Malware Analysis Report

2024-09-22 21:58

Sample ID 240507-pnawasff7w
Target a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449
SHA256 a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449
Tags
bitrat persistence trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449

Threat Level: Known bad

The file a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449 was found to be: Known bad.

Malicious Activity Summary

bitrat persistence trojan upx

Bitrat family

BitRAT

UPX packed file

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

ACProtect 1.3x - 1.4x DLL software

Adds Run key to start application

Looks up external IP address via web service

Suspicious use of NtSetInformationThreadHideFromDebugger

Unsigned PE

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Modifies system certificate store

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: RenamesItself

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-05-07 12:28

Signatures

Bitrat family

bitrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-07 12:28

Reported

2024-05-07 12:31

Platform

win10v2004-20240426-en

Max time kernel

146s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe"

Signatures

BitRAT

trojan bitrat

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\test1 = "C:\\Users\\Admin\\AppData\\Local\\temp\\test1" C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A myexternalip.com N/A N/A
N/A myexternalip.com N/A N/A

Enumerates physical storage devices

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 432 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 432 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 432 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 432 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 432 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 432 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 432 wrote to memory of 5036 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 432 wrote to memory of 5036 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 432 wrote to memory of 5036 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe

"C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe"

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
NL 77.247.181.164:443 tcp
US 172.98.193.43:443 tcp
N/A 127.0.0.1:57838 tcp
FR 212.47.233.250:9001 tcp
N/A 127.0.0.1:45808 tcp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
DE 54.36.237.163:443 tcp
DE 131.188.40.189:443 tcp
US 8.8.8.8:53 189.40.188.131.in-addr.arpa udp
DE 194.13.83.131:9001 tcp
DE 159.69.138.31:9001 tcp
US 8.8.8.8:53 131.83.13.194.in-addr.arpa udp
US 8.8.8.8:53 31.138.69.159.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 162.237.207.53:443 tcp
US 8.8.8.8:53 53.207.237.162.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
DE 159.69.138.31:9001 tcp
DE 194.13.83.131:9001 tcp
N/A 127.0.0.1:45808 tcp
US 8.8.8.8:53 107.211.222.173.in-addr.arpa udp
DE 85.215.67.227:8443 tcp
DE 202.61.205.33:9001 tcp
US 8.8.8.8:53 227.67.215.85.in-addr.arpa udp
US 8.8.8.8:53 33.205.61.202.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
N/A 127.0.0.1:57998 tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
N/A 127.0.0.1:45808 tcp
US 8.8.8.8:53 myexternalip.com udp
US 34.117.118.44:443 myexternalip.com tcp
US 8.8.8.8:53 44.118.117.34.in-addr.arpa udp
US 8.8.8.8:53 11.97.55.23.in-addr.arpa udp
US 8.8.8.8:53 73.190.18.2.in-addr.arpa udp
N/A 127.0.0.1:58098 tcp
FR 141.94.199.35:9001 tcp
CH 85.195.230.249:9002 tcp
US 8.8.8.8:53 35.199.94.141.in-addr.arpa udp
US 8.8.8.8:53 249.230.195.85.in-addr.arpa udp
DE 185.94.29.162:9000 tcp
US 8.8.8.8:53 162.29.94.185.in-addr.arpa udp

Files

memory/432-0-0x0000000000400000-0x0000000000BD8000-memory.dmp

memory/432-1-0x00000000743F0000-0x0000000074429000-memory.dmp

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

MD5 5cfe61ff895c7daa889708665ef05d7b
SHA1 5e58efe30406243fbd58d4968b0492ddeef145f2
SHA256 f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5
SHA512 43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da

C:\Users\Admin\AppData\Local\d46500b0\tor\libcrypto-1_1.dll

MD5 2384a02c4a1f7ec481adde3a020607d3
SHA1 7e848d35a10bf9296c8fa41956a3daa777f86365
SHA256 c8db0ff0f7047ed91b057005e86ad3a23eae616253313aa047c560d9eb398369
SHA512 1ac74dd2d863acd7415ef8b9490a5342865462fbabdad0645da22424b0d56f5e9c389a3d7c41386f2414d6c4715c79a6ddecb6e6cff29e98319e1fd1060f4503

C:\Users\Admin\AppData\Local\d46500b0\tor\libevent-2-1-6.dll

MD5 099983c13bade9554a3c17484e5481f1
SHA1 a84e69ad9722f999252d59d0ed9a99901a60e564
SHA256 b65f9aa0c7912af64bd9b05e9322e994339a11b0c8907e6a6166d7b814bda838
SHA512 89f1a963de77873296395662d4150e3eff7a2d297fb9ec54ec06aa2e40d41e5f4fc4611e9bc34126d760c9134f2907fea3bebdf2fbbd7eaddad99f8e4be1f5e2

C:\Users\Admin\AppData\Local\d46500b0\tor\libssp-0.dll

MD5 2c916456f503075f746c6ea649cf9539
SHA1 fa1afc1f3d728c89b2e90e14ca7d88b599580a9d
SHA256 cbb5236d923d4f4baf2f0d2797c72a2cbae42ef7ac0acce786daf5fdc5b456e6
SHA512 1c1995e1aa7c33c597c64122395275861d9219e46d45277d4f1768a2e06227b353d5d77d6b7cb655082dc6fb9736ad6f7cfcc0c90e02776e27d50857e792e3fd

C:\Users\Admin\AppData\Local\d46500b0\tor\zlib1.dll

MD5 add33041af894b67fe34e1dc819b7eb6
SHA1 6db46eb021855a587c95479422adcc774a272eeb
SHA256 8688bd7ca55dcc0c23c429762776a0a43fe5b0332dfd5b79ef74e55d4bbc1183
SHA512 bafc441198d03f0e7fe804bab89283c389d38884d0f87d81b11950a9b79fcbf7b32be4bb16f4fcd9179b66f865c563c172a46b4514a6087ef0af64425a4b2cfa

C:\Users\Admin\AppData\Local\d46500b0\tor\libgcc_s_sjlj-1.dll

MD5 b0d98f7157d972190fe0759d4368d320
SHA1 5715a533621a2b642aad9616e603c6907d80efc4
SHA256 2922193133dabab5b82088d4e87484e2fac75e9e0c765dacaf22eb5f4f18b0c5
SHA512 41ce56c428158533bf8b8ffe0a71875b5a3abc549b88d7d3e69acc6080653abea344d6d66fff39c04bf019fcaa295768d620377d85a933ddaf17f3d90df29496

C:\Users\Admin\AppData\Local\d46500b0\tor\libwinpthread-1.dll

MD5 d407cc6d79a08039a6f4b50539e560b8
SHA1 21171adbc176dc19aaa5e595cd2cd4bd1dfd0c71
SHA256 92cfd0277c8781a15a0f17b7aee6cff69631b9606a001101631f04b3381efc4e
SHA512 378a10fed915591445d97c6d04e82d28008d8ea65e0e40c142b8ee59867035d561d4e103495c8f0d9c19b51597706ce0b450c25516aa0f1744579ffcd097ae0c

memory/1928-33-0x0000000073710000-0x0000000073734000-memory.dmp

memory/1928-32-0x0000000073740000-0x0000000073789000-memory.dmp

memory/1928-31-0x0000000073790000-0x000000007385E000-memory.dmp

memory/1928-30-0x0000000073860000-0x0000000073928000-memory.dmp

memory/1928-41-0x0000000001C60000-0x0000000001F2F000-memory.dmp

C:\Users\Admin\AppData\Local\d46500b0\tor\torrc

MD5 439cd73927f46fde28540391feee8477
SHA1 ee7fb2aeb7708378abda293b03f5c9ffb6dbc742
SHA256 d1604e8bdb1a544638a97aa210b3e1eb12f1f159323d6b5942e03e11eafe9f75
SHA512 c11ad07964e190696f500468d52c61d8af5f075e7828ef00d525f06937f4205ca58eb3eabe5fd9cc8fa88c1d191de919429b6bbf3cdbb2dda6eed7d1b9ca7319

memory/1928-40-0x00000000732A0000-0x000000007356F000-memory.dmp

memory/1928-39-0x0000000073570000-0x000000007367A000-memory.dmp

memory/1928-36-0x0000000073680000-0x0000000073708000-memory.dmp

C:\Users\Admin\AppData\Local\d46500b0\tor\libssl-1_1.dll

MD5 c88826ac4bb879622e43ead5bdb95aeb
SHA1 87d29853649a86f0463bfd9ad887b85eedc21723
SHA256 c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f
SHA512 f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3

memory/1928-22-0x00000000003D0000-0x00000000007D4000-memory.dmp

memory/432-45-0x0000000072F80000-0x0000000072FB9000-memory.dmp

memory/432-46-0x0000000000400000-0x0000000000BD8000-memory.dmp

memory/1928-47-0x00000000003D0000-0x00000000007D4000-memory.dmp

memory/1928-54-0x00000000732A0000-0x000000007356F000-memory.dmp

memory/1928-53-0x0000000073570000-0x000000007367A000-memory.dmp

memory/1928-52-0x0000000073680000-0x0000000073708000-memory.dmp

memory/1928-51-0x0000000073710000-0x0000000073734000-memory.dmp

memory/1928-50-0x0000000073740000-0x0000000073789000-memory.dmp

memory/1928-49-0x0000000073790000-0x000000007385E000-memory.dmp

memory/1928-48-0x0000000073860000-0x0000000073928000-memory.dmp

memory/1928-56-0x00000000003D0000-0x00000000007D4000-memory.dmp

memory/432-55-0x0000000000400000-0x0000000000BD8000-memory.dmp

memory/1928-57-0x00000000003D0000-0x00000000007D4000-memory.dmp

memory/1928-70-0x0000000001C60000-0x0000000001F2F000-memory.dmp

C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdesc-consensus.tmp

MD5 0ce4530144899e61e7151afe7810919f
SHA1 f300561ff8bbd2b426926aced1e576bd2b91d001
SHA256 59f1410ba288f348e46546682bc8ae589accfdb2abc49b0b59fed35ed9de32e5
SHA512 595a94b645837f8627b703920cec6eda3e6103ae964c91c383679f00b712343b7f8d4656db6efdaceabe8c641cf45d6461ff77cc9fafa263880bc1a0763a83e6

