Analysis
- max time kernel: 150s
- max time network: 138s
- platform: windows7_x64
- resource: win7-20220718-en
- resource tags: arch:x64, arch:x86, image:win7-20220718-en, locale:en-us, os:windows7-x64, system
- submitted: 25-07-2022 05:08
Static task: static1
Behavioral task: behavioral1
- Sample: 562f127b835531599169a09bde0a87ecaea2fc56eb12746766c14dc6e607ade8.exe
- Resource: win7-20220718-en
Behavioral task: behavioral2
- Sample: 562f127b835531599169a09bde0a87ecaea2fc56eb12746766c14dc6e607ade8.exe
- Resource: win10v2004-20220721-en
General
- Target: 562f127b835531599169a09bde0a87ecaea2fc56eb12746766c14dc6e607ade8.exe
- Size: 253KB
- MD5: 504095753fec8c61d54b4f5f6c1e3b1b
- SHA1: 97292439666f783373cdfc32c911daadc2f64650
- SHA256: 562f127b835531599169a09bde0a87ecaea2fc56eb12746766c14dc6e607ade8
- SHA512: 52d5494d2e564ac62db419cf70735d9923b1641cb20482bf4529619651539cd3e8ca0ac6068418149e9947f905af270ce7df76909ecc38344c1f82d902a94345
Malware Config
Signatures
- suricata: ET MALWARE Ransomware/Cerber Checkin 2
- suricata: ET MALWARE Ransomware/Cerber Checkin M3 (9)
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Contacts a large (512) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Modifies extensions of user files (1 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes (description | ioc | process):
  File opened for modification | C:\Users\Admin\Pictures\SaveRegister.tiff | 562f127b835531599169a09bde0a87ecaea2fc56eb12746766c14dc6e607ade8.exe
- Loads dropped DLL (1 IoCs)
  Processes (pid | process):
  880 | 562f127b835531599169a09bde0a87ecaea2fc56eb12746766c14dc6e607ade8.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
  Processes (description | ioc | process):
  Set value (str) | \REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmpC80.bmp" | 562f127b835531599169a09bde0a87ecaea2fc56eb12746766c14dc6e607ade8.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes (description | pid | process | target process):
  PID 880 set thread context of 1940 | 880 | 562f127b835531599169a09bde0a87ecaea2fc56eb12746766c14dc6e607ade8.exe | 562f127b835531599169a09bde0a87ecaea2fc56eb12746766c14dc6e607ade8.exe
- Drops file in Program Files directory (6 IoCs)
  Processes (description | ioc | process), all six rows from 562f127b835531599169a09bde0a87ecaea2fc56eb12746766c14dc6e607ade8.exe:
  File created | C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\README.hta
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\BLANK.ONE
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\BUSINESS.ONE
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\DESIGNER.ONE
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\PLANNERS.ONE
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\ACADEMIC.ONE
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes (pid | process):
  1940 | 562f127b835531599169a09bde0a87ecaea2fc56eb12746766c14dc6e607ade8.exe (this single entry is repeated 64 times in the report)
- Suspicious behavior: MapViewOfSection (1 IoCs)
  Processes (pid | process):
  880 | 562f127b835531599169a09bde0a87ecaea2fc56eb12746766c14dc6e607ade8.exe
- Suspicious use of AdjustPrivilegeToken (48 IoCs)
  Processes (token | pid | process), grouped by process:
  562f127b835531599169a09bde0a87ecaea2fc56eb12746766c14dc6e607ade8.exe (pid 1940): SeDebugPrivilege
  WMIC.exe (pid 2028), the following run of 20 tokens is recorded twice: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
  vssvc.exe (pid 1732): SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
  AUDIODG.EXE (pid 308): 33, SeIncBasePriorityPrivilege, 33, SeIncBasePriorityPrivilege
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description | pid | process | target process):
  PID 880 wrote to memory of 1940 | 880 | 562f127b835531599169a09bde0a87ecaea2fc56eb12746766c14dc6e607ade8.exe | 562f127b835531599169a09bde0a87ecaea2fc56eb12746766c14dc6e607ade8.exe (recorded 5 times)
  PID 1940 wrote to memory of 1124 | 1940 | 562f127b835531599169a09bde0a87ecaea2fc56eb12746766c14dc6e607ade8.exe | cmd.exe (recorded 4 times)
  PID 1124 wrote to memory of 2028 | 1124 | cmd.exe | WMIC.exe (recorded 3 times)
Processes (process tree; nesting shows parent/child depth)
- C:\Users\Admin\AppData\Local\Temp\562f127b835531599169a09bde0a87ecaea2fc56eb12746766c14dc6e607ade8.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\562f127b835531599169a09bde0a87ecaea2fc56eb12746766c14dc6e607ade8.exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\562f127b835531599169a09bde0a87ecaea2fc56eb12746766c14dc6e607ade8.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\562f127b835531599169a09bde0a87ecaea2fc56eb12746766c14dc6e607ade8.exe"
    - Modifies extensions of user files
    - Sets desktop wallpaper using registry
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe"
      - Suspicious use of WriteProcessMemory
      - C:\Windows\system32\wbem\WMIC.exe
        Command line: C:\Windows\system32\wbem\wmic.exe shadowcopy delete
        - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\DllHost.exe
  Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
- C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x1d8
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- \Users\Admin\AppData\Local\Temp\nsiFF48.tmp\System.dll
  Filesize: 11KB
  MD5: 3e6bf00b3ac976122f982ae2aadb1c51
  SHA1: caab188f7fdc84d3fdcb2922edeeb5ed576bd31d
  SHA256: 4ff9b2678d698677c5d9732678f9cf53f17290e09d053691aac4cc6e6f595cbe
  SHA512: 1286f05e6a7e6b691f6e479638e7179897598e171b52eb3a3dc0e830415251069d29416b6d1ffc6d7dce8da5625e1479be06db9b7179e7776659c5c1ad6aa706
- memory/880-54-0x00000000762D1000-0x00000000762D3000-memory.dmp
  Filesize: 8KB
- memory/880-56-0x00000000004D0000-0x00000000004D4000-memory.dmp
  Filesize: 16KB
- memory/880-59-0x00000000004D0000-0x00000000004D4000-memory.dmp
  Filesize: 16KB
- memory/1124-61-0x0000000000000000-mapping.dmp
- memory/1940-57-0x00000000004028CF-mapping.dmp
- memory/1940-60-0x0000000000400000-0x0000000000431000-memory.dmp
  Filesize: 196KB
- memory/1940-63-0x0000000000400000-0x0000000000431000-memory.dmp
  Filesize: 196KB
- memory/2028-62-0x0000000000000000-mapping.dmp