597473c165243594ef7d335b3f48475d92b48af21092d04320e91ac452e9c19

            Download Submit

          • C:\Users\Admin\AppData\Roaming\fdry.exe
            Filesize

            3.8MB

            MD5

            86000b0a976dc4a377b2e5192fe30445

            SHA1

            ad29b138883d7906f8d6e75f2e5f60e5285d4a56

            SHA256

            11fa27c4961acea6b79c28ccdc896bb94276ba6e3edf2e1d33539952abb1c25e

            SHA512

            4d0be7661db756cee78c7fbbb91705574b5bb82552230277d59b14a2225f84209597473c165243594ef7d335b3f48475d92b48af21092d04320e91ac452e9c19

            Download Submit

          • C:\Users\Admin\AppData\Roaming\fdry.exe
            Filesize

            3.8MB

            MD5

            86000b0a976dc4a377b2e5192fe30445

            SHA1

            ad29b138883d7906f8d6e75f2e5f60e5285d4a56

            SHA256

            11fa27c4961acea6b79c28ccdc896bb94276ba6e3edf2e1d33539952abb1c25e

            SHA512

            4d0be7661db756cee78c7fbbb91705574b5bb82552230277d59b14a2225f84209597473c165243594ef7d335b3f48475d92b48af21092d04320e91ac452e9c19

            Download Submit

          • C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exe
            Filesize

            3.8MB

            MD5

            86000b0a976dc4a377b2e5192fe30445

            SHA1

            ad29b138883d7906f8d6e75f2e5f60e5285d4a56

            SHA256

            11fa27c4961acea6b79c28ccdc896bb94276ba6e3edf2e1d33539952abb1c25e

            SHA512

            4d0be7661db756cee78c7fbbb91705574b5bb82552230277d59b14a2225f84209597473c165243594ef7d335b3f48475d92b48af21092d04320e91ac452e9c19

            Download Submit

          • C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exe
            Filesize

            3.8MB

            MD5

            86000b0a976dc4a377b2e5192fe30445

            SHA1

            ad29b138883d7906f8d6e75f2e5f60e5285d4a56

            SHA256

            11fa27c4961acea6b79c28ccdc896bb94276ba6e3edf2e1d33539952abb1c25e

            SHA512

            4d0be7661db756cee78c7fbbb91705574b5bb82552230277d59b14a2225f84209597473c165243594ef7d335b3f48475d92b48af21092d04320e91ac452e9c19

            Download Submit

          • C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exe
            Filesize

            3.8MB

            MD5

            86000b0a976dc4a377b2e5192fe30445

            SHA1

            ad29b138883d7906f8d6e75f2e5f60e5285d4a56

            SHA256

            11fa27c4961acea6b79c28ccdc896bb94276ba6e3edf2e1d33539952abb1c25e

            SHA512

            4d0be7661db756cee78c7fbbb91705574b5bb82552230277d59b14a2225f84209597473c165243594ef7d335b3f48475d92b48af21092d04320e91ac452e9c19

            Download Submit

          • \Users\Admin\AppData\Roaming\fdry.exe
            Filesize

            3.8MB

            MD5

            86000b0a976dc4a377b2e5192fe30445

            SHA1

            ad29b138883d7906f8d6e75f2e5f60e5285d4a56

            SHA256

            11fa27c4961acea6b79c28ccdc896bb94276ba6e3edf2e1d33539952abb1c25e

            SHA512

            4d0be7661db756cee78c7fbbb91705574b5bb82552230277d59b14a2225f84209597473c165243594ef7d335b3f48475d92b48af21092d04320e91ac452e9c19

            Download Submit

          • \Users\Admin\AppData\Roaming\fdry.exe
            Filesize

            3.8MB

            MD5

            86000b0a976dc4a377b2e5192fe30445

            SHA1

            ad29b138883d7906f8d6e75f2e5f60e5285d4a56

            SHA256

            11fa27c4961acea6b79c28ccdc896bb94276ba6e3edf2e1d33539952abb1c25e

            SHA512

            4d0be7661db756cee78c7fbbb91705574b5bb82552230277d59b14a2225f84209597473c165243594ef7d335b3f48475d92b48af21092d04320e91ac452e9c19

            Download Submit

          • \Users\Admin\AppData\Roaming\fdry.exe
            Filesize

            3.8MB

            MD5

            86000b0a976dc4a377b2e5192fe30445

            SHA1

            ad29b138883d7906f8d6e75f2e5f60e5285d4a56

            SHA256

            11fa27c4961acea6b79c28ccdc896bb94276ba6e3edf2e1d33539952abb1c25e

            SHA512

            4d0be7661db756cee78c7fbbb91705574b5bb82552230277d59b14a2225f84209597473c165243594ef7d335b3f48475d92b48af21092d04320e91ac452e9c19

