Analysis
- max time kernel: 149s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24-05-2024 11:31
Static task
- static1
Behavioral task
- behavioral1
  - Sample: f8146283aa95377f3db9735f5e54cb34b06f366f986465134bcb7ae8ae97fcf5.exe
  - Resource: win7-20240221-en
Behavioral task
- behavioral2
  - Sample: f8146283aa95377f3db9735f5e54cb34b06f366f986465134bcb7ae8ae97fcf5.exe
  - Resource: win10v2004-20240508-en
General
- Target: f8146283aa95377f3db9735f5e54cb34b06f366f986465134bcb7ae8ae97fcf5.exe
- Size: 88KB
- MD5: 9c85eacb38e8ca80e97153bb3973816e
- SHA1: 4a321cdb01818d436fed1034bad61274d13e4fdf
- SHA256: f8146283aa95377f3db9735f5e54cb34b06f366f986465134bcb7ae8ae97fcf5
- SHA512: bee00e6febacc089fe0938b5cbecf50b5dc1d533a0a8aa980e65dd4f73f5577f1e7d1f81259409a563e8e0e19b27a5d791d91e89a96ab2d906cee50d2b486603
- SSDEEP: 1536:s8hz6IQ/JDHKa5LJW6/Z2NZQKvdmNmS/:NV6I8DHKuFOJvdN
Malware Config
Signatures
- Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)

| description | ioc | Process |
| --- | --- | --- |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | f8146283aa95377f3db9735f5e54cb34b06f366f986465134bcb7ae8ae97fcf5.exe |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | biaza.exe |
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.

| description | ioc | Process |
| --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | f8146283aa95377f3db9735f5e54cb34b06f366f986465134bcb7ae8ae97fcf5.exe |
- Executes dropped EXE (1 IoC)

| pid | Process |
| --- | --- |
| 1576 | biaza.exe |
- Adds Run key to start application (2 TTPs, 27 IoCs)

| description | ioc | Process |
| --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\biaza = "C:\\Users\\Admin\\biaza.exe /c" | f8146283aa95377f3db9735f5e54cb34b06f366f986465134bcb7ae8ae97fcf5.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\biaza = "C:\\Users\\Admin\\biaza.exe /q" | biaza.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\biaza = "C:\\Users\\Admin\\biaza.exe /s" | biaza.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\biaza = "C:\\Users\\Admin\\biaza.exe /j" | biaza.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\biaza = "C:\\Users\\Admin\\biaza.exe /g" | biaza.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\biaza = "C:\\Users\\Admin\\biaza.exe /b" | biaza.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\biaza = "C:\\Users\\Admin\\biaza.exe /k" | biaza.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\biaza = "C:\\Users\\Admin\\biaza.exe /z" | biaza.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\biaza = "C:\\Users\\Admin\\biaza.exe /y" | biaza.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\biaza = "C:\\Users\\Admin\\biaza.exe /h" | biaza.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\biaza = "C:\\Users\\Admin\\biaza.exe /p" | biaza.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\biaza = "C:\\Users\\Admin\\biaza.exe /a" | biaza.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\biaza = "C:\\Users\\Admin\\biaza.exe /d" | biaza.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\biaza = "C:\\Users\\Admin\\biaza.exe /m" | biaza.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\biaza = "C:\\Users\\Admin\\biaza.exe /w" | biaza.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\biaza = "C:\\Users\\Admin\\biaza.exe /r" | biaza.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\biaza = "C:\\Users\\Admin\\biaza.exe /o" | biaza.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\biaza = "C:\\Users\\Admin\\biaza.exe /l" | biaza.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\biaza = "C:\\Users\\Admin\\biaza.exe /v" | biaza.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\biaza = "C:\\Users\\Admin\\biaza.exe /f" | biaza.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\biaza = "C:\\Users\\Admin\\biaza.exe /i" | biaza.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\biaza = "C:\\Users\\Admin\\biaza.exe /t" | biaza.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\biaza = "C:\\Users\\Admin\\biaza.exe /c" | biaza.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\biaza = "C:\\Users\\Admin\\biaza.exe /x" | biaza.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\biaza = "C:\\Users\\Admin\\biaza.exe /u" | biaza.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\biaza = "C:\\Users\\Admin\\biaza.exe /n" | biaza.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\biaza = "C:\\Users\\Admin\\biaza.exe /e" | biaza.exe |
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (64 IoCs)

| pid | Process | entries |
| --- | --- | --- |
| 208 | f8146283aa95377f3db9735f5e54cb34b06f366f986465134bcb7ae8ae97fcf5.exe | 2 |
| 1576 | biaza.exe | 62 (the remaining entries of the 64) |
- Suspicious use of SetWindowsHookEx (2 IoCs)

| pid | Process |
| --- | --- |
| 208 | f8146283aa95377f3db9735f5e54cb34b06f366f986465134bcb7ae8ae97fcf5.exe |
| 1576 | biaza.exe |
- Suspicious use of WriteProcessMemory (3 IoCs)

| description | pid | Process | procid_target |
| --- | --- | --- | --- |
| PID 208 wrote to memory of 1576 | 208 | f8146283aa95377f3db9735f5e54cb34b06f366f986465134bcb7ae8ae97fcf5.exe | 91 |
| PID 208 wrote to memory of 1576 | 208 | f8146283aa95377f3db9735f5e54cb34b06f366f986465134bcb7ae8ae97fcf5.exe | 91 |
| PID 208 wrote to memory of 1576 | 208 | f8146283aa95377f3db9735f5e54cb34b06f366f986465134bcb7ae8ae97fcf5.exe | 91 |
Processes
- C:\Users\Admin\AppData\Local\Temp\f8146283aa95377f3db9735f5e54cb34b06f366f986465134bcb7ae8ae97fcf5.exe "C:\Users\Admin\AppData\Local\Temp\f8146283aa95377f3db9735f5e54cb34b06f366f986465134bcb7ae8ae97fcf5.exe" (level 1)
  - Modifies visibility of hidden/system files in Explorer
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - PID: 208
  - C:\Users\Admin\biaza.exe "C:\Users\Admin\biaza.exe" (level 2, child of PID 208)
    - Modifies visibility of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - PID: 1576
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 88KB
- MD5: 59ca8b8e57b4a61669f9ba28c56ccb62
- SHA1: 845a6527b9eccef8597c6417d33f46688da41135
- SHA256: 04676b8c0fb81d3ba5f7fdf8188ae4fd23ed936a5be9d0b66750f89c50026070
- SHA512: a6ad2a61c3d0b7b529e9ba45edabbdcb861a8bf3400e39871f609e7c1e069e466d4bc70da19d0b3644cd395df0cdf603851a41c10e1fe7683aaf9dd765ee8cef