Analysis
- max time kernel: 150s
- max time network: 153s
- platform: windows7_x64
- resource: win7-20220718-en
- resource tags: arch:x64, arch:x86, image:win7-20220718-en, locale:en-us, os:windows7-x64, system
- submitted: 24-07-2022 23:13
Static task: static1
Behavioral task: behavioral1
  Sample: 575a2d86b2ce4748295486e6e23577115a3865c9599f2f10fd89d295da824cb4.exe
  Resource: win7-20220718-en
Behavioral task: behavioral2
  Sample: 575a2d86b2ce4748295486e6e23577115a3865c9599f2f10fd89d295da824cb4.exe
  Resource: win10v2004-20220721-en
General
- Target: 575a2d86b2ce4748295486e6e23577115a3865c9599f2f10fd89d295da824cb4.exe
- Size: 268KB
- MD5: 0680cff012a9f043fb831ab21244f7ee
- SHA1: 017a0dd7d4e5ec693a3e20592957b46c3840b7fc
- SHA256: 575a2d86b2ce4748295486e6e23577115a3865c9599f2f10fd89d295da824cb4
- SHA512: 770d51eea1194d86882f9e28800a4e0d654ac083e49d5db32fb347ad6e722432be7acb4031468cdcbbe52ad7c90b81fbe3b751055a9a7ef6d8926faa563360f3
Malware Config
Signatures
- suricata: ET MALWARE Ransomware/Cerber Checkin 2
- suricata: ET MALWARE Ransomware/Cerber Checkin M3 (15)
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Contacts a large (512) amount of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Loads dropped DLL (3 IoCs)
  Processes: 575a2d86b2ce4748295486e6e23577115a3865c9599f2f10fd89d295da824cb4.exe
  pid | process
  1948 | 575a2d86b2ce4748295486e6e23577115a3865c9599f2f10fd89d295da824cb4.exe (recorded 3 times)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Suspicious use of SetThreadContext (1 IoC)
  Processes: 575a2d86b2ce4748295486e6e23577115a3865c9599f2f10fd89d295da824cb4.exe
  description | pid | process | target process
  PID 1948 set thread context of 1408 | 1948 | 575a2d86b2ce4748295486e6e23577115a3865c9599f2f10fd89d295da824cb4.exe | 575a2d86b2ce4748295486e6e23577115a3865c9599f2f10fd89d295da824cb4.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes: 575a2d86b2ce4748295486e6e23577115a3865c9599f2f10fd89d295da824cb4.exe
  pid | process
  1408 | 575a2d86b2ce4748295486e6e23577115a3865c9599f2f10fd89d295da824cb4.exe (recorded 4 times)
- Suspicious use of AdjustPrivilegeToken (44 IoCs)
  Processes: 575a2d86b2ce4748295486e6e23577115a3865c9599f2f10fd89d295da824cb4.exe, WMIC.exe, vssvc.exe
  description | pid | process
  Token: SeDebugPrivilege | 1408 | 575a2d86b2ce4748295486e6e23577115a3865c9599f2f10fd89d295da824cb4.exe
  Token: SeIncreaseQuotaPrivilege | 636 | WMIC.exe
  Token: SeSecurityPrivilege | 636 | WMIC.exe
  Token: SeTakeOwnershipPrivilege | 636 | WMIC.exe
  Token: SeLoadDriverPrivilege | 636 | WMIC.exe
  Token: SeSystemProfilePrivilege | 636 | WMIC.exe
  Token: SeSystemtimePrivilege | 636 | WMIC.exe
  Token: SeProfSingleProcessPrivilege | 636 | WMIC.exe
  Token: SeIncBasePriorityPrivilege | 636 | WMIC.exe
  Token: SeCreatePagefilePrivilege | 636 | WMIC.exe
  Token: SeBackupPrivilege | 636 | WMIC.exe
  Token: SeRestorePrivilege | 636 | WMIC.exe
  Token: SeShutdownPrivilege | 636 | WMIC.exe
  Token: SeDebugPrivilege | 636 | WMIC.exe
  Token: SeSystemEnvironmentPrivilege | 636 | WMIC.exe
  Token: SeRemoteShutdownPrivilege | 636 | WMIC.exe
  Token: SeUndockPrivilege | 636 | WMIC.exe
  Token: SeManageVolumePrivilege | 636 | WMIC.exe
  Token: 33 | 636 | WMIC.exe
  Token: 34 | 636 | WMIC.exe
  Token: 35 | 636 | WMIC.exe
  (the 20 WMIC.exe rows above are recorded a second time, in the same order)
  Token: SeBackupPrivilege | 1172 | vssvc.exe
  Token: SeRestorePrivilege | 1172 | vssvc.exe
  Token: SeAuditPrivilege | 1172 | vssvc.exe
- Suspicious use of WriteProcessMemory (17 IoCs)
  Processes: 575a2d86b2ce4748295486e6e23577115a3865c9599f2f10fd89d295da824cb4.exe, 575a2d86b2ce4748295486e6e23577115a3865c9599f2f10fd89d295da824cb4.exe, cmd.exe
  description | pid | process | target process
  PID 1948 wrote to memory of 1408 | 1948 | 575a2d86b2ce4748295486e6e23577115a3865c9599f2f10fd89d295da824cb4.exe | 575a2d86b2ce4748295486e6e23577115a3865c9599f2f10fd89d295da824cb4.exe (recorded 10 times)
  PID 1408 wrote to memory of 1964 | 1408 | 575a2d86b2ce4748295486e6e23577115a3865c9599f2f10fd89d295da824cb4.exe | cmd.exe (recorded 4 times)
  PID 1964 wrote to memory of 636 | 1964 | cmd.exe | WMIC.exe (recorded 3 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\575a2d86b2ce4748295486e6e23577115a3865c9599f2f10fd89d295da824cb4.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\575a2d86b2ce4748295486e6e23577115a3865c9599f2f10fd89d295da824cb4.exe"
  Signatures:
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  Child process:
  - C:\Users\Admin\AppData\Local\Temp\575a2d86b2ce4748295486e6e23577115a3865c9599f2f10fd89d295da824cb4.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\575a2d86b2ce4748295486e6e23577115a3865c9599f2f10fd89d295da824cb4.exe"
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    Child process:
    - C:\Windows\system32\cmd.exe (depth 3)
      Command line: "C:\Windows\system32\cmd.exe"
      Signatures:
      - Suspicious use of WriteProcessMemory
      Child process:
      - C:\Windows\system32\wbem\WMIC.exe (depth 4)
        Command line: C:\Windows\system32\wbem\wmic.exe shadowcopy delete
        Signatures:
        - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\vssvc.exe (depth 1)
  Command line: C:\Windows\system32\vssvc.exe
  Signatures:
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- \Users\Admin\AppData\Local\Temp\nsyFCB.tmp\System.dll
  Filesize: 11KB
  MD5: a436db0c473a087eb61ff5c53c34ba27
  SHA1: 65ea67e424e75f5065132b539c8b2eda88aa0506
  SHA256: 75ed40311875312617d6711baed0be29fcaee71031ca27a8d308a72b15a51e49
  SHA512: 908f46a855480af6eacb2fb64de0e60b1e04bbb10b23992e2cf38a4cbebdcd7d3928c4c022d7ad9f7479265a8f426b93eef580afec95570e654c360d62f5e08d
- \Users\Admin\AppData\Roaming\OpenCandy.dll
  Filesize: 102KB
  MD5: 0fcebb9ef2376e8b9d9843c92812fc8b
  SHA1: 7d43d520884acd3fab51efa7343c8cee136a1627
  SHA256: cf1e175115951204857fdbb970516bfcc45f70648a6077edf189c9995f19fd8a
  SHA512: 232c1c6b7a19e00a3d4bcca212f8a036baa585b1ffb6567a2de5542aad8d2e0add9a4f84efe69de409e16acf3bd5ad16eb2a2b2f5692cb957d72fb7f1e06bde8
- memory/636-73-0x0000000000000000-mapping.dmp
- memory/1408-64-0x0000000000400000-0x0000000000431000-memory.dmp (Filesize: 196KB)
- memory/1408-59-0x0000000000400000-0x0000000000431000-memory.dmp (Filesize: 196KB)
- memory/1408-60-0x0000000000400000-0x0000000000431000-memory.dmp (Filesize: 196KB)
- memory/1408-62-0x0000000000400000-0x0000000000431000-memory.dmp (Filesize: 196KB)
- memory/1408-66-0x0000000000400000-0x0000000000431000-memory.dmp (Filesize: 196KB)
- memory/1408-67-0x00000000004028CF-mapping.dmp
- memory/1408-70-0x0000000000400000-0x0000000000431000-memory.dmp (Filesize: 196KB)
- memory/1408-71-0x0000000000400000-0x0000000000431000-memory.dmp (Filesize: 196KB)
- memory/1408-58-0x0000000000400000-0x0000000000431000-memory.dmp (Filesize: 196KB)
- memory/1408-74-0x0000000000400000-0x0000000000431000-memory.dmp (Filesize: 196KB)
- memory/1948-54-0x0000000075301000-0x0000000075303000-memory.dmp (Filesize: 8KB)
- memory/1964-72-0x0000000000000000-mapping.dmp