Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    167s
  • max time network
    175s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    05/02/2022, 21:41

General

  • Target

    022fd303fe748e12943c578232c28e0fd1efbcad063525e1a6bbc008d6d56d2f.exe

  • Size

    99KB

  • MD5

    20abc2fc4ae0ddc631322df67c828c17

  • SHA1

    30fc7b84a438df84624e79d5365d4bd959fb5f72

  • SHA256

    022fd303fe748e12943c578232c28e0fd1efbcad063525e1a6bbc008d6d56d2f

  • SHA512

    cf311ade900a87903cfb2ea686494fb3a002f3676ffda9f58f18cb53986eb2a3482e86ed3c6609b523a0880550cf416b918b076197027c775b88e8a29079c4a1

Malware Config

Extracted

Path

C:\Users\Admin\Music\# DECRYPT MY FILES #.txt

Ransom Note
C E R B E R ----------- Your documents, photos, databases and other important files have been encrypted! To decrypt your files follow the instructions: --------------------------------------------------------------------------------------- 1. Download and install the "Tor Browser" from https://www.torproject.org/ 2. Run it 3. In the "Tor Browser" open website: http://decrypttozxybarc.onion/D0B9-7690-D2D4-0006-4D1A 4. Follow the instructions at this website --------------------------------------------------------------------------------------- �...Quod me non necat me fortiorem facit.�
URLs

http://decrypttozxybarc.onion/D0B9-7690-D2D4-0006-4D1A

Signatures

  • suricata: ET MALWARE Ransomware/Cerber Checkin 2

    suricata: ET MALWARE Ransomware/Cerber Checkin 2

  • suricata: ET MALWARE Ransomware/Cerber Checkin M3 (14)

    suricata: ET MALWARE Ransomware/Cerber Checkin M3 (14)

  • Looks for VirtualBox Guest Additions in registry 2 TTPs
  • Adds policy Run key to start application 2 TTPs 2 IoCs
  • Executes dropped EXE 7 IoCs
  • Looks for VMWare Tools registry key 2 TTPs
  • Checks BIOS information in registry 2 TTPs 8 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 8 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Kills process with taskkill 2 IoCs
  • Modifies Control Panel 4 IoCs
  • Modifies data under HKEY_USERS 1 IoCs
  • Modifies registry class 2 IoCs
  • Runs ping.exe 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 18 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\022fd303fe748e12943c578232c28e0fd1efbcad063525e1a6bbc008d6d56d2f.exe
    "C:\Users\Admin\AppData\Local\Temp\022fd303fe748e12943c578232c28e0fd1efbcad063525e1a6bbc008d6d56d2f.exe"
    1⤵
    • Adds policy Run key to start application
    • Drops startup file
    • Adds Run key to start application
    • Modifies Control Panel
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4272
    • C:\Users\Admin\AppData\Roaming\{039EB981-FDFB-E250-78E7-3E7222249782}\expand.exe
      "C:\Users\Admin\AppData\Roaming\{039EB981-FDFB-E250-78E7-3E7222249782}\expand.exe"
      2⤵
      • Adds policy Run key to start application
      • Executes dropped EXE
      • Checks BIOS information in registry
      • Checks computer location settings
      • Drops startup file
      • Adds Run key to start application
      • Modifies Control Panel
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4532
      • C:\Users\Admin\AppData\Roaming\{039EB981-FDFB-E250-78E7-3E7222249782}\expand.exe
        "C:\Users\Admin\AppData\Roaming\{039EB981-FDFB-E250-78E7-3E7222249782}\expand.exe" -stat -1 -wait "=a-Akau5uWl9~{s!#h^+DMlH(vSVs"
        3⤵
        • Executes dropped EXE
        • Checks BIOS information in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1052
      • C:\Users\Admin\AppData\Roaming\{039EB981-FDFB-E250-78E7-3E7222249782}\expand.exe
        "C:\Users\Admin\AppData\Roaming\{039EB981-FDFB-E250-78E7-3E7222249782}\expand.exe" -watchdog
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:4188
      • C:\Users\Admin\AppData\Roaming\{039EB981-FDFB-E250-78E7-3E7222249782}\expand.exe
        "C:\Users\Admin\AppData\Roaming\{039EB981-FDFB-E250-78E7-3E7222249782}\expand.exe" -stat 94
        3⤵
        • Executes dropped EXE
        • Checks BIOS information in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3404
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt
        3⤵
          PID:1660
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html
          3⤵
          • Enumerates system info in registry
          • Modifies registry class
          • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:1156
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffc421846f8,0x7ffc42184708,0x7ffc42184718
            4⤵
              PID:4724
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,17715483856487101452,12411652332534045183,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2
              4⤵
                PID:3460
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,17715483856487101452,12411652332534045183,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2352 /prefetch:3
                4⤵
                  PID:4808
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2112,17715483856487101452,12411652332534045183,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3084 /prefetch:8
                  4⤵
                    PID:1160
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,17715483856487101452,12411652332534045183,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3820 /prefetch:1
                    4⤵
                      PID:2500
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,17715483856487101452,12411652332534045183,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3828 /prefetch:1
                      4⤵
                        PID:2380
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2112,17715483856487101452,12411652332534045183,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5312 /prefetch:8
                        4⤵
                          PID:5056
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,17715483856487101452,12411652332534045183,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5812 /prefetch:1
                          4⤵
                            PID:1744
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,17715483856487101452,12411652332534045183,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5848 /prefetch:1
                            4⤵
                              PID:4736
                          • C:\Windows\System32\WScript.exe
                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs"
                            3⤵
                              PID:1928
                            • C:\Users\Admin\AppData\Roaming\{039EB981-FDFB-E250-78E7-3E7222249782}\expand.exe
                              "C:\Users\Admin\AppData\Roaming\{039EB981-FDFB-E250-78E7-3E7222249782}\expand.exe" -stat 94 -wait "fJ6yWW{F[G4HP@_<c#)gAVg^{C57M"
                              3⤵
                              • Executes dropped EXE
                              • Checks BIOS information in registry
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious use of AdjustPrivilegeToken
                              PID:1712
                            • C:\Windows\system32\cmd.exe
                              /d /c taskkill /t /f /im "expand.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Roaming\{039EB981-FDFB-E250-78E7-3E7222249782}\expand.exe" > NUL
                              3⤵
                                PID:888
                                • C:\Windows\system32\taskkill.exe
                                  taskkill /t /f /im "expand.exe"
                                  4⤵
                                  • Kills process with taskkill
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:4824
                                • C:\Windows\system32\PING.EXE
                                  ping -n 1 127.0.0.1
                                  4⤵
                                  • Runs ping.exe
                                  PID:3796
                            • C:\Windows\SysWOW64\cmd.exe
                              /d /c taskkill /t /f /im "022fd303fe748e12943c578232c28e0fd1efbcad063525e1a6bbc008d6d56d2f.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\022fd303fe748e12943c578232c28e0fd1efbcad063525e1a6bbc008d6d56d2f.exe" > NUL
                              2⤵
                              • Suspicious use of WriteProcessMemory
                              PID:4464
                              • C:\Windows\SysWOW64\taskkill.exe
                                taskkill /t /f /im "022fd303fe748e12943c578232c28e0fd1efbcad063525e1a6bbc008d6d56d2f.exe"
                                3⤵
                                • Kills process with taskkill
                                • Suspicious use of AdjustPrivilegeToken
                                PID:4512
                              • C:\Windows\SysWOW64\PING.EXE
                                ping -n 1 127.0.0.1
                                3⤵
                                • Runs ping.exe
                                PID:1976
                          • C:\Users\Admin\AppData\Roaming\{039EB981-FDFB-E250-78E7-3E7222249782}\expand.exe
                            C:\Users\Admin\AppData\Roaming\{039EB981-FDFB-E250-78E7-3E7222249782}\expand.exe
                            1⤵
                            • Executes dropped EXE
                            • Suspicious use of AdjustPrivilegeToken
                            PID:4908
                          • C:\Windows\system32\AUDIODG.EXE
                            C:\Windows\system32\AUDIODG.EXE 0x33c 0x3d8
                            1⤵
                            • Suspicious use of AdjustPrivilegeToken
                            PID:2164
                          • C:\Windows\System32\svchost.exe
                            C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                            1⤵
                            • Modifies data under HKEY_USERS
                            PID:4192
                          • C:\Windows\System32\CompPkgSrv.exe
                            C:\Windows\System32\CompPkgSrv.exe -Embedding
                            1⤵
                              PID:4240
                            • C:\Windows\system32\svchost.exe
                              C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
                              1⤵
                              • Drops file in Windows directory
                              • Suspicious use of AdjustPrivilegeToken
                              PID:528
                            • C:\Users\Admin\AppData\Roaming\{039EB981-FDFB-E250-78E7-3E7222249782}\expand.exe
                              C:\Users\Admin\AppData\Roaming\{039EB981-FDFB-E250-78E7-3E7222249782}\expand.exe
                              1⤵
                              • Executes dropped EXE
                              • Suspicious use of AdjustPrivilegeToken
                              PID:948

                            Network

                            MITRE ATT&CK Enterprise v6

                            Replay Monitor

                            Loading Replay Monitor...

                            Downloads

                            • memory/528-392-0x000001C8F5940000-0x000001C8F5944000-memory.dmp

                              Filesize

                              16KB

                            • memory/3460-226-0x00007FFC5F770000-0x00007FFC5F771000-memory.dmp

                              Filesize

                              4KB

                            • memory/4192-143-0x000002708BB80000-0x000002708BB90000-memory.dmp

                              Filesize

                              64KB