Overview

overview

10

Static

static

7

00FAEE82AB...AD.exe

windows7-x64

10

0B8E9BC319...20.exe

windows7-x64

10

0c9fa52ace...7a.exe

windows7-x64

7

15f7ea290d...8c.exe

windows7-x64

10

1DD70E8036...25.exe

windows7-x64

10

1E229029B2...DA.exe

windows7-x64

10

21977fc851...61.exe

windows7-x64

10

21e1bc4340...01.exe

windows7-x64

7

2272954a2c...5a.exe

windows7-x64

10

2C3542B5D9...85.exe

windows7-x64

7

3ac7f91e37...38.exe

windows7-x64

10

3c0fe521f6...16.exe

windows7-x64

10

41c53e90f0...4a.exe

windows7-x64

10

467c2b23b7...be.exe

windows7-x64

10

5b79b6a814...b0.exe

windows7-x64

10

712affaa8b...1).exe

windows7-x64

1

72716d15ea...21.exe

windows7-x64

7

8b04af13b7...21.exe

windows7-x64

10

Bit Paymer.exe

windows7-x64

10

KeepCalm.exe

windows7-x64

1

LockedIn.exe

windows7-x64

1

Purge.exe

windows7-x64

1

Scarab.exe

windows7-x64

10

a631ad1b1a...4b.exe

windows7-x64

6

a9053a3a52...bc.exe

windows7-x64

7

b764629e1f...1c.exe

windows7-x64

10

cf89f70633...5c.exe

windows7-x64

1

e951e82867...50.exe

windows7-x64

1

fa0c321e1a...d2.exe

windows7-x64

9

fc184274ad...27.exe

windows7-x64

10

Analysis

  • max time kernel
    118s
  • max time network
    142s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    16-03-2024 15:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe

  • Size

    390KB

  • MD5

    08109df08fa4a035c59d56d1e6c5baf4

  • SHA1

    bec86bce6f6963d0cc69c441c6d5fb6d04d3a833

  • SHA256

    3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338

  • SHA512

    61e6cc3e94ddb7a980bfb0a2e5e5ffeeb5414c9e2ef3e42551820017dbedab5cccdd8ece1fed2ca057e240bdb7836663a7f9be28f1bb9136da972750caf59704

  • SSDEEP

    12288:s8TC7FeAA9IsQwycG888888888888W88888888888E7xCYsdG:s8TygVinw1Z7xCZdG

Score
10/10
cerberdiscoveryevasionransomware

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___JXKZU_.txt

Family

cerber

Ransom Note
Hi, I'am CRBR ENCRYPTOR ;) ----- YOUR DOCUMENTS, PHOTOS, DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED! ----- The only way to decrypt your files is to receive the private key and decryption program. To receive the private key and decryption program go to any decrypted folder, inside there is the special file (*_R_E_A_D___T_H_I_S_*) with complete instructions how to decrypt your files. If you cannot find any (*_R_E_A_D___T_H_I_S_*) file at your PC, follow the instructions below: ----- 1. Download "Tor Browser" from https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your personal page here: http://xpcx6erilkjced3j.onion/58C6-B1BE-88C5-0098-9592 Note! This page is available via "Tor Browser" only. ----- Also you can use temporary addresses on your personal page without using "Tor Browser". ----- 1. http://xpcx6erilkjced3j.19kxwa.top/58C6-B1BE-88C5-0098-9592 2. http://xpcx6erilkjced3j.1eht65.top/58C6-B1BE-88C5-0098-9592 3. http://xpcx6erilkjced3j.1t2jhk.top/58C6-B1BE-88C5-0098-9592 4. http://xpcx6erilkjced3j.1e6ly3.top/58C6-B1BE-88C5-0098-9592 5. http://xpcx6erilkjced3j.16umxg.top/58C6-B1BE-88C5-0098-9592 ----- Note! These are temporary addresses! They will be available for a limited amount of time! -----
URLs

http://xpcx6erilkjced3j.onion/58C6-B1BE-88C5-0098-9592

http://xpcx6erilkjced3j.19kxwa.top/58C6-B1BE-88C5-0098-9592

http://xpcx6erilkjced3j.1eht65.top/58C6-B1BE-88C5-0098-9592

http://xpcx6erilkjced3j.1t2jhk.top/58C6-B1BE-88C5-0098-9592

http://xpcx6erilkjced3j.1e6ly3.top/58C6-B1BE-88C5-0098-9592

http://xpcx6erilkjced3j.16umxg.top/58C6-B1BE-88C5-0098-9592

Signatures

  • Cerber

    Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.

    ransomwarecerber
  • Blocklisted process makes network request 5 IoCs
  • Contacts a large (1095) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Modifies Windows Firewall 2 TTPs 2 IoCs
    evasion
  • Deletes itself 1 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 38 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Drops file in Program Files directory 20 IoCs
  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Kills process with taskkill 1 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe
    "C:\Users\Admin\AppData\Local\Temp\3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe"
    1⤵
    • Enumerates connected drives
    • Drops file in System32 directory
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:1176
    • C:\Windows\SysWOW64\netsh.exe
      C:\Windows\system32\netsh.exe advfirewall set allprofiles state on
      2⤵
      • Modifies Windows Firewall
      PID:2620
    • C:\Windows\SysWOW64\netsh.exe
      C:\Windows\system32\netsh.exe advfirewall reset
      2⤵
      • Modifies Windows Firewall
      PID:2884
    • C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___M1I8BZC_.hta"
      2⤵
      • Blocklisted process makes network request
      • Modifies Internet Explorer settings
      PID:1484
    • C:\Windows\SysWOW64\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___JXKZU_.txt
      2⤵
      • Opens file in notepad (likely ransom note)
      PID:1848
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /d /c taskkill /f /im "3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe" > NUL && exit
      2⤵
      • Deletes itself
      • Suspicious use of WriteProcessMemory
      PID:2736
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im "3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe"
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:684
      • C:\Windows\SysWOW64\PING.EXE
        ping -n 1 127.0.0.1
        3⤵
        • Runs ping.exe
        PID:272

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
    Filesize

    67KB

    MD5

    753df6889fd7410a2e9fe333da83a429

    SHA1

    3c425f16e8267186061dd48ac1c77c122962456e

    SHA256

    b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

    SHA512

    9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\TarF05F.tmp
    Filesize

    68KB

    MD5

    9a028ba86ed9b862e22b0d2fc5a538f9

    SHA1

    6bd46f3c385cd703cc2dad5b1da1596bcc241325

    SHA256

    dfd74c55d0724ad2a574e24ff1a84f4a7c365ab132d8bebf6c460d8018772352

    SHA512

    be6c6e44a667b5afb2a06ed60145beef76a56cbc567719307abcb8a195a244a5c8cd1734fc5f1fad63538cc3f8e56d950f4c714f4f3687d284bee5eaee759e50

    Download Submit

  • C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___JXKZU_.txt
    Filesize

    1KB

    MD5

    1d2174f38e0609a24fff3f46738e58e1

    SHA1

    d173810f6e1e2c2eb7e36519e3dfb1a46684600c

    SHA256

    e61cde503cec4804401ff2cc4047f14d47bf44b9f94880a0c786eab28095ab81

    SHA512

    7e83da6261016fc77db1dc4d20cc239b721658aa4b1b7da6f40dbeb728fd35776423d058ebc8779f7d0951e5f9c9d9282aaa5daa4fb5357b6a91b1a7316687ad

    Download Submit

  • C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___M1I8BZC_.hta
    Filesize

    76KB

    MD5

    1e9391de5711410139b193352c395681

    SHA1

    b34bece7b55e73b0e6bc4e8c3b673b8b00407a2f

    SHA256

    c70ff0bae22ae0d14f71c5142caf9a0af65f22825cfa4f8dd0faf15003a4c04d

    SHA512

    7cac2341dd4755081203dca9d08d7f19048c5a106d2533ff8a5d2a3ecbb5fc3d537ba4021c02a244eef6a781110a523add43b95cce02a8a72f73c06065719a1c

    Download Submit

  • memory/1176-0-0x0000000000120000-0x0000000000152000-memory.dmp

    Filesize

    200KB

    Download

  • memory/1176-1-0x0000000000400000-0x0000000000436000-memory.dmp

    Filesize

    216KB

    Download

  • memory/1176-2-0x0000000000400000-0x0000000000436000-memory.dmp

    Filesize

    216KB

    Download

  • memory/1176-5-0x0000000000400000-0x0000000000436000-memory.dmp

    Filesize

    216KB

    Download

  • memory/1176-95-0x0000000000400000-0x0000000000436000-memory.dmp

    Filesize

    216KB

    Download

  • memory/1176-130-0x0000000000400000-0x0000000000436000-memory.dmp

    Filesize

    216KB

    Download