Analysis

  • max time kernel
    126s
  • max time network
    132s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    08-05-2024 13:07

General

  • Target

    09.06.2016_Emma-Watson_our-big-party-photo_for-youuuuuuuuuuuuuuu.exe

  • Size

    131KB

  • MD5

    5dd451691d249335fe3918b9865814d5

  • SHA1

    da0b239b102c5266c1c2cb15b7c42b0a54b1ca23

  • SHA256

    aff75f4ea273d6ab7a9cb9023c37ab723c827ca2a630342dd0054d9c4f0c1227

  • SHA512

    c1d0a729ca243a192df7753c382a6ed503002b310ab7648f4fcc4618a8647366356aebb01a1e707fb9a1a75396d2a43436028b1099e35d96deef170fc917e8e6

  • SSDEEP

    1536:EAzqL19QneOJQObmI/yPJJHAE4qJvbfxsIzAaVVlo/ba5CabNF+FsBDIQlfJ2hMM:PqtOJRf/yxJAmlRVHFb5J2yos2T

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\# DECRYPT MY FILES #.txt

Family

cerber

Ransom Note
C E R B E R   R A N S O M W A R E
#########################################################################
Cannot you find the files you need?
Is the content of the files that you looked for not readable?
It is normal because the files' names, as well as the data in your files have been encrypted.
Great!!!
You have turned to be a part of a big community #Cerber_Ransomware.
#########################################################################
!!! If you are reading this message it means the software
!!! "Cerber Ransomware" has been removed from your computer.
#########################################################################
What is encryption?
-------------------
Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users.
To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key.
But not only it.
It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data.
#########################################################################
Everything is clear for me but what should I do?
------------------------------------------------
The first step is reading these instructions to the end.
Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you.
After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions.
It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them.
!!! Any attempts to get back your files with the third-party tools can
!!! be fatal for your encrypted files.
The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files.
Finally it will be impossible to decrypt your files.
When you make a puzzle but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly.
You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files.
#########################################################################
!!! There are several plain steps to restore your files but if you do
!!! not follow them we will not be able to help you, and we will not try
!!! since you have read this warning already.
#########################################################################
For your information the software to decrypt your files (as well as the private key provided together) are paid products.
After purchase of the software package you will be able to:
1. decrypt all your files;
2. work with your documents;
3. view your photos and other media;
4. continue your usual and comfortable work at the computer.
If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files.
#########################################################################
There is a list of temporary addresses to go on your personal page below:
_______________________________________________________________________
|                                                                     |
| 1. http://cerberhhyed5frqa.xmfir0.win/7EC5-54FB-5552-006F-577B      |
| 2. http://cerberhhyed5frqa.gkfit9.win/7EC5-54FB-5552-006F-577B      |
| 3. http://cerberhhyed5frqa.305iot.win/7EC5-54FB-5552-006F-577B      |
| 4. http://cerberhhyed5frqa.dkrti5.win/7EC5-54FB-5552-006F-577B      |
| 5. http://cerberhhyed5frqa.cneo59.win/7EC5-54FB-5552-006F-577B      |
|_____________________________________________________________________|
#########################################################################
What should you do with these addresses?
----------------------------------------
If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it):
1. take a look at the first address (in this case it is http://cerberhhyed5frqa.xmfir0.win/7EC5-54FB-5552-006F-577B);
2. select it with the mouse cursor holding the left mouse button and moving the cursor to the right;
3. release the left mouse button and press the right one;
4. select "Copy" in the appeared menu;
5. run your Internet browser (if you do not know what it is run the Internet Explorer);
6. move the mouse cursor to the address bar of the browser (this is the place where the site address is written);
7. click the right mouse button in the field where the site address is written;
8. select the button "Insert" in the appeared menu;
9. then you will see the address http://cerberhhyed5frqa.xmfir0.win/7EC5-54FB-5552-006F-577B appeared there;
10. press ENTER;
11. the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling.
If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions.
If you browse the instructions in HTML format:
1. click the left mouse button on the first address (in this case it is http://cerberhhyed5frqa.xmfir0.win/7EC5-54FB-5552-006F-577B);
2. in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address.
If for some reason the site cannot be opened check the connection to the Internet.
#########################################################################
Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products.
Unlike them we are ready to help you always.
If you need our help but the temporary sites are not available:
1. run your Internet browser (if you do not know what it is run the Internet Explorer);
2. enter or copy the address https://www.torproject.org/download/download-easy.html.en into the address bar of your browser and press ENTER;
3. wait for the site loading;
4. on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed;
5. run Tor Browser;
6. connect with the button "Connect" (if you use the English version);
7. a normal Internet browser window will be opened after the initialization;
8. type or copy the address
________________________________________________________
|                                                        |
| http://cerberhhyed5frqa.onion/7EC5-54FB-5552-006F-577B |
|________________________________________________________|
in this browser address bar;
9. press ENTER;
10. the site should be loaded; if for some reason the site is not loading wait for a moment and try again.
If you have any problems during installation or operation of Tor Browser, please, visit https://www.youtube.com/ and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation.
If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files.
#########################################################################
Additional information:
You will find the instructions for restoring your files in those folders where you have your encrypted files only.
The instructions are made in two file formats - HTML and TXT for your convenience.
Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files.
The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company.
#########################################################################
Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data.
The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection.
Together we make the Internet a better and safer place.
#########################################################################
If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support.
#########################################################################
Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files.
URLs

http://cerberhhyed5frqa.xmfir0.win/7EC5-54FB-5552-006F-577B

http://cerberhhyed5frqa.gkfit9.win/7EC5-54FB-5552-006F-577B

http://cerberhhyed5frqa.305iot.win/7EC5-54FB-5552-006F-577B

http://cerberhhyed5frqa.dkrti5.win/7EC5-54FB-5552-006F-577B

http://cerberhhyed5frqa.cneo59.win/7EC5-54FB-5552-006F-577B

http://cerberhhyed5frqa.onion/7EC5-54FB-5552-006F-577B

Extracted

Path

C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\# DECRYPT MY FILES #.html

Ransom Note
<!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8"> <title>&#067;erber Ransomware</title> <style> a { color: #47c; text-decoration: none; } a:hover { text-decoration: underline; } body { background-color: #e7e7e7; color: #333; font-family: "Helvetica Neue", Helvetica, "Segoe UI", Arial, freesans, sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol"; font-size: 16px; line-height: 1.6; margin: 0; padding: 0; } hr { background-color: #e7e7e7; border: 0 none; border-bottom: 1px solid #c7c7c7; height: 5px; margin: 30px 0; } li { padding: 0 0 7px 7px; } ol { padding-left: 3em; } .container { background-color: #fff; border: 1px solid #c7c7c7; margin: 40px; padding: 40px 40px 20px 40px; } .info, .tor { background-color: #efe; border: 1px solid #bda; display: block; padding: 0px 20px; } .logo { font-size: 12px; font-weight: bold; line-height: 1; margin: 0; } .tor { padding: 10px 0; text-align: center; } .warning { background-color: #f5e7e7; border: 1px solid #ebccd1; color: #a44; display: block; padding: 15px 10px; text-align: center; } </style> </head> <body> <div class="container"> <h3>C E R B E R&nbsp;&nbsp;&nbsp;R A N S O M W A R E</h3> <hr> <p>Cannot you find the files you need?<br>Is the content of the files that you looked for not readable?</p> <p>It is normal because the files' names, as well as the data in your files have been encrypted.</p> <p>Great!!!<br>You have turned to be a part of a big community #Cerber_Ransomware.</p> <hr> <p><span class="warning">If you are reading this message it means the software "Cerber Ransomware" has been removed from your computer.</span></p> <hr> <h3>What is encryption?</h3> <p>Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users.</p> <p>To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key.</p> <p>But not 
only it.</p> <p>It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data.</p> <hr> <h3>Everything is clear for me but what should I do?</h3> <p>The first step is reading these instructions to the end.</p> <p>Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you.</p> <p>After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions.</p> <p>It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them.</p> <p><span class="warning">Any attempts to get back your files with the third-party tools can be fatal for your encrypted files.</span></p> <p>The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files.</p> <p>Finally it will be impossible to decrypt your files.</p> <p>When you make a puzzle but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly.</p> <p>You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files.</p> <hr> <p><span class="warning">There are several plain steps to restore your files but if you do not follow them we will not be able to help you, and we will not try since you have read this warning already.</span></p> <hr> <p>For your information the software to decrypt your files (as well as the private key provided together) are paid products.</p> <p>After purchase of the software package you 
will be able to:</p> <ol> <li>decrypt all your files;</li> <li>work with your documents;</li> <li>view your photos and other media;</li> <li>continue your usual and comfortable work at the computer.</li> </ol> <p>If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files.</p> <hr> <div class="info"> <p>There is a list of temporary addresses to go on your personal page below:</p> <ol> <li><a href="http://cerberhhyed5frqa.xmfir0.win/7EC5-54FB-5552-006F-577B" target="_blank">http://cerberhhyed5frqa.xmfir0.win/7EC5-54FB-5552-006F-577B</a></li> <li><a href="http://cerberhhyed5frqa.gkfit9.win/7EC5-54FB-5552-006F-577B" target="_blank">http://cerberhhyed5frqa.gkfit9.win/7EC5-54FB-5552-006F-577B</a></li> <li><a href="http://cerberhhyed5frqa.305iot.win/7EC5-54FB-5552-006F-577B" target="_blank">http://cerberhhyed5frqa.305iot.win/7EC5-54FB-5552-006F-577B</a></li> <li><a href="http://cerberhhyed5frqa.dkrti5.win/7EC5-54FB-5552-006F-577B" target="_blank">http://cerberhhyed5frqa.dkrti5.win/7EC5-54FB-5552-006F-577B</a></li> <li><a href="http://cerberhhyed5frqa.cneo59.win/7EC5-54FB-5552-006F-577B" target="_blank">http://cerberhhyed5frqa.cneo59.win/7EC5-54FB-5552-006F-577B</a></li> </ol> </div> <hr> <h3>What should you do with these addresses?</h3> <p>If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it):</p> <ol> <li>take a look at the first address (in this case it is <a href="http://cerberhhyed5frqa.xmfir0.win/7EC5-54FB-5552-006F-577B" target="_blank">http://cerberhhyed5frqa.xmfir0.win/7EC5-54FB-5552-006F-577B</a>);</li> <li>select it with the mouse cursor holding the left mouse button and moving the cursor to the right;</li> <li>release the left mouse button and press the right one;</li> <li>select "Copy" in the appeared menu;</li> <li>run 
your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>move the mouse cursor to the address bar of the browser (this is the place where the site address is written);</li> <li>click the right mouse button in the field where the site address is written;</li> <li>select the button "Insert" in the appeared menu;</li> <li>then you will see the address <a href="http://cerberhhyed5frqa.xmfir0.win/7EC5-54FB-5552-006F-577B" target="_blank">http://cerberhhyed5frqa.xmfir0.win/7EC5-54FB-5552-006F-577B</a> appeared there;</li> <li>press ENTER;</li> <li>the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling.</li> </ol> <p>If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions.</p> <p>If you browse the instructions in HTML format:</p> <ol> <li>click the left mouse button on the first address (in this case it is <a href="http://cerberhhyed5frqa.xmfir0.win/7EC5-54FB-5552-006F-577B" target="_blank">http://cerberhhyed5frqa.xmfir0.win/7EC5-54FB-5552-006F-577B</a>);</li> <li>in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address.</li> </ol> <p>If for some reason the site cannot be opened check the connection to the Internet.</p> <hr> <p>Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products.</p> <p>Unlike them we are ready to help you always.</p> <p>If you need our help but the temporary sites are not available:</p> <ol> <li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>enter or copy the address <a 
href="https://www.torproject.org/download/download-easy.html.en" target="_blank">https://www.torproject.org/download/download-easy.html.en</a> into the address bar of your browser and press ENTER;</li> <li>wait for the site loading;</li> <li>on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed;</li> <li>run Tor Browser;</li> <li>connect with the button "Connect" (if you use the English version);</li> <li>a normal Internet browser window will be opened after the initialization;</li> <li>type or copy the address <span class="tor">http://cerberhhyed5frqa.onion/7EC5-54FB-5552-006F-577B</span> in this browser address bar;</li> <li>press ENTER;</li> <li>the site should be loaded; if for some reason the site is not loading wait for a moment and try again.</li> </ol> <p>If you have any problems during installation or operation of Tor Browser, please, visit <a href="https://www.youtube.com/results?search_query=install+tor+browser+windows" target="_blank">https://www.youtube.com/</a> and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation.</p> <p>If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files.</p> <hr> <h3>Additional information:</h3> <p>You will find the instructions for restoring your files in those folders where you have your encrypted files only.</p> <p>The instructions are made in two file formats - HTML and TXT for your convenience.</p> <p>Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files.</p> <p>The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to 
your antivirus company.</p> <hr> <p>Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data.</p> <p>The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection.</p> <p>Together we make the Internet a better and safer place.</p> <hr> <p>If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support.</p> <hr> <p>Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files.</p> </div> </body> </html>
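The two extracted notes above carry the same indicators in two encodings: five clearnet payment URLs under six-character .win subdomains, one .onion mirror, and a victim ID repeated in every URL. The following is an added example written for this page, not a tool from the sandbox or from the Cerber operators; it pulls those indicators out of either note variant and flags a note whose URLs disagree on the victim ID. The onion label `cerberhhyed5frqa`, the `<6 chars>.win` host shape and the ID format `XXXX-XXXX-XXXX-XXXX-XXXX` are taken from the notes on this page and are assumed to be stable for this campaign only; the sample notes embedded in the code are constructed excerpts of the page's notes.

```python
"""Extract payment URLs and the victim ID from a Cerber '# DECRYPT MY FILES #' note.

Handles both the .txt and the .html variant: HTML entities (the HTML note
obfuscates its title as '&#067;erber') are decoded first, then the same
regex runs over the text. Tags need not be stripped because the regex
matches the URL both inside href="..." and in the visible anchor text, and
the result is de-duplicated.
"""
import html
import re
from dataclasses import dataclass, field

# Assumed campaign constants, taken from the notes on this page.
LABEL = "cerberhhyed5frqa"
VICTIM_ID = r"[0-9A-F]{4}(?:-[0-9A-F]{4}){4}"
URL_RE = re.compile(
    rf"https?://({LABEL}\.(?:[a-z0-9]{{6}}\.win|onion))/({VICTIM_ID})\b"
)


@dataclass
class CerberConfig:
    victim_id: str
    clearnet_urls: list[str] = field(default_factory=list)
    onion_urls: list[str] = field(default_factory=list)
    # IDs seen in URLs that differ from victim_id; non-empty means the note
    # is malformed or has been edited, so do not trust it as one config.
    conflicting_ids: set[str] = field(default_factory=set)


def extract(note: str) -> CerberConfig:
    """Return de-duplicated URLs in order of first appearance plus the victim ID."""
    text = html.unescape(note)  # harmless on the .txt variant
    urls: dict[str, None] = {}  # dict keeps insertion order; used as an ordered set
    ids: list[str] = []
    for m in URL_RE.finditer(text):
        urls.setdefault(m.group(0), None)
        ids.append(m.group(2))
    if not ids:
        raise ValueError("no Cerber payment URLs found")
    cfg = CerberConfig(victim_id=ids[0])
    cfg.conflicting_ids = {i for i in ids if i != cfg.victim_id}
    for url in urls:
        (cfg.onion_urls if ".onion/" in url else cfg.clearnet_urls).append(url)
    return cfg


# Constructed excerpts of the two notes shown on this page.
TXT_NOTE = """\
C E R B E R   R A N S O M W A R E
There is a list of temporary addresses to go on your personal page below:
| 1. http://cerberhhyed5frqa.xmfir0.win/7EC5-54FB-5552-006F-577B |
| 2. http://cerberhhyed5frqa.gkfit9.win/7EC5-54FB-5552-006F-577B |
1. take a look at the first address (in this case it is http://cerberhhyed5frqa.xmfir0.win/7EC5-54FB-5552-006F-577B);
| http://cerberhhyed5frqa.onion/7EC5-54FB-5552-006F-577B |
"""

HTML_NOTE = """<!DOCTYPE html><html lang="en"><head><title>&#067;erber Ransomware</title></head>
<body><li><a href="http://cerberhhyed5frqa.305iot.win/7EC5-54FB-5552-006F-577B" target="_blank">http://cerberhhyed5frqa.305iot.win/7EC5-54FB-5552-006F-577B</a></li>
<span class="tor">http://cerberhhyed5frqa.onion/7EC5-54FB-5552-006F-577B</span></body></html>"""

# Constructed tampered note: two URLs, two different IDs.
TAMPERED_NOTE = ("http://cerberhhyed5frqa.onion/7EC5-54FB-5552-006F-577B "
                 "http://cerberhhyed5frqa.dkrti5.win/0000-1111-2222-3333-4444")

if __name__ == "__main__":
    for name, note in (("txt", TXT_NOTE), ("html", HTML_NOTE), ("tampered", TAMPERED_NOTE)):
        print(name, extract(note))
```

Feeding the full notes from this page yields the same five .win URLs and one .onion URL that the sandbox lists under URLs, with victim ID 7EC5-54FB-5552-006F-577B; the ID is the per-victim token the operators key their payment page on, so it is the value to pivot on when correlating several notes from one incident.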

Signatures

  • Cerber

    Cerber is a widely used ransomware-as-a-service (RaaS), first seen in early 2016 (this sample's file name is itself dated 09.06.2016).

  • Contacts a large number (16389) of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services. For this family it is better explained by Cerber's documented UDP check-in, which sends a short datagram to every address in a broad IP range to report the infection rather than to probe for listening services; a burst of UDP to thousands of consecutive addresses, typically one datagram per destination, is a usable network-level indicator for Cerber.

  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services; here the flows are the per-destination datagrams of the same UDP check-in.

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
  • Adds policy Run key to start application 2 TTPs 2 IoCs
  • Deletes itself 1 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 4 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Kills process with taskkill 2 IoCs
  • Modifies Control Panel 4 IoCs
  • Modifies Internet Explorer settings 1 TTPs 59 IoCs
  • Runs ping.exe 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 24 IoCs
  • Suspicious use of AdjustPrivilegeToken 47 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 14 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\09.06.2016_Emma-Watson_our-big-party-photo_for-youuuuuuuuuuuuuuu.exe
    "C:\Users\Admin\AppData\Local\Temp\09.06.2016_Emma-Watson_our-big-party-photo_for-youuuuuuuuuuuuuuu.exe"
    1⤵
    • Adds policy Run key to start application
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • Modifies Control Panel
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2188
    • C:\Users\Admin\AppData\Roaming\{04E11A53-556B-582E-C494-323BC9541A7E}\instnm.exe
      "C:\Users\Admin\AppData\Roaming\{04E11A53-556B-582E-C494-323BC9541A7E}\instnm.exe"
      2⤵
      • Adds policy Run key to start application
      • Drops startup file
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Sets desktop wallpaper using registry
      • Modifies Control Panel
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2200
      • C:\Windows\system32\vssadmin.exe
        "C:\Windows\system32\vssadmin.exe" delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:2472
      • C:\Windows\system32\wbem\wmic.exe
        "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2932
      • C:\Windows\System32\bcdedit.exe
        "C:\Windows\System32\bcdedit.exe" /set {default} recoveryenabled no
        3⤵
        • Modifies boot configuration data using bcdedit
        PID:2060
      • C:\Windows\System32\bcdedit.exe
        "C:\Windows\System32\bcdedit.exe" /set {default} bootstatuspolicy ignoreallfailures
        3⤵
        • Modifies boot configuration data using bcdedit
        PID:1040
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1680
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1680 CREDAT:275457 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:1928
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1680 CREDAT:668673 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:2624
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt
        3⤵
        PID:2392
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs"
        3⤵
        PID:2924
      • C:\Windows\system32\cmd.exe
        /d /c taskkill /t /f /im "instnm.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Roaming\{04E11A53-556B-582E-C494-323BC9541A7E}\instnm.exe" > NUL
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1540
        • C:\Windows\system32\taskkill.exe
          taskkill /t /f /im "instnm.exe"
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1064
        • C:\Windows\system32\PING.EXE
          ping -n 1 127.0.0.1
          4⤵
          • Runs ping.exe
          PID:784
    • C:\Windows\SysWOW64\cmd.exe
      /d /c taskkill /t /f /im "09.06.2016_Emma-Watson_our-big-party-photo_for-youuuuuuuuuuuuuuu.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\09.06.2016_Emma-Watson_our-big-party-photo_for-youuuuuuuuuuuuuuu.exe" > NUL
      2⤵
      • Deletes itself
      • Suspicious use of WriteProcessMemory
      PID:3064
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /t /f /im "09.06.2016_Emma-Watson_our-big-party-photo_for-youuuuuuuuuuuuuuu.exe"
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2628
      • C:\Windows\SysWOW64\PING.EXE
        ping -n 1 127.0.0.1
        3⤵
        • Runs ping.exe
        PID:2452
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2468
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1604
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1604 CREDAT:275457 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:2752
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
    1⤵
    PID:1812
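The process tree above is a compact catalogue of the command lines a detection engineer wants to alert on: the dropped second stage (instnm.exe, run from AppData\Roaming) spawns vssadmin and wmic to delete shadow copies, bcdedit to disable Windows recovery, and a cmd one-liner that kills its own binary, sleeps with ping, and deletes it; the first stage deletes itself the same way. The following is an added example for this page, not code from the sandbox vendor or from the sample: it runs a handful of rules over constructed process-creation records shaped like Sysmon Event ID 1 / Security 4688 fields (image, command line, parent image) and raises the severity when the parent lives in a user-writable directory. The sample events are constructed from the tree above plus two benign administrator commands that must not fire; the rule set and the user-writable directory list are assumptions to be tuned for your environment.

```python
"""Flag recovery-inhibition (T1490) and self-deletion (T1070.004) command lines
in process-creation telemetry, using the commands from the tree above as the
test corpus (constructed records, not real log export)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str         # full path of the created process
    cmdline: str       # command line as logged
    parent_image: str  # full path of the creating process


@dataclass(frozen=True)
class Alert:
    pid: int
    technique: str     # ATT&CK ID
    severity: str      # "high" when the parent sits in a user-writable path
    reason: str


# (ATT&CK ID, image basename regex, command-line regex); matched
# case-insensitively and whitespace-tolerantly. Assumed rule set.
RULES = [
    ("T1490", r"vssadmin\.exe", r"delete\s+shadows"),
    ("T1490", r"wmic\.exe", r"shadowcopy\s+delete"),
    ("T1490", r"bcdedit\.exe", r"recoveryenabled\s+no"),
    ("T1490", r"bcdedit\.exe", r"bootstatuspolicy\s+ignoreallfailures"),
    # cmd one-liner: kill a process, sleep with ping, then delete its binary
    ("T1070.004", r"cmd\.exe", r"taskkill\b.*&\s*ping\s+-n\s+\d+.*&\s*del\b"),
]

# Directories an unprivileged user can write to (assumed list). A recovery
# tampering command whose parent lives here is far more suspicious than the
# same command typed by an administrator in a console.
USER_WRITABLE = re.compile(r"\\(?:AppData|ProgramData|Temp|Users\\[^\\]+\\Desktop)\\", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def detect(events):
    """Return one Alert per (event, rule) match, in event order."""
    alerts = []
    for ev in events:
        img = basename(ev.image)
        for tech, img_re, cmd_re in RULES:
            if re.fullmatch(img_re, img, re.I) and re.search(cmd_re, ev.cmdline, re.I):
                sev = "high" if USER_WRITABLE.search(ev.parent_image) else "medium"
                alerts.append(Alert(ev.pid, tech, sev, f"{img} matched /{cmd_re}/"))
    return alerts


# Constructed sample: the six offending commands from the tree above plus two
# benign admin commands that must not fire.
DROPPER = r"C:\Users\Admin\AppData\Roaming\{04E11A53-556B-582E-C494-323BC9541A7E}\instnm.exe"
STAGE1 = r"C:\Users\Admin\AppData\Local\Temp\09.06.2016_Emma-Watson_our-big-party-photo_for-youuuuuuuuuuuuuuu.exe"
SAMPLE_EVENTS = [
    ProcEvent(2472, r"C:\Windows\system32\vssadmin.exe",
              r'"C:\Windows\system32\vssadmin.exe" delete shadows /all /quiet', DROPPER),
    ProcEvent(2932, r"C:\Windows\system32\wbem\wmic.exe",
              r'"C:\Windows\system32\wbem\wmic.exe" shadowcopy delete', DROPPER),
    ProcEvent(2060, r"C:\Windows\System32\bcdedit.exe",
              r'"C:\Windows\System32\bcdedit.exe" /set {default} recoveryenabled no', DROPPER),
    ProcEvent(1040, r"C:\Windows\System32\bcdedit.exe",
              r'"C:\Windows\System32\bcdedit.exe" /set {default} bootstatuspolicy ignoreallfailures', DROPPER),
    ProcEvent(1540, r"C:\Windows\system32\cmd.exe",
              r'/d /c taskkill /t /f /im "instnm.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "' + DROPPER + r'" > NUL',
              DROPPER),
    ProcEvent(3064, r"C:\Windows\SysWOW64\cmd.exe",
              r'/d /c taskkill /t /f /im "' + basename(STAGE1) + r'" > NUL & ping -n 1 127.0.0.1 > NUL & del "' + STAGE1 + r'" > NUL',
              STAGE1),
    # benign: an administrator inspecting snapshots and boot entries from a console
    ProcEvent(9001, r"C:\Windows\system32\vssadmin.exe",
              r'"C:\Windows\system32\vssadmin.exe" list shadows', r"C:\Windows\System32\cmd.exe"),
    ProcEvent(9002, r"C:\Windows\System32\bcdedit.exe",
              r'"C:\Windows\System32\bcdedit.exe" /enum', r"C:\Windows\System32\cmd.exe"),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

On the sample corpus every one of the six malicious commands fires at high severity because its parent is a binary under AppData, while the two console-driven admin commands produce nothing; in production the same parent-path check is what keeps backup-maintenance jobs from drowning the T1490 rule in noise.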

Network

MITRE ATT&CK Matrix ATT&CK v13

  • Execution
    Windows Management Instrumentation (T1047): 1
  • Persistence
    Boot or Logon Autostart Execution (T1547): 2
    Registry Run Keys / Startup Folder (T1547.001): 2
  • Privilege Escalation
    Boot or Logon Autostart Execution (T1547): 2
    Registry Run Keys / Startup Folder (T1547.001): 2
  • Defense Evasion
    Indicator Removal (T1070): 2
    File Deletion (T1070.004): 2
    Modify Registry (T1112): 4
  • Credential Access
    Unsecured Credentials (T1552): 1
    Credentials In Files (T1552.001): 1
  • Discovery
    Network Service Discovery (T1046): 2
    System Information Discovery (T1082): 2
    Remote System Discovery (T1018): 1
  • Collection
    Data from Local System (T1005): 1
  • Impact
    Inhibit System Recovery (T1490): 3
    Defacement (T1491): 1

Downloads

        • C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.url
          Filesize

          85B

          MD5

          855016e88e8681057fa255efcc1945d0

          SHA1

          5432fc2bd00c82e8fb617ee05554fab9b5c2b2de

          SHA256

          3ceb8a8daf46f5f80037b7a71ce94dd4af9025ff2dcbe58471fce3f2acb62b4d

          SHA512

          dfbe659001aa06da882c072aeaab38aa7459e5f473e8efb632c7260663c87e2523a7251e5889546527358759bb897748973a14fe1639dc74a817e7883a47bfc2

        • C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\# DECRYPT MY FILES #.html
          Filesize

          12KB

          MD5

          3373f94d4c0763e14b720aadef093dd8

          SHA1

          79a709b9891819f55ab87c8f2b5a410472e80a60

          SHA256

          8ec094ce6442dd8ae156dee4b2da3780c5900de8139690a98b462cc96c11ada5

          SHA512

          10e7c4c647537973844c35e685b7f216cede38d35d72dc69e8b9bf8c9f2c49d5c6fa1d8173445b820f7ee338a942f1ec86cb3024c5780a391a1c2ceb27b763e9

        • C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\# DECRYPT MY FILES #.txt
          Filesize

          10KB

          MD5

          816a10203afbc3e12fc5bd71ae62caa6

          SHA1

          2c50075ca3aa2d8e9da6f1393be2430213e7c005

          SHA256

          63e6913f67a7deb8f3e9475a4930b013d6088a2b841cb33783541067b9574b49

          SHA512

          94dbd05bf7f8ed135c03ab49657284836f747ca1a83cfd1e74e41c9600d6486ba3ec3802493cc05fdea2dae5b0c713fab63eba2f234a7a1fb6c30e3da195f314

        • C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\# DECRYPT MY FILES #.vbs
          Filesize

          219B

          MD5

          35a3e3b45dcfc1e6c4fd4a160873a0d1

          SHA1

          a0bcc855f2b75d82cbaae3a8710f816956e94b37

          SHA256

          8ad5e0f423ce1ff13f45a79746813f0f1d56993d7f125ab96f3d93fb54bdc934

          SHA512

          6d8e68b969ef67903aff526e983b0fb496678e4c819139e560a11f754a36c4b5770ac2ecf3fc1d9cb5aaa84f80363b4f55553255569503893192911b80d9d853

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
          (CryptnetUrlCache is the Windows CryptoAPI cache for certificates, CRLs and similar objects fetched over the network; these Content/MetaData entries are OS-generated during the run rather than Cerber drops, so they should not go into an IOC set)
          Filesize

          68KB

          MD5

          29f65ba8e88c063813cc50a4ea544e93

          SHA1

          05a7040d5c127e68c25d81cc51271ffb8bef3568

          SHA256

          1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

          SHA512

          e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          344B

          MD5

          ef965220c9f641d209ca78bc21b404d3

          SHA1

          7c05f7fad0e94ef59b1a6bf5270ba629ffd18404

          SHA256

          8b5aa70f51347456c1b3ae7c62b8964188fc0e7828a99a582ad37f5bb578a00e

          SHA512

          5d0bc3d7a031af0ad3cd01d39a138a96d31bd5b169c3f8e381f3053541d980f0dd1de47b1c6bd6103368740823ac76287fbd12d7b9f3425e7b79b4a1e5dc5f97

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          344B

          MD5

          ed0598fe0a7942052f8ae0ff43817274

          SHA1

          f0b842726ec2c3d11b17706732b79d4c2e235a2e

          SHA256

          8503f2be60f0bc822903b2e4a36fde469323add266bfc681fd9b133902ca5154

          SHA512

          34abe69398ca598c9ecb88bbc8e45b280006af81f2fc3e6e39d5cca5c24cc475f6b1d02c9920277e6c82a35ce2c7bb00fb9ced003bcf52f50c30c72856530dd9

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          344B

          MD5

          4d099b3ce4ddaa31396d421f077b2d75

          SHA1

          c6681266cbb7965dcb00a4a1123ddab3975192ad

          SHA256

          0e11eaea34cf9f7b2b991b7477801bb5f3c0ce1edfc0639c8152feab04dd16ee

          SHA512

          393ed9bcf97da1144008173c475288a04b4f879d9c9df62d5f11fd5aa49e3a7e53ec521c5cf628fd4e6d21beb267eb2f7675b782486666119b3e7e7b6fc4f720

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          344B

          MD5

          6352141c85362b6bd89a148187b93303

          SHA1

          8484a6a1f6f5efe6b46cc58fdb3bc09b408d149f

          SHA256

          8b8e0369f8761f3ff05c9f1ff4419476085bf23a4f7ee56e630c353d0cf5f74a

          SHA512

          0c5fd03c8c9827268536df4aa61fdfafaf83522e278a819910bad0f2e990f96ba5f163873fbdbf7f9c942eba8154bc6ce0915f80fff6edd736efa8dfd8600d69

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          344B

          MD5

          db1cce741bdcd12357d6bff10c78e58e

          SHA1

          3f73fb67e2078d7c630db2bace55782d653c1138

          SHA256

          95db272d28bf77805d595b322c2b3a0c78d605e77aa950242463f6f687b05c77

          SHA512

          5b2150f1700955a74a64f18239ea13f13b8d01f8f08fc768535bd1dc04008c468b0549039044b2b62efb0c2d8c3b0f1bc805d66cf4425bc1acb3c2793f3f1f2b

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          344B

          MD5

          8673cc76a973a19ff397089fa62addb4

          SHA1

          2c025cb92d562709449566a3e786075de12ef590

          SHA256

          491360acc2083ddfb431ced87421983bd4de2bfc44f4582904267079e0caefbd

          SHA512

          d5e40e25debb421e917cf34bc0c7b949ad57911bf3a178f521db6b476486c843a39c9b45b6d7fe627eefb3742b2383fb972eae5db9c18aab8fdcf161a309b9e6

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          344B

          MD5

          a9fcdd3ef939cfded7404ad0226ea27c

          SHA1

          961c6ffc9e4b0f93f9a95e26db292bd139a82866

          SHA256

          9d3890a1001ae009ef434a2ac1eaf608093f7f5f2f938f815d55d86bc7813f60

          SHA512

          558bdf4d4c836f0342189620129e666d1659ce6c76c34824daea0f6348e670baa278ae459aabfde59e0105aa81e12c035543250a77644868519a8a308aae7747

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          344B

          MD5

          1fe27bf3f2cd8cc33f9721a756ee5d99

          SHA1

          dc21f0cde38aa047576eb8667ae8248f2bd13179

          SHA256

          50878f428003e81753017062ac341a818eea21a06d6f70aa2459b13626805a55

          SHA512

          92f1aa475155f43fc7efb7b77fc4b69d817f4d5b99dfb4db3837fa8b5c10b1c08947ca25cea684ebacb3cfd36087d1899eb716953ec840ff7144ff17cf90cfed

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          344B

          MD5

          2f944227cebc10ededb983a87589cf68

          SHA1

          eceb10723ee361e87ab752241e20755cd0f02b0b

          SHA256

          30ba3cea49e9d51762939926cc8b10023d2a20277b4fabdf8469adc570bcde60

          SHA512

          e68ea7ce79098b01c8f26c8fcad6e1f15a63cfa5b65d680eca44788087d74b338a5145de6d827ee133ec2ecab20c471bcd5011b1486cb33b7e642aaea38cd1d6

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          344B

          MD5

          dc16ae247d0836b45e6502428181c035

          SHA1

          e8763af8b2f61a934c7ddcba95b539da1cdd320f

          SHA256

          4b0c94bfe352dfd5d334bc586a076341c87fa140480581d721ea3b1183693625

          SHA512

          2d95a3bd7c9c371e00afc312232ccf4e9bb7b2c0dfcdfdabfc5907803e343bcb5b134a7e8dc15a5cb1101c757ff309c389ee8ebbbb16be7a8dd71068de527df5

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          344B

          MD5

          9bb3ea7fa18d7d042c002e8e64c8f6b6

          SHA1

          568c6e1a2ec2136c9b97c7aa6295fd9cd81f8490

          SHA256

          16dda0a317a1eb2eaee5b8f6d9e24141b819cdf29c623dd052d484eea41cc03d

          SHA512

          c8ab69477ab8bacfa62ae8dfcb1e90955466e26f51952dd78c99df5358f60efd3dcdb0e3742da25181c8ee027f8325baa670474e72e5dd4716432d93a5224f7a

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          344B

          MD5

          3872190de9cfa5e8f7d9cee891cb463e

          SHA1

          01492986eb923d4ade99d7e6d79a9808550c845e

          SHA256

          5bb068cd69cbb683a4c1f6b85da16bcedbdfbf13a9fc8de39ab42b7b56f1c0b7

          SHA512

          1c39a0e2cd5e24eee10e9cacbbcbec68746042728cc96d6b38b7de1d5a682457b672ee638f38d49de1b6b49e56867c8ee17a4bffb74fdf72f48f29e5aeb1ac2a

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          344B

          MD5

          d7091a202eb2717edb825b316893581d

          SHA1

          6753f532d2a55feeca91ec7f68eb971d7bb797c3

          SHA256

          973033a13ca7b2b5ca76536d1dc5f4223d67fa5b849849b0ae527b6bfc52391b

          SHA512

          e65a1033bd5f030d49146310407d6d428a56cfde486ffebdd5cbd0c2baea7c73317d2aeb15501a8867eabfbb588c2a60d2bfef1353e448c9a3d9cd6f80cb2b21

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          344B

          MD5

          b5ad7d4a9ffcff6f4c5bee96e6b6619a

          SHA1

          573de82d319f0611c4f013c9416aec38abfd528d

          SHA256

          a4e15b1ebf232e6f453e91a4f0b4e981ebf682b40679ce9c197d8ca388f67596

          SHA512

          8dc68cf51396403de5ef8032ef43a5c26f99d2fb4d8c6df4b0b387272afeb26763a9abd11c694b3a19ae15f2710f7a8959ca42b396819b745ef1b360bc8651ba

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          344B

          MD5

          68d7755b8ae2454c509950ba18cc223a

          SHA1

          ad3aeaba00d854d56b8c52979dc3b143b96e4dda

          SHA256

          6957629ae9f0a4d9c484702b5a57bb2a98eac5b97c783f812d05b34a815977f6

          SHA512

          2d2ebf27e4f7ab49fe1bc30a40dc7e0ea430b7e9a2cdc76f7ec979949c715db9702fc0742dffdc67d1ec4ee8174a537552653431e4e639242d902c03643828bc

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          344B

          MD5

          e1aa283d091c941cfde3d822dd0ceb3a

          SHA1

          fe75599bb30866f5ca3695d3bda153671199da1e

          SHA256

          0b65c8b486ce2fff09094b6a1445fb6baf6753ddbc88e1e4a9346a2061d9da93

          SHA512

          027fc6a2ffeaf2c0c2a160ff063155304f951f0e241660d0f464e03367cf03e664f121da5d8c4761469d7c19dda43d8595782a0175c89a78463cea419110ece4

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          344B

          MD5

          9ec4a9c24cb56e63ac87bbef85060c14

          SHA1

          7647e786a046b785807eca44823c948f1db3e3ce

          SHA256

          3a7360a23cf1b860d6c593f7d55958d1ae93c75756453bc1ccb2ecca08009860

          SHA512

          2a313d2534fb66eb380efbda218694760efcf2727196256b0eb5087cdcc90f0a985bb44011d1cf87bf6014fbfa1fd63bc9e56dd4633b115b06376ecc9a11c8f0

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          344B

          MD5

          0cc7f67a4087a07fd8cd270b1314898f

          SHA1

          593e40900bb65099ac98d5c764709a44540a0b70

          SHA256

          5fafd53d32b47b2ca88fefcdc30dc0987f607dd5e2ddc221a70ae92998d7ccd8

          SHA512

          028ec760035f8ad41825b9af7fd62f3e4e8d5dbfcc014190483b71779f65bfe0e675c655998fe90112145913be6b5612501e46b7c57ab834f20527b4943c0960

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          344B

          MD5

          35711466d88d38ce2eb974ede607b3a4

          SHA1

          70057107a4e7a76e577f4ef9acce645d95fe6728

          SHA256

          394158808390e785e21dd44ee421f5938c579e590026e619cb1e689be9b0b056

          SHA512

          7de5ce1be4ff438b82907df0c6d02dc8408bb88fc7921041b5670069756d0fcb5cff588c4dcfe333ff50fbda39444b038ad77bb30bde6653bdec02a0e955072e

        • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{195DC021-0D3C-11EF-A34E-5E73522EB9B5}.dat
          Filesize

          5KB

          MD5

          c1ea0bf6af53dece17aba93547ea6ff9

          SHA1

          4cd965b3c57eeb3e07ebae35e9ecd9129cd0d91c

          SHA256

          487ded9b391b35d8536c5f5d28928639cb326128787a172cf8cce7dc5254bede

          SHA512

          f51b610841b5a48214323be2d5e2d48089d03ff6ffdfb11ae8b67b2db238a004c2b53811cb69a87d4f614e0697ad1d4aa26f5fb751342968aa2b19e335cbdd7b

        • C:\Users\Admin\AppData\Local\Temp\Cab3314.tmp
          Filesize

          65KB

          MD5

          ac05d27423a85adc1622c714f2cb6184

          SHA1

          b0fe2b1abddb97837ea0195be70ab2ff14d43198

          SHA256

          c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

          SHA512

          6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

        • C:\Users\Admin\AppData\Local\Temp\Tar33E4.tmp
          Filesize

          177KB

          MD5

          435a9ac180383f9fa094131b173a2f7b

          SHA1

          76944ea657a9db94f9a4bef38f88c46ed4166983

          SHA256

          67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

          SHA512

          1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\instnm.lnk
          Filesize

          1KB

          MD5

          253b3ea6762c53592913e6746b2e0f00

          SHA1

          6b54d01472f102fb4f61dbb9fa79a761e2af8a3a

          SHA256

          90bb08b510feb79a138690c81f83b6dd1d3d7d0bc9d52179e1e767a4b72ddbc2

          SHA512

          b21ae2024ae5b3943b09c43e229b68919b7c7abbae887feee2aa9a74f562d7921c1faf9c8894f8a0f8810dcca6e53ea0d848e5d31b1f8f7a30a201457ff2505e

        • \??\PIPE\samr
          (named pipe, no file content captured: the digests below are those of empty input, so they identify nothing)
          MD5

          d41d8cd98f00b204e9800998ecf8427e

          SHA1

          da39a3ee5e6b4b0d3255bfef95601890afd80709

          SHA256

          e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

          SHA512

          cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

        • \Users\Admin\AppData\Roaming\{04E11A53-556B-582E-C494-323BC9541A7E}\instnm.exe
          Filesize

          131KB

          MD5

          5dd451691d249335fe3918b9865814d5

          SHA1

          da0b239b102c5266c1c2cb15b7c42b0a54b1ca23

          SHA256

          aff75f4ea273d6ab7a9cb9023c37ab723c827ca2a630342dd0054d9c4f0c1227

          SHA512

          c1d0a729ca243a192df7753c382a6ed503002b310ab7648f4fcc4618a8647366356aebb01a1e707fb9a1a75396d2a43436028b1099e35d96deef170fc917e8e6

        • memory/2188-13-0x0000000000400000-0x0000000000427000-memory.dmp
          Filesize

          156KB

        • memory/2188-0-0x0000000000020000-0x0000000000036000-memory.dmp
          Filesize

          88KB

        • memory/2188-1-0x0000000000400000-0x0000000000427000-memory.dmp
          Filesize

          156KB

        • memory/2200-21-0x0000000000400000-0x0000000000427000-memory.dmp
          Filesize

          156KB

        • memory/2200-22-0x0000000000400000-0x0000000000427000-memory.dmp
          Filesize

          156KB

        • memory/2200-483-0x0000000000400000-0x0000000000427000-memory.dmp
          Filesize

          156KB

        • memory/2200-19-0x0000000002610000-0x0000000002611000-memory.dmp
          Filesize

          4KB

        • memory/2200-16-0x0000000000400000-0x0000000000427000-memory.dmp
          Filesize

          156KB

        • memory/2200-14-0x0000000000400000-0x0000000000427000-memory.dmp
          Filesize

          156KB

        • memory/2200-24-0x0000000000400000-0x0000000000427000-memory.dmp
          Filesize

          156KB

        • memory/2200-471-0x0000000003A20000-0x0000000003A22000-memory.dmp
          Filesize

          8KB

        • memory/2200-960-0x0000000000400000-0x0000000000427000-memory.dmp
          Filesize

          156KB
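The dropped-file list above doubles as a hunt set. The Python below is an added example, not part of the sandbox report, that turns it into a scanner for a mounted image or live tree: it flags files by ransom-note filename (which also catches other Cerber builds that use the same note names), by drop location (the StartUp-folder `instnm.lnk` and the `instnm.exe` copy under a `{GUID}` directory, as seen in the Downloads list) and by SHA-256 against the report's hashes (which only catches this exact sample). The demo tree it builds is constructed; the files in it are placeholders, not the sample.

```python
"""Hunt for the Cerber drop artefacts listed in this report.
Added example, not part of the sandbox report."""
import hashlib
import os
import re
import tempfile
from pathlib import Path

# Indicators copied from the report's Downloads list.
RANSOM_NOTE_RE = re.compile(r"^# DECRYPT MY FILES #\.(txt|html|url|vbs)$", re.I)
GUID_DIR_RE = re.compile(r"^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
KNOWN_SHA256 = {
    "aff75f4ea273d6ab7a9cb9023c37ab723c827ca2a630342dd0054d9c4f0c1227": "instnm.exe",
    "90bb08b510feb79a138690c81f83b6dd1d3d7d0bc9d52179e1e767a4b72ddbc2": "instnm.lnk",
    "63e6913f67a7deb8f3e9475a4930b013d6088a2b841cb33783541067b9574b49": "# DECRYPT MY FILES #.txt",
    "8ec094ce6442dd8ae156dee4b2da3780c5900de8139690a98b462cc96c11ada5": "# DECRYPT MY FILES #.html",
    "3ceb8a8daf46f5f80037b7a71ce94dd4af9025ff2dcbe58471fce3f2acb62b4d": "# DECRYPT MY FILES #.url",
    "8ad5e0f423ce1ff13f45a79746813f0f1d56993d7f125ab96f3d93fb54bdc934": "# DECRYPT MY FILES #.vbs",
}


def sha256_of(path):
    """Stream the file through SHA-256 so large files are not read in one go."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def classify(path, known=KNOWN_SHA256):
    """Return the reasons `path` looks like a Cerber artefact (empty list if none)."""
    path = Path(path)
    name = path.name.lower()
    reasons = []
    if RANSOM_NOTE_RE.match(path.name):
        reasons.append("ransom note filename")
    if name == "instnm.lnk" and path.parent.name.lower() == "startup":
        reasons.append("Startup-folder .lnk persistence")
    if name == "instnm.exe" and GUID_DIR_RE.match(path.parent.name):
        reasons.append("payload copy under a {GUID} directory")
    digest = sha256_of(path)
    if digest in known:
        reasons.append("SHA256 matches report entry " + known[digest])
    return reasons


def scan(root, known=KNOWN_SHA256):
    """Walk `root` and return [(path, reasons)] for every matching file."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            p = Path(dirpath) / fname
            reasons = classify(p, known)
            if reasons:
                hits.append((str(p), reasons))
    return sorted(hits)


def demo():
    """Constructed tree (placeholder bytes, not the sample) mirroring the drop paths."""
    root = Path(tempfile.mkdtemp(prefix="cerber_demo_"))
    startup = root / "Start Menu" / "Programs" / "StartUp"
    guid_dir = root / "Roaming" / "{04E11A53-556B-582E-C494-323BC9541A7E}"
    startup.mkdir(parents=True)
    guid_dir.mkdir(parents=True)
    (root / "# DECRYPT MY FILES #.txt").write_text("constructed note body\n")
    (startup / "instnm.lnk").write_bytes(b"constructed shortcut bytes")
    (guid_dir / "instnm.exe").write_bytes(b"MZ constructed, not the sample")
    (root / "report.docx").write_bytes(b"benign")
    return scan(root)


if __name__ == "__main__":
    for path, reasons in demo():
        print(path, "->", "; ".join(reasons))
```

On a real image the hash branch is the weakest signal (a recompiled build changes every digest), so treat the filename and location rules as the durable part of this hunt and the hashes as confirmation for this specific sample.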