c7a4aa6db8e6c69e619ddb517a4fb963d45fd9df325fff1361ec6c0a5b13580e

General

Target

c7a4aa6db8e6c69e619ddb517a4fb963d45fd9df325fff1361ec6c0a5b13580e.exe
Size

190KB
MD5

7a598e26d7959b528e9a7a875303d6ad
SHA1

8db87d3a73744f5426bd5aa23ce8ba03533c8686
SHA256

c7a4aa6db8e6c69e619ddb517a4fb963d45fd9df325fff1361ec6c0a5b13580e
SHA512

57a3dc9a500b5f0cc0868f9e455b6c385d1ed9aed350cd399a252734031f545a8906963a0e09914336e8ee2b3cac29167af120ddcf1708fb1f5774995f2f9ea2
SSDEEP

3072:No3ePTG8Gv6Sj9imee96c8Mkw1gimEVdWc3YyrXlIKqY:G3e109x96Yb1gimEF3xTlV

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
900	bie_kms.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\check.txt	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

pid	Process
1216	taskkill.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1320	PING.EXE

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
900	bie_kms.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1216	taskkill.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 1352 wrote to memory of 1324	1352	c7a4aa6db8e6c69e619ddb517a4fb963d45fd9df325fff1361ec6c0a5b13580e.exe	26
PID 1352 wrote to memory of 1324	1352	c7a4aa6db8e6c69e619ddb517a4fb963d45fd9df325fff1361ec6c0a5b13580e.exe	26
PID 1352 wrote to memory of 1324	1352	c7a4aa6db8e6c69e619ddb517a4fb963d45fd9df325fff1361ec6c0a5b13580e.exe	26
PID 1324 wrote to memory of 948	1324	cmd.exe	28
PID 1324 wrote to memory of 948	1324	cmd.exe	28
PID 1324 wrote to memory of 948	1324	cmd.exe	28
PID 1324 wrote to memory of 900	1324	cmd.exe	31
PID 1324 wrote to memory of 900	1324	cmd.exe	31
PID 1324 wrote to memory of 900	1324	cmd.exe	31
PID 1324 wrote to memory of 900	1324	cmd.exe	31
PID 1324 wrote to memory of 1616	1324	cmd.exe	29
PID 1324 wrote to memory of 1616	1324	cmd.exe	29
PID 1324 wrote to memory of 1616	1324	cmd.exe	29
PID 1324 wrote to memory of 1320	1324	cmd.exe	32
PID 1324 wrote to memory of 1320	1324	cmd.exe	32
PID 1324 wrote to memory of 1320	1324	cmd.exe	32
PID 1324 wrote to memory of 1760	1324	cmd.exe	33
PID 1324 wrote to memory of 1760	1324	cmd.exe	33
PID 1324 wrote to memory of 1760	1324	cmd.exe	33
PID 1324 wrote to memory of 436	1324	cmd.exe	34
PID 1324 wrote to memory of 436	1324	cmd.exe	34
PID 1324 wrote to memory of 436	1324	cmd.exe	34
PID 1324 wrote to memory of 1216	1324	cmd.exe	35
PID 1324 wrote to memory of 1216	1324	cmd.exe	35
PID 1324 wrote to memory of 1216	1324	cmd.exe	35

C:\Users\Admin\AppData\Local\Temp\c7a4aa6db8e6c69e619ddb517a4fb963d45fd9df325fff1361ec6c0a5b13580e.exe
"C:\Users\Admin\AppData\Local\Temp\c7a4aa6db8e6c69e619ddb517a4fb963d45fd9df325fff1361ec6c0a5b13580e.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1352
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\start.bat" "
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:1324
- - C:\Windows\system32\cscript.exe
    cscript "C:\Program Files\Microsoft Office\Office14\ospp.vbs" /inpkey:VYBBJ-TRJPB-QFQRF-QFT4D-H3GVB
    3⤵
    PID:948
- - C:\Windows\system32\cscript.exe
    cscript "C:\Program Files\Microsoft Office\Office14\ospp.vbs" /sethst:127.0.0.1
    3⤵
    PID:1616
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\bie_kms.exe
    C:\Users\Admin\AppData\Local\Temp\RarSFX0\bie_kms.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:900
- - C:\Windows\system32\PING.EXE
    ping -n 16 localhost
    3⤵
    - Runs ping.exe
    PID:1320
- - C:\Windows\system32\cscript.exe
    cscript "C:\Program Files\Microsoft Office\Office14\ospp.vbs" /act
    3⤵
    PID:1760
- - C:\Windows\system32\findstr.exe
    findstr "Error" C:\Windows\check.txt
    3⤵
    PID:436
- - C:\Windows\system32\taskkill.exe
    taskkill.exe /F /IM bie_kms.exe /t
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1216

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\bie_kms.exe

Filesize
73KB

MD5
f4d6c55c7b137a1d8c16430287aedf40

SHA1
45d9902691fbcc295739764b96081b2a508311b7

SHA256
8a4286546d14e1edb583278ef4226ee6542515b55a258bbfbce6d303a090c8a7

SHA512
9f2e91a291ce4057fc67c4e91aaa7a9e696ce67cecec46e12372356e0b696dcfac56c6003d2c8bd897479603b8ba02aae9045399fe9648cfb838506a692d9d83

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\bie_kms.exe

Filesize
73KB

MD5
f4d6c55c7b137a1d8c16430287aedf40

SHA1
45d9902691fbcc295739764b96081b2a508311b7

SHA256
8a4286546d14e1edb583278ef4226ee6542515b55a258bbfbce6d303a090c8a7

SHA512
9f2e91a291ce4057fc67c4e91aaa7a9e696ce67cecec46e12372356e0b696dcfac56c6003d2c8bd897479603b8ba02aae9045399fe9648cfb838506a692d9d83

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\start.bat

Filesize
887B

MD5
738046f172738daf6659288d163260f0

SHA1
6c300dd423f1e2951b1c320f6add5d5c722d6ab1

SHA256
a0f8fba0fc2b9b0625acc4213cbd43576191a861ce8fda662f8bea96e52ba803

SHA512
059d33c31c65b1eb57fd36753fafb9cd7c70517253c47ec535ca4bd4b0edfc51054bfdfde387c80f56914d2352556734cd709bb144d22b9d2ae098e7454e7f51

Download Submit
C:\Windows\check.txt

Filesize
202B

MD5
5ed266dcc77b62459cc3cbda204fc385

SHA1
c07c32f7bc4a4a3f5215f633afeaa87934588f24

SHA256
53c845efeb91789810004f333a904cdd3defd9037fe924e23f01a7724820563c

SHA512
92690ba158c04f1e2bbbbb02b612d0401f93ceb7ba32cd0ece2a20945ed200064ceae5e1508ec11cea06a38f7374dbc34ba8d7b8c27387102d198f44610864a6

Download Submit
memory/900-63-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1352-54-0x000007FEFB5E1000-0x000007FEFB5E3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing