cerber | hxxps://github[.]com/Da2dalus/The-MALWARE-Repo/archive/refs/heads/master[.]zip

Resubmissions

19-08-2024 12:07

240819-pap33awgjj 4

19-08-2024 11:59

240819-n5r1gasfne 10

19-08-2024 11:54

240819-n292wasend 8

Analysis

max time kernel
463s
max time network
464s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19-08-2024 11:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Da2dalus/The-MALWARE-Repo/archive/refs/heads/master.zip

Score

10^/10

cerber cryptolocker troldesh defense_evasion discovery evasion persistence privilege_escalation ransomware trojan upx

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Roaming\Microsoft\OneNote\16.0\_R_E_A_D___T_H_I_S___HYJZ_.txt

Family

cerber

Ransom Note

Hi, I'am CRBR ENCRYPTOR ;) ----- ALL YOUR DOCUMENTS, PH0T0S, DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED! ----- The only one way to decrypt your files is to receive the private key and decryption program. To receive the private key and decryption program go to any decrypted folder, inside there is the special file (*_R_E_A_D___T_H_I_S_*) with complete instructions how to decrypt your files. If you cannot find any (*_R_E_A_D___T_H_I_S_*) file at your PC, follow the instructions below: ----- 1. Download "Tor Browser" from https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your personal page here: http://xpcx6erilkjced3j.onion/C464-CEA4-335C-0098-BB50 Note! This page is available via "Tor Browser" only. ----- Also you can use temporary addresses on your personal page without using "Tor Browser". ----- 1. http://xpcx6erilkjced3j.1n5mod.top/C464-CEA4-335C-0098-BB50 2. http://xpcx6erilkjced3j.19kdeh.top/C464-CEA4-335C-0098-BB50 3. http://xpcx6erilkjced3j.1mpsnr.top/C464-CEA4-335C-0098-BB50 4. http://xpcx6erilkjced3j.18ey8e.top/C464-CEA4-335C-0098-BB50 5. http://xpcx6erilkjced3j.17gcun.top/C464-CEA4-335C-0098-BB50 ----- Note! These are temporary addresses! They will be available for a limited amount of time! -----

URLs

http://xpcx6erilkjced3j.onion/C464-CEA4-335C-0098-BB50

http://xpcx6erilkjced3j.1n5mod.top/C464-CEA4-335C-0098-BB50

http://xpcx6erilkjced3j.19kdeh.top/C464-CEA4-335C-0098-BB50

http://xpcx6erilkjced3j.1mpsnr.top/C464-CEA4-335C-0098-BB50

http://xpcx6erilkjced3j.18ey8e.top/C464-CEA4-335C-0098-BB50

http://xpcx6erilkjced3j.17gcun.top/C464-CEA4-335C-0098-BB50

Signatures

Cerber
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
ransomware cerber
CryptoLocker
Ransomware family with multiple variants.
ransomware cryptolocker

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

Birele.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\Downloads\\The-MALWARE-Repo-master\\The-MALWARE-Repo-master\\Ransomware\\Birele.exe"	Birele.exe

Troldesh, Shade, Encoder.858
Troldesh is a ransomware spread by malspam.
ransomware trojan troldesh
Contacts a large (1109) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Disables Task Manager via registry modification
evasion

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

netsh.exenetsh.exe

pid	Process
1584	netsh.exe
4428	netsh.exe

Drops startup file 1 IoCs

Processes:

Cerber5.exe

description	ioc	Process
File opened for modification	\??\c:\users\admin\appdata\roaming\microsoft\word\startup\	Cerber5.exe

Executes dropped EXE 2 IoCs

Processes:

{34184A33-0407-212E-3320-09040709E2C2}.exe{34184A33-0407-212E-3320-09040709E2C2}.exe

pid	Process
5752	{34184A33-0407-212E-3320-09040709E2C2}.exe
5800	{34184A33-0407-212E-3320-09040709E2C2}.exe

Impair Defenses: Safe Mode Boot 1 TTPs 6 IoCs

defense_evasion

Safe Mode Boot

T1562.009

Processes:

Birele.exe

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager	Birele.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys	Birele.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc	Birele.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power	Birele.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys	Birele.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc	Birele.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/6092-264-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/6092-265-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/6092-268-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/6092-266-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/6092-271-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4320-273-0x0000000000400000-0x0000000000438000-memory.dmp	upx
behavioral1/memory/4320-274-0x0000000000400000-0x0000000000438000-memory.dmp	upx
behavioral1/memory/6092-276-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4320-278-0x0000000000400000-0x0000000000438000-memory.dmp	upx
behavioral1/memory/4320-279-0x0000000000400000-0x0000000000438000-memory.dmp	upx
behavioral1/memory/6092-280-0x0000000000400000-0x00000000005DE000-memory.dmp	upx

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

{34184A33-0407-212E-3320-09040709E2C2}.exeNoMoreRansom.exeBirele.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CryptoLocker = "C:\\Users\\Admin\\AppData\\Roaming\\{34184A33-0407-212E-3320-09040709E2C2}.exe"	{34184A33-0407-212E-3320-09040709E2C2}.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\""	NoMoreRansom.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\system = "C:\\Users\\Admin\\Downloads\\The-MALWARE-Repo-master\\The-MALWARE-Repo-master\\Ransomware\\Birele.exe"	Birele.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Cerber5.exe

description	ioc	Process
File opened (read-only)	\??\g:	Cerber5.exe
File opened (read-only)	\??\h:	Cerber5.exe
File opened (read-only)	\??\i:	Cerber5.exe
File opened (read-only)	\??\o:	Cerber5.exe
File opened (read-only)	\??\r:	Cerber5.exe
File opened (read-only)	\??\e:	Cerber5.exe
File opened (read-only)	\??\u:	Cerber5.exe
File opened (read-only)	\??\w:	Cerber5.exe
File opened (read-only)	\??\x:	Cerber5.exe
File opened (read-only)	\??\t:	Cerber5.exe
File opened (read-only)	\??\z:	Cerber5.exe
File opened (read-only)	\??\a:	Cerber5.exe
File opened (read-only)	\??\k:	Cerber5.exe
File opened (read-only)	\??\l:	Cerber5.exe
File opened (read-only)	\??\n:	Cerber5.exe
File opened (read-only)	\??\q:	Cerber5.exe
File opened (read-only)	\??\s:	Cerber5.exe
File opened (read-only)	\??\b:	Cerber5.exe
File opened (read-only)	\??\j:	Cerber5.exe
File opened (read-only)	\??\m:	Cerber5.exe
File opened (read-only)	\??\p:	Cerber5.exe
File opened (read-only)	\??\v:	Cerber5.exe
File opened (read-only)	\??\y:	Cerber5.exe

Drops file in System32 directory 38 IoCs

Processes:

Cerber5.exe

description	ioc	Process
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\onenote	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\outlook	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\outlook	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\office	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\office	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\outlook	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\desktop	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\excel	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\excel	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\powerpoint	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\word	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\steam	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\onenote	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\powerpoint	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\outlook	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\office	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\onenote	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\the bat!	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\documents	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\excel	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\office	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\onenote	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\word	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\the bat!	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\bitcoin	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\microsoft sql server	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft sql server	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\excel	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\microsoft sql server	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\powerpoint	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\steam	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\thunderbird	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\word	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\bitcoin	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft sql server	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\word	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\powerpoint	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\thunderbird	Cerber5.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

$uckyLocker.exeCerber5.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\Desktop\Wallpaper = "0"	$uckyLocker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmpC5BF.bmp"	Cerber5.exe

Drops file in Program Files directory 20 IoCs

Processes:

Cerber5.exe

description	ioc	Process
File opened for modification	\??\c:\program files (x86)\onenote	Cerber5.exe
File opened for modification	\??\c:\program files (x86)\outlook	Cerber5.exe
File opened for modification	\??\c:\program files (x86)\powerpoint	Cerber5.exe
File opened for modification	\??\c:\program files (x86)\steam	Cerber5.exe
File opened for modification	\??\c:\program files (x86)\microsoft\excel	Cerber5.exe
File opened for modification	\??\c:\program files (x86)\microsoft\onenote	Cerber5.exe
File opened for modification	\??\c:\program files (x86)\microsoft\powerpoint	Cerber5.exe
File opened for modification	\??\c:\program files (x86)\word	Cerber5.exe
File opened for modification	\??\c:\program files (x86)\excel	Cerber5.exe
File opened for modification	\??\c:\program files (x86)\microsoft\microsoft sql server	Cerber5.exe
File opened for modification	\??\c:\program files (x86)\office	Cerber5.exe
File opened for modification	\??\c:\program files (x86)\thunderbird	Cerber5.exe
File opened for modification	\??\c:\program files\	Cerber5.exe
File opened for modification	\??\c:\program files (x86)\	Cerber5.exe
File opened for modification	\??\c:\program files (x86)\bitcoin	Cerber5.exe
File opened for modification	\??\c:\program files (x86)\microsoft\word	Cerber5.exe
File opened for modification	\??\c:\program files (x86)\the bat!	Cerber5.exe
File opened for modification	\??\c:\program files (x86)\microsoft sql server	Cerber5.exe
File opened for modification	\??\c:\program files (x86)\microsoft\office	Cerber5.exe
File opened for modification	\??\c:\program files (x86)\microsoft\outlook	Cerber5.exe

Drops file in Windows directory 64 IoCs

Processes:

Cerber5.exe

description	ioc	Process
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\office	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\powerpoint	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\documents	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\desktop	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\bitcoin	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\office	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\outlook	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\bitcoin	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft sql server	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\word	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\outlook	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\excel	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\steam	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\word	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\onenote	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\outlook	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\powerpoint	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\the bat!	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\excel	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\excel	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\office	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\powerpoint	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\powerpoint	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\office	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\excel	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\excel	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft sql server	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\word	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\the bat!	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\the bat!	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\bitcoin	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\powerpoint	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\word	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\thunderbird	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\documents	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\office	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\onenote	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\word	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\steam	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\desktop	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\excel	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\excel	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\outlook	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\word	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\office	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\onenote	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\steam	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\thunderbird	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft sql server	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft sql server	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\microsoft sql server	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\onenote	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\steam	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\the bat!	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\bitcoin	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\onenote	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\onenote	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\thunderbird	Cerber5.exe
File opened for modification	\??\c:\windows\	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\outlook	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\powerpoint	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\onenote	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\onenote	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\word	Cerber5.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

Processes:

netsh.exenetsh.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

$uckyLocker.exeCerber5.exenetsh.exeBirele.exetaskkill.exeCryptoLocker.exe{34184A33-0407-212E-3320-09040709E2C2}.exe{34184A33-0407-212E-3320-09040709E2C2}.exeNoMoreRansom.exenetsh.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	$uckyLocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cerber5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Birele.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CryptoLocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{34184A33-0407-212E-3320-09040709E2C2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{34184A33-0407-212E-3320-09040709E2C2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NoMoreRansom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 1 IoCs

evasion

Processes:

taskkill.exe

pid	Process
1116	taskkill.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exeNoMoreRansom.exe

pid	Process
396	msedge.exe
396	msedge.exe
4968	msedge.exe
4968	msedge.exe
4320	identity_helper.exe
4320	identity_helper.exe
6024	msedge.exe
6024	msedge.exe
6024	msedge.exe
6024	msedge.exe
5248	msedge.exe
5248	msedge.exe
6092	NoMoreRansom.exe
6092	NoMoreRansom.exe
6092	NoMoreRansom.exe
6092	NoMoreRansom.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

Processes:

msedge.exe

pid	Process
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

Cerber5.exetaskkill.exe

description	pid	Process
Token: SeShutdownPrivilege	5028	Cerber5.exe
Token: SeCreatePagefilePrivilege	5028	Cerber5.exe
Token: SeDebugPrivilege	1116	taskkill.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

msedge.exe

pid	Process
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	Process
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	Process	procid_target
PID 4968 wrote to memory of 864	4968	msedge.exe	85
PID 4968 wrote to memory of 864	4968	msedge.exe	85
PID 4968 wrote to memory of 2448	4968	msedge.exe	86
PID 4968 wrote to memory of 2448	4968	msedge.exe	86
PID 4968 wrote to memory of 2448	4968	msedge.exe	86
PID 4968 wrote to memory of 2448	4968	msedge.exe	86
PID 4968 wrote to memory of 2448	4968	msedge.exe	86
PID 4968 wrote to memory of 2448	4968	msedge.exe	86
PID 4968 wrote to memory of 2448	4968	msedge.exe	86
PID 4968 wrote to memory of 2448	4968	msedge.exe	86
PID 4968 wrote to memory of 2448	4968	msedge.exe	86
PID 4968 wrote to memory of 2448	4968	msedge.exe	86
PID 4968 wrote to memory of 2448	4968	msedge.exe	86
PID 4968 wrote to memory of 2448	4968	msedge.exe	86
PID 4968 wrote to memory of 2448	4968	msedge.exe	86
PID 4968 wrote to memory of 2448	4968	msedge.exe	86
PID 4968 wrote to memory of 2448	4968	msedge.exe	86
PID 4968 wrote to memory of 2448	4968	msedge.exe	86
PID 4968 wrote to memory of 2448	4968	msedge.exe	86
PID 4968 wrote to memory of 2448	4968	msedge.exe	86
PID 4968 wrote to memory of 2448	4968	msedge.exe	86
PID 4968 wrote to memory of 2448	4968	msedge.exe	86
PID 4968 wrote to memory of 2448	4968	msedge.exe	86
PID 4968 wrote to memory of 2448	4968	msedge.exe	86
PID 4968 wrote to memory of 2448	4968	msedge.exe	86
PID 4968 wrote to memory of 2448	4968	msedge.exe	86
PID 4968 wrote to memory of 2448	4968	msedge.exe	86
PID 4968 wrote to memory of 2448	4968	msedge.exe	86
PID 4968 wrote to memory of 2448	4968	msedge.exe	86
PID 4968 wrote to memory of 2448	4968	msedge.exe	86
PID 4968 wrote to memory of 2448	4968	msedge.exe	86
PID 4968 wrote to memory of 2448	4968	msedge.exe	86
PID 4968 wrote to memory of 2448	4968	msedge.exe	86
PID 4968 wrote to memory of 2448	4968	msedge.exe	86
PID 4968 wrote to memory of 2448	4968	msedge.exe	86
PID 4968 wrote to memory of 2448	4968	msedge.exe	86
PID 4968 wrote to memory of 2448	4968	msedge.exe	86
PID 4968 wrote to memory of 2448	4968	msedge.exe	86
PID 4968 wrote to memory of 2448	4968	msedge.exe	86
PID 4968 wrote to memory of 2448	4968	msedge.exe	86
PID 4968 wrote to memory of 2448	4968	msedge.exe	86
PID 4968 wrote to memory of 2448	4968	msedge.exe	86
PID 4968 wrote to memory of 396	4968	msedge.exe	87
PID 4968 wrote to memory of 396	4968	msedge.exe	87
PID 4968 wrote to memory of 3224	4968	msedge.exe	88
PID 4968 wrote to memory of 3224	4968	msedge.exe	88
PID 4968 wrote to memory of 3224	4968	msedge.exe	88
PID 4968 wrote to memory of 3224	4968	msedge.exe	88
PID 4968 wrote to memory of 3224	4968	msedge.exe	88
PID 4968 wrote to memory of 3224	4968	msedge.exe	88
PID 4968 wrote to memory of 3224	4968	msedge.exe	88
PID 4968 wrote to memory of 3224	4968	msedge.exe	88
PID 4968 wrote to memory of 3224	4968	msedge.exe	88
PID 4968 wrote to memory of 3224	4968	msedge.exe	88
PID 4968 wrote to memory of 3224	4968	msedge.exe	88
PID 4968 wrote to memory of 3224	4968	msedge.exe	88
PID 4968 wrote to memory of 3224	4968	msedge.exe	88
PID 4968 wrote to memory of 3224	4968	msedge.exe	88
PID 4968 wrote to memory of 3224	4968	msedge.exe	88
PID 4968 wrote to memory of 3224	4968	msedge.exe	88
PID 4968 wrote to memory of 3224	4968	msedge.exe	88
PID 4968 wrote to memory of 3224	4968	msedge.exe	88
PID 4968 wrote to memory of 3224	4968	msedge.exe	88
PID 4968 wrote to memory of 3224	4968	msedge.exe	88

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Da2dalus/The-MALWARE-Repo/archive/refs/heads/master.zip
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff97c7046f8,0x7ff97c704708,0x7ff97c704718
  2⤵
  PID:864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2172,9030760081915375465,7746526595462159208,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2200 /prefetch:2
  2⤵
  PID:2448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2172,9030760081915375465,7746526595462159208,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2252 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2172,9030760081915375465,7746526595462159208,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2792 /prefetch:8
  2⤵
  PID:3224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,9030760081915375465,7746526595462159208,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
  2⤵
  PID:2888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,9030760081915375465,7746526595462159208,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
  2⤵
  PID:392
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2172,9030760081915375465,7746526595462159208,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5340 /prefetch:8
  2⤵
  PID:4376
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2172,9030760081915375465,7746526595462159208,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5340 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2172,9030760081915375465,7746526595462159208,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5480 /prefetch:8
  2⤵
  PID:3048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,9030760081915375465,7746526595462159208,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5012 /prefetch:1
  2⤵
  PID:1200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,9030760081915375465,7746526595462159208,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5396 /prefetch:1
  2⤵
  PID:3660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,9030760081915375465,7746526595462159208,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5884 /prefetch:1
  2⤵
  PID:464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,9030760081915375465,7746526595462159208,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6184 /prefetch:1
  2⤵
  PID:1508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,9030760081915375465,7746526595462159208,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6168 /prefetch:1
  2⤵
  PID:2808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,9030760081915375465,7746526595462159208,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5428 /prefetch:1
  2⤵
  PID:3016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2172,9030760081915375465,7746526595462159208,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5556 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2172,9030760081915375465,7746526595462159208,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1360 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5248

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2552

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2508

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1680

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\CryptoLocker.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\CryptoLocker.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:880
- C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
  "C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" "/rC:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\CryptoLocker.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:5752
- - C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
    "C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" /w000000E4
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5800

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\$uckyLocker.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\$uckyLocker.exe"
1⤵
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
PID:2016

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\NoMoreRansom.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\NoMoreRansom.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:6092

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\Cerber5.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\Cerber5.exe"
1⤵
- Drops startup file
- Enumerates connected drives
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:5028
- C:\Windows\SysWOW64\netsh.exe
  C:\Windows\system32\netsh.exe advfirewall set allprofiles state on
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:1584
- C:\Windows\SysWOW64\netsh.exe
  C:\Windows\system32\netsh.exe advfirewall reset
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:4428

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\Birele.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\Birele.exe"
1⤵
- Modifies WinLogon for persistence
- Impair Defenses: Safe Mode Boot
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:4320
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM explorer.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Safe Mode Boot

T1562.009

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ab8ce148cb7d44f709fb1c460d03e1b0

SHA1
44d15744015155f3e74580c93317e12d2cc0f859

SHA256
014006a90e43ea9a1903b08b843a5aab8ad3823d22e26e5b113fad5f9fa620ff

SHA512
f685423b1eaee18a2a06030b4b2977335f62499c0041c142a92f6e6f846c2b9ce54324b6ae94efbbb303282dcda70e2b1597c748fddc251c0b3122a412c2d7c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
38f59a47b777f2fc52088e96ffb2baaf

SHA1
267224482588b41a96d813f6d9e9d924867062db

SHA256
13569c5681c71dc42ab57d34879f5a567d7b94afe0e8f6d7c6f6c1314fb0087b

SHA512
4657d13e1bb7cdd7e83f5f2562f5598cca12edf839626ae96da43e943b5550fab46a14b9018f1bec90de88cc714f637605531ccda99deb9e537908ddb826113b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\24db59b0-0f33-4b9d-83db-4636e724458f.tmp

Filesize
6KB

MD5
3a7f7cc441254e818637607773f259c2

SHA1
3483104c20925e3253856930ea84e433e402cdfc

SHA256
86a40255f153e159f5dedf4457da75cafcec5e215f9f84661d4352eb3109b1df

SHA512
59a0dbbedbf54963f1e854f8835d9bbf46662dbac683e992599a0f0278c4a7e6ad1ab3d78a671063c33c489c580bf1ddb68ca5d389c9f75d44ff90a5cebcc490

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
255B

MD5
d11edf9e08a127c768843acea41d0bc5

SHA1
ff1af9b39de4a3f547407fd9864ffdd2bb6c7354

SHA256
217e4d9d1412e45abf7a653f72a5ab8b53bc8fc6f377f52a042668a41abc7478

SHA512
92c3f0def567b0e2f2523ed25eb9d4abff06070b8be744fea4a6678f25f292439d7bc0c8015eaa6281b7f43149eebb3d3821cd6d6436598481113694b11ddea3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
b3bbbee56fc8828e577c05a460c37b52

SHA1
2d8ff429238eee90bd3ab4265e4d3fd9a0d7227f

SHA256
49179504b34175eb2c10f8ef36ae62dcdb88564c4f557028a94ce6572ce6f14b

SHA512
f2906dd8c9fe3907d96d44e9e07f45a17d9fb90ce0f3cb1c2855fdf05e1c745a589ffa70a5823c0dd0577c44860874c8808676c2af3822b11eb41293362bd70e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8152d195aafae7432d945c9ad7b278e6

SHA1
ab3a84746bde2f4d837b8cc7188ba28d98825e8a

SHA256
84c7a8f6204a9e29cec11138e5efecf2e50a7c5f0c84f140ea5a287c65d3166e

SHA512
94a64bcdbce439083b2afb0227c504ad1c8143fbfc29fd46337c656214b71bc4ce958a28845ac29b9e83aa359424b4a9fdfc4d188959e58af8ab9a0b2eb26c6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
3dfc8e7451addf093ef7f8a540a749d9

SHA1
f4675f41eb607d736ea8481c638c723154b37521

SHA256
381e5bb3ab47dd074c5789a0005c67165d6d6d92fa9c169a6b995adc65108947

SHA512
f34cde0fe593fb8283951f70c94e28e8dd4f60efeb7cdf650089e749318561ed9e0f5a4cee6fc2ee310f870888da2752b49dac9f04651a8c7d0feada7a73d528

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
81547706478ffa002a9bd6926e120f90

SHA1
e5e30816e78237c353febbc8e381de8b7ccb0c5d

SHA256
db8d09e8268f4b285af1543f0cb3c443ea6a25ab1252b809b9450f89b3440a1d

SHA512
567d49ef3a1ebccf348a945a0f4e334014af0cfefbaf46e197cfaaee5204f49a83cbb113918823d041eb5fa9688956a68d6ff7eafc9d5198554d6e48ad9f34fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
62b09b88142f8c85bf86464f434370e1

SHA1
01113f766b045902ab344d496f9a66aec997e0ac

SHA256
8c737190d20fc200a310abf0ae8fcdece75d35b3bb293ffcd1e7c23dc64e578a

SHA512
69e23861327b20180fd3c2f114ec91aa956465f341a79d0411196f46b918f848df27e9d1f576c9071e22740c3c38d120107a608b7094dbf23500a686f48c55f2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\OneNote\16.0\_R_E_A_D___T_H_I_S___HYJZ_.txt

Filesize
1KB

MD5
adc5c250e043353e301f4a03a9792f92

SHA1
457221b3720e32fcb16511f88d61c09409b3f533

SHA256
ff0d607b1229660fd9dc0c0f20079bf5bb105d22e21db563d7262b97862d2421

SHA512
3f2ed8481a70f74345e4f5d9b161ab507508216ca7965deeffdcda640df71e44d8b7567aaf62b556d35fa02d18c4d7de1008a8b903a008d61e5410fea70ec67e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\OneNote\16.0\_R_E_A_D___T_H_I_S___SV2ZG_.hta

Filesize
76KB

MD5
33313f4ae90b389ff322d0659845bb24

SHA1
59fec8babae5aeed3117bce7541714bdb7f4cdaf

SHA256
16ba378a98a7687a4c3eabb1ab0564c24d555f0fc51b56ed402985b28b146e97

SHA512
b0ccfca136f09d788f40dff41331d78d746da37a96925decdd74358980c41cea15663625a1642462b370296bf4a050023621f10603e7eb245ef9016b6f76c337

Download Submit
C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe

Filesize
338KB

MD5
04fb36199787f2e3e2135611a38321eb

SHA1
65559245709fe98052eb284577f1fd61c01ad20d

SHA256
d765e722e295969c0a5c2d90f549db8b89ab617900bf4698db41c7cdad993bb9

SHA512
533d6603f6e2a77bd1b2c6591a135c4717753d53317c1be06e43774e896d9543bcd0ea6904a0688aa84b2d8424641d68994b1e7dc4aa46d66c36feecb6145444

Download Submit
\??\pipe\LOCAL\crashpad_4968_QVYHKMQQESGEZMYW

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2016-160-0x0000000005820000-0x00000000058B2000-memory.dmp

Filesize
584KB

Download
memory/2016-161-0x00000000059E0000-0x00000000059EA000-memory.dmp

Filesize
40KB

Download
memory/2016-158-0x0000000000DE0000-0x0000000000E4E000-memory.dmp

Filesize
440KB

Download
memory/2016-159-0x0000000005DD0000-0x0000000006374000-memory.dmp

Filesize
5.6MB

Download
memory/4320-273-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4320-278-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4320-279-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4320-274-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5028-649-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5028-272-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5028-283-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6092-264-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/6092-276-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/6092-280-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/6092-271-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/6092-266-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/6092-268-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/6092-265-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download