Analysis
-
max time kernel
150s -
max time network
149s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
-
submitted
19-03-2023 18:12
General
-
Target
7f55a7b60a243743fe8f8f25220e8aae506d985ff963587200329f229cca2248.rtf
-
Size
3KB
-
MD5
a5a6fbe5e7f86784d14ce1f4d7672f6b
-
SHA1
c8b9fc16cea841705b1b80152cc95f3322799c80
-
SHA256
7f55a7b60a243743fe8f8f25220e8aae506d985ff963587200329f229cca2248
-
SHA512
322944cc12604db232973329f9ad5e49c034d9ca4e55ffba3ddc8b4d2dc815c2afaeddae740436d07c88f46d9017902c88dac0cdc0610dcbd47cb9d0825218b3
Malware Config
Extracted
bitrat
1.38
74.201.28.92:3569
-
communication_password
148b191cf4e80b549e1b1a4444f2bdf6
-
tor_process
tor
Signatures
-
BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Blocklisted process makes network request 5 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 4 IoCs
-
Loads dropped DLL 3 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Windows directory 1 IoCs
-
Office loads VBA resources, possible macro or embedded object present
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
-
Modifies Internet Explorer settings 1 TTPs 31 IoCs
-
Modifies registry class 64 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 41 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of FindShellTrayWindow 53 IoCs
-
Suspicious use of SendNotifyMessage 53 IoCs
-
Suspicious use of SetWindowsHookEx 5 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\7f55a7b60a243743fe8f8f25220e8aae506d985ff963587200329f229cca2248.rtf"1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\taskmgr.exe"C:\Windows\system32\taskmgr.exe"2⤵
- Process spawned unexpected child process
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\fdry.exeC:\Users\Admin\AppData\Roaming\fdry.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\fdry.exe"C:\Users\Admin\AppData\Roaming\fdry.exe"3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\wbnh"3⤵
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exe'" /f3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exe'" /f4⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c copy "C:\Users\Admin\AppData\Roaming\fdry.exe" "C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exe"3⤵
-
C:\Windows\system32\taskeng.exetaskeng.exe {EC2475C2-5E93-4F9D-A842-675D53248D64} S-1-5-21-3499517378-2376672570-1134980332-1000:MLXLFKOI\Admin:Interactive:[1]1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exeC:\Users\Admin\AppData\Roaming\wbnh\wbnh.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exe"C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exe"3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\wbnh"3⤵
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exe'" /f3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exe'" /f4⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c copy "C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exe" "C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exe"3⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015Filesize
61KB
MD5e71c8443ae0bc2e282c73faead0a6dd3
SHA10c110c1b01e68edfacaeae64781a37b1995fa94b
SHA25695b0a5acc5bf70d3abdfd091d0c9f9063aa4fde65bd34dbf16786082e1992e72
SHA512b38458c7fa2825afb72794f374827403d5946b1132e136a0ce075dfd351277cf7d957c88dc8a1e4adc3bcae1fa8010dae3831e268e910d517691de24326391a6
-
C:\Users\Admin\AppData\Roaming\fdry.exeFilesize
3.8MB
MD586000b0a976dc4a377b2e5192fe30445
SHA1ad29b138883d7906f8d6e75f2e5f60e5285d4a56
SHA25611fa27c4961acea6b79c28ccdc896bb94276ba6e3edf2e1d33539952abb1c25e
SHA5124d0be7661db756cee78c7fbbb91705574b5bb82552230277d59b14a2225f84209597473c165243594ef7d335b3f48475d92b48af21092d04320e91ac452e9c19
-
C:\Users\Admin\AppData\Roaming\fdry.exeFilesize
3.8MB
MD586000b0a976dc4a377b2e5192fe30445
SHA1ad29b138883d7906f8d6e75f2e5f60e5285d4a56
SHA25611fa27c4961acea6b79c28ccdc896bb94276ba6e3edf2e1d33539952abb1c25e
SHA5124d0be7661db756cee78c7fbbb91705574b5bb82552230277d59b14a2225f84209597473c165243594ef7d335b3f48475d92b48af21092d04320e91ac452e9c19
-
C:\Users\Admin\AppData\Roaming\fdry.exeFilesize
3.8MB
MD586000b0a976dc4a377b2e5192fe30445
SHA1ad29b138883d7906f8d6e75f2e5f60e5285d4a56
SHA25611fa27c4961acea6b79c28ccdc896bb94276ba6e3edf2e1d33539952abb1c25e
SHA5124d0be7661db756cee78c7fbbb91705574b5bb82552230277d59b14a2225f84209597473c165243594ef7d335b3f48475d92b48af21092d04320e91ac452e9c19
-
C:\Users\Admin\AppData\Roaming\fdry.exeFilesize
3.8MB
MD586000b0a976dc4a377b2e5192fe30445
SHA1ad29b138883d7906f8d6e75f2e5f60e5285d4a56
SHA25611fa27c4961acea6b79c28ccdc896bb94276ba6e3edf2e1d33539952abb1c25e
SHA5124d0be7661db756cee78c7fbbb91705574b5bb82552230277d59b14a2225f84209597473c165243594ef7d335b3f48475d92b48af21092d04320e91ac452e9c19
-
C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exeFilesize
3.8MB
MD586000b0a976dc4a377b2e5192fe30445
SHA1ad29b138883d7906f8d6e75f2e5f60e5285d4a56
SHA25611fa27c4961acea6b79c28ccdc896bb94276ba6e3edf2e1d33539952abb1c25e
SHA5124d0be7661db756cee78c7fbbb91705574b5bb82552230277d59b14a2225f84209597473c165243594ef7d335b3f48475d92b48af21092d04320e91ac452e9c19
-
C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exeFilesize
3.8MB
MD586000b0a976dc4a377b2e5192fe30445
SHA1ad29b138883d7906f8d6e75f2e5f60e5285d4a56
SHA25611fa27c4961acea6b79c28ccdc896bb94276ba6e3edf2e1d33539952abb1c25e
SHA5124d0be7661db756cee78c7fbbb91705574b5bb82552230277d59b14a2225f84209597473c165243594ef7d335b3f48475d92b48af21092d04320e91ac452e9c19
-
C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exeFilesize
3.8MB
MD586000b0a976dc4a377b2e5192fe30445
SHA1ad29b138883d7906f8d6e75f2e5f60e5285d4a56
SHA25611fa27c4961acea6b79c28ccdc896bb94276ba6e3edf2e1d33539952abb1c25e
SHA5124d0be7661db756cee78c7fbbb91705574b5bb82552230277d59b14a2225f84209597473c165243594ef7d335b3f48475d92b48af21092d04320e91ac452e9c19
-
\Users\Admin\AppData\Roaming\fdry.exeFilesize
3.8MB
MD586000b0a976dc4a377b2e5192fe30445
SHA1ad29b138883d7906f8d6e75f2e5f60e5285d4a56
SHA25611fa27c4961acea6b79c28ccdc896bb94276ba6e3edf2e1d33539952abb1c25e
SHA5124d0be7661db756cee78c7fbbb91705574b5bb82552230277d59b14a2225f84209597473c165243594ef7d335b3f48475d92b48af21092d04320e91ac452e9c19
-
\Users\Admin\AppData\Roaming\fdry.exeFilesize
3.8MB
MD586000b0a976dc4a377b2e5192fe30445
SHA1ad29b138883d7906f8d6e75f2e5f60e5285d4a56
SHA25611fa27c4961acea6b79c28ccdc896bb94276ba6e3edf2e1d33539952abb1c25e
SHA5124d0be7661db756cee78c7fbbb91705574b5bb82552230277d59b14a2225f84209597473c165243594ef7d335b3f48475d92b48af21092d04320e91ac452e9c19
-
\Users\Admin\AppData\Roaming\fdry.exeFilesize
3.8MB
MD586000b0a976dc4a377b2e5192fe30445
SHA1ad29b138883d7906f8d6e75f2e5f60e5285d4a56
SHA25611fa27c4961acea6b79c28ccdc896bb94276ba6e3edf2e1d33539952abb1c25e
SHA5124d0be7661db756cee78c7fbbb91705574b5bb82552230277d59b14a2225f84209597473c165243594ef7d335b3f48475d92b48af21092d04320e91ac452e9c19
-
memory/324-128-0x0000000000710000-0x0000000000ADE000-memory.dmpFilesize
3.8MB
-
memory/324-134-0x0000000000710000-0x0000000000ADE000-memory.dmpFilesize
3.8MB
-
memory/324-110-0x0000000000710000-0x0000000000ADE000-memory.dmpFilesize
3.8MB
-
memory/324-112-0x000000007EFDE000-0x000000007EFDF000-memory.dmpFilesize
4KB
-
memory/324-115-0x0000000000710000-0x0000000000ADE000-memory.dmpFilesize
3.8MB
-
memory/324-108-0x0000000000710000-0x0000000000ADE000-memory.dmpFilesize
3.8MB
-
memory/324-111-0x0000000000710000-0x0000000000ADE000-memory.dmpFilesize
3.8MB
-
memory/324-119-0x0000000000710000-0x0000000000ADE000-memory.dmpFilesize
3.8MB
-
memory/324-123-0x0000000000710000-0x0000000000ADE000-memory.dmpFilesize
3.8MB
-
memory/324-126-0x0000000000710000-0x0000000000ADE000-memory.dmpFilesize
3.8MB
-
memory/324-127-0x0000000000710000-0x0000000000ADE000-memory.dmpFilesize
3.8MB
-
memory/324-167-0x0000000000710000-0x0000000000ADE000-memory.dmpFilesize
3.8MB
-
memory/324-129-0x0000000000710000-0x0000000000ADE000-memory.dmpFilesize
3.8MB
-
memory/324-130-0x0000000000710000-0x0000000000ADE000-memory.dmpFilesize
3.8MB
-
memory/324-131-0x0000000000710000-0x0000000000ADE000-memory.dmpFilesize
3.8MB
-
memory/324-132-0x0000000000710000-0x0000000000ADE000-memory.dmpFilesize
3.8MB
-
memory/324-133-0x0000000000710000-0x0000000000ADE000-memory.dmpFilesize
3.8MB
-
memory/324-109-0x0000000000710000-0x0000000000ADE000-memory.dmpFilesize
3.8MB
-
memory/324-135-0x0000000000710000-0x0000000000ADE000-memory.dmpFilesize
3.8MB
-
memory/324-107-0x0000000000710000-0x0000000000ADE000-memory.dmpFilesize
3.8MB
-
memory/324-105-0x0000000000710000-0x0000000000ADE000-memory.dmpFilesize
3.8MB
-
memory/324-166-0x0000000000710000-0x0000000000ADE000-memory.dmpFilesize
3.8MB
-
memory/324-165-0x0000000000710000-0x0000000000ADE000-memory.dmpFilesize
3.8MB
-
memory/324-164-0x0000000000710000-0x0000000000ADE000-memory.dmpFilesize
3.8MB
-
memory/324-163-0x0000000000710000-0x0000000000ADE000-memory.dmpFilesize
3.8MB
-
memory/324-162-0x0000000000710000-0x0000000000ADE000-memory.dmpFilesize
3.8MB
-
memory/324-104-0x0000000000710000-0x0000000000ADE000-memory.dmpFilesize
3.8MB
-
memory/1316-103-0x00000000000C0000-0x0000000000496000-memory.dmpFilesize
3.8MB
-
memory/1316-106-0x00000000046A0000-0x00000000046E0000-memory.dmpFilesize
256KB
-
memory/1372-54-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/1472-154-0x0000000000400000-0x00000000007CE000-memory.dmpFilesize
3.8MB
-
memory/1472-152-0x0000000000400000-0x00000000007CE000-memory.dmpFilesize
3.8MB
-
memory/1472-151-0x0000000000400000-0x00000000007CE000-memory.dmpFilesize
3.8MB
-
memory/1472-147-0x000000007EFDE000-0x000000007EFDF000-memory.dmpFilesize
4KB
-
memory/1820-140-0x0000000004C30000-0x0000000004C70000-memory.dmpFilesize
256KB
-
memory/1820-138-0x0000000000860000-0x0000000000C36000-memory.dmpFilesize
3.8MB