Analysis
max time kernel: 143s
max time network: 143s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 02-04-2024 07:58
Static task: static1
Behavioral task: behavioral1
  Sample: 0000599cbc6e5b0633c5a6261c79e4d3d81005c77845c6b0679d854884a8e02f.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 0000599cbc6e5b0633c5a6261c79e4d3d81005c77845c6b0679d854884a8e02f.exe
  Resource: win10v2004-20240226-en
General
Target: 0000599cbc6e5b0633c5a6261c79e4d3d81005c77845c6b0679d854884a8e02f.exe
Size: 597KB
MD5: 20d9fa474fa2628a6abe5485d35ee7e0
SHA1: a28af73bcfd4ebe2fe29242c07fec15e0578ec8a
SHA256: 0000599cbc6e5b0633c5a6261c79e4d3d81005c77845c6b0679d854884a8e02f
SHA512: 2301c6c44797d16067e2b8e0336e897929de071246d87d54f88ec9c4f217bcb2f1388837fb9f3f5a915a0f0b3651dd93b3ed13c6ce85e7dd33dd957ade571387
SSDEEP: 12288:mm0+bjvfBp6pOcQmqtPxGKw3genar9XW6Y:Awn6UcQmEPx2wem9XWf
Malware Config
Extracted
C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\_README_.hta
Signatures
Cerber
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
Blocklisted process makes network request 3 IoCs
Processes:
flow  pid   process
2184  1368  mshta.exe
2186  1368  mshta.exe
2188  1368  mshta.exe
Contacts a large (1093) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
Deletes itself 1 IoCs
Processes:
pid   process
2804  cmd.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes:
description      ioc                                                                                                                                                  process
Set value (str)  \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmpE762.bmp"  0000599cbc6e5b0633c5a6261c79e4d3d81005c77845c6b0679d854884a8e02f.exe
Drops file in Program Files directory 6 IoCs
Processes:
description                   ioc                                                                                        process
File opened for modification  C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\BLANK.ONE     0000599cbc6e5b0633c5a6261c79e4d3d81005c77845c6b0679d854884a8e02f.exe
File opened for modification  C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\BUSINESS.ONE  0000599cbc6e5b0633c5a6261c79e4d3d81005c77845c6b0679d854884a8e02f.exe
File opened for modification  C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\DESIGNER.ONE  0000599cbc6e5b0633c5a6261c79e4d3d81005c77845c6b0679d854884a8e02f.exe
File opened for modification  C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\PLANNERS.ONE  0000599cbc6e5b0633c5a6261c79e4d3d81005c77845c6b0679d854884a8e02f.exe
File opened for modification  C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\ACADEMIC.ONE  0000599cbc6e5b0633c5a6261c79e4d3d81005c77845c6b0679d854884a8e02f.exe
File created                  C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\_README_.hta  0000599cbc6e5b0633c5a6261c79e4d3d81005c77845c6b0679d854884a8e02f.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Kills process with taskkill 1 IoCs
Processes:
pid   process
1640  taskkill.exe
Modifies Internet Explorer settings
Processes:
description  ioc                                                                                                               process
Key created  \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Main  mshta.exe
Key created  \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Main  mshta.exe
Runs ping.exe 1 TTPs 1 IoCs
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of AdjustPrivilegeToken 50 IoCs
Processes:
description                          pid   process
Token: SeDebugPrivilege              768   0000599cbc6e5b0633c5a6261c79e4d3d81005c77845c6b0679d854884a8e02f.exe
Token: SeIncreaseQuotaPrivilege      2688  WMIC.exe
Token: SeSecurityPrivilege           2688  WMIC.exe
Token: SeTakeOwnershipPrivilege      2688  WMIC.exe
Token: SeLoadDriverPrivilege         2688  WMIC.exe
Token: SeSystemProfilePrivilege      2688  WMIC.exe
Token: SeSystemtimePrivilege         2688  WMIC.exe
Token: SeProfSingleProcessPrivilege  2688  WMIC.exe
Token: SeIncBasePriorityPrivilege    2688  WMIC.exe
Token: SeCreatePagefilePrivilege     2688  WMIC.exe
Token: SeBackupPrivilege             2688  WMIC.exe
Token: SeRestorePrivilege            2688  WMIC.exe
Token: SeShutdownPrivilege           2688  WMIC.exe
Token: SeDebugPrivilege              2688  WMIC.exe
Token: SeSystemEnvironmentPrivilege  2688  WMIC.exe
Token: SeRemoteShutdownPrivilege     2688  WMIC.exe
Token: SeUndockPrivilege             2688  WMIC.exe
Token: SeManageVolumePrivilege       2688  WMIC.exe
Token: 33                            2688  WMIC.exe
Token: 34                            2688  WMIC.exe
Token: 35                            2688  WMIC.exe
Token: SeIncreaseQuotaPrivilege      2688  WMIC.exe
Token: SeSecurityPrivilege           2688  WMIC.exe
Token: SeTakeOwnershipPrivilege      2688  WMIC.exe
Token: SeLoadDriverPrivilege         2688  WMIC.exe
Token: SeSystemProfilePrivilege      2688  WMIC.exe
Token: SeSystemtimePrivilege         2688  WMIC.exe
Token: SeProfSingleProcessPrivilege  2688  WMIC.exe
Token: SeIncBasePriorityPrivilege    2688  WMIC.exe
Token: SeCreatePagefilePrivilege     2688  WMIC.exe
Token: SeBackupPrivilege             2688  WMIC.exe
Token: SeRestorePrivilege            2688  WMIC.exe
Token: SeShutdownPrivilege           2688  WMIC.exe
Token: SeDebugPrivilege              2688  WMIC.exe
Token: SeSystemEnvironmentPrivilege  2688  WMIC.exe
Token: SeRemoteShutdownPrivilege     2688  WMIC.exe
Token: SeUndockPrivilege             2688  WMIC.exe
Token: SeManageVolumePrivilege       2688  WMIC.exe
Token: 33                            2688  WMIC.exe
Token: 34                            2688  WMIC.exe
Token: 35                            2688  WMIC.exe
Token: SeBackupPrivilege             2636  vssvc.exe
Token: SeRestorePrivilege            2636  vssvc.exe
Token: SeAuditPrivilege              2636  vssvc.exe
Token: SeShutdownPrivilege           768   0000599cbc6e5b0633c5a6261c79e4d3d81005c77845c6b0679d854884a8e02f.exe
Token: 33                            1180  AUDIODG.EXE
Token: SeIncBasePriorityPrivilege    1180  AUDIODG.EXE
Token: 33                            1180  AUDIODG.EXE
Token: SeIncBasePriorityPrivilege    1180  AUDIODG.EXE
Token: SeDebugPrivilege              1640  taskkill.exe
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
pid   process
1368  mshta.exe
1368  mshta.exe
Suspicious use of UnmapMainImage 1 IoCs
Processes:
pid  process
768  0000599cbc6e5b0633c5a6261c79e4d3d81005c77845c6b0679d854884a8e02f.exe
Suspicious use of WriteProcessMemory 21 IoCs
Processes:
description                       pid   process                                                                target process
PID 768 wrote to memory of 2620   768   0000599cbc6e5b0633c5a6261c79e4d3d81005c77845c6b0679d854884a8e02f.exe  cmd.exe
PID 768 wrote to memory of 2620   768   0000599cbc6e5b0633c5a6261c79e4d3d81005c77845c6b0679d854884a8e02f.exe  cmd.exe
PID 768 wrote to memory of 2620   768   0000599cbc6e5b0633c5a6261c79e4d3d81005c77845c6b0679d854884a8e02f.exe  cmd.exe
PID 768 wrote to memory of 2620   768   0000599cbc6e5b0633c5a6261c79e4d3d81005c77845c6b0679d854884a8e02f.exe  cmd.exe
PID 2620 wrote to memory of 2688  2620  cmd.exe                                                                WMIC.exe
PID 2620 wrote to memory of 2688  2620  cmd.exe                                                                WMIC.exe
PID 2620 wrote to memory of 2688  2620  cmd.exe                                                                WMIC.exe
PID 768 wrote to memory of 2748   768   0000599cbc6e5b0633c5a6261c79e4d3d81005c77845c6b0679d854884a8e02f.exe  mshta.exe
PID 768 wrote to memory of 2748   768   0000599cbc6e5b0633c5a6261c79e4d3d81005c77845c6b0679d854884a8e02f.exe  mshta.exe
PID 768 wrote to memory of 2748   768   0000599cbc6e5b0633c5a6261c79e4d3d81005c77845c6b0679d854884a8e02f.exe  mshta.exe
PID 768 wrote to memory of 2748   768   0000599cbc6e5b0633c5a6261c79e4d3d81005c77845c6b0679d854884a8e02f.exe  mshta.exe
PID 768 wrote to memory of 2804   768   0000599cbc6e5b0633c5a6261c79e4d3d81005c77845c6b0679d854884a8e02f.exe  cmd.exe
PID 768 wrote to memory of 2804   768   0000599cbc6e5b0633c5a6261c79e4d3d81005c77845c6b0679d854884a8e02f.exe  cmd.exe
PID 768 wrote to memory of 2804   768   0000599cbc6e5b0633c5a6261c79e4d3d81005c77845c6b0679d854884a8e02f.exe  cmd.exe
PID 768 wrote to memory of 2804   768   0000599cbc6e5b0633c5a6261c79e4d3d81005c77845c6b0679d854884a8e02f.exe  cmd.exe
PID 2804 wrote to memory of 1640  2804  cmd.exe                                                                taskkill.exe
PID 2804 wrote to memory of 1640  2804  cmd.exe                                                                taskkill.exe
PID 2804 wrote to memory of 1640  2804  cmd.exe                                                                taskkill.exe
PID 2804 wrote to memory of 2264  2804  cmd.exe                                                                PING.EXE
PID 2804 wrote to memory of 2264  2804  cmd.exe                                                                PING.EXE
PID 2804 wrote to memory of 2264  2804  cmd.exe                                                                PING.EXE
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes (indented by process-tree depth; the command line follows each image path)
C:\Users\Admin\AppData\Local\Temp\0000599cbc6e5b0633c5a6261c79e4d3d81005c77845c6b0679d854884a8e02f.exe
  "C:\Users\Admin\AppData\Local\Temp\0000599cbc6e5b0633c5a6261c79e4d3d81005c77845c6b0679d854884a8e02f.exe"
  - Sets desktop wallpaper using registry
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
    C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe"
      - Suspicious use of WriteProcessMemory
        C:\Windows\system32\wbem\WMIC.exe
          C:\Windows\system32\wbem\wmic.exe shadowcopy delete
          - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\_README_.hta"
      - Modifies Internet Explorer settings
    C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe"
      - Deletes itself
      - Suspicious use of WriteProcessMemory
        C:\Windows\system32\taskkill.exe
          taskkill /f /im "0000599cbc6e5b0633c5a6261c79e4d3d81005c77845c6b0679d854884a8e02f.exe"
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
        C:\Windows\system32\PING.EXE
          ping -n 1 127.0.0.1
          - Runs ping.exe
C:\Windows\system32\vssvc.exe
  C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\_README_.hta"
  - Blocklisted process makes network request
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
C:\Windows\SysWOW64\DllHost.exe
  C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
C:\Windows\system32\AUDIODG.EXE
  C:\Windows\system32\AUDIODG.EXE 0x564
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\_README_.hta
  Filesize: 66KB
  MD5: 4609dc1603750ce9bc58c4e821b2c8bf
  SHA1: 65d444fcc2ec9cbb59c6f9d2db263700695afcc8
  SHA256: a983b5585c424ade543d18c100ccec44070d22f130abc68ccbd7bd6c5eed3873
  SHA512: 9e33bf89dd4bb3664cfd1d4e24ec07bde923b03f7ed3477156a1320e9296c653fb011640900263c51139ea261001b5b2cada98fe1acd1455ac41ff3df79b19da
memory/768-0-0x0000000000230000-0x000000000025F000-memory.dmp
  Filesize: 188KB
memory/768-1-0x0000000000400000-0x0000000000431000-memory.dmp
  Filesize: 196KB
memory/768-2-0x0000000000400000-0x0000000000431000-memory.dmp
  Filesize: 196KB
memory/768-7-0x0000000000400000-0x0000000000431000-memory.dmp
  Filesize: 196KB
memory/768-8-0x0000000000400000-0x0000000000431000-memory.dmp
  Filesize: 196KB
memory/768-9-0x0000000000400000-0x0000000000431000-memory.dmp
  Filesize: 196KB
memory/768-10-0x0000000000400000-0x0000000000431000-memory.dmp
  Filesize: 196KB
memory/768-297-0x0000000000400000-0x0000000000431000-memory.dmp
  Filesize: 196KB
memory/768-298-0x0000000000400000-0x0000000000431000-memory.dmp
  Filesize: 196KB
memory/768-307-0x0000000000400000-0x0000000000431000-memory.dmp
  Filesize: 196KB