Analysis
- max time kernel: 34s
- max time network: 40s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 07-04-2024 05:13
Static task: static1
Behavioral task: behavioral1
- Sample: tXauTiJr.exe
- Resource: win10v2004-20240226-en
General
- Target: tXauTiJr.exe
- Size: 521KB
- MD5: 464c348f1bdf66a75c6b0d51256e916c
- SHA1: fa7f683e451ab0a0c6c18a4dde7b9bbdde72ff27
- SHA256: a58b1f94ba24a2d7f06c2b7a9840243c4e1b75b1b580cf1ce4c5d9af69cedc85
- SHA512: cb07284fd3d33eef29f761fd0d044a9143b9e934eff49a625290c4da23580c1b0bb1f4cd9d5e574c698fbf791d13aa476be2a550baebb4f925ef019015710233
- SSDEEP: 6144:8a/Z+6VHFnEXbw2Y3h3NWqU/xdwpN8T4LUEDW9VXnHFudT7coWspLaIZ1ZT:8a/h8w2UNiX0gEOpnHFutV5n3
Malware Config
Signatures
- Cerber (3 IoCs)
  Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
  Processes:
  pid 4216 taskkill.exe
  Mutant created: AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8} (AMIDEWINx64.exe)
  Mutant created: AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8} (AMIDEWINx64.exe)
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Processes:
  Key value queried: \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation (tXauTiJr.exe)
- Executes dropped EXE (2 IoCs)
  Processes:
  pid 1472 AMIDEWINx64.exe
  pid 2072 AMIDEWINx64.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Kills process with taskkill (2 IoCs)
  Processes:
  pid 4216 taskkill.exe
  pid 2420 taskkill.exe
- Suspicious behavior: LoadsDriver (2 IoCs)
  Processes:
  pid 648
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
  Token: SeDebugPrivilege, pid 4216 taskkill.exe
  Token: SeDebugPrivilege, pid 2420 taskkill.exe
- Suspicious use of WriteProcessMemory (32 IoCs)
  Processes (source PID wrote to memory of target PID; source process -> target process):
  PID 4752 wrote to memory of 1612 (tXauTiJr.exe -> cmd.exe)
  PID 4752 wrote to memory of 1612 (tXauTiJr.exe -> cmd.exe)
  PID 4752 wrote to memory of 4576 (tXauTiJr.exe -> cmd.exe)
  PID 4752 wrote to memory of 4576 (tXauTiJr.exe -> cmd.exe)
  PID 4752 wrote to memory of 4600 (tXauTiJr.exe -> cmd.exe)
  PID 4752 wrote to memory of 4600 (tXauTiJr.exe -> cmd.exe)
  PID 4752 wrote to memory of 4536 (tXauTiJr.exe -> cmd.exe)
  PID 4752 wrote to memory of 4536 (tXauTiJr.exe -> cmd.exe)
  PID 4752 wrote to memory of 3492 (tXauTiJr.exe -> cmd.exe)
  PID 4752 wrote to memory of 3492 (tXauTiJr.exe -> cmd.exe)
  PID 3492 wrote to memory of 4216 (cmd.exe -> taskkill.exe)
  PID 3492 wrote to memory of 4216 (cmd.exe -> taskkill.exe)
  PID 4752 wrote to memory of 2732 (tXauTiJr.exe -> cmd.exe)
  PID 4752 wrote to memory of 2732 (tXauTiJr.exe -> cmd.exe)
  PID 2732 wrote to memory of 1472 (cmd.exe -> AMIDEWINx64.exe)
  PID 2732 wrote to memory of 1472 (cmd.exe -> AMIDEWINx64.exe)
  PID 4752 wrote to memory of 3380 (tXauTiJr.exe -> cmd.exe)
  PID 4752 wrote to memory of 3380 (tXauTiJr.exe -> cmd.exe)
  PID 3380 wrote to memory of 2072 (cmd.exe -> AMIDEWINx64.exe)
  PID 3380 wrote to memory of 2072 (cmd.exe -> AMIDEWINx64.exe)
  PID 4752 wrote to memory of 1904 (tXauTiJr.exe -> cmd.exe)
  PID 4752 wrote to memory of 1904 (tXauTiJr.exe -> cmd.exe)
  PID 1904 wrote to memory of 2420 (cmd.exe -> taskkill.exe)
  PID 1904 wrote to memory of 2420 (cmd.exe -> taskkill.exe)
  PID 4752 wrote to memory of 724 (tXauTiJr.exe -> cmd.exe)
  PID 4752 wrote to memory of 724 (tXauTiJr.exe -> cmd.exe)
  PID 4752 wrote to memory of 4984 (tXauTiJr.exe -> cmd.exe)
  PID 4752 wrote to memory of 4984 (tXauTiJr.exe -> cmd.exe)
  PID 4752 wrote to memory of 5044 (tXauTiJr.exe -> cmd.exe)
  PID 4752 wrote to memory of 5044 (tXauTiJr.exe -> cmd.exe)
  PID 4752 wrote to memory of 1580 (tXauTiJr.exe -> cmd.exe)
  PID 4752 wrote to memory of 1580 (tXauTiJr.exe -> cmd.exe)
Processes (indentation shows the parent/child depth; each entry gives the image path, its command line and the signatures matched on it)
- C:\Users\Admin\AppData\Local\Temp\tXauTiJr.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\tXauTiJr.exe"
  Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c cls
  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c cls
  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c cls
  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c cls
  - C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C TASKKILL /F /IM WmiPrvSE.exe
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\taskkill.exe
      Command line: TASKKILL /F /IM WmiPrvSE.exe
      Signatures: Cerber; Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS %RANDOM%%RANDOM%%RANDOM%
    Signatures: Suspicious use of WriteProcessMemory
    - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
      Command line: C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 920752467925
      Signatures: Cerber; Executes dropped EXE
  - C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV %RANDOM%%RANDOM%%RANDOM%
    Signatures: Suspicious use of WriteProcessMemory
    - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
      Command line: C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 920752467925
      Signatures: Cerber; Executes dropped EXE
  - C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C TASKKILL /F /IM WmiPrvSE.exe
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\taskkill.exe
      Command line: TASKKILL /F /IM WmiPrvSE.exe
      Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\amide.sys
  - C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\amifldrv64.sys
  - C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c cls
Downloads
- C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
  Filesize: 452KB
  MD5: c4d09d3b3516550ad2ded3b09e28c10c
  SHA1: 7a5e77bb9ba74cf57cb1d119325b0b7f64199824
  SHA256: 66433a06884f28fdabb85a73c682d1587767e1dfa116907559ec00ed8d0919d3
  SHA512: 2e7800aae592d38c4a6c854b11d0883de70f938b29d78e257ab47a8a2bbf09121145d0a9aea9b56c16e18cde31b693d31d7ebfcd0473b7c15df5d7ae6708bbd2
- C:\ProgramData\Microsoft\Windows\amifldrv64.sys
  Filesize: 18KB
  MD5: 785045f8b25cd2e937ddc6b09debe01a
  SHA1: 029c678674f482ababe8bbfdb93152392457109d
  SHA256: 37073e42ffa0322500f90cd7e3c8d02c4cdd695d31c77e81560abec20bfb68ba
  SHA512: 40bbeb41816146c7172aa3cf27dace538908b7955171968e1cddcd84403b2588e0d8437a3596c2714ccdf4476eefa3d4e61d90ea118982b729f50b03df1104a9