16ea3a560415caf6b419c3146588674fe397c012bff7f1fdbff76e6c3b6668d7

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
26-12-2023 00:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

463dc2b1f09823ebda97ee44d3c2c495.exe
Size

159KB
MD5

463dc2b1f09823ebda97ee44d3c2c495
SHA1

ad78c9abae002e3e4c73aef9c5827422682347ab
SHA256

16ea3a560415caf6b419c3146588674fe397c012bff7f1fdbff76e6c3b6668d7
SHA512

3d65d548ad464b7b3a6e1ed70c022be8c28bce7b41471b097cff0aedc397ab389a2614a0943a8c35050d0dfa995ab6812612818f3195164b6a5870c20d5a5d15
SSDEEP

3072:222ihA0m3BJf0ApvYhrOJAS3r2MHBjC4LHjsKgg6N9rbqYa:pA0m3T0ASZ7S3CMHFCQ1749rbq/

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2136	biclient.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2136	biclient.exe
2136	biclient.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3004 wrote to memory of 2136	3004	463dc2b1f09823ebda97ee44d3c2c495.exe	20
PID 3004 wrote to memory of 2136	3004	463dc2b1f09823ebda97ee44d3c2c495.exe	20
PID 3004 wrote to memory of 2136	3004	463dc2b1f09823ebda97ee44d3c2c495.exe	20

C:\Users\Admin\AppData\Local\Temp\463dc2b1f09823ebda97ee44d3c2c495.exe
"C:\Users\Admin\AppData\Local\Temp\463dc2b1f09823ebda97ee44d3c2c495.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3004
- C:\Users\Admin\AppData\Local\Temp\biclient.exe
  "C:\Users\Admin\AppData\Local\Temp\biclient.exe" /initurl http://bi.bisrv.com/:affid:/:sid:/:uid:? /affid "ffonts" /id "matilde" /name "Matilde" /uniqid 463dc2b1f09823ebda97ee44d3c2c495
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\biclient.exe

Filesize
156KB

MD5
1dfc2d2f2dcec06f41b77313ff9a056d

SHA1
17bae2150a975da5bbc49760be01ddc692e91028

SHA256
ff71267dcd562f34f21d042aa799d92f1f3aa1b08e3be4fbc1f66a2627c0fb90

SHA512
d90c0f1adafce8349f540d9fc583cfebea80e6f5182ff12e54f81346805d2ca91874011f931a31354d5790834648791aaa354413e4b0e6bc987c2e3aab8bb0a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\biclient.exe

Filesize
219KB

MD5
c66293ccd7cbe84b1b8f393ca5e4e6d7

SHA1
c24089d407e6280b79bec86532e9de0118e4de71

SHA256
ffbae29e2f233767fd42909720497165ce3552427ef93efb2fc714fb4204755f

SHA512
7ff97aa71f182035f90ba10c3bf8087280e3f34bf717bda139d642f4e043c64aa2b98d82a90a32f1df4b76f9d7610af62390fe934e514c90c703381a421c00b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\biclient.exe

Filesize
150KB

MD5
59b984cfc04a92d3c4c6eb9675afc9b7

SHA1
15a58cc19c7eb2353d6edc9ad82628f1762b7f64

SHA256
f7f1e598022bd4c4f433198e48fb483e67f17b9690db8da41c1ae32add4fea0a

SHA512
265c4a4e418da1dd1e828aca9fef41b509f74b946bed0ce0d2b1e06c7413f9d40d7cf3938e805a5e2488f253b1942a77ce3b60403026c0a6e4f905953c64f632

Download Submit
C:\Users\Admin\AppData\Local\Temp\config.ini

Filesize
77B

MD5
48618505fc30eb62afb8788c0c1a5218

SHA1
f0b5f441dac5d55637f16e61044e3a7ee6449371

SHA256
78878a10dcb2e6f2585e7ec1782c74a6d1ee27d36987256ae8bed8449bc9b524

SHA512
1f58846ef12bc06ae203dce8cca90084804b6d3ecda20b3d1e12b3ff66c6ebae5717ae06d10d8873130d86d028df28eda80a33ae5bd4c81e4197d2ff27da8fbb

Download Submit
memory/2136-15-0x00000000013D0000-0x00000000013D1000-memory.dmp

Filesize
4KB

Download
memory/2136-76-0x00000000013D0000-0x00000000013D1000-memory.dmp

Filesize
4KB

Download
memory/3004-14-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download