Overview

overview

10

Static

static

7

cleaners.zip

windows10-2004-x64

10

Spoofer.exe

windows10-2004-x64

10

cleaners/a...er.exe

windows10-2004-x64

9

spoofers/C...32.exe

windows10-2004-x64

1

spoofers/C...64.exe

windows10-2004-x64

1

Sharing

Copy URL
Twitter E-mail

General

  • Target

    cleaners.zip

  • Size

    4.3MB

  • Sample

    240620-lemxqazepd

  • MD5

    89daae512bcf605f191336ef8a461b75

  • SHA1

    747f3997bf80e6083c2a4a8032262c440ae4de8d

  • SHA256

    4ee85019c1ae4d1abf8ea1908f635339d0a4af88ba185dc30e1104e68c7c902e

  • SHA512

    7c280cb9a325311a1e8b575bcb99a26590db2435633a78da3383d177f4c93d1744d842e8c792b921d80aef7305b58fa83f5caa784466d9393d15024827611ed7

  • SSDEEP

    98304:/Bk7AtkbjSTuW+wI9a7OCq4MrdN0wIvQxk5XxeJMWrd6B9JO:JRW2ar4X/MP0tvOR5SPO

Score
10/10
cerberevasionexecutionpersistenceprivilege_escalationransomwarespywarestealerthemidatrojan

Malware Config

Targets

    • Target

      cleaners.zip

    • Size

      4.3MB

    • MD5

      89daae512bcf605f191336ef8a461b75

    • SHA1

      747f3997bf80e6083c2a4a8032262c440ae4de8d

    • SHA256

      4ee85019c1ae4d1abf8ea1908f635339d0a4af88ba185dc30e1104e68c7c902e

    • SHA512

      7c280cb9a325311a1e8b575bcb99a26590db2435633a78da3383d177f4c93d1744d842e8c792b921d80aef7305b58fa83f5caa784466d9393d15024827611ed7

    • SSDEEP

      98304:/Bk7AtkbjSTuW+wI9a7OCq4MrdN0wIvQxk5XxeJMWrd6B9JO:JRW2ar4X/MP0tvOR5SPO

    Score
    10/10
    cerberevasionexecutionpersistenceprivilege_escalationransomwarespywarestealerthemida

    • Cerber

      Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.

      ransomwarecerber

    • Disables service(s)

      evasionexecution

    • Server Software Component: Terminal Services DLL

      persistence

    • Stops running service(s)

      evasionexecution

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

      persistenceprivilege_escalation

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

      themida

    • Drops file in System32 directory

    behavioral1

    • Target

      Spoofer.exe

    • Size

      24KB

    • MD5

      7a4a3fea89bfe8810ef9835273d6fc84

    • SHA1

      cd411d7d4eed7b622ca2d1ea5495055da76216ee

    • SHA256

      2d9b399a3a584808b4bd38d9f6a12752e2b02875f92252f944a5bd7bf129e2f0

    • SHA512

      a921faf7de2ae61421432ba176ef7254f005bc052d41054019d1fbc5714c213266c598a64cd4c3edd4cec35130e3ce8d7595bb2bcc7c669a20d69b0ca93277d4

    • SSDEEP

      384:IfedtZWjBkCUo6tqt7glQcpF3dPBlcR8lfZKlD04tEGD4PTeB2DKiES3M+f:KVgtrYD0iEG4SBWUS3f

    Score
    10/10
    cerberevasionexecutionpersistenceprivilege_escalationransomware

    • Cerber

      Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.

      ransomwarecerber

    • Disables service(s)

      evasionexecution

    • Server Software Component: Terminal Services DLL

      persistence

    • Stops running service(s)

      evasionexecution

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

      persistenceprivilege_escalation

    • Drops file in System32 directory

    behavioral2

    • Target

      cleaners/applecleaner.exe

    • Size

      3.6MB

    • MD5

      f96eb2236970fb3ea97101b923af4228

    • SHA1

      e0eed80f1054acbf5389a7b8860a4503dd3e184a

    • SHA256

      46fe5192387d3f897a134d29c069ebf39c72094c892134d2f0e77b12b11a6172

    • SHA512

      2fd2d28c5f571d40b43a4dd7a22d367ba42420c29627f21ca0a2052070ffb9f689d80dad638238189eed26ed19af626f47e70f1207e10007041c620dac323cc7

    • SSDEEP

      98304:z7m+ij9HD0+jCihNRkl/W6aG/wcKnfu8NUT6Ko:e+y4ihkl/Wo/afHPb

    Score
    9/10
    evasionpersistenceprivilege_escalationthemidatrojan

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Modifies Windows Firewall

      evasion

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

      themida

    • Checks whether UAC is enabled

      evasiontrojan

    • Checks system information in the registry

      System information is often read in order to detect sandboxing environments.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral3

    • Target

      spoofers/CupFixerx32.EXE

    • Size

      451KB

    • MD5

      feac8b5c2d2b99e7a3c8f1ba41ba3472

    • SHA1

      002bd5344c44f288c22e69b5e2846d515bfa429e

    • SHA256

      7fce635cb66dc1286856a1f1f281b90431288be4a9647a8e0cbd2a0346748b95

    • SHA512

      b95b83545ca45453e6d64b7c2cf276932eded9658187aa91dcff948e59c313ae071b0059a481cd7b01aae778fc4fda71aa830fb99b84197fb17e03e9a10e8e68

    • SSDEEP

      6144:Traq37wODH1cNaej2JMBO+1ObTq45kCNYczkF77TlfFBYdHJz6:B7wsAKJMBAFNVkF77Rfz

    Score
    1/10
    behavioral4

    • Target

      spoofers/CupFixerx64.exe

    • Size

      377KB

    • MD5

      b4eceb90668db85712e66fd493ce4ca5

    • SHA1

      951f3e9503b9b31a0c944355870dbfea0df32441

    • SHA256

      bf8df68bbac80b4382206917b9bb46e8fd6cf76f6acd7374a3e6f5470681597c

    • SHA512

      b912554fd863b237edd9f6518676ca9a190b7c7dc54024973a6062da8bf5ce8c6ad16219032cb0ed1ade7d2b5a855a6dc2aeb71c0ddde476a8bec64068ba0284

    • SSDEEP

      6144:4NFU+vVycygjjsp5dcAONdA22xVK8LRPo4WBIeX+oD9/nwLk9C9I6i:4bygjjsrdcAONdA22xVK8LRPo4WGkD9Q

    Score
    1/10
    behavioral5

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

System Services

2
T1569

Service Execution

2
T1569.002

Persistence

Create or Modify System Process

3
T1543

Windows Service

3
T1543.003

Event Triggered Execution

2
T1546

Component Object Model Hijacking

1
T1546.015

Netsh Helper DLL

1
T1546.007

Server Software Component

1
T1505

Terminal Services DLL

1
T1505.005

Privilege Escalation

Create or Modify System Process

3
T1543

Windows Service

3
T1543.003

Event Triggered Execution

2
T1546

Component Object Model Hijacking

1
T1546.015

Netsh Helper DLL

1
T1546.007

Defense Evasion

Impair Defenses

2
T1562

Disable or Modify System Firewall

1
T1562.004

Modify Registry

1
T1112

Virtualization/Sandbox Evasion

1
T1497

Credential Access

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Query Registry

5
T1012

System Information Discovery

7
T1082

Virtualization/Sandbox Evasion

1
T1497

Lateral Movement

Collection

Data from Local System

1
T1005

Command and Control

Exfiltration

Impact

Service Stop

2
T1489

Tasks