Analysis
- max time kernel: 145s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20231222-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25-01-2024 18:37
Behavioral task
- behavioral1
- Sample: 7538dd6e69d0c65d2dc0eb091c3ced18.msi
- Resource: win7-20231215-en
General
- Target: 7538dd6e69d0c65d2dc0eb091c3ced18.msi
- Size: 3.8MB
- MD5: 7538dd6e69d0c65d2dc0eb091c3ced18
- SHA1: 9d91e4cc3c59c258ae2655119692c13c899d68d2
- SHA256: 142a30f9ba3c2e1efbdf15241721da3b20d7b6436761d3eaafdcc095dc681fc4
- SHA512: 935aed41fbc1bb42cdc4b2c10fd306286642428c017248a71297d7674439415a410464a75b0529eec4b7a98f052408afcde24a501f6970fa405d642aafadb6c6
- SSDEEP: 98304:D77Pmq33rE/JDLPWZADUGer7B6iY74M/mmlwXVZaFB:L+R/eZADUXR
Malware Config
Extracted
- family: bitrat
- version: 1.38
- C2: 79.134.225.73:19099
- communication_password: 411f9a6dd54344976e951469585a6963
- tor_process: tor
Signatures
-
Executes dropped EXE (1 IoC)
pid | Process
3568 | MSI63EB.tmp
-
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger (4 IoCs)
pid | Process
3568 | MSI63EB.tmp
3568 | MSI63EB.tmp
3568 | MSI63EB.tmp
3568 | MSI63EB.tmp
-
Drops file in Windows directory (8 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
File opened for modification | C:\Windows\Installer\ | msiexec.exe
File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
File created | C:\Windows\Installer\SourceHash{29EF7317-DCA1-4159-97B2-C883AD400AC6} | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI63AB.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI63EB.tmp | msiexec.exe
File created | C:\Windows\Installer\e57630f.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\e57630f.msi | msiexec.exe
-
Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000da362e54a03ebf190000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000da362e540000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900da362e54000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1dda362e54000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000da362e5400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | vssvc.exe
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | vssvc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | vssvc.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr | vssvc.exe
-
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
3448 | msiexec.exe
3448 | msiexec.exe
-
Suspicious use of AdjustPrivilegeToken (52 IoCs)
description | pid | Process
Token: SeShutdownPrivilege | 3020 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 3020 | msiexec.exe
Token: SeSecurityPrivilege | 3448 | msiexec.exe
Token: SeCreateTokenPrivilege | 3020 | msiexec.exe
Token: SeAssignPrimaryTokenPrivilege | 3020 | msiexec.exe
Token: SeLockMemoryPrivilege | 3020 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 3020 | msiexec.exe
Token: SeMachineAccountPrivilege | 3020 | msiexec.exe
Token: SeTcbPrivilege | 3020 | msiexec.exe
Token: SeSecurityPrivilege | 3020 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 3020 | msiexec.exe
Token: SeLoadDriverPrivilege | 3020 | msiexec.exe
Token: SeSystemProfilePrivilege | 3020 | msiexec.exe
Token: SeSystemtimePrivilege | 3020 | msiexec.exe
Token: SeProfSingleProcessPrivilege | 3020 | msiexec.exe
Token: SeIncBasePriorityPrivilege | 3020 | msiexec.exe
Token: SeCreatePagefilePrivilege | 3020 | msiexec.exe
Token: SeCreatePermanentPrivilege | 3020 | msiexec.exe
Token: SeBackupPrivilege | 3020 | msiexec.exe
Token: SeRestorePrivilege | 3020 | msiexec.exe
Token: SeShutdownPrivilege | 3020 | msiexec.exe
Token: SeDebugPrivilege | 3020 | msiexec.exe
Token: SeAuditPrivilege | 3020 | msiexec.exe
Token: SeSystemEnvironmentPrivilege | 3020 | msiexec.exe
Token: SeChangeNotifyPrivilege | 3020 | msiexec.exe
Token: SeRemoteShutdownPrivilege | 3020 | msiexec.exe
Token: SeUndockPrivilege | 3020 | msiexec.exe
Token: SeSyncAgentPrivilege | 3020 | msiexec.exe
Token: SeEnableDelegationPrivilege | 3020 | msiexec.exe
