cerber | 17b6f13f7f0d6ba2965c68c9e7e66dab30879d1b61d286d03a41b7a183b2be98

Analysis

max time kernel
122s
max time network
126s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
28-02-2024 03:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

17b6f13f7f0d6ba2965c68c9e7e66dab30879d1b61d286d03a41b7a183b2be98.exe
Size

1.1MB
MD5

d76c44d8a9c03f21ad39d9a24649997a
SHA1

a3da6c3e8b4c9dc0e2f37541232220285c2ea556
SHA256

17b6f13f7f0d6ba2965c68c9e7e66dab30879d1b61d286d03a41b7a183b2be98
SHA512

bc6cd374978ab93fc1c8d1aaedfe0a1db57f6c281ee8e866073bd4f7131cadb92b61f9ba6a9171bff217ae9722259cb9381c91f826edd3cce3f958f9fd9a2437
SSDEEP

24576:NTRRgkObgBSIiAZQ18oVHA4zJcwPZTR51+Lcetl:NTznniAZFoVHA4d1Zt5A

Score

10^/10

cerber ransomware upx

Malware Config

Signatures

Cerber
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
ransomware cerber

Executes dropped EXE 22 IoCs

Processes:

sg.tmp双击修改主板.exeAMIDEWINx64.EXEAMIDEWINx64.EXEAMIDEWINx64.EXEAMIDEWINx64.EXEAMIDEWINx64.EXEAMIDEWINx64.EXEAMIDEWINx64.EXEAMIDEWINx64.EXEAMIDEWINx64.EXEAMIDEWINx64.EXEAMIDEWINx64.EXEAMIDEWINx64.EXEAMIDEWINx64.EXEAMIDEWINx64.EXEAMIDEWINx64.EXEAMIDEWINx64.EXEAMIDEWINx64.EXEAMIDEWINx64.EXEAMIDEWINx64.EXEAMIDEWINx64.EXE

pid	process
2496	sg.tmp
2268	双击修改主板.exe
2244	AMIDEWINx64.EXE
2292	AMIDEWINx64.EXE
2716	AMIDEWINx64.EXE
2224	AMIDEWINx64.EXE
1728	AMIDEWINx64.EXE
584	AMIDEWINx64.EXE
2468	AMIDEWINx64.EXE
2464	AMIDEWINx64.EXE
2552	AMIDEWINx64.EXE
2556	AMIDEWINx64.EXE
2612	AMIDEWINx64.EXE
1592	AMIDEWINx64.EXE
1664	AMIDEWINx64.EXE
1716	AMIDEWINx64.EXE
1692	AMIDEWINx64.EXE
764	AMIDEWINx64.EXE
1992	AMIDEWINx64.EXE
1164	AMIDEWINx64.EXE
1872	AMIDEWINx64.EXE
1544	AMIDEWINx64.EXE

Loads dropped DLL 43 IoCs

Processes:

17b6f13f7f0d6ba2965c68c9e7e66dab30879d1b61d286d03a41b7a183b2be98.execmd.exe

pid	process
2912	17b6f13f7f0d6ba2965c68c9e7e66dab30879d1b61d286d03a41b7a183b2be98.exe
2912	17b6f13f7f0d6ba2965c68c9e7e66dab30879d1b61d286d03a41b7a183b2be98.exe
2912	17b6f13f7f0d6ba2965c68c9e7e66dab30879d1b61d286d03a41b7a183b2be98.exe
2516	cmd.exe
2516	cmd.exe
2516	cmd.exe
2516	cmd.exe
2516	cmd.exe
2516	cmd.exe
2516	cmd.exe
2516	cmd.exe
2516	cmd.exe
2516	cmd.exe
2516	cmd.exe
2516	cmd.exe
2516	cmd.exe
2516	cmd.exe
2516	cmd.exe
2516	cmd.exe
2516	cmd.exe
2516	cmd.exe
2516	cmd.exe
2516	cmd.exe
2516	cmd.exe
2516	cmd.exe
2516	cmd.exe
2516	cmd.exe
2516	cmd.exe
2516	cmd.exe
2516	cmd.exe
2516	cmd.exe
2516	cmd.exe
2516	cmd.exe
2516	cmd.exe
2516	cmd.exe
2516	cmd.exe
2516	cmd.exe
2516	cmd.exe
2516	cmd.exe
2516	cmd.exe
2516	cmd.exe
2516	cmd.exe
2516	cmd.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2912-0-0x0000000000400000-0x000000000055F000-memory.dmp	upx
behavioral1/memory/2348-10-0x0000000000400000-0x000000000055F000-memory.dmp	upx
behavioral1/memory/2348-9-0x0000000000400000-0x000000000055F000-memory.dmp	upx
behavioral1/memory/2968-107-0x0000000000400000-0x000000000055F000-memory.dmp	upx
behavioral1/memory/2912-106-0x0000000000400000-0x000000000055F000-memory.dmp	upx
behavioral1/memory/2968-108-0x0000000000400000-0x000000000055F000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Kills process with taskkill 4 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

