Analysis

- max time kernel: 38s
- max time network: 36s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 17-03-2024 17:25
- Static task: static1
- Behavioral task: behavioral1 (Sample: HwidWoofer.exe, Resource: win7-20240221-en)
- Behavioral task: behavioral2 (Sample: HwidWoofer.exe, Resource: win10v2004-20240226-en)

General

- Target: HwidWoofer.exe
- Size: 37KB
- MD5: 56956f15efc4b5c32c5b29c26f043c26
- SHA1: 5d8936716e7735235618fe2c8c8d813f3fab9684
- SHA256: e45a223e95e8fbae17daa2b587f400231b720dfeaa30086bade38a2e0c037cd8
- SHA512: b17406525d45dc938ccb24a6e7ac8388970e477d8c8b1863a5743af671a514d0772662a0fdf700898a55852e2710540b80b3a42990f9df813399daf66a2d01aa
- SSDEEP: 768:sWAyP38owL450RzHkAklLHp5zekO39cG:yykoAvRzEPLjsc
Malware Config
Signatures

- Cerber (41 IoCs)
  Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
  Processes: inertia.exe (35 entries), taskkill.exe (6 entries)
  - Mutant created: AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8} by inertia.exe (35 occurrences)
  - taskkill.exe PIDs: 4472, 2628, 936, 4508, 1304, 3880
- Downloads MZ/PE file
- Stops running service(s) (3 TTPs)
- Executes dropped EXE (35 IoCs)
  Processes: inertia.exe, PIDs 2084, 3992, 4696, 4996, 4396, 3624, 4184, 2876, 2944, 1864, 2260, 2896, 3984, 4928, 4852, 3232, 912, 3720, 4340, 1720, 5112, 3392, 2056, 3244, 3832, 4508, 1944, 1792, 1500, 4552, 4548, 1304, 5056, 1580, 2028
- Drops file in System32 directory (7 IoCs)
  Process: svchost.exe
  - File opened for modification: C:\Windows\system32\wbem\repository\INDEX.BTR
  - File opened for modification: C:\Windows\system32\wbem\repository
  - File opened for modification: C:\Windows\system32\wbem\repository\WRITABLE.TST
  - File opened for modification: C:\Windows\system32\wbem\repository\MAPPING1.MAP
  - File opened for modification: C:\Windows\system32\wbem\repository\MAPPING2.MAP
  - File opened for modification: C:\Windows\system32\wbem\repository\MAPPING3.MAP
  - File opened for modification: C:\Windows\system32\wbem\repository\OBJECTS.DATA
- Drops file in Windows directory (3 IoCs)
  Process: HwidWoofer.exe
  - File created: C:\Windows\SupaNiga\inertia.exe
  - File created: C:\Windows\SupaNiga\Solution64.sys
  - File created: C:\Windows\SupaNiga\spoof.bat
- Launches sc.exe (4 IoCs)
  Sc.exe is a Windows utility to control services on the system.
  Processes: sc.exe, PIDs 2552, 1616, 4648, 432
- Kills process with taskkill (6 IoCs)
  Processes: taskkill.exe, PIDs 3880, 936, 4508, 4472, 2628, 1304
- Runs net.exe
- Suspicious behavior: LoadsDriver (35 IoCs)
  Processes: PID 656 (35 occurrences)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes: taskkill.exe (6 entries), svchost.exe (58 entries)
  - Token: SeDebugPrivilege, taskkill.exe PIDs 3880, 936, 4508, 4472, 2628, 1304
  - svchost.exe PID 1436 repeatedly adjusted these privileges: SeAssignPrimaryTokenPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemtimePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeSystemEnvironmentPrivilege, SeUndockPrivilege, SeManageVolumePrivilege
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes: HwidWoofer.exe, cmd.exe (11 instances). Each parent-to-child write is listed twice in the report.
  - PID 3344 HwidWoofer.exe wrote to memory of cmd.exe PIDs 3392, 4856, 2032, 4120, 4392, 4108, 3292, 3408, 3968, 4556, 4428, 4676
  - cmd.exe wrote to memory of taskkill.exe: 3392 -> 3880, 4856 -> 936, 2032 -> 4508, 4120 -> 4472, 4392 -> 2628, 4108 -> 1304
  - cmd.exe wrote to memory of sc.exe: 3292 -> 4648, 3408 -> 432, 3968 -> 2552, 4556 -> 1616
  - cmd.exe PID 4676 wrote to memory of inertia.exe PIDs 2084, 3992, 4696, 4996, 4396, 3624, 4184, 2876, 2944, 1864
Processes

- C:\Users\Admin\AppData\Local\Temp\HwidWoofer.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\HwidWoofer.exe"
  Signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c taskkill /F /IM EpicGamesLauncher.exe >nul 2>&1
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\taskkill.exe
      Command line: taskkill /F /IM EpicGamesLauncher.exe
      Signatures: Cerber; Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c taskkill /F /IM EasyAntiCheatLauncher.exe >nul 2>&1
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\taskkill.exe
      Command line: taskkill /F /IM EasyAntiCheatLauncher.exe
      Signatures: Cerber; Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c taskkill /F /IM BEService.exe >nul 2>&1
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\taskkill.exe
      Command line: taskkill /F /IM BEService.exe
      Signatures: Cerber; Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c taskkill /F /IM Fortnite.exe >nul 2>&1
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\taskkill.exe
      Command line: taskkill /F /IM Fortnite.exe
      Signatures: Cerber; Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c taskkill /F /IM BattleEyeLauncher.exe >nul 2>&1
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\taskkill.exe
      Command line: taskkill /F /IM BattleEyeLauncher.exe
      Signatures: Cerber; Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c taskkill /F /IM FortniteClient-Win64-Shipping.exe >nul 2>&1
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\taskkill.exe
      Command line: taskkill /F /IM FortniteClient-Win64-Shipping.exe
      Signatures: Cerber; Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c sc stop BEService >nul 2>&1
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\sc.exe
      Command line: sc stop BEService
      Signatures: Launches sc.exe
  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c sc stop BEDaisy >nul 2>&1
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\sc.exe
      Command line: sc stop BEDaisy
      Signatures: Launches sc.exe
  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c sc stop EasyAntiCheat >nul 2>&1
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\sc.exe
      Command line: sc stop EasyAntiCheat
      Signatures: Launches sc.exe
  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c sc stop EasyAntiCheatSys >nul 2>&1
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\sc.exe
      Command line: sc stop EasyAntiCheatSys
      Signatures: Launches sc.exe
  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c cls
  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c C:/Windows/SupaNiga/Spoof.bat
    Signatures: Suspicious use of WriteProcessMemory
    - Thirty-five child instances of C:\Windows\SupaNiga\inertia.exe, each flagged Cerber; Executes dropped EXE, with the following command lines:
      - inertia.exe /IVN 6026-14651
      - inertia.exe /IV 3967-5659
      - inertia.exe /IV 29633-7508
      - inertia.exe /SM 21563-25364
      - inertia.exe /SP 28816-23539
      - inertia.exe /SV 22640-30840
      - inertia.exe /SS 9107-23963
      - inertia.exe /SU AUTO
      - inertia.exe /SK 9899-10872
      - inertia.exe /SF 29897-31897
      - inertia.exe /BM 14604-12154
      - inertia.exe /BP 4749-31023
      - inertia.exe /BV 11493-21857
      - inertia.exe /BS 25032-30962
      - inertia.exe /BT 21636-7182
      - inertia.exe /BLC 15972-5489
      - inertia.exe /CM 6988-22822
      - inertia.exe /CV 8196-15895
      - inertia.exe /CS 28683-18710
      - inertia.exe /CA 30450-29011
      - inertia.exe /CSK 10631-12629
      - inertia.exe /PSN 21848-4341
      - inertia.exe /PAT 6490-30697
      - inertia.exe /PPN 14516-21980
      - inertia.exe /OS 1 16640-21549
      - inertia.exe /OS 2 1926-9934
      - inertia.exe /OS 3 23855-31953
      - inertia.exe /OS 4 5963-22183
      - inertia.exe /OS 5 15206-30498
      - inertia.exe /OS 6 20143-3510
      - inertia.exe /OS 7 3529-27532
      - inertia.exe /OS 8 14335-25188
      - inertia.exe /OS 9 12588-9053
      - inertia.exe /OS 10 6109-25878
      - inertia.exe /OS 11 6510-5067
    - C:\Windows\system32\net.exe
      Command line: net stop winmgmt /Y
      - C:\Windows\system32\net1.exe
        Command line: C:\Windows\system32\net1 stop winmgmt /Y
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
  Signatures: Drops file in System32 directory; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

- C:\Windows\SupaNiga\inertia.exe
  Filesize: 453KB
  MD5: 7f118633f542014d65ee13eb8d4f702a
  SHA1: a59117813003390187a45eec4116337d5b695b09
  SHA256: e27be45f00bce92b6f3c12e37723295e5a5959ecb8185f06028f3cfb88de3bb6
  SHA512: cf004560d6e3ce5cbb142a91445427dce58199dd3d1a254d2ae6d2e41df709c90844edfe9eff711c0a042f05338d72588da25591149edfd90860a76e2b0c9ff8
- C:\Windows\SupaNiga\spoof.bat
  Filesize: 1KB
  MD5: f3f7fadf5cdc4b050e4864d9ed2293dc
  SHA1: 42cc83a62dd6c5c12cce1eec03888caba03f2b44
  SHA256: acdf68856ff3b43cea509462a6d14c362eb2775ab3c145f511781b07c00c0729
  SHA512: cbbe68ba28f672364a40c343f8d429dd30552d5f500e184ba990e3cabe55fac6a247895daa640287d38db5dd2b37b83dec254ae277670fcbaa43ddf47d620c82