ba59903b073da0b64d323479a7a605cf5cab47856f091a3dba31291a50494314

Analysis

max time kernel
43s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
19-10-2022 14:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ba59903b073da0b64d323479a7a605cf5cab47856f091a3dba31291a50494314.exe
Size

578KB
MD5

a23f296d9f08af1b07f9636a64bf80c6
SHA1

d893fe1df9e6ae6d5aa885916acdec37b936d36d
SHA256

ba59903b073da0b64d323479a7a605cf5cab47856f091a3dba31291a50494314
SHA512

4ff71a17ceb7565cb7e6ced92241822c957b0577b50fd1123202e765449238f9fcc7cdb818590ce3504a633f38680689cfe348fd17b7faee2b2dd190d31ad145
SSDEEP

12288:yaEUYQ3n1xmVr54me2hGUqNfmleqH3IaDZrU+1c4rMjvm0Ir:yaEU33n1Or7e2hG3NEBHY6ZD13rK+1r

Score

8^/10

persistence upx

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\WindowsUpdate = "C:\\Windows\\WindowsUpdate\\winupdate.exe.exe"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\WindowsUpdate = "C:\\Windows\\WindowsUpdate\\winupdate.exe.exe"	iexplore.exe

Executes dropped EXE 2 IoCs

pid	Process
4980	ic6.exe
4952	Cerb.exe

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{8567OR7O-3CDN-4BF3-31A4-C7L005NB4CB5}	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8567OR7O-3CDN-4BF3-31A4-C7L005NB4CB5}\StubPath = "C:\\Windows\\WindowsUpdate\\winupdate.exe.exe Restart"	iexplore.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0006000000022e22-136.dat	upx
behavioral2/files/0x0006000000022e22-137.dat	upx
behavioral2/memory/4952-139-0x0000000000400000-0x00000000004EA000-memory.dmp	upx
behavioral2/memory/4952-140-0x0000000010410000-0x00000000104D4000-memory.dmp	upx
behavioral2/memory/4952-308-0x0000000000400000-0x00000000004EA000-memory.dmp	upx
behavioral2/memory/4952-501-0x0000000000400000-0x00000000004EA000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	ba59903b073da0b64d323479a7a605cf5cab47856f091a3dba31291a50494314.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Windows\\WindowsUpdate\\winupdate.exe.exe"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Windows\\WindowsUpdate\\winupdate.exe.exe"	iexplore.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\WindowsUpdate\winupdate.exe.exe	iexplore.exe
File opened for modification	C:\Windows\WindowsUpdate\winupdate.exe.exe	iexplore.exe
File opened for modification	C:\Windows\WindowsUpdate\plugin.dat	iexplore.exe
File opened for modification	C:\Windows\WindowsUpdate\	iexplore.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4952	Cerb.exe
4952	Cerb.exe
4952	Cerb.exe
4952	Cerb.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	4952	Cerb.exe
Token: SeDebugPrivilege	4952	Cerb.exe
Token: SeDebugPrivilege	4952	Cerb.exe
Token: SeDebugPrivilege	4952	Cerb.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4724 wrote to memory of 4980	4724	ba59903b073da0b64d323479a7a605cf5cab47856f091a3dba31291a50494314.exe	82
PID 4724 wrote to memory of 4980	4724	ba59903b073da0b64d323479a7a605cf5cab47856f091a3dba31291a50494314.exe	82
PID 4724 wrote to memory of 4980	4724	ba59903b073da0b64d323479a7a605cf5cab47856f091a3dba31291a50494314.exe	82
PID 4724 wrote to memory of 4952	4724	ba59903b073da0b64d323479a7a605cf5cab47856f091a3dba31291a50494314.exe	83
PID 4724 wrote to memory of 4952	4724	ba59903b073da0b64d323479a7a605cf5cab47856f091a3dba31291a50494314.exe	83
PID 4724 wrote to memory of 4952	4724	ba59903b073da0b64d323479a7a605cf5cab47856f091a3dba31291a50494314.exe	83
PID 4952 wrote to memory of 1744	4952	Cerb.exe	84
PID 4952 wrote to memory of 1744	4952	Cerb.exe	84
PID 4952 wrote to memory of 1744	4952	Cerb.exe	84
PID 4952 wrote to memory of 1744	4952	Cerb.exe	84
PID 4952 wrote to memory of 1744	4952	Cerb.exe	84
PID 4952 wrote to memory of 1744	4952	Cerb.exe	84
PID 4952 wrote to memory of 1744	4952	Cerb.exe	84
PID 4952 wrote to memory of 1744	4952	Cerb.exe	84
PID 4952 wrote to memory of 1744	4952	Cerb.exe	84
PID 4952 wrote to memory of 1744	4952	Cerb.exe	84
PID 4952 wrote to memory of 1744	4952	Cerb.exe	84
PID 4952 wrote to memory of 1744	4952	Cerb.exe	84
PID 4952 wrote to memory of 1744	4952	Cerb.exe	84
PID 4952 wrote to memory of 1744	4952	Cerb.exe	84
PID 4952 wrote to memory of 1744	4952	Cerb.exe	84
PID 4952 wrote to memory of 1744	4952	Cerb.exe	84
PID 4952 wrote to memory of 1744	4952	Cerb.exe	84
PID 4952 wrote to memory of 1744	4952	Cerb.exe	84
PID 4952 wrote to memory of 1744	4952	Cerb.exe	84
PID 4952 wrote to memory of 1744	4952	Cerb.exe	84
PID 4952 wrote to memory of 1744	4952	Cerb.exe	84
PID 4952 wrote to memory of 1744	4952	Cerb.exe	84
PID 4952 wrote to memory of 1744	4952	Cerb.exe	84
PID 4952 wrote to memory of 1744	4952	Cerb.exe	84
PID 4952 wrote to memory of 1744	4952	Cerb.exe	84
PID 4952 wrote to memory of 1744	4952	Cerb.exe	84
PID 4952 wrote to memory of 1744	4952	Cerb.exe	84
PID 4952 wrote to memory of 1744	4952	Cerb.exe	84
PID 4952 wrote to memory of 1744	4952	Cerb.exe	84
PID 4952 wrote to memory of 1744	4952	Cerb.exe	84
PID 4952 wrote to memory of 1744	4952	Cerb.exe	84
PID 4952 wrote to memory of 1744	4952	Cerb.exe	84
PID 4952 wrote to memory of 1744	4952	Cerb.exe	84
PID 4952 wrote to memory of 1744	4952	Cerb.exe	84
PID 4952 wrote to memory of 1744	4952	Cerb.exe	84
PID 4952 wrote to memory of 1744	4952	Cerb.exe	84
PID 4952 wrote to memory of 1744	4952	Cerb.exe	84
PID 4952 wrote to memory of 1744	4952	Cerb.exe	84
PID 4952 wrote to memory of 1744	4952	Cerb.exe	84
PID 4952 wrote to memory of 1744	4952	Cerb.exe	84
PID 4952 wrote to memory of 1744	4952	Cerb.exe	84
PID 4952 wrote to memory of 1744	4952	Cerb.exe	84
PID 4952 wrote to memory of 1744	4952	Cerb.exe	84
PID 4952 wrote to memory of 1744	4952	Cerb.exe	84
PID 4952 wrote to memory of 1744	4952	Cerb.exe	84
PID 4952 wrote to memory of 1744	4952	Cerb.exe	84
PID 4952 wrote to memory of 1744	4952	Cerb.exe	84
PID 4952 wrote to memory of 1744	4952	Cerb.exe	84
PID 4952 wrote to memory of 1744	4952	Cerb.exe	84
PID 4952 wrote to memory of 1744	4952	Cerb.exe	84
PID 4952 wrote to memory of 1744	4952	Cerb.exe	84
PID 4952 wrote to memory of 1744	4952	Cerb.exe	84
PID 4952 wrote to memory of 1744	4952	Cerb.exe	84
PID 4952 wrote to memory of 1744	4952	Cerb.exe	84
PID 4952 wrote to memory of 1744	4952	Cerb.exe	84
PID 4952 wrote to memory of 1744	4952	Cerb.exe	84
PID 4952 wrote to memory of 1744	4952	Cerb.exe	84
PID 4952 wrote to memory of 1744	4952	Cerb.exe	84

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:588
- C:\Windows\system32\fontdrvhost.exe
  "fontdrvhost.exe"
  2⤵
  PID:768
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:336

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:676

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:760

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1516

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2156

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
PID:2332

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2300

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2292

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:1748

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
1⤵
PID:1308

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:2008

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:1996

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1964

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1868

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1796

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1784

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1760

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1716

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s FontCache
1⤵
PID:1636

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1600

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1504

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1456

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1364

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1344

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1316

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1296

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1240

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1160

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
1⤵
PID:1128

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1096

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:900

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:632

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:460

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:396

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:956

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS -p
1⤵
PID:908

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
1⤵
PID:788

C:\Users\Admin\AppData\Local\Temp\ba59903b073da0b64d323479a7a605cf5cab47856f091a3dba31291a50494314.exe
"C:\Users\Admin\AppData\Local\Temp\ba59903b073da0b64d323479a7a605cf5cab47856f091a3dba31291a50494314.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4724
- C:\Users\Admin\AppData\Local\Temp\nsxC069.tmp\ic6.exe
  "C:\Users\Admin\AppData\Local\Temp\nsxC069.tmp\ic6.exe"
  2⤵
  - Executes dropped EXE
  PID:4980
- C:\Users\Admin\AppData\Local\Temp\nsxC069.tmp\Cerb.exe
  "C:\Users\Admin\AppData\Local\Temp\nsxC069.tmp\Cerb.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4952
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    3⤵
    - Adds policy Run key to start application
    - Modifies Installed Components in the registry
    - Adds Run key to start application
    - Drops file in Windows directory
    PID:1744

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsxC069.tmp\Cerb.exe

Filesize
635KB

MD5
ef1ae6524ed6d4c49c5f7509a800c29e

SHA1
5742b52356d9479aac13d26984c765278d3c83a6

SHA256
8828cd086182a51315e2e3c01c727b1ce4556a09ab7585464ff5449c5e3d1983

SHA512
a6802982303fb4d798d0d8ffe6d6469e376ea12ac5daeb3d6911247b473a5509338c1a0383d8252c89bc0d5a4f2c5ad07a646f7e08a0f11c131fcba9c6733079

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsxC069.tmp\Cerb.exe

Filesize
635KB

MD5
ef1ae6524ed6d4c49c5f7509a800c29e

SHA1
5742b52356d9479aac13d26984c765278d3c83a6

SHA256
8828cd086182a51315e2e3c01c727b1ce4556a09ab7585464ff5449c5e3d1983

SHA512
a6802982303fb4d798d0d8ffe6d6469e376ea12ac5daeb3d6911247b473a5509338c1a0383d8252c89bc0d5a4f2c5ad07a646f7e08a0f11c131fcba9c6733079

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsxC069.tmp\ic6.exe

Filesize
3KB

MD5
46e07fd3a40760fda18cf6b4fc691742

SHA1
53ee1a754bf5e94fa88a6ab8bb6120b4011afcfa

SHA256
bd7ca609d2fb63e14d08acab1091579c23e298b4fa2ac1e8d2daaff94fc107be

SHA512
ce13f6527cbd13002dca00b71ab38ab12e3f3f7138ada0780ad3f40e7c49946c018a00782ec957b1fd123fb439aabc0d9b3660829dabf10ddcebba08d6e2fbbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsxC069.tmp\ic6.exe

Filesize
3KB

MD5
46e07fd3a40760fda18cf6b4fc691742

SHA1
53ee1a754bf5e94fa88a6ab8bb6120b4011afcfa

SHA256
bd7ca609d2fb63e14d08acab1091579c23e298b4fa2ac1e8d2daaff94fc107be

SHA512
ce13f6527cbd13002dca00b71ab38ab12e3f3f7138ada0780ad3f40e7c49946c018a00782ec957b1fd123fb439aabc0d9b3660829dabf10ddcebba08d6e2fbbd

Download Submit
memory/4952-158-0x0000000000970000-0x000000000097A000-memory.dmp

Filesize
40KB

Download
memory/4952-179-0x00000000009A0000-0x00000000009AA000-memory.dmp

Filesize
40KB

Download
memory/4952-139-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/4952-140-0x0000000010410000-0x00000000104D4000-memory.dmp

Filesize
784KB

Download
memory/4952-144-0x0000000000950000-0x000000000095A000-memory.dmp

Filesize
40KB

Download
memory/4952-151-0x0000000000960000-0x000000000096A000-memory.dmp

Filesize
40KB

Download
memory/4952-501-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/4952-165-0x0000000000980000-0x000000000098A000-memory.dmp

Filesize
40KB

Download
memory/4952-172-0x0000000000990000-0x000000000099A000-memory.dmp

Filesize
40KB

Download
memory/4952-186-0x00000000009B0000-0x00000000009BA000-memory.dmp

Filesize
40KB

Download
memory/4952-193-0x00000000104E0000-0x00000000104EA000-memory.dmp

Filesize
40KB

Download
memory/4952-200-0x0000000002470000-0x000000000247A000-memory.dmp

Filesize
40KB

Download
memory/4952-207-0x00000000104F0000-0x00000000104FA000-memory.dmp

Filesize
40KB

Download
memory/4952-214-0x0000000010500000-0x000000001050A000-memory.dmp

Filesize
40KB

Download
memory/4952-308-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download