3740b6123a88eeadbc5ed60124727b4ae4ff89a8598d03a142a774bf1036ff99

Analysis

max time kernel
150s
max time network
47s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
06/11/2022, 13:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Trojan-Ransom.Win32.Birele.exe
Size

76KB
MD5

7d5a119c7430c6ec0703653f54c434ea
SHA1

6534365f546c2e3883f5503908351a3a9dbd9f0d
SHA256

3740b6123a88eeadbc5ed60124727b4ae4ff89a8598d03a142a774bf1036ff99
SHA512

3522aac91336ad62aedb59f7058e0678a8eaf6a9a41386280d8e49e3b172121297238762cd94a20c9e78c8eb5e785ae52de25c9b1509cd2fb47d73bc87b8d582
SSDEEP

1536:uf1mb6zZJMVsZYLYmDmGUKGiLqpPADs+MD7+mTA:uwWHYGiLqFCMD7+mT

Score

8^/10

upx

Malware Config

Signatures

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1716-68-0x0000000000400000-0x0000000000428600-memory.dmp	upx

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nlhsz.lnk	WScript.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1716 set thread context of 1284	1716	Trojan-Ransom.Win32.Birele.exe	27

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1716	Trojan-Ransom.Win32.Birele.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1716 wrote to memory of 1284	1716	Trojan-Ransom.Win32.Birele.exe	27
PID 1716 wrote to memory of 1284	1716	Trojan-Ransom.Win32.Birele.exe	27
PID 1716 wrote to memory of 1284	1716	Trojan-Ransom.Win32.Birele.exe	27
PID 1716 wrote to memory of 1284	1716	Trojan-Ransom.Win32.Birele.exe	27
PID 1716 wrote to memory of 1284	1716	Trojan-Ransom.Win32.Birele.exe	27
PID 1716 wrote to memory of 1284	1716	Trojan-Ransom.Win32.Birele.exe	27
PID 1716 wrote to memory of 1284	1716	Trojan-Ransom.Win32.Birele.exe	27
PID 1716 wrote to memory of 1284	1716	Trojan-Ransom.Win32.Birele.exe	27
PID 1716 wrote to memory of 1284	1716	Trojan-Ransom.Win32.Birele.exe	27
PID 1716 wrote to memory of 1284	1716	Trojan-Ransom.Win32.Birele.exe	27
PID 1284 wrote to memory of 808	1284	Trojan-Ransom.Win32.Birele.exe	28
PID 1284 wrote to memory of 808	1284	Trojan-Ransom.Win32.Birele.exe	28
PID 1284 wrote to memory of 808	1284	Trojan-Ransom.Win32.Birele.exe	28
PID 1284 wrote to memory of 808	1284	Trojan-Ransom.Win32.Birele.exe	28

C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Birele.exe
"C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Birele.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1716
- C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Birele.exe
  "C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Birele.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1284
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\czyac.vbs"
    3⤵
    - Drops startup file
    PID:808

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\czyac.vbs

Filesize
5KB

MD5
c0098640e58307be43d5fffca6808617

SHA1
5879945cd47a1bad05f5df12c675e442e7c07fbc

SHA256
e592f1b8b7d89f35a226c572b919f64d6479aa975dec2f1969f55146db3a94d5

SHA512
9ec5d88284d94b8564b8d70e3a5417332cf605dd29e53ccbca759648483d6c525bcc144906d4c13c4ff1b968f41e3163f6d12434d0e4dbcdc731ecb95d1e69fa

Download Submit
memory/1284-56-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1284-57-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1284-59-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1284-61-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1284-62-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1284-64-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1284-67-0x00000000765B1000-0x00000000765B3000-memory.dmp

Filesize
8KB

Download
memory/1284-72-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1716-68-0x0000000000400000-0x0000000000428600-memory.dmp

Filesize
161KB

Download