Analysis

  • max time kernel
    127s
  • max time network
    138s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    07-06-2024 17:12

General

  • Target

    VirusShare_270b70bad151a515136f553e5bc880ac.exe

  • Size

    344KB

  • MD5

    270b70bad151a515136f553e5bc880ac

  • SHA1

    77b7def336c7647c6faadaf7136d70ff1e9ba7fc

  • SHA256

    db2f389b5566822f8cecb27b989920f16137e82b54b446868d01f73af23f5bfa

  • SHA512

    c198f9498d634ec4d05cf29a1bb6ade8c59a2904510464e3b292b11bcf5382d7fe603e46b6a72b14f3f996811f68101e46c467914b21ea6eccaf423df2d1a43f

  • SSDEEP

    3072:v5sAzvcjE+lcO3zXgKRcP66BpwwB9RStc3Yfqr:v5jvc4+lcO3zQKSPfBJXv3YM

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.txt

Family

cerber

Ransom Note
C E R B E R   R A N S O M W A R E
#########################################################################

Cannot you find the files you need?
Is the content of the files that you looked for not readable?

It is normal because the files' names, as well as the data in your files have been encrypted.

Great!!!
You have turned to be a part of a big community #Cerber_Ransomware.

#########################################################################
!!! If you are reading this message it means the software
!!! "Cerber Ransomware" has been removed from your computer.
#########################################################################

What is encryption?
-------------------

Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users.

To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key.

But not only it.

It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data.

#########################################################################

Everything is clear for me but what should I do?
------------------------------------------------

The first step is reading these instructions to the end.

Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you.

After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions.

It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them.

!!! Any attempts to get back your files with the third-party tools can
!!! be fatal for your encrypted files.

The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files.

Finally it will be impossible to decrypt your files.

When you make a puzzle but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly.

You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files.

#########################################################################
!!! There are several plain steps to restore your files but if you do
!!! not follow them we will not be able to help you, and we will not try
!!! since you have read this warning already.
#########################################################################

For your information the software to decrypt your files (as well as the private key provided together) are paid products.

After purchase of the software package you will be able to:

1. decrypt all your files;
2. work with your documents;
3. view your photos and other media;
4. continue your usual and comfortable work at the computer.

If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files.

#########################################################################

There is a list of temporary addresses to go on your personal page below:
 _______________________________________________________________________
|                                                                       |
| 1. http://cerberhhyed5frqa.vmfu48.win/F7B5-1FAC-49A0-0073-17FA        |
| 2. http://cerberhhyed5frqa.45tori.win/F7B5-1FAC-49A0-0073-17FA        |
| 3. http://cerberhhyed5frqa.fkr84i.win/F7B5-1FAC-49A0-0073-17FA        |
| 4. http://cerberhhyed5frqa.fkri48.win/F7B5-1FAC-49A0-0073-17FA        |
| 5. http://cerberhhyed5frqa.djre89.win/F7B5-1FAC-49A0-0073-17FA        |
|_______________________________________________________________________|

#########################################################################

What should you do with these addresses?
----------------------------------------

If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it):

1. take a look at the first address (in this case it is http://cerberhhyed5frqa.vmfu48.win/F7B5-1FAC-49A0-0073-17FA);
2. select it with the mouse cursor holding the left mouse button and moving the cursor to the right;
3. release the left mouse button and press the right one;
4. select "Copy" in the appeared menu;
5. run your Internet browser (if you do not know what it is run the Internet Explorer);
6. move the mouse cursor to the address bar of the browser (this is the place where the site address is written);
7. click the right mouse button in the field where the site address is written;
8. select the button "Insert" in the appeared menu;
9. then you will see the address http://cerberhhyed5frqa.vmfu48.win/F7B5-1FAC-49A0-0073-17FA appeared there;
10. press ENTER;
11. the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling.

If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions.

If you browse the instructions in HTML format:

1. click the left mouse button on the first address (in this case it is http://cerberhhyed5frqa.vmfu48.win/F7B5-1FAC-49A0-0073-17FA);
2. in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address.

If for some reason the site cannot be opened check the connection to the Internet.

#########################################################################

Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products.

Unlike them we are ready to help you always.

If you need our help but the temporary sites are not available:

1. run your Internet browser (if you do not know what it is run the Internet Explorer);
2. enter or copy the address https://www.torproject.org/download/download-easy.html.en into the address bar of your browser and press ENTER;
3. wait for the site loading;
4. on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed;
5. run Tor Browser;
6. connect with the button "Connect" (if you use the English version);
7. a normal Internet browser window will be opened after the initialization;
8. type or copy the address
    ________________________________________________________
   |                                                        |
   | http://cerberhhyed5frqa.onion/F7B5-1FAC-49A0-0073-17FA |
   |________________________________________________________|
   in this browser address bar;
9. press ENTER;
10. the site should be loaded; if for some reason the site is not loading wait for a moment and try again.

If you have any problems during installation or operation of Tor Browser, please, visit https://www.youtube.com/ and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation.

If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files.

#########################################################################

Additional information:

You will find the instructions for restoring your files in those folders where you have your encrypted files only.

The instructions are made in two file formats - HTML and TXT for your convenience.

Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files.

The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company.

#########################################################################

Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data.

The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection.

Together we make the Internet a better and safer place.

#########################################################################

If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support.

#########################################################################

Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files.

URLs

http://cerberhhyed5frqa.vmfu48.win/F7B5-1FAC-49A0-0073-17FA

http://cerberhhyed5frqa.45tori.win/F7B5-1FAC-49A0-0073-17FA

http://cerberhhyed5frqa.fkr84i.win/F7B5-1FAC-49A0-0073-17FA

http://cerberhhyed5frqa.fkri48.win/F7B5-1FAC-49A0-0073-17FA

http://cerberhhyed5frqa.djre89.win/F7B5-1FAC-49A0-0073-17FA

http://cerberhhyed5frqa.onion/F7B5-1FAC-49A0-0073-17FA

Extracted

Path

C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.html

Ransom Note
<!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8"> <title>&#067;erber Ransomware</title> <style> a { color: #47c; text-decoration: none; } a:hover { text-decoration: underline; } body { background-color: #e7e7e7; color: #333; font-family: "Helvetica Neue", Helvetica, "Segoe UI", Arial, freesans, sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol"; font-size: 16px; line-height: 1.6; margin: 0; padding: 0; } hr { background-color: #e7e7e7; border: 0 none; border-bottom: 1px solid #c7c7c7; height: 5px; margin: 30px 0; } li { padding: 0 0 7px 7px; } ol { padding-left: 3em; } .container { background-color: #fff; border: 1px solid #c7c7c7; margin: 40px; padding: 40px 40px 20px 40px; } .info, .tor { background-color: #efe; border: 1px solid #bda; display: block; padding: 0px 20px; } .logo { font-size: 12px; font-weight: bold; line-height: 1; margin: 0; } .tor { padding: 10px 0; text-align: center; } .warning { background-color: #f5e7e7; border: 1px solid #ebccd1; color: #a44; display: block; padding: 15px 10px; text-align: center; } </style> </head> <body> <div class="container"> <h3>C E R B E R&nbsp;&nbsp;&nbsp;R A N S O M W A R E</h3> <hr> <p>Cannot you find the files you need?<br>Is the content of the files that you looked for not readable?</p> <p>It is normal because the files' names, as well as the data in your files have been encrypted.</p> <p>Great!!!<br>You have turned to be a part of a big community #Cerber_Ransomware.</p> <hr> <p><span class="warning">If you are reading this message it means the software "Cerber Ransomware" has been removed from your computer.</span></p> <hr> <h3>What is encryption?</h3> <p>Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users.</p> <p>To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key.</p> <p>But not 
only it.</p> <p>It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data.</p> <hr> <h3>Everything is clear for me but what should I do?</h3> <p>The first step is reading these instructions to the end.</p> <p>Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you.</p> <p>After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions.</p> <p>It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them.</p> <p><span class="warning">Any attempts to get back your files with the third-party tools can be fatal for your encrypted files.</span></p> <p>The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files.</p> <p>Finally it will be impossible to decrypt your files.</p> <p>When you make a puzzle but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly.</p> <p>You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files.</p> <hr> <p><span class="warning">There are several plain steps to restore your files but if you do not follow them we will not be able to help you, and we will not try since you have read this warning already.</span></p> <hr> <p>For your information the software to decrypt your files (as well as the private key provided together) are paid products.</p> <p>After purchase of the software package you 
will be able to:</p> <ol> <li>decrypt all your files;</li> <li>work with your documents;</li> <li>view your photos and other media;</li> <li>continue your usual and comfortable work at the computer.</li> </ol> <p>If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files.</p> <hr> <div class="info"> <p>There is a list of temporary addresses to go on your personal page below:</p> <ol> <li><a href="http://cerberhhyed5frqa.vmfu48.win/F7B5-1FAC-49A0-0073-17FA" target="_blank">http://cerberhhyed5frqa.vmfu48.win/F7B5-1FAC-49A0-0073-17FA</a></li> <li><a href="http://cerberhhyed5frqa.45tori.win/F7B5-1FAC-49A0-0073-17FA" target="_blank">http://cerberhhyed5frqa.45tori.win/F7B5-1FAC-49A0-0073-17FA</a></li> <li><a href="http://cerberhhyed5frqa.fkr84i.win/F7B5-1FAC-49A0-0073-17FA" target="_blank">http://cerberhhyed5frqa.fkr84i.win/F7B5-1FAC-49A0-0073-17FA</a></li> <li><a href="http://cerberhhyed5frqa.fkri48.win/F7B5-1FAC-49A0-0073-17FA" target="_blank">http://cerberhhyed5frqa.fkri48.win/F7B5-1FAC-49A0-0073-17FA</a></li> <li><a href="http://cerberhhyed5frqa.djre89.win/F7B5-1FAC-49A0-0073-17FA" target="_blank">http://cerberhhyed5frqa.djre89.win/F7B5-1FAC-49A0-0073-17FA</a></li> </ol> </div> <hr> <h3>What should you do with these addresses?</h3> <p>If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it):</p> <ol> <li>take a look at the first address (in this case it is <a href="http://cerberhhyed5frqa.vmfu48.win/F7B5-1FAC-49A0-0073-17FA" target="_blank">http://cerberhhyed5frqa.vmfu48.win/F7B5-1FAC-49A0-0073-17FA</a>);</li> <li>select it with the mouse cursor holding the left mouse button and moving the cursor to the right;</li> <li>release the left mouse button and press the right one;</li> <li>select "Copy" in the appeared menu;</li> <li>run 
your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>move the mouse cursor to the address bar of the browser (this is the place where the site address is written);</li> <li>click the right mouse button in the field where the site address is written;</li> <li>select the button "Insert" in the appeared menu;</li> <li>then you will see the address <a href="http://cerberhhyed5frqa.vmfu48.win/F7B5-1FAC-49A0-0073-17FA" target="_blank">http://cerberhhyed5frqa.vmfu48.win/F7B5-1FAC-49A0-0073-17FA</a> appeared there;</li> <li>press ENTER;</li> <li>the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling.</li> </ol> <p>If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions.</p> <p>If you browse the instructions in HTML format:</p> <ol> <li>click the left mouse button on the first address (in this case it is <a href="http://cerberhhyed5frqa.vmfu48.win/F7B5-1FAC-49A0-0073-17FA" target="_blank">http://cerberhhyed5frqa.vmfu48.win/F7B5-1FAC-49A0-0073-17FA</a>);</li> <li>in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address.</li> </ol> <p>If for some reason the site cannot be opened check the connection to the Internet.</p> <hr> <p>Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products.</p> <p>Unlike them we are ready to help you always.</p> <p>If you need our help but the temporary sites are not available:</p> <ol> <li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>enter or copy the address <a 
href="https://www.torproject.org/download/download-easy.html.en" target="_blank">https://www.torproject.org/download/download-easy.html.en</a> into the address bar of your browser and press ENTER;</li> <li>wait for the site loading;</li> <li>on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed;</li> <li>run Tor Browser;</li> <li>connect with the button "Connect" (if you use the English version);</li> <li>a normal Internet browser window will be opened after the initialization;</li> <li>type or copy the address <span class="tor">http://cerberhhyed5frqa.onion/F7B5-1FAC-49A0-0073-17FA</span> in this browser address bar;</li> <li>press ENTER;</li> <li>the site should be loaded; if for some reason the site is not loading wait for a moment and try again.</li> </ol> <p>If you have any problems during installation or operation of Tor Browser, please, visit <a href="https://www.youtube.com/results?search_query=install+tor+browser+windows" target="_blank">https://www.youtube.com/</a> and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation.</p> <p>If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files.</p> <hr> <h3>Additional information:</h3> <p>You will find the instructions for restoring your files in those folders where you have your encrypted files only.</p> <p>The instructions are made in two file formats - HTML and TXT for your convenience.</p> <p>Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files.</p> <p>The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to 
your antivirus company.</p> <hr> <p>Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data.</p> <p>The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection.</p> <p>Together we make the Internet a better and safer place.</p> <hr> <p>If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support.</p> <hr> <p>Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files.</p> </div> </body> </html>
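The two extracted notes above carry the same victim ID and the same set of gateway hosts in two different containers (plain text with a box drawing, and HTML with `href` attributes). The parser below pulls the victim ID and the gateway hosts out of either form without hard-coding the `cerberhhyed5frqa` label: it collects every URL, takes the path that the most URLs share as the victim ID, and treats everything with that path as a gateway while the Tor-download and YouTube links fall out as noise. This is an added example, not part of the sandbox report; the two note excerpts are constructed from the text shown on this page, and the five-groups-of-four-hex victim-ID shape is an assumption taken from this one sample.

```python
"""
Victim-ID and gateway extraction for Cerber "# DECRYPT MY FILES #" notes.
Added example, not from the sandbox report.  TXT_NOTE and HTML_NOTE are
excerpts constructed from the notes shown on this page.
"""
import html
import re
from collections import Counter
from typing import Dict, List, Optional
from urllib.parse import urlsplit

TXT_NOTE = """\
There is a list of temporary addresses to go on your personal page below:
| 1. http://cerberhhyed5frqa.vmfu48.win/F7B5-1FAC-49A0-0073-17FA |
| 2. http://cerberhhyed5frqa.45tori.win/F7B5-1FAC-49A0-0073-17FA |
| 3. http://cerberhhyed5frqa.fkr84i.win/F7B5-1FAC-49A0-0073-17FA |
| 4. http://cerberhhyed5frqa.fkri48.win/F7B5-1FAC-49A0-0073-17FA |
| 5. http://cerberhhyed5frqa.djre89.win/F7B5-1FAC-49A0-0073-17FA |
1. take a look at the first address (in this case it is http://cerberhhyed5frqa.vmfu48.win/F7B5-1FAC-49A0-0073-17FA);
2. enter or copy the address https://www.torproject.org/download/download-easy.html.en into the address bar
| http://cerberhhyed5frqa.onion/F7B5-1FAC-49A0-0073-17FA |
"""

HTML_NOTE = """\
<!DOCTYPE html><html lang="en"><head><title>&#067;erber Ransomware</title></head><body>
<ol><li><a href="http://cerberhhyed5frqa.vmfu48.win/F7B5-1FAC-49A0-0073-17FA" target="_blank">http://cerberhhyed5frqa.vmfu48.win/F7B5-1FAC-49A0-0073-17FA</a></li>
<li><a href="http://cerberhhyed5frqa.45tori.win/F7B5-1FAC-49A0-0073-17FA" target="_blank">http://cerberhhyed5frqa.45tori.win/F7B5-1FAC-49A0-0073-17FA</a></li>
<li><a href="http://cerberhhyed5frqa.fkr84i.win/F7B5-1FAC-49A0-0073-17FA" target="_blank">http://cerberhhyed5frqa.fkr84i.win/F7B5-1FAC-49A0-0073-17FA</a></li>
<li><a href="http://cerberhhyed5frqa.fkri48.win/F7B5-1FAC-49A0-0073-17FA" target="_blank">http://cerberhhyed5frqa.fkri48.win/F7B5-1FAC-49A0-0073-17FA</a></li>
<li><a href="http://cerberhhyed5frqa.djre89.win/F7B5-1FAC-49A0-0073-17FA" target="_blank">http://cerberhhyed5frqa.djre89.win/F7B5-1FAC-49A0-0073-17FA</a></li></ol>
<li>type or copy the address <span class="tor">http://cerberhhyed5frqa.onion/F7B5-1FAC-49A0-0073-17FA</span> in this browser address bar;</li>
<p>visit <a href="https://www.youtube.com/results?search_query=install+tor+browser+windows" target="_blank">https://www.youtube.com/</a></p>
</body></html>
"""

# A URL ends at whitespace, a quote, an angle bracket or the box-drawing bar,
# so the same pattern works on raw HTML (hrefs, link text) and on the TXT note.
URL_RX = re.compile(r"""https?://[^\s"'<>|]+""", re.I)
# Victim-ID shape seen in this sample (five groups of four hex digits).
# ASSUMPTION: other Cerber builds may use a different shape.
VICTIM_ID_RX = re.compile(r"^[0-9A-F]{4}(?:-[0-9A-F]{4}){4}$")


def find_urls(note: str) -> List[str]:
    """URLs in document order, de-duplicated, trailing punctuation dropped."""
    seen: List[str] = []
    for raw in URL_RX.findall(note):
        url = html.unescape(raw).rstrip(").;,")
        if url not in seen:
            seen.append(url)
    return seen


def extract_iocs(note: str) -> Dict[str, object]:
    """The victim ID is the ID-shaped path shared by the most URLs; every URL
    carrying that path is a gateway, the rest (Tor download, YouTube) is noise."""
    urls = find_urls(note)
    paths = Counter(urlsplit(u).path.strip("/") for u in urls)
    candidates = [(n, p) for p, n in paths.items() if VICTIM_ID_RX.match(p)]
    if not candidates:
        return {"victim_id": None, "clearnet": [], "onion": [], "other_urls": urls}
    victim_id = max(candidates)[1]
    gateways = [u for u in urls if urlsplit(u).path.strip("/") == victim_id]
    hosts = [urlsplit(u).hostname or "" for u in gateways]
    return {
        "victim_id": victim_id,
        "clearnet": [h for h in hosts if not h.endswith(".onion")],
        "onion": [h for h in hosts if h.endswith(".onion")],
        "other_urls": [u for u in urls if u not in gateways],
    }


def consistent_victim_id(notes: List[str]) -> Optional[str]:
    """One ID across every note collected from a host means one infection;
    a mismatch means notes from more than one run (or host) were mixed."""
    ids = {extract_iocs(n)["victim_id"] for n in notes}
    return ids.pop() if len(ids) == 1 else None


if __name__ == "__main__":
    for name, note in (("txt", TXT_NOTE), ("html", HTML_NOTE)):
        print(name, extract_iocs(note))
    print("victim id:", consistent_victim_id([TXT_NOTE, HTML_NOTE]))
```

Because the gateway hosts are derived from the shared path rather than from a fixed label, the same function keeps working when a later build rotates the `.win` domains; the victim-ID regex is the only part that is tied to this sample.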

Signatures

  • Cerber

    Cerber is a widely used ransomware-as-a-service (RaaS), first seen in early 2016. The "# DECRYPT MY FILES #" note names, the .win gateway domains and the short .vbs note launched through WScript.exe (in the family's early builds a text-to-speech script that reads the note aloud) are consistent with those early builds.

  • Contacts a large (16389) number of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services. For Cerber the high host count is more likely the family's known post-encryption behaviour of spraying UDP datagrams (victim statistics) across a whole address block; the destination range would be visible in the report's Network section.

  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services; for this family, see the note on the UDP spray above.

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
  • Adds policy Run key to start application 2 TTPs 2 IoCs
  • Deletes itself 1 IoCs
  • Drops startup file 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials. For a ransomware sample the same signature fires when the encryptor walks browser profile directories looking for files to encrypt, so on its own it is not evidence of credential theft.

  • Adds Run key to start application 2 TTPs 4 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Kills process with taskkill 2 IoCs
  • Modifies Control Panel 4 IoCs
  • Modifies Internet Explorer settings 1 TTPs 59 IoCs
  • Runs ping.exe 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious use of AdjustPrivilegeToken 50 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 14 IoCs
  • Suspicious use of UnmapMainImage 2 IoCs
  • Suspicious use of WriteProcessMemory 56 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\VirusShare_270b70bad151a515136f553e5bc880ac.exe
    "C:\Users\Admin\AppData\Local\Temp\VirusShare_270b70bad151a515136f553e5bc880ac.exe"
    1⤵
    • Adds policy Run key to start application
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • Modifies Control Panel
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:1928
    • C:\Users\Admin\AppData\Roaming\{13610826-3503-134D-4C2C-C16FE04D06AA}\mshta.exe
      "C:\Users\Admin\AppData\Roaming\{13610826-3503-134D-4C2C-C16FE04D06AA}\mshta.exe"
      2⤵
      • Adds policy Run key to start application
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Sets desktop wallpaper using registry
      • Modifies Control Panel
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of UnmapMainImage
      • Suspicious use of WriteProcessMemory
      PID:2188
      • C:\Windows\system32\vssadmin.exe
        "C:\Windows\system32\vssadmin.exe" delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:2468
      • C:\Windows\system32\wbem\wmic.exe
        "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:572
      • C:\Windows\System32\bcdedit.exe
        "C:\Windows\System32\bcdedit.exe" /set {default} recoveryenabled no
        3⤵
        • Modifies boot configuration data using bcdedit
        PID:1164
      • C:\Windows\System32\bcdedit.exe
        "C:\Windows\System32\bcdedit.exe" /set {default} bootstatuspolicy ignoreallfailures
        3⤵
        • Modifies boot configuration data using bcdedit
        PID:564
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1324
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1324 CREDAT:275457 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:1932
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1324 CREDAT:537601 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:584
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt
        3⤵
        PID:1680
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs"
        3⤵
        PID:520
      • C:\Windows\system32\cmd.exe
        /d /c taskkill /t /f /im "mshta.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Roaming\{13610826-3503-134D-4C2C-C16FE04D06AA}\mshta.exe" > NUL
        3⤵
        PID:1696
        • C:\Windows\system32\taskkill.exe
          taskkill /t /f /im "mshta.exe"
          4⤵
          • Kills process with taskkill
          PID:2096
        • C:\Windows\system32\PING.EXE
          ping -n 1 127.0.0.1
          4⤵
          • Runs ping.exe
          PID:2528
    • C:\Windows\SysWOW64\cmd.exe
      /d /c taskkill /t /f /im "VirusShare_270b70bad151a515136f553e5bc880ac.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\VirusShare_270b70bad151a515136f553e5bc880ac.exe" > NUL
      2⤵
      • Deletes itself
      • Suspicious use of WriteProcessMemory
      PID:2148
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /t /f /im "VirusShare_270b70bad151a515136f553e5bc880ac.exe"
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2772
      • C:\Windows\SysWOW64\PING.EXE
        ping -n 1 127.0.0.1
        3⤵
        • Runs ping.exe
        PID:2380
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2588
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1664
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1664 CREDAT:275457 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:2916
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
    1⤵
    PID:2348
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x498
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1164
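The process tree above is the whole T1490 (Inhibit System Recovery) story in six command lines: the dropped mshta.exe deletes shadow copies twice (vssadmin and wmic), turns off Windows recovery and boot-failure handling with bcdedit, and then both it and the original dropper are removed with the same `cmd /d /c taskkill … & ping -n 1 127.0.0.1 … & del …` chain, where the single ping is a one-second sleep so the image is unlocked before `del` runs. The detection logic below runs over process-creation events constructed from that tree: it tags each command line, recognises the kill/sleep/delete chain and checks whether the deleted path is the parent's own image (a genuine self-delete rather than an arbitrary wipe), and folds every finding back onto the root of the tree so the dropper, not mshta.exe or cmd.exe, gets the verdict. This is an added example, not part of the sandbox report or of any vendor's rule set; the EVENTS list is my own transcription of the report's process list, and the rule names are labels I chose. Note that the report reuses PID 1164 (bcdedit.exe and later AUDIODG.EXE), so a real pipeline must key on process GUID or start time rather than PID; the constructed list below omits the later reuse, which is why keying on PID is safe here.

```python
"""
Recovery-inhibition and self-delete detection over process-creation events.
Added example, not from the sandbox report.  EVENTS is constructed by hand
from the process tree on this page (pid, ppid, image, command line).
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Paths exactly as they appear in the report above.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\VirusShare_270b70bad151a515136f553e5bc880ac.exe"
MSHTA = r"C:\Users\Admin\AppData\Roaming\{13610826-3503-134D-4C2C-C16FE04D06AA}\mshta.exe"
VSSADMIN = r"C:\Windows\system32\vssadmin.exe"
WMIC = r"C:\Windows\system32\wbem\wmic.exe"
BCDEDIT = r"C:\Windows\System32\bcdedit.exe"
IEXPLORE = r"C:\Program Files\Internet Explorer\iexplore.exe"

# Constructed events; ppid 0 means the parent is outside the tree.
EVENTS: List[Proc] = [
    Proc(1928, 0, SAMPLE, f'"{SAMPLE}"'),
    Proc(2188, 1928, MSHTA, f'"{MSHTA}"'),
    Proc(2468, 2188, VSSADMIN, f'"{VSSADMIN}" delete shadows /all /quiet'),
    Proc(572, 2188, WMIC, f'"{WMIC}" shadowcopy delete'),
    Proc(1164, 2188, BCDEDIT, f'"{BCDEDIT}" /set {{default}} recoveryenabled no'),
    Proc(564, 2188, BCDEDIT, f'"{BCDEDIT}" /set {{default}} bootstatuspolicy ignoreallfailures'),
    Proc(1324, 2188, IEXPLORE, f'"{IEXPLORE}" C:\\Users\\Admin\\Desktop\\# DECRYPT MY FILES #.html'),
    Proc(1696, 2188, r"C:\Windows\system32\cmd.exe",
         f'/d /c taskkill /t /f /im "mshta.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "{MSHTA}" > NUL'),
    Proc(2148, 1928, r"C:\Windows\SysWOW64\cmd.exe",
         f'/d /c taskkill /t /f /im "VirusShare_270b70bad151a515136f553e5bc880ac.exe" > NUL '
         f'& ping -n 1 127.0.0.1 > NUL & del "{SAMPLE}" > NUL'),
]

# Case-insensitive command-line rules, tolerant of quoting and full paths.
RULES: Dict[str, "re.Pattern[str]"] = {
    "vss_delete_vssadmin": re.compile(r'vssadmin(\.exe)?"?\s+delete\s+shadows', re.I),
    "vss_delete_wmic": re.compile(r'wmic(\.exe)?"?\s+shadowcopy\s+delete', re.I),
    "bcd_recovery_disabled": re.compile(r'bcdedit(\.exe)?"?.*/set\s+\{\w+\}\s+recoveryenabled\s+no', re.I),
    "bcd_ignore_boot_failures": re.compile(r'bcdedit(\.exe)?"?.*bootstatuspolicy\s+ignoreallfailures', re.I),
}

# taskkill ... & ping -n N 127.0.0.1 ... & del <path>: the ping is the sleep.
KILL_SLEEP_DELETE = re.compile(
    r'taskkill\s.*?&\s*ping\s+-n\s+\d+\s+127\.0\.0\.1.*?&\s*del\s+"?(?P<target>[^"&>]+?)"?\s*(?:>|&|$)',
    re.I,
)


def classify(cmdline: str) -> Set[str]:
    """Rule names matched by one command line."""
    return {name for name, rx in RULES.items() if rx.search(cmdline)}


def kill_sleep_delete_target(cmdline: str) -> Optional[str]:
    """Path deleted by a kill/sleep/delete chain, or None."""
    m = KILL_SLEEP_DELETE.search(cmdline)
    return m.group("target").strip() if m else None


def root_of(procs: Dict[int, Proc], pid: int) -> int:
    """Follows ppid links to the top-most process we hold an event for."""
    seen: Set[int] = set()
    while pid not in seen and procs[pid].ppid in procs:
        seen.add(pid)
        pid = procs[pid].ppid
    return pid


def analyze(events: List[Proc]) -> Dict[int, Set[str]]:
    """Per-pid findings.  A delete chain aimed at the parent's own image is a
    self-delete; any other target is tagged as a generic kill/sleep/delete."""
    procs = {p.pid: p for p in events}
    findings: Dict[int, Set[str]] = {}
    for p in events:
        tags = classify(p.cmdline)
        target = kill_sleep_delete_target(p.cmdline)
        if target is not None:
            parent = procs.get(p.ppid)
            same = parent is not None and parent.image.lower() == target.lower()
            tags.add("self_delete_of_parent" if same else "kill_sleep_delete")
        if tags:
            findings[p.pid] = tags
    return findings


def by_root(events: List[Proc]) -> Dict[int, Set[str]]:
    """Folds all findings onto the root of each tree (here the dropper, 1928)."""
    procs = {p.pid: p for p in events}
    merged: Dict[int, Set[str]] = defaultdict(set)
    for pid, tags in analyze(events).items():
        merged[root_of(procs, pid)] |= tags
    return dict(merged)


def inhibits_recovery(tags: Set[str]) -> bool:
    """T1490 verdict: shadow copies removed AND boot recovery tampered with."""
    return bool(tags & {"vss_delete_vssadmin", "vss_delete_wmic"}) and \
        bool(tags & {"bcd_recovery_disabled", "bcd_ignore_boot_failures"})


if __name__ == "__main__":
    for root, tags in by_root(EVENTS).items():
        print(f"root pid {root}: {sorted(tags)} inhibits_recovery={inhibits_recovery(tags)}")
```

Requiring both a shadow-copy deletion and a bcdedit change before calling it T1490 keeps backup agents and administrators running a lone `vssadmin delete shadows` out of the alert, while the parent-image comparison separates a real self-delete from the far more common "kill and clean a temp file" batch idiom.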

Network

MITRE ATT&CK Enterprise v15


Downloads

          • C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.html

            Filesize

            12KB

            MD5

            45d3807743dbb13b9cb061b39d118ba8

            SHA1

            7ca7d7e8522b999a401971fa3928b1acbd8efa24

            SHA256

            0672cc09bd67495e96e4ef733271121afd3eecb18c1a440793622a20d23136a6

            SHA512

            1c0dc98bf7e63d2e5e9df2ee839025c38098de578a2bb0c3c4f225c6440da246b6b43815be45c9f4ebe31069604d3ee1dab7d5d5d2cf04b57617cbc808dae391

          • C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.txt

            Filesize

            10KB

            MD5: 16f8f08e7690226839971ac2cdbc1dc9
            SHA1: a4700637f16074479e5c0c96029f5f4274ac1f15
            SHA256: 9ed59a59ecb5a685054c0c1c68a28002f8afba0d6a3dc42cdef59c1e1029b51a
            SHA512: cfed12502c166c4f929e6d249930d4320758266054b7db3ed1e996dbd6e2f74e08931fbe030d64c5e7a4bc2e7dcad8fd2548865849ab6c08a848738805c83b3a

          • C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.url
            Filesize: 85B
            MD5: 3e04dd65fd2f3a6e7481decd05934ef6
            SHA1: cebca1ad2d9c3417ed5b9c8340c4095756941044
            SHA256: d6537b0581a65a4c5d6cb701bb1e7ae76f65b238816d1d697a7948a86caba47a
            SHA512: 2de5abaec04feb8a71b82787889743cff4c043286edfd18e3e6aec23a6d511679fc9833930e9bf2f52e12077661c752acc3621fe1bbd462ad4200b771b179769

          • C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.vbs
            Filesize: 219B
            MD5: 35a3e3b45dcfc1e6c4fd4a160873a0d1
            SHA1: a0bcc855f2b75d82cbaae3a8710f816956e94b37
            SHA256: 8ad5e0f423ce1ff13f45a79746813f0f1d56993d7f125ab96f3d93fb54bdc934
            SHA512: 6d8e68b969ef67903aff526e983b0fb496678e4c819139e560a11f754a36c4b5770ac2ecf3fc1d9cb5aaa84f80363b4f55553255569503893192911b80d9d853

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
            Filesize: 70KB
            MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
            SHA1: 1723be06719828dda65ad804298d0431f6aff976
            SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
            SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
            Filesize: 342B
            MD5: cfcd1f20ca066fda2d35336bd9676139
            SHA1: 23e0212ff0968fc51375d6ba588631a0f1662a6a
            SHA256: 9b2d913aed2f030088385eef1016424a60f0f4cad2511c052013bb2e318f8c1c
            SHA512: e2ad8cac951e049fc1e1944cdc45dbc6934b2afe4cefe45b64d50e345034ab3f93977c8aa2b5c1cb2fd792873e6e3402b4445e9c2263ef9ba6c00aa6517ad26b

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
            Filesize: 342B
            MD5: 50111e0aa60f96984ef14b713cf62de2
            SHA1: 258416479ff6ce196f4f016ab22c522f250df5e6
            SHA256: 35fa6274e553a29d0c980c4f4e6b71b93f222cd357972a37e0564edee1edafa9
            SHA512: 1f2e719911f582d3614f5f9a3fc1ce2ad0323138a968af5647cbe3a44d57c3feccf4254f0c33d8a047a3ff0670c929c750387e55fea142fa5a714dded29820a2

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
            Filesize: 342B
            MD5: d8701a1333c58c428333692939893d8b
            SHA1: ee161ef6e8930e90e282819fe4213422780861a3
            SHA256: 52192eb4199060cf3942d06858eed7c26c0f8f749b21695663847d8fcf5e32ae
            SHA512: 023b7f08fdbf63c47da72ea1d6c4a551b6b156c23b673385fb951c799a67ec3f69e69445586a147e7849bddedc409aee49ef49caf9935ee1fb7726e144f23e29

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
            Filesize: 342B
            MD5: 885fd1595fe5ddd8937a0ec743baf4bc
            SHA1: decbf14fd8d44fe0abf3ebdf8337a89c3079913c
            SHA256: a86658e0e922a90ff867bbd54859d23f67c4f3ac384ea2289d55bf60c4f3dde5
            SHA512: bdc73fdb5d7f02373d7bf9467b18e9065c22a55c38254fd81fbb8ee3c6653a35d8e16d47722373c051f54fd9a7c61385a05d7079a0f1abffa8f6ecb013516092

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
            Filesize: 342B
            MD5: f2ed2307034f73a117d826b1f028b033
            SHA1: aecfa5ed3a904db9d0cc0f179e5ae47704a20904
            SHA256: bd20f19c408935551e7eba3dfa631f09280fa01bcd568cf61527168edbcc049f
            SHA512: 4375b9eb786e220437ecf7a7e8f86d653591d62a81d2d992de3dfc9ce26a43683110d6028dfcc4b2f80669b1164e78f7092b0edca12410c03c3038934da56003

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
            Filesize: 342B
            MD5: dae6ffbdbffb0e8684f992d074b71a24
            SHA1: a33fda944cf84a9fd59b275d579e5502603f5a85
            SHA256: a0f0efeba1e4fb2941ebbd7eb65cce10deadcf8e5dc9dee0e59c5b79fedd36a1
            SHA512: 5032da60060c8d03c9c2352fd2b2d11d8257b8e95d69689206156d00b3cbd0004eb913bbcc6b4b04b3be055319b716b31978f2b1a881f762abe99cd4fd6caf97

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
            Filesize: 342B
            MD5: fc03240d1b3ce13e3608a52312bbb55c
            SHA1: 0c393186cfaa10237239aa4df9f913e1bcb0ba92
            SHA256: ae2058da380aaeadfd64b7da1fdf9b9dc87e99261e77f916d75eb0b6d2ba8d34
            SHA512: 5686b57b33ab5e08588f05054521e3791757deccb4fadc27dc5c33e9bb1e1ee2f421e42ead8bde99b07b74bb482705779db58fc214ec1d459e337c5983d7dee7

          • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{80AE1001-24F1-11EF-8C47-FA8378BF1C4A}.dat
            Filesize: 5KB
            MD5: 6fa1727cdb9c12f9dfbc5d78ae735a37
            SHA1: fb873ed38f84478f9dc21355eb537500a27857cc
            SHA256: c0318e4b13fe343dc9e3257667749328ee9490dfbb684926907a62c53a24b304
            SHA512: c30f731644a128394d40c10ab514510143e9824b6d8e852aca3cc114d03d1bc69d0de66d685de87b5a998c981266649d3ef826e1b0bf21bcc7e1f6c6bf161d0e

          • C:\Users\Admin\AppData\Local\Temp\Cab69AE.tmp
            Filesize: 65KB
            MD5: ac05d27423a85adc1622c714f2cb6184
            SHA1: b0fe2b1abddb97837ea0195be70ab2ff14d43198
            SHA256: c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
            SHA512: 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

          • C:\Users\Admin\AppData\Local\Temp\Tar6AFF.tmp
            Filesize: 181KB
            MD5: 4ea6026cf93ec6338144661bf1202cd1
            SHA1: a1dec9044f750ad887935a01430bf49322fbdcb7
            SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
            SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\mshta.lnk
            Filesize: 1KB
            MD5: 774e3f25e78fcb4b3912fb318069393c
            SHA1: 622a41e11b2f065d7162e1d46e529e38f77b916f
            SHA256: 32f2f8949b8dd7fb5314d01e9d8399bc71f782bdeed5aa2ff97c44b30cf4c99b
            SHA512: eb7073f5c3f839e0301d7582759406d68432814cf259139773a0c160702830711e6d0bb3336dc9b90c619958ecadeed8c4bdd2bb11c4624231535bcbd09df526

          • \Users\Admin\AppData\Roaming\{13610826-3503-134D-4C2C-C16FE04D06AA}\mshta.exe
            Filesize: 344KB
            MD5: 270b70bad151a515136f553e5bc880ac
            SHA1: 77b7def336c7647c6faadaf7136d70ff1e9ba7fc
            SHA256: db2f389b5566822f8cecb27b989920f16137e82b54b446868d01f73af23f5bfa
            SHA512: c198f9498d634ec4d05cf29a1bb6ade8c59a2904510464e3b292b11bcf5382d7fe603e46b6a72b14f3f996811f68101e46c467914b21ea6eccaf423df2d1a43f

          • memory/1928-0-0x0000000000130000-0x000000000014E000-memory.dmp
            Filesize: 120KB

          • memory/1928-2-0x0000000000400000-0x0000000000420000-memory.dmp
            Filesize: 128KB

          • memory/1928-1-0x0000000000400000-0x0000000000420000-memory.dmp
            Filesize: 128KB

          • memory/1928-20-0x0000000000400000-0x0000000000420000-memory.dmp
            Filesize: 128KB

          • memory/2188-27-0x0000000000400000-0x0000000000420000-memory.dmp
            Filesize: 128KB

          • memory/2188-459-0x00000000036B0000-0x00000000036B2000-memory.dmp
            Filesize: 8KB

          • memory/2188-429-0x0000000000400000-0x0000000000420000-memory.dmp
            Filesize: 128KB

          • memory/2188-447-0x0000000000400000-0x0000000000420000-memory.dmp
            Filesize: 128KB

          • memory/2188-445-0x0000000000400000-0x0000000000420000-memory.dmp
            Filesize: 128KB

          • memory/2188-441-0x0000000000400000-0x0000000000420000-memory.dmp
            Filesize: 128KB

          • memory/2188-437-0x0000000000400000-0x0000000000420000-memory.dmp
            Filesize: 128KB

          • memory/2188-435-0x0000000000400000-0x0000000000420000-memory.dmp
            Filesize: 128KB

          • memory/2188-432-0x0000000000400000-0x0000000000420000-memory.dmp
            Filesize: 128KB

          • memory/2188-450-0x0000000000400000-0x0000000000420000-memory.dmp
            Filesize: 128KB

          • memory/2188-422-0x0000000000400000-0x0000000000420000-memory.dmp
            Filesize: 128KB

          • memory/2188-427-0x0000000000400000-0x0000000000420000-memory.dmp
            Filesize: 128KB

          • memory/2188-408-0x0000000000400000-0x0000000000420000-memory.dmp
            Filesize: 128KB

          • memory/2188-411-0x0000000000400000-0x0000000000420000-memory.dmp
            Filesize: 128KB

          • memory/2188-413-0x0000000000400000-0x0000000000420000-memory.dmp
            Filesize: 128KB

          • memory/2188-419-0x0000000000400000-0x0000000000420000-memory.dmp
            Filesize: 128KB

          • memory/2188-38-0x0000000000400000-0x0000000000420000-memory.dmp
            Filesize: 128KB

          • memory/2188-26-0x0000000000400000-0x0000000000420000-memory.dmp
            Filesize: 128KB

          • memory/2188-24-0x0000000000400000-0x0000000000420000-memory.dmp
            Filesize: 128KB

          • memory/2188-22-0x0000000003820000-0x0000000003821000-memory.dmp
            Filesize: 4KB

          • memory/2188-16-0x0000000000400000-0x0000000000420000-memory.dmp
            Filesize: 128KB

          • memory/2188-15-0x0000000000400000-0x0000000000420000-memory.dmp
            Filesize: 128KB

          • memory/2188-945-0x0000000000400000-0x0000000000420000-memory.dmp
            Filesize: 128KB