Overview

overview

10

Static

static

3

Exmip.exe

windows7-x64

10

Exmip.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    145s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags

    arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
  • submitted
    15-02-2024 12:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Exmip.exe

  • Size

    303KB

  • MD5

    05c5742158cb40afe07e715fb171adcf

  • SHA1

    3ed365cd79b36a6ca50a5d45f4c210b4b6f027d4

  • SHA256

    6e89b0c8f8078991887ba81a7e60b561b71170bef3a2440e3932d6b5293d0a07

  • SHA512

    646b3bfc0340b3372a0aee475cbad92ce44666958bb6e546b8dbc1e12a38ac9fc691bff6225e10a7ada6392067d31c0608929a92f7296b99ec37b3c276f08ce4

  • SSDEEP

    6144:7w1zfkC0CDpPIQuvryFS3Ltp4mZnOous7U4UUU3UUUs9rOA:7wxfkCPKQuToS3zZnBuiU4UUU3UUUca

Score
10/10
bitratzgratpersistencerattrojan

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

103.153.182.247:6161

Attributes
  • communication_password

    81dc9bdb52d04dc20036dbd8313ed055

  • install_dir

    Install path

  • install_file

    Install name

  • tor_process

    tor

Signatures

  • BitRAT

    BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

    trojanbitrat
  • Detect ZGRat V1 34 IoCs
  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • Drops startup file 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: RenamesItself 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Exmip.exe
    "C:\Users\Admin\AppData\Local\Temp\Exmip.exe"
    1⤵
    • Drops startup file
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1540
    • C:\Users\Admin\AppData\Local\Temp\Exmip.exe
      C:\Users\Admin\AppData\Local\Temp\Exmip.exe
      2⤵
      • Adds Run key to start application
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: RenamesItself
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:1604

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Cab1ED8.tmp
    Filesize

    65KB

    MD5

    ac05d27423a85adc1622c714f2cb6184

    SHA1

    b0fe2b1abddb97837ea0195be70ab2ff14d43198

    SHA256

    c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

    SHA512

    6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\Tar1EEB.tmp
    Filesize

    171KB

    MD5

    9c0c641c06238516f27941aa1166d427

    SHA1

    64cd549fb8cf014fcd9312aa7a5b023847b6c977

    SHA256

    4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

    SHA512

    936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

    Download Submit
  • memory/1540-69-0x0000000006200000-0x0000000006467000-memory.dmp
    Filesize

    2.4MB

    Download
  • memory/1540-37-0x0000000006200000-0x000000000646E000-memory.dmp
    Filesize

    2.4MB

    Download
  • memory/1540-1-0x0000000074810000-0x0000000074EFE000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/1540-71-0x0000000006200000-0x0000000006467000-memory.dmp
    Filesize

    2.4MB

    Download
  • memory/1540-38-0x0000000006200000-0x0000000006467000-memory.dmp
    Filesize

    2.4MB

    Download
  • memory/1540-39-0x0000000006200000-0x0000000006467000-memory.dmp
    Filesize

    2.4MB

    Download
  • memory/1540-51-0x0000000006200000-0x0000000006467000-memory.dmp
    Filesize

    2.4MB

    Download
  • memory/1540-53-0x0000000006200000-0x0000000006467000-memory.dmp
    Filesize

    2.4MB

    Download
  • memory/1540-49-0x0000000006200000-0x0000000006467000-memory.dmp
    Filesize

    2.4MB

    Download
  • memory/1540-47-0x0000000006200000-0x0000000006467000-memory.dmp
    Filesize

    2.4MB

    Download
  • memory/1540-0-0x0000000000CB0000-0x0000000000D02000-memory.dmp
    Filesize

    328KB

    Download
  • memory/1540-43-0x0000000006200000-0x0000000006467000-memory.dmp
    Filesize

    2.4MB

    Download
  • memory/1540-73-0x0000000006200000-0x0000000006467000-memory.dmp
    Filesize

