Overview

overview

10

Static

static

1

Endermanch...r5.exe

windows7-x64

10

Endermanch...r5.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-03-2024 14:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    [email protected]

  • Size

    313KB

  • MD5

    fe1bc60a95b2c2d77cd5d232296a7fa4

  • SHA1

    c07dfdea8da2da5bad036e7c2f5d37582e1cf684

  • SHA256

    b3e1e9d97d74c416c2a30dd11858789af5554cf2de62f577c13944a19623777d

  • SHA512

    266c541a421878e1e175db5d94185c991cec5825a4bc50178f57264f3556080e6fe984ed0380acf022ce659aa1ca46c9a5e97efc25ff46cbfd67b9385fd75f89

  • SSDEEP

    6144:nl578cxdGY87FohbnmM2i8ito7wTmCbL94KCT3OAmK:nl59zH8MiM2z+NLQBN

Score
10/10
cerberdiscoveryevasionransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Roaming\Microsoft\OneNote\16.0\_R_E_A_D___T_H_I_S___YPFGP_.txt

Family

cerber

Ransom Note
Hi, I'am CRBR ENCRYPTOR ;) ----- ALL YOUR DOCUMENTS, PH0T0S, DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED! ----- The only one way to decrypt your files is to receive the private key and decryption program. To receive the private key and decryption program go to any decrypted folder, inside there is the special file (*_R_E_A_D___T_H_I_S_*) with complete instructions how to decrypt your files. If you cannot find any (*_R_E_A_D___T_H_I_S_*) file at your PC, follow the instructions below: ----- 1. Download "Tor Browser" from https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your personal page here: http://xpcx6erilkjced3j.onion/F4C1-2974-20FE-0098-BAB6 Note! This page is available via "Tor Browser" only. ----- Also you can use temporary addresses on your personal page without using "Tor Browser". ----- 1. http://xpcx6erilkjced3j.1n5mod.top/F4C1-2974-20FE-0098-BAB6 2. http://xpcx6erilkjced3j.19kdeh.top/F4C1-2974-20FE-0098-BAB6 3. http://xpcx6erilkjced3j.1mpsnr.top/F4C1-2974-20FE-0098-BAB6 4. http://xpcx6erilkjced3j.18ey8e.top/F4C1-2974-20FE-0098-BAB6 5. http://xpcx6erilkjced3j.17gcun.top/F4C1-2974-20FE-0098-BAB6 ----- Note! These are temporary addresses! They will be available for a limited amount of time! -----
URLs

http://xpcx6erilkjced3j.onion/F4C1-2974-20FE-0098-BAB6

http://xpcx6erilkjced3j.1n5mod.top/F4C1-2974-20FE-0098-BAB6

http://xpcx6erilkjced3j.19kdeh.top/F4C1-2974-20FE-0098-BAB6

http://xpcx6erilkjced3j.1mpsnr.top/F4C1-2974-20FE-0098-BAB6

http://xpcx6erilkjced3j.18ey8e.top/F4C1-2974-20FE-0098-BAB6

http://xpcx6erilkjced3j.17gcun.top/F4C1-2974-20FE-0098-BAB6

Signatures

  • Cerber

    Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.

    ransomwarecerber
  • Contacts a large (1117) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Modifies Windows Firewall 2 TTPs 2 IoCs
    evasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 1 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 38 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Drops file in Program Files directory 20 IoCs
  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Kills process with taskkill 1 IoCs
    evasion
  • Modifies registry class 1 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\[email protected]
    "C:\Users\Admin\AppData\Local\Temp\[email protected]"
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Enumerates connected drives
    • Drops file in System32 directory
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3904
    • C:\Windows\SysWOW64\netsh.exe
      C:\Windows\system32\netsh.exe advfirewall set allprofiles state on
      2⤵
      • Modifies Windows Firewall
      PID:536
    • C:\Windows\SysWOW64\netsh.exe
      C:\Windows\system32\netsh.exe advfirewall reset
      2⤵
      • Modifies Windows Firewall
      PID:3768
    • C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___7KV5XJ_.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
      2⤵
        PID:4672
      • C:\Windows\SysWOW64\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___3AS6_.txt
        2⤵
        • Opens file in notepad (likely ransom note)
        PID:4916
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /d /c taskkill /f /im "E" > NUL & ping -n 1 127.0.0.1 > NUL & del "C" > NUL && exit
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2400
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im "E"
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1940
        • C:\Windows\SysWOW64\PING.EXE
          ping -n 1 127.0.0.1
          3⤵
          • Runs ping.exe
          PID:3540

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\_R_E_A_D___T_H_I_S___12338I64_.hta
      Filesize

      76KB

      MD5

      4f433c52a025d6f0d0f6ee76e71e1779

      SHA1

      1f41e67655626b3de36b09e5107831f35449d4ca

      SHA256

      4ff86fb7b81a4d1d39d614ba1be92a44f692f506e2c3635fef3d197a17527f1c

      SHA512

      b9a2fa523be1badf756d3c6d7596da6e93e17b9164ada095f168800afe0bd1da0e5ad4c384973f480a2d9f9921773ef9cadb80f6e1bf9a8e00cb84c0318437d2

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\OneNote\16.0\_R_E_A_D___T_H_I_S___YPFGP_.txt
      Filesize

      1KB

      MD5

      d2e1de34473dac676f7d0a7b5e534025

      SHA1

      f7996b9d02f783ebfd954a9239fe7157e9288ee0

      SHA256

      2abf6753efaf9eeb5303e7bea765952e2d10e24a1b4172e91f82765af6b9e55d

      SHA512

      57f1b138d67762f96246121616b17bdd7eaf8d20833cfb1344463511b89493a60362fe2b45326f0074096941d594fa3dcdf41888561a0a513110d8a24965763c

      Download Submit

    • memory/3904-0-0x0000000001530000-0x0000000001561000-memory.dmp

      Filesize

      196KB

      Download

    • memory/3904-1-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/3904-2-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/3904-6-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/3904-16-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/3904-23-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/3904-404-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/3904-409-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/3904-432-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/3904-435-0x0000000000440000-0x000000000044E000-memory.dmp

      Filesize

      56KB

      Download