Extracted

Extracted

Extracted

Extracted

• • Target

    cerber.exe

  • Size

    604KB

  • MD5

    8b6bc16fd137c09a08b02bbe1bb7d670

  • SHA1

    c69a0f6c6f809c01db92ca658fcf1b643391a2b7

  • SHA256

    e67834d1e8b38ec5864cfa101b140aeaba8f1900a6e269e6a94c90fcbfe56678

  • SHA512

    b53d2cc0fe5fa52262ace9f6e6ea3f5ce84935009822a3394bfe49c4d15dfeaa96bfe10ce77ffa93dbf81e5428122aa739a94bc709f203bc346597004fd75a24

  • SSDEEP

    6144:yYghlI5/u8f1mr+4RJ99MpDa52RX5wRDhOOU0qsR:yYKlYmDXEpDHRXP01

  Score

  10^/10

  cerberdiscoveryevasionpersistenceprivilege_escalationransomware

  • Cerber

    Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.

    ransomwarecerber

  • Blocklisted process makes network request

  • Contacts a large (1118) amount of remote hosts

    This may indicate a network scan to discover remotely running services.

    discovery

  • Modifies Windows Firewall

    evasion

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself

  • Drops startup file

  • Executes dropped EXE

  • Loads dropped DLL

  • Checks installed software on the system

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory

  • Sets desktop wallpaper using registry

    ransomware
  behavioral1behavioral2

• • Target

    cryptowall.bin

  • Size

    240KB

  • MD5

    47363b94cee907e2b8926c1be61150c7

  • SHA1

    ca963033b9a285b8cd0044df38146a932c838071

  • SHA256

    45317968759d3e37282ceb75149f627d648534c5b4685f6da3966d8f6fca662d

  • SHA512

    93dfaafc183360829448887a112dd49c90ec5fe50dcd7c7bbc06c1c8daa206eeea5577f726d906446322c731d0520e93700d5ff9cefd730fba347c72b7325068

  • SSDEEP

    3072:xkeyloECBch6ZCGBGSmHJ0y5lj6jdojK7+MGOXpXx8z3Lp7Yoq:xGlnCIwMpj6ijKfxx8z3F0V

  Score

  9^/10

  defense_evasiondiscoveryexecutionimpactpersistenceransomware

  • Deletes shadow copies

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution

  • Drops startup file

  • Adds Run key to start application

    persistence

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext

  behavioral3behavioral4

• • Target

    jigsaw

  • Size

    283KB

  • MD5

    2773e3dc59472296cb0024ba7715a64e

  • SHA1

    27d99fbca067f478bb91cdbcb92f13a828b00859

  • SHA256

    3ae96f73d805e1d3995253db4d910300d8442ea603737a1428b613061e7f61e7

  • SHA512

    6ef530b209f8ec459cca66dbf2c31ec96c5f7d609f17fa3b877d276968032fbc6132ea4a45ed1450fb6c5d730a7c9349bf4481e28befaea6b119ec0ded842262

  • SSDEEP

    6144:7fukPLPvucHiQQQ4uuy9ApZbZWxcZt+kTfMLJTOAZiYSXjjeqXus:7fu5cCT7yYlWi8kTfMLJTOAZiYSXjyqX

  Score

  10^/10

  jigsawpersistenceransomwarespywarestealerdiscovery

  • Jigsaw Ransomware

    Ransomware family first created in 2016. Named based on wallpaper set after infection in the early versions.

    ransomwarejigsaw

  • Renames multiple (2008) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware

  • Downloads MZ/PE file

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file

  • Executes dropped EXE

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Adds Run key to start application

    persistence

  • Drops desktop.ini file(s)

  behavioral5behavioral6

• • Target

    Locky

  • Size

    180KB

  • MD5

    b06d9dd17c69ed2ae75d9e40b2631b42

  • SHA1

    b606aaa402bfe4a15ef80165e964d384f25564e4

  • SHA256

    bc98c8b22461a2c2631b2feec399208fdc4ecd1cd2229066c2f385caa958daa3

  • SHA512

    8e54aca4feb51611142c1f2bf303200113604013c2603eea22d72d00297cb1cb40a2ef11f5129989cd14f90e495db79bffd15bd6282ff564c4af7975b1610c1c

  • SSDEEP

    3072:gzWgfLlUc7CIJ1tkZaQyjhOosc8MKi6KDXnLCtyAR0u1cZ86:gdLl4wkZa/UDiD7ukst1H6

  Score

  10^/10

  lockydiscoveryransomware

  • Locky

    Ransomware strain released in 2016, with advanced features like anti-analysis.

    ransomwarelocky
  behavioral7behavioral8

• • Target

    131.exe

  • Size

    2.3MB

  • MD5

    409d80bb94645fbc4a1fa61c07806883

  • SHA1

    4080bb3a28c2946fd9b72f6b51fe15de74cbb1e1

  • SHA256

    2ecc525177ed52c74ddaaacd47ad513450e85c01f2616bf179be5b576164bf63

  • SHA512

    a99a2f17d9fbb1da9fb993b976df63afa74317666eca46d1f04e7e6e24149547d1ac7210f673caeae9b23a900528ad6ad0a7b98780eff458d3d505029a06e9ba

  • SSDEEP

    49152:XM16E7qUoM5NWX7DP+1egOhcraQzK6j97V:c16/rM5oW1ZrRz

  Score

  3^/10

  discovery
  behavioral10behavioral9

• • Target

    Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .com_

  • Size

    102KB

  • MD5

    1b2d2a4b97c7c2727d571bbf9376f54f

  • SHA1

    1fc29938ec5c209ba900247d2919069b320d33b0

  • SHA256

    7634433f8fcf4d13fb46d680802e48eeb160e0f51e228cae058436845976381e

  • SHA512

    506fc96423e5e2e38078806591e09a6eb3cf924eb748af528f7315aa0b929890823798a3ef2a5809c14023c3ff8a3db36277bc90c7b099218422aafa4e0c2ee0

  • SSDEEP

    1536:jj+Rj1lGIXKSmE17v97yiqHGMRPtbsLW8/V2k12v1/BDxVyCfCrCAc:jjw6Sf0iqmMnb2W02v3mCf4Nc

  Score

  7^/10

  discoverypersistenceupx

  • Deletes itself

  • Executes dropped EXE

  • Loads dropped DLL

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx

  • Adds Run key to start application

    persistence

  • Suspicious use of SetThreadContext

  behavioral11behavioral12

• • Target

    027cc450ef5f8c5f653329641ec1fed9.exe

  • Size

    353KB

  • MD5

    71b6a493388e7d0b40c83ce903bc6b04

  • SHA1

    34f917aaba5684fbe56d3c57d48ef2a1aa7cf06d

  • SHA256

    027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745

  • SHA512

    072205eca5099d9269f358fe534b370ff21a4f12d7938d6d2e2713f69310f0698e53b8aff062849f0b2a521f68bee097c1840993825d2a5a3aa8cf4145911c6f

  • SSDEEP

    6144:y/Bt80VmNTBo/x95ZjAetGDN3VFNq7pC+9OqFoK30b3ni5rdQY/CdUOs2:y/X4NTS/x9jNG+w+9OqFoK323qdQYKUG

  Score

  10^/10

  mimikatzbootkitdiscoverypersistencespywarestealer

  • Mimikatz

    mimikatz is an open source tool to dump credentials on Windows.

    mimikatz

  • mimikatz is an open source tool to dump credentials on Windows

  • Deletes itself

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Writes to the Master Boot Record (MBR)

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  behavioral13behavioral14

• • Target

    027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745_98STJd8lju.bin

  • Size

    353KB

  • MD5

    71b6a493388e7d0b40c83ce903bc6b04

  • SHA1

    34f917aaba5684fbe56d3c57d48ef2a1aa7cf06d

  • SHA256

    027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745

  • SHA512

    072205eca5099d9269f358fe534b370ff21a4f12d7938d6d2e2713f69310f0698e53b8aff062849f0b2a521f68bee097c1840993825d2a5a3aa8cf4145911c6f

  • SSDEEP

    6144:y/Bt80VmNTBo/x95ZjAetGDN3VFNq7pC+9OqFoK30b3ni5rdQY/CdUOs2:y/X4NTS/x9jNG+w+9OqFoK323qdQYKUG

  Score

  10^/10

  mimikatzbootkitdiscoverypersistencespywarestealer

  • Mimikatz

    mimikatz is an open source tool to dump credentials on Windows.

    mimikatz

  • mimikatz is an open source tool to dump credentials on Windows

  • Deletes itself

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Writes to the Master Boot Record (MBR)

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  behavioral15behavioral16

• • Target

    myguy.hta

  • Size

    13KB

  • MD5

    0487382a4daf8eb9660f1c67e30f8b25

  • SHA1

    736752744122a0b5ee4b95ddad634dd225dc0f73

  • SHA256

    ee29b9c01318a1e23836b949942db14d4811246fdae2f41df9f0dcd922c63bc6

  • SHA512

    e1e7d81d54efd526139ea8ac792ed2035c8e70f040319c0b65f723431d31077c7a6927553890c99151f2354f51c4020ed94e0e2e5d56386c2fc4828e95869106

  • SSDEEP

    192:ScIsmNvaHz65bP/U/njs3NH0Z0UvDVE6Az6XVHBycT6iLMUpJ2seCYHlfeb:SPXTmnjs3BU9A27BNLMUTb

  Score

  10^/10

  discoveryexecution

  • Blocklisted process makes network request

  • Command and Scripting Interpreter: PowerShell

    Run Powershell and hide display window.

    execution

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  behavioral17behavioral18

• • Target

    svchost.exe

  • Size

    704KB

  • MD5

    d2ec63b63e88ece47fbaab1ca22da1ef

  • SHA1

    dd52fcc042a44a2af9e43c15a8e520b54128cdc8

  • SHA256

    e5c643f1d8ecc0fd739d0bbe4a1c6c7de2601d86ab0fff74fd89c40908654be5

  • SHA512

    89d9e63d5f3b34be3d25317933031815a42c039fbee30ce8c86f8b1b7c6ca9ccfc8731da99b9246381a2c05a95ada423f4944ff72111eb0451a44e9dcb3e053e

  • SSDEEP

    12288:rue4X2Uz0DsetgxLdsCHvX8XYJWs6XS1bFLDw1P86jZpMV7uikFg:v+2UzSgxLdsCHmQb6XSbFLDs06jZulus

  Score

  7^/10

  discovery

  • Drops startup file

  • Creates a large amount of network flows

    This may indicate a network scan to discover remotely running services.

    discovery

  • Drops desktop.ini file(s)

  behavioral19behavioral20