cerber

General

Target

3e6aed34833aa5354beceaa6b6a3180b831344f3c1d37fd7e3e947f2fdded63c
Size

3.1MB
Sample

241110-s6tynssrar
MD5

8b691a8961e3f204ebe13855f69649b7
SHA1

fec122cc8e46261629da8ac838018cfa98cb093c
SHA256

3e6aed34833aa5354beceaa6b6a3180b831344f3c1d37fd7e3e947f2fdded63c
SHA512

25d4ab3a2ba7998f699e4ee3a70d6ad1f0d7497914172ca394556577b58567be0df7c793eea062071714a5ff4a48c6789081f46a3ca71bc39596941f7051d817
SSDEEP

49152:zulB+LF2pkwRBn6+SlLAzS45uEY2zmbJbRMn3Mnkir:WUZ4hkXlLsS5EJ5n3Mnkir

Score

10^/10

Malware Config

Targets

- Target
  
  3e6aed34833aa5354beceaa6b6a3180b831344f3c1d37fd7e3e947f2fdded63c
- Size
  
  3.1MB
- MD5
  
  8b691a8961e3f204ebe13855f69649b7
- SHA1
  
  fec122cc8e46261629da8ac838018cfa98cb093c
- SHA256
  
  3e6aed34833aa5354beceaa6b6a3180b831344f3c1d37fd7e3e947f2fdded63c
- SHA512
  
  25d4ab3a2ba7998f699e4ee3a70d6ad1f0d7497914172ca394556577b58567be0df7c793eea062071714a5ff4a48c6789081f46a3ca71bc39596941f7051d817
- SSDEEP
  
  49152:zulB+LF2pkwRBn6+SlLAzS45uEY2zmbJbRMn3Mnkir:WUZ4hkXlLsS5EJ5n3Mnkir
Score

10^/10

cerber defense_evasion discovery evasion execution persistence privilege_escalation ransomware trojan upx
- Cerber
  Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
  ransomware cerber
- Cerber family
  cerber
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- UAC bypass
  evasion trojan
- Detected Nirsoft tools
  Free utilities often used by attackers which can steal passwords, product keys, etc.
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Modifies Security services
  Modifies the startup behavior of a security service.
  defense_evasion
- Power Settings
  powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
  persistence
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1 behavioral2