56cea55f1b3c776895f6fc2097abbd48685b13e120adb1b2f8349405313081bb

General

Target

56cea55f1b3c776895f6fc2097abbd48685b13e120adb1b2f8349405313081bb.exe
Size

261KB
MD5

143f1e1c988be32c56b6f3d8544a4e3c
SHA1

b1f558b4b7c77e934ab9bb3257f5256457ca43ae
SHA256

56cea55f1b3c776895f6fc2097abbd48685b13e120adb1b2f8349405313081bb
SHA512

97892c773e998253277a0a388665d8c84cac6e9d4f487b7b84e06b488112e288638d91721079ca6321491562534c54671ce8369e63ad8c5fe80a9d461a80090e

Score

10^/10

discovery ransomware spyware stealer suricata

Malware Config

Signatures

suricata: ET MALWARE Ransomware/Cerber Checkin 2
suricata: ET MALWARE Ransomware/Cerber Checkin 2
suricata
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Contacts a large (512) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046

Loads dropped DLL 3 IoCs

Processes:

56cea55f1b3c776895f6fc2097abbd48685b13e120adb1b2f8349405313081bb.exe

pid	process
1304	56cea55f1b3c776895f6fc2097abbd48685b13e120adb1b2f8349405313081bb.exe
1304	56cea55f1b3c776895f6fc2097abbd48685b13e120adb1b2f8349405313081bb.exe
1304	56cea55f1b3c776895f6fc2097abbd48685b13e120adb1b2f8349405313081bb.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 1 IoCs

Processes:

56cea55f1b3c776895f6fc2097abbd48685b13e120adb1b2f8349405313081bb.exe

description	pid	process	target process
PID 1304 set thread context of 628	1304	56cea55f1b3c776895f6fc2097abbd48685b13e120adb1b2f8349405313081bb.exe	56cea55f1b3c776895f6fc2097abbd48685b13e120adb1b2f8349405313081bb.exe

Drops file in Windows directory 1 IoCs

Processes:

56cea55f1b3c776895f6fc2097abbd48685b13e120adb1b2f8349405313081bb.exe

description ioc process

File opened for modification C:\Windows\Akela 56cea55f1b3c776895f6fc2097abbd48685b13e120adb1b2f8349405313081bb.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\Akela	56cea55f1b3c776895f6fc2097abbd48685b13e120adb1b2f8349405313081bb.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

56cea55f1b3c776895f6fc2097abbd48685b13e120adb1b2f8349405313081bb.exe

pid	process
628	56cea55f1b3c776895f6fc2097abbd48685b13e120adb1b2f8349405313081bb.exe
628	56cea55f1b3c776895f6fc2097abbd48685b13e120adb1b2f8349405313081bb.exe
628	56cea55f1b3c776895f6fc2097abbd48685b13e120adb1b2f8349405313081bb.exe
628	56cea55f1b3c776895f6fc2097abbd48685b13e120adb1b2f8349405313081bb.exe
628	56cea55f1b3c776895f6fc2097abbd48685b13e120adb1b2f8349405313081bb.exe
628	56cea55f1b3c776895f6fc2097abbd48685b13e120adb1b2f8349405313081bb.exe

Suspicious use of AdjustPrivilegeToken 44 IoCs

Processes:

