Analysis

  • max time kernel
    145s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25-01-2024 18:37

General

  • Target

    7538dd6e69d0c65d2dc0eb091c3ced18.msi

  • Size

    3.8MB

  • MD5

    7538dd6e69d0c65d2dc0eb091c3ced18

  • SHA1

    9d91e4cc3c59c258ae2655119692c13c899d68d2

  • SHA256

    142a30f9ba3c2e1efbdf15241721da3b20d7b6436761d3eaafdcc095dc681fc4

  • SHA512

    935aed41fbc1bb42cdc4b2c10fd306286642428c017248a71297d7674439415a410464a75b0529eec4b7a98f052408afcde24a501f6970fa405d642aafadb6c6

  • SSDEEP

    98304:D77Pmq33rE/JDLPWZADUGer7B6iY74M/mmlwXVZaFB:L+R/eZADUXR

Score
10/10

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

79.134.225.73:19099

Attributes
  • communication_password

    411f9a6dd54344976e951469585a6963

  • tor_process

    tor

Signatures

  • BitRAT

    BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

  • Executes dropped EXE 1 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
  • Drops file in Windows directory 8 IoCs
  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 52 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\7538dd6e69d0c65d2dc0eb091c3ced18.msi
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:3020
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3448
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2060
    • C:\Windows\Installer\MSI63EB.tmp
      "C:\Windows\Installer\MSI63EB.tmp"
      2⤵
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:3568
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious use of AdjustPrivilegeToken
    PID:4888

Network

MITRE ATT&CK Matrix (ATT&CK v13)

  • Discovery
    • Query Registry (T1012), 2 hits
    • Peripheral Device Discovery (T1120), 2 hits
    • System Information Discovery (T1082), 2 hits

Downloads

  • C:\Windows\Installer\MSI63EB.tmp
    Filesize

    622KB

    MD5

    6cded6959dd71cb648451d57c7ad54f9

    SHA1

    1c7df898f185d8e698714a339a13c649d0073e7c

    SHA256

    96a07383bb98901d336d79e333a7a35bb93c3c7f2d691155c69b22da389d8be7

    SHA512

    a7156072d82ff14cca9533dc9ecda923425a79eba5cd27f35a4bf8d5d7f692898fefbebaf9cf3968d5d0be0147e2a7311ed129d894cec2ca4b5f99a550cd2e38

  • C:\Windows\Installer\MSI63EB.tmp
    Filesize

    353KB

    MD5

    8bb80649caf6beb2460f7ed60e69b990

    SHA1

    c4acdb55ae847c22a38856bfdd5f7a077a0a75e8

    SHA256

    e76c8b4429c1c647948ee7c3ec43b1586a033fce60da5bce6b5eb2fe6be3fa10

    SHA512

    3b744fd2a7edbb401ce98c6d5f837106c8511db9b9fc3f7977016b7c2d332f58c17b12e8c53656c7ff5f9575360da50ee1af16ce8fe088fc14d249ef6070085e

  • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
    Filesize

    646KB

    MD5

    3f4c60dda9d727a7d2de4e49d5411dd7

    SHA1

    f0ed7ac5e0fbdeba30677aba632ccfdb55d5a206

    SHA256

    cd64af15e46bf76f3d535f0596adb072118e8b030fe0b84807e253f57075153c

    SHA512

    16a74f2fc2c0e11aa3eec79a79a7d0fd5f72749b50a74cbfb12ff4746b742b570db6ebd26f5e703f357a1a695f09cd276cd348002d62a9220d23354f19b13f99

  • \??\Volume{542e36da-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{395f1825-f139-446c-a4a1-1141dced3771}_OnDiskSnapshotProp
    Filesize

    6KB

    MD5

    7e83983c675f17d042abcc86cd1009a8

    SHA1

    99e9c62bd963bd9a294d84cdb38f8fab86b8ac7c

    SHA256

    0fa3e9db9cbb64ed3d7757d3d9108db000935c761f4df59af80b899a5e2f4602

    SHA512

    a8a3cb21d5c2010f44450c15afa3267f793b69d903de246bbb3ff787b919a432b70c2a4555c5d6c630255801c1532e7bd062cb096689de60de6b7ca30351e2a6

  • memory/3568-13-0x0000000074860000-0x0000000074899000-memory.dmp
    Filesize

    228KB

  • memory/3568-14-0x0000000074860000-0x0000000074899000-memory.dmp
    Filesize

    228KB

  • memory/3568-12-0x00000000744C0000-0x00000000744F9000-memory.dmp
    Filesize

    228KB

  • memory/3568-17-0x0000000074860000-0x0000000074899000-memory.dmp
    Filesize

    228KB

  • memory/3568-18-0x0000000074860000-0x0000000074899000-memory.dmp
    Filesize

    228KB

  • memory/3568-23-0x0000000074860000-0x0000000074899000-memory.dmp
    Filesize

    228KB

  • memory/3568-24-0x0000000074860000-0x0000000074899000-memory.dmp
    Filesize

    228KB

  • memory/3568-25-0x0000000074860000-0x0000000074899000-memory.dmp
    Filesize

    228KB

  • memory/3568-26-0x0000000074860000-0x0000000074899000-memory.dmp
    Filesize

    228KB

  • memory/3568-27-0x0000000074860000-0x0000000074899000-memory.dmp
    Filesize

    228KB