Analysis
max time kernel: 119s
max time network: 120s
platform: windows7_x64
resource: win7-20220718-en
resource tags: arch:x64, arch:x86, image:win7-20220718-en, locale:en-us, os:windows7-x64, system
submitted: 25-07-2022 03:30
Static task: static1
Behavioral task: behavioral1
  Sample: 5668e6a044b5982f1c2e542dc6cbdb065c35bf0555cc684e374004ac67ba23a1.exe
  Resource: win7-20220718-en
Behavioral task: behavioral2
  Sample: 5668e6a044b5982f1c2e542dc6cbdb065c35bf0555cc684e374004ac67ba23a1.exe
  Resource: win10v2004-20220721-en
General
Target: 5668e6a044b5982f1c2e542dc6cbdb065c35bf0555cc684e374004ac67ba23a1.exe
Size: 211KB
MD5: 3c9c3f967aafcae7e3831205a0118b9e
SHA1: 1bd361aefbd04b84c48937a14b5318806897e4a5
SHA256: 5668e6a044b5982f1c2e542dc6cbdb065c35bf0555cc684e374004ac67ba23a1
SHA512: 165d4c457ca5a7a82c77ca3c98c42b76eb13cd4374c11a5895013b64c315ecefdd78dd978a16f0daac28289d21d2079629233f664849ef71e7284b783fe255ec
Malware Config
Signatures
- suricata: ET MALWARE Ransomware/Cerber Checkin 2
- suricata: ET MALWARE Ransomware/Cerber Checkin 2
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Contacts a large (512) amount of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Loads dropped DLL (2 IoCs)
  Processes:
    pid   process
    1800  5668e6a044b5982f1c2e542dc6cbdb065c35bf0555cc684e374004ac67ba23a1.exe
    1800  5668e6a044b5982f1c2e542dc6cbdb065c35bf0555cc684e374004ac67ba23a1.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    description                          pid   process                                                                 target process
    PID 1800 set thread context of 1652  1800  5668e6a044b5982f1c2e542dc6cbdb065c35bf0555cc684e374004ac67ba23a1.exe  5668e6a044b5982f1c2e542dc6cbdb065c35bf0555cc684e374004ac67ba23a1.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes:
    pid   process
    1652  5668e6a044b5982f1c2e542dc6cbdb065c35bf0555cc684e374004ac67ba23a1.exe
    1652  5668e6a044b5982f1c2e542dc6cbdb065c35bf0555cc684e374004ac67ba23a1.exe
    1652  5668e6a044b5982f1c2e542dc6cbdb065c35bf0555cc684e374004ac67ba23a1.exe
    1652  5668e6a044b5982f1c2e542dc6cbdb065c35bf0555cc684e374004ac67ba23a1.exe
- Suspicious use of AdjustPrivilegeToken (44 IoCs)
  Processes:
    description                           pid   process
    Token: SeDebugPrivilege               1652  5668e6a044b5982f1c2e542dc6cbdb065c35bf0555cc684e374004ac67ba23a1.exe
    Token: SeIncreaseQuotaPrivilege       1924  WMIC.exe
    Token: SeSecurityPrivilege            1924  WMIC.exe
    Token: SeTakeOwnershipPrivilege       1924  WMIC.exe
    Token: SeLoadDriverPrivilege          1924  WMIC.exe
    Token: SeSystemProfilePrivilege       1924  WMIC.exe
    Token: SeSystemtimePrivilege          1924  WMIC.exe
    Token: SeProfSingleProcessPrivilege   1924  WMIC.exe
    Token: SeIncBasePriorityPrivilege     1924  WMIC.exe
    Token: SeCreatePagefilePrivilege      1924  WMIC.exe
    Token: SeBackupPrivilege              1924  WMIC.exe
    Token: SeRestorePrivilege             1924  WMIC.exe
    Token: SeShutdownPrivilege            1924  WMIC.exe
    Token: SeDebugPrivilege               1924  WMIC.exe
    Token: SeSystemEnvironmentPrivilege   1924  WMIC.exe
    Token: SeRemoteShutdownPrivilege      1924  WMIC.exe
    Token: SeUndockPrivilege              1924  WMIC.exe
    Token: SeManageVolumePrivilege        1924  WMIC.exe
    Token: 33                             1924  WMIC.exe
    Token: 34                             1924  WMIC.exe
    Token: 35                             1924  WMIC.exe
    Token: SeIncreaseQuotaPrivilege       1924  WMIC.exe
    Token: SeSecurityPrivilege            1924  WMIC.exe
    Token: SeTakeOwnershipPrivilege       1924  WMIC.exe
    Token: SeLoadDriverPrivilege          1924  WMIC.exe
    Token: SeSystemProfilePrivilege       1924  WMIC.exe
    Token: SeSystemtimePrivilege          1924  WMIC.exe
    Token: SeProfSingleProcessPrivilege   1924  WMIC.exe
    Token: SeIncBasePriorityPrivilege     1924  WMIC.exe
    Token: SeCreatePagefilePrivilege      1924  WMIC.exe
    Token: SeBackupPrivilege              1924  WMIC.exe
    Token: SeRestorePrivilege             1924  WMIC.exe
    Token: SeShutdownPrivilege            1924  WMIC.exe
    Token: SeDebugPrivilege               1924  WMIC.exe
    Token: SeSystemEnvironmentPrivilege   1924  WMIC.exe
    Token: SeRemoteShutdownPrivilege      1924  WMIC.exe
    Token: SeUndockPrivilege              1924  WMIC.exe
    Token: SeManageVolumePrivilege        1924  WMIC.exe
    Token: 33                             1924  WMIC.exe
    Token: 34                             1924  WMIC.exe
    Token: 35                             1924  WMIC.exe
    Token: SeBackupPrivilege              432   vssvc.exe
    Token: SeRestorePrivilege             432   vssvc.exe
    Token: SeAuditPrivilege               432   vssvc.exe
- Suspicious use of WriteProcessMemory (17 IoCs)
  Processes:
    description                       pid   process                                                                 target process
    PID 1800 wrote to memory of 1652  1800  5668e6a044b5982f1c2e542dc6cbdb065c35bf0555cc684e374004ac67ba23a1.exe  5668e6a044b5982f1c2e542dc6cbdb065c35bf0555cc684e374004ac67ba23a1.exe
    PID 1800 wrote to memory of 1652  1800  5668e6a044b5982f1c2e542dc6cbdb065c35bf0555cc684e374004ac67ba23a1.exe  5668e6a044b5982f1c2e542dc6cbdb065c35bf0555cc684e374004ac67ba23a1.exe
    PID 1800 wrote to memory of 1652  1800  5668e6a044b5982f1c2e542dc6cbdb065c35bf0555cc684e374004ac67ba23a1.exe  5668e6a044b5982f1c2e542dc6cbdb065c35bf0555cc684e374004ac67ba23a1.exe
    PID 1800 wrote to memory of 1652  1800  5668e6a044b5982f1c2e542dc6cbdb065c35bf0555cc684e374004ac67ba23a1.exe  5668e6a044b5982f1c2e542dc6cbdb065c35bf0555cc684e374004ac67ba23a1.exe
    PID 1800 wrote to memory of 1652  1800  5668e6a044b5982f1c2e542dc6cbdb065c35bf0555cc684e374004ac67ba23a1.exe  5668e6a044b5982f1c2e542dc6cbdb065c35bf0555cc684e374004ac67ba23a1.exe
    PID 1800 wrote to memory of 1652  1800  5668e6a044b5982f1c2e542dc6cbdb065c35bf0555cc684e374004ac67ba23a1.exe  5668e6a044b5982f1c2e542dc6cbdb065c35bf0555cc684e374004ac67ba23a1.exe
    PID 1800 wrote to memory of 1652  1800  5668e6a044b5982f1c2e542dc6cbdb065c35bf0555cc684e374004ac67ba23a1.exe  5668e6a044b5982f1c2e542dc6cbdb065c35bf0555cc684e374004ac67ba23a1.exe
    PID 1800 wrote to memory of 1652  1800  5668e6a044b5982f1c2e542dc6cbdb065c35bf0555cc684e374004ac67ba23a1.exe  5668e6a044b5982f1c2e542dc6cbdb065c35bf0555cc684e374004ac67ba23a1.exe
    PID 1800 wrote to memory of 1652  1800  5668e6a044b5982f1c2e542dc6cbdb065c35bf0555cc684e374004ac67ba23a1.exe  5668e6a044b5982f1c2e542dc6cbdb065c35bf0555cc684e374004ac67ba23a1.exe
    PID 1800 wrote to memory of 1652  1800  5668e6a044b5982f1c2e542dc6cbdb065c35bf0555cc684e374004ac67ba23a1.exe  5668e6a044b5982f1c2e542dc6cbdb065c35bf0555cc684e374004ac67ba23a1.exe
    PID 1652 wrote to memory of 1996  1652  5668e6a044b5982f1c2e542dc6cbdb065c35bf0555cc684e374004ac67ba23a1.exe  cmd.exe
    PID 1652 wrote to memory of 1996  1652  5668e6a044b5982f1c2e542dc6cbdb065c35bf0555cc684e374004ac67ba23a1.exe  cmd.exe
    PID 1652 wrote to memory of 1996  1652  5668e6a044b5982f1c2e542dc6cbdb065c35bf0555cc684e374004ac67ba23a1.exe  cmd.exe
    PID 1652 wrote to memory of 1996  1652  5668e6a044b5982f1c2e542dc6cbdb065c35bf0555cc684e374004ac67ba23a1.exe  cmd.exe
    PID 1996 wrote to memory of 1924  1996  cmd.exe                                                                 WMIC.exe
    PID 1996 wrote to memory of 1924  1996  cmd.exe                                                                 WMIC.exe
    PID 1996 wrote to memory of 1924  1996  cmd.exe                                                                 WMIC.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\5668e6a044b5982f1c2e542dc6cbdb065c35bf0555cc684e374004ac67ba23a1.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\5668e6a044b5982f1c2e542dc6cbdb065c35bf0555cc684e374004ac67ba23a1.exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\5668e6a044b5982f1c2e542dc6cbdb065c35bf0555cc684e374004ac67ba23a1.exe (level 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\5668e6a044b5982f1c2e542dc6cbdb065c35bf0555cc684e374004ac67ba23a1.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\cmd.exe (level 3)
      Command line: "C:\Windows\system32\cmd.exe"
      - Suspicious use of WriteProcessMemory
      - C:\Windows\system32\wbem\WMIC.exe (level 4)
        Command line: C:\Windows\system32\wbem\wmic.exe shadowcopy delete
        - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\vssvc.exe (level 1)
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- \Users\Admin\AppData\Local\Temp\mutchkins.dll
  Filesize: 19KB
  MD5: 9954938c1b03564479e92d5d44251b26
  SHA1: 2e92b4f91cab000f68fcf13c90d1761a29c1919f
  SHA256: 8df28b7c0404c73fa43db4fc79da06b5128848e4188b7ab88bcd11ce7bf102ee
  SHA512: c4b41518d2207b2b31fd3e9aa3ffa3bd11f1fa2490d918e4af1f8bd0be48f41dffd9aaf7a22531c4e3bc94a68cfbfc2c1469a8c1a5c7441231288c2a4b3832d2
- \Users\Admin\AppData\Local\Temp\nsyFE6E.tmp\System.dll
  Filesize: 11KB
  MD5: a436db0c473a087eb61ff5c53c34ba27
  SHA1: 65ea67e424e75f5065132b539c8b2eda88aa0506
  SHA256: 75ed40311875312617d6711baed0be29fcaee71031ca27a8d308a72b15a51e49
  SHA512: 908f46a855480af6eacb2fb64de0e60b1e04bbb10b23992e2cf38a4cbebdcd7d3928c4c022d7ad9f7479265a8f426b93eef580afec95570e654c360d62f5e08d
- memory/1652-61-0x0000000000400000-0x0000000000432000-memory.dmp (Filesize: 200KB)
- memory/1652-57-0x0000000000400000-0x0000000000432000-memory.dmp (Filesize: 200KB)
- memory/1652-58-0x0000000000400000-0x0000000000432000-memory.dmp (Filesize: 200KB)
- memory/1652-59-0x0000000000400000-0x0000000000432000-memory.dmp (Filesize: 200KB)
- memory/1652-63-0x0000000000400000-0x0000000000432000-memory.dmp (Filesize: 200KB)
- memory/1652-65-0x0000000000400000-0x0000000000432000-memory.dmp (Filesize: 200KB)
- memory/1652-66-0x0000000000402BDD-mapping.dmp
- memory/1652-69-0x0000000000400000-0x0000000000432000-memory.dmp (Filesize: 200KB)
- memory/1652-70-0x0000000000400000-0x0000000000432000-memory.dmp (Filesize: 200KB)
- memory/1652-73-0x0000000000400000-0x0000000000432000-memory.dmp (Filesize: 200KB)
- memory/1800-54-0x0000000076291000-0x0000000076293000-memory.dmp (Filesize: 8KB)
- memory/1924-72-0x0000000000000000-mapping.dmp
- memory/1996-71-0x0000000000000000-mapping.dmp