Analysis

  • max time kernel
    133s
  • max time network
    140s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    05-02-2022 21:41

General

  • Target

    022fd303fe748e12943c578232c28e0fd1efbcad063525e1a6bbc008d6d56d2f.exe

  • Size

    99KB

  • MD5

    20abc2fc4ae0ddc631322df67c828c17

  • SHA1

    30fc7b84a438df84624e79d5365d4bd959fb5f72

  • SHA256

    022fd303fe748e12943c578232c28e0fd1efbcad063525e1a6bbc008d6d56d2f

  • SHA512

    cf311ade900a87903cfb2ea686494fb3a002f3676ffda9f58f18cb53986eb2a3482e86ed3c6609b523a0880550cf416b918b076197027c775b88e8a29079c4a1

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.txt

Ransom Note
C E R B E R ----------- Your documents, photos, databases and other important files have been encrypted! To decrypt your files follow the instructions: --------------------------------------------------------------------------------------- 1. Download and install the "Tor Browser" from https://www.torproject.org/ 2. Run it 3. In the "Tor Browser" open website: http://decrypttozxybarc.onion/6938-6B08-A4FB-0006-4649 4. Follow the instructions at this website --------------------------------------------------------------------------------------- �...Quod me non necat me fortiorem facit.�
URLs

http://decrypttozxybarc.onion/6938-6B08-A4FB-0006-4649

Signatures

  • Gozi RM3

    A heavily modified version of Gozi using RM3 loader.

  • suricata: ET MALWARE Ransomware/Cerber Checkin 2

    suricata: ET MALWARE Ransomware/Cerber Checkin 2

  • suricata: ET MALWARE Ransomware/Cerber Checkin M3 (7)

    suricata: ET MALWARE Ransomware/Cerber Checkin M3 (7)

  • Looks for VirtualBox Guest Additions in registry 2 TTPs
  • Adds policy Run key to start application 2 TTPs 2 IoCs
  • Executes dropped EXE 6 IoCs
  • Looks for VMWare Tools registry key 2 TTPs
  • Checks BIOS information in registry 2 TTPs 8 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Deletes itself 1 IoCs
  • Drops startup file 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 8 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Kills process with taskkill 2 IoCs
  • Modifies Control Panel 4 IoCs
  • Modifies Internet Explorer settings 1 TTPs 36 IoCs
  • Runs ping.exe 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 41 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 62 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\022fd303fe748e12943c578232c28e0fd1efbcad063525e1a6bbc008d6d56d2f.exe
    "C:\Users\Admin\AppData\Local\Temp\022fd303fe748e12943c578232c28e0fd1efbcad063525e1a6bbc008d6d56d2f.exe"
    1⤵
    • Adds policy Run key to start application
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • Modifies Control Panel
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1536
    • C:\Users\Admin\AppData\Roaming\{08569641-0B8C-C7CB-4F6A-A9DDAF6379BC}\mountvol.exe
      "C:\Users\Admin\AppData\Roaming\{08569641-0B8C-C7CB-4F6A-A9DDAF6379BC}\mountvol.exe"
      2⤵
      • Adds policy Run key to start application
      • Executes dropped EXE
      • Checks BIOS information in registry
      • Drops startup file
      • Loads dropped DLL
      • Adds Run key to start application
      • Modifies Control Panel
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1124
      • C:\Users\Admin\AppData\Roaming\{08569641-0B8C-C7CB-4F6A-A9DDAF6379BC}\mountvol.exe
        "C:\Users\Admin\AppData\Roaming\{08569641-0B8C-C7CB-4F6A-A9DDAF6379BC}\mountvol.exe" -stat -1 -wait "SoR6^pjc f!)lyx*wyJPk331@5cuI"
        3⤵
        • Executes dropped EXE
        • Checks BIOS information in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:288
      • C:\Users\Admin\AppData\Roaming\{08569641-0B8C-C7CB-4F6A-A9DDAF6379BC}\mountvol.exe
        "C:\Users\Admin\AppData\Roaming\{08569641-0B8C-C7CB-4F6A-A9DDAF6379BC}\mountvol.exe" -watchdog
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:1552
      • C:\Users\Admin\AppData\Roaming\{08569641-0B8C-C7CB-4F6A-A9DDAF6379BC}\mountvol.exe
        "C:\Users\Admin\AppData\Roaming\{08569641-0B8C-C7CB-4F6A-A9DDAF6379BC}\mountvol.exe" -stat 102
        3⤵
        • Executes dropped EXE
        • Checks BIOS information in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1720
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt
        3⤵
          PID:1104
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html
          3⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1964
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1964 CREDAT:275457 /prefetch:2
            4⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:1756
        • C:\Windows\System32\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs"
          3⤵
            PID:1956
          • C:\Users\Admin\AppData\Roaming\{08569641-0B8C-C7CB-4F6A-A9DDAF6379BC}\mountvol.exe
            "C:\Users\Admin\AppData\Roaming\{08569641-0B8C-C7CB-4F6A-A9DDAF6379BC}\mountvol.exe" -stat 102 -wait "ahK!%B) !X%&_+(nDH36={6_wgd2m"
            3⤵
            • Executes dropped EXE
            • Checks BIOS information in registry
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1948
          • C:\Windows\system32\cmd.exe
            /d /c taskkill /t /f /im "mountvol.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Roaming\{08569641-0B8C-C7CB-4F6A-A9DDAF6379BC}\mountvol.exe" > NUL
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:2432
            • C:\Windows\system32\taskkill.exe
              taskkill /t /f /im "mountvol.exe"
              4⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:2468
            • C:\Windows\system32\PING.EXE
              ping -n 1 127.0.0.1
              4⤵
              • Runs ping.exe
              PID:2512
        • C:\Windows\SysWOW64\cmd.exe
          /d /c taskkill /t /f /im "022fd303fe748e12943c578232c28e0fd1efbcad063525e1a6bbc008d6d56d2f.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\022fd303fe748e12943c578232c28e0fd1efbcad063525e1a6bbc008d6d56d2f.exe" > NUL
          2⤵
          • Deletes itself
          • Suspicious use of WriteProcessMemory
          PID:1688
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /t /f /im "022fd303fe748e12943c578232c28e0fd1efbcad063525e1a6bbc008d6d56d2f.exe"
            3⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:320
          • C:\Windows\SysWOW64\PING.EXE
            ping -n 1 127.0.0.1
            3⤵
            • Runs ping.exe
            PID:2012
      • C:\Windows\system32\taskeng.exe
        taskeng.exe {875B8A62-F1AC-42CA-9C8D-E8C0714B5A21} S-1-5-21-2329389628-4064185017-3901522362-1000:QSKGHMYQ\Admin:Interactive:[1]
        1⤵
        • Suspicious use of WriteProcessMemory
        PID:1700
        • C:\Users\Admin\AppData\Roaming\{08569641-0B8C-C7CB-4F6A-A9DDAF6379BC}\mountvol.exe
          C:\Users\Admin\AppData\Roaming\{08569641-0B8C-C7CB-4F6A-A9DDAF6379BC}\mountvol.exe
          2⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:844
      • C:\Windows\SysWOW64\DllHost.exe
        C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
        1⤵
          PID:2012

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T7QQD7BH\json[1].json

          MD5

          0aa762bb10362f552b6144794a0d1888

          SHA1

          750eba61c566f9d0c9b2dd997c77f35a95c515b2

          SHA256

          5eafadbd4100539125257b4a3f3c4a8fe4fd33605fc8a9b52050d715475b4de4

          SHA512

          01a293bdfc4beebac42a0fcfb0fb1dfd52613b35b7de50e942c4638e008f8527fe37a29572a7612ead8b65ad41e848e12ec3258ca5c821030cba2b394805da16

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T7QQD7BH\json[1].json

          MD5

          0aa762bb10362f552b6144794a0d1888

          SHA1

          750eba61c566f9d0c9b2dd997c77f35a95c515b2

          SHA256

          5eafadbd4100539125257b4a3f3c4a8fe4fd33605fc8a9b52050d715475b4de4

          SHA512

          01a293bdfc4beebac42a0fcfb0fb1dfd52613b35b7de50e942c4638e008f8527fe37a29572a7612ead8b65ad41e848e12ec3258ca5c821030cba2b394805da16

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YFMJZ4T6\json[1].json

          MD5

          0aa762bb10362f552b6144794a0d1888

          SHA1

          750eba61c566f9d0c9b2dd997c77f35a95c515b2

          SHA256

          5eafadbd4100539125257b4a3f3c4a8fe4fd33605fc8a9b52050d715475b4de4

          SHA512

          01a293bdfc4beebac42a0fcfb0fb1dfd52613b35b7de50e942c4638e008f8527fe37a29572a7612ead8b65ad41e848e12ec3258ca5c821030cba2b394805da16

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\VLRK9K3B.txt

          MD5

          24a1b6fe028423a64e84fd5aea17d001

          SHA1

          45b8eb26b3d4f69a38f52c7469c93cda60d2e299

          SHA256

          e76b79247f3169efda1b2d1f07bf6ce4f33a1b9cc1383840ce190e5e615bef30

          SHA512

          3242f33b629397ce790e114b4dcda71c98906eef170399ff6bbbffefc7dfc237d482281eac9d634c5fb3783fad20fc679b66b55755b9d42c31a0a1f7014b43f5

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\mountvol.lnk

          MD5

          cb1355820dbefcaded468992d150f690

          SHA1

          a3afc76be32034434574cf15ae20da692a23f76e

          SHA256

          52eae6c2e5f50af8c7c57956c9ff0e43a78d3d05e89c68de2e769da988b3534b

          SHA512

          d8e7187a46fdbd1208aaff3677458343564a704921c37f7fdcdfaf49df810da5532a6d6dcf69eba47e5b9a17a1dfbce0a9381c809e76f2e8330eeda6e60188c8

        • C:\Users\Admin\AppData\Roaming\{08569641-0B8C-C7CB-4F6A-A9DDAF6379BC}\mountvol.exe

          MD5

          20abc2fc4ae0ddc631322df67c828c17

          SHA1

          30fc7b84a438df84624e79d5365d4bd959fb5f72

          SHA256

          022fd303fe748e12943c578232c28e0fd1efbcad063525e1a6bbc008d6d56d2f

          SHA512

          cf311ade900a87903cfb2ea686494fb3a002f3676ffda9f58f18cb53986eb2a3482e86ed3c6609b523a0880550cf416b918b076197027c775b88e8a29079c4a1

        • C:\Users\Admin\AppData\Roaming\{08569641-0B8C-C7CB-4F6A-A9DDAF6379BC}\mountvol.exe

          MD5

          20abc2fc4ae0ddc631322df67c828c17

          SHA1

          30fc7b84a438df84624e79d5365d4bd959fb5f72

          SHA256

          022fd303fe748e12943c578232c28e0fd1efbcad063525e1a6bbc008d6d56d2f

          SHA512

          cf311ade900a87903cfb2ea686494fb3a002f3676ffda9f58f18cb53986eb2a3482e86ed3c6609b523a0880550cf416b918b076197027c775b88e8a29079c4a1

        • C:\Users\Admin\AppData\Roaming\{08569641-0B8C-C7CB-4F6A-A9DDAF6379BC}\mountvol.exe

          MD5

          20abc2fc4ae0ddc631322df67c828c17

          SHA1

          30fc7b84a438df84624e79d5365d4bd959fb5f72

          SHA256

          022fd303fe748e12943c578232c28e0fd1efbcad063525e1a6bbc008d6d56d2f

          SHA512

          cf311ade900a87903cfb2ea686494fb3a002f3676ffda9f58f18cb53986eb2a3482e86ed3c6609b523a0880550cf416b918b076197027c775b88e8a29079c4a1

        • C:\Users\Admin\AppData\Roaming\{08569641-0B8C-C7CB-4F6A-A9DDAF6379BC}\mountvol.exe

          MD5

          20abc2fc4ae0ddc631322df67c828c17

          SHA1

          30fc7b84a438df84624e79d5365d4bd959fb5f72

          SHA256

          022fd303fe748e12943c578232c28e0fd1efbcad063525e1a6bbc008d6d56d2f

          SHA512

          cf311ade900a87903cfb2ea686494fb3a002f3676ffda9f58f18cb53986eb2a3482e86ed3c6609b523a0880550cf416b918b076197027c775b88e8a29079c4a1

        • C:\Users\Admin\AppData\Roaming\{08569641-0B8C-C7CB-4F6A-A9DDAF6379BC}\mountvol.exe

          MD5

          20abc2fc4ae0ddc631322df67c828c17

          SHA1

          30fc7b84a438df84624e79d5365d4bd959fb5f72

          SHA256

          022fd303fe748e12943c578232c28e0fd1efbcad063525e1a6bbc008d6d56d2f

          SHA512

          cf311ade900a87903cfb2ea686494fb3a002f3676ffda9f58f18cb53986eb2a3482e86ed3c6609b523a0880550cf416b918b076197027c775b88e8a29079c4a1

        • C:\Users\Admin\AppData\Roaming\{08569641-0B8C-C7CB-4F6A-A9DDAF6379BC}\mountvol.exe

          MD5

          20abc2fc4ae0ddc631322df67c828c17

          SHA1

          30fc7b84a438df84624e79d5365d4bd959fb5f72

          SHA256

          022fd303fe748e12943c578232c28e0fd1efbcad063525e1a6bbc008d6d56d2f

          SHA512

          cf311ade900a87903cfb2ea686494fb3a002f3676ffda9f58f18cb53986eb2a3482e86ed3c6609b523a0880550cf416b918b076197027c775b88e8a29079c4a1

        • C:\Users\Admin\AppData\Roaming\{08569641-0B8C-C7CB-4F6A-A9DDAF6379BC}\mountvol.exe

          MD5

          20abc2fc4ae0ddc631322df67c828c17

          SHA1

          30fc7b84a438df84624e79d5365d4bd959fb5f72

          SHA256

          022fd303fe748e12943c578232c28e0fd1efbcad063525e1a6bbc008d6d56d2f

          SHA512

          cf311ade900a87903cfb2ea686494fb3a002f3676ffda9f58f18cb53986eb2a3482e86ed3c6609b523a0880550cf416b918b076197027c775b88e8a29079c4a1

        • C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html

          MD5

          b60bd4e2c6625c8ee69e2888802ce0f9

          SHA1

          862c9deb4eac113a8974110c01ca794f950d8df0

          SHA256

          274a2e9b17def721cf6a192933543aafb6ddca3851934bb930edbc75bbe6a6df

          SHA512

          8aa1a48ed634976cd183091254a29f5c748e34d4b3fa667365d29e5f788115310c922417f320f9865525b7dc95933b5195ebcd0ad3dc5caefa45d52e748ee39c

        • C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt

          MD5

          4a0508a7e0d38fdc08fe54e2fb8e6305

          SHA1

          9ed16d297dc27eee76712346fad986542314d140

          SHA256

          ea42f094e577953a8596e412555b5192615b2b11cdb6e37ce417811e1448211a

          SHA512

          a8f24cae2780c8d8806bdd1501c2699dbfe65b16c9314d038cdf806fed70cdfbe60ec13f3aa93272a3e2710fa34e7b81e2ccebd539cb7ad0b9fc9ad90dbc9fa2

        • C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs

          MD5

          e9ffd9f618cbf36ad6c910c161bb8080

          SHA1

          a702b4220bbded577b4b699611bb73593b12ae71

          SHA256

          020ca4b4574a40418b8aa4c2d74b0488e9d150e8d3f5e56e5c6dcca6f7dfaaac

          SHA512

          ee87264e384579df7b74d7ac08e9a490495efa34f1a99e2d4949cb76b839c165fbb281aacae25f4ab7e911401c7bfa3fba4b0e59dd492566985fb8dbd1cf1bef

        • \Users\Admin\AppData\Roaming\{08569641-0B8C-C7CB-4F6A-A9DDAF6379BC}\mountvol.exe

          MD5

          20abc2fc4ae0ddc631322df67c828c17

          SHA1

          30fc7b84a438df84624e79d5365d4bd959fb5f72

          SHA256

          022fd303fe748e12943c578232c28e0fd1efbcad063525e1a6bbc008d6d56d2f

          SHA512

          cf311ade900a87903cfb2ea686494fb3a002f3676ffda9f58f18cb53986eb2a3482e86ed3c6609b523a0880550cf416b918b076197027c775b88e8a29079c4a1

        • \Users\Admin\AppData\Roaming\{08569641-0B8C-C7CB-4F6A-A9DDAF6379BC}\mountvol.exe

          MD5

          20abc2fc4ae0ddc631322df67c828c17

          SHA1

          30fc7b84a438df84624e79d5365d4bd959fb5f72

          SHA256

          022fd303fe748e12943c578232c28e0fd1efbcad063525e1a6bbc008d6d56d2f

          SHA512

          cf311ade900a87903cfb2ea686494fb3a002f3676ffda9f58f18cb53986eb2a3482e86ed3c6609b523a0880550cf416b918b076197027c775b88e8a29079c4a1

        • \Users\Admin\AppData\Roaming\{08569641-0B8C-C7CB-4F6A-A9DDAF6379BC}\mountvol.exe

          MD5

          20abc2fc4ae0ddc631322df67c828c17

          SHA1

          30fc7b84a438df84624e79d5365d4bd959fb5f72

          SHA256

          022fd303fe748e12943c578232c28e0fd1efbcad063525e1a6bbc008d6d56d2f

          SHA512

          cf311ade900a87903cfb2ea686494fb3a002f3676ffda9f58f18cb53986eb2a3482e86ed3c6609b523a0880550cf416b918b076197027c775b88e8a29079c4a1

        • memory/1104-72-0x000007FEFBAE1000-0x000007FEFBAE3000-memory.dmp

          Filesize

          8KB

        • memory/1536-54-0x0000000076071000-0x0000000076073000-memory.dmp

          Filesize

          8KB