Analysis
- max time kernel: 59s
- max time network: 56s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 19-07-2024 03:37
- Static task: static1
- Behavioral task: behavioral1
- Sample: VirusShare_8ec363843a850f67ebad036bb4d18efd.exe
- Resource: win7-20240708-en
General
- Target: VirusShare_8ec363843a850f67ebad036bb4d18efd.exe
- Size: 186KB
- MD5: 8ec363843a850f67ebad036bb4d18efd
- SHA1: ac856eb04ca1665b10bed5a1757f193ff56aca02
- SHA256: 27233293b7a11e9ab8c1bca56a7e415914e1269febb514563e522afd04bc39f8
- SHA512: 800f15fb824a28860719b2ff329dd9bcd94cf9db26c9617656665564b39d8c116552296656f5c109a697b6afc5658f0ba4688e4803358504000f6150047d6684
- SSDEEP: 3072:TFFzdn1bwoWwW8BplOd4G5ts0RTy/L1yib5icNisjx3jUiXy:TFFzvwoWw3BXOdl5Ts1yw0s13jU5
Malware Config
- Extracted from: C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.txt
  Family: cerber
  URLs:
  http://cerberhhyed5frqa.zmvirj.top/D5AC-29B8-E992-029E-D91B
  http://cerberhhyed5frqa.qor499.top/D5AC-29B8-E992-029E-D91B
  http://cerberhhyed5frqa.gkfit9.win/D5AC-29B8-E992-029E-D91B
  http://cerberhhyed5frqa.305iot.win/D5AC-29B8-E992-029E-D91B
  http://cerberhhyed5frqa.dkrti5.win/D5AC-29B8-E992-029E-D91B
  http://cerberhhyed5frqa.onion/D5AC-29B8-E992-029E-D91B
- Extracted from: C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.html
Signatures
- Cerber
  Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
- Contacts a large (16386) amount of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Creates a large amount of network flows (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Adds policy Run key to start application (2 TTPs, 2 IoCs)
  Processes: VirusShare_8ec363843a850f67ebad036bb4d18efd.exe, poqexec.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{68EB7563-AB78-7FE9-5A8A-4E409041F1F7}\\poqexec.exe\"" | VirusShare_8ec363843a850f67ebad036bb4d18efd.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{68EB7563-AB78-7FE9-5A8A-4E409041F1F7}\\poqexec.exe\"" | poqexec.exe
- Deletes itself (1 IoC)
  Processes: cmd.exe
  pid | process
  2328 | cmd.exe
- Drops startup file (1 IoC)
  Processes: VirusShare_8ec363843a850f67ebad036bb4d18efd.exe
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\poqexec.lnk | VirusShare_8ec363843a850f67ebad036bb4d18efd.exe
- Executes dropped EXE (2 IoCs)
  Processes: poqexec.exe, poqexec.exe
  pid | process
  1912 | poqexec.exe
  2676 | poqexec.exe
- Loads dropped DLL (1 IoC)
  Processes: VirusShare_8ec363843a850f67ebad036bb4d18efd.exe
  pid | process
  1708 | VirusShare_8ec363843a850f67ebad036bb4d18efd.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 4 IoCs)
  Processes: poqexec.exe, VirusShare_8ec363843a850f67ebad036bb4d18efd.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\poqexec = "\"C:\\Users\\Admin\\AppData\\Roaming\\{68EB7563-AB78-7FE9-5A8A-4E409041F1F7}\\poqexec.exe\"" | poqexec.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\poqexec = "\"C:\\Users\\Admin\\AppData\\Roaming\\{68EB7563-AB78-7FE9-5A8A-4E409041F1F7}\\poqexec.exe\"" | poqexec.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\poqexec = "\"C:\\Users\\Admin\\AppData\\Roaming\\{68EB7563-AB78-7FE9-5A8A-4E409041F1F7}\\poqexec.exe\"" | VirusShare_8ec363843a850f67ebad036bb4d18efd.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\poqexec = "\"C:\\Users\\Admin\\AppData\\Roaming\\{68EB7563-AB78-7FE9-5A8A-4E409041F1F7}\\poqexec.exe\"" | VirusShare_8ec363843a850f67ebad036bb4d18efd.exe
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  4 | ipinfo.io
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Kills process with taskkill (1 IoC)
  Processes: taskkill.exe
  pid | process
  2740 | taskkill.exe
- Modifies Control Panel (4 IoCs)
  Processes: VirusShare_8ec363843a850f67ebad036bb4d18efd.exe, poqexec.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Control Panel\Desktop | VirusShare_8ec363843a850f67ebad036bb4d18efd.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{68EB7563-AB78-7FE9-5A8A-4E409041F1F7}\\poqexec.exe\"" | VirusShare_8ec363843a850f67ebad036bb4d18efd.exe
  Key created | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Control Panel\Desktop | poqexec.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{68EB7563-AB78-7FE9-5A8A-4E409041F1F7}\\poqexec.exe\"" | poqexec.exe
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious behavior: EnumeratesProcesses (16 IoCs)
  Processes: poqexec.exe
  pid | process
  1912 | poqexec.exe (16 identical entries)
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes: VirusShare_8ec363843a850f67ebad036bb4d18efd.exe, poqexec.exe, taskkill.exe, poqexec.exe
  description | pid | process
  Token: SeDebugPrivilege | 1708 | VirusShare_8ec363843a850f67ebad036bb4d18efd.exe
  Token: SeDebugPrivilege | 1912 | poqexec.exe
  Token: SeDebugPrivilege | 2740 | taskkill.exe
  Token: SeDebugPrivilege | 2676 | poqexec.exe
- Suspicious use of UnmapMainImage (3 IoCs)
  Processes: VirusShare_8ec363843a850f67ebad036bb4d18efd.exe, poqexec.exe, poqexec.exe
  pid | process
  1708 | VirusShare_8ec363843a850f67ebad036bb4d18efd.exe
  1912 | poqexec.exe
  2676 | poqexec.exe
- Suspicious use of WriteProcessMemory (20 IoCs)
  Processes: VirusShare_8ec363843a850f67ebad036bb4d18efd.exe, cmd.exe, taskeng.exe
  description | pid | process | target process
  PID 1708 wrote to memory of 1912 | 1708 | VirusShare_8ec363843a850f67ebad036bb4d18efd.exe | poqexec.exe (4 identical entries)
  PID 1708 wrote to memory of 2328 | 1708 | VirusShare_8ec363843a850f67ebad036bb4d18efd.exe | cmd.exe (4 identical entries)
  PID 2328 wrote to memory of 2740 | 2328 | cmd.exe | taskkill.exe (4 identical entries)
  PID 2328 wrote to memory of 2980 | 2328 | cmd.exe | PING.EXE (4 identical entries)
  PID 1832 wrote to memory of 2676 | 1832 | taskeng.exe | poqexec.exe (4 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\VirusShare_8ec363843a850f67ebad036bb4d18efd.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\VirusShare_8ec363843a850f67ebad036bb4d18efd.exe"
  - Adds policy Run key to start application
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - Modifies Control Panel
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\{68EB7563-AB78-7FE9-5A8A-4E409041F1F7}\poqexec.exe
    Command line: "C:\Users\Admin\AppData\Roaming\{68EB7563-AB78-7FE9-5A8A-4E409041F1F7}\poqexec.exe"
    - Adds policy Run key to start application
    - Executes dropped EXE
    - Adds Run key to start application
    - Modifies Control Panel
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of UnmapMainImage
  - C:\Windows\SysWOW64\cmd.exe
    Command line: /d /c taskkill /t /f /im "VirusShare_8ec363843a850f67ebad036bb4d18efd.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\VirusShare_8ec363843a850f67ebad036bb4d18efd.exe" > NUL
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /t /f /im "VirusShare_8ec363843a850f67ebad036bb4d18efd.exe"
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping -n 1 127.0.0.1
      - Runs ping.exe
- C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {DD8D62E3-5BAF-4748-8C70-AAC6266231A4} S-1-5-21-940600906-3464502421-4240639183-1000:MGWWAYYN\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\{68EB7563-AB78-7FE9-5A8A-4E409041F1F7}\poqexec.exe
    Command line: C:\Users\Admin\AppData\Roaming\{68EB7563-AB78-7FE9-5A8A-4E409041F1F7}\poqexec.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of UnmapMainImage
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.html
  Filesize: 12KB
  MD5: b1f4a937019d90307f83fd8ba69f5e26
  SHA1: 59d7c7f94e88cc3974bb9f9441e42593488c180b
  SHA256: 47a5c66dab901a0a92e79122961ca3362cd3e8913b1e42bf80d02d95b39d766a
  SHA512: 0d8353ce7ef1e5a8f211bdbc406b133c0933e8a816c72229d8c9850143af136556b7532801d70a7a43bb16610c96720d31a6afeda5837a514602fc546059b8b5
- C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.txt
  Filesize: 10KB
  MD5: 7d56f6acfbfdf0f2fc6770b819e94baa
  SHA1: 761990c1d443d56e44535f52e218d0d12ba014bb
  SHA256: e5c40be95993ad13b583f1805524505107926d64ec6be84d69716fddc1699a71
  SHA512: a8b07db8e04dde1261170afaecba9ccbcbd04b502665bed0aca6cf21c848fe43fd58ddae4ffe741d9f847b7eae060425dcac295fc5f0f1b1d65d80eefbae373f
- C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.url
  Filesize: 85B
  MD5: 0bc64ea3a3ea9ec60940a696604084e3
  SHA1: 73e1e6ebdde16c97c40f7270d9f46072929a7010
  SHA256: 69d0b2831383f710c4fd863b1cb24928f129f01865539dbc4dc079ef5aece2f9
  SHA512: e7c15c5692a71c46c1b35337fcb544915a0c03594207ee01fc69c35b4b5ef46a5077b9a1ea60e3f1539ea2ab46ff6531b8de4eddebcf086fb37db7e1f7cf5706
- C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.vbs
  Filesize: 225B
  MD5: f6d629f2a4c0815f005230185bd892fe
  SHA1: 1572070cf8773883a6fd5f5d1eb51ec724bbf708
  SHA256: ff1de66f8a5386adc3363ee5e5f5ead298104d47de1db67941dcbfc0c4e7781f
  SHA512: b63ecf71f48394df16ef117750ed8608cc6fd45a621796478390a5d8e614255d12c96881811de1fd687985839d7401efb89b956bb4ea7c8af00c406d51afbc7c
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\poqexec.lnk
  Filesize: 1KB
  MD5: 01ca82a128797fb3e62f431bbe3ed4e2
  SHA1: 9e95d0f2dd0c8d1a8a217a085bc61a9eccf6ddde
  SHA256: 9712d7ce1b2b1a236ef5a4d1fff941c4514ecd6d1b930b21647d8990d70383ac
  SHA512: 22e9b9d67c50b9c2e3a5e55cdc161868c813c23737781eb505c2c7143fef083a0f0682ad0b38ca513c385ee93d139231b5c71455c4b889be03361a45eb508fe5
- \Users\Admin\AppData\Roaming\{68EB7563-AB78-7FE9-5A8A-4E409041F1F7}\poqexec.exe
  Filesize: 186KB
  MD5: 8ec363843a850f67ebad036bb4d18efd
  SHA1: ac856eb04ca1665b10bed5a1757f193ff56aca02
  SHA256: 27233293b7a11e9ab8c1bca56a7e415914e1269febb514563e522afd04bc39f8
  SHA512: 800f15fb824a28860719b2ff329dd9bcd94cf9db26c9617656665564b39d8c116552296656f5c109a697b6afc5658f0ba4688e4803358504000f6150047d6684
- memory/1708-0-0x0000000000150000-0x0000000000171000-memory.dmp
  Filesize: 132KB
- memory/1708-1-0x0000000000400000-0x0000000000424000-memory.dmp
  Filesize: 144KB
- memory/1708-2-0x0000000000400000-0x0000000000424000-memory.dmp
  Filesize: 144KB
- memory/1708-16-0x0000000000400000-0x0000000000424000-memory.dmp
  Filesize: 144KB
- memory/1912-40-0x0000000000400000-0x0000000000424000-memory.dmp
  Filesize: 144KB
- memory/1912-25-0x0000000000400000-0x0000000000424000-memory.dmp
  Filesize: 144KB
- memory/1912-37-0x0000000000400000-0x0000000000424000-memory.dmp
  Filesize: 144KB
- memory/1912-26-0x0000000000400000-0x0000000000424000-memory.dmp
  Filesize: 144KB
- memory/1912-48-0x0000000000400000-0x0000000000424000-memory.dmp
  Filesize: 144KB
- memory/1912-20-0x0000000000400000-0x0000000000424000-memory.dmp
  Filesize: 144KB
- memory/1912-12-0x0000000000400000-0x0000000000424000-memory.dmp
  Filesize: 144KB
- memory/1912-13-0x0000000000400000-0x0000000000424000-memory.dmp
  Filesize: 144KB
- memory/2676-22-0x0000000000400000-0x0000000000424000-memory.dmp
  Filesize: 144KB
- memory/2676-23-0x0000000000400000-0x0000000000424000-memory.dmp
  Filesize: 144KB