Resubmissions

  • 12-03-2024 04:20: 240312-eyaceaab88 10

  • 12-03-2024 03:53: 240312-ef5etshf87 10

General

  • Target

    mw3reaper.rar

  • Size

    13.2MB

  • Sample

    240312-eyaceaab88

  • MD5

    c77fd8185dd3fe2ee5672a0531c4b3c7

  • SHA1

    7e321783026506c06cd3c34dabdb2ec4f277d17b

  • SHA256

    11c712b2b16eeb1652793fc8bad16d9177ef161398dceb95e136f8f2a349e56c

  • SHA512

    b0c3696a406a34b5a1e7cf8413d416251959006162901a7934054f09f0b909e2e582ce215dd97b8f7170b47c5d054f95ea9109d1cbcff67c69844e89125dce7b

  • SSDEEP

    393216:UN0mmXrXBwtGmoWtJVKSJgNn3TeGKLCM3v:UN8rXetGTWtJNJgNnDI/

Malware Config

Targets

    • Cerber

      Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Matrix (ATT&CK v13)

  • Persistence

    Pre-OS Boot (T1542): 1

    Bootkit (T1542.003): 1

  • Defense Evasion

    Pre-OS Boot (T1542): 1

    Bootkit (T1542.003): 1

  • Discovery

    Query Registry (T1012): 1

    System Information Discovery (T1082): 2

Tasks