bitrat | bc28a9c3ab8c1e7e13f6634c1eff7bed34d3dec2f5979f25101270303e69d06e

Analysis

max time kernel
146s
max time network
151s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
10-05-2024 00:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-10_3d70017a2b6d0c6859d7004b651a5d7a_ryuk.exe
Size

11.0MB
MD5

3d70017a2b6d0c6859d7004b651a5d7a
SHA1

f954835541b5a2e7863091a626007f3df181a3ed
SHA256

bc28a9c3ab8c1e7e13f6634c1eff7bed34d3dec2f5979f25101270303e69d06e
SHA512

6fa6f871e61ce7294db6e1dee046b62fd4cf515c615fb5d63a1db207f5d976c41720e9124f607b7a928b058dff93bd2056b84eef955a8c01baa7767244ca6140
SSDEEP

196608:EVFLHg8HxKtyCTFdynneMeR5U8kB1eLOPwdrhEVSL2v8hpffR5vSGRNJpoEzoCDh:OgQxiyKunnQDQBPw5aVSLo8phZS0yEEG

Score

10^/10

bitrat execution persistence trojan upx

Malware Config

Extracted

Family

bitrat

Version

1.34

23.105.131.220:4898

Attributes

communication_password
81dc9bdb52d04dc20036dbd8313ed055
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat

UPX dump on OEP (original entry point) 6 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Feedback71379\ChromeFeedback.exe	UPX
behavioral1/memory/2236-86-0x0000000000400000-0x00000000007E4000-memory.dmp	UPX
behavioral1/memory/2236-111-0x0000000000400000-0x00000000007E4000-memory.dmp	UPX
behavioral1/memory/2236-113-0x0000000000400000-0x00000000007E4000-memory.dmp	UPX
behavioral1/memory/2236-117-0x0000000000400000-0x00000000007E4000-memory.dmp	UPX
behavioral1/memory/2236-120-0x0000000000400000-0x00000000007E4000-memory.dmp	UPX

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

2680 powershell.exe
Executes dropped EXE 1 IoCs

Processes:

ChromeFeedback.exe

pid process

2236 ChromeFeedback.exe

pid	process
2680	powershell.exe

pid	process
2236	ChromeFeedback.exe

Loads dropped DLL 14 IoCs

Processes:

2024-05-10_3d70017a2b6d0c6859d7004b651a5d7a_ryuk.exe

pid	process
2624	2024-05-10_3d70017a2b6d0c6859d7004b651a5d7a_ryuk.exe
2624	2024-05-10_3d70017a2b6d0c6859d7004b651a5d7a_ryuk.exe
2624	2024-05-10_3d70017a2b6d0c6859d7004b651a5d7a_ryuk.exe
2624	2024-05-10_3d70017a2b6d0c6859d7004b651a5d7a_ryuk.exe
2624	2024-05-10_3d70017a2b6d0c6859d7004b651a5d7a_ryuk.exe
2624	2024-05-10_3d70017a2b6d0c6859d7004b651a5d7a_ryuk.exe
2624	2024-05-10_3d70017a2b6d0c6859d7004b651a5d7a_ryuk.exe
2624	2024-05-10_3d70017a2b6d0c6859d7004b651a5d7a_ryuk.exe
2624	2024-05-10_3d70017a2b6d0c6859d7004b651a5d7a_ryuk.exe
2624	2024-05-10_3d70017a2b6d0c6859d7004b651a5d7a_ryuk.exe
2624	2024-05-10_3d70017a2b6d0c6859d7004b651a5d7a_ryuk.exe
2624	2024-05-10_3d70017a2b6d0c6859d7004b651a5d7a_ryuk.exe
2624	2024-05-10_3d70017a2b6d0c6859d7004b651a5d7a_ryuk.exe
2624	2024-05-10_3d70017a2b6d0c6859d7004b651a5d7a_ryuk.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Feedback71379\ChromeFeedback.exe	upx
behavioral1/memory/2236-86-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2236-111-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2236-113-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2236-117-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2236-120-0x0000000000400000-0x00000000007E4000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

2024-05-10_3d70017a2b6d0c6859d7004b651a5d7a_ryuk.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\GoogleFeedback = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-05-10_3d70017a2b6d0c6859d7004b651a5d7a_ryuk.exe"	2024-05-10_3d70017a2b6d0c6859d7004b651a5d7a_ryuk.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

ChromeFeedback.exe

pid process

2236 ChromeFeedback.exe
2236 ChromeFeedback.exe
2236 ChromeFeedback.exe
2236 ChromeFeedback.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

