04f94a66095aad5ded26cd46ce96b72ea17d37d32d1b0b8b57e573a69d762abd

Analysis

max time kernel
153s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
10/03/2024, 18:22

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

04f94a66095aad5ded26cd46ce96b72ea17d37d32d1b0b8b57e573a69d762abd.exe
Size

158KB
MD5

dd638f5a22ef0ab019ff56ba0f5d973a
SHA1

5409ade6eb49601ab32e295a8b72a00d87e69a82
SHA256

04f94a66095aad5ded26cd46ce96b72ea17d37d32d1b0b8b57e573a69d762abd
SHA512

307e0c1713f9f0944add684833997b7298037313eadf6ac9523987cfdef34673b7e3c5b776e43e20eacf2f00c577b068bfa1250a0f355b9bd3b3a9ffd67e9063
SSDEEP

3072:b22ihA0m3BJP0voxM9moNnHKz2yhJDp9GGbW+Q9l:0A0m3D0vgMlWzDp9GGydl

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3932	biclient.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3932	biclient.exe
3932	biclient.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 208 wrote to memory of 3932	208	04f94a66095aad5ded26cd46ce96b72ea17d37d32d1b0b8b57e573a69d762abd.exe	89
PID 208 wrote to memory of 3932	208	04f94a66095aad5ded26cd46ce96b72ea17d37d32d1b0b8b57e573a69d762abd.exe	89
PID 208 wrote to memory of 3932	208	04f94a66095aad5ded26cd46ce96b72ea17d37d32d1b0b8b57e573a69d762abd.exe	89

C:\Users\Admin\AppData\Local\Temp\04f94a66095aad5ded26cd46ce96b72ea17d37d32d1b0b8b57e573a69d762abd.exe
"C:\Users\Admin\AppData\Local\Temp\04f94a66095aad5ded26cd46ce96b72ea17d37d32d1b0b8b57e573a69d762abd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:208
- C:\Users\Admin\AppData\Local\Temp\biclient.exe
  "C:\Users\Admin\AppData\Local\Temp\biclient.exe" /url bi.bisrv.com /affid "awth7zip24816" /id "7zip" /name "7-Zip" /browser ie
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\biclient.exe

Filesize
217KB

MD5
1bdf5e5015efcaa68b05cec0a79be484

SHA1
d22ad1dc1deeb043b4668c5f6b9b59e8b64cbea7

SHA256
f613d98031efc7359c708b9d8a11573526c49e4b60d2614e56747927fa6c2d7b

SHA512
9844b43738b1bae5fb326be8910e9d5a7cf7c6a5838c7ddddb2a04dc72794eff9da87922bc57a228f90ed563e768e56fb5d944a57a452f568272392d0a7d1830

Download Submit
C:\Users\Admin\AppData\Local\Temp\config.ini

Filesize
79B

MD5
a335c1d9d8bd4f30aba49a05d6f73be5

SHA1
e5c901c2abd2131fbb373043aa38cdae3676b266

SHA256
b6b3817dea3b86436a0f5b7dd7ee3b2428af4d6d55fa5a7516fa89c315c5a3a0

SHA512
7eeccade6ff10bc05d7bfae0cf22e5085d3bb6511d2882d591da64de4239a1c0ab47f4a4bbe07feeb91c35a50f5dddac22c12f4c5ad4d5c98fc1c30dd5d6a57f

Download Submit
memory/208-14-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3932-15-0x0000000000E30000-0x0000000000E31000-memory.dmp

Filesize
4KB

Download
memory/3932-100-0x0000000000E30000-0x0000000000E31000-memory.dmp

Filesize
4KB

Download