Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    20-11-2024 00:24

General

  • Target

    erebus.exe

  • Size

    1.2MB

  • MD5

    0ced87772881b63caf95f1d828ba40c5

  • SHA1

    6e5fca51a018272d1b1003b16dce6ee9e836908c

  • SHA256

    ed3a685ca65de70b79faf95bbd94c343e73a150e83184f67e0bdb35b11d05791

  • SHA512

    65f3a52930dd560cf27a9a6e7386ae1bba22d663a1112b44fa1db043bd0b980f7dcb1d5fe21b873bb93db69c5c4d0b3c7dcf13ea110836970454b56dc16e57bb

  • SSDEEP

    24576:DxIWmj1GwuqWt6GoXrxv7EJoD7p1YQzA+GdctrOvpk5P4TB5tP9P6F:Dnqqo5PzA+Gda4TB5tFP6F

Malware Config

Signatures

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Interacts with shadow copies 3 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\erebus.exe
    "C:\Users\Admin\AppData\Local\Temp\erebus.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2316
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet && exit
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3040
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin delete shadows /all /quiet
        3⤵
        • System Location Discovery: System Language Discovery
        • Interacts with shadow copies
        PID:2832
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C wmic logicaldisk where drivetype=2 get deviceid | findstr . > %tmp%\y
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3052
      • C:\Windows\SysWOW64\Wbem\WMIC.exe
        wmic logicaldisk where drivetype=2 get deviceid
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:2636
      • C:\Windows\SysWOW64\findstr.exe
        findstr .
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1932
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C wmic logicaldisk where drivetype=3 get deviceid | findstr . > %tmp%\y
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2708
      • C:\Windows\SysWOW64\Wbem\WMIC.exe
        wmic logicaldisk where drivetype=3 get deviceid
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:2768
      • C:\Windows\SysWOW64\findstr.exe
        findstr .
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2780
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C wmic logicaldisk where drivetype=4 get deviceid | findstr . > %tmp%\y
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2120
      • C:\Windows\SysWOW64\Wbem\WMIC.exe
        wmic logicaldisk where drivetype=4 get deviceid
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2252
      • C:\Windows\SysWOW64\findstr.exe
        findstr .
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2924
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C wmic path win32_physicalmedia get SerialNumber | findstr . > %tmp%\y && wmic cpu get ProcessorId | findstr . >> %tmp%\y && wmic path win32_BASEBOARD get Product | findstr . >> %tmp%\y
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2732
      • C:\Windows\SysWOW64\Wbem\WMIC.exe
        wmic path win32_physicalmedia get SerialNumber
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2788
      • C:\Windows\SysWOW64\findstr.exe
        findstr .
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2848
      • C:\Windows\SysWOW64\Wbem\WMIC.exe
        wmic cpu get ProcessorId
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2592
      • C:\Windows\SysWOW64\findstr.exe
        findstr .
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2196
      • C:\Windows\SysWOW64\Wbem\WMIC.exe
        wmic path win32_BASEBOARD get Product
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2908
      • C:\Windows\SysWOW64\findstr.exe
        findstr .
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2980
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1976

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\y

    Filesize

    83B

    MD5

    2eb57bdf6a06a0ae1c94be074c36ae4a

    SHA1

    c266d85ec38e4aa641b418f3d09eaf8fd7e5fa0e

    SHA256

    e87fd8770e76b587a33330aacd9697b00e6f4baccfa4251a8b8fd1cd6e5c7f79

    SHA512

    44e1817c0add3b30eebc98e54629464b4cb2a6ba8db404428bbc0414abc3121c06fd7356de3357d8fef2e77831900f1000fa84f6f511878fb84dc8cea1f24046

  • C:\Users\Admin\AppData\Local\Temp\y

    Filesize

    39B

    MD5

    730a1c06f8273df68828bbebb3e1fab0

    SHA1

    1c269bdd515ca992df2c07c2b4c0eda26f1a6c91

    SHA256

    da51411ba8d69f112382c4ada4c02ad9e5ab3fcececca4bd50bb11122e473679

    SHA512

    1d56e0d3704d75dff9f20347ff3e712c114a1d9e5383e6356a71a9705dd4a3bb311c174c6d026cc60707abc56f7bfda011293a8dbd7f79a299fb712d3ad33f30