Malware Analysis Report

2024-09-22 22:00

Sample ID 240528-tm4t7sbd3z
Target svchost.exe
SHA256 042fb46c57a37d6e3a96aa82bc30e294ef04d43487ebfd80c81766d37c2a5fbe
Tags
bitrat persistence trojan upx
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

042fb46c57a37d6e3a96aa82bc30e294ef04d43487ebfd80c81766d37c2a5fbe

Threat Level: Known bad

The file svchost.exe was found to be: Known bad. The name matches the Windows service host, but this sample is an unsigned, UPX-packed user-mode binary that was run from C:\Users\Admin\AppData\Local\Temp, not the system binary in C:\Windows\System32.

Malicious Activity Summary

bitrat persistence trojan upx

BitRAT

Checks computer location settings

Executes dropped EXE

UPX packed file

Adds Run key to start application

Suspicious use of NtSetInformationThreadHideFromDebugger

Unsigned PE

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-05-28 16:11

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-28 16:11

Reported

2024-05-28 16:12

Platform

win10-20240404-en

Max time kernel

59s

Max time network

38s

Command Line

"C:\Users\Admin\AppData\Local\Temp\svchost.exe"

Signatures

BitRAT

trojan bitrat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
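The "Unsigned PE" (static1) and "UPX packed file" signatures above are both header-level checks: UPX leaves its section names (UPX0/UPX1) in the section table, and an unsigned image has an empty security data directory. The following is an added example, not the sandbox's own code, that parses just enough of a PE header to run both checks. The sample image is constructed in memory (headers only, not executable) and its section sizes and the fake certificate offset are illustrative values.

```python
"""Static checks behind the "UPX packed file" and "Unsigned PE" signatures.

Added example (not sandbox code): parses section names and the Authenticode
data directory from a PE header and runs both checks on a constructed image.
"""
import struct

PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
IMAGE_DIRECTORY_ENTRY_SECURITY = 4      # data-directory slot holding the Authenticode blob


def parse_pe(data: bytes) -> dict:
    """Return the section table and the security data directory (offset, size)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32_MAGIC:
        dd = opt + 96                   # data directories start at +96 in PE32 ...
    elif magic == PE32PLUS_MAGIC:
        dd = opt + 112                  # ... and at +112 in PE32+
    else:
        raise ValueError(f"unexpected optional header magic {magic:#x}")
    security = struct.unpack_from("<II", data, dd + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    sections, sh = [], opt + opt_size
    for i in range(nsect):
        off = sh + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", data, off + 8)
        sections.append({"name": name, "vsize": vsize, "va": va,
                         "rawsize": rawsize, "rawptr": rawptr})
    return {"sections": sections, "security_dir": security}


def looks_upx_packed(info: dict) -> bool:
    """Stock UPX names its sections UPX0/UPX1 and gives UPX0 no raw data:
    the unpacking stub in UPX1 fills it at run time."""
    names = [s["name"] for s in info["sections"]]
    upx0 = next((s for s in info["sections"] if s["name"] == "UPX0"), None)
    return "UPX1" in names and upx0 is not None and upx0["rawsize"] == 0


def is_signed(info: dict) -> bool:
    """Non-empty security directory = an Authenticode blob is attached.
    This is presence only; validity still needs the signature verified."""
    return info["security_dir"][1] > 0


def build_min_pe(sections, signed=False) -> bytes:
    """Constructed header-only PE32 image for testing (not executable).
    sections: list of (name, virtual_size, raw_size)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)            # e_lfanew = 64
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    opt = bytearray(224)                                          # PE32 optional header size
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    if signed:                                                    # illustrative offset/size
        struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, 0x1000, 0x400)
    hdrs, va = b"", 0x1000
    for name, vsize, rawsize in sections:
        hdrs += (name.encode().ljust(8, b"\0")
                 + struct.pack("<IIII", vsize, va, rawsize, 0x400) + b"\0" * 16)
        va += vsize
    return dos + coff + bytes(opt) + hdrs


# Constructed samples: a UPX-style layout and a plain signed layout.
UPX_SAMPLE = build_min_pe([("UPX0", 0x100000, 0), ("UPX1", 0x80000, 0x80000), (".rsrc", 0x1000, 0x1000)])
PLAIN_SAMPLE = build_min_pe([(".text", 0x1000, 0x1000), (".data", 0x1000, 0x200)], signed=True)


def static_triage(data: bytes) -> dict:
    info = parse_pe(data)
    return {"upx": looks_upx_packed(info), "signed": is_signed(info),
            "sections": [s["name"] for s in info["sections"]]}


if __name__ == "__main__":
    print("upx-style :", static_triage(UPX_SAMPLE))
    print("plain     :", static_triage(PLAIN_SAMPLE))
```

The section-name test is only a heuristic: a repacked sample with renamed sections passes it, which is why sandboxes also report the in-memory image (see the memory dumps in the Files section) rather than relying on the file on disk.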

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Local\\system32\\Windows Update.exe" C:\Users\Admin\AppData\Roaming\Windows Update.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Local\\system32\\Windows Update.exe" C:\Users\Admin\AppData\Roaming\Windows Update.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Local\\system32\\Windows Update.exe" C:\Users\Admin\AppData\Roaming\Windows Update.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Local\\system32\\Windows Update.exe" C:\Users\Admin\AppData\Roaming\Windows Update.exe N/A

The same HKCU Run value was written four times by the dropped executable. In three of the writes the sandbox rendered stray characters after ".exe" (bytes beyond the string terminator, shown as UTF-16 code units); they have been dropped above and the effective value is the same path in all four. Note the path mismatch: the Run value points at C:\Users\Admin\AppData\Local\system32\Windows Update.exe, a user-writable directory given a system-looking name, while the process that wrote it runs from C:\Users\Admin\AppData\Roaming\Windows Update.exe, and no file at the Local\system32 path appears in the Files section of this run. Either the copy to that path happens outside the 59 s capture window or the configured install path differs from the actual drop location; on a suspected host, check both locations and the Run value itself.

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe N/A

Four calls to NtSetInformationThread with the ThreadHideFromDebugger information class (0x11) from the dropped executable. A thread flagged this way no longer delivers debug events to an attached debugger, so user-mode debugging of Windows Update.exe requires hooking or patching this call before it runs.

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\svchost.exe"

C:\Users\Admin\AppData\Roaming\Windows Update.exe

"C:\Users\Admin\AppData\Roaming\Windows Update.exe"
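The Run-key rows and the process list above show two masquerades: a Run value named "Windows Update" that points into a user profile directory with a fake system32 component and was written by an executable at a different path, and a user-mode binary named svchost.exe launched from %TEMP%. The following is an added example, not the sandbox's code, of triage logic that normalizes the registry values as the sandbox rendered them (quotes, doubled backslashes and the stray characters after ".exe") and flags those conditions. The four Run rows and both process paths are copied from this report; the "VendorUpdater" entry is a constructed benign control, and the name watchlist is illustrative.

```python
"""Triage of the report's Run-key persistence rows and process list.

Added example, not the sandbox's code: normalizes registry values as the
sandbox rendered them and flags the masquerades visible in this run.
"""
from pathlib import PureWindowsPath

# Watchlist of names malware borrows from Windows components (illustrative, not exhaustive).
IMPERSONATED_NAMES = {"windows update", "windows update.exe", "svchost.exe",
                      "csrss.exe", "lsass.exe", "winlogon.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64")


def normalize_run_value(raw: str) -> str:
    """Clean a REG_SZ value as shown in the report: surrounding quotes, doubled
    backslashes, and on some writes stray characters after '.exe' (bytes past the
    string terminator that the sandbox rendered as UTF-16 code units)."""
    s = raw.strip().strip('"').replace("\\\\", "\\")
    # heuristic: paths in this report are plain ASCII, so trailing
    # non-printable or non-ASCII characters are debris, not part of the path
    while s and (ord(s[-1]) < 0x20 or ord(s[-1]) > 0x7E):
        s = s[:-1]
    return s


def in_system_dir(path: str) -> bool:
    p = path.lower()
    return any(p.startswith(d + "\\") for d in SYSTEM_DIRS)


def flag_run_entry(value_name: str, raw_value: str, writer: str) -> list:
    """Return the reasons a Run value is suspicious (empty list if none)."""
    target = normalize_run_value(raw_value)
    t = target.lower()
    findings = []
    if t.startswith("c:\\users\\") and "\\appdata\\" in t:
        findings.append("target lives in a user-writable profile directory")
    if "\\system32\\" in t and not in_system_dir(target):
        findings.append("target path contains a fake 'system32' directory")
    names = {value_name.lower(), PureWindowsPath(target).name.lower()}
    if names & IMPERSONATED_NAMES and not in_system_dir(target):
        findings.append("value or file name impersonates a Windows component outside the system directory")
    if t != writer.lower():
        findings.append("target differs from the path of the process that wrote the value")
    return findings


def flag_process(image_path: str) -> list:
    """Image-name masquerade: a system process name running from elsewhere."""
    p = PureWindowsPath(image_path)
    if p.name.lower() in IMPERSONATED_NAMES and not in_system_dir(image_path):
        return [f"{p.name} running from {p.parent} instead of the system directory"]
    return []


# (value name, value data, writing process) copied from the report's four
# Run-key rows, plus one constructed benign entry as a control.
RUN_WRITES = [
    ("Windows Update", r'"C:\\Users\\Admin\\AppData\\Local\\system32\\Windows Update.exeĀ"',
     r"C:\Users\Admin\AppData\Roaming\Windows Update.exe"),
    ("Windows Update", r'"C:\\Users\\Admin\\AppData\\Local\\system32\\Windows Update.exe耀"',
     r"C:\Users\Admin\AppData\Roaming\Windows Update.exe"),
    ("Windows Update", r'"C:\\Users\\Admin\\AppData\\Local\\system32\\Windows Update.exe"',
     r"C:\Users\Admin\AppData\Roaming\Windows Update.exe"),
    ("Windows Update", r'"C:\\Users\\Admin\\AppData\\Local\\system32\\Windows Update.exe픀"',
     r"C:\Users\Admin\AppData\Roaming\Windows Update.exe"),
    ("VendorUpdater", r'"C:\\Program Files\\Vendor\\updater.exe"',      # constructed control
     r"C:\Program Files\Vendor\updater.exe"),
]
PROCESSES = [r"C:\Users\Admin\AppData\Local\Temp\svchost.exe",        # from the Processes section
             r"C:\Users\Admin\AppData\Roaming\Windows Update.exe"]


def behavioral_triage() -> dict:
    run = [flag_run_entry(n, v, w) for n, v, w in RUN_WRITES]
    procs = {p: flag_process(p) for p in PROCESSES}
    return {"run": run, "processes": procs}


if __name__ == "__main__":
    result = behavioral_triage()
    for (name, _, _), findings in zip(RUN_WRITES, result["run"]):
        print(name, findings or "clean")
    for path, findings in result["processes"].items():
        print(path, findings or "clean")
```

The writer-versus-target comparison is the check worth keeping in a real hunt: a Run value that points somewhere other than the binary that set it is a strong signal that a second copy exists or is about to be made, which is exactly the gap this run leaves open.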

Network

Country Destination Domain Proto
IT 158.58.168.61:1337 - tcp
IT 158.58.168.61:1337 - tcp

Two TCP connections to 158.58.168.61 on port 1337 within the 38 s network window, with no domain recorded for either (the Domain column is empty), so the address is reached directly rather than via DNS. For detection, the IP:port pair is the usable indicator; outbound 1337/tcp from an executable under a user profile directory is the generic signal.

Files

memory/4920-0-0x0000000000400000-0x00000000015F4000-memory.dmp

C:\Users\Admin\AppData\Roaming\Windows Update.exe

MD5 b37ec293e5bcb580d448da4965dffd54
SHA1 47b36a89cab289178f6d2ffd123ac0ca8431f0e8
SHA256 29556061e8bf4bc3805e4b52abae0b12b7ca445a5b792d3daa19bcf30aa3966e
SHA512 3358f3b8f1b42aa680075af9388906f0e93cb1cd4cc5ab15a9a07df61a1604e2e53d2acf3212c53613debf156e5d21680e7ba0ad52237006c29f877b04a23371

memory/3608-31-0x0000000000400000-0x00000000007E4000-memory.dmp

memory/3608-32-0x0000000074380000-0x00000000743BA000-memory.dmp

memory/3608-33-0x0000000074350000-0x000000007438A000-memory.dmp

memory/3608-34-0x0000000000400000-0x00000000007E4000-memory.dmp

memory/3608-35-0x0000000000400000-0x00000000007E4000-memory.dmp

memory/3608-37-0x0000000074350000-0x000000007438A000-memory.dmp

memory/3608-38-0x0000000000400000-0x00000000007E4000-memory.dmp