cerber | 593a5b367baa6b9f70709df1a01b361a88e99da7ce89fa55ad3dacec4cc8acea | Triage

Submit
Reports

Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

Static

static

7

Batcc_permm.exe

windows10-2004-x64

Sharing

General

Target

Batcc_permm.exe
Size

3.9MB
Sample

231126-xq39mabf2w
MD5

316066f39ae143d8223277aa14a44f2e
SHA1

f31c203bd986252ae939af3905643046b13ffbd8
SHA256

593a5b367baa6b9f70709df1a01b361a88e99da7ce89fa55ad3dacec4cc8acea
SHA512

f34f6addaeb0a2bcabc7c6c65b3252ecde63556c66fc46287a900b70e2b84d277f246a96a9ffe7d2b542c92d154da1372ec526c8980e0d24213c9ebf86eb2fee
SSDEEP

98304:kHalpo3dMT2/pCPua5bxt9TeJ/QJNBSUbhFS6kTUytwP5hW:EdMT2/pYui9jBJraUbC

Score

10^/10

cerber evasion ransomware themida trojan

Static task

static1

2 signatures

Behavioral task

behavioral1

Sample

Batcc_permm.exe

Resource

win10v2004-20231020-en

cerber evasion ransomware themida trojan

windows10-2004-x64

25 signatures

150 seconds

Malware Config

Targets

- Target
  
  Batcc_permm.exe
- Size
  
  3.9MB
- MD5
  
  316066f39ae143d8223277aa14a44f2e
- SHA1
  
  f31c203bd986252ae939af3905643046b13ffbd8
- SHA256
  
  593a5b367baa6b9f70709df1a01b361a88e99da7ce89fa55ad3dacec4cc8acea
- SHA512
  
  f34f6addaeb0a2bcabc7c6c65b3252ecde63556c66fc46287a900b70e2b84d277f246a96a9ffe7d2b542c92d154da1372ec526c8980e0d24213c9ebf86eb2fee
- SSDEEP
  
  98304:kHalpo3dMT2/pCPua5bxt9TeJ/QJNBSUbhFS6kTUytwP5hW:EdMT2/pYui9jBJraUbC
Score

10^/10

cerber evasion ransomware themida trojan
- Cerber
  Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
  ransomware cerber
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Stops running service(s)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Executes dropped EXE
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Checks whether UAC is enabled
  evasion trojan
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

Windows Service

Privilege Escalation

Create or Modify System Process

Windows Service

Defense Evasion

Impair Defenses

Modify Registry

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

Tasks

static1

behavioral1

cerberevasionransomwarethemidatrojan

© 2018-2025

Terms | Privacy