Analysis

  • max time kernel: 121s
  • max time network: 133s
  • platform: windows7_x64
  • resource: win7-20240221-en
  • resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted: 17-05-2024 14:15

General

  • Target: cerber.exe
  • Size: 604KB
  • MD5: 8b6bc16fd137c09a08b02bbe1bb7d670
  • SHA1: c69a0f6c6f809c01db92ca658fcf1b643391a2b7
  • SHA256: e67834d1e8b38ec5864cfa101b140aeaba8f1900a6e269e6a94c90fcbfe56678
  • SHA512: b53d2cc0fe5fa52262ace9f6e6ea3f5ce84935009822a3394bfe49c4d15dfeaa96bfe10ce77ffa93dbf81e5428122aa739a94bc709f203bc346597004fd75a24
  • SSDEEP: 6144:yYghlI5/u8f1mr+4RJ99MpDa52RX5wRDhOOU0qsR:yYKlYmDXEpDHRXP01

Malware Config

Extracted

  • Path: C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___6ALV_.txt
  • Family: cerber
  • Ransom Note:

    CERBER RANSOMWARE
    -----
    YOUR DOCUMENTS, PH0TOS, DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED!
    -----
    The only way to decrypt y0ur files is to receive the private key and decryption program. To receive the private key and decryption program go to any decrypted folder, inside there is the special file (*_READ_THIS_FILE_*) with complete instructions how to decrypt your files. If you cannot find any (*_READ_THIS_FILE_*) file at your PC, follow the instructions below:
    -----
    1. Download "Tor Browser" from https://www.torproject.org/ and install it.
    2. In the "Tor Browser" open your personal page here: http://p27dokhpz2n7nvgr.onion/5F4D-7EB9-7CB2-0446-974B
    Note! This page is available via "Tor Browser" only.
    -----
    Also you can use temporary addresses on your personal page without using "Tor Browser".
    -----
    1. http://p27dokhpz2n7nvgr.12hygy.top/5F4D-7EB9-7CB2-0446-974B
    2. http://p27dokhpz2n7nvgr.14ewqv.top/5F4D-7EB9-7CB2-0446-974B
    3. http://p27dokhpz2n7nvgr.14vvrc.top/5F4D-7EB9-7CB2-0446-974B
    4. http://p27dokhpz2n7nvgr.129p1t.top/5F4D-7EB9-7CB2-0446-974B
    5. http://p27dokhpz2n7nvgr.1apgrn.top/5F4D-7EB9-7CB2-0446-974B
    -----
    Note! These are temporary addresses! They will be available for a limited amount of time!
    -----

  • URLs:
    http://p27dokhpz2n7nvgr.onion/5F4D-7EB9-7CB2-0446-974B
    http://p27dokhpz2n7nvgr.12hygy.top/5F4D-7EB9-7CB2-0446-974B
    http://p27dokhpz2n7nvgr.14ewqv.top/5F4D-7EB9-7CB2-0446-974B
    http://p27dokhpz2n7nvgr.14vvrc.top/5F4D-7EB9-7CB2-0446-974B
    http://p27dokhpz2n7nvgr.129p1t.top/5F4D-7EB9-7CB2-0446-974B
    http://p27dokhpz2n7nvgr.1apgrn.top/5F4D-7EB9-7CB2-0446-974B

Signatures

  • Cerber

    Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.

  • Blocklisted process makes network request (5 IoCs)
  • Contacts a large number (1095) of remote hosts (1 TTP)

    This may indicate a network scan to discover remotely running services.

  • Modifies Windows Firewall (2 TTPs, 2 IoCs)
  • Deletes itself (1 IoC)
  • Drops file in System32 directory (38 IoCs)
  • Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  • Drops file in Program Files directory (20 IoCs)
  • Drops file in Windows directory (64 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Kills process with taskkill (1 IoC)
  • Modifies Internet Explorer settings (1 TTP, 1 IoC)
  • Opens file in notepad (likely ransom note) (1 IoC)
  • Runs ping.exe (1 TTP, 1 IoC)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of UnmapMainImage (1 IoC)
  • Suspicious use of WriteProcessMemory (28 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\cerber.exe
    "C:\Users\Admin\AppData\Local\Temp\cerber.exe"
    1⤵
    • Drops file in System32 directory
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:2196
    • C:\Windows\SysWOW64\netsh.exe
      C:\Windows\system32\netsh.exe advfirewall set allprofiles state on
      2⤵
      • Modifies Windows Firewall
      PID:2844
    • C:\Windows\SysWOW64\netsh.exe
      C:\Windows\system32\netsh.exe advfirewall reset
      2⤵
      • Modifies Windows Firewall
      PID:2912
    • C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___CJO9C_.hta"
      2⤵
      • Blocklisted process makes network request
      • Modifies Internet Explorer settings
      PID:1064
    • C:\Windows\SysWOW64\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___6ALV_.txt
      2⤵
      • Opens file in notepad (likely ransom note)
      PID:2032
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe"
      2⤵
      • Deletes itself
      • Suspicious use of WriteProcessMemory
      PID:304
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im "cerber.exe"
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1660
      • C:\Windows\SysWOW64\PING.EXE
        ping -n 1 127.0.0.1
        3⤵
        • Runs ping.exe
        PID:2104

MITRE ATT&CK Matrix (ATT&CK v13)

  • Persistence
    • Create or Modify System Process (T1543): 1
      • Windows Service (T1543.003): 1
  • Privilege Escalation
    • Create or Modify System Process (T1543): 1
      • Windows Service (T1543.003): 1
  • Defense Evasion
    • Impair Defenses (T1562): 1
      • Disable or Modify System Firewall (T1562.004): 1
    • Modify Registry (T1112): 2
  • Discovery
    • Network Service Discovery (T1046): 1
    • System Information Discovery (T1082): 1
    • Remote System Discovery (T1018): 1
  • Impact
    • Defacement (T1491): 1

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
    Filesize: 68KB
    MD5: 29f65ba8e88c063813cc50a4ea544e93
    SHA1: 05a7040d5c127e68c25d81cc51271ffb8bef3568
    SHA256: 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
    SHA512: e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

  • C:\Users\Admin\AppData\Local\Temp\Tar68F7.tmp
    Filesize: 177KB
    MD5: 435a9ac180383f9fa094131b173a2f7b
    SHA1: 76944ea657a9db94f9a4bef38f88c46ed4166983
    SHA256: 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
    SHA512: 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

  • C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___6ALV_.txt
    Filesize: 1KB
    MD5: c39fbd0dab858c48a3ef6d6e3d9e0c9f
    SHA1: f1e281a6c8e3a4535fbbdc9cfa52e3964627c4a9
    SHA256: dbd452a1aa3f1dc939244975efeda72a08080c51ef84d40e98ad5e695216fb94
    SHA512: 8bf7f882b0c6da88589827e9e8e100247a378491e2c8d9a78d8ed1f141462a61402f35957a3b395165358c406e9737265edb970ef5de1a58513572d18f4a94f5

  • C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___CJO9C_.hta
    Filesize: 75KB
    MD5: f77ef62db23dbb1e0dc03bca220f5546
    SHA1: 96e8ab59d356d3dc24e78e21c638e49c4dfc2345
    SHA256: 8a0c34c2e83f97f9cd9efdd8ce22f1c0ad702813b1a69df969ea7c03f19b357d
    SHA512: 8535e63204ddd97b9a6bd69ddf658899c35001e9d1e6aa65560ad97cd991dfd4ea658c26c168da271acffe7d714c13b6dd8e1c5c87903590aa95cecbc4b6baf1

  • memory/2196-0-0x0000000000230000-0x0000000000261000-memory.dmp (Filesize: 196KB)
  • memory/2196-1-0x0000000000400000-0x0000000000435000-memory.dmp (Filesize: 212KB)
  • memory/2196-2-0x0000000000400000-0x0000000000435000-memory.dmp (Filesize: 212KB)
  • memory/2196-5-0x0000000000400000-0x0000000000435000-memory.dmp (Filesize: 212KB)
  • memory/2196-9-0x0000000000400000-0x0000000000435000-memory.dmp (Filesize: 212KB)
  • memory/2196-79-0x0000000000400000-0x0000000000435000-memory.dmp (Filesize: 212KB)
  • memory/2196-86-0x0000000000400000-0x0000000000435000-memory.dmp (Filesize: 212KB)
  • memory/2196-122-0x0000000000400000-0x0000000000435000-memory.dmp (Filesize: 212KB)