General

  • Target

    mw3reaper (4).rar

  • Size

    13.2MB

  • Sample

    240805-pfn3yszaph

  • MD5

    c77fd8185dd3fe2ee5672a0531c4b3c7

  • SHA1

    7e321783026506c06cd3c34dabdb2ec4f277d17b

  • SHA256

    11c712b2b16eeb1652793fc8bad16d9177ef161398dceb95e136f8f2a349e56c

  • SHA512

    b0c3696a406a34b5a1e7cf8413d416251959006162901a7934054f09f0b909e2e582ce215dd97b8f7170b47c5d054f95ea9109d1cbcff67c69844e89125dce7b

  • SSDEEP

    393216:UN0mmXrXBwtGmoWtJVKSJgNn3TeGKLCM3v:UN8rXetGTWtJNJgNnDI/
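The digests above, plus those of the two dropped executables reported below, are the indicators a responder will most often pivot on. The following is an added Python example (not part of the sandbox report): it recomputes MD5, SHA1, SHA256 and SHA512 with the standard library and matches them against the table copied from this page. SSDEEP is left out because fuzzy hashes are compared by similarity score rather than equality and need the separate ssdeep library.

```python
"""Added example: match files against the hash IOCs listed in this report."""
import hashlib
import sys

ALGORITHMS = ("md5", "sha1", "sha256", "sha512")

# Digests copied from the report (archive plus the two dropped executables).
REPORT_IOCS = {
    "mw3reaper (4).rar": {
        "md5": "c77fd8185dd3fe2ee5672a0531c4b3c7",
        "sha1": "7e321783026506c06cd3c34dabdb2ec4f277d17b",
        "sha256": "11c712b2b16eeb1652793fc8bad16d9177ef161398dceb95e136f8f2a349e56c",
        "sha512": "b0c3696a406a34b5a1e7cf8413d416251959006162901a7934054f09f0b909e2e582ce215dd97b8f7170b47c5d054f95ea9109d1cbcff67c69844e89125dce7b",
    },
    "OHT1k0.exe": {
        "md5": "deeb1ac61b724f2298efedccc11e550f",
        "sha1": "46aa7dd63305dbce00f8949991ffb23f18abdfc2",
        "sha256": "85b2e9865d7382519e64d6c8f4c828b9fcf384d8db988af14ba172fb3704c857",
        "sha512": "0300b978bb01ea09b66577558a810276a5d18a3643ed3dc322d4ed17043da7e49db64d2bfbbee38a33b37924262fbe3d0c5de4bc2de63e688b6ecd24467eef58",
    },
    "tXauTiJr.exe": {
        "md5": "464c348f1bdf66a75c6b0d51256e916c",
        "sha1": "fa7f683e451ab0a0c6c18a4dde7b9bbdde72ff27",
        "sha256": "a58b1f94ba24a2d7f06c2b7a9840243c4e1b75b1b580cf1ce4c5d9af69cedc85",
        "sha512": "cb07284fd3d33eef29f761fd0d044a9143b9e934eff49a625290c4da23580c1b0bb1f4cd9d5e574c698fbf791d13aa476be2a550baebb4f925ef019015710233",
    },
}


def hash_bytes(data: bytes) -> dict:
    """Digest an in-memory blob with every algorithm in ALGORITHMS."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ALGORITHMS}


def hash_file(path: str, chunk_size: int = 1 << 20) -> dict:
    """Digest a file in one pass, feeding each chunk to all hashers (fine for 13 MB samples)."""
    hashers = {alg: hashlib.new(alg) for alg in ALGORITHMS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {alg: h.hexdigest() for alg, h in hashers.items()}


def match_iocs(digests: dict, iocs: dict = REPORT_IOCS) -> list:
    """Return (label, algorithm) pairs whose digest equals one in the IOC table.

    Comparison is case-insensitive because feeds publish hex in either case.
    """
    hits = []
    for label, known in iocs.items():
        for alg, value in known.items():
            if alg in digests and digests[alg].lower() == value.lower():
                hits.append((label, alg))
    return hits


def scan(paths) -> dict:
    """Map each path to its IOC hits (an empty list means no match)."""
    return {path: match_iocs(hash_file(path)) for path in paths}


if __name__ == "__main__":
    for path, hits in scan(sys.argv[1:]).items():
        print(path, "->", hits or "no match")
```

Run it as `python check_iocs.py suspect.rar dropped/*.exe`; any hit on a single algorithm is enough to treat the file as the reported sample, since the four digests are independent.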

Malware Config

Targets

    • Target

      OHT1k0.exe

    • Size

      13.7MB

    • MD5

      deeb1ac61b724f2298efedccc11e550f

    • SHA1

      46aa7dd63305dbce00f8949991ffb23f18abdfc2

    • SHA256

      85b2e9865d7382519e64d6c8f4c828b9fcf384d8db988af14ba172fb3704c857

    • SHA512

      0300b978bb01ea09b66577558a810276a5d18a3643ed3dc322d4ed17043da7e49db64d2bfbbee38a33b37924262fbe3d0c5de4bc2de63e688b6ecd24467eef58

    • SSDEEP

      393216:tiGxXoBUjMI4XFCyhJmM1WJ1ckpXeeKeKapRCe:tim3jP4wyjvUckh3K2RCe

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Deletes itself

    • Executes dropped EXE

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity (ATT&CK T1070.004).

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system (ATT&CK T1542.003, Pre-OS Boot: Bootkit).

    • Suspicious use of NtSetInformationThreadHideFromDebugger

      Calls NtSetInformationThread with the ThreadHideFromDebugger class (0x11), which stops the thread from delivering debug events to an attached debugger; a common anti-analysis technique.

    • Target

      tXauTiJr.exe

    • Size

      521KB

    • MD5

      464c348f1bdf66a75c6b0d51256e916c

    • SHA1

      fa7f683e451ab0a0c6c18a4dde7b9bbdde72ff27

    • SHA256

      a58b1f94ba24a2d7f06c2b7a9840243c4e1b75b1b580cf1ce4c5d9af69cedc85

    • SHA512

      cb07284fd3d33eef29f761fd0d044a9143b9e934eff49a625290c4da23580c1b0bb1f4cd9d5e574c698fbf791d13aa476be2a550baebb4f925ef019015710233

    • SSDEEP

      6144:8a/Z+6VHFnEXbw2Y3h3NWqU/xdwpN8T4LUEDW9VXnHFudT7coWspLaIZ1ZT:8a/h8w2UNiX0gEOpnHFutV5n3

    • Cerber

      Cerber is a widely used ransomware-as-a-service (RaaS), first seen in early 2016.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity (ATT&CK T1070.004).
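Of the signatures above, the MBR write on OHT1k0.exe is the one to verify first on an infected host, because a modified boot sector survives deleting the dropped files. The following is an added Python example, not part of the report: it parses a 512-byte MBR (boot code, disk signature, partition table, 0x55AA signature) and compares the boot-code hash against a trusted baseline taken from a clean image of the same disk. The sample sector and its baseline are constructed here, and the boot code is a stub rather than a real loader.

```python
"""Added example: parse a 512-byte MBR and flag boot-code tampering against a baseline."""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 440     # bytes 0-439: boot code, the region a bootkit overwrites
DISK_SIG_OFF = 440      # 4-byte Windows disk signature, then 2 reserved bytes
PART_TABLE_OFF = 446    # four 16-byte partition entries
BOOT_SIG_OFF = 510      # 0x55 0xAA marks a valid MBR
# status, CHS start (3 bytes), type, CHS end (3 bytes), LBA start, sector count
PART_ENTRY = "<BBBBBBBBII"

# Constructed stand-in for clean boot code (cli; xor ax,ax; then nops). Not a real loader.
SAMPLE_BOOT_CODE = b"\xfa\x31\xc0" + b"\x90" * (BOOT_CODE_LEN - 3)


def build_sample_mbr(boot_code: bytes, disk_signature: int = 0x1234ABCD) -> bytes:
    """Assemble a constructed MBR with one bootable NTFS partition (type 0x07) at LBA 2048."""
    if len(boot_code) != BOOT_CODE_LEN:
        raise ValueError("boot code must be exactly %d bytes" % BOOT_CODE_LEN)
    entry = struct.pack(PART_ENTRY, 0x80, 0x20, 0x21, 0x00, 0x07, 0xFE, 0xFF, 0xFF, 2048, 204800)
    table = entry + b"\x00" * (16 * 3)            # remaining three slots empty
    return boot_code + struct.pack("<I", disk_signature) + b"\x00\x00" + table + b"\x55\xaa"


def parse_mbr(sector: bytes) -> dict:
    """Split a raw sector into the fields a responder compares against a baseline."""
    if len(sector) != MBR_SIZE:
        raise ValueError("expected %d bytes, got %d" % (MBR_SIZE, len(sector)))
    partitions = []
    for i in range(4):
        fields = struct.unpack_from(PART_ENTRY, sector, PART_TABLE_OFF + 16 * i)
        status, ptype, lba_start, count = fields[0], fields[4], fields[8], fields[9]
        if ptype == 0:
            continue  # empty slot
        partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": count})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFF)[0],
        "partitions": partitions,
        "valid_signature": sector[BOOT_SIG_OFF:] == b"\x55\xaa",
    }


def check_mbr(sector: bytes, baseline_boot_code_sha256: str) -> list:
    """Return findings as strings; an empty list means the sector matches the baseline."""
    info = parse_mbr(sector)
    findings = []
    if not info["valid_signature"]:
        findings.append("boot signature 0x55AA missing")
    if info["boot_code_sha256"] != baseline_boot_code_sha256:
        findings.append("boot code differs from baseline")
    bootable = [p for p in info["partitions"] if p["bootable"]]
    if len(bootable) != 1:
        findings.append("%d bootable partitions, expected 1" % len(bootable))
    return findings


if __name__ == "__main__":
    clean = build_sample_mbr(SAMPLE_BOOT_CODE)
    baseline = parse_mbr(clean)["boot_code_sha256"]
    # Simulate a bootkit: overwrite the start of the boot code with an infinite jump (jmp $).
    tampered = build_sample_mbr(b"\xeb\xfe" + SAMPLE_BOOT_CODE[2:])
    print("clean   :", check_mbr(clean, baseline) or "OK")
    print("tampered:", check_mbr(tampered, baseline))
```

On a live system the sector comes from `dd if=/dev/sda bs=512 count=1` on Linux or from reading 512 bytes of `\\.\PhysicalDrive0` as an administrator on Windows; the baseline hash must come from a known-clean image of the same disk, since boot code differs between Windows versions and GPT disks carry a protective MBR with its own stub.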

MITRE ATT&CK Enterprise v15

Tasks