Malware Analysis Report

2025-01-03 05:10

Sample ID 230822-cbazbahd77
Target bdd1438c98225e3ea172ec284a6708f9.bin
SHA256 6920c222d9646d2f191e93a2a0f5ea080615ddc88f0b65d18342eb335dfa480c
Tags
bitrat trojan upx
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

6920c222d9646d2f191e93a2a0f5ea080615ddc88f0b65d18342eb335dfa480c

Threat Level: Known bad

The file bdd1438c98225e3ea172ec284a6708f9.bin was found to be: Known bad.

Malicious Activity Summary

bitrat trojan upx

BitRAT

Executes dropped EXE

UPX packed file

Uses the VBS compiler for execution

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Program crash

Unsigned PE

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-08-22 01:53

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-08-22 01:53

Reported

2023-08-22 01:56

Platform

win7-20230712-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bdd1438c98225e3ea172ec284a6708f9.exe"

Signatures

BitRAT

trojan bitrat

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\rttre\rttre.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rttre\rttre.exe N/A

UPX packed file

upx
Description Indicator Process Target Count
N/A N/A N/A N/A 33

Uses the VBS compiler for execution

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 1780 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\bdd1438c98225e3ea172ec284a6708f9.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe 8
PID 1780 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\bdd1438c98225e3ea172ec284a6708f9.exe C:\Windows\SysWOW64\cmd.exe 4
PID 1780 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\bdd1438c98225e3ea172ec284a6708f9.exe C:\Windows\SysWOW64\cmd.exe 4
PID 2664 wrote to memory of 2780 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe 4
PID 1780 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\bdd1438c98225e3ea172ec284a6708f9.exe C:\Windows\SysWOW64\cmd.exe 4
PID 2972 wrote to memory of 268 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\Temp\rttre\rttre.exe 4
PID 268 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\rttre\rttre.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe 8
PID 268 wrote to memory of 1504 N/A C:\Users\Admin\AppData\Local\Temp\rttre\rttre.exe C:\Windows\SysWOW64\cmd.exe 4
PID 268 wrote to memory of 1836 N/A C:\Users\Admin\AppData\Local\Temp\rttre\rttre.exe C:\Windows\SysWOW64\cmd.exe 4
PID 1836 wrote to memory of 2424 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe 4
PID 268 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\rttre\rttre.exe C:\Windows\SysWOW64\cmd.exe 4
PID 2972 wrote to memory of 812 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\Temp\rttre\rttre.exe 4

Processes

C:\Users\Admin\AppData\Local\Temp\bdd1438c98225e3ea172ec284a6708f9.exe

"C:\Users\Admin\AppData\Local\Temp\bdd1438c98225e3ea172ec284a6708f9.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Local\Temp\rttre"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Local\Temp\rttre\rttre.exe'" /f

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Local\Temp\rttre\rttre.exe'" /f

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\bdd1438c98225e3ea172ec284a6708f9.exe" "C:\Users\Admin\AppData\Local\Temp\rttre\rttre.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {3A708C52-DC18-488D-B626-C426FF838D44} S-1-5-21-1014134971-2480516131-292343513-1000:NYBYVYTJ\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\Temp\rttre\rttre.exe

C:\Users\Admin\AppData\Local\Temp\rttre\rttre.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Local\Temp\rttre"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Local\Temp\rttre\rttre.exe'" /f

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\rttre\rttre.exe" "C:\Users\Admin\AppData\Local\Temp\rttre\rttre.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Local\Temp\rttre\rttre.exe'" /f

C:\Users\Admin\AppData\Local\Temp\rttre\rttre.exe

C:\Users\Admin\AppData\Local\Temp\rttre\rttre.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 bitrat9300.duckdns.org udp
RU 194.147.140.172:9300 bitrat9300.duckdns.org tcp
US 8.8.8.8:53 bitrat9300.duckdns.org udp

