Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

68222440e7...62.exe

windows7-x64

10

68222440e7...62.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    157s
  • max time network
    164s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19/01/2024, 16:46 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    68222440e7fab33d7b5ec1b6e2672962.exe

  • Size

    2.6MB

  • MD5

    68222440e7fab33d7b5ec1b6e2672962

  • SHA1

    9e756880fc27ce0e0aa9f746039ec5fc0ca60294

  • SHA256

    9f853c69ec51eef3b38c508c2cdfaad6230c9cac218b6c1e2c1aade3e2aaa684

  • SHA512

    8fc00dc22e870a8e2150bd57b3e26d173a425ab1ab665b16548285489622f2a52db7487ce1a9811fc4c0328f673454be0f8a38d72a30e65727afabef04d63388

  • SSDEEP

    49152:wvibll7s0eIB4GzdH21N9vGHE5S9H5EsHBTzPfEAuj0/XN+fX+4T38mc:wS00SGzdHAuPmKJzXEAfXcuwU

Score
10/10
bitrattrojan

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

dns16-microsoft-health.com:80

Attributes
  • communication_password

    1fb84c2caca11d084aafca61f7284a70

  • install_dir

    Intel

  • install_file

    idrvr32.exe

  • tor_process

    tor

Signatures

  • BitRAT

    BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

    trojanbitrat
  • Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\68222440e7fab33d7b5ec1b6e2672962.exe
    "C:\Users\Admin\AppData\Local\Temp\68222440e7fab33d7b5ec1b6e2672962.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4864
    • C:\Users\Admin\AppData\Local\Temp\68222440e7fab33d7b5ec1b6e2672962.exe
      "C:\Users\Admin\AppData\Local\Temp\68222440e7fab33d7b5ec1b6e2672962.exe"
      2⤵
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of AdjustPrivilegeToken
      PID:3004

Network

  • flag-us
    DNS
    241.150.49.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    241.150.49.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    196.178.17.96.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    196.178.17.96.in-addr.arpa
    IN PTR
    Response
    196.178.17.96.in-addr.arpa
    IN PTR
    a96-17-178-196deploystaticakamaitechnologiescom
  • flag-us
    DNS
    72.32.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    72.32.126.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    97.17.167.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    97.17.167.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    228.249.119.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    228.249.119.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    183.59.114.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    183.59.114.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    171.39.242.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    171.39.242.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    18.134.221.88.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    18.134.221.88.in-addr.arpa
    IN PTR
    Response
    18.134.221.88.in-addr.arpa
    IN PTR
    a88-221-134-18deploystaticakamaitechnologiescom
  • flag-us
    DNS
    31.243.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    31.243.111.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    240.221.184.93.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    240.221.184.93.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    27.73.42.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    27.73.42.20.in-addr.arpa
    IN PTR
    Response
  • 52.142.223.178:80
    46 B
     1
  • 8.8.8.8:53
    241.150.49.20.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    241.150.49.20.in-addr.arpa

  • 8.8.8.8:53
    196.178.17.96.in-addr.arpa
    dns
    72 B
     137 B
     1
    1

    DNS Request

    196.178.17.96.in-addr.arpa

  • 8.8.8.8:53
    72.32.126.40.in-addr.arpa
    dns
    71 B
     157 B
     1
    1

    DNS Request

    72.32.126.40.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
     144 B
     1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    97.17.167.52.in-addr.arpa
    dns
    71 B
     145 B
     1
    1

    DNS Request

    97.17.167.52.in-addr.arpa

  • 8.8.8.8:53
    228.249.119.40.in-addr.arpa
    dns
    73 B
     159 B
     1
    1

    DNS Request

    228.249.119.40.in-addr.arpa

  • 8.8.8.8:53
    183.59.114.20.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    183.59.114.20.in-addr.arpa

  • 8.8.8.8:53
    171.39.242.20.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    171.39.242.20.in-addr.arpa

  • 8.8.8.8:53
    18.134.221.88.in-addr.arpa
    dns
    72 B
     137 B
     1
    1

    DNS Request

    18.134.221.88.in-addr.arpa

  • 8.8.8.8:53
    31.243.111.52.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    31.243.111.52.in-addr.arpa

  • 8.8.8.8:53
    240.221.184.93.in-addr.arpa
    dns
    73 B
     144 B
     1
    1

    DNS Request

    240.221.184.93.in-addr.arpa

  • 8.8.8.8:53
    27.73.42.20.in-addr.arpa
    dns
    70 B
     156 B
     1
    1

    DNS Request

    27.73.42.20.in-addr.arpa

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/3004-36-0x0000000000400000-0x00000000007D3000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/3004-48-0x0000000074650000-0x0000000074689000-memory.dmp

    Filesize

    228KB

    Download

  • memory/3004-47-0x0000000000400000-0x00000000007D3000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/3004-46-0x0000000000030000-0x0000000000031000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3004-39-0x0000000000400000-0x00000000007D3000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/3004-45-0x0000000077252000-0x0000000077253000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3004-37-0x0000000000400000-0x00000000007D3000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/4864-14-0x0000000000970000-0x0000000000A70000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/4864-12-0x0000000000970000-0x0000000000A70000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/4864-15-0x0000000000970000-0x0000000000A70000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/4864-16-0x0000000000970000-0x0000000000A70000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/4864-17-0x0000000000970000-0x0000000000A70000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/4864-21-0x0000000000970000-0x0000000000A70000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/4864-24-0x0000000000970000-0x0000000000A70000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/4864-25-0x0000000000970000-0x0000000000A70000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/4864-28-0x0000000000400000-0x000000000069F000-memory.dmp

    Filesize

    2.6MB

    Download

  • memory/4864-30-0x0000000000970000-0x0000000000A70000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/4864-32-0x0000000000400000-0x000000000069F000-memory.dmp

    Filesize

    2.6MB

    Download

  • memory/4864-33-0x0000000000970000-0x0000000000A70000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/4864-34-0x0000000000970000-0x0000000000A70000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/4864-2-0x0000000077252000-0x0000000077253000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4864-13-0x0000000000400000-0x000000000069F000-memory.dmp

    Filesize

    2.6MB

    Download

  • memory/4864-41-0x00000000001C0000-0x00000000001C8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/4864-44-0x0000000000970000-0x0000000000A70000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/4864-11-0x0000000000970000-0x0000000000A70000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/4864-42-0x0000000000400000-0x000000000069F000-memory.dmp

    Filesize

    2.6MB

    Download

  • memory/4864-40-0x0000000074EA0000-0x0000000074FFD000-memory.dmp

    Filesize

    1.4MB

    Download

  • memory/4864-10-0x0000000000970000-0x0000000000A70000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/4864-38-0x0000000000970000-0x0000000000A70000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/4864-35-0x0000000000970000-0x0000000000A70000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/4864-9-0x0000000074EA0000-0x0000000074FFD000-memory.dmp

    Filesize

    1.4MB

    Download

  • memory/4864-8-0x0000000000970000-0x0000000000A70000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/4864-3-0x0000000002480000-0x0000000002481000-memory.dmp

    Filesize

    4KB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.