cerber | f15a78efd211bae6dd492d449beeb3844bd758a5241cfa48d0fd19dbe766102d

Analysis

max time kernel
93s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
26-01-2025 00:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

perm/serials/AmiSpoof.bat
Size

1KB
MD5

bc8ad04cbe42db4c424cb586c8b012cd
SHA1

60e2c2e59bf363d109edd02d9c2d75eea4176a34
SHA256

6c94f726e939c3c699de60291d6fcb7dcf3b37bc18267db26719d22ed04fedbc
SHA512

ef7a5d971f4147e2b586b2f00bbde3b07f37d54ed168ec649a84b687e07817dd12d1ce62810914f63813c8f51ecd681b35d0e1e8812f024404fa905ab2cac019

Score

10^/10

cerber ransomware

Malware Config

Signatures

Cerber
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
ransomware cerber
Cerber family
cerber

Kills process with taskkill 1 IoCs

defense_evasion

pid	Process
4264	taskkill.exe

Suspicious behavior: LoadsDriver 42 IoCs

pid	Process
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4264	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2208 wrote to memory of 2744	2208	cmd.exe	83
PID 2208 wrote to memory of 2744	2208	cmd.exe	83
PID 2208 wrote to memory of 4948	2208	cmd.exe	84
PID 2208 wrote to memory of 4948	2208	cmd.exe	84
PID 2208 wrote to memory of 1756	2208	cmd.exe	85
PID 2208 wrote to memory of 1756	2208	cmd.exe	85
PID 2208 wrote to memory of 3244	2208	cmd.exe	86
PID 2208 wrote to memory of 3244	2208	cmd.exe	86
PID 2208 wrote to memory of 3872	2208	cmd.exe	87
PID 2208 wrote to memory of 3872	2208	cmd.exe	87
PID 2208 wrote to memory of 4856	2208	cmd.exe	88
PID 2208 wrote to memory of 4856	2208	cmd.exe	88
PID 2208 wrote to memory of 4024	2208	cmd.exe	89
PID 2208 wrote to memory of 4024	2208	cmd.exe	89
PID 2208 wrote to memory of 2516	2208	cmd.exe	90
PID 2208 wrote to memory of 2516	2208	cmd.exe	90
PID 2208 wrote to memory of 2756	2208	cmd.exe	91
PID 2208 wrote to memory of 2756	2208	cmd.exe	91
PID 2208 wrote to memory of 1600	2208	cmd.exe	92
PID 2208 wrote to memory of 1600	2208	cmd.exe	92
PID 2208 wrote to memory of 1788	2208	cmd.exe	93
PID 2208 wrote to memory of 1788	2208	cmd.exe	93
PID 2208 wrote to memory of 1816	2208	cmd.exe	94
PID 2208 wrote to memory of 1816	2208	cmd.exe	94
PID 2208 wrote to memory of 3108	2208	cmd.exe	95
PID 2208 wrote to memory of 3108	2208	cmd.exe	95
PID 2208 wrote to memory of 840	2208	cmd.exe	96
PID 2208 wrote to memory of 840	2208	cmd.exe	96
PID 2208 wrote to memory of 4692	2208	cmd.exe	97
PID 2208 wrote to memory of 4692	2208	cmd.exe	97
PID 2208 wrote to memory of 3716	2208	cmd.exe	98
PID 2208 wrote to memory of 3716	2208	cmd.exe	98
PID 2208 wrote to memory of 4680	2208	cmd.exe	99
PID 2208 wrote to memory of 4680	2208	cmd.exe	99
PID 2208 wrote to memory of 760	2208	cmd.exe	100
PID 2208 wrote to memory of 760	2208	cmd.exe	100
PID 2208 wrote to memory of 2392	2208	cmd.exe	101
PID 2208 wrote to memory of 2392	2208	cmd.exe	101
PID 2208 wrote to memory of 1072	2208	cmd.exe	102
PID 2208 wrote to memory of 1072	2208	cmd.exe	102
PID 2208 wrote to memory of 728	2208	cmd.exe	103
PID 2208 wrote to memory of 728	2208	cmd.exe	103
PID 2208 wrote to memory of 5100	2208	cmd.exe	104
PID 2208 wrote to memory of 5100	2208	cmd.exe	104
PID 2208 wrote to memory of 948	2208	cmd.exe	105
PID 2208 wrote to memory of 948	2208	cmd.exe	105
PID 2208 wrote to memory of 1444	2208	cmd.exe	106
PID 2208 wrote to memory of 1444	2208	cmd.exe	106
PID 2208 wrote to memory of 3560	2208	cmd.exe	107
PID 2208 wrote to memory of 3560	2208	cmd.exe	107
PID 2208 wrote to memory of 208	2208	cmd.exe	108
PID 2208 wrote to memory of 208	2208	cmd.exe	108
PID 2208 wrote to memory of 1760	2208	cmd.exe	109
PID 2208 wrote to memory of 1760	2208	cmd.exe	109
PID 2208 wrote to memory of 2584	2208	cmd.exe	110
PID 2208 wrote to memory of 2584	2208	cmd.exe	110
PID 2208 wrote to memory of 2340	2208	cmd.exe	111
PID 2208 wrote to memory of 2340	2208	cmd.exe	111
PID 2208 wrote to memory of 2956	2208	cmd.exe	112
PID 2208 wrote to memory of 2956	2208	cmd.exe	112
PID 2208 wrote to memory of 220	2208	cmd.exe	113
PID 2208 wrote to memory of 220	2208	cmd.exe	113
PID 2208 wrote to memory of 3448	2208	cmd.exe	114
PID 2208 wrote to memory of 3448	2208	cmd.exe	114

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\perm\serials\AmiSpoof.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2208
- C:\Users\Admin\AppData\Local\Temp\perm\serials\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /IVN "American Megatrends International, LLC."
  2⤵
  PID:2744
- C:\Users\Admin\AppData\Local\Temp\perm\serials\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /SM "ASRock Inc."
  2⤵
  PID:4948
- C:\Users\Admin\AppData\Local\Temp\perm\serials\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /SP "ASRock Inc."
  2⤵
  PID:1756
- C:\Users\Admin\AppData\Local\Temp\perm\serials\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /SV "10"
  2⤵
  PID:3244
- C:\Users\Admin\AppData\Local\Temp\perm\serials\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /SK "SKU"
  2⤵
  PID:3872
- C:\Users\Admin\AppData\Local\Temp\perm\serials\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /ID "10/02/2023"
  2⤵
  PID:4856
- C:\Users\Admin\AppData\Local\Temp\perm\serials\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /SS "To be filled by O.E.M."
  2⤵
  PID:4024
- C:\Users\Admin\AppData\Local\Temp\perm\serials\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /SF "To be filled by O.E.M."
  2⤵
  PID:2516
- C:\Users\Admin\AppData\Local\Temp\perm\serials\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /BT "Default string"
  2⤵
  PID:2756
- C:\Users\Admin\AppData\Local\Temp\perm\serials\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /BLC "Default string"
  2⤵
  PID:1600
- C:\Users\Admin\AppData\Local\Temp\perm\serials\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /BTH 2 "Default string"
  2⤵
  PID:1788
- C:\Users\Admin\AppData\Local\Temp\perm\serials\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /BLCH 2 "Default string"
  2⤵
  PID:1816
- C:\Users\Admin\AppData\Local\Temp\perm\serials\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /CM "Default string"
  2⤵
  PID:3108
- C:\Users\Admin\AppData\Local\Temp\perm\serials\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /CV "Default string"
  2⤵
  PID:840
- C:\Users\Admin\AppData\Local\Temp\perm\serials\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /CA "Default string"
  2⤵
  PID:4692
- C:\Users\Admin\AppData\Local\Temp\perm\serials\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /CSK "Default string"
  2⤵
  PID:3716
- C:\Users\Admin\AppData\Local\Temp\perm\serials\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /CMH 3 "Default string"
  2⤵
  PID:4680
- C:\Users\Admin\AppData\Local\Temp\perm\serials\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /CVH 3 "Default string"
  2⤵
  PID:760
- C:\Users\Admin\AppData\Local\Temp\perm\serials\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /CSH 3 "Default string"
  2⤵
  PID:2392
- C:\Users\Admin\AppData\Local\Temp\perm\serials\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /CAH 3 "Default string"
  2⤵
  PID:1072
- C:\Users\Admin\AppData\Local\Temp\perm\serials\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /CSKH 3 "Default string"
  2⤵
  PID:728
- C:\Users\Admin\AppData\Local\Temp\perm\serials\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /OS 1 "Default string"
  2⤵
  PID:5100
- C:\Users\Admin\AppData\Local\Temp\perm\serials\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /OS 2 "Default string"
  2⤵
  PID:948
- C:\Users\Admin\AppData\Local\Temp\perm\serials\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /OS 3 "Default string"
  2⤵
  PID:1444
- C:\Users\Admin\AppData\Local\Temp\perm\serials\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /OS 4 "Default string"
  2⤵
  PID:3560
- C:\Users\Admin\AppData\Local\Temp\perm\serials\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /OS 5 "Default string"
  2⤵
  PID:208
- C:\Users\Admin\AppData\Local\Temp\perm\serials\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /OS 6 "Default string"
  2⤵
  PID:1760
- C:\Users\Admin\AppData\Local\Temp\perm\serials\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /OS 7 "Default string"
  2⤵
  PID:2584
- C:\Users\Admin\AppData\Local\Temp\perm\serials\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /OS 8 "Default string"
  2⤵
  PID:2340
- C:\Users\Admin\AppData\Local\Temp\perm\serials\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /SCO 1 "Default string"
  2⤵
  PID:2956
- C:\Users\Admin\AppData\Local\Temp\perm\serials\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /SCO 2 "Default string"
  2⤵
  PID:220
- C:\Users\Admin\AppData\Local\Temp\perm\serials\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /SCO 3 "Default string"
  2⤵
  PID:3448
- C:\Users\Admin\AppData\Local\Temp\perm\serials\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /SCO 4 "Default string"
  2⤵
  PID:1920
- C:\Users\Admin\AppData\Local\Temp\perm\serials\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /CS "Default string"
  2⤵
  PID:4152
- C:\Users\Admin\AppData\Local\Temp\perm\serials\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /PAT "To be filled by O.E.M."
  2⤵
  PID:1064
- C:\Users\Admin\AppData\Local\Temp\perm\serials\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /PSN "To be filled by O.E.M."
  2⤵
  PID:3368
- C:\Users\Admin\AppData\Local\Temp\perm\serials\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /PPN "To be filled by O.E.M."
  2⤵
  PID:1264
- C:\Users\Admin\AppData\Local\Temp\perm\serials\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /SU auto
  2⤵
  PID:1052
- C:\Users\Admin\AppData\Local\Temp\perm\serials\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /BSH 2 M80-610215235
  2⤵
  PID:4172
- C:\Users\Admin\AppData\Local\Temp\perm\serials\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /BS M80-610215235
  2⤵
  PID:4636
- C:\Users\Admin\AppData\Local\Temp\perm\serials\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /CM "ASRock Inc."
  2⤵
  PID:552
- C:\Users\Admin\AppData\Local\Temp\perm\serials\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /BM "ASRock Inc."
  2⤵
  PID:3568
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM WmiPrvSE.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4264

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads