Analysis

max time kernel: 148s
max time network: 149s
platform: windows7_x64
resource: win7-20240215-en
resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
submitted: 12-05-2024 00:56

Static task: static1 (2 signatures)
Behavioral task: behavioral1
- Sample: 4d26e12d17a42568aa1f7d4b2f36aa3c.exe
- Resource: win7-20240215-en (windows7-x64)
- 10 signatures
- 150 seconds
General

Target: 4d26e12d17a42568aa1f7d4b2f36aa3c.exe
Size: 2.0MB
MD5: 4d26e12d17a42568aa1f7d4b2f36aa3c
SHA1: c65c6120cb491c683d28cd7d913e062ca71acdf4
SHA256: c3bf75a13d38a48c126476948c06bdfca08ee0bb706a39c5d97f77e6c63fb8ae
SHA512: 5dbecb961fd21062cc9fab5ea4ebb22563331bbfb6210b06ef38f9cf5620f26862f1e954659859afcc58d5fdf0a95e2ac968cb574618ae346f167c0e1909d2dd
SSDEEP: 49152:ZTvC/MTQYxsWR7afXmpqVyBl8VaLH4QxP6Xw:ljTQYxsWR+mpqVA2YD466X
Malware Config

Extracted
Family: bitrat
Version: 1.38
C2: MyBtrpub.dynuddns.com:8889
Attributes:
- communication_password: cba52b50d9cf77a308a6bedcd075f95e
- tor_process: tor
Signatures

Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 2 IoCs)

| flow | ioc |
|---|---|
| 2 | drive.google.com |
| 4 | drive.google.com |

Suspicious use of NtSetInformationThreadHideFromDebugger (5 IoCs)

| pid | Process |
|---|---|
| 2132 | RegSvcs.exe |
| 2132 | RegSvcs.exe |
| 2132 | RegSvcs.exe |
| 2132 | RegSvcs.exe |
| 2132 | RegSvcs.exe |

Suspicious use of SetThreadContext (3 IoCs)

| description | pid | Process | procid_target |
|---|---|---|---|
| PID 1288 set thread context of 0 | 1288 | 4d26e12d17a42568aa1f7d4b2f36aa3c.exe | |
| PID 1288 set thread context of 0 | 1288 | 4d26e12d17a42568aa1f7d4b2f36aa3c.exe | |
| PID 1288 set thread context of 2132 | 1288 | 4d26e12d17a42568aa1f7d4b2f36aa3c.exe | 32 |

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)

| pid | Process |
|---|---|
| 1288 | 4d26e12d17a42568aa1f7d4b2f36aa3c.exe |

Suspicious use of AdjustPrivilegeToken (2 IoCs)

| description | pid | Process |
|---|---|---|
| Token: SeDebugPrivilege | 2132 | RegSvcs.exe |
| Token: SeShutdownPrivilege | 2132 | RegSvcs.exe |

Suspicious use of FindShellTrayWindow (3 IoCs)

| pid | Process |
|---|---|
| 1288 | 4d26e12d17a42568aa1f7d4b2f36aa3c.exe |
| 1288 | 4d26e12d17a42568aa1f7d4b2f36aa3c.exe |
| 1288 | 4d26e12d17a42568aa1f7d4b2f36aa3c.exe |

Suspicious use of SendNotifyMessage (3 IoCs)

| pid | Process |
|---|---|
| 1288 | 4d26e12d17a42568aa1f7d4b2f36aa3c.exe |
| 1288 | 4d26e12d17a42568aa1f7d4b2f36aa3c.exe |
| 1288 | 4d26e12d17a42568aa1f7d4b2f36aa3c.exe |

Suspicious use of SetWindowsHookEx (2 IoCs)

| pid | Process |
|---|---|
| 2132 | RegSvcs.exe |
| 2132 | RegSvcs.exe |

Suspicious use of WriteProcessMemory (35 IoCs)

| description | pid | Process | procid_target |
|---|---|---|---|
| PID 1288 wrote to memory of 2696 | 1288 | 4d26e12d17a42568aa1f7d4b2f36aa3c.exe | 29 |
| PID 1288 wrote to memory of 2696 | 1288 | 4d26e12d17a42568aa1f7d4b2f36aa3c.exe | 29 |
| PID 1288 wrote to memory of 2696 | 1288 | 4d26e12d17a42568aa1f7d4b2f36aa3c.exe | 29 |
| PID 1288 wrote to memory of 2696 | 1288 | 4d26e12d17a42568aa1f7d4b2f36aa3c.exe | 29 |
| PID 1288 wrote to memory of 2696 | 1288 | 4d26e12d17a42568aa1f7d4b2f36aa3c.exe | 29 |
| PID 1288 wrote to memory of 2696 | 1288 | 4d26e12d17a42568aa1f7d4b2f36aa3c.exe | 29 |
| PID 1288 wrote to memory of 2696 | 1288 | 4d26e12d17a42568aa1f7d4b2f36aa3c.exe | 29 |
| PID 1288 wrote to memory of 2696 | 1288 | 4d26e12d17a42568aa1f7d4b2f36aa3c.exe | 29 |
| PID 1288 wrote to memory of 2360 | 1288 | 4d26e12d17a42568aa1f7d4b2f36aa3c.exe | 30 |
| PID 1288 wrote to memory of 2360 | 1288 | 4d26e12d17a42568aa1f7d4b2f36aa3c.exe | 30 |
| PID 1288 wrote to memory of 2360 | 1288 | 4d26e12d17a42568aa1f7d4b2f36aa3c.exe | 30 |
| PID 1288 wrote to memory of 2360 | 1288 | 4d26e12d17a42568aa1f7d4b2f36aa3c.exe | 30 |
| PID 1288 wrote to memory of 2360 | 1288 | 4d26e12d17a42568aa1f7d4b2f36aa3c.exe | 30 |
| PID 1288 wrote to memory of 2360 | 1288 | 4d26e12d17a42568aa1f7d4b2f36aa3c.exe | 30 |
| PID 1288 wrote to memory of 2360 | 1288 | 4d26e12d17a42568aa1f7d4b2f36aa3c.exe | 30 |
| PID 1288 wrote to memory of 2360 | 1288 | 4d26e12d17a42568aa1f7d4b2f36aa3c.exe | 30 |
| PID 1288 wrote to memory of 2360 | 1288 | 4d26e12d17a42568aa1f7d4b2f36aa3c.exe | 30 |
| PID 1288 wrote to memory of 2464 | 1288 | 4d26e12d17a42568aa1f7d4b2f36aa3c.exe | 31 |
| PID 1288 wrote to memory of 2464 | 1288 | 4d26e12d17a42568aa1f7d4b2f36aa3c.exe | 31 |
| PID 1288 wrote to memory of 2464 | 1288 | 4d26e12d17a42568aa1f7d4b2f36aa3c.exe | 31 |
| PID 1288 wrote to memory of 2464 | 1288 | 4d26e12d17a42568aa1f7d4b2f36aa3c.exe | 31 |
| PID 1288 wrote to memory of 2464 | 1288 | 4d26e12d17a42568aa1f7d4b2f36aa3c.exe | 31 |
| PID 1288 wrote to memory of 2464 | 1288 | 4d26e12d17a42568aa1f7d4b2f36aa3c.exe | 31 |
| PID 1288 wrote to memory of 2464 | 1288 | 4d26e12d17a42568aa1f7d4b2f36aa3c.exe | 31 |
| PID 1288 wrote to memory of 2464 | 1288 | 4d26e12d17a42568aa1f7d4b2f36aa3c.exe | 31 |
| PID 1288 wrote to memory of 2464 | 1288 | 4d26e12d17a42568aa1f7d4b2f36aa3c.exe | 31 |
| PID 1288 wrote to memory of 2132 | 1288 | 4d26e12d17a42568aa1f7d4b2f36aa3c.exe | 32 |
| PID 1288 wrote to memory of 2132 | 1288 | 4d26e12d17a42568aa1f7d4b2f36aa3c.exe | 32 |
| PID 1288 wrote to memory of 2132 | 1288 | 4d26e12d17a42568aa1f7d4b2f36aa3c.exe | 32 |
| PID 1288 wrote to memory of 2132 | 1288 | 4d26e12d17a42568aa1f7d4b2f36aa3c.exe | 32 |
| PID 1288 wrote to memory of 2132 | 1288 | 4d26e12d17a42568aa1f7d4b2f36aa3c.exe | 32 |
| PID 1288 wrote to memory of 2132 | 1288 | 4d26e12d17a42568aa1f7d4b2f36aa3c.exe | 32 |
| PID 1288 wrote to memory of 2132 | 1288 | 4d26e12d17a42568aa1f7d4b2f36aa3c.exe | 32 |
| PID 1288 wrote to memory of 2132 | 1288 | 4d26e12d17a42568aa1f7d4b2f36aa3c.exe | 32 |
| PID 1288 wrote to memory of 2132 | 1288 | 4d26e12d17a42568aa1f7d4b2f36aa3c.exe | 32 |
Processes

- C:\Users\Admin\AppData\Local\Temp\4d26e12d17a42568aa1f7d4b2f36aa3c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\4d26e12d17a42568aa1f7d4b2f36aa3c.exe"
  PID: 1288
  - Suspicious use of SetThreadContext
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    PID: 2696
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    PID: 2360
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    PID: 2464
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    PID: 2132
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx