Analysis
-
max time kernel
155s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
29-03-2024 18:14
General
-
Target
https://github.com/kh4sh3i/Ransomware-Samples
Score
10/10
Malware Config
Extracted
Path
C:\Users\Admin\AppData\Roaming\Microsoft\OneNote\16.0\_R_E_A_D___T_H_I_S___3O9J4CT8_.hta
Family
cerber
Ransom Note
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>CERBER RANSOMWARE: Instructions</title>
<HTA:APPLICATION APPLICATIONNAME="NrCAq8ep" SCROLL="yes" SINGLEINSTANCE="yes" WINDOWSTATE="maximize">
<style type="text/css">
a {
color: #04a;
text-decoration: none;
}
a:hover {
text-decoration: underline;
}
body {
background-color: #e7e7e7;
color: #222;
font-family: "Lucida Sans Unicode", "Lucida Grande", sans-serif;
font-size: 13pt;
line-height: 19pt;
}
body, h1 {
margin: 0;
padding: 0;
}
hr {
color: #bda;
height: 2pt;
margin: 1.5%;
}
h1 {
color: #555;
font-size: 14pt;
}
ol {
padding-left: 2.5%;
}
ol li {
padding-bottom: 13pt;
}
small {
color: #555;
font-size: 11pt;
}
ul {
list-style-type: none;
margin: 0;
padding: 0;
}
.button {
color: #04a;
cursor: pointer;
}
.button:hover {
text-decoration: underline;
}
.container {
background-color: #fff;
border: 2pt solid #c7c7c7;
margin: 5%;
min-width: 850px;
padding: 2.5%;
}
.header {
border-bottom: 2pt solid #c7c7c7;
margin-bottom: 2.5%;
padding-bottom: 2.5%;
}
.h {
display: none;
}
.hr {
background: #bda;
display: block;
height: 2pt;
margin-top: 1.5%;
margin-bottom: 1.5%;
overflow: hidden;
width: 100%;
}
.info {
background-color: #efe;
border: 2pt solid #bda;
display: inline-block;
padding: 1.5%;
text-align: center;
}
.updating {
color: red;
display: none;
padding-left: 35px;
background: url("data:image/gif;base64,R0lGODlhGQAZAKIEAMzMzJmZmTMzM2ZmZgAAAAAAAAAAAAAAACH/C05FVFNDQVBFMi4wAwEAAAAh+QQFAAAEACwAAAAAGQAZAAADVki63P4wSEiZvLXemRf4yhYoQ0l9aMiVLISCDms+L/DIwwnfc+c3qZ9g6Hn5hkhF7YgUKI2dpvNpExJ/WKquSoMCvd9geDeuBpcuGFrcQWep5Df7jU0AACH5BAUAAAQALAoAAQAOABQAAAMwSLDU/iu+Gdl0FbTAqeXg5YCdSJCBuZVqKw5wC8/qHJv2IN+uKvytn9AnFBCHx0cCACH5BAUAAAQALAoABAAOABQAAAMzSLoEzrC5F9Wk9YK6Jv8gEYzgaH4myaVBqYbfIINyHdcDI+wKniu7YG+2CPI4RgFI+EkAACH5BAUAAAQALAQACgAUAA4AAAMzSLrcBNDJBeuUNd6WwXbWtwnkFZwMqUpnu6il06IKLChDrsxBGufAHW0C1IlwxeMieEkAACH5BAUAAAQALAEACgAUAA4AAAM0SLLU/lAtFquctk6aIe5gGA1kBpwPqVZn66hl1KINPDRB3sxAGufAHc0C1IkIxcARZ4QkAAAh+QQFAAAEACwBAAQADgAUAAADMUhK0vurSfiko8oKHC//yyCCYvmVI4cOZAq+UCCDcv3VM4cHCuDHOZ/wI/xxigDQMAEAIfkEBQAABAAsAQABAA4AFAAAAzNIuizOkLgZ13xraHVF1puEKWBYlUP1pWrLBLALz+0cq3Yg324PAUAXcNgaBlVGgPAISQAAIfkEBQAABAAsAQABABQADgAAAzRIujzOMBJHpaXPksAVHoogMlzpZWK6lF2UjgobSK9AtjSs7QTg8xCfELgQ/og9I1IxXCYAADs=") left no-repeat;
}
#change_language {
float: right;
}
#change_language, #texts div {
display: none;
}
</style>
</head>
<body>
<div class="container">
<div class="header">
<a id="change_language" href="#" onclick="return changeLanguage1();" title="English">☑ English</a>
<h1>CERBER RANSOMWARE</h1>
<small id="title">Instructions</small>
</div>
<div id="languages">
<p>☑ Select your language</p>
<ul>
<li><a href="#" title="English" onclick="return sh_bl('en');">English</a></li>
<li><a href="#" title="Arabic" onclick="return sh_bl('ar');">العربية</a></li>
<li><a href="#" title="Chinese" onclick="return sh_bl('zh');">中文</a></li>
<li><a href="#" title="Dutch" onclick="return sh_bl('nl');">Nederlands</a></li>
<li><a href="#" title="French" onclick="return sh_bl('fr');">Français</a></li>
<li><a href="#" title="German" onclick="return sh_bl('de');">Deutsch</a></li>
<li><a href="#" title="Italian" onclick="return sh_bl('it');">Italiano</a></li>
<li><a href="#" title="Japanese" onclick="return sh_bl('ja');">日本語</a></li>
<li><a href="#" title="Korean" onclick="return sh_bl('ko');">한국어</a></li>
<li><a href="#" title="Polish" onclick="return sh_bl('pl');">Polski</a></li>
<li><a href="#" title="Portuguese" onclick="return sh_bl('pt');">Português</a></li>
<li><a href="#" title="Spanish" onclick="return sh_bl('es');">Español</a></li>
<li><a href="#" title="Turkish" onclick="return sh_bl('tr');">Türkçe</a></li>
</ul>
</div>
<div id="texts">
<div id="en">
<p>Can't yo<span class="h">KfP</span>u find the necessary files?<br>Is the c<span class="h">mRm8Hmuq4</span>ontent of your files not readable?</p>
<p>It is normal be<span class="h">zqSpUjDfW</span>cause the files' names and the data in your files have been encryp<span class="h">Xk</span>ted by "Ce<span class="h">PmE39x1</span>rber Ransomware".</p>
<p>It me<span class="h">hhdn</span>ans your files are NOT damage<span class="h">ZhjtR</span>d! Your files are modified only. This modification is reversible.<br>F<span class="h">ghGwSp3caR</span>rom now it is not poss<span class="h">1IeuQFBR</span>ible to use your files until they will be decrypted.</p>
<p>The only way to dec<span class="h">nks5bs</span>rypt your files safely is to buy the special decryption software "C<span class="h">ZxQtd1DRG</span>erber Decryptor".</p>
<p>Any attempts to rest<span class="h">YthFnr4w</span>ore your files with the thir<span class="h">EWX</span>d-party software will be fatal for your files!</p>
<hr>
<p class="w331208">You can proc<span class="h">pmztFFe2rv</span>eed with purchasing of the decryption softw<span class="h">g5</span>are at your personal page:</p>
<p><span class="info"><span class="updating">Ple<span class="h">6vfjS2c</span>ase wait...</span><a class="url" href="http://p27dokhpz2n7nvgr.12hygy.top/BD5C-3D4E-B27F-0446-9470" target="_blank">http://p27dokhpz2n7nvgr.12hygy.top/BD5C-3D4E-B27F-0446-9470</a><hr><a href="http://p27dokhpz2n7nvgr.14ewqv.top/BD5C-3D4E-B27F-0446-9470" target="_blank">http://p27dokhpz2n7nvgr.14ewqv.top/BD5C-3D4E-B27F-0446-9470</a><hr><a href="http://p27dokhpz2n7nvgr.14vvrc.top/BD5C-3D4E-B27F-0446-9470" target="_blank">http://p27dokhpz2n7nvgr.14vvrc.top/BD5C-3D4E-B27F-0446-9470</a><hr><a href="http://p27dokhpz2n7nvgr.129p1t.top/BD5C-3D4E-B27F-0446-9470" target="_blank">http://p27dokhpz2n7nvgr.129p1t.top/BD5C-3D4E-B27F-0446-9470</a><hr><a href="http://p27dokhpz2n7nvgr.1apgrn.top/BD5C-3D4E-B27F-0446-9470" target="_blank">http://p27dokhpz2n7nvgr.1apgrn.top/BD5C-3D4E-B27F-0446-9470</a></span></p>
<p>If t<span class="h">Bu7ETTW25L</span>his page cannot be opened <span class="button" onclick="return _url_upd_('en');">cli<span class="h">YsXhylG</span>ck here</span> to get a new addr<span class="h">LzM9U7Q</span>ess of your personal page.<br><br>If the addre<span class="h">3PYlc</span>ss of your personal page is the same as befo<span class="h">dOu8Stnh4E</span>re after you tried to get a new one,<br>you c<span class="h">bnV</span>an try to get a new address in one hour.</p>
<p>At th<span class="h">G7fUPI</span>is page you will receive the complete instr<span class="h">ySsVu</span>uctions how to buy the decrypti<span class="h">Z0HvNd</span>on software for restoring all your files.</p>
<p>Also at this page you will be able to res<span class="h">Fr</span>tore any one file for free to be sure "Cerbe<span class="h">DoCuGXk</span>r Decryptor" will help you.</p>
<hr>
<p>If your per<span class="h">Xzk</span>sonal page is not availa<span class="h">uJpVRiIJ</span>ble for a long period there is another way to open your personal page - insta<span class="h">o0lidY</span>llation and use of Tor Browser:</p>
<ol>
<li>run your Inte<span class="h">6XBOm</span>rnet browser (if you do not know what it is run the Internet Explorer);</li>
<li>ent<span class="h">g0S9b</span>er or copy the address <a href="https://www.torproject.org/download/download-easy.html.en" target="_blank">https://www.torproject.org/download/download-easy.html.en</a> into the address bar of your browser and press ENTER;</li>
<li>wait for the site load<span class="h">HgwNU</span>ing;</li>
<li>on the site you will be offered to do<span class="h">rq</span>wnload Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed;</li>
<li>ru<span class="h">X2es1</span>n Tor Browser;</li>
<li>connect with the butt<span class="h">0atCen712a</span>on "Connect" (if you use the English version);</li>
<li>a normal Internet bro<span class="h">1GUy</span>wser window will be opened after the initialization;</li>
<li>type or copy the add<span class="h">EMqDlmJp</span>ress <br><span class="info">http://p27dokhpz2n7nvgr.onion/BD5C-3D4E-B27F-0446-9470</span><br> in this browser address bar;</li>
<li>pre<span class="h">UI</span>ss ENTER;</li>
<li>the site sho<span class="h">Q7jcKp5ad</span>uld be loaded; if for some reason the site is not lo<span class="h">0gua</span>ading wait for a moment and try again.</li>
</ol>
<p>If you have any pr<span class="h">cYch20pKCE</span>oblems during installation or use of Tor Browser, please, visit <a href="https://www.youtube.com/results?search_query=Install+Tor+Browser+Windows" target="_blank">https://www.youtube.com</a> and type request in the searc<span class="h">FePvce</span>h bar "Install Tor Browser Windows" and you will find a lot of training videos about Tor Browser installation and use.</p>
<hr>
<p><strong>Addit<span class="h">1aLSIOYh9N</span>ional information:</strong></p>
<p>You will fi<span class="h">T</span>nd the instru<span class="h">gVv7mc</span>ctions ("*_READ_THIS_FILE_*.hta") for re<span class="h">YCNvfu</span>storing your files in any f<span class="h">dR</span>older with your enc<span class="h">M9MOev</span>rypted files.</p>
<p>The instr<span class="h">QY8nLE</span>uctions "*_READ_THIS_FILE_*.hta" in the f<span class="h">ZS8sfjckx</span>older<span class="h">1CT4</span>s with your encry<span class="h">t9Xdv</span>pted files are not vir<span class="h">Q</span>uses! The instruc<span class="h">Srq9rWzPs</span>tions "*_READ_THIS_FILE_*.hta" will he<span class="h">0F</span>lp you to dec<span class="h">iX04pDV</span>rypt your files.</p>
<p>Remembe<span class="h">F19SI</span>r! The worst si<span class="h">XprccyUVn</span>tuation already happ<span class="h">i90Oaj</span>ened and now the future of your files de<span class="h">ombu6Hm18o</span>pends on your determ<span class="h">i</span>ination and speed of your actions.</p>
</div>
<div id="ar" style="direction: rtl;">
<p>لا يمكنك العثور على الملفات الضرورية؟<br>هل محتوى الملفات غير قابل للقراءة؟</p>
<p>هذا أمر طبيعي لأن أسماء الملفات والبيانات في الملفات قد تم تشفيرها بواسطة "Cerber Ransomware".</p>
<p>وهذا يعني أن الملفات الخاصة بك ليست تالفة! فقد تم تعديل ملفاتك فقط. ويمكن التراجع عن هذا.<br>ومن الآن فإنه لا يكن استخدام الملفات الخاصة بك حتى يتم فك تشفيرها.</p>
<p>الطريقة الوحيدة لفك تشفير ملفاتك بأمان هو أن تشتري برنامج فك التشفير المتخصص "Cerber Decryptor".</p>
<p>إن أية محاولات لاستعادة الملفات الخاصة بك بواسطة برامج من طرف ثالث سوف تكون مدمرة لملفاتك!</p>
<hr>
<p>يمكنك الشروع في شراء برنامج فك التشفير من صفحتك الشخصية:</p>
<p><span class="info"><span class="updating">أرجو الإنتظار...</span><a class="url" href="http://p27dokhpz2n7nvgr.12hygy.top/BD5C-3D4E-B27F-0446-9470" target="_blank">http://p27dokhpz2n7nvgr.12hygy.top/BD5C-3D4E-B27F-0446-9470</a><hr><a href="http://p27dokhpz2n7nvgr.14ewqv.top/BD5C-3D4E-B27F-0446-9470" target="_blank">http://p27dokhpz2n7nvgr.14ewqv.top/BD5C-3D4E-B27F-0446-9470</a><hr><a href="http://p27dokhpz2n7nvgr.14vvrc.top/BD5C-3D4E-B27F-0446-9470" target="_blank">http://p27dokhpz2n7nvgr.14vvrc.top/BD5C-3D4E-B27F-0446-9470</a><hr><a href="http://p27dokhpz2n7nvgr.129p1t.top/BD5C-3D4E-B27F-0446-9470" target="_blank">http://p27dokhpz2n7nvgr.129p1t.top/BD5C-3D4E-B27F-0446-9470</a><hr><a href="http://p27dokhpz2n7nvgr.1apgrn.top/BD5C-3D4E-B27F-0446-9470" target="_blank">http://p27dokhpz2n7nvgr.1apgrn.top/BD5C-3D4E-B27F-0446-9470</a></span></p>
<p>في حالة تعذر فتح هذه الصفحة <span class="button" onclick="return _url_upd_('ar');">انقر هنا</span> لإنشاء عنوان جديد لصفحتك الشخصية.</p>
<p>في هذه الصفحة سوف تتلقى تعليمات كاملة حول كيفية شراء برنامج فك التشفير لاستعادة جميع الملفات الخاصة بك.</p>
<p>في هذه الصفحة أيضًا سوف تتمكن من استعادة ملف واحد بشكل مجاني للتأكد من أن "Cerber Decryptor" سوف يساعدك.</p>
<hr>
<p>إذا كانت صفحتك الشخصية غير متاحة لفترة طويلة فإن ثمّة طريقة أخرى لفتح صفحتك الشخصية - تحميل واستخدام متصفح Tor:</p>
<ol>
<li>قم بتشغيل متصفح الإنترنت الخاص بك (إذا كنت لا تعرف ما هو قم بتشغيل إنترنت إكسبلورر);</li>
<li>قم بكتابة أو نسخ العنوان <a href="https://www.torproject.org/download/download-easy.html.en" target="_blank">https://www.torproject.org/download/download-easy.html.en</a> إلى شريط العنوان في المستعرض الخاص بك ثم اضغط ENTER;</li>
<li>انتظر لتحميل الموقع;</li>
<li>سوف يعرض عليك الموقع تحميل متصفح Tor. قم بتحميله وتشغيله، واتبع تعليمات التثبيت، وانتظر حتى اكتمال التثبيت;</li>
<li>قم بتشغيل متصفح Tor;</li>
<li>اضغط على الزر "Connect" (إذا كنت تستخدم النسخة الإنجليزية);</li>
<li>سوف تُفتح نافذة متصفح الإنترنت العادي بعد البدء;</li>
<li>قم بكتابة أو نسخ العنوان <br><span class="info">http://p27dokhpz2n7nvgr.onion/BD5C-3D4E-B27F-0446-9470</span><br> في شريط العنوان في المتصفح;</li>
<li>اضغط ENTER;</li>
<li>يجب أن يتم تحميل الموقع؛ إذا لم يتم تحميل الموقع لأي سبب، انتظر للحظة وحاول مرة أخرى.</li>
</ol>
<p>إذا كان لديك أية مشكلات أثناء عملية التثبيت أو استخدام متصفح Tor، يُرجى زيارة <a href="https://www.youtube.com/results?search_query=Install+Tor+Browser+Windows" target="_blank">https://www.youtube.com</a> واكتب الطلب "install tor browser windows" أو "تثبيت نوافذ متصفح Tor" في شريط البحث، وسوف تجد الكثير من أشرطة الفيديو للتدريب حول تثبيت متصفح Tor واستخدامه.</p>
<hr>
<p><strong>معلومات إض<span class="h">Dw</span>افية:</strong></p>
<p>س<span class="h">D18</span>وف تجد إرشادات استعادة الملفات الخاصة بك ("*_READ_THIS_FILE_*") في أي مجلد مع ملفاتك المشفرة.</p>
<p>الإرش<span class="h">DGIbSTQ</span>ادات ("*_READ_THIS_FILE_*") الموجودة في المجلدات مع ملفاتك المشفرة ليست فيروسات والإرشادات ("*_READ_THIS_FILE_*") سوف تساعدك على فك تشفير الملفات الخاصة بك.</p>
<p>تذكر أن أسوأ مو<span class="h">bXCBm9CB</span>قف قد حدث بالفعل، والآن مستقبل ملفاتك يعتمد على عزيمتك وسرعة الإجراءات الخاصة بك.</p>
</div>
<div id="zh">
<p>您找不到所需的文件?<br>您文件的内容无法阅读?</p>
<p>这是正常的,因为您文件的文件名和数据已经被“Cerber Ransomware”加密了。</p>
<p>这意味着您的文件并没有损坏!您的�
Extracted
Path
C:\Users\Admin\AppData\Roaming\Microsoft\OneNote\16.0\_R_E_A_D___T_H_I_S___XVYBEM_.txt
Family
cerber
Ransom Note
CERBER RANSOMWARE
-----
YOUR DOCUMENTS, PH0TOS, DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED!
-----
The only way to decrypt y0ur files is to receive the private key and decryption program.
To receive the private key and decryption program go to any decrypted folder,
inside there is the special file (*_READ_THIS_FILE_*) with complete instructions
how to decrypt your files.
If you cannot find any (*_READ_THIS_FILE_*) file at your PC, follow the instructions below:
-----
1. Download "Tor Browser" from https://www.torproject.org/ and install it.
2. In the "Tor Browser" open your personal page here:
http://p27dokhpz2n7nvgr.onion/BD5C-3D4E-B27F-0446-9470
Note! This page is available via "Tor Browser" only.
-----
Also you can use temporary addresses on your personal page without using "Tor Browser".
-----
1. http://p27dokhpz2n7nvgr.12hygy.top/BD5C-3D4E-B27F-0446-9470
2. http://p27dokhpz2n7nvgr.14ewqv.top/BD5C-3D4E-B27F-0446-9470
3. http://p27dokhpz2n7nvgr.14vvrc.top/BD5C-3D4E-B27F-0446-9470
4. http://p27dokhpz2n7nvgr.129p1t.top/BD5C-3D4E-B27F-0446-9470
5. http://p27dokhpz2n7nvgr.1apgrn.top/BD5C-3D4E-B27F-0446-9470
-----
Note! These are temporary addresses! They will be available for a limited amount of time!
-----
URLs
http://p27dokhpz2n7nvgr.onion/BD5C-3D4E-B27F-0446-9470
http://p27dokhpz2n7nvgr.12hygy.top/BD5C-3D4E-B27F-0446-9470
http://p27dokhpz2n7nvgr.14ewqv.top/BD5C-3D4E-B27F-0446-9470
http://p27dokhpz2n7nvgr.14vvrc.top/BD5C-3D4E-B27F-0446-9470
http://p27dokhpz2n7nvgr.129p1t.top/BD5C-3D4E-B27F-0446-9470
http://p27dokhpz2n7nvgr.1apgrn.top/BD5C-3D4E-B27F-0446-9470
Signatures
-
Cerber
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
-
Contacts a large (1110) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Modifies Windows Firewall 2 TTPs 2 IoCs
-
Drops startup file 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Drops file in System32 directory 38 IoCs
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
-
Drops file in Program Files directory 20 IoCs
-
Drops file in Windows directory 64 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Kills process with taskkill 1 IoCs
-
Modifies data under HKEY_USERS 2 IoCs
-
Modifies registry class 1 IoCs
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/kh4sh3i/Ransomware-Samples1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffee19e9758,0x7ffee19e9768,0x7ffee19e97782⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1732 --field-trial-handle=1848,i,9118327221256452211,15832331031422220760,131072 /prefetch:22⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2104 --field-trial-handle=1848,i,9118327221256452211,15832331031422220760,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2184 --field-trial-handle=1848,i,9118327221256452211,15832331031422220760,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3060 --field-trial-handle=1848,i,9118327221256452211,15832331031422220760,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3076 --field-trial-handle=1848,i,9118327221256452211,15832331031422220760,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5384 --field-trial-handle=1848,i,9118327221256452211,15832331031422220760,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4924 --field-trial-handle=1848,i,9118327221256452211,15832331031422220760,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5580 --field-trial-handle=1848,i,9118327221256452211,15832331031422220760,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5608 --field-trial-handle=1848,i,9118327221256452211,15832331031422220760,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5160 --field-trial-handle=1848,i,9118327221256452211,15832331031422220760,131072 /prefetch:22⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=1600 --field-trial-handle=1848,i,9118327221256452211,15832331031422220760,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=2548 --field-trial-handle=1848,i,9118327221256452211,15832331031422220760,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.Cerber.zip\cerber.exe"C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.Cerber.zip\cerber.exe"1⤵
- Drops startup file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
-
C:\Windows\SysWOW64\netsh.exeC:\Windows\system32\netsh.exe advfirewall set allprofiles state on2⤵
- Modifies Windows Firewall
-
-
C:\Windows\SysWOW64\netsh.exeC:\Windows\system32\netsh.exe advfirewall reset2⤵
- Modifies Windows Firewall
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___QL01GE_.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}2⤵
-
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___AAT7MRER_.txt2⤵
- Opens file in notepad (likely ransom note)
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe"2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im "cerber.exe"3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\PING.EXEping -n 1 127.0.0.13⤵
- Runs ping.exe
-
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.Mamba.zip\131.exe"C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.Mamba.zip\131.exe"1⤵
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5be42eddefda4f5205ab5e1ac783637ad
SHA17b4399c06a2c98f0f864250907ec0e505696109f
SHA2564558ae26078434868e0fc817c878fc86bf971f61b98e93cc64d87c2917604a68
SHA5123f4918cf074670e6a9a49f5ac7a59f96c85280d7229f28b05188b77bdf4b2a411839a5a3f550743e1d89448753c55ef136e10c456f7713be40c5bde93e208fb2
-
Filesize
1KB
MD54d02671c53152bc2972ab0ca2966e61c
SHA1b32df1753af76a9c481ad10423d0c5ba321d10bc
SHA2560f8832109916665de53959221958166530e7ccc672b8f38b6465322334f4caca
SHA512f49080917799c07ee50ed17b2f751d4501538968f21f0606dc9ed2fb13ce90bfae08cd4e35566352a6735f1ffdf07a7b77ee00662ad0d450f539f400964d0914
-
Filesize
1KB
MD5cdb96727f40057ed549feafba84444d8
SHA1799b2e2d32f5c034d6cc2052954f43d564cfd227
SHA256b7309804ee38c83c746ba6bfc3c2ea0aca2bb0073430d81cda79ebea863f039d
SHA512deb435035b532dccff9cd38d9e1211935d384ea79ee91600c53867052c24d331d3b062d935bbfc39763b7fd67592b44dbab6d893295ef13f2f21e0ab457b22f5
-
Filesize
1KB
MD541e5bb85c1654364137e67cbc76bb2f9
SHA1f2608a30515e22539969860141f34bce25e07616
SHA256d33b2b43530c827660d0d68ba147eee9a5ee2684b3dc2b4e371cf7944fe75dbb
SHA512e4051468bfff818db323355dc1f7016e031f2944ae5054204dd8c2fbd6cad2f71281ed0a7de399943b76cf83d9ebe0d5a315bf2883ec212a5b33fd11d30c8266
-
Filesize
1KB
MD5dfb9bcb45e070a615cf116c33f77e082
SHA1a052d3d5ecf1cbc3733f7d58f933c73df5911bb7
SHA2562c497db7ebc5746b8c82ec1314ffdfb5f6f52d7561cf20bab481cd51f5ec729d
SHA51208fb6fb0afaabe65b6a6f01cef8ceeae0cf5133cce58728980a588adbabe5b0a14932d6b1d6f865a47fce9d0de8fa4b46dc33f7099b4e52b71ced4a1a2d10919
-
Filesize
1KB
MD51ef78be71a5dee7adc85b4b4c7fd8880
SHA1b69ab7333715d934cc8769fd6e3165db61c52e6d
SHA2563be31237d075c2b004811804d6f498079188aa18af8448e38771285732e71fd5
SHA512d4c3dfea588293fdebc094efb1dc17009535e8f581810d7485e344253354982b24c988e2aa55685993d836de655d9fccd817abb58e155b4655a113a556a60113
-
Filesize
1KB
MD52280c63dc31fbb629c8f4b54a55a7cbe
SHA19af7dde6c099db861a96199b091e9dae25a39d35
SHA256681811fe4ed0b767508ba633ada60df454add6a886d78555bb7d896c67f2a5c7
SHA51279975e9f39fb9174346d5ec4ab7c304c1e03d001811a395a23180abb7555c9b11e98fb09c94a52797072dbc81a1d9bb8643fdfa36f0b0469e69883d30aa032dd
-
Filesize
6KB
MD5e66517b8817c780cc4f1d64ba47aff1e
SHA12c7ddd38d1179a6bf344a09616f3146de303f582
SHA256b5316473909c17337caabaa876a5db467c4da229ec4fea0e4a08481d1780a328
SHA512311cc6a7b6c3b3ff787a798ad2bacfd665bf28de82d6d9f3ff689dc49a36dd674c21f17273d8c04cd394922585892b1ff45dc09db88bac38f6ed067b0f1146c9
-
Filesize
6KB
MD54caa7ba0af2f3c0c9ca9345c7d0ebafb
SHA15ca8c05b5a399b3da793ebb472b938f965b82808
SHA256c581fe6c6887341cb566bb2bd31ae78afc5574df7037d0bd4296aa786f9736d1
SHA512f7e4e64e2c824c78d480b334cbd47735e28a9ae16475c67a51c19e208e8b4927aaf5911504a72d3762fdcceb3166950df00f98a5e83299b309bc82ebc73693d0
-
Filesize
6KB
MD51fa9bc14258cf3d95171bfb7b574ea30
SHA1363d6ed5d05ef7dad807bbbbcfe4c27e5ad449fb
SHA256a0e9b7384996b01969d3cf4567613c18bedc5aa11975246d44bcb16349e7cf20
SHA5127fd7a0f742eb261d1ae3cbe710af892d1c8050b27f6bcb49534248b6ed9ad72b022ba9d16f3beb757f2691a546e3d230549f45d1319a7cf6c708b4da275a1dbb
-
Filesize
6KB
MD55a3e7a75103bc83cacdf3da065233324
SHA145ba9fb5536314fd66d56688e7f1ebb80991fb54
SHA256309597f0b4da640318ebd72b6cdc667f8cd6d70e00b928790f5203c76396c34e
SHA51271aff2f81e48f8b3fb35e274412178055df8ddf65c79d7bccf3aae109d77290f225ef7855430420502c34814a0285ff28414b8a889afbf13c4fcbd16bc003c20
-
Filesize
128KB
MD57d180ca8a594a030c83426b0b9cd88bb
SHA1dae38022c1ad20cadefd188d4414410b37e4b589
SHA256adfe0df502685b08c43046237a893a1d1295c7991fa110f137c7d234b649bf84
SHA51259ccf71f9d83466f4258fa66d2c2fffb92d02a9d52d01d2ae1e94b250270df8d0cc4dab0ac39bd8b029dfa919716fcdfcbc72a0a62e80900750c3b28c119f76c
-
Filesize
128KB
MD58fd9b5cfeb3bfa83431db5fd28c8d2b3
SHA1e8e1695475e4ef2931110ba5b45d84ec9b0ccf17
SHA256196483ad5bef1335f956bac540b871a37e79fd152c8b7cac11daf9407b20f136
SHA51291bfa147ff50cc9af607c347964e42cd5d4c1e25573c544129eb66d9d941584de38b8b2baa981ed706d03c965cd7be2b4cf1dc5b0f3b90cc13cc62ffb5113e1b
-
Filesize
2B
MD599914b932bd37a50b983c5e7c90ae93b
SHA1bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA25644136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA51227c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd
-
Filesize
75KB
MD55a6d8286bc970ec564ee0cc05727c037
SHA1be29dab56e439b6a827214d274a37ce1053bd930
SHA256ca9a5fdf1c531b0b85cab89e16cb93d5a6c9bdfa8c50f4e58d1da0a4793d4db4
SHA5122e0dcb540e42e2d1bdc8f67d3af58d3d5df02fe0cfa05e2d19cfdb3f1e350b13d2fdaf0f09c46b826ce598fb743be3fb8aea992a18cf5acf1dc665c4c2e35cc5
-
Filesize
1KB
MD552eb9070f1d435e451138b3cf17b590f
SHA121cd74929241ae552d5cbcbcfc98fee0cf72d2b7
SHA25686ec4ac3cc6a5464c7a3768cdfc40f3fa99b7d3d38c922179d352d1dc4766f80
SHA51264b8561af79fdb5d333b9f527171e60a7054fe902f224942365c6962599c4927dc412171318ca378613100f6cbe74219d81c24c4327398f990be7835d21490ae
-
Filesize
15.1MB
MD5e88a0140466c45348c7b482bb3e103df
SHA1c59741da45f77ed2350c72055c7b3d96afd4bfc1
SHA256bab1853454ca6fdd3acd471254101db1b805b601e309a49ec7b4b1fbcfc47ad7
SHA5122dc9682f4fb6ea520acc505bdbe7671ab7251bf9abd25a5275f0c543a6157d7fa5325b9dce6245e035641ab831d646f0e14f6649f9464f5e97431ab1bf7da431
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
196KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB