Overview (score 10)
Static (score 10)

Task scores (sample, platform, score):
Tear.exe                 windows7-x64         10
Tear.exe                 windows10-2004-x64   10
adochi.exe               windows7-x64         7
adochi.exe               windows10-2004-x64   7
autoit.exe               windows7-x64         10
autoit.exe               windows10-2004-x64   6
autoit2.exe              windows7-x64         10
autoit2.exe              windows10-2004-x64   10
autoit3.exe              windows7-x64         10
autoit3.exe              windows10-2004-x64   10
deviation.exe            windows7-x64         8
deviation.exe            windows10-2004-x64   8
encoder.exe              windows7-x64         10
encoder.exe              windows10-2004-x64   10
encoder2.exe             windows7-x64         9
encoder2.exe             windows10-2004-x64   (score not shown)
encoder3.exe             windows7-x64         10
encoder3.exe             windows10-2004-x64   10
encoder4.exe             windows7-x64         5
encoder4.exe             windows10-2004-x64   5
encoder5.exe             windows7-x64         10
encoder5.exe             windows10-2004-x64   10
erebus.exe               windows7-x64         9
erebus.exe               windows10-2004-x64   7
myxaha.exe               windows7-x64         7
myxaha.exe               windows10-2004-x64   7
$LOCALAPPD...er.exe      windows7-x64         7
$LOCALAPPD...er.exe      windows10-2004-x64   7
$PLUGINSDI...LL.dll      windows7-x64         3
$PLUGINSDI...LL.dll      windows10-2004-x64   3
$PLUGINSDI...em.dll      windows7-x64         3
$PLUGINSDI...em.dll      windows10-2004-x64   3

Analysis
max time kernel: 150s
max time network: 152s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 20-11-2024 00:24
Behavioral tasks (task, sample, resource):
behavioral1    Tear.exe                              win7-20240903-en
behavioral2    Tear.exe                              win10v2004-20241007-en
behavioral3    adochi.exe                            win7-20240903-en
behavioral4    adochi.exe                            win10v2004-20241007-en
behavioral5    autoit.exe                            win7-20241010-en
behavioral6    autoit.exe                            win10v2004-20241007-en
behavioral7    autoit2.exe                           win7-20240903-en
behavioral8    autoit2.exe                           win10v2004-20241007-en
behavioral9    autoit3.exe                           win7-20240903-en
behavioral10   autoit3.exe                           win10v2004-20241007-en
behavioral11   deviation.exe                         win7-20240903-en
behavioral12   deviation.exe                         win10v2004-20241007-en
behavioral13   encoder.exe                           win7-20240729-en
behavioral14   encoder.exe                           win10v2004-20241007-en
behavioral15   encoder2.exe                          win7-20240708-en
behavioral16   encoder2.exe                          win10v2004-20241007-en
behavioral17   encoder3.exe                          win7-20241010-en
behavioral18   encoder3.exe                          win10v2004-20241007-en
behavioral19   encoder4.exe                          win7-20241010-en
behavioral20   encoder4.exe                          win10v2004-20241007-en
behavioral21   encoder5.exe                          win7-20240903-en
behavioral22   encoder5.exe                          win10v2004-20241007-en
behavioral23   erebus.exe                            win7-20240708-en
behavioral24   erebus.exe                            win10v2004-20241007-en
behavioral25   myxaha.exe                            win7-20240903-en
behavioral26   myxaha.exe                            win10v2004-20241007-en
behavioral27   $LOCALAPPDATA/ConduitInstaller.exe    win7-20240729-en
behavioral28   $LOCALAPPDATA/ConduitInstaller.exe    win10v2004-20241007-en
behavioral29   $PLUGINSDIR/LangDLL.dll               win7-20241010-en
behavioral30   $PLUGINSDIR/LangDLL.dll               win10v2004-20241007-en
behavioral31   $PLUGINSDIR/System.dll                win7-20241023-en
behavioral32   $PLUGINSDIR/System.dll                win10v2004-20241007-en
General
Target: erebus.exe
Size: 1.2MB
MD5: 0ced87772881b63caf95f1d828ba40c5
SHA1: 6e5fca51a018272d1b1003b16dce6ee9e836908c
SHA256: ed3a685ca65de70b79faf95bbd94c343e73a150e83184f67e0bdb35b11d05791
SHA512: 65f3a52930dd560cf27a9a6e7386ae1bba22d663a1112b44fa1db043bd0b980f7dcb1d5fe21b873bb93db69c5c4d0b3c7dcf13ea110836970454b56dc16e57bb
SSDEEP: 24576:DxIWmj1GwuqWt6GoXrxv7EJoD7p1YQzA+GdctrOvpk5P4TB5tP9P6F:Dnqqo5PzA+Gda4TB5tFP6F
Malware Config
Signatures
- Deletes shadow copies (3 TTPs)
  Ransomware often targets backup files to inhibit system recovery.

- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

- System Location Discovery: System Language Discovery (1 TTPs, 19 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description   ioc                                                          Process
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  findstr.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  WMIC.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  WMIC.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  findstr.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  WMIC.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  findstr.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  erebus.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  vssadmin.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  WMIC.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  findstr.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  WMIC.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  findstr.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  WMIC.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  findstr.exe

- Interacts with shadow copies (3 TTPs, 1 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  pid    Process
  2832   vssadmin.exe

- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  The 64 token entries (description "Token: <privilege>", pid, Process) fall into four consecutive groups, listed in report order:
  Entries 1-20, pid 2636, WMIC.exe: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
  Entries 21-23, pid 1976, vssvc.exe: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
  Entries 24-43, pid 2636, WMIC.exe: the same 20 tokens as entries 1-20, in the same order
  Entries 44-64, pid 2768, WMIC.exe: the same 20 tokens as entries 1-20, in the same order, followed by SeIncreaseQuotaPrivilege once more

- Suspicious use of WriteProcessMemory (64 IoCs)
  Each entry reads "PID <pid> wrote to memory of <procid_target>"; every pair below appears four times in the report (16 distinct pairs, 64 entries).
  pid    Process      procid_target   occurrences
  2316   erebus.exe   3040            4
  2316   erebus.exe   3052            4
  3040   cmd.exe      2832            4
  3052   cmd.exe      2636            4
  3052   cmd.exe      1932            4
  2316   erebus.exe   2708            4
  2708   cmd.exe      2768            4
  2708   cmd.exe      2780            4
  2316   erebus.exe   2120            4
  2120   cmd.exe      2252            4
  2120   cmd.exe      2924            4
  2316   erebus.exe   2732            4
  2732   cmd.exe      2788            4
  2732   cmd.exe      2848            4
  2732   cmd.exe      2592            4
  2732   cmd.exe      2196            4

- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes (indentation shows the process tree depth; each entry gives the image path, the command line, the PID and the signatures that fired on it)

C:\Users\Admin\AppData\Local\Temp\erebus.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\erebus.exe"
  PID: 2316
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet && exit
    PID: 3040
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\vssadmin.exe
      Command line: vssadmin delete shadows /all /quiet
      PID: 2832
      - System Location Discovery: System Language Discovery
      - Interacts with shadow copies

  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C wmic logicaldisk where drivetype=2 get deviceid | findstr . > %tmp%\y
    PID: 3052
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\Wbem\WMIC.exe
      Command line: wmic logicaldisk where drivetype=2 get deviceid
      PID: 2636
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\findstr.exe
      Command line: findstr .
      PID: 1932
      - System Location Discovery: System Language Discovery

  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C wmic logicaldisk where drivetype=3 get deviceid | findstr . > %tmp%\y
    PID: 2708
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\Wbem\WMIC.exe
      Command line: wmic logicaldisk where drivetype=3 get deviceid
      PID: 2768
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\findstr.exe
      Command line: findstr .
      PID: 2780
      - System Location Discovery: System Language Discovery

  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C wmic logicaldisk where drivetype=4 get deviceid | findstr . > %tmp%\y
    PID: 2120
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\Wbem\WMIC.exe
      Command line: wmic logicaldisk where drivetype=4 get deviceid
      PID: 2252
      - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\findstr.exe
      Command line: findstr .
      PID: 2924
      - System Location Discovery: System Language Discovery

  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C wmic path win32_physicalmedia get SerialNumber | findstr . > %tmp%\y && wmic cpu get ProcessorId | findstr . >> %tmp%\y && wmic path win32_BASEBOARD get Product | findstr . >> %tmp%\y
    PID: 2732
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\Wbem\WMIC.exe
      Command line: wmic path win32_physicalmedia get SerialNumber
      PID: 2788
      - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\findstr.exe
      Command line: findstr .
      PID: 2848
      - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\Wbem\WMIC.exe
      Command line: wmic cpu get ProcessorId
      PID: 2592
      - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\findstr.exe
      Command line: findstr .
      PID: 2196
      - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\Wbem\WMIC.exe
      Command line: wmic path win32_BASEBOARD get Product
      PID: 2908
      - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\findstr.exe
      Command line: findstr .
      PID: 2980
      - System Location Discovery: System Language Discovery

C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 1976
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 83B
  MD5: 2eb57bdf6a06a0ae1c94be074c36ae4a
  SHA1: c266d85ec38e4aa641b418f3d09eaf8fd7e5fa0e
  SHA256: e87fd8770e76b587a33330aacd9697b00e6f4baccfa4251a8b8fd1cd6e5c7f79
  SHA512: 44e1817c0add3b30eebc98e54629464b4cb2a6ba8db404428bbc0414abc3121c06fd7356de3357d8fef2e77831900f1000fa84f6f511878fb84dc8cea1f24046
- Filesize: 39B
  MD5: 730a1c06f8273df68828bbebb3e1fab0
  SHA1: 1c269bdd515ca992df2c07c2b4c0eda26f1a6c91
  SHA256: da51411ba8d69f112382c4ada4c02ad9e5ab3fcececca4bd50bb11122e473679
  SHA512: 1d56e0d3704d75dff9f20347ff3e712c114a1d9e5383e6356a71a9705dd4a3bb311c174c6d026cc60707abc56f7bfda011293a8dbd7f79a299fb712d3ad33f30