Analysis

  • max time kernel
    182s
  • max time network
    187s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64 arch:x86 image:win7-20231215-en locale:en-us os:windows7-x64 system
  • submitted
    26-12-2023 14:21

General

  • Target

    7538dd6e69d0c65d2dc0eb091c3ced18.msi

  • Size

    3.8MB

  • MD5

    7538dd6e69d0c65d2dc0eb091c3ced18

  • SHA1

    9d91e4cc3c59c258ae2655119692c13c899d68d2

  • SHA256

    142a30f9ba3c2e1efbdf15241721da3b20d7b6436761d3eaafdcc095dc681fc4

  • SHA512

    935aed41fbc1bb42cdc4b2c10fd306286642428c017248a71297d7674439415a410464a75b0529eec4b7a98f052408afcde24a501f6970fa405d642aafadb6c6

  • SSDEEP

    98304:D77Pmq33rE/JDLPWZADUGer7B6iY74M/mmlwXVZaFB:L+R/eZADUXR

Score
10/10

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

79.134.225.73:19099

Attributes
  • communication_password

    411f9a6dd54344976e951469585a6963

  • tor_process

    tor

Signatures

  • BitRAT

    BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

  • Executes dropped EXE (1 IoC)
  • Enumerates connected drives (3 TTPs, 46 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of NtSetInformationThreadHideFromDebugger (4 IoCs)

    NtSetInformationThread with the ThreadHideFromDebugger class stops debug events for that thread from being delivered to an attached debugger; it is a common anti-analysis call.

  • Drops file in Windows directory (9 IoCs)
  • Modifies data under HKEY_USERS (43 IoCs)
  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (59 IoCs)
  • Suspicious use of FindShellTrayWindow (1 IoC)
  • Suspicious use of SetWindowsHookEx (2 IoCs)
  • Suspicious use of WriteProcessMemory (4 IoCs)
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots. In this run the VSS activity (vssvc.exe, and the DrvInst.exe call for a VolumeSnapshot device) sits at the same level as the msiexec.exe install rather than under the dropped MSIAE99.tmp, which is consistent with Windows Installer creating a System Restore point before the install; on its own this signature is not evidence of shadow-copy deletion.

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\7538dd6e69d0c65d2dc0eb091c3ced18.msi
    1⤵
    • Enumerates connected drives
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2652
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2692
    • C:\Windows\Installer\MSIAE99.tmp
      "C:\Windows\Installer\MSIAE99.tmp"
      2⤵
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:1536
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2544
  • C:\Windows\system32\DrvInst.exe
    DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003AC" "0000000000000580"
    1⤵
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:2820
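The process tree above is the usual Windows Installer shape: the user-launched msiexec.exe /I (PID 2652) hands the install to the service instance msiexec.exe /V (PID 2692), which extracts and runs the custom-action binary C:\Windows\Installer\MSIAE99.tmp (PID 1536), and it is that dropped binary that carries the BitRAT behaviour. The following is an added example, not code from the report or from the sandbox vendor: a small correlation routine that scores endpoint telemetry against the two things this report gives a hunter, the extracted C2 (ip:port) from the Malware Config section and the msiexec.exe-spawns-MSI*.tmp tree, with the caveat that the tree shape alone is shared with legitimate installers. The event dicts, their field names and SAMPLE_EVENTS are my own constructed input, not a real Sysmon or EDR schema and not the report's network capture.

```python
"""Added example (not part of the sandbox report): score telemetry against
the report's extracted BitRAT C2 and its msiexec.exe -> MSI*.tmp tree.
Event dicts and SAMPLE_EVENTS are constructed for this example."""
import ipaddress
import re

# From the report's "Malware Config" section.
C2_HOST = "79.134.225.73"
C2_PORT = 19099
# From the report's "Downloads" section: SHA256 of the dropped MSIAE99.tmp.
DROPPED_SHA256 = "07e12cd459d8702fd7a5366e060dbca732a3d4353dd6aa84381f98eec53f5426"

# Windows Installer extracts custom-action binaries as MSI<hex>.tmp; legitimate
# installers do this too, so the shape by itself is only a weak signal.
MSI_TMP_RE = re.compile(r"c:\\windows\\installer\\msi[0-9a-f]{1,4}\.tmp", re.I)

# Explicit RFC 1918/loopback list instead of ipaddress.is_private, which also
# treats the documentation range used in the sample (203.0.113.0/24) as private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
RANK = {"low": 1, "medium": 2, "high": 3}


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def check_network(ev):
    """Match a connection against the extracted C2. The same host on another
    port is still worth a look, since the port is part of the config."""
    if ev["type"] != "network":
        return None
    if ev["dst_ip"] == C2_HOST and ev["dst_port"] == C2_PORT:
        return ("high", "connection to extracted BitRAT C2 %s:%d" % (C2_HOST, C2_PORT))
    if ev["dst_ip"] == C2_HOST:
        return ("medium", "connection to C2 host %s on unexpected port %d" % (C2_HOST, ev["dst_port"]))
    return None


def check_process(ev):
    """msiexec.exe spawning MSI*.tmp: low on its own, high if the child's hash
    is the dropped payload from this report."""
    if ev["type"] != "process":
        return None
    if not ev["parent_image"].lower().endswith("\\msiexec.exe"):
        return None
    if not MSI_TMP_RE.fullmatch(ev["image"]):
        return None
    if ev.get("sha256", "").lower() == DROPPED_SHA256:
        return ("high", "known BitRAT payload run from the Windows Installer cache")
    return ("low", "msiexec.exe ran an installer temp binary (normal for custom actions)")


def correlate(events):
    """Apply both checks; a 'low' temp binary whose PID later connects to a
    non-internal address is promoted to 'medium'."""
    findings, proc_sev = [], {}
    for ev in events:
        hit = check_process(ev)
        if hit:
            findings.append((ev["pid"],) + hit)
            proc_sev[ev["pid"]] = hit[0]
            continue
        hit = check_network(ev)
        if hit:
            findings.append((ev["pid"],) + hit)
        elif (ev["type"] == "network" and proc_sev.get(ev["pid"]) == "low"
              and not is_internal(ev["dst_ip"])):
            findings.append((ev["pid"], "medium", "installer temp binary connected out to %s:%d"
                             % (ev["dst_ip"], ev["dst_port"])))
    return findings


def worst_by_pid(findings):
    worst = {}
    for pid, sev, _ in findings:
        if RANK[sev] > RANK.get(worst.get(pid), 0):
            worst[pid] = sev
    return worst


# Constructed sample telemetry: the first three entries mirror the report's
# tree (PIDs and paths from the report); the contrast entries are invented.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 2692, "image": r"C:\Windows\system32\msiexec.exe",
     "parent_image": r"C:\Windows\system32\services.exe"},
    {"type": "process", "pid": 1536, "image": r"C:\Windows\Installer\MSIAE99.tmp",
     "parent_image": r"C:\Windows\system32\msiexec.exe", "sha256": DROPPED_SHA256},
    {"type": "network", "pid": 1536, "dst_ip": C2_HOST, "dst_port": C2_PORT},
    # Legitimate-looking custom action that only talks to an internal host.
    {"type": "process", "pid": 4000, "image": r"C:\Windows\Installer\MSI1234.tmp",
     "parent_image": r"C:\Windows\system32\msiexec.exe", "sha256": "0" * 64},
    {"type": "network", "pid": 4000, "dst_ip": "10.0.0.5", "dst_port": 445},
    # Unknown custom action reaching an outside address (TEST-NET-3).
    {"type": "process", "pid": 5000, "image": r"C:\Windows\Installer\MSI77.tmp",
     "parent_image": r"C:\Windows\system32\msiexec.exe", "sha256": "1" * 64},
    {"type": "network", "pid": 5000, "dst_ip": "203.0.113.10", "dst_port": 443},
]


def run_sample():
    """Worst severity per PID over the constructed sample."""
    return worst_by_pid(correlate(SAMPLE_EVENTS))
```

Run as a script it reports PID 1536 as high (both the known hash and the C2 connection), PID 4000 as low (the shape alone, internal traffic only), and PID 5000 as medium (unknown temp binary that went outbound). Matching the C2 by full ip:port is the high-confidence rule; the ip-only rule is there because the port is configurable per build.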

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\Installer\MSIAE99.tmp
    Filesize

    3.8MB

    MD5

    7f4cf5385ee25468ab2031d4e38c5ab8

    SHA1

    6b3253a4b7cc26942031d2b5cd8a3e05d9f35075

    SHA256

    07e12cd459d8702fd7a5366e060dbca732a3d4353dd6aa84381f98eec53f5426

    SHA512

    b8a25055753736fa162f67b381ebd5563c5b2f6a69a98ef56d88aeba760f4e596cebf2d3d5e949b2b9d433e5f4cda76f2657cf513a3e2dbb3c49785669835e8d