284 taskkill.exe
2204 taskkill.exe
3036 taskkill.exe
2848 taskkill.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

17b6f13f7f0d6ba2965c68c9e7e66dab30879d1b61d286d03a41b7a183b2be98.exe

pid process

2912 17b6f13f7f0d6ba2965c68c9e7e66dab30879d1b61d286d03a41b7a183b2be98.exe
Suspicious behavior: LoadsDriver 20 IoCs

Processes:

pid process

464
464
464
464
464
464
464
464
464
464
464
464
464
464
464
464
464
464
464
464

pid	process
284	taskkill.exe
2204	taskkill.exe
3036	taskkill.exe
2848	taskkill.exe

pid	process
464
464
464
464
464
464
464
464
464
464
464
464
464
464
464
464
464
464
464
464

Suspicious use of AdjustPrivilegeToken 31 IoCs

Processes:

17b6f13f7f0d6ba2965c68c9e7e66dab30879d1b61d286d03a41b7a183b2be98.exe17b6f13f7f0d6ba2965c68c9e7e66dab30879d1b61d286d03a41b7a183b2be98.exesg.tmptaskkill.exetaskkill.exetaskkill.exetaskkill.exe17b6f13f7f0d6ba2965c68c9e7e66dab30879d1b61d286d03a41b7a183b2be98.exe

description	pid	process
Token: SeBackupPrivilege	2912	17b6f13f7f0d6ba2965c68c9e7e66dab30879d1b61d286d03a41b7a183b2be98.exe
Token: SeRestorePrivilege	2912	17b6f13f7f0d6ba2965c68c9e7e66dab30879d1b61d286d03a41b7a183b2be98.exe
Token: 33	2912	17b6f13f7f0d6ba2965c68c9e7e66dab30879d1b61d286d03a41b7a183b2be98.exe
Token: SeIncBasePriorityPrivilege	2912	17b6f13f7f0d6ba2965c68c9e7e66dab30879d1b61d286d03a41b7a183b2be98.exe
Token: 33	2912	17b6f13f7f0d6ba2965c68c9e7e66dab30879d1b61d286d03a41b7a183b2be98.exe
Token: SeIncBasePriorityPrivilege	2912	17b6f13f7f0d6ba2965c68c9e7e66dab30879d1b61d286d03a41b7a183b2be98.exe
Token: 33	2912	17b6f13f7f0d6ba2965c68c9e7e66dab30879d1b61d286d03a41b7a183b2be98.exe
Token: SeIncBasePriorityPrivilege	2912	17b6f13f7f0d6ba2965c68c9e7e66dab30879d1b61d286d03a41b7a183b2be98.exe
Token: SeBackupPrivilege	2348	17b6f13f7f0d6ba2965c68c9e7e66dab30879d1b61d286d03a41b7a183b2be98.exe
Token: SeRestorePrivilege	2348	17b6f13f7f0d6ba2965c68c9e7e66dab30879d1b61d286d03a41b7a183b2be98.exe
Token: 33	2348	17b6f13f7f0d6ba2965c68c9e7e66dab30879d1b61d286d03a41b7a183b2be98.exe
Token: SeIncBasePriorityPrivilege	2348	17b6f13f7f0d6ba2965c68c9e7e66dab30879d1b61d286d03a41b7a183b2be98.exe
Token: 33	2912	17b6f13f7f0d6ba2965c68c9e7e66dab30879d1b61d286d03a41b7a183b2be98.exe
Token: SeIncBasePriorityPrivilege	2912	17b6f13f7f0d6ba2965c68c9e7e66dab30879d1b61d286d03a41b7a183b2be98.exe
Token: SeRestorePrivilege	2496	sg.tmp
Token: 35	2496	sg.tmp
Token: SeSecurityPrivilege	2496	sg.tmp
Token: SeSecurityPrivilege	2496	sg.tmp
Token: 33	2912	17b6f13f7f0d6ba2965c68c9e7e66dab30879d1b61d286d03a41b7a183b2be98.exe
Token: SeIncBasePriorityPrivilege	2912	17b6f13f7f0d6ba2965c68c9e7e66dab30879d1b61d286d03a41b7a183b2be98.exe
Token: SeDebugPrivilege	284	taskkill.exe
Token: SeDebugPrivilege	2204	taskkill.exe
Token: SeDebugPrivilege	3036	taskkill.exe
Token: SeDebugPrivilege	2848	taskkill.exe
Token: SeDebugPrivilege	2912	17b6f13f7f0d6ba2965c68c9e7e66dab30879d1b61d286d03a41b7a183b2be98.exe
Token: 33	2912	17b6f13f7f0d6ba2965c68c9e7e66dab30879d1b61d286d03a41b7a183b2be98.exe
Token: SeIncBasePriorityPrivilege	2912	17b6f13f7f0d6ba2965c68c9e7e66dab30879d1b61d286d03a41b7a183b2be98.exe
Token: SeBackupPrivilege	2968	17b6f13f7f0d6ba2965c68c9e7e66dab30879d1b61d286d03a41b7a183b2be98.exe
Token: SeRestorePrivilege	2968	17b6f13f7f0d6ba2965c68c9e7e66dab30879d1b61d286d03a41b7a183b2be98.exe
Token: 33	2968	17b6f13f7f0d6ba2965c68c9e7e66dab30879d1b61d286d03a41b7a183b2be98.exe
Token: SeIncBasePriorityPrivilege	2968	17b6f13f7f0d6ba2965c68c9e7e66dab30879d1b61d286d03a41b7a183b2be98.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

17b6f13f7f0d6ba2965c68c9e7e66dab30879d1b61d286d03a41b7a183b2be98.exe双击修改主板.execmd.exe

description	pid	process	target process
PID 2912 wrote to memory of 2116	2912	17b6f13f7f0d6ba2965c68c9e7e66dab30879d1b61d286d03a41b7a183b2be98.exe	cmd.exe
PID 2912 wrote to memory of 2116	2912	17b6f13f7f0d6ba2965c68c9e7e66dab30879d1b61d286d03a41b7a183b2be98.exe	cmd.exe
PID 2912 wrote to memory of 2116	2912	17b6f13f7f0d6ba2965c68c9e7e66dab30879d1b61d286d03a41b7a183b2be98.exe	cmd.exe
PID 2912 wrote to memory of 2116	2912	17b6f13f7f0d6ba2965c68c9e7e66dab30879d1b61d286d03a41b7a183b2be98.exe	cmd.exe
PID 2912 wrote to memory of 2348	2912	17b6f13f7f0d6ba2965c68c9e7e66dab30879d1b61d286d03a41b7a183b2be98.exe	17b6f13f7f0d6ba2965c68c9e7e66dab30879d1b61d286d03a41b7a183b2be98.exe
PID 2912 wrote to memory of 2348	2912	17b6f13f7f0d6ba2965c68c9e7e66dab30879d1b61d286d03a41b7a183b2be98.exe	17b6f13f7f0d6ba2965c68c9e7e66dab30879d1b61d286d03a41b7a183b2be98.exe
PID 2912 wrote to memory of 2348	2912	17b6f13f7f0d6ba2965c68c9e7e66dab30879d1b61d286d03a41b7a183b2be98.exe	17b6f13f7f0d6ba2965c68c9e7e66dab30879d1b61d286d03a41b7a183b2be98.exe
PID 2912 wrote to memory of 2348	2912	17b6f13f7f0d6ba2965c68c9e7e66dab30879d1b61d286d03a41b7a183b2be98.exe	17b6f13f7f0d6ba2965c68c9e7e66dab30879d1b61d286d03a41b7a183b2be98.exe
PID 2912 wrote to memory of 2496	2912	17b6f13f7f0d6ba2965c68c9e7e66dab30879d1b61d286d03a41b7a183b2be98.exe	sg.tmp
PID 2912 wrote to memory of 2496	2912	17b6f13f7f0d6ba2965c68c9e7e66dab30879d1b61d286d03a41b7a183b2be98.exe	sg.tmp
PID 2912 wrote to memory of 2496	2912	17b6f13f7f0d6ba2965c68c9e7e66dab30879d1b61d286d03a41b7a183b2be98.exe	sg.tmp
PID 2912 wrote to memory of 2496	2912	17b6f13f7f0d6ba2965c68c9e7e66dab30879d1b61d286d03a41b7a183b2be98.exe	sg.tmp
PID 2912 wrote to memory of 2268	2912	17b6f13f7f0d6ba2965c68c9e7e66dab30879d1b61d286d03a41b7a183b2be98.exe	双击修改主板.exe
PID 2912 wrote to memory of 2268	2912	17b6f13f7f0d6ba2965c68c9e7e66dab30879d1b61d286d03a41b7a183b2be98.exe	双击修改主板.exe
PID 2912 wrote to memory of 2268	2912	17b6f13f7f0d6ba2965c68c9e7e66dab30879d1b61d286d03a41b7a183b2be98.exe	双击修改主板.exe
PID 2912 wrote to memory of 2268	2912	17b6f13f7f0d6ba2965c68c9e7e66dab30879d1b61d286d03a41b7a183b2be98.exe	双击修改主板.exe
PID 2268 wrote to memory of 2516	2268	双击修改主板.exe	cmd.exe
PID 2268 wrote to memory of 2516	2268	双击修改主板.exe	cmd.exe
PID 2268 wrote to memory of 2516	2268	双击修改主板.exe	cmd.exe
PID 2268 wrote to memory of 2516	2268	双击修改主板.exe	cmd.exe
PID 2516 wrote to memory of 2296	2516	cmd.exe	reg.exe
PID 2516 wrote to memory of 2296	2516	cmd.exe	reg.exe
PID 2516 wrote to memory of 2296	2516	cmd.exe	reg.exe
PID 2516 wrote to memory of 2244	2516	cmd.exe	AMIDEWINx64.EXE
PID 2516 wrote to memory of 2244	2516	cmd.exe	AMIDEWINx64.EXE
PID 2516 wrote to memory of 2244	2516	cmd.exe	AMIDEWINx64.EXE
PID 2516 wrote to memory of 2292	2516	cmd.exe	AMIDEWINx64.EXE
PID 2516 wrote to memory of 2292	2516	cmd.exe	AMIDEWINx64.EXE
PID 2516 wrote to memory of 2292	2516	cmd.exe	AMIDEWINx64.EXE
PID 2516 wrote to memory of 2716	2516	cmd.exe	AMIDEWINx64.EXE
PID 2516 wrote to memory of 2716	2516	cmd.exe	AMIDEWINx64.EXE
PID 2516 wrote to memory of 2716	2516	cmd.exe	AMIDEWINx64.EXE
PID 2516 wrote to memory of 2224	2516	cmd.exe	AMIDEWINx64.EXE
PID 2516 wrote to memory of 2224	2516	cmd.exe	AMIDEWINx64.EXE
PID 2516 wrote to memory of 2224	2516	cmd.exe	AMIDEWINx64.EXE
PID 2516 wrote to memory of 1728	2516	cmd.exe	AMIDEWINx64.EXE
PID 2516 wrote to memory of 1728	2516	cmd.exe	AMIDEWINx64.EXE
PID 2516 wrote to memory of 1728	2516	cmd.exe	AMIDEWINx64.EXE
PID 2516 wrote to memory of 584	2516	cmd.exe	AMIDEWINx64.EXE
PID 2516 wrote to memory of 584	2516	cmd.exe	AMIDEWINx64.EXE
PID 2516 wrote to memory of 584	2516	cmd.exe	AMIDEWINx64.EXE
PID 2516 wrote to memory of 2468	2516	cmd.exe	AMIDEWINx64.EXE
PID 2516 wrote to memory of 2468	2516	cmd.exe	AMIDEWINx64.EXE
PID 2516 wrote to memory of 2468	2516	cmd.exe	AMIDEWINx64.EXE
PID 2516 wrote to memory of 2464	2516	cmd.exe	AMIDEWINx64.EXE
PID 2516 wrote to memory of 2464	2516	cmd.exe	AMIDEWINx64.EXE
PID 2516 wrote to memory of 2464	2516	cmd.exe	AMIDEWINx64.EXE
PID 2516 wrote to memory of 2552	2516	cmd.exe	AMIDEWINx64.EXE
PID 2516 wrote to memory of 2552	2516	cmd.exe	AMIDEWINx64.EXE
PID 2516 wrote to memory of 2552	2516	cmd.exe	AMIDEWINx64.EXE
PID 2516 wrote to memory of 2556	2516	cmd.exe	AMIDEWINx64.EXE
PID 2516 wrote to memory of 2556	2516	cmd.exe	AMIDEWINx64.EXE
PID 2516 wrote to memory of 2556	2516	cmd.exe	AMIDEWINx64.EXE
PID 2516 wrote to memory of 2612	2516	cmd.exe	AMIDEWINx64.EXE
PID 2516 wrote to memory of 2612	2516	cmd.exe	AMIDEWINx64.EXE
PID 2516 wrote to memory of 2612	2516	cmd.exe	AMIDEWINx64.EXE
PID 2516 wrote to memory of 1592	2516	cmd.exe	AMIDEWINx64.EXE
PID 2516 wrote to memory of 1592	2516	cmd.exe	AMIDEWINx64.EXE
PID 2516 wrote to memory of 1592	2516	cmd.exe	AMIDEWINx64.EXE
PID 2516 wrote to memory of 1664	2516	cmd.exe	AMIDEWINx64.EXE
PID 2516 wrote to memory of 1664	2516	cmd.exe	AMIDEWINx64.EXE
PID 2516 wrote to memory of 1664	2516	cmd.exe	AMIDEWINx64.EXE
PID 2516 wrote to memory of 1716	2516	cmd.exe	AMIDEWINx64.EXE
PID 2516 wrote to memory of 1716	2516	cmd.exe	AMIDEWINx64.EXE

C:\Users\Admin\AppData\Local\Temp\17b6f13f7f0d6ba2965c68c9e7e66dab30879d1b61d286d03a41b7a183b2be98.exe
"C:\Users\Admin\AppData\Local\Temp\17b6f13f7f0d6ba2965c68c9e7e66dab30879d1b61d286d03a41b7a183b2be98.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2912

C:\Windows\system32\cmd.exe
cmd.exe /c set
2⤵
PID:2116

C:\Users\Admin\AppData\Local\Temp\17b6f13f7f0d6ba2965c68c9e7e66dab30879d1b61d286d03a41b7a183b2be98.exe
PECMD**pecmd-cmd* PUTF -dd -skipb=951808 -len=155224 "C:\Users\Admin\AppData\Local\Temp\~611685326764730944.tmp",,C:\Users\Admin\AppData\Local\Temp\17b6f13f7f0d6ba2965c68c9e7e66dab30879d1b61d286d03a41b7a183b2be98.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2348

C:\Users\Admin\AppData\Local\Temp\~252900264653471257~\sg.tmp
7zG_exe x "C:\Users\Admin\AppData\Local\Temp\~611685326764730944.tmp" -y -aoa -o"C:\Users\Admin\AppData\Local\Temp\~8600868341866202821"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2496

C:\Users\Admin\AppData\Local\Temp\~8600868341866202821\双击修改主板.exe
"C:\Users\Admin\AppData\Local\Temp\~8600868341866202821\双击修改主板.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2268

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\5199.tmp\51AA.tmp\51AB.bat C:\Users\Admin\AppData\Local\Temp\~8600868341866202821\双击修改主板.exe"
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2516

C:\Windows\system32\reg.exe
REG.exe query "HKU\S-1-5-19"
4⤵
PID:2296

C:\Users\Admin\AppData\Local\Temp\~8600868341866202821\AMIDEWINx64.EXE
AMIDEWINx64.EXE /IVN "28698327165876"
4⤵
- Executes dropped EXE
PID:2244

C:\Users\Admin\AppData\Local\Temp\~8600868341866202821\AMIDEWINx64.EXE
AMIDEWINx64.EXE /IV "28698327165876"
4⤵
- Executes dropped EXE
PID:2292

C:\Users\Admin\AppData\Local\Temp\~8600868341866202821\AMIDEWINx64.EXE
AMIDEWINx64.EXE /ID "28698327165876"
4⤵
- Executes dropped EXE
PID:2716

C:\Users\Admin\AppData\Local\Temp\~8600868341866202821\AMIDEWINx64.EXE
AMIDEWINx64.EXE /SS "28698327165876"
4⤵
- Executes dropped EXE
PID:2224

C:\Users\Admin\AppData\Local\Temp\~8600868341866202821\AMIDEWINx64.EXE
AMIDEWINx64.EXE /SK "28698327165876"
4⤵
- Executes dropped EXE
PID:1728

C:\Users\Admin\AppData\Local\Temp\~8600868341866202821\AMIDEWINx64.EXE
AMIDEWINx64.EXE /SF "28698327165876"
4⤵
- Executes dropped EXE
PID:584

C:\Users\Admin\AppData\Local\Temp\~8600868341866202821\AMIDEWINx64.EXE
AMIDEWINx64.EXE /SU AUTO
4⤵
- Executes dropped EXE
PID:2468

C:\Users\Admin\AppData\Local\Temp\~8600868341866202821\AMIDEWINx64.EXE
AMIDEWINx64.EXE /BM "28698327165876"
4⤵
- Executes dropped EXE
PID:2464

C:\Users\Admin\AppData\Local\Temp\~8600868341866202821\AMIDEWINx64.EXE
AMIDEWINx64.EXE /BV "28698327165876"
4⤵
- Executes dropped EXE
PID:2552

C:\Users\Admin\AppData\Local\Temp\~8600868341866202821\AMIDEWINx64.EXE
AMIDEWINx64.EXE /BS "28698327165876"
4⤵
- Executes dropped EXE
PID:2556

C:\Users\Admin\AppData\Local\Temp\~8600868341866202821\AMIDEWINx64.EXE
AMIDEWINx64.EXE /BT "28698327165876"
4⤵
- Executes dropped EXE
PID:2612

C:\Users\Admin\AppData\Local\Temp\~8600868341866202821\AMIDEWINx64.EXE
AMIDEWINx64.EXE /BLC "28698327165876"
4⤵
- Executes dropped EXE
PID:1592

C:\Users\Admin\AppData\Local\Temp\~8600868341866202821\AMIDEWINx64.EXE
AMIDEWINx64.EXE /CM "28698327165876"
4⤵
- Executes dropped EXE
PID:1664

C:\Users\Admin\AppData\Local\Temp\~8600868341866202821\AMIDEWINx64.EXE
AMIDEWINx64.EXE /CV "28698327165876"
4⤵
- Executes dropped EXE
PID:1716

C:\Users\Admin\AppData\Local\Temp\~8600868341866202821\AMIDEWINx64.EXE
AMIDEWINx64.EXE /CA "28698327165876"
4⤵
- Executes dropped EXE
PID:1692

