Overview

overview

10

Static

static

7

Ransomware...er.exe

windows10-2004-x64

8

Ransomware/7ev3n.exe

windows10-2004-x64

Ransomware...le.exe

windows10-2004-x64

Ransomware...it.exe

windows10-2004-x64

10

Ransomware/Birele.exe

windows10-2004-x64

10

Ransomware...r5.exe

windows10-2004-x64

8

Ransomware...us.exe

windows10-2004-x64

10

Ransomware...er.exe

windows10-2004-x64

10

Ransomware...ll.exe

windows10-2004-x64

7

Ransomware...ck.exe

windows10-2004-x64

7

Ransomware/Dharma.exe

windows10-2004-x64

9

Ransomware/Fantom.exe

windows10-2004-x64

10

Ransomware...ab.exe

windows10-2004-x64

7

Ransomware...ye.exe

windows10-2004-x64

10

Ransomware...Eye.js

windows10-2004-x64

10

Ransomware...pt.exe

windows10-2004-x64

10

Ransomware...en.exe

windows10-2004-x64

8

Ransomware...AZ.dll

windows10-2004-x64

3

Ransomware...om.exe

windows10-2004-x64

10

Ransomware...ya.exe

windows10-2004-x64

10

Ransomware...ap.exe

windows10-2004-x64

1

Ransomware....A.exe

windows10-2004-x64

6

Ransomware...om.exe

windows10-2004-x64

10

Ransomware...nt.exe

windows10-2004-x64

Ransomware...ot.exe

windows10-2004-x64

Ransomware/RedEye.exe

windows10-2004-x64

Ransomware...re.exe

windows10-2004-x64

7

Ransomware/Rokku.exe

windows10-2004-x64

10

Ransomware/Satana.exe

windows10-2004-x64

5

Ransomware/Seftad.exe

windows10-2004-x64

6

Ransomware...re.exe

windows10-2004-x64

10

Ransomware/UIWIX.dll

windows10-2004-x64

1

Analysis

  • max time kernel
    144s
  • max time network
    172s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-uk
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-uklocale:uk-uaos:windows10-2004-x64systemwindows
  • submitted
    03-03-2024 13:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Ransomware/Cerber5.exe

  • Size

    313KB

  • MD5

    fe1bc60a95b2c2d77cd5d232296a7fa4

  • SHA1

    c07dfdea8da2da5bad036e7c2f5d37582e1cf684

  • SHA256

    b3e1e9d97d74c416c2a30dd11858789af5554cf2de62f577c13944a19623777d

  • SHA512

    266c541a421878e1e175db5d94185c991cec5825a4bc50178f57264f3556080e6fe984ed0380acf022ce659aa1ca46c9a5e97efc25ff46cbfd67b9385fd75f89

  • SSDEEP

    6144:nl578cxdGY87FohbnmM2i8ito7wTmCbL94KCT3OAmK:nl59zH8MiM2z+NLQBN

Score
8/10
evasion

Malware Config

Signatures

  • Modifies Windows Firewall 2 TTPs 2 IoCs
    evasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Kills process with taskkill 1 IoCs
    evasion
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Ransomware\Cerber5.exe
    "C:\Users\Admin\AppData\Local\Temp\Ransomware\Cerber5.exe"
    1⤵
    • Checks computer location settings
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3056
    • C:\Windows\SysWOW64\netsh.exe
      C:\Windows\system32\netsh.exe advfirewall set allprofiles state on
      2⤵
      • Modifies Windows Firewall
      PID:500
    • C:\Windows\SysWOW64\netsh.exe
      C:\Windows\system32\netsh.exe advfirewall reset
      2⤵
      • Modifies Windows Firewall
      PID:1688
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /d /c taskkill /f /im "C" > NUL & ping -n 1 127.0.0.1 > NUL & del "C" > NUL && exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4956
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im "C"
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3344
      • C:\Windows\SysWOW64\PING.EXE
        ping -n 1 127.0.0.1
        3⤵
        • Runs ping.exe
        PID:3424

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Privilege Escalation

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Defense Evasion

Impair Defenses

1
T1562

Disable or Modify System Firewall

1
T1562.004

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

3
T1082

Peripheral Device Discovery

1
T1120

Remote System Discovery

1
T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/3056-0-0x0000000005DA0000-0x0000000005DD1000-memory.dmp
    Filesize

    196KB

    Download
  • memory/3056-1-0x0000000000400000-0x0000000000433000-memory.dmp
    Filesize

    204KB

    Download
  • memory/3056-4-0x0000000000400000-0x0000000000433000-memory.dmp
    Filesize

    204KB

    Download
  • memory/3056-5-0x0000000000400000-0x0000000000433000-memory.dmp
    Filesize

    204KB

    Download
  • memory/3056-6-0x0000000000440000-0x000000000044F000-memory.dmp
    Filesize

    60KB

    Download