Analysis
max time kernel: 149s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20220721-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220721-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-07-2022 00:31
Static task: static1
Behavioral task: behavioral1
  Sample: 5729b6172d5b65e39eefa0466fb7ab63eeda116e82250bcd4755e55dc932f34f.exe
  Resource: win7-20220718-en
Behavioral task: behavioral2
  Sample: 5729b6172d5b65e39eefa0466fb7ab63eeda116e82250bcd4755e55dc932f34f.exe
  Resource: win10v2004-20220721-en
General
Target: 5729b6172d5b65e39eefa0466fb7ab63eeda116e82250bcd4755e55dc932f34f.exe
Size: 149KB
MD5: 1d864d76040af03041850d855b3b4430
SHA1: 136ffd632fde395f42db66d698ebd03c105ed78f
SHA256: 5729b6172d5b65e39eefa0466fb7ab63eeda116e82250bcd4755e55dc932f34f
SHA512: 96ea45088713a4149cfb96034637d405ad78abba6d6332b3459fecc649e2fcdcfa0bee6acfeb8cd971bec88d2c2cd80ee4e6656d95ad95542c25f2f0c9232721
Malware Config
Signatures
- suricata: ET MALWARE Ransomware/Cerber Checkin 2
- suricata: ET MALWARE Ransomware/Cerber Checkin M3 (2)
- Contacts a large (16396) amount of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Creates a large amount of network flows (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Adds policy Run key to start application (2 TTPs, 2 IoCs)
  Processes: 5729b6172d5b65e39eefa0466fb7ab63eeda116e82250bcd4755e55dc932f34f.exe, OposHost.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{1EE01B27-2F7F-6A70-886C-5FE2EB4CA709}\\OposHost.exe\"" | 5729b6172d5b65e39eefa0466fb7ab63eeda116e82250bcd4755e55dc932f34f.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{1EE01B27-2F7F-6A70-886C-5FE2EB4CA709}\\OposHost.exe\"" | OposHost.exe
- Executes dropped EXE (1 IoC)
  Processes: OposHost.exe
  pid | process
  4396 | OposHost.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely for geofencing.
  Processes: OposHost.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Control Panel\International\Geo\Nation | OposHost.exe
- Drops startup file (1 IoC)
  Processes: 5729b6172d5b65e39eefa0466fb7ab63eeda116e82250bcd4755e55dc932f34f.exe
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\OposHost.lnk | 5729b6172d5b65e39eefa0466fb7ab63eeda116e82250bcd4755e55dc932f34f.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and similar secrets.
- Adds Run key to start application (2 TTPs, 8 IoCs)
  Processes: 5729b6172d5b65e39eefa0466fb7ab63eeda116e82250bcd4755e55dc932f34f.exe, OposHost.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OposHost = "\"C:\\Users\\Admin\\AppData\\Roaming\\{1EE01B27-2F7F-6A70-886C-5FE2EB4CA709}\\OposHost.exe\"" | 5729b6172d5b65e39eefa0466fb7ab63eeda116e82250bcd4755e55dc932f34f.exe
  Key created | \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce | 5729b6172d5b65e39eefa0466fb7ab63eeda116e82250bcd4755e55dc932f34f.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\OposHost = "\"C:\\Users\\Admin\\AppData\\Roaming\\{1EE01B27-2F7F-6A70-886C-5FE2EB4CA709}\\OposHost.exe\"" | 5729b6172d5b65e39eefa0466fb7ab63eeda116e82250bcd4755e55dc932f34f.exe
  Key created | \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Software\Microsoft\Windows\CurrentVersion\Run | OposHost.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OposHost = "\"C:\\Users\\Admin\\AppData\\Roaming\\{1EE01B27-2F7F-6A70-886C-5FE2EB4CA709}\\OposHost.exe\"" | OposHost.exe
  Key created | \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce | OposHost.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\OposHost = "\"C:\\Users\\Admin\\AppData\\Roaming\\{1EE01B27-2F7F-6A70-886C-5FE2EB4CA709}\\OposHost.exe\"" | OposHost.exe
  Key created | \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Software\Microsoft\Windows\CurrentVersion\Run | 5729b6172d5b65e39eefa0466fb7ab63eeda116e82250bcd4755e55dc932f34f.exe
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  8 | ipinfo.io
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Interacts with shadow copies (2 TTPs, 1 IoC)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes: vssadmin.exe
  pid | process
  4336 | vssadmin.exe
- Kills process with taskkill (1 IoC)
  Processes: taskkill.exe
  pid | process
  3232 | taskkill.exe
- Modifies Control Panel (4 IoCs)
  Processes: 5729b6172d5b65e39eefa0466fb7ab63eeda116e82250bcd4755e55dc932f34f.exe, OposHost.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{1EE01B27-2F7F-6A70-886C-5FE2EB4CA709}\\OposHost.exe\"" | 5729b6172d5b65e39eefa0466fb7ab63eeda116e82250bcd4755e55dc932f34f.exe
  Key created | \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Control Panel\Desktop | OposHost.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{1EE01B27-2F7F-6A70-886C-5FE2EB4CA709}\\OposHost.exe\"" | OposHost.exe
  Key created | \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Control Panel\Desktop | 5729b6172d5b65e39eefa0466fb7ab63eeda116e82250bcd4755e55dc932f34f.exe
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (48 IoCs)
  Processes: 5729b6172d5b65e39eefa0466fb7ab63eeda116e82250bcd4755e55dc932f34f.exe, taskkill.exe, OposHost.exe, vssvc.exe, wmic.exe
  description | pid | process
  Token: SeDebugPrivilege | 784 | 5729b6172d5b65e39eefa0466fb7ab63eeda116e82250bcd4755e55dc932f34f.exe
  Token: SeDebugPrivilege | 3232 | taskkill.exe
  Token: SeDebugPrivilege | 4396 | OposHost.exe
  Token: SeBackupPrivilege | 836 | vssvc.exe
  Token: SeRestorePrivilege | 836 | vssvc.exe
  Token: SeAuditPrivilege | 836 | vssvc.exe
  Token: SeIncreaseQuotaPrivilege | 4536 | wmic.exe
  Token: SeSecurityPrivilege | 4536 | wmic.exe
  Token: SeTakeOwnershipPrivilege | 4536 | wmic.exe
  Token: SeLoadDriverPrivilege | 4536 | wmic.exe
  Token: SeSystemProfilePrivilege | 4536 | wmic.exe
  Token: SeSystemtimePrivilege | 4536 | wmic.exe
  Token: SeProfSingleProcessPrivilege | 4536 | wmic.exe
  Token: SeIncBasePriorityPrivilege | 4536 | wmic.exe
  Token: SeCreatePagefilePrivilege | 4536 | wmic.exe
  Token: SeBackupPrivilege | 4536 | wmic.exe
  Token: SeRestorePrivilege | 4536 | wmic.exe
  Token: SeShutdownPrivilege | 4536 | wmic.exe
  Token: SeDebugPrivilege | 4536 | wmic.exe
  Token: SeSystemEnvironmentPrivilege | 4536 | wmic.exe
  Token: SeRemoteShutdownPrivilege | 4536 | wmic.exe
  Token: SeUndockPrivilege | 4536 | wmic.exe
  Token: SeManageVolumePrivilege | 4536 | wmic.exe
  Token: 33 | 4536 | wmic.exe
  Token: 34 | 4536 | wmic.exe
  Token: 35 | 4536 | wmic.exe
  Token: 36 | 4536 | wmic.exe
  Token: SeIncreaseQuotaPrivilege | 4536 | wmic.exe
  Token: SeSecurityPrivilege | 4536 | wmic.exe
  Token: SeTakeOwnershipPrivilege | 4536 | wmic.exe
  Token: SeLoadDriverPrivilege | 4536 | wmic.exe
  Token: SeSystemProfilePrivilege | 4536 | wmic.exe
  Token: SeSystemtimePrivilege | 4536 | wmic.exe
  Token: SeProfSingleProcessPrivilege | 4536 | wmic.exe
  Token: SeIncBasePriorityPrivilege | 4536 | wmic.exe
  Token: SeCreatePagefilePrivilege | 4536 | wmic.exe
  Token: SeBackupPrivilege | 4536 | wmic.exe
  Token: SeRestorePrivilege | 4536 | wmic.exe
  Token: SeShutdownPrivilege | 4536 | wmic.exe
  Token: SeDebugPrivilege | 4536 | wmic.exe
  Token: SeSystemEnvironmentPrivilege | 4536 | wmic.exe
  Token: SeRemoteShutdownPrivilege | 4536 | wmic.exe
  Token: SeUndockPrivilege | 4536 | wmic.exe
  Token: SeManageVolumePrivilege | 4536 | wmic.exe
  Token: 33 | 4536 | wmic.exe
  Token: 34 | 4536 | wmic.exe
  Token: 35 | 4536 | wmic.exe
  Token: 36 | 4536 | wmic.exe
- Suspicious use of WriteProcessMemory (16 IoCs)
  Processes: 5729b6172d5b65e39eefa0466fb7ab63eeda116e82250bcd4755e55dc932f34f.exe, cmd.exe, OposHost.exe
  description | pid | process | target process
  PID 784 wrote to memory of 4396 | 784 | 5729b6172d5b65e39eefa0466fb7ab63eeda116e82250bcd4755e55dc932f34f.exe | OposHost.exe
  PID 784 wrote to memory of 4396 | 784 | 5729b6172d5b65e39eefa0466fb7ab63eeda116e82250bcd4755e55dc932f34f.exe | OposHost.exe
  PID 784 wrote to memory of 4396 | 784 | 5729b6172d5b65e39eefa0466fb7ab63eeda116e82250bcd4755e55dc932f34f.exe | OposHost.exe
  PID 784 wrote to memory of 8 | 784 | 5729b6172d5b65e39eefa0466fb7ab63eeda116e82250bcd4755e55dc932f34f.exe | cmd.exe
  PID 784 wrote to memory of 8 | 784 | 5729b6172d5b65e39eefa0466fb7ab63eeda116e82250bcd4755e55dc932f34f.exe | cmd.exe
  PID 784 wrote to memory of 8 | 784 | 5729b6172d5b65e39eefa0466fb7ab63eeda116e82250bcd4755e55dc932f34f.exe | cmd.exe
  PID 8 wrote to memory of 3232 | 8 | cmd.exe | taskkill.exe
  PID 8 wrote to memory of 3232 | 8 | cmd.exe | taskkill.exe
  PID 8 wrote to memory of 3232 | 8 | cmd.exe | taskkill.exe
  PID 8 wrote to memory of 3164 | 8 | cmd.exe | PING.EXE
  PID 8 wrote to memory of 3164 | 8 | cmd.exe | PING.EXE
  PID 8 wrote to memory of 3164 | 8 | cmd.exe | PING.EXE
  PID 4396 wrote to memory of 4336 | 4396 | OposHost.exe | vssadmin.exe
  PID 4396 wrote to memory of 4336 | 4396 | OposHost.exe | vssadmin.exe
  PID 4396 wrote to memory of 4536 | 4396 | OposHost.exe | wmic.exe
  PID 4396 wrote to memory of 4536 | 4396 | OposHost.exe | wmic.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\5729b6172d5b65e39eefa0466fb7ab63eeda116e82250bcd4755e55dc932f34f.exe [level 1]
  Command line: "C:\Users\Admin\AppData\Local\Temp\5729b6172d5b65e39eefa0466fb7ab63eeda116e82250bcd4755e55dc932f34f.exe"
  - Adds policy Run key to start application
  - Drops startup file
  - Adds Run key to start application
  - Modifies Control Panel
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Child: C:\Users\Admin\AppData\Roaming\{1EE01B27-2F7F-6A70-886C-5FE2EB4CA709}\OposHost.exe [level 2]
    Command line: "C:\Users\Admin\AppData\Roaming\{1EE01B27-2F7F-6A70-886C-5FE2EB4CA709}\OposHost.exe"
    - Adds policy Run key to start application
    - Executes dropped EXE
    - Checks computer location settings
    - Adds Run key to start application
    - Modifies Control Panel
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - Child: C:\Windows\system32\vssadmin.exe [level 3]
      Command line: "C:\Windows\system32\vssadmin.exe" delete shadows /all /quiet
      - Interacts with shadow copies
    - Child: C:\Windows\system32\wbem\wmic.exe [level 3]
      Command line: "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
      - Suspicious use of AdjustPrivilegeToken
  - Child: C:\Windows\SysWOW64\cmd.exe [level 2]
    Command line: /d /c taskkill /t /f /im "5729b6172d5b65e39eefa0466fb7ab63eeda116e82250bcd4755e55dc932f34f.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\5729b6172d5b65e39eefa0466fb7ab63eeda116e82250bcd4755e55dc932f34f.exe" > NUL
    - Suspicious use of WriteProcessMemory
    - Child: C:\Windows\SysWOW64\taskkill.exe [level 3]
      Command line: taskkill /t /f /im "5729b6172d5b65e39eefa0466fb7ab63eeda116e82250bcd4755e55dc932f34f.exe"
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
    - Child: C:\Windows\SysWOW64\PING.EXE [level 3]
      Command line: ping -n 1 127.0.0.1
      - Runs ping.exe
- C:\Windows\system32\vssvc.exe [level 1]
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\OposHost.lnk
  Filesize: 1KB
  MD5: ce5c2dd9a481c0bb9430831822a0dae5
  SHA1: 745fa85cd8c17a904bab6142eb9f3e09f90609b0
  SHA256: bee4890e81c205f3e2982382a90594a094b291a185427f68d5832d7da9e701f8
  SHA512: e925700a6188844490ebba8cb345b122d884305f58ad6ab46f02b9b6946b13411724961999dfc12a374c8d32ee3820c7e0dcb188f5e362062bdb608b5b9e4918
- C:\Users\Admin\AppData\Roaming\{1EE01B27-2F7F-6A70-886C-5FE2EB4CA709}\OposHost.exe
  Filesize: 149KB
  MD5: 1d864d76040af03041850d855b3b4430
  SHA1: 136ffd632fde395f42db66d698ebd03c105ed78f
  SHA256: 5729b6172d5b65e39eefa0466fb7ab63eeda116e82250bcd4755e55dc932f34f
  SHA512: 96ea45088713a4149cfb96034637d405ad78abba6d6332b3459fecc649e2fcdcfa0bee6acfeb8cd971bec88d2c2cd80ee4e6656d95ad95542c25f2f0c9232721
- memory/8-135-0x0000000000000000-mapping.dmp
- memory/784-131-0x0000000000400000-0x000000000042D000-memory.dmp
  Filesize: 180KB
- memory/784-137-0x0000000000A70000-0x0000000000A7A000-memory.dmp
  Filesize: 40KB
- memory/784-138-0x0000000000400000-0x000000000042D000-memory.dmp
  Filesize: 180KB
- memory/784-130-0x0000000000A70000-0x0000000000B53000-memory.dmp
  Filesize: 908KB
- memory/3164-139-0x0000000000000000-mapping.dmp
- memory/3232-136-0x0000000000000000-mapping.dmp
- memory/4336-141-0x0000000000000000-mapping.dmp
- memory/4396-142-0x0000000000400000-0x000000000042D000-memory.dmp
  Filesize: 180KB
- memory/4396-140-0x00000000024D0000-0x00000000024E6000-memory.dmp
  Filesize: 88KB
- memory/4396-132-0x0000000000000000-mapping.dmp
- memory/4396-145-0x0000000000400000-0x000000000042D000-memory.dmp
  Filesize: 180KB
- memory/4536-143-0x0000000000000000-mapping.dmp