Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20240508-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    24-05-2024 11:31

General

  • Target

    f8146283aa95377f3db9735f5e54cb34b06f366f986465134bcb7ae8ae97fcf5.exe

  • Size

    88KB

  • MD5

    9c85eacb38e8ca80e97153bb3973816e

  • SHA1

    4a321cdb01818d436fed1034bad61274d13e4fdf

  • SHA256

    f8146283aa95377f3db9735f5e54cb34b06f366f986465134bcb7ae8ae97fcf5

  • SHA512

    bee00e6febacc089fe0938b5cbecf50b5dc1d533a0a8aa980e65dd4f73f5577f1e7d1f81259409a563e8e0e19b27a5d791d91e89a96ab2d906cee50d2b486603

  • SSDEEP

    1536:s8hz6IQ/JDHKa5LJW6/Z2NZQKvdmNmS/:NV6I8DHKuFOJvdN

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 27 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f8146283aa95377f3db9735f5e54cb34b06f366f986465134bcb7ae8ae97fcf5.exe
    "C:\Users\Admin\AppData\Local\Temp\f8146283aa95377f3db9735f5e54cb34b06f366f986465134bcb7ae8ae97fcf5.exe"
    1⤵
    • Modifies visibility of hidden/system files in Explorer
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:208
    • C:\Users\Admin\biaza.exe
      "C:\Users\Admin\biaza.exe"
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:1576

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\biaza.exe

    Filesize

    88KB

    MD5

    59ca8b8e57b4a61669f9ba28c56ccb62

    SHA1

    845a6527b9eccef8597c6417d33f46688da41135

    SHA256

    04676b8c0fb81d3ba5f7fdf8188ae4fd23ed936a5be9d0b66750f89c50026070

    SHA512

    a6ad2a61c3d0b7b529e9ba45edabbdcb861a8bf3400e39871f609e7c1e069e466d4bc70da19d0b3644cd395df0cdf603851a41c10e1fe7683aaf9dd765ee8cef

  • memory/208-0-0x0000000000400000-0x000000000041D000-memory.dmp

    Filesize

    116KB

  • memory/208-37-0x0000000000400000-0x000000000041D000-memory.dmp

    Filesize

    116KB

  • memory/1576-34-0x0000000000400000-0x000000000041D000-memory.dmp

    Filesize

    116KB

  • memory/1576-38-0x0000000000400000-0x000000000041D000-memory.dmp

    Filesize

    116KB