Analysis

  • max time kernel
    117s
  • max time network
    134s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64 arch:x86 image:win7-20231129-en locale:en-us os:windows7-x64 system
  • submitted
    07-05-2024 11:26

General

  • Target

    cerber.exe

  • Size

    604KB

  • MD5

    8b6bc16fd137c09a08b02bbe1bb7d670

  • SHA1

    c69a0f6c6f809c01db92ca658fcf1b643391a2b7

  • SHA256

    e67834d1e8b38ec5864cfa101b140aeaba8f1900a6e269e6a94c90fcbfe56678

  • SHA512

    b53d2cc0fe5fa52262ace9f6e6ea3f5ce84935009822a3394bfe49c4d15dfeaa96bfe10ce77ffa93dbf81e5428122aa739a94bc709f203bc346597004fd75a24

  • SSDEEP

    6144:yYghlI5/u8f1mr+4RJ99MpDa52RX5wRDhOOU0qsR:yYKlYmDXEpDHRXP01

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___35GPHBC_.txt

Family

cerber

Ransom Note

CERBER RANSOMWARE
-----
YOUR DOCUMENTS, PH0TOS, DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED!
-----
The only way to decrypt y0ur files is to receive the private key and decryption program.
To receive the private key and decryption program go to any decrypted folder, inside there is the special file (*_READ_THIS_FILE_*) with complete instructions how to decrypt your files.
If you cannot find any (*_READ_THIS_FILE_*) file at your PC, follow the instructions below:
-----
1. Download "Tor Browser" from https://www.torproject.org/ and install it.
2. In the "Tor Browser" open your personal page here: http://p27dokhpz2n7nvgr.onion/55A8-1BAF-733A-0446-95EF
Note! This page is available via "Tor Browser" only.
-----
Also you can use temporary addresses on your personal page without using "Tor Browser".
-----
1. http://p27dokhpz2n7nvgr.12hygy.top/55A8-1BAF-733A-0446-95EF
2. http://p27dokhpz2n7nvgr.14ewqv.top/55A8-1BAF-733A-0446-95EF
3. http://p27dokhpz2n7nvgr.14vvrc.top/55A8-1BAF-733A-0446-95EF
4. http://p27dokhpz2n7nvgr.129p1t.top/55A8-1BAF-733A-0446-95EF
5. http://p27dokhpz2n7nvgr.1apgrn.top/55A8-1BAF-733A-0446-95EF
-----
Note! These are temporary addresses! They will be available for a limited amount of time!
-----
URLs

http://p27dokhpz2n7nvgr.onion/55A8-1BAF-733A-0446-95EF

http://p27dokhpz2n7nvgr.12hygy.top/55A8-1BAF-733A-0446-95EF

http://p27dokhpz2n7nvgr.14ewqv.top/55A8-1BAF-733A-0446-95EF

http://p27dokhpz2n7nvgr.14vvrc.top/55A8-1BAF-733A-0446-95EF

http://p27dokhpz2n7nvgr.129p1t.top/55A8-1BAF-733A-0446-95EF

http://p27dokhpz2n7nvgr.1apgrn.top/55A8-1BAF-733A-0446-95EF
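
The ransom note encodes the victim-specific indicators in a fixed shape: one .onion URL whose path is the victim ID, and five clearnet "temporary addresses" that reuse the onion hostname as a leading DNS label under throwaway .top domains. The parser below is an added example, not code from the sandbox or from the malware. NOTE is an excerpt of the .txt note reproduced in this report; the result field names and the rule that the registrable .top domain is the blockable unit are assumptions of this example.

```python
"""Extract the victim-facing indicators from a Cerber ransom note.

Added example; this is not code from the sandbox or from the malware. NOTE is
an excerpt of the _R_E_A_D___T_H_I_S___35GPHBC_.txt text reproduced in this
report. The parser relies only on what that note shows: a single .onion URL,
plus "temporary" clearnet mirrors that reuse the onion hostname as a leading
DNS label and carry the same per-victim path.
"""
import json
import re
from urllib.parse import urlparse

# Excerpt of the note as shown in the report (constructed test input).
NOTE = """\
1. Download "Tor Browser" from https://www.torproject.org/ and install it.
2. In the "Tor Browser" open your personal page here: http://p27dokhpz2n7nvgr.onion/55A8-1BAF-733A-0446-95EF
Note! This page is available via "Tor Browser" only.
-----
Also you can use temporary addresses on your personal page without using "Tor Browser".
-----
1. http://p27dokhpz2n7nvgr.12hygy.top/55A8-1BAF-733A-0446-95EF
2. http://p27dokhpz2n7nvgr.14ewqv.top/55A8-1BAF-733A-0446-95EF
3. http://p27dokhpz2n7nvgr.14vvrc.top/55A8-1BAF-733A-0446-95EF
4. http://p27dokhpz2n7nvgr.129p1t.top/55A8-1BAF-733A-0446-95EF
5. http://p27dokhpz2n7nvgr.1apgrn.top/55A8-1BAF-733A-0446-95EF
-----
Note! These are temporary addresses! They will be available for a limited amount of time!
"""

URL_RE = re.compile(r"""https?://[^\s"'<>]+""")


def parse_cerber_note(note: str) -> dict:
    """Return onion host, victim ID, mirror hosts and blockable apex domains."""
    urls = []
    for u in URL_RE.findall(note):
        u = u.rstrip(".,)")  # trailing prose punctuation is not part of the URL
        if u not in urls:
            urls.append(u)

    onion = [u for u in urls if (urlparse(u).hostname or "").endswith(".onion")]
    if len(onion) != 1:
        raise ValueError(f"expected exactly one .onion URL, found {len(onion)}")
    onion_host = urlparse(onion[0]).hostname
    onion_label = onion_host.split(".")[0]      # p27dokhpz2n7nvgr
    victim_id = urlparse(onion[0]).path.strip("/")

    mirrors, other = [], []
    for u in urls:
        host = urlparse(u).hostname or ""
        if host == onion_host:
            continue
        # Mirrors reuse the onion label as their first DNS label.
        (mirrors if host.startswith(onion_label + ".") else other).append(u)

    # Every mirror must carry the same victim path; a mismatch means the note
    # was edited or the regex picked up an unrelated URL.
    path_consistent = all(urlparse(u).path.strip("/") == victim_id for u in mirrors)

    # Block at the registrable apex (assumed here to be the last two labels):
    # the leading label is constant, the .top domain is what the operator owns.
    block_domains = []
    for u in mirrors:
        apex = ".".join(urlparse(u).hostname.split(".")[-2:])
        if apex not in block_domains:
            block_domains.append(apex)

    return {
        "onion_host": onion_host,
        "victim_id": victim_id,
        "mirror_hosts": [urlparse(u).hostname for u in mirrors],
        "block_domains": block_domains,
        "path_consistent": path_consistent,
        "other_urls": other,
    }


if __name__ == "__main__":
    print(json.dumps(parse_cerber_note(NOTE), indent=2))
```

Blocking only the full mirror hostnames would be brittle: the label p27dokhpz2n7nvgr is constant, but the operator can mint new subdomains of the .top domains at will, so the registrable domain is the stable indicator. The path check guards against a note that has been edited or a URL the regex matched by mistake.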

Signatures

  • Cerber

    Cerber is a widely used ransomware-as-a-service (RaaS), first seen in early 2016.

  • Blocklisted process makes network request (7 IoCs)
  • Contacts a large (1096) amount of remote hosts (1 TTP)

    This may indicate a network scan to discover remotely running services.

  • Modifies Windows Firewall (2 TTPs, 2 IoCs)
  • Deletes itself (1 IoC)
  • Drops file in System32 directory (38 IoCs)
  • Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  • Drops file in Program Files directory (20 IoCs)
  • Drops file in Windows directory (64 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Kills process with taskkill (1 IoC)
  • Modifies Internet Explorer settings (1 TTP, 1 IoC)
  • Modifies system certificate store (2 TTPs, 3 IoCs)
  • Opens file in notepad (likely ransom note) (1 IoC)
  • Runs ping.exe (1 TTP, 1 IoC)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of UnmapMainImage (1 IoC)
  • Suspicious use of WriteProcessMemory (28 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\cerber.exe
    "C:\Users\Admin\AppData\Local\Temp\cerber.exe"
    1⤵
    • Drops file in System32 directory
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:2896
    • C:\Windows\SysWOW64\netsh.exe
      C:\Windows\system32\netsh.exe advfirewall set allprofiles state on
      2⤵
      • Modifies Windows Firewall
      PID:2380
    • C:\Windows\SysWOW64\netsh.exe
      C:\Windows\system32\netsh.exe advfirewall reset
      2⤵
      • Modifies Windows Firewall
      PID:3012
    • C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___TDSQ2B7_.hta"
      2⤵
      • Blocklisted process makes network request
      • Modifies Internet Explorer settings
      • Modifies system certificate store
      PID:2916
    • C:\Windows\SysWOW64\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___35GPHBC_.txt
      2⤵
      • Opens file in notepad (likely ransom note)
      PID:948
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe"
      2⤵
      • Deletes itself
      • Suspicious use of WriteProcessMemory
      PID:484
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im "cerber.exe"
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1292
      • C:\Windows\SysWOW64\PING.EXE
        ping -n 1 127.0.0.1
        3⤵
        • Runs ping.exe
        PID:1916
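
The process tree above is a compact set of detection opportunities: netsh.exe changing advfirewall state under a parent that lives in %TEMP%, mshta.exe and notepad.exe opening the ransom notes from the Desktop, and cmd.exe running taskkill /f /im against its own parent's image followed by a loopback ping (the customary delay before deleting the binary, which is what the Deletes itself signature on cmd.exe refers to). The Python below is an added example, not part of the report and not Cerber code. EVENTS is constructed from the command lines shown in this tree using an assumed minimal process-creation schema (pid, ppid, image, cmdline) that Sysmon Event ID 1 and Windows 4688 both provide; the root ppid, the user-writable path list and the benign control process at the end are made up for the example.

```python
"""Detections for the process-tree behaviours shown in this report.

Added example; not part of the sandbox report and not Cerber code. EVENTS is
constructed from the command lines in the Processes section, using an assumed
minimal process-creation schema (pid, ppid, image, cmdline). The ppid of the
root process and the benign control events at the end are made up.
"""
import re

EVENTS = [
    {"pid": 2896, "ppid": 1200, "image": r"C:\Users\Admin\AppData\Local\Temp\cerber.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\cerber.exe"'},
    {"pid": 2380, "ppid": 2896, "image": r"C:\Windows\SysWOW64\netsh.exe",
     "cmdline": r"C:\Windows\system32\netsh.exe advfirewall set allprofiles state on"},
    {"pid": 3012, "ppid": 2896, "image": r"C:\Windows\SysWOW64\netsh.exe",
     "cmdline": r"C:\Windows\system32\netsh.exe advfirewall reset"},
    {"pid": 2916, "ppid": 2896, "image": r"C:\Windows\SysWOW64\mshta.exe",
     "cmdline": r'"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___TDSQ2B7_.hta"'},
    {"pid": 948, "ppid": 2896, "image": r"C:\Windows\SysWOW64\NOTEPAD.EXE",
     "cmdline": r'"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___35GPHBC_.txt'},
    {"pid": 484, "ppid": 2896, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\system32\cmd.exe"'},
    {"pid": 1292, "ppid": 484, "image": r"C:\Windows\SysWOW64\taskkill.exe",
     "cmdline": r'taskkill /f /im "cerber.exe"'},
    {"pid": 1916, "ppid": 484, "image": r"C:\Windows\SysWOW64\PING.EXE",
     "cmdline": r"ping -n 1 127.0.0.1"},
    # Constructed benign control: an admin resetting the firewall from a console.
    {"pid": 5000, "ppid": 1200, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe"'},
    {"pid": 5001, "ppid": 5000, "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": r"netsh advfirewall reset"},
]

# Assumed list of user-writable locations; tune per environment.
USER_WRITABLE = re.compile(r"\\(appdata|temp|desktop|downloads|programdata|public)\\", re.I)
FIREWALL_CHANGE = re.compile(r"advfirewall\s+(reset|set\s+\S+\s+state)", re.I)
NOTE_PATH = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:hta|txt)(?="|\s|$)', re.I)
KILL_TARGET = re.compile(r'/im\s+"?([^\s"]+)', re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def user_writable(path: str) -> bool:
    return bool(USER_WRITABLE.search(path))


def detect(events):
    """Return (rule, pid) pairs, in event order, for the three behaviours."""
    by_pid = {e["pid"]: e for e in events}
    children = {}
    for e in events:
        children.setdefault(e["ppid"], []).append(e)

    alerts = []
    for e in events:
        img, cmd = basename(e["image"]), e["cmdline"]
        parent = by_pid.get(e["ppid"])
        parent_untrusted = parent is not None and user_writable(parent["image"])

        # 1. Firewall profile state changed or reset by a child of a binary
        #    that lives in a user-writable path.
        if img == "netsh.exe" and FIREWALL_CHANGE.search(cmd) and parent_untrusted:
            alerts.append(("firewall_tamper", e["pid"]))

        # 2. Ransom-note display: mshta running an .hta from a user-writable
        #    path, or notepad opening a file on behalf of an untrusted parent.
        paths = NOTE_PATH.findall(cmd)
        if img == "mshta.exe" and any(user_writable(p) for p in paths):
            alerts.append(("ransom_note_display", e["pid"]))
        elif img == "notepad.exe" and paths and parent_untrusted:
            alerts.append(("ransom_note_display", e["pid"]))

        # 3. Self-delete pattern: taskkill under cmd.exe targeting the image
        #    name of cmd's own parent, with a loopback ping sibling as delay.
        if img == "taskkill.exe" and parent is not None:
            m = KILL_TARGET.search(cmd)
            grand = by_pid.get(parent["ppid"])
            if m and grand and m.group(1).lower() == basename(grand["image"]):
                siblings = children.get(e["ppid"], [])
                delayed = any(basename(s["image"]) == "ping.exe" and "127.0.0.1" in s["cmdline"]
                              for s in siblings)
                alerts.append(("self_delete_via_cmd" if delayed else "parent_kill_via_cmd", e["pid"]))
    return alerts


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule}: pid {pid}")
```

Keying the firewall and notepad rules on the parent's path rather than on the command line alone is what keeps an administrator's own netsh advfirewall reset from a console out of the alert list; the constructed control process at the end exercises that path. The self-delete rule resolves two levels up the tree because the kill target is cmd.exe's parent, not taskkill's.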

Network

MITRE ATT&CK Matrix ATT&CK v13

Tactic, then technique (ID); the number is the count of signatures mapped to that technique.

  • Persistence
    • Create or Modify System Process (T1543): 1
      • Windows Service (T1543.003): 1
  • Privilege Escalation
    • Create or Modify System Process (T1543): 1
      • Windows Service (T1543.003): 1
  • Defense Evasion
    • Impair Defenses (T1562): 1
      • Disable or Modify System Firewall (T1562.004): 1
    • Modify Registry (T1112): 3
    • Subvert Trust Controls (T1553): 1
      • Install Root Certificate (T1553.004): 1
  • Discovery
    • Network Service Discovery (T1046): 1
    • System Information Discovery (T1082): 1
    • Remote System Discovery (T1018): 1
  • Impact
    • Defacement (T1491): 1

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
    Filesize

    68KB

    MD5

    29f65ba8e88c063813cc50a4ea544e93

    SHA1

    05a7040d5c127e68c25d81cc51271ffb8bef3568

    SHA256

    1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

    SHA512

    e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
    Filesize

    1KB

    MD5

    a266bb7dcc38a562631361bbf61dd11b

    SHA1

    3b1efd3a66ea28b16697394703a72ca340a05bd5

    SHA256

    df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

    SHA512

    0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
    Filesize

    242B

    MD5

    ffbb284e827cbdb2040903253950850c

    SHA1

    d7c24ae4509825a422fb9359a108742264a8e150

    SHA256

    734409f14267ac899bd748272a7e56f9cf11990b0bfd6049620f42572935b312

    SHA512

    c0d64d9ac637b1c9d87f86e08a52f79bfeb44395ff2dbff7beae535b958c1e1289d879055e4804ecdb9620340a6b91747daba9e5c647b3a3f2cdef01cad26b45

  • C:\Users\Admin\AppData\Local\Temp\Tar4272.tmp
    Filesize

    177KB

    MD5

    435a9ac180383f9fa094131b173a2f7b

    SHA1

    76944ea657a9db94f9a4bef38f88c46ed4166983

    SHA256

    67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

    SHA512

    1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

  • C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___35GPHBC_.txt
    Filesize

    1KB

    MD5

    2480e5e828ea3abd15a4a943ef3ba678

    SHA1

    b11fd1f50d31a1439c5f2eab0d6dfad115a13689

    SHA256

    141b3fc80a5ec50adbf78f9a07c8b3e49ecae9cf00d0bdbb37aeeafaf061ae56

    SHA512

    237db4f7b9bad395375fc10bb057433284cc67580b3ed4c78ea871c4f9e81b1a9584d8245299f85f1cc59110a19931b7f184beef8df251f0d41a140a9e4ebca5

  • C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___TDSQ2B7_.hta
    Filesize

    75KB

    MD5

    01e1004e2b15e23f1082b9696308e6d7

    SHA1

    30a337d024d60caca287237927aa48a48f07c10a

    SHA256

    8c09c8c1d11db58049afa62c41b7e2944b23511033cd3a9af6a94909396988ca

    SHA512

    e41bc1b40285d159b532eaad84a26307ab4f694320f27e25a0c3fad72258ccf7881a500f8719253b61cbb0e090a9fa557dbd032c58407b48aa297745a0343e97

  • memory/2896-1-0x0000000000400000-0x0000000000435000-memory.dmp
    Filesize

    212KB

  • memory/2896-0-0x0000000000220000-0x0000000000251000-memory.dmp
    Filesize

    196KB

  • memory/2896-2-0x0000000000400000-0x0000000000435000-memory.dmp
    Filesize

    212KB

  • memory/2896-5-0x0000000000400000-0x0000000000435000-memory.dmp
    Filesize

    212KB

  • memory/2896-79-0x0000000000400000-0x0000000000435000-memory.dmp
    Filesize

    212KB

  • memory/2896-120-0x0000000000400000-0x0000000000435000-memory.dmp
    Filesize

    212KB