cerber | 416774bf62d9612d11d561d7e13203a3cbc352382a8e382ade3332e3077e096c

Analysis

max time kernel
144s
max time network
151s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
30-06-2024 14:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cerber.exe
Size

604KB
MD5

8b6bc16fd137c09a08b02bbe1bb7d670
SHA1

c69a0f6c6f809c01db92ca658fcf1b643391a2b7
SHA256

e67834d1e8b38ec5864cfa101b140aeaba8f1900a6e269e6a94c90fcbfe56678
SHA512

b53d2cc0fe5fa52262ace9f6e6ea3f5ce84935009822a3394bfe49c4d15dfeaa96bfe10ce77ffa93dbf81e5428122aa739a94bc709f203bc346597004fd75a24
SSDEEP

6144:yYghlI5/u8f1mr+4RJ99MpDa52RX5wRDhOOU0qsR:yYKlYmDXEpDHRXP01

Score

10^/10

cerber discovery evasion persistence privilege_escalation ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Roaming\Microsoft\OneNote\16.0\_R_E_A_D___T_H_I_S___IA6RJ8XG_.hta

Family

cerber

Ransom Note

<!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8"> <title>CERBER RANSOMWARE: Instructions</title> <HTA:APPLICATION APPLICATIONNAME="vx48jVZ" SCROLL="yes" SINGLEINSTANCE="yes" WINDOWSTATE="maximize"> <style type="text/css"> a { color: #04a; text-decoration: none; } a:hover { text-decoration: underline; } body { background-color: #e7e7e7; color: #222; font-family: "Lucida Sans Unicode", "Lucida Grande", sans-serif; font-size: 13pt; line-height: 19pt; } body, h1 { margin: 0; padding: 0; } hr { color: #bda; height: 2pt; margin: 1.5%; } h1 { color: #555; font-size: 14pt; } ol { padding-left: 2.5%; } ol li { padding-bottom: 13pt; } small { color: #555; font-size: 11pt; } ul { list-style-type: none; margin: 0; padding: 0; } .button { color: #04a; cursor: pointer; } .button:hover { text-decoration: underline; } .container { background-color: #fff; border: 2pt solid #c7c7c7; margin: 5%; min-width: 850px; padding: 2.5%; } .header { border-bottom: 2pt solid #c7c7c7; margin-bottom: 2.5%; padding-bottom: 2.5%; } .h { display: none; } .hr { background: #bda; display: block; height: 2pt; margin-top: 1.5%; margin-bottom: 1.5%; overflow: hidden; width: 100%; } .info { background-color: #efe; border: 2pt solid #bda; display: inline-block; padding: 1.5%; text-align: center; } .updating { color: red; display: none; padding-left: 35px; background: url("data:image/gif;base64,R0lGODlhGQAZAKIEAMzMzJmZmTMzM2ZmZgAAAAAAAAAAAAAAACH/C05FVFNDQVBFMi4wAwEAAAAh+QQFAAAEACwAAAAAGQAZAAADVki63P4wSEiZvLXemRf4yhYoQ0l9aMiVLISCDms+L/DIwwnfc+c3qZ9g6Hn5hkhF7YgUKI2dpvNpExJ/WKquSoMCvd9geDeuBpcuGFrcQWep5Df7jU0AACH5BAUAAAQALAoAAQAOABQAAAMwSLDU/iu+Gdl0FbTAqeXg5YCdSJCBuZVqKw5wC8/qHJv2IN+uKvytn9AnFBCHx0cCACH5BAUAAAQALAoABAAOABQAAAMzSLoEzrC5F9Wk9YK6Jv8gEYzgaH4myaVBqYbfIINyHdcDI+wKniu7YG+2CPI4RgFI+EkAACH5BAUAAAQALAQACgAUAA4AAAMzSLrcBNDJBeuUNd6WwXbWtwnkFZwMqUpnu6il06IKLChDrsxBGufAHW0C1IlwxeMieEkAACH5BAUAAAQALAEACgAUAA4AAAM0SLLU/lAtFquctk6aIe5gGA1kBpwPqVZn66hl1KINPDRB3sxAGufAHc0C1IkIxcARZ4QkAAAh+QQFAAAEACwBAAQADgAUAAADMUhK0vurSfiko8oKHC//yyCCYvmVI4cOZAq+UCCDcv3VM4cHCuDHOZ/wI/xxigDQMAEAIfkEBQAABAAsAQABAA4AFAAAAzNIuizOkLgZ13xraHVF1puEKWBYlUP1pWrLBLALz+0cq3Yg324PAUAXcNgaBlVGgPAISQAAIfkEBQAABAAsAQABABQADgAAAzRIujzOMBJHpaXPksAVHoogMlzpZWK6lF2UjgobSK9AtjSs7QTg8xCfELgQ/og9I1IxXCYAADs=") left no-repeat; } #change_language { float: right; } #change_language, #texts div { display: none; } </style> </head> <body> <div class="container"> <div class="header"> <a id="change_language" href="#" onclick="return changeLanguage1();" title="English">☑ English</a> <h1>CERBER RANSOMWARE</h1> Instructions </div> <div id="languages"> ☑ Select your language <ul> <li><a href="#" title="English" onclick="return sh_bl('en');">English</a></li> <li><a href="#" title="Arabic" onclick="return sh_bl('ar');">العربية</a></li> <li><a href="#" title="Chinese" onclick="return sh_bl('zh');">中文</a></li> <li><a href="#" title="Dutch" onclick="return sh_bl('nl');">Nederlands</a></li> <li><a href="#" title="French" onclick="return sh_bl('fr');">Français</a></li> <li><a href="#" title="German" onclick="return sh_bl('de');">Deutsch</a></li> <li><a href="#" title="Italian" onclick="return sh_bl('it');">Italiano</a></li> <li><a href="#" title="Japanese" onclick="return sh_bl('ja');">日本語</a></li> <li><a href="#" title="Korean" onclick="return sh_bl('ko');">한국어</a></li> <li><a href="#" title="Polish" onclick="return sh_bl('pl');">Polski</a></li> <li><a href="#" title="Portuguese" onclick="return sh_bl('pt');">Português</a></li> <li><a href="#" title="Spanish" onclick="return sh_bl('es');">Español</a></li> <li><a href="#" title="Turkish" onclick="return sh_bl('tr');">Türkçe</a></li> </ul> </div> <div id="texts"> <div id="en"> Can't yo3ler4u find the necessary files? Is the c1XuxZmuontent of your files not readable? It is normal beL9Nlck3cause the files' names and the data in your files have been encrypF922B6uted by "CeYxUfrber Ransomware". It mebgans your files are NOT damageKMmRld! Your files are modified only. This modification is reversible. FXDI1rom now it is not poss2ZFtible to use your files until they will be decrypted. The only way to decMf56Wvrypt your files safely is to buy the special decryption software "CSCqerber Decryptor". Any attempts to restDi1pOore your files with the thirWqWLdiivtfd-party software will be fatal for your files! <hr> You can procnQfEeed with purchasing of the decryption softwTMIm5Oxare at your personal page: PleRMHC5Rase wait...<a class="url" href="http://p27dokhpz2n7nvgr.12hygy.top/99FA-6665-5429-0446-9C4B" target="_blank">http://p27dokhpz2n7nvgr.12hygy.top/99FA-6665-5429-0446-9C4B</a><hr><a href="http://p27dokhpz2n7nvgr.14ewqv.top/99FA-6665-5429-0446-9C4B" target="_blank">http://p27dokhpz2n7nvgr.14ewqv.top/99FA-6665-5429-0446-9C4B</a><hr><a href="http://p27dokhpz2n7nvgr.14vvrc.top/99FA-6665-5429-0446-9C4B" target="_blank">http://p27dokhpz2n7nvgr.14vvrc.top/99FA-6665-5429-0446-9C4B</a><hr><a href="http://p27dokhpz2n7nvgr.129p1t.top/99FA-6665-5429-0446-9C4B" target="_blank">http://p27dokhpz2n7nvgr.129p1t.top/99FA-6665-5429-0446-9C4B</a><hr><a href="http://p27dokhpz2n7nvgr.1apgrn.top/99FA-6665-5429-0446-9C4B" target="_blank">http://p27dokhpz2n7nvgr.1apgrn.top/99FA-6665-5429-0446-9C4B</a> If tfAOhis page cannot be opened  clinck here  to get a new addrwhess of your personal page. If the addrepss of your personal page is the same as befoyE7aKwQre after you tried to get a new one, you cNhOHWfDan try to get a new address in one hour. At thOis page you will receive the complete instrauctions how to buy the decryptifo81q8glIMon software for restoring all your files. Also at this page you will be able to resMzlIw9Ytore any one file for free to be sure "Cerbe65iTHcI1jzr Decryptor" will help you. <hr> If your perMN3mesonal page is not availak8ofcgVzxble for a long period there is another way to open your personal page - instayQwhE8Kllation and use of Tor Browser: <ol> <li>run your InteLNdK1EW99crnet browser (if you do not know what it is run the Internet Explorer);</li> <li>entEy3dzoZBer or copy the address <a href="https://www.torproject.org/download/download-easy.html.en" target="_blank">https://www.torproject.org/download/download-easy.html.en</a> into the address bar of your browser and press ENTER;</li> <li>wait for the site load4btRfding;</li> <li>on the site you will be offered to do0DIzD1IY6wnload Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed;</li> <li>ruRf6j3kn Tor Browser;</li> <li>connect with the butt1yDV4zon "Connect" (if you use the English version);</li> <li>a normal Internet broblGrz88wser window will be opened after the initialization;</li> <li>type or copy the addcoFzOQEuress http://p27dokhpz2n7nvgr.onion/99FA-6665-5429-0446-9C4B in this browser address bar;</li> <li>pre0Tabu4GKIss ENTER;</li> <li>the site shoDuld be loaded; if for some reason the site is not lo8LAoiAading wait for a moment and try again.