56706dfc3005ed7c30c1b1e23b2ee2f7e6596671e566985ae18e47486e6ee518

General

Target

56706dfc3005ed7c30c1b1e23b2ee2f7e6596671e566985ae18e47486e6ee518.exe
Size

391KB
MD5

556f80cd43688a4207fdf1d3af8231cf
SHA1

1e284ecbc04e8448c5409eaa86fe6dd0f2005e52
SHA256

56706dfc3005ed7c30c1b1e23b2ee2f7e6596671e566985ae18e47486e6ee518
SHA512

61de644678fafa5cc7d75e070d0ec01ccca43d68f992de1b2628f0f8cbe5f74c75beaeac8ed798c4009ce7b596a6a02c340cb29c1fad6d84ab80fadae627ca6f

Score

10^/10

discovery persistence ransomware spyware stealer suricata

Malware Config

Signatures

suricata: ET MALWARE Ransomware/Cerber Checkin 2
suricata: ET MALWARE Ransomware/Cerber Checkin 2
suricata
Contacts a large (16388) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

56706dfc3005ed7c30c1b1e23b2ee2f7e6596671e566985ae18e47486e6ee518.exeresmon.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{38ECAD35-ED0B-5DA2-036D-E467331519A7}\\resmon.exe\""	56706dfc3005ed7c30c1b1e23b2ee2f7e6596671e566985ae18e47486e6ee518.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{38ECAD35-ED0B-5DA2-036D-E467331519A7}\\resmon.exe\""	resmon.exe

Executes dropped EXE 1 IoCs

Processes:

resmon.exe

pid process

3928 resmon.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

resmon.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Control Panel\International\Geo\Nation resmon.exe

pid	process
3928	resmon.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Control Panel\International\Geo\Nation	resmon.exe

Drops startup file 1 IoCs

Processes:

56706dfc3005ed7c30c1b1e23b2ee2f7e6596671e566985ae18e47486e6ee518.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\resmon.lnk	56706dfc3005ed7c30c1b1e23b2ee2f7e6596671e566985ae18e47486e6ee518.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

56706dfc3005ed7c30c1b1e23b2ee2f7e6596671e566985ae18e47486e6ee518.exeresmon.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\resmon = "\"C:\\Users\\Admin\\AppData\\Roaming\\{38ECAD35-ED0B-5DA2-036D-E467331519A7}\\resmon.exe\""	56706dfc3005ed7c30c1b1e23b2ee2f7e6596671e566985ae18e47486e6ee518.exe
Key created	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	56706dfc3005ed7c30c1b1e23b2ee2f7e6596671e566985ae18e47486e6ee518.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\resmon = "\"C:\\Users\\Admin\\AppData\\Roaming\\{38ECAD35-ED0B-5DA2-036D-E467331519A7}\\resmon.exe\""	56706dfc3005ed7c30c1b1e23b2ee2f7e6596671e566985ae18e47486e6ee518.exe
Key created	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Software\Microsoft\Windows\CurrentVersion\Run	resmon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\resmon = "\"C:\\Users\\Admin\\AppData\\Roaming\\{38ECAD35-ED0B-5DA2-036D-E467331519A7}\\resmon.exe\""	resmon.exe
Key created	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	resmon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\resmon = "\"C:\\Users\\Admin\\AppData\\Roaming\\{38ECAD35-ED0B-5DA2-036D-E467331519A7}\\resmon.exe\""	resmon.exe
Key created	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Software\Microsoft\Windows\CurrentVersion\Run	56706dfc3005ed7c30c1b1e23b2ee2f7e6596671e566985ae18e47486e6ee518.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

1 ipinfo.io
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

2392 vssadmin.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1936 taskkill.exe

flow	ioc
1	ipinfo.io

pid	process
2392	vssadmin.exe

pid	process
1936	taskkill.exe

Modifies Control Panel 4 IoCs

evasion

Processes:

resmon.exe56706dfc3005ed7c30c1b1e23b2ee2f7e6596671e566985ae18e47486e6ee518.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Control Panel\Desktop	resmon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{38ECAD35-ED0B-5DA2-036D-E467331519A7}\\resmon.exe\""	resmon.exe
Key created	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Control Panel\Desktop	56706dfc3005ed7c30c1b1e23b2ee2f7e6596671e566985ae18e47486e6ee518.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{38ECAD35-ED0B-5DA2-036D-E467331519A7}\\resmon.exe\""	56706dfc3005ed7c30c1b1e23b2ee2f7e6596671e566985ae18e47486e6ee518.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

4760 PING.EXE

pid	process
4760	PING.EXE

Suspicious use of AdjustPrivilegeToken 48 IoCs

Processes:

56706dfc3005ed7c30c1b1e23b2ee2f7e6596671e566985ae18e47486e6ee518.exeresmon.exetaskkill.exevssvc.exewmic.exe

description	pid	process
Token: SeDebugPrivilege	2116	56706dfc3005ed7c30c1b1e23b2ee2f7e6596671e566985ae18e47486e6ee518.exe
Token: SeDebugPrivilege	3928	resmon.exe
Token: SeDebugPrivilege	1936	taskkill.exe
Token: SeBackupPrivilege	4384	vssvc.exe
Token: SeRestorePrivilege	4384	vssvc.exe
Token: SeAuditPrivilege	4384	vssvc.exe
Token: SeIncreaseQuotaPrivilege	4880	wmic.exe
Token: SeSecurityPrivilege	4880	wmic.exe
Token: SeTakeOwnershipPrivilege	4880	wmic.exe
Token: SeLoadDriverPrivilege	4880	wmic.exe
Token: SeSystemProfilePrivilege	4880	wmic.exe
Token: SeSystemtimePrivilege	4880	wmic.exe
Token: SeProfSingleProcessPrivilege	4880	wmic.exe
Token: SeIncBasePriorityPrivilege	4880	wmic.exe
Token: SeCreatePagefilePrivilege	4880	wmic.exe
Token: SeBackupPrivilege	4880	wmic.exe
Token: SeRestorePrivilege	4880	wmic.exe
Token: SeShutdownPrivilege	4880	wmic.exe
Token: SeDebugPrivilege	4880	wmic.exe
Token: SeSystemEnvironmentPrivilege	4880	wmic.exe
Token: SeRemoteShutdownPrivilege	4880	wmic.exe
Token: SeUndockPrivilege	4880	wmic.exe
Token: SeManageVolumePrivilege	4880	wmic.exe
Token: 33	4880	wmic.exe
Token: 34	4880	wmic.exe
Token: 35	4880	wmic.exe
Token: 36	4880	wmic.exe
Token: SeIncreaseQuotaPrivilege	4880	wmic.exe
Token: SeSecurityPrivilege	4880	wmic.exe
Token: SeTakeOwnershipPrivilege	4880	wmic.exe
Token: SeLoadDriverPrivilege	4880	wmic.exe
Token: SeSystemProfilePrivilege	4880	wmic.exe
Token: SeSystemtimePrivilege	4880	wmic.exe
Token: SeProfSingleProcessPrivilege	4880	wmic.exe
Token: SeIncBasePriorityPrivilege	4880	wmic.exe
Token: SeCreatePagefilePrivilege	4880	wmic.exe
Token: SeBackupPrivilege	4880	wmic.exe
Token: SeRestorePrivilege	4880	wmic.exe
Token: SeShutdownPrivilege	4880	wmic.exe
Token: SeDebugPrivilege	4880	wmic.exe
Token: SeSystemEnvironmentPrivilege	4880	wmic.exe
Token: SeRemoteShutdownPrivilege	4880	wmic.exe
Token: SeUndockPrivilege	4880	wmic.exe
Token: SeManageVolumePrivilege	4880	wmic.exe
Token: 33	4880	wmic.exe
Token: 34	4880	wmic.exe
Token: 35	4880	wmic.exe
Token: 36	4880	wmic.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

56706dfc3005ed7c30c1b1e23b2ee2f7e6596671e566985ae18e47486e6ee518.execmd.exeresmon.exe

description	pid	process	target process
PID 2116 wrote to memory of 3928	2116	56706dfc3005ed7c30c1b1e23b2ee2f7e6596671e566985ae18e47486e6ee518.exe	resmon.exe
PID 2116 wrote to memory of 3928	2116	56706dfc3005ed7c30c1b1e23b2ee2f7e6596671e566985ae18e47486e6ee518.exe	resmon.exe
PID 2116 wrote to memory of 3928	2116	56706dfc3005ed7c30c1b1e23b2ee2f7e6596671e566985ae18e47486e6ee518.exe	resmon.exe
PID 2116 wrote to memory of 4140	2116	56706dfc3005ed7c30c1b1e23b2ee2f7e6596671e566985ae18e47486e6ee518.exe	cmd.exe
PID 2116 wrote to memory of 4140	2116	56706dfc3005ed7c30c1b1e23b2ee2f7e6596671e566985ae18e47486e6ee518.exe	cmd.exe
PID 2116 wrote to memory of 4140	2116	56706dfc3005ed7c30c1b1e23b2ee2f7e6596671e566985ae18e47486e6ee518.exe	cmd.exe
PID 4140 wrote to memory of 1936	4140	cmd.exe	taskkill.exe
PID 4140 wrote to memory of 1936	4140	cmd.exe	taskkill.exe
PID 4140 wrote to memory of 1936	4140	cmd.exe	taskkill.exe
PID 4140 wrote to memory of 4760	4140	cmd.exe	PING.EXE
PID 4140 wrote to memory of 4760	4140	cmd.exe	PING.EXE
PID 4140 wrote to memory of 4760	4140	cmd.exe	PING.EXE
PID 3928 wrote to memory of 2392	3928	resmon.exe	vssadmin.exe
PID 3928 wrote to memory of 2392	3928	resmon.exe	vssadmin.exe
PID 3928 wrote to memory of 4880	3928	resmon.exe	wmic.exe
PID 3928 wrote to memory of 4880	3928	resmon.exe	wmic.exe

C:\Users\Admin\AppData\Local\Temp\56706dfc3005ed7c30c1b1e23b2ee2f7e6596671e566985ae18e47486e6ee518.exe
"C:\Users\Admin\AppData\Local\Temp\56706dfc3005ed7c30c1b1e23b2ee2f7e6596671e566985ae18e47486e6ee518.exe"
1⤵
- Adds policy Run key to start application
- Drops startup file
- Adds Run key to start application
- Modifies Control Panel
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2116

C:\Users\Admin\AppData\Roaming\{38ECAD35-ED0B-5DA2-036D-E467331519A7}\resmon.exe
"C:\Users\Admin\AppData\Roaming\{38ECAD35-ED0B-5DA2-036D-E467331519A7}\resmon.exe"
2⤵
- Adds policy Run key to start application
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Modifies Control Panel
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3928

C:\Windows\system32\vssadmin.exe
"C:\Windows\system32\vssadmin.exe" delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:2392

C:\Windows\system32\wbem\wmic.exe
"C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4880

C:\Windows\SysWOW64\cmd.exe
/d /c taskkill /t /f /im "56706dfc3005ed7c30c1b1e23b2ee2f7e6596671e566985ae18e47486e6ee518.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\56706dfc3005ed7c30c1b1e23b2ee2f7e6596671e566985ae18e47486e6ee518.exe" > NUL
2⤵
- Suspicious use of WriteProcessMemory
PID:4140

C:\Windows\SysWOW64\taskkill.exe
taskkill /t /f /im "56706dfc3005ed7c30c1b1e23b2ee2f7e6596671e566985ae18e47486e6ee518.exe"
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1936

C:\Windows\SysWOW64\PING.EXE
ping -n 1 127.0.0.1
3⤵
- Runs ping.exe
PID:4760

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4384

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

File Deletion

2

T1107

Modify Registry

2

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Network Service Scanning

2

T1046

Query Registry

1

T1012

System Information Discovery

2

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\resmon.lnk
Filesize
1KB

MD5
d59f32173761f46c24e99bd1b7049006

SHA1
f12c0a8a3f5ba705110c0a1456574b822a644cca

SHA256
c5a845f33b63875e4a0fd7e6c22a2f99687deab14ef58cbc336136eed7740398

SHA512
94ac2edac658975fcd74b8a950a59340dc85257af9c912d64903d231e046a1e50c3871eeb0e438bdffc6ea1981f8ae3cd478a0926a19a366f5504e55d2049437

Download Submit
C:\Users\Admin\AppData\Roaming\{38ECAD35-ED0B-5DA2-036D-E467331519A7}\resmon.exe
Filesize
391KB

MD5
556f80cd43688a4207fdf1d3af8231cf

SHA1
1e284ecbc04e8448c5409eaa86fe6dd0f2005e52

SHA256
56706dfc3005ed7c30c1b1e23b2ee2f7e6596671e566985ae18e47486e6ee518

SHA512
61de644678fafa5cc7d75e070d0ec01ccca43d68f992de1b2628f0f8cbe5f74c75beaeac8ed798c4009ce7b596a6a02c340cb29c1fad6d84ab80fadae627ca6f

Download Submit
C:\Users\Admin\AppData\Roaming\{38ECAD35-ED0B-5DA2-036D-E467331519A7}\resmon.exe
Filesize
391KB

MD5
556f80cd43688a4207fdf1d3af8231cf

SHA1
1e284ecbc04e8448c5409eaa86fe6dd0f2005e52

SHA256
56706dfc3005ed7c30c1b1e23b2ee2f7e6596671e566985ae18e47486e6ee518

SHA512
61de644678fafa5cc7d75e070d0ec01ccca43d68f992de1b2628f0f8cbe5f74c75beaeac8ed798c4009ce7b596a6a02c340cb29c1fad6d84ab80fadae627ca6f

Download Submit
memory/1936-140-0x0000000000000000-mapping.dmp

Download
memory/2116-133-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2116-132-0x0000000000530000-0x000000000054F000-memory.dmp

Filesize
124KB

Download
memory/2116-139-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2392-142-0x0000000000000000-mapping.dmp

Download
memory/3928-138-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/3928-134-0x0000000000000000-mapping.dmp

Download
memory/3928-145-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/4140-137-0x0000000000000000-mapping.dmp

Download
memory/4760-141-0x0000000000000000-mapping.dmp

Download
memory/4880-143-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads