Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220721-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220721-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25-07-2022 00:31

General

  • Target

    5729b6172d5b65e39eefa0466fb7ab63eeda116e82250bcd4755e55dc932f34f.exe

  • Size

    149KB

  • MD5

    1d864d76040af03041850d855b3b4430

  • SHA1

    136ffd632fde395f42db66d698ebd03c105ed78f

  • SHA256

    5729b6172d5b65e39eefa0466fb7ab63eeda116e82250bcd4755e55dc932f34f

  • SHA512

    96ea45088713a4149cfb96034637d405ad78abba6d6332b3459fecc649e2fcdcfa0bee6acfeb8cd971bec88d2c2cd80ee4e6656d95ad95542c25f2f0c9232721

Malware Config

Signatures

  • suricata: ET MALWARE Ransomware/Cerber Checkin 2

  • suricata: ET MALWARE Ransomware/Cerber Checkin M3 (2)

  • Contacts a large (16396) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Adds policy Run key to start application 2 TTPs 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 8 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Kills process with taskkill 1 IoCs
  • Modifies Control Panel 4 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 48 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5729b6172d5b65e39eefa0466fb7ab63eeda116e82250bcd4755e55dc932f34f.exe
    "C:\Users\Admin\AppData\Local\Temp\5729b6172d5b65e39eefa0466fb7ab63eeda116e82250bcd4755e55dc932f34f.exe"
    1⤵
    • Adds policy Run key to start application
    • Drops startup file
    • Adds Run key to start application
    • Modifies Control Panel
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:784
    • C:\Users\Admin\AppData\Roaming\{1EE01B27-2F7F-6A70-886C-5FE2EB4CA709}\OposHost.exe
      "C:\Users\Admin\AppData\Roaming\{1EE01B27-2F7F-6A70-886C-5FE2EB4CA709}\OposHost.exe"
      2⤵
      • Adds policy Run key to start application
      • Executes dropped EXE
      • Checks computer location settings
      • Adds Run key to start application
      • Modifies Control Panel
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4396
      • C:\Windows\system32\vssadmin.exe
        "C:\Windows\system32\vssadmin.exe" delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:4336
      • C:\Windows\system32\wbem\wmic.exe
        "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:4536
    • C:\Windows\SysWOW64\cmd.exe
      /d /c taskkill /t /f /im "5729b6172d5b65e39eefa0466fb7ab63eeda116e82250bcd4755e55dc932f34f.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\5729b6172d5b65e39eefa0466fb7ab63eeda116e82250bcd4755e55dc932f34f.exe" > NUL
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:8
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /t /f /im "5729b6172d5b65e39eefa0466fb7ab63eeda116e82250bcd4755e55dc932f34f.exe"
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3232
      • C:\Windows\SysWOW64\PING.EXE
        ping -n 1 127.0.0.1
        3⤵
        • Runs ping.exe
        PID:3164
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:836

Network

MITRE ATT&CK Matrix ATT&CK v6

Persistence

  • T1060 Registry Run Keys / Startup Folder (2)

Defense Evasion

  • T1107 File Deletion (2)
  • T1112 Modify Registry (2)

Credential Access

  • T1081 Credentials in Files (1)

Discovery

  • T1046 Network Service Scanning (2)
  • T1012 Query Registry (1)
  • T1082 System Information Discovery (2)
  • T1018 Remote System Discovery (1)

Collection

  • T1005 Data from Local System (1)

Impact

  • T1490 Inhibit System Recovery (2)

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\OposHost.lnk
    Filesize

    1KB

    MD5

    ce5c2dd9a481c0bb9430831822a0dae5

    SHA1

    745fa85cd8c17a904bab6142eb9f3e09f90609b0

    SHA256

    bee4890e81c205f3e2982382a90594a094b291a185427f68d5832d7da9e701f8

    SHA512

    e925700a6188844490ebba8cb345b122d884305f58ad6ab46f02b9b6946b13411724961999dfc12a374c8d32ee3820c7e0dcb188f5e362062bdb608b5b9e4918

  • C:\Users\Admin\AppData\Roaming\{1EE01B27-2F7F-6A70-886C-5FE2EB4CA709}\OposHost.exe
    Filesize

    149KB

    MD5

    1d864d76040af03041850d855b3b4430

    SHA1

    136ffd632fde395f42db66d698ebd03c105ed78f

    SHA256

    5729b6172d5b65e39eefa0466fb7ab63eeda116e82250bcd4755e55dc932f34f

    SHA512

    96ea45088713a4149cfb96034637d405ad78abba6d6332b3459fecc649e2fcdcfa0bee6acfeb8cd971bec88d2c2cd80ee4e6656d95ad95542c25f2f0c9232721

  • memory/8-135-0x0000000000000000-mapping.dmp
  • memory/784-131-0x0000000000400000-0x000000000042D000-memory.dmp
    Filesize

    180KB

  • memory/784-137-0x0000000000A70000-0x0000000000A7A000-memory.dmp
    Filesize

    40KB

  • memory/784-138-0x0000000000400000-0x000000000042D000-memory.dmp
    Filesize

    180KB

  • memory/784-130-0x0000000000A70000-0x0000000000B53000-memory.dmp
    Filesize

    908KB

  • memory/3164-139-0x0000000000000000-mapping.dmp
  • memory/3232-136-0x0000000000000000-mapping.dmp
  • memory/4336-141-0x0000000000000000-mapping.dmp
  • memory/4396-142-0x0000000000400000-0x000000000042D000-memory.dmp
    Filesize

    180KB

  • memory/4396-140-0x00000000024D0000-0x00000000024E6000-memory.dmp
    Filesize

    88KB

  • memory/4396-132-0x0000000000000000-mapping.dmp
  • memory/4396-145-0x0000000000400000-0x000000000042D000-memory.dmp
    Filesize

    180KB

  • memory/4536-143-0x0000000000000000-mapping.dmp