</li> </ol> If you have any prvhGG1roblems during installation or use of Tor Browser, please, visit <a href="https://www.youtube.com/results?search_query=Install+Tor+Browser+Windows" target="_blank">https://www.youtube.com</a> and type request in the searcGkws4Yh bar "Install Tor Browser Windows" and you will find a lot of training videos about Tor Browser installation and use. <hr> AdditMxrEional information: You will fiPnd the instrusSk3vqjctions ("*_READ_THIS_FILE_*.hta") for reBrdKHOIS8storing your files in any frSzOteDWolder with your encScvD6BhHrypted files. The instrtAe2Ztqzvuctions "*_READ_THIS_FILE_*.hta" in the fO4CHz1rxolder58y7BOBe26s with your encryDhpted files are not viriiKFPuses! The instrucWphMoQTtions "*_READ_THIS_FILE_*.hta" will heUXz08lp you to decY2myqrypt your files. Remembeso3T2Mur! The worst siJUEzEtuation already happJMvened and now the future of your files de0sfcyY7V6Wpends on your determ7nIJKahUyination and speed of your actions. </div> <div id="ar" style="direction: rtl;"> لا يمكنك العثور على الملفات الضرورية؟ هل محتوى الملفات غير قابل للقراءة؟ هذا أمر طبيعي لأن أسماء الملفات والبيانات في الملفات قد تم تشفيرها بواسطة "Cerber Ransomware". وهذا يعني أن الملفات الخاصة بك ليست تالفة! فقد تم تعديل ملفاتك فقط. ويمكن التراجع عن هذا. ومن الآن فإنه لا يكن استخدام الملفات الخاصة بك حتى يتم فك تشفيرها. الطريقة الوحيدة لفك تشفير ملفاتك بأمان هو أن تشتري برنامج فك التشفير المتخصص "Cerber Decryptor". إن أية محاولات لاستعادة الملفات الخاصة بك بواسطة برامج من طرف ثالث سوف تكون مدمرة لملفاتك! <hr> يمكنك الشروع في شراء برنامج فك التشفير من صفحتك الشخصية: أرجو الإنتظار...<a class="url" href="http://p27dokhpz2n7nvgr.12hygy.top/99FA-6665-5429-0446-9C4B" target="_blank">http://p27dokhpz2n7nvgr.12hygy.top/99FA-6665-5429-0446-9C4B</a><hr><a href="http://p27dokhpz2n7nvgr.14ewqv.top/99FA-6665-5429-0446-9C4B" target="_blank">http://p27dokhpz2n7nvgr.14ewqv.top/99FA-6665-5429-0446-9C4B</a><hr><a href="http://p27dokhpz2n7nvgr.14vvrc.top/99FA-6665-5429-0446-9C4B" target="_blank">http://p27dokhpz2n7nvgr.14vvrc.top/99FA-6665-5429-0446-9C4B</a><hr><a href="http://p27dokhpz2n7nvgr.129p1t.top/99FA-6665-5429-0446-9C4B" target="_blank">http://p27dokhpz2n7nvgr.129p1t.top/99FA-6665-5429-0446-9C4B</a><hr><a href="http://p27dokhpz2n7nvgr.1apgrn.top/99FA-6665-5429-0446-9C4B" target="_blank">http://p27dokhpz2n7nvgr.1apgrn.top/99FA-6665-5429-0446-9C4B</a> في حالة تعذر فتح هذه الصفحة  انقر هنا  لإنشاء عنوان جديد لصفحتك الشخصية. في هذه الصفحة سوف تتلقى تعليمات كاملة حول كيفية شراء برنامج فك التشفير لاستعادة جميع الملفات الخاصة بك. في هذه الصفحة أيضًا سوف تتمكن من استعادة ملف واحد بشكل مجاني للتأكد من أن "Cerber Decryptor" سوف يساعدك. <hr> إذا كانت صفحتك الشخصية غير متاحة لفترة طويلة فإن ثمّة طريقة أخرى لفتح صفحتك الشخصية - تحميل واستخدام متصفح Tor: <ol> <li>قم بتشغيل متصفح الإنترنت الخاص بك (إذا كنت لا تعرف ما هو قم بتشغيل إنترنت إكسبلورر);</li> <li>قم بكتابة أو نسخ العنوان <a href="https://www.torproject.org/download/download-easy.html.en" target="_blank">https://www.torproject.org/download/download-easy.html.en</a> إلى شريط العنوان في المستعرض الخاص بك ثم اضغط ENTER;</li> <li>انتظر لتحميل الموقع;</li> <li>سوف يعرض عليك الموقع تحميل متصفح Tor. قم بتحميله وتشغيله، واتبع تعليمات التثبيت، وانتظر حتى اكتمال التثبيت;</li> <li>قم بتشغيل متصفح Tor;</li> <li>اضغط على الزر "Connect" (إذا كنت تستخدم النسخة الإنجليزية);</li> <li>سوف تُفتح نافذة متصفح الإنترنت العادي بعد البدء;</li> <li>قم بكتابة أو نسخ العنوان http://p27dokhpz2n7nvgr.onion/99FA-6665-5429-0446-9C4B في شريط العنوان في المتصفح;</li> <li>اضغط ENTER;</li> <li>يجب أن يتم تحميل الموقع؛ إذا لم يتم تحميل الموقع لأي سبب، انتظر للحظة وحاول مرة أخرى.</li> </ol> إذا كان لديك أية مشكلات أثناء عملية التثبيت أو استخدام متصفح Tor، يُرجى زيارة <a href="https://www.youtube.com/results?search_query=Install+Tor+Browser+Windows" target="_blank">https://www.youtube.com</a> واكتب الطلب "install tor browser windows" أو "تثبيت نوافذ متصفح Tor" في شريط البحث، وسوف تجد الكثير من أشرطة الفيديو للتدريب حول تثبيت متصفح Tor واستخدامه. <hr> معلومات إضg8dWfYh2nافية: سtdوف تجد إرشادات استعادة الملفات الخاصة بك ("*_READ_THIS_FILE_*") في أي مجلد مع ملفاتك المشفرة. الإرشEvnYvKbV1ادات ("*_READ_THIS_FILE_*") الموجودة في المجلدات مع ملفاتك المشفرة ليست فيروسات والإرشادات ("*_READ_THIS_FILE_*") سوف تساعدك على فك تشفير الملفات الخاصة بك. تذكر أن أسوأ موAEقف قد حدث بالفعل، والآن مستقبل ملفاتك يعتمد على عزيمتك وسرعة الإجراءات الخاصة بك. </div> <div id="zh"> 您找不到所需的文件？ 您文件的内容无法阅读？ 这是正常的，因为您文件的文件名和数据已经被“Cerber Ransomware”加密了。 这意味着您的文件并没有损坏！您的

