1494299ebb70bbb2198a6f02e76de555bcecc2742b3a2feb942b7fd6bd0eb215

Analysis

max time kernel
77s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
07/12/2022, 02:55

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

1494299ebb70bbb2198a6f02e76de555bcecc2742b3a2feb942b7fd6bd0eb215.exe
Size

316KB
MD5

9abb8760b9e16e4f1c215e9cf23c7805
SHA1

3dc9d9acd34ee5d8195cd45c2a5133aeda62a399
SHA256

1494299ebb70bbb2198a6f02e76de555bcecc2742b3a2feb942b7fd6bd0eb215
SHA512

55fef478c7315afb0c18d42e8a2a129bc73509a253a2181652cde2e2d1728b0d14647faf33d98e12b8408eb74e832aa41b64ea0f7ad3ad2af7ba7c376a285b74
SSDEEP

3072:VZ2whpF3SpWufuEwuESamFi5eLb532qRgzqRe/aT4E1KZnBmaNtDvJRZ8Ng0ykdN:VZb3qb532qRmqRe/aT4EYDmaNtNRKNN

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	1494299ebb70bbb2198a6f02e76de555bcecc2742b3a2feb942b7fd6bd0eb215.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	biriy.exe

Executes dropped EXE 1 IoCs

pid	Process
848	biriy.exe

Loads dropped DLL 2 IoCs

pid	Process
2016	1494299ebb70bbb2198a6f02e76de555bcecc2742b3a2feb942b7fd6bd0eb215.exe
2016	1494299ebb70bbb2198a6f02e76de555bcecc2742b3a2feb942b7fd6bd0eb215.exe

Adds Run key to start application 2 TTPs 28 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\biriy = "C:\\Users\\Admin\\biriy.exe /l"	biriy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\biriy = "C:\\Users\\Admin\\biriy.exe /x"	biriy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\biriy = "C:\\Users\\Admin\\biriy.exe /h"	biriy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\biriy = "C:\\Users\\Admin\\biriy.exe /q"	biriy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\biriy = "C:\\Users\\Admin\\biriy.exe /y"	biriy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\biriy = "C:\\Users\\Admin\\biriy.exe /u"	biriy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\biriy = "C:\\Users\\Admin\\biriy.exe /o"	biriy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\biriy = "C:\\Users\\Admin\\biriy.exe /v"	biriy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\biriy = "C:\\Users\\Admin\\biriy.exe /p"	biriy.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\	1494299ebb70bbb2198a6f02e76de555bcecc2742b3a2feb942b7fd6bd0eb215.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\biriy = "C:\\Users\\Admin\\biriy.exe /a"	1494299ebb70bbb2198a6f02e76de555bcecc2742b3a2feb942b7fd6bd0eb215.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\	biriy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\biriy = "C:\\Users\\Admin\\biriy.exe /d"	biriy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\biriy = "C:\\Users\\Admin\\biriy.exe /f"	biriy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\biriy = "C:\\Users\\Admin\\biriy.exe /r"	biriy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\biriy = "C:\\Users\\Admin\\biriy.exe /w"	biriy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\biriy = "C:\\Users\\Admin\\biriy.exe /n"	biriy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\biriy = "C:\\Users\\Admin\\biriy.exe /c"	biriy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\biriy = "C:\\Users\\Admin\\biriy.exe /s"	biriy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\biriy = "C:\\Users\\Admin\\biriy.exe /z"	biriy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\biriy = "C:\\Users\\Admin\\biriy.exe /a"	biriy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\biriy = "C:\\Users\\Admin\\biriy.exe /i"	biriy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\biriy = "C:\\Users\\Admin\\biriy.exe /g"	biriy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\biriy = "C:\\Users\\Admin\\biriy.exe /e"	biriy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\biriy = "C:\\Users\\Admin\\biriy.exe /j"	biriy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\biriy = "C:\\Users\\Admin\\biriy.exe /m"	biriy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\biriy = "C:\\Users\\Admin\\biriy.exe /k"	biriy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\biriy = "C:\\Users\\Admin\\biriy.exe /t"	biriy.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2016	1494299ebb70bbb2198a6f02e76de555bcecc2742b3a2feb942b7fd6bd0eb215.exe
848	biriy.exe
848	biriy.exe
848	biriy.exe
848	biriy.exe
848	biriy.exe
848	biriy.exe
848	biriy.exe
848	biriy.exe
848	biriy.exe
848	biriy.exe
848	biriy.exe
848	biriy.exe
848	biriy.exe
848	biriy.exe
848	biriy.exe
848	biriy.exe
848	biriy.exe
848	biriy.exe
848	biriy.exe
848	biriy.exe
848	biriy.exe
848	biriy.exe
848	biriy.exe
848	biriy.exe
848	biriy.exe
848	biriy.exe
848	biriy.exe
848	biriy.exe
848	biriy.exe
848	biriy.exe
848	biriy.exe
848	biriy.exe
848	biriy.exe
848	biriy.exe
848	biriy.exe
848	biriy.exe
848	biriy.exe
848	biriy.exe
848	biriy.exe
848	biriy.exe
848	biriy.exe
848	biriy.exe
848	biriy.exe
848	biriy.exe
848	biriy.exe
848	biriy.exe
848	biriy.exe
848	biriy.exe
848	biriy.exe
848	biriy.exe
848	biriy.exe
848	biriy.exe
848	biriy.exe
848	biriy.exe
848	biriy.exe
848	biriy.exe
848	biriy.exe
848	biriy.exe
848	biriy.exe
848	biriy.exe
848	biriy.exe
848	biriy.exe
848	biriy.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2016	1494299ebb70bbb2198a6f02e76de555bcecc2742b3a2feb942b7fd6bd0eb215.exe
848	biriy.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2016 wrote to memory of 848	2016	1494299ebb70bbb2198a6f02e76de555bcecc2742b3a2feb942b7fd6bd0eb215.exe	27
PID 2016 wrote to memory of 848	2016	1494299ebb70bbb2198a6f02e76de555bcecc2742b3a2feb942b7fd6bd0eb215.exe	27
PID 2016 wrote to memory of 848	2016	1494299ebb70bbb2198a6f02e76de555bcecc2742b3a2feb942b7fd6bd0eb215.exe	27
PID 2016 wrote to memory of 848	2016	1494299ebb70bbb2198a6f02e76de555bcecc2742b3a2feb942b7fd6bd0eb215.exe	27

C:\Users\Admin\AppData\Local\Temp\1494299ebb70bbb2198a6f02e76de555bcecc2742b3a2feb942b7fd6bd0eb215.exe
"C:\Users\Admin\AppData\Local\Temp\1494299ebb70bbb2198a6f02e76de555bcecc2742b3a2feb942b7fd6bd0eb215.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2016
- C:\Users\Admin\biriy.exe
  "C:\Users\Admin\biriy.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:848

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\biriy.exe

Filesize
316KB

MD5
2fba2ce403282acd85e2ab6cb5d95b1d

SHA1
0b316b5369625c8febc8d5d9b168abfb4bd6aa27

SHA256
8d7337a369818ef9ab96e34b8bbb5967717f1ad8d4f155b260301f4a5a641063

SHA512
f7e880209d712303585cf995a71e5da3a23d75a224ae21ebee610343e37504bbadedbd074222a3f1046fd4e256053a1ac522a8e1a20bbf633372d540d5231560

Download Submit
C:\Users\Admin\biriy.exe

Filesize
316KB

MD5
2fba2ce403282acd85e2ab6cb5d95b1d

SHA1
0b316b5369625c8febc8d5d9b168abfb4bd6aa27

SHA256
8d7337a369818ef9ab96e34b8bbb5967717f1ad8d4f155b260301f4a5a641063

SHA512
f7e880209d712303585cf995a71e5da3a23d75a224ae21ebee610343e37504bbadedbd074222a3f1046fd4e256053a1ac522a8e1a20bbf633372d540d5231560

Download Submit
\Users\Admin\biriy.exe

Filesize
316KB

MD5
2fba2ce403282acd85e2ab6cb5d95b1d

SHA1
0b316b5369625c8febc8d5d9b168abfb4bd6aa27

SHA256
8d7337a369818ef9ab96e34b8bbb5967717f1ad8d4f155b260301f4a5a641063

SHA512
f7e880209d712303585cf995a71e5da3a23d75a224ae21ebee610343e37504bbadedbd074222a3f1046fd4e256053a1ac522a8e1a20bbf633372d540d5231560

Download Submit
\Users\Admin\biriy.exe

Filesize
316KB

MD5
2fba2ce403282acd85e2ab6cb5d95b1d

SHA1
0b316b5369625c8febc8d5d9b168abfb4bd6aa27

SHA256
8d7337a369818ef9ab96e34b8bbb5967717f1ad8d4f155b260301f4a5a641063

SHA512
f7e880209d712303585cf995a71e5da3a23d75a224ae21ebee610343e37504bbadedbd074222a3f1046fd4e256053a1ac522a8e1a20bbf633372d540d5231560

Download Submit
memory/2016-56-0x0000000075661000-0x0000000075663000-memory.dmp

Filesize
8KB

Download