Analysis
-
max time kernel
59s -
max time network
38s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
-
submitted
28-05-2024 16:11
General
-
Target
svchost.exe
-
Size
17.9MB
-
MD5
0dc5eec70a1c5d641f7e2ca2fdeb0c13
-
SHA1
045faba808f788827ac803ca23674703db202112
-
SHA256
042fb46c57a37d6e3a96aa82bc30e294ef04d43487ebfd80c81766d37c2a5fbe
-
SHA512
b8acbb5512a981aff7e05f7238c50880b601310910a6199afab7600bd365252da567f5414902d644c28920bfb07471f8579cc315f808ef8fc144019b69c175c3
-
SSDEEP
393216:60cJ5TXEFbFQoEi/2rUeP/xQAiNPDak9If:cDXEF+FRHxORDakw
Malware Config
Extracted
bitrat
1.38
158.58.168.61:1337
-
communication_password
2fdbb4b27758a54f27d8f8cbb485787b
-
install_dir
system32
-
install_file
Windows Update.exe
-
tor_process
tor
Signatures
-
BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 1 IoCs
-
UPX packed file 5 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Windows Update.exe"C:\Users\Admin\AppData\Roaming\Windows Update.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Windows Update.exeFilesize
1.4MB
MD5b37ec293e5bcb580d448da4965dffd54
SHA147b36a89cab289178f6d2ffd123ac0ca8431f0e8
SHA25629556061e8bf4bc3805e4b52abae0b12b7ca445a5b792d3daa19bcf30aa3966e
SHA5123358f3b8f1b42aa680075af9388906f0e93cb1cd4cc5ab15a9a07df61a1604e2e53d2acf3212c53613debf156e5d21680e7ba0ad52237006c29f877b04a23371
-
memory/3608-31-0x0000000000400000-0x00000000007E4000-memory.dmpFilesize
3.9MB
-
memory/3608-32-0x0000000074380000-0x00000000743BA000-memory.dmpFilesize
232KB
-
memory/3608-33-0x0000000074350000-0x000000007438A000-memory.dmpFilesize
232KB
-
memory/3608-34-0x0000000000400000-0x00000000007E4000-memory.dmpFilesize
3.9MB
-
memory/3608-35-0x0000000000400000-0x00000000007E4000-memory.dmpFilesize
3.9MB
-
memory/3608-37-0x0000000074350000-0x000000007438A000-memory.dmpFilesize
232KB
-
memory/3608-38-0x0000000000400000-0x00000000007E4000-memory.dmpFilesize
3.9MB
-
memory/4920-0-0x0000000000400000-0x00000000015F4000-memory.dmpFilesize
18.0MB