Analysis
-
max time kernel
369s -
max time network
393s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
06-08-2024 16:24
General
-
Target
https://www.youtube.com/redirect?event=backstage_event&redir_token=QUFFLUhqbWR4TlBCa2Z4UjZDcWVESmJwcS1zWXJXTF8wZ3xBQ3Jtc0tsenF4LUpxV25MeGNlZlFEcHVqX1pHM3hrY0FDbUN3Y3pWajIzUllwV0g5X2hta3B2dEJTV3BzSmp5QVUwazBFeWR4TVRQYTNoMWlXMlpiaDRKRFBQWUIyMThWbWozWUsxd1FGMHBseVE3TjUzV2hhcw&q=https%3A%2F%2Fwww.dropbox.com%2Fscl%2Ffi%2Frlx6kz3gzrwup8laoyijg%2FAdobe-A-tivator.rar%3Frlkey%3Diui2ku44r3td0rvm46r0pbvw5%26st%3D4ua9ggn4%26dl%3D1
Malware Config
Extracted
C:\Users\Admin\AppData\Roaming\Microsoft\OneNote\16.0\_R_E_A_D___T_H_I_S___28JSD_.hta
cerber
Extracted
C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\_R_E_A_D___T_H_I_S___WKMX_.txt
cerber
http://p27dokhpz2n7nvgr.onion/65B1-1F63-C661-0446-920C
http://p27dokhpz2n7nvgr.12hygy.top/65B1-1F63-C661-0446-920C
http://p27dokhpz2n7nvgr.14ewqv.top/65B1-1F63-C661-0446-920C
http://p27dokhpz2n7nvgr.14vvrc.top/65B1-1F63-C661-0446-920C
http://p27dokhpz2n7nvgr.129p1t.top/65B1-1F63-C661-0446-920C
http://p27dokhpz2n7nvgr.1apgrn.top/65B1-1F63-C661-0446-920C
Signatures
-
Cerber
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
-
Contacts a large (1118) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Modifies Windows Firewall 2 TTPs 2 IoCs
-
Drops startup file 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs
-
Drops file in System32 directory 38 IoCs
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
-
Drops file in Program Files directory 20 IoCs
-
Drops file in Windows directory 64 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
-
System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Kills process with taskkill 1 IoCs
-
Modifies registry class 4 IoCs
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 14 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 15 IoCs
-
Suspicious use of AdjustPrivilegeToken 10 IoCs
-
Suspicious use of FindShellTrayWindow 46 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of SetWindowsHookEx 8 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/redirect?event=backstage_event&redir_token=QUFFLUhqbWR4TlBCa2Z4UjZDcWVESmJwcS1zWXJXTF8wZ3xBQ3Jtc0tsenF4LUpxV25MeGNlZlFEcHVqX1pHM3hrY0FDbUN3Y3pWajIzUllwV0g5X2hta3B2dEJTV3BzSmp5QVUwazBFeWR4TVRQYTNoMWlXMlpiaDRKRFBQWUIyMThWbWozWUsxd1FGMHBseVE3TjUzV2hhcw&q=https%3A%2F%2Fwww.dropbox.com%2Fscl%2Ffi%2Frlx6kz3gzrwup8laoyijg%2FAdobe-A-tivator.rar%3Frlkey%3Diui2ku44r3td0rvm46r0pbvw5%26st%3D4ua9ggn4%26dl%3D11⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xd8,0x100,0x104,0xe4,0x108,0x7ff82f8846f8,0x7ff82f884708,0x7ff82f8847182⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1932,15117843335250078076,17591947520713463577,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2020 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1932,15117843335250078076,17591947520713463577,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2508 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1932,15117843335250078076,17591947520713463577,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2752 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,15117843335250078076,17591947520713463577,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,15117843335250078076,17591947520713463577,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1932,15117843335250078076,17591947520713463577,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5204 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1932,15117843335250078076,17591947520713463577,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5204 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,15117843335250078076,17591947520713463577,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4788 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,15117843335250078076,17591947520713463577,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5324 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,15117843335250078076,17591947520713463577,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4080 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,15117843335250078076,17591947520713463577,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3504 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,15117843335250078076,17591947520713463577,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5356 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,15117843335250078076,17591947520713463577,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5752 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,15117843335250078076,17591947520713463577,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3508 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,15117843335250078076,17591947520713463577,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5276 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,15117843335250078076,17591947520713463577,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5696 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1932,15117843335250078076,17591947520713463577,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5488 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1932,15117843335250078076,17591947520713463577,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=3372 /prefetch:82⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,15117843335250078076,17591947520713463577,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4260 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,15117843335250078076,17591947520713463577,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3484 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,15117843335250078076,17591947520713463577,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3436 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1932,15117843335250078076,17591947520713463577,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1972 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,15117843335250078076,17591947520713463577,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6712 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1932,15117843335250078076,17591947520713463577,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6452 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1932,15117843335250078076,17591947520713463577,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6656 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Ransomware-master\Ransomware-master\etc\Ransomware.Locky\Locky~\" -ad -an -ai#7zMap25973:178:7zEvent210021⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Ransomware-master\Ransomware-master\etc\Ransomware.Locky\" -an -ai#7zMap22543:178:7zEvent173891⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\Downloads\Ransomware-master\Ransomware-master\etc\Ransomware.Cerber\cerber.exe"C:\Users\Admin\Downloads\Ransomware-master\Ransomware-master\etc\Ransomware.Cerber\cerber.exe"1⤵
- Drops startup file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\netsh.exeC:\Windows\system32\netsh.exe advfirewall set allprofiles state on2⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exeC:\Windows\system32\netsh.exe advfirewall reset2⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___3PAU_.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___07YT7K5_.txt2⤵
- System Location Discovery: System Language Discovery
- Opens file in notepad (likely ransom note)
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe"2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im "cerber.exe"3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\PING.EXEping -n 1 127.0.0.13⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
C:\Users\Admin\Downloads\Ransomware-master\Ransomware-master\etc\Ransomware.Cerber\cerber.exe"C:\Users\Admin\Downloads\Ransomware-master\Ransomware-master\etc\Ransomware.Cerber\cerber.exe"1⤵
-
C:\Users\Admin\Downloads\Ransomware-master\Ransomware-master\etc\Ransomware.Cerber\cerber.exe"C:\Users\Admin\Downloads\Ransomware-master\Ransomware-master\etc\Ransomware.Cerber\cerber.exe"1⤵
-
C:\Users\Admin\Downloads\Ransomware-master\Ransomware-master\etc\Ransomware.Cerber\cerber.exe"C:\Users\Admin\Downloads\Ransomware-master\Ransomware-master\etc\Ransomware.Cerber\cerber.exe"1⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Defense Evasion
Impair Defenses
1Disable or Modify System Firewall
1Modify Registry
1Discovery
Browser Information Discovery
1Network Service Discovery
1Query Registry
1Remote System Discovery
1System Information Discovery
1System Location Discovery
1System Language Discovery
1System Network Configuration Discovery
1Internet Connection Discovery
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD5d7114a6cd851f9bf56cf771c37d664a2
SHA1769c5d04fd83e583f15ab1ef659de8f883ecab8a
SHA256d2c75c7d68c474d4b8847b4ba6cfd09fe90717f46dd398c86483d825a66e977e
SHA51233bdae2305ae98e7c0de576de5a6600bd70a425e7b891d745cba9de992036df1b3d1df9572edb0f89f320e50962d06532dae9491985b6b57fd37d5f46f7a2ff8
-
Filesize
152B
MD5719923124ee00fb57378e0ebcbe894f7
SHA1cc356a7d27b8b27dc33f21bd4990f286ee13a9f9
SHA256aa22ab845fa08c786bd3366ec39f733d5be80e9ac933ed115ff048ff30090808
SHA512a207b6646500d0d504cf70ee10f57948e58dab7f214ad2e7c4af0e7ca23ce1d37c8c745873137e6c55bdcf0f527031a66d9cc54805a0eac3678be6dd497a5bbc
-
Filesize
3KB
MD5098af1ff57cb35a25a0149ba2fe0302c
SHA1b56bc2bb19af2367fd3e552c66e96c249af6c706
SHA2560384a4add30d1d33b6d948860e7915cf3901df796e11a0f1000f17581df8bf54
SHA5126e80fdba26741e36ac6e9d0affdec426becfc1b5698ed27ca92cbe42c7880ca7e60aabac4cc9b820bb7464dfe02254e274b0bc3069e6e07a9e3ed142b43e14e4
-
Filesize
4KB
MD5f094bb0bfd46348a52a24350005f009e
SHA152bf61da72f9bf761c1bdf95dbbb7f388d6abed2
SHA2568f1c504088962a6127d5e5f869ee8321664d0eb44ede7a136445acf10b144118
SHA512e2ead0aed3e4cd6b7c44190ba6d684467041fc592dbdacb5682947434339e7e2962eb7802e101ffa265e7c23f8bd2d4654bcd7b7f718340503b5d001a1f47654
-
Filesize
4KB
MD5c874b5fb41e90815593528d021849f18
SHA124d8c0960296c5771c4bef0d175d99c615641079
SHA2564e05174e2e494503a46d57094d2aa67741393a670ea0f1e842d0a59f20b212e7
SHA51232d21b5682a73c06a74d939c64b4181d4716b8d5cd2eb33ef66aa534297a4b3a05296b6b673e965bfd3bdf2c4e262962652dd0d794b0c0ef75a7feb2e3597c6e
-
Filesize
1KB
MD52682069549af7566c087b0638cbad7da
SHA1413ea369c9c5063c3fe2e4f632c03526a1197e54
SHA2563409ff3b5300575821112cba3bf6520e09e38b9750691ded92cce6f777850cf8
SHA5126ee2104ab025059738540b02473956324c06eb7cf0233b638ec42174217a1ec16c356e017762888a77a710cb5f1832c98966dec71c03ac426ab9298d427f342d
-
Filesize
1KB
MD5f98b8720c714fd7046db8c51b7143e57
SHA19728e6275334546548fc5950b5c906ba8a5f1f2d
SHA2563179363998ef533e366b2cd927e401f676b0e00f1ca8d249cea323f1f916093b
SHA51293479a1c23d866b4c836d871cf5d7ab5df841e2f3bb824f47fa6a846c64e07e59596ca81bda6c58005b31fb395f7364805e736c4980806cc8477829fcb9e27c5
-
Filesize
111B
MD5807419ca9a4734feaf8d8563a003b048
SHA1a723c7d60a65886ffa068711f1e900ccc85922a6
SHA256aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631
SHA512f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c
-
Filesize
1KB
MD59eb6dc89e23d35642049c401db12bfda
SHA115eb97f1ae9dd628f657ee07b5c2d45d96fcb9e2
SHA25658cab3ec1f03a92e8c94792441700ae58060c99d73fe2957782079b40c9cc47b
SHA512afeabf181448e9c88681ec92d35dbbc4320a9a480c550e2f29713984eca5416478d20689c28bf5c49dfce459cca90046b360af7fc87ea4b7a0854295dba2876f
-
Filesize
6KB
MD55193c7d5e473d6595f943f12278d4a7f
SHA1eb547b2bcca57214aec4565c623bfa8fe6cc56a2
SHA25695e2d342b44d4706f182dc7cc4b3f910ceec7bea684caac85dd765b829d5a370
SHA512594af268b2893c9a7f02d2e507d5037e2665c6c82980fc1d672a61ef28709faeed769686ca74750e817f2f9d51566b8c747bf73af5ad15c3dbe29af0fb1e5a90
-
Filesize
7KB
MD5fc0270d2b89a602303caffa32109912b
SHA1bc9b4de34347bd849fa7f51f8f779eb182c53d4a
SHA256d3112782b9f7c89183d99c546251be717b0e56c3a8b91ce25b02444a7a38c2fe
SHA512d7c9cf2ab82823f00beb2db7fb60297bcd98e86300f573b291a9be9212fca770cd6d2c79c11070f9f68854f54e95ae3e5f260eab3225f68affef8141238df3bb
-
Filesize
7KB
MD586f04237b6aeedc3e008a92c15fe0038
SHA1cc97138a2ca674a898d13c037773754b836fef73
SHA256fb4c34e8ab66e4073fd10b6b59ea53b43c3214ab510c9ed2d5a2f2b710b6f1fe
SHA5123c38976d410e97d95f379540dc49de1a8d713c9ff61daec1297ac87d8a23ea35375b48fd520fbaaf4065f04cd82fd9a84f9aa15b6e82afe587a81b3c7ac80d23
-
Filesize
7KB
MD507ecec4ee72ba09184ff2298b75b93b5
SHA15841952a1ddc8bb2459b28827f187404d4ff8a42
SHA2569350721fc0ec4efb39ee359adcb3e5c925026b06e9f382ea3bfd7d1d57e57cf1
SHA512f56aec215d4d81d66a52016b8ef2f0bc400396692f336ebebd21ef6287ebc54d1ff0239060f1c3ef31fd637c9d5482f2eec683051b0caf9fba2b850a0c5ccb05
-
Filesize
6KB
MD5d33b097b62225f5bd58edf6594b9d779
SHA1534eda5e37267bd72a9e8ae5097dae71913c8b63
SHA2567359246895d1712373ebc44c05b6a6de1b91422600eb8095948dac53e5c973cf
SHA512b87e4546eb6e097b238dbd687de5cd118de8251025d204b21366da2e5d16503f5ac0245d38bdac0f5a6d414d4a507ae24b37766c3a2ca59a61bfcc119ca4010b
-
Filesize
7KB
MD5acc25482647dbdea276ea6b8d401bcd7
SHA18f57dcf301ecd836e65ad8f4969def5ce2f0ba75
SHA25650cb30d460db782a7557a4d0412fd72a7c13ae1781fe07a9cd7d75246e69ee15
SHA51231f678cdf5d7bf7ca4a15d7a6ab308514f62d584f2852a2c738e8106bd240b2feb1e2042ca7ed2081b785e2a9ba4d35f0fadf74c9246ed00bf01f4b8d153833a
-
Filesize
1KB
MD5e100ba0b5e59567b1f483b74f4a9306d
SHA17cbfc67a650095b26b149d537791b47a9899f344
SHA256a35b0fe34da0de9c3d6cccd741d94c9b7d815451ba80d7c2aacda6fe8d195d29
SHA5127d22e07a5220ff7aae1ec302c1e71da292a8cf457754a2c342a523ba63230a5a01a3b36835704c334b4557205d5a47745d17bb90d278037825de4eb699a80edd
-
Filesize
1KB
MD54d4af2e9aacc4fb5a61c05033a0927a0
SHA18aba4589a9ea59bf9a52ace7eba06fee6210a510
SHA256151f03ffe5aece0c2b2154762429278faed7040018721b44493835c680751f0b
SHA512f8e52f2528a79fc356e39ff2d42339bfde9a3132b52067fe2867af32ec48e609a56524ba86312215db0e30d4eabffec081506e93fb01f55ad342766e52eba586
-
Filesize
1KB
MD53eab0b8092669fcfccc2cdf9392e238c
SHA1ea07349b63411b70413c5fbd8cb3e3aba525d156
SHA2565ef09eebb3a4df0cf5a38bbd5f8c1cda0aa66fa99d3689060dd619cfcf68f230
SHA512b6d098f444c957438224781316dc6eb6eae28aa4073e5ce7fba834ee6c6800681d6b9276712183919b23b1289954095f2a071157f416e6c7a12bb5b6c00dbab4
-
Filesize
1KB
MD51536bbbeb7d5dbd736d87f90eed2ea25
SHA1dc330c8e63a02cb6d877ac35aed6596fe6c192ac
SHA2565ebff81c7e71bb81bd12e919ec91fffd7fadfaaefcc8127807d25bfd64cc1069
SHA5127632eb935758a7cc0e5b7613179b5875a441c95ce245f7f3d20fdad0ced4e16c6f6c351a958c416125e14ef3f121f96f552a9ff6d8c065fd3a4219719011e4df
-
Filesize
1KB
MD5f6afd0ee2524d3b5c8219164f2add4f0
SHA104449fcf869fc889813b7323e3acc4c80cbb200b
SHA256ff4e9739648c1b6a418165fcf7ae100ca0af442abc40d44d5d6d953f2cd6085b
SHA512d451d7a1a3fbdeaf7e52d32ce123ea0d19a2c2dda09a023f863f9f88df3c2071dd7d7c9ecc248eae80ad8b70a5171ef9591958182861dcd975b82a6844508f38
-
Filesize
1KB
MD5ce836397cbf04600e3a07acd1d3789fd
SHA1f1fd743a104e77e3e172e26a1e8d2421ac3f9934
SHA2566dad67887e5f9775765ba3ddcdb87f0d4dfa33802e4fbb94585946a2ca2c4c65
SHA51228e2f4e7ce6797241266b8c4edcd02115d60e684d7d6994fe666ed19d67b3601490b38a0389871235d222fdae7cf22fb46749d9004c9d22b744099249b60d62b
-
Filesize
1KB
MD52632abd54bdec5a4431b6a17f08eebf3
SHA1f6e3148be2a35df647f644e0656d2cb5fd21375e
SHA2565d27b9851969802dd78c66de11fe6b4f61b7ba3e6f843d19ec08d06b6201c470
SHA5122a0a028fd2469842bf38a1df3cb983698c234bac9ea30a9fb21a606ec7e41ceec303ce1e4e0951f182e9302c44e233863305514c7f9c4c97d7179e9a722117ec
-
Filesize
1KB
MD5390aa1c67db0b63cd713ffd52a424e6b
SHA12657254bf640aed216fdc922b6fe0b1db18055bc
SHA256dde6cf86e3962e68d917743b451e324608c638c0f6494b5df2c9d0f9d7c9bb69
SHA512845fbc950368f00736c2e034811d7d1330cea5396b111278d18231fa3effe99a59573b433d9e7b7cdffddc3b56c907abb525e79bbcb8f6f1ff534a516035b7e9
-
Filesize
1KB
MD52916bc6badbc358a0b30b528d41896e5
SHA1a5ee73cd5599844b62a27c2ddfac85420e11a1e0
SHA256d99b8f8dbac2ca2300b44a3598eb5b1e076e82ebc3b326077512986838aa1fcd
SHA512b0304964de5ca0debc87291a73ba4383fd4d344309d5f8d78c96ea38cc2271d09313fe6a3a9d36f35741f0e4a4daa971bb89b5c8791744e8d4db738cc60cc5b6
-
Filesize
1KB
MD59916c0ccf35691d6f0778e8f574dba6b
SHA174cab464db4e56284f43b63b8a6796ad2b27ed3f
SHA256d7113343d879983bbd2028c9e0540cb9c3452cb7f2cebb83df5f128a01f9a10c
SHA512106e71b2333ab5d88d0e194361a4810fb61350e62c752efab2f93e40e09191e7b96c3cd244054abd2b7897db3cb53c623f23270aa1b861a4bbd545fc5b8be6a2
-
Filesize
1KB
MD5b25c151fdcb2af6ccfda9ddaf4062666
SHA1439cae2f2dff4bee348f699e14a519be0f77355e
SHA2562f29e7bcb32db3f42e33c9c6d868481342f846c18789b06effae56785ae7a1d7
SHA5128933b9645a77ebb3dccecfe70d8f82d3c19c2ed019a580de5691845ff22273b0109356920db7db18c841690b0df8f1879a68407d647cd44e75e300ba9f1efc49
-
Filesize
1KB
MD5d12c5fd1b28c044b0399fd73a493666c
SHA1ed6103611b04dc66e2db83d6fd7b4a5a9cbb93db
SHA2567a52121256dab2e267c4ace502ee4e436b9610c950fff5eb7d33310f41b58be4
SHA5121af5019d43704fd857775ea595c2da4f968b50234d8ef010682213b7d73008b57c84272b6d00de11c2e81d9a83cba82a32a1d3e6bfb99ff5f9e92350ef4ec4d4
-
Filesize
204B
MD5a284287f95a216c56b9aeddc7e69284b
SHA1fe281f71beb302fda00500144285737bcccf8baa
SHA25683f42c85468ef1d34ed33ac5e93bd8f4b3b85ff0335b9a2d1c22eedaac2868bb
SHA5120ba35d4fc5f081a3753c74cf2e530727b8cc4e7f61c3be2d15a710b810b1f26b794b5d8db237700f2ea9a2b26881b5968a95a8458f223d0b25118a789208aa92
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
11KB
MD55b2d588334d5a91e7d5093bedc3d34a6
SHA18214bf41964e259cba545b45d93030f9d652a8b5
SHA2564263f2f2b567a4e36c4cce8cbfeec4621e071d2715c7a38cd8cc5061e84d5fd0
SHA51243b49be75dd63ef6a3c685e10441fa4fe76f2390512dbe21effce0db1b2e50786191ce3fff939a647d06182a025e1d0817849bf516392d542a871bc3dc758bb4
-
Filesize
11KB
MD5e9420e8103010f7cdf73a7bbcf8614d4
SHA1d60079ed3d01d91a85a3c2222b7b9a6b6ad451d8
SHA256c267dffcc8b2d135a2cd1142c727b625eb81d1ebb0b638a80b6f58306feb4dde
SHA512c9c5a810da055ffd3ebf62140cf1fa73ac0cd9576c4ec3d7377f7aa12c5baed4a849c2d3121ae408661e6a1791c5e62b696288c155620558556b5ed83eeeebaf
-
Filesize
11KB
MD518e17e6bf9516665c6486b00ff19eb16
SHA1141c09392cd7297e1c0e4eafe76377650a44c8a6
SHA2566cdaab0a2754f3b13b02b1f2b02fa3f5505dc41f1f5e9456380001f4c6a3b8e5
SHA512c01a46863644fae31aa97b55bb9c332dfb85d50bb5d61a923165d91b68028efe6ea8be265610ae0903c3a9f5d301e902017d2f945d10669d8f4d5040401540a4
-
Filesize
1KB
MD551e863482c60e3b736425e79793b872c
SHA1eb43fdaa00706de035bb7f946675c34df511e532
SHA2569c5570b66cc6d48ec4e87011f60a34c3998d7aa8e661ed500556cf86569b8a0f
SHA512bc48753a06bd7595e7e9f4e6e738ac7f0bca254b7069a7b1436221828a70fcb6d1b919976bbcbdfd95426dbfc33ffc36e0e6d27c9e581df7244d18a95cca75f4
-
Filesize
75KB
MD5d19c4c83da6594e03b935c2e076ae179
SHA1de1156ec5a7b96aee28956d70a4d086e3a839551
SHA256aff62b9be93e2ca9a18e39b29e32781bbbb8412899a91c3e09b42fd6a881d20a
SHA512c2c12250f871cd2dc13a9e290df3e042d75ed8b77b2840f290853ee3b930a8087531cfc63501098bd0ee121fc739b35fa03080f23ac09338266a5c7032629008
-
Filesize
12.9MB
MD530da61eabe92b48ce784f7ee31f5ec44
SHA14922cfc2c10b5d92b2fb199fc6a2aaed095035e0
SHA2562e156957ffdc73801662b89b1f6773434c4d13bb4b9bc1670827e399ad64aa7e
SHA512648a9e6ddce09e5bf5da680f8d031afe3224b236cea9598e64e0d592f64ec0bed61e0ff089a931772d0f758a42a463e7ee6ea7ef117ad1c1453dbc2240b9f209
-
Filesize
68KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
212KB