b8c1f3abe165e1bab5616f0b739f1cb53c642c40ffc92f9f26aec1a73eaf0de2

Analysis

max time kernel
300s
max time network
300s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20-11-2024 00:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

erebus.exe
Size

1.2MB
MD5

0ced87772881b63caf95f1d828ba40c5
SHA1

6e5fca51a018272d1b1003b16dce6ee9e836908c
SHA256

ed3a685ca65de70b79faf95bbd94c343e73a150e83184f67e0bdb35b11d05791
SHA512

65f3a52930dd560cf27a9a6e7386ae1bba22d663a1112b44fa1db043bd0b980f7dcb1d5fe21b873bb93db69c5c4d0b3c7dcf13ea110836970454b56dc16e57bb
SSDEEP

24576:DxIWmj1GwuqWt6GoXrxv7EJoD7p1YQzA+GdctrOvpk5P4TB5tP9P6F:Dnqqo5PzA+Gda4TB5tFP6F

Score

9^/10

defense_evasion discovery execution impact ransomware spyware stealer

Malware Config

Signatures

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.exeWMIC.exefindstr.exeWMIC.execmd.exeWMIC.exeerebus.exevssadmin.exeWMIC.exeWMIC.execmd.execmd.exeWMIC.exefindstr.exefindstr.exefindstr.execmd.exefindstr.exefindstr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	erebus.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe

Interacts with shadow copies 3 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Direct Volume Access
T1006

Processes:

vssadmin.exe

pid process

2564 vssadmin.exe

pid	process
2564	vssadmin.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WMIC.exevssvc.exeWMIC.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2520	WMIC.exe
Token: SeSecurityPrivilege	2520	WMIC.exe
Token: SeTakeOwnershipPrivilege	2520	WMIC.exe
Token: SeLoadDriverPrivilege	2520	WMIC.exe
Token: SeSystemProfilePrivilege	2520	WMIC.exe
Token: SeSystemtimePrivilege	2520	WMIC.exe
Token: SeProfSingleProcessPrivilege	2520	WMIC.exe
Token: SeIncBasePriorityPrivilege	2520	WMIC.exe
Token: SeCreatePagefilePrivilege	2520	WMIC.exe
Token: SeBackupPrivilege	2520	WMIC.exe
Token: SeRestorePrivilege	2520	WMIC.exe
Token: SeShutdownPrivilege	2520	WMIC.exe
Token: SeDebugPrivilege	2520	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2520	WMIC.exe
Token: SeRemoteShutdownPrivilege	2520	WMIC.exe
Token: SeUndockPrivilege	2520	WMIC.exe
Token: SeManageVolumePrivilege	2520	WMIC.exe
Token: 33	2520	WMIC.exe
Token: 34	2520	WMIC.exe
Token: 35	2520	WMIC.exe
Token: SeBackupPrivilege	2920	vssvc.exe
Token: SeRestorePrivilege	2920	vssvc.exe
Token: SeAuditPrivilege	2920	vssvc.exe
Token: SeIncreaseQuotaPrivilege	2520	WMIC.exe
Token: SeSecurityPrivilege	2520	WMIC.exe
Token: SeTakeOwnershipPrivilege	2520	WMIC.exe
Token: SeLoadDriverPrivilege	2520	WMIC.exe
Token: SeSystemProfilePrivilege	2520	WMIC.exe
Token: SeSystemtimePrivilege	2520	WMIC.exe
Token: SeProfSingleProcessPrivilege	2520	WMIC.exe
Token: SeIncBasePriorityPrivilege	2520	WMIC.exe
Token: SeCreatePagefilePrivilege	2520	WMIC.exe
Token: SeBackupPrivilege	2520	WMIC.exe
Token: SeRestorePrivilege	2520	WMIC.exe
Token: SeShutdownPrivilege	2520	WMIC.exe
Token: SeDebugPrivilege	2520	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2520	WMIC.exe
Token: SeRemoteShutdownPrivilege	2520	WMIC.exe
Token: SeUndockPrivilege	2520	WMIC.exe
Token: SeManageVolumePrivilege	2520	WMIC.exe
Token: 33	2520	WMIC.exe
Token: 34	2520	WMIC.exe
Token: 35	2520	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2888	WMIC.exe
Token: SeSecurityPrivilege	2888	WMIC.exe
Token: SeTakeOwnershipPrivilege	2888	WMIC.exe
Token: SeLoadDriverPrivilege	2888	WMIC.exe
Token: SeSystemProfilePrivilege	2888	WMIC.exe
Token: SeSystemtimePrivilege	2888	WMIC.exe
Token: SeProfSingleProcessPrivilege	2888	WMIC.exe
Token: SeIncBasePriorityPrivilege	2888	WMIC.exe
Token: SeCreatePagefilePrivilege	2888	WMIC.exe
Token: SeBackupPrivilege	2888	WMIC.exe
Token: SeRestorePrivilege	2888	WMIC.exe
Token: SeShutdownPrivilege	2888	WMIC.exe
Token: SeDebugPrivilege	2888	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2888	WMIC.exe
Token: SeRemoteShutdownPrivilege	2888	WMIC.exe
Token: SeUndockPrivilege	2888	WMIC.exe
Token: SeManageVolumePrivilege	2888	WMIC.exe
Token: 33	2888	WMIC.exe
Token: 34	2888	WMIC.exe
Token: 35	2888	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2888	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

erebus.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 2172 wrote to memory of 3032	2172	erebus.exe	cmd.exe
PID 2172 wrote to memory of 3032	2172	erebus.exe	cmd.exe
PID 2172 wrote to memory of 3032	2172	erebus.exe	cmd.exe
PID 2172 wrote to memory of 3032	2172	erebus.exe	cmd.exe
PID 2172 wrote to memory of 1568	2172	erebus.exe	cmd.exe
PID 2172 wrote to memory of 1568	2172	erebus.exe	cmd.exe
PID 2172 wrote to memory of 1568	2172	erebus.exe	cmd.exe
PID 2172 wrote to memory of 1568	2172	erebus.exe	cmd.exe
PID 3032 wrote to memory of 2564	3032	cmd.exe	vssadmin.exe
PID 3032 wrote to memory of 2564	3032	cmd.exe	vssadmin.exe
PID 3032 wrote to memory of 2564	3032	cmd.exe	vssadmin.exe
PID 3032 wrote to memory of 2564	3032	cmd.exe	vssadmin.exe
PID 1568 wrote to memory of 2520	1568	cmd.exe	WMIC.exe
PID 1568 wrote to memory of 2520	1568	cmd.exe	WMIC.exe
PID 1568 wrote to memory of 2520	1568	cmd.exe	WMIC.exe
PID 1568 wrote to memory of 2520	1568	cmd.exe	WMIC.exe
PID 1568 wrote to memory of 2112	1568	cmd.exe	findstr.exe
PID 1568 wrote to memory of 2112	1568	cmd.exe	findstr.exe
PID 1568 wrote to memory of 2112	1568	cmd.exe	findstr.exe
PID 1568 wrote to memory of 2112	1568	cmd.exe	findstr.exe
PID 2172 wrote to memory of 2260	2172	erebus.exe	cmd.exe
PID 2172 wrote to memory of 2260	2172	erebus.exe	cmd.exe
PID 2172 wrote to memory of 2260	2172	erebus.exe	cmd.exe
PID 2172 wrote to memory of 2260	2172	erebus.exe	cmd.exe
PID 2260 wrote to memory of 2888	2260	cmd.exe	WMIC.exe
PID 2260 wrote to memory of 2888	2260	cmd.exe	WMIC.exe
PID 2260 wrote to memory of 2888	2260	cmd.exe	WMIC.exe
PID 2260 wrote to memory of 2888	2260	cmd.exe	WMIC.exe
PID 2260 wrote to memory of 2624	2260	cmd.exe	findstr.exe
PID 2260 wrote to memory of 2624	2260	cmd.exe	findstr.exe
PID 2260 wrote to memory of 2624	2260	cmd.exe	findstr.exe
PID 2260 wrote to memory of 2624	2260	cmd.exe	findstr.exe
PID 2172 wrote to memory of 2976	2172	erebus.exe	cmd.exe
PID 2172 wrote to memory of 2976	2172	erebus.exe	cmd.exe
PID 2172 wrote to memory of 2976	2172	erebus.exe	cmd.exe
PID 2172 wrote to memory of 2976	2172	erebus.exe	cmd.exe
PID 2976 wrote to memory of 2640	2976	cmd.exe	WMIC.exe
PID 2976 wrote to memory of 2640	2976	cmd.exe	WMIC.exe
PID 2976 wrote to memory of 2640	2976	cmd.exe	WMIC.exe
PID 2976 wrote to memory of 2640	2976	cmd.exe	WMIC.exe
PID 2976 wrote to memory of 2188	2976	cmd.exe	findstr.exe
PID 2976 wrote to memory of 2188	2976	cmd.exe	findstr.exe
PID 2976 wrote to memory of 2188	2976	cmd.exe	findstr.exe
PID 2976 wrote to memory of 2188	2976	cmd.exe	findstr.exe
PID 2172 wrote to memory of 1736	2172	erebus.exe	cmd.exe
PID 2172 wrote to memory of 1736	2172	erebus.exe	cmd.exe
PID 2172 wrote to memory of 1736	2172	erebus.exe	cmd.exe
PID 2172 wrote to memory of 1736	2172	erebus.exe	cmd.exe
PID 1736 wrote to memory of 868	1736	cmd.exe	WMIC.exe
PID 1736 wrote to memory of 868	1736	cmd.exe	WMIC.exe
PID 1736 wrote to memory of 868	1736	cmd.exe	WMIC.exe
PID 1736 wrote to memory of 868	1736	cmd.exe	WMIC.exe
PID 1736 wrote to memory of 444	1736	cmd.exe	findstr.exe
PID 1736 wrote to memory of 444	1736	cmd.exe	findstr.exe
PID 1736 wrote to memory of 444	1736	cmd.exe	findstr.exe
PID 1736 wrote to memory of 444	1736	cmd.exe	findstr.exe
PID 1736 wrote to memory of 2600	1736	cmd.exe	WMIC.exe
PID 1736 wrote to memory of 2600	1736	cmd.exe	WMIC.exe
PID 1736 wrote to memory of 2600	1736	cmd.exe	WMIC.exe
PID 1736 wrote to memory of 2600	1736	cmd.exe	WMIC.exe
PID 1736 wrote to memory of 1436	1736	cmd.exe	findstr.exe
PID 1736 wrote to memory of 1436	1736	cmd.exe	findstr.exe
PID 1736 wrote to memory of 1436	1736	cmd.exe	findstr.exe
PID 1736 wrote to memory of 1436	1736	cmd.exe	findstr.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\erebus.exe
"C:\Users\Admin\AppData\Local\Temp\erebus.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2172
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet && exit
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3032
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:2564
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C wmic logicaldisk where drivetype=2 get deviceid | findstr . > %tmp%\y
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1568
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic logicaldisk where drivetype=2 get deviceid
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2520
- - C:\Windows\SysWOW64\findstr.exe
    findstr .
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2112
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C wmic logicaldisk where drivetype=3 get deviceid | findstr . > %tmp%\y
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2260
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic logicaldisk where drivetype=3 get deviceid
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2888
- - C:\Windows\SysWOW64\findstr.exe
    findstr .
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2624
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C wmic logicaldisk where drivetype=4 get deviceid | findstr . > %tmp%\y
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2976
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic logicaldisk where drivetype=4 get deviceid
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2640
- - C:\Windows\SysWOW64\findstr.exe
    findstr .
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2188
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C wmic path win32_physicalmedia get SerialNumber | findstr . > %tmp%\y && wmic cpu get ProcessorId | findstr . >> %tmp%\y && wmic path win32_BASEBOARD get Product | findstr . >> %tmp%\y
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1736
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic path win32_physicalmedia get SerialNumber
    3⤵
    - System Location Discovery: System Language Discovery
    PID:868
- - C:\Windows\SysWOW64\findstr.exe
    findstr .
    3⤵
    - System Location Discovery: System Language Discovery
    PID:444
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic cpu get ProcessorId
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2600
- - C:\Windows\SysWOW64\findstr.exe
    findstr .
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1436
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic path win32_BASEBOARD get Product
    3⤵
    - System Location Discovery: System Language Discovery
    PID:400
- - C:\Windows\SysWOW64\findstr.exe
    findstr .
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1720

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Privilege Escalation

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\y

Filesize
83B

MD5
445e94a8ece8238758d3a897fef6822b

SHA1
2c5e5cb3ce480d98d74fe5a0ed23d31848ebb407

SHA256
543e763d191bc04c5564cf6521eeff6c154b74415575303c72b46f32bd24594b

SHA512
c6347eb9214eab5b8e2f61358153244203480c11d4d83f83e1e37cdd3f922a6e50c5568618fb27cb2a70487d7b9bea44614a065631934fca5894a6daec1f82a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\y

Filesize
39B

MD5
730a1c06f8273df68828bbebb3e1fab0

SHA1
1c269bdd515ca992df2c07c2b4c0eda26f1a6c91

SHA256
da51411ba8d69f112382c4ada4c02ad9e5ab3fcececca4bd50bb11122e473679

SHA512
1d56e0d3704d75dff9f20347ff3e712c114a1d9e5383e6356a71a9705dd4a3bb311c174c6d026cc60707abc56f7bfda011293a8dbd7f79a299fb712d3ad33f30

Download Submit