5668e6a044b5982f1c2e542dc6cbdb065c35bf0555cc684e374004ac67ba23a1

General

Target

5668e6a044b5982f1c2e542dc6cbdb065c35bf0555cc684e374004ac67ba23a1.exe
Size

211KB
MD5

3c9c3f967aafcae7e3831205a0118b9e
SHA1

1bd361aefbd04b84c48937a14b5318806897e4a5
SHA256

5668e6a044b5982f1c2e542dc6cbdb065c35bf0555cc684e374004ac67ba23a1
SHA512

165d4c457ca5a7a82c77ca3c98c42b76eb13cd4374c11a5895013b64c315ecefdd78dd978a16f0daac28289d21d2079629233f664849ef71e7284b783fe255ec

Score

10^/10

discovery ransomware spyware stealer suricata

Malware Config

Signatures

suricata: ET MALWARE Ransomware/Cerber Checkin 2
suricata: ET MALWARE Ransomware/Cerber Checkin 2
suricata
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Contacts a large (512) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046

Loads dropped DLL 2 IoCs

Processes:

5668e6a044b5982f1c2e542dc6cbdb065c35bf0555cc684e374004ac67ba23a1.exe

pid	process
1800	5668e6a044b5982f1c2e542dc6cbdb065c35bf0555cc684e374004ac67ba23a1.exe
1800	5668e6a044b5982f1c2e542dc6cbdb065c35bf0555cc684e374004ac67ba23a1.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 1 IoCs

Processes:

5668e6a044b5982f1c2e542dc6cbdb065c35bf0555cc684e374004ac67ba23a1.exe

description	pid	process	target process
PID 1800 set thread context of 1652	1800	5668e6a044b5982f1c2e542dc6cbdb065c35bf0555cc684e374004ac67ba23a1.exe	5668e6a044b5982f1c2e542dc6cbdb065c35bf0555cc684e374004ac67ba23a1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

5668e6a044b5982f1c2e542dc6cbdb065c35bf0555cc684e374004ac67ba23a1.exe

pid	process
1652	5668e6a044b5982f1c2e542dc6cbdb065c35bf0555cc684e374004ac67ba23a1.exe
1652	5668e6a044b5982f1c2e542dc6cbdb065c35bf0555cc684e374004ac67ba23a1.exe
1652	5668e6a044b5982f1c2e542dc6cbdb065c35bf0555cc684e374004ac67ba23a1.exe
1652	5668e6a044b5982f1c2e542dc6cbdb065c35bf0555cc684e374004ac67ba23a1.exe

Suspicious use of AdjustPrivilegeToken 44 IoCs

Processes:

5668e6a044b5982f1c2e542dc6cbdb065c35bf0555cc684e374004ac67ba23a1.exeWMIC.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	1652	5668e6a044b5982f1c2e542dc6cbdb065c35bf0555cc684e374004ac67ba23a1.exe
Token: SeIncreaseQuotaPrivilege	1924	WMIC.exe
Token: SeSecurityPrivilege	1924	WMIC.exe
Token: SeTakeOwnershipPrivilege	1924	WMIC.exe
Token: SeLoadDriverPrivilege	1924	WMIC.exe
Token: SeSystemProfilePrivilege	1924	WMIC.exe
Token: SeSystemtimePrivilege	1924	WMIC.exe
Token: SeProfSingleProcessPrivilege	1924	WMIC.exe
Token: SeIncBasePriorityPrivilege	1924	WMIC.exe
Token: SeCreatePagefilePrivilege	1924	WMIC.exe
Token: SeBackupPrivilege	1924	WMIC.exe
Token: SeRestorePrivilege	1924	WMIC.exe
Token: SeShutdownPrivilege	1924	WMIC.exe
Token: SeDebugPrivilege	1924	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1924	WMIC.exe
Token: SeRemoteShutdownPrivilege	1924	WMIC.exe
Token: SeUndockPrivilege	1924	WMIC.exe
Token: SeManageVolumePrivilege	1924	WMIC.exe
Token: 33	1924	WMIC.exe
Token: 34	1924	WMIC.exe
Token: 35	1924	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1924	WMIC.exe
Token: SeSecurityPrivilege	1924	WMIC.exe
Token: SeTakeOwnershipPrivilege	1924	WMIC.exe
Token: SeLoadDriverPrivilege	1924	WMIC.exe
Token: SeSystemProfilePrivilege	1924	WMIC.exe
Token: SeSystemtimePrivilege	1924	WMIC.exe
Token: SeProfSingleProcessPrivilege	1924	WMIC.exe
Token: SeIncBasePriorityPrivilege	1924	WMIC.exe
Token: SeCreatePagefilePrivilege	1924	WMIC.exe
Token: SeBackupPrivilege	1924	WMIC.exe
Token: SeRestorePrivilege	1924	WMIC.exe
Token: SeShutdownPrivilege	1924	WMIC.exe
Token: SeDebugPrivilege	1924	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1924	WMIC.exe
Token: SeRemoteShutdownPrivilege	1924	WMIC.exe
Token: SeUndockPrivilege	1924	WMIC.exe
Token: SeManageVolumePrivilege	1924	WMIC.exe
Token: 33	1924	WMIC.exe
Token: 34	1924	WMIC.exe
Token: 35	1924	WMIC.exe
Token: SeBackupPrivilege	432	vssvc.exe
Token: SeRestorePrivilege	432	vssvc.exe
Token: SeAuditPrivilege	432	vssvc.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

5668e6a044b5982f1c2e542dc6cbdb065c35bf0555cc684e374004ac67ba23a1.exe5668e6a044b5982f1c2e542dc6cbdb065c35bf0555cc684e374004ac67ba23a1.execmd.exe

description	pid	process	target process
PID 1800 wrote to memory of 1652	1800	5668e6a044b5982f1c2e542dc6cbdb065c35bf0555cc684e374004ac67ba23a1.exe	5668e6a044b5982f1c2e542dc6cbdb065c35bf0555cc684e374004ac67ba23a1.exe
PID 1800 wrote to memory of 1652	1800	5668e6a044b5982f1c2e542dc6cbdb065c35bf0555cc684e374004ac67ba23a1.exe	5668e6a044b5982f1c2e542dc6cbdb065c35bf0555cc684e374004ac67ba23a1.exe
PID 1800 wrote to memory of 1652	1800	5668e6a044b5982f1c2e542dc6cbdb065c35bf0555cc684e374004ac67ba23a1.exe	5668e6a044b5982f1c2e542dc6cbdb065c35bf0555cc684e374004ac67ba23a1.exe
PID 1800 wrote to memory of 1652	1800	5668e6a044b5982f1c2e542dc6cbdb065c35bf0555cc684e374004ac67ba23a1.exe	5668e6a044b5982f1c2e542dc6cbdb065c35bf0555cc684e374004ac67ba23a1.exe
PID 1800 wrote to memory of 1652	1800	5668e6a044b5982f1c2e542dc6cbdb065c35bf0555cc684e374004ac67ba23a1.exe	5668e6a044b5982f1c2e542dc6cbdb065c35bf0555cc684e374004ac67ba23a1.exe
PID 1800 wrote to memory of 1652	1800	5668e6a044b5982f1c2e542dc6cbdb065c35bf0555cc684e374004ac67ba23a1.exe	5668e6a044b5982f1c2e542dc6cbdb065c35bf0555cc684e374004ac67ba23a1.exe
PID 1800 wrote to memory of 1652	1800	5668e6a044b5982f1c2e542dc6cbdb065c35bf0555cc684e374004ac67ba23a1.exe	5668e6a044b5982f1c2e542dc6cbdb065c35bf0555cc684e374004ac67ba23a1.exe
PID 1800 wrote to memory of 1652	1800	5668e6a044b5982f1c2e542dc6cbdb065c35bf0555cc684e374004ac67ba23a1.exe	5668e6a044b5982f1c2e542dc6cbdb065c35bf0555cc684e374004ac67ba23a1.exe
PID 1800 wrote to memory of 1652	1800	5668e6a044b5982f1c2e542dc6cbdb065c35bf0555cc684e374004ac67ba23a1.exe	5668e6a044b5982f1c2e542dc6cbdb065c35bf0555cc684e374004ac67ba23a1.exe
PID 1800 wrote to memory of 1652	1800	5668e6a044b5982f1c2e542dc6cbdb065c35bf0555cc684e374004ac67ba23a1.exe	5668e6a044b5982f1c2e542dc6cbdb065c35bf0555cc684e374004ac67ba23a1.exe
PID 1652 wrote to memory of 1996	1652	5668e6a044b5982f1c2e542dc6cbdb065c35bf0555cc684e374004ac67ba23a1.exe	cmd.exe
PID 1652 wrote to memory of 1996	1652	5668e6a044b5982f1c2e542dc6cbdb065c35bf0555cc684e374004ac67ba23a1.exe	cmd.exe
PID 1652 wrote to memory of 1996	1652	5668e6a044b5982f1c2e542dc6cbdb065c35bf0555cc684e374004ac67ba23a1.exe	cmd.exe
PID 1652 wrote to memory of 1996	1652	5668e6a044b5982f1c2e542dc6cbdb065c35bf0555cc684e374004ac67ba23a1.exe	cmd.exe
PID 1996 wrote to memory of 1924	1996	cmd.exe	WMIC.exe
PID 1996 wrote to memory of 1924	1996	cmd.exe	WMIC.exe
PID 1996 wrote to memory of 1924	1996	cmd.exe	WMIC.exe

C:\Users\Admin\AppData\Local\Temp\5668e6a044b5982f1c2e542dc6cbdb065c35bf0555cc684e374004ac67ba23a1.exe
"C:\Users\Admin\AppData\Local\Temp\5668e6a044b5982f1c2e542dc6cbdb065c35bf0555cc684e374004ac67ba23a1.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1800

C:\Users\Admin\AppData\Local\Temp\5668e6a044b5982f1c2e542dc6cbdb065c35bf0555cc684e374004ac67ba23a1.exe
"C:\Users\Admin\AppData\Local\Temp\5668e6a044b5982f1c2e542dc6cbdb065c35bf0555cc684e374004ac67ba23a1.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1652

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:1996

C:\Windows\system32\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic.exe shadowcopy delete
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1924

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:432

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

1

T1107

Credential Access

Credentials in Files

1

T1081

Discovery

Network Service Scanning

1

T1046

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

1

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\mutchkins.dll
Filesize
19KB

MD5
9954938c1b03564479e92d5d44251b26

SHA1
2e92b4f91cab000f68fcf13c90d1761a29c1919f

SHA256
8df28b7c0404c73fa43db4fc79da06b5128848e4188b7ab88bcd11ce7bf102ee

SHA512
c4b41518d2207b2b31fd3e9aa3ffa3bd11f1fa2490d918e4af1f8bd0be48f41dffd9aaf7a22531c4e3bc94a68cfbfc2c1469a8c1a5c7441231288c2a4b3832d2

Download Submit
\Users\Admin\AppData\Local\Temp\nsyFE6E.tmp\System.dll
Filesize
11KB

MD5
a436db0c473a087eb61ff5c53c34ba27

SHA1
65ea67e424e75f5065132b539c8b2eda88aa0506

SHA256
75ed40311875312617d6711baed0be29fcaee71031ca27a8d308a72b15a51e49

SHA512
908f46a855480af6eacb2fb64de0e60b1e04bbb10b23992e2cf38a4cbebdcd7d3928c4c022d7ad9f7479265a8f426b93eef580afec95570e654c360d62f5e08d

Download Submit
memory/1652-61-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1652-57-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1652-58-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1652-59-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1652-63-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1652-65-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1652-66-0x0000000000402BDD-mapping.dmp

Download
memory/1652-69-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1652-70-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1652-73-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1800-54-0x0000000076291000-0x0000000076293000-memory.dmp

Filesize
8KB

Download
memory/1924-72-0x0000000000000000-mapping.dmp

Download
memory/1996-71-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads