Analysis
-
max time kernel
114s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
-
submitted
02-10-2022 19:08
General
-
Target
Endermanch@Cerber5.exe
-
Size
313KB
-
MD5
fe1bc60a95b2c2d77cd5d232296a7fa4
-
SHA1
c07dfdea8da2da5bad036e7c2f5d37582e1cf684
-
SHA256
b3e1e9d97d74c416c2a30dd11858789af5554cf2de62f577c13944a19623777d
-
SHA512
266c541a421878e1e175db5d94185c991cec5825a4bc50178f57264f3556080e6fe984ed0380acf022ce659aa1ca46c9a5e97efc25ff46cbfd67b9385fd75f89
-
SSDEEP
6144:nl578cxdGY87FohbnmM2i8ito7wTmCbL94KCT3OAmK:nl59zH8MiM2z+NLQBN
Malware Config
Extracted
\??\c:\_R_E_A_D___T_H_I_S___YSPYQ_.txt
cerber
http://xpcx6erilkjced3j.onion/EAD5-77F2-AF90-0098-BE7F
http://xpcx6erilkjced3j.1n5mod.top/EAD5-77F2-AF90-0098-BE7F
http://xpcx6erilkjced3j.19kdeh.top/EAD5-77F2-AF90-0098-BE7F
http://xpcx6erilkjced3j.1mpsnr.top/EAD5-77F2-AF90-0098-BE7F
http://xpcx6erilkjced3j.18ey8e.top/EAD5-77F2-AF90-0098-BE7F
http://xpcx6erilkjced3j.17gcun.top/EAD5-77F2-AF90-0098-BE7F
Signatures
-
Cerber
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
-
Blocklisted process makes network request 6 IoCs
-
Contacts a large (1111) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Modifies Windows Firewall 1 TTPs 2 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 1 IoCs
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in System32 directory 38 IoCs
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
-
Drops file in Program Files directory 20 IoCs
-
Drops file in Windows directory 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Kills process with taskkill 1 IoCs
-
Modifies registry class 1 IoCs
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of WriteProcessMemory 21 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@Cerber5.exe"C:\Users\Admin\AppData\Local\Temp\Endermanch@Cerber5.exe"1⤵
- Checks computer location settings
- Drops startup file
- Enumerates connected drives
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exeC:\Windows\system32\netsh.exe advfirewall set allprofiles state on2⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\netsh.exeC:\Windows\system32\netsh.exe advfirewall reset2⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___NY09DIL9_.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}2⤵
- Blocklisted process makes network request
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___CJ6HBG_.txt2⤵
- Opens file in notepad (likely ransom note)
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /d /c taskkill /f /im "E" > NUL & ping -n 1 127.0.0.1 > NUL & del "C" > NUL && exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im "E"3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\PING.EXEping -n 1 127.0.0.13⤵
- Runs ping.exe
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k UnistackSvcGroup1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___CJ6HBG_.txtFilesize
1KB
MD5031db75012f0fbe6fc420f2da70c1ebc
SHA1afaf1538e92175eca2a34cb22ee31ac8205d4943
SHA2569675b3bed5bc3631795f5cc88f6d5e5d82e44a84463a36710dbffeb213296ee3
SHA512d9511114205cb6fb428a7c6623995d3b11ad0aed44c26451f68cb636c79fca2971ed9488246975a90be87ba7d930a6c3c5f0a011fa5d83fc4f866d3950de2000
-
C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___NY09DIL9_.htaFilesize
76KB
MD5fe732d84745aa02b2dc2dc44d0f507ad
SHA1980a5fad37cabdfad4f39e4565bd71d40fcc8309
SHA256a2d3fd4f08359b7019ac519a6c6741ff843d86dcff30725994f078ff2ba1806d
SHA512808798cd4c66d6d326a64d4255d661fb20f4798370a6728d06cb8a6ce025a434c98bd4e03c543bfdddf2242eea280153d7881122514b77370dc3520a498b0537
-
memory/480-135-0x0000000000000000-mapping.dmp
-
memory/1132-146-0x0000000008DB8000-0x0000000008DC0000-memory.dmpFilesize
32KB
-
memory/1132-137-0x0000000000000000-mapping.dmp
-
memory/1944-134-0x0000000000000000-mapping.dmp
-
memory/2232-138-0x0000000000000000-mapping.dmp
-
memory/3544-136-0x0000000000400000-0x0000000000450000-memory.dmpFilesize
320KB
-
memory/3544-132-0x0000000005D90000-0x0000000005DC1000-memory.dmpFilesize
196KB
-
memory/3544-143-0x0000000000400000-0x0000000000433000-memory.dmpFilesize
204KB
-
memory/3544-133-0x0000000000400000-0x0000000000450000-memory.dmpFilesize
320KB
-
memory/3968-144-0x0000000000000000-mapping.dmp
-
memory/4152-142-0x0000000000000000-mapping.dmp
-
memory/4696-145-0x0000000000000000-mapping.dmp
-
memory/4960-148-0x0000017DCC480000-0x0000017DCC490000-memory.dmpFilesize
64KB
-
memory/4960-149-0x0000017DCC580000-0x0000017DCC590000-memory.dmpFilesize
64KB