Analysis Overview
SHA256
cc7bf8c734a4146942f8f754ab55e257a8be68f5c687c3bcc9fcdb7a5dabf871
Threat Level: Known bad
The file Updaters_JC.exe was found to be: Known bad.
Malicious Activity Summary
BitRAT
Adds Run key to start application
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-09-01 16:21
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-09-01 16:21
Reported
2023-09-01 16:24
Platform
win7-20230831-en
Max time kernel
150s
Max time network
151s
Command Line
Signatures
BitRAT
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Windows\CurrentVersion\Run\updater = "C:\\Users\\Admin\\AppData\\Local\\chrome\\updater" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1964 set thread context of 2464 | N/A | C:\Users\Admin\AppData\Local\Temp\Updaters_JC.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Updaters_JC.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Updaters_JC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Updaters_JC.exe
"C:\Users\Admin\AppData\Local\Temp\Updaters_JC.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | rornfl12.duckdns.org | udp |
| KR | 112.173.56.153:3072 | rornfl12.duckdns.org | tcp |
| US | 8.8.8.8:53 | rornfl12.duckdns.org | udp |
| US | 8.8.8.8:53 | N/A | udp |
Files
memory/1964-1-0x0000000000020000-0x00000000002FC000-memory.dmp
memory/1964-0-0x0000000073FC0000-0x00000000746AE000-memory.dmp
memory/1964-2-0x00000000050D0000-0x0000000005110000-memory.dmp
memory/1964-3-0x0000000005F40000-0x00000000061BC000-memory.dmp
memory/1964-4-0x0000000005F40000-0x00000000061B6000-memory.dmp
memory/1964-5-0x0000000005F40000-0x00000000061B6000-memory.dmp
memory/1964-7-0x0000000005F40000-0x00000000061B6000-memory.dmp
memory/1964-9-0x0000000005F40000-0x00000000061B6000-memory.dmp
memory/1964-11-0x0000000005F40000-0x00000000061B6000-memory.dmp
memory/1964-13-0x0000000005F40000-0x00000000061B6000-memory.dmp
memory/1964-15-0x0000000005F40000-0x00000000061B6000-memory.dmp
memory/1964-17-0x0000000005F40000-0x00000000061B6000-memory.dmp
memory/1964-19-0x0000000005F40000-0x00000000061B6000-memory.dmp
memory/1964-21-0x0000000005F40000-0x00000000061B6000-memory.dmp
memory/1964-23-0x0000000005F40000-0x00000000061B6000-memory.dmp
memory/1964-25-0x0000000005F40000-0x00000000061B6000-memory.dmp
memory/1964-27-0x0000000005F40000-0x00000000061B6000-memory.dmp
memory/1964-29-0x0000000005F40000-0x00000000061B6000-memory.dmp
memory/1964-31-0x0000000005F40000-0x00000000061B6000-memory.dmp
memory/1964-33-0x0000000005F40000-0x00000000061B6000-memory.dmp
memory/1964-35-0x0000000005F40000-0x00000000061B6000-memory.dmp
memory/1964-37-0x0000000005F40000-0x00000000061B6000-memory.dmp
memory/1964-39-0x0000000005F40000-0x00000000061B6000-memory.dmp
memory/1964-41-0x0000000005F40000-0x00000000061B6000-memory.dmp
memory/1964-43-0x0000000005F40000-0x00000000061B6000-memory.dmp
memory/1964-45-0x0000000005F40000-0x00000000061B6000-memory.dmp
memory/1964-47-0x0000000005F40000-0x00000000061B6000-memory.dmp
memory/1964-49-0x0000000005F40000-0x00000000061B6000-memory.dmp
memory/1964-51-0x0000000005F40000-0x00000000061B6000-memory.dmp
memory/1964-53-0x0000000005F40000-0x00000000061B6000-memory.dmp
memory/1964-55-0x0000000005F40000-0x00000000061B6000-memory.dmp
memory/1964-57-0x0000000005F40000-0x00000000061B6000-memory.dmp
memory/1964-59-0x0000000005F40000-0x00000000061B6000-memory.dmp
memory/1964-61-0x0000000005F40000-0x00000000061B6000-memory.dmp
memory/1964-63-0x0000000005F40000-0x00000000061B6000-memory.dmp
memory/1964-65-0x0000000005F40000-0x00000000061B6000-memory.dmp
memory/1964-67-0x0000000005F40000-0x00000000061B6000-memory.dmp
memory/1964-70-0x0000000073FC0000-0x00000000746AE000-memory.dmp
memory/1964-166-0x00000000050D0000-0x0000000005110000-memory.dmp
memory/1964-1082-0x0000000000650000-0x0000000000651000-memory.dmp
memory/1964-1083-0x0000000008380000-0x0000000008576000-memory.dmp
memory/1964-1084-0x0000000004F00000-0x0000000004F4C000-memory.dmp
memory/2464-1099-0x0000000000400000-0x00000000007CE000-memory.dmp
memory/1964-1100-0x0000000073FC0000-0x00000000746AE000-memory.dmp
memory/2464-1111-0x0000000000170000-0x000000000017A000-memory.dmp
memory/2464-1110-0x0000000000170000-0x000000000017A000-memory.dmp
memory/2464-1115-0x0000000000400000-0x00000000007CE000-memory.dmp
memory/2464-1119-0x0000000000170000-0x000000000017A000-memory.dmp
memory/2464-1120-0x0000000000170000-0x000000000017A000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-09-01 16:21
Reported
2023-09-01 16:24
Platform
win10v2004-20230831-en
Max time kernel
150s
Max time network
156s
Command Line
Signatures
BitRAT
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4272677097-406801653-1594978504-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\updater = "C:\\Users\\Admin\\AppData\\Local\\chrome\\updater" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4272677097-406801653-1594978504-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\updater = "C:\\Users\\Admin\\AppData\\Local\\chrome\\updateré´€" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4272677097-406801653-1594978504-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\updater = "C:\\Users\\Admin\\AppData\\Local\\chrome\\updaterÔ€" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2212 set thread context of 4688 | N/A | C:\Users\Admin\AppData\Local\Temp\Updaters_JC.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Updaters_JC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Updaters_JC.exe
"C:\Users\Admin\AppData\Local\Temp\Updaters_JC.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rornfl12.duckdns.org | udp |
| KR | 112.173.56.153:3072 | rornfl12.duckdns.org | tcp |
| US | 8.8.8.8:53 | 153.56.173.112.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 126.21.238.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rornfl12.duckdns.org | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 7.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rornfl12.duckdns.org | udp |
Files
memory/2212-1-0x00000000004D0000-0x00000000007AC000-memory.dmp
memory/2212-0-0x0000000074DA0000-0x0000000075550000-memory.dmp
memory/2212-2-0x0000000005790000-0x0000000005D34000-memory.dmp
memory/2212-3-0x00000000051E0000-0x0000000005272000-memory.dmp
memory/2212-4-0x00000000050F0000-0x0000000005100000-memory.dmp
memory/2212-5-0x0000000005180000-0x000000000518A000-memory.dmp
memory/2212-6-0x0000000007A10000-0x0000000007C86000-memory.dmp
memory/2212-7-0x0000000007A10000-0x0000000007C86000-memory.dmp
memory/2212-9-0x0000000007A10000-0x0000000007C86000-memory.dmp
memory/2212-11-0x0000000007A10000-0x0000000007C86000-memory.dmp
memory/2212-13-0x0000000007A10000-0x0000000007C86000-memory.dmp
memory/2212-15-0x0000000007A10000-0x0000000007C86000-memory.dmp
memory/2212-17-0x0000000007A10000-0x0000000007C86000-memory.dmp
memory/2212-19-0x0000000007A10000-0x0000000007C86000-memory.dmp
memory/2212-21-0x0000000007A10000-0x0000000007C86000-memory.dmp
memory/2212-23-0x0000000007A10000-0x0000000007C86000-memory.dmp
memory/2212-25-0x0000000007A10000-0x0000000007C86000-memory.dmp
memory/2212-27-0x0000000007A10000-0x0000000007C86000-memory.dmp
memory/2212-29-0x0000000007A10000-0x0000000007C86000-memory.dmp
memory/2212-31-0x0000000007A10000-0x0000000007C86000-memory.dmp
memory/2212-33-0x0000000007A10000-0x0000000007C86000-memory.dmp
memory/2212-35-0x0000000007A10000-0x0000000007C86000-memory.dmp
memory/2212-37-0x0000000007A10000-0x0000000007C86000-memory.dmp
memory/2212-39-0x0000000007A10000-0x0000000007C86000-memory.dmp
memory/2212-41-0x0000000007A10000-0x0000000007C86000-memory.dmp
memory/2212-43-0x0000000007A10000-0x0000000007C86000-memory.dmp
memory/2212-45-0x0000000007A10000-0x0000000007C86000-memory.dmp
memory/2212-47-0x0000000007A10000-0x0000000007C86000-memory.dmp
memory/2212-49-0x0000000007A10000-0x0000000007C86000-memory.dmp
memory/2212-51-0x0000000007A10000-0x0000000007C86000-memory.dmp
memory/2212-53-0x0000000007A10000-0x0000000007C86000-memory.dmp
memory/2212-55-0x0000000007A10000-0x0000000007C86000-memory.dmp
memory/2212-57-0x0000000007A10000-0x0000000007C86000-memory.dmp
memory/2212-59-0x0000000007A10000-0x0000000007C86000-memory.dmp
memory/2212-61-0x0000000007A10000-0x0000000007C86000-memory.dmp
memory/2212-63-0x0000000007A10000-0x0000000007C86000-memory.dmp
memory/2212-65-0x0000000007A10000-0x0000000007C86000-memory.dmp
memory/2212-67-0x0000000007A10000-0x0000000007C86000-memory.dmp
memory/2212-69-0x0000000007A10000-0x0000000007C86000-memory.dmp
memory/2212-212-0x0000000074DA0000-0x0000000075550000-memory.dmp
memory/2212-355-0x00000000050F0000-0x0000000005100000-memory.dmp
memory/2212-1084-0x0000000007F30000-0x0000000007F31000-memory.dmp
memory/4688-1089-0x0000000000400000-0x00000000007CE000-memory.dmp
memory/2212-1090-0x0000000074DA0000-0x0000000075550000-memory.dmp
memory/4688-1092-0x0000000074CB0000-0x0000000074CE9000-memory.dmp
memory/4688-1100-0x0000000074970000-0x00000000749A9000-memory.dmp
memory/4688-1106-0x0000000000400000-0x00000000007CE000-memory.dmp
memory/4688-1137-0x0000000074970000-0x00000000749A9000-memory.dmp