Analysis
- max time kernel: 150s
- max time network: 145s
- platform: windows10-2004_x64
- resource: win10v2004-20220721-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220721-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25-07-2022 06:06

Static task: static1

Behavioral task: behavioral1
- Sample: 5607414907c0494f734000ba029c6b74a0eafdf2bfbecc24d410855108635100.exe
- Resource: win7-20220715-en

Behavioral task: behavioral2
- Sample: 5607414907c0494f734000ba029c6b74a0eafdf2bfbecc24d410855108635100.exe
- Resource: win10v2004-20220721-en
General
- Target: 5607414907c0494f734000ba029c6b74a0eafdf2bfbecc24d410855108635100.exe
- Size: 382KB
- MD5: 432ad4941c057927786e3b6646ecf2f3
- SHA1: 45babe449954544219054e327523de5812597eaa
- SHA256: 5607414907c0494f734000ba029c6b74a0eafdf2bfbecc24d410855108635100
- SHA512: 8b8fa755cf8a18fe7a822edcb977e8d8ee7615ccc56f5eac5c4eb7113f1faa8c983a9da18a08923c7e14d1bc86f2cae7d0a98322e8fcb8fb180733c0e9b04ab3
Malware Config
Signatures
Cerber (2 IoCs)
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
Processes: 5607414907c0494f734000ba029c6b74a0eafdf2bfbecc24d410855108635100.exe, gpresult.exe
- Mutant opened: shell.{A431E284-FF41-2B74-3E2C-52A35D2135D0} (5607414907c0494f734000ba029c6b74a0eafdf2bfbecc24d410855108635100.exe)
- Mutant created: shell.{A431E284-FF41-2B74-3E2C-52A35D2135D0} (gpresult.exe)
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
Processes: 5607414907c0494f734000ba029c6b74a0eafdf2bfbecc24d410855108635100.exe, gpresult.exe
- Set value (int): \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (5607414907c0494f734000ba029c6b74a0eafdf2bfbecc24d410855108635100.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (gpresult.exe)
suricata: ET MALWARE Ransomware/Cerber Checkin 2
Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Modifies boot configuration data using bcdedit (1 TTPs, 2 IoCs)
Processes: bcdedit.exe
- pid 2380: bcdedit.exe
- pid 3532: bcdedit.exe
Adds policy Run key to start application (2 TTPs, 2 IoCs)
Processes: 5607414907c0494f734000ba029c6b74a0eafdf2bfbecc24d410855108635100.exe, gpresult.exe
- Set value (str): \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{A2960505-E42D-C35E-0E5A-BF98F493D4A2}\\gpresult.exe\"" (5607414907c0494f734000ba029c6b74a0eafdf2bfbecc24d410855108635100.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{A2960505-E42D-C35E-0E5A-BF98F493D4A2}\\gpresult.exe\"" (gpresult.exe)
Contacts a large (530) amount of remote hosts (1 TTPs)
This may indicate a network scan to discover remotely running services.

Executes dropped EXE (1 IoCs)
Processes: gpresult.exe
- pid 3096: gpresult.exe
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: gpresult.exe
- Key value queried: \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\International\Geo\Nation (gpresult.exe)

Drops startup file (1 IoCs)
Processes: 5607414907c0494f734000ba029c6b74a0eafdf2bfbecc24d410855108635100.exe
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\gpresult.lnk (5607414907c0494f734000ba029c6b74a0eafdf2bfbecc24d410855108635100.exe)
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 8 IoCs)
Processes: gpresult.exe, 5607414907c0494f734000ba029c6b74a0eafdf2bfbecc24d410855108635100.exe
- Set value (str): \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gpresult = "\"C:\\Users\\Admin\\AppData\\Roaming\\{A2960505-E42D-C35E-0E5A-BF98F493D4A2}\\gpresult.exe\"" (gpresult.exe)
- Key created: \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce (gpresult.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\gpresult = "\"C:\\Users\\Admin\\AppData\\Roaming\\{A2960505-E42D-C35E-0E5A-BF98F493D4A2}\\gpresult.exe\"" (gpresult.exe)
- Key created: \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Software\Microsoft\Windows\CurrentVersion\Run (5607414907c0494f734000ba029c6b74a0eafdf2bfbecc24d410855108635100.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gpresult = "\"C:\\Users\\Admin\\AppData\\Roaming\\{A2960505-E42D-C35E-0E5A-BF98F493D4A2}\\gpresult.exe\"" (5607414907c0494f734000ba029c6b74a0eafdf2bfbecc24d410855108635100.exe)
- Key created: \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce (5607414907c0494f734000ba029c6b74a0eafdf2bfbecc24d410855108635100.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\gpresult = "\"C:\\Users\\Admin\\AppData\\Roaming\\{A2960505-E42D-C35E-0E5A-BF98F493D4A2}\\gpresult.exe\"" (5607414907c0494f734000ba029c6b74a0eafdf2bfbecc24d410855108635100.exe)
- Key created: \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Software\Microsoft\Windows\CurrentVersion\Run (gpresult.exe)
Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Network flows:
- flow 4: ip-api.com
- flow 548: ipinfo.io
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Interacts with shadow copies (2 TTPs, 1 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes: vssadmin.exe
- pid 1380: vssadmin.exe