            Download Submit

          • memory/324-128-0x0000000000710000-0x0000000000ADE000-memory.dmp

            Filesize

            3.8MB

            Download

          • memory/324-134-0x0000000000710000-0x0000000000ADE000-memory.dmp

            Filesize

            3.8MB

            Download

          • memory/324-110-0x0000000000710000-0x0000000000ADE000-memory.dmp

            Filesize

            3.8MB

            Download

          • memory/324-112-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

            Filesize

            4KB

            Download

          • memory/324-115-0x0000000000710000-0x0000000000ADE000-memory.dmp

            Filesize

            3.8MB

            Download

          • memory/324-108-0x0000000000710000-0x0000000000ADE000-memory.dmp

            Filesize

            3.8MB

            Download

          • memory/324-111-0x0000000000710000-0x0000000000ADE000-memory.dmp

            Filesize

            3.8MB

            Download

          • memory/324-119-0x0000000000710000-0x0000000000ADE000-memory.dmp

            Filesize

            3.8MB

            Download

          • memory/324-123-0x0000000000710000-0x0000000000ADE000-memory.dmp

            Filesize

            3.8MB

            Download

          • memory/324-126-0x0000000000710000-0x0000000000ADE000-memory.dmp

            Filesize

            3.8MB

            Download

          • memory/324-127-0x0000000000710000-0x0000000000ADE000-memory.dmp

            Filesize

            3.8MB

            Download

          • memory/324-167-0x0000000000710000-0x0000000000ADE000-memory.dmp

            Filesize

            3.8MB

            Download

          • memory/324-129-0x0000000000710000-0x0000000000ADE000-memory.dmp

            Filesize

            3.8MB

            Download

          • memory/324-130-0x0000000000710000-0x0000000000ADE000-memory.dmp

            Filesize

            3.8MB

            Download

          • memory/324-131-0x0000000000710000-0x0000000000ADE000-memory.dmp

            Filesize

            3.8MB

            Download

          • memory/324-132-0x0000000000710000-0x0000000000ADE000-memory.dmp

            Filesize

            3.8MB

            Download

          • memory/324-133-0x0000000000710000-0x0000000000ADE000-memory.dmp

            Filesize

            3.8MB

            Download

          • memory/324-109-0x0000000000710000-0x0000000000ADE000-memory.dmp

            Filesize

            3.8MB

            Download

          • memory/324-135-0x0000000000710000-0x0000000000ADE000-memory.dmp

            Filesize

            3.8MB

            Download

          • memory/324-107-0x0000000000710000-0x0000000000ADE000-memory.dmp

            Filesize

            3.8MB

            Download

          • memory/324-105-0x0000000000710000-0x0000000000ADE000-memory.dmp

            Filesize

            3.8MB

            Download

          • memory/324-166-0x0000000000710000-0x0000000000ADE000-memory.dmp

            Filesize

            3.8MB

            Download

          • memory/324-165-0x0000000000710000-0x0000000000ADE000-memory.dmp

            Filesize

            3.8MB

            Download

          • memory/324-164-0x0000000000710000-0x0000000000ADE000-memory.dmp

            Filesize

            3.8MB

            Download

          • memory/324-163-0x0000000000710000-0x0000000000ADE000-memory.dmp

            Filesize

            3.8MB

            Download

          • memory/324-162-0x0000000000710000-0x0000000000ADE000-memory.dmp

            Filesize

            3.8MB

            Download

          • memory/324-104-0x0000000000710000-0x0000000000ADE000-memory.dmp

            Filesize

            3.8MB

            Download

          • memory/1316-103-0x00000000000C0000-0x0000000000496000-memory.dmp

            Filesize

            3.8MB

            Download

          • memory/1316-106-0x00000000046A0000-0x00000000046E0000-memory.dmp

            Filesize

            256KB

            Download

          • memory/1372-54-0x000000005FFF0000-0x0000000060000000-memory.dmp

            Filesize

            64KB

            Download

          • memory/1472-154-0x0000000000400000-0x00000000007CE000-memory.dmp

            Filesize

            3.8MB

            Download

          • memory/1472-152-0x0000000000400000-0x00000000007CE000-memory.dmp

            Filesize

            3.8MB

            Download

          • memory/1472-151-0x0000000000400000-0x00000000007CE000-memory.dmp

            Filesize

            3.8MB

            Download

          • memory/1472-147-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1820-140-0x0000000004C30000-0x0000000004C70000-memory.dmp

            Filesize

            256KB

            Download

          • memory/1820-138-0x0000000000860000-0x0000000000C36000-memory.dmp

            Filesize

            3.8MB

            Download