ce0e0ddd931275dd46cf2b9e5340710d4a8dd35b9329bc80dcf5c5a03c6de933

Analysis

max time kernel
151s
max time network
46s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
14-10-2022 10:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ce0e0ddd931275dd46cf2b9e5340710d4a8dd35b9329bc80dcf5c5a03c6de933.exe
Size

224KB
MD5

06bbc53b49018d32dc7fc9e200b625aa
SHA1

d80629f062ab296613f0d9874ade0b34c64fcf8a
SHA256

ce0e0ddd931275dd46cf2b9e5340710d4a8dd35b9329bc80dcf5c5a03c6de933
SHA512

2d5d9875d582df84dd35100295574c9b6906d95d6fc1813b52d48eac6df20d8e0dc9a693999155b9b63dba1901d2b1b4dcd1250934ace8e5ede65fed9649caed
SSDEEP

3072:3XyqNsMoBu5ZVpl2mclbj4Uvx+8ysNOu+2eRcKksU61JkkX39RLrw4ySKUbax2+l:yqN5Np4LnbmlrZW

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	ce0e0ddd931275dd46cf2b9e5340710d4a8dd35b9329bc80dcf5c5a03c6de933.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	biulek.exe

Executes dropped EXE 1 IoCs

pid	Process
1012	biulek.exe

Loads dropped DLL 2 IoCs

pid	Process
1000	ce0e0ddd931275dd46cf2b9e5340710d4a8dd35b9329bc80dcf5c5a03c6de933.exe
1000	ce0e0ddd931275dd46cf2b9e5340710d4a8dd35b9329bc80dcf5c5a03c6de933.exe

Adds Run key to start application 2 TTPs 29 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\biulek = "C:\\Users\\Admin\\biulek.exe /w"	biulek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\biulek = "C:\\Users\\Admin\\biulek.exe /n"	biulek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\biulek = "C:\\Users\\Admin\\biulek.exe /n"	ce0e0ddd931275dd46cf2b9e5340710d4a8dd35b9329bc80dcf5c5a03c6de933.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\biulek = "C:\\Users\\Admin\\biulek.exe /f"	biulek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\biulek = "C:\\Users\\Admin\\biulek.exe /e"	biulek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\biulek = "C:\\Users\\Admin\\biulek.exe /m"	biulek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\biulek = "C:\\Users\\Admin\\biulek.exe /z"	biulek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\biulek = "C:\\Users\\Admin\\biulek.exe /q"	biulek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\biulek = "C:\\Users\\Admin\\biulek.exe /y"	biulek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\biulek = "C:\\Users\\Admin\\biulek.exe /g"	biulek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\biulek = "C:\\Users\\Admin\\biulek.exe /i"	biulek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\biulek = "C:\\Users\\Admin\\biulek.exe /u"	biulek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\biulek = "C:\\Users\\Admin\\biulek.exe /c"	biulek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\biulek = "C:\\Users\\Admin\\biulek.exe /x"	biulek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\biulek = "C:\\Users\\Admin\\biulek.exe /j"	biulek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\biulek = "C:\\Users\\Admin\\biulek.exe /r"	biulek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\biulek = "C:\\Users\\Admin\\biulek.exe /l"	biulek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\biulek = "C:\\Users\\Admin\\biulek.exe /t"	biulek.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\	biulek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\biulek = "C:\\Users\\Admin\\biulek.exe /p"	biulek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\biulek = "C:\\Users\\Admin\\biulek.exe /o"	biulek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\biulek = "C:\\Users\\Admin\\biulek.exe /b"	biulek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\biulek = "C:\\Users\\Admin\\biulek.exe /s"	biulek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\biulek = "C:\\Users\\Admin\\biulek.exe /d"	biulek.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\	ce0e0ddd931275dd46cf2b9e5340710d4a8dd35b9329bc80dcf5c5a03c6de933.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\biulek = "C:\\Users\\Admin\\biulek.exe /k"	biulek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\biulek = "C:\\Users\\Admin\\biulek.exe /v"	biulek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\biulek = "C:\\Users\\Admin\\biulek.exe /h"	biulek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\biulek = "C:\\Users\\Admin\\biulek.exe /a"	biulek.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1000	ce0e0ddd931275dd46cf2b9e5340710d4a8dd35b9329bc80dcf5c5a03c6de933.exe
1012	biulek.exe
1012	biulek.exe
1012	biulek.exe
1012	biulek.exe
1012	biulek.exe
1012	biulek.exe
1012	biulek.exe
1012	biulek.exe
1012	biulek.exe
1012	biulek.exe
1012	biulek.exe
1012	biulek.exe
1012	biulek.exe
1012	biulek.exe
1012	biulek.exe
1012	biulek.exe
1012	biulek.exe
1012	biulek.exe
1012	biulek.exe
1012	biulek.exe
1012	biulek.exe
1012	biulek.exe
1012	biulek.exe
1012	biulek.exe
1012	biulek.exe
1012	biulek.exe
1012	biulek.exe
1012	biulek.exe
1012	biulek.exe
1012	biulek.exe
1012	biulek.exe
1012	biulek.exe
1012	biulek.exe
1012	biulek.exe
1012	biulek.exe
1012	biulek.exe
1012	biulek.exe
1012	biulek.exe
1012	biulek.exe
1012	biulek.exe
1012	biulek.exe
1012	biulek.exe
1012	biulek.exe
1012	biulek.exe
1012	biulek.exe
1012	biulek.exe
1012	biulek.exe
1012	biulek.exe
1012	biulek.exe
1012	biulek.exe
1012	biulek.exe
1012	biulek.exe
1012	biulek.exe
1012	biulek.exe
1012	biulek.exe
1012	biulek.exe
1012	biulek.exe
1012	biulek.exe
1012	biulek.exe
1012	biulek.exe
1012	biulek.exe
1012	biulek.exe
1012	biulek.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1000	ce0e0ddd931275dd46cf2b9e5340710d4a8dd35b9329bc80dcf5c5a03c6de933.exe
1012	biulek.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1000 wrote to memory of 1012	1000	ce0e0ddd931275dd46cf2b9e5340710d4a8dd35b9329bc80dcf5c5a03c6de933.exe	27
PID 1000 wrote to memory of 1012	1000	ce0e0ddd931275dd46cf2b9e5340710d4a8dd35b9329bc80dcf5c5a03c6de933.exe	27
PID 1000 wrote to memory of 1012	1000	ce0e0ddd931275dd46cf2b9e5340710d4a8dd35b9329bc80dcf5c5a03c6de933.exe	27
PID 1000 wrote to memory of 1012	1000	ce0e0ddd931275dd46cf2b9e5340710d4a8dd35b9329bc80dcf5c5a03c6de933.exe	27

C:\Users\Admin\AppData\Local\Temp\ce0e0ddd931275dd46cf2b9e5340710d4a8dd35b9329bc80dcf5c5a03c6de933.exe
"C:\Users\Admin\AppData\Local\Temp\ce0e0ddd931275dd46cf2b9e5340710d4a8dd35b9329bc80dcf5c5a03c6de933.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1000
- C:\Users\Admin\biulek.exe
  "C:\Users\Admin\biulek.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1012

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\biulek.exe

Filesize
224KB

MD5
6e3ead37f329b24d863a1a8bce4d6eba

SHA1
1c158cfb1be0605170c14c1237acc24aefe7775b

SHA256
7b1544b0f51179238f40d146bcb6844077e60d6cd94c33378d37637af535b1a9

SHA512
c74d383c3e75aa53f6e54b54b6a56b5d43182902d8fa0af0ddd351668a3ee354cb09b88365ab8c53a46ca3ae05235731f230ca3a8f118886ff9fd577317549bb

Download Submit
C:\Users\Admin\biulek.exe

Filesize
224KB

MD5
6e3ead37f329b24d863a1a8bce4d6eba

SHA1
1c158cfb1be0605170c14c1237acc24aefe7775b

SHA256
7b1544b0f51179238f40d146bcb6844077e60d6cd94c33378d37637af535b1a9

SHA512
c74d383c3e75aa53f6e54b54b6a56b5d43182902d8fa0af0ddd351668a3ee354cb09b88365ab8c53a46ca3ae05235731f230ca3a8f118886ff9fd577317549bb

Download Submit
\Users\Admin\biulek.exe

Filesize
224KB

MD5
6e3ead37f329b24d863a1a8bce4d6eba

SHA1
1c158cfb1be0605170c14c1237acc24aefe7775b

SHA256
7b1544b0f51179238f40d146bcb6844077e60d6cd94c33378d37637af535b1a9

SHA512
c74d383c3e75aa53f6e54b54b6a56b5d43182902d8fa0af0ddd351668a3ee354cb09b88365ab8c53a46ca3ae05235731f230ca3a8f118886ff9fd577317549bb

Download Submit
\Users\Admin\biulek.exe

Filesize
224KB

MD5
6e3ead37f329b24d863a1a8bce4d6eba

SHA1
1c158cfb1be0605170c14c1237acc24aefe7775b

SHA256
7b1544b0f51179238f40d146bcb6844077e60d6cd94c33378d37637af535b1a9

SHA512
c74d383c3e75aa53f6e54b54b6a56b5d43182902d8fa0af0ddd351668a3ee354cb09b88365ab8c53a46ca3ae05235731f230ca3a8f118886ff9fd577317549bb

Download Submit
memory/1000-56-0x0000000076561000-0x0000000076563000-memory.dmp

Filesize
8KB

Download
memory/1012-59-0x0000000000000000-mapping.dmp

Download