Kills process with taskkill (1 IoCs)
Processes: taskkill.exe
- pid 3800: taskkill.exe

Modifies Control Panel (4 IoCs)
Processes: 5607414907c0494f734000ba029c6b74a0eafdf2bfbecc24d410855108635100.exe, gpresult.exe
- Set value (str): \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{A2960505-E42D-C35E-0E5A-BF98F493D4A2}\\gpresult.exe\"" (5607414907c0494f734000ba029c6b74a0eafdf2bfbecc24d410855108635100.exe)
- Key created: \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\Desktop (gpresult.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{A2960505-E42D-C35E-0E5A-BF98F493D4A2}\\gpresult.exe\"" (gpresult.exe)
- Key created: \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\Desktop (5607414907c0494f734000ba029c6b74a0eafdf2bfbecc24d410855108635100.exe)
Runs ping.exe (1 TTPs, 1 IoCs)

Suspicious use of AdjustPrivilegeToken (48 IoCs)
Processes: 5607414907c0494f734000ba029c6b74a0eafdf2bfbecc24d410855108635100.exe, taskkill.exe, gpresult.exe, vssvc.exe, wmic.exe
- Token: SeDebugPrivilege, pid 1772, 5607414907c0494f734000ba029c6b74a0eafdf2bfbecc24d410855108635100.exe
- Token: SeDebugPrivilege, pid 3800, taskkill.exe
- Token: SeDebugPrivilege, pid 3096, gpresult.exe
- Token: SeBackupPrivilege, pid 1052, vssvc.exe
- Token: SeRestorePrivilege, pid 1052, vssvc.exe
- Token: SeAuditPrivilege, pid 1052, vssvc.exe
- pid 604, wmic.exe, the following 21 tokens recorded twice in this order: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36

