Overview

overview

10

Static

static

1

The Predic....8.msi

windows7-x64

10

The Predic....8.msi

windows10-2004-x64

10

Analysis

  • max time kernel
    78s
  • max time network
    78s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    20-01-2024 17:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    The Predictor 7.6.8.msi

  • Size

    9.9MB

  • MD5

    e93294aa36d5ffa52e3288e9b68aa97e

  • SHA1

    4bc3b7d7aa86cc9cce78222f22dc49d1e3496879

  • SHA256

    3fe6b840e057a28be8300bacbc4c2fe7f3c2711911206cad2e6a6e6a2e5207e3

  • SHA512

    e8564a98c6621fdfc47bf24118088e468e14ad4e94de505ed2698f66065218d901736f0fc03983cb88ac064f12d3bbc19640771a3524abda727b954109003da1

  • SSDEEP

    196608:asXAv5pYll8mqqYJeTTtzJVMHw2RFxiKhf6NEGRn2N9CdE:X6ClakfTt9Vf0FxLoNHR2mC

Score
10/10
bitrattrojan

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

185.157.162.126:443

Attributes
  • communication_password

    a76d949640a165da25ccfe9a8fd82c8a

  • tor_process

    tor

Signatures

  • BitRAT

    BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

    trojanbitrat
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 14 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 6 IoCs
  • Drops file in Windows directory 12 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies data under HKEY_USERS 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 53 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 59 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 61 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\The Predictor 7.6.8.msi"
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:1876
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2724
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 1CA0F5B6AA38C9E12299D4C0C78E8929
      2⤵
      • Loads dropped DLL
      • Suspicious use of FindShellTrayWindow
      PID:3020
    • C:\Program Files (x86)\The predictor 7.6.3.8\The predictor 7.6.3.8\Package\msnmsgr.exe
      "C:\Program Files (x86)\The predictor 7.6.3.8\The predictor 7.6.3.8\Package\msnmsgr.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:876
      • C:\Users\Admin\AppData\Local\TtlsExt\msnmsgr.exe
        "C:\Users\Admin\AppData\Local\TtlsExt\msnmsgr.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:440
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\SysWOW64\cmd.exe
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of WriteProcessMemory
          PID:1116
          • C:\Windows\SysWOW64\explorer.exe
            C:\Windows\SysWOW64\explorer.exe
            5⤵
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            PID:1076
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1660

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Config.Msi\f76564e.rbs
    Filesize

    2KB

    MD5

    4c2dabd95a2e7d3b07870bcca4975aee

    SHA1

    81fccca4e34526df9afa802347f62ea962148fab

    SHA256

    c8b8be9fcd0f6eae0531e042bd68310c9fa3cc7165a069490d9d3a7d2db3eb0c

    SHA512

    c4e6b7ebc99218221e129c95b04b7ef65d3ce42b7d3605b676792a19648d67d46cb1d9e05b84c4046b520a0584bf33b6eb18acfbdd1dbf2ce11086532405a27f

    Download Submit
  • C:\Program Files (x86)\The predictor 7.6.3.8\The predictor 7.6.3.8\Package\MSNCore.dll
    Filesize

    991KB

    MD5

    deaa38a71c85d2f9d4ba71343d1603da

    SHA1

    bdbb492512cee480794e761d1bea718db14013ec

    SHA256

    1dc120f34b294e964eee949c4d1ebd9c271715d46b38ae082fec2f1d505e8d65

    SHA512

    87b152b642a020e07ad46e9ed5b4a462c12cf0918f82025c230f662eddb3bf4b2d3aa15ca770970beae5988dd5d5d9b7bcaf7a77c6d2f3acf6d12826f3a9ead7

    Download Submit
  • C:\Program Files (x86)\The predictor 7.6.3.8\The predictor 7.6.3.8\Package\apophyge.xlsx
    Filesize

    2.2MB

    MD5

    555b082df23ae1bccbe9b73ad21551df

    SHA1

    320f8731e35ad32bbd40fe4889a12a56d4e4d365

    SHA256

    4a7675f0ad5c3191073a1f6f765ad01d07bae071f049232f3269101d1de00fc9

    SHA512

    cc4f422f7bb00da05ede09b8c90514d3491eaea3652daef1f771056b753baabdeb0ba9317aaf00f21c3799d9deebe841e199bda056090ea08037139edcfc6ce5

    Download Submit
  • C:\Program Files (x86)\The predictor 7.6.3.8\The predictor 7.6.3.8\Package\msidcrl40.dll
    Filesize

    791KB

    MD5

    cf587eaeed3f09e54d7733821f44f7d6

    SHA1

    50c1acbd9d7e599b641a26374fe145cc754028c0

    SHA256

    4bbc36675f922d4b13779ee3d3b81a5b3bbf39a3e5a0bc52f8e8d522d167e89d

    SHA512

    3c35624620c3249b2f9935450603dd9a0392a9a92c4f400a9f9e489cb130c623fe23f7aaed5bcfe93c18014dd13371da4dbe3a895f491feb20ee6b13eefb7263

