Analysis
-
max time kernel
85s -
max time network
84s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
04-10-2024 04:20
General
-
Target
https://github.com/kh4sh3i/Ransomware-Samples
Score
10/10
Malware Config
Extracted
Path
C:\Users\Admin\AppData\Roaming\Microsoft\OneNote\16.0\_R_E_A_D___T_H_I_S___Q3N8DQ2_.hta
Family
cerber
Ransom Note
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>CERBER RANSOMWARE: Instructions</title>
<HTA:APPLICATION APPLICATIONNAME="OzJZPO" SCROLL="yes" SINGLEINSTANCE="yes" WINDOWSTATE="maximize">
<style type="text/css">
a {
color: #04a;
text-decoration: none;
}
a:hover {
text-decoration: underline;
}
body {
background-color: #e7e7e7;
color: #222;
font-family: "Lucida Sans Unicode", "Lucida Grande", sans-serif;
font-size: 13pt;
line-height: 19pt;
}
body, h1 {
margin: 0;
padding: 0;
}
hr {
color: #bda;
height: 2pt;
margin: 1.5%;
}
h1 {
color: #555;
font-size: 14pt;
}
ol {
padding-left: 2.5%;
}
ol li {
padding-bottom: 13pt;
}
small {
color: #555;
font-size: 11pt;
}
ul {
list-style-type: none;
margin: 0;
padding: 0;
}
.button {
color: #04a;
cursor: pointer;
}
.button:hover {
text-decoration: underline;
}
.container {
background-color: #fff;
border: 2pt solid #c7c7c7;
margin: 5%;
min-width: 850px;
padding: 2.5%;
}
.header {
border-bottom: 2pt solid #c7c7c7;
margin-bottom: 2.5%;
padding-bottom: 2.5%;
}
.h {
display: none;
}
.hr {
background: #bda;
display: block;
height: 2pt;
margin-top: 1.5%;
margin-bottom: 1.5%;
overflow: hidden;
width: 100%;
}
.info {
background-color: #efe;
border: 2pt solid #bda;
display: inline-block;
padding: 1.5%;
text-align: center;
}
.updating {
color: red;
display: none;
padding-left: 35px;
background: url("data:image/gif;base64,R0lGODlhGQAZAKIEAMzMzJmZmTMzM2ZmZgAAAAAAAAAAAAAAACH/C05FVFNDQVBFMi4wAwEAAAAh+QQFAAAEACwAAAAAGQAZAAADVki63P4wSEiZvLXemRf4yhYoQ0l9aMiVLISCDms+L/DIwwnfc+c3qZ9g6Hn5hkhF7YgUKI2dpvNpExJ/WKquSoMCvd9geDeuBpcuGFrcQWep5Df7jU0AACH5BAUAAAQALAoAAQAOABQAAAMwSLDU/iu+Gdl0FbTAqeXg5YCdSJCBuZVqKw5wC8/qHJv2IN+uKvytn9AnFBCHx0cCACH5BAUAAAQALAoABAAOABQAAAMzSLoEzrC5F9Wk9YK6Jv8gEYzgaH4myaVBqYbfIINyHdcDI+wKniu7YG+2CPI4RgFI+EkAACH5BAUAAAQALAQACgAUAA4AAAMzSLrcBNDJBeuUNd6WwXbWtwnkFZwMqUpnu6il06IKLChDrsxBGufAHW0C1IlwxeMieEkAACH5BAUAAAQALAEACgAUAA4AAAM0SLLU/lAtFquctk6aIe5gGA1kBpwPqVZn66hl1KINPDRB3sxAGufAHc0C1IkIxcARZ4QkAAAh+QQFAAAEACwBAAQADgAUAAADMUhK0vurSfiko8oKHC//yyCCYvmVI4cOZAq+UCCDcv3VM4cHCuDHOZ/wI/xxigDQMAEAIfkEBQAABAAsAQABAA4AFAAAAzNIuizOkLgZ13xraHVF1puEKWBYlUP1pWrLBLALz+0cq3Yg324PAUAXcNgaBlVGgPAISQAAIfkEBQAABAAsAQABABQADgAAAzRIujzOMBJHpaXPksAVHoogMlzpZWK6lF2UjgobSK9AtjSs7QTg8xCfELgQ/og9I1IxXCYAADs=") left no-repeat;
}
#change_language {
float: right;
}
#change_language, #texts div {
display: none;
}
</style>
</head>
<body>
<div class="container">
<div class="header">
<a id="change_language" href="#" onclick="return changeLanguage1();" title="English">☑ English</a>
<h1>CERBER RANSOMWARE</h1>
<small id="title">Instructions</small>
</div>
<div id="languages">
<p>☑ Select your language</p>
<ul>
<li><a href="#" title="English" onclick="return sh_bl('en');">English</a></li>
<li><a href="#" title="Arabic" onclick="return sh_bl('ar');">العربية</a></li>
<li><a href="#" title="Chinese" onclick="return sh_bl('zh');">中文</a></li>
<li><a href="#" title="Dutch" onclick="return sh_bl('nl');">Nederlands</a></li>
<li><a href="#" title="French" onclick="return sh_bl('fr');">Français</a></li>
<li><a href="#" title="German" onclick="return sh_bl('de');">Deutsch</a></li>
<li><a href="#" title="Italian" onclick="return sh_bl('it');">Italiano</a></li>
<li><a href="#" title="Japanese" onclick="return sh_bl('ja');">日本語</a></li>
<li><a href="#" title="Korean" onclick="return sh_bl('ko');">한국어</a></li>
<li><a href="#" title="Polish" onclick="return sh_bl('pl');">Polski</a></li>
<li><a href="#" title="Portuguese" onclick="return sh_bl('pt');">Português</a></li>
<li><a href="#" title="Spanish" onclick="return sh_bl('es');">Español</a></li>
<li><a href="#" title="Turkish" onclick="return sh_bl('tr');">Türkçe</a></li>
</ul>
</div>
<div id="texts">
<div id="en">
<p>Can't yo<span class="h">Yb5r</span>u find the necessary files?<br>Is the c<span class="h">0oA7ZPs</span>ontent of your files not readable?</p>
<p>It is normal be<span class="h">7RQttM83U</span>cause the files' names and the data in your files have been encryp<span class="h">0bMimJ0</span>ted by "Ce<span class="h">846</span>rber Ransomware".</p>
<p>It me<span class="h">nJA5</span>ans your files are NOT damage<span class="h">j23AdAFYCD</span>d! Your files are modified only. This modification is reversible.<br>F<span class="h">6wHh8oqt5e</span>rom now it is not poss<span class="h">qxIN4</span>ible to use your files until they will be decrypted.</p>
<p>The only way to dec<span class="h">9gSN</span>rypt your files safely is to buy the special decryption software "C<span class="h">RB6ZB</span>erber Decryptor".</p>
<p>Any attempts to rest<span class="h">dX</span>ore your files with the thir<span class="h">Gm2CPP</span>d-party software will be fatal for your files!</p>
<hr>
<p class="w331208">You can proc<span class="h">yluc6</span>eed with purchasing of the decryption softw<span class="h">yVw4</span>are at your personal page:</p>
<p><span class="info"><span class="updating">Ple<span class="h">8TLGY5s</span>ase wait...</span><a class="url" href="http://p27dokhpz2n7nvgr.12hygy.top/19B0-806B-FCC6-0446-9701" target="_blank">http://p27dokhpz2n7nvgr.12hygy.top/19B0-806B-FCC6-0446-9701</a><hr><a href="http://p27dokhpz2n7nvgr.14ewqv.top/19B0-806B-FCC6-0446-9701" target="_blank">http://p27dokhpz2n7nvgr.14ewqv.top/19B0-806B-FCC6-0446-9701</a><hr><a href="http://p27dokhpz2n7nvgr.14vvrc.top/19B0-806B-FCC6-0446-9701" target="_blank">http://p27dokhpz2n7nvgr.14vvrc.top/19B0-806B-FCC6-0446-9701</a><hr><a href="http://p27dokhpz2n7nvgr.129p1t.top/19B0-806B-FCC6-0446-9701" target="_blank">http://p27dokhpz2n7nvgr.129p1t.top/19B0-806B-FCC6-0446-9701</a><hr><a href="http://p27dokhpz2n7nvgr.1apgrn.top/19B0-806B-FCC6-0446-9701" target="_blank">http://p27dokhpz2n7nvgr.1apgrn.top/19B0-806B-FCC6-0446-9701</a></span></p>
<p>If t<span class="h">fFP0RE</span>his page cannot be opened <span class="button" onclick="return _url_upd_('en');">cli<span class="h">FoK4q2</span>ck here</span> to get a new addr<span class="h">zslF10BS</span>ess of your personal page.<br><br>If the addre<span class="h">hap2kp3d</span>ss of your personal page is the same as befo<span class="h">L</span>re after you tried to get a new one,<br>you c<span class="h">iKGYgb</span>an try to get a new address in one hour.</p>
<p>At th<span class="h">rdgqc0EJ</span>is page you will receive the complete instr<span class="h">bHk6yDXU30</span>uctions how to buy the decrypti<span class="h">rIQuH</span>on software for restoring all your files.</p>
<p>Also at this page you will be able to res<span class="h">Wy</span>tore any one file for free to be sure "Cerbe<span class="h">p</span>r Decryptor" will help you.</p>
<hr>
<p>If your per<span class="h">38eQLepw06</span>sonal page is not availa<span class="h">HrDG</span>ble for a long period there is another way to open your personal page - insta<span class="h">WDrR7</span>llation and use of Tor Browser:</p>
<ol>
<li>run your Inte<span class="h">M</span>rnet browser (if you do not know what it is run the Internet Explorer);</li>
<li>ent<span class="h">5PqIm</span>er or copy the address <a href="https://www.torproject.org/download/download-easy.html.en" target="_blank">https://www.torproject.org/download/download-easy.html.en</a> into the address bar of your browser and press ENTER;</li>
<li>wait for the site load<span class="h">DjwPWOta</span>ing;</li>
<li>on the site you will be offered to do<span class="h">6ov</span>wnload Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed;</li>
<li>ru<span class="h">5yTgXEBxx</span>n Tor Browser;</li>
<li>connect with the butt<span class="h">RS</span>on "Connect" (if you use the English version);</li>
<li>a normal Internet bro<span class="h">WBBh</span>wser window will be opened after the initialization;</li>
<li>type or copy the add<span class="h">iWu4usYUD</span>ress <br><span class="info">http://p27dokhpz2n7nvgr.onion/19B0-806B-FCC6-0446-9701</span><br> in this browser address bar;</li>
<li>pre<span class="h">Nl0TO57D</span>ss ENTER;</li>
<li>the site sho<span class="h">S6</span>uld be loaded; if for some reason the site is not lo<span class="h">ZN77wf4o</span>ading wait for a moment and try again.</li>
</ol>
<p>If you have any pr<span class="h">6XMhY</span>oblems during installation or use of Tor Browser, please, visit <a href="https://www.youtube.com/results?search_query=Install+Tor+Browser+Windows" target="_blank">https://www.youtube.com</a> and type request in the searc<span class="h">Wl7cqtb</span>h bar "Install Tor Browser Windows" and you will find a lot of training videos about Tor Browser installation and use.</p>
<hr>
<p><strong>Addit<span class="h">zCCqlGYrf</span>ional information:</strong></p>
<p>You will fi<span class="h">fj6c</span>nd the instru<span class="h">SJFKVjz</span>ctions ("*_READ_THIS_FILE_*.hta") for re<span class="h">BKkBn</span>storing your files in any f<span class="h">kCvDLS0</span>older with your enc<span class="h">SVhTiQwJ</span>rypted files.</p>
<p>The instr<span class="h">ZKAxR9</span>uctions "*_READ_THIS_FILE_*.hta" in the f<span class="h">JoN72AjKmW</span>older<span class="h">khr</span>s with your encry<span class="h">TIiJXc</span>pted files are not vir<span class="h">bYe</span>uses! The instruc<span class="h">Cy3URt6z5</span>tions "*_READ_THIS_FILE_*.hta" will he<span class="h">2SesmtP</span>lp you to dec<span class="h">EqM</span>rypt your files.</p>
<p>Remembe<span class="h">FYxXYe</span>r! The worst si<span class="h">5</span>tuation already happ<span class="h">bTr</span>ened and now the future of your files de<span class="h">rq</span>pends on your determ<span class="h">bV</span>ination and speed of your actions.</p>
</div>
<div id="ar" style="direction: rtl;">
<p>لا يمكنك العثور على الملفات الضرورية؟<br>هل محتوى الملفات غير قابل للقراءة؟</p>
<p>هذا أمر طبيعي لأن أسماء الملفات والبيانات في الملفات قد تم تشفيرها بواسطة "Cerber Ransomware".</p>
<p>وهذا يعني أن الملفات الخاصة بك ليست تالفة! فقد تم تعديل ملفاتك فقط. ويمكن التراجع عن هذا.<br>ومن الآن فإنه لا يكن استخدام الملفات الخاصة بك حتى يتم فك تشفيرها.</p>
<p>الطريقة الوحيدة لفك تشفير ملفاتك بأمان هو أن تشتري برنامج فك التشفير المتخصص "Cerber Decryptor".</p>
<p>إن أية محاولات لاستعادة الملفات الخاصة بك بواسطة برامج من طرف ثالث سوف تكون مدمرة لملفاتك!</p>
<hr>
<p>يمكنك الشروع في شراء برنامج فك التشفير من صفحتك الشخصية:</p>
<p><span class="info"><span class="updating">أرجو الإنتظار...</span><a class="url" href="http://p27dokhpz2n7nvgr.12hygy.top/19B0-806B-FCC6-0446-9701" target="_blank">http://p27dokhpz2n7nvgr.12hygy.top/19B0-806B-FCC6-0446-9701</a><hr><a href="http://p27dokhpz2n7nvgr.14ewqv.top/19B0-806B-FCC6-0446-9701" target="_blank">http://p27dokhpz2n7nvgr.14ewqv.top/19B0-806B-FCC6-0446-9701</a><hr><a href="http://p27dokhpz2n7nvgr.14vvrc.top/19B0-806B-FCC6-0446-9701" target="_blank">http://p27dokhpz2n7nvgr.14vvrc.top/19B0-806B-FCC6-0446-9701</a><hr><a href="http://p27dokhpz2n7nvgr.129p1t.top/19B0-806B-FCC6-0446-9701" target="_blank">http://p27dokhpz2n7nvgr.129p1t.top/19B0-806B-FCC6-0446-9701</a><hr><a href="http://p27dokhpz2n7nvgr.1apgrn.top/19B0-806B-FCC6-0446-9701" target="_blank">http://p27dokhpz2n7nvgr.1apgrn.top/19B0-806B-FCC6-0446-9701</a></span></p>
<p>في حالة تعذر فتح هذه الصفحة <span class="button" onclick="return _url_upd_('ar');">انقر هنا</span> لإنشاء عنوان جديد لصفحتك الشخصية.</p>
<p>في هذه الصفحة سوف تتلقى تعليمات كاملة حول كيفية شراء برنامج فك التشفير لاستعادة جميع الملفات الخاصة بك.</p>
<p>في هذه الصفحة أيضًا سوف تتمكن من استعادة ملف واحد بشكل مجاني للتأكد من أن "Cerber Decryptor" سوف يساعدك.</p>
<hr>
<p>إذا كانت صفحتك الشخصية غير متاحة لفترة طويلة فإن ثمّة طريقة أخرى لفتح صفحتك الشخصية - تحميل واستخدام متصفح Tor:</p>
<ol>
<li>قم بتشغيل متصفح الإنترنت الخاص بك (إذا كنت لا تعرف ما هو قم بتشغيل إنترنت إكسبلورر);</li>
<li>قم بكتابة أو نسخ العنوان <a href="https://www.torproject.org/download/download-easy.html.en" target="_blank">https://www.torproject.org/download/download-easy.html.en</a> إلى شريط العنوان في المستعرض الخاص بك ثم اضغط ENTER;</li>
<li>انتظر لتحميل الموقع;</li>
<li>سوف يعرض عليك الموقع تحميل متصفح Tor. قم بتحميله وتشغيله، واتبع تعليمات التثبيت، وانتظر حتى اكتمال التثبيت;</li>
<li>قم بتشغيل متصفح Tor;</li>
<li>اضغط على الزر "Connect" (إذا كنت تستخدم النسخة الإنجليزية);</li>
<li>سوف تُفتح نافذة متصفح الإنترنت العادي بعد البدء;</li>
<li>قم بكتابة أو نسخ العنوان <br><span class="info">http://p27dokhpz2n7nvgr.onion/19B0-806B-FCC6-0446-9701</span><br> في شريط العنوان في المتصفح;</li>
<li>اضغط ENTER;</li>
<li>يجب أن يتم تحميل الموقع؛ إذا لم يتم تحميل الموقع لأي سبب، انتظر للحظة وحاول مرة أخرى.</li>
</ol>
<p>إذا كان لديك أية مشكلات أثناء عملية التثبيت أو استخدام متصفح Tor، يُرجى زيارة <a href="https://www.youtube.com/results?search_query=Install+Tor+Browser+Windows" target="_blank">https://www.youtube.com</a> واكتب الطلب "install tor browser windows" أو "تثبيت نوافذ متصفح Tor" في شريط البحث، وسوف تجد الكثير من أشرطة الفيديو للتدريب حول تثبيت متصفح Tor واستخدامه.</p>
<hr>
<p><strong>معلومات إض<span class="h">hA7p</span>افية:</strong></p>
<p>س<span class="h">9MbhCL</span>وف تجد إرشادات استعادة الملفات الخاصة بك ("*_READ_THIS_FILE_*") في أي مجلد مع ملفاتك المشفرة.</p>
<p>الإرش<span class="h">09I</span>ادات ("*_READ_THIS_FILE_*") الموجودة في المجلدات مع ملفاتك المشفرة ليست فيروسات والإرشادات ("*_READ_THIS_FILE_*") سوف تساعدك على فك تشفير الملفات الخاصة بك.</p>
<p>تذكر أن أسوأ مو<span class="h">DnKfOIo5Ze</span>قف قد حدث بالفعل، والآن مستقبل ملفاتك يعتمد على عزيمتك وسرعة الإجراءات الخاصة بك.</p>
</div>
<div id="zh">
<p>您找不到所需的文件?<br>您文件的内容无法阅读?</p>
<p>这是正常的,因为您文件的文件名和数据已经被“Cerber Ransomware”加密了。</p>
<p>这意味着您的文件并没有损坏!您的文件只是被修改��
Extracted
Path
C:\Users\Admin\AppData\Roaming\Microsoft\OneNote\16.0\_R_E_A_D___T_H_I_S___4QPIC_.txt
Family
cerber
Ransom Note
CERBER RANSOMWARE
-----
YOUR DOCUMENTS, PH0TOS, DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED!
-----
The only way to decrypt y0ur files is to receive the private key and decryption program.
To receive the private key and decryption program go to any decrypted folder,
inside there is the special file (*_READ_THIS_FILE_*) with complete instructions
how to decrypt your files.
If you cannot find any (*_READ_THIS_FILE_*) file at your PC, follow the instructions below:
-----
1. Download "Tor Browser" from https://www.torproject.org/ and install it.
2. In the "Tor Browser" open your personal page here:
http://p27dokhpz2n7nvgr.onion/19B0-806B-FCC6-0446-9701
Note! This page is available via "Tor Browser" only.
-----
Also you can use temporary addresses on your personal page without using "Tor Browser".
-----
1. http://p27dokhpz2n7nvgr.12hygy.top/19B0-806B-FCC6-0446-9701
2. http://p27dokhpz2n7nvgr.14ewqv.top/19B0-806B-FCC6-0446-9701
3. http://p27dokhpz2n7nvgr.14vvrc.top/19B0-806B-FCC6-0446-9701
4. http://p27dokhpz2n7nvgr.129p1t.top/19B0-806B-FCC6-0446-9701
5. http://p27dokhpz2n7nvgr.1apgrn.top/19B0-806B-FCC6-0446-9701
-----
Note! These are temporary addresses! They will be available for a limited amount of time!
-----
URLs
http://p27dokhpz2n7nvgr.onion/19B0-806B-FCC6-0446-9701
http://p27dokhpz2n7nvgr.12hygy.top/19B0-806B-FCC6-0446-9701
http://p27dokhpz2n7nvgr.14ewqv.top/19B0-806B-FCC6-0446-9701
http://p27dokhpz2n7nvgr.14vvrc.top/19B0-806B-FCC6-0446-9701
http://p27dokhpz2n7nvgr.129p1t.top/19B0-806B-FCC6-0446-9701
http://p27dokhpz2n7nvgr.1apgrn.top/19B0-806B-FCC6-0446-9701
Signatures
-
Cerber
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
-
Contacts a large (1107) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Modifies Windows Firewall 2 TTPs 2 IoCs
-
Drops startup file 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Drops file in System32 directory 38 IoCs
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
-
Drops file in Program Files directory 20 IoCs
-
Drops file in Windows directory 64 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
-
System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Kills process with taskkill 1 IoCs
-
Modifies registry class 2 IoCs
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
-
Suspicious use of AdjustPrivilegeToken 7 IoCs
-
Suspicious use of FindShellTrayWindow 42 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/kh4sh3i/Ransomware-Samples1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff5a8746f8,0x7fff5a874708,0x7fff5a8747182⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2040,12986429778236402334,4223412447293489319,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2060 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2040,12986429778236402334,4223412447293489319,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2360 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2040,12986429778236402334,4223412447293489319,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2732 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,12986429778236402334,4223412447293489319,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,12986429778236402334,4223412447293489319,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2040,12986429778236402334,4223412447293489319,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5364 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2040,12986429778236402334,4223412447293489319,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5364 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2040,12986429778236402334,4223412447293489319,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5600 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,12986429778236402334,4223412447293489319,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5044 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2040,12986429778236402334,4223412447293489319,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6140 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,12986429778236402334,4223412447293489319,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4148 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,12986429778236402334,4223412447293489319,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5528 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,12986429778236402334,4223412447293489319,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5844 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,12986429778236402334,4223412447293489319,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4176 /prefetch:12⤵
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Ransomware-Samples-main\" -spe -an -ai#7zMap30011:108:7zEvent114421⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.Cerber.zip\cerber.exe"C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.Cerber.zip\cerber.exe"1⤵
- Drops startup file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\netsh.exeC:\Windows\system32\netsh.exe advfirewall set allprofiles state on2⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exeC:\Windows\system32\netsh.exe advfirewall reset2⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___NFG3VW_.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___U4TBRXY_.txt2⤵
- System Location Discovery: System Language Discovery
- Opens file in notepad (likely ransom note)
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe"2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im "cerber.exe"3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\PING.EXEping -n 1 127.0.0.13⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Defense Evasion
Impair Defenses
1Disable or Modify System Firewall
1Modify Registry
1Discovery
Browser Information Discovery
1Network Service Discovery
1Query Registry
1Remote System Discovery
1System Information Discovery
1System Location Discovery
1System Language Discovery
1System Network Configuration Discovery
1Internet Connection Discovery
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD59e3fc58a8fb86c93d19e1500b873ef6f
SHA1c6aae5f4e26f5570db5e14bba8d5061867a33b56
SHA256828f4eacac1c40b790fd70dbb6fa6ba03dcc681171d9b2a6579626d27837b1c4
SHA512e5e245b56fa82075e060f468a3224cf2ef43f1b6d87f0351a2102d85c7c897e559be4caeaecfdc4059af29fdc674681b61229319dda95cb2ee649b2eb98d313e
-
Filesize
152B
MD527304926d60324abe74d7a4b571c35ea
SHA178b8f92fcaf4a09eaa786bbe33fd1b0222ef29c1
SHA2567039ad5c2b40f4d97c8c2269f4942be13436d739b2e1f8feb7a0c9f9fdb931de
SHA512f5b6181d3f432238c7365f64fc8a373299e23ba8178bcc419471916ef8b23e909787c7c0617ab22e4eb90909c02bd7b84f1386fbc61e2bdb5a0eb474175da4bd
-
Filesize
1KB
MD5e458e6c1654c8ec488f74f106025ec31
SHA105c7f0f2d848370c6ecb54ab74b2bace7c13c6d8
SHA25670442409efcbef3fbe39640efdcc13518cbd38dfa7d9acbe37030146c356f6a0
SHA5126dd37af4ede1131d05ea893c621ab2fad28dedc8727418965b122913027de5b3c270cc2cd65e0ea41a67d79390822accb47cbfe5f3a212d06e6de5c57875ba88
-
Filesize
656B
MD5e09f50c426b6e354f7ea0f9ead6b0ec3
SHA110cd76c3ef4ea22131591ee507f6969d0935d573
SHA2560ba6cbde1ad97e8ead859315bd543eed2ab49621662d58d386bf5734d88e3a56
SHA51223c7d8fea74d4c28d99d179df92ed4de0aa76f0bac834bce9db173a54460184119ddcea72ee70786ebb5cd61d381d2dc9173edf50d4437aac31a3710bb4f7fa2
-
Filesize
6KB
MD5644d10ef9046b5f90beb7593cdbb31d2
SHA137b543b217e5773053f458b463309768b6f15b81
SHA25612bcc80f5e8ef8def44a105dacb0b66c068cb73ecb52e18159936ffe0c634c7c
SHA5129ce53db83b550ecfad9f83a62daa3b0f8c151f2b2159f24250ec5ce0365e98802bcd5bea484b956f0954eba2556984e3134ccd03ba829f1700b4cbe7a7209e03
-
Filesize
6KB
MD59ca9ecf8d251d8c5abfd0b16cce2e4ad
SHA1a1137e5173fa3aa2ae3782c5df928210d20678c7
SHA256acbf66520790ba9eb85c18ce6b7367724f154f84f36c64d319c1948784d8a02e
SHA5129c27494e1f809fefc4e4831691c294567eac0dee42bbb98e8653dccf6f0633d4dc584bae75d30f843fe036411fa1e727ee6ca8b153742b54730e443d4f766534
-
Filesize
1KB
MD58b24ce9c4047f352b9c5a861ad0baab1
SHA12ee180d64789fc36267d7dbc81a6aafb993f19c0
SHA2561bbfb764fef1eda73445e20090cf247eeb661ebe00036a1158624660b5ec6354
SHA5125ddd8ef51d09c89f5efdf287c2e98e1740a3c5c5d571e472b8551c83adf7e79d82e34562d950a52956838f226c8a851e4744b679adb4f78c052d6f5826804d97
-
Filesize
1KB
MD5673bae983c0dc058b942243cf10e09f8
SHA1e377dd7d151bbd580db9c4df04d825017fe3c5a1
SHA256b4ce36d076f1a420efa16a16d314a849b452cf4e1a7b898887964ab55ab67779
SHA5128e9fa4cae03bef1138332d667aa009a829b6081945fe71d652598c6631aa07946b631993aa36b88696758c54df4ae937d002924b783394b60f4c1eaddeb53f58
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
11KB
MD589245c0eff57cb91f49bbeb6ee5bcad7
SHA1d533434bb8a163e9e233aee6ac5d69d2c00ddba8
SHA2560304be2d42d3b7f1637b96f5656a407eb54f46cd554f196dd94f4bf1874fd659
SHA512db4201071ecf86ada552fccebe51b5eb85d1e40c81236051d40dd9b715034ba4358eed04be28095f0a82d0d9ea7b03228fbf18a191c4d0000368ff763852bb70
-
Filesize
10KB
MD59921acaeb93d0ff7c170efb142381351
SHA193e1edccae438e03d40704101c553e310851b715
SHA256b5baeb91306e50dcfb7d5d75c29a6c1c0b32bcda65c7c235d94cf5e89a59b419
SHA512d93c0297f87b309d24f45dc0e8a4cb9f02f4ddac66c4715f97899e735ffc15f3d9919a629e33330b86e9293abf0269eeaec16288679dc022b123c62026599c39
-
Filesize
10KB
MD57a5dee93f3a718124594a0a0e13d3269
SHA18ed790ce1a52ad8175360adaa41762f411dd760d
SHA2565641447a6b9b0f14664c1226f5f302a5e1a340e882e912f4ce612961e3713a2d
SHA512da0a810e889be9cd415e98d9fc1f601a5f68a3de43da574db845aaa7ac18bef07761c12fd4dfc8cea477c44c0a709bf1ad69106643fe12c5f948a4ffac0b460b
-
Filesize
1KB
MD5829b811b6f7c5b664152d0138ca52409
SHA153bcf1187a42fdf4ae31d04daa647eee387d7649
SHA2565f548373daa8ad0d81d743f5e72b34b47dc057b56bd9270cd664f78549d81547
SHA5128fc39e4c9cfc85b74fbedd1472358d7675999d631a59827815df9b359707d3c0e13a762f2cf2cbd208c8c2fa49d1daa0d02d473337cabca36c28adedeb783c6b
-
Filesize
75KB
MD5c3cc1db67a79b0ca1608bb128bbba33b
SHA1afa227078d9a3106a6f57d8ec8d8d86deab313e1
SHA25604128010aedd811624b713b5e75d55ca1c7c213db452c92c000f268663ef8bc7
SHA5120e13c1595e7bfbc4d0b2fbd04a72c8665b1702d200047f829adc00dc18c9607cd984bb077a11a2b19d054114d043a11896d50c4869529fb1f96aab862f027304
-
Filesize
15.1MB
MD5e88a0140466c45348c7b482bb3e103df
SHA1c59741da45f77ed2350c72055c7b3d96afd4bfc1
SHA256bab1853454ca6fdd3acd471254101db1b805b601e309a49ec7b4b1fbcfc47ad7
SHA5122dc9682f4fb6ea520acc505bdbe7671ab7251bf9abd25a5275f0c543a6157d7fa5325b9dce6245e035641ab831d646f0e14f6649f9464f5e97431ab1bf7da431
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
68KB
-
Filesize
212KB
-
Filesize
212KB