bitrat | da9365d6a36e9aac5c61c0a9c0fd53f2c3d03954e0e3b215f43435a5b638acf6

Analysis

max time kernel
149s
max time network
156s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
02/12/2024, 13:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b88ab587582517006609d2554572f9f4_JaffaCakes118.exe
Size

7.8MB
MD5

b88ab587582517006609d2554572f9f4
SHA1

a557e11bc586713c1b79594d3ea2a2a37cab6886
SHA256

da9365d6a36e9aac5c61c0a9c0fd53f2c3d03954e0e3b215f43435a5b638acf6
SHA512

c33c47ecae4be3087a4cc77dcaf4ca69b40d158038061857f8cf936ac47b59f3503177845c51d0201bb67f7220fd35a7d8ade481bd4c0f1cb5f4d9e67a728b1b
SSDEEP

196608:yI1eP0fug8STYYxwhzav1yo31CPwDv3uFZjeg2EeJUO9WLQkDxtw3iFFrS6XOfT+:yI1JiexwZ6v1CPwDv3uFteg2EeJUO9W/

Score

10^/10

bitrat discovery persistence trojan upx

Malware Config

Extracted

Family

bitrat

Version

1.34

cu3g4cu35b3pz2pfnxmgk25kdj74tsefmalaz2lhfpvq6ghnbpf2tmad.onion:80

Attributes

communication_password
fd4035ba8f64b8e0500f15a70f6541d4
install_dir
AppData
install_file
prscrt.exe
tor_process
winscprt

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat
Bitrat family
bitrat

ACProtect 1.3x - 1.4x DLL software 7 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0008000000016d0e-20.dat	acprotect
behavioral1/files/0x0007000000016d42-24.dat	acprotect
behavioral1/files/0x0008000000016d21-27.dat	acprotect
behavioral1/files/0x0007000000016d31-29.dat	acprotect
behavioral1/files/0x0009000000016d4a-32.dat	acprotect
behavioral1/files/0x0007000000016d3a-35.dat	acprotect
behavioral1/files/0x00060000000186ea-38.dat	acprotect

Executes dropped EXE 5 IoCs

pid	Process
1100	winscprt.exe
2424	winscprt.exe
2296	winscprt.exe
2500	winscprt.exe
2268	winscprt.exe

Loads dropped DLL 41 IoCs

pid	Process
1792	b88ab587582517006609d2554572f9f4_JaffaCakes118.exe
1792	b88ab587582517006609d2554572f9f4_JaffaCakes118.exe
1100	winscprt.exe
1100	winscprt.exe
1100	winscprt.exe
1100	winscprt.exe
1100	winscprt.exe
1100	winscprt.exe
1100	winscprt.exe
1792	b88ab587582517006609d2554572f9f4_JaffaCakes118.exe
2424	winscprt.exe
2424	winscprt.exe
2424	winscprt.exe
2424	winscprt.exe
2424	winscprt.exe
2424	winscprt.exe
2424	winscprt.exe
1792	b88ab587582517006609d2554572f9f4_JaffaCakes118.exe
2296	winscprt.exe
2296	winscprt.exe
2296	winscprt.exe
2296	winscprt.exe
2296	winscprt.exe
2296	winscprt.exe
2296	winscprt.exe
1792	b88ab587582517006609d2554572f9f4_JaffaCakes118.exe
2500	winscprt.exe
2500	winscprt.exe
2500	winscprt.exe
2500	winscprt.exe
2500	winscprt.exe
2500	winscprt.exe
2500	winscprt.exe
1792	b88ab587582517006609d2554572f9f4_JaffaCakes118.exe
2268	winscprt.exe
2268	winscprt.exe
2268	winscprt.exe
2268	winscprt.exe
2268	winscprt.exe
2268	winscprt.exe
2268	winscprt.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\prscrt = "C:\\Users\\Admin\\AppData\\Local\\AppData\\prscrt.exe"	b88ab587582517006609d2554572f9f4_JaffaCakes118.exe

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
32	myexternalip.com
49	myexternalip.com
21	myexternalip.com
22	myexternalip.com

Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs

pid	Process
1792	b88ab587582517006609d2554572f9f4_JaffaCakes118.exe
1792	b88ab587582517006609d2554572f9f4_JaffaCakes118.exe
1792	b88ab587582517006609d2554572f9f4_JaffaCakes118.exe
1792	b88ab587582517006609d2554572f9f4_JaffaCakes118.exe
1792	b88ab587582517006609d2554572f9f4_JaffaCakes118.exe
1792	b88ab587582517006609d2554572f9f4_JaffaCakes118.exe
1792	b88ab587582517006609d2554572f9f4_JaffaCakes118.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0008000000016d5e-11.dat	upx
behavioral1/memory/1100-21-0x00000000013A0000-0x00000000017A4000-memory.dmp	upx
behavioral1/files/0x0008000000016d0e-20.dat	upx
behavioral1/files/0x0007000000016d42-24.dat	upx
behavioral1/files/0x0008000000016d21-27.dat	upx
behavioral1/files/0x0007000000016d31-29.dat	upx
behavioral1/files/0x0009000000016d4a-32.dat	upx
behavioral1/memory/1100-36-0x00000000746F0000-0x0000000074778000-memory.dmp	upx
behavioral1/files/0x0007000000016d3a-35.dat	upx
behavioral1/memory/1100-33-0x0000000074040000-0x000000007414A000-memory.dmp	upx
behavioral1/memory/1100-30-0x0000000074150000-0x0000000074218000-memory.dmp	upx
behavioral1/memory/1100-26-0x0000000074780000-0x00000000747C9000-memory.dmp	upx
behavioral1/memory/1100-25-0x0000000074220000-0x00000000744EF000-memory.dmp	upx
behavioral1/files/0x00060000000186ea-38.dat	upx
behavioral1/memory/1100-42-0x0000000074820000-0x0000000074844000-memory.dmp	upx
behavioral1/memory/1100-39-0x0000000073F70000-0x000000007403E000-memory.dmp	upx
behavioral1/memory/1100-46-0x00000000013A0000-0x00000000017A4000-memory.dmp	upx
behavioral1/memory/1100-47-0x0000000074220000-0x00000000744EF000-memory.dmp	upx
behavioral1/memory/1100-48-0x0000000074780000-0x00000000747C9000-memory.dmp	upx
behavioral1/memory/1100-50-0x0000000074150000-0x0000000074218000-memory.dmp	upx
behavioral1/memory/1100-51-0x0000000074040000-0x000000007414A000-memory.dmp	upx
behavioral1/memory/1100-52-0x00000000746F0000-0x0000000074778000-memory.dmp	upx
behavioral1/memory/1100-53-0x0000000073F70000-0x000000007403E000-memory.dmp	upx
behavioral1/memory/1100-54-0x00000000013A0000-0x00000000017A4000-memory.dmp	upx
behavioral1/memory/1100-63-0x00000000013A0000-0x00000000017A4000-memory.dmp	upx
behavioral1/memory/1100-83-0x00000000013A0000-0x00000000017A4000-memory.dmp	upx
behavioral1/memory/1100-108-0x00000000013A0000-0x00000000017A4000-memory.dmp	upx
behavioral1/memory/1100-125-0x00000000013A0000-0x00000000017A4000-memory.dmp	upx
behavioral1/memory/2424-141-0x00000000013A0000-0x00000000017A4000-memory.dmp	upx
behavioral1/memory/2424-148-0x0000000074820000-0x0000000074844000-memory.dmp	upx
behavioral1/memory/2424-147-0x0000000073F70000-0x000000007403E000-memory.dmp	upx
behavioral1/memory/2424-146-0x0000000074040000-0x000000007414A000-memory.dmp	upx
behavioral1/memory/2424-145-0x00000000746F0000-0x0000000074778000-memory.dmp	upx
behavioral1/memory/2424-144-0x0000000074150000-0x0000000074218000-memory.dmp	upx
behavioral1/memory/2424-143-0x0000000074780000-0x00000000747C9000-memory.dmp	upx
behavioral1/memory/2424-142-0x0000000074220000-0x00000000744EF000-memory.dmp	upx
behavioral1/memory/2424-162-0x00000000013A0000-0x00000000017A4000-memory.dmp	upx
behavioral1/memory/2424-165-0x0000000073F70000-0x000000007403E000-memory.dmp	upx
behavioral1/memory/2424-164-0x0000000074150000-0x0000000074218000-memory.dmp	upx
behavioral1/memory/2424-163-0x0000000074220000-0x00000000744EF000-memory.dmp	upx
behavioral1/memory/2424-166-0x00000000013A0000-0x00000000017A4000-memory.dmp	upx
behavioral1/memory/2424-175-0x00000000013A0000-0x00000000017A4000-memory.dmp	upx
behavioral1/memory/2296-236-0x00000000746F0000-0x0000000074778000-memory.dmp	upx
behavioral1/memory/2296-238-0x0000000074820000-0x0000000074844000-memory.dmp	upx
behavioral1/memory/2296-237-0x0000000073F70000-0x000000007403E000-memory.dmp	upx
behavioral1/memory/2296-235-0x0000000074040000-0x000000007414A000-memory.dmp	upx
behavioral1/memory/2296-234-0x0000000074150000-0x0000000074218000-memory.dmp	upx
behavioral1/memory/2296-233-0x0000000074780000-0x00000000747C9000-memory.dmp	upx
behavioral1/memory/2296-232-0x0000000074220000-0x00000000744EF000-memory.dmp	upx
behavioral1/memory/2296-231-0x00000000013A0000-0x00000000017A4000-memory.dmp	upx
behavioral1/memory/1792-230-0x0000000005970000-0x0000000005D74000-memory.dmp	upx
behavioral1/memory/2424-229-0x00000000013A0000-0x00000000017A4000-memory.dmp	upx
behavioral1/memory/1792-247-0x0000000005970000-0x0000000005D74000-memory.dmp	upx
behavioral1/memory/2296-248-0x00000000013A0000-0x00000000017A4000-memory.dmp	upx
behavioral1/memory/2296-249-0x0000000074220000-0x00000000744EF000-memory.dmp	upx
behavioral1/memory/2296-251-0x0000000073F70000-0x000000007403E000-memory.dmp	upx
behavioral1/memory/2296-250-0x0000000074150000-0x0000000074218000-memory.dmp	upx
behavioral1/memory/2296-281-0x00000000013A0000-0x00000000017A4000-memory.dmp	upx
behavioral1/memory/2500-303-0x00000000747A0000-0x00000000747C4000-memory.dmp	upx
behavioral1/memory/2500-302-0x00000000741B0000-0x000000007427E000-memory.dmp	upx
behavioral1/memory/2500-301-0x0000000074280000-0x0000000074308000-memory.dmp	upx
behavioral1/memory/2500-300-0x0000000074310000-0x000000007441A000-memory.dmp	upx
behavioral1/memory/2500-299-0x0000000074420000-0x00000000744E8000-memory.dmp	upx
behavioral1/memory/2500-298-0x0000000074730000-0x0000000074779000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winscprt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b88ab587582517006609d2554572f9f4_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winscprt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winscprt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winscprt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winscprt.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	b88ab587582517006609d2554572f9f4_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	b88ab587582517006609d2554572f9f4_JaffaCakes118.exe

Suspicious behavior: RenamesItself 28 IoCs

pid	Process
1792	b88ab587582517006609d2554572f9f4_JaffaCakes118.exe
1792	b88ab587582517006609d2554572f9f4_JaffaCakes118.exe
1792	b88ab587582517006609d2554572f9f4_JaffaCakes118.exe
1792	b88ab587582517006609d2554572f9f4_JaffaCakes118.exe
1792	b88ab587582517006609d2554572f9f4_JaffaCakes118.exe
1792	b88ab587582517006609d2554572f9f4_JaffaCakes118.exe
1792	b88ab587582517006609d2554572f9f4_JaffaCakes118.exe
1792	b88ab587582517006609d2554572f9f4_JaffaCakes118.exe
1792	b88ab587582517006609d2554572f9f4_JaffaCakes118.exe
1792	b88ab587582517006609d2554572f9f4_JaffaCakes118.exe
1792	b88ab587582517006609d2554572f9f4_JaffaCakes118.exe
1792	b88ab587582517006609d2554572f9f4_JaffaCakes118.exe
1792	b88ab587582517006609d2554572f9f4_JaffaCakes118.exe
1792	b88ab587582517006609d2554572f9f4_JaffaCakes118.exe
1792	b88ab587582517006609d2554572f9f4_JaffaCakes118.exe
1792	b88ab587582517006609d2554572f9f4_JaffaCakes118.exe
1792	b88ab587582517006609d2554572f9f4_JaffaCakes118.exe
1792	b88ab587582517006609d2554572f9f4_JaffaCakes118.exe
1792	b88ab587582517006609d2554572f9f4_JaffaCakes118.exe
1792	b88ab587582517006609d2554572f9f4_JaffaCakes118.exe
1792	b88ab587582517006609d2554572f9f4_JaffaCakes118.exe
1792	b88ab587582517006609d2554572f9f4_JaffaCakes118.exe
1792	b88ab587582517006609d2554572f9f4_JaffaCakes118.exe
1792	b88ab587582517006609d2554572f9f4_JaffaCakes118.exe
1792	b88ab587582517006609d2554572f9f4_JaffaCakes118.exe
1792	b88ab587582517006609d2554572f9f4_JaffaCakes118.exe
1792	b88ab587582517006609d2554572f9f4_JaffaCakes118.exe
1792	b88ab587582517006609d2554572f9f4_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1792	b88ab587582517006609d2554572f9f4_JaffaCakes118.exe
Token: SeShutdownPrivilege	1792	b88ab587582517006609d2554572f9f4_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1792	b88ab587582517006609d2554572f9f4_JaffaCakes118.exe
1792	b88ab587582517006609d2554572f9f4_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1792 wrote to memory of 1100	1792	b88ab587582517006609d2554572f9f4_JaffaCakes118.exe	30
PID 1792 wrote to memory of 1100	1792	b88ab587582517006609d2554572f9f4_JaffaCakes118.exe	30
PID 1792 wrote to memory of 1100	1792	b88ab587582517006609d2554572f9f4_JaffaCakes118.exe	30
PID 1792 wrote to memory of 1100	1792	b88ab587582517006609d2554572f9f4_JaffaCakes118.exe	30
PID 1792 wrote to memory of 2424	1792	b88ab587582517006609d2554572f9f4_JaffaCakes118.exe	32
PID 1792 wrote to memory of 2424	1792	b88ab587582517006609d2554572f9f4_JaffaCakes118.exe	32
PID 1792 wrote to memory of 2424	1792	b88ab587582517006609d2554572f9f4_JaffaCakes118.exe	32
PID 1792 wrote to memory of 2424	1792	b88ab587582517006609d2554572f9f4_JaffaCakes118.exe	32
PID 1792 wrote to memory of 2296	1792	b88ab587582517006609d2554572f9f4_JaffaCakes118.exe	34
PID 1792 wrote to memory of 2296	1792	b88ab587582517006609d2554572f9f4_JaffaCakes118.exe	34
PID 1792 wrote to memory of 2296	1792	b88ab587582517006609d2554572f9f4_JaffaCakes118.exe	34
PID 1792 wrote to memory of 2296	1792	b88ab587582517006609d2554572f9f4_JaffaCakes118.exe	34
PID 1792 wrote to memory of 2500	1792	b88ab587582517006609d2554572f9f4_JaffaCakes118.exe	36
PID 1792 wrote to memory of 2500	1792	b88ab587582517006609d2554572f9f4_JaffaCakes118.exe	36
PID 1792 wrote to memory of 2500	1792	b88ab587582517006609d2554572f9f4_JaffaCakes118.exe	36
PID 1792 wrote to memory of 2500	1792	b88ab587582517006609d2554572f9f4_JaffaCakes118.exe	36
PID 1792 wrote to memory of 2268	1792	b88ab587582517006609d2554572f9f4_JaffaCakes118.exe	38
PID 1792 wrote to memory of 2268	1792	b88ab587582517006609d2554572f9f4_JaffaCakes118.exe	38
PID 1792 wrote to memory of 2268	1792	b88ab587582517006609d2554572f9f4_JaffaCakes118.exe	38
PID 1792 wrote to memory of 2268	1792	b88ab587582517006609d2554572f9f4_JaffaCakes118.exe	38

C:\Users\Admin\AppData\Local\Temp\b88ab587582517006609d2554572f9f4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b88ab587582517006609d2554572f9f4_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1792
- C:\Users\Admin\AppData\Local\89d22e83\tor\winscprt.exe
  "C:\Users\Admin\AppData\Local\89d22e83\tor\winscprt.exe" -f torrc
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1100
- C:\Users\Admin\AppData\Local\89d22e83\tor\winscprt.exe
  "C:\Users\Admin\AppData\Local\89d22e83\tor\winscprt.exe" -f torrc
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2424
- C:\Users\Admin\AppData\Local\89d22e83\tor\winscprt.exe
  "C:\Users\Admin\AppData\Local\89d22e83\tor\winscprt.exe" -f torrc
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2296
- C:\Users\Admin\AppData\Local\89d22e83\tor\winscprt.exe
  "C:\Users\Admin\AppData\Local\89d22e83\tor\winscprt.exe" -f torrc
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2500
- C:\Users\Admin\AppData\Local\89d22e83\tor\winscprt.exe
  "C:\Users\Admin\AppData\Local\89d22e83\tor\winscprt.exe" -f torrc
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\89d22e83\tor\data\cached-certs

Filesize
20KB

MD5
4f85bfa3f905003b7f77309774653404

SHA1
3cf056921de5631d2df9b992c3b2d6169f23355a

SHA256
c00e96bb87763bc6d0ada5582afc7dba1217bfd1a83e8e3b01ad42a32e54fcea

SHA512
c9a501a930fd665b75728d8780568b11474a9ec5e65af26b3bcd1803c8b47919eab73e192e1e11460dd3c83278104dc2e40e44314869fed0e871d5f03883d14b

Download Submit
C:\Users\Admin\AppData\Local\89d22e83\tor\data\cached-microdesc-consensus.tmp

Filesize
2.8MB

MD5
0030ec38fb64384275255ed67bb74abe

SHA1
245c5b5fc9102f3fb73a442caad840663c3c98c2

SHA256
f48dc4b7791869e3d8a11420c100232a1f3ff3e95cfb4f926061c61a9ffccbda

SHA512
0d786a7786464006cb1d2d3740e1cd5da0aaba109d853fda92ce50bdd296667a140a1e81e614d612bb0a701324cf0b2ec514c2f932d585b836ebd3fb63552589

Download Submit
C:\Users\Admin\AppData\Local\89d22e83\tor\data\cached-microdescs

Filesize
20.4MB

MD5
8b0ab82b2b3fe5b9c3213b41e388a710

SHA1
4c8b24ba57517b53dfb6d3c404091fa8bcb69b8e

SHA256
8d96bf2e0d2a470891c835edbe5203f1ef3b88bebb49f06e78da272c89f8fe8c

SHA512
be9f7571c8c04671f380e2fedd18c5a3a79a11de8783d82b4ddcf66a733bf861d1474ac6f388f167e19d92af2ad4bc6230cb3c546de780c420680f8f0f7bece2

Download Submit
C:\Users\Admin\AppData\Local\89d22e83\tor\data\cached-microdescs.new

Filesize
20.4MB

MD5
90838f333af7b22b964bef8b22aade9f

SHA1
a57e48a416796297a41a4f6ecf086fa349d73696

SHA256
491dab0cac60477e170c80a8f65c90a9619e52a96a9cfb3a71cb5881154b5b75

SHA512
57fd8b9be4b88277aa17276077d8536b01d5d8c87878699f4ea30a20d4abbafba23a7c5778ee11cbb104aea3a3186b35b00ff7e80b60b5053a303f5c97e02691

Download Submit
C:\Users\Admin\AppData\Local\89d22e83\tor\data\cached-microdescs.new

Filesize
7.6MB

MD5
e9c41616912c34b6b59528779e5eb05f

SHA1
921709969c30880d31aaa1439f3d9e46d6d3e679

SHA256
94819c5ebbeb3b2aea240d3a908c49444e255341b87ee982caf41bb0f9c2e003

SHA512
ef3078a956158d264d723239349acff77e5b5a407de97ceeb25ea695cf10a728f280d662ecec746e28305692ab24cd3a7494384d9c1dcc6c9401157893fa3dae

Download Submit
C:\Users\Admin\AppData\Local\89d22e83\tor\data\state

Filesize
232B

MD5
d77472ffb7510c53967379874015c638

SHA1
d9850d931e85c88dbd5b2590fbd46d597c48d11b

SHA256
771e4f8dc6178fd7e117be8665467d2bbb48cfb625c1ad0b50f82fc83be9801b

SHA512
fdde1382fefad6804cbf9f86add6e9b5d69705f67e276dae4ec6e5aa703006c975eb45e37acbcbf90b88201d42a9f15ab69cdd6ebce19149b7112968308c5c31

Download Submit
C:\Users\Admin\AppData\Local\89d22e83\tor\data\state

Filesize
5KB

MD5
d43b3732d91e746d0c70c77176f4ddfa

SHA1
0030347845fa58489a934e14f56072d1aceb7a90

SHA256
5a5312ba3bdd16582e4a01b4cc48d8bab1974f5c1b7b222f9fda187e20fb9285

SHA512
78273f714277371af8093b508823154d4ebd0b9f5f34a97f4760f5d4406dec3defcae003a3c5a4bea3a3006ee6d77dd546363c7b0332c3df182a87ca35597fbc

Download Submit
C:\Users\Admin\AppData\Local\89d22e83\tor\data\state

Filesize
3KB

MD5
5bdbbff3fc3675e9e82b254c6a56f9b2

SHA1
13b422dc199b10f3adaf944551340a6e00515da4

SHA256
a04f4d5a8d4077420b88862e688aeed34637d7a24b6587150283a73c059677c1

SHA512
b952dcaf995d1916d6f276604bc541bf2ddfff16f5412f339c3db9c5eb4f13d0b3224cf6663d5a43734596ea717715e040fb4a3c09237a6fed214d03e6d6d9cf

Download Submit
C:\Users\Admin\AppData\Local\89d22e83\tor\libcrypto-1_1.dll

Filesize
1.7MB

MD5
2384a02c4a1f7ec481adde3a020607d3

SHA1
7e848d35a10bf9296c8fa41956a3daa777f86365

SHA256
c8db0ff0f7047ed91b057005e86ad3a23eae616253313aa047c560d9eb398369

SHA512
1ac74dd2d863acd7415ef8b9490a5342865462fbabdad0645da22424b0d56f5e9c389a3d7c41386f2414d6c4715c79a6ddecb6e6cff29e98319e1fd1060f4503

Download Submit
C:\Users\Admin\AppData\Local\89d22e83\tor\libevent-2-1-6.dll

Filesize
366KB

MD5
099983c13bade9554a3c17484e5481f1

SHA1
a84e69ad9722f999252d59d0ed9a99901a60e564

SHA256
b65f9aa0c7912af64bd9b05e9322e994339a11b0c8907e6a6166d7b814bda838

SHA512
89f1a963de77873296395662d4150e3eff7a2d297fb9ec54ec06aa2e40d41e5f4fc4611e9bc34126d760c9134f2907fea3bebdf2fbbd7eaddad99f8e4be1f5e2

Download Submit
C:\Users\Admin\AppData\Local\89d22e83\tor\libgcc_s_sjlj-1.dll

Filesize
286KB

MD5
b0d98f7157d972190fe0759d4368d320

SHA1
5715a533621a2b642aad9616e603c6907d80efc4

SHA256
2922193133dabab5b82088d4e87484e2fac75e9e0c765dacaf22eb5f4f18b0c5

SHA512
41ce56c428158533bf8b8ffe0a71875b5a3abc549b88d7d3e69acc6080653abea344d6d66fff39c04bf019fcaa295768d620377d85a933ddaf17f3d90df29496

Download Submit
C:\Users\Admin\AppData\Local\89d22e83\tor\libssl-1_1.dll

Filesize
439KB

MD5
c88826ac4bb879622e43ead5bdb95aeb

SHA1
87d29853649a86f0463bfd9ad887b85eedc21723

SHA256
c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f

SHA512
f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3

Download Submit
C:\Users\Admin\AppData\Local\89d22e83\tor\libwinpthread-1.dll

Filesize
188KB

MD5
d407cc6d79a08039a6f4b50539e560b8

SHA1
21171adbc176dc19aaa5e595cd2cd4bd1dfd0c71

SHA256
92cfd0277c8781a15a0f17b7aee6cff69631b9606a001101631f04b3381efc4e

SHA512
378a10fed915591445d97c6d04e82d28008d8ea65e0e40c142b8ee59867035d561d4e103495c8f0d9c19b51597706ce0b450c25516aa0f1744579ffcd097ae0c

Download Submit
C:\Users\Admin\AppData\Local\89d22e83\tor\torrc

Filesize
157B

MD5
644896c07049391168b23e7cbd46dcf0

SHA1
4dbdc7933b3984b6894ba5b05952de68586ef734

SHA256
a09a2fa3765c77e7dfdacc46f16da82448131b6d44754cdf984bc5b5aeb0d12f

SHA512
20faaa8ce578d9a11d4b86308a797a95d7d0757e120807b42d504b1a799dfc3131d3c3ab7610467cc4f4573ad35117c008b43b90996725b9f22647d5679decbb

Download Submit
C:\Users\Admin\AppData\Local\89d22e83\tor\zlib1.dll

Filesize
52KB

MD5
add33041af894b67fe34e1dc819b7eb6

SHA1
6db46eb021855a587c95479422adcc774a272eeb

SHA256
8688bd7ca55dcc0c23c429762776a0a43fe5b0332dfd5b79ef74e55d4bbc1183

SHA512
bafc441198d03f0e7fe804bab89283c389d38884d0f87d81b11950a9b79fcbf7b32be4bb16f4fcd9179b66f865c563c172a46b4514a6087ef0af64425a4b2cfa

Download Submit
\Users\Admin\AppData\Local\89d22e83\tor\libssp-0.dll

Filesize
88KB

MD5
2c916456f503075f746c6ea649cf9539

SHA1
fa1afc1f3d728c89b2e90e14ca7d88b599580a9d

SHA256
cbb5236d923d4f4baf2f0d2797c72a2cbae42ef7ac0acce786daf5fdc5b456e6

SHA512
1c1995e1aa7c33c597c64122395275861d9219e46d45277d4f1768a2e06227b353d5d77d6b7cb655082dc6fb9736ad6f7cfcc0c90e02776e27d50857e792e3fd

Download Submit
\Users\Admin\AppData\Local\89d22e83\tor\winscprt.exe

Filesize
973KB

MD5
5cfe61ff895c7daa889708665ef05d7b

SHA1
5e58efe30406243fbd58d4968b0492ddeef145f2

SHA256
f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5

SHA512
43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da

Download Submit
memory/1100-63-0x00000000013A0000-0x00000000017A4000-memory.dmp

Filesize
4.0MB

Download
memory/1100-125-0x00000000013A0000-0x00000000017A4000-memory.dmp

Filesize
4.0MB

Download
memory/1100-39-0x0000000073F70000-0x000000007403E000-memory.dmp

Filesize
824KB

Download
memory/1100-21-0x00000000013A0000-0x00000000017A4000-memory.dmp

Filesize
4.0MB

Download
memory/1100-46-0x00000000013A0000-0x00000000017A4000-memory.dmp

Filesize
4.0MB

Download
memory/1100-47-0x0000000074220000-0x00000000744EF000-memory.dmp

Filesize
2.8MB

Download
memory/1100-48-0x0000000074780000-0x00000000747C9000-memory.dmp

Filesize
292KB

Download
memory/1100-50-0x0000000074150000-0x0000000074218000-memory.dmp

Filesize
800KB

Download
memory/1100-36-0x00000000746F0000-0x0000000074778000-memory.dmp

Filesize
544KB

Download
memory/1100-51-0x0000000074040000-0x000000007414A000-memory.dmp

Filesize
1.0MB

Download
memory/1100-52-0x00000000746F0000-0x0000000074778000-memory.dmp

Filesize
544KB

Download
memory/1100-53-0x0000000073F70000-0x000000007403E000-memory.dmp

Filesize
824KB

Download
memory/1100-54-0x00000000013A0000-0x00000000017A4000-memory.dmp

Filesize
4.0MB

Download
memory/1100-33-0x0000000074040000-0x000000007414A000-memory.dmp

Filesize
1.0MB

Download
memory/1100-30-0x0000000074150000-0x0000000074218000-memory.dmp

Filesize
800KB

Download
memory/1100-26-0x0000000074780000-0x00000000747C9000-memory.dmp

Filesize
292KB

Download
memory/1100-25-0x0000000074220000-0x00000000744EF000-memory.dmp

Filesize
2.8MB

Download
memory/1100-83-0x00000000013A0000-0x00000000017A4000-memory.dmp

Filesize
4.0MB

Download
memory/1100-42-0x0000000074820000-0x0000000074844000-memory.dmp

Filesize
144KB

Download
memory/1100-108-0x00000000013A0000-0x00000000017A4000-memory.dmp

Filesize
4.0MB

Download
memory/1792-367-0x0000000004D40000-0x0000000004D4A000-memory.dmp

Filesize
40KB

Download
memory/1792-139-0x0000000000400000-0x0000000000BD8000-memory.dmp

Filesize
7.8MB

Download
memory/1792-366-0x0000000004D40000-0x0000000004D4A000-memory.dmp

Filesize
40KB

Download
memory/1792-41-0x0000000004040000-0x0000000004444000-memory.dmp

Filesize
4.0MB

Download
memory/1792-295-0x0000000005970000-0x0000000005D74000-memory.dmp

Filesize
4.0MB

Download
memory/1792-357-0x0000000005970000-0x0000000005D74000-memory.dmp

Filesize
4.0MB

Download
memory/1792-18-0x0000000004040000-0x0000000004444000-memory.dmp

Filesize
4.0MB

Download
memory/1792-306-0x0000000004D40000-0x0000000004D4A000-memory.dmp

Filesize
40KB

Download
memory/1792-270-0x0000000004D40000-0x0000000004D4A000-memory.dmp

Filesize
40KB

Download
memory/1792-71-0x0000000000400000-0x0000000000BD8000-memory.dmp

Filesize
7.8MB

Download
memory/1792-230-0x0000000005970000-0x0000000005D74000-memory.dmp

Filesize
4.0MB

Download
memory/1792-62-0x0000000000400000-0x0000000000BD8000-memory.dmp

Filesize
7.8MB

Download
memory/1792-271-0x0000000004D40000-0x0000000004D4A000-memory.dmp

Filesize
40KB

Download
memory/1792-140-0x0000000004BE0000-0x0000000004FE4000-memory.dmp

Filesize
4.0MB

Download
memory/1792-161-0x0000000004BE0000-0x0000000004FE4000-memory.dmp

Filesize
4.0MB

Download
memory/1792-247-0x0000000005970000-0x0000000005D74000-memory.dmp

Filesize
4.0MB

Download
memory/1792-244-0x0000000000CD0000-0x0000000000CDA000-memory.dmp

Filesize
40KB

Download
memory/1792-243-0x0000000000CD0000-0x0000000000CDA000-memory.dmp

Filesize
40KB

Download
memory/1792-334-0x0000000004D40000-0x0000000004D4A000-memory.dmp

Filesize
40KB

Download
memory/1792-49-0x0000000000400000-0x0000000000BD8000-memory.dmp

Filesize
7.8MB

Download
memory/1792-311-0x0000000005970000-0x0000000005D74000-memory.dmp

Filesize
4.0MB

Download
memory/1792-193-0x0000000000CD0000-0x0000000000CDA000-memory.dmp

Filesize
40KB

Download
memory/1792-192-0x0000000000CD0000-0x0000000000CDA000-memory.dmp

Filesize
40KB

Download
memory/1792-0-0x0000000000400000-0x0000000000BD8000-memory.dmp

Filesize
7.8MB

Download
memory/1792-17-0x0000000004040000-0x0000000004444000-memory.dmp

Filesize
4.0MB

Download
memory/1792-308-0x0000000004D40000-0x0000000004D4A000-memory.dmp

Filesize
40KB

Download
memory/2268-359-0x0000000074220000-0x00000000744EF000-memory.dmp

Filesize
2.8MB

Download
memory/2268-363-0x00000000746F0000-0x0000000074778000-memory.dmp

Filesize
544KB

Download
memory/2268-360-0x0000000074780000-0x00000000747C9000-memory.dmp

Filesize
292KB

Download
memory/2268-361-0x0000000074150000-0x0000000074218000-memory.dmp

Filesize
800KB

Download
memory/2268-362-0x0000000074040000-0x000000007414A000-memory.dmp

Filesize
1.0MB

Download
memory/2268-364-0x0000000073F70000-0x000000007403E000-memory.dmp

Filesize
824KB

Download
memory/2268-365-0x0000000074820000-0x0000000074844000-memory.dmp

Filesize
144KB

Download
memory/2268-358-0x00000000013A0000-0x00000000017A4000-memory.dmp

Filesize
4.0MB

Download
memory/2296-236-0x00000000746F0000-0x0000000074778000-memory.dmp

Filesize
544KB

Download
memory/2296-238-0x0000000074820000-0x0000000074844000-memory.dmp

Filesize
144KB

Download
memory/2296-237-0x0000000073F70000-0x000000007403E000-memory.dmp

Filesize
824KB

Download
memory/2296-235-0x0000000074040000-0x000000007414A000-memory.dmp

Filesize
1.0MB

Download
memory/2296-248-0x00000000013A0000-0x00000000017A4000-memory.dmp

Filesize
4.0MB

Download
memory/2296-249-0x0000000074220000-0x00000000744EF000-memory.dmp

Filesize
2.8MB

Download
memory/2296-251-0x0000000073F70000-0x000000007403E000-memory.dmp

Filesize
824KB

Download
memory/2296-250-0x0000000074150000-0x0000000074218000-memory.dmp

Filesize
800KB

Download
memory/2296-234-0x0000000074150000-0x0000000074218000-memory.dmp

Filesize
800KB

Download
memory/2296-231-0x00000000013A0000-0x00000000017A4000-memory.dmp

Filesize
4.0MB

Download
memory/2296-281-0x00000000013A0000-0x00000000017A4000-memory.dmp

Filesize
4.0MB

Download
memory/2296-232-0x0000000074220000-0x00000000744EF000-memory.dmp

Filesize
2.8MB

Download
memory/2296-233-0x0000000074780000-0x00000000747C9000-memory.dmp

Filesize
292KB

Download
memory/2424-166-0x00000000013A0000-0x00000000017A4000-memory.dmp

Filesize
4.0MB

Download
memory/2424-144-0x0000000074150000-0x0000000074218000-memory.dmp

Filesize
800KB

Download
memory/2424-141-0x00000000013A0000-0x00000000017A4000-memory.dmp

Filesize
4.0MB

Download
memory/2424-148-0x0000000074820000-0x0000000074844000-memory.dmp

Filesize
144KB

Download
memory/2424-147-0x0000000073F70000-0x000000007403E000-memory.dmp

Filesize
824KB

Download
memory/2424-146-0x0000000074040000-0x000000007414A000-memory.dmp

Filesize
1.0MB

Download
memory/2424-145-0x00000000746F0000-0x0000000074778000-memory.dmp

Filesize
544KB

Download
memory/2424-163-0x0000000074220000-0x00000000744EF000-memory.dmp

Filesize
2.8MB

Download
memory/2424-143-0x0000000074780000-0x00000000747C9000-memory.dmp

Filesize
292KB

Download
memory/2424-229-0x00000000013A0000-0x00000000017A4000-memory.dmp

Filesize
4.0MB

Download
memory/2424-175-0x00000000013A0000-0x00000000017A4000-memory.dmp

Filesize
4.0MB

Download
memory/2424-142-0x0000000074220000-0x00000000744EF000-memory.dmp

Filesize
2.8MB

Download
memory/2424-162-0x00000000013A0000-0x00000000017A4000-memory.dmp

Filesize
4.0MB

Download
memory/2424-165-0x0000000073F70000-0x000000007403E000-memory.dmp

Filesize
824KB

Download
memory/2424-164-0x0000000074150000-0x0000000074218000-memory.dmp

Filesize
800KB

Download
memory/2500-302-0x00000000741B0000-0x000000007427E000-memory.dmp

Filesize
824KB

Download
memory/2500-344-0x00000000013A0000-0x00000000017A4000-memory.dmp

Filesize
4.0MB

Download
memory/2500-313-0x0000000073120000-0x00000000733EF000-memory.dmp

Filesize
2.8MB

Download
memory/2500-315-0x00000000741B0000-0x000000007427E000-memory.dmp

Filesize
824KB

Download
memory/2500-314-0x0000000074420000-0x00000000744E8000-memory.dmp

Filesize
800KB

Download
memory/2500-312-0x00000000013A0000-0x00000000017A4000-memory.dmp

Filesize
4.0MB

Download
memory/2500-303-0x00000000747A0000-0x00000000747C4000-memory.dmp

Filesize
144KB

Download
memory/2500-300-0x0000000074310000-0x000000007441A000-memory.dmp

Filesize
1.0MB

Download
memory/2500-301-0x0000000074280000-0x0000000074308000-memory.dmp

Filesize
544KB

Download
memory/2500-296-0x00000000013A0000-0x00000000017A4000-memory.dmp

Filesize
4.0MB

Download
memory/2500-297-0x0000000073120000-0x00000000733EF000-memory.dmp

Filesize
2.8MB

Download
memory/2500-298-0x0000000074730000-0x0000000074779000-memory.dmp

Filesize
292KB

Download
memory/2500-299-0x0000000074420000-0x00000000744E8000-memory.dmp

Filesize
800KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads