c7a4aa6db8e6c69e619ddb517a4fb963d45fd9df325fff1361ec6c0a5b13580e

General

Target

c7a4aa6db8e6c69e619ddb517a4fb963d45fd9df325fff1361ec6c0a5b13580e.exe
Size

190KB
MD5

7a598e26d7959b528e9a7a875303d6ad
SHA1

8db87d3a73744f5426bd5aa23ce8ba03533c8686
SHA256

c7a4aa6db8e6c69e619ddb517a4fb963d45fd9df325fff1361ec6c0a5b13580e
SHA512

57a3dc9a500b5f0cc0868f9e455b6c385d1ed9aed350cd399a252734031f545a8906963a0e09914336e8ee2b3cac29167af120ddcf1708fb1f5774995f2f9ea2
SSDEEP

3072:No3ePTG8Gv6Sj9imee96c8Mkw1gimEVdWc3YyrXlIKqY:G3e109x96Yb1gimEF3xTlV

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
952	bie_kms.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	c7a4aa6db8e6c69e619ddb517a4fb963d45fd9df325fff1361ec6c0a5b13580e.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\check.txt	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

pid	Process
2032	taskkill.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4264	PING.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2032	taskkill.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 1336 wrote to memory of 2188	1336	c7a4aa6db8e6c69e619ddb517a4fb963d45fd9df325fff1361ec6c0a5b13580e.exe	80
PID 1336 wrote to memory of 2188	1336	c7a4aa6db8e6c69e619ddb517a4fb963d45fd9df325fff1361ec6c0a5b13580e.exe	80
PID 2188 wrote to memory of 1484	2188	cmd.exe	82
PID 2188 wrote to memory of 1484	2188	cmd.exe	82
PID 2188 wrote to memory of 952	2188	cmd.exe	83
PID 2188 wrote to memory of 952	2188	cmd.exe	83
PID 2188 wrote to memory of 952	2188	cmd.exe	83
PID 2188 wrote to memory of 1896	2188	cmd.exe	84
PID 2188 wrote to memory of 1896	2188	cmd.exe	84
PID 2188 wrote to memory of 4264	2188	cmd.exe	86
PID 2188 wrote to memory of 4264	2188	cmd.exe	86
PID 2188 wrote to memory of 4288	2188	cmd.exe	89
PID 2188 wrote to memory of 4288	2188	cmd.exe	89
PID 2188 wrote to memory of 1368	2188	cmd.exe	90
PID 2188 wrote to memory of 1368	2188	cmd.exe	90
PID 2188 wrote to memory of 2032	2188	cmd.exe	91
PID 2188 wrote to memory of 2032	2188	cmd.exe	91

C:\Users\Admin\AppData\Local\Temp\c7a4aa6db8e6c69e619ddb517a4fb963d45fd9df325fff1361ec6c0a5b13580e.exe
"C:\Users\Admin\AppData\Local\Temp\c7a4aa6db8e6c69e619ddb517a4fb963d45fd9df325fff1361ec6c0a5b13580e.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1336
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\start.bat" "
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2188
- - C:\Windows\system32\cscript.exe
    cscript "C:\Program Files\Microsoft Office\Office14\ospp.vbs" /inpkey:VYBBJ-TRJPB-QFQRF-QFT4D-H3GVB
    3⤵
    PID:1484
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\bie_kms.exe
    C:\Users\Admin\AppData\Local\Temp\RarSFX0\bie_kms.exe
    3⤵
    - Executes dropped EXE
    PID:952
- - C:\Windows\system32\cscript.exe
    cscript "C:\Program Files\Microsoft Office\Office14\ospp.vbs" /sethst:127.0.0.1
    3⤵
    PID:1896
- - C:\Windows\system32\PING.EXE
    ping -n 16 localhost
    3⤵
    - Runs ping.exe
    PID:4264
- - C:\Windows\system32\cscript.exe
    cscript "C:\Program Files\Microsoft Office\Office14\ospp.vbs" /act
    3⤵
    PID:4288
- - C:\Windows\system32\findstr.exe
    findstr "Error" C:\Windows\check.txt
    3⤵
    PID:1368
- - C:\Windows\system32\taskkill.exe
    taskkill.exe /F /IM bie_kms.exe /t
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2032

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\bie_kms.exe

Filesize
73KB

MD5
f4d6c55c7b137a1d8c16430287aedf40

SHA1
45d9902691fbcc295739764b96081b2a508311b7

SHA256
8a4286546d14e1edb583278ef4226ee6542515b55a258bbfbce6d303a090c8a7

SHA512
9f2e91a291ce4057fc67c4e91aaa7a9e696ce67cecec46e12372356e0b696dcfac56c6003d2c8bd897479603b8ba02aae9045399fe9648cfb838506a692d9d83

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\bie_kms.exe

Filesize
73KB

MD5
f4d6c55c7b137a1d8c16430287aedf40

SHA1
45d9902691fbcc295739764b96081b2a508311b7

SHA256
8a4286546d14e1edb583278ef4226ee6542515b55a258bbfbce6d303a090c8a7

SHA512
9f2e91a291ce4057fc67c4e91aaa7a9e696ce67cecec46e12372356e0b696dcfac56c6003d2c8bd897479603b8ba02aae9045399fe9648cfb838506a692d9d83

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\start.bat

Filesize
887B

MD5
738046f172738daf6659288d163260f0

SHA1
6c300dd423f1e2951b1c320f6add5d5c722d6ab1

SHA256
a0f8fba0fc2b9b0625acc4213cbd43576191a861ce8fda662f8bea96e52ba803

SHA512
059d33c31c65b1eb57fd36753fafb9cd7c70517253c47ec535ca4bd4b0edfc51054bfdfde387c80f56914d2352556734cd709bb144d22b9d2ae098e7454e7f51

Download Submit
C:\Windows\check.txt

Filesize
204B

MD5
3dc8b9bbc1a308839540d12159283a41

SHA1
50be27ca8e4f53cbe6ac859fb929ceaa05a7374b

SHA256
b9d7f82ff2537d84c632f01fa96acad61039e1c4c229e14c3c694aa989e192d4

SHA512
0e0d9826573132f4b90d399ffb489ad1ca14c14a3a9502ae995c7750b12bd9e11da4aaffc5a84c3aae18a9d69f0834d4611e332b77b37b60f76f4a176f298247

Download Submit
memory/952-139-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/952-145-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download

Analysis

Sharing