Overview

overview

10

Static

static

3

HEUR-Trojan.Win32.exe

windows7-x64

10

HEUR-Trojan.Win32.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    117s
  • max time network
    139s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    01-03-2024 08:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    HEUR-Trojan.Win32.exe

  • Size

    604KB

  • MD5

    8b6bc16fd137c09a08b02bbe1bb7d670

  • SHA1

    c69a0f6c6f809c01db92ca658fcf1b643391a2b7

  • SHA256

    e67834d1e8b38ec5864cfa101b140aeaba8f1900a6e269e6a94c90fcbfe56678

  • SHA512

    b53d2cc0fe5fa52262ace9f6e6ea3f5ce84935009822a3394bfe49c4d15dfeaa96bfe10ce77ffa93dbf81e5428122aa739a94bc709f203bc346597004fd75a24

  • SSDEEP

    6144:yYghlI5/u8f1mr+4RJ99MpDa52RX5wRDhOOU0qsR:yYKlYmDXEpDHRXP01

Score
10/10
cerberdiscoveryevasionransomware

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___WEUS_.txt

Family

cerber

Ransom Note
CERBER RANSOMWARE ----- YOUR DOCUMENTS, PH0TOS, DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED! ----- The only way to decrypt y0ur files is to receive the private key and decryption program. To receive the private key and decryption program go to any decrypted folder, inside there is the special file (*_READ_THIS_FILE_*) with complete instructions how to decrypt your files. If you cannot find any (*_READ_THIS_FILE_*) file at your PC, follow the instructions below: ----- 1. Download "Tor Browser" from https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your personal page here: http://p27dokhpz2n7nvgr.onion/6A05-7A53-96EF-0446-9275 Note! This page is available via "Tor Browser" only. ----- Also you can use temporary addresses on your personal page without using "Tor Browser". ----- 1. http://p27dokhpz2n7nvgr.12hygy.top/6A05-7A53-96EF-0446-9275 2. http://p27dokhpz2n7nvgr.14ewqv.top/6A05-7A53-96EF-0446-9275 3. http://p27dokhpz2n7nvgr.14vvrc.top/6A05-7A53-96EF-0446-9275 4. http://p27dokhpz2n7nvgr.129p1t.top/6A05-7A53-96EF-0446-9275 5. http://p27dokhpz2n7nvgr.1apgrn.top/6A05-7A53-96EF-0446-9275 ----- Note! These are temporary addresses! They will be available for a limited amount of time! -----
URLs

http://p27dokhpz2n7nvgr.onion/6A05-7A53-96EF-0446-9275

http://p27dokhpz2n7nvgr.12hygy.top/6A05-7A53-96EF-0446-9275

http://p27dokhpz2n7nvgr.14ewqv.top/6A05-7A53-96EF-0446-9275

http://p27dokhpz2n7nvgr.14vvrc.top/6A05-7A53-96EF-0446-9275

http://p27dokhpz2n7nvgr.129p1t.top/6A05-7A53-96EF-0446-9275

http://p27dokhpz2n7nvgr.1apgrn.top/6A05-7A53-96EF-0446-9275

Signatures

  • Cerber

    Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.

    ransomwarecerber
  • Blocklisted process makes network request 5 IoCs
  • Contacts a large (1094) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Modifies Windows Firewall 2 TTPs 2 IoCs
    evasion
  • Deletes itself 1 IoCs
  • Drops file in System32 directory 38 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Drops file in Program Files directory 20 IoCs
  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Kills process with taskkill 1 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Modifies system certificate store 2 TTPs 3 IoCs
    evasionspywaretrojan
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.Win32.exe
    "C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.Win32.exe"
    1⤵
    • Drops file in System32 directory
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:1736
    • C:\Windows\SysWOW64\netsh.exe
      C:\Windows\system32\netsh.exe advfirewall set allprofiles state on
      2⤵
      • Modifies Windows Firewall
      PID:2200
    • C:\Windows\SysWOW64\netsh.exe
      C:\Windows\system32\netsh.exe advfirewall reset
      2⤵
      • Modifies Windows Firewall
      PID:2388
    • C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___RIURT3MD_.hta"
      2⤵
      • Blocklisted process makes network request
      • Modifies Internet Explorer settings
      • Modifies system certificate store
      PID:696
    • C:\Windows\SysWOW64\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___WEUS_.txt
      2⤵
      • Opens file in notepad (likely ransom note)
      PID:564
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe"
      2⤵
      • Deletes itself
      • Suspicious use of WriteProcessMemory
      PID:2060
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im "HEUR-Trojan.Win32.exe"
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1956
      • C:\Windows\SysWOW64\PING.EXE
        ping -n 1 127.0.0.1
        3⤵
        • Runs ping.exe
        PID:1812

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Privilege Escalation

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Defense Evasion

Impair Defenses

1
T1562

Disable or Modify System Firewall

1
T1562.004

Modify Registry

3
T1112

Subvert Trust Controls

1
T1553

Install Root Certificate

1
T1553.004

Credential Access

Discovery

Network Service Discovery

1
T1046

System Information Discovery

1
T1082

Remote System Discovery

1
T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Defacement

1
T1491

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
    Filesize

    67KB

    MD5

    753df6889fd7410a2e9fe333da83a429

    SHA1

    3c425f16e8267186061dd48ac1c77c122962456e

    SHA256

    b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

    SHA512

    9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\Tar85E9.tmp
    Filesize

    175KB

    MD5

    dd73cead4b93366cf3465c8cd32e2796

    SHA1

    74546226dfe9ceb8184651e920d1dbfb432b314e

    SHA256

    a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22

    SHA512

    ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

    Download Submit
  • C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___RIURT3MD_.hta
    Filesize

    75KB

    MD5

    19afd37622f2c51659eeb776f2b88bab

    SHA1

    1d0baa71035b62528266837e9899039e9cbb15f5

    SHA256

    d0e33af354d11b28ec404ed9d954b4da5d089493beb3b84766a4e4776a8b5c5c

    SHA512

    d4fdeba792e8c04811f59eb916811196b19c0e1b93fa426d547846c16cb9553505246b5564b38eb4a0ac9b922491658c3815e6b06bc236579bf0287b85010a6b

    Download Submit
  • C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___WEUS_.txt
    Filesize

    1KB

    MD5

    bc00545ae4c3cb2518f989d55c463ec3

    SHA1

    c5ee5c8d69a6637251dab5a313293cfc926f5c36

    SHA256

    56c31d54805512df75bbd2ea20a98185d2aac515d5e6254b43342525d02b063f

    SHA512

    9ac4d2d7c0d006e9ef8094d1afd004f913b5c029ef0a1a9c630c5d013b1630cd2e30148ec8ac691b6144c2c74e769a8a513d926019d17ffbc0bc7e7ffe562d08

    Download Submit
  • memory/1736-5-0x0000000000400000-0x0000000000435000-memory.dmp
    Filesize

    212KB

    Download
  • memory/1736-30-0x0000000000400000-0x0000000000435000-memory.dmp
    Filesize

    212KB

    Download
  • memory/1736-25-0x0000000000400000-0x0000000000435000-memory.dmp
    Filesize

    212KB

    Download
  • memory/1736-14-0x0000000000400000-0x0000000000435000-memory.dmp
    Filesize

    212KB

    Download
  • memory/1736-94-0x0000000000400000-0x0000000000435000-memory.dmp
    Filesize

    212KB

    Download
  • memory/1736-13-0x0000000000400000-0x0000000000435000-memory.dmp
    Filesize

    212KB

    Download
  • memory/1736-1-0x0000000000400000-0x0000000000435000-memory.dmp
    Filesize

    212KB

    Download
  • memory/1736-136-0x0000000000400000-0x0000000000435000-memory.dmp
    Filesize

    212KB

    Download
  • memory/1736-2-0x0000000000400000-0x0000000000435000-memory.dmp
    Filesize

    212KB

    Download
  • memory/1736-0-0x0000000000220000-0x0000000000251000-memory.dmp
    Filesize

    196KB

    Download