Overview
overview
10Static
static
10Tear.exe
windows7-x64
10Tear.exe
windows10-2004-x64
10adochi.exe
windows7-x64
7adochi.exe
windows10-2004-x64
7autoit.exe
windows7-x64
10autoit.exe
windows10-2004-x64
6autoit2.exe
windows7-x64
10autoit2.exe
windows10-2004-x64
10autoit3.exe
windows7-x64
10autoit3.exe
windows10-2004-x64
10deviation.exe
windows7-x64
8deviation.exe
windows10-2004-x64
8encoder.exe
windows7-x64
10encoder.exe
windows10-2004-x64
10encoder2.exe
windows7-x64
9encoder2.exe
windows10-2004-x64
encoder3.exe
windows7-x64
10encoder3.exe
windows10-2004-x64
10encoder4.exe
windows7-x64
5encoder4.exe
windows10-2004-x64
5encoder5.exe
windows7-x64
10encoder5.exe
windows10-2004-x64
10erebus.exe
windows7-x64
9erebus.exe
windows10-2004-x64
7myxaha.exe
windows7-x64
7myxaha.exe
windows10-2004-x64
7$LOCALAPPD...er.exe
windows7-x64
7$LOCALAPPD...er.exe
windows10-2004-x64
7$PLUGINSDI...LL.dll
windows7-x64
3$PLUGINSDI...LL.dll
windows10-2004-x64
3$PLUGINSDI...em.dll
windows7-x64
3$PLUGINSDI...em.dll
windows10-2004-x64
3Analysis
-
max time kernel
91s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
20-11-2024 00:24
Behavioral task
behavioral1
Sample
Tear.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral2
Sample
Tear.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
adochi.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral4
Sample
adochi.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
autoit.exe
Resource
win7-20241010-en
windows7-x64
Behavioral task
behavioral6
Sample
autoit.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
autoit2.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral8
Sample
autoit2.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
autoit3.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral10
Sample
autoit3.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
deviation.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral12
Sample
deviation.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
encoder.exe
Resource
win7-20240729-en
windows7-x64
Behavioral task
behavioral14
Sample
encoder.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
encoder2.exe
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral16
Sample
encoder2.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral17
Sample
encoder3.exe
Resource
win7-20241010-en
windows7-x64
Behavioral task
behavioral18
Sample
encoder3.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral19
Sample
encoder4.exe
Resource
win7-20241010-en
windows7-x64
Behavioral task
behavioral20
Sample
encoder4.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral21
Sample
encoder5.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral22
Sample
encoder5.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral23
Sample
erebus.exe
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral24
Sample
erebus.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral25
Sample
myxaha.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral26
Sample
myxaha.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral27
Sample
$LOCALAPPDATA/ConduitInstaller.exe
Resource
win7-20240729-en
windows7-x64
Behavioral task
behavioral28
Sample
$LOCALAPPDATA/ConduitInstaller.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral29
Sample
$PLUGINSDIR/LangDLL.dll
Resource
win7-20241010-en
windows7-x64
Behavioral task
behavioral30
Sample
$PLUGINSDIR/LangDLL.dll
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral31
Sample
$PLUGINSDIR/System.dll
Resource
win7-20241023-en
windows7-x64
Behavioral task
behavioral32
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20241007-en
windows10-2004-x64
General
-
Target
erebus.exe
-
Size
1.2MB
-
MD5
0ced87772881b63caf95f1d828ba40c5
-
SHA1
6e5fca51a018272d1b1003b16dce6ee9e836908c
-
SHA256
ed3a685ca65de70b79faf95bbd94c343e73a150e83184f67e0bdb35b11d05791
-
SHA512
65f3a52930dd560cf27a9a6e7386ae1bba22d663a1112b44fa1db043bd0b980f7dcb1d5fe21b873bb93db69c5c4d0b3c7dcf13ea110836970454b56dc16e57bb
-
SSDEEP
24576:DxIWmj1GwuqWt6GoXrxv7EJoD7p1YQzA+GdctrOvpk5P4TB5tP9P6F:Dnqqo5PzA+Gda4TB5tFP6F
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation erebus.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid pid_target Process procid_target 5048 4324 WerFault.exe 82 -
System Location Discovery: System Language Discovery 1 TTPs 11 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WMIC.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language findstr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language findstr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WMIC.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language findstr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WMIC.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language erebus.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeIncreaseQuotaPrivilege 3168 WMIC.exe Token: SeSecurityPrivilege 3168 WMIC.exe Token: SeTakeOwnershipPrivilege 3168 WMIC.exe Token: SeLoadDriverPrivilege 3168 WMIC.exe Token: SeSystemProfilePrivilege 3168 WMIC.exe Token: SeSystemtimePrivilege 3168 WMIC.exe Token: SeProfSingleProcessPrivilege 3168 WMIC.exe Token: SeIncBasePriorityPrivilege 3168 WMIC.exe Token: SeCreatePagefilePrivilege 3168 WMIC.exe Token: SeBackupPrivilege 3168 WMIC.exe Token: SeRestorePrivilege 3168 WMIC.exe Token: SeShutdownPrivilege 3168 WMIC.exe Token: SeDebugPrivilege 3168 WMIC.exe Token: SeSystemEnvironmentPrivilege 3168 WMIC.exe Token: SeRemoteShutdownPrivilege 3168 WMIC.exe Token: SeUndockPrivilege 3168 WMIC.exe Token: SeManageVolumePrivilege 3168 WMIC.exe Token: 33 3168 WMIC.exe Token: 34 3168 WMIC.exe Token: 35 3168 WMIC.exe Token: 36 3168 WMIC.exe Token: SeIncreaseQuotaPrivilege 3168 WMIC.exe Token: SeSecurityPrivilege 3168 WMIC.exe Token: SeTakeOwnershipPrivilege 3168 WMIC.exe Token: SeLoadDriverPrivilege 3168 WMIC.exe Token: SeSystemProfilePrivilege 3168 WMIC.exe Token: SeSystemtimePrivilege 3168 WMIC.exe Token: SeProfSingleProcessPrivilege 3168 WMIC.exe Token: SeIncBasePriorityPrivilege 3168 WMIC.exe Token: SeCreatePagefilePrivilege 3168 WMIC.exe Token: SeBackupPrivilege 3168 WMIC.exe Token: SeRestorePrivilege 3168 WMIC.exe Token: SeShutdownPrivilege 3168 WMIC.exe Token: SeDebugPrivilege 3168 WMIC.exe Token: SeSystemEnvironmentPrivilege 3168 WMIC.exe Token: SeRemoteShutdownPrivilege 3168 WMIC.exe Token: SeUndockPrivilege 3168 WMIC.exe Token: SeManageVolumePrivilege 3168 WMIC.exe Token: 33 3168 WMIC.exe Token: 34 3168 WMIC.exe Token: 35 3168 WMIC.exe Token: 36 3168 WMIC.exe Token: SeIncreaseQuotaPrivilege 1624 WMIC.exe Token: SeSecurityPrivilege 1624 WMIC.exe Token: SeTakeOwnershipPrivilege 1624 WMIC.exe Token: SeLoadDriverPrivilege 1624 WMIC.exe Token: SeSystemProfilePrivilege 1624 WMIC.exe Token: SeSystemtimePrivilege 1624 WMIC.exe Token: SeProfSingleProcessPrivilege 1624 WMIC.exe Token: SeIncBasePriorityPrivilege 1624 WMIC.exe Token: SeCreatePagefilePrivilege 1624 WMIC.exe Token: SeBackupPrivilege 1624 WMIC.exe Token: SeRestorePrivilege 1624 WMIC.exe Token: SeShutdownPrivilege 1624 WMIC.exe Token: SeDebugPrivilege 1624 WMIC.exe Token: SeSystemEnvironmentPrivilege 1624 WMIC.exe Token: SeRemoteShutdownPrivilege 1624 WMIC.exe Token: SeUndockPrivilege 1624 WMIC.exe Token: SeManageVolumePrivilege 1624 WMIC.exe Token: 33 1624 WMIC.exe Token: 34 1624 WMIC.exe Token: 35 1624 WMIC.exe Token: 36 1624 WMIC.exe Token: SeIncreaseQuotaPrivilege 1624 WMIC.exe -
Suspicious use of WriteProcessMemory 30 IoCs
description pid Process procid_target PID 4324 wrote to memory of 3708 4324 erebus.exe 85 PID 4324 wrote to memory of 3708 4324 erebus.exe 85 PID 4324 wrote to memory of 3708 4324 erebus.exe 85 PID 4324 wrote to memory of 3936 4324 erebus.exe 87 PID 4324 wrote to memory of 3936 4324 erebus.exe 87 PID 4324 wrote to memory of 3936 4324 erebus.exe 87 PID 3936 wrote to memory of 3168 3936 cmd.exe 89 PID 3936 wrote to memory of 3168 3936 cmd.exe 89 PID 3936 wrote to memory of 3168 3936 cmd.exe 89 PID 3936 wrote to memory of 2092 3936 cmd.exe 91 PID 3936 wrote to memory of 2092 3936 cmd.exe 91 PID 3936 wrote to memory of 2092 3936 cmd.exe 91 PID 4324 wrote to memory of 3664 4324 erebus.exe 93 PID 4324 wrote to memory of 3664 4324 erebus.exe 93 PID 4324 wrote to memory of 3664 4324 erebus.exe 93 PID 3664 wrote to memory of 1624 3664 cmd.exe 95 PID 3664 wrote to memory of 1624 3664 cmd.exe 95 PID 3664 wrote to memory of 1624 3664 cmd.exe 95 PID 3664 wrote to memory of 3172 3664 cmd.exe 96 PID 3664 wrote to memory of 3172 3664 cmd.exe 96 PID 3664 wrote to memory of 3172 3664 cmd.exe 96 PID 4324 wrote to memory of 4856 4324 erebus.exe 98 PID 4324 wrote to memory of 4856 4324 erebus.exe 98 PID 4324 wrote to memory of 4856 4324 erebus.exe 98 PID 4856 wrote to memory of 228 4856 cmd.exe 100 PID 4856 wrote to memory of 228 4856 cmd.exe 100 PID 4856 wrote to memory of 228 4856 cmd.exe 100 PID 4856 wrote to memory of 1148 4856 cmd.exe 101 PID 4856 wrote to memory of 1148 4856 cmd.exe 101 PID 4856 wrote to memory of 1148 4856 cmd.exe 101
Processes
-
C:\Users\Admin\AppData\Local\Temp\erebus.exe"C:\Users\Admin\AppData\Local\Temp\erebus.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4324 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet && exit2⤵
- System Location Discovery: System Language Discovery
PID:3708
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C wmic logicaldisk where drivetype=2 get deviceid | findstr . > %tmp%\y2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3936 -
C:\Windows\SysWOW64\Wbem\WMIC.exewmic logicaldisk where drivetype=2 get deviceid3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3168
-
-
C:\Windows\SysWOW64\findstr.exefindstr .3⤵
- System Location Discovery: System Language Discovery
PID:2092
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C wmic logicaldisk where drivetype=3 get deviceid | findstr . > %tmp%\y2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3664 -
C:\Windows\SysWOW64\Wbem\WMIC.exewmic logicaldisk where drivetype=3 get deviceid3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1624
-
-
C:\Windows\SysWOW64\findstr.exefindstr .3⤵
- System Location Discovery: System Language Discovery
PID:3172
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C wmic logicaldisk where drivetype=4 get deviceid | findstr . > %tmp%\y2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4856 -
C:\Windows\SysWOW64\Wbem\WMIC.exewmic logicaldisk where drivetype=4 get deviceid3⤵
- System Location Discovery: System Language Discovery
PID:228
-
-
C:\Windows\SysWOW64\findstr.exefindstr .3⤵
- System Location Discovery: System Language Discovery
PID:1148
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4324 -s 7242⤵
- Program crash
PID:5048
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4324 -ip 43241⤵PID:1596
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
39B
MD5730a1c06f8273df68828bbebb3e1fab0
SHA11c269bdd515ca992df2c07c2b4c0eda26f1a6c91
SHA256da51411ba8d69f112382c4ada4c02ad9e5ab3fcececca4bd50bb11122e473679
SHA5121d56e0d3704d75dff9f20347ff3e712c114a1d9e5383e6356a71a9705dd4a3bb311c174c6d026cc60707abc56f7bfda011293a8dbd7f79a299fb712d3ad33f30