ChromeFeedback.exe

pid process

2236 ChromeFeedback.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

2680 powershell.exe

pid	process
2236	ChromeFeedback.exe
2236	ChromeFeedback.exe
2236	ChromeFeedback.exe
2236	ChromeFeedback.exe

pid	process
2236	ChromeFeedback.exe

pid	process
2680	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exeChromeFeedback.exe

description	pid	process
Token: SeDebugPrivilege	2680	powershell.exe
Token: SeDebugPrivilege	2236	ChromeFeedback.exe
Token: SeShutdownPrivilege	2236	ChromeFeedback.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

ChromeFeedback.exe

pid process

2236 ChromeFeedback.exe
2236 ChromeFeedback.exe

pid	process
2236	ChromeFeedback.exe
2236	ChromeFeedback.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

2024-05-10_3d70017a2b6d0c6859d7004b651a5d7a_ryuk.exe2024-05-10_3d70017a2b6d0c6859d7004b651a5d7a_ryuk.execmd.exe

description	pid	process	target process
PID 1440 wrote to memory of 2624	1440	2024-05-10_3d70017a2b6d0c6859d7004b651a5d7a_ryuk.exe	2024-05-10_3d70017a2b6d0c6859d7004b651a5d7a_ryuk.exe
PID 1440 wrote to memory of 2624	1440	2024-05-10_3d70017a2b6d0c6859d7004b651a5d7a_ryuk.exe	2024-05-10_3d70017a2b6d0c6859d7004b651a5d7a_ryuk.exe
PID 1440 wrote to memory of 2624	1440	2024-05-10_3d70017a2b6d0c6859d7004b651a5d7a_ryuk.exe	2024-05-10_3d70017a2b6d0c6859d7004b651a5d7a_ryuk.exe
PID 2624 wrote to memory of 2680	2624	2024-05-10_3d70017a2b6d0c6859d7004b651a5d7a_ryuk.exe	powershell.exe
PID 2624 wrote to memory of 2680	2624	2024-05-10_3d70017a2b6d0c6859d7004b651a5d7a_ryuk.exe	powershell.exe
PID 2624 wrote to memory of 2680	2624	2024-05-10_3d70017a2b6d0c6859d7004b651a5d7a_ryuk.exe	powershell.exe
PID 2624 wrote to memory of 2604	2624	2024-05-10_3d70017a2b6d0c6859d7004b651a5d7a_ryuk.exe	cmd.exe
PID 2624 wrote to memory of 2604	2624	2024-05-10_3d70017a2b6d0c6859d7004b651a5d7a_ryuk.exe	cmd.exe
PID 2624 wrote to memory of 2604	2624	2024-05-10_3d70017a2b6d0c6859d7004b651a5d7a_ryuk.exe	cmd.exe
PID 2604 wrote to memory of 2236	2604	cmd.exe	ChromeFeedback.exe
PID 2604 wrote to memory of 2236	2604	cmd.exe	ChromeFeedback.exe
PID 2604 wrote to memory of 2236	2604	cmd.exe	ChromeFeedback.exe
PID 2604 wrote to memory of 2236	2604	cmd.exe	ChromeFeedback.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-10_3d70017a2b6d0c6859d7004b651a5d7a_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-10_3d70017a2b6d0c6859d7004b651a5d7a_ryuk.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1440
- C:\Users\Admin\AppData\Local\Temp\2024-05-10_3d70017a2b6d0c6859d7004b651a5d7a_ryuk.exe
  "C:\Users\Admin\AppData\Local\Temp\2024-05-10_3d70017a2b6d0c6859d7004b651a5d7a_ryuk.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2624
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" /c Add-MpPreference -ExclusionPath 'c:\users\admin\appdata\local\temp\Feedback71379'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2680
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "start /b ChromeFeedback.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2604
  - - C:\Users\Admin\AppData\Local\Temp\Feedback71379\ChromeFeedback.exe
      ChromeFeedback.exe
      4⤵
      Executes dropped EXE
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious behavior: CmdExeWriteProcessMemorySpam
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Feedback71379\ChromeFeedback.exe

Filesize
1.4MB

MD5
dd8a1809e34323c3077c1535e1665773

SHA1
7e0a2425222bfa964bae67e190025a78439ed3b0

SHA256
3286282e3001adaef2f975c176a7f4b998707cfc0a813caeb54fe0bd01ab15db

SHA512
72d3f4802b59efb0f273d6e7054ef5ba97e58e0674278af0c5a522a463f02ad3fa29cae30e9876629565f84fbafdf799b97da0b20618b5e5d8097b132b3b0dba

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14402\MSVCR90.dll

Filesize
629KB

MD5
552cf56353af11ce8e0d10ee12fdcd85

SHA1
6ab062b709f851a9576685fe0410ff9f1a4af670

SHA256
e88299ea1a140ff758163dfff179fff3bc5e90e7cfbbd178d0c886dbad184012

SHA512
122f389e7047b728b27f3c964d34b9c8bcae7c36177122e6aa997a6edadad20b14552879f60667a084d34727cb2c85dd5534b6fa7a451f0ab33555b315335457

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14402\python27.dll

Filesize
3.3MB

MD5
4fc438493188550ea7dfb0cc153b4983

SHA1
2e7e79cee5ca14a584c49d7222cecd4a53beac41

SHA256
2ae1f70a99a8f760d3883258f0f69ae759b48270b07036e41b1e887add0c3cfc

SHA512
5f91ddf65fa94129c2e483400327d564a8ce3e3b9dea3a5294fdb6bbd5ee599f89003da8922d1f3904dbab7bd0d4b23fc355f1854e6b34a7f012c1065e88053e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14402\stub.exe.manifest

Filesize
1KB

MD5
70866f37887816cd3fc40eefbceee02d

SHA1
f87d16fe31656f361afab5a9e005fc37189b53d8

SHA256
3a81c3f88bc70a0c97ea2955d5267c6529ac054cd48e2587d3b835428a4725a8

SHA512
a5c9c99bed00d89ea430534e186ca32eef33dbd84da4be30e396917b0821b3fc4d5fb0616944e4f1a31ba5ec26e5a813c1826ba5eb5a3391a8da58e77fa16692

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14~1\_cffi_backend.pyd

Filesize
169KB

MD5
acd2c9a776a26eed771c3070d16bfb22

SHA1
e2e43e88bcb90a07f0bfce239f55f50144354c87

SHA256
b50fb7daf92337d0ca2a73fe4b438dc623e29ccea9a480893735bf9d9956f945

SHA512
e1f18f773f62ddda8d9f93b67f8df4b07d7008dc67f39350392994bdc5f19a1cd8bbd2701273be5e492065567a64b5445948b97d6b79b689f5e89d8ec7de01ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14~1\_hashlib.pyd

Filesize
1.6MB

MD5
6f784c403e2097d11331f8778f6d9d2c

SHA1
64ecd6ee875f89a88204e673acae9547992fd085

SHA256
cda9a6478417629cb40809aad57bd5a884f183333506d00008d16e47368fd633

SHA512
c1fbd548f03a46ee19cd003831bcb53df204cd1c71ab672955a2ff19267c523a17970f8fb9586e712665c09b54c19338037a38a425dacb857aae5b6162fa282c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14~1\_socket.pyd

Filesize
50KB

MD5
f28dc3a4451c29fea272d7ae063425c5

SHA1
ece376146a7115cd5b1ad141a59fff25b6da6a5d

SHA256
a75aa54781de3c97f5b4c2e0389d5ad39602cda6fcd5a3810667a4cf24f4286a

SHA512
746b1b608c457cdf8aa784683533e1220c60dd689f7f5266013f1194e9fd091123eb11d697119b9de65686019176062eb9aba04d2845930369829182a399b5e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14~1\_ssl.pyd

Filesize
2.0MB

MD5
9c6d526768f8395aecff0af0d27f0063

SHA1
a580e2782c31ffb9365ea31dce8b337aae9eee07

SHA256
2c4cb4459c37a2152698e19f27350a7dbf56c51509689b1d7a65c60fb5a75751

SHA512
52bc14aa9f6bb6822740b7be98187fba1adf86f484e130ac6df3fad6e456b41288cbb9c8abf9d7af8730e9c0f7438ed362582ee7f39a5cab9cf471bb5b84b9eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14~1\bz2.pyd

Filesize
90KB

MD5
51fdb7790e680a394e9936498d3a73fa

SHA1
fab9f97feee68fbd9225de051349ac3258920fa2

SHA256
985902e0813564981059c2f57282614f5a907dc3df0273ba7bef2ad64123c921

SHA512
594153dd913a3369d310980b0e53bc6a10174e18b0b416dc1b86b2401b4bd94546bee9fbde7421e102490ccba4c8a8d7b91b3df5e3c0506cc98b51bc63e15c50

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14~1\cryptography.hazmat.bindings._openssl.pyd

Filesize
2.9MB

MD5
66bf25813d69a9b4bb06981c10668297

SHA1
023292b47bef8b79baec632c0781d238229d57a0

SHA256
4988832e7ca44409dbd14be25e975999d57a9e3a0d1ec85a3b981db0895c8443

SHA512
cba9a18838a985ff7146b8e063bd7f76c544d95fb96d91f888307393f809d98a4f5d72cd600d957f69301f8263554691b4df25f4c63b9203ff4c1f0199ea69ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14~1\cryptography.hazmat.bindings._padding.pyd

Filesize
9KB

MD5
7f61f37bd763aa32dc7770281333bc5b

SHA1
df119f5ef64122b6e8378ffb1c513ac1a2d4325a

SHA256
72cfea68038945bcb4069453fa5072bc0cb0c78a1a57b95013925711fa0280da

SHA512
f500382c669f06367e50cce5c95a1afe28fdc50c1d9da2986ec9f33911419448e8f18e5a1a07cff7e506baf1d7e4e5ca34e8e6e180078d675b6022a699e55082

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14~1\pythoncom27.dll

Filesize
537KB

MD5
175b37a400e879e09006d3687c741a98

SHA1
4db47da99d839487920e4a5c93433e6fd6345a70

SHA256
2aecf1ab948d3de9e213cd3248593c7d486d0939302b1a87aaeafd70d2d1ff50

SHA512
d5772bf9d7276f0cd29eccb0437f1d0e9a924ef65078ac2c68458bfca40a5e59d68e7b9b6c3df2115440afc031fefb4dcc90eb4a4e6ea23904d85dae3c643b3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14~1\pywintypes27.dll

Filesize
135KB

MD5
9db2c540bcad7b91a6bc09d3d5e71204

SHA1
a9213bec75751f3fc6ea7993f0c3432286e732a7

SHA256
cdf44ce54415aba1fad74eecbbee716372ce8e8d75b9ea9559103f2794a4b325

SHA512
9185bc4c66e067909303c17564a634769faca4247e9124792cee9670c585aa788c007576b529131f66e96fa798a3f2b78b7b91e9c0ac0631ba0e6686673fcc7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14~1\win32api.pyd

Filesize
127KB

MD5
3f889f9a8a4f8cc29b517eaeb9053cca

SHA1
778a65edd208e6dcccc27b33a8b09a298f59d42d

SHA256
eb1d362015f2a200377f9e8efdc42b72d9f70a71f98e96bc6b990920e817af32

SHA512
775b9fb7217fa050adc80c6c279eb2180411b4c6fa018619306ff580492083f0e9420378cba2d7cc825dc1184d9b06e9cf8fc29342dc9164b37fbb1823cd63cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14~1\win32com.shell.shell.pyd

Filesize
525KB

MD5
f6d8cbe92d6718c9b82dc430d9f2dc2c

SHA1
17799d60eb0f7fa0d6b62e4675d6c0804a741f06

SHA256
1eee192f89b464cbe549880ac996b682f1f08b0ef0da3e121de56c39b274c2b9

SHA512
44c36a53a22a2f5b439603fd3a1f2b97b9bb19ce0e50d5694a181322e37926ccaee3691aee92620efcc84ceaee5e892a28e5ef7751f351e47f164b6a2cf3869a

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI14~1\_ctypes.pyd

Filesize
119KB

MD5
28e5d05ab42adb1e7ada35f1eef1b32b

SHA1
0792867716c8a933305455a2c7f39d30807dad65

SHA256
a93e3bfe62afa5062c6257a7f347d715af346ac3aec7999b8d86a9f2580ec176

SHA512
0cb08ec46068e20a2df3fc0e69bceba5b8a807aeb580002e846d9272fea7a6ee24b8f2c571571677b61dd8c58eb998c26a656193798de5075c6943f6d701c569

Download Submit
memory/2236-120-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2236-117-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2236-113-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2236-111-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2236-86-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2680-72-0x000007FEF52EE000-0x000007FEF52EF000-memory.dmp

Filesize
4KB

Download
memory/2680-80-0x000007FEF5030000-0x000007FEF59CD000-memory.dmp

Filesize
9.6MB

Download
memory/2680-79-0x000007FEF5030000-0x000007FEF59CD000-memory.dmp

Filesize
9.6MB

Download
memory/2680-78-0x000007FEF5030000-0x000007FEF59CD000-memory.dmp

Filesize
9.6MB

Download
memory/2680-77-0x000007FEF5030000-0x000007FEF59CD000-memory.dmp

Filesize
9.6MB

Download
memory/2680-73-0x000000001B230000-0x000000001B512000-memory.dmp

Filesize
2.9MB

Download
memory/2680-76-0x000007FEF5030000-0x000007FEF59CD000-memory.dmp

Filesize
9.6MB

Download
memory/2680-74-0x0000000002410000-0x0000000002418000-memory.dmp

Filesize
32KB

Download
memory/2680-75-0x000007FEF5030000-0x000007FEF59CD000-memory.dmp

Filesize
9.6MB

Download