Analysis
-
max time kernel
150s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240705-en -
resource tags
-
submitted
25-08-2024 06:02
General
-
Target
d77aca4282fed414d70959186372251565abbd29f261219e544d778224dd3a7d.exe
-
Size
231KB
-
MD5
5b2c1302039d496f0f970f559b201dfe
-
SHA1
796d10701e5d1dc3e49119322cabc46c5619d272
-
SHA256
d77aca4282fed414d70959186372251565abbd29f261219e544d778224dd3a7d
-
SHA512
5a685fe98463e7150dbd23cd5ad01c12ccadb03d5eab16099bc0e34d04cd524dcf5be2d2e41a0b0f525242d0539a95d9fcb93dae140291a1ee994c478768e708
-
SSDEEP
6144:9PIeJarlToZNDlkPNvabl9uxX0Xp85VBLc4vm+fbcn8Klh3vOCU:9QxX0Xp8lc428EJ4
Malware Config
Extracted
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\# DECRYPT MY FILES #.txt
cerber
http://52uo5k3t73ypjije.a2uzpe.top/352A-6370-B700-0073-3E17
http://52uo5k3t73ypjije.go8hpw.top/352A-6370-B700-0073-3E17
http://52uo5k3t73ypjije.n6kswi.top/352A-6370-B700-0073-3E17
http://52uo5k3t73ypjije.1bipa9.top/352A-6370-B700-0073-3E17
http://52uo5k3t73ypjije.onion.to/352A-6370-B700-0073-3E17
http://52uo5k3t73ypjije.onion/352A-6370-B700-0073-3E17
Extracted
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\# DECRYPT MY FILES #.html
Signatures
-
Cerber
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
-
Adds policy Run key to start application 2 TTPs 2 IoCs
-
Contacts a large (517) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Deletes itself 1 IoCs
-
Drops startup file 2 IoCs
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 2 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 9 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
Kills process with taskkill 2 IoCs
-
Modifies Control Panel 4 IoCs
-
Modifies Internet Explorer settings 1 TTPs 59 IoCs
-
Runs ping.exe 1 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 48 IoCs
-
Suspicious use of AdjustPrivilegeToken 8 IoCs
-
Suspicious use of FindShellTrayWindow 3 IoCs
-
Suspicious use of SetWindowsHookEx 14 IoCs
-
Suspicious use of WriteProcessMemory 50 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\d77aca4282fed414d70959186372251565abbd29f261219e544d778224dd3a7d.exe"C:\Users\Admin\AppData\Local\Temp\d77aca4282fed414d70959186372251565abbd29f261219e544d778224dd3a7d.exe"1⤵
- Adds policy Run key to start application
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\{E928710A-E979-F53C-318F-B4C7DDC4D2F4}\EhStorAuthn.exe"C:\Users\Admin\AppData\Roaming\{E928710A-E979-F53C-318F-B4C7DDC4D2F4}\EhStorAuthn.exe"2⤵
- Adds policy Run key to start application
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2784 CREDAT:275457 /prefetch:24⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2784 CREDAT:537601 /prefetch:24⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt3⤵
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs"3⤵
-
-
C:\Windows\system32\cmd.exe/d /c taskkill /t /f /im "EhStorAuthn.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Roaming\{E928710A-E979-F53C-318F-B4C7DDC4D2F4}\EhStorAuthn.exe" > NUL3⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exetaskkill /t /f /im "EhStorAuthn.exe"4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\PING.EXEping -n 1 127.0.0.14⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
-
C:\Windows\SysWOW64\cmd.exe/d /c taskkill /t /f /im "d77aca4282fed414d70959186372251565abbd29f261219e544d778224dd3a7d.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\d77aca4282fed414d70959186372251565abbd29f261219e544d778224dd3a7d.exe" > NUL2⤵
- Deletes itself
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exetaskkill /t /f /im "d77aca4282fed414d70959186372251565abbd29f261219e544d778224dd3a7d.exe"3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\PING.EXEping -n 1 127.0.0.13⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2284 CREDAT:275457 /prefetch:22⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}1⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x17c1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
12KB
MD5b3e696a2aa756b9b15652745662850b6
SHA1955af5b135a0629938790b116fdad9fe89223b05
SHA256920ff3ab9938ef090d6fe5c07a3d93dfb03c4407dd1a1b95abc9abe15c891c2c
SHA512a2853c41e28f235fb237b72073ba61984d533fa9afc8f783655d27c0d1dcc3dec72cf48971bb606c89438d673e24b8c385d3c16611f49f71a3bb0d18dec00f22
-
Filesize
10KB
MD501fc4e3c18c069ead24d709da155724a
SHA123875b3262f6cd2c4076e6099afba0242c95ba9c
SHA256a0fdd78d8c0835429519abebaa27c558ba9d882abd21554ef0d3cfa541f834c0
SHA512714376a2a5c42dc113e562be1ddc239b1055e277a1fc7a8878f6470f49b0707e3dde5c77064290dd0bcdfc829d92c1cd61d9975f5fb644b9d405a749b7c3bb74
-
Filesize
90B
MD5f0ec40e7c2cf6e9f5311744efcfb2bbe
SHA15e56bff3ef18067d80a97c602de397b759b56740
SHA256ed362abc35add278e8d6b4b0eee21a90804bf800eabbd877d3e0a93b74ed86eb
SHA51235f203267dbbac50c7ea2a0f3a0213f39d64ca45b4dbe9228d07d6bf068baf93fcde4612bd20e5408971bc35979729f360677479437ab3aa1377a032f5c87b01
-
Filesize
234B
MD56f84dbf74ef41dc3d861f5fb3e0f45ff
SHA13e5f17e9b9589f33ce6add7f2518a666ff2253a4
SHA256df5f432d7e0d2bd1c4dddb1fabbf1e77bd1065b9020f71abaf1a45fbb950bbb8
SHA5129f9ec25b815be7b20df26244d31848c9a4896b130241b63636d63511a290eaad78d289a9bb04592c0ba31492064671351b4c7359310f03469e27764132a20a5a
-
Filesize
342B
MD58d12acbc263eaeaf98dcfb4cca793c4c
SHA16a5cc1529a9715f5370def3c469f7a6e25326fd0
SHA256326f160c82ea5eeda1fac3a1debc1464152b374ce64997ddf39d8080c167a060
SHA512ef821d0e51b10ae4a2a7dbb0bf71947a7c4219ec03e1cf7dfc8acb5a689232bb832c790602cd02c48c020ab273de9a43dfd07d2aac702a7a407195661b5f0183
-
Filesize
342B
MD5c556de43b8804c45eb26ca2e0d253c5c
SHA1a05cd4b5ab2a5e73c3c4ca01a2a98a2349b6f3f3
SHA2561bfe1a85fa1b4c068e56c368394e03ccc9a34e312dc0b085948cf79bdd70396b
SHA51259c6fc2a09c793a355faa04d039a7daecbb80e1ce91f7fa46cea323fb5754512703f8095e3131930978a7f24328034736a258e4a1281affebf77b3e5642b7947
-
Filesize
342B
MD5ebf3925a6b6a6a342c65dc272cec050d
SHA1289ab0f381fda7d53741840e311a0f6529100a92
SHA25629a16ce4b3d991b5cf620914b3f0ce428f93b93786494ee297175dba9070f21c
SHA5122aa728ffd33f24ab2d690ca354dd8fb5b70512bc9cba41bbd9de4bab345bbb1aad7ce1dc93945cbfca05a93a9428df77bea8e3ac8ecf407405187c1a6f8856e8
-
Filesize
342B
MD54e4d7ea7764c31d1b6f764d64fd87fd0
SHA1e99fcb59f0a13a7d3d9ed47216e3eb3afb6dcaf4
SHA2568bbb4b889eefee106581cc9beb7bb389d9c42921e1cca6ac9a5601c7e5c6b7b4
SHA5124c2680628de94525444d39a2226f3782eb9354da539c61eba8c5c686911c9eac34e21b9db8408536669133cbafe1ba9a70e1ec284440d234681b2278d94c099a
-
Filesize
342B
MD56cb5003ec7970f20bba96ce661fff2e6
SHA1ff84c858808cd1428d5aac8ec6a4a463e9e34f75
SHA25618a473ff9b66b2d7210da2342d23f7f7eeece3cf764e9c80c463dc720ce1e0c3
SHA5124ddc741f335dc00c9951b5dc8a8c34acfbe39f587d429c306cf3fe6a5a7e2c9b91cba53b33300eb31b0b964d457d1b3efdbbde9f81774274a3a7b1f1d13e6448
-
Filesize
342B
MD558f30e50c1d439ccf0c1b4267f5308c4
SHA14d01ceb0239cfde5567bc19d8401d54ee34249d6
SHA25615b4158740eb9a74128251ecc3667e2d16d0ba8e44a2d3a74fbaf837f6de7cc4
SHA5125191be8894ca0c35f0ed35cc0a8fb7c9e617f72fdc4b8a52d4a65d3f00550998976864435ca380806fd7faa1b93d9d5e79d10df99b18e01bd913223092d20e53
-
Filesize
342B
MD507429e656024e675b37fe0b79ecc2598
SHA1f9c9d02435e7dbc55cb8845317450107ed4a7a92
SHA256692188b61d5c017369cd5fc91964a417fda1b92a50ae165bec643fc86150951f
SHA512ec8c89c957813bb627bf40aeb35f3c68abd3d60e9a61826f750a7d0c7831e41f9e350d50cac371a0bdff843d4397cb62f64706ade8a2088b39654e7ce30ef4a9
-
Filesize
342B
MD5626c211d035d918df554af17b9cbb88f
SHA1a0159d752e796d78cac89a5d468cc122181b25b5
SHA2565cf7442111cb126df958124f67d13bac25a4ee46376fc87161b1e6236aca76db
SHA512f0ac25a009de54eb90547802c99fcd9b658fd4e7a51ffef266de16f89aaf5b418419cf2419c643fb6ad315c64be7c8f100aaee624c7432766c1e78c531ccac6d
-
Filesize
342B
MD52568b983157d4f63eb3b00cf63a8481f
SHA10102fce4bcd1e687b16ce10efceed91e215fd700
SHA2566a1c0418dc87ac2d01a1c4b661f162436af115cb556c6dc183d46ee467a7aec5
SHA512782c065b1912e40778be8cd5c518d94e44161d0e7f1854384039a29df8e1b84b9c1f2b84ae918082d25cd3a646186d16af87b39373134295c4e2af0e35f679e6
-
Filesize
342B
MD545a96f2f3740c279cedf797e12e261cb
SHA170480907b7e4742d4122ebee5c74cc2a5d578397
SHA2568b25935e9400b8d44c113e071c01cb31a6f669b82d27793403a1d615bde7be76
SHA51260ac836396bde86e581926aa75868c75fb31315c2519098b94d1c065199284ede05c8f3939e254d669f1389bf5d2abb149cc784866afb6af0deac914d00f2063
-
Filesize
5KB
MD5d4ef87bf330ed646c4062f8b1bb19bc9
SHA1ca82c79e7c292aea116eeb13851f71c150f72be3
SHA25698d1dc7874f6f76ca5e609f6e721f582da8065cde99be6e2b9d347bd18810451
SHA5122c7ba858197f549f2e0a3df6c1ed51f86cee56fbb5674c442c9f8479e7aea96a5f2badea3dfdb148a3fdb63437fc54635d81c17c56e401c940408a3b441de2e0
-
Filesize
3KB
MD5978741a7ef52754de6bd1c9d397794ce
SHA1dc2049f5c4b607b0dfb38d40d09ccae1f78710ae
SHA2561d655c41a828ae1de4f9e7b3edfd0c694921d04a2b3e1fa5d37ee94eaa5f4dd1
SHA5128d4a34427f495ce29cd44ecec62dd1428b4c70c0eb77ed6feacf10713737a82b7a4eab0dd3643f11626457431406a30287d75badf4aa2bc8eb6c63ae2b434b40
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
1KB
MD5cf2d493308d8ad324f384ce0c88c9556
SHA1d0426feeeb68dd35bc4eb891bbc649ce4eecf51e
SHA256783d4d7e3c00fde79e1f30f84a7d150d08a4c419fb2477deb97c84548c2ce86c
SHA512c3e7eef8afeb7bcf1d39829a4af636fc6b22d226728c9cfa1ac616e75401c01a04b34e294e0a7ffc777cf940d3b39b8985c8724f4f1a673ea8724afcdd740197
-
Filesize
231KB
MD55b2c1302039d496f0f970f559b201dfe
SHA1796d10701e5d1dc3e49119322cabc46c5619d272
SHA256d77aca4282fed414d70959186372251565abbd29f261219e544d778224dd3a7d
SHA5125a685fe98463e7150dbd23cd5ad01c12ccadb03d5eab16099bc0e34d04cd524dcf5be2d2e41a0b0f525242d0539a95d9fcb93dae140291a1ee994c478768e708
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
8KB
-
Filesize
608KB
-
Filesize
248KB
-
Filesize
608KB
-
Filesize
248KB
-
Filesize
608KB
-
Filesize
4KB
-
Filesize
248KB
-
Filesize
608KB
-
Filesize
608KB
-
Filesize
4KB