cerber | 3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338

Analysis

max time kernel
130s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
16-08-2024 14:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe
Size

390KB
MD5

08109df08fa4a035c59d56d1e6c5baf4
SHA1

bec86bce6f6963d0cc69c441c6d5fb6d04d3a833
SHA256

3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338
SHA512

61e6cc3e94ddb7a980bfb0a2e5e5ffeeb5414c9e2ef3e42551820017dbedab5cccdd8ece1fed2ca057e240bdb7836663a7f9be28f1bb9136da972750caf59704
SSDEEP

12288:s8TC7FeAA9IsQwycG888888888888W88888888888E7xCYsdG:s8TygVinw1Z7xCZdG

Score

10^/10

cerber discovery evasion persistence privilege_escalation ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\_R_E_A_D___T_H_I_S___JFBRHIA_.txt

Family

cerber

Ransom Note

Hi, I'am CRBR ENCRYPTOR ;) ----- YOUR DOCUMENTS, PHOTOS, DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED! ----- The only way to decrypt your files is to receive the private key and decryption program. To receive the private key and decryption program go to any decrypted folder, inside there is the special file (*_R_E_A_D___T_H_I_S_*) with complete instructions how to decrypt your files. If you cannot find any (*_R_E_A_D___T_H_I_S_*) file at your PC, follow the instructions below: ----- 1. Download "Tor Browser" from https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your personal page here: http://xpcx6erilkjced3j.onion/04DB-0DF2-E0EF-0098-9677 Note! This page is available via "Tor Browser" only. ----- Also you can use temporary addresses on your personal page without using "Tor Browser". ----- 1. http://xpcx6erilkjced3j.19kxwa.top/04DB-0DF2-E0EF-0098-9677 2. http://xpcx6erilkjced3j.1eht65.top/04DB-0DF2-E0EF-0098-9677 3. http://xpcx6erilkjced3j.1t2jhk.top/04DB-0DF2-E0EF-0098-9677 4. http://xpcx6erilkjced3j.1e6ly3.top/04DB-0DF2-E0EF-0098-9677 5. http://xpcx6erilkjced3j.16umxg.top/04DB-0DF2-E0EF-0098-9677 ----- Note! These are temporary addresses! They will be available for a limited amount of time! -----

URLs

http://xpcx6erilkjced3j.onion/04DB-0DF2-E0EF-0098-9677

http://xpcx6erilkjced3j.19kxwa.top/04DB-0DF2-E0EF-0098-9677

http://xpcx6erilkjced3j.1eht65.top/04DB-0DF2-E0EF-0098-9677

http://xpcx6erilkjced3j.1t2jhk.top/04DB-0DF2-E0EF-0098-9677

http://xpcx6erilkjced3j.1e6ly3.top/04DB-0DF2-E0EF-0098-9677

http://xpcx6erilkjced3j.16umxg.top/04DB-0DF2-E0EF-0098-9677

Signatures

Cerber
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
ransomware cerber
Contacts a large (1107) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2664	netsh.exe
1084	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe

Drops startup file 1 IoCs

description	ioc	Process
File opened for modification	\??\c:\users\admin\appdata\roaming\microsoft\word\startup\	3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\q:	3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe
File opened (read-only)	\??\y:	3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe
File opened (read-only)	\??\a:	3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe
File opened (read-only)	\??\j:	3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe
File opened (read-only)	\??\r:	3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe
File opened (read-only)	\??\z:	3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe
File opened (read-only)	\??\h:	3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe
File opened (read-only)	\??\p:	3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe
File opened (read-only)	\??\m:	3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe
File opened (read-only)	\??\n:	3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe
File opened (read-only)	\??\t:	3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe
File opened (read-only)	\??\u:	3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe
File opened (read-only)	\??\x:	3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe
File opened (read-only)	\??\i:	3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe
File opened (read-only)	\??\l:	3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe
File opened (read-only)	\??\g:	3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe
File opened (read-only)	\??\k:	3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe
File opened (read-only)	\??\o:	3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe
File opened (read-only)	\??\s:	3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe
File opened (read-only)	\??\v:	3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe
File opened (read-only)	\??\w:	3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe
File opened (read-only)	\??\b:	3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe
File opened (read-only)	\??\e:	3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe

Drops file in System32 directory 38 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft sql server	3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\excel	3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\office	3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\powerpoint	3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\onenote	3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\outlook	3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\powerpoint	3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\word	3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\office	3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\excel	3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\word	3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\onenote	3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\steam	3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\desktop	3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\excel	3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\outlook	3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\the bat!	3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\thunderbird	3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\documents	3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\bitcoin	3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\excel	3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft sql server	3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\outlook	3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\thunderbird	3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\bitcoin	3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\microsoft sql server	3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\microsoft sql server	3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\office	3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\outlook	3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\powerpoint	3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\steam	3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\onenote	3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\word	3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\onenote	3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\powerpoint	3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\office	3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\the bat!	3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\word	3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp8E41.bmp"	3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe

Drops file in Program Files directory 20 IoCs

description	ioc	Process
File opened for modification	\??\c:\program files (x86)\microsoft sql server	3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe
File opened for modification	\??\c:\program files (x86)\microsoft\onenote	3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe
File opened for modification	\??\c:\program files (x86)\microsoft\word	3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe
File opened for modification	\??\c:\program files (x86)\office	3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe
File opened for modification	\??\c:\program files (x86)\excel	3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe
File opened for modification	\??\c:\program files (x86)\microsoft\microsoft sql server	3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe
File opened for modification	\??\c:\program files (x86)\microsoft\office	3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe
File opened for modification	\??\c:\program files (x86)\microsoft\outlook	3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe
File opened for modification	\??\c:\program files (x86)\outlook	3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe
File opened for modification	\??\c:\program files (x86)\the bat!	3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe
File opened for modification	\??\c:\program files\	3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe
File opened for modification	\??\c:\program files (x86)\bitcoin	3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe
File opened for modification	\??\c:\program files (x86)\microsoft\powerpoint	3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe
File opened for modification	\??\c:\program files (x86)\onenote	3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe
File opened for modification	\??\c:\program files (x86)\thunderbird	3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe
File opened for modification	\??\c:\program files (x86)\word	3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe
File opened for modification	\??\c:\program files (x86)\	3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe
File opened for modification	\??\c:\program files (x86)\microsoft\excel	3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe
File opened for modification	\??\c:\program files (x86)\powerpoint	3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe
File opened for modification	\??\c:\program files (x86)\steam	3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\bitcoin	3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\excel	3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\excel	3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\powerpoint	3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\word	3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\excel	3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\office	3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\powerpoint	3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\the bat!	3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\word	3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\bitcoin	3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\powerpoint	3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\outlook	3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\steam	3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\desktop	3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\onenote	3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\the bat!	3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\thunderbird	3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\word	3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\steam	3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\excel	3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft sql server	3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\outlook	3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\powerpoint	3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\office	3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\outlook	3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\office	3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\onenote	3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\office	3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\powerpoint	3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\the bat!	3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\bitcoin	3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\excel	3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\powerpoint	3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\the bat!	3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\thunderbird	3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\word	3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\desktop	3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft sql server	3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\microsoft sql server	3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\office	3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\office	3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\powerpoint	3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\office	3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe
File opened for modification	\??\c:\windows\	3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\microsoft sql server	3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\onenote	3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\documents	3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\onenote	3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\thunderbird	3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\excel	3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\microsoft sql server	3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\onenote	3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\onenote	3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\outlook	3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\word	3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\thunderbird	3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\documents	3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\bitcoin	3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\outlook	3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\outlook	3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\outlook	3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\excel	3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft sql server	3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3180	cmd.exe
3916	PING.EXE

Kills process with taskkill 1 IoCs

evasion

pid	Process
4720	taskkill.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings	3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
4328	NOTEPAD.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3916	PING.EXE

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2444	3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe
Token: SeCreatePagefilePrivilege	2444	3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe
Token: SeDebugPrivilege	4720	taskkill.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2444 wrote to memory of 2664	2444	3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe	94
PID 2444 wrote to memory of 2664	2444	3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe	94
PID 2444 wrote to memory of 2664	2444	3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe	94
PID 2444 wrote to memory of 1084	2444	3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe	96
PID 2444 wrote to memory of 1084	2444	3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe	96
PID 2444 wrote to memory of 1084	2444	3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe	96
PID 2444 wrote to memory of 532	2444	3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe	104
PID 2444 wrote to memory of 532	2444	3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe	104
PID 2444 wrote to memory of 532	2444	3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe	104
PID 2444 wrote to memory of 4328	2444	3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe	105
PID 2444 wrote to memory of 4328	2444	3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe	105
PID 2444 wrote to memory of 4328	2444	3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe	105
PID 2444 wrote to memory of 3180	2444	3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe	109
PID 2444 wrote to memory of 3180	2444	3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe	109
PID 2444 wrote to memory of 3180	2444	3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe	109
PID 3180 wrote to memory of 4720	3180	cmd.exe	111
PID 3180 wrote to memory of 4720	3180	cmd.exe	111
PID 3180 wrote to memory of 4720	3180	cmd.exe	111
PID 3180 wrote to memory of 3916	3180	cmd.exe	112
PID 3180 wrote to memory of 3916	3180	cmd.exe	112
PID 3180 wrote to memory of 3916	3180	cmd.exe	112

C:\Users\Admin\AppData\Local\Temp\3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe
"C:\Users\Admin\AppData\Local\Temp\3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Enumerates connected drives
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2444
- C:\Windows\SysWOW64\netsh.exe
  C:\Windows\system32\netsh.exe advfirewall set allprofiles state on
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:2664
- C:\Windows\SysWOW64\netsh.exe
  C:\Windows\system32\netsh.exe advfirewall reset
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:1084
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___10RVQWZ9_.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  2⤵
  - System Location Discovery: System Language Discovery
  PID:532
- C:\Windows\SysWOW64\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___4IGAF_.txt
  2⤵
  - System Location Discovery: System Language Discovery
  - Opens file in notepad (likely ransom note)
  PID:4328
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /d /c taskkill /f /im "3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe" > NUL && exit
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:3180
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4720
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 1 127.0.0.1
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:3916

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4412,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=4448 /prefetch:8
1⤵
PID:3724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Network Service Discovery

T1046

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\_R_E_A_D___T_H_I_S___JFBRHIA_.txt

Filesize
1KB

MD5
0f4c0861bf2310a623148036ebfe6417

SHA1
5c719a01fb4dd5aa7457edfde25044b86c025d86

SHA256
50d19e8e5244ca4744b863c38f05f1491e42fd4de915bed22195412b644918b0

SHA512
22d93acb4cfd4970c1e9d5b5d6335996c3a0cab331d7458754c2527065ee1419a50a000aa4f96768930a4b7e9552a514ad635ef9143e78af0f72344a584dd24f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\OneNote\16.0\_R_E_A_D___T_H_I_S___EJ6LWVA_.hta

Filesize
76KB

MD5
588df6e8103b7986b418a692f04ab99b

SHA1
0ae8f03e50275d8dc0f59969c2a17f15be1beb9e

SHA256
d9c068b541e63d131568e88f7ca20cdf23776eb1221fb435b6bbad36ff86b026

SHA512
11b07ffa533721014b0485eab67534f4826ee58dc65566f8d2d4bc0b87f18664130e1d59bb72d610271180fdf3ab0a1bf0be10f72903bd724f6cff9264c9e0b7

Download Submit
memory/2444-0-0x00000000014D0000-0x0000000001502000-memory.dmp

Filesize
200KB

Download
memory/2444-1-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2444-2-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2444-3-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2444-7-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2444-422-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2444-416-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2444-442-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads