Analysis
- max time kernel: 148s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240221-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240221-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26-02-2024 08:21
Static task: static1
Behavioral task behavioral1
- Sample: 2017-01-01-pseudoDarkleech-Rig-V-payload-Cerber-radA2306.tmp.exe
- Resource: win7-20240215-en
Behavioral task behavioral2
- Sample: 2017-01-01-pseudoDarkleech-Rig-V-payload-Cerber-radA2306.tmp.exe
- Resource: win10v2004-20240221-en
Behavioral task behavioral3
- Sample: $PLUGINSDIR/System.dll
- Resource: win7-20240221-en
Behavioral task behavioral4
- Sample: $PLUGINSDIR/System.dll
- Resource: win10v2004-20240221-en
General
- Target: 2017-01-01-pseudoDarkleech-Rig-V-payload-Cerber-radA2306.tmp.exe
- Size: 226KB
- MD5: 5325d9eabaad0ae40d2c586e6bae6467
- SHA1: 1b3a32c10ea3034f1229faa5fc4b6c9fc7b687b0
- SHA256: aceac1915f214f9d075751092dd8c4ea3ebde5da355ebeffce5ddee6c3e4fe48
- SHA512: 452fa48a4b1622eb9d32460917918efb0e4dd8ef0304ee435650c5df6ccd85e3c1b94d5bebf0d84b821f210d628ad75b9e6a1eb1cdca266c089696c937c11104
- SSDEEP: 3072:MAe+3aJpgWXTBucMzjrRe5bklV1CZXYXFQzg1Yl0xiR/EU1KsIdoWxMBWNQ3ZJJ0:PB+pgUubguVcrcm0u/10/dRgdzs/j73
Malware Config
Signatures
- Loads dropped DLL (1 IoCs)
  Processes: PID 1712, 2017-01-01-pseudoDarkleech-Rig-V-payload-Cerber-radA2306.tmp.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (1 IoCs)
  Processes: WerFault.exe (PID 3504), target PID 1712 (2017-01-01-pseudoDarkleech-Rig-V-payload-Cerber-radA2306.tmp.exe)
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
  - PID 1712 (2017-01-01-pseudoDarkleech-Rig-V-payload-Cerber-radA2306.tmp.exe) wrote to memory of PID 2184 (2017-01-01-pseudoDarkleech-Rig-V-payload-Cerber-radA2306.tmp.exe)
  - PID 1712 (2017-01-01-pseudoDarkleech-Rig-V-payload-Cerber-radA2306.tmp.exe) wrote to memory of PID 2184 (2017-01-01-pseudoDarkleech-Rig-V-payload-Cerber-radA2306.tmp.exe)
  - PID 1712 (2017-01-01-pseudoDarkleech-Rig-V-payload-Cerber-radA2306.tmp.exe) wrote to memory of PID 2184 (2017-01-01-pseudoDarkleech-Rig-V-payload-Cerber-radA2306.tmp.exe)
Processes
- [depth 1] C:\Users\Admin\AppData\Local\Temp\2017-01-01-pseudoDarkleech-Rig-V-payload-Cerber-radA2306.tmp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2017-01-01-pseudoDarkleech-Rig-V-payload-Cerber-radA2306.tmp.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - [depth 2] C:\Users\Admin\AppData\Local\Temp\2017-01-01-pseudoDarkleech-Rig-V-payload-Cerber-radA2306.tmp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\2017-01-01-pseudoDarkleech-Rig-V-payload-Cerber-radA2306.tmp.exe"
  - [depth 2] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1712 -s 936
    - Program crash
- [depth 1] C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1712 -ip 1712
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
- C:\Users\Admin\AppData\Local\Temp\nss73DA.tmp\System.dll
  Filesize: 11KB
  MD5: a4dd044bcd94e9b3370ccf095b31f896
  SHA1: 17c78201323ab2095bc53184aa8267c9187d5173
  SHA256: 2e226715419a5882e2e14278940ee8ef0aa648a3ef7af5b3dc252674111962bc
  SHA512: 87335a43b9ca13e1300c7c23e702e87c669e2bcf4f6065f0c684fc53165e9c1f091cc4d79a3eca3910f0518d3b647120ac0be1a68eaade2e75eaa64adfc92c5a
- memory/1712-12-0x0000000004830000-0x000000000485D000-memory.dmp
  Filesize: 180KB
- memory/1712-14-0x0000000004830000-0x000000000485D000-memory.dmp
  Filesize: 180KB