Analysis

  • max time kernel
    133s
  • max time network
    128s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    16-08-2024 14:46

General

  • Target
    3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe
  • Size
    390KB
  • MD5
    08109df08fa4a035c59d56d1e6c5baf4
  • SHA1
    bec86bce6f6963d0cc69c441c6d5fb6d04d3a833
  • SHA256
    3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338
  • SHA512
    61e6cc3e94ddb7a980bfb0a2e5e5ffeeb5414c9e2ef3e42551820017dbedab5cccdd8ece1fed2ca057e240bdb7836663a7f9be28f1bb9136da972750caf59704
  • SSDEEP
    12288:s8TC7FeAA9IsQwycG888888888888W88888888888E7xCYsdG:s8TygVinw1Z7xCZdG

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\_R_E_A_D___T_H_I_S___B3GRJJ_.txt

Family

cerber

Ransom Note
Hi, I'am CRBR ENCRYPTOR ;)
-----
YOUR DOCUMENTS, PHOTOS, DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED!
-----
The only way to decrypt your files is to receive the private key and decryption program. To receive the private key and decryption program go to any decrypted folder, inside there is the special file (*_R_E_A_D___T_H_I_S_*) with complete instructions how to decrypt your files. If you cannot find any (*_R_E_A_D___T_H_I_S_*) file at your PC, follow the instructions below:
-----
1. Download "Tor Browser" from https://www.torproject.org/ and install it.
2. In the "Tor Browser" open your personal page here: http://xpcx6erilkjced3j.onion/27CD-F8B6-D76A-0098-96B2
Note! This page is available via "Tor Browser" only.
-----
Also you can use temporary addresses on your personal page without using "Tor Browser".
-----
1. http://xpcx6erilkjced3j.19kxwa.top/27CD-F8B6-D76A-0098-96B2
2. http://xpcx6erilkjced3j.1eht65.top/27CD-F8B6-D76A-0098-96B2
3. http://xpcx6erilkjced3j.1t2jhk.top/27CD-F8B6-D76A-0098-96B2
4. http://xpcx6erilkjced3j.1e6ly3.top/27CD-F8B6-D76A-0098-96B2
5. http://xpcx6erilkjced3j.16umxg.top/27CD-F8B6-D76A-0098-96B2
-----
Note! These are temporary addresses! They will be available for a limited amount of time!
-----
URLs

http://xpcx6erilkjced3j.onion/27CD-F8B6-D76A-0098-96B2

http://xpcx6erilkjced3j.19kxwa.top/27CD-F8B6-D76A-0098-96B2

http://xpcx6erilkjced3j.1eht65.top/27CD-F8B6-D76A-0098-96B2

http://xpcx6erilkjced3j.1t2jhk.top/27CD-F8B6-D76A-0098-96B2

http://xpcx6erilkjced3j.1e6ly3.top/27CD-F8B6-D76A-0098-96B2

http://xpcx6erilkjced3j.16umxg.top/27CD-F8B6-D76A-0098-96B2

Signatures

  • Cerber

    Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.

  • Contacts a large (1109) number of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Modifies Windows Firewall 2 TTPs 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 1 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 38 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 20 IoCs
  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Kills process with taskkill 1 IoCs
  • Modifies registry class 1 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe
    "C:\Users\Admin\AppData\Local\Temp\3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe"
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Enumerates connected drives
    • Drops file in System32 directory
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1920
    • C:\Windows\SysWOW64\netsh.exe
      C:\Windows\system32\netsh.exe advfirewall set allprofiles state on
      2⤵
      • Modifies Windows Firewall
      • Event Triggered Execution: Netsh Helper DLL
      • System Location Discovery: System Language Discovery
      PID:1896
    • C:\Windows\SysWOW64\netsh.exe
      C:\Windows\system32\netsh.exe advfirewall reset
      2⤵
      • Modifies Windows Firewall
      • Event Triggered Execution: Netsh Helper DLL
      • System Location Discovery: System Language Discovery
      PID:1764
    • C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___EMVE_.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4472
    • C:\Windows\SysWOW64\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___SOX7BA_.txt
      2⤵
      • System Location Discovery: System Language Discovery
      • Opens file in notepad (likely ransom note)
      PID:4252
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /d /c taskkill /f /im "3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe" > NUL && exit
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Suspicious use of WriteProcessMemory
      PID:3132
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im "3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2896
      • C:\Windows\SysWOW64\PING.EXE
        ping -n 1 127.0.0.1
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:4412
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3908,i,8231329449558834090,4540802069600791165,262144 --variations-seed-version --mojo-platform-channel-handle=1048 /prefetch:8
    1⤵
      PID:3856

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\_R_E_A_D___T_H_I_S___B3GRJJ_.txt
    Filesize: 1KB
    MD5: 4a3b824128f241cd9296c837249170c0
    SHA1: 0a296c2b670d411b1b21ed1ab7b9ecfb5325d23a
    SHA256: c3bff5068ad205c8f3264abbcc8d46341f07f5e34419979ff93960c736ce2650
    SHA512: 68b28e878e93c014568028a9874e03415fe88ce85212d7765da252801b9b4c3da8d70621e4d61e68d1c7f8e2e27008c5440fd873d41cca46fe53cd6de17fed14

  • C:\Users\Admin\AppData\Roaming\Microsoft\OneNote\16.0\_R_E_A_D___T_H_I_S___NJ0ON_.hta
    Filesize: 76KB
    MD5: 1fc8e7fcf4017bb65052bf691db4c216
    SHA1: 2090e211d85d699947271896ca4b0913a7a0d55e
    SHA256: ad14533c044e755e2989b4de0ddcbe4665fb1bfa77ec33416fb49eccc5c4d0c1
    SHA512: b27bbb9ca564f76f872f8e3c7caea318aeec1767368988f0c718b2d8239fc9cdccaac9c1128c3f24106796f623e1ea20240319c58656471954bea3f399a934a8

  • memory/1920-0-0x0000000001510000-0x0000000001542000-memory.dmp
    Filesize: 200KB

  • memory/1920-1-0x0000000000400000-0x0000000000436000-memory.dmp
    Filesize: 216KB

  • memory/1920-2-0x0000000000400000-0x0000000000436000-memory.dmp
    Filesize: 216KB

  • memory/1920-4-0x0000000000400000-0x0000000000436000-memory.dmp
    Filesize: 216KB

  • memory/1920-7-0x0000000000400000-0x0000000000436000-memory.dmp
    Filesize: 216KB

  • memory/1920-438-0x0000000000400000-0x0000000000436000-memory.dmp
    Filesize: 216KB

  • memory/1920-443-0x0000000000400000-0x0000000000436000-memory.dmp
    Filesize: 216KB

  • memory/1920-460-0x0000000000400000-0x0000000000436000-memory.dmp
    Filesize: 216KB