cerber | e45a223e95e8fbae17daa2b587f400231b720dfeaa30086bade38a2e0c037cd8

General

Target

HwidWoofer.exe
Size

37KB
MD5

56956f15efc4b5c32c5b29c26f043c26
SHA1

5d8936716e7735235618fe2c8c8d813f3fab9684
SHA256

e45a223e95e8fbae17daa2b587f400231b720dfeaa30086bade38a2e0c037cd8
SHA512

b17406525d45dc938ccb24a6e7ac8388970e477d8c8b1863a5743af671a514d0772662a0fdf700898a55852e2710540b80b3a42990f9df813399daf66a2d01aa
SSDEEP

768:sWAyP38owL450RzHkAklLHp5zekO39cG:yykoAvRzEPLjsc

Score

10^/10

cerber evasion ransomware

Malware Config

Signatures

Cerber 41 IoCs

Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.

ransomware cerber

Processes:

inertia.exeinertia.exeinertia.exeinertia.exeinertia.exeinertia.exeinertia.exeinertia.exeinertia.exeinertia.exeinertia.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exeinertia.exeinertia.exeinertia.exetaskkill.exetaskkill.exeinertia.exeinertia.exeinertia.exeinertia.exeinertia.exeinertia.exeinertia.exeinertia.exeinertia.exeinertia.exeinertia.exeinertia.exeinertia.exeinertia.exeinertia.exeinertia.exeinertia.exeinertia.exeinertia.exeinertia.exeinertia.exe

description	ioc	process
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}	inertia.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}	inertia.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}	inertia.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}	inertia.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}	inertia.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}	inertia.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}	inertia.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}	inertia.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}	inertia.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}	inertia.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}	inertia.exe
4472	taskkill.exe
2628	taskkill.exe
936	taskkill.exe
4508	taskkill.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}	inertia.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}	inertia.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}	inertia.exe
1304	taskkill.exe
3880	taskkill.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}	inertia.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}	inertia.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}	inertia.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}	inertia.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}	inertia.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}	inertia.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}	inertia.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}	inertia.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}	inertia.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}	inertia.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}	inertia.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}	inertia.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}	inertia.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}	inertia.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}	inertia.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}	inertia.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}	inertia.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}	inertia.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}	inertia.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}	inertia.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}	inertia.exe

Downloads MZ/PE file
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Executes dropped EXE 35 IoCs

Processes:

inertia.exeinertia.exeinertia.exeinertia.exeinertia.exeinertia.exeinertia.exeinertia.exeinertia.exeinertia.exeinertia.exeinertia.exeinertia.exeinertia.exeinertia.exeinertia.exeinertia.exeinertia.exeinertia.exeinertia.exeinertia.exeinertia.exeinertia.exeinertia.exeinertia.exeinertia.exeinertia.exeinertia.exeinertia.exeinertia.exeinertia.exeinertia.exeinertia.exeinertia.exeinertia.exe

pid	process
2084	inertia.exe
3992	inertia.exe
4696	inertia.exe
4996	inertia.exe
4396	inertia.exe
3624	inertia.exe
4184	inertia.exe
2876	inertia.exe
2944	inertia.exe
1864	inertia.exe
2260	inertia.exe
2896	inertia.exe
3984	inertia.exe
4928	inertia.exe
4852	inertia.exe
3232	inertia.exe
912	inertia.exe
3720	inertia.exe
4340	inertia.exe
1720	inertia.exe
5112	inertia.exe
3392	inertia.exe
2056	inertia.exe
3244	inertia.exe
3832	inertia.exe
4508	inertia.exe
1944	inertia.exe
1792	inertia.exe
1500	inertia.exe
4552	inertia.exe
4548	inertia.exe
1304	inertia.exe
5056	inertia.exe
1580	inertia.exe
2028	inertia.exe

Drops file in System32 directory 7 IoCs

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\Windows\system32\wbem\repository\INDEX.BTR	svchost.exe
File opened for modification	C:\Windows\system32\wbem\repository	svchost.exe
File opened for modification	C:\Windows\system32\wbem\repository\WRITABLE.TST	svchost.exe
File opened for modification	C:\Windows\system32\wbem\repository\MAPPING1.MAP	svchost.exe
File opened for modification	C:\Windows\system32\wbem\repository\MAPPING2.MAP	svchost.exe
File opened for modification	C:\Windows\system32\wbem\repository\MAPPING3.MAP	svchost.exe
File opened for modification	C:\Windows\system32\wbem\repository\OBJECTS.DATA	svchost.exe

Drops file in Windows directory 3 IoCs

Processes:

HwidWoofer.exe

description	ioc	process
File created	C:\Windows\SupaNiga\inertia.exe	HwidWoofer.exe
File created	C:\Windows\SupaNiga\Solution64.sys	HwidWoofer.exe
File created	C:\Windows\SupaNiga\spoof.bat	HwidWoofer.exe

Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exe

pid process

2552 sc.exe
1616 sc.exe
4648 sc.exe
432 sc.exe
Kills process with taskkill 6 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

3880 taskkill.exe
936 taskkill.exe
4508 taskkill.exe
4472 taskkill.exe
2628 taskkill.exe
1304 taskkill.exe
Runs net.exe
Suspicious behavior: LoadsDriver 35 IoCs

Processes:

pid process

656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656

pid	process
2552	sc.exe
1616	sc.exe
4648	sc.exe
432	sc.exe

pid	process
3880	taskkill.exe
936	taskkill.exe
4508	taskkill.exe
4472	taskkill.exe
2628	taskkill.exe
1304	taskkill.exe

pid	process
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	3880	taskkill.exe
Token: SeDebugPrivilege	936	taskkill.exe
Token: SeDebugPrivilege	4508	taskkill.exe
Token: SeDebugPrivilege	4472	taskkill.exe
Token: SeDebugPrivilege	2628	taskkill.exe
Token: SeDebugPrivilege	1304	taskkill.exe
Token: SeAssignPrimaryTokenPrivilege	1436	svchost.exe
Token: SeIncreaseQuotaPrivilege	1436	svchost.exe
Token: SeSecurityPrivilege	1436	svchost.exe
Token: SeTakeOwnershipPrivilege	1436	svchost.exe
Token: SeLoadDriverPrivilege	1436	svchost.exe
Token: SeSystemtimePrivilege	1436	svchost.exe
Token: SeBackupPrivilege	1436	svchost.exe
Token: SeRestorePrivilege	1436	svchost.exe
Token: SeShutdownPrivilege	1436	svchost.exe
Token: SeSystemEnvironmentPrivilege	1436	svchost.exe
Token: SeUndockPrivilege	1436	svchost.exe
Token: SeManageVolumePrivilege	1436	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	1436	svchost.exe
Token: SeIncreaseQuotaPrivilege	1436	svchost.exe
Token: SeSecurityPrivilege	1436	svchost.exe
Token: SeTakeOwnershipPrivilege	1436	svchost.exe
Token: SeLoadDriverPrivilege	1436	svchost.exe
Token: SeSystemtimePrivilege	1436	svchost.exe
Token: SeBackupPrivilege	1436	svchost.exe
Token: SeRestorePrivilege	1436	svchost.exe
Token: SeShutdownPrivilege	1436	svchost.exe
Token: SeSystemEnvironmentPrivilege	1436	svchost.exe
Token: SeUndockPrivilege	1436	svchost.exe
Token: SeManageVolumePrivilege	1436	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	1436	svchost.exe
Token: SeIncreaseQuotaPrivilege	1436	svchost.exe
Token: SeSecurityPrivilege	1436	svchost.exe
Token: SeTakeOwnershipPrivilege	1436	svchost.exe
Token: SeLoadDriverPrivilege	1436	svchost.exe
Token: SeBackupPrivilege	1436	svchost.exe
Token: SeRestorePrivilege	1436	svchost.exe
Token: SeShutdownPrivilege	1436	svchost.exe
Token: SeSystemEnvironmentPrivilege	1436	svchost.exe
Token: SeManageVolumePrivilege	1436	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	1436	svchost.exe
Token: SeIncreaseQuotaPrivilege	1436	svchost.exe
Token: SeSecurityPrivilege	1436	svchost.exe
Token: SeTakeOwnershipPrivilege	1436	svchost.exe
Token: SeLoadDriverPrivilege	1436	svchost.exe
Token: SeSystemtimePrivilege	1436	svchost.exe
Token: SeBackupPrivilege	1436	svchost.exe
Token: SeRestorePrivilege	1436	svchost.exe
Token: SeShutdownPrivilege	1436	svchost.exe
Token: SeSystemEnvironmentPrivilege	1436	svchost.exe
Token: SeUndockPrivilege	1436	svchost.exe
Token: SeManageVolumePrivilege	1436	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	1436	svchost.exe
Token: SeIncreaseQuotaPrivilege	1436	svchost.exe
Token: SeSecurityPrivilege	1436	svchost.exe
Token: SeTakeOwnershipPrivilege	1436	svchost.exe
Token: SeLoadDriverPrivilege	1436	svchost.exe
Token: SeSystemtimePrivilege	1436	svchost.exe
Token: SeBackupPrivilege	1436	svchost.exe
Token: SeRestorePrivilege	1436	svchost.exe
Token: SeShutdownPrivilege	1436	svchost.exe
Token: SeSystemEnvironmentPrivilege	1436	svchost.exe
Token: SeUndockPrivilege	1436	svchost.exe
Token: SeManageVolumePrivilege	1436	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

HwidWoofer.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 3344 wrote to memory of 3392	3344	HwidWoofer.exe	cmd.exe
PID 3344 wrote to memory of 3392	3344	HwidWoofer.exe	cmd.exe
PID 3392 wrote to memory of 3880	3392	cmd.exe	taskkill.exe
PID 3392 wrote to memory of 3880	3392	cmd.exe	taskkill.exe
PID 3344 wrote to memory of 4856	3344	HwidWoofer.exe	cmd.exe
PID 3344 wrote to memory of 4856	3344	HwidWoofer.exe	cmd.exe
PID 4856 wrote to memory of 936	4856	cmd.exe	taskkill.exe
PID 4856 wrote to memory of 936	4856	cmd.exe	taskkill.exe
PID 3344 wrote to memory of 2032	3344	HwidWoofer.exe	cmd.exe
PID 3344 wrote to memory of 2032	3344	HwidWoofer.exe	cmd.exe
PID 2032 wrote to memory of 4508	2032	cmd.exe	taskkill.exe
PID 2032 wrote to memory of 4508	2032	cmd.exe	taskkill.exe
PID 3344 wrote to memory of 4120	3344	HwidWoofer.exe	cmd.exe
PID 3344 wrote to memory of 4120	3344	HwidWoofer.exe	cmd.exe
PID 4120 wrote to memory of 4472	4120	cmd.exe	taskkill.exe
PID 4120 wrote to memory of 4472	4120	cmd.exe	taskkill.exe
PID 3344 wrote to memory of 4392	3344	HwidWoofer.exe	cmd.exe
PID 3344 wrote to memory of 4392	3344	HwidWoofer.exe	cmd.exe
PID 4392 wrote to memory of 2628	4392	cmd.exe	taskkill.exe
PID 4392 wrote to memory of 2628	4392	cmd.exe	taskkill.exe
PID 3344 wrote to memory of 4108	3344	HwidWoofer.exe	cmd.exe
PID 3344 wrote to memory of 4108	3344	HwidWoofer.exe	cmd.exe
PID 4108 wrote to memory of 1304	4108	cmd.exe	taskkill.exe
PID 4108 wrote to memory of 1304	4108	cmd.exe	taskkill.exe
PID 3344 wrote to memory of 3292	3344	HwidWoofer.exe	cmd.exe
PID 3344 wrote to memory of 3292	3344	HwidWoofer.exe	cmd.exe
PID 3292 wrote to memory of 4648	3292	cmd.exe	sc.exe
PID 3292 wrote to memory of 4648	3292	cmd.exe	sc.exe
PID 3344 wrote to memory of 3408	3344	HwidWoofer.exe	cmd.exe
PID 3344 wrote to memory of 3408	3344	HwidWoofer.exe	cmd.exe
PID 3408 wrote to memory of 432	3408	cmd.exe	sc.exe
PID 3408 wrote to memory of 432	3408	cmd.exe	sc.exe
PID 3344 wrote to memory of 3968	3344	HwidWoofer.exe	cmd.exe
PID 3344 wrote to memory of 3968	3344	HwidWoofer.exe	cmd.exe
PID 3968 wrote to memory of 2552	3968	cmd.exe	sc.exe
PID 3968 wrote to memory of 2552	3968	cmd.exe	sc.exe
PID 3344 wrote to memory of 4556	3344	HwidWoofer.exe	cmd.exe
PID 3344 wrote to memory of 4556	3344	HwidWoofer.exe	cmd.exe
PID 4556 wrote to memory of 1616	4556	cmd.exe	sc.exe
PID 4556 wrote to memory of 1616	4556	cmd.exe	sc.exe
PID 3344 wrote to memory of 4428	3344	HwidWoofer.exe	cmd.exe
PID 3344 wrote to memory of 4428	3344	HwidWoofer.exe	cmd.exe
PID 3344 wrote to memory of 4676	3344	HwidWoofer.exe	cmd.exe
PID 3344 wrote to memory of 4676	3344	HwidWoofer.exe	cmd.exe
PID 4676 wrote to memory of 2084	4676	cmd.exe	inertia.exe
PID 4676 wrote to memory of 2084	4676	cmd.exe	inertia.exe
PID 4676 wrote to memory of 3992	4676	cmd.exe	inertia.exe
PID 4676 wrote to memory of 3992	4676	cmd.exe	inertia.exe
PID 4676 wrote to memory of 4696	4676	cmd.exe	inertia.exe
PID 4676 wrote to memory of 4696	4676	cmd.exe	inertia.exe
PID 4676 wrote to memory of 4996	4676	cmd.exe	inertia.exe
PID 4676 wrote to memory of 4996	4676	cmd.exe	inertia.exe
PID 4676 wrote to memory of 4396	4676	cmd.exe	inertia.exe
PID 4676 wrote to memory of 4396	4676	cmd.exe	inertia.exe
PID 4676 wrote to memory of 3624	4676	cmd.exe	inertia.exe
PID 4676 wrote to memory of 3624	4676	cmd.exe	inertia.exe
PID 4676 wrote to memory of 4184	4676	cmd.exe	inertia.exe
PID 4676 wrote to memory of 4184	4676	cmd.exe	inertia.exe
PID 4676 wrote to memory of 2876	4676	cmd.exe	inertia.exe
PID 4676 wrote to memory of 2876	4676	cmd.exe	inertia.exe
PID 4676 wrote to memory of 2944	4676	cmd.exe	inertia.exe
PID 4676 wrote to memory of 2944	4676	cmd.exe	inertia.exe
PID 4676 wrote to memory of 1864	4676	cmd.exe	inertia.exe
PID 4676 wrote to memory of 1864	4676	cmd.exe	inertia.exe

C:\Users\Admin\AppData\Local\Temp\HwidWoofer.exe
"C:\Users\Admin\AppData\Local\Temp\HwidWoofer.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /F /IM EpicGamesLauncher.exe >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:3392

C:\Windows\system32\taskkill.exe
taskkill /F /IM EpicGamesLauncher.exe
3⤵
- Cerber
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /F /IM EasyAntiCheatLauncher.exe >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:4856

C:\Windows\system32\taskkill.exe
taskkill /F /IM EasyAntiCheatLauncher.exe
3⤵
- Cerber
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /F /IM BEService.exe >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:2032

C:\Windows\system32\taskkill.exe
taskkill /F /IM BEService.exe
3⤵
- Cerber
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /F /IM Fortnite.exe >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:4120

C:\Windows\system32\taskkill.exe
taskkill /F /IM Fortnite.exe
3⤵
- Cerber
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /F /IM BattleEyeLauncher.exe >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:4392

C:\Windows\system32\taskkill.exe
taskkill /F /IM BattleEyeLauncher.exe
3⤵
- Cerber
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /F /IM FortniteClient-Win64-Shipping.exe >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:4108

C:\Windows\system32\taskkill.exe
taskkill /F /IM FortniteClient-Win64-Shipping.exe
3⤵
- Cerber
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop BEService >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:3292

C:\Windows\system32\sc.exe
sc stop BEService
3⤵
- Launches sc.exe
PID:4648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop BEDaisy >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:3408

C:\Windows\system32\sc.exe
sc stop BEDaisy
3⤵
- Launches sc.exe
PID:432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop EasyAntiCheat >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:3968

C:\Windows\system32\sc.exe
sc stop EasyAntiCheat
3⤵
- Launches sc.exe
PID:2552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop EasyAntiCheatSys >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:4556

C:\Windows\system32\sc.exe
sc stop EasyAntiCheatSys
3⤵
- Launches sc.exe
PID:1616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:/Windows/SupaNiga/Spoof.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:4676

C:\Windows\SupaNiga\inertia.exe
inertia.exe /IVN 6026-14651
3⤵
- Cerber
- Executes dropped EXE
PID:2084

C:\Windows\SupaNiga\inertia.exe
inertia.exe /IV 3967-5659
3⤵
- Cerber
- Executes dropped EXE
PID:3992

C:\Windows\SupaNiga\inertia.exe
inertia.exe /IV 29633-7508
3⤵
- Cerber
- Executes dropped EXE
PID:4696

C:\Windows\SupaNiga\inertia.exe
inertia.exe /SM 21563-25364
3⤵
- Cerber
- Executes dropped EXE
PID:4996

C:\Windows\SupaNiga\inertia.exe
inertia.exe /SP 28816-23539
3⤵
- Cerber
- Executes dropped EXE
PID:4396

C:\Windows\SupaNiga\inertia.exe
inertia.exe /SV 22640-30840
3⤵
- Cerber
- Executes dropped EXE
PID:3624

C:\Windows\SupaNiga\inertia.exe
inertia.exe /SS 9107-23963
3⤵
- Cerber
- Executes dropped EXE
PID:4184

C:\Windows\SupaNiga\inertia.exe
inertia.exe /SU AUTO
3⤵
- Cerber
- Executes dropped EXE
PID:2876

C:\Windows\SupaNiga\inertia.exe
inertia.exe /SK 9899-10872
3⤵
- Cerber
- Executes dropped EXE
PID:2944

C:\Windows\SupaNiga\inertia.exe
inertia.exe /SF 29897-31897
3⤵
- Cerber
- Executes dropped EXE
PID:1864

C:\Windows\SupaNiga\inertia.exe
inertia.exe /BM 14604-12154
3⤵
- Cerber
- Executes dropped EXE
PID:2260

C:\Windows\SupaNiga\inertia.exe
inertia.exe /BP 4749-31023
3⤵
- Cerber
- Executes dropped EXE
PID:2896

C:\Windows\SupaNiga\inertia.exe
inertia.exe /BV 11493-21857
3⤵
- Cerber
- Executes dropped EXE
PID:3984

C:\Windows\SupaNiga\inertia.exe
inertia.exe /BS 25032-30962
3⤵
- Cerber
- Executes dropped EXE
PID:4928

C:\Windows\SupaNiga\inertia.exe
inertia.exe /BT 21636-7182
3⤵
- Cerber
- Executes dropped EXE
PID:4852

C:\Windows\SupaNiga\inertia.exe
inertia.exe /BLC 15972-5489
3⤵
- Cerber
- Executes dropped EXE
PID:3232

C:\Windows\SupaNiga\inertia.exe
inertia.exe /CM 6988-22822
3⤵
- Cerber
- Executes dropped EXE
PID:912

C:\Windows\SupaNiga\inertia.exe
inertia.exe /CV 8196-15895
3⤵
- Cerber
- Executes dropped EXE
PID:3720

C:\Windows\SupaNiga\inertia.exe
inertia.exe /CS 28683-18710
3⤵
- Cerber
- Executes dropped EXE
PID:4340

C:\Windows\SupaNiga\inertia.exe
inertia.exe /CA 30450-29011
3⤵
- Cerber
- Executes dropped EXE
PID:1720

C:\Windows\SupaNiga\inertia.exe
inertia.exe /CSK 10631-12629
3⤵
- Cerber
- Executes dropped EXE
PID:5112

C:\Windows\SupaNiga\inertia.exe
inertia.exe /PSN 21848-4341
3⤵
- Cerber
- Executes dropped EXE
PID:3392

C:\Windows\SupaNiga\inertia.exe
inertia.exe /PAT 6490-30697
3⤵
- Cerber
- Executes dropped EXE
PID:2056

C:\Windows\SupaNiga\inertia.exe
inertia.exe /PPN 14516-21980
3⤵
- Cerber
- Executes dropped EXE
PID:3244

C:\Windows\SupaNiga\inertia.exe
inertia.exe /OS 1 16640-21549
3⤵
- Cerber
- Executes dropped EXE
PID:3832

C:\Windows\SupaNiga\inertia.exe
inertia.exe /OS 2 1926-9934
3⤵
- Cerber
- Executes dropped EXE
PID:4508

C:\Windows\SupaNiga\inertia.exe
inertia.exe /OS 3 23855-31953
3⤵
- Cerber
- Executes dropped EXE
PID:1944

C:\Windows\SupaNiga\inertia.exe
inertia.exe /OS 4 5963-22183
3⤵
- Cerber
- Executes dropped EXE
PID:1792

C:\Windows\SupaNiga\inertia.exe
inertia.exe /OS 5 15206-30498
3⤵
- Cerber
- Executes dropped EXE
PID:1500

C:\Windows\SupaNiga\inertia.exe
inertia.exe /OS 6 20143-3510
3⤵
- Cerber
- Executes dropped EXE
PID:4552

C:\Windows\SupaNiga\inertia.exe
inertia.exe /OS 7 3529-27532
3⤵
- Cerber
- Executes dropped EXE
PID:4548

C:\Windows\SupaNiga\inertia.exe
inertia.exe /OS 8 14335-25188
3⤵
- Cerber
- Executes dropped EXE
PID:1304

C:\Windows\SupaNiga\inertia.exe
inertia.exe /OS 9 12588-9053
3⤵
- Cerber
- Executes dropped EXE
PID:5056

C:\Windows\SupaNiga\inertia.exe
inertia.exe /OS 10 6109-25878
3⤵
- Cerber
- Executes dropped EXE
PID:1580

C:\Windows\SupaNiga\inertia.exe
inertia.exe /OS 11 6510-5067
3⤵
- Cerber
- Executes dropped EXE
PID:2028

C:\Windows\system32\net.exe
net stop winmgmt /Y
3⤵
PID:2188

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop winmgmt /Y
4⤵
PID:4772

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1436

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

1

T1489

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SupaNiga\inertia.exe
Filesize
453KB

MD5
7f118633f542014d65ee13eb8d4f702a

SHA1
a59117813003390187a45eec4116337d5b695b09

SHA256
e27be45f00bce92b6f3c12e37723295e5a5959ecb8185f06028f3cfb88de3bb6

SHA512
cf004560d6e3ce5cbb142a91445427dce58199dd3d1a254d2ae6d2e41df709c90844edfe9eff711c0a042f05338d72588da25591149edfd90860a76e2b0c9ff8

Download Submit
C:\Windows\SupaNiga\spoof.bat
Filesize
1KB

MD5
f3f7fadf5cdc4b050e4864d9ed2293dc

SHA1
42cc83a62dd6c5c12cce1eec03888caba03f2b44

SHA256
acdf68856ff3b43cea509462a6d14c362eb2775ab3c145f511781b07c00c0729

SHA512
cbbe68ba28f672364a40c343f8d429dd30552d5f500e184ba990e3cabe55fac6a247895daa640287d38db5dd2b37b83dec254ae277670fcbaa43ddf47d620c82

Download Submit

pid	process
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656

pid	process
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

pid	process
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656