56cea55f1b3c776895f6fc2097abbd48685b13e120adb1b2f8349405313081bb.exeWMIC.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	628	56cea55f1b3c776895f6fc2097abbd48685b13e120adb1b2f8349405313081bb.exe
Token: SeIncreaseQuotaPrivilege	1108	WMIC.exe
Token: SeSecurityPrivilege	1108	WMIC.exe
Token: SeTakeOwnershipPrivilege	1108	WMIC.exe
Token: SeLoadDriverPrivilege	1108	WMIC.exe
Token: SeSystemProfilePrivilege	1108	WMIC.exe
Token: SeSystemtimePrivilege	1108	WMIC.exe
Token: SeProfSingleProcessPrivilege	1108	WMIC.exe
Token: SeIncBasePriorityPrivilege	1108	WMIC.exe
Token: SeCreatePagefilePrivilege	1108	WMIC.exe
Token: SeBackupPrivilege	1108	WMIC.exe
Token: SeRestorePrivilege	1108	WMIC.exe
Token: SeShutdownPrivilege	1108	WMIC.exe
Token: SeDebugPrivilege	1108	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1108	WMIC.exe
Token: SeRemoteShutdownPrivilege	1108	WMIC.exe
Token: SeUndockPrivilege	1108	WMIC.exe
Token: SeManageVolumePrivilege	1108	WMIC.exe
Token: 33	1108	WMIC.exe
Token: 34	1108	WMIC.exe
Token: 35	1108	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1108	WMIC.exe
Token: SeSecurityPrivilege	1108	WMIC.exe
Token: SeTakeOwnershipPrivilege	1108	WMIC.exe
Token: SeLoadDriverPrivilege	1108	WMIC.exe
Token: SeSystemProfilePrivilege	1108	WMIC.exe
Token: SeSystemtimePrivilege	1108	WMIC.exe
Token: SeProfSingleProcessPrivilege	1108	WMIC.exe
Token: SeIncBasePriorityPrivilege	1108	WMIC.exe
Token: SeCreatePagefilePrivilege	1108	WMIC.exe
Token: SeBackupPrivilege	1108	WMIC.exe
Token: SeRestorePrivilege	1108	WMIC.exe
Token: SeShutdownPrivilege	1108	WMIC.exe
Token: SeDebugPrivilege	1108	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1108	WMIC.exe
Token: SeRemoteShutdownPrivilege	1108	WMIC.exe
Token: SeUndockPrivilege	1108	WMIC.exe
Token: SeManageVolumePrivilege	1108	WMIC.exe
Token: 33	1108	WMIC.exe
Token: 34	1108	WMIC.exe
Token: 35	1108	WMIC.exe
Token: SeBackupPrivilege	760	vssvc.exe
Token: SeRestorePrivilege	760	vssvc.exe
Token: SeAuditPrivilege	760	vssvc.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

56cea55f1b3c776895f6fc2097abbd48685b13e120adb1b2f8349405313081bb.exe56cea55f1b3c776895f6fc2097abbd48685b13e120adb1b2f8349405313081bb.execmd.exe

description	pid	process	target process
PID 1304 wrote to memory of 628	1304	56cea55f1b3c776895f6fc2097abbd48685b13e120adb1b2f8349405313081bb.exe	56cea55f1b3c776895f6fc2097abbd48685b13e120adb1b2f8349405313081bb.exe
PID 1304 wrote to memory of 628	1304	56cea55f1b3c776895f6fc2097abbd48685b13e120adb1b2f8349405313081bb.exe	56cea55f1b3c776895f6fc2097abbd48685b13e120adb1b2f8349405313081bb.exe
PID 1304 wrote to memory of 628	1304	56cea55f1b3c776895f6fc2097abbd48685b13e120adb1b2f8349405313081bb.exe	56cea55f1b3c776895f6fc2097abbd48685b13e120adb1b2f8349405313081bb.exe
PID 1304 wrote to memory of 628	1304	56cea55f1b3c776895f6fc2097abbd48685b13e120adb1b2f8349405313081bb.exe	56cea55f1b3c776895f6fc2097abbd48685b13e120adb1b2f8349405313081bb.exe
PID 1304 wrote to memory of 628	1304	56cea55f1b3c776895f6fc2097abbd48685b13e120adb1b2f8349405313081bb.exe	56cea55f1b3c776895f6fc2097abbd48685b13e120adb1b2f8349405313081bb.exe
PID 1304 wrote to memory of 628	1304	56cea55f1b3c776895f6fc2097abbd48685b13e120adb1b2f8349405313081bb.exe	56cea55f1b3c776895f6fc2097abbd48685b13e120adb1b2f8349405313081bb.exe
PID 1304 wrote to memory of 628	1304	56cea55f1b3c776895f6fc2097abbd48685b13e120adb1b2f8349405313081bb.exe	56cea55f1b3c776895f6fc2097abbd48685b13e120adb1b2f8349405313081bb.exe
PID 1304 wrote to memory of 628	1304	56cea55f1b3c776895f6fc2097abbd48685b13e120adb1b2f8349405313081bb.exe	56cea55f1b3c776895f6fc2097abbd48685b13e120adb1b2f8349405313081bb.exe
PID 1304 wrote to memory of 628	1304	56cea55f1b3c776895f6fc2097abbd48685b13e120adb1b2f8349405313081bb.exe	56cea55f1b3c776895f6fc2097abbd48685b13e120adb1b2f8349405313081bb.exe
PID 1304 wrote to memory of 628	1304	56cea55f1b3c776895f6fc2097abbd48685b13e120adb1b2f8349405313081bb.exe	56cea55f1b3c776895f6fc2097abbd48685b13e120adb1b2f8349405313081bb.exe
PID 628 wrote to memory of 1444	628	56cea55f1b3c776895f6fc2097abbd48685b13e120adb1b2f8349405313081bb.exe	cmd.exe
PID 628 wrote to memory of 1444	628	56cea55f1b3c776895f6fc2097abbd48685b13e120adb1b2f8349405313081bb.exe	cmd.exe
PID 628 wrote to memory of 1444	628	56cea55f1b3c776895f6fc2097abbd48685b13e120adb1b2f8349405313081bb.exe	cmd.exe
PID 628 wrote to memory of 1444	628	56cea55f1b3c776895f6fc2097abbd48685b13e120adb1b2f8349405313081bb.exe	cmd.exe
PID 1444 wrote to memory of 1108	1444	cmd.exe	WMIC.exe
PID 1444 wrote to memory of 1108	1444	cmd.exe	WMIC.exe
PID 1444 wrote to memory of 1108	1444	cmd.exe	WMIC.exe

C:\Users\Admin\AppData\Local\Temp\56cea55f1b3c776895f6fc2097abbd48685b13e120adb1b2f8349405313081bb.exe
"C:\Users\Admin\AppData\Local\Temp\56cea55f1b3c776895f6fc2097abbd48685b13e120adb1b2f8349405313081bb.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1304

C:\Users\Admin\AppData\Local\Temp\56cea55f1b3c776895f6fc2097abbd48685b13e120adb1b2f8349405313081bb.exe
"C:\Users\Admin\AppData\Local\Temp\56cea55f1b3c776895f6fc2097abbd48685b13e120adb1b2f8349405313081bb.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:628

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:1444

C:\Windows\system32\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic.exe shadowcopy delete
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1108

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:760

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

1

T1107

Credential Access

Credentials in Files

1

T1081

Discovery

Network Service Scanning

1

T1046

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

1

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nst6106.tmp\System.dll
Filesize
11KB

MD5
a436db0c473a087eb61ff5c53c34ba27

SHA1
65ea67e424e75f5065132b539c8b2eda88aa0506

SHA256
75ed40311875312617d6711baed0be29fcaee71031ca27a8d308a72b15a51e49

SHA512
908f46a855480af6eacb2fb64de0e60b1e04bbb10b23992e2cf38a4cbebdcd7d3928c4c022d7ad9f7479265a8f426b93eef580afec95570e654c360d62f5e08d

Download Submit
\Users\Admin\AppData\Local\Temp\nst6106.tmp\System.dll
Filesize
11KB

MD5
a436db0c473a087eb61ff5c53c34ba27

SHA1
65ea67e424e75f5065132b539c8b2eda88aa0506

SHA256
75ed40311875312617d6711baed0be29fcaee71031ca27a8d308a72b15a51e49

SHA512
908f46a855480af6eacb2fb64de0e60b1e04bbb10b23992e2cf38a4cbebdcd7d3928c4c022d7ad9f7479265a8f426b93eef580afec95570e654c360d62f5e08d

Download Submit
\Users\Admin\AppData\Roaming\HelpButton.dll
Filesize
44KB

MD5
ffeedeecd5f9a12c939c85c156363a90

SHA1
567c056b8ab705b8a6c36f82edf8f2762f095799

SHA256
aedc72bb46231c69e1347d161b4a0f0b9c484bb9194a652ba25860dde7d9dc0e

SHA512
9bd6a4664e344a196d42675ba3ef11bc12799f37f0b0b975e165f63f60579e74880df9dc3895a250add32a1389ce1abd284b325b8fe183f3327d7f7cb995355d

Download Submit
memory/628-71-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/628-67-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/628-59-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/628-60-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/628-61-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/628-63-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/628-65-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/628-75-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/628-68-0x00000000004028CF-mapping.dmp

Download
memory/628-72-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1108-74-0x0000000000000000-mapping.dmp

Download
memory/1304-54-0x0000000075A61000-0x0000000075A63000-memory.dmp

Filesize
8KB

Download
memory/1304-58-0x00000000003F0000-0x00000000003FB000-memory.dmp

Filesize
44KB

Download
memory/1444-73-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads