Overview

overview

10

Static

static

3

9d60e01d95...65.exe

windows7-x64

10

9d60e01d95...65.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15-02-2024 08:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9d60e01d9595b6c66499c8bf32c2ea65.exe

  • Size

    3.9MB

  • MD5

    9d60e01d9595b6c66499c8bf32c2ea65

  • SHA1

    619e2c8bf88d90c5982b22176597ec2525a88ce1

  • SHA256

    00f90cda9f514832ed2e3d6c232ad0677b2bad1550719cf2a02f1988980942ff

  • SHA512

    11fee982a4ded0f498b51a707e0622fc7d49de25e69bf7def6772e71997fcec18a3fc352b22eff260663f77abbda6dcc52daa406d1478d5ab02992245f7fda38

  • SSDEEP

    98304:yU2vuU2djpabFxBaSpKHm/E/QJi3WpQnoE7/AWTM7/YlnuvzKf83e:KaOFxsPH/rWpQnoEDA0+Ylnb8

Score
10/10
bitrattrojan

Malware Config

Signatures

  • BitRAT

    BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

    trojanbitrat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\9d60e01d9595b6c66499c8bf32c2ea65.exe
    "C:\Users\Admin\AppData\Local\Temp\9d60e01d9595b6c66499c8bf32c2ea65.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2980
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C schtasks /create /tn T1053_005_OnLogon /sc onlogon /tr C:\Windows\PermanentControl\HPAp47C6WJ.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4300
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /create /tn T1053_005_OnLogon /sc onlogon /tr C:\Windows\PermanentControl\HPAp47C6WJ.exe
        3⤵
        • Creates scheduled task(s)
        PID:4808
    • C:\Windows\PermanentControl\HPAp47C6WJ.exe
      "C:\Windows\PermanentControl\HPAp47C6WJ.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:5112
      • C:\Windows\SysWOW64\attrib.exe
        "C:\Windows\System32\attrib.exe"
        3⤵
        • Views/modifies file attributes
        PID:2092
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2980 -s 2360
      2⤵
      • Program crash
      PID:3988
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2980 -ip 2980
    1⤵
      PID:2912

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1xbugkkz.bpq.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • C:\Windows\PermanentControl\HPAp47C6WJ.exe
      Filesize

      3.8MB

      MD5

      82f82ee7ea7cc9905942913e34fc9559

      SHA1

      1b49e6d4efba70b64eb183ea0e03788dd7a27a02

      SHA256

      dff77567e77fb1fc95fb29a971fb6a6bd8c9b0fddd45328634d98ecd865ed1cf

      SHA512

      3889a6587daf4f66bc05644c9f27d350d8501631bbfc2a096652170f41f53bb8c07ec681ed99edd1bb4c1725e1b8d9fa7ccdeae8d7ff433840894412392f35c4

      Download Submit

    • memory/2980-24-0x000000000A000000-0x000000000A5A4000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/2980-5-0x0000000007930000-0x0000000007D04000-memory.dmp

      Filesize

      3.8MB

      Download

    • memory/2980-0-0x0000000074410000-0x0000000074BC0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/2980-27-0x0000000005240000-0x0000000005250000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2980-6-0x0000000005240000-0x0000000005250000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2980-7-0x0000000005240000-0x0000000005250000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2980-8-0x00000000086A0000-0x0000000008CC8000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/2980-2-0x0000000005240000-0x0000000005250000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2980-18-0x00000000082B0000-0x00000000082CA000-memory.dmp

      Filesize

      104KB

      Download

    • memory/2980-19-0x0000000008D10000-0x0000000008D46000-memory.dmp

      Filesize

      216KB

      Download

    • memory/2980-20-0x00000000093D0000-0x0000000009A4A000-memory.dmp

      Filesize

      6.5MB

      Download

    • memory/2980-23-0x0000000009000000-0x0000000009066000-memory.dmp

      Filesize

      408KB

      Download

    • memory/2980-22-0x0000000008E80000-0x0000000008EA2000-memory.dmp

      Filesize

      136KB

      Download

    • memory/2980-21-0x0000000008EF0000-0x0000000008F86000-memory.dmp

      Filesize

      600KB

      Download

    • memory/2980-26-0x0000000009070000-0x00000000090BA000-memory.dmp

      Filesize

      296KB

      Download

    • memory/2980-25-0x0000000008F90000-0x0000000008FAE000-memory.dmp

      Filesize

      120KB

      Download

    • memory/2980-4-0x0000000006970000-0x0000000006D47000-memory.dmp

      Filesize

      3.8MB

      Download

    • memory/2980-28-0x0000000009B90000-0x0000000009EE4000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/2980-3-0x00000000013B0000-0x00000000013B1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2980-29-0x000000000A5B0000-0x000000000A616000-memory.dmp

      Filesize

      408KB

      Download

    • memory/2980-30-0x000000000A650000-0x000000000A672000-memory.dmp

      Filesize

      136KB

      Download

    • memory/2980-31-0x000000000A780000-0x000000000A7CC000-memory.dmp

      Filesize

      304KB

      Download

    • memory/2980-32-0x000000007FC30000-0x000000007FC40000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2980-42-0x000000000BB90000-0x000000000BBAE000-memory.dmp

      Filesize

      120KB

      Download

    • memory/2980-43-0x000000000BC10000-0x000000000BCB3000-memory.dmp

      Filesize

      652KB

      Download

    • memory/2980-44-0x000000000BE00000-0x000000000BE0A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2980-45-0x000000000BFE0000-0x000000000BFF1000-memory.dmp

      Filesize

      68KB

      Download

    • memory/2980-46-0x000000000C010000-0x000000000C01E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/2980-47-0x000000000C020000-0x000000000C034000-memory.dmp

      Filesize

      80KB

      Download

    • memory/2980-48-0x000000000C070000-0x000000000C08A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/2980-49-0x000000000C090000-0x000000000C098000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2980-1-0x00000000004B0000-0x0000000000890000-memory.dmp

      Filesize

      3.9MB

      Download

    • memory/2980-65-0x0000000074410000-0x0000000074BC0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/5112-62-0x0000000000590000-0x0000000000962000-memory.dmp

      Filesize

      3.8MB

      Download

    • memory/5112-64-0x0000000074410000-0x0000000074BC0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/5112-61-0x0000000074410000-0x0000000074BC0000-memory.dmp

      Filesize

      7.7MB

      Download