Analysis

  • max time kernel
    119s
  • max time network
    136s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    07-05-2024 13:54

General

  • Target: update.exe
  • Size: 336KB
  • MD5: d18869a94504fcfde57fd7b8f44b618e
  • SHA1: d7440f79066b4e482595960d8aa7afcda64e32c6
  • SHA256: 9e78cbd01966ae356ccfafb9c753a08fce648b6e157b017d43ce6497c9d761f6
  • SHA512: 35c3fcbec05364b147947867d5eaaff90c973f6eeff1259f532bf63ec200fa0fbcc85c9eeb8175633ffa543ba6c54bf0477892f7cf14dddaf18fa1e987ee0265
  • SSDEEP: 6144:nNBfB4r3IoSaqhFYDSRP09kJEbLC1wkyQAGElHHDBRMN0qtBkPTqv:nNRoSThqDSRP0meC1nAldWu1PGv

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\_READ_THI$_FILE_RABI1_.txt

Ransom Note

CERBER RAN$OMWARE
---
YOUR DOCUMENTS, PHOTOS, DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED!
---
The only way to decrypt your files is to receive the private key and decryption program. To receive the private key and decryption program go to any decrypted folder, inside there is the special file (*_READ_THIS_FILE_*) with complete instructions how to decrypt your files. If you cannot find any (*_READ_THIS_FILE_*) file at your PC, follow the instructions below:
---
1. Download "Tor Browser" from https://www.torproject.org/ and install it.
2. In the "Tor Browser" open your personal page here: http://p27dokhpz2n7nvgr.onion/E9C0-0016-A657-0446-96A2
Note! This page is available via "Tor Browser" only.
---
Also you can use temporary addresses on your personal page without using "Tor Browser".
---
1. http://p27dokhpz2n7nvgr.1czh7o.top/E9C0-0016-A657-0446-96A2
2. http://p27dokhpz2n7nvgr.1hpvzl.top/E9C0-0016-A657-0446-96A2
3. http://p27dokhpz2n7nvgr.1pglcs.top/E9C0-0016-A657-0446-96A2
4. http://p27dokhpz2n7nvgr.1cewld.top/E9C0-0016-A657-0446-96A2
5. http://p27dokhpz2n7nvgr.1js3tl.top/E9C0-0016-A657-0446-96A2
---
Note! These are temporary addresses! They will be available for a limited amount of time!
URLs

http://p27dokhpz2n7nvgr.onion/E9C0-0016-A657-0446-96A2

http://p27dokhpz2n7nvgr.1czh7o.top/E9C0-0016-A657-0446-96A2

http://p27dokhpz2n7nvgr.1hpvzl.top/E9C0-0016-A657-0446-96A2

http://p27dokhpz2n7nvgr.1pglcs.top/E9C0-0016-A657-0446-96A2

http://p27dokhpz2n7nvgr.1cewld.top/E9C0-0016-A657-0446-96A2

http://p27dokhpz2n7nvgr.1js3tl.top/E9C0-0016-A657-0446-96A2
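
The note above carries the indicators an analyst actually needs: the victim token in every URL path, the v2 hidden-service name, and the disposable clearnet "temporary addresses" that reuse that name as a subdomain. The following is an added example (not part of the sandbox report or of Cerber) that pulls those out of the note text and separates them from the benign torproject.org link that a naive URL grep would also return. NOTE is abridged from the note quoted above; the regexes, the mirror heuristic and the function names are this example's own assumptions. Note that 16-character .onion names are v2 addresses, which the Tor network stopped serving in 2021, so the .onion host is a historical indicator only.

```python
"""Indicator extraction from the Cerber ransom note quoted above.

Added example, not part of the sandbox report. NOTE is abridged from the
note in the Malware Config section; regexes and heuristics are assumptions.
"""
import re
from urllib.parse import urlsplit

# Abridged from the ransom note text in the report (constructed excerpt).
NOTE = """CERBER RAN$OMWARE --- YOUR DOCUMENTS, PHOTOS, DATABASES AND OTHER IMPORTANT
FILES HAVE BEEN ENCRYPTED! ---
1. Download "Tor Browser" from https://www.torproject.org/ and install it.
2. In the "Tor Browser" open your personal page here:
http://p27dokhpz2n7nvgr.onion/E9C0-0016-A657-0446-96A2
Note! This page is available via "Tor Browser" only. ---
Also you can use temporary addresses on your personal page without using "Tor Browser". ---
1. http://p27dokhpz2n7nvgr.1czh7o.top/E9C0-0016-A657-0446-96A2
2. http://p27dokhpz2n7nvgr.1hpvzl.top/E9C0-0016-A657-0446-96A2
3. http://p27dokhpz2n7nvgr.1pglcs.top/E9C0-0016-A657-0446-96A2
4. http://p27dokhpz2n7nvgr.1cewld.top/E9C0-0016-A657-0446-96A2
5. http://p27dokhpz2n7nvgr.1js3tl.top/E9C0-0016-A657-0446-96A2 ---
Note! These are temporary addresses! They will be available for a limited amount of time!"""

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
# Victim token as it appears in the URL path: five groups of four hex digits.
VICTIM_ID_RE = re.compile(r"^/([0-9A-F]{4}(?:-[0-9A-F]{4}){4})/?$")
# v2 hidden-service name: 16 base32 characters before .onion (assumption: v2 only).
ONION_V2_RE = re.compile(r"^([a-z2-7]{16})\.onion$")


def extract_urls(note):
    """All http(s) URLs in the note, with trailing prose punctuation stripped."""
    return [u.rstrip(".,;:)") for u in URL_RE.findall(note)]


def classify(urls):
    """Split hosts into the .onion service, its clearnet mirrors and everything else.

    A mirror is recognised because the hidden-service name is reused as the
    leftmost label of a disposable clearnet domain (tor2web-style gateway).
    """
    hosts = [(u, (urlsplit(u).hostname or "").lower()) for u in urls]
    onion_names = set()
    for _, host in hosts:
        m = ONION_V2_RE.match(host)
        if m:
            onion_names.add(m.group(1))

    result = {"onion": [], "mirrors": [], "other": [], "victim_ids": set()}
    for u, host in hosts:
        if ONION_V2_RE.match(host):
            result["onion"].append(host)
        elif host.split(".", 1)[0] in onion_names:
            result["mirrors"].append(host)
        else:
            result["other"].append(host)  # e.g. torproject.org: not an IOC
        m = VICTIM_ID_RE.match(urlsplit(u).path)
        if m:
            result["victim_ids"].add(m.group(1))
    return result


def mirror_parent_domains(result):
    """Disposable gateway domains to block: the part after the onion-name label."""
    return sorted({h.split(".", 1)[1] for h in result["mirrors"]})


if __name__ == "__main__":
    r = classify(extract_urls(NOTE))
    print("victim id(s):", sorted(r["victim_ids"]))
    print("onion:", r["onion"])
    print("block:", mirror_parent_domains(r))
    print("benign, do not block:", r["other"])
```

The victim token is identical across all six URLs, which is what ties the .onion page and its five mirrors to this one infection; the mirror parent domains are the actionable blocklist entries, since the subdomain label is constant across Cerber notes while the gateway domains rotate.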

Signatures

  • Cerber

    Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2016.

  • Blocklisted process makes network request 5 IoCs
  • Contacts a large (1095) number of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services. In Cerber samples the count typically reflects the malware's UDP check-in spray across a hard-coded IP range rather than a scan for services.

  • Modifies Windows Firewall 2 TTPs 2 IoCs
  • Deletes itself 1 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with the open-source UPX packer or a modified UPX variant.

  • Drops file in System32 directory 38 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 20 IoCs
  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Kills process with taskkill 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 42 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\update.exe
    "C:\Users\Admin\AppData\Local\Temp\update.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2524
    • C:\Users\Admin\AppData\Local\Temp\update.exe
      "C:\Users\Admin\AppData\Local\Temp\update.exe"
      2⤵
      • Drops file in System32 directory
      • Sets desktop wallpaper using registry
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2356
      • C:\Windows\SysWOW64\netsh.exe
        C:\Windows\system32\netsh.exe advfirewall set allprofiles state on
        3⤵
        • Modifies Windows Firewall
        PID:2880
      • C:\Windows\SysWOW64\netsh.exe
        C:\Windows\system32\netsh.exe advfirewall reset
        3⤵
        • Modifies Windows Firewall
        PID:2312
      • C:\Windows\SysWOW64\mshta.exe
        "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\_READ_THI$_FILE_ZK7BKS_.hta"
        3⤵
        • Blocklisted process makes network request
        • Modifies Internet Explorer settings
        PID:1596
      • C:\Windows\SysWOW64\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_READ_THI$_FILE_RABI1_.txt
        3⤵
        PID:2320
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe"
        3⤵
        • Deletes itself
        • Suspicious use of WriteProcessMemory
        PID:2480
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im "update.exe"
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:3028
        • C:\Windows\SysWOW64\PING.EXE
          ping -n 1 127.0.0.1
          4⤵
          • Runs ping.exe
          PID:1828
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
    1⤵
    • Suspicious use of FindShellTrayWindow
    PID:1668
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
    1⤵
    PID:3024
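
The process tree and the Signatures list together give three behaviours worth a detection rule: netsh.exe reconfiguring the firewall from a parent that lives under AppData (note that this sample turns all profiles on and resets the firewall to defaults, so a rule keyed only on "state off" misses it), mshta.exe rendering an .hta whose name follows the ransom-note pattern, and the self-deletion chain in which a cmd.exe child of the malware runs taskkill against its parent's image name and ping as a delay. The tree also shows the first update.exe (PID 2524) spawning a second copy of itself and using SetThreadContext and WriteProcessMemory, which is consistent with injection into a suspended child; the repeated dumps of PID 2356 at 0x400000 in the Downloads section are where that image would be recovered. The following is an added example (not part of the report) of those three rules run over constructed process-creation events; the pid|ppid|image|command line layout, the root's parent PID of 1000 and the rule names are assumptions, while the PIDs, images and command lines are copied from the tree above.

```python
"""Detection rules for the behaviours in the process tree above.

Added example, not part of the sandbox report. Events are a constructed,
simplified Sysmon-event-ID-1-like record: pid|ppid|image|command line.
"""
import re
from collections import defaultdict

# Constructed sample events; PIDs, images and command lines mirror the report.
# The root's parent PID (1000) is an assumption: the report does not show it.
SAMPLE_EVENTS = r"""
2524|1000|C:\Users\Admin\AppData\Local\Temp\update.exe|"C:\Users\Admin\AppData\Local\Temp\update.exe"
2356|2524|C:\Users\Admin\AppData\Local\Temp\update.exe|"C:\Users\Admin\AppData\Local\Temp\update.exe"
2880|2356|C:\Windows\SysWOW64\netsh.exe|C:\Windows\system32\netsh.exe advfirewall set allprofiles state on
2312|2356|C:\Windows\SysWOW64\netsh.exe|C:\Windows\system32\netsh.exe advfirewall reset
1596|2356|C:\Windows\SysWOW64\mshta.exe|"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\_READ_THI$_FILE_ZK7BKS_.hta"
2320|2356|C:\Windows\SysWOW64\NOTEPAD.EXE|"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_READ_THI$_FILE_RABI1_.txt
2480|2356|C:\Windows\SysWOW64\cmd.exe|"C:\Windows\system32\cmd.exe"
3028|2480|C:\Windows\SysWOW64\taskkill.exe|taskkill /f /im "update.exe"
1828|2480|C:\Windows\SysWOW64\PING.EXE|ping -n 1 127.0.0.1
"""

# Ransom-note file name pattern seen in the report (_READ_THI$_FILE_<token>_.ext).
NOTE_NAME_RE = re.compile(r"_READ_THI\$_FILE_[A-Z0-9]+_\.(?:hta|txt|jpeg)", re.I)
# Any advfirewall state change or reset, not only "state off".
FIREWALL_RE = re.compile(r"\bnetsh(?:\.exe)?\b.*\badvfirewall\b.*\b(?:set|reset)\b", re.I)
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\temp\\")


def parse_events(text):
    """Parse pid|ppid|image|cmdline lines into dicts."""
    events = []
    for line in text.strip().splitlines():
        pid, ppid, image, cmdline = line.split("|", 3)
        events.append({"pid": int(pid), "ppid": int(ppid),
                       "image": image, "cmdline": cmdline})
    return events


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule, pid, detail) tuples for the three behaviours."""
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)

    findings = []
    for e in events:
        name = basename(e["image"])
        parent = by_pid.get(e["ppid"])
        parent_img = parent["image"].lower() if parent else ""

        # Rule 1: firewall reconfigured by a binary running from a user-writable path.
        if (name == "netsh.exe" and FIREWALL_RE.search(e["cmdline"])
                and any(p in parent_img for p in USER_WRITABLE)):
            findings.append(("firewall_change_from_user_path", e["pid"], e["cmdline"]))

        # Rule 2: mshta.exe rendering an HTA named like a ransom note.
        if name == "mshta.exe" and NOTE_NAME_RE.search(e["cmdline"]):
            findings.append(("ransom_note_hta", e["pid"], e["cmdline"]))

        # Rule 3: self-deletion: a cmd.exe child kills its parent's image with
        # taskkill and delays with ping (the report's "Deletes itself" signature).
        if name == "cmd.exe" and parent:
            target = basename(parent["image"])
            kill_re = re.compile(r'taskkill\b.*/im\s+"?' + re.escape(target), re.I)
            kids = children[e["pid"]]
            killed = any(kill_re.search(k["cmdline"]) for k in kids)
            delayed = any(basename(k["image"]) == "ping.exe" for k in kids)
            if killed and delayed:
                findings.append(("self_delete_via_taskkill_ping", e["pid"], target))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in detect(parse_events(SAMPLE_EVENTS)):
        print(f"{rule:32} pid={pid} {detail}")
```

Run against the constructed events this yields four findings: both netsh invocations (PIDs 2880 and 2312), the mshta launch of the .hta note (1596) and the cmd.exe self-delete chain (2480). Rule 3 keys on the parent's image name rather than on "update.exe", so it fires whatever the dropper is called.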

MITRE ATT&CK Matrix (ATT&CK v13)

  Tactic                Technique                             Count  ID
  Persistence           Create or Modify System Process       1      T1543
                          Windows Service                     1      T1543.003
  Privilege Escalation  Create or Modify System Process       1      T1543
                          Windows Service                     1      T1543.003
  Defense Evasion       Impair Defenses                       1      T1562
                          Disable or Modify System Firewall   1      T1562.004
                        Modify Registry                       2      T1112
  Discovery             Network Service Discovery             1      T1046
                        System Information Discovery          1      T1082
                        Remote System Discovery               1      T1018
  Impact                Defacement                            1      T1491
Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
    Filesize: 68KB
    MD5: 29f65ba8e88c063813cc50a4ea544e93
    SHA1: 05a7040d5c127e68c25d81cc51271ffb8bef3568
    SHA256: 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
    SHA512: e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

  • C:\Users\Admin\AppData\Local\Temp\Tar6A9C.tmp
    Filesize: 177KB
    MD5: 435a9ac180383f9fa094131b173a2f7b
    SHA1: 76944ea657a9db94f9a4bef38f88c46ed4166983
    SHA256: 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
    SHA512: 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

  • C:\Users\Admin\Desktop\_READ_THI$_FILE_FHETN_.jpeg
    Filesize: 150KB
    MD5: cfa078ba2cc7289e0970ab0a1032e4b5
    SHA1: 8c43068bdf7342692817aaa0905fd8cbb2cde2b9
    SHA256: 9b6b8c39630004f276990b3458048c149cea643ba94adc966e2fe4f85a24b061
    SHA512: 5d325f76fde9aef60d620f80c04cd7eebf9335001b09d2bd4a991bb69c05445922bcbdecb0edf05fa98314b856457016403cb53336aeb7f3151812d8a711a68e

  • C:\Users\Admin\Desktop\_READ_THI$_FILE_RABI1_.txt
    Filesize: 1KB
    MD5: 09df7a88f4ff9d4840231b0d1e77a8eb
    SHA1: fa9594c56dd71510195e845d171be930a7f2e9f9
    SHA256: 38e55c0ac91f89e11522ffc67a324670ec3ce6b19fda02688fc6c3a155505840
    SHA512: f590429e67c24822ff51aea87168f3bea9e77be4263a4b81975571e85ce6f54fb2634db49a4cc73646347a478b0fd118e9ffe464bc2133ff295a9d455113a351

  • C:\Users\Admin\Desktop\_READ_THI$_FILE_ZK7BKS_.hta
    Filesize: 75KB
    MD5: 892fc0176c0dfb7ab3948fc9dd6ed35d
    SHA1: 2be4b5a7bc0fb99028ff5ca1d1f15de5e8bb6ab9
    SHA256: 1ac7a5b59d7c8e6dc5d2a18bc87715abfa9e7b2bb0cc99a76cbdb71a405fbd08
    SHA512: a0157bb172a00f9f18910a77c3de8433005bea3a5958fff580b577597651e4b362c14fd794fcc69a2bd9942dd93d22dd5d3f259cf27a3327310d6b74b2974169

  • memory/1668-93-0x0000000000130000-0x0000000000132000-memory.dmp
    Filesize: 8KB
  • memory/2356-14-0x0000000000400000-0x000000000043A000-memory.dmp
    Filesize: 232KB
  • memory/2356-10-0x0000000000400000-0x000000000043A000-memory.dmp
    Filesize: 232KB
  • memory/2356-64-0x0000000000400000-0x000000000043A000-memory.dmp
    Filesize: 232KB
  • memory/2356-7-0x0000000000400000-0x000000000043A000-memory.dmp
    Filesize: 232KB
  • memory/2356-92-0x0000000000840000-0x0000000000842000-memory.dmp
    Filesize: 8KB
  • memory/2356-5-0x0000000000400000-0x000000000043A000-memory.dmp
    Filesize: 232KB
  • memory/2356-4-0x0000000000400000-0x000000000043A000-memory.dmp
    Filesize: 232KB
  • memory/2356-2-0x0000000000400000-0x000000000043A000-memory.dmp
    Filesize: 232KB
  • memory/2356-308-0x0000000000400000-0x000000000043A000-memory.dmp
    Filesize: 232KB
  • memory/2524-0-0x0000000000140000-0x0000000000191000-memory.dmp
    Filesize: 324KB
  • memory/2524-6-0x0000000000140000-0x0000000000191000-memory.dmp
    Filesize: 324KB
  • memory/2524-1-0x0000000000320000-0x0000000000371000-memory.dmp
    Filesize: 324KB