Extracted

Extracted

• • Target

    b3e1e9d97d74c416c2a30dd11858789af5554cf2de62f577c13944a19623777d

  • Size

    313KB

  • MD5

    fe1bc60a95b2c2d77cd5d232296a7fa4

  • SHA1

    c07dfdea8da2da5bad036e7c2f5d37582e1cf684

  • SHA256

    b3e1e9d97d74c416c2a30dd11858789af5554cf2de62f577c13944a19623777d

  • SHA512

    266c541a421878e1e175db5d94185c991cec5825a4bc50178f57264f3556080e6fe984ed0380acf022ce659aa1ca46c9a5e97efc25ff46cbfd67b9385fd75f89

  • SSDEEP

    6144:nl578cxdGY87FohbnmM2i8ito7wTmCbL94KCT3OAmK:nl59zH8MiM2z+NLQBN

  Score

  10^/10

  cerberdiscoveryevasionransomware

  • Cerber

    Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.

    ransomwarecerber

  • Blocklisted process makes network request

  • Contacts a large (1094) amount of remote hosts

    This may indicate a network scan to discover remotely running services.

    discovery

  • Modifies Windows Firewall

    evasion

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory

  • Sets desktop wallpaper using registry

    ransomware
  behavioral1behavioral2