    Download Submit
  • C:\Program Files (x86)\The predictor 7.6.3.8\The predictor 7.6.3.8\Package\msnmsgr.exe
    Filesize

    3.4MB

    MD5

    fbdaa106357268b1b03bd19d8f586524

    SHA1

    0c16fbeb2e4b0d4aca7158a22d2cbfad3206f355

    SHA256

    5ceed6049ad71429f3e144a1e82a40817aba8dc6f2c543393733455cf2d8d62d

    SHA512

    e394c9d83a8e18d625d9675df0ca2c5ca25e9e257013d035bc4ddbb9762c60cdb41afed874bee42f34ae2faf0526c464c814f39d132418943d93ddc9b0e3f9b6

    Download Submit
  • C:\Program Files (x86)\The predictor 7.6.3.8\The predictor 7.6.3.8\Package\msnmsgr.exe
    Filesize

    3.9MB

    MD5

    77f0ad481e646c88908f731176144f5f

    SHA1

    dfaf3874de892e1eb03e0f26a53e11310c639aab

    SHA256

    9e9fbd5c877775ab8a07ccfd3f57e3844000b697767a85f5fc988b28c2ef61e1

    SHA512

    9534d533763a68de7ee0c46c274353275543d2ed3e051d5741a0ba2c78aeac2ca3f2db33bd10bb1b471a211a79a5bc859375f9a8be709a552df0778377ce4839

    Download Submit
  • C:\Program Files (x86)\The predictor 7.6.3.8\The predictor 7.6.3.8\Package\msnmsgr.exe
    Filesize

    2.4MB

    MD5

    8395c8c5b1fcf34609425b1addd5b8a6

    SHA1

    50a5ad649569cd0523bce4e34dc88b151c9f2823

    SHA256

    a01518c57c2b3203a19cf515a749abe47da16fd8a3e23f8194bdc88f41e65cf0

    SHA512

    5f1d69ace1473a2cf1fbd0f00f7c261a9cd42952aba73066b2f5f344e32ad2ed67eae7990f1c65af11373607253536db5acb8fd121bc6efa51f492a3871ddd1f

    Download Submit
  • C:\Program Files (x86)\The predictor 7.6.3.8\The predictor 7.6.3.8\Package\msvcr80.dll
    Filesize

    612KB

    MD5

    43143abb001d4211fab627c136124a44

    SHA1

    edb99760ae04bfe68aaacf34eb0287a3c10ec885

    SHA256

    cb8928ff2faf2921b1eddc267dce1bb64e6fee4d15b68cd32588e0f3be116b03

    SHA512

    ced96ca5d1e2573dbf21875cf98a8fcb86b5bcdca4c041680a9cb87374378e04835f02ab569d5243608c68feb2e9b30ffe39feb598f5081261a57d1ce97556a6

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\2817b5f2
    Filesize

    952KB

    MD5

    c0894199768f95a8b049759dba85796b

    SHA1

    8548897bc1c99ffffd84354e1c5e2d1cdfe89cde

    SHA256

    7145dab8758ecb3b85991ace4c79b7cb289dd30b9448277e24ce8e3998268512

    SHA512

    97d21a2313f277fa548dd5154bc41ce48ea5688176caa1b5a82f7b415c407ac9c91f3c2bf23f9f15e7ada0cde0d6552f0adaf39bf6010153ae50984f94f4dc00

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\MSI65476.LOG
    Filesize

    21KB

    MD5

    db4efcdd8842795806d48b71ce12e9c5

    SHA1

    44f104cdbe15b2e260812dd655d0741201e2039c

    SHA256

    5cd9fc021cdccd10485986b2de962f4cffdd6300e7e90a470e6596173a3ce454

    SHA512

    57383fde6b447e9695965414900f7c26898a9694529cac89a467c13d1574b1fce505b4b0abc7e440ccfbcbbf749892b73e5dee43d85c9077260a7988d8b04ba6

    Download Submit
  • C:\Users\Admin\AppData\Local\TtlsExt\apophyge.xlsx
    Filesize

    4.0MB

    MD5

    a89914a5187fa366ae818b38685db30c

    SHA1

    c24d7c520aa341ea664f253fd781961513ac01e7

    SHA256

    694d4f9c60fdc0f623b54e04664864d7afdafc9b15791bae3fd49f2caa4c2321

    SHA512

    e6f90599e1b60ff028987cc4808b5c34525e99c9d2c22772cea35dd393b4945a9b707d8b0bfb3f35c5ac12eb40089391f85fc2594aee8c98663b4a4095a092ff

    Download Submit
  • C:\Users\Admin\AppData\Local\TtlsExt\msnmsgr.exe
    Filesize

    747KB

    MD5

    fd21013ea2a3aa5894f53debc9c2a5ce

    SHA1

    569833864929c5e04e78b6497359acbb282a9763

    SHA256

    3ba265ac45ef7871f8b5ed9a6d23822a91b45a0e36a745d850d526df1ccb6255

    SHA512

    0378785399fb053b11734248e18d9e2811263a4a89f16d2adba54e68de6f3625c626da8cab9da78b23c238c80c526bca7462a5f66379436b4d234813fc73ed12

    Download Submit
  • C:\Users\Admin\AppData\Local\TtlsExt\msnmsgr.exe
    Filesize

    5.0MB

    MD5

    e0f0f7384a3abcf7d780fa64ea5c81b8

    SHA1

    2ad44b65911b9bb446a883cdb381c6ce55ff99b7

    SHA256

    afd8dec2a411fcece7f757cf22e5e8cbaac86f1ce174875ea67112cee99160d7

    SHA512

    35847ddb841c032f7848e827828feea72712e9983ab2eca2cb1ba5c335c9ca6c71e370e34cd103bf4235ed21a45c4e53eb95f56d12245b2fb0be29372e11b28f

    Download Submit
  • C:\Windows\Installer\MSI56D7.tmp
    Filesize

    557KB

    MD5

    2c9c51ac508570303c6d46c0571ea3a1

    SHA1

    e3e0fe08fa11a43c8bca533f212bdf0704c726d5

    SHA256

    ff86c76a8d5846b3a1ad58ff2fd8e5a06a84eb5899cdee98e59c548d33335550

    SHA512

    df5f1def5aac44f39a2dfde9c6c73f15f83a7374b4ad42b67e425ccb7ac99a64c5701b676ae46d2f7167a04a955158031a839e7878d100aaf8fab0ce2059f127

    Download Submit
  • C:\Windows\Installer\MSI5A90.tmp
    Filesize

    1.1MB

    MD5

    7768d9d4634bf3dc159cebb6f3ea4718

    SHA1

    a297e0e4dd61ee8f5e88916af1ee6596cd216f26

    SHA256

    745de246181eb58f48224e6433c810ffbaa67fba330c616f03a7361fb1edb121

    SHA512

    985bbf38667609f6a422a22af34d9382ae4112e7995f87b6053a683a0aaa647e17ba70a7a83b5e1309f201fc12a53db3c13ffd2b0fad44c1374fff6f07059cbf

    Download Submit
  • \Program Files (x86)\The predictor 7.6.3.8\The predictor 7.6.3.8\Package\contactsUX.dll
    Filesize

    331KB

    MD5

    54ee6a204238313dc6aca21c7e036c17

    SHA1

    531fd1c18e2e4984c72334eb56af78a1048da6c7

    SHA256

    0abf68b8409046a1555d48ac506fd26fda4b29d8d61e07bc412a4e21de2782fd

    SHA512

    19a2e371712aab54b75059d39a9aea6e7de2eb69b3ffc0332e60df617ebb9de61571b2ca722cddb75c9cbc79f8200d03f73539f21f69366eae3c7641731c7820

    Download Submit
  • \Users\Admin\AppData\Local\TtlsExt\msnmsgr.exe
    Filesize

    5.5MB

    MD5

    537915708fe4e81e18e99d5104b353ed

    SHA1

    128ddb7096e5b748c72dc13f55b593d8d20aa3fb

    SHA256

    6dc7275f2143d1de0ca66c487b0f2ebff3d4c6a79684f03b9619bf23143ecf74

    SHA512

    9ceaaf7aa5889be9f5606646403133782d004b9d78ef83d7007dfce67c0f4f688d7931aebc74f1fc30aac2f1dd6281bdadfb52bc3ea46aca33b334adb4067ae2

    Download Submit
  • memory/440-78-0x00000000751C0000-0x00000000752B0000-memory.dmp
    Filesize

    960KB

    Download
  • memory/440-87-0x00000000751C0000-0x00000000752B0000-memory.dmp
    Filesize

    960KB

    Download
  • memory/440-79-0x00000000751C0000-0x00000000752B0000-memory.dmp
    Filesize

    960KB

    Download
  • memory/1076-148-0x0000000000400000-0x00000000007CF000-memory.dmp
    Filesize

    3.8MB

    Download
  • memory/1076-147-0x0000000000400000-0x00000000007CF000-memory.dmp
    Filesize

    3.8MB

    Download
  • memory/1076-146-0x00000000009E0000-0x0000000000C61000-memory.dmp
    Filesize

    2.5MB

    Download
  • memory/1076-143-0x0000000000400000-0x00000000007CF000-memory.dmp
    Filesize

    3.8MB

    Download
  • memory/1076-142-0x0000000077260000-0x0000000077409000-memory.dmp
    Filesize

    1.7MB

    Download
  • memory/1116-141-0x0000000002000000-0x00000000020F0000-memory.dmp
    Filesize

    960KB

    Download
  • memory/1116-139-0x0000000002000000-0x00000000020F0000-memory.dmp
    Filesize

    960KB

    Download
  • memory/1116-91-0x0000000077260000-0x0000000077409000-memory.dmp
    Filesize

    1.7MB

    Download
  • memory/1660-140-0x0000000140000000-0x00000001405E8000-memory.dmp
    Filesize

    5.9MB

    Download
  • memory/1660-89-0x0000000140000000-0x00000001405E8000-memory.dmp
    Filesize

    5.9MB

    Download
  • memory/1660-88-0x0000000140000000-0x00000001405E8000-memory.dmp
    Filesize

    5.9MB

    Download