memory/1928-77-0x00000000003D0000-0x00000000007D4000-memory.dmp

C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdescs.new

MD5 711d9a80e0479063a1e00173f4bb682a
SHA1 7a271691f18783c7386a858343c0891a62bcf78b
SHA256 b30f315067406639b58cff0e307018baac9483f7d3799d5db5475ebd908b999d
SHA512 3686a690949ade1880af8e78bfc7298ae449b7afeb30e9d7e3aaa5666f0b69c7c609dd369cb5cd453a9f8bdf1e89eb273237b25f67dc20174eb5390f103e61e1

memory/1928-102-0x00000000003D0000-0x00000000007D4000-memory.dmp

memory/432-110-0x0000000000400000-0x0000000000BD8000-memory.dmp

memory/432-111-0x00000000743B0000-0x00000000743E9000-memory.dmp

memory/1928-112-0x00000000003D0000-0x00000000007D4000-memory.dmp

memory/432-120-0x0000000000400000-0x0000000000BD8000-memory.dmp

memory/1928-121-0x00000000003D0000-0x00000000007D4000-memory.dmp

memory/1928-130-0x00000000003D0000-0x00000000007D4000-memory.dmp

memory/1928-157-0x00000000003D0000-0x00000000007D4000-memory.dmp

memory/2108-167-0x0000000073700000-0x00000000739CF000-memory.dmp

memory/2108-172-0x00000000733D0000-0x00000000734DA000-memory.dmp

memory/2108-173-0x0000000073340000-0x00000000733C8000-memory.dmp

C:\Users\Admin\AppData\Local\d46500b0\tor\data\state

MD5 5c1762600cce241bfc93fd92628e0c22
SHA1 1a6cc241b07197f3fa3fb150bc7d99d7c63f8059
SHA256 75f6a5312b23c8a172111054a66fb49c125f051d2410cd958f342ae1522a20bf
SHA512 92dc043082edd20b083b2327657aeacf1ca07c582b11d0a343f72abc20ec1e59f420bd0a71dba59e734f3e6f8bc2a5dbfa1ba6b41637a81ebd732bee76b3ea8e

C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-certs

MD5 6bd9135a5d8ed5955c255bc35926b090
SHA1 661aaa5ce1bda17d23095de468883a61b5095023
SHA256 bff7ae43ed21cb81ccc9b8f1eace820091181a4ab496f5e2958f274889095994
SHA512 92f0b33410bc7cca73d52027831a0dfb9f7cadabb95faa1b50a4b81b3285b84213a4f021cdf299db1e5f4c04d4ae505e254b46b8e9ae98386409787c87e5fb31

memory/2108-171-0x00000000734E0000-0x0000000073504000-memory.dmp

memory/2108-170-0x0000000073510000-0x0000000073559000-memory.dmp

memory/2108-169-0x0000000073560000-0x000000007362E000-memory.dmp

memory/2108-168-0x0000000073630000-0x00000000736F8000-memory.dmp

memory/2108-166-0x00000000003D0000-0x00000000007D4000-memory.dmp

C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdescs.new

MD5 592a4a63c6492c9fc610aa94dc0b6d4b
SHA1 09a1f0eff135d5f633ff9efc0c50f77ffa1052ec
SHA256 f9fc02f3857047c3aafa3f5b2ddafc32009243dd4ce53023ab6d745087c14229
SHA512 2913b0f3393c93ff7c40dbf7e76faad9a1df6890fa6373d04db41f9f233437956b50df95cea5cff9c434a7e79628339c33df9e576454b27562573b4d95152db7

memory/432-203-0x0000000072F10000-0x0000000072F49000-memory.dmp

memory/2108-204-0x00000000003D0000-0x00000000007D4000-memory.dmp

memory/2108-205-0x0000000073700000-0x00000000739CF000-memory.dmp

memory/2108-206-0x0000000073630000-0x00000000736F8000-memory.dmp

memory/2108-207-0x0000000073560000-0x000000007362E000-memory.dmp

memory/2108-241-0x00000000003D0000-0x00000000007D4000-memory.dmp

memory/5036-257-0x0000000073280000-0x00000000732A4000-memory.dmp

memory/5036-256-0x0000000072180000-0x0000000072208000-memory.dmp

memory/5036-255-0x0000000072210000-0x000000007231A000-memory.dmp

memory/5036-254-0x0000000073360000-0x00000000733A9000-memory.dmp

memory/5036-253-0x00000000733B0000-0x000000007347E000-memory.dmp

memory/5036-252-0x0000000073480000-0x0000000073548000-memory.dmp

memory/5036-251-0x0000000072320000-0x00000000725EF000-memory.dmp

memory/5036-250-0x00000000003D0000-0x00000000007D4000-memory.dmp

C:\Users\Admin\AppData\Local\d46500b0\tor\data\state

MD5 e32c935883aa01f7118b48e370f458e5
SHA1 b1955614f727a7e03d65b257059ce73d0c2ff6ea
SHA256 1296f55e714522efedd7a05bd8c15cc202a9bfe5c51c4e55aadf2f4e7f71f98a
SHA512 cbbc9f6ce6081a31545b8e5e8bea966978b5457662527023a1d40fdb820bf34f8b9eef9ee42684b07f22bd26b5459c6581e1c98dc5daa0e8ff4ec8cbce608a25

C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdescs

MD5 a473ebd7468228c7aeb34939a7403436
SHA1 ad8cfa55a333769f27278d120282c0c94a0452aa
SHA256 fdf652419afcf8fdbe4b65458fc2dce310afa2dcf4b32f7b737fb0151decd357
SHA512 880718f3a6c837f2fb241c73a809c4b403d75cf32c5508f2b1ae48be3703fda7df58894fbc035347f28375ef9824f2ca3475503831f59c303a4976d24fcee166

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-07 12:28

Reported

2024-05-07 12:31

Platform

win7-20240419-en

Max time kernel

145s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe"

Signatures

BitRAT

trojan bitrat

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\test1 = "C:\\Users\\Admin\\AppData\\Local\\temp\\test1" C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A myexternalip.com N/A N/A
N/A myexternalip.com N/A N/A
N/A myexternalip.com N/A N/A

Enumerates physical storage devices

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2052 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2052 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2052 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2052 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2052 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2052 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2052 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2052 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2052 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2052 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2052 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2052 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2052 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2052 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2052 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 2052 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe

"C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe"

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc

Network

Country Destination Domain Proto
N/A 127.0.0.1:49235 tcp
US 50.7.74.171:9001 tcp
BG 213.183.60.21:443 tcp
NL 77.247.181.162:443 tcp
N/A 127.0.0.1:45808 tcp
GB 51.38.65.160:9001 tcp
NL 45.66.33.45:443 tcp
N/A 127.0.0.1:45808 tcp
IT 95.141.32.124:44444 tcp
FR 51.159.211.57:9001 tcp
N/A 127.0.0.1:49332 tcp
CA 158.69.205.92:9001 tcp
DE 87.118.88.94:443 tcp
CA 158.69.205.92:9001 tcp
DE 87.118.88.94:443 tcp
N/A 127.0.0.1:45808 tcp
US 8.8.8.8:53 myexternalip.com udp
US 34.117.118.44:443 myexternalip.com tcp
DE 46.4.66.178:9001 tcp
N/A 127.0.0.1:49433 tcp
CA 158.69.205.92:9001 tcp
NO 88.90.162.62:443 tcp
N/A 127.0.0.1:45808 tcp
US 34.117.118.44:443 myexternalip.com tcp
N/A 127.0.0.1:49525 tcp
DE 51.68.185.82:8081 tcp
CA 158.69.205.92:9001 tcp
DE 46.4.66.178:9001 tcp

Files

memory/2052-0-0x0000000000400000-0x0000000000BD8000-memory.dmp

\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

MD5 5cfe61ff895c7daa889708665ef05d7b
SHA1 5e58efe30406243fbd58d4968b0492ddeef145f2
SHA256 f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5
SHA512 43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da

memory/2052-17-0x0000000004000000-0x0000000004404000-memory.dmp

C:\Users\Admin\AppData\Local\d46500b0\tor\libcrypto-1_1.dll

MD5 2384a02c4a1f7ec481adde3a020607d3
SHA1 7e848d35a10bf9296c8fa41956a3daa777f86365
SHA256 c8db0ff0f7047ed91b057005e86ad3a23eae616253313aa047c560d9eb398369
SHA512 1ac74dd2d863acd7415ef8b9490a5342865462fbabdad0645da22424b0d56f5e9c389a3d7c41386f2414d6c4715c79a6ddecb6e6cff29e98319e1fd1060f4503

memory/2148-21-0x00000000000D0000-0x00000000004D4000-memory.dmp

memory/2052-20-0x0000000004000000-0x0000000004404000-memory.dmp

C:\Users\Admin\AppData\Local\d46500b0\tor\libssp-0.dll

MD5 2c916456f503075f746c6ea649cf9539
SHA1 fa1afc1f3d728c89b2e90e14ca7d88b599580a9d
SHA256 cbb5236d923d4f4baf2f0d2797c72a2cbae42ef7ac0acce786daf5fdc5b456e6
SHA512 1c1995e1aa7c33c597c64122395275861d9219e46d45277d4f1768a2e06227b353d5d77d6b7cb655082dc6fb9736ad6f7cfcc0c90e02776e27d50857e792e3fd

C:\Users\Admin\AppData\Local\d46500b0\tor\libevent-2-1-6.dll

MD5 099983c13bade9554a3c17484e5481f1
SHA1 a84e69ad9722f999252d59d0ed9a99901a60e564
SHA256 b65f9aa0c7912af64bd9b05e9322e994339a11b0c8907e6a6166d7b814bda838
SHA512 89f1a963de77873296395662d4150e3eff7a2d297fb9ec54ec06aa2e40d41e5f4fc4611e9bc34126d760c9134f2907fea3bebdf2fbbd7eaddad99f8e4be1f5e2

C:\Users\Admin\AppData\Local\d46500b0\tor\libwinpthread-1.dll

MD5 d407cc6d79a08039a6f4b50539e560b8
SHA1 21171adbc176dc19aaa5e595cd2cd4bd1dfd0c71
SHA256 92cfd0277c8781a15a0f17b7aee6cff69631b9606a001101631f04b3381efc4e
SHA512 378a10fed915591445d97c6d04e82d28008d8ea65e0e40c142b8ee59867035d561d4e103495c8f0d9c19b51597706ce0b450c25516aa0f1744579ffcd097ae0c

C:\Users\Admin\AppData\Local\d46500b0\tor\libssl-1_1.dll

MD5 c88826ac4bb879622e43ead5bdb95aeb
SHA1 87d29853649a86f0463bfd9ad887b85eedc21723
SHA256 c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f
SHA512 f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3

C:\Users\Admin\AppData\Local\d46500b0\tor\zlib1.dll

MD5 add33041af894b67fe34e1dc819b7eb6
SHA1 6db46eb021855a587c95479422adcc774a272eeb
SHA256 8688bd7ca55dcc0c23c429762776a0a43fe5b0332dfd5b79ef74e55d4bbc1183
SHA512 bafc441198d03f0e7fe804bab89283c389d38884d0f87d81b11950a9b79fcbf7b32be4bb16f4fcd9179b66f865c563c172a46b4514a6087ef0af64425a4b2cfa

memory/2148-40-0x0000000073D50000-0x0000000073E1E000-memory.dmp

memory/2148-41-0x0000000074A20000-0x0000000074A44000-memory.dmp

memory/2148-36-0x0000000073E20000-0x0000000073EA8000-memory.dmp

memory/2148-33-0x0000000073EB0000-0x0000000073FBA000-memory.dmp

memory/2148-32-0x00000000744B0000-0x0000000074578000-memory.dmp

\Users\Admin\AppData\Local\d46500b0\tor\libgcc_s_sjlj-1.dll

MD5 b0d98f7157d972190fe0759d4368d320
SHA1 5715a533621a2b642aad9616e603c6907d80efc4
SHA256 2922193133dabab5b82088d4e87484e2fac75e9e0c765dacaf22eb5f4f18b0c5
SHA512 41ce56c428158533bf8b8ffe0a71875b5a3abc549b88d7d3e69acc6080653abea344d6d66fff39c04bf019fcaa295768d620377d85a933ddaf17f3d90df29496

memory/2148-26-0x0000000074580000-0x00000000745C9000-memory.dmp

memory/2148-25-0x0000000073FC0000-0x000000007428F000-memory.dmp

C:\Users\Admin\AppData\Local\d46500b0\tor\torrc

MD5 439cd73927f46fde28540391feee8477
SHA1 ee7fb2aeb7708378abda293b03f5c9ffb6dbc742
SHA256 d1604e8bdb1a544638a97aa210b3e1eb12f1f159323d6b5942e03e11eafe9f75
SHA512 c11ad07964e190696f500468d52c61d8af5f075e7828ef00d525f06937f4205ca58eb3eabe5fd9cc8fa88c1d191de919429b6bbf3cdbb2dda6eed7d1b9ca7319

memory/2052-45-0x0000000004000000-0x0000000004404000-memory.dmp

memory/2052-46-0x0000000000400000-0x0000000000BD8000-memory.dmp

memory/2148-47-0x00000000000D0000-0x00000000004D4000-memory.dmp

memory/2148-48-0x0000000073FC0000-0x000000007428F000-memory.dmp

memory/2148-49-0x00000000000D0000-0x00000000004D4000-memory.dmp

memory/2148-55-0x0000000073D50000-0x0000000073E1E000-memory.dmp

memory/2148-54-0x0000000073E20000-0x0000000073EA8000-memory.dmp

memory/2148-53-0x0000000073EB0000-0x0000000073FBA000-memory.dmp

memory/2148-52-0x00000000744B0000-0x0000000074578000-memory.dmp

memory/2148-51-0x0000000074580000-0x00000000745C9000-memory.dmp

memory/2052-57-0x0000000000400000-0x0000000000BD8000-memory.dmp

memory/2148-58-0x00000000000D0000-0x00000000004D4000-memory.dmp

memory/2052-71-0x0000000000400000-0x0000000000BD8000-memory.dmp

C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdesc-consensus.tmp

MD5 0ce4530144899e61e7151afe7810919f
SHA1 f300561ff8bbd2b426926aced1e576bd2b91d001
SHA256 59f1410ba288f348e46546682bc8ae589accfdb2abc49b0b59fed35ed9de32e5
SHA512 595a94b645837f8627b703920cec6eda3e6103ae964c91c383679f00b712343b7f8d4656db6efdaceabe8c641cf45d6461ff77cc9fafa263880bc1a0763a83e6

memory/2148-79-0x00000000000D0000-0x00000000004D4000-memory.dmp

C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdescs.new

MD5 98a26515988b7c3c310efdc4433d92cc
SHA1 420384524eaae5e7fe05451e23253b103b5ec91d
SHA256 536634d2456cd69f078f57191aa7f65cea47b98e7812a6b6e8d5e23f7fc224b0
SHA512 bae51a706674017d00b126418cbd696e378e86e3a9fb2ef12a6fefe71261ce20f63059fc741a1fc4365e2c626d859bd73d0cabc493d677f6787a8e7bc44dc9dc

memory/2148-89-0x00000000000D0000-0x00000000004D4000-memory.dmp

memory/2148-98-0x00000000000D0000-0x00000000004D4000-memory.dmp

memory/2336-127-0x00000000745A0000-0x00000000745C4000-memory.dmp

memory/2336-128-0x00000000000D0000-0x00000000004D4000-memory.dmp

memory/2336-126-0x0000000073FE0000-0x00000000740AE000-memory.dmp

memory/2336-125-0x00000000744A0000-0x0000000074528000-memory.dmp

memory/2336-124-0x00000000740B0000-0x00000000741BA000-memory.dmp

memory/2336-123-0x00000000741C0000-0x0000000074288000-memory.dmp

memory/2336-122-0x0000000074530000-0x0000000074579000-memory.dmp

memory/2336-121-0x0000000073CF0000-0x0000000073FBF000-memory.dmp

memory/2052-120-0x0000000004C60000-0x0000000005064000-memory.dmp

C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-certs

MD5 f16e5c7e94620165f8a95d088e8a9081
SHA1 7bd75e8c1fbf5de04f2740f16ddc800bc206a4dd
SHA256 f758324bb62582d5d142314dc4e3d324ea30cd93fa627689ca3891fec0b6d2f8
SHA512 890f3f5ea06296ef02b5cd263c26ec7187927c070bf133ef8fff7e895ccb89bb41cce4a8ac131af06d4b09cf0cb57c41331913616c5c3de3f248279656f90208

C:\Users\Admin\AppData\Local\d46500b0\tor\data\state

MD5 5c1762600cce241bfc93fd92628e0c22
SHA1 1a6cc241b07197f3fa3fb150bc7d99d7c63f8059
SHA256 75f6a5312b23c8a172111054a66fb49c125f051d2410cd958f342ae1522a20bf
SHA512 92dc043082edd20b083b2327657aeacf1ca07c582b11d0a343f72abc20ec1e59f420bd0a71dba59e734f3e6f8bc2a5dbfa1ba6b41637a81ebd732bee76b3ea8e

memory/2052-142-0x0000000000400000-0x0000000000BD8000-memory.dmp

C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdescs.new

MD5 d8e824ab211f751aaa05b1300f60aa81
SHA1 143efb4293afa189584ed2f4b62d379f9254b8ff
SHA256 729463208c17589439bc198ec6d0ead5288df831beb190750e5cf56b89a2b042
SHA512 1c76d774b68579a1b644946cf332910ce87ddfd9f2a43f49bc54810727471d40d0b62045575478bf96ce54930520f5f6f08e4bd72ece6270b26d71b6dd091776

memory/2336-150-0x00000000741C0000-0x0000000074288000-memory.dmp

memory/2336-153-0x0000000073FE0000-0x00000000740AE000-memory.dmp

memory/2336-148-0x0000000073CF0000-0x0000000073FBF000-memory.dmp

memory/2336-147-0x00000000000D0000-0x00000000004D4000-memory.dmp

memory/2052-160-0x0000000004C60000-0x0000000005064000-memory.dmp

memory/2336-161-0x00000000000D0000-0x00000000004D4000-memory.dmp

memory/2052-179-0x0000000000BE0000-0x0000000000BEA000-memory.dmp

memory/2052-178-0x0000000000BE0000-0x0000000000BEA000-memory.dmp

memory/2336-205-0x00000000000D0000-0x00000000004D4000-memory.dmp

memory/2052-219-0x00000000058C0000-0x0000000005CC4000-memory.dmp

memory/2948-229-0x0000000074550000-0x0000000074574000-memory.dmp

memory/2948-228-0x0000000073EF0000-0x0000000073FBE000-memory.dmp

memory/2948-227-0x0000000074200000-0x0000000074288000-memory.dmp

memory/2948-226-0x0000000073FE0000-0x00000000740EA000-memory.dmp

memory/2948-225-0x00000000740F0000-0x00000000741B8000-memory.dmp

memory/2948-224-0x00000000744E0000-0x0000000074529000-memory.dmp

memory/2948-223-0x00000000731D0000-0x000000007349F000-memory.dmp

C:\Users\Admin\AppData\Local\d46500b0\tor\data\state

MD5 2a10ae3e2ab4d2bb6f16fa7807975406
SHA1 6b5503f1c73b54c0a5ec39041589b85c1c55dbbf
SHA256 13ce2cbf7f1801d116d630ae2a2736fc02e16bc751c52432f8098f51b6fd19e7
SHA512 0b31456c8759656ed8d408202a42713e17a4ccec62edbeab97539582bdf637d97c29f772dfd75107bd12e995dd9cb15a628a686403f79a892931a0860eb7a9da

memory/2948-220-0x00000000000D0000-0x00000000004D4000-memory.dmp

C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdescs

MD5 ac87b84bcb8d8734d72587dd6d86cba6
SHA1 e5a9017ddf7dcc9db5218e736bc212bf7bb62520
SHA256 f46ae5316facd896b2a556b77773a80dc469cc1d7dab9bca39a97f00fd6ef531
SHA512 3667e8a7f4450e8ade06d46bfa3cffbcfe8d373ea26d8ffe877f4949f47f49c5ab4bc03451f008c02a49bfc51411ec63a8c9274fce88e4a0e452e36f4653fe63

C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdescs.new

MD5 997f1adef7365489f2e9d663f91b7f46
SHA1 89ea20560e086b608f017af91351fc3e0e560b9f
SHA256 c7bb985650e54e52f42f3d53c81b9c56c26b226b61a38d762a51658add621c05
SHA512 f1705dfdb93a6197a7924eb618cf96e1ed6072b935d162e583304a70234f817684a3a3f865767772c23d0d86bee49864f30716630e9302c3b273ca1b2698e83e

memory/2052-248-0x0000000000BE0000-0x0000000000BEA000-memory.dmp

memory/2052-247-0x0000000000BE0000-0x0000000000BEA000-memory.dmp

memory/2052-258-0x00000000058C0000-0x0000000005CC4000-memory.dmp

memory/2948-259-0x00000000000D0000-0x00000000004D4000-memory.dmp

memory/2948-260-0x00000000731D0000-0x000000007349F000-memory.dmp

memory/2052-270-0x0000000003400000-0x000000000340A000-memory.dmp

memory/2948-289-0x00000000000D0000-0x00000000004D4000-memory.dmp

memory/2052-295-0x0000000005AC0000-0x0000000005EC4000-memory.dmp

memory/2840-313-0x0000000072E70000-0x000000007313F000-memory.dmp

memory/2840-312-0x0000000074500000-0x0000000074524000-memory.dmp

memory/2840-311-0x00000000732C0000-0x000000007338E000-memory.dmp

memory/2840-310-0x0000000074130000-0x00000000741B8000-memory.dmp

memory/2840-309-0x0000000073390000-0x000000007349A000-memory.dmp

C:\Users\Admin\AppData\Local\d46500b0\tor\data\state

MD5 3dfdfc6c07261c75ae63938c003b5eeb
SHA1 42e00c282186dce0ca8be68a85c59b3945dae5af
SHA256 5470ffe5d9af401d9b64348484af4354861fe62fe2215d8cade45ee9e279a8e5
SHA512 edfb4cf0be4da7a29b9b47e2d53756fd50e2e27cb9b417e04041c7e09f47df9b69d182f3b1613a96f841f688cfac008b65fa29047cd7e455963cbb94ffc604b9

memory/2840-307-0x0000000074020000-0x00000000740E8000-memory.dmp

memory/2840-305-0x0000000074240000-0x0000000074289000-memory.dmp

memory/2840-304-0x00000000000D0000-0x00000000004D4000-memory.dmp

C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdescs.new

MD5 3e0d20f28e2f31e8c8d2694ad5b72791
SHA1 492f611f8494c75b03cf43b2210b96c9c751c2a0
SHA256 6d5f7d6d4e85f333197b10197952bd1a56f34b72a53b3f59d6625202bd52a82a
SHA512 df7946f0e065b10a90fa200feda2c4a0ebd3e02b5de11055d2a53fb1ffcf70a17360008f59118fbf6be135bf45e89b42263c93e4a3ac353eb780701a70d6ac4a

memory/2052-333-0x0000000003400000-0x000000000340A000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-07 12:28

Reported

2024-05-07 12:31

Platform

win10-20240404-en

Max time kernel

145s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe"

Signatures

BitRAT

trojan bitrat

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\Run\test1 = "C:\\Users\\Admin\\AppData\\Local\\temp\\test1" C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\Run\test1 = "C:\\Users\\Admin\\AppData\\Local\\temp\\test1㐀" C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\Run\test1 = "C:\\Users\\Admin\\AppData\\Local\\temp\\test1\uff00" C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A

Enumerates physical storage devices

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe

"C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe"

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc

Network

Country Destination Domain Proto
FR 93.115.97.242:9001 tcp
N/A 127.0.0.1:49805 tcp
US 8.8.8.8:53 242.97.115.93.in-addr.arpa udp
FR 37.187.20.59:443 tcp
US 8.8.8.8:53 59.20.187.37.in-addr.arpa udp
N/A 127.0.0.1:45808 tcp
FR 188.165.136.205:9001 tcp
FI 95.217.231.111:9001 tcp
US 8.8.8.8:53 111.231.217.95.in-addr.arpa udp
US 8.8.8.8:53 205.136.165.188.in-addr.arpa udp
N/A 127.0.0.1:45808 tcp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
FR 188.165.136.205:9001 tcp
FI 95.217.231.111:9001 tcp
NL 185.67.45.99:9001 tcp
US 8.8.8.8:53 99.45.67.185.in-addr.arpa udp
AT 37.252.190.176:443 tcp
US 8.8.8.8:53 176.190.252.37.in-addr.arpa udp
N/A 127.0.0.1:49947 tcp
N/A 127.0.0.1:45808 tcp

Files

memory/4864-0-0x0000000000400000-0x0000000000BD8000-memory.dmp

memory/4864-1-0x00000000739E0000-0x0000000073A1A000-memory.dmp

C:\Users\Admin\AppData\Local\d46500b0\tor\libcrypto-1_1.dll

MD5 2384a02c4a1f7ec481adde3a020607d3
SHA1 7e848d35a10bf9296c8fa41956a3daa777f86365
SHA256 c8db0ff0f7047ed91b057005e86ad3a23eae616253313aa047c560d9eb398369
SHA512 1ac74dd2d863acd7415ef8b9490a5342865462fbabdad0645da22424b0d56f5e9c389a3d7c41386f2414d6c4715c79a6ddecb6e6cff29e98319e1fd1060f4503

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

MD5 5cfe61ff895c7daa889708665ef05d7b
SHA1 5e58efe30406243fbd58d4968b0492ddeef145f2
SHA256 f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5
SHA512 43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da

C:\Users\Admin\AppData\Local\d46500b0\tor\libevent-2-1-6.dll

MD5 099983c13bade9554a3c17484e5481f1
SHA1 a84e69ad9722f999252d59d0ed9a99901a60e564
SHA256 b65f9aa0c7912af64bd9b05e9322e994339a11b0c8907e6a6166d7b814bda838
SHA512 89f1a963de77873296395662d4150e3eff7a2d297fb9ec54ec06aa2e40d41e5f4fc4611e9bc34126d760c9134f2907fea3bebdf2fbbd7eaddad99f8e4be1f5e2

\Users\Admin\AppData\Local\d46500b0\tor\zlib1.dll

MD5 add33041af894b67fe34e1dc819b7eb6
SHA1 6db46eb021855a587c95479422adcc774a272eeb
SHA256 8688bd7ca55dcc0c23c429762776a0a43fe5b0332dfd5b79ef74e55d4bbc1183
SHA512 bafc441198d03f0e7fe804bab89283c389d38884d0f87d81b11950a9b79fcbf7b32be4bb16f4fcd9179b66f865c563c172a46b4514a6087ef0af64425a4b2cfa

C:\Users\Admin\AppData\Local\d46500b0\tor\libgcc_s_sjlj-1.dll

MD5 b0d98f7157d972190fe0759d4368d320
SHA1 5715a533621a2b642aad9616e603c6907d80efc4
SHA256 2922193133dabab5b82088d4e87484e2fac75e9e0c765dacaf22eb5f4f18b0c5
SHA512 41ce56c428158533bf8b8ffe0a71875b5a3abc549b88d7d3e69acc6080653abea344d6d66fff39c04bf019fcaa295768d620377d85a933ddaf17f3d90df29496

\Users\Admin\AppData\Local\d46500b0\tor\libwinpthread-1.dll

MD5 d407cc6d79a08039a6f4b50539e560b8
SHA1 21171adbc176dc19aaa5e595cd2cd4bd1dfd0c71
SHA256 92cfd0277c8781a15a0f17b7aee6cff69631b9606a001101631f04b3381efc4e
SHA512 378a10fed915591445d97c6d04e82d28008d8ea65e0e40c142b8ee59867035d561d4e103495c8f0d9c19b51597706ce0b450c25516aa0f1744579ffcd097ae0c

\Users\Admin\AppData\Local\d46500b0\tor\libssl-1_1.dll

MD5 c88826ac4bb879622e43ead5bdb95aeb
SHA1 87d29853649a86f0463bfd9ad887b85eedc21723
SHA256 c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f
SHA512 f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3

\Users\Admin\AppData\Local\d46500b0\tor\libssp-0.dll

MD5 2c916456f503075f746c6ea649cf9539
SHA1 fa1afc1f3d728c89b2e90e14ca7d88b599580a9d
SHA256 cbb5236d923d4f4baf2f0d2797c72a2cbae42ef7ac0acce786daf5fdc5b456e6
SHA512 1c1995e1aa7c33c597c64122395275861d9219e46d45277d4f1768a2e06227b353d5d77d6b7cb655082dc6fb9736ad6f7cfcc0c90e02776e27d50857e792e3fd

memory/3272-19-0x0000000000040000-0x0000000000444000-memory.dmp

memory/3272-33-0x0000000073930000-0x0000000073954000-memory.dmp

memory/3272-36-0x0000000072B60000-0x0000000072BE8000-memory.dmp

memory/3272-38-0x0000000073A60000-0x0000000073AA9000-memory.dmp

memory/3272-37-0x0000000072A50000-0x0000000072B5A000-memory.dmp

memory/3272-35-0x0000000072BF0000-0x0000000072EBF000-memory.dmp

memory/3272-34-0x00000000017B0000-0x0000000001A7F000-memory.dmp

memory/3272-32-0x0000000072EC0000-0x0000000072F88000-memory.dmp

memory/3272-31-0x0000000072F90000-0x000000007305E000-memory.dmp

C:\Users\Admin\AppData\Local\d46500b0\tor\torrc

MD5 439cd73927f46fde28540391feee8477
SHA1 ee7fb2aeb7708378abda293b03f5c9ffb6dbc742
SHA256 d1604e8bdb1a544638a97aa210b3e1eb12f1f159323d6b5942e03e11eafe9f75
SHA512 c11ad07964e190696f500468d52c61d8af5f075e7828ef00d525f06937f4205ca58eb3eabe5fd9cc8fa88c1d191de919429b6bbf3cdbb2dda6eed7d1b9ca7319

memory/4864-42-0x0000000072740000-0x000000007277A000-memory.dmp

memory/4864-43-0x0000000000400000-0x0000000000BD8000-memory.dmp

memory/3272-46-0x0000000072F90000-0x000000007305E000-memory.dmp

memory/3272-48-0x0000000073930000-0x0000000073954000-memory.dmp

memory/3272-49-0x0000000072BF0000-0x0000000072EBF000-memory.dmp

memory/3272-47-0x0000000072EC0000-0x0000000072F88000-memory.dmp

memory/3272-44-0x0000000000040000-0x0000000000444000-memory.dmp

memory/4864-52-0x0000000000400000-0x0000000000BD8000-memory.dmp

memory/3272-53-0x0000000000040000-0x0000000000444000-memory.dmp

memory/3272-54-0x0000000000040000-0x0000000000444000-memory.dmp

memory/3272-62-0x00000000017B0000-0x0000000001A7F000-memory.dmp

C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdesc-consensus.tmp

MD5 0ce4530144899e61e7151afe7810919f
SHA1 f300561ff8bbd2b426926aced1e576bd2b91d001
SHA256 59f1410ba288f348e46546682bc8ae589accfdb2abc49b0b59fed35ed9de32e5
SHA512 595a94b645837f8627b703920cec6eda3e6103ae964c91c383679f00b712343b7f8d4656db6efdaceabe8c641cf45d6461ff77cc9fafa263880bc1a0763a83e6

memory/3272-75-0x0000000000040000-0x0000000000444000-memory.dmp

C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdescs.new

MD5 a5080c22bfb047d4be65e1b930272425
SHA1 e9bf86a44b9450bf61a7c8d6c271e5afec02db1a
SHA256 1784101a4dfc1ddad7683fdde42eea77634a6fd9ac76a9b171dd2f21606b558e
SHA512 c671e09fbe58807f4f10591a952ca033c84aa8dd4afa361da5e96db4a8e6b5e3132d31763ca02d5d09f93e906f4fa03a45dfbdd56efb0f45decd3221ca6294d1

memory/3272-89-0x0000000000040000-0x0000000000444000-memory.dmp

memory/4864-97-0x0000000000400000-0x0000000000BD8000-memory.dmp

memory/4864-98-0x00000000732E0000-0x000000007331A000-memory.dmp

memory/3272-99-0x0000000000040000-0x0000000000444000-memory.dmp

memory/4864-107-0x0000000000400000-0x0000000000BD8000-memory.dmp

memory/3272-108-0x0000000000040000-0x0000000000444000-memory.dmp

memory/3272-117-0x0000000000040000-0x0000000000444000-memory.dmp

C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-certs

MD5 15a4cb517fea746fb46d2540c8534b38
SHA1 066a5e43cc2fcbf3c97545c35cb2b0336d6f3544
SHA256 c734fb00197ded964ba2a468ee7feb9b1010eb76c5f648e5219abd2920932000
SHA512 4f824ebec5140fb98a3fb7a76e2e2421786a9092a4fb3c5f94a1afd9df3d5a3f798534230e2d43e9d37580f7ad445d1e4cd3a47a69298e2b7d8097a45bcfddb2

C:\Users\Admin\AppData\Local\d46500b0\tor\data\state

MD5 61766f4549436bd039844c9aab81a1f3
SHA1 a928ef9167c5b6d9fc079dd89d2d5c15b0ac06c0
SHA256 10b1311242be0fa7dc0a3f50aea370fa112569d8c29345af78e673baddef316b
SHA512 ff84c2366e16e05afe22fc5b915324d743f4cf638d01ac762757a6ff44258850d30a0158a149dcccda504461a9aed0dbc0b25017a685e3e6251afdc362fe2d6a

memory/3984-166-0x0000000072EC0000-0x0000000072F48000-memory.dmp

memory/3984-165-0x0000000073A60000-0x0000000073AA9000-memory.dmp

memory/3984-164-0x0000000073130000-0x00000000731FE000-memory.dmp

memory/3984-163-0x0000000073920000-0x00000000739E8000-memory.dmp

C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdescs.new

MD5 4a4b0257a1e446ce105f1d43fb6fbcac
SHA1 1d92a5ae3d69814a130d5454384513ba97d7ac52
SHA256 df657b314876fdc383344d9cdfbdd29e9477e4f53c71684a729ac75e64e4caaa
SHA512 ba91eb5c9c864700dbea47b9e4f55b7964107b122a0ae02466178233b52e63f0fe7090d7d270042430fb731840ef00d0f9fa3428812ed9fcb5463b536217ed76

memory/3984-162-0x0000000073200000-0x00000000734CF000-memory.dmp

memory/3984-168-0x0000000073100000-0x0000000073124000-memory.dmp

memory/3984-167-0x0000000072F50000-0x000000007305A000-memory.dmp

memory/3984-161-0x0000000000040000-0x0000000000444000-memory.dmp

memory/3272-152-0x0000000000040000-0x0000000000444000-memory.dmp

memory/4864-203-0x0000000072C30000-0x0000000072C6A000-memory.dmp

memory/3984-204-0x0000000000040000-0x0000000000444000-memory.dmp

memory/3984-205-0x0000000073200000-0x00000000734CF000-memory.dmp

memory/3984-206-0x0000000073920000-0x00000000739E8000-memory.dmp

memory/3984-207-0x0000000073130000-0x00000000731FE000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-05-07 12:28

Reported

2024-05-07 12:31

Platform

win10v2004-20240419-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe"

Signatures

BitRAT

trojan bitrat

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\test1 = "C:\\Users\\Admin\\AppData\\Local\\temp\\test1" C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A myexternalip.com N/A N/A
N/A myexternalip.com N/A N/A
N/A myexternalip.com N/A N/A

Enumerates physical storage devices

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1132 wrote to memory of 632 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 1132 wrote to memory of 632 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 1132 wrote to memory of 632 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 1132 wrote to memory of 4264 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 1132 wrote to memory of 4264 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 1132 wrote to memory of 4264 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 1132 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 1132 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 1132 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe

"C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe"

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
DE 94.130.186.5:443 tcp
US 8.8.8.8:53 5.186.130.94.in-addr.arpa udp
PL 54.37.139.118:9001 tcp
N/A 127.0.0.1:63416 tcp
FR 95.128.43.164:443 tcp
US 8.8.8.8:53 118.139.37.54.in-addr.arpa udp
US 8.8.8.8:53 164.43.128.95.in-addr.arpa udp
N/A 127.0.0.1:45808 tcp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
ES 212.227.43.225:443 tcp
US 89.117.145.38:443 tcp
US 8.8.8.8:53 225.43.227.212.in-addr.arpa udp
US 8.8.8.8:53 38.145.117.89.in-addr.arpa udp
US 89.117.145.38:443 tcp
ES 212.227.43.225:443 tcp
DE 195.90.210.137:9001 tcp
US 8.8.8.8:53 137.210.90.195.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 myexternalip.com udp
US 34.117.118.44:443 myexternalip.com tcp
US 8.8.8.8:53 44.118.117.34.in-addr.arpa udp
US 8.8.8.8:53 11.97.55.23.in-addr.arpa udp
US 8.8.8.8:53 80.190.18.2.in-addr.arpa udp
N/A 127.0.0.1:45808 tcp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 14.251.17.2.in-addr.arpa udp
N/A 127.0.0.1:63588 tcp
US 147.135.65.87:8443 tcp
US 8.8.8.8:53 87.65.135.147.in-addr.arpa udp
DE 178.254.44.163:5126 tcp
US 8.8.8.8:53 163.44.254.178.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
N/A 127.0.0.1:45808 tcp
US 34.117.118.44:443 myexternalip.com tcp
N/A 127.0.0.1:63691 tcp
DE 46.4.66.178:9001 tcp

Files

memory/1132-0-0x0000000000400000-0x0000000000BD8000-memory.dmp

memory/1132-1-0x0000000074940000-0x0000000074979000-memory.dmp

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

MD5 5cfe61ff895c7daa889708665ef05d7b
SHA1 5e58efe30406243fbd58d4968b0492ddeef145f2
SHA256 f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5
SHA512 43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da

memory/632-19-0x0000000000CB0000-0x00000000010B4000-memory.dmp

C:\Users\Admin\AppData\Local\d46500b0\tor\libcrypto-1_1.dll

MD5 2384a02c4a1f7ec481adde3a020607d3
SHA1 7e848d35a10bf9296c8fa41956a3daa777f86365
SHA256 c8db0ff0f7047ed91b057005e86ad3a23eae616253313aa047c560d9eb398369
SHA512 1ac74dd2d863acd7415ef8b9490a5342865462fbabdad0645da22424b0d56f5e9c389a3d7c41386f2414d6c4715c79a6ddecb6e6cff29e98319e1fd1060f4503

C:\Users\Admin\AppData\Local\d46500b0\tor\libssl-1_1.dll

MD5 c88826ac4bb879622e43ead5bdb95aeb
SHA1 87d29853649a86f0463bfd9ad887b85eedc21723
SHA256 c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f
SHA512 f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3

C:\Users\Admin\AppData\Local\d46500b0\tor\zlib1.dll

MD5 add33041af894b67fe34e1dc819b7eb6
SHA1 6db46eb021855a587c95479422adcc774a272eeb
SHA256 8688bd7ca55dcc0c23c429762776a0a43fe5b0332dfd5b79ef74e55d4bbc1183
SHA512 bafc441198d03f0e7fe804bab89283c389d38884d0f87d81b11950a9b79fcbf7b32be4bb16f4fcd9179b66f865c563c172a46b4514a6087ef0af64425a4b2cfa

C:\Users\Admin\AppData\Local\d46500b0\tor\torrc

MD5 439cd73927f46fde28540391feee8477
SHA1 ee7fb2aeb7708378abda293b03f5c9ffb6dbc742
SHA256 d1604e8bdb1a544638a97aa210b3e1eb12f1f159323d6b5942e03e11eafe9f75
SHA512 c11ad07964e190696f500468d52c61d8af5f075e7828ef00d525f06937f4205ca58eb3eabe5fd9cc8fa88c1d191de919429b6bbf3cdbb2dda6eed7d1b9ca7319

C:\Users\Admin\AppData\Local\d46500b0\tor\libgcc_s_sjlj-1.dll

MD5 b0d98f7157d972190fe0759d4368d320
SHA1 5715a533621a2b642aad9616e603c6907d80efc4
SHA256 2922193133dabab5b82088d4e87484e2fac75e9e0c765dacaf22eb5f4f18b0c5
SHA512 41ce56c428158533bf8b8ffe0a71875b5a3abc549b88d7d3e69acc6080653abea344d6d66fff39c04bf019fcaa295768d620377d85a933ddaf17f3d90df29496

C:\Users\Admin\AppData\Local\d46500b0\tor\libwinpthread-1.dll

MD5 d407cc6d79a08039a6f4b50539e560b8
SHA1 21171adbc176dc19aaa5e595cd2cd4bd1dfd0c71
SHA256 92cfd0277c8781a15a0f17b7aee6cff69631b9606a001101631f04b3381efc4e
SHA512 378a10fed915591445d97c6d04e82d28008d8ea65e0e40c142b8ee59867035d561d4e103495c8f0d9c19b51597706ce0b450c25516aa0f1744579ffcd097ae0c

C:\Users\Admin\AppData\Local\d46500b0\tor\libevent-2-1-6.dll

MD5 099983c13bade9554a3c17484e5481f1
SHA1 a84e69ad9722f999252d59d0ed9a99901a60e564
SHA256 b65f9aa0c7912af64bd9b05e9322e994339a11b0c8907e6a6166d7b814bda838
SHA512 89f1a963de77873296395662d4150e3eff7a2d297fb9ec54ec06aa2e40d41e5f4fc4611e9bc34126d760c9134f2907fea3bebdf2fbbd7eaddad99f8e4be1f5e2

C:\Users\Admin\AppData\Local\d46500b0\tor\libssp-0.dll

MD5 2c916456f503075f746c6ea649cf9539
SHA1 fa1afc1f3d728c89b2e90e14ca7d88b599580a9d
SHA256 cbb5236d923d4f4baf2f0d2797c72a2cbae42ef7ac0acce786daf5fdc5b456e6
SHA512 1c1995e1aa7c33c597c64122395275861d9219e46d45277d4f1768a2e06227b353d5d77d6b7cb655082dc6fb9736ad6f7cfcc0c90e02776e27d50857e792e3fd

memory/632-37-0x0000000073E40000-0x0000000073E89000-memory.dmp

memory/632-38-0x0000000073D70000-0x0000000073E38000-memory.dmp

memory/632-42-0x0000000073AD0000-0x0000000073BDA000-memory.dmp

memory/632-41-0x0000000073BE0000-0x0000000073C04000-memory.dmp

memory/632-40-0x0000000073C10000-0x0000000073C98000-memory.dmp

memory/632-39-0x0000000073CA0000-0x0000000073D6E000-memory.dmp

memory/632-44-0x0000000073800000-0x0000000073ACF000-memory.dmp

memory/632-43-0x0000000001E90000-0x000000000215F000-memory.dmp

memory/1132-45-0x00000000733F0000-0x0000000073429000-memory.dmp

memory/1132-46-0x0000000000400000-0x0000000000BD8000-memory.dmp

memory/632-47-0x0000000000CB0000-0x00000000010B4000-memory.dmp

C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdesc-consensus.tmp

MD5 0ce4530144899e61e7151afe7810919f
SHA1 f300561ff8bbd2b426926aced1e576bd2b91d001
SHA256 59f1410ba288f348e46546682bc8ae589accfdb2abc49b0b59fed35ed9de32e5
SHA512 595a94b645837f8627b703920cec6eda3e6103ae964c91c383679f00b712343b7f8d4656db6efdaceabe8c641cf45d6461ff77cc9fafa263880bc1a0763a83e6

memory/1132-64-0x0000000000400000-0x0000000000BD8000-memory.dmp

C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdescs.new

MD5 80ccc45b4a290d0707b8a57f0bb5fcad
SHA1 3d06dc63f241fddb04ceeab90a1ec5a28aa51877
SHA256 d21bb1ff393e87cc97ca5c26e7ef7e77eec828b89555c59fc1d446249fc3038a
SHA512 12fe4089f33bf31541877ec932f4e9417a6f011d5e1b92f9e745d5cd6bfa31d6fe6fb2bc8fbadc0fa20452eecabf7e3b12c2cd6d5548ecc202e7a46f42fb3391

memory/632-80-0x0000000000CB0000-0x00000000010B4000-memory.dmp

memory/632-88-0x0000000000CB0000-0x00000000010B4000-memory.dmp

memory/632-90-0x0000000000CB0000-0x00000000010B4000-memory.dmp

memory/1132-104-0x0000000000400000-0x0000000000BD8000-memory.dmp

memory/632-105-0x0000000000CB0000-0x00000000010B4000-memory.dmp

memory/1132-113-0x0000000073F70000-0x0000000073FA9000-memory.dmp

memory/1132-114-0x0000000000400000-0x0000000000BD8000-memory.dmp

memory/632-115-0x0000000000CB0000-0x00000000010B4000-memory.dmp

memory/632-124-0x0000000000CB0000-0x00000000010B4000-memory.dmp

memory/632-133-0x0000000000CB0000-0x00000000010B4000-memory.dmp

memory/632-159-0x0000000000CB0000-0x00000000010B4000-memory.dmp

memory/4264-168-0x0000000000CB0000-0x00000000010B4000-memory.dmp

memory/4264-174-0x0000000073890000-0x000000007399A000-memory.dmp

memory/4264-175-0x0000000073800000-0x0000000073888000-memory.dmp

memory/4264-173-0x00000000739A0000-0x00000000739C4000-memory.dmp

memory/4264-172-0x00000000739D0000-0x0000000073A19000-memory.dmp

memory/4264-171-0x0000000073A20000-0x0000000073AEE000-memory.dmp

memory/4264-170-0x0000000073AF0000-0x0000000073BB8000-memory.dmp

memory/4264-169-0x0000000073BC0000-0x0000000073E8F000-memory.dmp

C:\Users\Admin\AppData\Local\d46500b0\tor\data\state

MD5 5c1762600cce241bfc93fd92628e0c22
SHA1 1a6cc241b07197f3fa3fb150bc7d99d7c63f8059
SHA256 75f6a5312b23c8a172111054a66fb49c125f051d2410cd958f342ae1522a20bf
SHA512 92dc043082edd20b083b2327657aeacf1ca07c582b11d0a343f72abc20ec1e59f420bd0a71dba59e734f3e6f8bc2a5dbfa1ba6b41637a81ebd732bee76b3ea8e

C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-certs

MD5 21f6b2a7ddbfc05964c12b75b973d1ee
SHA1 dc9a8eed49c0592d58a3f6a3d7ec7c41d0f8bbcc
SHA256 0ff1cd725ff7563eb48af796cd568bf800598aee049dd89b132a667d9b8dc3d0
SHA512 097d2bbd1c295ca5da7bf564fa3e8a3d14bfb7d57ad2411b2bf9a950e4d0a5e9fc3e4e6510460188358aef38f840215cd948bf6c720e32d6be8f850caa4800b6

C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdescs.new

MD5 353d5d4866bbe0a58954bd22ee049208
SHA1 6bc2f9870051e86fda9642542d29d763c90846c4
SHA256 1a696e16262f7ccadf934a2a20f3818ab82366b56c4c9b9f01198940397b810e
SHA512 11b2807d2bfe85b6d5da527daeed9e04f7c53c7793ab9355ad62eb43d4291360f23bf79384786eadb1ea30efb998f9b8cf173ce24347316019e11a32626350f6

memory/4264-206-0x0000000000CB0000-0x00000000010B4000-memory.dmp

memory/4264-207-0x0000000073BC0000-0x0000000073E8F000-memory.dmp

memory/4264-208-0x0000000073AF0000-0x0000000073BB8000-memory.dmp

memory/4264-209-0x0000000073A20000-0x0000000073AEE000-memory.dmp

memory/4264-247-0x0000000000CB0000-0x00000000010B4000-memory.dmp

memory/2704-262-0x0000000073800000-0x0000000073824000-memory.dmp

memory/2704-261-0x0000000073830000-0x00000000738B8000-memory.dmp

memory/2704-260-0x00000000738C0000-0x00000000739CA000-memory.dmp

memory/2704-259-0x00000000739D0000-0x0000000073A19000-memory.dmp

memory/2704-258-0x0000000073A20000-0x0000000073AEE000-memory.dmp

memory/2704-257-0x0000000073AF0000-0x0000000073BB8000-memory.dmp

memory/2704-256-0x0000000073BC0000-0x0000000073E8F000-memory.dmp

C:\Users\Admin\AppData\Local\d46500b0\tor\data\state

MD5 3bc8fa90b6f5fdb0cf3f565b3f433a9c
SHA1 910dcf9e0ed9c21c07aa17c408e88f50b39812ae
SHA256 9408e4abfbceff87a78d493f489d77ce439c4487a62afaf0eb74ff73e310e6db
SHA512 3997a30851011d03dc74a3d9444cddf013e69f165652d46c625c99fb5a06e27ab6db33263c5e291be5571b9a65e702616d5bc3cd05f779f27097d09d2c4785dc

C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdescs

MD5 33a75ee9c268d52617d651608bd87549
SHA1 3466eda6347e73845be732f748a8cb814b0ba083
SHA256 2ce3419666cf4656b019455b05c24f79a0d1b0bebc2025319d28b0a67f68299b
SHA512 ef39e065ba74c001dd812745ef821cbdda3dc9a868fbde744bb010c6f6000dd71e75a33ad8b28cb5a273534549ef69bc73541af2e7ec12ab14df1f417b4d2c39

C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdescs.new

MD5 87c702bce0c1961c03b02297952801fa
SHA1 5e26c2a800e467f83ca6379eb81f3a9fcdf42250
SHA256 5c99a92f9619a8c44477629c7d0f5dee04e7fd706a00b2167e19de7c4c1334dc
SHA512 c9b3ee64c242085b7be2341d4da795eabbbdc7483f26a5714aa23190362fa2be43d939861ffee2b98a14727f45cdc711f601e89ce7cf9e5bc06a40d627acbc5b

Analysis: behavioral5

Detonation Overview

Submitted

2024-05-07 12:28

Reported

2024-05-07 12:31

Platform

win11-20240419-en

Max time kernel

146s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe"

Signatures

BitRAT

trojan bitrat

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-734199974-1358367239-436541239-1000\Software\Microsoft\Windows\CurrentVersion\Run\test1 = "C:\\Users\\Admin\\AppData\\Local\\temp\\test1" C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A

Enumerates physical storage devices

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4560 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 4560 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 4560 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 4560 wrote to memory of 3724 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 4560 wrote to memory of 3724 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 4560 wrote to memory of 3724 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 4560 wrote to memory of 2132 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 4560 wrote to memory of 2132 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
PID 4560 wrote to memory of 2132 N/A C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe

"C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe"

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc

Network

Country Destination Domain Proto
FR 185.13.39.197:443 tcp
N/A 127.0.0.1:49779 tcp
US 96.253.78.108:443 tcp
NL 77.247.181.162:443 tcp
N/A 127.0.0.1:45808 tcp
DE 136.243.214.137:443 tcp
SE 171.25.193.9:80 tcp
US 8.8.8.8:53 9.193.25.171.in-addr.arpa udp
DE 51.89.17.143:8080 tcp
PL 151.115.74.228:443 tcp
US 8.8.8.8:53 143.17.89.51.in-addr.arpa udp
US 8.8.8.8:53 228.74.115.151.in-addr.arpa udp
N/A 127.0.0.1:45808 tcp
US 15.204.226.3:443 tcp
CH 77.109.152.87:143 tcp
N/A 127.0.0.1:49895 tcp
CH 77.109.152.87:143 tcp
N/A 127.0.0.1:45808 tcp
N/A 127.0.0.1:49979 tcp
DE 181.214.99.212:9001 tcp
DE 51.89.81.247:443 tcp
N/A 127.0.0.1:45808 tcp

Files

memory/4560-0-0x0000000000400000-0x0000000000BD8000-memory.dmp

memory/4560-1-0x0000000074340000-0x000000007437C000-memory.dmp

C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe

MD5 5cfe61ff895c7daa889708665ef05d7b
SHA1 5e58efe30406243fbd58d4968b0492ddeef145f2
SHA256 f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5
SHA512 43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da

memory/1484-17-0x00000000007E0000-0x0000000000BE4000-memory.dmp

C:\Users\Admin\AppData\Local\d46500b0\tor\libcrypto-1_1.dll

MD5 2384a02c4a1f7ec481adde3a020607d3
SHA1 7e848d35a10bf9296c8fa41956a3daa777f86365
SHA256 c8db0ff0f7047ed91b057005e86ad3a23eae616253313aa047c560d9eb398369
SHA512 1ac74dd2d863acd7415ef8b9490a5342865462fbabdad0645da22424b0d56f5e9c389a3d7c41386f2414d6c4715c79a6ddecb6e6cff29e98319e1fd1060f4503

C:\Users\Admin\AppData\Local\d46500b0\tor\libevent-2-1-6.dll

MD5 099983c13bade9554a3c17484e5481f1
SHA1 a84e69ad9722f999252d59d0ed9a99901a60e564
SHA256 b65f9aa0c7912af64bd9b05e9322e994339a11b0c8907e6a6166d7b814bda838
SHA512 89f1a963de77873296395662d4150e3eff7a2d297fb9ec54ec06aa2e40d41e5f4fc4611e9bc34126d760c9134f2907fea3bebdf2fbbd7eaddad99f8e4be1f5e2

C:\Users\Admin\AppData\Local\d46500b0\tor\libwinpthread-1.dll

MD5 d407cc6d79a08039a6f4b50539e560b8
SHA1 21171adbc176dc19aaa5e595cd2cd4bd1dfd0c71
SHA256 92cfd0277c8781a15a0f17b7aee6cff69631b9606a001101631f04b3381efc4e
SHA512 378a10fed915591445d97c6d04e82d28008d8ea65e0e40c142b8ee59867035d561d4e103495c8f0d9c19b51597706ce0b450c25516aa0f1744579ffcd097ae0c

C:\Users\Admin\AppData\Local\d46500b0\tor\zlib1.dll

MD5 add33041af894b67fe34e1dc819b7eb6
SHA1 6db46eb021855a587c95479422adcc774a272eeb
SHA256 8688bd7ca55dcc0c23c429762776a0a43fe5b0332dfd5b79ef74e55d4bbc1183
SHA512 bafc441198d03f0e7fe804bab89283c389d38884d0f87d81b11950a9b79fcbf7b32be4bb16f4fcd9179b66f865c563c172a46b4514a6087ef0af64425a4b2cfa

C:\Users\Admin\AppData\Local\d46500b0\tor\libgcc_s_sjlj-1.dll

MD5 b0d98f7157d972190fe0759d4368d320
SHA1 5715a533621a2b642aad9616e603c6907d80efc4
SHA256 2922193133dabab5b82088d4e87484e2fac75e9e0c765dacaf22eb5f4f18b0c5
SHA512 41ce56c428158533bf8b8ffe0a71875b5a3abc549b88d7d3e69acc6080653abea344d6d66fff39c04bf019fcaa295768d620377d85a933ddaf17f3d90df29496

memory/1484-29-0x00000000738A0000-0x0000000073968000-memory.dmp

C:\Users\Admin\AppData\Local\d46500b0\tor\torrc

MD5 439cd73927f46fde28540391feee8477
SHA1 ee7fb2aeb7708378abda293b03f5c9ffb6dbc742
SHA256 d1604e8bdb1a544638a97aa210b3e1eb12f1f159323d6b5942e03e11eafe9f75
SHA512 c11ad07964e190696f500468d52c61d8af5f075e7828ef00d525f06937f4205ca58eb3eabe5fd9cc8fa88c1d191de919429b6bbf3cdbb2dda6eed7d1b9ca7319

memory/1484-37-0x00000000735B0000-0x00000000735D4000-memory.dmp

memory/1484-36-0x00000000735E0000-0x0000000073668000-memory.dmp

memory/1484-35-0x0000000073780000-0x000000007384E000-memory.dmp

C:\Users\Admin\AppData\Local\d46500b0\tor\libssl-1_1.dll

MD5 c88826ac4bb879622e43ead5bdb95aeb
SHA1 87d29853649a86f0463bfd9ad887b85eedc21723
SHA256 c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f
SHA512 f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3

C:\Users\Admin\AppData\Local\d46500b0\tor\libssp-0.dll

MD5 2c916456f503075f746c6ea649cf9539
SHA1 fa1afc1f3d728c89b2e90e14ca7d88b599580a9d
SHA256 cbb5236d923d4f4baf2f0d2797c72a2cbae42ef7ac0acce786daf5fdc5b456e6
SHA512 1c1995e1aa7c33c597c64122395275861d9219e46d45277d4f1768a2e06227b353d5d77d6b7cb655082dc6fb9736ad6f7cfcc0c90e02776e27d50857e792e3fd

memory/1484-41-0x0000000001DE0000-0x00000000020AF000-memory.dmp

memory/1484-44-0x0000000073670000-0x000000007377A000-memory.dmp

memory/1484-43-0x0000000073850000-0x0000000073899000-memory.dmp

memory/1484-42-0x00000000732E0000-0x00000000735AF000-memory.dmp

memory/4560-45-0x0000000072FA0000-0x0000000072FDC000-memory.dmp

memory/4560-46-0x0000000000400000-0x0000000000BD8000-memory.dmp

memory/1484-48-0x00000000738A0000-0x0000000073968000-memory.dmp

memory/1484-50-0x0000000073780000-0x000000007384E000-memory.dmp

memory/1484-47-0x00000000007E0000-0x0000000000BE4000-memory.dmp

memory/1484-56-0x00000000007E0000-0x0000000000BE4000-memory.dmp

memory/4560-55-0x0000000000400000-0x0000000000BD8000-memory.dmp

memory/1484-65-0x0000000001DE0000-0x00000000020AF000-memory.dmp

memory/1484-57-0x00000000007E0000-0x0000000000BE4000-memory.dmp

C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdesc-consensus

MD5 0ce4530144899e61e7151afe7810919f
SHA1 f300561ff8bbd2b426926aced1e576bd2b91d001
SHA256 59f1410ba288f348e46546682bc8ae589accfdb2abc49b0b59fed35ed9de32e5
SHA512 595a94b645837f8627b703920cec6eda3e6103ae964c91c383679f00b712343b7f8d4656db6efdaceabe8c641cf45d6461ff77cc9fafa263880bc1a0763a83e6

memory/4560-74-0x0000000000400000-0x0000000000BD8000-memory.dmp

memory/1484-76-0x00000000007E0000-0x0000000000BE4000-memory.dmp

C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdescs.new

MD5 ca9baf607cc545d36c8d4870a941374a
SHA1 4f68e37abe6fc3141e5391e72d79b1d1f8e22252
SHA256 6159db332c13ff164022bc2f3f542064e697fae03bd8cd6d09ae6802550838eb
SHA512 b1f0dc7c86b8bf1b465c3d06e87f5eaa8be5445f5f01a91fff8cb28e6f4b851a5eb2e67a28fb1fa64472c1ff97f99ee4a8705c1ff055fb12c02898db701465c4

memory/1484-90-0x00000000007E0000-0x0000000000BE4000-memory.dmp

memory/1484-99-0x00000000007E0000-0x0000000000BE4000-memory.dmp

memory/1484-108-0x00000000007E0000-0x0000000000BE4000-memory.dmp

memory/1484-125-0x00000000007E0000-0x0000000000BE4000-memory.dmp

memory/3724-135-0x00000000007E0000-0x0000000000BE4000-memory.dmp

memory/4560-134-0x0000000000400000-0x0000000000BD8000-memory.dmp

memory/3724-142-0x0000000073350000-0x00000000733D8000-memory.dmp

C:\Users\Admin\AppData\Local\d46500b0\tor\data\state

MD5 61766f4549436bd039844c9aab81a1f3
SHA1 a928ef9167c5b6d9fc079dd89d2d5c15b0ac06c0
SHA256 10b1311242be0fa7dc0a3f50aea370fa112569d8c29345af78e673baddef316b
SHA512 ff84c2366e16e05afe22fc5b915324d743f4cf638d01ac762757a6ff44258850d30a0158a149dcccda504461a9aed0dbc0b25017a685e3e6251afdc362fe2d6a

C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-certs

MD5 26ace7611b0e251cbed0efab5c79db09
SHA1 dd145146ab0f820f15d5aa390f16191a39e2cdaf
SHA256 197b8355cce777e4d37d306c80a3de865034c9d7c18bfc29ed2b504723617be1
SHA512 18dc6e1e6c4cd8e2c1884f1c6abf7de6e49f9ad8a5f40822523789b159a264adb07404a3a7d80de3a71fdc0312aeed152211c19315b6103f76c0c5cf0765a83d

memory/3724-141-0x00000000733E0000-0x00000000734EA000-memory.dmp

memory/3724-140-0x00000000734F0000-0x0000000073514000-memory.dmp

memory/3724-139-0x0000000073520000-0x0000000073569000-memory.dmp

memory/3724-138-0x0000000073570000-0x000000007363E000-memory.dmp

memory/3724-137-0x0000000073640000-0x0000000073708000-memory.dmp

memory/3724-136-0x0000000073710000-0x00000000739DF000-memory.dmp

C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdescs.new

MD5 c87e9f056033e3959da3d02f75620bef
SHA1 aec51d064c722002283356119816692572b89847
SHA256 1b7c6f082e7a10eaad7f4c8137c30b01dc72b7d0f5812e5cef12afa40cbbf7a1
SHA512 a2560dd44da0855a1b0c1c53d7434b41843a9c9cfb637fd7e8085203c2b233612f6c57661627cf8343b76b1b7ffc3bb7a4f82822df8bca044137fb9401b8236b

memory/4560-180-0x0000000072F30000-0x0000000072F6C000-memory.dmp

memory/3724-181-0x00000000007E0000-0x0000000000BE4000-memory.dmp

memory/3724-182-0x0000000073710000-0x00000000739DF000-memory.dmp

memory/3724-184-0x0000000073570000-0x000000007363E000-memory.dmp

memory/3724-183-0x0000000073640000-0x0000000073708000-memory.dmp

memory/3724-204-0x00000000007E0000-0x0000000000BE4000-memory.dmp

memory/2132-213-0x00000000007E0000-0x0000000000BE4000-memory.dmp

memory/2132-220-0x0000000073710000-0x00000000739DF000-memory.dmp

C:\Users\Admin\AppData\Local\d46500b0\tor\data\state

MD5 00d80fc49b6f49c468f3770e7bd396ce
SHA1 dd882288fbb90c631f47518f291195704753f7da
SHA256 eefeb0c85422357a46a135c77a7fd6483e03a0c9085bc699acb3807b73803c57
SHA512 4f5cbfa0e764e481d56d8e4478dde3cd1e7fd61c5609c8595901025fc190147ee0f54bf2cac3ac4eb0a2e0ccc69dde5ee4e20061cbdcebd965f4766361c116d0

memory/2132-219-0x0000000073350000-0x00000000733D8000-memory.dmp

memory/2132-218-0x00000000733E0000-0x00000000734EA000-memory.dmp

memory/2132-217-0x00000000734F0000-0x0000000073514000-memory.dmp

memory/2132-216-0x0000000073520000-0x0000000073569000-memory.dmp

memory/2132-215-0x0000000073570000-0x000000007363E000-memory.dmp

memory/2132-214-0x0000000073640000-0x0000000073708000-memory.dmp

C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdescs

MD5 ad3b82f59cba57d2041f7ce9723f9560
SHA1 58316be683dbb0cdfa8e73f87289b1d50ae63d77
SHA256 1961aeb3cb30e2753609ab483d862c53f3565e3314a0761e2d5c9c3b9d425e83
SHA512 3a9aad2b0eeccabba0bc2d112d4b02e1fde3e0f176efe785ac20e21ccc179e03cad24fe8f86c20158c147fa29b66cb2d2819850509f2725f70ec32fb48c69149

C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdescs.new

MD5 b23d8a69b9fa74147bb1e8f038392da4
SHA1 4cd5543f17f8a202d906121c6940efce9ad04318
SHA256 94a63b62758f55ec54b2341273248cba6a205c32acd534fd3a80fcf6d4e05343
SHA512 deb972b5540132ba64a5aa7c3b4a9ac8971b81ffa8bdbd23197ad89dfedce695c6b302132ab9e1af484092686fe0f3d072d8079f044c82d6d8088121a09e748b

memory/2132-240-0x00000000007E0000-0x0000000000BE4000-memory.dmp

memory/4560-251-0x0000000072F30000-0x0000000072F6C000-memory.dmp

memory/2132-250-0x0000000073570000-0x000000007363E000-memory.dmp

memory/2132-249-0x0000000073640000-0x0000000073708000-memory.dmp

memory/2132-252-0x0000000073710000-0x00000000739DF000-memory.dmp