Files

memory/1780-54-0x0000000074620000-0x0000000074D0E000-memory.dmp

memory/1780-55-0x0000000000CA0000-0x0000000000E2A000-memory.dmp

memory/1780-56-0x0000000004EA0000-0x0000000004EE0000-memory.dmp

memory/1780-57-0x0000000074620000-0x0000000074D0E000-memory.dmp

memory/2088-58-0x00000000005A0000-0x0000000000984000-memory.dmp

memory/2088-59-0x00000000005A0000-0x0000000000984000-memory.dmp

memory/2088-60-0x00000000005A0000-0x0000000000984000-memory.dmp

memory/2088-61-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/2088-62-0x00000000005A0000-0x0000000000984000-memory.dmp

memory/2088-64-0x00000000005A0000-0x0000000000984000-memory.dmp

memory/2088-66-0x00000000005A0000-0x0000000000984000-memory.dmp

memory/2088-65-0x00000000005A0000-0x0000000000984000-memory.dmp

memory/2088-63-0x00000000005A0000-0x0000000000984000-memory.dmp

memory/1780-69-0x0000000074620000-0x0000000074D0E000-memory.dmp

memory/2088-70-0x00000000005A0000-0x0000000000984000-memory.dmp

memory/2088-72-0x00000000005A0000-0x0000000000984000-memory.dmp

memory/2088-73-0x00000000005A0000-0x0000000000984000-memory.dmp

memory/2088-71-0x00000000005A0000-0x0000000000984000-memory.dmp

memory/2088-75-0x00000000005A0000-0x0000000000984000-memory.dmp

memory/2088-76-0x00000000005A0000-0x0000000000984000-memory.dmp

memory/2088-74-0x00000000005A0000-0x0000000000984000-memory.dmp

memory/2088-77-0x00000000005A0000-0x0000000000984000-memory.dmp

memory/2088-78-0x00000000005A0000-0x0000000000984000-memory.dmp

memory/2088-80-0x0000000000090000-0x000000000009A000-memory.dmp

memory/2088-79-0x0000000000090000-0x000000000009A000-memory.dmp

memory/2088-81-0x00000000005A0000-0x0000000000984000-memory.dmp

memory/2088-82-0x00000000005A0000-0x0000000000984000-memory.dmp

memory/2088-83-0x00000000005A0000-0x0000000000984000-memory.dmp

memory/2088-84-0x00000000005A0000-0x0000000000984000-memory.dmp

memory/2088-85-0x00000000005A0000-0x0000000000984000-memory.dmp

memory/2088-87-0x0000000000090000-0x000000000009A000-memory.dmp

memory/2088-88-0x0000000000090000-0x000000000009A000-memory.dmp

memory/2088-91-0x00000000005A0000-0x0000000000984000-memory.dmp

memory/2088-95-0x00000000005A0000-0x0000000000984000-memory.dmp

memory/2088-99-0x00000000005A0000-0x0000000000984000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\rttre\rttre.exe

MD5 bdd1438c98225e3ea172ec284a6708f9
SHA1 0d1e23278ef4346d2a051f35d4cecf30199e6eae
SHA256 6920c222d9646d2f191e93a2a0f5ea080615ddc88f0b65d18342eb335dfa480c
SHA512 7847f435bf73205fc0f2354c4d80c16d414f2f9076a5a725cbac2bd53d72b7b0f52c5e321d03915a1e9209e99006398d6208ef66c5e77190a256b9067ad2f3a4

memory/268-103-0x00000000008C0000-0x0000000000A4A000-memory.dmp

memory/268-105-0x0000000004C40000-0x0000000004C80000-memory.dmp

memory/268-104-0x0000000074450000-0x0000000074B3E000-memory.dmp

memory/2088-108-0x00000000005A0000-0x0000000000984000-memory.dmp

memory/268-110-0x0000000074450000-0x0000000074B3E000-memory.dmp

memory/268-111-0x0000000004C40000-0x0000000004C80000-memory.dmp

memory/2088-114-0x00000000005A0000-0x0000000000984000-memory.dmp

memory/2088-118-0x00000000005A0000-0x0000000000984000-memory.dmp

memory/2032-128-0x0000000000720000-0x0000000000B04000-memory.dmp

memory/2032-127-0x0000000000720000-0x0000000000B04000-memory.dmp

memory/2032-129-0x0000000000720000-0x0000000000B04000-memory.dmp

memory/268-130-0x0000000074450000-0x0000000074B3E000-memory.dmp

memory/2032-133-0x0000000000720000-0x0000000000B04000-memory.dmp

memory/2032-134-0x0000000000720000-0x0000000000B04000-memory.dmp

memory/2088-135-0x00000000005A0000-0x0000000000984000-memory.dmp

memory/812-146-0x00000000743D0000-0x0000000074ABE000-memory.dmp

memory/812-147-0x0000000001080000-0x000000000120A000-memory.dmp

memory/812-148-0x0000000000DF0000-0x0000000000E30000-memory.dmp

memory/812-153-0x00000000743D0000-0x0000000074ABE000-memory.dmp

memory/812-154-0x0000000000DF0000-0x0000000000E30000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-08-22 01:53

Reported

2023-08-22 01:56

Platform

win10v2004-20230703-en

Max time kernel

78s

Max time network

68s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bdd1438c98225e3ea172ec284a6708f9.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\rttre\rttre.exe N/A

UPX packed file

upx
Description Indicator Process Target Count
N/A N/A N/A N/A 4

Uses the VBS compiler for execution

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2388 set thread context of 4120 N/A C:\Users\Admin\AppData\Local\Temp\bdd1438c98225e3ea172ec284a6708f9.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 2388 wrote to memory of 4120 N/A C:\Users\Admin\AppData\Local\Temp\bdd1438c98225e3ea172ec284a6708f9.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe 7
PID 2388 wrote to memory of 3148 N/A C:\Users\Admin\AppData\Local\Temp\bdd1438c98225e3ea172ec284a6708f9.exe C:\Windows\SysWOW64\cmd.exe 3
PID 2388 wrote to memory of 4208 N/A C:\Users\Admin\AppData\Local\Temp\bdd1438c98225e3ea172ec284a6708f9.exe C:\Windows\SysWOW64\cmd.exe 3
PID 4208 wrote to memory of 2636 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe 3
PID 2388 wrote to memory of 3488 N/A C:\Users\Admin\AppData\Local\Temp\bdd1438c98225e3ea172ec284a6708f9.exe C:\Windows\SysWOW64\cmd.exe 3

Processes

C:\Users\Admin\AppData\Local\Temp\bdd1438c98225e3ea172ec284a6708f9.exe

"C:\Users\Admin\AppData\Local\Temp\bdd1438c98225e3ea172ec284a6708f9.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Local\Temp\rttre"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Local\Temp\rttre\rttre.exe'" /f

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4120 -ip 4120

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Local\Temp\rttre\rttre.exe'" /f

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\bdd1438c98225e3ea172ec284a6708f9.exe" "C:\Users\Admin\AppData\Local\Temp\rttre\rttre.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4120 -s 188

C:\Users\Admin\AppData\Local\Temp\rttre\rttre.exe

C:\Users\Admin\AppData\Local\Temp\rttre\rttre.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp

Files

memory/2388-133-0x0000000074890000-0x0000000075040000-memory.dmp

memory/2388-134-0x00000000007F0000-0x000000000097A000-memory.dmp

memory/2388-135-0x00000000052E0000-0x00000000052F0000-memory.dmp

memory/2388-136-0x0000000074890000-0x0000000075040000-memory.dmp

memory/2388-137-0x00000000052E0000-0x00000000052F0000-memory.dmp

memory/4120-138-0x0000000000500000-0x00000000008E4000-memory.dmp

memory/4120-139-0x0000000000500000-0x00000000008E4000-memory.dmp

memory/4120-140-0x0000000000500000-0x00000000008E4000-memory.dmp

memory/4120-141-0x0000000000500000-0x00000000008E4000-memory.dmp

memory/2388-145-0x0000000074890000-0x0000000075040000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\rttre\rttre.exe

MD5 bdd1438c98225e3ea172ec284a6708f9
SHA1 0d1e23278ef4346d2a051f35d4cecf30199e6eae
SHA256 6920c222d9646d2f191e93a2a0f5ea080615ddc88f0b65d18342eb335dfa480c
SHA512 7847f435bf73205fc0f2354c4d80c16d414f2f9076a5a725cbac2bd53d72b7b0f52c5e321d03915a1e9209e99006398d6208ef66c5e77190a256b9067ad2f3a4

memory/1188-148-0x0000000074890000-0x0000000075040000-memory.dmp