Analysis
max time kernel: 149s
max time network: 144s
platform: windows7_x64
resource: win7-20230831-en
resource tags: arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
submitted: 12-09-2023 01:41
Behavioral task: behavioral1
Sample: Bitwithstart.exe
Resource: win7-20230831-en (windows7-x64)
7 signatures, 150 seconds

Behavioral task: behavioral2
Sample: Bitwithstart.exe
Resource: win10v2004-20230831-en (windows10-2004-x64)
7 signatures, 150 seconds
General
Target: Bitwithstart.exe
Size: 1.4MB
MD5: 86d3ac33ff8836d4f349bdfcf8d7eb05
SHA1: a46ca414a72a32d33a6ac88579a1d3cb084f5f63
SHA256: 692933bda23e175d356d9dedffd90865a650a23cf86bf119a1276c16fc63ae8f
SHA512: 13f5dc1d4913f96d83981235d2365f1f951b41fb8db6914e605f48fd12de702ab2d61336d882e9b8763c6cd638d313e39350a7e3d51acf6dbf8ed709ec2ba30e
SSDEEP: 24576:ondRKZCy2BrhCeU2i2cJijFbCBTPmiY05tJMSQp5ysA7Yg1nLkzEYYltVsiw:6XDFBU2iIBb0xY/6sUYYqYy
Score: 10/10
Malware Config
Extracted
Family: bitrat
Version: 1.38
C2: backu4734.duckdns.org:7904
Attributes
communication_password: 202cb962ac59075b964b07152d234b70
install_dir: ndjej
install_file: jdfh.exe
tor_process: tor
Signatures

yara_rule "upx" matched in process memory dumps (resource, yara_rule):
  behavioral1/memory/1292-0-0x0000000000400000-0x00000000007E4000-memory.dmp    upx
  behavioral1/memory/1292-1-0x0000000000400000-0x00000000007E4000-memory.dmp    upx

Adds Run key to start application (2 TTPs, 1 IoC)
Processes (description, ioc, process):
  Set value (str)    \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Windows\CurrentVersion\Run\jdfh = "C:\\Users\\Admin\\AppData\\Local\\ndjej\\jdfh.exe"    Bitwithstart.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (4 IoCs)
Processes (pid, process):
  1292    Bitwithstart.exe    (reported 4 times)

Suspicious behavior: RenamesItself (30 IoCs)
Processes (pid, process):
  1292    Bitwithstart.exe    (reported 30 times)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes (description, pid, process):
  Token: SeDebugPrivilege       1292    Bitwithstart.exe
  Token: SeShutdownPrivilege    1292    Bitwithstart.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
Processes (pid, process):
  1292    Bitwithstart.exe    (reported 2 times)
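The static config and the dynamic Run-key IoC above describe the same persistence mechanism from two sides, and an analyst normally wants to confirm they agree before trusting either. The following Python is an added example, not part of the sandbox report or of any tooling the report was produced with. It parses the "Set value" row exactly as the report prints it (including the JSON-style doubled backslashes inside the quoted data), rebuilds the install path from install_dir and install_file, checks that the Run-key data points at that path, splits the C2 into host and port, flags the dynamic-DNS host, and tests the communication_password (an MD5 hex digest in BitRAT configs) against a plaintext guess. Assumptions: the sandbox user's %LOCALAPPDATA% is C:\Users\Admin\AppData\Local, the regex grammar is derived from the single row on this page, and RunOnce is accepted alongside Run as an autostart key.

```python
"""Added example: cross-check an extracted BitRAT config against the
sandbox's Run-key IoC and derive actionable indicators. Not part of the
report itself; the config values and IoC row are copied from it."""
import hashlib
import re

# Values copied from the "Malware Config" section of the report.
CONFIG = {
    "family": "bitrat",
    "version": "1.38",
    "c2": "backu4734.duckdns.org:7904",
    "communication_password": "202cb962ac59075b964b07152d234b70",
    "install_dir": "ndjej",
    "install_file": "jdfh.exe",
}

# The registry IoC row from "Adds Run key to start application", as printed.
RUN_KEY_IOC = (
    r'Set value (str) \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000'
    r'\Software\Microsoft\Windows\CurrentVersion\Run\jdfh = '
    r'"C:\\Users\\Admin\\AppData\\Local\\ndjej\\jdfh.exe" Bitwithstart.exe'
)

# Grammar of that row (assumption, derived from the page): description,
# (type), key\name = "data" process.  The greedy key group backtracks to the
# last backslash so the value name is split off cleanly.
IOC_RE = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<key>\\REGISTRY\\\S+)\\(?P<name>[^\\\s]+)'
    r' = "(?P<data>[^"]*)" (?P<process>\S+)$'
)

# Autostart key suffixes this check recognises (assumption: Run and RunOnce).
RUN_KEYS = ("\\currentversion\\run", "\\currentversion\\runonce")


def parse_set_value(line: str) -> dict:
    """Parse one 'Set value' IoC row into fields; un-escape the quoted data."""
    m = IOC_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a Set value row: {line!r}")
    row = m.groupdict()
    row["data"] = row["data"].replace("\\\\", "\\")
    return row


def c2_endpoint(cfg: dict) -> tuple:
    """Split 'host:port' into (host, int port)."""
    host, _, port = cfg["c2"].rpartition(":")
    return host, int(port)


def expected_install_path(cfg: dict, local_appdata: str = r"C:\Users\Admin\AppData\Local") -> str:
    """Where the config says the RAT copies itself (sandbox user is 'Admin')."""
    return "\\".join((local_appdata, cfg["install_dir"], cfg["install_file"]))


def password_is_md5_of(cfg: dict, candidate: bytes) -> bool:
    """The C2 password is stored as an MD5 hex digest; test a plaintext guess."""
    return hashlib.md5(candidate).hexdigest() == cfg["communication_password"].lower()


def persistence_matches_config(cfg: dict, row: dict) -> bool:
    """True when the Run-key data is exactly the configured install path."""
    in_run_key = row["key"].lower().endswith(RUN_KEYS)
    return in_run_key and row["data"].lower() == expected_install_path(cfg).lower()


def indicators(cfg: dict, ioc_line: str) -> dict:
    """Combine static config and dynamic IoC into one indicator set."""
    host, port = c2_endpoint(cfg)
    row = parse_set_value(ioc_line)
    return {
        "c2_host": host,
        "c2_port": port,
        "c2_dynamic_dns": host.endswith(".duckdns.org"),
        "install_path": expected_install_path(cfg),
        "run_value": f'{row["key"]}\\{row["name"]}',
        "persistence_consistent": persistence_matches_config(cfg, row),
        "password_is_md5_123": password_is_md5_of(cfg, b"123"),
    }


if __name__ == "__main__":
    for key, value in indicators(CONFIG, RUN_KEY_IOC).items():
        print(f"{key}: {value}")
```

A `persistence_consistent` of False would mean the observed autostart entry does not come from this config (a second payload, or a config extractor that mis-parsed the install fields), which is worth chasing before the install path is pushed out as an indicator. The password check is only a guess at the operator's plaintext; the digest itself is what the C2 handshake uses, so block on the host and port, not the password.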
Processes

C:\Users\Admin\AppData\Local\Temp\Bitwithstart.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\Bitwithstart.exe"
PID: 1292
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx