cerber | 17b6f13f7f0d6ba2965c68c9e7e66dab30879d1b61d286d03a41b7a183b2be98

Analysis

max time kernel
142s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
28-02-2024 03:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

17b6f13f7f0d6ba2965c68c9e7e66dab30879d1b61d286d03a41b7a183b2be98.exe
Size

1.1MB
MD5

d76c44d8a9c03f21ad39d9a24649997a
SHA1

a3da6c3e8b4c9dc0e2f37541232220285c2ea556
SHA256

17b6f13f7f0d6ba2965c68c9e7e66dab30879d1b61d286d03a41b7a183b2be98
SHA512

bc6cd374978ab93fc1c8d1aaedfe0a1db57f6c281ee8e866073bd4f7131cadb92b61f9ba6a9171bff217ae9722259cb9381c91f826edd3cce3f958f9fd9a2437
SSDEEP

24576:NTRRgkObgBSIiAZQ18oVHA4zJcwPZTR51+Lcetl:NTznniAZFoVHA4d1Zt5A

Score

10^/10

cerber ransomware upx

Malware Config

Signatures

Cerber
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
ransomware cerber

Executes dropped EXE 22 IoCs

Processes:

sg.tmp双击修改主板.exeAMIDEWINx64.EXEAMIDEWINx64.EXEAMIDEWINx64.EXEAMIDEWINx64.EXEAMIDEWINx64.EXEAMIDEWINx64.EXEAMIDEWINx64.EXEAMIDEWINx64.EXEAMIDEWINx64.EXEAMIDEWINx64.EXEAMIDEWINx64.EXEAMIDEWINx64.EXEAMIDEWINx64.EXEAMIDEWINx64.EXEAMIDEWINx64.EXEAMIDEWINx64.EXEAMIDEWINx64.EXEAMIDEWINx64.EXEAMIDEWINx64.EXEAMIDEWINx64.EXE

pid	process
3904	sg.tmp
4284	双击修改主板.exe
792	AMIDEWINx64.EXE
4336	AMIDEWINx64.EXE
1388	AMIDEWINx64.EXE
5040	AMIDEWINx64.EXE
4476	AMIDEWINx64.EXE
532	AMIDEWINx64.EXE
3948	AMIDEWINx64.EXE
2380	AMIDEWINx64.EXE
4672	AMIDEWINx64.EXE
1600	AMIDEWINx64.EXE
3092	AMIDEWINx64.EXE
1716	AMIDEWINx64.EXE
2644	AMIDEWINx64.EXE
2848	AMIDEWINx64.EXE
2012	AMIDEWINx64.EXE
3528	AMIDEWINx64.EXE
4488	AMIDEWINx64.EXE
3144	AMIDEWINx64.EXE
3728	AMIDEWINx64.EXE
3524	AMIDEWINx64.EXE

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3548-0-0x0000000000400000-0x000000000055F000-memory.dmp	upx
behavioral2/memory/3420-7-0x0000000000400000-0x000000000055F000-memory.dmp	upx
behavioral2/memory/3420-9-0x0000000000400000-0x000000000055F000-memory.dmp	upx
behavioral2/memory/3548-30-0x0000000000400000-0x000000000055F000-memory.dmp	upx
behavioral2/memory/3548-73-0x0000000000400000-0x000000000055F000-memory.dmp	upx
behavioral2/memory/1956-74-0x0000000000400000-0x000000000055F000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Kills process with taskkill 4 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

2384 taskkill.exe
3560 taskkill.exe
3504 taskkill.exe
3108 taskkill.exe

pid	process
2384	taskkill.exe
3560	taskkill.exe
3504	taskkill.exe
3108	taskkill.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

17b6f13f7f0d6ba2965c68c9e7e66dab30879d1b61d286d03a41b7a183b2be98.exe

pid	process
3548	17b6f13f7f0d6ba2965c68c9e7e66dab30879d1b61d286d03a41b7a183b2be98.exe
3548	17b6f13f7f0d6ba2965c68c9e7e66dab30879d1b61d286d03a41b7a183b2be98.exe

Suspicious behavior: LoadsDriver 20 IoCs

Processes:

pid process

656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656

pid	process
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656

Suspicious use of AdjustPrivilegeToken 31 IoCs

Processes:

17b6f13f7f0d6ba2965c68c9e7e66dab30879d1b61d286d03a41b7a183b2be98.exe17b6f13f7f0d6ba2965c68c9e7e66dab30879d1b61d286d03a41b7a183b2be98.exesg.tmptaskkill.exetaskkill.exetaskkill.exetaskkill.exe17b6f13f7f0d6ba2965c68c9e7e66dab30879d1b61d286d03a41b7a183b2be98.exe

description	pid	process
Token: SeBackupPrivilege	3548	17b6f13f7f0d6ba2965c68c9e7e66dab30879d1b61d286d03a41b7a183b2be98.exe
Token: SeRestorePrivilege	3548	17b6f13f7f0d6ba2965c68c9e7e66dab30879d1b61d286d03a41b7a183b2be98.exe
Token: 33	3548	17b6f13f7f0d6ba2965c68c9e7e66dab30879d1b61d286d03a41b7a183b2be98.exe
Token: SeIncBasePriorityPrivilege	3548	17b6f13f7f0d6ba2965c68c9e7e66dab30879d1b61d286d03a41b7a183b2be98.exe
Token: 33	3548	17b6f13f7f0d6ba2965c68c9e7e66dab30879d1b61d286d03a41b7a183b2be98.exe
Token: SeIncBasePriorityPrivilege	3548	17b6f13f7f0d6ba2965c68c9e7e66dab30879d1b61d286d03a41b7a183b2be98.exe
Token: 33	3548	17b6f13f7f0d6ba2965c68c9e7e66dab30879d1b61d286d03a41b7a183b2be98.exe
Token: SeIncBasePriorityPrivilege	3548	17b6f13f7f0d6ba2965c68c9e7e66dab30879d1b61d286d03a41b7a183b2be98.exe
Token: SeBackupPrivilege	3420	17b6f13f7f0d6ba2965c68c9e7e66dab30879d1b61d286d03a41b7a183b2be98.exe
Token: SeRestorePrivilege	3420	17b6f13f7f0d6ba2965c68c9e7e66dab30879d1b61d286d03a41b7a183b2be98.exe
Token: 33	3420	17b6f13f7f0d6ba2965c68c9e7e66dab30879d1b61d286d03a41b7a183b2be98.exe
Token: SeIncBasePriorityPrivilege	3420	17b6f13f7f0d6ba2965c68c9e7e66dab30879d1b61d286d03a41b7a183b2be98.exe
Token: 33	3548	17b6f13f7f0d6ba2965c68c9e7e66dab30879d1b61d286d03a41b7a183b2be98.exe
Token: SeIncBasePriorityPrivilege	3548	17b6f13f7f0d6ba2965c68c9e7e66dab30879d1b61d286d03a41b7a183b2be98.exe
Token: SeRestorePrivilege	3904	sg.tmp
Token: 35	3904	sg.tmp
Token: SeSecurityPrivilege	3904	sg.tmp
Token: SeSecurityPrivilege	3904	sg.tmp
Token: 33	3548	17b6f13f7f0d6ba2965c68c9e7e66dab30879d1b61d286d03a41b7a183b2be98.exe
Token: SeIncBasePriorityPrivilege	3548	17b6f13f7f0d6ba2965c68c9e7e66dab30879d1b61d286d03a41b7a183b2be98.exe
Token: SeDebugPrivilege	2384	taskkill.exe
Token: SeDebugPrivilege	3560	taskkill.exe
Token: SeDebugPrivilege	3504	taskkill.exe
Token: SeDebugPrivilege	3108	taskkill.exe
Token: SeDebugPrivilege	3548	17b6f13f7f0d6ba2965c68c9e7e66dab30879d1b61d286d03a41b7a183b2be98.exe
Token: 33	3548	17b6f13f7f0d6ba2965c68c9e7e66dab30879d1b61d286d03a41b7a183b2be98.exe
Token: SeIncBasePriorityPrivilege	3548	17b6f13f7f0d6ba2965c68c9e7e66dab30879d1b61d286d03a41b7a183b2be98.exe
Token: SeBackupPrivilege	1956	17b6f13f7f0d6ba2965c68c9e7e66dab30879d1b61d286d03a41b7a183b2be98.exe
Token: SeRestorePrivilege	1956	17b6f13f7f0d6ba2965c68c9e7e66dab30879d1b61d286d03a41b7a183b2be98.exe
Token: 33	1956	17b6f13f7f0d6ba2965c68c9e7e66dab30879d1b61d286d03a41b7a183b2be98.exe
Token: SeIncBasePriorityPrivilege	1956	17b6f13f7f0d6ba2965c68c9e7e66dab30879d1b61d286d03a41b7a183b2be98.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

17b6f13f7f0d6ba2965c68c9e7e66dab30879d1b61d286d03a41b7a183b2be98.exe双击修改主板.execmd.exe

description	pid	process	target process
PID 3548 wrote to memory of 1460	3548	17b6f13f7f0d6ba2965c68c9e7e66dab30879d1b61d286d03a41b7a183b2be98.exe	cmd.exe
PID 3548 wrote to memory of 1460	3548	17b6f13f7f0d6ba2965c68c9e7e66dab30879d1b61d286d03a41b7a183b2be98.exe	cmd.exe
PID 3548 wrote to memory of 3420	3548	17b6f13f7f0d6ba2965c68c9e7e66dab30879d1b61d286d03a41b7a183b2be98.exe	17b6f13f7f0d6ba2965c68c9e7e66dab30879d1b61d286d03a41b7a183b2be98.exe
PID 3548 wrote to memory of 3420	3548	17b6f13f7f0d6ba2965c68c9e7e66dab30879d1b61d286d03a41b7a183b2be98.exe	17b6f13f7f0d6ba2965c68c9e7e66dab30879d1b61d286d03a41b7a183b2be98.exe
PID 3548 wrote to memory of 3420	3548	17b6f13f7f0d6ba2965c68c9e7e66dab30879d1b61d286d03a41b7a183b2be98.exe	17b6f13f7f0d6ba2965c68c9e7e66dab30879d1b61d286d03a41b7a183b2be98.exe
PID 3548 wrote to memory of 3904	3548	17b6f13f7f0d6ba2965c68c9e7e66dab30879d1b61d286d03a41b7a183b2be98.exe	sg.tmp
PID 3548 wrote to memory of 3904	3548	17b6f13f7f0d6ba2965c68c9e7e66dab30879d1b61d286d03a41b7a183b2be98.exe	sg.tmp
PID 3548 wrote to memory of 3904	3548	17b6f13f7f0d6ba2965c68c9e7e66dab30879d1b61d286d03a41b7a183b2be98.exe	sg.tmp
PID 3548 wrote to memory of 4284	3548	17b6f13f7f0d6ba2965c68c9e7e66dab30879d1b61d286d03a41b7a183b2be98.exe	双击修改主板.exe
PID 3548 wrote to memory of 4284	3548	17b6f13f7f0d6ba2965c68c9e7e66dab30879d1b61d286d03a41b7a183b2be98.exe	双击修改主板.exe
PID 3548 wrote to memory of 4284	3548	17b6f13f7f0d6ba2965c68c9e7e66dab30879d1b61d286d03a41b7a183b2be98.exe	双击修改主板.exe
PID 4284 wrote to memory of 3544	4284	双击修改主板.exe	cmd.exe
PID 4284 wrote to memory of 3544	4284	双击修改主板.exe	cmd.exe
PID 3544 wrote to memory of 3612	3544	cmd.exe	reg.exe
PID 3544 wrote to memory of 3612	3544	cmd.exe	reg.exe
PID 3544 wrote to memory of 792	3544	cmd.exe	AMIDEWINx64.EXE
PID 3544 wrote to memory of 792	3544	cmd.exe	AMIDEWINx64.EXE
PID 3544 wrote to memory of 4336	3544	cmd.exe	AMIDEWINx64.EXE
PID 3544 wrote to memory of 4336	3544	cmd.exe	AMIDEWINx64.EXE
PID 3544 wrote to memory of 1388	3544	cmd.exe	AMIDEWINx64.EXE
PID 3544 wrote to memory of 1388	3544	cmd.exe	AMIDEWINx64.EXE
PID 3544 wrote to memory of 5040	3544	cmd.exe	AMIDEWINx64.EXE
PID 3544 wrote to memory of 5040	3544	cmd.exe	AMIDEWINx64.EXE
PID 3544 wrote to memory of 4476	3544	cmd.exe	AMIDEWINx64.EXE
PID 3544 wrote to memory of 4476	3544	cmd.exe	AMIDEWINx64.EXE
PID 3544 wrote to memory of 532	3544	cmd.exe	AMIDEWINx64.EXE
PID 3544 wrote to memory of 532	3544	cmd.exe	AMIDEWINx64.EXE
PID 3544 wrote to memory of 3948	3544	cmd.exe	AMIDEWINx64.EXE
PID 3544 wrote to memory of 3948	3544	cmd.exe	AMIDEWINx64.EXE
PID 3544 wrote to memory of 2380	3544	cmd.exe	AMIDEWINx64.EXE
PID 3544 wrote to memory of 2380	3544	cmd.exe	AMIDEWINx64.EXE
PID 3544 wrote to memory of 4672	3544	cmd.exe	AMIDEWINx64.EXE
PID 3544 wrote to memory of 4672	3544	cmd.exe	AMIDEWINx64.EXE
PID 3544 wrote to memory of 1600	3544	cmd.exe	AMIDEWINx64.EXE
PID 3544 wrote to memory of 1600	3544	cmd.exe	AMIDEWINx64.EXE
PID 3544 wrote to memory of 3092	3544	cmd.exe	AMIDEWINx64.EXE
PID 3544 wrote to memory of 3092	3544	cmd.exe	AMIDEWINx64.EXE
PID 3544 wrote to memory of 1716	3544	cmd.exe	AMIDEWINx64.EXE
PID 3544 wrote to memory of 1716	3544	cmd.exe	AMIDEWINx64.EXE
PID 3544 wrote to memory of 2644	3544	cmd.exe	AMIDEWINx64.EXE
PID 3544 wrote to memory of 2644	3544	cmd.exe	AMIDEWINx64.EXE
PID 3544 wrote to memory of 2848	3544	cmd.exe	AMIDEWINx64.EXE
PID 3544 wrote to memory of 2848	3544	cmd.exe	AMIDEWINx64.EXE
PID 3544 wrote to memory of 2012	3544	cmd.exe	AMIDEWINx64.EXE
PID 3544 wrote to memory of 2012	3544	cmd.exe	AMIDEWINx64.EXE
PID 3544 wrote to memory of 3528	3544	cmd.exe	AMIDEWINx64.EXE
PID 3544 wrote to memory of 3528	3544	cmd.exe	AMIDEWINx64.EXE
PID 3544 wrote to memory of 4488	3544	cmd.exe	AMIDEWINx64.EXE
PID 3544 wrote to memory of 4488	3544	cmd.exe	AMIDEWINx64.EXE
PID 3544 wrote to memory of 3144	3544	cmd.exe	AMIDEWINx64.EXE
PID 3544 wrote to memory of 3144	3544	cmd.exe	AMIDEWINx64.EXE
PID 3544 wrote to memory of 3728	3544	cmd.exe	AMIDEWINx64.EXE
PID 3544 wrote to memory of 3728	3544	cmd.exe	AMIDEWINx64.EXE
PID 3544 wrote to memory of 3524	3544	cmd.exe	AMIDEWINx64.EXE
PID 3544 wrote to memory of 3524	3544	cmd.exe	AMIDEWINx64.EXE
PID 3544 wrote to memory of 2384	3544	cmd.exe	taskkill.exe
PID 3544 wrote to memory of 2384	3544	cmd.exe	taskkill.exe
PID 3544 wrote to memory of 3560	3544	cmd.exe	taskkill.exe
PID 3544 wrote to memory of 3560	3544	cmd.exe	taskkill.exe
PID 3544 wrote to memory of 3504	3544	cmd.exe	taskkill.exe
PID 3544 wrote to memory of 3504	3544	cmd.exe	taskkill.exe
PID 3544 wrote to memory of 3108	3544	cmd.exe	taskkill.exe
PID 3544 wrote to memory of 3108	3544	cmd.exe	taskkill.exe
PID 3548 wrote to memory of 1956	3548	17b6f13f7f0d6ba2965c68c9e7e66dab30879d1b61d286d03a41b7a183b2be98.exe	17b6f13f7f0d6ba2965c68c9e7e66dab30879d1b61d286d03a41b7a183b2be98.exe

C:\Users\Admin\AppData\Local\Temp\17b6f13f7f0d6ba2965c68c9e7e66dab30879d1b61d286d03a41b7a183b2be98.exe
"C:\Users\Admin\AppData\Local\Temp\17b6f13f7f0d6ba2965c68c9e7e66dab30879d1b61d286d03a41b7a183b2be98.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3548

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c set
2⤵
PID:1460

C:\Users\Admin\AppData\Local\Temp\17b6f13f7f0d6ba2965c68c9e7e66dab30879d1b61d286d03a41b7a183b2be98.exe
PECMD**pecmd-cmd* PUTF -dd -skipb=951808 -len=155224 "C:\Users\Admin\AppData\Local\Temp\~4286784954481499659.tmp",,C:\Users\Admin\AppData\Local\Temp\17b6f13f7f0d6ba2965c68c9e7e66dab30879d1b61d286d03a41b7a183b2be98.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3420

C:\Users\Admin\AppData\Local\Temp\~1495685311610645764~\sg.tmp
7zG_exe x "C:\Users\Admin\AppData\Local\Temp\~4286784954481499659.tmp" -y -aoa -o"C:\Users\Admin\AppData\Local\Temp\~1644521046334486442"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3904

C:\Users\Admin\AppData\Local\Temp\~1644521046334486442\双击修改主板.exe
"C:\Users\Admin\AppData\Local\Temp\~1644521046334486442\双击修改主板.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4284

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\D97.tmp\D98.tmp\D99.bat C:\Users\Admin\AppData\Local\Temp\~1644521046334486442\双击修改主板.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:3544

C:\Windows\system32\reg.exe
REG.exe query "HKU\S-1-5-19"
4⤵
PID:3612

C:\Users\Admin\AppData\Local\Temp\~1644521046334486442\AMIDEWINx64.EXE
AMIDEWINx64.EXE /IVN "28731912820678"
4⤵
- Executes dropped EXE
PID:792

C:\Users\Admin\AppData\Local\Temp\~1644521046334486442\AMIDEWINx64.EXE
AMIDEWINx64.EXE /IV "28731912820678"
4⤵
- Executes dropped EXE
PID:4336

C:\Users\Admin\AppData\Local\Temp\~1644521046334486442\AMIDEWINx64.EXE
AMIDEWINx64.EXE /ID "28731912820678"
4⤵
- Executes dropped EXE
PID:1388

C:\Users\Admin\AppData\Local\Temp\~1644521046334486442\AMIDEWINx64.EXE
AMIDEWINx64.EXE /SS "28731912820678"
4⤵
- Executes dropped EXE
PID:5040

C:\Users\Admin\AppData\Local\Temp\~1644521046334486442\AMIDEWINx64.EXE
AMIDEWINx64.EXE /SK "28731912820678"
4⤵
- Executes dropped EXE
PID:4476

