bitrat | d54df888565db74fd2065bfa327e5b5d2476df10564a25f2b99f3bf7f9504ab0

Analysis

max time kernel
98s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20230831-en
resource tags

arch:x64arch:x86image:win10v2004-20230831-enlocale:en-usos:windows10-2004-x64system
submitted
14/09/2023, 19:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

docbit20230908.exe
Size

400.0MB
MD5

81e0872e2be9487534ddd879b05e6f62
SHA1

f97c783cb79036a9f2ff27e70a182f1b6919da18
SHA256

d54df888565db74fd2065bfa327e5b5d2476df10564a25f2b99f3bf7f9504ab0
SHA512

40bfff8cb99869510332a8f2c4f62a354de1ed0aa02fcef522c38deecac90c5429a19ee31c1d3eac6bf10f3e7e9cd3439891c949f5d2763bf2463d7bcdab6f90
SSDEEP

98304:XZ7MAV7nUqgfiWsNkFi589X/JiQGTfZ5MULBhT8i4wv7:XZ7tVDUq6iPkFiedRiQePLBpUw

Score

10^/10

bitrat trojan upx

Malware Config

Extracted

Family

bitrat

Version

1.38

homesafe1000.duckdns.org:1234

Attributes

communication_password
81dc9bdb52d04dc20036dbd8313ed055
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat

Executes dropped EXE 1 IoCs

pid	Process
896	svchost.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2344-76-0x0000000000400000-0x00000000008DC000-memory.dmp	upx
behavioral2/memory/2344-78-0x0000000000400000-0x00000000008DC000-memory.dmp	upx
behavioral2/memory/2344-79-0x0000000000400000-0x00000000008DC000-memory.dmp	upx
behavioral2/memory/2344-83-0x0000000000400000-0x00000000008DC000-memory.dmp	upx
behavioral2/memory/2344-129-0x0000000000400000-0x00000000008DC000-memory.dmp	upx

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

pid	Process
1668	RegAsm.exe
1668	RegAsm.exe
1668	RegAsm.exe
1668	RegAsm.exe
1668	RegAsm.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4704 set thread context of 1668	4704	docbit20230908.exe	99
PID 1668 set thread context of 2344	1668	RegAsm.exe	107

Drops file in Windows directory 25 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\External\ComponentsExt\softokn3.dll	RegAsm.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\Unknown.dll	RegAsm.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\License.XenArmor	RegAsm.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\External\ComponentsExt\api-ms-win-crt-math-l1-1-0.dll	RegAsm.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\External\ComponentsExt\api-ms-win-crt-utility-l1-1-0.dll	RegAsm.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\External\ComponentsExt\msvcp140.dll	RegAsm.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\External\ComponentsExt\api-ms-win-crt-string-l1-1-0.dll	RegAsm.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\External\ComponentsExt\api-ms-win-crt-conio-l1-1-0_not.dll	RegAsm.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\External\ComponentsExt\api-ms-win-crt-environment-l1-1-0.dll	RegAsm.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\External\ComponentsExt\api-ms-win-crt-filesystem-l1-1-0.dll	RegAsm.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\External\ComponentsExt\api-ms-win-crt-runtime-l1-1-0.dll	RegAsm.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\External\ComponentsExt	RegAsm.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\External\ComponentsExt\api-ms-win-crt-convert-l1-1-0.dll	RegAsm.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\External\ComponentsExt\api-ms-win-crt-stdio-l1-1-0.dll	RegAsm.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\External\ComponentsExt\nss3.dll	RegAsm.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\External\ComponentsExt\api-ms-win-crt-multibyte-l1-1-0.dll	RegAsm.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\External\ComponentsExt\api-ms-win-crt-time-l1-1-0.dll	RegAsm.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\External\ComponentsExt\freebl3.dll	RegAsm.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\External\ComponentsExt\mozglue.dll	RegAsm.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\External	RegAsm.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\License.XenArmor	RegAsm.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\External\ComponentsExt\api-ms-win-crt-heap-l1-1-0.dll	RegAsm.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\External\ComponentsExt\api-ms-win-crt-locale-l1-1-0.dll	RegAsm.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\External\ComponentsExt\vcruntime140.dll	RegAsm.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\Unknown.dll	RegAsm.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2656	schtasks.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	RegAsm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d090000000100000042000000304006082b06010505070302060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000000687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd67707390b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b660537f000000010000000e000000300c060a2b0601040182370a03047e000000010000000800000000c001b39667d60168000000010000000800000000409120d035d901030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	RegAsm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1368000000010000000800000000409120d035d9017e000000010000000800000000c001b39667d6017f000000010000000e000000300c060a2b0601040182370a03041d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589100b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000006200000001000000200000000687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd6770739090000000100000042000000304006082b06010505070302060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030106082b060105050703080f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	RegAsm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d090000000100000042000000304006082b06010505070302060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000000687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd67707390b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b660537f000000010000000e000000300c060a2b0601040182370a03047e000000010000000800000000c001b39667d60168000000010000000800000000409120d035d901030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	RegAsm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 5c0000000100000004000000000800001900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1368000000010000000800000000409120d035d9017e000000010000000800000000c001b39667d6017f000000010000000e000000300c060a2b0601040182370a03041d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589100b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000006200000001000000200000000687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd6770739090000000100000042000000304006082b06010505070302060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030106082b060105050703080f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d040000000100000010000000410352dc0ff7501b16f0028eba6f45c520000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1668	RegAsm.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1668	RegAsm.exe
1668	RegAsm.exe

