Analysis
max time kernel: 209s
max time network: 214s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27/11/2022, 02:39
Static task: static1
Behavioral task: behavioral1
Sample: eb0a5411171e2858b32cc5eab75387f1c44b5e7d5df6597ae8f3cf32ed4f5ce9.exe
Resource: win7-20220812-en
General
Target: eb0a5411171e2858b32cc5eab75387f1c44b5e7d5df6597ae8f3cf32ed4f5ce9.exe
Size: 17.5MB
MD5: 319d75130c5ba896f6f515b3f7c2d3f8
SHA1: d414c5bc6bcbd4a68229e71e9a1963bdf3fe6b1d
SHA256: eb0a5411171e2858b32cc5eab75387f1c44b5e7d5df6597ae8f3cf32ed4f5ce9
SHA512: 30ecaebb8059005b6a87ef3212059b5d6719e03cb84bdd41608f53ccb1d145ef5c3055e4614da7471d131d5ce75e49d76c4eadaf41a0fbd4aa17fbfe192ba516
SSDEEP: 393216:wVg38yOX6vVrV4IeW1altTRFhURxNbqn9xWjZLm35Ijdv/L9omG:RVmGMtRFhUfMni0JIjdLOmG
Malware Config
Signatures
Executes dropped EXE 7 IoCs
- PID 1220: eb0a5411171e2858b32cc5eab75387f1c44b5e7d5df6597ae8f3cf32ed4f5ce9 .exe
- PID 3660: biicit.exe
- PID 1116: biicit.exe
- PID 3700: biicit.exe
- PID 1928: biicit.exe
- PID 4948: biicit.exe
- PID 4344: biicit.exe
Loads dropped DLL 2 IoCs
- PID 1220: eb0a5411171e2858b32cc5eab75387f1c44b5e7d5df6597ae8f3cf32ed4f5ce9 .exe (recorded twice)
Checks whether UAC is enabled 1 IoCs
- Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA by eb0a5411171e2858b32cc5eab75387f1c44b5e7d5df6597ae8f3cf32ed4f5ce9 .exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
- flow 62: icanhazip.com
Maps connected drives based on registry 3 TTPs 14 IoCs
Disk information is often read in order to detect sandboxing environments.
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum: once by eb0a5411171e2858b32cc5eab75387f1c44b5e7d5df6597ae8f3cf32ed4f5ce9.exe, six times by biicit.exe
- Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0: once by eb0a5411171e2858b32cc5eab75387f1c44b5e7d5df6597ae8f3cf32ed4f5ce9.exe, six times by biicit.exe
Drops file in System32 directory 5 IoCs
All five operations are by biicit.exe:
- File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\IJUCHKAS.txt
- File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5
- File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE
- File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies
- File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5
Checks processor information in registry 2 TTPs 14 IoCs
Processor information is often read in order to detect sandboxing environments.
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0: once by eb0a5411171e2858b32cc5eab75387f1c44b5e7d5df6597ae8f3cf32ed4f5ce9.exe, six times by biicit.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString: once by eb0a5411171e2858b32cc5eab75387f1c44b5e7d5df6597ae8f3cf32ed4f5ce9.exe, six times by biicit.exe
Modifies data under HKEY_USERS 20 IoCs
All 20 operations are by biicit.exe:
- Key created \REGISTRY\USER\.DEFAULT\Software
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
- Key created \REGISTRY\USER\.DEFAULT\Software\Policies
- Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft
- Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Windows
- Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Windows\AppCompat
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Windows\AppCompat\DisablePCA = "1"
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"
- Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix
- Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"
- Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"
Modifies registry class 59 IoCs
All paths below are under \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes. Every operation is recorded once for the sample (eb0a5411171e2858b32cc5eab75387f1c44b5e7d5df6597ae8f3cf32ed4f5ce9.exe) and once for biicit.exe, except the key creations marked "sample only".
Keys created:
- .exe
- .lnk
- MoqeAkbeise
- MoqeAkbeise\DefaultIcon
- MoqeAkbeise\shell (sample only)
- MoqeAkbeise\shell\open (sample only)
- MoqeAkbeise\shell\open\command
- MoqeAkbeise\shell\runas (sample only)
- MoqeAkbeise\shell\runas\command
- TiekEqmo
- TiekEqmo\shell (sample only)
- TiekEqmo\shell\open (sample only)
- TiekEqmo\shell\open\command
- TiekEqmo\shell\runas (sample only)
- TiekEqmo\shell\runas\command
- TiekEqmo\shellex (sample only)
- TiekEqmo\shellex\IconHandler
Values set (str):
- .exe\ = "MoqeAkbeise"
- .lnk\ = "TiekEqmo"
- MoqeAkbeise\ = "Application"
- MoqeAkbeise\DefaultIcon\ = "%1"
- MoqeAkbeise\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\FoegEli\\biicit.exe\" /START \"%1\" %*"
- MoqeAkbeise\shell\open\command\IsolatedCommand = "\"C:\\Users\\Admin\\AppData\\Roaming\\FoegEli\\biicit.exe\" /START \"%1\" %*"
- MoqeAkbeise\shell\runas\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\FoegEli\\biicit.exe\" /RUNAS /START \"%1\" %*"
- MoqeAkbeise\shell\runas\command\IsolatedCommand = "\"C:\\Users\\Admin\\AppData\\Roaming\\FoegEli\\biicit.exe\" /RUNAS /START \"%1\" %*"
- TiekEqmo\ = "Shortcut"
- TiekEqmo\IsShortcut
- TiekEqmo\NeverShowExt
- TiekEqmo\shellex\IconHandler\ = "{00021401-0000-0000-C000-000000000046}"
- TiekEqmo\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\FoegEli\\biicit.exe\" /START \"%1\" %*"
- TiekEqmo\shell\open\command\IsolatedCommand = "\"C:\\Users\\Admin\\AppData\\Roaming\\FoegEli\\biicit.exe\" /START \"%1\" %*"
- TiekEqmo\shell\runas\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\FoegEli\\biicit.exe\" /RUNAS /START \"%1\" %*"
- TiekEqmo\shell\runas\command\IsolatedCommand = "\"C:\\Users\\Admin\\AppData\\Roaming\\FoegEli\\biicit.exe\" /RUNAS /START \"%1\" %*"
Suspicious behavior: EnumeratesProcesses 2 IoCs
- PID 1220: eb0a5411171e2858b32cc5eab75387f1c44b5e7d5df6597ae8f3cf32ed4f5ce9 .exe (recorded twice)
Suspicious use of AdjustPrivilegeToken 8 IoCs
- Token: SeIncBasePriorityPrivilege, PID 1260, eb0a5411171e2858b32cc5eab75387f1c44b5e7d5df6597ae8f3cf32ed4f5ce9.exe (recorded twice)
- Token: SeIncBasePriorityPrivilege, PID 3660, biicit.exe
- Token: 33, PID 2148, AUDIODG.EXE
- Token: SeIncBasePriorityPrivilege, PID 2148, AUDIODG.EXE
- Token: SeIncBasePriorityPrivilege, PID 3700, biicit.exe (recorded three times)
Suspicious use of SetWindowsHookEx 2 IoCs
- PID 1220: eb0a5411171e2858b32cc5eab75387f1c44b5e7d5df6597ae8f3cf32ed4f5ce9 .exe
- PID 1116: biicit.exe
Suspicious use of WriteProcessMemory 18 IoCs
Each entry below is recorded three times in the raw log:
- PID 1260 (eb0a5411171e2858b32cc5eab75387f1c44b5e7d5df6597ae8f3cf32ed4f5ce9.exe) wrote to memory of PID 1220, procid_target 82
- PID 1260 (eb0a5411171e2858b32cc5eab75387f1c44b5e7d5df6597ae8f3cf32ed4f5ce9.exe) wrote to memory of PID 1116, procid_target 84
- PID 3660 (biicit.exe) wrote to memory of PID 3700, procid_target 85
- PID 3700 (biicit.exe) wrote to memory of PID 1928, procid_target 90
- PID 3700 (biicit.exe) wrote to memory of PID 4948, procid_target 94
- PID 3700 (biicit.exe) wrote to memory of PID 4344, procid_target 97
Processes
- C:\Users\Admin\AppData\Local\Temp\eb0a5411171e2858b32cc5eab75387f1c44b5e7d5df6597ae8f3cf32ed4f5ce9.exe (PID 1260)
  Command line: "C:\Users\Admin\AppData\Local\Temp\eb0a5411171e2858b32cc5eab75387f1c44b5e7d5df6597ae8f3cf32ed4f5ce9.exe"
  - Enumerates connected drives
  - Maps connected drives based on registry
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\eb0a5411171e2858b32cc5eab75387f1c44b5e7d5df6597ae8f3cf32ed4f5ce9 .exe (PID 1220)
    Command line: "C:\Users\Admin\AppData\Local\Temp\eb0a5411171e2858b32cc5eab75387f1c44b5e7d5df6597ae8f3cf32ed4f5ce9 .exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\AppData\Roaming\FoegEli\biicit.exe (PID 1116)
    Command line: C:\Users\Admin\AppData\Roaming\FoegEli\biicit.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Maps connected drives based on registry
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
- C:\Users\Admin\AppData\Roaming\FoegEli\biicit.exe (PID 3660)
  Command line: C:\Users\Admin\AppData\Roaming\FoegEli\biicit.exe
  - Executes dropped EXE
  - Enumerates connected drives
  - Maps connected drives based on registry
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\ProgramData\FoegEli\biicit.exe (PID 3700)
    Command line: C:\ProgramData\FoegEli\biicit.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Checks processor information in registry
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\ProgramData\FoegEli\biicit.exe (PID 1928)
      Command line: "C:\ProgramData\FoegEli\biicit.exe"
      - Executes dropped EXE
      - Enumerates connected drives
      - Maps connected drives based on registry
      - Checks processor information in registry
    - C:\ProgramData\FoegEli\biicit.exe (PID 4948)
      Command line: "C:\ProgramData\FoegEli\biicit.exe"
      - Executes dropped EXE
      - Enumerates connected drives
      - Maps connected drives based on registry
      - Checks processor information in registry
    - C:\ProgramData\FoegEli\biicit.exe (PID 4344)
      Command line: "C:\ProgramData\FoegEli\biicit.exe"
      - Executes dropped EXE
      - Enumerates connected drives
      - Maps connected drives based on registry
      - Checks processor information in registry
- C:\Windows\system32\AUDIODG.EXE (PID 2148)
  Command line: C:\Windows\system32\AUDIODG.EXE 0x3d8 0x468
  - Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK Enterprise v6
Downloads