Analysis
-
max time kernel
129s -
max time network
134s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
12-03-2024 03:53
General
-
Target
mw3reaper.rar
-
Size
13.2MB
-
MD5
c77fd8185dd3fe2ee5672a0531c4b3c7
-
SHA1
7e321783026506c06cd3c34dabdb2ec4f277d17b
-
SHA256
11c712b2b16eeb1652793fc8bad16d9177ef161398dceb95e136f8f2a349e56c
-
SHA512
b0c3696a406a34b5a1e7cf8413d416251959006162901a7934054f09f0b909e2e582ce215dd97b8f7170b47c5d054f95ea9109d1cbcff67c69844e89125dce7b
-
SSDEEP
393216:UN0mmXrXBwtGmoWtJVKSJgNn3TeGKLCM3v:UN8rXetGTWtJNJgNnDI/
Malware Config
Signatures
-
Cerber 5 IoCs
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
-
Checks computer location settings 2 TTPs 5 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 8 IoCs
-
Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Kills process with taskkill 4 IoCs
-
Modifies registry class 1 IoCs
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious behavior: LoadsDriver 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 10 IoCs
-
Suspicious use of FindShellTrayWindow 7 IoCs
-
Suspicious use of SetWindowsHookEx 3 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\mw3reaper.rar1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Program Files\7-Zip\7zFM.exe"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\mw3reaper.rar"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zOC4CA27A7\tXauTiJr.exe"C:\Users\Admin\AppData\Local\Temp\7zOC4CA27A7\tXauTiJr.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls4⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C TASKKILL /F /IM WmiPrvSE.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exeTASKKILL /F /IM WmiPrvSE.exe5⤵
- Cerber
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS %RANDOM%%RANDOM%%RANDOM%4⤵
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exeC:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 3083229324110875⤵
- Cerber
- Executes dropped EXE
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV %RANDOM%%RANDOM%%RANDOM%4⤵
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exeC:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 3083229324110875⤵
- Cerber
- Executes dropped EXE
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C TASKKILL /F /IM WmiPrvSE.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exeTASKKILL /F /IM WmiPrvSE.exe5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\amide.sys4⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\amifldrv64.sys4⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zOC4CD4708\OHT1k0.exe"C:\Users\Admin\AppData\Local\Temp\7zOC4CD4708\OHT1k0.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zOC4CD4708\UQoK.exeC:\Users\Admin\AppData\Local\Temp\7zOC4CD4708\UQoK.exe -asec -upd -rmf=433a2f55736572732f41646d696e2f417070446174612f4c6f63616c2f54656d702f377a4f43344344343730382f4f4854316b302e6578654⤵
- Checks computer location settings
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\Desktop\tXauTiJr.exe"C:\Users\Admin\Desktop\tXauTiJr.exe"1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C TASKKILL /F /IM WmiPrvSE.exe2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exeTASKKILL /F /IM WmiPrvSE.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS %RANDOM%%RANDOM%%RANDOM%2⤵
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exeC:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 3106716777193553⤵
- Cerber
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV %RANDOM%%RANDOM%%RANDOM%2⤵
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exeC:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 310712752544523⤵
- Cerber
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C TASKKILL /F /IM WmiPrvSE.exe2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exeTASKKILL /F /IM WmiPrvSE.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\amide.sys2⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\amifldrv64.sys2⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exeFilesize
452KB
MD5c4d09d3b3516550ad2ded3b09e28c10c
SHA17a5e77bb9ba74cf57cb1d119325b0b7f64199824
SHA25666433a06884f28fdabb85a73c682d1587767e1dfa116907559ec00ed8d0919d3
SHA5122e7800aae592d38c4a6c854b11d0883de70f938b29d78e257ab47a8a2bbf09121145d0a9aea9b56c16e18cde31b693d31d7ebfcd0473b7c15df5d7ae6708bbd2
-
C:\ProgramData\Microsoft\Windows\amifldrv64.sysFilesize
18KB
MD5785045f8b25cd2e937ddc6b09debe01a
SHA1029c678674f482ababe8bbfdb93152392457109d
SHA25637073e42ffa0322500f90cd7e3c8d02c4cdd695d31c77e81560abec20bfb68ba
SHA51240bbeb41816146c7172aa3cf27dace538908b7955171968e1cddcd84403b2588e0d8437a3596c2714ccdf4476eefa3d4e61d90ea118982b729f50b03df1104a9
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751Filesize
717B
MD5822467b728b7a66b081c91795373789a
SHA1d8f2f02e1eef62485a9feffd59ce837511749865
SHA256af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9
SHA512bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1B1495DD322A24490E2BF2FAABAE1C61Filesize
299B
MD55ae8478af8dd6eec7ad4edf162dd3df1
SHA155670b9fd39da59a9d7d0bb0aecb52324cbacc5a
SHA256fe42ac92eae3b2850370b73c3691ccf394c23ab6133de39f1697a6ebac4bedca
SHA512a5ed33ecec5eecf5437c14eba7c65c84b6f8b08a42df7f18c8123ee37f6743b0cf8116f4359efa82338b244b28938a6e0c8895fcd7f7563bf5777b7d8ee86296
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751Filesize
192B
MD5d18149dc2bb5b2cf79500f710e8efad8
SHA1298d3fb5fe8759b21d4b86628e9a31fc19ac189e
SHA256a553877744f868dbfb1bb5925973d759be62981b29df117d9cc72663eb1cf6a1
SHA51224e15c2b263244fe9e10dd36ea04513d9470289285d8fa1bb0c7a9421c4ca3004e5de6fbfa543813746529a447562f0b142e98ff13a5c4b46a1ee66598be628c
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1B1495DD322A24490E2BF2FAABAE1C61Filesize
192B
MD5769d83fdd270399eba8b64b100bb0df6
SHA1ec550e006b8ff1d07e9d71c21e99e85e873b1e20
SHA256a31fb500cf0585744ae32a4f4fd20dbb8e94f74204d87709ecc20477ab282072
SHA512a6bf1f3bdfe6ec1f1c88afcb8843fe373dc2085b14e4ab31995119ec0719aa7e4c3940f542618fb1f0a2714c5e563d393cf8e4bcbf4b88a61e42db4e11df1728
-
C:\Users\Admin\AppData\Local\Temp\7zOC4CA27A7\tXauTiJr.exeFilesize
521KB
MD5464c348f1bdf66a75c6b0d51256e916c
SHA1fa7f683e451ab0a0c6c18a4dde7b9bbdde72ff27
SHA256a58b1f94ba24a2d7f06c2b7a9840243c4e1b75b1b580cf1ce4c5d9af69cedc85
SHA512cb07284fd3d33eef29f761fd0d044a9143b9e934eff49a625290c4da23580c1b0bb1f4cd9d5e574c698fbf791d13aa476be2a550baebb4f925ef019015710233
-
C:\Users\Admin\AppData\Local\Temp\7zOC4CD4708\OHT1k0.exeFilesize
7.1MB
MD5fd35c43f08143bc15254636083e8c71c
SHA1695640894e59171cd37ffd51165470bc1299f063
SHA25693abb3ad34e9eb7f00499ba1bbb6c36ac90f4d4e141ecfe1c15cb64808ac82c8
SHA5122dbcab7c5f91169006b8476841b10a250e08b07a7c6ffc6d5187f4a426d04b5ed2acf586ceb4df6711212463faa8367b57b5f948ba5e745d38e058be3d063d70
-
C:\Users\Admin\AppData\Local\Temp\7zOC4CD4708\OHT1k0.exeFilesize
3.1MB
MD5036ff2ce88a8740a290249a8769a4009
SHA180d34b8cdfc4988fbd41fabfad9e2bc25592253e
SHA256fc0fcced5d2b95b0a32332025d6e52815223cfe728bc40ef9518f8576e97d46d
SHA512f1ff74c8c7c153d2a1c7582f75c3ea52b4c8df685bd89be72fabe22b9c239db092960f039e7a7e52d6cedf9fcf9fce4b6ee5e4d8b5e73e4116dd5e8a022d1e76
-
C:\Users\Admin\AppData\Local\Temp\7zOC4CD4708\OHT1k0.exeFilesize
3.1MB
MD555f9c3a4814f20c8ce9a03e0b5dd1acd
SHA1e23f03bac746378dd95324f490dfb55847129805
SHA25609447b9011c7cdc98a96f09dd5f84848e8bb0bdb651bf3ee70acd792db89f113
SHA512edce7bb853de162c71070fe32da0f29b82b9b788be1431f658ec8713b8a3271ad54750d8ccb49e5cabd77e94ca2a5d78b3b7741a9bed439b9a957b8637d903a3
-
C:\Users\Admin\AppData\Local\Temp\7zOC4CD4708\UQoK.exeFilesize
13.6MB
MD5fe89bbbdb1d4bb71b176370b26b4d628
SHA10c0ed731f44d79e767955c70e6bd88755eb2830d
SHA25644ea5761c003fb8d888a446c5f7f9cb135aac463deb2efb20003307516395b85
SHA512a0113e323ab6ed4bac345aaad68745b9894ff364dc7129fe434b342b6ecae86a46e70efba55a8a6da389b34ecd7e378f0ebcce874f00567ebf6e661b79936bdf
-
memory/3024-59-0x00000000052A0000-0x00000000052A1000-memory.dmpFilesize
4KB
-
memory/3024-65-0x00000000052B0000-0x00000000052B1000-memory.dmpFilesize
4KB
-
memory/3024-38-0x00000000035E0000-0x00000000037E2000-memory.dmpFilesize
2.0MB
-
memory/3024-40-0x00000000052A0000-0x00000000052A1000-memory.dmpFilesize
4KB
-
memory/3024-41-0x00000000052A0000-0x00000000052A1000-memory.dmpFilesize
4KB
-
memory/3024-42-0x00000000052A0000-0x00000000052A1000-memory.dmpFilesize
4KB
-
memory/3024-50-0x00000000052A0000-0x00000000052A1000-memory.dmpFilesize
4KB
-
memory/3024-49-0x00000000052A0000-0x00000000052A1000-memory.dmpFilesize
4KB
-
memory/3024-48-0x00000000052A0000-0x00000000052A1000-memory.dmpFilesize
4KB
-
memory/3024-47-0x00000000052A0000-0x00000000052A1000-memory.dmpFilesize
4KB
-
memory/3024-46-0x00000000052A0000-0x00000000052A1000-memory.dmpFilesize
4KB
-
memory/3024-45-0x00000000052A0000-0x00000000052A1000-memory.dmpFilesize
4KB
-
memory/3024-43-0x00000000052A0000-0x00000000052A1000-memory.dmpFilesize
4KB
-
memory/3024-51-0x00000000052A0000-0x00000000052A1000-memory.dmpFilesize
4KB
-
memory/3024-52-0x00000000052A0000-0x00000000052A1000-memory.dmpFilesize
4KB
-
memory/3024-44-0x00000000052A0000-0x00000000052A1000-memory.dmpFilesize
4KB
-
memory/3024-53-0x00000000052A0000-0x00000000052A1000-memory.dmpFilesize
4KB
-
memory/3024-54-0x00000000052A0000-0x00000000052A1000-memory.dmpFilesize
4KB
-
memory/3024-55-0x00000000052A0000-0x00000000052A1000-memory.dmpFilesize
4KB
-
memory/3024-57-0x00000000052A0000-0x00000000052A1000-memory.dmpFilesize
4KB
-
memory/3024-56-0x00000000052A0000-0x00000000052A1000-memory.dmpFilesize
4KB
-
memory/3024-31-0x0000000140000000-0x0000000143726000-memory.dmpFilesize
55.1MB
-
memory/3024-58-0x00000000052A0000-0x00000000052A1000-memory.dmpFilesize
4KB
-
memory/3024-62-0x00000000052B0000-0x00000000052B1000-memory.dmpFilesize
4KB
-
memory/3024-63-0x00000000052B0000-0x00000000052B1000-memory.dmpFilesize
4KB
-
memory/3024-61-0x00000000052B0000-0x00000000052B1000-memory.dmpFilesize
4KB
-
memory/3024-64-0x00000000052B0000-0x00000000052B1000-memory.dmpFilesize
4KB
-
memory/3024-36-0x0000000003190000-0x00000000035D2000-memory.dmpFilesize
4.3MB
-
memory/3024-67-0x00000000052B0000-0x00000000052B1000-memory.dmpFilesize
4KB
-
memory/3024-66-0x00000000052B0000-0x00000000052B1000-memory.dmpFilesize
4KB
-
memory/3024-68-0x00000000052B0000-0x00000000052B1000-memory.dmpFilesize
4KB
-
memory/3024-69-0x00000000052B0000-0x00000000052B1000-memory.dmpFilesize
4KB
-
memory/3024-70-0x00000000052B0000-0x00000000052B1000-memory.dmpFilesize
4KB
-
memory/3024-71-0x00000000052B0000-0x00000000052B1000-memory.dmpFilesize
4KB
-
memory/3024-72-0x00000000052B0000-0x00000000052B1000-memory.dmpFilesize
4KB
-
memory/3024-73-0x00000000052B0000-0x00000000052B1000-memory.dmpFilesize
4KB
-
memory/3024-74-0x00000000052B0000-0x00000000052B1000-memory.dmpFilesize
4KB
-
memory/3024-75-0x00000000052B0000-0x00000000052B1000-memory.dmpFilesize
4KB
-
memory/3024-76-0x00000000052B0000-0x00000000052B1000-memory.dmpFilesize
4KB
-
memory/3024-77-0x00000000052B0000-0x00000000052B1000-memory.dmpFilesize
4KB
-
memory/3024-79-0x00000000052C0000-0x00000000052C1000-memory.dmpFilesize
4KB
-
memory/3024-80-0x00000000052C0000-0x00000000052C1000-memory.dmpFilesize
4KB
-
memory/3024-82-0x00000000052C0000-0x00000000052C1000-memory.dmpFilesize
4KB
-
memory/3024-81-0x00000000052C0000-0x00000000052C1000-memory.dmpFilesize
4KB
-
memory/3024-83-0x00000000052C0000-0x00000000052C1000-memory.dmpFilesize
4KB
-
memory/3024-84-0x00000000052C0000-0x00000000052C1000-memory.dmpFilesize
4KB
-
memory/3024-85-0x00000000052C0000-0x00000000052C1000-memory.dmpFilesize
4KB
-
memory/3024-93-0x00000000052D0000-0x00000000052D1000-memory.dmpFilesize
4KB
-
memory/3024-92-0x00000000052D0000-0x00000000052D1000-memory.dmpFilesize
4KB
-
memory/3024-91-0x00000000052D0000-0x00000000052D1000-memory.dmpFilesize
4KB
-
memory/3024-30-0x00007FFFF4610000-0x00007FFFF4612000-memory.dmpFilesize
8KB
-
memory/3024-90-0x00000000052D0000-0x00000000052D1000-memory.dmpFilesize
4KB
-
memory/3024-89-0x00000000052D0000-0x00000000052D1000-memory.dmpFilesize
4KB
-
memory/3024-88-0x00000000052B0000-0x00000000052B1000-memory.dmpFilesize
4KB
-
memory/3024-87-0x00000000052D0000-0x00000000052D1000-memory.dmpFilesize
4KB