Token: SeManageVolumePrivilege | 3020 | msiexec.exe
Token: SeImpersonatePrivilege | 3020 | msiexec.exe
Token: SeCreateGlobalPrivilege | 3020 | msiexec.exe
Token: SeBackupPrivilege | 4888 | vssvc.exe
Token: SeRestorePrivilege | 4888 | vssvc.exe
Token: SeAuditPrivilege | 4888 | vssvc.exe
Token: SeBackupPrivilege | 3448 | msiexec.exe
Token: SeRestorePrivilege | 3448 | msiexec.exe
Token: SeRestorePrivilege | 3448 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 3448 | msiexec.exe
Token: SeRestorePrivilege | 3448 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 3448 | msiexec.exe
Token: SeRestorePrivilege | 3448 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 3448 | msiexec.exe
Token: SeShutdownPrivilege | 3568 | MSI63EB.tmp
Token: SeBackupPrivilege | 2060 | srtasks.exe
Token: SeRestorePrivilege | 2060 | srtasks.exe
Token: SeSecurityPrivilege | 2060 | srtasks.exe
Token: SeTakeOwnershipPrivilege | 2060 | srtasks.exe
Token: SeBackupPrivilege | 2060 | srtasks.exe
Token: SeRestorePrivilege | 2060 | srtasks.exe
Token: SeSecurityPrivilege | 2060 | srtasks.exe
Token: SeTakeOwnershipPrivilege | 2060 | srtasks.exe
-
Suspicious use of FindShellTrayWindow (1 IoC)
pid | Process
3020 | msiexec.exe
-
Suspicious use of SetWindowsHookEx (2 IoCs)
pid | Process
3568 | MSI63EB.tmp
3568 | MSI63EB.tmp
-
Suspicious use of WriteProcessMemory (5 IoCs)
description | pid | Process | procid_target
PID 3448 wrote to memory of 2060 | 3448 | msiexec.exe | 99
PID 3448 wrote to memory of 2060 | 3448 | msiexec.exe | 99
PID 3448 wrote to memory of 3568 | 3448 | msiexec.exe | 100
PID 3448 wrote to memory of 3568 | 3448 | msiexec.exe | 100
PID 3448 wrote to memory of 3568 | 3448 | msiexec.exe | 100
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Windows\system32\msiexec.exe
  command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\7538dd6e69d0c65d2dc0eb091c3ced18.msi
  PID: 3020
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe
  command line: C:\Windows\system32\msiexec.exe /V
  PID: 3448
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\srtasks.exe (child of PID 3448)
    command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
    PID: 2060
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\Installer\MSI63EB.tmp (child of PID 3448)
    command line: "C:\Windows\Installer\MSI63EB.tmp"
    PID: 3568
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
- C:\Windows\system32\vssvc.exe
  command line: C:\Windows\system32\vssvc.exe
  PID: 4888
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 622KB
  MD5: 6cded6959dd71cb648451d57c7ad54f9
  SHA1: 1c7df898f185d8e698714a339a13c649d0073e7c
  SHA256: 96a07383bb98901d336d79e333a7a35bb93c3c7f2d691155c69b22da389d8be7
  SHA512: a7156072d82ff14cca9533dc9ecda923425a79eba5cd27f35a4bf8d5d7f692898fefbebaf9cf3968d5d0be0147e2a7311ed129d894cec2ca4b5f99a550cd2e38
- Filesize: 353KB
  MD5: 8bb80649caf6beb2460f7ed60e69b990
  SHA1: c4acdb55ae847c22a38856bfdd5f7a077a0a75e8
  SHA256: e76c8b4429c1c647948ee7c3ec43b1586a033fce60da5bce6b5eb2fe6be3fa10
  SHA512: 3b744fd2a7edbb401ce98c6d5f837106c8511db9b9fc3f7977016b7c2d332f58c17b12e8c53656c7ff5f9575360da50ee1af16ce8fe088fc14d249ef6070085e
- Filesize: 646KB
  MD5: 3f4c60dda9d727a7d2de4e49d5411dd7
  SHA1: f0ed7ac5e0fbdeba30677aba632ccfdb55d5a206
  SHA256: cd64af15e46bf76f3d535f0596adb072118e8b030fe0b84807e253f57075153c
  SHA512: 16a74f2fc2c0e11aa3eec79a79a7d0fd5f72749b50a74cbfb12ff4746b742b570db6ebd26f5e703f357a1a695f09cd276cd348002d62a9220d23354f19b13f99
- \??\Volume{542e36da-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{395f1825-f139-446c-a4a1-1141dced3771}_OnDiskSnapshotProp
  Filesize: 6KB
  MD5: 7e83983c675f17d042abcc86cd1009a8
  SHA1: 99e9c62bd963bd9a294d84cdb38f8fab86b8ac7c
  SHA256: 0fa3e9db9cbb64ed3d7757d3d9108db000935c761f4df59af80b899a5e2f4602
  SHA512: a8a3cb21d5c2010f44450c15afa3267f793b69d903de246bbb3ff787b919a432b70c2a4555c5d6c630255801c1532e7bd062cb096689de60de6b7ca30351e2a6