    2.4MB

    Download
  • memory/1540-55-0x0000000006200000-0x0000000006467000-memory.dmp
    Filesize

    2.4MB

    Download
  • memory/1540-59-0x0000000006200000-0x0000000006467000-memory.dmp
    Filesize

    2.4MB

    Download
  • memory/1540-57-0x0000000006200000-0x0000000006467000-memory.dmp
    Filesize

    2.4MB

    Download
  • memory/1540-61-0x0000000006200000-0x0000000006467000-memory.dmp
    Filesize

    2.4MB

    Download
  • memory/1540-63-0x0000000006200000-0x0000000006467000-memory.dmp
    Filesize

    2.4MB

    Download
  • memory/1540-65-0x0000000006200000-0x0000000006467000-memory.dmp
    Filesize

    2.4MB

    Download
  • memory/1540-67-0x0000000006200000-0x0000000006467000-memory.dmp
    Filesize

    2.4MB

    Download
  • memory/1540-45-0x0000000006200000-0x0000000006467000-memory.dmp
    Filesize

    2.4MB

    Download
  • memory/1540-2-0x0000000004340000-0x0000000004380000-memory.dmp
    Filesize

    256KB

    Download
  • memory/1540-41-0x0000000006200000-0x0000000006467000-memory.dmp
    Filesize

    2.4MB

    Download
  • memory/1540-75-0x0000000006200000-0x0000000006467000-memory.dmp
    Filesize

    2.4MB

    Download
  • memory/1540-77-0x0000000006200000-0x0000000006467000-memory.dmp
    Filesize

    2.4MB

    Download
  • memory/1540-79-0x0000000006200000-0x0000000006467000-memory.dmp
    Filesize

    2.4MB

    Download
  • memory/1540-81-0x0000000006200000-0x0000000006467000-memory.dmp
    Filesize

    2.4MB

    Download
  • memory/1540-83-0x0000000006200000-0x0000000006467000-memory.dmp
    Filesize

    2.4MB

    Download
  • memory/1540-85-0x0000000006200000-0x0000000006467000-memory.dmp
    Filesize

    2.4MB

    Download
  • memory/1540-87-0x0000000006200000-0x0000000006467000-memory.dmp
    Filesize

    2.4MB

    Download
  • memory/1540-89-0x0000000006200000-0x0000000006467000-memory.dmp
    Filesize

    2.4MB

    Download
  • memory/1540-91-0x0000000006200000-0x0000000006467000-memory.dmp
    Filesize

    2.4MB

    Download
  • memory/1540-93-0x0000000006200000-0x0000000006467000-memory.dmp
    Filesize

    2.4MB

    Download
  • memory/1540-95-0x0000000006200000-0x0000000006467000-memory.dmp
    Filesize

    2.4MB

    Download
  • memory/1540-97-0x0000000006200000-0x0000000006467000-memory.dmp
    Filesize

    2.4MB

    Download
  • memory/1540-99-0x0000000006200000-0x0000000006467000-memory.dmp
    Filesize

    2.4MB

    Download
  • memory/1540-101-0x0000000006200000-0x0000000006467000-memory.dmp
    Filesize

    2.4MB

    Download
  • memory/1540-1152-0x0000000000510000-0x0000000000511000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1540-1153-0x00000000075F0000-0x00000000077E6000-memory.dmp
    Filesize

    2.0MB

    Download
  • memory/1540-1154-0x00000000007F0000-0x000000000083C000-memory.dmp
    Filesize

    304KB

    Download
  • memory/1540-1155-0x0000000074810000-0x0000000074EFE000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/1540-1156-0x0000000004340000-0x0000000004380000-memory.dmp
    Filesize

    256KB

    Download
  • memory/1540-1172-0x0000000074810000-0x0000000074EFE000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/1604-1174-0x0000000000400000-0x00000000007CE000-memory.dmp
    Filesize

    3.8MB

    Download