General
Target: 0d7d34458f0513ade330aef62cdc0a78
Size: 312KB
Sample: 200619-b75e4vr1xx
MD5: 0d7d34458f0513ade330aef62cdc0a78
SHA1: 73d572f55942041be66743ef949fc8ea478e292c
SHA256: 5da74ce3acdb1b9c0f6f03f20e7bbcdc9d550ba8be492eb4dd157281ca38985c
SHA512: bcc71191f1b370a812db583803c453b681152948b24cdfceb7971ab8e3a247d7e4d9a6461388d00e71a8fa01bb524c1dde84fd0231aec8ffe2167cc5c2a643cb
Static task: static1
Behavioral task: behavioral1
  Sample: 0d7d34458f0513ade330aef62cdc0a78.exe
  Resource: win7v200430
Behavioral task: behavioral2
  Sample: 0d7d34458f0513ade330aef62cdc0a78.exe
  Resource: win10
Malware Config
Extracted
  Path: C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\# DECRYPT MY FILES #.txt
  Family: cerber
  URLs:
    http://cerberhhyed5frqa.6oifgr.win/49AA-EE7E-2B2B-0291-1FAA
    http://cerberhhyed5frqa.xo59ok.win/49AA-EE7E-2B2B-0291-1FAA
    http://cerberhhyed5frqa.zx34jk.win/49AA-EE7E-2B2B-0291-1FAA
    http://cerberhhyed5frqa.rt4e34.win/49AA-EE7E-2B2B-0291-1FAA
    http://cerberhhyed5frqa.as13fd.win/49AA-EE7E-2B2B-0291-1FAA
    http://cerberhhyed5frqa.onion/49AA-EE7E-2B2B-0291-1FAA
Extracted
  Path: C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html
  URLs:
    http://cerberhhyed5frqa.6oifgr.win/49AA-EE7E-2B2B-0291-1FAA
    http://cerberhhyed5frqa.xo59ok.win/49AA-EE7E-2B2B-0291-1FAA
    http://cerberhhyed5frqa.zx34jk.win/49AA-EE7E-2B2B-0291-1FAA
    http://cerberhhyed5frqa.rt4e34.win/49AA-EE7E-2B2B-0291-1FAA
    http://cerberhhyed5frqa.as13fd.win/49AA-EE7E-2B2B-0291-1FAA
    http://cerberhhyed5frqa.onion/49AA-EE7E-2B2B-0291-1FAA
Extracted
  Path: C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\# DECRYPT MY FILES #.txt
  Family: cerber
  URLs:
    http://cerberhhyed5frqa.6oifgr.win/B124-7025-3012-0291-17C5
    http://cerberhhyed5frqa.xo59ok.win/B124-7025-3012-0291-17C5
    http://cerberhhyed5frqa.zx34jk.win/B124-7025-3012-0291-17C5
    http://cerberhhyed5frqa.rt4e34.win/B124-7025-3012-0291-17C5
    http://cerberhhyed5frqa.as13fd.win/B124-7025-3012-0291-17C5
    http://cerberhhyed5frqa.onion/B124-7025-3012-0291-17C5
Extracted
  Path: C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html
  URLs:
    http://cerberhhyed5frqa.6oifgr.win/B124-7025-3012-0291-17C5
    http://cerberhhyed5frqa.xo59ok.win/B124-7025-3012-0291-17C5
    http://cerberhhyed5frqa.zx34jk.win/B124-7025-3012-0291-17C5
    http://cerberhhyed5frqa.rt4e34.win/B124-7025-3012-0291-17C5
    http://cerberhhyed5frqa.as13fd.win/B124-7025-3012-0291-17C5
    http://cerberhhyed5frqa.onion/B124-7025-3012-0291-17C5
Targets
Target: 0d7d34458f0513ade330aef62cdc0a78
Size: 312KB
MD5: 0d7d34458f0513ade330aef62cdc0a78
SHA1: 73d572f55942041be66743ef949fc8ea478e292c
SHA256: 5da74ce3acdb1b9c0f6f03f20e7bbcdc9d550ba8be492eb4dd157281ca38985c
SHA512: bcc71191f1b370a812db583803c453b681152948b24cdfceb7971ab8e3a247d7e4d9a6461388d00e71a8fa01bb524c1dde84fd0231aec8ffe2167cc5c2a643cb
Score: 10/10
Signatures:
- Suspicious use of NtCreateProcessExOtherParentProcess
- Modifies boot configuration data using bcdedit
- Adds policy Run key to start application
- Executes dropped EXE
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
- Deletes itself
- Drops startup file
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Program crash
- Modifies service
- Sets desktop wallpaper using registry