Analysis
-
max time kernel
152s -
max time network
79s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system -
submitted
14-10-2022 10:15
Static task
static1
Behavioral task
behavioral1
Sample
79185e03c6c3ae5a2de42e96a4f9458761e093ae4a21c6a59e0c7fe2340f3f1f.exe
Resource
win7-20220812-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
79185e03c6c3ae5a2de42e96a4f9458761e093ae4a21c6a59e0c7fe2340f3f1f.exe
Resource
win10v2004-20220812-en
windows10-2004-x64
8 signatures
150 seconds
General
-
Target
79185e03c6c3ae5a2de42e96a4f9458761e093ae4a21c6a59e0c7fe2340f3f1f.exe
-
Size
108KB
-
MD5
68ce83a99796f379209b4f12e72e3bde
-
SHA1
26521cba4561702867f70a633a7415133d430ede
-
SHA256
79185e03c6c3ae5a2de42e96a4f9458761e093ae4a21c6a59e0c7fe2340f3f1f
-
SHA512
e3203ab14321fc4099989efebd405c187265a7ee1689357fc99d27c544efb425447b5f4f4ed487d78a1fb045a955177fb9dcdfb55331e76717fd2a77263a3c96
-
SSDEEP
1536:gXq8iAuismywsTQLw0wF9MGM9K/oKtNgCMbA1bL3N+NM5UfRvNIjnZjU:zTQ/KLOM52vCnh
Score
10/10
Malware Config
Signatures
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" 79185e03c6c3ae5a2de42e96a4f9458761e093ae4a21c6a59e0c7fe2340f3f1f.exe Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" biipiq.exe -
Executes dropped EXE 1 IoCs
pid Process 960 biipiq.exe -
Loads dropped DLL 2 IoCs
pid Process 1848 79185e03c6c3ae5a2de42e96a4f9458761e093ae4a21c6a59e0c7fe2340f3f1f.exe 1848 79185e03c6c3ae5a2de42e96a4f9458761e093ae4a21c6a59e0c7fe2340f3f1f.exe -
Adds Run key to start application 2 TTPs 54 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\biipiq = "C:\\Users\\Admin\\biipiq.exe /l" biipiq.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\biipiq = "C:\\Users\\Admin\\biipiq.exe /r" biipiq.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\biipiq = "C:\\Users\\Admin\\biipiq.exe /W" biipiq.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\ biipiq.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\biipiq = "C:\\Users\\Admin\\biipiq.exe /V" biipiq.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\biipiq = "C:\\Users\\Admin\\biipiq.exe /a" biipiq.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\biipiq = "C:\\Users\\Admin\\biipiq.exe /N" biipiq.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\biipiq = "C:\\Users\\Admin\\biipiq.exe /C" biipiq.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\biipiq = "C:\\Users\\Admin\\biipiq.exe /O" biipiq.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\biipiq = "C:\\Users\\Admin\\biipiq.exe /B" biipiq.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\biipiq = "C:\\Users\\Admin\\biipiq.exe /R" biipiq.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\biipiq = "C:\\Users\\Admin\\biipiq.exe /t" biipiq.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\biipiq = "C:\\Users\\Admin\\biipiq.exe /w" biipiq.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\biipiq = "C:\\Users\\Admin\\biipiq.exe /K" biipiq.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\biipiq = "C:\\Users\\Admin\\biipiq.exe /j" biipiq.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\biipiq = "C:\\Users\\Admin\\biipiq.exe /p" biipiq.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\biipiq = "C:\\Users\\Admin\\biipiq.exe /q" biipiq.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\biipiq = "C:\\Users\\Admin\\biipiq.exe /F" biipiq.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\biipiq = "C:\\Users\\Admin\\biipiq.exe /I" biipiq.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\biipiq = "C:\\Users\\Admin\\biipiq.exe /o" biipiq.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\biipiq = "C:\\Users\\Admin\\biipiq.exe /i" biipiq.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\biipiq = "C:\\Users\\Admin\\biipiq.exe /H" biipiq.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\biipiq = "C:\\Users\\Admin\\biipiq.exe /v" biipiq.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\biipiq = "C:\\Users\\Admin\\biipiq.exe /G" biipiq.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\ 79185e03c6c3ae5a2de42e96a4f9458761e093ae4a21c6a59e0c7fe2340f3f1f.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\biipiq = "C:\\Users\\Admin\\biipiq.exe /X" biipiq.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\biipiq = "C:\\Users\\Admin\\biipiq.exe /Z" biipiq.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\biipiq = "C:\\Users\\Admin\\biipiq.exe /m" biipiq.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\biipiq = "C:\\Users\\Admin\\biipiq.exe /d" biipiq.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\biipiq = "C:\\Users\\Admin\\biipiq.exe /M" biipiq.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\biipiq = "C:\\Users\\Admin\\biipiq.exe /Y" biipiq.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\biipiq = "C:\\Users\\Admin\\biipiq.exe /E" biipiq.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\biipiq = "C:\\Users\\Admin\\biipiq.exe /s" biipiq.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\biipiq = "C:\\Users\\Admin\\biipiq.exe /f" biipiq.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\biipiq = "C:\\Users\\Admin\\biipiq.exe /u" biipiq.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\biipiq = "C:\\Users\\Admin\\biipiq.exe /n" biipiq.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\biipiq = "C:\\Users\\Admin\\biipiq.exe /Q" biipiq.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\biipiq = "C:\\Users\\Admin\\biipiq.exe /A" biipiq.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\biipiq = "C:\\Users\\Admin\\biipiq.exe /D" biipiq.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\biipiq = "C:\\Users\\Admin\\biipiq.exe /e" biipiq.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\biipiq = "C:\\Users\\Admin\\biipiq.exe /T" biipiq.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\biipiq = "C:\\Users\\Admin\\biipiq.exe /k" biipiq.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\biipiq = "C:\\Users\\Admin\\biipiq.exe /z" biipiq.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\biipiq = "C:\\Users\\Admin\\biipiq.exe /P" biipiq.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\biipiq = "C:\\Users\\Admin\\biipiq.exe /U" biipiq.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\biipiq = "C:\\Users\\Admin\\biipiq.exe /h" biipiq.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\biipiq = "C:\\Users\\Admin\\biipiq.exe /g" biipiq.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\biipiq = "C:\\Users\\Admin\\biipiq.exe /Z" 79185e03c6c3ae5a2de42e96a4f9458761e093ae4a21c6a59e0c7fe2340f3f1f.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\biipiq = "C:\\Users\\Admin\\biipiq.exe /L" biipiq.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\biipiq = "C:\\Users\\Admin\\biipiq.exe /J" biipiq.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\biipiq = "C:\\Users\\Admin\\biipiq.exe /x" biipiq.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\biipiq = "C:\\Users\\Admin\\biipiq.exe /b" biipiq.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\biipiq = "C:\\Users\\Admin\\biipiq.exe /c" biipiq.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\biipiq = "C:\\Users\\Admin\\biipiq.exe /S" biipiq.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1848 79185e03c6c3ae5a2de42e96a4f9458761e093ae4a21c6a59e0c7fe2340f3f1f.exe 960 biipiq.exe 960 biipiq.exe 960 biipiq.exe 960 biipiq.exe 960 biipiq.exe 960 biipiq.exe 960 biipiq.exe 960 biipiq.exe 960 biipiq.exe 960 biipiq.exe 960 biipiq.exe 960 biipiq.exe 960 biipiq.exe 960 biipiq.exe 960 biipiq.exe 960 biipiq.exe 960 biipiq.exe 960 biipiq.exe 960 biipiq.exe 960 biipiq.exe 960 biipiq.exe 960 biipiq.exe 960 biipiq.exe 960 biipiq.exe 960 biipiq.exe 960 biipiq.exe 960 biipiq.exe 960 biipiq.exe 960 biipiq.exe 960 biipiq.exe 960 biipiq.exe 960 biipiq.exe 960 biipiq.exe 960 biipiq.exe 960 biipiq.exe 960 biipiq.exe 960 biipiq.exe 960 biipiq.exe 960 biipiq.exe 960 biipiq.exe 960 biipiq.exe 960 biipiq.exe 960 biipiq.exe 960 biipiq.exe 960 biipiq.exe 960 biipiq.exe 960 biipiq.exe 960 biipiq.exe 960 biipiq.exe 960 biipiq.exe 960 biipiq.exe 960 biipiq.exe 960 biipiq.exe 960 biipiq.exe 960 biipiq.exe 960 biipiq.exe 960 biipiq.exe 960 biipiq.exe 960 biipiq.exe 960 biipiq.exe 960 biipiq.exe 960 biipiq.exe 960 biipiq.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 1848 79185e03c6c3ae5a2de42e96a4f9458761e093ae4a21c6a59e0c7fe2340f3f1f.exe 960 biipiq.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 1848 wrote to memory of 960 1848 79185e03c6c3ae5a2de42e96a4f9458761e093ae4a21c6a59e0c7fe2340f3f1f.exe 28 PID 1848 wrote to memory of 960 1848 79185e03c6c3ae5a2de42e96a4f9458761e093ae4a21c6a59e0c7fe2340f3f1f.exe 28 PID 1848 wrote to memory of 960 1848 79185e03c6c3ae5a2de42e96a4f9458761e093ae4a21c6a59e0c7fe2340f3f1f.exe 28 PID 1848 wrote to memory of 960 1848 79185e03c6c3ae5a2de42e96a4f9458761e093ae4a21c6a59e0c7fe2340f3f1f.exe 28
Processes
-
C:\Users\Admin\AppData\Local\Temp\79185e03c6c3ae5a2de42e96a4f9458761e093ae4a21c6a59e0c7fe2340f3f1f.exe"C:\Users\Admin\AppData\Local\Temp\79185e03c6c3ae5a2de42e96a4f9458761e093ae4a21c6a59e0c7fe2340f3f1f.exe"1⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1848 -
C:\Users\Admin\biipiq.exe"C:\Users\Admin\biipiq.exe"2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:960
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
108KB
MD50733766c2e023cbdc2d0ce7e1066baa7
SHA145a2c592820ba79770515b72d79af2048461820f
SHA25604dedc0c26d71ee654583188a4c42b70ccbe2c6ace0245ba7e953d1406ad0f49
SHA512b5831da4120da6e0bda8058424bdb15f84f40371076682e2fe6a392dd3c6da068adcad36bf380189455837fbe0037886913ca99d2335451949544d6317e2154b
-
Filesize
108KB
MD50733766c2e023cbdc2d0ce7e1066baa7
SHA145a2c592820ba79770515b72d79af2048461820f
SHA25604dedc0c26d71ee654583188a4c42b70ccbe2c6ace0245ba7e953d1406ad0f49
SHA512b5831da4120da6e0bda8058424bdb15f84f40371076682e2fe6a392dd3c6da068adcad36bf380189455837fbe0037886913ca99d2335451949544d6317e2154b
-
Filesize
108KB
MD50733766c2e023cbdc2d0ce7e1066baa7
SHA145a2c592820ba79770515b72d79af2048461820f
SHA25604dedc0c26d71ee654583188a4c42b70ccbe2c6ace0245ba7e953d1406ad0f49
SHA512b5831da4120da6e0bda8058424bdb15f84f40371076682e2fe6a392dd3c6da068adcad36bf380189455837fbe0037886913ca99d2335451949544d6317e2154b
-
Filesize
108KB
MD50733766c2e023cbdc2d0ce7e1066baa7
SHA145a2c592820ba79770515b72d79af2048461820f
SHA25604dedc0c26d71ee654583188a4c42b70ccbe2c6ace0245ba7e953d1406ad0f49
SHA512b5831da4120da6e0bda8058424bdb15f84f40371076682e2fe6a392dd3c6da068adcad36bf380189455837fbe0037886913ca99d2335451949544d6317e2154b