575a2d86b2ce4748295486e6e23577115a3865c9599f2f10fd89d295da824cb4

General

Target

575a2d86b2ce4748295486e6e23577115a3865c9599f2f10fd89d295da824cb4.exe
Size

268KB
MD5

0680cff012a9f043fb831ab21244f7ee
SHA1

017a0dd7d4e5ec693a3e20592957b46c3840b7fc
SHA256

575a2d86b2ce4748295486e6e23577115a3865c9599f2f10fd89d295da824cb4
SHA512

770d51eea1194d86882f9e28800a4e0d654ac083e49d5db32fb347ad6e722432be7acb4031468cdcbbe52ad7c90b81fbe3b751055a9a7ef6d8926faa563360f3

Score

10^/10

discovery ransomware spyware stealer suricata

Malware Config

Signatures

suricata: ET MALWARE Ransomware/Cerber Checkin 2
suricata: ET MALWARE Ransomware/Cerber Checkin 2
suricata
suricata: ET MALWARE Ransomware/Cerber Checkin M3 (15)
suricata: ET MALWARE Ransomware/Cerber Checkin M3 (15)
suricata
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Contacts a large (512) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046

Loads dropped DLL 3 IoCs

Processes:

575a2d86b2ce4748295486e6e23577115a3865c9599f2f10fd89d295da824cb4.exe

pid	process
1948	575a2d86b2ce4748295486e6e23577115a3865c9599f2f10fd89d295da824cb4.exe
1948	575a2d86b2ce4748295486e6e23577115a3865c9599f2f10fd89d295da824cb4.exe
1948	575a2d86b2ce4748295486e6e23577115a3865c9599f2f10fd89d295da824cb4.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 1 IoCs

Processes:

575a2d86b2ce4748295486e6e23577115a3865c9599f2f10fd89d295da824cb4.exe

description	pid	process	target process
PID 1948 set thread context of 1408	1948	575a2d86b2ce4748295486e6e23577115a3865c9599f2f10fd89d295da824cb4.exe	575a2d86b2ce4748295486e6e23577115a3865c9599f2f10fd89d295da824cb4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

575a2d86b2ce4748295486e6e23577115a3865c9599f2f10fd89d295da824cb4.exe

pid	process
1408	575a2d86b2ce4748295486e6e23577115a3865c9599f2f10fd89d295da824cb4.exe
1408	575a2d86b2ce4748295486e6e23577115a3865c9599f2f10fd89d295da824cb4.exe
1408	575a2d86b2ce4748295486e6e23577115a3865c9599f2f10fd89d295da824cb4.exe
1408	575a2d86b2ce4748295486e6e23577115a3865c9599f2f10fd89d295da824cb4.exe

Suspicious use of AdjustPrivilegeToken 44 IoCs

Processes:

575a2d86b2ce4748295486e6e23577115a3865c9599f2f10fd89d295da824cb4.exeWMIC.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	1408	575a2d86b2ce4748295486e6e23577115a3865c9599f2f10fd89d295da824cb4.exe
Token: SeIncreaseQuotaPrivilege	636	WMIC.exe
Token: SeSecurityPrivilege	636	WMIC.exe
Token: SeTakeOwnershipPrivilege	636	WMIC.exe
Token: SeLoadDriverPrivilege	636	WMIC.exe
Token: SeSystemProfilePrivilege	636	WMIC.exe
Token: SeSystemtimePrivilege	636	WMIC.exe
Token: SeProfSingleProcessPrivilege	636	WMIC.exe
Token: SeIncBasePriorityPrivilege	636	WMIC.exe
Token: SeCreatePagefilePrivilege	636	WMIC.exe
Token: SeBackupPrivilege	636	WMIC.exe
Token: SeRestorePrivilege	636	WMIC.exe
Token: SeShutdownPrivilege	636	WMIC.exe
Token: SeDebugPrivilege	636	WMIC.exe
Token: SeSystemEnvironmentPrivilege	636	WMIC.exe
Token: SeRemoteShutdownPrivilege	636	WMIC.exe
Token: SeUndockPrivilege	636	WMIC.exe
Token: SeManageVolumePrivilege	636	WMIC.exe
Token: 33	636	WMIC.exe
Token: 34	636	WMIC.exe
Token: 35	636	WMIC.exe
Token: SeIncreaseQuotaPrivilege	636	WMIC.exe
Token: SeSecurityPrivilege	636	WMIC.exe
Token: SeTakeOwnershipPrivilege	636	WMIC.exe
Token: SeLoadDriverPrivilege	636	WMIC.exe
Token: SeSystemProfilePrivilege	636	WMIC.exe
Token: SeSystemtimePrivilege	636	WMIC.exe
Token: SeProfSingleProcessPrivilege	636	WMIC.exe
Token: SeIncBasePriorityPrivilege	636	WMIC.exe
Token: SeCreatePagefilePrivilege	636	WMIC.exe
Token: SeBackupPrivilege	636	WMIC.exe
Token: SeRestorePrivilege	636	WMIC.exe
Token: SeShutdownPrivilege	636	WMIC.exe
Token: SeDebugPrivilege	636	WMIC.exe
Token: SeSystemEnvironmentPrivilege	636	WMIC.exe
Token: SeRemoteShutdownPrivilege	636	WMIC.exe
Token: SeUndockPrivilege	636	WMIC.exe
Token: SeManageVolumePrivilege	636	WMIC.exe
Token: 33	636	WMIC.exe
Token: 34	636	WMIC.exe
Token: 35	636	WMIC.exe
Token: SeBackupPrivilege	1172	vssvc.exe
Token: SeRestorePrivilege	1172	vssvc.exe
Token: SeAuditPrivilege	1172	vssvc.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

575a2d86b2ce4748295486e6e23577115a3865c9599f2f10fd89d295da824cb4.exe575a2d86b2ce4748295486e6e23577115a3865c9599f2f10fd89d295da824cb4.execmd.exe

description	pid	process	target process
PID 1948 wrote to memory of 1408	1948	575a2d86b2ce4748295486e6e23577115a3865c9599f2f10fd89d295da824cb4.exe	575a2d86b2ce4748295486e6e23577115a3865c9599f2f10fd89d295da824cb4.exe
PID 1948 wrote to memory of 1408	1948	575a2d86b2ce4748295486e6e23577115a3865c9599f2f10fd89d295da824cb4.exe	575a2d86b2ce4748295486e6e23577115a3865c9599f2f10fd89d295da824cb4.exe
PID 1948 wrote to memory of 1408	1948	575a2d86b2ce4748295486e6e23577115a3865c9599f2f10fd89d295da824cb4.exe	575a2d86b2ce4748295486e6e23577115a3865c9599f2f10fd89d295da824cb4.exe
PID 1948 wrote to memory of 1408	1948	575a2d86b2ce4748295486e6e23577115a3865c9599f2f10fd89d295da824cb4.exe	575a2d86b2ce4748295486e6e23577115a3865c9599f2f10fd89d295da824cb4.exe
PID 1948 wrote to memory of 1408	1948	575a2d86b2ce4748295486e6e23577115a3865c9599f2f10fd89d295da824cb4.exe	575a2d86b2ce4748295486e6e23577115a3865c9599f2f10fd89d295da824cb4.exe
PID 1948 wrote to memory of 1408	1948	575a2d86b2ce4748295486e6e23577115a3865c9599f2f10fd89d295da824cb4.exe	575a2d86b2ce4748295486e6e23577115a3865c9599f2f10fd89d295da824cb4.exe
PID 1948 wrote to memory of 1408	1948	575a2d86b2ce4748295486e6e23577115a3865c9599f2f10fd89d295da824cb4.exe	575a2d86b2ce4748295486e6e23577115a3865c9599f2f10fd89d295da824cb4.exe
PID 1948 wrote to memory of 1408	1948	575a2d86b2ce4748295486e6e23577115a3865c9599f2f10fd89d295da824cb4.exe	575a2d86b2ce4748295486e6e23577115a3865c9599f2f10fd89d295da824cb4.exe
PID 1948 wrote to memory of 1408	1948	575a2d86b2ce4748295486e6e23577115a3865c9599f2f10fd89d295da824cb4.exe	575a2d86b2ce4748295486e6e23577115a3865c9599f2f10fd89d295da824cb4.exe
PID 1948 wrote to memory of 1408	1948	575a2d86b2ce4748295486e6e23577115a3865c9599f2f10fd89d295da824cb4.exe	575a2d86b2ce4748295486e6e23577115a3865c9599f2f10fd89d295da824cb4.exe
PID 1408 wrote to memory of 1964	1408	575a2d86b2ce4748295486e6e23577115a3865c9599f2f10fd89d295da824cb4.exe	cmd.exe
PID 1408 wrote to memory of 1964	1408	575a2d86b2ce4748295486e6e23577115a3865c9599f2f10fd89d295da824cb4.exe	cmd.exe
PID 1408 wrote to memory of 1964	1408	575a2d86b2ce4748295486e6e23577115a3865c9599f2f10fd89d295da824cb4.exe	cmd.exe
PID 1408 wrote to memory of 1964	1408	575a2d86b2ce4748295486e6e23577115a3865c9599f2f10fd89d295da824cb4.exe	cmd.exe
PID 1964 wrote to memory of 636	1964	cmd.exe	WMIC.exe
PID 1964 wrote to memory of 636	1964	cmd.exe	WMIC.exe
PID 1964 wrote to memory of 636	1964	cmd.exe	WMIC.exe

C:\Users\Admin\AppData\Local\Temp\575a2d86b2ce4748295486e6e23577115a3865c9599f2f10fd89d295da824cb4.exe
"C:\Users\Admin\AppData\Local\Temp\575a2d86b2ce4748295486e6e23577115a3865c9599f2f10fd89d295da824cb4.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1948

C:\Users\Admin\AppData\Local\Temp\575a2d86b2ce4748295486e6e23577115a3865c9599f2f10fd89d295da824cb4.exe
"C:\Users\Admin\AppData\Local\Temp\575a2d86b2ce4748295486e6e23577115a3865c9599f2f10fd89d295da824cb4.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1408

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:1964

C:\Windows\system32\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic.exe shadowcopy delete
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:636

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1172

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

1

T1107

Credential Access

Credentials in Files

1

T1081

Discovery

Network Service Scanning

1

T1046

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

1

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsyFCB.tmp\System.dll
Filesize
11KB

MD5
a436db0c473a087eb61ff5c53c34ba27

SHA1
65ea67e424e75f5065132b539c8b2eda88aa0506

SHA256
75ed40311875312617d6711baed0be29fcaee71031ca27a8d308a72b15a51e49

SHA512
908f46a855480af6eacb2fb64de0e60b1e04bbb10b23992e2cf38a4cbebdcd7d3928c4c022d7ad9f7479265a8f426b93eef580afec95570e654c360d62f5e08d

Download Submit
\Users\Admin\AppData\Local\Temp\nsyFCB.tmp\System.dll
Filesize
11KB

MD5
a436db0c473a087eb61ff5c53c34ba27

SHA1
65ea67e424e75f5065132b539c8b2eda88aa0506

SHA256
75ed40311875312617d6711baed0be29fcaee71031ca27a8d308a72b15a51e49

SHA512
908f46a855480af6eacb2fb64de0e60b1e04bbb10b23992e2cf38a4cbebdcd7d3928c4c022d7ad9f7479265a8f426b93eef580afec95570e654c360d62f5e08d

Download Submit
\Users\Admin\AppData\Roaming\OpenCandy.dll
Filesize
102KB

MD5
0fcebb9ef2376e8b9d9843c92812fc8b

SHA1
7d43d520884acd3fab51efa7343c8cee136a1627

SHA256
cf1e175115951204857fdbb970516bfcc45f70648a6077edf189c9995f19fd8a

SHA512
232c1c6b7a19e00a3d4bcca212f8a036baa585b1ffb6567a2de5542aad8d2e0add9a4f84efe69de409e16acf3bd5ad16eb2a2b2f5692cb957d72fb7f1e06bde8

Download Submit
memory/636-73-0x0000000000000000-mapping.dmp

Download
memory/1408-64-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1408-59-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1408-60-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1408-62-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1408-66-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1408-67-0x00000000004028CF-mapping.dmp

Download
memory/1408-70-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1408-71-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1408-58-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1408-74-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1948-54-0x0000000075301000-0x0000000075303000-memory.dmp

Filesize
8KB

Download
memory/1964-72-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads