Analysis
max time kernel: 150s
max time network: 120s
platform: windows10-2004_x64
resource: win10v2004-20220722-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220722-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-07-2022 03:20
Static task: static1
Behavioral task: behavioral1
  Sample: 56706dfc3005ed7c30c1b1e23b2ee2f7e6596671e566985ae18e47486e6ee518.exe
  Resource: win7-20220715-en
Behavioral task: behavioral2
  Sample: 56706dfc3005ed7c30c1b1e23b2ee2f7e6596671e566985ae18e47486e6ee518.exe
  Resource: win10v2004-20220722-en
General
Target: 56706dfc3005ed7c30c1b1e23b2ee2f7e6596671e566985ae18e47486e6ee518.exe
Size: 391KB
MD5: 556f80cd43688a4207fdf1d3af8231cf
SHA1: 1e284ecbc04e8448c5409eaa86fe6dd0f2005e52
SHA256: 56706dfc3005ed7c30c1b1e23b2ee2f7e6596671e566985ae18e47486e6ee518
SHA512: 61de644678fafa5cc7d75e070d0ec01ccca43d68f992de1b2628f0f8cbe5f74c75beaeac8ed798c4009ce7b596a6a02c340cb29c1fad6d84ab80fadae627ca6f
Malware Config
Signatures
- suricata: ET MALWARE Ransomware/Cerber Checkin 2
- Contacts a large (16388) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Adds policy Run key to start application (2 TTPs, 2 IoCs)
  Processes: 56706dfc3005ed7c30c1b1e23b2ee2f7e6596671e566985ae18e47486e6ee518.exe, resmon.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{38ECAD35-ED0B-5DA2-036D-E467331519A7}\\resmon.exe\"" | 56706dfc3005ed7c30c1b1e23b2ee2f7e6596671e566985ae18e47486e6ee518.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{38ECAD35-ED0B-5DA2-036D-E467331519A7}\\resmon.exe\"" | resmon.exe
- Executes dropped EXE (1 IoCs)
  Processes: resmon.exe
  pid | process
  3928 | resmon.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: resmon.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Control Panel\International\Geo\Nation | resmon.exe
- Drops startup file (1 IoCs)
  Processes: 56706dfc3005ed7c30c1b1e23b2ee2f7e6596671e566985ae18e47486e6ee518.exe
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\resmon.lnk | 56706dfc3005ed7c30c1b1e23b2ee2f7e6596671e566985ae18e47486e6ee518.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 8 IoCs)
  Processes: 56706dfc3005ed7c30c1b1e23b2ee2f7e6596671e566985ae18e47486e6ee518.exe, resmon.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\resmon = "\"C:\\Users\\Admin\\AppData\\Roaming\\{38ECAD35-ED0B-5DA2-036D-E467331519A7}\\resmon.exe\"" | 56706dfc3005ed7c30c1b1e23b2ee2f7e6596671e566985ae18e47486e6ee518.exe
  Key created | \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce | 56706dfc3005ed7c30c1b1e23b2ee2f7e6596671e566985ae18e47486e6ee518.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\resmon = "\"C:\\Users\\Admin\\AppData\\Roaming\\{38ECAD35-ED0B-5DA2-036D-E467331519A7}\\resmon.exe\"" | 56706dfc3005ed7c30c1b1e23b2ee2f7e6596671e566985ae18e47486e6ee518.exe
  Key created | \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Software\Microsoft\Windows\CurrentVersion\Run | resmon.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\resmon = "\"C:\\Users\\Admin\\AppData\\Roaming\\{38ECAD35-ED0B-5DA2-036D-E467331519A7}\\resmon.exe\"" | resmon.exe
  Key created | \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce | resmon.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\resmon = "\"C:\\Users\\Admin\\AppData\\Roaming\\{38ECAD35-ED0B-5DA2-036D-E467331519A7}\\resmon.exe\"" | resmon.exe
  Key created | \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Software\Microsoft\Windows\CurrentVersion\Run | 56706dfc3005ed7c30c1b1e23b2ee2f7e6596671e566985ae18e47486e6ee518.exe
- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  1 | ipinfo.io
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Interacts with shadow copies (2 TTPs, 1 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes: vssadmin.exe
  pid | process
  2392 | vssadmin.exe
- Kills process with taskkill (1 IoCs)
  Processes: taskkill.exe
  pid | process
  1936 | taskkill.exe
- Modifies Control Panel (4 IoCs)
  Processes: resmon.exe, 56706dfc3005ed7c30c1b1e23b2ee2f7e6596671e566985ae18e47486e6ee518.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Control Panel\Desktop | resmon.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{38ECAD35-ED0B-5DA2-036D-E467331519A7}\\resmon.exe\"" | resmon.exe
  Key created | \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Control Panel\Desktop | 56706dfc3005ed7c30c1b1e23b2ee2f7e6596671e566985ae18e47486e6ee518.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{38ECAD35-ED0B-5DA2-036D-E467331519A7}\\resmon.exe\"" | 56706dfc3005ed7c30c1b1e23b2ee2f7e6596671e566985ae18e47486e6ee518.exe
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (48 IoCs)
  Processes: 56706dfc3005ed7c30c1b1e23b2ee2f7e6596671e566985ae18e47486e6ee518.exe, resmon.exe, taskkill.exe, vssvc.exe, wmic.exe
  description | pid | process
  Token: SeDebugPrivilege | 2116 | 56706dfc3005ed7c30c1b1e23b2ee2f7e6596671e566985ae18e47486e6ee518.exe
  Token: SeDebugPrivilege | 3928 | resmon.exe
  Token: SeDebugPrivilege | 1936 | taskkill.exe
  Token: SeBackupPrivilege | 4384 | vssvc.exe
  Token: SeRestorePrivilege | 4384 | vssvc.exe
  Token: SeAuditPrivilege | 4384 | vssvc.exe
  Token: SeIncreaseQuotaPrivilege | 4880 | wmic.exe
  Token: SeSecurityPrivilege | 4880 | wmic.exe
  Token: SeTakeOwnershipPrivilege | 4880 | wmic.exe
  Token: SeLoadDriverPrivilege | 4880 | wmic.exe
  Token: SeSystemProfilePrivilege | 4880 | wmic.exe
  Token: SeSystemtimePrivilege | 4880 | wmic.exe
  Token: SeProfSingleProcessPrivilege | 4880 | wmic.exe
  Token: SeIncBasePriorityPrivilege | 4880 | wmic.exe
  Token: SeCreatePagefilePrivilege | 4880 | wmic.exe
  Token: SeBackupPrivilege | 4880 | wmic.exe
  Token: SeRestorePrivilege | 4880 | wmic.exe
  Token: SeShutdownPrivilege | 4880 | wmic.exe
  Token: SeDebugPrivilege | 4880 | wmic.exe
  Token: SeSystemEnvironmentPrivilege | 4880 | wmic.exe
  Token: SeRemoteShutdownPrivilege | 4880 | wmic.exe
  Token: SeUndockPrivilege | 4880 | wmic.exe
  Token: SeManageVolumePrivilege | 4880 | wmic.exe
  Token: 33 | 4880 | wmic.exe
  Token: 34 | 4880 | wmic.exe
  Token: 35 | 4880 | wmic.exe
  Token: 36 | 4880 | wmic.exe
  Token: SeIncreaseQuotaPrivilege | 4880 | wmic.exe
  Token: SeSecurityPrivilege | 4880 | wmic.exe
  Token: SeTakeOwnershipPrivilege | 4880 | wmic.exe
  Token: SeLoadDriverPrivilege | 4880 | wmic.exe
  Token: SeSystemProfilePrivilege | 4880 | wmic.exe
  Token: SeSystemtimePrivilege | 4880 | wmic.exe
  Token: SeProfSingleProcessPrivilege | 4880 | wmic.exe
  Token: SeIncBasePriorityPrivilege | 4880 | wmic.exe
  Token: SeCreatePagefilePrivilege | 4880 | wmic.exe
  Token: SeBackupPrivilege | 4880 | wmic.exe
  Token: SeRestorePrivilege | 4880 | wmic.exe
  Token: SeShutdownPrivilege | 4880 | wmic.exe
  Token: SeDebugPrivilege | 4880 | wmic.exe
  Token: SeSystemEnvironmentPrivilege | 4880 | wmic.exe
  Token: SeRemoteShutdownPrivilege | 4880 | wmic.exe
  Token: SeUndockPrivilege | 4880 | wmic.exe
  Token: SeManageVolumePrivilege | 4880 | wmic.exe
  Token: 33 | 4880 | wmic.exe
  Token: 34 | 4880 | wmic.exe
  Token: 35 | 4880 | wmic.exe
  Token: 36 | 4880 | wmic.exe
- Suspicious use of WriteProcessMemory (16 IoCs)
  Processes: 56706dfc3005ed7c30c1b1e23b2ee2f7e6596671e566985ae18e47486e6ee518.exe, cmd.exe, resmon.exe
  description | pid | process | target process
  PID 2116 wrote to memory of 3928 | 2116 | 56706dfc3005ed7c30c1b1e23b2ee2f7e6596671e566985ae18e47486e6ee518.exe | resmon.exe
  PID 2116 wrote to memory of 3928 | 2116 | 56706dfc3005ed7c30c1b1e23b2ee2f7e6596671e566985ae18e47486e6ee518.exe | resmon.exe
  PID 2116 wrote to memory of 3928 | 2116 | 56706dfc3005ed7c30c1b1e23b2ee2f7e6596671e566985ae18e47486e6ee518.exe | resmon.exe
  PID 2116 wrote to memory of 4140 | 2116 | 56706dfc3005ed7c30c1b1e23b2ee2f7e6596671e566985ae18e47486e6ee518.exe | cmd.exe
  PID 2116 wrote to memory of 4140 | 2116 | 56706dfc3005ed7c30c1b1e23b2ee2f7e6596671e566985ae18e47486e6ee518.exe | cmd.exe
  PID 2116 wrote to memory of 4140 | 2116 | 56706dfc3005ed7c30c1b1e23b2ee2f7e6596671e566985ae18e47486e6ee518.exe | cmd.exe
  PID 4140 wrote to memory of 1936 | 4140 | cmd.exe | taskkill.exe
  PID 4140 wrote to memory of 1936 | 4140 | cmd.exe | taskkill.exe
  PID 4140 wrote to memory of 1936 | 4140 | cmd.exe | taskkill.exe
  PID 4140 wrote to memory of 4760 | 4140 | cmd.exe | PING.EXE
  PID 4140 wrote to memory of 4760 | 4140 | cmd.exe | PING.EXE
  PID 4140 wrote to memory of 4760 | 4140 | cmd.exe | PING.EXE
  PID 3928 wrote to memory of 2392 | 3928 | resmon.exe | vssadmin.exe
  PID 3928 wrote to memory of 2392 | 3928 | resmon.exe | vssadmin.exe
  PID 3928 wrote to memory of 4880 | 3928 | resmon.exe | wmic.exe
  PID 3928 wrote to memory of 4880 | 3928 | resmon.exe | wmic.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\56706dfc3005ed7c30c1b1e23b2ee2f7e6596671e566985ae18e47486e6ee518.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\56706dfc3005ed7c30c1b1e23b2ee2f7e6596671e566985ae18e47486e6ee518.exe"
  - Adds policy Run key to start application
  - Drops startup file
  - Adds Run key to start application
  - Modifies Control Panel
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\{38ECAD35-ED0B-5DA2-036D-E467331519A7}\resmon.exe
    Command line: "C:\Users\Admin\AppData\Roaming\{38ECAD35-ED0B-5DA2-036D-E467331519A7}\resmon.exe"
    - Adds policy Run key to start application
    - Executes dropped EXE
    - Checks computer location settings
    - Adds Run key to start application
    - Modifies Control Panel
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\vssadmin.exe
      Command line: "C:\Windows\system32\vssadmin.exe" delete shadows /all /quiet
      - Interacts with shadow copies
    - C:\Windows\system32\wbem\wmic.exe
      Command line: "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\cmd.exe
    Command line: /d /c taskkill /t /f /im "56706dfc3005ed7c30c1b1e23b2ee2f7e6596671e566985ae18e47486e6ee518.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\56706dfc3005ed7c30c1b1e23b2ee2f7e6596671e566985ae18e47486e6ee518.exe" > NUL
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /t /f /im "56706dfc3005ed7c30c1b1e23b2ee2f7e6596671e566985ae18e47486e6ee518.exe"
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping -n 1 127.0.0.1
      - Runs ping.exe
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\resmon.lnk
  Filesize: 1KB
  MD5: d59f32173761f46c24e99bd1b7049006
  SHA1: f12c0a8a3f5ba705110c0a1456574b822a644cca
  SHA256: c5a845f33b63875e4a0fd7e6c22a2f99687deab14ef58cbc336136eed7740398
  SHA512: 94ac2edac658975fcd74b8a950a59340dc85257af9c912d64903d231e046a1e50c3871eeb0e438bdffc6ea1981f8ae3cd478a0926a19a366f5504e55d2049437
- C:\Users\Admin\AppData\Roaming\{38ECAD35-ED0B-5DA2-036D-E467331519A7}\resmon.exe
  Filesize: 391KB
  MD5: 556f80cd43688a4207fdf1d3af8231cf
  SHA1: 1e284ecbc04e8448c5409eaa86fe6dd0f2005e52
  SHA256: 56706dfc3005ed7c30c1b1e23b2ee2f7e6596671e566985ae18e47486e6ee518
  SHA512: 61de644678fafa5cc7d75e070d0ec01ccca43d68f992de1b2628f0f8cbe5f74c75beaeac8ed798c4009ce7b596a6a02c340cb29c1fad6d84ab80fadae627ca6f
- memory/1936-140-0x0000000000000000-mapping.dmp
- memory/2116-133-0x0000000000400000-0x0000000000463000-memory.dmp
  Filesize: 396KB
- memory/2116-132-0x0000000000530000-0x000000000054F000-memory.dmp
  Filesize: 124KB
- memory/2116-139-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB
- memory/2392-142-0x0000000000000000-mapping.dmp
- memory/3928-138-0x0000000000400000-0x0000000000463000-memory.dmp
  Filesize: 396KB
- memory/3928-134-0x0000000000000000-mapping.dmp
- memory/3928-145-0x0000000000400000-0x0000000000463000-memory.dmp
  Filesize: 396KB
- memory/4140-137-0x0000000000000000-mapping.dmp
- memory/4760-141-0x0000000000000000-mapping.dmp
- memory/4880-143-0x0000000000000000-mapping.dmp