Analysis
-
max time kernel
168s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20240221-en -
resource tags
-
submitted
21-02-2024 15:16
General
-
Target
https://github.com/kh4sh3i/Ransomware-Samples
Score
10/10
Malware Config
Extracted
Path
C:\Users\Admin\AppData\Roaming\Microsoft\OneNote\16.0\_R_E_A_D___T_H_I_S___YJWW3_.txt
Family
cerber
Ransom Note
CERBER RANSOMWARE
-----
YOUR DOCUMENTS, PH0TOS, DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED!
-----
The only way to decrypt y0ur files is to receive the private key and decryption program.
To receive the private key and decryption program go to any decrypted folder,
inside there is the special file (*_READ_THIS_FILE_*) with complete instructions
how to decrypt your files.
If you cannot find any (*_READ_THIS_FILE_*) file at your PC, follow the instructions below:
-----
1. Download "Tor Browser" from https://www.torproject.org/ and install it.
2. In the "Tor Browser" open your personal page here:
http://p27dokhpz2n7nvgr.onion/217B-B506-FCEF-0446-95E3
Note! This page is available via "Tor Browser" only.
-----
Also you can use temporary addresses on your personal page without using "Tor Browser".
-----
1. http://p27dokhpz2n7nvgr.12hygy.top/217B-B506-FCEF-0446-95E3
2. http://p27dokhpz2n7nvgr.14ewqv.top/217B-B506-FCEF-0446-95E3
3. http://p27dokhpz2n7nvgr.14vvrc.top/217B-B506-FCEF-0446-95E3
4. http://p27dokhpz2n7nvgr.129p1t.top/217B-B506-FCEF-0446-95E3
5. http://p27dokhpz2n7nvgr.1apgrn.top/217B-B506-FCEF-0446-95E3
-----
Note! These are temporary addresses! They will be available for a limited amount of time!
-----
URLs
http://p27dokhpz2n7nvgr.onion/217B-B506-FCEF-0446-95E3
http://p27dokhpz2n7nvgr.12hygy.top/217B-B506-FCEF-0446-95E3
http://p27dokhpz2n7nvgr.14ewqv.top/217B-B506-FCEF-0446-95E3
http://p27dokhpz2n7nvgr.14vvrc.top/217B-B506-FCEF-0446-95E3
http://p27dokhpz2n7nvgr.129p1t.top/217B-B506-FCEF-0446-95E3
http://p27dokhpz2n7nvgr.1apgrn.top/217B-B506-FCEF-0446-95E3
Extracted
Path
C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\_R_E_A_D___T_H_I_S___OHZ565BC_.hta
Family
cerber
Ransom Note
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>CERBER RANSOMWARE: Instructions</title>
<HTA:APPLICATION APPLICATIONNAME="fPmWC3F" SCROLL="yes" SINGLEINSTANCE="yes" WINDOWSTATE="maximize">
<style type="text/css">
a {
color: #04a;
text-decoration: none;
}
a:hover {
text-decoration: underline;
}
body {
background-color: #e7e7e7;
color: #222;
font-family: "Lucida Sans Unicode", "Lucida Grande", sans-serif;
font-size: 13pt;
line-height: 19pt;
}
body, h1 {
margin: 0;
padding: 0;
}
hr {
color: #bda;
height: 2pt;
margin: 1.5%;
}
h1 {
color: #555;
font-size: 14pt;
}
ol {
padding-left: 2.5%;
}
ol li {
padding-bottom: 13pt;
}
small {
color: #555;
font-size: 11pt;
}
ul {
list-style-type: none;
margin: 0;
padding: 0;
}
.button {
color: #04a;
cursor: pointer;
}
.button:hover {
text-decoration: underline;
}
.container {
background-color: #fff;
border: 2pt solid #c7c7c7;
margin: 5%;
min-width: 850px;
padding: 2.5%;
}
.header {
border-bottom: 2pt solid #c7c7c7;
margin-bottom: 2.5%;
padding-bottom: 2.5%;
}
.h {
display: none;
}
.hr {
background: #bda;
display: block;
height: 2pt;
margin-top: 1.5%;
margin-bottom: 1.5%;
overflow: hidden;
width: 100%;
}
.info {
background-color: #efe;
border: 2pt solid #bda;
display: inline-block;
padding: 1.5%;
text-align: center;
}
.updating {
color: red;
display: none;
padding-left: 35px;
background: url("data:image/gif;base64,R0lGODlhGQAZAKIEAMzMzJmZmTMzM2ZmZgAAAAAAAAAAAAAAACH/C05FVFNDQVBFMi4wAwEAAAAh+QQFAAAEACwAAAAAGQAZAAADVki63P4wSEiZvLXemRf4yhYoQ0l9aMiVLISCDms+L/DIwwnfc+c3qZ9g6Hn5hkhF7YgUKI2dpvNpExJ/WKquSoMCvd9geDeuBpcuGFrcQWep5Df7jU0AACH5BAUAAAQALAoAAQAOABQAAAMwSLDU/iu+Gdl0FbTAqeXg5YCdSJCBuZVqKw5wC8/qHJv2IN+uKvytn9AnFBCHx0cCACH5BAUAAAQALAoABAAOABQAAAMzSLoEzrC5F9Wk9YK6Jv8gEYzgaH4myaVBqYbfIINyHdcDI+wKniu7YG+2CPI4RgFI+EkAACH5BAUAAAQALAQACgAUAA4AAAMzSLrcBNDJBeuUNd6WwXbWtwnkFZwMqUpnu6il06IKLChDrsxBGufAHW0C1IlwxeMieEkAACH5BAUAAAQALAEACgAUAA4AAAM0SLLU/lAtFquctk6aIe5gGA1kBpwPqVZn66hl1KINPDRB3sxAGufAHc0C1IkIxcARZ4QkAAAh+QQFAAAEACwBAAQADgAUAAADMUhK0vurSfiko8oKHC//yyCCYvmVI4cOZAq+UCCDcv3VM4cHCuDHOZ/wI/xxigDQMAEAIfkEBQAABAAsAQABAA4AFAAAAzNIuizOkLgZ13xraHVF1puEKWBYlUP1pWrLBLALz+0cq3Yg324PAUAXcNgaBlVGgPAISQAAIfkEBQAABAAsAQABABQADgAAAzRIujzOMBJHpaXPksAVHoogMlzpZWK6lF2UjgobSK9AtjSs7QTg8xCfELgQ/og9I1IxXCYAADs=") left no-repeat;
}
#change_language {
float: right;
}
#change_language, #texts div {
display: none;
}
</style>
</head>
<body>
<div class="container">
<div class="header">
<a id="change_language" href="#" onclick="return changeLanguage1();" title="English">☑ English</a>
<h1>CERBER RANSOMWARE</h1>
<small id="title">Instructions</small>
</div>
<div id="languages">
<p>☑ Select your language</p>
<ul>
<li><a href="#" title="English" onclick="return sh_bl('en');">English</a></li>
<li><a href="#" title="Arabic" onclick="return sh_bl('ar');">العربية</a></li>
<li><a href="#" title="Chinese" onclick="return sh_bl('zh');">中文</a></li>
<li><a href="#" title="Dutch" onclick="return sh_bl('nl');">Nederlands</a></li>
<li><a href="#" title="French" onclick="return sh_bl('fr');">Français</a></li>
<li><a href="#" title="German" onclick="return sh_bl('de');">Deutsch</a></li>
<li><a href="#" title="Italian" onclick="return sh_bl('it');">Italiano</a></li>
<li><a href="#" title="Japanese" onclick="return sh_bl('ja');">日本語</a></li>
<li><a href="#" title="Korean" onclick="return sh_bl('ko');">한국어</a></li>
<li><a href="#" title="Polish" onclick="return sh_bl('pl');">Polski</a></li>
<li><a href="#" title="Portuguese" onclick="return sh_bl('pt');">Português</a></li>
<li><a href="#" title="Spanish" onclick="return sh_bl('es');">Español</a></li>
<li><a href="#" title="Turkish" onclick="return sh_bl('tr');">Türkçe</a></li>
</ul>
</div>
<div id="texts">
<div id="en">
<p>Can't yo<span class="h">s5R7wYfr</span>u find the necessary files?<br>Is the c<span class="h">YYEf3vT</span>ontent of your files not readable?</p>
<p>It is normal be<span class="h">MCkfAyeDOJ</span>cause the files' names and the data in your files have been encryp<span class="h">l</span>ted by "Ce<span class="h">2kn</span>rber Ransomware".</p>
<p>It me<span class="h">s1FO3rLYm</span>ans your files are NOT damage<span class="h">9nwew4r</span>d! Your files are modified only. This modification is reversible.<br>F<span class="h">OpspY</span>rom now it is not poss<span class="h">Z</span>ible to use your files until they will be decrypted.</p>
<p>The only way to dec<span class="h">NQFi8</span>rypt your files safely is to buy the special decryption software "C<span class="h">jpYxqGNb</span>erber Decryptor".</p>
<p>Any attempts to rest<span class="h">927NM0xGHj</span>ore your files with the thir<span class="h">1CqR</span>d-party software will be fatal for your files!</p>
<hr>
<p class="w331208">You can proc<span class="h">IF1QbGIyyR</span>eed with purchasing of the decryption softw<span class="h">F</span>are at your personal page:</p>
<p><span class="info"><span class="updating">Ple<span class="h">1jm</span>ase wait...</span><a class="url" href="http://p27dokhpz2n7nvgr.12hygy.top/217B-B506-FCEF-0446-95E3" target="_blank">http://p27dokhpz2n7nvgr.12hygy.top/217B-B506-FCEF-0446-95E3</a><hr><a href="http://p27dokhpz2n7nvgr.14ewqv.top/217B-B506-FCEF-0446-95E3" target="_blank">http://p27dokhpz2n7nvgr.14ewqv.top/217B-B506-FCEF-0446-95E3</a><hr><a href="http://p27dokhpz2n7nvgr.14vvrc.top/217B-B506-FCEF-0446-95E3" target="_blank">http://p27dokhpz2n7nvgr.14vvrc.top/217B-B506-FCEF-0446-95E3</a><hr><a href="http://p27dokhpz2n7nvgr.129p1t.top/217B-B506-FCEF-0446-95E3" target="_blank">http://p27dokhpz2n7nvgr.129p1t.top/217B-B506-FCEF-0446-95E3</a><hr><a href="http://p27dokhpz2n7nvgr.1apgrn.top/217B-B506-FCEF-0446-95E3" target="_blank">http://p27dokhpz2n7nvgr.1apgrn.top/217B-B506-FCEF-0446-95E3</a></span></p>
<p>If t<span class="h">iLWMLS8u</span>his page cannot be opened <span class="button" onclick="return _url_upd_('en');">cli<span class="h">WWlD19U</span>ck here</span> to get a new addr<span class="h">nZy</span>ess of your personal page.<br><br>If the addre<span class="h">HeH7</span>ss of your personal page is the same as befo<span class="h">POKFO3O</span>re after you tried to get a new one,<br>you c<span class="h">vQmOu</span>an try to get a new address in one hour.</p>
<p>At th<span class="h">eZzWqI92kN</span>is page you will receive the complete instr<span class="h">VJT7ij</span>uctions how to buy the decrypti<span class="h">bT</span>on software for restoring all your files.</p>
<p>Also at this page you will be able to res<span class="h">fU</span>tore any one file for free to be sure "Cerbe<span class="h">DME</span>r Decryptor" will help you.</p>
<hr>
<p>If your per<span class="h">B0FtLiDZ1</span>sonal page is not availa<span class="h">4O</span>ble for a long period there is another way to open your personal page - insta<span class="h">6vQoHmvLmJ</span>llation and use of Tor Browser:</p>
<ol>
<li>run your Inte<span class="h">K</span>rnet browser (if you do not know what it is run the Internet Explorer);</li>
<li>ent<span class="h">4MYGn96</span>er or copy the address <a href="https://www.torproject.org/download/download-easy.html.en" target="_blank">https://www.torproject.org/download/download-easy.html.en</a> into the address bar of your browser and press ENTER;</li>
<li>wait for the site load<span class="h">zgu7brS</span>ing;</li>
<li>on the site you will be offered to do<span class="h">IFwSnK</span>wnload Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed;</li>
<li>ru<span class="h">jIx6Rl9eb9</span>n Tor Browser;</li>
<li>connect with the butt<span class="h">YF8oBn</span>on "Connect" (if you use the English version);</li>
<li>a normal Internet bro<span class="h">LX</span>wser window will be opened after the initialization;</li>
<li>type or copy the add<span class="h">JcA72</span>ress <br><span class="info">http://p27dokhpz2n7nvgr.onion/217B-B506-FCEF-0446-95E3</span><br> in this browser address bar;</li>
<li>pre<span class="h">k3oAczFcd</span>ss ENTER;</li>
<li>the site sho<span class="h">NJLrMl4Go</span>uld be loaded; if for some reason the site is not lo<span class="h">iB4</span>ading wait for a moment and try again.</li>
</ol>
<p>If you have any pr<span class="h">PBhKd70G</span>oblems during installation or use of Tor Browser, please, visit <a href="https://www.youtube.com/results?search_query=Install+Tor+Browser+Windows" target="_blank">https://www.youtube.com</a> and type request in the searc<span class="h">ZE9d</span>h bar "Install Tor Browser Windows" and you will find a lot of training videos about Tor Browser installation and use.</p>
<hr>
<p><strong>Addit<span class="h">daqt9b</span>ional information:</strong></p>
<p>You will fi<span class="h">gQlh3A2ui</span>nd the instru<span class="h">UkKFOWN5</span>ctions ("*_READ_THIS_FILE_*.hta") for re<span class="h">dJOwBr</span>storing your files in any f<span class="h">KsRBbl</span>older with your enc<span class="h">7AfF</span>rypted files.</p>
<p>The instr<span class="h">5Xae</span>uctions "*_READ_THIS_FILE_*.hta" in the f<span class="h">yyRSxYWjSU</span>older<span class="h">o7qPx</span>s with your encry<span class="h">tw</span>pted files are not vir<span class="h">V</span>uses! The instruc<span class="h">W0</span>tions "*_READ_THIS_FILE_*.hta" will he<span class="h">U3l5NRM</span>lp you to dec<span class="h">whYEnb</span>rypt your files.</p>
<p>Remembe<span class="h">9VjGZjnusX</span>r! The worst si<span class="h">Ft9CRru</span>tuation already happ<span class="h">hiIyoFt</span>ened and now the future of your files de<span class="h">TalNt5d</span>pends on your determ<span class="h">EgsSCng0Tz</span>ination and speed of your actions.</p>
</div>
<div id="ar" style="direction: rtl;">
<p>لا يمكنك العثور على الملفات الضرورية؟<br>هل محتوى الملفات غير قابل للقراءة؟</p>
<p>هذا أمر طبيعي لأن أسماء الملفات والبيانات في الملفات قد تم تشفيرها بواسطة "Cerber Ransomware".</p>
<p>وهذا يعني أن الملفات الخاصة بك ليست تالفة! فقد تم تعديل ملفاتك فقط. ويمكن التراجع عن هذا.<br>ومن الآن فإنه لا يكن استخدام الملفات الخاصة بك حتى يتم فك تشفيرها.</p>
<p>الطريقة الوحيدة لفك تشفير ملفاتك بأمان هو أن تشتري برنامج فك التشفير المتخصص "Cerber Decryptor".</p>
<p>إن أية محاولات لاستعادة الملفات الخاصة بك بواسطة برامج من طرف ثالث سوف تكون مدمرة لملفاتك!</p>
<hr>
<p>يمكنك الشروع في شراء برنامج فك التشفير من صفحتك الشخصية:</p>
<p><span class="info"><span class="updating">أرجو الإنتظار...</span><a class="url" href="http://p27dokhpz2n7nvgr.12hygy.top/217B-B506-FCEF-0446-95E3" target="_blank">http://p27dokhpz2n7nvgr.12hygy.top/217B-B506-FCEF-0446-95E3</a><hr><a href="http://p27dokhpz2n7nvgr.14ewqv.top/217B-B506-FCEF-0446-95E3" target="_blank">http://p27dokhpz2n7nvgr.14ewqv.top/217B-B506-FCEF-0446-95E3</a><hr><a href="http://p27dokhpz2n7nvgr.14vvrc.top/217B-B506-FCEF-0446-95E3" target="_blank">http://p27dokhpz2n7nvgr.14vvrc.top/217B-B506-FCEF-0446-95E3</a><hr><a href="http://p27dokhpz2n7nvgr.129p1t.top/217B-B506-FCEF-0446-95E3" target="_blank">http://p27dokhpz2n7nvgr.129p1t.top/217B-B506-FCEF-0446-95E3</a><hr><a href="http://p27dokhpz2n7nvgr.1apgrn.top/217B-B506-FCEF-0446-95E3" target="_blank">http://p27dokhpz2n7nvgr.1apgrn.top/217B-B506-FCEF-0446-95E3</a></span></p>
<p>في حالة تعذر فتح هذه الصفحة <span class="button" onclick="return _url_upd_('ar');">انقر هنا</span> لإنشاء عنوان جديد لصفحتك الشخصية.</p>
<p>في هذه الصفحة سوف تتلقى تعليمات كاملة حول كيفية شراء برنامج فك التشفير لاستعادة جميع الملفات الخاصة بك.</p>
<p>في هذه الصفحة أيضًا سوف تتمكن من استعادة ملف واحد بشكل مجاني للتأكد من أن "Cerber Decryptor" سوف يساعدك.</p>
<hr>
<p>إذا كانت صفحتك الشخصية غير متاحة لفترة طويلة فإن ثمّة طريقة أخرى لفتح صفحتك الشخصية - تحميل واستخدام متصفح Tor:</p>
<ol>
<li>قم بتشغيل متصفح الإنترنت الخاص بك (إذا كنت لا تعرف ما هو قم بتشغيل إنترنت إكسبلورر);</li>
<li>قم بكتابة أو نسخ العنوان <a href="https://www.torproject.org/download/download-easy.html.en" target="_blank">https://www.torproject.org/download/download-easy.html.en</a> إلى شريط العنوان في المستعرض الخاص بك ثم اضغط ENTER;</li>
<li>انتظر لتحميل الموقع;</li>
<li>سوف يعرض عليك الموقع تحميل متصفح Tor. قم بتحميله وتشغيله، واتبع تعليمات التثبيت، وانتظر حتى اكتمال التثبيت;</li>
<li>قم بتشغيل متصفح Tor;</li>
<li>اضغط على الزر "Connect" (إذا كنت تستخدم النسخة الإنجليزية);</li>
<li>سوف تُفتح نافذة متصفح الإنترنت العادي بعد البدء;</li>
<li>قم بكتابة أو نسخ العنوان <br><span class="info">http://p27dokhpz2n7nvgr.onion/217B-B506-FCEF-0446-95E3</span><br> في شريط العنوان في المتصفح;</li>
<li>اضغط ENTER;</li>
<li>يجب أن يتم تحميل الموقع؛ إذا لم يتم تحميل الموقع لأي سبب، انتظر للحظة وحاول مرة أخرى.</li>
</ol>
<p>إذا كان لديك أية مشكلات أثناء عملية التثبيت أو استخدام متصفح Tor، يُرجى زيارة <a href="https://www.youtube.com/results?search_query=Install+Tor+Browser+Windows" target="_blank">https://www.youtube.com</a> واكتب الطلب "install tor browser windows" أو "تثبيت نوافذ متصفح Tor" في شريط البحث، وسوف تجد الكثير من أشرطة الفيديو للتدريب حول تثبيت متصفح Tor واستخدامه.</p>
<hr>
<p><strong>معلومات إض<span class="h">t</span>افية:</strong></p>
<p>س<span class="h">D93c9GC7</span>وف تجد إرشادات استعادة الملفات الخاصة بك ("*_READ_THIS_FILE_*") في أي مجلد مع ملفاتك المشفرة.</p>
<p>الإرش<span class="h">V</span>ادات ("*_READ_THIS_FILE_*") الموجودة في المجلدات مع ملفاتك المشفرة ليست فيروسات والإرشادات ("*_READ_THIS_FILE_*") سوف تساعدك على فك تشفير الملفات الخاصة بك.</p>
<p>تذكر أن أسوأ مو<span class="h">cjuOaIPL</span>قف قد حدث بالفعل، والآن مستقبل ملفاتك يعتمد على عزيمتك وسرعة الإجراءات الخاصة بك.</p>
</div>
<div id="zh">
<p>您找不到所需的文件?<br>您文件的内容无法阅读?</p>
<p>这是正常的,因为您文件的文件名和数据已经被“Cerber Ransomware”加密了。</p>
<p>这意味着您的文件并没有损坏!您的文件�
Signatures
-
Cerber
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
-
Contacts a large (1103) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Modifies Windows Firewall 2 TTPs 2 IoCs
-
Drops startup file 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
-
Drops file in System32 directory 38 IoCs
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
-
Drops file in Program Files directory 20 IoCs
-
Drops file in Windows directory 64 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Kills process with taskkill 1 IoCs
-
Modifies data under HKEY_USERS 1 IoCs
-
Modifies registry class 2 IoCs
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 54 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/kh4sh3i/Ransomware-Samples1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff99bec9758,0x7ff99bec9768,0x7ff99bec97782⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1796 --field-trial-handle=1908,i,17259279125196759144,2766401039624918840,131072 /prefetch:22⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 --field-trial-handle=1908,i,17259279125196759144,2766401039624918840,131072 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2228 --field-trial-handle=1908,i,17259279125196759144,2766401039624918840,131072 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2936 --field-trial-handle=1908,i,17259279125196759144,2766401039624918840,131072 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2928 --field-trial-handle=1908,i,17259279125196759144,2766401039624918840,131072 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4848 --field-trial-handle=1908,i,17259279125196759144,2766401039624918840,131072 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5224 --field-trial-handle=1908,i,17259279125196759144,2766401039624918840,131072 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4928 --field-trial-handle=1908,i,17259279125196759144,2766401039624918840,131072 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5348 --field-trial-handle=1908,i,17259279125196759144,2766401039624918840,131072 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\Downloads\Ransomware.Cerber\cerber.exe"C:\Users\Admin\Downloads\Ransomware.Cerber\cerber.exe"1⤵
- Drops startup file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
-
C:\Windows\SysWOW64\netsh.exeC:\Windows\system32\netsh.exe advfirewall set allprofiles state on2⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\netsh.exeC:\Windows\system32\netsh.exe advfirewall reset2⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___BK0TL2T_.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}2⤵
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___NJHO9ES_.txt2⤵
- Opens file in notepad (likely ransom note)
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe"2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im "cerber.exe"3⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\PING.EXEping -n 1 127.0.0.13⤵
- Runs ping.exe
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
2KB
MD5d60071551ab035d43f85eba9ef6d1abe
SHA147104a74c5c8f2f6f233940b016e677297d0f407
SHA25656b0a4933ba2126314b16ed800206a1b84aa24a6634b08a0009ddc1825924e30
SHA5120c34999400b7cd0f3586ecece530e5f1f016ef5d87bc8f7f163ce40ffc9623e75b2d3e1036490b08f69bbf206d7577807ba7ef326a637863abff8b9a13b1da88
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1Filesize
264KB
MD571bd5c976e02c6c877a0c7539e474678
SHA1424fcd795d90e9ac7124f3291c4f0236b7e8b586
SHA2560242d8639ddcbd348973339dbc225dd044c02be3c4061c9939d1c2b581b82133
SHA512f6791035af564ca2917f21db9a7d4956c6eab4e5b00f430919a5046127f0640f532a6215130ac8effd67c12ddc048a21b4506606f34dbdd65bc3e6be1d631d80
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent StateFilesize
1KB
MD5be0c8fee4b5a8f100dd0382eed7118f2
SHA1876b4d98a4534a20a9eca694f55f69bddc9f7328
SHA2568baa35fcc68d5acf5121f293de94ce602fb698905b21403f2826b58a2f2ea944
SHA5125fd5fc6a82f1bdfc59d762cf1a81f2f1fba15329a48a5b275f485b014577988c9a9ddc1c0917868beca96114d51bbe9d3b1ed8f84ceb7bb0945a736db1fca072
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurityFilesize
1KB
MD5d17c1a5948c4877c3ec19a205c32f2c4
SHA1df8cbfae708fafdcbf051a4ea203598b06d9179f
SHA256fa941ae4dd07fe52b3c4f2b8554aca675fa6b1ba83fe9efd3fff61d04a1a7238
SHA512e8cdc82f6af577ea43aded555e393eee22fe7d6d32a1981f1d05033fe7738c6bcd70778dd7e2bf73f589fd45780442f26b699e207bfe854b74a93cbb2d580c94
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurityFilesize
1KB
MD5ae5b417326bdf0366fdb75246a4a286a
SHA1a5616051cdb4fe03635aca8c968ab9c9de83dd06
SHA256430d296696690f0aed1c4befa5d9f78a2e5c1133498424f9253a1f17b8b54b64
SHA51280115a6ea53b187b85fcde2cff2755e249d5d1a0ada7b9c6e844fbccc97a0b5dfa1aa6b6c467499d559ac082fafbd57996db21b9bc12402ccd814fb2a2606319
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\PreferencesFilesize
6KB
MD5259846feeff7f3a8e81ccd12ae2952f7
SHA1bd746e2c15c10d22001e84b1dc3900fe1f2a4711
SHA25669ac9eed1e38f0af729dd1d40c999d167957176329be7fba8d5b0e74e26dc8dc
SHA5121fcb28200d9aa06fdc114eee558a7c478a39010edf393388b303d12fa80a1cda97ef6ca3035f9af493462c8364a132f1e67e026e53310a36a563cd170a4bd648
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\PreferencesFilesize
6KB
MD5e4f36948023777592e89fdb45d1f9c55
SHA141c9f3d0fd1a2a88954900a6d9130506d5d178f1
SHA256b1f6933d14bd96a6a71f2db1fbc9bac37c62c300475b2b63383c90104e946514
SHA5122e2a560949f67c80cb0f5ede71377943e05e2939fa18ba6dab8e0bd52bebdd688467f079f6ecebee30daf3418bcca4dacfaf18c37ba5d9215da4d5e4e9a4fdd7
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\PreferencesFilesize
6KB
MD50dd4203e31a11374289352e2c3d0ed79
SHA1b92a96130a2063e749add3f8e1b49802be4436b9
SHA256dc0a54bc37fe894b02c0df9ef41cf52b10de7c920ee5b7670d6d61329761f942
SHA5127ef66ea9e493826e987f7145c7e75ec35bc29142780c20e1556dbb144d085d34d8772be733619321e51a7083a4a123033c9ed3ea3ab93f9183233682fba8390a
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local StateFilesize
130KB
MD5e199b58d865d292652bcf8e42985b81a
SHA1807beb6b68ca949309d79b94180642e39ab77a6f
SHA256c77028d93499668e917f7c8b14a4746dc2c91da2535b6ae55c41f9669505207e
SHA51278d42422d5246c16d21a1193c8396c4e3c9b7517808f18f20f071c17af43b50071650b2250c6ba5fc87daa8c71857345298a6d716c93a38fbc4655ad37422ab0
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local StateFilesize
130KB
MD51946aa04046bf8bed9dbbdaf7abdad88
SHA1469b7c1803f0b68523d2eac649a0e7d32a43565c
SHA256de2b4f37317a7c928058dff1124db253835dba9b6e012a796ef0777278c599ac
SHA512db2b078b2d91ffeda509b5e95357cbdcf1fd8038d0e4ab8198cceeaaf3396fc3ed87af6e84573bae3b73c15b1b7aa56cb340a4d5b2802da853411da52e397464
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info CacheFilesize
107KB
MD5e946ed5adfe24a3bc40d5a6f5af0692d
SHA1a70b2da88dfb225cc320485f9d963a6de61f6922
SHA25666d826a4ab09f73292b1614c8f1c781237fa78fc8efb9a73fb4e9b2806e3c990
SHA512ada3a341013d162712319a5d72e660b239904ddc1a69e6b972abb000474a79652a02d8f2e5159d4152d04e5ae985813e65c767d4c7aa30002c81c8bc9887c11a
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe57c1c9.TMPFilesize
97KB
MD5a46f523d126d540097e689dd868c47b4
SHA1bfb5b2b898a5e1eb1f1a882fd8ccd840081034aa
SHA25649b76e4ec06416fa09f3082dfe4ca17d55bdf6973abfbc62d8c92645cf2501b1
SHA512bb30625d5a2e8983f179a3309c056d65439d17a892baee905f77bcd367c39c8a3a4888b5dbe8c64f748112c63341c1fba33816f7da17781bd9f51030673679e2
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.jsonFilesize
2B
MD599914b932bd37a50b983c5e7c90ae93b
SHA1bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA25644136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA51227c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd
-
C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\_R_E_A_D___T_H_I_S___OHZ565BC_.htaFilesize
75KB
MD52ab888fa20b55f5b062e88220a347b3e
SHA189b4af56fc82f5b2bf39042948627b24d7b4045a
SHA256519a4e47cfb5889aa3353cb248fbb9eb70286921f2b510804e9ad75dfe37bbf4
SHA51273cb36698dddeb5a00d01c8354b0ea6410107bd0ce8298888a84c9ec469f51cf9028b3df71c729d483f8cfda2b425b848ee027ca1409f40c2b7ed5e373d90c07
-
C:\Users\Admin\AppData\Roaming\Microsoft\OneNote\16.0\_R_E_A_D___T_H_I_S___YJWW3_.txtFilesize
1KB
MD5c31ab273cdfaa94580730bdfbc9953be
SHA1d4a27db8c0bccadc40083e80fbc31e70f84e449d
SHA25674995ad635b0be44c98386570b101252f51cd33c4a8e5c73e168bbfe311e4430
SHA5129e80f3328ce215689d1a8973a001ef63c6df061843d2b5f0d35a7188b8a0aee596f471cd2cf85df79fa8ac5707b5b8c7e350739cc1617e55a51b739a89e9dcd3
-
C:\Users\Admin\Downloads\Ransomware.Cerber.zipFilesize
215KB
MD55c571c69dd75c30f95fe280ca6c624e9
SHA1b0610fc5d35478c4b95c450b66d2305155776b56
SHA256416774bf62d9612d11d561d7e13203a3cbc352382a8e382ade3332e3077e096c
SHA5128e7b9a4a514506d9b8e0f50cc521f82b5816d4d9c27da65e4245e925ec74ac8f93f8fe006acbab5fcfd4970573b11d7ea049cc79fb14ad12a3ab6383a1c200b2
-
\??\pipe\crashpad_1784_WLTQHPOJLIWDAUWAMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/1412-328-0x000001D5AADF0000-0x000001D5AADF1000-memory.dmpFilesize
4KB
-
memory/1412-340-0x000001D5AADF0000-0x000001D5AADF1000-memory.dmpFilesize
4KB
-
memory/1412-329-0x000001D5AADF0000-0x000001D5AADF1000-memory.dmpFilesize
4KB
-
memory/1412-330-0x000001D5AADF0000-0x000001D5AADF1000-memory.dmpFilesize
4KB
-
memory/1412-336-0x000001D5AADF0000-0x000001D5AADF1000-memory.dmpFilesize
4KB
-
memory/1412-335-0x000001D5AADF0000-0x000001D5AADF1000-memory.dmpFilesize
4KB
-
memory/1412-334-0x000001D5AADF0000-0x000001D5AADF1000-memory.dmpFilesize
4KB
-
memory/1412-338-0x000001D5AADF0000-0x000001D5AADF1000-memory.dmpFilesize
4KB
-
memory/1412-337-0x000001D5AADF0000-0x000001D5AADF1000-memory.dmpFilesize
4KB
-
memory/1412-339-0x000001D5AADF0000-0x000001D5AADF1000-memory.dmpFilesize
4KB
-
memory/5060-344-0x0000000000400000-0x0000000000435000-memory.dmpFilesize
212KB
-
memory/5060-327-0x0000000000400000-0x0000000000435000-memory.dmpFilesize
212KB
-
memory/5060-348-0x0000000000400000-0x0000000000435000-memory.dmpFilesize
212KB
-
memory/5060-351-0x0000000000400000-0x0000000000435000-memory.dmpFilesize
212KB
-
memory/5060-359-0x0000000000400000-0x0000000000435000-memory.dmpFilesize
212KB
-
memory/5060-363-0x0000000000400000-0x0000000000435000-memory.dmpFilesize
212KB
-
memory/5060-326-0x0000000000400000-0x0000000000435000-memory.dmpFilesize
212KB
-
memory/5060-325-0x00000000021F0000-0x0000000002221000-memory.dmpFilesize
196KB
-
memory/5060-690-0x0000000000400000-0x0000000000435000-memory.dmpFilesize
212KB
-
memory/5060-712-0x0000000000400000-0x0000000000435000-memory.dmpFilesize
212KB
-
memory/5060-715-0x0000000000440000-0x0000000000451000-memory.dmpFilesize
68KB