cerber | 11c712b2b16eeb1652793fc8bad16d9177ef161398dceb95e136f8f2a349e56c

Analysis

max time kernel
23s
max time network
21s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
05-08-2024 12:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tXauTiJr.exe
Size

521KB
MD5

464c348f1bdf66a75c6b0d51256e916c
SHA1

fa7f683e451ab0a0c6c18a4dde7b9bbdde72ff27
SHA256

a58b1f94ba24a2d7f06c2b7a9840243c4e1b75b1b580cf1ce4c5d9af69cedc85
SHA512

cb07284fd3d33eef29f761fd0d044a9143b9e934eff49a625290c4da23580c1b0bb1f4cd9d5e574c698fbf791d13aa476be2a550baebb4f925ef019015710233
SSDEEP

6144:8a/Z+6VHFnEXbw2Y3h3NWqU/xdwpN8T4LUEDW9VXnHFudT7coWspLaIZ1ZT:8a/h8w2UNiX0gEOpnHFutV5n3

Score

10^/10

cerber defense_evasion ransomware

Malware Config

Signatures

Cerber 3 IoCs

Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.

ransomware cerber

description	ioc	pid	Process
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.exe
		2912	taskkill.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.exe

Executes dropped EXE 2 IoCs

pid	Process
2632	AMIDEWINx64.exe
2360	AMIDEWINx64.exe

Loads dropped DLL 1 IoCs

pid	Process
2748	cmd.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 2 IoCs

evasion

pid	Process
2912	taskkill.exe
2872	taskkill.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
476	Process not Found
476	Process not Found

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2912	taskkill.exe
Token: SeDebugPrivilege	2872	taskkill.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 1404 wrote to memory of 2400	1404	tXauTiJr.exe	31
PID 1404 wrote to memory of 2400	1404	tXauTiJr.exe	31
PID 1404 wrote to memory of 2400	1404	tXauTiJr.exe	31
PID 1404 wrote to memory of 1860	1404	tXauTiJr.exe	32
PID 1404 wrote to memory of 1860	1404	tXauTiJr.exe	32
PID 1404 wrote to memory of 1860	1404	tXauTiJr.exe	32
PID 1404 wrote to memory of 2552	1404	tXauTiJr.exe	33
PID 1404 wrote to memory of 2552	1404	tXauTiJr.exe	33
PID 1404 wrote to memory of 2552	1404	tXauTiJr.exe	33
PID 1404 wrote to memory of 2572	1404	tXauTiJr.exe	34
PID 1404 wrote to memory of 2572	1404	tXauTiJr.exe	34
PID 1404 wrote to memory of 2572	1404	tXauTiJr.exe	34
PID 1404 wrote to memory of 2064	1404	tXauTiJr.exe	36
PID 1404 wrote to memory of 2064	1404	tXauTiJr.exe	36
PID 1404 wrote to memory of 2064	1404	tXauTiJr.exe	36
PID 2064 wrote to memory of 2912	2064	cmd.exe	38
PID 2064 wrote to memory of 2912	2064	cmd.exe	38
PID 2064 wrote to memory of 2912	2064	cmd.exe	38
PID 1404 wrote to memory of 2748	1404	tXauTiJr.exe	41
PID 1404 wrote to memory of 2748	1404	tXauTiJr.exe	41
PID 1404 wrote to memory of 2748	1404	tXauTiJr.exe	41
PID 2748 wrote to memory of 2632	2748	cmd.exe	43
PID 2748 wrote to memory of 2632	2748	cmd.exe	43
PID 2748 wrote to memory of 2632	2748	cmd.exe	43
PID 1404 wrote to memory of 1408	1404	tXauTiJr.exe	44
PID 1404 wrote to memory of 1408	1404	tXauTiJr.exe	44
PID 1404 wrote to memory of 1408	1404	tXauTiJr.exe	44
PID 1408 wrote to memory of 2360	1408	cmd.exe	46
PID 1408 wrote to memory of 2360	1408	cmd.exe	46
PID 1408 wrote to memory of 2360	1408	cmd.exe	46
PID 1404 wrote to memory of 2112	1404	tXauTiJr.exe	47
PID 1404 wrote to memory of 2112	1404	tXauTiJr.exe	47
PID 1404 wrote to memory of 2112	1404	tXauTiJr.exe	47
PID 2112 wrote to memory of 2872	2112	cmd.exe	49
PID 2112 wrote to memory of 2872	2112	cmd.exe	49
PID 2112 wrote to memory of 2872	2112	cmd.exe	49
PID 1404 wrote to memory of 2984	1404	tXauTiJr.exe	51
PID 1404 wrote to memory of 2984	1404	tXauTiJr.exe	51
PID 1404 wrote to memory of 2984	1404	tXauTiJr.exe	51
PID 1404 wrote to memory of 2816	1404	tXauTiJr.exe	53
PID 1404 wrote to memory of 2816	1404	tXauTiJr.exe	53
PID 1404 wrote to memory of 2816	1404	tXauTiJr.exe	53
PID 1404 wrote to memory of 2704	1404	tXauTiJr.exe	55
PID 1404 wrote to memory of 2704	1404	tXauTiJr.exe	55
PID 1404 wrote to memory of 2704	1404	tXauTiJr.exe	55
PID 1404 wrote to memory of 2736	1404	tXauTiJr.exe	57
PID 1404 wrote to memory of 2736	1404	tXauTiJr.exe	57
PID 1404 wrote to memory of 2736	1404	tXauTiJr.exe	57

C:\Users\Admin\AppData\Local\Temp\tXauTiJr.exe
"C:\Users\Admin\AppData\Local\Temp\tXauTiJr.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1404
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2400
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:1860
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2552
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2572
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C TASKKILL /F /IM WmiPrvSE.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2064
- - C:\Windows\system32\taskkill.exe
    TASKKILL /F /IM WmiPrvSE.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2912
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS %RANDOM%%RANDOM%%RANDOM%
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2748
- - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
    C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 22392297032260
    3⤵
    - Cerber
    - Executes dropped EXE
    PID:2632
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV %RANDOM%%RANDOM%%RANDOM%
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1408
- - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
    C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 22392297032260
    3⤵
    - Cerber
    - Executes dropped EXE
    PID:2360
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C TASKKILL /F /IM WmiPrvSE.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2112
- - C:\Windows\system32\taskkill.exe
    TASKKILL /F /IM WmiPrvSE.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2872
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\amide.sys
  2⤵
  PID:2984
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\amifldrv64.sys
  2⤵
  PID:2816
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
  2⤵
  PID:2704
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe

Filesize
452KB

MD5
c4d09d3b3516550ad2ded3b09e28c10c

SHA1
7a5e77bb9ba74cf57cb1d119325b0b7f64199824

SHA256
66433a06884f28fdabb85a73c682d1587767e1dfa116907559ec00ed8d0919d3

SHA512
2e7800aae592d38c4a6c854b11d0883de70f938b29d78e257ab47a8a2bbf09121145d0a9aea9b56c16e18cde31b693d31d7ebfcd0473b7c15df5d7ae6708bbd2

Download Submit
C:\ProgramData\Microsoft\Windows\amifldrv64.sys

Filesize
18KB

MD5
785045f8b25cd2e937ddc6b09debe01a

SHA1
029c678674f482ababe8bbfdb93152392457109d

SHA256
37073e42ffa0322500f90cd7e3c8d02c4cdd695d31c77e81560abec20bfb68ba

SHA512
40bbeb41816146c7172aa3cf27dace538908b7955171968e1cddcd84403b2588e0d8437a3596c2714ccdf4476eefa3d4e61d90ea118982b729f50b03df1104a9

Download Submit