General
-
Target
0158aa84c26e2890a241fb43dbef52a745fcf2961661b3d670296d86bd92682b
-
Size
218KB
-
Sample
220523-y2hmqsehb5
-
MD5
15e278d69ec44692ffaf07f239aac819
-
SHA1
431d35d893067533e5af3ff4a3521d84e4833455
-
SHA256
0158aa84c26e2890a241fb43dbef52a745fcf2961661b3d670296d86bd92682b
-
SHA512
5a29bb6e8b569c7e72c6ce8974cd0f6823e7e71a9a3eae62b7d43c615ab8d4836160822f8f67941bff03a768a3116c83b757f24f971428a948327999dec57540
Malware Config
Targets
-
-
Target
0158aa84c26e2890a241fb43dbef52a745fcf2961661b3d670296d86bd92682b
-
Size
218KB
-
MD5
15e278d69ec44692ffaf07f239aac819
-
SHA1
431d35d893067533e5af3ff4a3521d84e4833455
-
SHA256
0158aa84c26e2890a241fb43dbef52a745fcf2961661b3d670296d86bd92682b
-
SHA512
5a29bb6e8b569c7e72c6ce8974cd0f6823e7e71a9a3eae62b7d43c615ab8d4836160822f8f67941bff03a768a3116c83b757f24f971428a948327999dec57540
Score10/10-
suricata: ET MALWARE Ransomware/Cerber Checkin 2
suricata: ET MALWARE Ransomware/Cerber Checkin 2
-
Contacts a large (3210) amount of remote hosts
This may indicate a network scan to discover remotely running services.
-
Contacts a large (7554) amount of remote hosts
This may indicate a network scan to discover remotely running services.
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit
-
Adds policy Run key to start application
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Drops startup file
-
Loads dropped DLL
-
Adds Run key to start application
-
Creates a large amount of network flows
This may indicate a network scan to discover remotely running services.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-