Suspicious use of WriteProcessMemory (20 IoCs)
Processes: 5607414907c0494f734000ba029c6b74a0eafdf2bfbecc24d410855108635100.exe, cmd.exe, gpresult.exe
- PID 1772 (5607414907c0494f734000ba029c6b74a0eafdf2bfbecc24d410855108635100.exe) wrote to memory of 3096 (gpresult.exe), 3 times
- PID 1772 (5607414907c0494f734000ba029c6b74a0eafdf2bfbecc24d410855108635100.exe) wrote to memory of 624 (cmd.exe), 3 times
- PID 624 (cmd.exe) wrote to memory of 3800 (taskkill.exe), 3 times
- PID 624 (cmd.exe) wrote to memory of 4060 (PING.EXE), 3 times
- PID 3096 (gpresult.exe) wrote to memory of 1380 (vssadmin.exe), 2 times
- PID 3096 (gpresult.exe) wrote to memory of 604 (wmic.exe), 2 times
- PID 3096 (gpresult.exe) wrote to memory of 2380 (bcdedit.exe), 2 times
- PID 3096 (gpresult.exe) wrote to memory of 3532 (bcdedit.exe), 2 times
Processes
- C:\Users\Admin\AppData\Local\Temp\5607414907c0494f734000ba029c6b74a0eafdf2bfbecc24d410855108635100.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5607414907c0494f734000ba029c6b74a0eafdf2bfbecc24d410855108635100.exe"
  Signatures:
  - Cerber
  - Modifies visibility of hidden/system files in Explorer
  - Adds policy Run key to start application
  - Drops startup file
  - Adds Run key to start application
  - Modifies Control Panel
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Children:
  - C:\Users\Admin\AppData\Roaming\{A2960505-E42D-C35E-0E5A-BF98F493D4A2}\gpresult.exe
    Command line: "C:\Users\Admin\AppData\Roaming\{A2960505-E42D-C35E-0E5A-BF98F493D4A2}\gpresult.exe"
    Signatures:
    - Cerber
    - Modifies visibility of hidden/system files in Explorer
    - Adds policy Run key to start application
    - Executes dropped EXE
    - Checks computer location settings
    - Adds Run key to start application
    - Modifies Control Panel
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    Children:
    - C:\Windows\system32\vssadmin.exe
      Command line: "C:\Windows\system32\vssadmin.exe" delete shadows /all /quiet
      Signatures: Interacts with shadow copies
    - C:\Windows\system32\wbem\wmic.exe
      Command line: "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
      Signatures: Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\bcdedit.exe
      Command line: "C:\Windows\System32\bcdedit.exe" /set {default} recoveryenabled no
      Signatures: Modifies boot configuration data using bcdedit
    - C:\Windows\System32\bcdedit.exe
      Command line: "C:\Windows\System32\bcdedit.exe" /set {default} bootstatuspolicy ignoreallfailures
      Signatures: Modifies boot configuration data using bcdedit
  - C:\Windows\SysWOW64\cmd.exe
    Command line: /d /c taskkill /f /im "5607414907c0494f734000ba029c6b74a0eafdf2bfbecc24d410855108635100.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\5607414907c0494f734000ba029c6b74a0eafdf2bfbecc24d410855108635100.exe" > NUL
    Signatures: Suspicious use of WriteProcessMemory
    Children:
    - C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /f /im "5607414907c0494f734000ba029c6b74a0eafdf2bfbecc24d410855108635100.exe"
      Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping -n 1 127.0.0.1
      Signatures: Runs ping.exe
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  Signatures: Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\ODIFJ91X\json[1].json
  Filesize: 302B
  MD5: 8ea85462999d0b5942e53b071bd59ae4
  SHA1: 6b5b5dc3e4cc7245987c0b05809d4a78dbd09d21
  SHA256: 1855b73d3c877b3812d32b5b8ee65953f59ddb7b4908ea7ca30b3205c7340e6b
  SHA512: 7b7b1b58e2db79f9fc34684cd21d8223ab4206bc95566c40df5b8d1d3f11e437f3270021ed3ebc0f58282f24672cc8b21a4d378cc793149b6f2f5e1930eb1ed5

- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\gpresult.lnk
  Filesize: 1KB
  MD5: 4323b367fdb4cf2599b2bb9e106a6c34
  SHA1: ad05b73551d7204feeaf462031702d64b486437f
  SHA256: bada440c4bb65c19fa89440600211d516e6cd0c453025a36fd693616bb5abb95
  SHA512: 803dee08b3c0a04a498cdebe48a3b86dd57f9de2e2e10033c9a8073b1d4c36cfa478717c1268647fc3bdc747b630c246a04bccc32d9650a37101675130f90458

- C:\Users\Admin\AppData\Roaming\{A2960505-E42D-C35E-0E5A-BF98F493D4A2}\gpresult.exe
  Filesize: 382KB
  MD5: 432ad4941c057927786e3b6646ecf2f3
  SHA1: 45babe449954544219054e327523de5812597eaa
  SHA256: 5607414907c0494f734000ba029c6b74a0eafdf2bfbecc24d410855108635100
  SHA512: 8b8fa755cf8a18fe7a822edcb977e8d8ee7615ccc56f5eac5c4eb7113f1faa8c983a9da18a08923c7e14d1bc86f2cae7d0a98322e8fcb8fb180733c0e9b04ab3
- memory/604-144-0x0000000000000000-mapping.dmp
- memory/624-136-0x0000000000000000-mapping.dmp
- memory/1380-143-0x0000000000000000-mapping.dmp
- memory/1772-131-0x0000000000400000-0x0000000000462000-memory.dmp (Filesize: 392KB)
- memory/1772-137-0x0000000000400000-0x000000000043A000-memory.dmp (Filesize: 232KB)
- memory/1772-132-0x0000000000400000-0x0000000000462000-memory.dmp (Filesize: 392KB)
- memory/1772-130-0x00000000021B0000-0x00000000021E5000-memory.dmp (Filesize: 212KB)
- memory/2380-145-0x0000000000000000-mapping.dmp
- memory/3096-142-0x0000000000400000-0x0000000000462000-memory.dmp (Filesize: 392KB)
- memory/3096-133-0x0000000000000000-mapping.dmp
- memory/3096-141-0x0000000000400000-0x0000000000462000-memory.dmp (Filesize: 392KB)
- memory/3532-146-0x0000000000000000-mapping.dmp
- memory/3800-139-0x0000000000000000-mapping.dmp
- memory/4060-140-0x0000000000000000-mapping.dmp