Analysis
- max time kernel: 121s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20220718-en
- resource tags: arch:x64, arch:x86, image:win7-20220718-en, locale:en-us, os:windows7-x64, system
- submitted: 25-07-2022 01:38
Static task: static1
Behavioral task: behavioral1
  Sample: 56cea55f1b3c776895f6fc2097abbd48685b13e120adb1b2f8349405313081bb.exe
  Resource: win7-20220718-en
Behavioral task: behavioral2
  Sample: 56cea55f1b3c776895f6fc2097abbd48685b13e120adb1b2f8349405313081bb.exe
  Resource: win10v2004-20220721-en
General
- Target: 56cea55f1b3c776895f6fc2097abbd48685b13e120adb1b2f8349405313081bb.exe
- Size: 261KB
- MD5: 143f1e1c988be32c56b6f3d8544a4e3c
- SHA1: b1f558b4b7c77e934ab9bb3257f5256457ca43ae
- SHA256: 56cea55f1b3c776895f6fc2097abbd48685b13e120adb1b2f8349405313081bb
- SHA512: 97892c773e998253277a0a388665d8c84cac6e9d4f487b7b84e06b488112e288638d91721079ca6321491562534c54671ce8369e63ad8c5fe80a9d461a80090e
Malware Config
Signatures
-
suricata: ET MALWARE Ransomware/Cerber Checkin 2
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Contacts a large (512) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Loads dropped DLL 3 IoCs
Processes (pid | process):
1304 | 56cea55f1b3c776895f6fc2097abbd48685b13e120adb1b2f8349405313081bb.exe
1304 | 56cea55f1b3c776895f6fc2097abbd48685b13e120adb1b2f8349405313081bb.exe
1304 | 56cea55f1b3c776895f6fc2097abbd48685b13e120adb1b2f8349405313081bb.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of SetThreadContext 1 IoCs
Processes (description | pid | process | target process):
PID 1304 set thread context of 628 | 1304 | 56cea55f1b3c776895f6fc2097abbd48685b13e120adb1b2f8349405313081bb.exe | 56cea55f1b3c776895f6fc2097abbd48685b13e120adb1b2f8349405313081bb.exe
-
Drops file in Windows directory 1 IoCs
Processes (description | ioc | process):
File opened for modification | C:\Windows\Akela | 56cea55f1b3c776895f6fc2097abbd48685b13e120adb1b2f8349405313081bb.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes (pid | process):
628 | 56cea55f1b3c776895f6fc2097abbd48685b13e120adb1b2f8349405313081bb.exe
628 | 56cea55f1b3c776895f6fc2097abbd48685b13e120adb1b2f8349405313081bb.exe
628 | 56cea55f1b3c776895f6fc2097abbd48685b13e120adb1b2f8349405313081bb.exe
628 | 56cea55f1b3c776895f6fc2097abbd48685b13e120adb1b2f8349405313081bb.exe
628 | 56cea55f1b3c776895f6fc2097abbd48685b13e120adb1b2f8349405313081bb.exe
628 | 56cea55f1b3c776895f6fc2097abbd48685b13e120adb1b2f8349405313081bb.exe
-
Suspicious use of AdjustPrivilegeToken 44 IoCs
Processes involved: 56cea55f1b3c776895f6fc2097abbd48685b13e120adb1b2f8349405313081bb.exe, WMIC.exe, vssvc.exe
(description | pid | process):
Token: SeDebugPrivilege | 628 | 56cea55f1b3c776895f6fc2097abbd48685b13e120adb1b2f8349405313081bb.exe
Token: SeIncreaseQuotaPrivilege | 1108 | WMIC.exe
Token: SeSecurityPrivilege | 1108 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 1108 | WMIC.exe
Token: SeLoadDriverPrivilege | 1108 | WMIC.exe
Token: SeSystemProfilePrivilege | 1108 | WMIC.exe
Token: SeSystemtimePrivilege | 1108 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 1108 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 1108 | WMIC.exe
Token: SeCreatePagefilePrivilege | 1108 | WMIC.exe
Token: SeBackupPrivilege | 1108 | WMIC.exe
Token: SeRestorePrivilege | 1108 | WMIC.exe
Token: SeShutdownPrivilege | 1108 | WMIC.exe
Token: SeDebugPrivilege | 1108 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 1108 | WMIC.exe
Token: SeRemoteShutdownPrivilege | 1108 | WMIC.exe
Token: SeUndockPrivilege | 1108 | WMIC.exe
Token: SeManageVolumePrivilege | 1108 | WMIC.exe
Token: 33 | 1108 | WMIC.exe
Token: 34 | 1108 | WMIC.exe
Token: 35 | 1108 | WMIC.exe
Token: SeIncreaseQuotaPrivilege | 1108 | WMIC.exe
Token: SeSecurityPrivilege | 1108 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 1108 | WMIC.exe
Token: SeLoadDriverPrivilege | 1108 | WMIC.exe
Token: SeSystemProfilePrivilege | 1108 | WMIC.exe
Token: SeSystemtimePrivilege | 1108 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 1108 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 1108 | WMIC.exe
Token: SeCreatePagefilePrivilege | 1108 | WMIC.exe
Token: SeBackupPrivilege | 1108 | WMIC.exe
Token: SeRestorePrivilege | 1108 | WMIC.exe
Token: SeShutdownPrivilege | 1108 | WMIC.exe
Token: SeDebugPrivilege | 1108 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 1108 | WMIC.exe
Token: SeRemoteShutdownPrivilege | 1108 | WMIC.exe
Token: SeUndockPrivilege | 1108 | WMIC.exe
Token: SeManageVolumePrivilege | 1108 | WMIC.exe
Token: 33 | 1108 | WMIC.exe
Token: 34 | 1108 | WMIC.exe
Token: 35 | 1108 | WMIC.exe
Token: SeBackupPrivilege | 760 | vssvc.exe
Token: SeRestorePrivilege | 760 | vssvc.exe
Token: SeAuditPrivilege | 760 | vssvc.exe
-
Suspicious use of WriteProcessMemory 17 IoCs
Processes involved: 56cea55f1b3c776895f6fc2097abbd48685b13e120adb1b2f8349405313081bb.exe, 56cea55f1b3c776895f6fc2097abbd48685b13e120adb1b2f8349405313081bb.exe, cmd.exe
(description | pid | process | target process):
PID 1304 wrote to memory of 628 | 1304 | 56cea55f1b3c776895f6fc2097abbd48685b13e120adb1b2f8349405313081bb.exe | 56cea55f1b3c776895f6fc2097abbd48685b13e120adb1b2f8349405313081bb.exe
PID 1304 wrote to memory of 628 | 1304 | 56cea55f1b3c776895f6fc2097abbd48685b13e120adb1b2f8349405313081bb.exe | 56cea55f1b3c776895f6fc2097abbd48685b13e120adb1b2f8349405313081bb.exe
PID 1304 wrote to memory of 628 | 1304 | 56cea55f1b3c776895f6fc2097abbd48685b13e120adb1b2f8349405313081bb.exe | 56cea55f1b3c776895f6fc2097abbd48685b13e120adb1b2f8349405313081bb.exe
PID 1304 wrote to memory of 628 | 1304 | 56cea55f1b3c776895f6fc2097abbd48685b13e120adb1b2f8349405313081bb.exe | 56cea55f1b3c776895f6fc2097abbd48685b13e120adb1b2f8349405313081bb.exe
PID 1304 wrote to memory of 628 | 1304 | 56cea55f1b3c776895f6fc2097abbd48685b13e120adb1b2f8349405313081bb.exe | 56cea55f1b3c776895f6fc2097abbd48685b13e120adb1b2f8349405313081bb.exe
PID 1304 wrote to memory of 628 | 1304 | 56cea55f1b3c776895f6fc2097abbd48685b13e120adb1b2f8349405313081bb.exe | 56cea55f1b3c776895f6fc2097abbd48685b13e120adb1b2f8349405313081bb.exe
PID 1304 wrote to memory of 628 | 1304 | 56cea55f1b3c776895f6fc2097abbd48685b13e120adb1b2f8349405313081bb.exe | 56cea55f1b3c776895f6fc2097abbd48685b13e120adb1b2f8349405313081bb.exe
PID 1304 wrote to memory of 628 | 1304 | 56cea55f1b3c776895f6fc2097abbd48685b13e120adb1b2f8349405313081bb.exe | 56cea55f1b3c776895f6fc2097abbd48685b13e120adb1b2f8349405313081bb.exe
PID 1304 wrote to memory of 628 | 1304 | 56cea55f1b3c776895f6fc2097abbd48685b13e120adb1b2f8349405313081bb.exe | 56cea55f1b3c776895f6fc2097abbd48685b13e120adb1b2f8349405313081bb.exe
PID 1304 wrote to memory of 628 | 1304 | 56cea55f1b3c776895f6fc2097abbd48685b13e120adb1b2f8349405313081bb.exe | 56cea55f1b3c776895f6fc2097abbd48685b13e120adb1b2f8349405313081bb.exe
PID 628 wrote to memory of 1444 | 628 | 56cea55f1b3c776895f6fc2097abbd48685b13e120adb1b2f8349405313081bb.exe | cmd.exe
PID 628 wrote to memory of 1444 | 628 | 56cea55f1b3c776895f6fc2097abbd48685b13e120adb1b2f8349405313081bb.exe | cmd.exe
PID 628 wrote to memory of 1444 | 628 | 56cea55f1b3c776895f6fc2097abbd48685b13e120adb1b2f8349405313081bb.exe | cmd.exe
PID 628 wrote to memory of 1444 | 628 | 56cea55f1b3c776895f6fc2097abbd48685b13e120adb1b2f8349405313081bb.exe | cmd.exe
PID 1444 wrote to memory of 1108 | 1444 | cmd.exe | WMIC.exe
PID 1444 wrote to memory of 1108 | 1444 | cmd.exe | WMIC.exe
PID 1444 wrote to memory of 1108 | 1444 | cmd.exe | WMIC.exe
Processes
-
[level 1] C:\Users\Admin\AppData\Local\Temp\56cea55f1b3c776895f6fc2097abbd48685b13e120adb1b2f8349405313081bb.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\56cea55f1b3c776895f6fc2097abbd48685b13e120adb1b2f8349405313081bb.exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID: 1304
  -
  [level 2] C:\Users\Admin\AppData\Local\Temp\56cea55f1b3c776895f6fc2097abbd48685b13e120adb1b2f8349405313081bb.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\56cea55f1b3c776895f6fc2097abbd48685b13e120adb1b2f8349405313081bb.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 628
    -
    [level 3] C:\Windows\system32\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe"
      - Suspicious use of WriteProcessMemory
      PID: 1444
      -
      [level 4] C:\Windows\system32\wbem\WMIC.exe
        Command line: C:\Windows\system32\wbem\wmic.exe shadowcopy delete
        - Suspicious use of AdjustPrivilegeToken
        PID: 1108
-
[level 1] C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
  PID: 760
Network
MITRE ATT&CK Enterprise v6
Downloads
-
\Users\Admin\AppData\Local\Temp\nst6106.tmp\System.dll
Filesize: 11KB
MD5: a436db0c473a087eb61ff5c53c34ba27
SHA1: 65ea67e424e75f5065132b539c8b2eda88aa0506
SHA256: 75ed40311875312617d6711baed0be29fcaee71031ca27a8d308a72b15a51e49
SHA512: 908f46a855480af6eacb2fb64de0e60b1e04bbb10b23992e2cf38a4cbebdcd7d3928c4c022d7ad9f7479265a8f426b93eef580afec95570e654c360d62f5e08d
-
\Users\Admin\AppData\Roaming\HelpButton.dll
Filesize: 44KB
MD5: ffeedeecd5f9a12c939c85c156363a90
SHA1: 567c056b8ab705b8a6c36f82edf8f2762f095799
SHA256: aedc72bb46231c69e1347d161b4a0f0b9c484bb9194a652ba25860dde7d9dc0e
SHA512: 9bd6a4664e344a196d42675ba3ef11bc12799f37f0b0b975e165f63f60579e74880df9dc3895a250add32a1389ce1abd284b325b8fe183f3327d7f7cb995355d
-
memory/628-71-0x0000000000400000-0x0000000000431000-memory.dmp
Filesize: 196KB
-
memory/628-67-0x0000000000400000-0x0000000000431000-memory.dmp
Filesize: 196KB
-
memory/628-59-0x0000000000400000-0x0000000000431000-memory.dmp
Filesize: 196KB
-
memory/628-60-0x0000000000400000-0x0000000000431000-memory.dmp
Filesize: 196KB
-
memory/628-61-0x0000000000400000-0x0000000000431000-memory.dmp
Filesize: 196KB
-
memory/628-63-0x0000000000400000-0x0000000000431000-memory.dmp
Filesize: 196KB
-
memory/628-65-0x0000000000400000-0x0000000000431000-memory.dmp
Filesize: 196KB
-
memory/628-75-0x0000000000400000-0x0000000000431000-memory.dmp
Filesize: 196KB
-
memory/628-68-0x00000000004028CF-mapping.dmp
-
memory/628-72-0x0000000000400000-0x0000000000431000-memory.dmp
Filesize: 196KB
-
memory/1108-74-0x0000000000000000-mapping.dmp
-
memory/1304-54-0x0000000075A61000-0x0000000075A63000-memory.dmp
Filesize: 8KB
-
memory/1304-58-0x00000000003F0000-0x00000000003FB000-memory.dmp
Filesize: 44KB
-
memory/1444-73-0x0000000000000000-mapping.dmp