Analysis

  • max time kernel
    139s
  • max time network
    155s
  • platform
    windows7_x64
  • resource
    win7v200430
  • submitted
    18-06-2020 23:20

General

  • Target

    cfd2d6f189b04d42618007fc9c540352.exe

  • Size

    252KB

  • MD5

    cfd2d6f189b04d42618007fc9c540352

  • SHA1

    f8413a21c4179378b2c23a3302ba33505e273430

  • SHA256

    408fd7edadfbdaab161e04afcfc115c464916e99aaba8b036f52c57c3ade49c5

  • SHA512

    5a1917dd23aa02e273ba0fc381961ed7fab4dc70202f62a581b6361c4d34b7ce51b3f3adf61d9dec8ab49b4667573f7755f2a968a836d10d1afbadab598a6cc0

Malware Config

Extracted

Path

\??\c:\_R_E_A_D___T_H_I_S___B1QQT_.txt

Family

cerber

Ransom Note

Hi, I'am CRBR ENCRYPTOR ;)
-----
ALL YOUR DOCUMENTS, PHOTOS, DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED!
-----
The only one way to decrypt your files is to receive the private key and decryption program. To receive the private key and decryption program go to any decrypted folder, inside there is the special file (*_R_E_A_D___T_H_I_S_*) with complete instructions how to decrypt your files. If you cannot find any (*_R_E_A_D___T_H_I_S_*) file at your PC, follow the instructions below:
-----
1. Download "Tor Browser" from https://www.torproject.org/ and install it.
2. In the "Tor Browser" open your personal page here: http://xpcx6erilkjced3j.onion/6060-6F07-2EC7-0446-AF7A
Note! This page is available via "Tor Browser" only.
-----
Also you can use temporary addresses on your personal page without using "Tor Browser".
-----
1. http://xpcx6erilkjced3j.18ey8e.top/6060-6F07-2EC7-0446-AF7A
2. http://xpcx6erilkjced3j.17gcun.top/6060-6F07-2EC7-0446-AF7A
3. http://xpcx6erilkjced3j.1ebjjq.top/6060-6F07-2EC7-0446-AF7A
4. http://xpcx6erilkjced3j.15ezkm.top/6060-6F07-2EC7-0446-AF7A
5. http://xpcx6erilkjced3j.1mfmkz.top/6060-6F07-2EC7-0446-AF7A
-----
Note! These are temporary addresses! They will be available for a limited amount of time!
-----
URLs

http://xpcx6erilkjced3j.onion/6060-6F07-2EC7-0446-AF7A

http://xpcx6erilkjced3j.18ey8e.top/6060-6F07-2EC7-0446-AF7A

http://xpcx6erilkjced3j.17gcun.top/6060-6F07-2EC7-0446-AF7A

http://xpcx6erilkjced3j.1ebjjq.top/6060-6F07-2EC7-0446-AF7A

http://xpcx6erilkjced3j.15ezkm.top/6060-6F07-2EC7-0446-AF7A

http://xpcx6erilkjced3j.1mfmkz.top/6060-6F07-2EC7-0446-AF7A
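
The extracted config above is just the ransom note parsed for its hidden-service URL, the clearnet gateway URLs and the victim ID in their path. The script below is an added example (not part of the sandbox report or of any Cerber tooling) that does that parsing over a constructed copy of this page's note and also checks that every URL agrees on the onion label and victim ID, which is the sanity check you want before pivoting on those values; the regexes for the onion label (16-character v2 address) and the victim ID (five groups of four hex digits) are assumptions derived from this one note.

```python
import re

# Ransom note body as reported on this page, joined into one string the way the
# sandbox shows it (constructed copy for this example; "I'am" is the note's own spelling).
RANSOM_NOTE = (
    "Hi, I'am CRBR ENCRYPTOR ;) ----- ALL YOUR DOCUMENTS, PHOTOS, DATABASES AND OTHER "
    "IMPORTANT FILES HAVE BEEN ENCRYPTED! ----- The only one way to decrypt your files "
    "is to receive the private key and decryption program. To receive the private key "
    "and decryption program go to any decrypted folder, inside there is the special "
    "file (*_R_E_A_D___T_H_I_S_*) with complete instructions how to decrypt your "
    "files. If you cannot find any (*_R_E_A_D___T_H_I_S_*) file at your PC, follow the "
    "instructions below: ----- 1. Download \"Tor Browser\" from "
    "https://www.torproject.org/ and install it. 2. In the \"Tor Browser\" open your "
    "personal page here: http://xpcx6erilkjced3j.onion/6060-6F07-2EC7-0446-AF7A Note! "
    "This page is available via \"Tor Browser\" only. ----- Also you can use temporary "
    "addresses on your personal page without using \"Tor Browser\". ----- "
    "1. http://xpcx6erilkjced3j.18ey8e.top/6060-6F07-2EC7-0446-AF7A "
    "2. http://xpcx6erilkjced3j.17gcun.top/6060-6F07-2EC7-0446-AF7A "
    "3. http://xpcx6erilkjced3j.1ebjjq.top/6060-6F07-2EC7-0446-AF7A "
    "4. http://xpcx6erilkjced3j.15ezkm.top/6060-6F07-2EC7-0446-AF7A "
    "5. http://xpcx6erilkjced3j.1mfmkz.top/6060-6F07-2EC7-0446-AF7A ----- Note! These "
    "are temporary addresses! They will be available for a limited amount of time! -----"
)

# Assumed formats, derived from this note: a v2 onion label is 16 base32 characters,
# and the victim ID is five dash-separated groups of four upper-case hex digits.
ONION_LABEL = r"[a-z2-7]{16}"
VICTIM_ID = r"[0-9A-F]{4}(?:-[0-9A-F]{4}){4}"

ONION_URL_RE = re.compile(rf"https?://({ONION_LABEL})\.onion/({VICTIM_ID})")
# Clearnet gateway form seen in the note: <onion label>.<short label>.top/<victim id>
GATEWAY_URL_RE = re.compile(rf"https?://({ONION_LABEL})\.([a-z0-9]+\.top)/({VICTIM_ID})")


def extract_cerber_config(note):
    """Return the personal-page URLs and victim ID from a Cerber ransom note.

    'consistent' is False when the gateway URLs disagree with the .onion URL on
    the onion label or the victim ID, which indicates a garbled or tampered note
    rather than a set of mirrors for one hidden service.
    """
    onion_hits = ONION_URL_RE.findall(note)
    gateway_hits = GATEWAY_URL_RE.findall(note)
    if not onion_hits:
        raise ValueError("no .onion personal page found; not a Cerber note?")
    label, victim_id = onion_hits[0]
    labels = {label} | {g[0] for g in gateway_hits}
    ids = {victim_id} | {g[2] for g in gateway_hits}
    return {
        "family": "cerber",
        "victim_id": victim_id,
        "onion": f"http://{label}.onion/{victim_id}",
        "gateways": [f"http://{g[0]}.{g[1]}/{g[2]}" for g in gateway_hits],
        # Hostnames to feed a DNS or proxy blocklist (onion label plus gateway domain).
        "hosts": sorted({f"{g[0]}.{g[1]}" for g in gateway_hits}),
        "consistent": len(labels) == 1 and len(ids) == 1,
    }


if __name__ == "__main__":
    for key, value in extract_cerber_config(RANSOM_NOTE).items():
        print(f"{key}: {value}")
```

The gateway hostnames share the onion label because they are Tor2Web-style front ends for the same hidden service; the victim ID is what ties this sample to a specific infection, so a note whose URLs disagree on either value should be treated as unreliable rather than blocklisted blindly.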

Signatures

  • Suspicious use of WriteProcessMemory 28 IoCs
  • Blacklisted process makes network request 7 IoCs
  • Modifies system certificate store 2 TTPs 3 IoCs
  • Drops startup file 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Modifies Windows Firewall 1 TTPs
  • Kills process with taskkill 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Drops file in Program Files directory 20 IoCs
  • Drops file in Windows directory 77 IoCs
  • Drops file in System32 directory 38 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Cerber

    Cerber is a widely used ransomware-as-a-service (RaaS), first seen in early 2016.

  • Modifies service 2 TTPs 10 IoCs
  • Enumerates connected drives 3 TTPs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cfd2d6f189b04d42618007fc9c540352.exe
    "C:\Users\Admin\AppData\Local\Temp\cfd2d6f189b04d42618007fc9c540352.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    • Drops startup file
    • Suspicious use of AdjustPrivilegeToken
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Drops file in System32 directory
    • Sets desktop wallpaper using registry
    PID:1492
    • C:\Windows\SysWOW64\netsh.exe
      C:\Windows\system32\netsh.exe advfirewall set allprofiles state on
      2⤵
      • Modifies service
      PID:1252
    • C:\Windows\SysWOW64\netsh.exe
      C:\Windows\system32\netsh.exe advfirewall reset
      2⤵
      • Modifies service
      PID:1848
    • C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___WZKRT2SJ_.hta"
      2⤵
      • Blacklisted process makes network request
      • Modifies system certificate store
      • Modifies Internet Explorer settings
      PID:1384
    • C:\Windows\SysWOW64\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___YRBU_.txt
      2⤵
      • Opens file in notepad (likely ransom note)
      PID:1652
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /d /c taskkill /f /im "c" > NUL & ping -n 1 127.0.0.1 > NUL & del "C" > NUL && exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1616
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im "c"
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1572
      • C:\Windows\SysWOW64\PING.EXE
        ping -n 1 127.0.0.1
        3⤵
        • Runs ping.exe
        PID:2004
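
The process tree above is the part of this report that translates most directly into detection: the dropper spawns netsh to reset the firewall, mshta and notepad to display the ransom note, and a cmd chain (taskkill, ping as a delay, del) to remove itself. The script below is an added example (not from the sandbox or any vendor rule set) that encodes those four behaviours as image/command-line rules, runs them over process-creation events transcribed from the tree above, and attributes every hit to the root of its process tree so that the verdict is per dropper rather than per child. The event field names, the parent PID of the root process and the three-rule threshold are assumptions of the example.

```python
import re

# Constructed process-creation events transcribed from the process tree in this
# report (PIDs and command lines as reported; the field layout and the root's
# ppid of 0 are assumptions of this example).
EVENTS = [
    {"pid": 1492, "ppid": 0,
     "image": r"C:\Users\Admin\AppData\Local\Temp\cfd2d6f189b04d42618007fc9c540352.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\cfd2d6f189b04d42618007fc9c540352.exe"'},
    {"pid": 1252, "ppid": 1492, "image": r"C:\Windows\SysWOW64\netsh.exe",
     "cmdline": r"C:\Windows\system32\netsh.exe advfirewall set allprofiles state on"},
    {"pid": 1848, "ppid": 1492, "image": r"C:\Windows\SysWOW64\netsh.exe",
     "cmdline": r"C:\Windows\system32\netsh.exe advfirewall reset"},
    {"pid": 1384, "ppid": 1492, "image": r"C:\Windows\SysWOW64\mshta.exe",
     "cmdline": r'"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___WZKRT2SJ_.hta"'},
    {"pid": 1652, "ppid": 1492, "image": r"C:\Windows\SysWOW64\NOTEPAD.EXE",
     "cmdline": r'"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___YRBU_.txt'},
    {"pid": 1616, "ppid": 1492, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\system32\cmd.exe" /d /c taskkill /f /im "c" > NUL & ping -n 1 127.0.0.1 > NUL & del "C" > NUL && exit'},
    {"pid": 1572, "ppid": 1616, "image": r"C:\Windows\SysWOW64\taskkill.exe",
     "cmdline": r'taskkill /f /im "c"'},
    {"pid": 2004, "ppid": 1616, "image": r"C:\Windows\SysWOW64\PING.EXE",
     "cmdline": r"ping -n 1 127.0.0.1"},
]

# rule name -> (regex on the image path, regex on the command line); matched case-insensitively.
RULES = {
    "firewall_reset_via_netsh": (
        r"\\netsh\.exe$", r"advfirewall\s+(reset|set\s+allprofiles\s+state)"),
    "ransom_note_hta_via_mshta": (
        r"\\mshta\.exe$", r"_R_E_A_D___T_H_I_S_.*\.hta"),
    "ransom_note_opened_in_notepad": (
        r"\\notepad\.exe$", r"_R_E_A_D___T_H_I_S_.*\.txt"),
    "self_delete_taskkill_ping_del": (
        r"\\cmd\.exe$",
        r"taskkill\s+/f\s+/im\s+.*&\s*ping\s+-n\s+\d+\s+127\.0\.0\.1.*&\s*del\s+"),
}


def root_of(pid, parent_of):
    """Walk ppid links up to the first process whose parent is not in the event set."""
    seen = set()
    while pid in parent_of and parent_of[pid] in parent_of and pid not in seen:
        seen.add(pid)  # guards against PID reuse producing a cycle
        pid = parent_of[pid]
    return pid


def detect(events):
    """Return one hit per (event, rule) match, tagged with the root PID of its tree."""
    parent_of = {e["pid"]: e["ppid"] for e in events}
    hits = []
    for e in events:
        for name, (image_re, cmd_re) in RULES.items():
            if re.search(image_re, e["image"], re.I) and re.search(cmd_re, e["cmdline"], re.I):
                hits.append({"rule": name, "pid": e["pid"],
                             "root_pid": root_of(e["pid"], parent_of)})
    return hits


def verdict(events, min_rules=3):
    """Group hits by root process; a tree that trips at least min_rules distinct
    rules is flagged as Cerber-like ransomware behaviour (threshold is an assumption)."""
    by_root = {}
    for h in detect(events):
        by_root.setdefault(h["root_pid"], set()).add(h["rule"])
    return {root: sorted(rules) for root, rules in by_root.items() if len(rules) >= min_rules}


if __name__ == "__main__":
    for hit in detect(EVENTS):
        print(hit)
    print(verdict(EVENTS))
```

Each rule on its own is noisy (administrators run `netsh advfirewall reset`, and notepad opens text files all day), which is why the verdict keys on several distinct behaviours under one root process; the taskkill/ping/del chain is the strongest single signal, since the ping to 127.0.0.1 exists only to stall until the parent has exited so the file can be deleted.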

Network

MITRE ATT&CK Enterprise v6
