Analysis

  • max time kernel
    117s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
  • submitted
    16-08-2024 14:46

General

  • Target

    3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe

  • Size

    390KB

  • MD5

    08109df08fa4a035c59d56d1e6c5baf4

  • SHA1

    bec86bce6f6963d0cc69c441c6d5fb6d04d3a833

  • SHA256

    3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338

  • SHA512

    61e6cc3e94ddb7a980bfb0a2e5e5ffeeb5414c9e2ef3e42551820017dbedab5cccdd8ece1fed2ca057e240bdb7836663a7f9be28f1bb9136da972750caf59704

  • SSDEEP

    12288:s8TC7FeAA9IsQwycG888888888888W88888888888E7xCYsdG:s8TygVinw1Z7xCZdG

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___T16LV_.txt

Family

cerber

Ransom Note
Hi, I'am CRBR ENCRYPTOR ;) ----- YOUR DOCUMENTS, PHOTOS, DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED! ----- The only way to decrypt your files is to receive the private key and decryption program. To receive the private key and decryption program go to any decrypted folder, inside there is the special file (*_R_E_A_D___T_H_I_S_*) with complete instructions how to decrypt your files. If you cannot find any (*_R_E_A_D___T_H_I_S_*) file at your PC, follow the instructions below: ----- 1. Download "Tor Browser" from https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your personal page here: http://xpcx6erilkjced3j.onion/E453-2FFA-FE32-0098-93E0 Note! This page is available via "Tor Browser" only. ----- Also you can use temporary addresses on your personal page without using "Tor Browser". ----- 1. http://xpcx6erilkjced3j.19kxwa.top/E453-2FFA-FE32-0098-93E0 2. http://xpcx6erilkjced3j.1eht65.top/E453-2FFA-FE32-0098-93E0 3. http://xpcx6erilkjced3j.1t2jhk.top/E453-2FFA-FE32-0098-93E0 4. http://xpcx6erilkjced3j.1e6ly3.top/E453-2FFA-FE32-0098-93E0 5. http://xpcx6erilkjced3j.16umxg.top/E453-2FFA-FE32-0098-93E0 ----- Note! These are temporary addresses! They will be available for a limited amount of time! -----
URLs

http://xpcx6erilkjced3j.onion/E453-2FFA-FE32-0098-93E0

http://xpcx6erilkjced3j.19kxwa.top/E453-2FFA-FE32-0098-93E0

http://xpcx6erilkjced3j.1eht65.top/E453-2FFA-FE32-0098-93E0

http://xpcx6erilkjced3j.1t2jhk.top/E453-2FFA-FE32-0098-93E0

http://xpcx6erilkjced3j.1e6ly3.top/E453-2FFA-FE32-0098-93E0

http://xpcx6erilkjced3j.16umxg.top/E453-2FFA-FE32-0098-93E0
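The note and URL list above carry two kinds of indicator: the per-victim ID at the end of every URL, which pins a host to a campaign but is useless for blocking, and the 16-character onion label, which is the stable part of every URL because it is reused as a subdomain of each throwaway .top gateway. The Python below is an added example (my code, not part of the sandbox report) that pulls both out of the note text shown above; the note text is copied from the report, while the filename pattern and the 4-8 character bound on its random suffix are assumptions generalized from the two note names this run dropped.

```python
import re
from dataclasses import dataclass, field

# Ransom note text as the sandbox extracted it from
# C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___T16LV_.txt (copied from the report;
# line breaks added for readability only).
NOTE = """Hi, I'am CRBR ENCRYPTOR ;) ----- YOUR DOCUMENTS, PHOTOS, DATABASES AND OTHER
IMPORTANT FILES HAVE BEEN ENCRYPTED! ----- The only way to decrypt your files is to
receive the private key and decryption program. To receive the private key and
decryption program go to any decrypted folder, inside there is the special file
(*_R_E_A_D___T_H_I_S_*) with complete instructions how to decrypt your files. If you
cannot find any (*_R_E_A_D___T_H_I_S_*) file at your PC, follow the instructions below:
----- 1. Download "Tor Browser" from https://www.torproject.org/ and install it.
2. In the "Tor Browser" open your personal page here:
http://xpcx6erilkjced3j.onion/E453-2FFA-FE32-0098-93E0 Note! This page is available
via "Tor Browser" only. ----- Also you can use temporary addresses on your personal
page without using "Tor Browser". -----
1. http://xpcx6erilkjced3j.19kxwa.top/E453-2FFA-FE32-0098-93E0
2. http://xpcx6erilkjced3j.1eht65.top/E453-2FFA-FE32-0098-93E0
3. http://xpcx6erilkjced3j.1t2jhk.top/E453-2FFA-FE32-0098-93E0
4. http://xpcx6erilkjced3j.1e6ly3.top/E453-2FFA-FE32-0098-93E0
5. http://xpcx6erilkjced3j.16umxg.top/E453-2FFA-FE32-0098-93E0
----- Note! These are temporary addresses! They will be available for a limited
amount of time! -----"""

# One pattern covers both the .onion address and the clearnet gateways: the same
# 16-character (v2) onion label is reused as a subdomain of each throwaway .top
# domain, and every URL ends in the victim ID (five groups of four hex digits here).
URL_RE = re.compile(
    r"https?://(?P<label>[a-z2-7]{16})\.(?P<tld>onion|[a-z0-9-]+\.top)/"
    r"(?P<vid>[0-9A-F]{4}(?:-[0-9A-F]{4}){4})"
)

# Note filenames seen in this run: _R_E_A_D___T_H_I_S___T16LV_.txt and
# _R_E_A_D___T_H_I_S___ZN5MLD_.hta. The 4-8 character suffix bound is an assumption
# generalized from those two names, not something the report states.
NOTE_NAME_RE = re.compile(r"^_R_E_A_D___T_H_I_S___[A-Z0-9]{4,8}_\.(txt|hta)$")


@dataclass
class NoteIocs:
    victim_id: str
    onion_host: str
    gateway_domains: list = field(default_factory=list)
    urls: list = field(default_factory=list)


def extract_iocs(note: str) -> NoteIocs:
    """Pull the per-victim and per-campaign indicators out of a Cerber note."""
    matches = list(URL_RE.finditer(note))
    if not matches:
        raise ValueError("no Cerber-style payment URLs found")

    victim_ids = {m.group("vid") for m in matches}
    labels = {m.group("label") for m in matches}
    # A single note should reference one victim and one hidden service; anything
    # else means the regex matched something it should not have, so fail loudly.
    if len(victim_ids) != 1 or len(labels) != 1:
        raise ValueError(f"inconsistent note: ids={victim_ids} labels={labels}")

    label = labels.pop()
    gateways = [m.group("tld") for m in matches if m.group("tld") != "onion"]
    return NoteIocs(
        victim_id=victim_ids.pop(),
        onion_host=f"{label}.onion",
        gateway_domains=gateways,
        urls=[m.group(0) for m in matches],
    )


def is_cerber_note_name(filename: str) -> bool:
    """True for the _R_E_A_D___T_H_I_S___<suffix>_.txt/.hta naming used here."""
    return NOTE_NAME_RE.match(filename) is not None


if __name__ == "__main__":
    iocs = extract_iocs(NOTE)
    print("victim id :", iocs.victim_id)
    print("onion host:", iocs.onion_host)
    print("gateways  :", ", ".join(iocs.gateway_domains))
```

Because the onion label is reused as the left-most DNS label of every gateway, matching on that label in DNS or proxy logs catches gateway domains that rotate in after this report was written, whereas blocking the five .top domains above only covers this snapshot.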

Signatures

  • Cerber

    Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2016; the "CRBR ENCRYPTOR" name in this sample's ransom note was adopted by later variants in 2017.

  • Blocklisted process makes network request 5 IoCs
  • Contacts a large (1098) number of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services. Cerber is known to spray UDP packets across whole IP ranges as a check-in/statistics beacon, so for this family the host count is more likely that beacon than a service scan; confirm against the destination ports in the packet capture before treating it as lateral-movement reconnaissance.

  • Modifies Windows Firewall 2 TTPs 2 IoCs
  • Deletes itself 1 IoCs
  • Drops startup file 1 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 38 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 20 IoCs
  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. The process tree below shows the two invocations this run triggered (PIDs 2256 and 2348), both with advfirewall arguments; the helper-DLL IoCs are not itemised in this report, so check HKLM\SOFTWARE\Microsoft\NetSh on the host before concluding that a helper DLL was actually registered.

  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host. Cerber is known to exit on hosts whose locale belongs to one of several post-Soviet countries, so for this family the check is a kill-switch as much as reconnaissance.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Kills process with taskkill 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 35 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 40 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe
    "C:\Users\Admin\AppData\Local\Temp\3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe"
    1⤵
    • Drops startup file
    • Enumerates connected drives
    • Drops file in System32 directory
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:1056
    • C:\Windows\SysWOW64\netsh.exe
      C:\Windows\system32\netsh.exe advfirewall set allprofiles state on
      2⤵
      • Modifies Windows Firewall
      • Event Triggered Execution: Netsh Helper DLL
      • System Location Discovery: System Language Discovery
      PID:2256
    • C:\Windows\SysWOW64\netsh.exe
      C:\Windows\system32\netsh.exe advfirewall reset
      2⤵
      • Modifies Windows Firewall
      • Event Triggered Execution: Netsh Helper DLL
      • System Location Discovery: System Language Discovery
      PID:2348
    • C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___ZN5MLD_.hta"
      2⤵
      • Blocklisted process makes network request
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Suspicious use of WriteProcessMemory
      PID:2992
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" http://xpcx6erilkjced3j.1t2jhk.top/E453-2FFA-FE32-0098-93E0
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2596
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2596 CREDAT:275457 /prefetch:2
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:1728
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2596 CREDAT:668677 /prefetch:2
          4⤵
            PID:2336
      • C:\Windows\SysWOW64\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___T16LV_.txt
        2⤵
        • System Location Discovery: System Language Discovery
        • Opens file in notepad (likely ransom note)
        PID:3004
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /d /c taskkill /f /im "3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe" > NUL && exit
        2⤵
        • Deletes itself
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Suspicious use of WriteProcessMemory
        PID:1192
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im "3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe"
          3⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:692
        • C:\Windows\SysWOW64\PING.EXE
          ping -n 1 127.0.0.1
          3⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:1576
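Three things in the tree above are worth detecting on their own, independent of this sample's hashes: netsh.exe changing the host firewall state (first "set allprofiles state on", then "reset"), mshta.exe executing an .hta dropped on the user's Desktop, and the cmd.exe chain that kills the parent by image name, pauses with a single ping to 127.0.0.1, and deletes the parent's file. The Python below is an added example of those rules run over the tree, not the sandbox's own detection logic; the process records are transcribed from the tree (PIDs, images and command lines are the report's, parent links follow the nesting, and the sample's own parent is left unset because the report does not show it), while the rule names and the ATT&CK technique mappings are my own.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: Optional[int]  # None where the report does not show a parent
    image: str           # executable path as logged
    cmdline: str


@dataclass(frozen=True)
class Alert:
    pid: int
    rule: str
    technique: str       # MITRE ATT&CK technique ID (my mapping)
    detail: str


# Process records transcribed from the sandbox tree above.
SAMPLE = "3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe"
SAMPLE_PATH = ntpath.join(r"C:\Users\Admin\AppData\Local\Temp", SAMPLE)
PROCS = [
    Proc(1056, None, SAMPLE_PATH, f'"{SAMPLE_PATH}"'),
    Proc(2256, 1056, r"C:\Windows\SysWOW64\netsh.exe",
         r"C:\Windows\system32\netsh.exe advfirewall set allprofiles state on"),
    Proc(2348, 1056, r"C:\Windows\SysWOW64\netsh.exe",
         r"C:\Windows\system32\netsh.exe advfirewall reset"),
    Proc(2992, 1056, r"C:\Windows\SysWOW64\mshta.exe",
         r'"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___ZN5MLD_.hta"'),
    Proc(3004, 1056, r"C:\Windows\SysWOW64\NOTEPAD.EXE",
         r'"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___T16LV_.txt'),
    Proc(1192, 1056, r"C:\Windows\SysWOW64\cmd.exe",
         f'"C:\\Windows\\system32\\cmd.exe" /d /c taskkill /f /im "{SAMPLE}" > NUL '
         f'& ping -n 1 127.0.0.1 > NUL & del "{SAMPLE_PATH}" > NUL && exit'),
    Proc(692, 1192, r"C:\Windows\SysWOW64\taskkill.exe", f'taskkill /f /im "{SAMPLE}"'),
    Proc(1576, 1192, r"C:\Windows\SysWOW64\PING.EXE", "ping -n 1 127.0.0.1"),
]

TASKKILL_RE = re.compile(r'taskkill\b.*?/im\s+"?([^"\s]+)"?', re.I)
DEL_RE = re.compile(r'\bdel\s+(?:"([^"]+)"|(\S+))', re.I)
FIREWALL_RE = re.compile(r"advfirewall\s+(?:set\s+\w+\s+state|reset)|firewall\s+set\s+opmode", re.I)
HTA_RE = re.compile(r'"?([a-z]:\\users\\[^"]+?\.hta)"?', re.I)


def _name(path: str) -> str:
    return ntpath.basename(path).lower()


def detect_firewall_tamper(proc: Proc) -> Optional[Alert]:
    """netsh changing or resetting the host firewall state (T1562.004)."""
    if _name(proc.image) != "netsh.exe" or not FIREWALL_RE.search(proc.cmdline):
        return None
    return Alert(proc.pid, "firewall_tamper", "T1562.004", proc.cmdline)


def detect_mshta_local_hta(proc: Proc) -> Optional[Alert]:
    """mshta.exe executing an .hta that lives under a user profile (T1218.005)."""
    if _name(proc.image) != "mshta.exe":
        return None
    m = HTA_RE.search(proc.cmdline)
    return Alert(proc.pid, "mshta_local_hta", "T1218.005", m.group(1)) if m else None


def detect_self_delete(proc: Proc, parent: Optional[Proc]) -> Optional[Alert]:
    """cmd.exe kills its parent by image name and deletes that same file (T1070.004).

    Requiring the taskkill target, the del target and the parent image to agree is
    what separates this from ordinary cleanup scripts that happen to use both verbs.
    """
    if _name(proc.image) != "cmd.exe" or parent is None:
        return None
    tk, de = TASKKILL_RE.search(proc.cmdline), DEL_RE.search(proc.cmdline)
    if not (tk and de):
        return None
    killed = tk.group(1).lower()
    deleted = _name(de.group(1) or de.group(2))
    if not (killed == deleted == _name(parent.image)):
        return None
    delay = " after a ping delay" if "127.0.0.1" in proc.cmdline else ""
    return Alert(proc.pid, "self_delete", "T1070.004",
                 f"pid {proc.pid} kills and deletes parent {parent.pid} ({killed}){delay}")


def triage(procs):
    """Run every rule over every process; returns alerts in process order."""
    by_pid = {p.pid: p for p in procs}
    alerts = []
    for p in procs:
        parent = by_pid.get(p.ppid) if p.ppid is not None else None
        for a in (detect_firewall_tamper(p), detect_mshta_local_hta(p),
                  detect_self_delete(p, parent)):
            if a:
                alerts.append(a)
    return alerts


if __name__ == "__main__":
    for a in triage(PROCS):
        print(f"[{a.technique}] {a.rule} pid={a.pid}: {a.detail}")
```

The self-delete rule only fires when the parent record is present: run on the child processes alone, the chain is just a cmd.exe that deletes a file, which is why the rule takes the parent rather than trusting the command line by itself.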

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      49a16eb34e0833ee9f1598f775fc7d97

      SHA1

      cb2ccf71a81f45f72e3e9531c9b6c6d349dcf60b

      SHA256

      88073d3253f8d5f22a38845d6a707ae4edad3424189b2cccc720504bb59ae24d

      SHA512

      608fbf4bf63de1339ef9b832ce54ca8beeeada85625e21845b155418921c57763ae49b623f52d435e05040c0cec83d7ecd60cc8993703f315ae8795f4e1c3224

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      1827754031947928addfb3a736c54ac9

      SHA1

      3534ea43fa448bb557c8b8285915fe04f7bea507

      SHA256

      86af047feb69167b18371603455a5ccc22dcbc7e19ebbc51a6f27beeac6e20f0

      SHA512

      3eeeb27cca5ff284c5e1d935660091034dc074352bf8a7ea5159890e5620c84abe4c2728f33c6478a6f49d66fa39361659dc9cb878c9fbf4520f86111fbd4dd5

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      19de34a706b92058948c77ed59bf6da5

      SHA1

      37140730fe90235fb77e94b5d678e41d9eaad7ce

      SHA256

      0c953cef3d660f72b4f0bcf7bd0650c50b6260e2257b5366b63870c4626d5235

      SHA512

      57f432e7b747d417eb4c506bdb8782c891611ee9150475bb30952ccab5f4c99839ba9a614b51e6065d1b9a1d0bcf44c5b83a734caeffd1782e0634bf46434920

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      10dddab01f5d851bfddc6c25d886c2f7

      SHA1

      987f6c4277a1b5942ec6d3a78afc9f77717e4edd

      SHA256

      c42dee308591ca899cafc14dfcb8024d241ee5681f739efc55d2e921f0e476ea

      SHA512

      dfb44f62ae3d5f2ca665979e8d19563833ea3e0ff1ffa27644e6a1c7ef2a886f25df3e2e495dcbf3e382d859cfbc48a5248daabc238e45ed55fd79908d847043

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      06d7ab6737b160a8b9aed861e6006772

      SHA1

      0080ce32706cde729083f7a8deb058bb8a9845b0

      SHA256

      0a5fef085ba02fb319ec28f28747274c7a3d928494d9b78c6725c8c8b664dbf0

      SHA512

      4a4db4578e00f7b11f8d04b286584a384c961c0419a0ecb71703c1875cb042e701d89002e3a16a307df57288c68d24b24500e1484efe274fad9a25016c594524

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      393da11d8fbefac8fb1c758f296ef2e9

      SHA1

      be23e5ddb0408583404635ee231b9428b98e0ca0

      SHA256

      286e0fcb82c8a603cdd60e87686ece55b73b8382ebccbd40d47fd04494400c61

      SHA512

      c3b9e38037949a2e91654c7440874f8c2e566e22293bbd0316dccd908843c0b8e8a907a00ee5ac264235dabf6f00b8870922ac7a4917521ae978dee961d0805c

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      7e0bd8d2a2d65aeb61e99c5bea84627a

      SHA1

      282ac84db26eed080f52331d2833b01f862deacd

      SHA256

      cd5eaf84ca4a0cbaaa3ae0e09068769d51bf84fe75b9ad66e3e2b79d06abb7eb

      SHA512

      915d8af92547e4e67eb9d29297c5c427c9f1e34af167bdf694c4b1acad608dd38038ad26bfab5f826b9f9432a5b92631bf001b7dedcb04c2ad95d2f021e0e149

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      8950598020fa9a4713459bb49cc035d4

      SHA1

      7367d1e7357ad342489eef5d2e457e34ce71a60b

      SHA256

      8a02fe8b6e7d00381ab1527b7c803b4555f7f3d3ef2f44a42a9ac3a89ad4f923

      SHA512

      f60fb5c9c800add8637ff916226f99b1376fb86ec84be9d4ddc5a5858568c619805d84c040b675e28f537b58ef67edf1b8c9fffdec607d04c4e13b49399ab3f2

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      692800ce5b3464a8147d0298897ab2e6

      SHA1

      f1776e45cf8f1fbce5d86cfce4e052fe11f94d43

      SHA256

      240b9feb21b264aa7a978438c8e930ec91c34e20a236aa7e5f87624644fd8122

      SHA512

      c9b0bd9afecf6d69aaf854e1744e4d231541255e6d53670a0c200aa70f7c4d6cb3db7d0ea8deef3ce4fb30ddcce08f18c95331e999b1553c87e3de814fa72ae5

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      b6f85c3e14102ccefc0db7d8af7ff80b

      SHA1

      fd144a7609feb0b6790455e43d23b0cefb051028

      SHA256

      8ceac600326c402a9f10614680273c078045099e265bd259f052a2d7c13f7674

      SHA512

      cea368ff9f71e70b6dcaab024d58188472743b596ee8a29e931b43b7ff6acbdf329fb80ad7451487c135b4aea7a07d9d4d3aea3f022016b6f631c5577f853afa

    • C:\Users\Admin\AppData\Local\Temp\Cab17E7.tmp

      Filesize

      70KB

      MD5

      49aebf8cbd62d92ac215b2923fb1b9f5

      SHA1

      1723be06719828dda65ad804298d0431f6aff976

      SHA256

      b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

      SHA512

      bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

    • C:\Users\Admin\AppData\Local\Temp\Tar1896.tmp

      Filesize

      181KB

      MD5

      4ea6026cf93ec6338144661bf1202cd1

      SHA1

      a1dec9044f750ad887935a01430bf49322fbdcb7

      SHA256

      8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

      SHA512

      6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

    • C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___T16LV_.txt

      Filesize

      1KB

      MD5

      a5206f7bc6a04bf9b6762d593c492401

      SHA1

      fe6390eb89b8d9985fb93c4744abbbb6c6b9d278

      SHA256

      fd9d0f5f072c22f4f45ee617d6b25a7b960f39cb35b289cf07d721240127d48f

      SHA512

      d9b5e0fb6542e9dd46c6760bd024e4412fc6ec4bd81b5fb11a2625fa35ab6737e1ce4c4e81e36b9374a0755181343c41efc80b31186ee3954ecbf329f4b1f331

    • C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___ZN5MLD_.hta

      Filesize

      76KB

      MD5

      a99e8ad60f6e6d01e1f213085eb2cac8

      SHA1

      f2b09b1dfc614a15578886f8f14007fffb7ff862

      SHA256

      4991369964c68acd019a37335909defa0ccf388bc8353727072afc1e58acbf69

      SHA512

      b888995703c861c9045215e39b5c436b044b8abbfd70db96145a1e73d8bd2ca68ce252debf38f96f1b9728cc7a41b4db060b52f3446171c7732f5b79c697664e

    • memory/1056-5-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

    • memory/1056-1-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

    • memory/1056-0-0x0000000000120000-0x0000000000152000-memory.dmp

      Filesize

      200KB

    • memory/1056-2-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

    • memory/1056-117-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

    • memory/1056-135-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB