Analysis
max time kernel: 142s
max time network: 126s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17-03-2024 01:08
Behavioral tasks
behavioral1: sample 7ev3n.exe, resource win7-20240221-en
behavioral2: sample 7ev3n.exe, resource win10v2004-20240226-en
behavioral3: sample Annabelle.exe, resource win7-20240221-en
behavioral4: sample Annabelle.exe, resource win10v2004-20240226-en
behavioral5: sample BadRabbit.exe, resource win7-20240221-en
behavioral6: sample BadRabbit.exe, resource win10v2004-20240226-en
behavioral7: sample Birele.exe, resource win10v2004-20240226-en
General
Target: Birele.exe
Size: 116KB
MD5: 41789c704a0eecfdd0048b4b4193e752
SHA1: fb1e8385691fa3293b7cbfb9b2656cf09f20e722
SHA256: b2dcfdf9e7b09f2aa5004668370e77982963ace820e7285b2e264a294441da23
SHA512: 76391ac85fdc3be75441fcd6e19bed08b807d3946c7281c647f16a3be5388f7be307e6323fac8502430a4a6d800d52a88709592a49011ecc89de4f19102435ea
SSDEEP: 3072:pYV/aVHN9ySTn34w33FVTyuGAxsvBLSqAKZqoqrxy031l3y:8adNlltyu3Pa5gr33
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Birele.exe"
process: Birele.exe

YARA rule matches (behavioral7 memory dumps)
resource | yara_rule
behavioral7/memory/4268-0-0x0000000000400000-0x0000000000438000-memory.dmp | upx
behavioral7/memory/4268-2-0x0000000000400000-0x0000000000438000-memory.dmp | upx
behavioral7/memory/4268-5-0x0000000000400000-0x0000000000438000-memory.dmp | upx
behavioral7/memory/4268-4-0x0000000000400000-0x0000000000438000-memory.dmp | upx
behavioral7/memory/4268-6-0x0000000000400000-0x0000000000438000-memory.dmp | upx

Adds Run key to start application (2 TTPs, 1 IoC)
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\system = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Birele.exe"
process: Birele.exe

Kills process with taskkill (1 IoC)
pid: 2472
process: taskkill.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
description: Token: SeDebugPrivilege
pid: 2472
process: taskkill.exe

Suspicious use of WriteProcessMemory (3 IoCs)
description | pid | process | procid_target
PID 4268 wrote to memory of 2472 | 4268 | Birele.exe | 88
PID 4268 wrote to memory of 2472 | 4268 | Birele.exe | 88
PID 4268 wrote to memory of 2472 | 4268 | Birele.exe | 88
Processes
1. C:\Users\Admin\AppData\Local\Temp\Birele.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\Birele.exe"
   PID: 4268
   - Modifies WinLogon for persistence
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\taskkill.exe
      command line: taskkill /F /IM explorer.exe
      PID: 2472
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
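The two registry writes recorded above (a per-user Winlogon\Shell value and a Run value, both pointing at the sample in the user's Temp directory) together with the child taskkill /F /IM explorer.exe are what a detection rule should key on. A per-user Winlogon\Shell value normally does not exist at all; the machine-wide default is explorer.exe, so any other value makes the named program the user's desktop at next logon, and killing explorer.exe removes the current desktop immediately. The taskkill child living under SysWOW64 also tells you the sample is a 32-bit process on the x64 image, consistent with the arch:x86 resource tag. The following Python is an added example, not part of this report or of the sandbox's own tooling: it runs that logic over constructed Sysmon-style events built from the report's IoCs (the event field names and the benign control rows are assumptions of the example) and flags the PID that trips more than one rule.

```python
# Detection logic for the pattern in the report: Winlogon Shell replaced,
# a Run value pointing into a user-writable directory, and a child
# taskkill /F /IM explorer.exe. Added example; not the sandbox's own code.
import re
from collections import defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\Birele.exe"
SID = "S-1-5-21-3270530367-132075249-2153716227-1000"
USER_HIVE = "\\REGISTRY\\USER\\" + SID          # kernel-style path, as in the report

# Constructed events modelled on the report's IoCs, in a simplified Sysmon-like
# layout (EventID 1 = process create, EventID 13 = registry value set). The
# field names are an assumption of this example, not a real log schema.
EVENTS = [
    {"EventID": 1, "ProcessId": 4268, "ParentProcessId": 1000, "Image": SAMPLE,
     "CommandLine": '"' + SAMPLE + '"'},
    {"EventID": 13, "ProcessId": 4268, "Image": SAMPLE,
     "TargetObject": USER_HIVE + r"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
     "Details": SAMPLE},
    {"EventID": 13, "ProcessId": 4268, "Image": SAMPLE,
     "TargetObject": USER_HIVE + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\system",
     "Details": SAMPLE},
    {"EventID": 1, "ProcessId": 2472, "ParentProcessId": 4268,
     "Image": r"C:\Windows\SysWOW64\taskkill.exe",
     "CommandLine": "taskkill /F /IM explorer.exe"},
    # Constructed benign rows: a machine-wide Run value under Program Files and
    # a Shell value left at its default must not fire.
    {"EventID": 13, "ProcessId": 900, "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetObject": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Program Files\Vendor\updater.exe"},
    {"EventID": 13, "ProcessId": 900, "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetObject": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
     "Details": "explorer.exe"},
]

WINLOGON_SHELL = re.compile(r"\\Windows NT\\CurrentVersion\\Winlogon\\Shell$", re.I)
RUN_VALUE = re.compile(r"\\Windows\\CurrentVersion\\Run(Once)?\\[^\\]+$", re.I)
# Locations any unprivileged user can write to; a Run entry there is far more
# likely to be dropped malware than an installed application.
USER_WRITABLE = re.compile(r"\\(AppData\\(Local\\Temp|Roaming)|Users\\Public|ProgramData)\\", re.I)
KILL_EXPLORER = re.compile(r"^\s*(?:\S*\\)?taskkill(?:\.exe)?\b.*\s/IM\s+explorer\.exe\b", re.I)


def detect(events):
    """Return (rule, pid, evidence) tuples, one per matching event."""
    alerts = []
    for ev in events:
        if ev["EventID"] == 13:
            target, value = ev["TargetObject"], ev["Details"]
            if WINLOGON_SHELL.search(target):
                # Shell is a comma-separated list; the only expected entry is explorer.exe.
                entries = [e.strip().strip('"').lower() for e in value.split(",")]
                if any(e and e != "explorer.exe" for e in entries):
                    alerts.append(("winlogon_shell_replaced", ev["ProcessId"], value))
            elif RUN_VALUE.search(target) and USER_WRITABLE.search(value):
                alerts.append(("run_key_user_writable_path", ev["ProcessId"], value))
        elif ev["EventID"] == 1 and KILL_EXPLORER.search(ev["CommandLine"]):
            # Attribute the kill to the parent: it is the process that chose to
            # remove the desktop, taskkill.exe is only the tool.
            alerts.append(("explorer_killed_via_taskkill", ev["ParentProcessId"], ev["CommandLine"]))
    return alerts


def suspicious_pids(events, min_rules=2):
    """PIDs that trip at least min_rules distinct rules. Replacing the shell and
    killing explorer.exe from the same process is the combination that stands
    out; either write on its own can occur in legitimate software installs."""
    by_pid = defaultdict(set)
    for rule, pid, _ in detect(events):
        by_pid[pid].add(rule)
    return {pid for pid, rules in by_pid.items() if len(rules) >= min_rules}


if __name__ == "__main__":
    for rule, pid, evidence in detect(EVENTS):
        print(f"{rule:32} pid={pid} {evidence}")
    print("high-confidence PIDs:", sorted(suspicious_pids(EVENTS)))
```

On a live host the same two registry checks are worth running directly: enumerate Winlogon\Shell under HKCU and HKLM and every value under the Run and RunOnce keys, and treat anything that resolves into a user-writable directory as something to pull and hash against the values in the General section above.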