Analysis
-
max time kernel
79s -
max time network
80s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
20-10-2024 02:07
General
-
Target
WinLocker Builder (test version).exe
-
Size
5.1MB
-
MD5
fb344b1c20c3d4b66efe7194fdc7299c
-
SHA1
c36ff3e29f450a7ffc58979cd51360d6db04e854
-
SHA256
f3fa585e7418f8b33bb279c72461d1822d0da9c0da673d158acfeecfd0ca6017
-
SHA512
44aad18a62c554cfa9a21dc4fe58db4f09d68d70252c59385fe54fe007e4e79172110719547e2cfd784ee98f8604561e185a0c3c05dd2443cf5cd76e92725bdb
-
SSDEEP
98304:Ex3MI+PNSOdHfY5JX+2pgGXRNe14VMAjizLIi2tEXuDS2MTozg:EE5Ri5pgGXyp0SIi2tEXu+Px
Malware Config
Extracted
bitrat
1.38
current-necessity.at.ply.gg:49446
-
communication_password
c5e4e64cc9384fda09aa232c1811af0e
-
install_dir
MsSystemDriver
-
install_file
MsMpEng.exe
-
tor_process
tor
Signatures
-
BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 3 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
NTFS ADS 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: RenamesItself 16 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\WinLocker Builder (test version).exe"C:\Users\Admin\AppData\Local\Temp\WinLocker Builder (test version).exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Pre-OS Boot
1Bootkit
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Modify Registry
1Pre-OS Boot
1Bootkit
1Virtualization/Sandbox Evasion
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
12.7MB
-
Filesize
8KB
-
Filesize
12.7MB
-
Filesize
12.7MB
-
Filesize
12.7MB
-
Filesize
12.7MB
-
Filesize
12.7MB
-
Filesize
228KB
-
Filesize
12.7MB
-
Filesize
12.7MB
-
Filesize
12.7MB
-
Filesize
228KB
-
Filesize
12.7MB
-
Filesize
12.7MB
-
Filesize
12.7MB
-
Filesize
228KB
-
Filesize
12.7MB
-
Filesize
12.7MB
-
Filesize
12.7MB
-
Filesize
228KB
-
Filesize
12.7MB