cerber | 5607414907c0494f734000ba029c6b74a0eafdf2bfbecc24d410855108635100

General

Target

5607414907c0494f734000ba029c6b74a0eafdf2bfbecc24d410855108635100.exe
Size

382KB
MD5

432ad4941c057927786e3b6646ecf2f3
SHA1

45babe449954544219054e327523de5812597eaa
SHA256

5607414907c0494f734000ba029c6b74a0eafdf2bfbecc24d410855108635100
SHA512

8b8fa755cf8a18fe7a822edcb977e8d8ee7615ccc56f5eac5c4eb7113f1faa8c983a9da18a08923c7e14d1bc86f2cae7d0a98322e8fcb8fb180733c0e9b04ab3

Score

10^/10

cerber discovery evasion persistence ransomware spyware stealer suricata

Malware Config

Signatures

Cerber 2 IoCs

Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.

ransomware cerber

Processes:

5607414907c0494f734000ba029c6b74a0eafdf2bfbecc24d410855108635100.exegpresult.exe

description	ioc	process
Mutant opened	shell.{A431E284-FF41-2B74-3E2C-52A35D2135D0}	5607414907c0494f734000ba029c6b74a0eafdf2bfbecc24d410855108635100.exe
Mutant created	shell.{A431E284-FF41-2B74-3E2C-52A35D2135D0}	gpresult.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

5607414907c0494f734000ba029c6b74a0eafdf2bfbecc24d410855108635100.exegpresult.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	5607414907c0494f734000ba029c6b74a0eafdf2bfbecc24d410855108635100.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	gpresult.exe

suricata: ET MALWARE Ransomware/Cerber Checkin 2
suricata: ET MALWARE Ransomware/Cerber Checkin 2
suricata
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

2380 bcdedit.exe
3532 bcdedit.exe

pid	process
2380	bcdedit.exe
3532	bcdedit.exe

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

5607414907c0494f734000ba029c6b74a0eafdf2bfbecc24d410855108635100.exegpresult.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{A2960505-E42D-C35E-0E5A-BF98F493D4A2}\\gpresult.exe\""	5607414907c0494f734000ba029c6b74a0eafdf2bfbecc24d410855108635100.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{A2960505-E42D-C35E-0E5A-BF98F493D4A2}\\gpresult.exe\""	gpresult.exe

Contacts a large (530) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Executes dropped EXE 1 IoCs

Processes:

gpresult.exe

pid process

3096 gpresult.exe

pid	process
3096	gpresult.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

gpresult.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\International\Geo\Nation	gpresult.exe

Drops startup file 1 IoCs

Processes:

5607414907c0494f734000ba029c6b74a0eafdf2bfbecc24d410855108635100.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\gpresult.lnk	5607414907c0494f734000ba029c6b74a0eafdf2bfbecc24d410855108635100.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

gpresult.exe5607414907c0494f734000ba029c6b74a0eafdf2bfbecc24d410855108635100.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gpresult = "\"C:\\Users\\Admin\\AppData\\Roaming\\{A2960505-E42D-C35E-0E5A-BF98F493D4A2}\\gpresult.exe\""	gpresult.exe
Key created	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	gpresult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\gpresult = "\"C:\\Users\\Admin\\AppData\\Roaming\\{A2960505-E42D-C35E-0E5A-BF98F493D4A2}\\gpresult.exe\""	gpresult.exe
Key created	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Software\Microsoft\Windows\CurrentVersion\Run	5607414907c0494f734000ba029c6b74a0eafdf2bfbecc24d410855108635100.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gpresult = "\"C:\\Users\\Admin\\AppData\\Roaming\\{A2960505-E42D-C35E-0E5A-BF98F493D4A2}\\gpresult.exe\""	5607414907c0494f734000ba029c6b74a0eafdf2bfbecc24d410855108635100.exe
Key created	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	5607414907c0494f734000ba029c6b74a0eafdf2bfbecc24d410855108635100.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\gpresult = "\"C:\\Users\\Admin\\AppData\\Roaming\\{A2960505-E42D-C35E-0E5A-BF98F493D4A2}\\gpresult.exe\""	5607414907c0494f734000ba029c6b74a0eafdf2bfbecc24d410855108635100.exe
Key created	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Software\Microsoft\Windows\CurrentVersion\Run	gpresult.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 ip-api.com
548 ipinfo.io
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1380 vssadmin.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

3800 taskkill.exe

flow	ioc
4	ip-api.com
548	ipinfo.io

pid	process
1380	vssadmin.exe

pid	process
3800	taskkill.exe

Modifies Control Panel 4 IoCs

evasion

Processes:

5607414907c0494f734000ba029c6b74a0eafdf2bfbecc24d410855108635100.exegpresult.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{A2960505-E42D-C35E-0E5A-BF98F493D4A2}\\gpresult.exe\""	5607414907c0494f734000ba029c6b74a0eafdf2bfbecc24d410855108635100.exe
Key created	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\Desktop	gpresult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{A2960505-E42D-C35E-0E5A-BF98F493D4A2}\\gpresult.exe\""	gpresult.exe
Key created	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\Desktop	5607414907c0494f734000ba029c6b74a0eafdf2bfbecc24d410855108635100.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

4060 PING.EXE

pid	process
4060	PING.EXE

Suspicious use of AdjustPrivilegeToken 48 IoCs

Processes:

5607414907c0494f734000ba029c6b74a0eafdf2bfbecc24d410855108635100.exetaskkill.exegpresult.exevssvc.exewmic.exe

description	pid	process
Token: SeDebugPrivilege	1772	5607414907c0494f734000ba029c6b74a0eafdf2bfbecc24d410855108635100.exe
Token: SeDebugPrivilege	3800	taskkill.exe
Token: SeDebugPrivilege	3096	gpresult.exe
Token: SeBackupPrivilege	1052	vssvc.exe
Token: SeRestorePrivilege	1052	vssvc.exe
Token: SeAuditPrivilege	1052	vssvc.exe
Token: SeIncreaseQuotaPrivilege	604	wmic.exe
Token: SeSecurityPrivilege	604	wmic.exe
Token: SeTakeOwnershipPrivilege	604	wmic.exe
Token: SeLoadDriverPrivilege	604	wmic.exe
Token: SeSystemProfilePrivilege	604	wmic.exe
Token: SeSystemtimePrivilege	604	wmic.exe
Token: SeProfSingleProcessPrivilege	604	wmic.exe
Token: SeIncBasePriorityPrivilege	604	wmic.exe
Token: SeCreatePagefilePrivilege	604	wmic.exe
Token: SeBackupPrivilege	604	wmic.exe
Token: SeRestorePrivilege	604	wmic.exe
Token: SeShutdownPrivilege	604	wmic.exe
Token: SeDebugPrivilege	604	wmic.exe
Token: SeSystemEnvironmentPrivilege	604	wmic.exe
Token: SeRemoteShutdownPrivilege	604	wmic.exe
Token: SeUndockPrivilege	604	wmic.exe
Token: SeManageVolumePrivilege	604	wmic.exe
Token: 33	604	wmic.exe
Token: 34	604	wmic.exe
Token: 35	604	wmic.exe
Token: 36	604	wmic.exe
Token: SeIncreaseQuotaPrivilege	604	wmic.exe
Token: SeSecurityPrivilege	604	wmic.exe
Token: SeTakeOwnershipPrivilege	604	wmic.exe
Token: SeLoadDriverPrivilege	604	wmic.exe
Token: SeSystemProfilePrivilege	604	wmic.exe
Token: SeSystemtimePrivilege	604	wmic.exe
Token: SeProfSingleProcessPrivilege	604	wmic.exe
Token: SeIncBasePriorityPrivilege	604	wmic.exe
Token: SeCreatePagefilePrivilege	604	wmic.exe
Token: SeBackupPrivilege	604	wmic.exe
Token: SeRestorePrivilege	604	wmic.exe
Token: SeShutdownPrivilege	604	wmic.exe
Token: SeDebugPrivilege	604	wmic.exe
Token: SeSystemEnvironmentPrivilege	604	wmic.exe
Token: SeRemoteShutdownPrivilege	604	wmic.exe
Token: SeUndockPrivilege	604	wmic.exe
Token: SeManageVolumePrivilege	604	wmic.exe
Token: 33	604	wmic.exe
Token: 34	604	wmic.exe
Token: 35	604	wmic.exe
Token: 36	604	wmic.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

5607414907c0494f734000ba029c6b74a0eafdf2bfbecc24d410855108635100.execmd.exegpresult.exe

description	pid	process	target process
PID 1772 wrote to memory of 3096	1772	5607414907c0494f734000ba029c6b74a0eafdf2bfbecc24d410855108635100.exe	gpresult.exe
PID 1772 wrote to memory of 3096	1772	5607414907c0494f734000ba029c6b74a0eafdf2bfbecc24d410855108635100.exe	gpresult.exe
PID 1772 wrote to memory of 3096	1772	5607414907c0494f734000ba029c6b74a0eafdf2bfbecc24d410855108635100.exe	gpresult.exe
PID 1772 wrote to memory of 624	1772	5607414907c0494f734000ba029c6b74a0eafdf2bfbecc24d410855108635100.exe	cmd.exe
PID 1772 wrote to memory of 624	1772	5607414907c0494f734000ba029c6b74a0eafdf2bfbecc24d410855108635100.exe	cmd.exe
PID 1772 wrote to memory of 624	1772	5607414907c0494f734000ba029c6b74a0eafdf2bfbecc24d410855108635100.exe	cmd.exe
PID 624 wrote to memory of 3800	624	cmd.exe	taskkill.exe
PID 624 wrote to memory of 3800	624	cmd.exe	taskkill.exe
PID 624 wrote to memory of 3800	624	cmd.exe	taskkill.exe
PID 624 wrote to memory of 4060	624	cmd.exe	PING.EXE
PID 624 wrote to memory of 4060	624	cmd.exe	PING.EXE
PID 624 wrote to memory of 4060	624	cmd.exe	PING.EXE
PID 3096 wrote to memory of 1380	3096	gpresult.exe	vssadmin.exe
PID 3096 wrote to memory of 1380	3096	gpresult.exe	vssadmin.exe
PID 3096 wrote to memory of 604	3096	gpresult.exe	wmic.exe
PID 3096 wrote to memory of 604	3096	gpresult.exe	wmic.exe
PID 3096 wrote to memory of 2380	3096	gpresult.exe	bcdedit.exe
PID 3096 wrote to memory of 2380	3096	gpresult.exe	bcdedit.exe
PID 3096 wrote to memory of 3532	3096	gpresult.exe	bcdedit.exe
PID 3096 wrote to memory of 3532	3096	gpresult.exe	bcdedit.exe

C:\Users\Admin\AppData\Local\Temp\5607414907c0494f734000ba029c6b74a0eafdf2bfbecc24d410855108635100.exe
"C:\Users\Admin\AppData\Local\Temp\5607414907c0494f734000ba029c6b74a0eafdf2bfbecc24d410855108635100.exe"
1⤵
- Cerber
- Modifies visiblity of hidden/system files in Explorer
- Adds policy Run key to start application
- Drops startup file
- Adds Run key to start application
- Modifies Control Panel
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1772

C:\Users\Admin\AppData\Roaming\{A2960505-E42D-C35E-0E5A-BF98F493D4A2}\gpresult.exe
"C:\Users\Admin\AppData\Roaming\{A2960505-E42D-C35E-0E5A-BF98F493D4A2}\gpresult.exe"
2⤵
- Cerber
- Modifies visiblity of hidden/system files in Explorer
- Adds policy Run key to start application
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Modifies Control Panel
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3096

C:\Windows\system32\vssadmin.exe
"C:\Windows\system32\vssadmin.exe" delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:1380

C:\Windows\system32\wbem\wmic.exe
"C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:604

C:\Windows\System32\bcdedit.exe
"C:\Windows\System32\bcdedit.exe" /set {default} recoveryenabled no
3⤵
- Modifies boot configuration data using bcdedit
PID:2380

C:\Windows\System32\bcdedit.exe
"C:\Windows\System32\bcdedit.exe" /set {default} bootstatuspolicy ignoreallfailures
3⤵
- Modifies boot configuration data using bcdedit
PID:3532

C:\Windows\SysWOW64\cmd.exe
/d /c taskkill /f /im "5607414907c0494f734000ba029c6b74a0eafdf2bfbecc24d410855108635100.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\5607414907c0494f734000ba029c6b74a0eafdf2bfbecc24d410855108635100.exe" > NUL
2⤵
- Suspicious use of WriteProcessMemory
PID:624

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im "5607414907c0494f734000ba029c6b74a0eafdf2bfbecc24d410855108635100.exe"
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3800

C:\Windows\SysWOW64\PING.EXE
ping -n 1 127.0.0.1
3⤵
- Runs ping.exe
PID:4060

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1052

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Hidden Files and Directories

1

T1158

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

1

T1158

Modify Registry

3

T1112

File Deletion

2

T1107

Credential Access

Credentials in Files

1

T1081

Discovery

Network Service Scanning

1

T1046

Query Registry

1

T1012

System Information Discovery

2

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

3

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\ODIFJ91X\json[1].json
Filesize
302B

MD5
8ea85462999d0b5942e53b071bd59ae4

SHA1
6b5b5dc3e4cc7245987c0b05809d4a78dbd09d21

SHA256
1855b73d3c877b3812d32b5b8ee65953f59ddb7b4908ea7ca30b3205c7340e6b

SHA512
7b7b1b58e2db79f9fc34684cd21d8223ab4206bc95566c40df5b8d1d3f11e437f3270021ed3ebc0f58282f24672cc8b21a4d378cc793149b6f2f5e1930eb1ed5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\gpresult.lnk
Filesize
1KB

MD5
4323b367fdb4cf2599b2bb9e106a6c34

SHA1
ad05b73551d7204feeaf462031702d64b486437f

SHA256
bada440c4bb65c19fa89440600211d516e6cd0c453025a36fd693616bb5abb95

SHA512
803dee08b3c0a04a498cdebe48a3b86dd57f9de2e2e10033c9a8073b1d4c36cfa478717c1268647fc3bdc747b630c246a04bccc32d9650a37101675130f90458

Download Submit
C:\Users\Admin\AppData\Roaming\{A2960505-E42D-C35E-0E5A-BF98F493D4A2}\gpresult.exe
Filesize
382KB

MD5
432ad4941c057927786e3b6646ecf2f3

SHA1
45babe449954544219054e327523de5812597eaa

SHA256
5607414907c0494f734000ba029c6b74a0eafdf2bfbecc24d410855108635100

SHA512
8b8fa755cf8a18fe7a822edcb977e8d8ee7615ccc56f5eac5c4eb7113f1faa8c983a9da18a08923c7e14d1bc86f2cae7d0a98322e8fcb8fb180733c0e9b04ab3

Download Submit
C:\Users\Admin\AppData\Roaming\{A2960505-E42D-C35E-0E5A-BF98F493D4A2}\gpresult.exe
Filesize
382KB

MD5
432ad4941c057927786e3b6646ecf2f3

SHA1
45babe449954544219054e327523de5812597eaa

SHA256
5607414907c0494f734000ba029c6b74a0eafdf2bfbecc24d410855108635100

SHA512
8b8fa755cf8a18fe7a822edcb977e8d8ee7615ccc56f5eac5c4eb7113f1faa8c983a9da18a08923c7e14d1bc86f2cae7d0a98322e8fcb8fb180733c0e9b04ab3

Download Submit
memory/604-144-0x0000000000000000-mapping.dmp

Download
memory/624-136-0x0000000000000000-mapping.dmp

Download
memory/1380-143-0x0000000000000000-mapping.dmp

Download
memory/1772-131-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1772-137-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1772-132-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1772-130-0x00000000021B0000-0x00000000021E5000-memory.dmp

Filesize
212KB

Download
memory/2380-145-0x0000000000000000-mapping.dmp

Download
memory/3096-142-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/3096-133-0x0000000000000000-mapping.dmp

Download
memory/3096-141-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/3532-146-0x0000000000000000-mapping.dmp

Download
memory/3800-139-0x0000000000000000-mapping.dmp

Download
memory/4060-140-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads