Analysis

  • max time kernel
    118s
  • max time network
    122s
  • platform
    windows10_x64
  • resource
    win10
  • submitted
    18-06-2020 23:20

General

  • Target

    cfd2d6f189b04d42618007fc9c540352.exe

  • Size

    252KB

  • MD5

    cfd2d6f189b04d42618007fc9c540352

  • SHA1

    f8413a21c4179378b2c23a3302ba33505e273430

  • SHA256

    408fd7edadfbdaab161e04afcfc115c464916e99aaba8b036f52c57c3ade49c5

  • SHA512

    5a1917dd23aa02e273ba0fc381961ed7fab4dc70202f62a581b6361c4d34b7ce51b3f3adf61d9dec8ab49b4667573f7755f2a968a836d10d1afbadab598a6cc0

Malware Config

Extracted

Path

\??\c:\_R_E_A_D___T_H_I_S___GMBN0QUJ_.txt

Family

cerber

Ransom Note
Hi, I'am CRBR ENCRYPTOR ;) ----- ALL YOUR DOCUMENTS, PHOTOS, DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED! ----- The only one way to decrypt your files is to receive the private key and decryption program. To receive the private key and decryption program go to any decrypted folder, inside there is the special file (*_R_E_A_D___T_H_I_S_*) with complete instructions how to decrypt your files. If you cannot find any (*_R_E_A_D___T_H_I_S_*) file at your PC, follow the instructions below: ----- 1. Download "Tor Browser" from https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your personal page here: http://xpcx6erilkjced3j.onion/7D55-E5DE-1676-0446-A3F4 Note! This page is available via "Tor Browser" only. ----- Also you can use temporary addresses on your personal page without using "Tor Browser". ----- 1. http://xpcx6erilkjced3j.18ey8e.top/7D55-E5DE-1676-0446-A3F4 2. http://xpcx6erilkjced3j.17gcun.top/7D55-E5DE-1676-0446-A3F4 3. http://xpcx6erilkjced3j.1ebjjq.top/7D55-E5DE-1676-0446-A3F4 4. http://xpcx6erilkjced3j.15ezkm.top/7D55-E5DE-1676-0446-A3F4 5. http://xpcx6erilkjced3j.1mfmkz.top/7D55-E5DE-1676-0446-A3F4 ----- Note! These are temporary addresses! They will be available for a limited amount of time! -----
URLs

http://xpcx6erilkjced3j.onion/7D55-E5DE-1676-0446-A3F4

http://xpcx6erilkjced3j.18ey8e.top/7D55-E5DE-1676-0446-A3F4

http://xpcx6erilkjced3j.17gcun.top/7D55-E5DE-1676-0446-A3F4

http://xpcx6erilkjced3j.1ebjjq.top/7D55-E5DE-1676-0446-A3F4

http://xpcx6erilkjced3j.15ezkm.top/7D55-E5DE-1676-0446-A3F4

http://xpcx6erilkjced3j.1mfmkz.top/7D55-E5DE-1676-0446-A3F4

Signatures

  • Blacklisted process makes network request 8 IoCs
  • Drops file in System32 directory 38 IoCs
  • Modifies registry class 1 IoCs
  • Enumerates connected drives 3 TTPs
  • Drops file in Program Files directory 20 IoCs
  • Drops startup file 1 IoCs
  • Cerber

    Cerber is a widely used ransomware-as-a-service (RaaS), first seen in early 2016. This sample shows the usual Cerber chain: it drops `_R_E_A_D___T_H_I_S___<id>_` ransom notes (.txt and .hta), resets the Windows Firewall with netsh, opens the notes with mshta.exe and notepad.exe, and then removes itself via a cmd.exe taskkill/ping/del sequence.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Kills process with taskkill 1 IoCs
  • Modifies Windows Firewall 1 TTPs
  • Drops file in Windows directory 77 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cfd2d6f189b04d42618007fc9c540352.exe
    "C:\Users\Admin\AppData\Local\Temp\cfd2d6f189b04d42618007fc9c540352.exe"
    1⤵
    • Drops file in System32 directory
    • Modifies registry class
    • Drops file in Program Files directory
    • Drops startup file
    • Sets desktop wallpaper using registry
    • Suspicious use of WriteProcessMemory
    • Suspicious use of AdjustPrivilegeToken
    • Drops file in Windows directory
    PID:3920
    • C:\Windows\SysWOW64\netsh.exe
      C:\Windows\system32\netsh.exe advfirewall set allprofiles state on
      2⤵
      PID:3972
    • C:\Windows\SysWOW64\netsh.exe
      C:\Windows\system32\netsh.exe advfirewall reset
      2⤵
      PID:4048
    • C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___J0LBLG_.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
      2⤵
      • Blacklisted process makes network request
      PID:3840
    • C:\Windows\SysWOW64\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___OJ3YZ_.txt
      2⤵
      • Opens file in notepad (likely ransom note)
      PID:2068
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /d /c taskkill /f /im "c" > NUL & ping -n 1 127.0.0.1 > NUL & del "C" > NUL && exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3516
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im "c"
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        • Kills process with taskkill
        PID:3376
      • C:\Windows\SysWOW64\PING.EXE
        ping -n 1 127.0.0.1
        3⤵
        • Runs ping.exe
        PID:1308
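The process tree above is the part of this report that converts directly into detection logic: a netsh advfirewall reset/set launched from a binary in a user's Temp directory, mshta.exe or notepad.exe opening a `_R_E_A_D___T_H_I_S___<id>_` note, and the cmd.exe self-deletion chain that uses `ping -n 1 127.0.0.1` as a sleep before `del`. The following Python is an added example, not code from the sandbox report, from Hatching Triage, or from the Cerber sample. It runs the three checks over constructed Sysmon Event ID 1 style process-creation records that mirror the tree above (PIDs and command lines copied from the report, plus an assumed benign control of an administrator resetting the firewall from cmd.exe), then rolls the hits up to their common parent. The record field names, the tag strings and the benign control events are assumptions for the example.

```python
"""Added example: Cerber-style behaviour detection over constructed
Sysmon-like process-creation records.  Not code from the sandbox report,
Hatching Triage or the Cerber sample; field names and the benign control
events are assumptions."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Ransom-note file name as dropped by this sample: _R_E_A_D___T_H_I_S___<id>_.hta|txt
RANSOM_NOTE_RE = re.compile(r"_R_E_A_D___T_H_I_S___[A-Z0-9]+_\.(?:hta|txt)\b", re.I)
# netsh advfirewall reset  /  netsh advfirewall set <profile> state on|off
FIREWALL_RE = re.compile(r"\badvfirewall\s+(?:reset|set\s+\w+\s+state)\b", re.I)
# cmd /c taskkill ... & ping -n N 127.0.0.1 ... & del ...   (ping is only a delay)
SELF_DELETE_RE = re.compile(
    r"taskkill\s+/f\s+/im\s+.+?&\s*ping\s+-n\s+\d+\s+127\.0\.0\.1.*?&\s*del\b", re.I)


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the new process (Sysmon "Image"); assumed field name
    cmdline: str    # Sysmon "CommandLine"; assumed field name


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_cerber_note_name(path: str) -> bool:
    """True when a dropped file's name matches the note pattern seen in the report."""
    return RANSOM_NOTE_RE.fullmatch(basename(path)) is not None


def detect(events):
    """Return (pid, tag) pairs for the three behaviours from the process tree."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        name = basename(e.image)
        parent = by_pid.get(e.ppid)
        if name == "netsh.exe" and FIREWALL_RE.search(e.cmdline):
            # Admins run this from cmd/powershell/mmc; a parent that lives in a
            # user's Temp directory, or that we never saw start, is the anomaly.
            if parent is None or "\\temp\\" in parent.image.lower():
                findings.append((e.pid, "netsh_firewall_tamper"))
        if name in ("mshta.exe", "notepad.exe") and RANSOM_NOTE_RE.search(e.cmdline):
            findings.append((e.pid, "ransom_note_opened"))
        if name == "cmd.exe" and SELF_DELETE_RE.search(e.cmdline):
            findings.append((e.pid, "self_delete_chain"))
    return findings


def suspect_roots(events, findings, min_tags=2):
    """Roll the findings up to the parent process.  A parent showing at least
    min_tags distinct behaviours is reported as the likely ransomware process."""
    by_pid = {e.pid: e for e in events}
    tags = defaultdict(set)
    for pid, tag in findings:
        tags[by_pid[pid].ppid].add(tag)
    return {ppid: sorted(t) for ppid, t in tags.items() if len(t) >= min_tags}


# Constructed records mirroring the report's process tree (PIDs and command
# lines from the report; the parent PID of the sample and the two benign
# control events at the end are assumed).
SAMPLE_EVENTS = [
    ProcEvent(3920, 1234, r"C:\Users\Admin\AppData\Local\Temp\cfd2d6f189b04d42618007fc9c540352.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\cfd2d6f189b04d42618007fc9c540352.exe"'),
    ProcEvent(3972, 3920, r"C:\Windows\SysWOW64\netsh.exe",
              r"C:\Windows\system32\netsh.exe advfirewall set allprofiles state on"),
    ProcEvent(4048, 3920, r"C:\Windows\SysWOW64\netsh.exe",
              r"C:\Windows\system32\netsh.exe advfirewall reset"),
    ProcEvent(3840, 3920, r"C:\Windows\SysWOW64\mshta.exe",
              r'"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___J0LBLG_.hta" '
              r'{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}'),
    ProcEvent(2068, 3920, r"C:\Windows\SysWOW64\NOTEPAD.EXE",
              r'"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___OJ3YZ_.txt'),
    ProcEvent(3516, 3920, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\system32\cmd.exe" /d /c taskkill /f /im "c" > NUL & ping -n 1 127.0.0.1 > NUL & del "C" > NUL && exit'),
    ProcEvent(3376, 3516, r"C:\Windows\SysWOW64\taskkill.exe", r'taskkill /f /im "c"'),
    ProcEvent(1308, 3516, r"C:\Windows\SysWOW64\PING.EXE", r"ping -n 1 127.0.0.1"),
    # benign control (assumed): an administrator resetting the firewall from an elevated cmd
    ProcEvent(5001, 5000, r"C:\Windows\System32\cmd.exe", r'"C:\Windows\System32\cmd.exe"'),
    ProcEvent(5002, 5001, r"C:\Windows\System32\netsh.exe", r"netsh advfirewall reset"),
]

if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for pid, tag in sorted(hits):
        print(f"pid {pid}: {tag}")
    print("suspect roots:", suspect_roots(SAMPLE_EVENTS, hits))
```

The firewall check deliberately keys on the parent's location rather than on netsh.exe alone, since `advfirewall reset` is a legitimate administrative command; the control event from cmd.exe is not flagged, while both netsh children of the sample in Temp are. The roll-up returns PID 3920 with all three tags, which is the signal to pivot on for the dropped `_R_E_A_D___T_H_I_S___*` files and the wallpaper registry change listed in the Signatures section.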

Network

MITRE ATT&CK Enterprise v6
