cerber | a58b1f94ba24a2d7f06c2b7a9840243c4e1b75b1b580cf1ce4c5d9af69cedc85

General

Target

tXauTiJr.exe
Size

521KB
MD5

464c348f1bdf66a75c6b0d51256e916c
SHA1

fa7f683e451ab0a0c6c18a4dde7b9bbdde72ff27
SHA256

a58b1f94ba24a2d7f06c2b7a9840243c4e1b75b1b580cf1ce4c5d9af69cedc85
SHA512

cb07284fd3d33eef29f761fd0d044a9143b9e934eff49a625290c4da23580c1b0bb1f4cd9d5e574c698fbf791d13aa476be2a550baebb4f925ef019015710233
SSDEEP

6144:8a/Z+6VHFnEXbw2Y3h3NWqU/xdwpN8T4LUEDW9VXnHFudT7coWspLaIZ1ZT:8a/h8w2UNiX0gEOpnHFutV5n3

Score

10^/10

cerber ransomware

Malware Config

Signatures

Cerber 3 IoCs

Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.

ransomware cerber

Processes:

taskkill.exeAMIDEWINx64.exeAMIDEWINx64.exe

pid	process
4216	taskkill.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}	AMIDEWINx64.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}	AMIDEWINx64.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

tXauTiJr.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	tXauTiJr.exe

Executes dropped EXE 2 IoCs

Processes:

AMIDEWINx64.exeAMIDEWINx64.exe

pid process

1472 AMIDEWINx64.exe
2072 AMIDEWINx64.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

4216 taskkill.exe
2420 taskkill.exe
Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

648
648
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

taskkill.exetaskkill.exe

description pid process

Token: SeDebugPrivilege 4216 taskkill.exe
Token: SeDebugPrivilege 2420 taskkill.exe

pid	process
1472	AMIDEWINx64.exe
2072	AMIDEWINx64.exe

pid	process
4216	taskkill.exe
2420	taskkill.exe

pid	process
648
648

description	pid	process
Token: SeDebugPrivilege	4216	taskkill.exe
Token: SeDebugPrivilege	2420	taskkill.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

tXauTiJr.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 4752 wrote to memory of 1612	4752	tXauTiJr.exe	cmd.exe
PID 4752 wrote to memory of 1612	4752	tXauTiJr.exe	cmd.exe
PID 4752 wrote to memory of 4576	4752	tXauTiJr.exe	cmd.exe
PID 4752 wrote to memory of 4576	4752	tXauTiJr.exe	cmd.exe
PID 4752 wrote to memory of 4600	4752	tXauTiJr.exe	cmd.exe
PID 4752 wrote to memory of 4600	4752	tXauTiJr.exe	cmd.exe
PID 4752 wrote to memory of 4536	4752	tXauTiJr.exe	cmd.exe
PID 4752 wrote to memory of 4536	4752	tXauTiJr.exe	cmd.exe
PID 4752 wrote to memory of 3492	4752	tXauTiJr.exe	cmd.exe
PID 4752 wrote to memory of 3492	4752	tXauTiJr.exe	cmd.exe
PID 3492 wrote to memory of 4216	3492	cmd.exe	taskkill.exe
PID 3492 wrote to memory of 4216	3492	cmd.exe	taskkill.exe
PID 4752 wrote to memory of 2732	4752	tXauTiJr.exe	cmd.exe
PID 4752 wrote to memory of 2732	4752	tXauTiJr.exe	cmd.exe
PID 2732 wrote to memory of 1472	2732	cmd.exe	AMIDEWINx64.exe
PID 2732 wrote to memory of 1472	2732	cmd.exe	AMIDEWINx64.exe
PID 4752 wrote to memory of 3380	4752	tXauTiJr.exe	cmd.exe
PID 4752 wrote to memory of 3380	4752	tXauTiJr.exe	cmd.exe
PID 3380 wrote to memory of 2072	3380	cmd.exe	AMIDEWINx64.exe
PID 3380 wrote to memory of 2072	3380	cmd.exe	AMIDEWINx64.exe
PID 4752 wrote to memory of 1904	4752	tXauTiJr.exe	cmd.exe
PID 4752 wrote to memory of 1904	4752	tXauTiJr.exe	cmd.exe
PID 1904 wrote to memory of 2420	1904	cmd.exe	taskkill.exe
PID 1904 wrote to memory of 2420	1904	cmd.exe	taskkill.exe
PID 4752 wrote to memory of 724	4752	tXauTiJr.exe	cmd.exe
PID 4752 wrote to memory of 724	4752	tXauTiJr.exe	cmd.exe
PID 4752 wrote to memory of 4984	4752	tXauTiJr.exe	cmd.exe
PID 4752 wrote to memory of 4984	4752	tXauTiJr.exe	cmd.exe
PID 4752 wrote to memory of 5044	4752	tXauTiJr.exe	cmd.exe
PID 4752 wrote to memory of 5044	4752	tXauTiJr.exe	cmd.exe
PID 4752 wrote to memory of 1580	4752	tXauTiJr.exe	cmd.exe
PID 4752 wrote to memory of 1580	4752	tXauTiJr.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\tXauTiJr.exe
"C:\Users\Admin\AppData\Local\Temp\tXauTiJr.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:1612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4536

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C TASKKILL /F /IM WmiPrvSE.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:3492

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM WmiPrvSE.exe
3⤵
- Cerber
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4216

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS %RANDOM%%RANDOM%%RANDOM%
2⤵
- Suspicious use of WriteProcessMemory
PID:2732

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 920752467925
3⤵
- Cerber
- Executes dropped EXE
PID:1472

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV %RANDOM%%RANDOM%%RANDOM%
2⤵
- Suspicious use of WriteProcessMemory
PID:3380

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 920752467925
3⤵
- Cerber
- Executes dropped EXE
PID:2072

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C TASKKILL /F /IM WmiPrvSE.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:1904

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM WmiPrvSE.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2420

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\amide.sys
2⤵
PID:724

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\amifldrv64.sys
2⤵
PID:4984

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
2⤵
PID:5044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:1580

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
Filesize
452KB

MD5
c4d09d3b3516550ad2ded3b09e28c10c

SHA1
7a5e77bb9ba74cf57cb1d119325b0b7f64199824

SHA256
66433a06884f28fdabb85a73c682d1587767e1dfa116907559ec00ed8d0919d3

SHA512
2e7800aae592d38c4a6c854b11d0883de70f938b29d78e257ab47a8a2bbf09121145d0a9aea9b56c16e18cde31b693d31d7ebfcd0473b7c15df5d7ae6708bbd2

Download Submit
C:\ProgramData\Microsoft\Windows\amifldrv64.sys
Filesize
18KB

MD5
785045f8b25cd2e937ddc6b09debe01a

SHA1
029c678674f482ababe8bbfdb93152392457109d

SHA256
37073e42ffa0322500f90cd7e3c8d02c4cdd695d31c77e81560abec20bfb68ba

SHA512
40bbeb41816146c7172aa3cf27dace538908b7955171968e1cddcd84403b2588e0d8437a3596c2714ccdf4476eefa3d4e61d90ea118982b729f50b03df1104a9

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads