Analysis

  • max time kernel
    10s
  • max time network
    12s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    05/07/2023, 15:22

General

  • Target

    bios.exe

  • Size

    11KB

  • MD5

    4947bbea7829d84e405306175cb159fa

  • SHA1

    b3b8f5b43e41ecbba35f04c16b964578b5c1c083

  • SHA256

    4ac03a28ad39f04b02cabc654b1946b431ada3c5198a13e07515933f82c80be3

  • SHA512

    265ff6398d64015da2da70f512c5f1386a98245ce4d6ac09a623aa805fadcb602453fa05c3a260cbc9eea18f13f443d0c2769851858392e38b92ae2c29d591f8

  • SSDEEP

    192:QFrTzy8k0JMmx8O3napbCCePC1Eq8stYcFwVc03KY:uzrMmapbCCeUEqptYcFwVc03K

Score
10/10

Malware Config

Signatures

  • Cerber 16 IoCs

    Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2016. In this report the tag is attached only to the taskkill.exe and KernelMapper.exe child processes and no Cerber configuration was extracted (the Malware Config section is empty), so it is a behavioural-signature match rather than a family attribution; nothing in the process tree below shows an encryption routine, only process killing and driver loading.

  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 10 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Kills process with taskkill 7 IoCs
  • Suspicious behavior: LoadsDriver 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bios.exe
    "C:\Users\Admin\AppData\Local\Temp\bios.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:228
    • C:\Windows\IME\biosshit.exe
      "C:\Windows\IME\biosshit.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:1512
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping_EAC.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:800
        • C:\Windows\system32\taskkill.exe
          taskkill /f /im FortniteClient-Win64-Shipping_EAC.exe
          4⤵
          • Cerber
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:4264
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2980
        • C:\Windows\system32\taskkill.exe
          taskkill /f /im FortniteClient-Win64-Shipping.exe
          4⤵
          • Cerber
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1960
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping_BE.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4460
        • C:\Windows\system32\taskkill.exe
          taskkill /f /im FortniteClient-Win64-Shipping_BE.exe
          4⤵
          • Cerber
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2132
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteLauncher.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4472
        • C:\Windows\system32\taskkill.exe
          taskkill /f /im FortniteLauncher.exe
          4⤵
          • Cerber
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2660
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2280
        • C:\Windows\system32\taskkill.exe
          taskkill /f /im EpicGamesLauncher.exe
          4⤵
          • Cerber
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:3968
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c taskkill /f /im OneDrive.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3340
        • C:\Windows\system32\taskkill.exe
          taskkill /f /im OneDrive.exe
          4⤵
          • Cerber
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2164
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c taskkill /f /im BEservice.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2596
        • C:\Windows\system32\taskkill.exe
          taskkill /f /im BEservice.exe
          4⤵
          • Cerber
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2664
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c C:\Windows\KernelMapper.exe /IV %random%%random%%random%%random%%random%%random%%random%%random%%random%
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1140
        • C:\Windows\KernelMapper.exe
          C:\Windows\KernelMapper.exe /IV 275082863202117290931119057126473115820261
          4⤵
          • Cerber
          • Executes dropped EXE
          PID:648
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c C:\Windows\KernelMapper.exe /ID %random%%random%%random%%random%%random%%random%%random%%random%%random%
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4228
        • C:\Windows\KernelMapper.exe
          C:\Windows\KernelMapper.exe /ID 2751213612530731353196262298415759282314005
          4⤵
          • Cerber
          • Executes dropped EXE
          PID:3056
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c C:\Windows\KernelMapper.exe /SP %random%%random%%random%%random%%random%%random%%random%%random%%random%
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2504
        • C:\Windows\KernelMapper.exe
          C:\Windows\KernelMapper.exe /SP 2751213612530731353196262298415759282314005
          4⤵
          • Cerber
          • Executes dropped EXE
          PID:2844
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c C:\Windows\KernelMapper.exe /SV %random%%random%%random%%random%%random%%random%%random%%random%%random%
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:856
        • C:\Windows\KernelMapper.exe
          C:\Windows\KernelMapper.exe /SV 2751213612530731353196262298415759282314005
          4⤵
          • Cerber
          • Executes dropped EXE
          PID:1312
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c C:\Windows\KernelMapper.exe /SS %random%%random%%random%%random%%random%%random%%random%%random%%random%
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3944
        • C:\Windows\KernelMapper.exe
          C:\Windows\KernelMapper.exe /SS 2751213612530731353196262298415759282314005
          4⤵
          • Cerber
          • Executes dropped EXE
          PID:4788
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c C:\Windows\KernelMapper.exe /SU %random%%random%%random%%random%%random%%random%%random%%random%%random%
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2224
        • C:\Windows\KernelMapper.exe
          C:\Windows\KernelMapper.exe /SU 2751213612530731353196262298415759282314005
          4⤵
          • Cerber
          • Executes dropped EXE
          PID:1620
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c C:\Windows\KernelMapper.exe /SK %random%%random%%random%%random%%random%%random%%random%%random%%random%
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3872
        • C:\Windows\KernelMapper.exe
          C:\Windows\KernelMapper.exe /SK 2751213612530731353196262298415759282314005
          4⤵
          • Cerber
          • Executes dropped EXE
          PID:4768
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c C:\Windows\KernelMapper.exe /BM %random%%random%%random%%random%%random%%random%%random%%random%%random%
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4300
        • C:\Windows\KernelMapper.exe
          C:\Windows\KernelMapper.exe /BM 275152436023171226492994126910188722530420517
          4⤵
          • Cerber
          • Executes dropped EXE
          PID:3408
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c C:\Windows\KernelMapper.exe /BP %random%%random%%random%%random%%random%%random%%random%%random%%random%
        3⤵
        PID:4856
        • C:\Windows\KernelMapper.exe
          C:\Windows\KernelMapper.exe /BP 275152436023171226492994126910188722530420517
          4⤵
          • Cerber
          • Executes dropped EXE
          PID:4436
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c C:\Windows\KernelMapper.exe /BV %random%%random%%random%%random%%random%%random%%random%%random%%random%
        3⤵
        PID:4328
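Added example, not part of the sandbox report or the sample: a check on the numeric arguments handed to KernelMapper.exe. Each parent cmd.exe line chains nine `%random%` tokens, and cmd.exe expands `%random%` to a 15-bit value (0 to 32767) printed without leading zeros, so a genuine expansion must split into nine such numbers. The tree above also shows the /ID, /SP, /SV, /SS, /SU and /SK invocations all receiving the identical value 2751213612530731353196262298415759282314005 and /BM and /BP sharing another, which is what cmd.exe produces when several instances start within the same second and seed their generator from the clock; the values are per-second noise, not per-invocation keys. The Python below takes the nine switch/argument pairs from the report as its input (the switch names and values are copied from the tree, nothing else is assumed), confirms each distinct value decomposes into nine `%random%` outputs, and groups the switches that shared a seed. The split it returns is one of possibly several valid ones.

```python
from functools import lru_cache

RANDOM_MAX = 32767   # cmd.exe %random% expands to a 15-bit value, 0..32767, no leading zeros
RANDOM_COUNT = 9     # the parent cmd.exe lines in the report chain nine %random% tokens

# Switch -> argument as seen on the KernelMapper.exe command lines in the report.
REPORT_ARGS = {
    "/IV": "275082863202117290931119057126473115820261",
    "/ID": "2751213612530731353196262298415759282314005",
    "/SP": "2751213612530731353196262298415759282314005",
    "/SV": "2751213612530731353196262298415759282314005",
    "/SS": "2751213612530731353196262298415759282314005",
    "/SU": "2751213612530731353196262298415759282314005",
    "/SK": "2751213612530731353196262298415759282314005",
    "/BM": "275152436023171226492994126910188722530420517",
    "/BP": "275152436023171226492994126910188722530420517",
}


def split_cmd_random(blob, n=RANDOM_COUNT):
    """Return one split of blob into n decimal values in 0..RANDOM_MAX, or None.

    A chunk is 1-5 digits, carries no leading zero (except "0" itself) and does
    not exceed RANDOM_MAX. More than one split may exist; the first found wins.
    """
    if not blob.isdigit():
        return None

    @lru_cache(maxsize=None)
    def go(i, k):
        if k == 0:
            return () if i == len(blob) else None
        if len(blob) - i > 5 * k:          # too many digits left for k chunks
            return None
        for j in range(i + 1, min(i + 5, len(blob)) + 1):
            chunk = blob[i:j]
            if (len(chunk) > 1 and chunk[0] == "0") or int(chunk) > RANDOM_MAX:
                break                      # every longer prefix fails the same test
            rest = go(j, k - 1)
            if rest is not None:
                return (int(chunk),) + rest
        return None

    return go(0, n)


def looks_like_cmd_random(blob, n=RANDOM_COUNT):
    """True when blob is consistent with n concatenated %random% expansions."""
    return split_cmd_random(blob, n) is not None


def shared_seed(args):
    """Group switches whose argument is byte-identical: the cmd.exe instances
    that produced them started in the same second and replayed one rand() sequence."""
    groups = {}
    for switch, blob in args.items():
        groups.setdefault(blob, []).append(switch)
    return groups


if __name__ == "__main__":
    for blob, switches in shared_seed(REPORT_ARGS).items():
        print(" ".join(switches), "->", split_cmd_random(blob))
```

Any argument this check rejects (wrong digit count, a chunk above 32767, a leading zero) would be worth a closer look, because it could not have come from the `%random%` chain shown in the parent command line.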

      Network

      MITRE ATT&CK Enterprise v6

      Downloads

      • C:\Windows\IME\biosshit.exe

        Filesize

        27KB

        MD5

        61c8d9663c6a4e039841a457ecba3880

        SHA1

        c9e5ca30c1c52cba7db337e9d57c03ca56a3436a

        SHA256

        9f7e4c4687941125afd36792fe884d78a0fb96db304445e4bc9a404b2529a8ce

        SHA512

        0b27a8e05e34002619540c5679df0ff7ed4422e7f9bbcef9128ab840f77c73fc983ffcd898181e3cae70944c542be55b69ba296f99704072d27b538307db3b03

      • C:\Windows\KernelMapper.exe

        Filesize

        453KB

        MD5

        6a6505b2413d2c7b16c6d059448db9e5

        SHA1

        dfe6c6b6051c26326a12dc9d0d5701cb4728266c

        SHA256

        53e3b72f8eb13acf3cb69d4cb124e8dc64fc541555c3c95cc8003b8046853955

        SHA512

        1c0531581f0efe683ab763f6633ace60f0637b22830e7ec551babe19ac777a1a6821dc568bce13a8abee8bfef1c7d9397e0bee1c78c00810c65dadd788dab2a3

      • C:\Windows\amifldrv64.sys

        Filesize

        18KB

        MD5

        785045f8b25cd2e937ddc6b09debe01a

        SHA1

        029c678674f482ababe8bbfdb93152392457109d

        SHA256

        37073e42ffa0322500f90cd7e3c8d02c4cdd695d31c77e81560abec20bfb68ba

        SHA512

        40bbeb41816146c7172aa3cf27dace538908b7955171968e1cddcd84403b2588e0d8437a3596c2714ccdf4476eefa3d4e61d90ea118982b729f50b03df1104a9

      • memory/228-134-0x0000000004E20000-0x0000000004E30000-memory.dmp

        Filesize

        64KB

      • memory/228-133-0x0000000000400000-0x0000000000408000-memory.dmp

        Filesize

        32KB
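Added example, not part of the report: the process tree and dropped-file list give three detection opportunities that do not depend on the sample's hashes. First, a burst of `taskkill /f /im` against anti-cheat and launcher processes issued by one actor through cmd.exe wrappers (here biosshit.exe, PID 1512). Second, executables written into C:\Windows outside the servicing trees and then run (biosshit.exe under C:\Windows\IME, KernelMapper.exe in C:\Windows itself). Third, a .sys written by a user-mode process and subsequently loaded (amifldrv64.sys, which lines up with the LoadsDriver hits). The Python below runs those three rules over constructed Sysmon-style records modelled on the tree: event ID 1 for process creation, 11 for file creation, 6 for driver load, with simplified field names. The events, the parent PID 4000 for bios.exe and the minimum of three kill targets are assumptions; the kill watchlist is copied from the report's command lines.

```python
import re
from collections import defaultdict

# Constructed Sysmon-style records modelled on the report's process tree (not the
# sandbox's own output). id 1 = ProcessCreate, 11 = FileCreate, 6 = DriverLoad.
SYS32 = r"C:\Windows\system32"
EVENTS = [
    {"id": 1, "pid": 228, "ppid": 4000, "image": r"C:\Users\Admin\AppData\Local\Temp\bios.exe",
     "cmd": r'"C:\Users\Admin\AppData\Local\Temp\bios.exe"'},
    {"id": 11, "pid": 228, "image": r"C:\Users\Admin\AppData\Local\Temp\bios.exe",
     "target": r"C:\Windows\IME\biosshit.exe"},
    {"id": 1, "pid": 1512, "ppid": 228, "image": r"C:\Windows\IME\biosshit.exe",
     "cmd": r'"C:\Windows\IME\biosshit.exe"'},
    {"id": 11, "pid": 1512, "image": r"C:\Windows\IME\biosshit.exe",
     "target": r"C:\Windows\KernelMapper.exe"},
    {"id": 1, "pid": 800, "ppid": 1512, "image": SYS32 + r"\cmd.exe",
     "cmd": SYS32 + r"\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping_EAC.exe"},
    {"id": 1, "pid": 4264, "ppid": 800, "image": SYS32 + r"\taskkill.exe",
     "cmd": "taskkill /f /im FortniteClient-Win64-Shipping_EAC.exe"},
    {"id": 1, "pid": 2596, "ppid": 1512, "image": SYS32 + r"\cmd.exe",
     "cmd": SYS32 + r"\cmd.exe /c taskkill /f /im BEservice.exe"},
    {"id": 1, "pid": 2664, "ppid": 2596, "image": SYS32 + r"\taskkill.exe",
     "cmd": "taskkill /f /im BEservice.exe"},
    {"id": 1, "pid": 3340, "ppid": 1512, "image": SYS32 + r"\cmd.exe",
     "cmd": SYS32 + r"\cmd.exe /c taskkill /f /im OneDrive.exe"},
    {"id": 1, "pid": 2164, "ppid": 3340, "image": SYS32 + r"\taskkill.exe",
     "cmd": "taskkill /f /im OneDrive.exe"},
    {"id": 1, "pid": 1140, "ppid": 1512, "image": SYS32 + r"\cmd.exe",
     "cmd": SYS32 + r"\cmd.exe /c C:\Windows\KernelMapper.exe /IV %random%%random%"},
    {"id": 1, "pid": 648, "ppid": 1140, "image": r"C:\Windows\KernelMapper.exe",
     "cmd": r"C:\Windows\KernelMapper.exe /IV 275082863202117290931119057126473115820261"},
    {"id": 11, "pid": 648, "image": r"C:\Windows\KernelMapper.exe",
     "target": r"C:\Windows\amifldrv64.sys"},
    {"id": 6, "pid": 4, "loaded": r"C:\Windows\amifldrv64.sys"},
]

# Image names the sample killed, taken from the report's command lines.
KILL_WATCHLIST = {
    "fortniteclient-win64-shipping_eac.exe", "fortniteclient-win64-shipping.exe",
    "fortniteclient-win64-shipping_be.exe", "fortnitelauncher.exe",
    "epicgameslauncher.exe", "onedrive.exe", "beservice.exe",
}
TASKKILL_RE = re.compile(r"\btaskkill\b.*?/im\s+(\S+)", re.I)
# Binaries that legitimately live under C:\Windows sit in these trees; a freshly
# written file anywhere else under C:\Windows that then executes is suspicious.
SERVICING_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\winsxs\\")


def basename(path):
    return path.lower().rsplit("\\", 1)[-1]


def root_actor(pid, procs):
    """Walk up through cmd.exe / taskkill.exe wrappers to the process that decided to kill."""
    while pid in procs and basename(procs[pid]["image"]) in ("cmd.exe", "taskkill.exe"):
        pid = procs[pid]["ppid"]
    return pid


def rule_taskkill_sweep(events, procs, min_targets=3):
    """One actor force-killing several watch-listed processes via taskkill."""
    kills = defaultdict(set)
    for e in events:
        if e["id"] == 1 and basename(e["image"]) == "taskkill.exe":
            m = TASKKILL_RE.search(e["cmd"])
            if m:
                kills[root_actor(e["pid"], procs)].add(m.group(1).lower())
    return [{"rule": "taskkill_sweep", "pid": pid, "targets": sorted(t)}
            for pid, t in kills.items() if len(t) >= min_targets and t & KILL_WATCHLIST]


def rule_dropped_exe_in_windows(events):
    """A file written under C:\\Windows outside the servicing trees, then executed."""
    written = {e["target"].lower() for e in events if e["id"] == 11}
    hits = []
    for e in events:
        if e["id"] != 1:
            continue
        img = e["image"].lower()
        if img.startswith("c:\\windows\\") and not img.startswith(SERVICING_DIRS) and img in written:
            hits.append({"rule": "dropped_exe_in_windows", "pid": e["pid"], "image": e["image"]})
    return hits


def rule_driver_drop_and_load(events):
    """A .sys that appears in a FileCreate and is later loaded by the kernel."""
    dropped = {e["target"].lower(): e for e in events
               if e["id"] == 11 and e["target"].lower().endswith(".sys")}
    return [{"rule": "driver_drop_and_load", "pid": dropped[e["loaded"].lower()]["pid"],
             "dropper": dropped[e["loaded"].lower()]["image"], "driver": e["loaded"]}
            for e in events if e["id"] == 6 and e["loaded"].lower() in dropped]


def analyse(events):
    procs = {e["pid"]: e for e in events if e["id"] == 1}
    return (rule_taskkill_sweep(events, procs)
            + rule_dropped_exe_in_windows(events)
            + rule_driver_drop_and_load(events))


if __name__ == "__main__":
    for alert in analyse(EVENTS):
        print(alert)
```

The taskkill rule attributes each kill to the first non-wrapper ancestor rather than to cmd.exe, so the alert lands on biosshit.exe (PID 1512) even though every taskkill.exe has a different cmd.exe parent; on real telemetry, key the actor on process GUID rather than PID, since PIDs are reused.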