Extracted

Path

C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\_R_E_A_D___T_H_I_S___NXFB0Y_.txt

Family

cerber

Ransom Note

CERBER RANSOMWARE ----- YOUR DOCUMENTS, PH0TOS, DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED! ----- The only way to decrypt y0ur files is to receive the private key and decryption program. To receive the private key and decryption program go to any decrypted folder, inside there is the special file (*_READ_THIS_FILE_*) with complete instructions how to decrypt your files. If you cannot find any (*_READ_THIS_FILE_*) file at your PC, follow the instructions below: ----- 1. Download "Tor Browser" from https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your personal page here: http://p27dokhpz2n7nvgr.onion/99FA-6665-5429-0446-9C4B Note! This page is available via "Tor Browser" only. ----- Also you can use temporary addresses on your personal page without using "Tor Browser". ----- 1. http://p27dokhpz2n7nvgr.12hygy.top/99FA-6665-5429-0446-9C4B 2. http://p27dokhpz2n7nvgr.14ewqv.top/99FA-6665-5429-0446-9C4B 3. http://p27dokhpz2n7nvgr.14vvrc.top/99FA-6665-5429-0446-9C4B 4. http://p27dokhpz2n7nvgr.129p1t.top/99FA-6665-5429-0446-9C4B 5. http://p27dokhpz2n7nvgr.1apgrn.top/99FA-6665-5429-0446-9C4B ----- Note! These are temporary addresses! They will be available for a limited amount of time! -----

URLs

http://p27dokhpz2n7nvgr.onion/99FA-6665-5429-0446-9C4B

http://p27dokhpz2n7nvgr.12hygy.top/99FA-6665-5429-0446-9C4B

http://p27dokhpz2n7nvgr.14ewqv.top/99FA-6665-5429-0446-9C4B

http://p27dokhpz2n7nvgr.14vvrc.top/99FA-6665-5429-0446-9C4B

http://p27dokhpz2n7nvgr.129p1t.top/99FA-6665-5429-0446-9C4B

http://p27dokhpz2n7nvgr.1apgrn.top/99FA-6665-5429-0446-9C4B

Signatures

Cerber
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
ransomware cerber
Contacts a large (1105) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1280	netsh.exe
4408	netsh.exe

Drops startup file 1 IoCs

description	ioc	Process
File opened for modification	\??\c:\users\admin\appdata\roaming\microsoft\word\startup\	cerber.exe

Drops file in System32 directory 38 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft sql server	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\microsoft sql server	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\onenote	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\word	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\word	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\bitcoin	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\outlook	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\powerpoint	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\the bat!	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\thunderbird	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\word	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\excel	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\excel	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\office	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\office	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\outlook	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\powerpoint	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\steam	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\steam	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\microsoft sql server	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\office	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\outlook	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\desktop	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\excel	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft sql server	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\documents	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\powerpoint	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\onenote	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\thunderbird	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\onenote	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\word	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\onenote	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\outlook	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\powerpoint	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\the bat!	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\bitcoin	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\excel	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\office	cerber.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmpAEFD.bmp"	cerber.exe

Drops file in Program Files directory 20 IoCs

description	ioc	Process
File opened for modification	\??\c:\program files (x86)\microsoft\microsoft sql server	cerber.exe
File opened for modification	\??\c:\program files (x86)\microsoft\onenote	cerber.exe
File opened for modification	\??\c:\program files (x86)\microsoft\powerpoint	cerber.exe
File opened for modification	\??\c:\program files (x86)\microsoft\word	cerber.exe
File opened for modification	\??\c:\program files (x86)\steam	cerber.exe
File opened for modification	\??\c:\program files (x86)\microsoft\excel	cerber.exe
File opened for modification	\??\c:\program files (x86)\excel	cerber.exe
File opened for modification	\??\c:\program files (x86)\microsoft sql server	cerber.exe
File opened for modification	\??\c:\program files\	cerber.exe
File opened for modification	\??\c:\program files (x86)\office	cerber.exe
File opened for modification	\??\c:\program files (x86)\outlook	cerber.exe
File opened for modification	\??\c:\program files (x86)\the bat!	cerber.exe
File opened for modification	\??\c:\program files (x86)\thunderbird	cerber.exe
File opened for modification	\??\c:\program files (x86)\microsoft\office	cerber.exe
File opened for modification	\??\c:\program files (x86)\bitcoin	cerber.exe
File opened for modification	\??\c:\program files (x86)\microsoft\outlook	cerber.exe
File opened for modification	\??\c:\program files (x86)\onenote	cerber.exe
File opened for modification	\??\c:\program files (x86)\powerpoint	cerber.exe
File opened for modification	\??\c:\program files (x86)\word	cerber.exe
File opened for modification	\??\c:\program files (x86)\	cerber.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\bitcoin	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\excel	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\office	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\office	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\powerpoint	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\powerpoint	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\excel	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\office	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\outlook	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\the bat!	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\thunderbird	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\documents	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\excel	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\outlook	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\word	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\office	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\outlook	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\word	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\the bat!	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\the bat!	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft sql server	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\microsoft sql server	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\outlook	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\powerpoint	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\outlook	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\powerpoint	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\the bat!	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\thunderbird	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\word	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\desktop	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\desktop	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft sql server	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\excel	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\microsoft sql server	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\word	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\onenote	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\bitcoin	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\outlook	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\word	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\steam	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\thunderbird	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\word	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft sql server	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\onenote	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\word	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\documents	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\steam	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\bitcoin	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\bitcoin	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\microsoft sql server	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\powerpoint	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\office	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\powerpoint	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\onenote	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\onenote	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\onenote	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\excel	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\excel	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\microsoft sql server	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\outlook	cerber.exe
File opened for modification	\??\c:\windows\	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\onenote	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\word	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\outlook	cerber.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

Checks processor information in registry 2 TTPs 11 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE

Kills process with taskkill 1 IoCs

evasion

pid	Process
4332	taskkill.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings	cerber.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings	firefox.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2540	NOTEPAD.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3988	PING.EXE

Suspicious behavior: AddClipboardFormatListener 4 IoCs

pid	Process
3212	WINWORD.EXE
3212	WINWORD.EXE
2080	WINWORD.EXE
2080	WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1616	cerber.exe
Token: SeCreatePagefilePrivilege	1616	cerber.exe
Token: SeDebugPrivilege	4332	taskkill.exe
Token: SeDebugPrivilege	1748	firefox.exe
Token: SeDebugPrivilege	1748	firefox.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
1748	firefox.exe
1748	firefox.exe
1748	firefox.exe
1748	firefox.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
1748	firefox.exe
1748	firefox.exe
1748	firefox.exe

Suspicious use of SetWindowsHookEx 22 IoCs

pid	Process
3212	WINWORD.EXE
3212	WINWORD.EXE
3212	WINWORD.EXE
3212	WINWORD.EXE
3212	WINWORD.EXE
3212	WINWORD.EXE
3212	WINWORD.EXE
3212	WINWORD.EXE
3212	WINWORD.EXE
3212	WINWORD.EXE
3212	WINWORD.EXE
3212	WINWORD.EXE
3212	WINWORD.EXE
3212	WINWORD.EXE
3212	WINWORD.EXE
2080	WINWORD.EXE
2080	WINWORD.EXE
2080	WINWORD.EXE
2080	WINWORD.EXE
2080	WINWORD.EXE
2080	WINWORD.EXE
1748	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1616 wrote to memory of 4408	1616	cerber.exe	73
PID 1616 wrote to memory of 4408	1616	cerber.exe	73
PID 1616 wrote to memory of 4408	1616	cerber.exe	73
PID 1616 wrote to memory of 1280	1616	cerber.exe	75
PID 1616 wrote to memory of 1280	1616	cerber.exe	75
PID 1616 wrote to memory of 1280	1616	cerber.exe	75
PID 1616 wrote to memory of 952	1616	cerber.exe	77
PID 1616 wrote to memory of 952	1616	cerber.exe	77
PID 1616 wrote to memory of 952	1616	cerber.exe	77
PID 1616 wrote to memory of 2540	1616	cerber.exe	78
PID 1616 wrote to memory of 2540	1616	cerber.exe	78
PID 1616 wrote to memory of 2540	1616	cerber.exe	78
PID 1616 wrote to memory of 2880	1616	cerber.exe	80
PID 1616 wrote to memory of 2880	1616	cerber.exe	80
PID 1616 wrote to memory of 2880	1616	cerber.exe	80
PID 2880 wrote to memory of 4332	2880	cmd.exe	82
PID 2880 wrote to memory of 4332	2880	cmd.exe	82
PID 2880 wrote to memory of 4332	2880	cmd.exe	82
PID 2880 wrote to memory of 3988	2880	cmd.exe	84
PID 2880 wrote to memory of 3988	2880	cmd.exe	84
PID 2880 wrote to memory of 3988	2880	cmd.exe	84
PID 356 wrote to memory of 1748	356	firefox.exe	92
PID 356 wrote to memory of 1748	356	firefox.exe	92
PID 356 wrote to memory of 1748	356	firefox.exe	92
PID 356 wrote to memory of 1748	356	firefox.exe	92
PID 356 wrote to memory of 1748	356	firefox.exe	92
PID 356 wrote to memory of 1748	356	firefox.exe	92
PID 356 wrote to memory of 1748	356	firefox.exe	92
PID 356 wrote to memory of 1748	356	firefox.exe	92
PID 356 wrote to memory of 1748	356	firefox.exe	92
PID 356 wrote to memory of 1748	356	firefox.exe	92
PID 356 wrote to memory of 1748	356	firefox.exe	92
PID 1748 wrote to memory of 520	1748	firefox.exe	93
PID 1748 wrote to memory of 520	1748	firefox.exe	93
PID 1748 wrote to memory of 3492	1748	firefox.exe	94
PID 1748 wrote to memory of 3492	1748	firefox.exe	94
PID 1748 wrote to memory of 3492	1748	firefox.exe	94
PID 1748 wrote to memory of 3492	1748	firefox.exe	94
PID 1748 wrote to memory of 3492	1748	firefox.exe	94
PID 1748 wrote to memory of 3492	1748	firefox.exe	94
PID 1748 wrote to memory of 3492	1748	firefox.exe	94
PID 1748 wrote to memory of 3492	1748	firefox.exe	94
PID 1748 wrote to memory of 3492	1748	firefox.exe	94
PID 1748 wrote to memory of 3492	1748	firefox.exe	94
PID 1748 wrote to memory of 3492	1748	firefox.exe	94
PID 1748 wrote to memory of 3492	1748	firefox.exe	94
PID 1748 wrote to memory of 3492	1748	firefox.exe	94
PID 1748 wrote to memory of 3492	1748	firefox.exe	94
PID 1748 wrote to memory of 3492	1748	firefox.exe	94
PID 1748 wrote to memory of 3492	1748	firefox.exe	94
PID 1748 wrote to memory of 3492	1748	firefox.exe	94
PID 1748 wrote to memory of 3492	1748	firefox.exe	94
PID 1748 wrote to memory of 3492	1748	firefox.exe	94
PID 1748 wrote to memory of 3492	1748	firefox.exe	94
PID 1748 wrote to memory of 3492	1748	firefox.exe	94
PID 1748 wrote to memory of 3492	1748	firefox.exe	94
PID 1748 wrote to memory of 3492	1748	firefox.exe	94
PID 1748 wrote to memory of 3492	1748	firefox.exe	94
PID 1748 wrote to memory of 3492	1748	firefox.exe	94
PID 1748 wrote to memory of 3492	1748	firefox.exe	94
PID 1748 wrote to memory of 3492	1748	firefox.exe	94
PID 1748 wrote to memory of 3492	1748	firefox.exe	94
PID 1748 wrote to memory of 3492	1748	firefox.exe	94
PID 1748 wrote to memory of 3492	1748	firefox.exe	94

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\cerber.exe
"C:\Users\Admin\AppData\Local\Temp\cerber.exe"
1⤵
- Drops startup file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1616
- C:\Windows\SysWOW64\netsh.exe
  C:\Windows\system32\netsh.exe advfirewall set allprofiles state on
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  PID:4408
- C:\Windows\SysWOW64\netsh.exe
  C:\Windows\system32\netsh.exe advfirewall reset
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  PID:1280
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___C6W94_.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  2⤵
  PID:952
- C:\Windows\SysWOW64\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___WSRVK_.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:2540
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2880
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "cerber.exe"
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4332
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 1 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:3988

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\ReceiveSync.rtf" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3212

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Documents\Opened.docx" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2080

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:356
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1748
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1748.0.1931144273\1437864219" -parentBuildID 20221007134813 -prefsHandle 1716 -prefMapHandle 1708 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a3cdea2d-1638-48d5-a94d-ee585867ef49} 1748 "\\.\pipe\gecko-crash-server-pipe.1748" 1796 1fd19fd5a58 gpu
    3⤵
    PID:520
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1748.1.1433535101\1405903653" -parentBuildID 20221007134813 -prefsHandle 2140 -prefMapHandle 2136 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {df34cf11-e5f2-4263-a968-2519e1838212} 1748 "\\.\pipe\gecko-crash-server-pipe.1748" 2152 1fd0ef6fb58 socket
    3⤵
    PID:3492
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1748.2.794541922\1474862279" -childID 1 -isForBrowser -prefsHandle 2800 -prefMapHandle 2704 -prefsLen 20931 -prefMapSize 233444 -jsInitHandle 1336 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {83f84060-fb4a-4446-855e-a3b8f6978d5d} 1748 "\\.\pipe\gecko-crash-server-pipe.1748" 2984 1fd19f5ab58 tab
    3⤵
    PID:3600
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1748.3.1119418918\1495042140" -childID 2 -isForBrowser -prefsHandle 3468 -prefMapHandle 3464 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1336 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c1a35f88-9115-4930-95ad-9261039d9cdc} 1748 "\\.\pipe\gecko-crash-server-pipe.1748" 3480 1fd1c8df958 tab
    3⤵
    PID:2592
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1748.4.1911421882\49711306" -childID 3 -isForBrowser -prefsHandle 3648 -prefMapHandle 3644 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1336 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {62d9f138-dac1-4be4-a8b1-1b1661c086bb} 1748 "\\.\pipe\gecko-crash-server-pipe.1748" 3652 1fd0ef61958 tab
    3⤵
    PID:3468
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1748.5.331746681\293625191" -childID 4 -isForBrowser -prefsHandle 4672 -prefMapHandle 4668 -prefsLen 26328 -prefMapSize 233444 -jsInitHandle 1336 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {95d5db00-4b62-4a15-bd58-5a776cba2ba6} 1748 "\\.\pipe\gecko-crash-server-pipe.1748" 5020 1fd1c86c558 tab
    3⤵
    PID:3680
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1748.6.1362347272\661871299" -childID 5 -isForBrowser -prefsHandle 4748 -prefMapHandle 4760 -prefsLen 26328 -prefMapSize 233444 -jsInitHandle 1336 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {53bbea1c-4924-44ba-90da-5e26728204aa} 1748 "\\.\pipe\gecko-crash-server-pipe.1748" 3672 1fd1ff70a58 tab
    3⤵
    PID:3192
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1748.7.1341866644\573231068" -childID 6 -isForBrowser -prefsHandle 5272 -prefMapHandle 5276 -prefsLen 26328 -prefMapSize 233444 -jsInitHandle 1336 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0a794119-ac05-455a-b663-ab2150cf90b2} 1748 "\\.\pipe\gecko-crash-server-pipe.1748" 5156 1fd1ff6f558 tab
    3⤵
    PID:4680
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1748.8.406867348\621061030" -childID 7 -isForBrowser -prefsHandle 5576 -prefMapHandle 5572 -prefsLen 26503 -prefMapSize 233444 -jsInitHandle 1336 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {051859c9-4812-4c9b-a2a9-f9e4c57e8ad2} 1748 "\\.\pipe\gecko-crash-server-pipe.1748" 5584 1fd2191db58 tab
    3⤵
    PID:4164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Network Service Discovery

T1046

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.CampaignStates.json

Filesize
21B

MD5
f1b59332b953b3c99b3c95a44249c0d2

SHA1
1b16a2ca32bf8481e18ff8b7365229b598908991

SHA256
138e49660d259061d8152137abd8829acdfb78b69179890beb489fe3ffe23e0c

SHA512
3c1f99ecc394df3741be875fbe8d95e249d1d9ac220805794a22caf81620d5fdd3cce19260d94c0829b3160b28a2b4042e46b56398e60f72134e49254e9679a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.GovernedChannelStates.json

Filesize
417B

MD5
c56ff60fbd601e84edd5a0ff1010d584

SHA1
342abb130dabeacde1d8ced806d67a3aef00a749

SHA256
200e8cc8dd12e22c9720be73092eafb620435d4569dbdcdba9404ace2aa4343c

SHA512
acd2054fddb33b55b58b870edd4eb6a3cdd3131dfe6139cb3d27054ac2b2a460694c9be9c2a1da0f85606e95e7f393cf16868b6c654e78a664799bc3418da86e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.Settings.json

Filesize
87B

MD5
e4e83f8123e9740b8aa3c3dfa77c1c04

SHA1
5281eae96efde7b0e16a1d977f005f0d3bd7aad0

SHA256
6034f27b0823b2a6a76fe296e851939fd05324d0af9d55f249c79af118b0eb31

SHA512
bd6b33fd2bbce4a46991bc0d877695d16f7e60b1959a0defc79b627e569e5c6cac7b4ad4e3e1d8389a08584602a51cf84d44cf247f03beb95f7d307fbba12bb9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.SurveyEventActivityStats.json

Filesize
14B

MD5
6ca4960355e4951c72aa5f6364e459d5

SHA1
2fd90b4ec32804dff7a41b6e63c8b0a40b592113

SHA256
88301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3

SHA512
8544cd778717788b7484faf2001f463320a357db63cb72715c1395ef19d32eec4278bab07f15de3f4fed6af7e4f96c41908a0c45be94d5cdd8121877eccf310d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\winword.exe_Rules.xml

Filesize
333KB

MD5
e7f663ce715a2b74c17a013567b05926

SHA1
2b281c8ca9e1832394d0561a7cd6217393141545

SHA256
26776f52e21b7864c6a8aff3d8dbd1d73618214a9de454e922852c320465730b

SHA512
5600cc8c25a390b6a0b71108641d8974662b28464be8e5185dfe4313f37e5cd07d32c572219d6079efdf1081b455e1eb5315084fe5a0f1b8dc40cbe4cb1eb7a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\winword.exe.db

Filesize
24KB

MD5
a6064fc9ce640751e063d9af443990da

SHA1
367a3a7d57bfb3e9a6ec356dfc411a5f14dfde2a

SHA256
5f72c11fd2fa88d8b8bfae1214551f8d5ee07b8895df824fa717ebbcec118a6c

SHA512
0e42dd8e341e2334eda1e19e1a344475ed3a0539a21c70ba2247f480c706ab8e2ff6dbeb790614cbde9fb547699b24e69c85c54e99ed77a08fe7e1d1b4b488d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\_R_E_A_D___T_H_I_S___NXFB0Y_.txt

Filesize
1KB

MD5
fc5784a642bda0f8e3127ffb05af9761

SHA1
80d7af246ed0c3ad3116850f68cd1bb996a07d16

SHA256
ce1f3362081a72b37380cb9a9fb99e3ce6931862a531fa51c0085cf85c65d0a3

SHA512
75c1da153f967ce95454d78cd57239974a170e03012b4bfe189127039082fdd97cf98dd33b9a717417c044176a1de97073decc84f8201c49268cfed68b705664

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCDA1AA.tmp\iso690.xsl

Filesize
263KB

MD5
ff0e07eff1333cdf9fc2523d323dd654

SHA1
77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4

SHA256
3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5

SHA512
b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
263B

MD5
e64b8c057d0ab0d4caea0ed92b72f02f

SHA1
69144b5523cb7d7947d320ae6196c30f600b68ef

SHA256
75ebef455ed1bded34d9cf7737b440b6dd30307200bbce3241d864ea53119cc3

SHA512
0c2829adacfe5df776e8caaf38c9244effe3bd970ca25f596ed7478e8e92a0d43a456fa379fca9648b20185f09569bafb6ea2b98d6ec32a488ddce163d44a7db

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\OneNote\16.0\_R_E_A_D___T_H_I_S___IA6RJ8XG_.hta

Filesize
75KB

MD5
e413e80a27dca827b9d4d73efaee183e

SHA1
c89abfb5079956429440e8e1ece4c80b5bb41eed

SHA256
ff0031854436157ca66d5f5d07220e7a758afbc7a0e3c2374915e7c401bc283b

SHA512
1478c54c33d49039e3ff472c22ca695ac7653f4d61db48bafcddf23fc1ee0341c71178ee67b4db4ef32e53cae70f656f3b7e88cef6723bf727d949feab9e8161

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
1b0f7b9421ee35066bd8c09326792b06

SHA1
cd1cefa504635fb11e6b211a50bc2608f65388ea

SHA256
143dbb62ac3d07d9f9d0637633fa5971eb2f89944f07de8c5f87284d1f877a8f

SHA512
097785719bb4df5a7d69d3f2cbdf4adda33dad7069e22898a2d4b0dea74d6337559b17bd3a645f9378faa42a9b291f8da8fc9fbc7428abd99bcfce6bec8d6a3c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\pending_pings\068916ee-0660-444b-b2ab-cea8a4969d66

Filesize
11KB

MD5
a8cdf73ad12e04f756d073c7cf88cf59

SHA1
96219664a2f421d4865451c0a70394c74c7bdd14

SHA256
d167ce627dcac6ca9081d27bd71379d9f38e499b584be16da9305464fdfcf12e

SHA512
a1a7e756aa2b373d5e3cfbdf4671379e6ebb8068fce6417cb557d5996c106f6092ad99612f94307558f77fad42cabc4f778c47a2091752bc7e025d8e7f87549d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\pending_pings\d2ff565c-05b3-4491-81e2-2ddec0a5b5ca

Filesize
746B

MD5
b7e1cb62ec15db533ba672068f2d718e

SHA1
f0017fae8281064f27807bb69d39193248ebfa80

SHA256
aa2bee7048845fba14270711b9bb5728e0569fbf364bef2ce01ad2d237973b54

SHA512
004b23c93e33ee4b0f266f3c4f3a60ffe965ea292984387d0037d0a2d3f88700003189570bc27124a7cabc4b39d977992c9e4e9caff9ce83ddf925642725ff59

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\prefs-1.js

Filesize
6KB

MD5
f4d7ef5184bcc0678b9c2bb4d93f2416

SHA1
376df1331d08ab75dfe7cba96b57dc642b7f6667

SHA256
447271b0c98d9d11eabb72c6c9186ac2dc0a80595b6bc9e6c79e0796ae482486

SHA512
c76003bec57dfbf4b916c841495aa4603cc89d95e8daf40f57b96b29e0cefa8155485636f6bce592ba0b00e13c7b56f95f9a289e2a089fd6377efb1ba57ec3ca

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\prefs.js

Filesize
6KB

MD5
40fa08142d863acc414f830379e42840

SHA1
686d0930837975292097b1934c69cf0ac2a1d89d

SHA256
f297d549698b9d067e4b0d21cb240d8892d445611ca3a0b7fc69c146354d46e8

SHA512
f980846350e375ab93851da15e9a3a27a041f540757aa819558d8fb3e07fcd3c25ac62e4def54d5f395f8fd98879bd84080f7d8f00b40cdf62e8db249b5d964e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
28db6f42650b61d3112926256c538eee

SHA1
d2c5e783299e987f2c1c05826915ba19b3955fcf

SHA256
fe4c41af14860af5a54e88745a11501a9c5c3355e196b43795a433f5d31c6a41

SHA512
3a1bf93d3fe5611b0fe9e985f366b9f65d54a5f97e3ade8b8af106c68ca9004d324a63091ca3d676399dad2982e9ca7bb3ce891e9cf23e2003b3608e40361cf7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
184KB

MD5
7f868e557b098795d645df9ea302427f

SHA1
001f3306144559b4049a8ab139b4139f51e59c0e

SHA256
b228e23ecfb7965e3badefcbb031de0b4bb887634bccb34a826ac8ac89124ac5

SHA512
56fd8aa514cc25db5a2c9191d665eaffe90182cc5e4f15317e0cfbc9adf7336d9ad937d20384b0504f784e5939b76b4c4b0020cb06e4a472c650355cc6c4c89a

Download Submit
memory/1616-374-0x0000000000440000-0x0000000000451000-memory.dmp

Filesize
68KB

Download
memory/1616-373-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1616-349-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1616-0-0x00007FFC1EA40000-0x00007FFC1EC1B000-memory.dmp

Filesize
1.9MB

Download
memory/1616-9-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1616-5-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1616-1-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2080-653-0x00007FFBDEAD0000-0x00007FFBDEAE0000-memory.dmp

Filesize
64KB

Download
memory/2080-659-0x00007FFBDB110000-0x00007FFBDB120000-memory.dmp

Filesize
64KB

Download
memory/2080-656-0x00007FFBDEAD0000-0x00007FFBDEAE0000-memory.dmp

Filesize
64KB

Download
memory/2080-655-0x00007FFBDEAD0000-0x00007FFBDEAE0000-memory.dmp

Filesize
64KB

Download
memory/2080-654-0x00007FFBDEAD0000-0x00007FFBDEAE0000-memory.dmp

Filesize
64KB

Download
memory/2080-660-0x00007FFBDB110000-0x00007FFBDB120000-memory.dmp

Filesize
64KB

Download
memory/3212-649-0x00007FFBDEAD0000-0x00007FFBDEAE0000-memory.dmp

Filesize
64KB

Download
memory/3212-650-0x00007FFBDEAD0000-0x00007FFBDEAE0000-memory.dmp

Filesize
64KB

Download
memory/3212-651-0x00007FFBDEAD0000-0x00007FFBDEAE0000-memory.dmp

Filesize
64KB

Download
memory/3212-652-0x00007FFBDEAD0000-0x00007FFBDEAE0000-memory.dmp

Filesize
64KB

Download
memory/3212-383-0x00007FFBDB110000-0x00007FFBDB120000-memory.dmp

Filesize
64KB

Download
memory/3212-382-0x00007FFBDB110000-0x00007FFBDB120000-memory.dmp

Filesize
64KB

Download
memory/3212-379-0x00007FFBDEAD0000-0x00007FFBDEAE0000-memory.dmp

Filesize
64KB

Download
memory/3212-378-0x00007FFBDEAD0000-0x00007FFBDEAE0000-memory.dmp

Filesize
64KB

Download
memory/3212-377-0x00007FFBDEAD0000-0x00007FFBDEAE0000-memory.dmp

Filesize
64KB

Download
memory/3212-376-0x00007FFBDEAD0000-0x00007FFBDEAE0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads