cerber | be8ac2b53a5fbe04d599dd8c05cd7c29ef77bfd77d000982c04208954fceb27e | Triage

Submit
Reports

Overview

overview

Static

static

3

nebula.exe

windows11-21h2-x64

Sharing

General

Target

nebula.exe
Size

1.5MB
Sample

241030-rrc6yawqfk
MD5

aa84466da5167860bd89a6d2e233e742
SHA1

74032d059df6b905a8dd910a81bf9bd6b7f0f4a2
SHA256

be8ac2b53a5fbe04d599dd8c05cd7c29ef77bfd77d000982c04208954fceb27e
SHA512

a9f4128f5470c2ed92d491f5e7506a8246ac41aed90e5cceabe608979ae708056c12e0806688396e0798c1c0bca1c953f68d845f49465dcde8fbbf7f35408ea7
SSDEEP

24576:XRiOcwpQZ3/G7PMuKn2vyedkShQb06qnu7PReN/IAUqNOmNAFwa/k:YOcwYPne1dvQbwnurA3s/

Score

10^/10

cerber defense_evasion discovery evasion execution persistence privilege_escalation ransomware

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

nebula.exe

Resource

win11-20241007-en

cerber defense_evasion discovery evasion execution persistence privilege_escalation ransomware

windows11-21h2-x64

37 signatures

600 seconds

Malware Config

Targets

- Target
  
  nebula.exe
- Size
  
  1.5MB
- MD5
  
  aa84466da5167860bd89a6d2e233e742
- SHA1
  
  74032d059df6b905a8dd910a81bf9bd6b7f0f4a2
- SHA256
  
  be8ac2b53a5fbe04d599dd8c05cd7c29ef77bfd77d000982c04208954fceb27e
- SHA512
  
  a9f4128f5470c2ed92d491f5e7506a8246ac41aed90e5cceabe608979ae708056c12e0806688396e0798c1c0bca1c953f68d845f49465dcde8fbbf7f35408ea7
- SSDEEP
  
  24576:XRiOcwpQZ3/G7PMuKn2vyedkShQb06qnu7PReN/IAUqNOmNAFwa/k:YOcwYPne1dvQbwnurA3s/
Score

10^/10

cerber defense_evasion discovery evasion execution persistence privilege_escalation ransomware
- Cerber
  Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
  ransomware cerber
- Cerber family
  cerber
- Sets service image path in registry
  persistence
- Stops running service(s)
  evasion execution
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
  persistence privilege_escalation
- Executes dropped EXE
- Loads dropped DLL
- Drops desktop.ini file(s)
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops file in System32 directory
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

Service Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Component Object Model Hijacking

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Component Object Model Hijacking

Defense Evasion

Impair Defenses

Modify Registry

Subvert Trust Controls

SIP and Trust Provider Hijacking

Credential Access

Discovery

Browser Information Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

System Network Configuration Discovery

Internet Connection Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

Tasks

static1

behavioral1

cerberdefense_evasiondiscoveryevasionexecutionpersistenceprivilege_escalationransomware

© 2018-2024

Terms | Privacy