Malware Analysis Report

2025-01-03 05:25

Sample ID 231014-aj929shb74
Target docbit20230908.exe.1
SHA256 d54df888565db74fd2065bfa327e5b5d2476df10564a25f2b99f3bf7f9504ab0
Tags: bitrat trojan
Score: 10/10


Analysis Overview

Score: 10/10

SHA256: d54df888565db74fd2065bfa327e5b5d2476df10564a25f2b99f3bf7f9504ab0

Threat Level: Known bad

The file docbit20230908.exe.1 was found to be: Known bad.

Malicious Activity Summary

bitrat trojan

BitRAT

Executes dropped EXE

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

Program crash

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Creates scheduled task(s)

Analysis: static1

Detonation Overview

Reported: 2023-10-14 00:16

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2023-10-14 00:15
Reported: 2023-10-14 11:58
Platform: win10v2004-20230915-en
Max time kernel: 57s
Max time network: 84s

Command Line

"C:\Users\Admin\AppData\Local\Temp\docbit20230908.exe"

Signatures

BitRAT

trojan bitrat

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost\svchost.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 3004 set thread context of 2084 | N/A | C:\Users\Admin\AppData\Local\Temp\docbit20230908.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Creates scheduled task(s)

persistence

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious use of WriteProcessMemory

Identical rows are collapsed; the Count column gives the number of times each event was recorded.

Description | Indicator | Process | Target | Count
PID 3004 wrote to memory of 2084 | N/A | C:\Users\Admin\AppData\Local\Temp\docbit20230908.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | 11
PID 3004 wrote to memory of 3464 | N/A | C:\Users\Admin\AppData\Local\Temp\docbit20230908.exe | C:\Windows\SysWOW64\cmd.exe | 3
PID 3004 wrote to memory of 1920 | N/A | C:\Users\Admin\AppData\Local\Temp\docbit20230908.exe | C:\Windows\SysWOW64\cmd.exe | 3
PID 3004 wrote to memory of 1872 | N/A | C:\Users\Admin\AppData\Local\Temp\docbit20230908.exe | C:\Windows\SysWOW64\cmd.exe | 3
PID 1920 wrote to memory of 2516 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\schtasks.exe | 3

Processes

C:\Users\Admin\AppData\Local\Temp\docbit20230908.exe

"C:\Users\Admin\AppData\Local\Temp\docbit20230908.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\svchost"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\docbit20230908.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2084 -ip 2084

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2084 -s 540

C:\Users\Admin\AppData\Roaming\svchost\svchost.exe

C:\Users\Admin\AppData\Roaming\svchost\svchost.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 108.211.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 29.81.57.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 9.57.101.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.81.21.72.in-addr.arpa | udp

Files

C:\Users\Admin\AppData\Roaming\svchost\svchost.exe

MD5: 95a5e311796bc58c13c63ca0b265670c
SHA1: 260cc604b669fb8c16cd2a2df09b13417b0c5752
SHA256: d456e464f553687d60c65119dc0d6806f3f610dda2f20fd85ad535a486c0d0a4
SHA512: b73cef59a652293b9783ad6c1674f7691122bfce35a1f3474072a7d2a43171478621ec1640612b47d296427211cfea122cdba268921a3be667e23efe6bc13b2a

C:\Users\Admin\AppData\Roaming\svchost\svchost.exe

MD5: 6c91392709935a32f7784e6cc7a4430a
SHA1: 6d02ae73900d758ab509410a2512e2154f1f0595
SHA256: 0cfe393681b073e2634167e2554e654f93eacbb02de04e2f18f66f360f137d86
SHA512: 4c9c66046dc21a54e6d9b9a5a8221a56b9146da4808c75d6be8029b7f544cfa1cb102eeb5246000f60897c737327d923fcbbe69da8937d75b179f0ac45accc21

Analysis: behavioral1

Detonation Overview

Submitted: 2023-10-14 00:15
Reported: 2023-10-14 11:58
Platform: win7-20230831-en
Max time kernel: 152s
Max time network: 165s

Command Line

"C:\Users\Admin\AppData\Local\Temp\docbit20230908.exe"

Signatures

BitRAT

trojan bitrat

Executes dropped EXE

Description | Indicator | Process | Target | Count
N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost\svchost.exe | N/A | 2

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1964 set thread context of 2736 | N/A | C:\Users\Admin\AppData\Local\Temp\docbit20230908.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1804 set thread context of 860 | N/A | C:\Users\Admin\AppData\Roaming\svchost\svchost.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Creates scheduled task(s)

persistence

Description | Indicator | Process | Target | Count
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A | 2

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target | Count
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A | 2

Suspicious use of WriteProcessMemory

Identical rows are collapsed; the Count column gives the number of times each event was recorded.

Description | Indicator | Process | Target | Count
PID 1964 wrote to memory of 2736 | N/A | C:\Users\Admin\AppData\Local\Temp\docbit20230908.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | 15
PID 1964 wrote to memory of 2684 | N/A | C:\Users\Admin\AppData\Local\Temp\docbit20230908.exe | C:\Windows\SysWOW64\cmd.exe | 4
PID 1964 wrote to memory of 1748 | N/A | C:\Users\Admin\AppData\Local\Temp\docbit20230908.exe | C:\Windows\SysWOW64\cmd.exe | 4
PID 1964 wrote to memory of 2744 | N/A | C:\Users\Admin\AppData\Local\Temp\docbit20230908.exe | C:\Windows\SysWOW64\cmd.exe | 4
PID 1748 wrote to memory of 2040 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\schtasks.exe | 4
PID 2032 wrote to memory of 1804 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Roaming\svchost\svchost.exe | 4
PID 1804 wrote to memory of 860 | N/A | C:\Users\Admin\AppData\Roaming\svchost\svchost.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | 15
PID 1804 wrote to memory of 1852 | N/A | C:\Users\Admin\AppData\Roaming\svchost\svchost.exe | C:\Windows\SysWOW64\cmd.exe | 4
PID 1804 wrote to memory of 1836 | N/A | C:\Users\Admin\AppData\Roaming\svchost\svchost.exe | C:\Windows\SysWOW64\cmd.exe | 4
PID 1804 wrote to memory of 1780 | N/A | C:\Users\Admin\AppData\Roaming\svchost\svchost.exe | C:\Windows\SysWOW64\cmd.exe | 4
PID 1836 wrote to memory of 1148 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\schtasks.exe | 2

Processes

C:\Users\Admin\AppData\Local\Temp\docbit20230908.exe

"C:\Users\Admin\AppData\Local\Temp\docbit20230908.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\docbit20230908.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f

C:\Windows\SysWOW64\cmd.exe

"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\svchost"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f

C:\Windows\system32\taskeng.exe

taskeng.exe {6673C2F3-4517-473A-AF12-6C3B0AB6446C} S-1-5-21-2180306848-1874213455-4093218721-1000:XEBBURHY\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\svchost\svchost.exe

C:\Users\Admin\AppData\Roaming\svchost\svchost.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c copy "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f

C:\Windows\SysWOW64\cmd.exe

"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\svchost"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f

C:\Users\Admin\AppData\Roaming\svchost\svchost.exe

C:\Users\Admin\AppData\Roaming\svchost\svchost.exe

Network

Identical rows are collapsed; the Count column gives the number of times each connection was recorded.

Country | Destination | Domain | Proto | Count
US | 8.8.8.8:53 | homesafe1000.duckdns.org | udp | 3
NL | 79.110.62.151:1234 | homesafe1000.duckdns.org | tcp | 8

Files

C:\Users\Admin\AppData\Roaming\svchost\svchost.exe

MD5: 81e0872e2be9487534ddd879b05e6f62
SHA1: f97c783cb79036a9f2ff27e70a182f1b6919da18
SHA256: d54df888565db74fd2065bfa327e5b5d2476df10564a25f2b99f3bf7f9504ab0
SHA512: 40bfff8cb99869510332a8f2c4f62a354de1ed0aa02fcef522c38deecac90c5429a19ee31c1d3eac6bf10f3e7e9cd3439891c949f5d2763bf2463d7bcdab6f90

C:\Users\Admin\AppData\Roaming\svchost\svchost.exe

MD5: 985982995f86012f6bd7d44c76c7f953
SHA1: 4454ebbb28b01c158c2ae8f18197d78785391eab
SHA256: b93651c9fba3c4c0480f9dac06f9bb59b18ad2941343d395c156a54aacf0e463
SHA512: e9018fb64bb085b9712edfed4e58dbd82408dba523308ae671b65de96c0cab8e61ce635e130e733c8a04a1f6e16bfa4e27e2378a7eb03e890e87637cc3861c8b