General
- Target: 120904fa76dba7bdaf0f5c3732b58b050e8d1366c11093ada9e4d894076f2d30.sample
- Size: 120KB
- Sample: 210726-jvxjtnq1gs
- MD5: 678fff3a5ab12f5af6bbb814d1810b4c
- SHA1: b088bc6af8ddba1bee212b6f8bf4dcc66002a4ed
- SHA256: 120904fa76dba7bdaf0f5c3732b58b050e8d1366c11093ada9e4d894076f2d30
- SHA512: 2904ac506a3959c6ed067ad62416ddfa392486f783f62f2eb97b7fe8b66b3292884d95e60886ca61894e9c041937378ad6dd059f9541f5cb170efd46f334bdfc
Static task: static1
Behavioral task: behavioral1
- Sample: 120904fa76dba7bdaf0f5c3732b58b050e8d1366c11093ada9e4d894076f2d30.sample.exe
- Resource: win7v20210410
Behavioral task: behavioral2
- Sample: 120904fa76dba7bdaf0f5c3732b58b050e8d1366c11093ada9e4d894076f2d30.sample.exe
- Resource: win10v20210408
Malware Config
Extracted: C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.txt
Extracted: C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html
Extracted: C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\# DECRYPT MY FILES #.txt
Extracted: C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html
Targets
- suricata: ET MALWARE Ransomware/Cerber Checkin 2
- suricata: ET MALWARE Ransomware/Cerber Checkin M3 (12)
- suricata: ET MALWARE Ransomware/Cerber Checkin M3 (8)
- Looks for VirtualBox Guest Additions in registry
- Modifies boot configuration data using bcdedit
- Adds policy Run key to start application
- Executes dropped EXE
- Looks for VMWare Tools registry key
- Checks BIOS information in registry. BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings. Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Looks up external IP address via web service. Uses a legitimate IP lookup service to find the infected system's external IP.