Overview

overview

10

Static

static

10

ransomware...3n.exe

windows7-x64

ransomware...3n.exe

windows10-2004-x64

ransomware...le.exe

windows7-x64

ransomware...le.exe

windows10-2004-x64

ransomware...it.exe

windows7-x64

10

ransomware...it.exe

windows10-2004-x64

10

ransomware...le.exe

windows10-2004-x64

10

ransomware... 5.exe

windows7-x64

10

ransomware... 5.exe

windows10-2004-x64

10

ransomware...de.exe

windows7-x64

10

ransomware...de.exe

windows10-2004-x64

10

ransomware...ck.exe

windows7-x64

7

ransomware...ck.exe

windows10-2004-x64

7

ransomware...ye.exe

windows7-x64

6

ransomware...ye.exe

windows10-2004-x64

6

ransomware...ap.exe

windows7-x64

6

ransomware...ap.exe

windows10-2004-x64

6

ransomware...ya.exe

windows7-x64

6

ransomware...ya.exe

windows10-2004-x64

6

ransomware...om.exe

windows7-x64

10

ransomware...om.exe

windows10-2004-x64

10

ransomware...ab.exe

windows7-x64

10

ransomware...ab.exe

windows10-2004-x64

10

ransomware...ye.exe

windows7-x64

10

ransomware...ye.exe

windows10-2004-x64

10

ransomware...ni.exe

windows7-x64

10

ransomware...ni.exe

windows10-2004-x64

10

ransomware...pt.exe

windows7-x64

10

ransomware...pt.exe

windows10-2004-x64

10

ransomware...ya.exe

windows7-x64

7

ransomware...ya.exe

windows10-2004-x64

7

ransomware...en.exe

windows7-x64

8

Analysis

  • max time kernel
    151s
  • max time network
    162s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17-03-2024 04:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ransomwares/Cerber 5/Cerber 5.exe

  • Size

    313KB

  • MD5

    fe1bc60a95b2c2d77cd5d232296a7fa4

  • SHA1

    c07dfdea8da2da5bad036e7c2f5d37582e1cf684

  • SHA256

    b3e1e9d97d74c416c2a30dd11858789af5554cf2de62f577c13944a19623777d

  • SHA512

    266c541a421878e1e175db5d94185c991cec5825a4bc50178f57264f3556080e6fe984ed0380acf022ce659aa1ca46c9a5e97efc25ff46cbfd67b9385fd75f89

  • SSDEEP

    6144:nl578cxdGY87FohbnmM2i8ito7wTmCbL94KCT3OAmK:nl59zH8MiM2z+NLQBN

Score
10/10
cerberdiscoveryevasionransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Roaming\Microsoft\OneNote\16.0\_R_E_A_D___T_H_I_S___K5M2_.txt

Family

cerber

Ransom Note
Hi, I'am CRBR ENCRYPTOR ;) ----- ALL YOUR DOCUMENTS, PH0T0S, DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED! ----- The only one way to decrypt your files is to receive the private key and decryption program. To receive the private key and decryption program go to any decrypted folder, inside there is the special file (*_R_E_A_D___T_H_I_S_*) with complete instructions how to decrypt your files. If you cannot find any (*_R_E_A_D___T_H_I_S_*) file at your PC, follow the instructions below: ----- 1. Download "Tor Browser" from https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your personal page here: http://xpcx6erilkjced3j.onion/A112-D896-B9FC-0098-B0F1 Note! This page is available via "Tor Browser" only. ----- Also you can use temporary addresses on your personal page without using "Tor Browser". ----- 1. http://xpcx6erilkjced3j.1n5mod.top/A112-D896-B9FC-0098-B0F1 2. http://xpcx6erilkjced3j.19kdeh.top/A112-D896-B9FC-0098-B0F1 3. http://xpcx6erilkjced3j.1mpsnr.top/A112-D896-B9FC-0098-B0F1 4. http://xpcx6erilkjced3j.18ey8e.top/A112-D896-B9FC-0098-B0F1 5. http://xpcx6erilkjced3j.17gcun.top/A112-D896-B9FC-0098-B0F1 ----- Note! These are temporary addresses! They will be available for a limited amount of time! -----
URLs

http://xpcx6erilkjced3j.onion/A112-D896-B9FC-0098-B0F1

http://xpcx6erilkjced3j.1n5mod.top/A112-D896-B9FC-0098-B0F1

http://xpcx6erilkjced3j.19kdeh.top/A112-D896-B9FC-0098-B0F1

http://xpcx6erilkjced3j.1mpsnr.top/A112-D896-B9FC-0098-B0F1

http://xpcx6erilkjced3j.18ey8e.top/A112-D896-B9FC-0098-B0F1

http://xpcx6erilkjced3j.17gcun.top/A112-D896-B9FC-0098-B0F1

Signatures

  • Cerber

    Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.

    ransomwarecerber
  • Contacts a large (1111) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Modifies Windows Firewall 2 TTPs 2 IoCs
    evasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 1 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 38 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Drops file in Program Files directory 20 IoCs
  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Kills process with taskkill 1 IoCs
    evasion
  • Modifies registry class 1 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ransomwares\Cerber 5\Cerber 5.exe
    "C:\Users\Admin\AppData\Local\Temp\ransomwares\Cerber 5\Cerber 5.exe"
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Enumerates connected drives
    • Drops file in System32 directory
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:212
    • C:\Windows\SysWOW64\netsh.exe
      C:\Windows\system32\netsh.exe advfirewall set allprofiles state on
      2⤵
      • Modifies Windows Firewall
      PID:3940
    • C:\Windows\SysWOW64\netsh.exe
      C:\Windows\system32\netsh.exe advfirewall reset
      2⤵
      • Modifies Windows Firewall
      PID:2896
    • C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___GKPI_.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
      2⤵
        PID:4836
      • C:\Windows\SysWOW64\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___DDC6_.txt
        2⤵
        • Opens file in notepad (likely ransom note)
        PID:948
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /d /c taskkill /f /im "C" > NUL & ping -n 1 127.0.0.1 > NUL & del "C" > NUL && exit
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1792
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im "C"
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2044
        • C:\Windows\SysWOW64\PING.EXE
          ping -n 1 127.0.0.1
          3⤵
          • Runs ping.exe
          PID:2148
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1404 --field-trial-handle=3488,i,1267426273081718772,6254127258555406296,262144 --variations-seed-version /prefetch:8
      1⤵
        PID:2076

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\_R_E_A_D___T_H_I_S___8RSYGI_.hta
        Filesize

        76KB

        MD5

        3106f790244c705a99a8ce42b3234847

        SHA1

        d6b5d1d8c7feb45afac891310b2545a99ff1ba95

        SHA256

        2ffed10c9f97de9137b0e6492337c157bc1a7f79dd4b4ba7d70ae597217c67b3

        SHA512

        dd7c79f457ee9817d6be88ca96b529455d93b4a6245f8296c80f8659bc3f07e974b087f218ded84087e3d73294aabeca28d5b31f81a37cf2e7d4d4c09e85b17a

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Microsoft\OneNote\16.0\_R_E_A_D___T_H_I_S___K5M2_.txt
        Filesize

        1KB

        MD5

        1d2756dcb4d7e744501a343d1e4099b8

        SHA1

        39b9b16f1b711c276506da48747fe18c5e2b4966

        SHA256

        7e504f44f9f472426f2a7f93c14cd19710672c03e52213a1c1a1a10022afdd90

        SHA512

        af38b55a0e45f1845f42ebaebc983d1e674ad84e578a0e3631f0e753b1255a2bae3599466c6f48af81358176e760c7ff51279c610f621a3121a357f737976727

        Download Submit

      • memory/212-5-0x0000000000400000-0x0000000000433000-memory.dmp

        Filesize

        204KB

        Download

      • memory/212-1-0x0000000000400000-0x0000000000433000-memory.dmp

        Filesize

        204KB

        Download

      • memory/212-8-0x0000000000400000-0x0000000000433000-memory.dmp

        Filesize

        204KB

        Download

      • memory/212-17-0x0000000000400000-0x0000000000433000-memory.dmp

        Filesize

        204KB

        Download

      • memory/212-22-0x0000000000400000-0x0000000000433000-memory.dmp

        Filesize

        204KB

        Download

      • memory/212-35-0x0000000000400000-0x0000000000433000-memory.dmp

        Filesize

        204KB

        Download

      • memory/212-3-0x0000000000400000-0x0000000000433000-memory.dmp

        Filesize

        204KB

        Download

      • memory/212-0-0x0000000001540000-0x0000000001571000-memory.dmp

        Filesize

        196KB

        Download

      • memory/212-397-0x0000000000400000-0x0000000000433000-memory.dmp

        Filesize

        204KB

        Download

      • memory/212-417-0x0000000000400000-0x0000000000433000-memory.dmp

        Filesize

        204KB

        Download

      • memory/212-418-0x0000000000440000-0x000000000044E000-memory.dmp

        Filesize

        56KB

        Download