Analysis Overview
SHA256
c609d25041b7c463a726027c99c0a264b1e77415612e445fc39cfc9aae9801f3
Threat Level: Known bad
The file c609d25041b7c463a726027c99c0a264b1e77415612e445fc39cfc9aae9801f3_JC.exe was found to be: Known bad.
Malicious Activity Summary
BitRAT
XenArmor Suite
Reads local data of messenger clients
Reads user/profile data of local email clients
ACProtect 1.3x - 1.4x DLL software
Executes dropped EXE
UPX packed file
Reads data files stored by FTP clients
Loads dropped DLL
Reads user/profile data of web browsers
Accesses Microsoft Outlook accounts
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Creates scheduled task(s)
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-09-15 13:28
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2023-09-15 13:28
Reported
2023-09-15 13:30
Platform
win7-20230831-en
Max time kernel
147s
Max time network
152s
Command Line
Signatures
BitRAT
XenArmor Suite
ACProtect 1.3x - 1.4x DLL software
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\pint\pint.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\T0frH3jx.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\pint\pint.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\T0frH3jx.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\pint\pint.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\pint\pint.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c609d25041b7c463a726027c99c0a264b1e77415612e445fc39cfc9aae9801f3_JC.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c609d25041b7c463a726027c99c0a264b1e77415612e445fc39cfc9aae9801f3_JC.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\T0frH3jx.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\T0frH3jx.exe | N/A |
Reads data files stored by FTP clients
Reads local data of messenger clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
UPX packed file
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Users\Admin\AppData\Local\Temp\T0frH3jx.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1728 set thread context of 2324 | N/A | C:\Users\Admin\AppData\Local\Temp\c609d25041b7c463a726027c99c0a264b1e77415612e445fc39cfc9aae9801f3_JC.exe | C:\Users\Admin\AppData\Local\Temp\c609d25041b7c463a726027c99c0a264b1e77415612e445fc39cfc9aae9801f3_JC.exe |
| PID 2324 set thread context of 2844 | N/A | C:\Users\Admin\AppData\Local\Temp\c609d25041b7c463a726027c99c0a264b1e77415612e445fc39cfc9aae9801f3_JC.exe | C:\Users\Admin\AppData\Local\Temp\T0frH3jx.exe |
| PID 3028 set thread context of 2904 | N/A | C:\Users\Admin\AppData\Roaming\pint\pint.exe | C:\Users\Admin\AppData\Roaming\pint\pint.exe |
| PID 2844 set thread context of 1316 | N/A | C:\Users\Admin\AppData\Local\Temp\T0frH3jx.exe | C:\Users\Admin\AppData\Local\Temp\T0frH3jx.exe |
| PID 2728 set thread context of 2608 | N/A | C:\Users\Admin\AppData\Roaming\pint\pint.exe | C:\Users\Admin\AppData\Roaming\pint\pint.exe |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\T0frH3jx.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\c609d25041b7c463a726027c99c0a264b1e77415612e445fc39cfc9aae9801f3_JC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\c609d25041b7c463a726027c99c0a264b1e77415612e445fc39cfc9aae9801f3_JC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\T0frH3jx.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c609d25041b7c463a726027c99c0a264b1e77415612e445fc39cfc9aae9801f3_JC.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c609d25041b7c463a726027c99c0a264b1e77415612e445fc39cfc9aae9801f3_JC.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\c609d25041b7c463a726027c99c0a264b1e77415612e445fc39cfc9aae9801f3_JC.exe
"C:\Users\Admin\AppData\Local\Temp\c609d25041b7c463a726027c99c0a264b1e77415612e445fc39cfc9aae9801f3_JC.exe"
C:\Users\Admin\AppData\Local\Temp\c609d25041b7c463a726027c99c0a264b1e77415612e445fc39cfc9aae9801f3_JC.exe
"C:\Users\Admin\AppData\Local\Temp\c609d25041b7c463a726027c99c0a264b1e77415612e445fc39cfc9aae9801f3_JC.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\pint"
C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\pint\pint.exe'" /f
C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\c609d25041b7c463a726027c99c0a264b1e77415612e445fc39cfc9aae9801f3_JC.exe" "C:\Users\Admin\AppData\Roaming\pint\pint.exe"
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\pint\pint.exe'" /f
C:\Windows\system32\taskeng.exe
taskeng.exe {B21CE224-7A11-4A4E-B1A1-F1EB67302892} S-1-5-21-86725733-3001458681-3405935542-1000:ZWKQHIWB\Admin:Interactive:[1]
C:\Users\Admin\AppData\Roaming\pint\pint.exe
C:\Users\Admin\AppData\Roaming\pint\pint.exe
C:\Users\Admin\AppData\Local\Temp\c609d25041b7c463a726027c99c0a264b1e77415612e445fc39cfc9aae9801f3_JC.exe
-a "C:\Users\Admin\AppData\Local\f9be9104\plg\QeXGQiWA.json"
C:\Users\Admin\AppData\Local\Temp\T0frH3jx.exe
-a "C:\Users\Admin\AppData\Local\f9be9104\plg\QeXGQiWA.json"
C:\Users\Admin\AppData\Roaming\pint\pint.exe
"C:\Users\Admin\AppData\Roaming\pint\pint.exe"
C:\Users\Admin\AppData\Local\Temp\T0frH3jx.exe
-a "C:\Users\Admin\AppData\Local\Temp\unk.xml"
C:\Windows\SysWOW64\cmd.exe
"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\pint"
C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\pint\pint.exe'" /f
C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\pint\pint.exe" "C:\Users\Admin\AppData\Roaming\pint\pint.exe"
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\pint\pint.exe'" /f
C:\Users\Admin\AppData\Roaming\pint\pint.exe
C:\Users\Admin\AppData\Roaming\pint\pint.exe
C:\Users\Admin\AppData\Roaming\pint\pint.exe
"C:\Users\Admin\AppData\Roaming\pint\pint.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\pint"
C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\pint\pint.exe'" /f
C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\pint\pint.exe" "C:\Users\Admin\AppData\Roaming\pint\pint.exe"
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\pint\pint.exe'" /f
Network
| Country | Destination | Domain | Proto |
| NL | 185.225.75.68:3569 | | tcp |
| NL | 185.225.75.68:3569 | | tcp |
| US | 8.8.8.8:53 | www.xenarmor.com | udp |
| US | 69.64.94.128:80 | www.xenarmor.com | tcp |
| NL | 185.225.75.68:3569 | | tcp |
Files
C:\Users\Admin\AppData\Roaming\pint\pint.exe
| MD5 | 6d4c3a4ff3637ec34f820172f897d476 |
| SHA1 | d53fe8f0ecb0536088ec9be5247ab6627baf31cb |
| SHA256 | c609d25041b7c463a726027c99c0a264b1e77415612e445fc39cfc9aae9801f3 |
| SHA512 | 1ff5f4b215bedf6824c9c1932b5e8dbcbb8e459ee2839c598cc0f955b2948e25c5ce834b963ee1cf6ea22954e9c1fa4b102f117808f6dc8a4891b36c37d7e894 |
C:\Users\Admin\AppData\Local\Temp\T0frH3jx.exe
| MD5 | ca42e05f9d53c7ec9383307c1ea282bb |
| SHA1 | ed0efa1b59b461dcda08121a39411bee72f6b4cb |
| SHA256 | 63a7295e66183379580db16d0d191bb261ccc9edb982980051291c8bdf6c4ade |
| SHA512 | 4a1e3655a93f5e29ac7191eb3249b5b5a61b90353e78cc0bae4e81008aaff43bd9db4c2fde0c5ffcdae5e7eb87dfccffd4a1f383c78f5d40d52cbc4d61890196 |
C:\Users\Admin\AppData\Local\Temp\Unknown.dll
| MD5 | 86114faba7e1ec4a667d2bcb2e23f024 |
| SHA1 | 670df6e1ba1dc6bece046e8b2e573dd36748245e |
| SHA256 | 568da887725ccfdc4c5aae3ff66792fe60eca4e0818338f6a8434be66a6fe46d |
| SHA512 | d26ee0da6ccd4022982cf848c46e40f6781b667e39d0c5daf5ea8d74c44e55c55a5f7590a4d2a60aa1911358ca783c4276a9b4e6311c4cea20df1ebd4f7f457f |
C:\Users\Admin\AppData\Local\Temp\License.XenArmor
| MD5 | 4f3bde9212e17ef18226866d6ac739b6 |
| SHA1 | 732733bec8314beb81437e60876ffa75e72ae6cd |
| SHA256 | 212173a405c78d70f90e8ec0699a60ed2f4a9f3a8070de62eabd666c268fb174 |
| SHA512 | 10b7cdae0b9a7b0f8e1bfc66a60675fa9b25c523864d5ae3da243f4e6e4c5194f3bd92af57ac956157442f66414bdd3393d0a1e5ba4ef0f192561e8524d4e744 |
C:\Users\Admin\AppData\Local\Temp\License.XenArmor
| MD5 | bf5da170f7c9a8eae88d1cb1a191ff80 |
| SHA1 | dd1b991a1b03587a5d1edc94e919a2070e325610 |
| SHA256 | e5d5110feb21939d82d962981aeaaafc4643b40a9b87cbed800ace82135d57cd |
| SHA512 | 9e32247d8556fd6efffbf7b6b9c325652d8c4b223b0fa38020879171476a49ab1f64d8897b5d8d92b79c5484fd9d5899be26ca5f664ee1f9c2acb0857084121e |
C:\Users\Admin\AppData\Local\Temp\unk.xml
| MD5 | 67efe59fbf8aaf3e8de7d67dab21c2a7 |
| SHA1 | 0869d3ea3b16639ed4a0803acea1c476e199b16c |
| SHA256 | 63ca5c5c3cf4be4765115926225c060d89ef54d6f6fc3ec284cb3ecb398b0cb1 |
| SHA512 | 75f162ff2cc23dd7df018109264f157727fdecc869e3f493e4d0bed26b4429ab00fc9724a5ea420488ba1b4b102a07992357c0d3567c7acea6dd5333cd8cebbb |
C:\Users\Admin\AppData\Local\f9be9104\plg\QeXGQiWA.json
| MD5 | 67efe59fbf8aaf3e8de7d67dab21c2a7 |
| SHA1 | 0869d3ea3b16639ed4a0803acea1c476e199b16c |
| SHA256 | 63ca5c5c3cf4be4765115926225c060d89ef54d6f6fc3ec284cb3ecb398b0cb1 |
| SHA512 | 75f162ff2cc23dd7df018109264f157727fdecc869e3f493e4d0bed26b4429ab00fc9724a5ea420488ba1b4b102a07992357c0d3567c7acea6dd5333cd8cebbb |
Analysis: behavioral2
Detonation Overview
Submitted
2023-09-15 13:28
Reported
2023-09-15 13:30
Platform
win10v2004-20230915-en
Max time kernel
50s
Max time network
86s
Command Line
Signatures
BitRAT
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\pint\pint.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2056 set thread context of 5096 | N/A | C:\Users\Admin\AppData\Local\Temp\c609d25041b7c463a726027c99c0a264b1e77415612e445fc39cfc9aae9801f3_JC.exe | C:\Users\Admin\AppData\Local\Temp\c609d25041b7c463a726027c99c0a264b1e77415612e445fc39cfc9aae9801f3_JC.exe |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\c609d25041b7c463a726027c99c0a264b1e77415612e445fc39cfc9aae9801f3_JC.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c609d25041b7c463a726027c99c0a264b1e77415612e445fc39cfc9aae9801f3_JC.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c609d25041b7c463a726027c99c0a264b1e77415612e445fc39cfc9aae9801f3_JC.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\c609d25041b7c463a726027c99c0a264b1e77415612e445fc39cfc9aae9801f3_JC.exe
"C:\Users\Admin\AppData\Local\Temp\c609d25041b7c463a726027c99c0a264b1e77415612e445fc39cfc9aae9801f3_JC.exe"
C:\Users\Admin\AppData\Local\Temp\c609d25041b7c463a726027c99c0a264b1e77415612e445fc39cfc9aae9801f3_JC.exe
"C:\Users\Admin\AppData\Local\Temp\c609d25041b7c463a726027c99c0a264b1e77415612e445fc39cfc9aae9801f3_JC.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\pint"
C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\c609d25041b7c463a726027c99c0a264b1e77415612e445fc39cfc9aae9801f3_JC.exe" "C:\Users\Admin\AppData\Roaming\pint\pint.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\pint\pint.exe'" /f
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\pint\pint.exe'" /f
C:\Users\Admin\AppData\Roaming\pint\pint.exe
C:\Users\Admin\AppData\Roaming\pint\pint.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 54.120.234.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.113.22.20.in-addr.arpa | udp |
| NL | 185.225.75.68:3569 | | tcp |
| US | 8.8.8.8:53 | 68.75.225.185.in-addr.arpa | udp |
| NL | 185.225.75.68:3569 | | tcp |
Files
C:\Users\Admin\AppData\Roaming\pint\pint.exe
| MD5 | 8b7fc4a4ad7b71b10999a1464bf5ca7f |
| SHA1 | 8f4b73478624c1dca486699bf5a8753a1cdb2161 |
| SHA256 | f96065948074ba84b11079b8e2b27a312879db52d13141d3e4281eb273a45ef5 |
| SHA512 | 283aa9d66c7af11299306070372fba9b6ae320399ab723cb6571ef330f9de4e12865c2fcb627b634c66a2e18533ae01bf120dba97d0604ad1064ec7325303824 |
C:\Users\Admin\AppData\Roaming\pint\pint.exe
| MD5 | b3f1bf2d871aa25b54fd035b674a1b1b |
| SHA1 | c78a60f4b9326a1dc433f128aea71c22c554f380 |
| SHA256 | 629ced3b1fa9f56cba96e4ae1cd203f708278d75d28dc98e96569c065287d6e8 |
| SHA512 | c91689196eb23bbc7d5eeda1b17151a4b1524d0aabece9ca8e5e97643379f10c13edc61d2d8833c9eefd9e2228412f3f213843e573a15c3ed1f46ba363768706 |