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 4704 wrote to memory of 1668	4704	docbit20230908.exe	99
PID 4704 wrote to memory of 1668	4704	docbit20230908.exe	99
PID 4704 wrote to memory of 1668	4704	docbit20230908.exe	99
PID 4704 wrote to memory of 1668	4704	docbit20230908.exe	99
PID 4704 wrote to memory of 1668	4704	docbit20230908.exe	99
PID 4704 wrote to memory of 1668	4704	docbit20230908.exe	99
PID 4704 wrote to memory of 1668	4704	docbit20230908.exe	99
PID 4704 wrote to memory of 1668	4704	docbit20230908.exe	99
PID 4704 wrote to memory of 1668	4704	docbit20230908.exe	99
PID 4704 wrote to memory of 1668	4704	docbit20230908.exe	99
PID 4704 wrote to memory of 1668	4704	docbit20230908.exe	99
PID 4704 wrote to memory of 1764	4704	docbit20230908.exe	100
PID 4704 wrote to memory of 1764	4704	docbit20230908.exe	100
PID 4704 wrote to memory of 1764	4704	docbit20230908.exe	100
PID 4704 wrote to memory of 1072	4704	docbit20230908.exe	105
PID 4704 wrote to memory of 1072	4704	docbit20230908.exe	105
PID 4704 wrote to memory of 1072	4704	docbit20230908.exe	105
PID 4704 wrote to memory of 2092	4704	docbit20230908.exe	101
PID 4704 wrote to memory of 2092	4704	docbit20230908.exe	101
PID 4704 wrote to memory of 2092	4704	docbit20230908.exe	101
PID 1072 wrote to memory of 2656	1072	cmd.exe	106
PID 1072 wrote to memory of 2656	1072	cmd.exe	106
PID 1072 wrote to memory of 2656	1072	cmd.exe	106
PID 1668 wrote to memory of 2344	1668	RegAsm.exe	107
PID 1668 wrote to memory of 2344	1668	RegAsm.exe	107
PID 1668 wrote to memory of 2344	1668	RegAsm.exe	107
PID 1668 wrote to memory of 2344	1668	RegAsm.exe	107
PID 1668 wrote to memory of 2344	1668	RegAsm.exe	107
PID 1668 wrote to memory of 2344	1668	RegAsm.exe	107
PID 1668 wrote to memory of 2344	1668	RegAsm.exe	107
PID 1668 wrote to memory of 2344	1668	RegAsm.exe	107
PID 2344 wrote to memory of 4504	2344	RegAsm.exe	108
PID 2344 wrote to memory of 4504	2344	RegAsm.exe	108
PID 2344 wrote to memory of 4504	2344	RegAsm.exe	108

C:\Users\Admin\AppData\Local\Temp\docbit20230908.exe
"C:\Users\Admin\AppData\Local\Temp\docbit20230908.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4704
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Modifies system certificate store
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1668
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    -a "C:\Users\Admin\AppData\Local\ed01f8a1\plg\VUmm8IJD.json"
    3⤵
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID:2344
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      -a "C:\Users\Admin\AppData\Local\Temp\unk.xml"
      4⤵
      PID:4504
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\svchost"
  2⤵
  PID:1764
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\docbit20230908.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
  2⤵
  PID:2092
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1072
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
    3⤵
    - Creates scheduled task(s)
    PID:2656

C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
1⤵
- Executes dropped EXE
PID:896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\ed01f8a1\plg\VUmm8IJD.json

Filesize
1B

MD5
cfcd208495d565ef66e7dff9f98764da

SHA1
b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

SHA256
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

SHA512
31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Download Submit
C:\Users\Admin\AppData\Roaming\svchost\svchost.exe

Filesize
448KB

MD5
54fa5d2c128d1b7ef3323d30bd34100f

SHA1
661f68773383ac6bafc1d09f1ba967acaf6106ef

SHA256
21fec52cb164c053b92e54690769d7f60f4bbe5f0af2109737f8ed470226b4df

SHA512
1bb671bb1f3d10233ba477fecb4e15978dcb3aee19e2f15a697324a9799ba40b045015468ed1f70052a86085c940aea1f62426f2d1a10b2e03775da8505b10c9

Download Submit
C:\Users\Admin\AppData\Roaming\svchost\svchost.exe

Filesize
58KB

MD5
ac51c340fe4d262b623695075ff7981d

SHA1
85623cce7bc0d6798fdc8199c7165dc46c56c741

SHA256
8c0594ff2d021b44745951f3fd86c1f3671dd1ac876974f289e14f6280073df1

SHA512
536ea5c823123e9ac6245382e9954604461123d5f3e0175121ccdd410ad330480bb7018e724e29f7eb12ee01f4e23a751cf170f92f269e20be7485f6e01c0221

Download Submit
memory/1668-46-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1668-54-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1668-7-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1668-9-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1668-131-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1668-15-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1668-17-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1668-19-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1668-21-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1668-23-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1668-26-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1668-27-0x0000000074470000-0x00000000744A9000-memory.dmp

Filesize
228KB

Download
memory/1668-28-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1668-29-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1668-30-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1668-31-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1668-32-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1668-33-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1668-34-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1668-35-0x0000000074810000-0x0000000074849000-memory.dmp

Filesize
228KB

Download
memory/1668-36-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1668-37-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1668-38-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1668-39-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1668-40-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1668-41-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1668-42-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1668-43-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1668-44-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1668-5-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1668-13-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1668-47-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1668-11-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1668-51-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1668-52-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1668-53-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1668-48-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1668-55-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1668-62-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1668-63-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1668-64-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1668-65-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1668-66-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1668-67-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1668-68-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1668-69-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1668-70-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1668-71-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1668-73-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1668-50-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1668-104-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2344-79-0x0000000000400000-0x00000000008DC000-memory.dmp

Filesize
4.9MB

Download
memory/2344-83-0x0000000000400000-0x00000000008DC000-memory.dmp

Filesize
4.9MB

Download
memory/2344-78-0x0000000000400000-0x00000000008DC000-memory.dmp

Filesize
4.9MB

Download
memory/2344-76-0x0000000000400000-0x00000000008DC000-memory.dmp

Filesize
4.9MB

Download
memory/2344-129-0x0000000000400000-0x00000000008DC000-memory.dmp

Filesize
4.9MB

Download
memory/4704-2-0x0000000005900000-0x0000000005910000-memory.dmp

Filesize
64KB

Download
memory/4704-1-0x0000000000A60000-0x0000000000E62000-memory.dmp

Filesize
4.0MB

Download
memory/4704-0-0x0000000074620000-0x0000000074DD0000-memory.dmp

Filesize
7.7MB

Download
memory/4704-3-0x0000000074620000-0x0000000074DD0000-memory.dmp

Filesize
7.7MB

Download
memory/4704-4-0x0000000005900000-0x0000000005910000-memory.dmp

Filesize
64KB

Download
memory/4704-8-0x0000000074620000-0x0000000074DD0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads