Analysis Overview
SHA256
1da5b144be7b321399e604ff0173fd831c9cd0588365f3dbf9f08a68d943b4d5
Threat Level: Known bad
The file 1da5b144be7b321399e604ff0173fd831c9cd0588365f3dbf9f08a68d943b4d5 was found to be: Known bad.
Malicious Activity Summary
BitRAT
Bitrat family
Adds Run key to start application
Suspicious use of NtSetInformationThreadHideFromDebugger
Unsigned PE
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-05-10 14:11
Signatures
Bitrat family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-10 14:11
Reported
2024-05-10 14:13
Platform
win10v2004-20240426-en
Max time kernel
148s
Max time network
126s
Command Line
Signatures
BitRAT
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\updater = "C:\\Users\\Admin\\AppData\\Local\\chrome\\updaterЀ" | C:\Users\Admin\AppData\Local\Temp\1da5b144be7b321399e604ff0173fd831c9cd0588365f3dbf9f08a68d943b4d5.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\updater = "C:\\Users\\Admin\\AppData\\Local\\chrome\\updater먀" | C:\Users\Admin\AppData\Local\Temp\1da5b144be7b321399e604ff0173fd831c9cd0588365f3dbf9f08a68d943b4d5.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\updater = "C:\\Users\\Admin\\AppData\\Local\\chrome\\updater᐀" | C:\Users\Admin\AppData\Local\Temp\1da5b144be7b321399e604ff0173fd831c9cd0588365f3dbf9f08a68d943b4d5.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\updater = "C:\\Users\\Admin\\AppData\\Local\\chrome\\updater" | C:\Users\Admin\AppData\Local\Temp\1da5b144be7b321399e604ff0173fd831c9cd0588365f3dbf9f08a68d943b4d5.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\updater = "C:\\Users\\Admin\\AppData\\Local\\chrome\\updaterԀ" | C:\Users\Admin\AppData\Local\Temp\1da5b144be7b321399e604ff0173fd831c9cd0588365f3dbf9f08a68d943b4d5.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1da5b144be7b321399e604ff0173fd831c9cd0588365f3dbf9f08a68d943b4d5.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1da5b144be7b321399e604ff0173fd831c9cd0588365f3dbf9f08a68d943b4d5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1da5b144be7b321399e604ff0173fd831c9cd0588365f3dbf9f08a68d943b4d5.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\1da5b144be7b321399e604ff0173fd831c9cd0588365f3dbf9f08a68d943b4d5.exe
"C:\Users\Admin\AppData\Local\Temp\1da5b144be7b321399e604ff0173fd831c9cd0588365f3dbf9f08a68d943b4d5.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | rornfl12.duckdns.org | udp |
| N/A | 127.0.0.1:3072 | N/A | tcp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| N/A | 127.0.0.1:3072 | N/A | tcp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| N/A | 127.0.0.1:3072 | N/A | tcp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 142.53.16.96.in-addr.arpa | udp |
| N/A | 127.0.0.1:3072 | N/A | tcp |
| N/A | 127.0.0.1:3072 | N/A | tcp |
| US | 8.8.8.8:53 | rornfl12.duckdns.org | udp |
| NL | 23.62.61.129:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 129.61.62.23.in-addr.arpa | udp |
| N/A | 127.0.0.1:3072 | N/A | tcp |
| N/A | 127.0.0.1:3072 | N/A | tcp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| N/A | 127.0.0.1:3072 | N/A | tcp |
| US | 8.8.8.8:53 | rornfl12.duckdns.org | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| N/A | 127.0.0.1:3072 | N/A | tcp |
| N/A | 127.0.0.1:3072 | N/A | tcp |
Files
memory/4956-0-0x0000000000400000-0x00000000007CE000-memory.dmp
memory/4956-1-0x0000000074A10000-0x0000000074A49000-memory.dmp
memory/4956-2-0x00000000746D0000-0x0000000074709000-memory.dmp
memory/4956-3-0x00000000746D0000-0x0000000074709000-memory.dmp
memory/4956-4-0x0000000000400000-0x00000000007CE000-memory.dmp
memory/4956-6-0x00000000746D0000-0x0000000074709000-memory.dmp
memory/4956-7-0x0000000000400000-0x00000000007CE000-memory.dmp
memory/4956-9-0x00000000746D0000-0x0000000074709000-memory.dmp
memory/4956-10-0x0000000000400000-0x00000000007CE000-memory.dmp
memory/4956-11-0x00000000746D0000-0x0000000074709000-memory.dmp
memory/4956-12-0x0000000000400000-0x00000000007CE000-memory.dmp
memory/4956-14-0x00000000746D0000-0x0000000074709000-memory.dmp
memory/4956-15-0x0000000000400000-0x00000000007CE000-memory.dmp
memory/4956-17-0x00000000746D0000-0x0000000074709000-memory.dmp
memory/4956-18-0x0000000000400000-0x00000000007CE000-memory.dmp
memory/4956-19-0x00000000746D0000-0x0000000074709000-memory.dmp
memory/4956-20-0x0000000000400000-0x00000000007CE000-memory.dmp
memory/4956-22-0x00000000746D0000-0x0000000074709000-memory.dmp
memory/4956-23-0x0000000000400000-0x00000000007CE000-memory.dmp
memory/4956-25-0x00000000746D0000-0x0000000074709000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-10 14:11
Reported
2024-05-10 14:13
Platform
win11-20240419-en
Max time kernel
148s
Max time network
150s
Command Line
Signatures
BitRAT
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Microsoft\Windows\CurrentVersion\Run\updater = "C:\\Users\\Admin\\AppData\\Local\\chrome\\updaterԀ" | C:\Users\Admin\AppData\Local\Temp\1da5b144be7b321399e604ff0173fd831c9cd0588365f3dbf9f08a68d943b4d5.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Microsoft\Windows\CurrentVersion\Run\updater = "C:\\Users\\Admin\\AppData\\Local\\chrome\\updater" | C:\Users\Admin\AppData\Local\Temp\1da5b144be7b321399e604ff0173fd831c9cd0588365f3dbf9f08a68d943b4d5.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Microsoft\Windows\CurrentVersion\Run\updater = "C:\\Users\\Admin\\AppData\\Local\\chrome\\updaterЀ" | C:\Users\Admin\AppData\Local\Temp\1da5b144be7b321399e604ff0173fd831c9cd0588365f3dbf9f08a68d943b4d5.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1da5b144be7b321399e604ff0173fd831c9cd0588365f3dbf9f08a68d943b4d5.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1da5b144be7b321399e604ff0173fd831c9cd0588365f3dbf9f08a68d943b4d5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1da5b144be7b321399e604ff0173fd831c9cd0588365f3dbf9f08a68d943b4d5.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\1da5b144be7b321399e604ff0173fd831c9cd0588365f3dbf9f08a68d943b4d5.exe
"C:\Users\Admin\AppData\Local\Temp\1da5b144be7b321399e604ff0173fd831c9cd0588365f3dbf9f08a68d943b4d5.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | rornfl12.duckdns.org | udp |
| N/A | 127.0.0.1:3072 | N/A | tcp |
| N/A | 127.0.0.1:3072 | N/A | tcp |
| N/A | 127.0.0.1:3072 | N/A | tcp |
| N/A | 127.0.0.1:3072 | N/A | tcp |
| N/A | 127.0.0.1:3072 | N/A | tcp |
| N/A | 127.0.0.1:3072 | N/A | tcp |
| N/A | 127.0.0.1:3072 | N/A | tcp |
| N/A | 127.0.0.1:3072 | N/A | tcp |
| N/A | 127.0.0.1:3072 | N/A | tcp |
| N/A | 127.0.0.1:3072 | N/A | tcp |
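The Network tables of both detonations mix three kinds of traffic: repeated DNS lookups of a dynamic-DNS host (rornfl12.duckdns.org) with no connection to any resolved address following them, reverse (in-addr.arpa) lookups and Bing traffic that a Windows guest produces on its own, and TCP connections to a local port (127.0.0.1:3072). The script below is an added example, not part of this report: it parses such a table, tolerates both the four-cell rows and the shorter rows in which the empty Domain cell is dropped, and separates C2 candidates from background noise. The sample rows are a subset taken from the behavioral1 table; the dynamic-DNS and Microsoft suffix lists are the author's assumptions, not something the report states.

```python
"""Triage the Network table of a sandbox report into C2 candidates and background noise.

Added example for this page; not part of the sandbox report. It separates
lookups of dynamic-DNS hosts (the usual way a RAT finds its C2) from the
reverse lookups and Microsoft traffic a Windows guest generates on its own.
The suffix lists are the author's assumptions, not something the report states.
"""
from collections import Counter
from dataclasses import dataclass

# Constructed: rows taken from the behavioral1 Network table, plus one loopback
# row in the short form (no Domain cell) that exports of these tables also use.
SAMPLE_TABLE = """\
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | rornfl12.duckdns.org | udp |
| N/A | 127.0.0.1:3072 | N/A | tcp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| NL | 23.62.61.129:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | rornfl12.duckdns.org | udp |
| N/A | 127.0.0.1:3072 | tcp |
"""

# Assumptions: a name under DDNS_SUFFIXES is treated as a C2 candidate, one under
# BACKGROUND_SUFFIXES as guest background traffic. Extend both for your own use.
DDNS_SUFFIXES = ("duckdns.org", "no-ip.com", "ddns.net", "hopto.org")
BACKGROUND_SUFFIXES = ("bing.com", "bing.net", "microsoft.com", "windowsupdate.com")


@dataclass
class Flow:
    country: str
    ip: str
    port: int
    domain: str   # '' when the report has no name for the destination
    proto: str


def _under(name: str, suffixes) -> bool:
    return any(name == s or name.endswith("." + s) for s in suffixes)


def parse_table(text: str) -> list[Flow]:
    flows = []
    for line in text.strip().splitlines()[1:]:                 # skip the header row
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) < 3:
            continue
        ip, port = cells[1].rsplit(":", 1)
        tail = cells[2:]                                       # Domain and Proto, in either layout
        proto = next((c.lower() for c in tail if c.lower() in ("tcp", "udp")), "")
        domain = next((c.lower() for c in tail if c and c.lower() not in ("tcp", "udp", "n/a")), "")
        flows.append(Flow(cells[0], ip, int(port), domain, proto))
    return flows


def ptr_to_ip(name: str) -> str:
    """'79.190.18.2.in-addr.arpa' -> '2.18.190.79', the address being reverse-resolved."""
    return ".".join(reversed(name[: -len(".in-addr.arpa")].split(".")))


def classify(f: Flow) -> str:
    if f.ip.startswith("127."):
        return "loopback"
    if f.port == 53 and f.proto == "udp":
        if f.domain.endswith(".in-addr.arpa"):
            return "reverse_lookup"
        if _under(f.domain, DDNS_SUFFIXES):
            return "ddns_lookup"
        return "background_lookup" if _under(f.domain, BACKGROUND_SUFFIXES) else "other_lookup"
    return "background_connection" if _under(f.domain, BACKGROUND_SUFFIXES) else "connection"


def summarize(flows: list[Flow]) -> dict:
    tagged = [(classify(f), f) for f in flows]
    ddns = sorted({f.domain for k, f in tagged if k == "ddns_lookup"})
    connected = {f.domain for k, f in tagged if k.endswith("connection")}
    return {
        "counts": dict(Counter(k for k, _ in tagged)),
        "c2_candidates": ddns,
        # looked up but never connected to: check whether the name resolved at all
        "c2_without_connection": [d for d in ddns if d not in connected],
        "reverse_lookup_targets": sorted({ptr_to_ip(f.domain) for k, f in tagged if k == "reverse_lookup"}),
        "loopback_ports": dict(Counter(f.port for k, f in tagged if k == "loopback")),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_table(SAMPLE_TABLE)).items():
        print(f"{key}: {value}")
```

On the full behavioral1 table this leaves one C2 candidate (rornfl12.duckdns.org, looked up three times, never connected to), a set of reverse-lookup targets that are worth checking against the guest's own background connections before treating them as sample activity, and a count of loopback connections to port 3072 that says what to look for (a listener on that port in the process tree) without asserting what it is.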
Files
memory/3008-0-0x0000000000400000-0x00000000007CE000-memory.dmp
memory/3008-1-0x0000000074790000-0x00000000747CC000-memory.dmp
memory/3008-2-0x0000000074BD0000-0x0000000074C0C000-memory.dmp
memory/3008-3-0x0000000074BD0000-0x0000000074C0C000-memory.dmp
memory/3008-4-0x0000000000400000-0x00000000007CE000-memory.dmp
memory/3008-6-0x0000000074BD0000-0x0000000074C0C000-memory.dmp
memory/3008-7-0x0000000000400000-0x00000000007CE000-memory.dmp
memory/3008-9-0x0000000074BD0000-0x0000000074C0C000-memory.dmp
memory/3008-10-0x0000000000400000-0x00000000007CE000-memory.dmp
memory/3008-11-0x0000000074BD0000-0x0000000074C0C000-memory.dmp
memory/3008-12-0x0000000000400000-0x00000000007CE000-memory.dmp
memory/3008-14-0x0000000074BD0000-0x0000000074C0C000-memory.dmp
memory/3008-15-0x0000000000400000-0x00000000007CE000-memory.dmp
memory/3008-17-0x0000000074BD0000-0x0000000074C0C000-memory.dmp
memory/3008-18-0x0000000000400000-0x00000000007CE000-memory.dmp
memory/3008-19-0x0000000074BD0000-0x0000000074C0C000-memory.dmp
memory/3008-20-0x0000000000400000-0x00000000007CE000-memory.dmp
memory/3008-22-0x0000000074BD0000-0x0000000074C0C000-memory.dmp
memory/3008-23-0x0000000000400000-0x00000000007CE000-memory.dmp
memory/3008-25-0x0000000074BD0000-0x0000000074C0C000-memory.dmp