Overview

overview

10

Static

static

10

081899c525...89.dll

windows7-x64

1

082060e332...76.exe

windows7-x64

10

09d22d6340...64.exe

windows7-x64

1

1f4e927f6e...a4.exe

windows7-x64

8

20efc37efc...db.dll

windows7-x64

6

23b5ce252f...5b.exe

windows7-x64

10

35fdad147c...8f.exe

windows7-x64

1

36bfd9f40c...07.exe

windows7-x64

1

56ec95785f...a4.exe

windows7-x64

1

675e7e38d9...a8.exe

windows7-x64

9

6b4df38111...7a.exe

windows7-x64

7

6b4f6a820d...96.exe

windows7-x64

1

721ccbb780...29.exe

windows7-x64

3

75a9ade196...1d.exe

windows7-x64

10

79271d57c5...61.exe

windows7-x64

7

*.*/update.exe

windows7-x64

6

*.*/˫�...��.bat

windows7-x64

1

847001fe67...7e.exe

windows7-x64

1

97d846563e...3b.exe

windows7-x64

1

9a5a08d7a4...4a.exe

windows7-x64

10

9da42140ca...70.exe

windows7-x64

6

ac7da11c38...e2.exe

windows7-x64

10

b3489810af...5f.exe

windows7-x64

1

bf11915a5a...55.dll

windows7-x64

6

c453aa991f...3e.dll

windows7-x64

6

c97d9bbc80...15.exe

windows7-x64

10

cfe55dc501...48.exe

windows7-x64

6

d2a120aa4a...78.exe

windows7-x64

10

db97db6b03...1b.dll

windows7-x64

6

dc276b7ca4...cf.exe

windows7-x64

10

e714a8c576...a4.exe

windows7-x64

1

f0c2927859...a6.exe

windows7-x64

7

Resubmissions

26-03-2024 14:35

240326-ryecksfd5y 10

26-03-2024 14:27

240326-rse2xsfb8y 10

Analysis

  • max time kernel
    38s
  • max time network
    33s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    26-03-2024 14:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe

  • Size

    314KB

  • MD5

    f93ecc98e4c4659023b81397578201e3

  • SHA1

    8c6ce5195b39239d219da8de3b4e757204f75f07

  • SHA256

    9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a

  • SHA512

    6835d190e85fa196e325d5b9e9833f88b22348b5e7dad7fe10aa2b065c66e61342cbf31fb8a4c1b5761a9f72b2f55d7eaeab9f8ee411ade6090327268a85a039

  • SSDEEP

    6144:N/ox45SkZNudlSP7VeJCaYAbjJF7UjWDvtlP8A2KoGFn6NHCcWITEYlxHt9Nqw:NgScC03SPxSlYMF7UjWDvzPh2eFnDcWg

Score
10/10
discoveryevasionransomwareupx

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\_READ_THI$_FILE_33QNII2_.txt

Ransom Note
CERBER RAN$OMWARE --- YOUR DOCUMENTS, PHOTOS, DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED! --- The only way to decrypt your files is to receive the private key and decryption program. To receive the private key and decryption program go to any decrypted folder, inside there is the special file (*_READ_THIS_FILE_*) with complete instructions how to decrypt your files. If you cannot find any (*_READ_THIS_FILE_*) file at your PC, follow the instructions below: --- 1. Download "Tor Browser" from https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your personal page here: http://p27dokhpz2n7nvgr.onion/12EA-1E35-D050-0446-9493 Note! This page is available via "Tor Browser" only. --- Also you can use temporary addresses on your personal page without using "Tor Browser". --- 1. http://p27dokhpz2n7nvgr.1hpvzl.top/12EA-1E35-D050-0446-9493 2. http://p27dokhpz2n7nvgr.1pglcs.top/12EA-1E35-D050-0446-9493 3. http://p27dokhpz2n7nvgr.1cewld.top/12EA-1E35-D050-0446-9493 4. http://p27dokhpz2n7nvgr.1js3tl.top/12EA-1E35-D050-0446-9493 5. http://p27dokhpz2n7nvgr.1ajohk.top/12EA-1E35-D050-0446-9493 --- Note! These are temporary addresses! They will be available for a limited amount of time!
URLs

http://p27dokhpz2n7nvgr.onion/12EA-1E35-D050-0446-9493

http://p27dokhpz2n7nvgr.1hpvzl.top/12EA-1E35-D050-0446-9493

http://p27dokhpz2n7nvgr.1pglcs.top/12EA-1E35-D050-0446-9493

http://p27dokhpz2n7nvgr.1cewld.top/12EA-1E35-D050-0446-9493

http://p27dokhpz2n7nvgr.1js3tl.top/12EA-1E35-D050-0446-9493

http://p27dokhpz2n7nvgr.1ajohk.top/12EA-1E35-D050-0446-9493

Signatures

  • Blocklisted process makes network request 2 IoCs
  • Contacts a large (1091) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Modifies Windows Firewall 2 TTPs 2 IoCs
    evasion
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in System32 directory 38 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 20 IoCs
  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 31 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe
    "C:\Users\Admin\AppData\Local\Temp\9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1720
    • C:\Users\Admin\AppData\Local\Temp\9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe
      C:\Users\Admin\AppData\Local\Temp\9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe
      2⤵
        PID:2848
      • C:\Users\Admin\AppData\Local\Temp\9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe
        C:\Users\Admin\AppData\Local\Temp\9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe
        2⤵
        • Drops file in System32 directory
        • Sets desktop wallpaper using registry
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1924
        • C:\Windows\SysWOW64\netsh.exe
          C:\Windows\system32\netsh.exe advfirewall set allprofiles state on
          3⤵
          • Modifies Windows Firewall
          PID:2016
        • C:\Windows\SysWOW64\netsh.exe
          C:\Windows\system32\netsh.exe advfirewall reset
          3⤵
          • Modifies Windows Firewall
          PID:404
        • C:\Windows\SysWOW64\mshta.exe
          "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\_READ_THI$_FILE_CWN7_.hta"
          3⤵
          • Blocklisted process makes network request
          • Modifies Internet Explorer settings
          PID:1016
        • C:\Windows\SysWOW64\NOTEPAD.EXE
          "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_READ_THI$_FILE_33QNII2_.txt
          3⤵
            PID:876
      • C:\Windows\SysWOW64\DllHost.exe
        C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
        1⤵
        • Suspicious use of FindShellTrayWindow
        PID:628
      • C:\Windows\SysWOW64\DllHost.exe
        C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
        1⤵
          PID:2520

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\Desktop\_READ_THI$_FILE_33QNII2_.txt
          Filesize

          1KB

          MD5

          115ef07cc68d6ff4d144991709c92d76

          SHA1

          1267df1f384ed8a4fd970b0e24d1abef62fa6964

          SHA256

          af7e28007c1647432fd401c3f767b2f59ad1f5d5286bfea5f04a1236fa8445dc

          SHA512

          96dd3eea1ad347d37f86dd9808071147f5217872049ecded4154aa29c8977f989dc271afbb556ccc7030f8e99905daef40434cea0045d55083bec91e7969eccf

          Download Submit

        • C:\Users\Admin\Desktop\_READ_THI$_FILE_CWN7_.hta
          Filesize

          75KB

          MD5

          62afa0aa1f2daf545964ad4446b881a3

          SHA1

          dfd44fed47ea0dba8330b20354ca23943c1d6122

          SHA256

          536389eb648d19de149d259403f8e076099bbf469b55329ad8b4d8eb218d5428

          SHA512

          2734138f301be72aff23228a0d10e138e550fb133af676a9144b9e3a613d8031a64667d5ac0dbcc707ee6f95d54973a1ddb9981b30cb478b1c3cf248fac47a5e

          Download Submit

        • C:\Users\Admin\Desktop\_READ_THI$_FILE_WO2M8SKC_.jpeg
          Filesize

          150KB

          MD5

          4b8154d3f14a658e56762b117634540e

          SHA1

          af14b815a4e87170731267e9d454b4c09965ebca

          SHA256

          0992df0539b170c8a57bd280689a638eb0b5114f56f78068aad8f1e584ff74e2

          SHA512

          4006d0bf15495782bb69ff5cafe2d40fa2d1e135cac475013050a182491af042eaa942e5fd632d27cac317657a67dc69027d1bf347ee2c049313e38664991352

          Download Submit

        • memory/628-110-0x0000000000370000-0x0000000000371000-memory.dmp

          Filesize

          4KB

          Download

        • memory/628-88-0x0000000000370000-0x0000000000371000-memory.dmp

          Filesize

          4KB

          Download

        • memory/628-87-0x00000000001B0000-0x00000000001B2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1720-3-0x0000000000CA0000-0x0000000000CD4000-memory.dmp

          Filesize

          208KB

          Download

        • memory/1720-2-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

          Download

        • memory/1720-0-0x0000000000CA0000-0x0000000000CD4000-memory.dmp

          Filesize

          208KB

          Download

        • memory/1924-1-0x0000000000400000-0x000000000043A000-memory.dmp

          Filesize

          232KB

          Download

        • memory/1924-22-0x0000000000400000-0x000000000043A000-memory.dmp

          Filesize

          232KB

          Download

        • memory/1924-27-0x0000000000400000-0x000000000043A000-memory.dmp

          Filesize

          232KB

          Download

        • memory/1924-35-0x0000000000400000-0x000000000043A000-memory.dmp

          Filesize

          232KB

          Download

        • memory/1924-60-0x0000000000400000-0x000000000043A000-memory.dmp

          Filesize

          232KB

          Download

        • memory/1924-16-0x0000000000400000-0x000000000043A000-memory.dmp

          Filesize

          232KB

          Download

        • memory/1924-14-0x0000000000400000-0x000000000043A000-memory.dmp

          Filesize

          232KB

          Download

        • memory/1924-86-0x00000000004A0000-0x00000000004A2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1924-10-0x0000000000400000-0x000000000043A000-memory.dmp

          Filesize

          232KB

          Download

        • memory/1924-7-0x0000000000400000-0x000000000043A000-memory.dmp

          Filesize

          232KB

          Download

        • memory/1924-6-0x0000000000400000-0x000000000043A000-memory.dmp

          Filesize

          232KB

          Download

        • memory/1924-109-0x0000000000400000-0x000000000043A000-memory.dmp

          Filesize

          232KB

          Download

        • memory/1924-5-0x0000000000400000-0x000000000043A000-memory.dmp

          Filesize

          232KB

          Download