C:\Users\Admin\AppData\Local\Temp\~1644521046334486442\AMIDEWINx64.EXE
AMIDEWINx64.EXE /SF "28731912820678"
4⤵
- Executes dropped EXE
PID:532

C:\Users\Admin\AppData\Local\Temp\~1644521046334486442\AMIDEWINx64.EXE
AMIDEWINx64.EXE /SU AUTO
4⤵
- Executes dropped EXE
PID:3948

C:\Users\Admin\AppData\Local\Temp\~1644521046334486442\AMIDEWINx64.EXE
AMIDEWINx64.EXE /BM "28731912820678"
4⤵
- Executes dropped EXE
PID:2380

C:\Users\Admin\AppData\Local\Temp\~1644521046334486442\AMIDEWINx64.EXE
AMIDEWINx64.EXE /BV "28731912820678"
4⤵
- Executes dropped EXE
PID:4672

C:\Users\Admin\AppData\Local\Temp\~1644521046334486442\AMIDEWINx64.EXE
AMIDEWINx64.EXE /BS "28731912820678"
4⤵
- Executes dropped EXE
PID:1600

C:\Users\Admin\AppData\Local\Temp\~1644521046334486442\AMIDEWINx64.EXE
AMIDEWINx64.EXE /BT "28731912820678"
4⤵
- Executes dropped EXE
PID:3092

C:\Users\Admin\AppData\Local\Temp\~1644521046334486442\AMIDEWINx64.EXE
AMIDEWINx64.EXE /BLC "28731912820678"
4⤵
- Executes dropped EXE
PID:1716

C:\Users\Admin\AppData\Local\Temp\~1644521046334486442\AMIDEWINx64.EXE
AMIDEWINx64.EXE /CM "28731912820678"
4⤵
- Executes dropped EXE
PID:2644

C:\Users\Admin\AppData\Local\Temp\~1644521046334486442\AMIDEWINx64.EXE
AMIDEWINx64.EXE /CV "28731912820678"
4⤵
- Executes dropped EXE
PID:2848

C:\Users\Admin\AppData\Local\Temp\~1644521046334486442\AMIDEWINx64.EXE
AMIDEWINx64.EXE /CA "28731912820678"
4⤵
- Executes dropped EXE
PID:2012

C:\Users\Admin\AppData\Local\Temp\~1644521046334486442\AMIDEWINx64.EXE
AMIDEWINx64.EXE /CS "28731912820678"
4⤵
- Executes dropped EXE
PID:3528

C:\Users\Admin\AppData\Local\Temp\~1644521046334486442\AMIDEWINx64.EXE
AMIDEWINx64.EXE /CSK "28731912820678"
4⤵
- Executes dropped EXE
PID:4488

C:\Users\Admin\AppData\Local\Temp\~1644521046334486442\AMIDEWINx64.EXE
AMIDEWINx64.EXE /PPN "28731912820678"
4⤵
- Executes dropped EXE
PID:3144

C:\Users\Admin\AppData\Local\Temp\~1644521046334486442\AMIDEWINx64.EXE
AMIDEWINx64.EXE /PAT "28731912820678"
4⤵
- Executes dropped EXE
PID:3728

C:\Users\Admin\AppData\Local\Temp\~1644521046334486442\AMIDEWINx64.EXE
AMIDEWINx64.EXE /PSN "28731912820678"
4⤵
- Executes dropped EXE
PID:3524

C:\Windows\system32\taskkill.exe
taskkill /F /IM WmiPrvSE.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2384

C:\Windows\system32\taskkill.exe
taskkill /F /IM WmiPrvSE.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3560

C:\Windows\system32\taskkill.exe
taskkill /F /IM WmiPrvSE.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3504

C:\Windows\system32\taskkill.exe
taskkill /F /IM WmiPrvSE.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3108

C:\Users\Admin\AppData\Local\Temp\17b6f13f7f0d6ba2965c68c9e7e66dab30879d1b61d286d03a41b7a183b2be98.exe
PECMD**pecmd-cmd* EXEC -wd:C: -hide cmd /c "C:\Users\Admin\AppData\Local\Temp\~8331117316167684894.cmd"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1956

C:\Windows\SYSTEM32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\~8331117316167684894.cmd"
3⤵
PID:4724

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4080 --field-trial-handle=2252,i,16504368816373493055,9578615028378602855,262144 --variations-seed-version /prefetch:8
1⤵
PID:4956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\D97.tmp\D98.tmp\D99.bat
Filesize
1KB

MD5
81fa6f7db4a7b6684785a8777c137f9b

SHA1
42d0932587a150428d023b37eb20ab2334137c37

SHA256
238c78afb90eab713fe66bac997d2b37382aa6c746f92e0be1cc34d5dd96dff2

SHA512
8a1b3ac506587e1b04ee8689b6a9bf80dc95078cbd84c8a810b04b3e11d6680a7a11eab75ac890ee87cda128ca35a303572cee63c0d2077c8ad5ea1f27e5da16

Download Submit
C:\Users\Admin\AppData\Local\Temp\~1495685311610645764~\sg.tmp
Filesize
715KB

MD5
7c4718943bd3f66ebdb47ccca72c7b1e

SHA1
f9edfaa7adb8fa528b2e61b2b251f18da10a6969

SHA256
4cc32d00338fc7b206a7c052297acf9ac304ae7de9d61a2475a116959c1524fc

SHA512
e18c40d646fa4948f90f7471da55489df431f255041ebb6dcef86346f91078c9b27894e27216a4b2fe2a1c5e501c7953c77893cf696930123d28a322d49e1516

Download Submit
C:\Users\Admin\AppData\Local\Temp\~1644521046334486442\AMIDEWINx64.EXE
Filesize
377KB

MD5
64ae4aa4904d3b259dda8cc53769064f

SHA1
24be8fb54afd8182652819b9a307b6f66f3fc58d

SHA256
2c67fb6eb81630c917f08295e4ff3b5f777cb41b26f7b09dc36d79f089e61bc4

SHA512
6c16d2bc23c20a7456b4db7136e1bb5fcee9cbf83a73d8de507b7b3ffc618f81f020cde638d2cd1ef5f154541b745a2a0e27b4c654683a21571183f7a1bffd16

Download Submit
C:\Users\Admin\AppData\Local\Temp\~1644521046334486442\AMIDEWINx64.EXE
Filesize
357KB

MD5
8a363433be438493454638b37c72c35b

SHA1
809ba188569f2f8d8a012745f0d1b3ebd58bf7fb

SHA256
86c236669e83f72160b3c009dcad1cc8540cc66c5f2aa6093293c3edbe7386ac

SHA512
f1dc81241a0907852be2e20ec13c719c226a31d71a705b4fde52755f21ab03545e4968376c3d57d7d1faa363d3252af241d2eee30341b8ce05af389b48eb72e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\~1644521046334486442\amifldrv64.sys
Filesize
28KB

MD5
0dff47f3b14fb1c1bad47cc517f0581a

SHA1
db3538f324f9e52defaba7be1ab991008e43d012

SHA256
20f11a64bc4548f4edb47e3d3418da0f6d54a83158224b71662a6292bf45b5fb

SHA512
f572e741b5a7e854353420bfe072f4e8d10ea61bd0be06a48f3b07bb58e98987761a4cbd77423bf1ab4a9a79b599b824b6b2951bae9e8ad16bca98c84c72b0a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\~1644521046334486442\amigendrv64.sys
Filesize
33KB

MD5
119f0656ab4bb872f79ee5d421e2b9f9

SHA1
e35969966769e7760094cbcffb294d0d04a09db6

SHA256
38d87b51f4b69ba2dae1477684a1415f1a3b578eee5e1126673b1beaefee9a20

SHA512
428c2a7db1559cb39a882a7dce5a0559efd9d83c2e86ca94bbe3c10c9989fe63c160ab7f475db0400a2ed016ab21f00faa9d0e0b7fdba5e3c34daadab24e71f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\~1644521046334486442\华硕主板教程.txt
Filesize
236B

MD5
9999d5f56dff017cdaa2fd7c5c67cd7b

SHA1
2c50fa92933eb756c0c01f6a86c1c163dda12f21

SHA256
d2bcc2549eac34ab13218ddcca1a476a1a604daa62519190dc4194300c21e913

SHA512
854d52ea6547f1c866af61c26df299d1267968580c8337a3316bf146fea24a7d4766d904978f8d02e6e0146e3a4f9d7b15bb5731b5c876e9c45ba114d4b43483

Download Submit
C:\Users\Admin\AppData\Local\Temp\~1644521046334486442\双击修改主板.exe
Filesize
90KB

MD5
54f98c6675a66ebcb26831a36f1baff9

SHA1
4dbb4292a73f851cc04bacd8a6caf97eccbb40c5

SHA256
ec9a545244858d738be6cf3d638b481d84b9d7bcaf60e7d5c8b759dc0ca27709

SHA512
a0fb991eceb7e428af53a6254420eb8a1c7f15ca07c8c7287985e0fdf56833163dddc13b910e8dd4875e80fe2477b616397b9ed09ef632e4453673d590a57154

Download Submit
C:\Users\Admin\AppData\Local\Temp\~4286784954481499659.tmp
Filesize
102KB

MD5
09829047261a15d890cc9d38a9d6c0db

SHA1
e03301f3837fcfd9c0d18bad3f833fcdea9c84f2

SHA256
7eac21e6ff49a37db444ce44e4a73dd1270181389b4f62f2f2dd712f14535ccd

SHA512
cedb77a1150c8c2ea16e6c8030a76d12ff67ba71b23e1a5ab3111f8c50e8f639f30f4fb6c6cdca9ccc6ab662859e670eaa5f095b7346f0a49942029e590a410d

Download Submit
C:\Users\Admin\AppData\Local\Temp\~4286784954481499659.tmp
Filesize
151KB

MD5
763793b819f5c337ecd086d53db836bd

SHA1
f16842f911d2efc904a13d823a5569ddf3da2d65

SHA256
e8c1e5cc453dc233c1dcac0c39ed29cff9e788bd84763b7960c907ac2c58e126

SHA512
e76a16efd3e96c16c51e3a6f9c20fc8be431afc3bba63b86027ed36b6c2aed108363244de3727e1c065ff3d96cdbbe5fc539aa305868f6523c2675c3cc8c884f

Download Submit
C:\Users\Admin\AppData\Local\Temp\~8331117316167684894.cmd
Filesize
373B

MD5
ee841bb8cd10eee88ad70c86be094f71

SHA1
cf9cb3250b66fc4c97a9be6d705c25b431939210

SHA256
74ac4ee687be755f1c49f999483994a88b44f280c05281f865ce7543b41b3af2

SHA512
7f1c41d82cecce8f2253d30ddd818208c503b86665d09051b3eabc2cacd673d881662d23833359be919d328b2aea22bf91827d9d4a54c43c71aa5df1cbbfde1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\~~3105555683292518324.tmp
Filesize
118B

MD5
a47b258e3108e67367937dd0413f24ed

SHA1
247cf9c87605c74beea6651278a937c735065f69

SHA256
d4476c16a9624a68be6721ae2f85b52703b5f1e984988f0bcdcdb75143e2bf9a

SHA512
8bcf3fbbec7665cb8dfeb948d87842e01274385fcb2f82bbb1f78ee68ba2ef0333c86af3ffdc35686561c7aebc9793f6ebdb1b457654fd8d737738a0c416fd93

Download Submit
memory/1956-74-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3420-9-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3420-7-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3548-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3548-30-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3548-73-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download

pid	process
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656

pid	process
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656

pid	process
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656