562f127b835531599169a09bde0a87ecaea2fc56eb12746766c14dc6e607ade8

General

Target

562f127b835531599169a09bde0a87ecaea2fc56eb12746766c14dc6e607ade8.exe
Size

253KB
MD5

504095753fec8c61d54b4f5f6c1e3b1b
SHA1

97292439666f783373cdfc32c911daadc2f64650
SHA256

562f127b835531599169a09bde0a87ecaea2fc56eb12746766c14dc6e607ade8
SHA512

52d5494d2e564ac62db419cf70735d9923b1641cb20482bf4529619651539cd3e8ca0ac6068418149e9947f905af270ce7df76909ecc38344c1f82d902a94345

Score

10^/10

discovery ransomware spyware stealer suricata

Malware Config

Signatures

suricata: ET MALWARE Ransomware/Cerber Checkin 2
suricata: ET MALWARE Ransomware/Cerber Checkin 2
suricata
suricata: ET MALWARE Ransomware/Cerber Checkin M3 (9)
suricata: ET MALWARE Ransomware/Cerber Checkin M3 (9)
suricata
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Contacts a large (512) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046

Modifies extensions of user files 1 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

562f127b835531599169a09bde0a87ecaea2fc56eb12746766c14dc6e607ade8.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\SaveRegister.tiff	562f127b835531599169a09bde0a87ecaea2fc56eb12746766c14dc6e607ade8.exe

Loads dropped DLL 1 IoCs

Processes:

562f127b835531599169a09bde0a87ecaea2fc56eb12746766c14dc6e607ade8.exe

pid process

880 562f127b835531599169a09bde0a87ecaea2fc56eb12746766c14dc6e607ade8.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
880	562f127b835531599169a09bde0a87ecaea2fc56eb12746766c14dc6e607ade8.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

562f127b835531599169a09bde0a87ecaea2fc56eb12746766c14dc6e607ade8.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmpC80.bmp"	562f127b835531599169a09bde0a87ecaea2fc56eb12746766c14dc6e607ade8.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

562f127b835531599169a09bde0a87ecaea2fc56eb12746766c14dc6e607ade8.exe

description	pid	process	target process
PID 880 set thread context of 1940	880	562f127b835531599169a09bde0a87ecaea2fc56eb12746766c14dc6e607ade8.exe	562f127b835531599169a09bde0a87ecaea2fc56eb12746766c14dc6e607ade8.exe

Drops file in Program Files directory 6 IoCs

Processes:

562f127b835531599169a09bde0a87ecaea2fc56eb12746766c14dc6e607ade8.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\README.hta	562f127b835531599169a09bde0a87ecaea2fc56eb12746766c14dc6e607ade8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\BLANK.ONE	562f127b835531599169a09bde0a87ecaea2fc56eb12746766c14dc6e607ade8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\BUSINESS.ONE	562f127b835531599169a09bde0a87ecaea2fc56eb12746766c14dc6e607ade8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\DESIGNER.ONE	562f127b835531599169a09bde0a87ecaea2fc56eb12746766c14dc6e607ade8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\PLANNERS.ONE	562f127b835531599169a09bde0a87ecaea2fc56eb12746766c14dc6e607ade8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\ACADEMIC.ONE	562f127b835531599169a09bde0a87ecaea2fc56eb12746766c14dc6e607ade8.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

562f127b835531599169a09bde0a87ecaea2fc56eb12746766c14dc6e607ade8.exe

pid	process
1940	562f127b835531599169a09bde0a87ecaea2fc56eb12746766c14dc6e607ade8.exe
1940	562f127b835531599169a09bde0a87ecaea2fc56eb12746766c14dc6e607ade8.exe
1940	562f127b835531599169a09bde0a87ecaea2fc56eb12746766c14dc6e607ade8.exe
1940	562f127b835531599169a09bde0a87ecaea2fc56eb12746766c14dc6e607ade8.exe
1940	562f127b835531599169a09bde0a87ecaea2fc56eb12746766c14dc6e607ade8.exe
1940	562f127b835531599169a09bde0a87ecaea2fc56eb12746766c14dc6e607ade8.exe
1940	562f127b835531599169a09bde0a87ecaea2fc56eb12746766c14dc6e607ade8.exe
1940	562f127b835531599169a09bde0a87ecaea2fc56eb12746766c14dc6e607ade8.exe
1940	562f127b835531599169a09bde0a87ecaea2fc56eb12746766c14dc6e607ade8.exe
1940	562f127b835531599169a09bde0a87ecaea2fc56eb12746766c14dc6e607ade8.exe
1940	562f127b835531599169a09bde0a87ecaea2fc56eb12746766c14dc6e607ade8.exe
1940	562f127b835531599169a09bde0a87ecaea2fc56eb12746766c14dc6e607ade8.exe
1940	562f127b835531599169a09bde0a87ecaea2fc56eb12746766c14dc6e607ade8.exe
1940	562f127b835531599169a09bde0a87ecaea2fc56eb12746766c14dc6e607ade8.exe
1940	562f127b835531599169a09bde0a87ecaea2fc56eb12746766c14dc6e607ade8.exe
1940	562f127b835531599169a09bde0a87ecaea2fc56eb12746766c14dc6e607ade8.exe
1940	562f127b835531599169a09bde0a87ecaea2fc56eb12746766c14dc6e607ade8.exe
1940	562f127b835531599169a09bde0a87ecaea2fc56eb12746766c14dc6e607ade8.exe
1940	562f127b835531599169a09bde0a87ecaea2fc56eb12746766c14dc6e607ade8.exe
1940	562f127b835531599169a09bde0a87ecaea2fc56eb12746766c14dc6e607ade8.exe
1940	562f127b835531599169a09bde0a87ecaea2fc56eb12746766c14dc6e607ade8.exe
1940	562f127b835531599169a09bde0a87ecaea2fc56eb12746766c14dc6e607ade8.exe
1940	562f127b835531599169a09bde0a87ecaea2fc56eb12746766c14dc6e607ade8.exe
1940	562f127b835531599169a09bde0a87ecaea2fc56eb12746766c14dc6e607ade8.exe
1940	562f127b835531599169a09bde0a87ecaea2fc56eb12746766c14dc6e607ade8.exe
1940	562f127b835531599169a09bde0a87ecaea2fc56eb12746766c14dc6e607ade8.exe
1940	562f127b835531599169a09bde0a87ecaea2fc56eb12746766c14dc6e607ade8.exe
1940	562f127b835531599169a09bde0a87ecaea2fc56eb12746766c14dc6e607ade8.exe
1940	562f127b835531599169a09bde0a87ecaea2fc56eb12746766c14dc6e607ade8.exe
1940	562f127b835531599169a09bde0a87ecaea2fc56eb12746766c14dc6e607ade8.exe
1940	562f127b835531599169a09bde0a87ecaea2fc56eb12746766c14dc6e607ade8.exe
1940	562f127b835531599169a09bde0a87ecaea2fc56eb12746766c14dc6e607ade8.exe
1940	562f127b835531599169a09bde0a87ecaea2fc56eb12746766c14dc6e607ade8.exe
1940	562f127b835531599169a09bde0a87ecaea2fc56eb12746766c14dc6e607ade8.exe
1940	562f127b835531599169a09bde0a87ecaea2fc56eb12746766c14dc6e607ade8.exe
1940	562f127b835531599169a09bde0a87ecaea2fc56eb12746766c14dc6e607ade8.exe
1940	562f127b835531599169a09bde0a87ecaea2fc56eb12746766c14dc6e607ade8.exe
1940	562f127b835531599169a09bde0a87ecaea2fc56eb12746766c14dc6e607ade8.exe
1940	562f127b835531599169a09bde0a87ecaea2fc56eb12746766c14dc6e607ade8.exe
1940	562f127b835531599169a09bde0a87ecaea2fc56eb12746766c14dc6e607ade8.exe
1940	562f127b835531599169a09bde0a87ecaea2fc56eb12746766c14dc6e607ade8.exe
1940	562f127b835531599169a09bde0a87ecaea2fc56eb12746766c14dc6e607ade8.exe
1940	562f127b835531599169a09bde0a87ecaea2fc56eb12746766c14dc6e607ade8.exe
1940	562f127b835531599169a09bde0a87ecaea2fc56eb12746766c14dc6e607ade8.exe
1940	562f127b835531599169a09bde0a87ecaea2fc56eb12746766c14dc6e607ade8.exe
1940	562f127b835531599169a09bde0a87ecaea2fc56eb12746766c14dc6e607ade8.exe
1940	562f127b835531599169a09bde0a87ecaea2fc56eb12746766c14dc6e607ade8.exe
1940	562f127b835531599169a09bde0a87ecaea2fc56eb12746766c14dc6e607ade8.exe
1940	562f127b835531599169a09bde0a87ecaea2fc56eb12746766c14dc6e607ade8.exe
1940	562f127b835531599169a09bde0a87ecaea2fc56eb12746766c14dc6e607ade8.exe
1940	562f127b835531599169a09bde0a87ecaea2fc56eb12746766c14dc6e607ade8.exe
1940	562f127b835531599169a09bde0a87ecaea2fc56eb12746766c14dc6e607ade8.exe
1940	562f127b835531599169a09bde0a87ecaea2fc56eb12746766c14dc6e607ade8.exe
1940	562f127b835531599169a09bde0a87ecaea2fc56eb12746766c14dc6e607ade8.exe
1940	562f127b835531599169a09bde0a87ecaea2fc56eb12746766c14dc6e607ade8.exe
1940	562f127b835531599169a09bde0a87ecaea2fc56eb12746766c14dc6e607ade8.exe
1940	562f127b835531599169a09bde0a87ecaea2fc56eb12746766c14dc6e607ade8.exe
1940	562f127b835531599169a09bde0a87ecaea2fc56eb12746766c14dc6e607ade8.exe
1940	562f127b835531599169a09bde0a87ecaea2fc56eb12746766c14dc6e607ade8.exe
1940	562f127b835531599169a09bde0a87ecaea2fc56eb12746766c14dc6e607ade8.exe
1940	562f127b835531599169a09bde0a87ecaea2fc56eb12746766c14dc6e607ade8.exe
1940	562f127b835531599169a09bde0a87ecaea2fc56eb12746766c14dc6e607ade8.exe
1940	562f127b835531599169a09bde0a87ecaea2fc56eb12746766c14dc6e607ade8.exe
1940	562f127b835531599169a09bde0a87ecaea2fc56eb12746766c14dc6e607ade8.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

562f127b835531599169a09bde0a87ecaea2fc56eb12746766c14dc6e607ade8.exe

pid process

880 562f127b835531599169a09bde0a87ecaea2fc56eb12746766c14dc6e607ade8.exe

pid	process
880	562f127b835531599169a09bde0a87ecaea2fc56eb12746766c14dc6e607ade8.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

Processes:

562f127b835531599169a09bde0a87ecaea2fc56eb12746766c14dc6e607ade8.exeWMIC.exevssvc.exeAUDIODG.EXE

description	pid	process
Token: SeDebugPrivilege	1940	562f127b835531599169a09bde0a87ecaea2fc56eb12746766c14dc6e607ade8.exe
Token: SeIncreaseQuotaPrivilege	2028	WMIC.exe
Token: SeSecurityPrivilege	2028	WMIC.exe
Token: SeTakeOwnershipPrivilege	2028	WMIC.exe
Token: SeLoadDriverPrivilege	2028	WMIC.exe
Token: SeSystemProfilePrivilege	2028	WMIC.exe
Token: SeSystemtimePrivilege	2028	WMIC.exe
Token: SeProfSingleProcessPrivilege	2028	WMIC.exe
Token: SeIncBasePriorityPrivilege	2028	WMIC.exe
Token: SeCreatePagefilePrivilege	2028	WMIC.exe
Token: SeBackupPrivilege	2028	WMIC.exe
Token: SeRestorePrivilege	2028	WMIC.exe
Token: SeShutdownPrivilege	2028	WMIC.exe
Token: SeDebugPrivilege	2028	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2028	WMIC.exe
Token: SeRemoteShutdownPrivilege	2028	WMIC.exe
Token: SeUndockPrivilege	2028	WMIC.exe
Token: SeManageVolumePrivilege	2028	WMIC.exe
Token: 33	2028	WMIC.exe
Token: 34	2028	WMIC.exe
Token: 35	2028	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2028	WMIC.exe
Token: SeSecurityPrivilege	2028	WMIC.exe
Token: SeTakeOwnershipPrivilege	2028	WMIC.exe
Token: SeLoadDriverPrivilege	2028	WMIC.exe
Token: SeSystemProfilePrivilege	2028	WMIC.exe
Token: SeSystemtimePrivilege	2028	WMIC.exe
Token: SeProfSingleProcessPrivilege	2028	WMIC.exe
Token: SeIncBasePriorityPrivilege	2028	WMIC.exe
Token: SeCreatePagefilePrivilege	2028	WMIC.exe
Token: SeBackupPrivilege	2028	WMIC.exe
Token: SeRestorePrivilege	2028	WMIC.exe
Token: SeShutdownPrivilege	2028	WMIC.exe
Token: SeDebugPrivilege	2028	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2028	WMIC.exe
Token: SeRemoteShutdownPrivilege	2028	WMIC.exe
Token: SeUndockPrivilege	2028	WMIC.exe
Token: SeManageVolumePrivilege	2028	WMIC.exe
Token: 33	2028	WMIC.exe
Token: 34	2028	WMIC.exe
Token: 35	2028	WMIC.exe
Token: SeBackupPrivilege	1732	vssvc.exe
Token: SeRestorePrivilege	1732	vssvc.exe
Token: SeAuditPrivilege	1732	vssvc.exe
Token: 33	308	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	308	AUDIODG.EXE
Token: 33	308	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	308	AUDIODG.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

562f127b835531599169a09bde0a87ecaea2fc56eb12746766c14dc6e607ade8.exe562f127b835531599169a09bde0a87ecaea2fc56eb12746766c14dc6e607ade8.execmd.exe

description	pid	process	target process
PID 880 wrote to memory of 1940	880	562f127b835531599169a09bde0a87ecaea2fc56eb12746766c14dc6e607ade8.exe	562f127b835531599169a09bde0a87ecaea2fc56eb12746766c14dc6e607ade8.exe
PID 880 wrote to memory of 1940	880	562f127b835531599169a09bde0a87ecaea2fc56eb12746766c14dc6e607ade8.exe	562f127b835531599169a09bde0a87ecaea2fc56eb12746766c14dc6e607ade8.exe
PID 880 wrote to memory of 1940	880	562f127b835531599169a09bde0a87ecaea2fc56eb12746766c14dc6e607ade8.exe	562f127b835531599169a09bde0a87ecaea2fc56eb12746766c14dc6e607ade8.exe
PID 880 wrote to memory of 1940	880	562f127b835531599169a09bde0a87ecaea2fc56eb12746766c14dc6e607ade8.exe	562f127b835531599169a09bde0a87ecaea2fc56eb12746766c14dc6e607ade8.exe
PID 880 wrote to memory of 1940	880	562f127b835531599169a09bde0a87ecaea2fc56eb12746766c14dc6e607ade8.exe	562f127b835531599169a09bde0a87ecaea2fc56eb12746766c14dc6e607ade8.exe
PID 1940 wrote to memory of 1124	1940	562f127b835531599169a09bde0a87ecaea2fc56eb12746766c14dc6e607ade8.exe	cmd.exe
PID 1940 wrote to memory of 1124	1940	562f127b835531599169a09bde0a87ecaea2fc56eb12746766c14dc6e607ade8.exe	cmd.exe
PID 1940 wrote to memory of 1124	1940	562f127b835531599169a09bde0a87ecaea2fc56eb12746766c14dc6e607ade8.exe	cmd.exe
PID 1940 wrote to memory of 1124	1940	562f127b835531599169a09bde0a87ecaea2fc56eb12746766c14dc6e607ade8.exe	cmd.exe
PID 1124 wrote to memory of 2028	1124	cmd.exe	WMIC.exe
PID 1124 wrote to memory of 2028	1124	cmd.exe	WMIC.exe
PID 1124 wrote to memory of 2028	1124	cmd.exe	WMIC.exe

C:\Users\Admin\AppData\Local\Temp\562f127b835531599169a09bde0a87ecaea2fc56eb12746766c14dc6e607ade8.exe
"C:\Users\Admin\AppData\Local\Temp\562f127b835531599169a09bde0a87ecaea2fc56eb12746766c14dc6e607ade8.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:880

C:\Users\Admin\AppData\Local\Temp\562f127b835531599169a09bde0a87ecaea2fc56eb12746766c14dc6e607ade8.exe
"C:\Users\Admin\AppData\Local\Temp\562f127b835531599169a09bde0a87ecaea2fc56eb12746766c14dc6e607ade8.exe"
2⤵
- Modifies extensions of user files
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1940

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:1124

C:\Windows\system32\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic.exe shadowcopy delete
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2028

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1732

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
1⤵
PID:1604

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x1d8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:308

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

1

T1107

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Network Service Scanning

1

T1046

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

1

T1490

Defacement

1

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsiFF48.tmp\System.dll
Filesize
11KB

MD5
3e6bf00b3ac976122f982ae2aadb1c51

SHA1
caab188f7fdc84d3fdcb2922edeeb5ed576bd31d

SHA256
4ff9b2678d698677c5d9732678f9cf53f17290e09d053691aac4cc6e6f595cbe

SHA512
1286f05e6a7e6b691f6e479638e7179897598e171b52eb3a3dc0e830415251069d29416b6d1ffc6d7dce8da5625e1479be06db9b7179e7776659c5c1ad6aa706

Download Submit
memory/880-54-0x00000000762D1000-0x00000000762D3000-memory.dmp

Filesize
8KB

Download
memory/880-56-0x00000000004D0000-0x00000000004D4000-memory.dmp

Filesize
16KB

Download
memory/880-59-0x00000000004D0000-0x00000000004D4000-memory.dmp

Filesize
16KB

Download
memory/1124-61-0x0000000000000000-mapping.dmp

Download
memory/1940-57-0x00000000004028CF-mapping.dmp

Download
memory/1940-60-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1940-63-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2028-62-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads