5b731e23be406f4b0e0908bccfba25798fa5fff5695191de760fe385a538688b

Analysis

max time kernel
443s
max time network
360s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
20-07-2024 14:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BitchTits Ransomware [VIP].exe
Size

564KB
MD5

b0ab2ac4595df2a276f5485d549783a7
SHA1

383eca2859577e658d484084922dadf4191dd7c7
SHA256

d2a74e0837a55dbfeffd504b3fd0b2decc332d7c7724ed23b85266c95e0fac58
SHA512

3e134c8707e94b423dd7fc48056aaf9975fad406bfa12e061e749312b8507afd312cfe5e36500eb6239c9acf2842e552216162dff204c3b08a20a7b9b5528031
SSDEEP

6144:/slLxiHV+n32Z6kus2jmjvHBYJLxskckBUIrb271uvERPh5qe7/JFB7XYdjSYGiB:ue4GZ6Kjvmdnb2hpRP2e7/JFTD1Ut3

Score

7^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 6 IoCs

Processes:

soft.exe 11.exe 22.exe 11.exe 22.exeaGjObFe04300.exe

pid process

2964 soft.exe
1112 11.exe
1992 22.exe
2200 11.exe
2712 22.exe
1792 aGjObFe04300.exe

pid	process
2964	soft.exe
1112	11.exe
1992	22.exe
2200	11.exe
2712	22.exe
1792	aGjObFe04300.exe

Loads dropped DLL 15 IoCs

Processes:

BitchTits Ransomware [VIP].exe 11.exe 22.exeWerFault.exe soft.exe

pid	process
816	BitchTits Ransomware [VIP].exe
816	BitchTits Ransomware [VIP].exe
816	BitchTits Ransomware [VIP].exe
816	BitchTits Ransomware [VIP].exe
816	BitchTits Ransomware [VIP].exe
816	BitchTits Ransomware [VIP].exe
1112	11.exe
1992	22.exe
2912	WerFault.exe
2912	WerFault.exe
2912	WerFault.exe
2912	WerFault.exe
2912	WerFault.exe
2964	soft.exe
2964	soft.exe

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\ 11.exe	upx
\Users\Admin\AppData\Local\Temp\ 22.exe	upx
behavioral1/memory/2964-34-0x0000000000400000-0x00000000004B4000-memory.dmp	upx
behavioral1/memory/2964-32-0x0000000000400000-0x00000000004B4000-memory.dmp	upx
behavioral1/memory/1112-21-0x0000000000400000-0x0000000000428000-memory.dmp	upx
behavioral1/memory/2964-38-0x0000000000400000-0x00000000004B4000-memory.dmp	upx
behavioral1/memory/1992-36-0x0000000000400000-0x0000000000448000-memory.dmp	upx
behavioral1/memory/1992-57-0x0000000000400000-0x0000000000448000-memory.dmp	upx
behavioral1/memory/1112-59-0x0000000000400000-0x0000000000428000-memory.dmp	upx
behavioral1/memory/2964-87-0x0000000000400000-0x00000000004B4000-memory.dmp	upx
behavioral1/memory/1792-90-0x0000000000400000-0x00000000004B4000-memory.dmp	upx
behavioral1/memory/2964-97-0x0000000000400000-0x00000000004B4000-memory.dmp	upx
behavioral1/memory/1792-101-0x0000000000400000-0x00000000004B4000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

aGjObFe04300.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\aGjObFe04300 = "C:\\ProgramData\\aGjObFe04300\\aGjObFe04300.exe"	aGjObFe04300.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

11.exe 22.exe

description pid process target process

PID 1112 set thread context of 2200 1112 11.exe 11.exe
PID 1992 set thread context of 2712 1992 22.exe 22.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2912 2200 WerFault.exe 11.exe

description	pid	process	target process
PID 1112 set thread context of 2200	1112	11.exe	11.exe
PID 1992 set thread context of 2712	1992	22.exe	22.exe

pid	pid_target	process	target process
2912	2200	WerFault.exe	11.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

aGjObFe04300.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Main	aGjObFe04300.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

soft.exeaGjObFe04300.exe

description pid process

Token: SeDebugPrivilege 2964 soft.exe
Token: SeDebugPrivilege 1792 aGjObFe04300.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

DllHost.exeaGjObFe04300.exe

pid process

2724 DllHost.exe
1792 aGjObFe04300.exe
1792 aGjObFe04300.exe
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

aGjObFe04300.exe

pid process

1792 aGjObFe04300.exe
1792 aGjObFe04300.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

22.exe 11.exeaGjObFe04300.exe

pid process

1992 22.exe
1112 11.exe
1792 aGjObFe04300.exe
1792 aGjObFe04300.exe

description	pid	process
Token: SeDebugPrivilege	2964	soft.exe
Token: SeDebugPrivilege	1792	aGjObFe04300.exe

pid	process
2724	DllHost.exe
1792	aGjObFe04300.exe
1792	aGjObFe04300.exe

pid	process
1792	aGjObFe04300.exe
1792	aGjObFe04300.exe

pid	process
1992	22.exe
1112	11.exe
1792	aGjObFe04300.exe
1792	aGjObFe04300.exe

Suspicious use of WriteProcessMemory 45 IoCs

Processes:

BitchTits Ransomware [VIP].exe 11.exe 22.exe 11.exe soft.exe

description	pid	process	target process
PID 816 wrote to memory of 2964	816	BitchTits Ransomware [VIP].exe	soft.exe
PID 816 wrote to memory of 2964	816	BitchTits Ransomware [VIP].exe	soft.exe
PID 816 wrote to memory of 2964	816	BitchTits Ransomware [VIP].exe	soft.exe
PID 816 wrote to memory of 2964	816	BitchTits Ransomware [VIP].exe	soft.exe
PID 816 wrote to memory of 1112	816	BitchTits Ransomware [VIP].exe	11.exe
PID 816 wrote to memory of 1112	816	BitchTits Ransomware [VIP].exe	11.exe
PID 816 wrote to memory of 1112	816	BitchTits Ransomware [VIP].exe	11.exe
PID 816 wrote to memory of 1112	816	BitchTits Ransomware [VIP].exe	11.exe
PID 816 wrote to memory of 1992	816	BitchTits Ransomware [VIP].exe	22.exe
PID 816 wrote to memory of 1992	816	BitchTits Ransomware [VIP].exe	22.exe
PID 816 wrote to memory of 1992	816	BitchTits Ransomware [VIP].exe	22.exe
PID 816 wrote to memory of 1992	816	BitchTits Ransomware [VIP].exe	22.exe
PID 1112 wrote to memory of 2200	1112	11.exe	11.exe
PID 1112 wrote to memory of 2200	1112	11.exe	11.exe
PID 1112 wrote to memory of 2200	1112	11.exe	11.exe
PID 1112 wrote to memory of 2200	1112	11.exe	11.exe
PID 1112 wrote to memory of 2200	1112	11.exe	11.exe
PID 1112 wrote to memory of 2200	1112	11.exe	11.exe
PID 1112 wrote to memory of 2200	1112	11.exe	11.exe
PID 1112 wrote to memory of 2200	1112	11.exe	11.exe
PID 1112 wrote to memory of 2200	1112	11.exe	11.exe
PID 1112 wrote to memory of 2200	1112	11.exe	11.exe
PID 1112 wrote to memory of 2200	1112	11.exe	11.exe
PID 1112 wrote to memory of 2200	1112	11.exe	11.exe
PID 1112 wrote to memory of 2200	1112	11.exe	11.exe
PID 1112 wrote to memory of 2200	1112	11.exe	11.exe
PID 1112 wrote to memory of 2200	1112	11.exe	11.exe
PID 1992 wrote to memory of 2712	1992	22.exe	22.exe
PID 1992 wrote to memory of 2712	1992	22.exe	22.exe
PID 1992 wrote to memory of 2712	1992	22.exe	22.exe
PID 1992 wrote to memory of 2712	1992	22.exe	22.exe
PID 1992 wrote to memory of 2712	1992	22.exe	22.exe
PID 1992 wrote to memory of 2712	1992	22.exe	22.exe
PID 1992 wrote to memory of 2712	1992	22.exe	22.exe
PID 1992 wrote to memory of 2712	1992	22.exe	22.exe
PID 1992 wrote to memory of 2712	1992	22.exe	22.exe
PID 2200 wrote to memory of 2912	2200	11.exe	WerFault.exe
PID 2200 wrote to memory of 2912	2200	11.exe	WerFault.exe
PID 2200 wrote to memory of 2912	2200	11.exe	WerFault.exe
PID 2200 wrote to memory of 2912	2200	11.exe	WerFault.exe
PID 1992 wrote to memory of 2712	1992	22.exe	22.exe
PID 2964 wrote to memory of 1792	2964	soft.exe	aGjObFe04300.exe
PID 2964 wrote to memory of 1792	2964	soft.exe	aGjObFe04300.exe
PID 2964 wrote to memory of 1792	2964	soft.exe	aGjObFe04300.exe
PID 2964 wrote to memory of 1792	2964	soft.exe	aGjObFe04300.exe

C:\Users\Admin\AppData\Local\Temp\BitchTits Ransomware [VIP].exe
"C:\Users\Admin\AppData\Local\Temp\BitchTits Ransomware [VIP].exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:816

C:\Users\Admin\AppData\Local\Temp\ soft.exe
"C:\Users\Admin\AppData\Local\Temp\ soft.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2964

C:\ProgramData\aGjObFe04300\aGjObFe04300.exe
"C:\ProgramData\aGjObFe04300\aGjObFe04300.exe" "C:\Users\Admin\AppData\Local\Temp\ soft.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1792

C:\Users\Admin\AppData\Local\Temp\ 11.exe
"C:\Users\Admin\AppData\Local\Temp\ 11.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1112

C:\Users\Admin\AppData\Local\Temp\ 11.exe
"C:\Users\Admin\AppData\Local\Temp\ 11.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2200 -s 160
4⤵
- Loads dropped DLL
- Program crash
PID:2912

C:\Users\Admin\AppData\Local\Temp\ 22.exe
"C:\Users\Admin\AppData\Local\Temp\ 22.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1992

C:\Users\Admin\AppData\Local\Temp\ 22.exe
"C:\Users\Admin\AppData\Local\Temp\ 22.exe"
3⤵
- Executes dropped EXE
PID:2712

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:2724

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ 11.exe
Filesize
78KB

MD5
1cd239662af510e804cb69e6b60c1901

SHA1
4ee9fccb718df863bf9bb91290abd3cca0c7ded4

SHA256
23bfb25e5a73fead98d068f67dfa58d8e04ba7e24ffd0af867d2d4926cd58ba2

SHA512
11f4d213d0ee4e8811416b2c8062eabba4641938e0de184260d5798ce4981611c159cbbab846a0899d306736f76a50cbc786217cd5a577e3b21889b09cdc430e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ 4.JPG
Filesize
11KB

MD5
8e203d40d1ebcc03d4150efbd29185c4

SHA1
ae05a0e6fcf3a5234e7ce61aa9eea3d848b90e9e

SHA256
bbf70479a5d4453651bfe490760d29e7b8ec37fcdafb203cddd92c1f16aa76c5

SHA512
b986639abbf5b7be48cefd6521d38f09e3397e2bc5a7c6fc1c834d03305d6183a43982d083632abde55a570cc5f6bc0ba6d2a21cc53a2a60d0eaade478da3b15

Download Submit
\ProgramData\aGjObFe04300\aGjObFe04300.exe
Filesize
317KB

MD5
4d75b1a87be61dfcefc257a5f46fa1e0

SHA1
60570aefa2c8f9b4a645880452af21d74c6637cf

SHA256
0505d930c8158b8949bff94e139be5a3ada5a83225421cccc4c7f9b0876721e6

SHA512
28d44a90bcf8f70d197bcb8e02d8194845cd881b9efca30c78a2959a991f80d323f350eb9711c269a23587be075c325ec437b2aca9a015dc4097d04ffda6bbbb

Download Submit
\Users\Admin\AppData\Local\Temp\ 22.exe
Filesize
147KB

MD5
48b9c63d4f54e7ef4136ab9c8c1735ce

SHA1
00b0d62607cc680bebec2f8008c3f9784d7e7117

SHA256
ce1028ce2e79e92622cd0e79fa1f3c0a0cc16ee14be73d8eed46c15f93722f43

SHA512
8286eba463f021de6893f8b4e552b43a954acedc5e7de19825f956cb53185cad20b888d6bd3643fc6ec1dc1397e527d1bb0155b09fbfe49e5188d5890171ae3f

Download Submit
\Users\Admin\AppData\Local\Temp\ soft.exe
Filesize
317KB

MD5
121983ae0fa936d61d86d07847cd552d

SHA1
25796eeb26d747edfb1719e9178a34370d7718d1

SHA256
a7d7c2beca12c03b0a5b256c3bbbd7970a55e5713756b32d9805f1cb28bcebef

SHA512
dbcfe34daf7338d98a61bec7234a92e1aa2355871dd410367d88e17d188a6303e1006e14c39f2e7e4b1cc12f63ee437ed0bfb711f40a388194ec8baab77e192b

Download Submit
memory/816-28-0x0000000002B20000-0x0000000002B68000-memory.dmp

Filesize
288KB

Download
memory/816-20-0x0000000002B20000-0x0000000002B48000-memory.dmp

Filesize
160KB

Download
memory/816-64-0x0000000002590000-0x0000000002592000-memory.dmp

Filesize
8KB

Download
memory/1112-21-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1112-50-0x0000000000230000-0x0000000000258000-memory.dmp

Filesize
160KB

Download
memory/1112-59-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1792-90-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/1792-101-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/1992-36-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1992-57-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2200-47-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2200-51-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2200-88-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2712-54-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2712-52-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2712-67-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2712-89-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2724-65-0x0000000000120000-0x0000000000122000-memory.dmp

Filesize
8KB

Download
memory/2964-38-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/2964-87-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/2964-35-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2964-37-0x0000000000401000-0x0000000000468000-memory.dmp

Filesize
412KB

Download
memory/2964-32-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/2964-96-0x0000000000401000-0x0000000000468000-memory.dmp

Filesize
412KB

Download
memory/2964-97-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/2964-98-0x0000000000401000-0x0000000000468000-memory.dmp

Filesize
412KB

Download
memory/2964-34-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download