Analysis

  • max time kernel
    118s
  • max time network
    136s
  • platform
    windows7_x64
  • resource
    win7-20240611-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
  • submitted
    28/06/2024, 01:31

General

  • Target

    2024-06-28_bab358c5bcab551fa9497d8042f81edd_cerber.exe

  • Size

    507KB

  • MD5

    bab358c5bcab551fa9497d8042f81edd

  • SHA1

    6960214279e7974cd9a6627ec0c62fbec42c8880

  • SHA256

    b95f96a7d181d4f4aa5ab989e6e667f23deeb239ba4dff8f7f0371c61fdda9c3

  • SHA512

    aefb9125df42dc333a82264b1eec4aadfc89c35d277301d025387bc1688ab412f287746813d2bc3288260b7bae58227130783edd85c6d4d359223c58a9a99f7b

  • SSDEEP

    6144:um4asNDAe1UxYIud67pCsJARzBUIg8rDph992STjrBpZwfKIn5w6i:KasN26t47pCRGTkjPTPiyZ6i

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\_READ_THI$_FILE_FY2962H_.txt

Ransom Note

--- [ CERBER RANSOMWARE ] ---
! YOUR DOCUMENTS, PHOTOS, DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED !
---
The only way to decrypt your files is to receive the private key and decryption program. To receive the private key and decryption program go to any decrypted folder, inside there is the special file (*_READ_THIS_FILE_*) with complete instructions how to decrypt your files. If you cannot find any (*_READ_THIS_FILE_*) file at your PC, follow the instructions below:
---
1. Download "Tor Browser" from https://www.torproject.org/ and install it.
2. In the "Tor Browser" open your personal page here: http://hjhqmbxyinislkkt.onion/5C36-54AD-5EBC-0502-0010
Note! This page is available via "Tor Browser" only.
---
Also you can use temporary addresses on your personal page without using "Tor Browser".
---
1. http://hjhqmbxyinislkkt.1npg9s.top/5C36-54AD-5EBC-0502-0010
2. http://hjhqmbxyinislkkt.1fy93v.top/5C36-54AD-5EBC-0502-0010
3. http://hjhqmbxyinislkkt.13kn4l.top/5C36-54AD-5EBC-0502-0010
4. http://hjhqmbxyinislkkt.14klmz.top/5C36-54AD-5EBC-0502-0010
5. http://hjhqmbxyinislkkt.13eymq.top/5C36-54AD-5EBC-0502-0010
---
Note! These are temporary addresses! They will be available for a limited amount of time!

URLs

http://hjhqmbxyinislkkt.onion/5C36-54AD-5EBC-0502-0010

http://hjhqmbxyinislkkt.1npg9s.top/5C36-54AD-5EBC-0502-0010

http://hjhqmbxyinislkkt.1fy93v.top/5C36-54AD-5EBC-0502-0010

http://hjhqmbxyinislkkt.13kn4l.top/5C36-54AD-5EBC-0502-0010

http://hjhqmbxyinislkkt.14klmz.top/5C36-54AD-5EBC-0502-0010

http://hjhqmbxyinislkkt.13eymq.top/5C36-54AD-5EBC-0502-0010

Signatures

  • Cerber

    Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.

  • Blocklisted process makes network request 1 IoCs
  • Contacts a large (1090) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Modifies Windows Firewall 2 TTPs 2 IoCs
  • Deletes itself 1 IoCs
  • Drops file in System32 directory 38 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 20 IoCs
  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • Kills process with taskkill 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-06-28_bab358c5bcab551fa9497d8042f81edd_cerber.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-06-28_bab358c5bcab551fa9497d8042f81edd_cerber.exe"
    1⤵
    • Drops file in System32 directory
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:2488
    • C:\Windows\SysWOW64\netsh.exe
      C:\Windows\system32\netsh.exe advfirewall set allprofiles state on
      2⤵
      • Modifies Windows Firewall
      • Event Triggered Execution: Netsh Helper DLL
      PID:2524
    • C:\Windows\SysWOW64\netsh.exe
      C:\Windows\system32\netsh.exe advfirewall reset
      2⤵
      • Modifies Windows Firewall
      • Event Triggered Execution: Netsh Helper DLL
      PID:1780
    • C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\_READ_THI$_FILE_4K2XVF_.hta"
      2⤵
      • Blocklisted process makes network request
      • Modifies Internet Explorer settings
      PID:760
    • C:\Windows\SysWOW64\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_READ_THI$_FILE_FY2962H_.txt
      2⤵
      PID:1884
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe"
      2⤵
      • Deletes itself
      • Suspicious use of WriteProcessMemory
      PID:956
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im "2024-06-28_bab358c5bcab551fa9497d8042f81edd_cerber.exe"
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1788
      • C:\Windows\SysWOW64\PING.EXE
        ping -n 1 127.0.0.1
        3⤵
        • Runs ping.exe
        PID:2888
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
    1⤵
    • Suspicious use of FindShellTrayWindow
    PID:1564
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
    1⤵
    PID:2108

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\Desktop\_READ_THI$_FILE_4K2XVF_.hta

    Filesize

    75KB

    MD5

    261a816620df602ff663e5a5c3cfb06d

    SHA1

    1d73526af696c1185c930a90c4da1d8796afe020

    SHA256

    9c156f682e83bdc5b34ef6a29132ba1ee5882a7af9a717fa3de4ffd0d1bc9d9d

    SHA512

    cbd46126a56189c5ed8e699ca0cba88eb8c69b9a01a1cd59bf0063012835a97777209053a2ca8a965ebea538c4669392b31f620ffb274462930781c439bbc30f

  • C:\Users\Admin\Desktop\_READ_THI$_FILE_FY2962H_.txt

    Filesize

    1KB

    MD5

    1de9ae3f57e1543f1d70bc47209da6c4

    SHA1

    aa2f959e1889b5a58da8423790f4122b799b063b

    SHA256

    f7bd9ce3b728408fa58f080bd00e4d4b97b8ee69942095750d4d8075d7a47fcf

    SHA512

    e2fa22635febe350564ef3a13a8846a82dc63c400131287edba80d2a825f49f8058e13c4adbefa2554f81fb76e138a64aff1756e5bb02823b905e1472ba7142c

  • C:\Users\Admin\Desktop\_READ_THI$_FILE_LAL3E_.jpeg

    Filesize

    150KB

    MD5

    ee4b4ff4bdc7c0dce718153abe3de461

    SHA1

    1d6a586069a30eb6516bcafc6a8e1d371e9523bd

    SHA256

    9ab383e342c9c957031db2b3bca6e769a836864ee099caa66f2225b02c7dce61

    SHA512

    9e931198a3529790598ea01816b96ed14cd2c59d0eed1c8307e2d654cdaeca2f80e57e6fff4ca133f08167c2c7b2e2923115d4a7b007e9afa1798d5a58938f99

  • memory/1564-94-0x0000000000170000-0x0000000000172000-memory.dmp

    Filesize

    8KB

  • memory/2488-5-0x0000000000400000-0x000000000043A000-memory.dmp

    Filesize

    232KB

  • memory/2488-63-0x0000000000400000-0x000000000043A000-memory.dmp

    Filesize

    232KB

  • memory/2488-72-0x0000000000400000-0x000000000043A000-memory.dmp

    Filesize

    232KB

  • memory/2488-10-0x0000000000400000-0x000000000043A000-memory.dmp

    Filesize

    232KB

  • memory/2488-1-0x0000000000400000-0x000000000043A000-memory.dmp

    Filesize

    232KB

  • memory/2488-2-0x0000000000400000-0x000000000043A000-memory.dmp

    Filesize

    232KB

  • memory/2488-93-0x00000000029D0000-0x00000000029D2000-memory.dmp

    Filesize

    8KB

  • memory/2488-0-0x0000000000240000-0x0000000000277000-memory.dmp

    Filesize

    220KB

  • memory/2488-117-0x0000000000400000-0x000000000043A000-memory.dmp

    Filesize

    232KB