Analysis Overview
SHA256
a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449
Threat Level: Known bad
The file a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449 was found to be: Known bad.
Malicious Activity Summary
Bitrat family
BitRAT
UPX packed file
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
ACProtect 1.3x - 1.4x DLL software
Adds Run key to start application
Looks up external IP address via web service
Suspicious use of NtSetInformationThreadHideFromDebugger
Unsigned PE
Enumerates physical storage devices
Suspicious use of SetWindowsHookEx
Modifies system certificate store
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: RenamesItself
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-05-07 12:28
Signatures
Bitrat family
Unsigned PE
No indicator, process or target detail is recorded for these static signatures.
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-07 12:28
Reported
2024-05-07 12:31
Platform
win10v2004-20240426-en
Max time kernel
146s
Max time network
150s
Command Line
Signatures
BitRAT
ACProtect 1.3x - 1.4x DLL software
7 matches recorded; the report carries no indicator, process or target detail for them.
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe | N/A |
Loads dropped DLL
UPX packed file
53 matches recorded; the report carries no indicator, process or target detail for them.
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\test1 = "C:\\Users\\Admin\\AppData\\Local\\temp\\test1" | C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | myexternalip.com | N/A | N/A |
| N/A | myexternalip.com | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
Enumerates physical storage devices
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe
"C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe"
C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc
C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc
C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| NL | 77.247.181.164:443 | | tcp |
| US | 172.98.193.43:443 | | tcp |
| N/A | 127.0.0.1:57838 | | tcp |
| FR | 212.47.233.250:9001 | | tcp |
| N/A | 127.0.0.1:45808 | | tcp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| DE | 54.36.237.163:443 | | tcp |
| DE | 131.188.40.189:443 | | tcp |
| US | 8.8.8.8:53 | 189.40.188.131.in-addr.arpa | udp |
| DE | 194.13.83.131:9001 | | tcp |
| DE | 159.69.138.31:9001 | | tcp |
| US | 8.8.8.8:53 | 131.83.13.194.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.138.69.159.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 162.237.207.53:443 | | tcp |
| US | 8.8.8.8:53 | 53.207.237.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| DE | 159.69.138.31:9001 | | tcp |
| DE | 194.13.83.131:9001 | | tcp |
| N/A | 127.0.0.1:45808 | | tcp |
| US | 8.8.8.8:53 | 107.211.222.173.in-addr.arpa | udp |
| DE | 85.215.67.227:8443 | | tcp |
| DE | 202.61.205.33:9001 | | tcp |
| US | 8.8.8.8:53 | 227.67.215.85.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 33.205.61.202.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| N/A | 127.0.0.1:57998 | | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| N/A | 127.0.0.1:45808 | | tcp |
| US | 8.8.8.8:53 | myexternalip.com | udp |
| US | 34.117.118.44:443 | myexternalip.com | tcp |
| US | 8.8.8.8:53 | 44.118.117.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.97.55.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.190.18.2.in-addr.arpa | udp |
| N/A | 127.0.0.1:58098 | | tcp |
| FR | 141.94.199.35:9001 | | tcp |
| CH | 85.195.230.249:9002 | | tcp |
| US | 8.8.8.8:53 | 35.199.94.141.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.230.195.85.in-addr.arpa | udp |
| DE | 185.94.29.162:9000 | | tcp |
| US | 8.8.8.8:53 | 162.29.94.185.in-addr.arpa | udp |
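Reading this table takes some triage. The 8.8.8.8:53 rows carrying in-addr.arpa names are the sandbox's own reverse lookups of the addresses it observed, and the bing.com traffic is typically Windows background activity on the Windows 10 image. What remains is a series of TCP connections straight to IP addresses that were never resolved by name, several on 9001 (Tor's default ORPort), spread over NL, FR, DE and CH, plus recurring loopback connections to 127.0.0.1:45808. That pattern fits the dropped binary being launched as `test2.exe -f torrc`, with the loopback port most likely a local proxy port from that torrc (an inference; the torrc content is not reproduced here). The Python below is an added example, not part of the report or of the sandbox's tooling: it parses rows in the layout used on this page (tolerating rows where the protocol has been shifted into the Domain column), labels each connection, and applies that heuristic. The sample rows are a subset copied from the table above; the thresholds in `summarize` are my choice, and `IP_CHECK_SERVICES` contains only the host the report's own signature named.

```python
from collections import Counter

# Rows copied from the behavioral1 Network table of the report (a subset).
# Some rows in the report have the Proto value shifted into the Domain
# column; parse_row accepts both layouts.
SAMPLE_ROWS = [
    "| US | 8.8.8.8:53 | g.bing.com | udp |",
    "| US | 204.79.197.237:443 | g.bing.com | tcp |",
    "| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |",
    "| NL | 77.247.181.164:443 | tcp | |",
    "| FR | 212.47.233.250:9001 | tcp | |",
    "| N/A | 127.0.0.1:45808 | tcp | |",
    "| DE | 194.13.83.131:9001 | tcp | |",
    "| DE | 159.69.138.31:9001 | tcp | |",
    "| DE | 85.215.67.227:8443 | tcp | |",
    "| US | 8.8.8.8:53 | myexternalip.com | udp |",
    "| US | 34.117.118.44:443 | myexternalip.com | tcp |",
    "| CH | 85.195.230.249:9002 | tcp | |",
]

TOR_DEFAULT_ORPORT = 9001
# External-IP services named by the report's own signature.
IP_CHECK_SERVICES = {"myexternalip.com"}


def parse_row(line):
    """Parse one '| Country | Destination | Domain | Proto |' row.

    Returns None for the header row or any row without a numeric port.
    """
    cells = [c.strip() for c in line.strip().strip("|").split("|")]
    cells += [""] * (4 - len(cells))  # tolerate a missing trailing cell
    country, dest, col3, col4 = cells[:4]
    # Shifted layout: '| NL | 1.2.3.4:443 | tcp | |' carries the protocol in column 3.
    if col3 in ("tcp", "udp") and not col4:
        domain, proto = "", col3
    else:
        domain, proto = col3, col4
    host, _, port = dest.rpartition(":")
    if not port.isdigit():
        return None
    return {"country": country, "dest_ip": host, "port": int(port),
            "domain": domain, "proto": proto}


def classify(conn):
    """Label a connection for triage."""
    if conn["proto"] == "udp" and conn["port"] == 53:
        # The sandbox reverse-resolves every IP it sees; those are not the sample's lookups.
        return "dns_ptr_noise" if conn["domain"].endswith(".in-addr.arpa") else "dns"
    if conn["dest_ip"].startswith("127."):
        return "loopback"
    if conn["domain"] in IP_CHECK_SERVICES:
        return "external_ip_lookup"
    if conn["proto"] == "tcp" and not conn["domain"]:
        # TCP to an address that was never resolved by name: typical of Tor relay connections.
        return "direct_ip_tcp"
    return "resolved_tcp"


def summarize(lines):
    """Classify every row and decide whether the pattern looks like a Tor client."""
    conns = [c for c in (parse_row(line) for line in lines) if c is not None]
    labels = [classify(c) for c in conns]
    direct = [c for c, lab in zip(conns, labels) if lab == "direct_ip_tcp"]
    countries = {c["country"] for c in direct if c["country"] != "N/A"}
    orport_hits = sum(1 for c in direct if c["port"] == TOR_DEFAULT_ORPORT)
    loopback_ports = Counter(c["port"] for c, lab in zip(conns, labels) if lab == "loopback")
    # Thresholds are an assumption of this example: several unresolved TCP peers
    # in more than one country, with at least one default-ORPort connection.
    tor_like = len(direct) >= 3 and len(countries) >= 2 and orport_hits >= 1
    return {
        "counts": dict(Counter(labels)),
        "direct_ip_countries": sorted(countries),
        "orport_hits": orport_hits,
        "loopback_ports": dict(loopback_ports),
        "tor_like": tor_like,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_ROWS).items():
        print(f"{key}: {value}")
```

Run over the full table, the same function also surfaces the 8443, 9000 and 9002 peers, which are not Tor's default port but still unresolved TCP destinations; the loopback port histogram is what tells a local proxy port (45808 here, seen repeatedly) apart from one-off ephemeral ports.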
Files
memory/432-0-0x0000000000400000-0x0000000000BD8000-memory.dmp
memory/432-1-0x00000000743F0000-0x0000000074429000-memory.dmp
C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
| MD5 | 5cfe61ff895c7daa889708665ef05d7b |
| SHA1 | 5e58efe30406243fbd58d4968b0492ddeef145f2 |
| SHA256 | f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5 |
| SHA512 | 43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da |
C:\Users\Admin\AppData\Local\d46500b0\tor\libcrypto-1_1.dll
| MD5 | 2384a02c4a1f7ec481adde3a020607d3 |
| SHA1 | 7e848d35a10bf9296c8fa41956a3daa777f86365 |
| SHA256 | c8db0ff0f7047ed91b057005e86ad3a23eae616253313aa047c560d9eb398369 |
| SHA512 | 1ac74dd2d863acd7415ef8b9490a5342865462fbabdad0645da22424b0d56f5e9c389a3d7c41386f2414d6c4715c79a6ddecb6e6cff29e98319e1fd1060f4503 |
C:\Users\Admin\AppData\Local\d46500b0\tor\libevent-2-1-6.dll
| MD5 | 099983c13bade9554a3c17484e5481f1 |
| SHA1 | a84e69ad9722f999252d59d0ed9a99901a60e564 |
| SHA256 | b65f9aa0c7912af64bd9b05e9322e994339a11b0c8907e6a6166d7b814bda838 |
| SHA512 | 89f1a963de77873296395662d4150e3eff7a2d297fb9ec54ec06aa2e40d41e5f4fc4611e9bc34126d760c9134f2907fea3bebdf2fbbd7eaddad99f8e4be1f5e2 |
C:\Users\Admin\AppData\Local\d46500b0\tor\libssp-0.dll
| MD5 | 2c916456f503075f746c6ea649cf9539 |
| SHA1 | fa1afc1f3d728c89b2e90e14ca7d88b599580a9d |
| SHA256 | cbb5236d923d4f4baf2f0d2797c72a2cbae42ef7ac0acce786daf5fdc5b456e6 |
| SHA512 | 1c1995e1aa7c33c597c64122395275861d9219e46d45277d4f1768a2e06227b353d5d77d6b7cb655082dc6fb9736ad6f7cfcc0c90e02776e27d50857e792e3fd |
C:\Users\Admin\AppData\Local\d46500b0\tor\zlib1.dll
| MD5 | add33041af894b67fe34e1dc819b7eb6 |
| SHA1 | 6db46eb021855a587c95479422adcc774a272eeb |
| SHA256 | 8688bd7ca55dcc0c23c429762776a0a43fe5b0332dfd5b79ef74e55d4bbc1183 |
| SHA512 | bafc441198d03f0e7fe804bab89283c389d38884d0f87d81b11950a9b79fcbf7b32be4bb16f4fcd9179b66f865c563c172a46b4514a6087ef0af64425a4b2cfa |
C:\Users\Admin\AppData\Local\d46500b0\tor\libgcc_s_sjlj-1.dll
| MD5 | b0d98f7157d972190fe0759d4368d320 |
| SHA1 | 5715a533621a2b642aad9616e603c6907d80efc4 |
| SHA256 | 2922193133dabab5b82088d4e87484e2fac75e9e0c765dacaf22eb5f4f18b0c5 |
| SHA512 | 41ce56c428158533bf8b8ffe0a71875b5a3abc549b88d7d3e69acc6080653abea344d6d66fff39c04bf019fcaa295768d620377d85a933ddaf17f3d90df29496 |
C:\Users\Admin\AppData\Local\d46500b0\tor\libwinpthread-1.dll
| MD5 | d407cc6d79a08039a6f4b50539e560b8 |
| SHA1 | 21171adbc176dc19aaa5e595cd2cd4bd1dfd0c71 |
| SHA256 | 92cfd0277c8781a15a0f17b7aee6cff69631b9606a001101631f04b3381efc4e |
| SHA512 | 378a10fed915591445d97c6d04e82d28008d8ea65e0e40c142b8ee59867035d561d4e103495c8f0d9c19b51597706ce0b450c25516aa0f1744579ffcd097ae0c |
memory/1928-33-0x0000000073710000-0x0000000073734000-memory.dmp
memory/1928-32-0x0000000073740000-0x0000000073789000-memory.dmp
memory/1928-31-0x0000000073790000-0x000000007385E000-memory.dmp
memory/1928-30-0x0000000073860000-0x0000000073928000-memory.dmp
memory/1928-41-0x0000000001C60000-0x0000000001F2F000-memory.dmp
C:\Users\Admin\AppData\Local\d46500b0\tor\torrc
| MD5 | 439cd73927f46fde28540391feee8477 |
| SHA1 | ee7fb2aeb7708378abda293b03f5c9ffb6dbc742 |
| SHA256 | d1604e8bdb1a544638a97aa210b3e1eb12f1f159323d6b5942e03e11eafe9f75 |
| SHA512 | c11ad07964e190696f500468d52c61d8af5f075e7828ef00d525f06937f4205ca58eb3eabe5fd9cc8fa88c1d191de919429b6bbf3cdbb2dda6eed7d1b9ca7319 |
memory/1928-40-0x00000000732A0000-0x000000007356F000-memory.dmp
memory/1928-39-0x0000000073570000-0x000000007367A000-memory.dmp
memory/1928-36-0x0000000073680000-0x0000000073708000-memory.dmp
C:\Users\Admin\AppData\Local\d46500b0\tor\libssl-1_1.dll
| MD5 | c88826ac4bb879622e43ead5bdb95aeb |
| SHA1 | 87d29853649a86f0463bfd9ad887b85eedc21723 |
| SHA256 | c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f |
| SHA512 | f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3 |
memory/1928-22-0x00000000003D0000-0x00000000007D4000-memory.dmp
memory/432-45-0x0000000072F80000-0x0000000072FB9000-memory.dmp
memory/432-46-0x0000000000400000-0x0000000000BD8000-memory.dmp
memory/1928-47-0x00000000003D0000-0x00000000007D4000-memory.dmp
memory/1928-54-0x00000000732A0000-0x000000007356F000-memory.dmp
memory/1928-53-0x0000000073570000-0x000000007367A000-memory.dmp
memory/1928-52-0x0000000073680000-0x0000000073708000-memory.dmp
memory/1928-51-0x0000000073710000-0x0000000073734000-memory.dmp
memory/1928-50-0x0000000073740000-0x0000000073789000-memory.dmp
memory/1928-49-0x0000000073790000-0x000000007385E000-memory.dmp
memory/1928-48-0x0000000073860000-0x0000000073928000-memory.dmp
memory/1928-56-0x00000000003D0000-0x00000000007D4000-memory.dmp
memory/432-55-0x0000000000400000-0x0000000000BD8000-memory.dmp
memory/1928-57-0x00000000003D0000-0x00000000007D4000-memory.dmp
memory/1928-70-0x0000000001C60000-0x0000000001F2F000-memory.dmp
C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdesc-consensus.tmp
| MD5 | 0ce4530144899e61e7151afe7810919f |
| SHA1 | f300561ff8bbd2b426926aced1e576bd2b91d001 |
| SHA256 | 59f1410ba288f348e46546682bc8ae589accfdb2abc49b0b59fed35ed9de32e5 |
| SHA512 | 595a94b645837f8627b703920cec6eda3e6103ae964c91c383679f00b712343b7f8d4656db6efdaceabe8c641cf45d6461ff77cc9fafa263880bc1a0763a83e6 |
memory/1928-77-0x00000000003D0000-0x00000000007D4000-memory.dmp
C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdescs.new
| MD5 | 711d9a80e0479063a1e00173f4bb682a |
| SHA1 | 7a271691f18783c7386a858343c0891a62bcf78b |
| SHA256 | b30f315067406639b58cff0e307018baac9483f7d3799d5db5475ebd908b999d |
| SHA512 | 3686a690949ade1880af8e78bfc7298ae449b7afeb30e9d7e3aaa5666f0b69c7c609dd369cb5cd453a9f8bdf1e89eb273237b25f67dc20174eb5390f103e61e1 |
memory/1928-102-0x00000000003D0000-0x00000000007D4000-memory.dmp
memory/432-110-0x0000000000400000-0x0000000000BD8000-memory.dmp
memory/432-111-0x00000000743B0000-0x00000000743E9000-memory.dmp
memory/1928-112-0x00000000003D0000-0x00000000007D4000-memory.dmp
memory/432-120-0x0000000000400000-0x0000000000BD8000-memory.dmp
memory/1928-121-0x00000000003D0000-0x00000000007D4000-memory.dmp
memory/1928-130-0x00000000003D0000-0x00000000007D4000-memory.dmp
memory/1928-157-0x00000000003D0000-0x00000000007D4000-memory.dmp
memory/2108-167-0x0000000073700000-0x00000000739CF000-memory.dmp
memory/2108-172-0x00000000733D0000-0x00000000734DA000-memory.dmp
memory/2108-173-0x0000000073340000-0x00000000733C8000-memory.dmp
C:\Users\Admin\AppData\Local\d46500b0\tor\data\state
| MD5 | 5c1762600cce241bfc93fd92628e0c22 |
| SHA1 | 1a6cc241b07197f3fa3fb150bc7d99d7c63f8059 |
| SHA256 | 75f6a5312b23c8a172111054a66fb49c125f051d2410cd958f342ae1522a20bf |
| SHA512 | 92dc043082edd20b083b2327657aeacf1ca07c582b11d0a343f72abc20ec1e59f420bd0a71dba59e734f3e6f8bc2a5dbfa1ba6b41637a81ebd732bee76b3ea8e |
C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-certs
| MD5 | 6bd9135a5d8ed5955c255bc35926b090 |
| SHA1 | 661aaa5ce1bda17d23095de468883a61b5095023 |
| SHA256 | bff7ae43ed21cb81ccc9b8f1eace820091181a4ab496f5e2958f274889095994 |
| SHA512 | 92f0b33410bc7cca73d52027831a0dfb9f7cadabb95faa1b50a4b81b3285b84213a4f021cdf299db1e5f4c04d4ae505e254b46b8e9ae98386409787c87e5fb31 |
memory/2108-171-0x00000000734E0000-0x0000000073504000-memory.dmp
memory/2108-170-0x0000000073510000-0x0000000073559000-memory.dmp
memory/2108-169-0x0000000073560000-0x000000007362E000-memory.dmp
memory/2108-168-0x0000000073630000-0x00000000736F8000-memory.dmp
memory/2108-166-0x00000000003D0000-0x00000000007D4000-memory.dmp
C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdescs.new
| MD5 | 592a4a63c6492c9fc610aa94dc0b6d4b |
| SHA1 | 09a1f0eff135d5f633ff9efc0c50f77ffa1052ec |
| SHA256 | f9fc02f3857047c3aafa3f5b2ddafc32009243dd4ce53023ab6d745087c14229 |
| SHA512 | 2913b0f3393c93ff7c40dbf7e76faad9a1df6890fa6373d04db41f9f233437956b50df95cea5cff9c434a7e79628339c33df9e576454b27562573b4d95152db7 |
memory/432-203-0x0000000072F10000-0x0000000072F49000-memory.dmp
memory/2108-204-0x00000000003D0000-0x00000000007D4000-memory.dmp
memory/2108-205-0x0000000073700000-0x00000000739CF000-memory.dmp
memory/2108-206-0x0000000073630000-0x00000000736F8000-memory.dmp
memory/2108-207-0x0000000073560000-0x000000007362E000-memory.dmp
memory/2108-241-0x00000000003D0000-0x00000000007D4000-memory.dmp
memory/5036-257-0x0000000073280000-0x00000000732A4000-memory.dmp
memory/5036-256-0x0000000072180000-0x0000000072208000-memory.dmp
memory/5036-255-0x0000000072210000-0x000000007231A000-memory.dmp
memory/5036-254-0x0000000073360000-0x00000000733A9000-memory.dmp
memory/5036-253-0x00000000733B0000-0x000000007347E000-memory.dmp
memory/5036-252-0x0000000073480000-0x0000000073548000-memory.dmp
memory/5036-251-0x0000000072320000-0x00000000725EF000-memory.dmp
memory/5036-250-0x00000000003D0000-0x00000000007D4000-memory.dmp
C:\Users\Admin\AppData\Local\d46500b0\tor\data\state
| MD5 | e32c935883aa01f7118b48e370f458e5 |
| SHA1 | b1955614f727a7e03d65b257059ce73d0c2ff6ea |
| SHA256 | 1296f55e714522efedd7a05bd8c15cc202a9bfe5c51c4e55aadf2f4e7f71f98a |
| SHA512 | cbbc9f6ce6081a31545b8e5e8bea966978b5457662527023a1d40fdb820bf34f8b9eef9ee42684b07f22bd26b5459c6581e1c98dc5daa0e8ff4ec8cbce608a25 |
C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdescs
| MD5 | a473ebd7468228c7aeb34939a7403436 |
| SHA1 | ad8cfa55a333769f27278d120282c0c94a0452aa |
| SHA256 | fdf652419afcf8fdbe4b65458fc2dce310afa2dcf4b32f7b737fb0151decd357 |
| SHA512 | 880718f3a6c837f2fb241c73a809c4b403d75cf32c5508f2b1ae48be3703fda7df58894fbc035347f28375ef9824f2ca3475503831f59c303a4976d24fcee166 |
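To turn the Files section into a host check, an analyst would match both the file hashes and the directory layout. The Python below is an added example, not part of the report: it carries the SHA-256 values of the nine files dropped under %LOCALAPPDATA%\d46500b0\tor\ as listed above, hashes every file under a given root, and separately flags the layout (a `torrc` beside an executable inside a `tor` directory whose parent is an eight-hex-character name), because a rebuilt sample would change the hashes but probably not the layout. Two caveats: the DLL names are the ones shipped with the Tor Expert Bundle for Windows, so a DLL-only hash match means Tor binaries are present rather than BitRAT specifically, and the Run key `test1` pointing at `%LOCALAPPDATA%\temp\test1` from the persistence signature above is a separate check this example does not cover. The eight-hex-character parent rule is my assumption from the single observed name; the `make_demo_tree` and `demo` helpers build constructed placeholder files so the block runs offline and are not part of any real detection.

```python
import hashlib
import tempfile
from pathlib import Path

# SHA-256 values of the files dropped under %LOCALAPPDATA%\d46500b0\tor\ in the
# behavioral1 run, copied from the Files section of the report.
DROPPED_FILE_SHA256 = {
    "f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5": "test2.exe",
    "c8db0ff0f7047ed91b057005e86ad3a23eae616253313aa047c560d9eb398369": "libcrypto-1_1.dll",
    "b65f9aa0c7912af64bd9b05e9322e994339a11b0c8907e6a6166d7b814bda838": "libevent-2-1-6.dll",
    "cbb5236d923d4f4baf2f0d2797c72a2cbae42ef7ac0acce786daf5fdc5b456e6": "libssp-0.dll",
    "8688bd7ca55dcc0c23c429762776a0a43fe5b0332dfd5b79ef74e55d4bbc1183": "zlib1.dll",
    "2922193133dabab5b82088d4e87484e2fac75e9e0c765dacaf22eb5f4f18b0c5": "libgcc_s_sjlj-1.dll",
    "92cfd0277c8781a15a0f17b7aee6cff69631b9606a001101631f04b3381efc4e": "libwinpthread-1.dll",
    "c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f": "libssl-1_1.dll",
    "d1604e8bdb1a544638a97aa210b3e1eb12f1f159323d6b5942e03e11eafe9f75": "torrc",
}


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large binaries do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def _is_hex_name(name, length=8):
    # Assumption of this example: the per-install directory is 8 hex characters,
    # generalised from the single observed name 'd46500b0'.
    return len(name) == length and all(c in "0123456789abcdef" for c in name.lower())


def sweep(root, known_hashes=DROPPED_FILE_SHA256):
    """Return hash matches and layout matches found under root."""
    root = Path(root)
    hash_hits, layout_hits = [], []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        digest = sha256_file(path)
        if digest in known_hashes:
            hash_hits.append((str(path), known_hashes[digest], digest))
        # Layout check: <8 hex>\tor\torrc next to at least one .exe, the structure
        # recorded in the report ("test2.exe" -f torrc).
        if path.name.lower() == "torrc" and path.parent.name.lower() == "tor":
            exes = sorted(p.name for p in path.parent.glob("*.exe"))
            if _is_hex_name(path.parent.parent.name) and exes:
                layout_hits.append((str(path.parent), exes))
    return {"hash_hits": hash_hits, "layout_hits": layout_hits}


def make_demo_tree(root):
    """Build a constructed directory mimicking the report's layout.

    File contents are placeholders, not the real dropped files; the returned
    dict maps the placeholder executable's hash to its name so the hash path
    of sweep() can be exercised offline.
    """
    tor_dir = Path(root) / "d46500b0" / "tor"
    tor_dir.mkdir(parents=True)
    fake_exe = b"MZ" + b"\x00" * 62  # placeholder bytes, not a real PE
    (tor_dir / "test2.exe").write_bytes(fake_exe)
    (tor_dir / "torrc").write_bytes(b"# placeholder torrc (constructed)\n")
    (Path(root) / "unrelated.txt").write_bytes(b"nothing to see here\n")
    return {hashlib.sha256(fake_exe).hexdigest(): "test2.exe"}


def demo():
    """Sweep a constructed tree once with demo hashes and once with the report's IOCs."""
    with tempfile.TemporaryDirectory() as tmp:
        demo_hashes = make_demo_tree(tmp)
        return {"demo": sweep(tmp, demo_hashes), "report_iocs": sweep(tmp)}


if __name__ == "__main__":
    for run, result in demo().items():
        print(run, result)
```

On a real host, run `sweep` against the user's AppData\Local directory; a layout hit without any hash hit is the case to expect if the operator has rebuilt or updated the bundled Tor, and a hash hit on the DLLs alone should be read with the Tor-Expert-Bundle caveat above in mind.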
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-07 12:28
Reported
2024-05-07 12:31
Platform
win7-20240419-en
Max time kernel
145s
Max time network
150s
Command Line
Signatures
BitRAT
ACProtect 1.3x - 1.4x DLL software
7 matches recorded; the report carries no indicator, process or target detail for them.
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe | N/A |
Loads dropped DLL
UPX packed file
64 matches recorded; the report carries no indicator, process or target detail for them.
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\test1 = "C:\\Users\\Admin\\AppData\\Local\\temp\\test1" | C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | myexternalip.com | N/A | N/A |
| N/A | myexternalip.com | N/A | N/A |
| N/A | myexternalip.com | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
Enumerates physical storage devices
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 | C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = (certificate blob not reproduced in this report) | C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe | N/A |
This signature fires only in the Windows 7 run, not in the Windows 10 run. CABD2A79A1076A31F21D253635CB039D4329A5E8 matches the published SHA-1 thumbprint of the ISRG Root X1 certificate (Let's Encrypt), and the same run makes HTTPS connections to myexternalip.com; Windows' automatic root certificate update installing a public root that the Windows 7 image lacked during TLS validation is the simpler explanation. Compare the stored blob against that root before treating the entry as an attacker-installed certificate.
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe
"C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe"
C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc
C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc
C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc
C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc
Network
| Country | Destination | Domain | Proto |
| N/A | 127.0.0.1:49235 | | tcp |
| US | 50.7.74.171:9001 | | tcp |
| BG | 213.183.60.21:443 | | tcp |
| NL | 77.247.181.162:443 | | tcp |
| N/A | 127.0.0.1:45808 | | tcp |
| GB | 51.38.65.160:9001 | | tcp |
| NL | 45.66.33.45:443 | | tcp |
| N/A | 127.0.0.1:45808 | | tcp |
| IT | 95.141.32.124:44444 | | tcp |
| FR | 51.159.211.57:9001 | | tcp |
| N/A | 127.0.0.1:49332 | | tcp |
| CA | 158.69.205.92:9001 | | tcp |
| DE | 87.118.88.94:443 | | tcp |
| CA | 158.69.205.92:9001 | | tcp |
| DE | 87.118.88.94:443 | | tcp |
| N/A | 127.0.0.1:45808 | | tcp |
| US | 8.8.8.8:53 | myexternalip.com | udp |
| US | 34.117.118.44:443 | myexternalip.com | tcp |
| DE | 46.4.66.178:9001 | | tcp |
| N/A | 127.0.0.1:49433 | | tcp |
| CA | 158.69.205.92:9001 | | tcp |
| NO | 88.90.162.62:443 | | tcp |
| N/A | 127.0.0.1:45808 | | tcp |
| US | 34.117.118.44:443 | myexternalip.com | tcp |
| N/A | 127.0.0.1:49525 | | tcp |
| DE | 51.68.185.82:8081 | | tcp |
| CA | 158.69.205.92:9001 | | tcp |
| DE | 46.4.66.178:9001 | | tcp |
Files
memory/2052-0-0x0000000000400000-0x0000000000BD8000-memory.dmp
\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
| MD5 | 5cfe61ff895c7daa889708665ef05d7b |
| SHA1 | 5e58efe30406243fbd58d4968b0492ddeef145f2 |
| SHA256 | f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5 |
| SHA512 | 43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da |
memory/2052-17-0x0000000004000000-0x0000000004404000-memory.dmp
C:\Users\Admin\AppData\Local\d46500b0\tor\libcrypto-1_1.dll
| MD5 | 2384a02c4a1f7ec481adde3a020607d3 |
| SHA1 | 7e848d35a10bf9296c8fa41956a3daa777f86365 |
| SHA256 | c8db0ff0f7047ed91b057005e86ad3a23eae616253313aa047c560d9eb398369 |
| SHA512 | 1ac74dd2d863acd7415ef8b9490a5342865462fbabdad0645da22424b0d56f5e9c389a3d7c41386f2414d6c4715c79a6ddecb6e6cff29e98319e1fd1060f4503 |
memory/2148-21-0x00000000000D0000-0x00000000004D4000-memory.dmp
memory/2052-20-0x0000000004000000-0x0000000004404000-memory.dmp
C:\Users\Admin\AppData\Local\d46500b0\tor\libssp-0.dll
| MD5 | 2c916456f503075f746c6ea649cf9539 |
| SHA1 | fa1afc1f3d728c89b2e90e14ca7d88b599580a9d |
| SHA256 | cbb5236d923d4f4baf2f0d2797c72a2cbae42ef7ac0acce786daf5fdc5b456e6 |
| SHA512 | 1c1995e1aa7c33c597c64122395275861d9219e46d45277d4f1768a2e06227b353d5d77d6b7cb655082dc6fb9736ad6f7cfcc0c90e02776e27d50857e792e3fd |
C:\Users\Admin\AppData\Local\d46500b0\tor\libevent-2-1-6.dll
| MD5 | 099983c13bade9554a3c17484e5481f1 |
| SHA1 | a84e69ad9722f999252d59d0ed9a99901a60e564 |
| SHA256 | b65f9aa0c7912af64bd9b05e9322e994339a11b0c8907e6a6166d7b814bda838 |
| SHA512 | 89f1a963de77873296395662d4150e3eff7a2d297fb9ec54ec06aa2e40d41e5f4fc4611e9bc34126d760c9134f2907fea3bebdf2fbbd7eaddad99f8e4be1f5e2 |
C:\Users\Admin\AppData\Local\d46500b0\tor\libwinpthread-1.dll
| MD5 | d407cc6d79a08039a6f4b50539e560b8 |
| SHA1 | 21171adbc176dc19aaa5e595cd2cd4bd1dfd0c71 |
| SHA256 | 92cfd0277c8781a15a0f17b7aee6cff69631b9606a001101631f04b3381efc4e |
| SHA512 | 378a10fed915591445d97c6d04e82d28008d8ea65e0e40c142b8ee59867035d561d4e103495c8f0d9c19b51597706ce0b450c25516aa0f1744579ffcd097ae0c |
C:\Users\Admin\AppData\Local\d46500b0\tor\libssl-1_1.dll
| MD5 | c88826ac4bb879622e43ead5bdb95aeb |
| SHA1 | 87d29853649a86f0463bfd9ad887b85eedc21723 |
| SHA256 | c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f |
| SHA512 | f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3 |
C:\Users\Admin\AppData\Local\d46500b0\tor\zlib1.dll
| MD5 | add33041af894b67fe34e1dc819b7eb6 |
| SHA1 | 6db46eb021855a587c95479422adcc774a272eeb |
| SHA256 | 8688bd7ca55dcc0c23c429762776a0a43fe5b0332dfd5b79ef74e55d4bbc1183 |
| SHA512 | bafc441198d03f0e7fe804bab89283c389d38884d0f87d81b11950a9b79fcbf7b32be4bb16f4fcd9179b66f865c563c172a46b4514a6087ef0af64425a4b2cfa |
memory/2148-40-0x0000000073D50000-0x0000000073E1E000-memory.dmp
memory/2148-41-0x0000000074A20000-0x0000000074A44000-memory.dmp
memory/2148-36-0x0000000073E20000-0x0000000073EA8000-memory.dmp
memory/2148-33-0x0000000073EB0000-0x0000000073FBA000-memory.dmp
memory/2148-32-0x00000000744B0000-0x0000000074578000-memory.dmp
\Users\Admin\AppData\Local\d46500b0\tor\libgcc_s_sjlj-1.dll
| MD5 | b0d98f7157d972190fe0759d4368d320 |
| SHA1 | 5715a533621a2b642aad9616e603c6907d80efc4 |
| SHA256 | 2922193133dabab5b82088d4e87484e2fac75e9e0c765dacaf22eb5f4f18b0c5 |
| SHA512 | 41ce56c428158533bf8b8ffe0a71875b5a3abc549b88d7d3e69acc6080653abea344d6d66fff39c04bf019fcaa295768d620377d85a933ddaf17f3d90df29496 |
memory/2148-26-0x0000000074580000-0x00000000745C9000-memory.dmp
memory/2148-25-0x0000000073FC0000-0x000000007428F000-memory.dmp
C:\Users\Admin\AppData\Local\d46500b0\tor\torrc
| MD5 | 439cd73927f46fde28540391feee8477 |
| SHA1 | ee7fb2aeb7708378abda293b03f5c9ffb6dbc742 |
| SHA256 | d1604e8bdb1a544638a97aa210b3e1eb12f1f159323d6b5942e03e11eafe9f75 |
| SHA512 | c11ad07964e190696f500468d52c61d8af5f075e7828ef00d525f06937f4205ca58eb3eabe5fd9cc8fa88c1d191de919429b6bbf3cdbb2dda6eed7d1b9ca7319 |
memory/2052-45-0x0000000004000000-0x0000000004404000-memory.dmp
memory/2052-46-0x0000000000400000-0x0000000000BD8000-memory.dmp
memory/2148-47-0x00000000000D0000-0x00000000004D4000-memory.dmp
memory/2148-48-0x0000000073FC0000-0x000000007428F000-memory.dmp
memory/2148-49-0x00000000000D0000-0x00000000004D4000-memory.dmp
memory/2148-55-0x0000000073D50000-0x0000000073E1E000-memory.dmp
memory/2148-54-0x0000000073E20000-0x0000000073EA8000-memory.dmp
memory/2148-53-0x0000000073EB0000-0x0000000073FBA000-memory.dmp
memory/2148-52-0x00000000744B0000-0x0000000074578000-memory.dmp
memory/2148-51-0x0000000074580000-0x00000000745C9000-memory.dmp
memory/2052-57-0x0000000000400000-0x0000000000BD8000-memory.dmp
memory/2148-58-0x00000000000D0000-0x00000000004D4000-memory.dmp
memory/2052-71-0x0000000000400000-0x0000000000BD8000-memory.dmp
C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdesc-consensus.tmp
| MD5 | 0ce4530144899e61e7151afe7810919f |
| SHA1 | f300561ff8bbd2b426926aced1e576bd2b91d001 |
| SHA256 | 59f1410ba288f348e46546682bc8ae589accfdb2abc49b0b59fed35ed9de32e5 |
| SHA512 | 595a94b645837f8627b703920cec6eda3e6103ae964c91c383679f00b712343b7f8d4656db6efdaceabe8c641cf45d6461ff77cc9fafa263880bc1a0763a83e6 |
memory/2148-79-0x00000000000D0000-0x00000000004D4000-memory.dmp
C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdescs.new
| MD5 | 98a26515988b7c3c310efdc4433d92cc |
| SHA1 | 420384524eaae5e7fe05451e23253b103b5ec91d |
| SHA256 | 536634d2456cd69f078f57191aa7f65cea47b98e7812a6b6e8d5e23f7fc224b0 |
| SHA512 | bae51a706674017d00b126418cbd696e378e86e3a9fb2ef12a6fefe71261ce20f63059fc741a1fc4365e2c626d859bd73d0cabc493d677f6787a8e7bc44dc9dc |
memory/2148-89-0x00000000000D0000-0x00000000004D4000-memory.dmp
memory/2148-98-0x00000000000D0000-0x00000000004D4000-memory.dmp
memory/2336-127-0x00000000745A0000-0x00000000745C4000-memory.dmp
memory/2336-128-0x00000000000D0000-0x00000000004D4000-memory.dmp
memory/2336-126-0x0000000073FE0000-0x00000000740AE000-memory.dmp
memory/2336-125-0x00000000744A0000-0x0000000074528000-memory.dmp
memory/2336-124-0x00000000740B0000-0x00000000741BA000-memory.dmp
memory/2336-123-0x00000000741C0000-0x0000000074288000-memory.dmp
memory/2336-122-0x0000000074530000-0x0000000074579000-memory.dmp
memory/2336-121-0x0000000073CF0000-0x0000000073FBF000-memory.dmp
memory/2052-120-0x0000000004C60000-0x0000000005064000-memory.dmp
C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-certs
| MD5 | f16e5c7e94620165f8a95d088e8a9081 |
| SHA1 | 7bd75e8c1fbf5de04f2740f16ddc800bc206a4dd |
| SHA256 | f758324bb62582d5d142314dc4e3d324ea30cd93fa627689ca3891fec0b6d2f8 |
| SHA512 | 890f3f5ea06296ef02b5cd263c26ec7187927c070bf133ef8fff7e895ccb89bb41cce4a8ac131af06d4b09cf0cb57c41331913616c5c3de3f248279656f90208 |
C:\Users\Admin\AppData\Local\d46500b0\tor\data\state
| MD5 | 5c1762600cce241bfc93fd92628e0c22 |
| SHA1 | 1a6cc241b07197f3fa3fb150bc7d99d7c63f8059 |
| SHA256 | 75f6a5312b23c8a172111054a66fb49c125f051d2410cd958f342ae1522a20bf |
| SHA512 | 92dc043082edd20b083b2327657aeacf1ca07c582b11d0a343f72abc20ec1e59f420bd0a71dba59e734f3e6f8bc2a5dbfa1ba6b41637a81ebd732bee76b3ea8e |
memory/2052-142-0x0000000000400000-0x0000000000BD8000-memory.dmp
C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdescs.new
| MD5 | d8e824ab211f751aaa05b1300f60aa81 |
| SHA1 | 143efb4293afa189584ed2f4b62d379f9254b8ff |
| SHA256 | 729463208c17589439bc198ec6d0ead5288df831beb190750e5cf56b89a2b042 |
| SHA512 | 1c76d774b68579a1b644946cf332910ce87ddfd9f2a43f49bc54810727471d40d0b62045575478bf96ce54930520f5f6f08e4bd72ece6270b26d71b6dd091776 |
memory/2336-150-0x00000000741C0000-0x0000000074288000-memory.dmp
memory/2336-153-0x0000000073FE0000-0x00000000740AE000-memory.dmp
memory/2336-148-0x0000000073CF0000-0x0000000073FBF000-memory.dmp
memory/2336-147-0x00000000000D0000-0x00000000004D4000-memory.dmp
memory/2052-160-0x0000000004C60000-0x0000000005064000-memory.dmp
memory/2336-161-0x00000000000D0000-0x00000000004D4000-memory.dmp
memory/2052-179-0x0000000000BE0000-0x0000000000BEA000-memory.dmp
memory/2052-178-0x0000000000BE0000-0x0000000000BEA000-memory.dmp
memory/2336-205-0x00000000000D0000-0x00000000004D4000-memory.dmp
memory/2052-219-0x00000000058C0000-0x0000000005CC4000-memory.dmp
memory/2948-229-0x0000000074550000-0x0000000074574000-memory.dmp
memory/2948-228-0x0000000073EF0000-0x0000000073FBE000-memory.dmp
memory/2948-227-0x0000000074200000-0x0000000074288000-memory.dmp
memory/2948-226-0x0000000073FE0000-0x00000000740EA000-memory.dmp
memory/2948-225-0x00000000740F0000-0x00000000741B8000-memory.dmp
memory/2948-224-0x00000000744E0000-0x0000000074529000-memory.dmp
memory/2948-223-0x00000000731D0000-0x000000007349F000-memory.dmp
C:\Users\Admin\AppData\Local\d46500b0\tor\data\state
| MD5 | 2a10ae3e2ab4d2bb6f16fa7807975406 |
| SHA1 | 6b5503f1c73b54c0a5ec39041589b85c1c55dbbf |
| SHA256 | 13ce2cbf7f1801d116d630ae2a2736fc02e16bc751c52432f8098f51b6fd19e7 |
| SHA512 | 0b31456c8759656ed8d408202a42713e17a4ccec62edbeab97539582bdf637d97c29f772dfd75107bd12e995dd9cb15a628a686403f79a892931a0860eb7a9da |
memory/2948-220-0x00000000000D0000-0x00000000004D4000-memory.dmp
C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdescs
| MD5 | ac87b84bcb8d8734d72587dd6d86cba6 |
| SHA1 | e5a9017ddf7dcc9db5218e736bc212bf7bb62520 |
| SHA256 | f46ae5316facd896b2a556b77773a80dc469cc1d7dab9bca39a97f00fd6ef531 |
| SHA512 | 3667e8a7f4450e8ade06d46bfa3cffbcfe8d373ea26d8ffe877f4949f47f49c5ab4bc03451f008c02a49bfc51411ec63a8c9274fce88e4a0e452e36f4653fe63 |
C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdescs.new
| MD5 | 997f1adef7365489f2e9d663f91b7f46 |
| SHA1 | 89ea20560e086b608f017af91351fc3e0e560b9f |
| SHA256 | c7bb985650e54e52f42f3d53c81b9c56c26b226b61a38d762a51658add621c05 |
| SHA512 | f1705dfdb93a6197a7924eb618cf96e1ed6072b935d162e583304a70234f817684a3a3f865767772c23d0d86bee49864f30716630e9302c3b273ca1b2698e83e |
memory/2052-248-0x0000000000BE0000-0x0000000000BEA000-memory.dmp
memory/2052-247-0x0000000000BE0000-0x0000000000BEA000-memory.dmp
memory/2052-258-0x00000000058C0000-0x0000000005CC4000-memory.dmp
memory/2948-259-0x00000000000D0000-0x00000000004D4000-memory.dmp
memory/2948-260-0x00000000731D0000-0x000000007349F000-memory.dmp
memory/2052-270-0x0000000003400000-0x000000000340A000-memory.dmp
memory/2948-289-0x00000000000D0000-0x00000000004D4000-memory.dmp
memory/2052-295-0x0000000005AC0000-0x0000000005EC4000-memory.dmp
memory/2840-313-0x0000000072E70000-0x000000007313F000-memory.dmp
memory/2840-312-0x0000000074500000-0x0000000074524000-memory.dmp
memory/2840-311-0x00000000732C0000-0x000000007338E000-memory.dmp
memory/2840-310-0x0000000074130000-0x00000000741B8000-memory.dmp
memory/2840-309-0x0000000073390000-0x000000007349A000-memory.dmp
C:\Users\Admin\AppData\Local\d46500b0\tor\data\state
| MD5 | 3dfdfc6c07261c75ae63938c003b5eeb |
| SHA1 | 42e00c282186dce0ca8be68a85c59b3945dae5af |
| SHA256 | 5470ffe5d9af401d9b64348484af4354861fe62fe2215d8cade45ee9e279a8e5 |
| SHA512 | edfb4cf0be4da7a29b9b47e2d53756fd50e2e27cb9b417e04041c7e09f47df9b69d182f3b1613a96f841f688cfac008b65fa29047cd7e455963cbb94ffc604b9 |
memory/2840-307-0x0000000074020000-0x00000000740E8000-memory.dmp
memory/2840-305-0x0000000074240000-0x0000000074289000-memory.dmp
memory/2840-304-0x00000000000D0000-0x00000000004D4000-memory.dmp
C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdescs.new
| MD5 | 3e0d20f28e2f31e8c8d2694ad5b72791 |
| SHA1 | 492f611f8494c75b03cf43b2210b96c9c751c2a0 |
| SHA256 | 6d5f7d6d4e85f333197b10197952bd1a56f34b72a53b3f59d6625202bd52a82a |
| SHA512 | df7946f0e065b10a90fa200feda2c4a0ebd3e02b5de11055d2a53fb1ffcf70a17360008f59118fbf6be135bf45e89b42263c93e4a3ac353eb780701a70d6ac4a |
memory/2052-333-0x0000000003400000-0x000000000340A000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-05-07 12:28
Reported
2024-05-07 12:31
Platform
win10-20240404-en
Max time kernel
145s
Max time network
149s
Command Line
Signatures
BitRAT
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\Run\test1 = "C:\\Users\\Admin\\AppData\\Local\\temp\\test1" | C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\Run\test1 = "C:\\Users\\Admin\\AppData\\Local\\temp\\test1㐀" | C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\Run\test1 = "C:\\Users\\Admin\\AppData\\Local\\temp\\test1\uff00" | C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
Enumerates physical storage devices
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe
"C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe"
C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc
C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc
Network
| Country | Destination | Domain | Proto |
| FR | 93.115.97.242:9001 | N/A | tcp |
| N/A | 127.0.0.1:49805 | N/A | tcp |
| US | 8.8.8.8:53 | 242.97.115.93.in-addr.arpa | udp |
| FR | 37.187.20.59:443 | N/A | tcp |
| US | 8.8.8.8:53 | 59.20.187.37.in-addr.arpa | udp |
| N/A | 127.0.0.1:45808 | N/A | tcp |
| FR | 188.165.136.205:9001 | N/A | tcp |
| FI | 95.217.231.111:9001 | N/A | tcp |
| US | 8.8.8.8:53 | 111.231.217.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.136.165.188.in-addr.arpa | udp |
| N/A | 127.0.0.1:45808 | N/A | tcp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| FR | 188.165.136.205:9001 | N/A | tcp |
| FI | 95.217.231.111:9001 | N/A | tcp |
| NL | 185.67.45.99:9001 | N/A | tcp |
| US | 8.8.8.8:53 | 99.45.67.185.in-addr.arpa | udp |
| AT | 37.252.190.176:443 | N/A | tcp |
| US | 8.8.8.8:53 | 176.190.252.37.in-addr.arpa | udp |
| N/A | 127.0.0.1:49947 | N/A | tcp |
| N/A | 127.0.0.1:45808 | N/A | tcp |
Files
memory/4864-0-0x0000000000400000-0x0000000000BD8000-memory.dmp
memory/4864-1-0x00000000739E0000-0x0000000073A1A000-memory.dmp
C:\Users\Admin\AppData\Local\d46500b0\tor\libcrypto-1_1.dll
| MD5 | 2384a02c4a1f7ec481adde3a020607d3 |
| SHA1 | 7e848d35a10bf9296c8fa41956a3daa777f86365 |
| SHA256 | c8db0ff0f7047ed91b057005e86ad3a23eae616253313aa047c560d9eb398369 |
| SHA512 | 1ac74dd2d863acd7415ef8b9490a5342865462fbabdad0645da22424b0d56f5e9c389a3d7c41386f2414d6c4715c79a6ddecb6e6cff29e98319e1fd1060f4503 |
C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
| MD5 | 5cfe61ff895c7daa889708665ef05d7b |
| SHA1 | 5e58efe30406243fbd58d4968b0492ddeef145f2 |
| SHA256 | f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5 |
| SHA512 | 43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da |
C:\Users\Admin\AppData\Local\d46500b0\tor\libevent-2-1-6.dll
| MD5 | 099983c13bade9554a3c17484e5481f1 |
| SHA1 | a84e69ad9722f999252d59d0ed9a99901a60e564 |
| SHA256 | b65f9aa0c7912af64bd9b05e9322e994339a11b0c8907e6a6166d7b814bda838 |
| SHA512 | 89f1a963de77873296395662d4150e3eff7a2d297fb9ec54ec06aa2e40d41e5f4fc4611e9bc34126d760c9134f2907fea3bebdf2fbbd7eaddad99f8e4be1f5e2 |
\Users\Admin\AppData\Local\d46500b0\tor\zlib1.dll
| MD5 | add33041af894b67fe34e1dc819b7eb6 |
| SHA1 | 6db46eb021855a587c95479422adcc774a272eeb |
| SHA256 | 8688bd7ca55dcc0c23c429762776a0a43fe5b0332dfd5b79ef74e55d4bbc1183 |
| SHA512 | bafc441198d03f0e7fe804bab89283c389d38884d0f87d81b11950a9b79fcbf7b32be4bb16f4fcd9179b66f865c563c172a46b4514a6087ef0af64425a4b2cfa |
C:\Users\Admin\AppData\Local\d46500b0\tor\libgcc_s_sjlj-1.dll
| MD5 | b0d98f7157d972190fe0759d4368d320 |
| SHA1 | 5715a533621a2b642aad9616e603c6907d80efc4 |
| SHA256 | 2922193133dabab5b82088d4e87484e2fac75e9e0c765dacaf22eb5f4f18b0c5 |
| SHA512 | 41ce56c428158533bf8b8ffe0a71875b5a3abc549b88d7d3e69acc6080653abea344d6d66fff39c04bf019fcaa295768d620377d85a933ddaf17f3d90df29496 |
\Users\Admin\AppData\Local\d46500b0\tor\libwinpthread-1.dll
| MD5 | d407cc6d79a08039a6f4b50539e560b8 |
| SHA1 | 21171adbc176dc19aaa5e595cd2cd4bd1dfd0c71 |
| SHA256 | 92cfd0277c8781a15a0f17b7aee6cff69631b9606a001101631f04b3381efc4e |
| SHA512 | 378a10fed915591445d97c6d04e82d28008d8ea65e0e40c142b8ee59867035d561d4e103495c8f0d9c19b51597706ce0b450c25516aa0f1744579ffcd097ae0c |
\Users\Admin\AppData\Local\d46500b0\tor\libssl-1_1.dll
| MD5 | c88826ac4bb879622e43ead5bdb95aeb |
| SHA1 | 87d29853649a86f0463bfd9ad887b85eedc21723 |
| SHA256 | c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f |
| SHA512 | f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3 |
\Users\Admin\AppData\Local\d46500b0\tor\libssp-0.dll
| MD5 | 2c916456f503075f746c6ea649cf9539 |
| SHA1 | fa1afc1f3d728c89b2e90e14ca7d88b599580a9d |
| SHA256 | cbb5236d923d4f4baf2f0d2797c72a2cbae42ef7ac0acce786daf5fdc5b456e6 |
| SHA512 | 1c1995e1aa7c33c597c64122395275861d9219e46d45277d4f1768a2e06227b353d5d77d6b7cb655082dc6fb9736ad6f7cfcc0c90e02776e27d50857e792e3fd |
memory/3272-19-0x0000000000040000-0x0000000000444000-memory.dmp
memory/3272-33-0x0000000073930000-0x0000000073954000-memory.dmp
memory/3272-36-0x0000000072B60000-0x0000000072BE8000-memory.dmp
memory/3272-38-0x0000000073A60000-0x0000000073AA9000-memory.dmp
memory/3272-37-0x0000000072A50000-0x0000000072B5A000-memory.dmp
memory/3272-35-0x0000000072BF0000-0x0000000072EBF000-memory.dmp
memory/3272-34-0x00000000017B0000-0x0000000001A7F000-memory.dmp
memory/3272-32-0x0000000072EC0000-0x0000000072F88000-memory.dmp
memory/3272-31-0x0000000072F90000-0x000000007305E000-memory.dmp
C:\Users\Admin\AppData\Local\d46500b0\tor\torrc
| MD5 | 439cd73927f46fde28540391feee8477 |
| SHA1 | ee7fb2aeb7708378abda293b03f5c9ffb6dbc742 |
| SHA256 | d1604e8bdb1a544638a97aa210b3e1eb12f1f159323d6b5942e03e11eafe9f75 |
| SHA512 | c11ad07964e190696f500468d52c61d8af5f075e7828ef00d525f06937f4205ca58eb3eabe5fd9cc8fa88c1d191de919429b6bbf3cdbb2dda6eed7d1b9ca7319 |
memory/4864-42-0x0000000072740000-0x000000007277A000-memory.dmp
memory/4864-43-0x0000000000400000-0x0000000000BD8000-memory.dmp
memory/3272-46-0x0000000072F90000-0x000000007305E000-memory.dmp
memory/3272-48-0x0000000073930000-0x0000000073954000-memory.dmp
memory/3272-49-0x0000000072BF0000-0x0000000072EBF000-memory.dmp
memory/3272-47-0x0000000072EC0000-0x0000000072F88000-memory.dmp
memory/3272-44-0x0000000000040000-0x0000000000444000-memory.dmp
memory/4864-52-0x0000000000400000-0x0000000000BD8000-memory.dmp
memory/3272-53-0x0000000000040000-0x0000000000444000-memory.dmp
memory/3272-54-0x0000000000040000-0x0000000000444000-memory.dmp
memory/3272-62-0x00000000017B0000-0x0000000001A7F000-memory.dmp
C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdesc-consensus.tmp
| MD5 | 0ce4530144899e61e7151afe7810919f |
| SHA1 | f300561ff8bbd2b426926aced1e576bd2b91d001 |
| SHA256 | 59f1410ba288f348e46546682bc8ae589accfdb2abc49b0b59fed35ed9de32e5 |
| SHA512 | 595a94b645837f8627b703920cec6eda3e6103ae964c91c383679f00b712343b7f8d4656db6efdaceabe8c641cf45d6461ff77cc9fafa263880bc1a0763a83e6 |
memory/3272-75-0x0000000000040000-0x0000000000444000-memory.dmp
C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdescs.new
| MD5 | a5080c22bfb047d4be65e1b930272425 |
| SHA1 | e9bf86a44b9450bf61a7c8d6c271e5afec02db1a |
| SHA256 | 1784101a4dfc1ddad7683fdde42eea77634a6fd9ac76a9b171dd2f21606b558e |
| SHA512 | c671e09fbe58807f4f10591a952ca033c84aa8dd4afa361da5e96db4a8e6b5e3132d31763ca02d5d09f93e906f4fa03a45dfbdd56efb0f45decd3221ca6294d1 |
memory/3272-89-0x0000000000040000-0x0000000000444000-memory.dmp
memory/4864-97-0x0000000000400000-0x0000000000BD8000-memory.dmp
memory/4864-98-0x00000000732E0000-0x000000007331A000-memory.dmp
memory/3272-99-0x0000000000040000-0x0000000000444000-memory.dmp
memory/4864-107-0x0000000000400000-0x0000000000BD8000-memory.dmp
memory/3272-108-0x0000000000040000-0x0000000000444000-memory.dmp
memory/3272-117-0x0000000000040000-0x0000000000444000-memory.dmp
C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-certs
| MD5 | 15a4cb517fea746fb46d2540c8534b38 |
| SHA1 | 066a5e43cc2fcbf3c97545c35cb2b0336d6f3544 |
| SHA256 | c734fb00197ded964ba2a468ee7feb9b1010eb76c5f648e5219abd2920932000 |
| SHA512 | 4f824ebec5140fb98a3fb7a76e2e2421786a9092a4fb3c5f94a1afd9df3d5a3f798534230e2d43e9d37580f7ad445d1e4cd3a47a69298e2b7d8097a45bcfddb2 |
C:\Users\Admin\AppData\Local\d46500b0\tor\data\state
| MD5 | 61766f4549436bd039844c9aab81a1f3 |
| SHA1 | a928ef9167c5b6d9fc079dd89d2d5c15b0ac06c0 |
| SHA256 | 10b1311242be0fa7dc0a3f50aea370fa112569d8c29345af78e673baddef316b |
| SHA512 | ff84c2366e16e05afe22fc5b915324d743f4cf638d01ac762757a6ff44258850d30a0158a149dcccda504461a9aed0dbc0b25017a685e3e6251afdc362fe2d6a |
memory/3984-166-0x0000000072EC0000-0x0000000072F48000-memory.dmp
memory/3984-165-0x0000000073A60000-0x0000000073AA9000-memory.dmp
memory/3984-164-0x0000000073130000-0x00000000731FE000-memory.dmp
memory/3984-163-0x0000000073920000-0x00000000739E8000-memory.dmp
C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdescs.new
| MD5 | 4a4b0257a1e446ce105f1d43fb6fbcac |
| SHA1 | 1d92a5ae3d69814a130d5454384513ba97d7ac52 |
| SHA256 | df657b314876fdc383344d9cdfbdd29e9477e4f53c71684a729ac75e64e4caaa |
| SHA512 | ba91eb5c9c864700dbea47b9e4f55b7964107b122a0ae02466178233b52e63f0fe7090d7d270042430fb731840ef00d0f9fa3428812ed9fcb5463b536217ed76 |
memory/3984-162-0x0000000073200000-0x00000000734CF000-memory.dmp
memory/3984-168-0x0000000073100000-0x0000000073124000-memory.dmp
memory/3984-167-0x0000000072F50000-0x000000007305A000-memory.dmp
memory/3984-161-0x0000000000040000-0x0000000000444000-memory.dmp
memory/3272-152-0x0000000000040000-0x0000000000444000-memory.dmp
memory/4864-203-0x0000000072C30000-0x0000000072C6A000-memory.dmp
memory/3984-204-0x0000000000040000-0x0000000000444000-memory.dmp
memory/3984-205-0x0000000073200000-0x00000000734CF000-memory.dmp
memory/3984-206-0x0000000073920000-0x00000000739E8000-memory.dmp
memory/3984-207-0x0000000073130000-0x00000000731FE000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2024-05-07 12:28
Reported
2024-05-07 12:31
Platform
win10v2004-20240419-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
BitRAT
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\test1 = "C:\\Users\\Admin\\AppData\\Local\\temp\\test1" | C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | myexternalip.com | N/A | N/A |
| N/A | myexternalip.com | N/A | N/A |
| N/A | myexternalip.com | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
Enumerates physical storage devices
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe
"C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe"
C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc
C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc
C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| DE | 94.130.186.5:443 | N/A | tcp |
| US | 8.8.8.8:53 | 5.186.130.94.in-addr.arpa | udp |
| PL | 54.37.139.118:9001 | N/A | tcp |
| N/A | 127.0.0.1:63416 | N/A | tcp |
| FR | 95.128.43.164:443 | N/A | tcp |
| US | 8.8.8.8:53 | 118.139.37.54.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 164.43.128.95.in-addr.arpa | udp |
| N/A | 127.0.0.1:45808 | N/A | tcp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| ES | 212.227.43.225:443 | N/A | tcp |
| US | 89.117.145.38:443 | N/A | tcp |
| US | 8.8.8.8:53 | 225.43.227.212.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 38.145.117.89.in-addr.arpa | udp |
| US | 89.117.145.38:443 | N/A | tcp |
| ES | 212.227.43.225:443 | N/A | tcp |
| DE | 195.90.210.137:9001 | N/A | tcp |
| US | 8.8.8.8:53 | 137.210.90.195.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | myexternalip.com | udp |
| US | 34.117.118.44:443 | myexternalip.com | tcp |
| US | 8.8.8.8:53 | 44.118.117.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.97.55.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 80.190.18.2.in-addr.arpa | udp |
| N/A | 127.0.0.1:45808 | N/A | tcp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.251.17.2.in-addr.arpa | udp |
| N/A | 127.0.0.1:63588 | N/A | tcp |
| US | 147.135.65.87:8443 | N/A | tcp |
| US | 8.8.8.8:53 | 87.65.135.147.in-addr.arpa | udp |
| DE | 178.254.44.163:5126 | N/A | tcp |
| US | 8.8.8.8:53 | 163.44.254.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| N/A | 127.0.0.1:45808 | N/A | tcp |
| US | 34.117.118.44:443 | myexternalip.com | tcp |
| N/A | 127.0.0.1:63691 | N/A | tcp |
| DE | 46.4.66.178:9001 | N/A | tcp |
Files
memory/1132-0-0x0000000000400000-0x0000000000BD8000-memory.dmp
memory/1132-1-0x0000000074940000-0x0000000074979000-memory.dmp
C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
| MD5 | 5cfe61ff895c7daa889708665ef05d7b |
| SHA1 | 5e58efe30406243fbd58d4968b0492ddeef145f2 |
| SHA256 | f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5 |
| SHA512 | 43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da |
memory/632-19-0x0000000000CB0000-0x00000000010B4000-memory.dmp
C:\Users\Admin\AppData\Local\d46500b0\tor\libcrypto-1_1.dll
| MD5 | 2384a02c4a1f7ec481adde3a020607d3 |
| SHA1 | 7e848d35a10bf9296c8fa41956a3daa777f86365 |
| SHA256 | c8db0ff0f7047ed91b057005e86ad3a23eae616253313aa047c560d9eb398369 |
| SHA512 | 1ac74dd2d863acd7415ef8b9490a5342865462fbabdad0645da22424b0d56f5e9c389a3d7c41386f2414d6c4715c79a6ddecb6e6cff29e98319e1fd1060f4503 |
C:\Users\Admin\AppData\Local\d46500b0\tor\libssl-1_1.dll
| MD5 | c88826ac4bb879622e43ead5bdb95aeb |
| SHA1 | 87d29853649a86f0463bfd9ad887b85eedc21723 |
| SHA256 | c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f |
| SHA512 | f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3 |
C:\Users\Admin\AppData\Local\d46500b0\tor\zlib1.dll
| MD5 | add33041af894b67fe34e1dc819b7eb6 |
| SHA1 | 6db46eb021855a587c95479422adcc774a272eeb |
| SHA256 | 8688bd7ca55dcc0c23c429762776a0a43fe5b0332dfd5b79ef74e55d4bbc1183 |
| SHA512 | bafc441198d03f0e7fe804bab89283c389d38884d0f87d81b11950a9b79fcbf7b32be4bb16f4fcd9179b66f865c563c172a46b4514a6087ef0af64425a4b2cfa |
C:\Users\Admin\AppData\Local\d46500b0\tor\torrc
| MD5 | 439cd73927f46fde28540391feee8477 |
| SHA1 | ee7fb2aeb7708378abda293b03f5c9ffb6dbc742 |
| SHA256 | d1604e8bdb1a544638a97aa210b3e1eb12f1f159323d6b5942e03e11eafe9f75 |
| SHA512 | c11ad07964e190696f500468d52c61d8af5f075e7828ef00d525f06937f4205ca58eb3eabe5fd9cc8fa88c1d191de919429b6bbf3cdbb2dda6eed7d1b9ca7319 |
C:\Users\Admin\AppData\Local\d46500b0\tor\libgcc_s_sjlj-1.dll
| MD5 | b0d98f7157d972190fe0759d4368d320 |
| SHA1 | 5715a533621a2b642aad9616e603c6907d80efc4 |
| SHA256 | 2922193133dabab5b82088d4e87484e2fac75e9e0c765dacaf22eb5f4f18b0c5 |
| SHA512 | 41ce56c428158533bf8b8ffe0a71875b5a3abc549b88d7d3e69acc6080653abea344d6d66fff39c04bf019fcaa295768d620377d85a933ddaf17f3d90df29496 |
C:\Users\Admin\AppData\Local\d46500b0\tor\libwinpthread-1.dll
| MD5 | d407cc6d79a08039a6f4b50539e560b8 |
| SHA1 | 21171adbc176dc19aaa5e595cd2cd4bd1dfd0c71 |
| SHA256 | 92cfd0277c8781a15a0f17b7aee6cff69631b9606a001101631f04b3381efc4e |
| SHA512 | 378a10fed915591445d97c6d04e82d28008d8ea65e0e40c142b8ee59867035d561d4e103495c8f0d9c19b51597706ce0b450c25516aa0f1744579ffcd097ae0c |
C:\Users\Admin\AppData\Local\d46500b0\tor\libevent-2-1-6.dll
| MD5 | 099983c13bade9554a3c17484e5481f1 |
| SHA1 | a84e69ad9722f999252d59d0ed9a99901a60e564 |
| SHA256 | b65f9aa0c7912af64bd9b05e9322e994339a11b0c8907e6a6166d7b814bda838 |
| SHA512 | 89f1a963de77873296395662d4150e3eff7a2d297fb9ec54ec06aa2e40d41e5f4fc4611e9bc34126d760c9134f2907fea3bebdf2fbbd7eaddad99f8e4be1f5e2 |
C:\Users\Admin\AppData\Local\d46500b0\tor\libssp-0.dll
| MD5 | 2c916456f503075f746c6ea649cf9539 |
| SHA1 | fa1afc1f3d728c89b2e90e14ca7d88b599580a9d |
| SHA256 | cbb5236d923d4f4baf2f0d2797c72a2cbae42ef7ac0acce786daf5fdc5b456e6 |
| SHA512 | 1c1995e1aa7c33c597c64122395275861d9219e46d45277d4f1768a2e06227b353d5d77d6b7cb655082dc6fb9736ad6f7cfcc0c90e02776e27d50857e792e3fd |
memory/632-37-0x0000000073E40000-0x0000000073E89000-memory.dmp
memory/632-38-0x0000000073D70000-0x0000000073E38000-memory.dmp
memory/632-42-0x0000000073AD0000-0x0000000073BDA000-memory.dmp
memory/632-41-0x0000000073BE0000-0x0000000073C04000-memory.dmp
memory/632-40-0x0000000073C10000-0x0000000073C98000-memory.dmp
memory/632-39-0x0000000073CA0000-0x0000000073D6E000-memory.dmp
memory/632-44-0x0000000073800000-0x0000000073ACF000-memory.dmp
memory/632-43-0x0000000001E90000-0x000000000215F000-memory.dmp
memory/1132-45-0x00000000733F0000-0x0000000073429000-memory.dmp
memory/1132-46-0x0000000000400000-0x0000000000BD8000-memory.dmp
memory/632-47-0x0000000000CB0000-0x00000000010B4000-memory.dmp
C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdesc-consensus.tmp
| MD5 | 0ce4530144899e61e7151afe7810919f |
| SHA1 | f300561ff8bbd2b426926aced1e576bd2b91d001 |
| SHA256 | 59f1410ba288f348e46546682bc8ae589accfdb2abc49b0b59fed35ed9de32e5 |
| SHA512 | 595a94b645837f8627b703920cec6eda3e6103ae964c91c383679f00b712343b7f8d4656db6efdaceabe8c641cf45d6461ff77cc9fafa263880bc1a0763a83e6 |
memory/1132-64-0x0000000000400000-0x0000000000BD8000-memory.dmp
C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdescs.new
| MD5 | 80ccc45b4a290d0707b8a57f0bb5fcad |
| SHA1 | 3d06dc63f241fddb04ceeab90a1ec5a28aa51877 |
| SHA256 | d21bb1ff393e87cc97ca5c26e7ef7e77eec828b89555c59fc1d446249fc3038a |
| SHA512 | 12fe4089f33bf31541877ec932f4e9417a6f011d5e1b92f9e745d5cd6bfa31d6fe6fb2bc8fbadc0fa20452eecabf7e3b12c2cd6d5548ecc202e7a46f42fb3391 |
memory/632-80-0x0000000000CB0000-0x00000000010B4000-memory.dmp
memory/632-88-0x0000000000CB0000-0x00000000010B4000-memory.dmp
memory/632-90-0x0000000000CB0000-0x00000000010B4000-memory.dmp
memory/1132-104-0x0000000000400000-0x0000000000BD8000-memory.dmp
memory/632-105-0x0000000000CB0000-0x00000000010B4000-memory.dmp
memory/1132-113-0x0000000073F70000-0x0000000073FA9000-memory.dmp
memory/1132-114-0x0000000000400000-0x0000000000BD8000-memory.dmp
memory/632-115-0x0000000000CB0000-0x00000000010B4000-memory.dmp
memory/632-124-0x0000000000CB0000-0x00000000010B4000-memory.dmp
memory/632-133-0x0000000000CB0000-0x00000000010B4000-memory.dmp
memory/632-159-0x0000000000CB0000-0x00000000010B4000-memory.dmp
memory/4264-168-0x0000000000CB0000-0x00000000010B4000-memory.dmp
memory/4264-174-0x0000000073890000-0x000000007399A000-memory.dmp
memory/4264-175-0x0000000073800000-0x0000000073888000-memory.dmp
memory/4264-173-0x00000000739A0000-0x00000000739C4000-memory.dmp
memory/4264-172-0x00000000739D0000-0x0000000073A19000-memory.dmp
memory/4264-171-0x0000000073A20000-0x0000000073AEE000-memory.dmp
memory/4264-170-0x0000000073AF0000-0x0000000073BB8000-memory.dmp
memory/4264-169-0x0000000073BC0000-0x0000000073E8F000-memory.dmp
C:\Users\Admin\AppData\Local\d46500b0\tor\data\state
| MD5 | 5c1762600cce241bfc93fd92628e0c22 |
| SHA1 | 1a6cc241b07197f3fa3fb150bc7d99d7c63f8059 |
| SHA256 | 75f6a5312b23c8a172111054a66fb49c125f051d2410cd958f342ae1522a20bf |
| SHA512 | 92dc043082edd20b083b2327657aeacf1ca07c582b11d0a343f72abc20ec1e59f420bd0a71dba59e734f3e6f8bc2a5dbfa1ba6b41637a81ebd732bee76b3ea8e |
C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-certs
| MD5 | 21f6b2a7ddbfc05964c12b75b973d1ee |
| SHA1 | dc9a8eed49c0592d58a3f6a3d7ec7c41d0f8bbcc |
| SHA256 | 0ff1cd725ff7563eb48af796cd568bf800598aee049dd89b132a667d9b8dc3d0 |
| SHA512 | 097d2bbd1c295ca5da7bf564fa3e8a3d14bfb7d57ad2411b2bf9a950e4d0a5e9fc3e4e6510460188358aef38f840215cd948bf6c720e32d6be8f850caa4800b6 |
C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdescs.new
| MD5 | 353d5d4866bbe0a58954bd22ee049208 |
| SHA1 | 6bc2f9870051e86fda9642542d29d763c90846c4 |
| SHA256 | 1a696e16262f7ccadf934a2a20f3818ab82366b56c4c9b9f01198940397b810e |
| SHA512 | 11b2807d2bfe85b6d5da527daeed9e04f7c53c7793ab9355ad62eb43d4291360f23bf79384786eadb1ea30efb998f9b8cf173ce24347316019e11a32626350f6 |
memory/4264-206-0x0000000000CB0000-0x00000000010B4000-memory.dmp
memory/4264-207-0x0000000073BC0000-0x0000000073E8F000-memory.dmp
memory/4264-208-0x0000000073AF0000-0x0000000073BB8000-memory.dmp
memory/4264-209-0x0000000073A20000-0x0000000073AEE000-memory.dmp
memory/4264-247-0x0000000000CB0000-0x00000000010B4000-memory.dmp
memory/2704-262-0x0000000073800000-0x0000000073824000-memory.dmp
memory/2704-261-0x0000000073830000-0x00000000738B8000-memory.dmp
memory/2704-260-0x00000000738C0000-0x00000000739CA000-memory.dmp
memory/2704-259-0x00000000739D0000-0x0000000073A19000-memory.dmp
memory/2704-258-0x0000000073A20000-0x0000000073AEE000-memory.dmp
memory/2704-257-0x0000000073AF0000-0x0000000073BB8000-memory.dmp
memory/2704-256-0x0000000073BC0000-0x0000000073E8F000-memory.dmp
C:\Users\Admin\AppData\Local\d46500b0\tor\data\state
| MD5 | 3bc8fa90b6f5fdb0cf3f565b3f433a9c |
| SHA1 | 910dcf9e0ed9c21c07aa17c408e88f50b39812ae |
| SHA256 | 9408e4abfbceff87a78d493f489d77ce439c4487a62afaf0eb74ff73e310e6db |
| SHA512 | 3997a30851011d03dc74a3d9444cddf013e69f165652d46c625c99fb5a06e27ab6db33263c5e291be5571b9a65e702616d5bc3cd05f779f27097d09d2c4785dc |
C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdescs
| MD5 | 33a75ee9c268d52617d651608bd87549 |
| SHA1 | 3466eda6347e73845be732f748a8cb814b0ba083 |
| SHA256 | 2ce3419666cf4656b019455b05c24f79a0d1b0bebc2025319d28b0a67f68299b |
| SHA512 | ef39e065ba74c001dd812745ef821cbdda3dc9a868fbde744bb010c6f6000dd71e75a33ad8b28cb5a273534549ef69bc73541af2e7ec12ab14df1f417b4d2c39 |
C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdescs.new
| MD5 | 87c702bce0c1961c03b02297952801fa |
| SHA1 | 5e26c2a800e467f83ca6379eb81f3a9fcdf42250 |
| SHA256 | 5c99a92f9619a8c44477629c7d0f5dee04e7fd706a00b2167e19de7c4c1334dc |
| SHA512 | c9b3ee64c242085b7be2341d4da795eabbbdc7483f26a5714aa23190362fa2be43d939861ffee2b98a14727f45cdc711f601e89ce7cf9e5bc06a40d627acbc5b |
Analysis: behavioral5
Detonation Overview
Submitted
2024-05-07 12:28
Reported
2024-05-07 12:31
Platform
win11-20240419-en
Max time kernel
146s
Max time network
151s
Command Line
Signatures
BitRAT
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-734199974-1358367239-436541239-1000\Software\Microsoft\Windows\CurrentVersion\Run\test1 = "C:\\Users\\Admin\\AppData\\Local\\temp\\test1" | C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
Enumerates physical storage devices
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe
"C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe"
C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc
C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc
C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc
Network
| Country | Destination | Domain | Proto |
| FR | 185.13.39.197:443 | | tcp |
| N/A | 127.0.0.1:49779 | | tcp |
| US | 96.253.78.108:443 | | tcp |
| NL | 77.247.181.162:443 | | tcp |
| N/A | 127.0.0.1:45808 | | tcp |
| DE | 136.243.214.137:443 | | tcp |
| SE | 171.25.193.9:80 | | tcp |
| US | 8.8.8.8:53 | 9.193.25.171.in-addr.arpa | udp |
| DE | 51.89.17.143:8080 | | tcp |
| PL | 151.115.74.228:443 | | tcp |
| US | 8.8.8.8:53 | 143.17.89.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.74.115.151.in-addr.arpa | udp |
| N/A | 127.0.0.1:45808 | | tcp |
| US | 15.204.226.3:443 | | tcp |
| CH | 77.109.152.87:143 | | tcp |
| N/A | 127.0.0.1:49895 | | tcp |
| CH | 77.109.152.87:143 | | tcp |
| N/A | 127.0.0.1:45808 | | tcp |
| N/A | 127.0.0.1:49979 | | tcp |
| DE | 181.214.99.212:9001 | | tcp |
| DE | 51.89.81.247:443 | | tcp |
| N/A | 127.0.0.1:45808 | | tcp |
Files
memory/4560-0-0x0000000000400000-0x0000000000BD8000-memory.dmp
memory/4560-1-0x0000000074340000-0x000000007437C000-memory.dmp
C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
| MD5 | 5cfe61ff895c7daa889708665ef05d7b |
| SHA1 | 5e58efe30406243fbd58d4968b0492ddeef145f2 |
| SHA256 | f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5 |
| SHA512 | 43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da |
memory/1484-17-0x00000000007E0000-0x0000000000BE4000-memory.dmp
C:\Users\Admin\AppData\Local\d46500b0\tor\libcrypto-1_1.dll
| MD5 | 2384a02c4a1f7ec481adde3a020607d3 |
| SHA1 | 7e848d35a10bf9296c8fa41956a3daa777f86365 |
| SHA256 | c8db0ff0f7047ed91b057005e86ad3a23eae616253313aa047c560d9eb398369 |
| SHA512 | 1ac74dd2d863acd7415ef8b9490a5342865462fbabdad0645da22424b0d56f5e9c389a3d7c41386f2414d6c4715c79a6ddecb6e6cff29e98319e1fd1060f4503 |
C:\Users\Admin\AppData\Local\d46500b0\tor\libevent-2-1-6.dll
| MD5 | 099983c13bade9554a3c17484e5481f1 |
| SHA1 | a84e69ad9722f999252d59d0ed9a99901a60e564 |
| SHA256 | b65f9aa0c7912af64bd9b05e9322e994339a11b0c8907e6a6166d7b814bda838 |
| SHA512 | 89f1a963de77873296395662d4150e3eff7a2d297fb9ec54ec06aa2e40d41e5f4fc4611e9bc34126d760c9134f2907fea3bebdf2fbbd7eaddad99f8e4be1f5e2 |
C:\Users\Admin\AppData\Local\d46500b0\tor\libwinpthread-1.dll
| MD5 | d407cc6d79a08039a6f4b50539e560b8 |
| SHA1 | 21171adbc176dc19aaa5e595cd2cd4bd1dfd0c71 |
| SHA256 | 92cfd0277c8781a15a0f17b7aee6cff69631b9606a001101631f04b3381efc4e |
| SHA512 | 378a10fed915591445d97c6d04e82d28008d8ea65e0e40c142b8ee59867035d561d4e103495c8f0d9c19b51597706ce0b450c25516aa0f1744579ffcd097ae0c |
C:\Users\Admin\AppData\Local\d46500b0\tor\zlib1.dll
| MD5 | add33041af894b67fe34e1dc819b7eb6 |
| SHA1 | 6db46eb021855a587c95479422adcc774a272eeb |
| SHA256 | 8688bd7ca55dcc0c23c429762776a0a43fe5b0332dfd5b79ef74e55d4bbc1183 |
| SHA512 | bafc441198d03f0e7fe804bab89283c389d38884d0f87d81b11950a9b79fcbf7b32be4bb16f4fcd9179b66f865c563c172a46b4514a6087ef0af64425a4b2cfa |
C:\Users\Admin\AppData\Local\d46500b0\tor\libgcc_s_sjlj-1.dll
| MD5 | b0d98f7157d972190fe0759d4368d320 |
| SHA1 | 5715a533621a2b642aad9616e603c6907d80efc4 |
| SHA256 | 2922193133dabab5b82088d4e87484e2fac75e9e0c765dacaf22eb5f4f18b0c5 |
| SHA512 | 41ce56c428158533bf8b8ffe0a71875b5a3abc549b88d7d3e69acc6080653abea344d6d66fff39c04bf019fcaa295768d620377d85a933ddaf17f3d90df29496 |
memory/1484-29-0x00000000738A0000-0x0000000073968000-memory.dmp
C:\Users\Admin\AppData\Local\d46500b0\tor\torrc
| MD5 | 439cd73927f46fde28540391feee8477 |
| SHA1 | ee7fb2aeb7708378abda293b03f5c9ffb6dbc742 |
| SHA256 | d1604e8bdb1a544638a97aa210b3e1eb12f1f159323d6b5942e03e11eafe9f75 |
| SHA512 | c11ad07964e190696f500468d52c61d8af5f075e7828ef00d525f06937f4205ca58eb3eabe5fd9cc8fa88c1d191de919429b6bbf3cdbb2dda6eed7d1b9ca7319 |
memory/1484-37-0x00000000735B0000-0x00000000735D4000-memory.dmp
memory/1484-36-0x00000000735E0000-0x0000000073668000-memory.dmp
memory/1484-35-0x0000000073780000-0x000000007384E000-memory.dmp
C:\Users\Admin\AppData\Local\d46500b0\tor\libssl-1_1.dll
| MD5 | c88826ac4bb879622e43ead5bdb95aeb |
| SHA1 | 87d29853649a86f0463bfd9ad887b85eedc21723 |
| SHA256 | c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f |
| SHA512 | f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3 |
C:\Users\Admin\AppData\Local\d46500b0\tor\libssp-0.dll
| MD5 | 2c916456f503075f746c6ea649cf9539 |
| SHA1 | fa1afc1f3d728c89b2e90e14ca7d88b599580a9d |
| SHA256 | cbb5236d923d4f4baf2f0d2797c72a2cbae42ef7ac0acce786daf5fdc5b456e6 |
| SHA512 | 1c1995e1aa7c33c597c64122395275861d9219e46d45277d4f1768a2e06227b353d5d77d6b7cb655082dc6fb9736ad6f7cfcc0c90e02776e27d50857e792e3fd |
memory/1484-41-0x0000000001DE0000-0x00000000020AF000-memory.dmp
memory/1484-44-0x0000000073670000-0x000000007377A000-memory.dmp
memory/1484-43-0x0000000073850000-0x0000000073899000-memory.dmp
memory/1484-42-0x00000000732E0000-0x00000000735AF000-memory.dmp
memory/4560-45-0x0000000072FA0000-0x0000000072FDC000-memory.dmp
memory/4560-46-0x0000000000400000-0x0000000000BD8000-memory.dmp
memory/1484-48-0x00000000738A0000-0x0000000073968000-memory.dmp
memory/1484-50-0x0000000073780000-0x000000007384E000-memory.dmp
memory/1484-47-0x00000000007E0000-0x0000000000BE4000-memory.dmp
memory/1484-56-0x00000000007E0000-0x0000000000BE4000-memory.dmp
memory/4560-55-0x0000000000400000-0x0000000000BD8000-memory.dmp
memory/1484-65-0x0000000001DE0000-0x00000000020AF000-memory.dmp
memory/1484-57-0x00000000007E0000-0x0000000000BE4000-memory.dmp
C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdesc-consensus
| MD5 | 0ce4530144899e61e7151afe7810919f |
| SHA1 | f300561ff8bbd2b426926aced1e576bd2b91d001 |
| SHA256 | 59f1410ba288f348e46546682bc8ae589accfdb2abc49b0b59fed35ed9de32e5 |
| SHA512 | 595a94b645837f8627b703920cec6eda3e6103ae964c91c383679f00b712343b7f8d4656db6efdaceabe8c641cf45d6461ff77cc9fafa263880bc1a0763a83e6 |
memory/4560-74-0x0000000000400000-0x0000000000BD8000-memory.dmp
memory/1484-76-0x00000000007E0000-0x0000000000BE4000-memory.dmp
C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdescs.new
| MD5 | ca9baf607cc545d36c8d4870a941374a |
| SHA1 | 4f68e37abe6fc3141e5391e72d79b1d1f8e22252 |
| SHA256 | 6159db332c13ff164022bc2f3f542064e697fae03bd8cd6d09ae6802550838eb |
| SHA512 | b1f0dc7c86b8bf1b465c3d06e87f5eaa8be5445f5f01a91fff8cb28e6f4b851a5eb2e67a28fb1fa64472c1ff97f99ee4a8705c1ff055fb12c02898db701465c4 |
memory/1484-90-0x00000000007E0000-0x0000000000BE4000-memory.dmp
memory/1484-99-0x00000000007E0000-0x0000000000BE4000-memory.dmp
memory/1484-108-0x00000000007E0000-0x0000000000BE4000-memory.dmp
memory/1484-125-0x00000000007E0000-0x0000000000BE4000-memory.dmp
memory/3724-135-0x00000000007E0000-0x0000000000BE4000-memory.dmp
memory/4560-134-0x0000000000400000-0x0000000000BD8000-memory.dmp
memory/3724-142-0x0000000073350000-0x00000000733D8000-memory.dmp
C:\Users\Admin\AppData\Local\d46500b0\tor\data\state
| MD5 | 61766f4549436bd039844c9aab81a1f3 |
| SHA1 | a928ef9167c5b6d9fc079dd89d2d5c15b0ac06c0 |
| SHA256 | 10b1311242be0fa7dc0a3f50aea370fa112569d8c29345af78e673baddef316b |
| SHA512 | ff84c2366e16e05afe22fc5b915324d743f4cf638d01ac762757a6ff44258850d30a0158a149dcccda504461a9aed0dbc0b25017a685e3e6251afdc362fe2d6a |
C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-certs
| MD5 | 26ace7611b0e251cbed0efab5c79db09 |
| SHA1 | dd145146ab0f820f15d5aa390f16191a39e2cdaf |
| SHA256 | 197b8355cce777e4d37d306c80a3de865034c9d7c18bfc29ed2b504723617be1 |
| SHA512 | 18dc6e1e6c4cd8e2c1884f1c6abf7de6e49f9ad8a5f40822523789b159a264adb07404a3a7d80de3a71fdc0312aeed152211c19315b6103f76c0c5cf0765a83d |
memory/3724-141-0x00000000733E0000-0x00000000734EA000-memory.dmp
memory/3724-140-0x00000000734F0000-0x0000000073514000-memory.dmp
memory/3724-139-0x0000000073520000-0x0000000073569000-memory.dmp
memory/3724-138-0x0000000073570000-0x000000007363E000-memory.dmp
memory/3724-137-0x0000000073640000-0x0000000073708000-memory.dmp
memory/3724-136-0x0000000073710000-0x00000000739DF000-memory.dmp
C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdescs.new
| MD5 | c87e9f056033e3959da3d02f75620bef |
| SHA1 | aec51d064c722002283356119816692572b89847 |
| SHA256 | 1b7c6f082e7a10eaad7f4c8137c30b01dc72b7d0f5812e5cef12afa40cbbf7a1 |
| SHA512 | a2560dd44da0855a1b0c1c53d7434b41843a9c9cfb637fd7e8085203c2b233612f6c57661627cf8343b76b1b7ffc3bb7a4f82822df8bca044137fb9401b8236b |
memory/4560-180-0x0000000072F30000-0x0000000072F6C000-memory.dmp
memory/3724-181-0x00000000007E0000-0x0000000000BE4000-memory.dmp
memory/3724-182-0x0000000073710000-0x00000000739DF000-memory.dmp
memory/3724-184-0x0000000073570000-0x000000007363E000-memory.dmp
memory/3724-183-0x0000000073640000-0x0000000073708000-memory.dmp
memory/3724-204-0x00000000007E0000-0x0000000000BE4000-memory.dmp
memory/2132-213-0x00000000007E0000-0x0000000000BE4000-memory.dmp
memory/2132-220-0x0000000073710000-0x00000000739DF000-memory.dmp
C:\Users\Admin\AppData\Local\d46500b0\tor\data\state
| MD5 | 00d80fc49b6f49c468f3770e7bd396ce |
| SHA1 | dd882288fbb90c631f47518f291195704753f7da |
| SHA256 | eefeb0c85422357a46a135c77a7fd6483e03a0c9085bc699acb3807b73803c57 |
| SHA512 | 4f5cbfa0e764e481d56d8e4478dde3cd1e7fd61c5609c8595901025fc190147ee0f54bf2cac3ac4eb0a2e0ccc69dde5ee4e20061cbdcebd965f4766361c116d0 |
memory/2132-219-0x0000000073350000-0x00000000733D8000-memory.dmp
memory/2132-218-0x00000000733E0000-0x00000000734EA000-memory.dmp
memory/2132-217-0x00000000734F0000-0x0000000073514000-memory.dmp
memory/2132-216-0x0000000073520000-0x0000000073569000-memory.dmp
memory/2132-215-0x0000000073570000-0x000000007363E000-memory.dmp
memory/2132-214-0x0000000073640000-0x0000000073708000-memory.dmp
C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdescs
| MD5 | ad3b82f59cba57d2041f7ce9723f9560 |
| SHA1 | 58316be683dbb0cdfa8e73f87289b1d50ae63d77 |
| SHA256 | 1961aeb3cb30e2753609ab483d862c53f3565e3314a0761e2d5c9c3b9d425e83 |
| SHA512 | 3a9aad2b0eeccabba0bc2d112d4b02e1fde3e0f176efe785ac20e21ccc179e03cad24fe8f86c20158c147fa29b66cb2d2819850509f2725f70ec32fb48c69149 |
C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdescs.new
| MD5 | b23d8a69b9fa74147bb1e8f038392da4 |
| SHA1 | 4cd5543f17f8a202d906121c6940efce9ad04318 |
| SHA256 | 94a63b62758f55ec54b2341273248cba6a205c32acd534fd3a80fcf6d4e05343 |
| SHA512 | deb972b5540132ba64a5aa7c3b4a9ac8971b81ffa8bdbd23197ad89dfedce695c6b302132ab9e1af484092686fe0f3d072d8079f044c82d6d8088121a09e748b |
memory/2132-240-0x00000000007E0000-0x0000000000BE4000-memory.dmp
memory/4560-251-0x0000000072F30000-0x0000000072F6C000-memory.dmp
memory/2132-250-0x0000000073570000-0x000000007363E000-memory.dmp
memory/2132-249-0x0000000073640000-0x0000000073708000-memory.dmp
memory/2132-252-0x0000000073710000-0x00000000739DF000-memory.dmp