Overview

overview

10

Static

static

7

0251ebd0df...ed.exe

windows7-x64

10

0251ebd0df...ed.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    120s
  • max time network
    168s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    12-03-2024 14:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0251ebd0df7c32e2a03ff9bb48754e9e13ef2ee2d0e99ce1c135a50b448338ed.exe

  • Size

    236KB

  • MD5

    b81165ab0938e84fa87efefe0e2c0030

  • SHA1

    9e33c952c6a0e14162c0de07eabc7d64e7f5b272

  • SHA256

    0251ebd0df7c32e2a03ff9bb48754e9e13ef2ee2d0e99ce1c135a50b448338ed

  • SHA512

    93805f5191a75cae4360ad41ec705bc1b6120db6f94c755016f6a9fecff02562ecbf95ee4e466149cefc7133289be04cd531954e311f38694a32b12b84db9932

  • SSDEEP

    6144:KZtaw1henWCopyU0wKxbVKNaquP4V1+v1jnef:gHyVU0wKlVK0q9V141Cf

Score
10/10
cerberdiscoveryevasionransomwareupx

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\_READ_THIS_FILE_IQ13G_.txt

Ransom Note
----- "CERBER RANSOMWARE" ----- YOUR DOCUMENTS, PHOT0S, DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED ----- The only way to decrypt your files is to receive the private key and decryption program. To receive the private key and decryption program go to any decrypted folder, inside there is the special file (*_READ_THIS_FILE_*) with complete instructions how to decrypt your files. If you cannot find any (*_READ_THIS_FILE_*) file at your PC, follow the instructions below: ----- 1. Download "Tor Browser" from https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your personal page here: http://p27dokhpz2n7nvgr.onion/7435-9474-BA2D-0091-BE31 Note! This page is available via "Tor Browser" only. ----- Also you can use temporary addresses on your personal page without using "Tor Browser". ----- 1. http://p27dokhpz2n7nvgr.1hkjl3.top/7435-9474-BA2D-0091-BE31 2. http://p27dokhpz2n7nvgr.16nxpn.top/7435-9474-BA2D-0091-BE31 3. http://p27dokhpz2n7nvgr.133chr.top/7435-9474-BA2D-0091-BE31 4. http://p27dokhpz2n7nvgr.17gvad.top/7435-9474-BA2D-0091-BE31 5. http://p27dokhpz2n7nvgr.15yvce.top/7435-9474-BA2D-0091-BE31 ----- Note! These are temporary addresses! They will be available for a limited amount of time! -----
URLs

http://p27dokhpz2n7nvgr.onion/7435-9474-BA2D-0091-BE31

http://p27dokhpz2n7nvgr.1hkjl3.top/7435-9474-BA2D-0091-BE31

http://p27dokhpz2n7nvgr.16nxpn.top/7435-9474-BA2D-0091-BE31

http://p27dokhpz2n7nvgr.133chr.top/7435-9474-BA2D-0091-BE31

http://p27dokhpz2n7nvgr.17gvad.top/7435-9474-BA2D-0091-BE31

http://p27dokhpz2n7nvgr.15yvce.top/7435-9474-BA2D-0091-BE31

Signatures

  • Cerber

    Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.

    ransomwarecerber
  • Blocklisted process makes network request 5 IoCs
  • Contacts a large (1094) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Modifies Windows Firewall 2 TTPs 2 IoCs
    evasion
  • Deletes itself 1 IoCs
  • UPX packed file 1 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in System32 directory 38 IoCs
  • Drops file in Program Files directory 20 IoCs
  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Kills process with taskkill 1 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Modifies system certificate store 2 TTPs 3 IoCs
    evasionspywaretrojan
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0251ebd0df7c32e2a03ff9bb48754e9e13ef2ee2d0e99ce1c135a50b448338ed.exe
    "C:\Users\Admin\AppData\Local\Temp\0251ebd0df7c32e2a03ff9bb48754e9e13ef2ee2d0e99ce1c135a50b448338ed.exe"
    1⤵
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2940
    • C:\Windows\SysWOW64\netsh.exe
      C:\Windows\system32\netsh.exe advfirewall set allprofiles state on
      2⤵
      • Modifies Windows Firewall
      PID:2684
    • C:\Windows\SysWOW64\netsh.exe
      C:\Windows\system32\netsh.exe advfirewall reset
      2⤵
      • Modifies Windows Firewall
      PID:2568
    • C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\_READ_THIS_FILE_KQXUJR_.hta"
      2⤵
      • Blocklisted process makes network request
      • Modifies Internet Explorer settings
      • Modifies system certificate store
      PID:1544
    • C:\Windows\SysWOW64\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_READ_THIS_FILE_IQ13G_.txt
      2⤵
      • Opens file in notepad (likely ransom note)
      PID:1500
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe"
      2⤵
      • Deletes itself
      • Suspicious use of WriteProcessMemory
      PID:1924
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im "0251ebd0df7c32e2a03ff9bb48754e9e13ef2ee2d0e99ce1c135a50b448338ed.exe"
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2380
      • C:\Windows\SysWOW64\PING.EXE
        ping -n 1 127.0.0.1
        3⤵
        • Runs ping.exe
        PID:1432

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Privilege Escalation

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Defense Evasion

Impair Defenses

1
T1562

Disable or Modify System Firewall

1
T1562.004

Modify Registry

2
T1112

Subvert Trust Controls

1
T1553

Install Root Certificate

1
T1553.004

Credential Access

Discovery

Network Service Discovery

1
T1046

System Information Discovery

1
T1082

Remote System Discovery

1
T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
    Filesize

    67KB

    MD5

    753df6889fd7410a2e9fe333da83a429

    SHA1

    3c425f16e8267186061dd48ac1c77c122962456e

    SHA256

    b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

    SHA512

    9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\TarC09.tmp
    Filesize

    175KB

    MD5

    dd73cead4b93366cf3465c8cd32e2796

    SHA1

    74546226dfe9ceb8184651e920d1dbfb432b314e

    SHA256

    a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22

    SHA512

    ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

    Download Submit
  • C:\Users\Admin\Desktop\_READ_THIS_FILE_IQ13G_.txt
    Filesize

    1KB

    MD5

    4a47282a2e89f58cee63b8e36292c2b3

    SHA1

    052cb49079ddaebfad9fb6a498df7f1aba0ffca6

    SHA256

    6591773477ccadb47fee553b3cb7979267d5d6a79765b56fdb3f2f2950fba6a3

    SHA512

    92fa3d9c160d6dbc9e40a5f16c9df42b820edeac3e459e60e48c9ca037b857aef873e78bd14a67da5e25d363dfbb2cfc81aaeb45036fb1781df6c54a67013247

    Download Submit
  • C:\Users\Admin\Desktop\_READ_THIS_FILE_KQXUJR_.hta
    Filesize

    75KB

    MD5

    bc4d6c845db349fa49a0131d1364ccd2

    SHA1

    743cd75194e7b52f12f44a7cac11b13e1c19d33e

    SHA256

    3e81e850c560087f50f94801fbc183cff2b757d6ee84ec827c3a86786fc75ab8

    SHA512

    62ef721310856785e6b41d3d4e653a8a6aedf6ccd381fd799f25b791fe2cdd908b0e7943a9d6a4480565d91b6574459ca782aa8dbb26190ea60cfe0d4f4e7269

    Download Submit
  • memory/2940-4-0x00000000002A0000-0x00000000002A1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2940-6-0x0000000000400000-0x0000000000444000-memory.dmp
    Filesize

    272KB

    Download
  • memory/2940-105-0x0000000000400000-0x0000000000444000-memory.dmp
    Filesize

    272KB

    Download
  • memory/2940-108-0x0000000000210000-0x0000000000211000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2940-109-0x0000000003AA0000-0x0000000003AB0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2940-2-0x0000000000210000-0x0000000000211000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2940-0-0x0000000000400000-0x0000000000444000-memory.dmp
    Filesize

    272KB

    Download
  • memory/2940-5-0x0000000000400000-0x0000000000444000-memory.dmp
    Filesize

    272KB

    Download
  • memory/2940-3-0x0000000000400000-0x0000000000444000-memory.dmp
    Filesize

    272KB

    Download