C:\Users\Admin\AppData\Local\Temp\~8600868341866202821\AMIDEWINx64.EXE
AMIDEWINx64.EXE /CS "28698327165876"
4⤵
- Executes dropped EXE
PID:764

C:\Users\Admin\AppData\Local\Temp\~8600868341866202821\AMIDEWINx64.EXE
AMIDEWINx64.EXE /CSK "28698327165876"
4⤵
- Executes dropped EXE
PID:1992

C:\Users\Admin\AppData\Local\Temp\~8600868341866202821\AMIDEWINx64.EXE
AMIDEWINx64.EXE /PPN "28698327165876"
4⤵
- Executes dropped EXE
PID:1164

C:\Users\Admin\AppData\Local\Temp\~8600868341866202821\AMIDEWINx64.EXE
AMIDEWINx64.EXE /PAT "28698327165876"
4⤵
- Executes dropped EXE
PID:1872

C:\Users\Admin\AppData\Local\Temp\~8600868341866202821\AMIDEWINx64.EXE
AMIDEWINx64.EXE /PSN "28698327165876"
4⤵
- Executes dropped EXE
PID:1544

C:\Windows\system32\taskkill.exe
taskkill /F /IM WmiPrvSE.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:284

C:\Windows\system32\taskkill.exe
taskkill /F /IM WmiPrvSE.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2204

C:\Windows\system32\taskkill.exe
taskkill /F /IM WmiPrvSE.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3036

C:\Windows\system32\taskkill.exe
taskkill /F /IM WmiPrvSE.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2848

C:\Users\Admin\AppData\Local\Temp\17b6f13f7f0d6ba2965c68c9e7e66dab30879d1b61d286d03a41b7a183b2be98.exe
PECMD**pecmd-cmd* EXEC -wd:C: -hide cmd /c "C:\Users\Admin\AppData\Local\Temp\~3350861552949792239.cmd"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2968

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\~3350861552949792239.cmd"
3⤵
PID:1064

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5199.tmp\51AA.tmp\51AB.bat
Filesize
1KB

MD5
81fa6f7db4a7b6684785a8777c137f9b

SHA1
42d0932587a150428d023b37eb20ab2334137c37

SHA256
238c78afb90eab713fe66bac997d2b37382aa6c746f92e0be1cc34d5dd96dff2

SHA512
8a1b3ac506587e1b04ee8689b6a9bf80dc95078cbd84c8a810b04b3e11d6680a7a11eab75ac890ee87cda128ca35a303572cee63c0d2077c8ad5ea1f27e5da16

Download Submit
C:\Users\Admin\AppData\Local\Temp\~252900264653471257~\sg.tmp
Filesize
19KB

MD5
34c2ea3b0ca571c83e71214e11f10eaa

SHA1
ae8a24420243de010d3ec9a361be41c007757d97

SHA256
db9eab5b74f9bc19bc16d377c1090ef88a98473230d14cbe3a812a383e69dd9f

SHA512
e71615ffc9d62a3662d36bc7edb328bb96cc647a34c6798a410ac7ad927d47015ae3c07cb75966723d8f5d41209b6d5fd301315c558a179c2a15102f19bde140

Download Submit
C:\Users\Admin\AppData\Local\Temp\~3350861552949792239.cmd
Filesize
373B

MD5
d9ea65a2c547e2ba577b6eff3f8bc556

SHA1
8a078bc501c321e825cb5ced15ca31e2cd2392d7

SHA256
9a6912a0d75744c6e46d4de860716bae677dae67320515987aae3760953f043a

SHA512
bcd4da5cebdafc2645b53fb8154ff6875832e50f494956799342fdce447f6b5ead477a7899313f3a6dc5103c3a59dc5bbf8c9abc16696ccd4a089990d36362b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\~611685326764730944.tmp
Filesize
151KB

MD5
763793b819f5c337ecd086d53db836bd

SHA1
f16842f911d2efc904a13d823a5569ddf3da2d65

SHA256
e8c1e5cc453dc233c1dcac0c39ed29cff9e788bd84763b7960c907ac2c58e126

SHA512
e76a16efd3e96c16c51e3a6f9c20fc8be431afc3bba63b86027ed36b6c2aed108363244de3727e1c065ff3d96cdbbe5fc539aa305868f6523c2675c3cc8c884f

Download Submit
C:\Users\Admin\AppData\Local\Temp\~8600868341866202821\AMIDEWINx64.EXE
Filesize
284KB

MD5
23e834775ae85262f045db3d71907bc5

SHA1
03c0bc27affee28747cd02bb2458398e5b990fb5

SHA256
015752bcf091fe5b39ca14b7264e624d6241fe43530b5e9314e7ffdf9c7114e5

SHA512
ed9cdd21d7a61fe83f382bda8a0f3d1a4d61e19b1e1c304adf6a3f1238e2a7bec1e1149d7918582d3dfb7a1851d37b4a97b7904e731cac3b314742bd34bc536b

Download Submit
\Users\Admin\AppData\Local\Temp\~252900264653471257~\sg.tmp
Filesize
715KB

MD5
7c4718943bd3f66ebdb47ccca72c7b1e

SHA1
f9edfaa7adb8fa528b2e61b2b251f18da10a6969

SHA256
4cc32d00338fc7b206a7c052297acf9ac304ae7de9d61a2475a116959c1524fc

SHA512
e18c40d646fa4948f90f7471da55489df431f255041ebb6dcef86346f91078c9b27894e27216a4b2fe2a1c5e501c7953c77893cf696930123d28a322d49e1516

Download Submit
\Users\Admin\AppData\Local\Temp\~8600868341866202821\AMIDEWINx64.EXE
Filesize
377KB

MD5
64ae4aa4904d3b259dda8cc53769064f

SHA1
24be8fb54afd8182652819b9a307b6f66f3fc58d

SHA256
2c67fb6eb81630c917f08295e4ff3b5f777cb41b26f7b09dc36d79f089e61bc4

SHA512
6c16d2bc23c20a7456b4db7136e1bb5fcee9cbf83a73d8de507b7b3ffc618f81f020cde638d2cd1ef5f154541b745a2a0e27b4c654683a21571183f7a1bffd16

Download Submit
\Users\Admin\AppData\Local\Temp\~8600868341866202821\AMIDEWINx64.EXE
Filesize
288KB

MD5
218a04dcfc488376030c7dae22daed56

SHA1
f30e411677e763cadb01d6660d61600ac569bf15

SHA256
19902c1cdd8e663acac745b00e29894cd1ce11ac966239cbd6513e82c406bddf

SHA512
2769ad9f3f200f4e67f07dd6fd68503735ca325eb5a6c276c71980adaf925ab2a2b40bef6244b66c5d0e453b0a9680582390941d5f8a7096bac7884d73ba55b7

Download Submit
\Users\Admin\AppData\Local\Temp\~8600868341866202821\双击修改主板.exe
Filesize
90KB

MD5
54f98c6675a66ebcb26831a36f1baff9

SHA1
4dbb4292a73f851cc04bacd8a6caf97eccbb40c5

SHA256
ec9a545244858d738be6cf3d638b481d84b9d7bcaf60e7d5c8b759dc0ca27709

SHA512
a0fb991eceb7e428af53a6254420eb8a1c7f15ca07c8c7287985e0fdf56833163dddc13b910e8dd4875e80fe2477b616397b9ed09ef632e4453673d590a57154

Download Submit
memory/2348-9-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2348-10-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2912-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2912-106-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2912-7-0x0000000002750000-0x00000000028AF000-memory.dmp

Filesize
1.4MB

Download
memory/2968-107-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2968-108-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download

pid	process
464
464
464
464
464
464
464
464
464
464
464
464
464
464
464
464
464
464
464
464

pid	process
464
464
464
464
464
464
464
464
464
464
464
464
464
464
464
464
464
464
464
464

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

pid	process
464
464
464
464
464
464
464
464
464
464
464
464
464
464
464
464
464
464
464
464