Overview

overview

10

Static

static

3

cerber.exe

windows7-x64

10

cerber.exe

windows10-2004-x64

10

cryptowall.exe

windows7-x64

9

cryptowall.exe

windows10-2004-x64

3

jigsaw.exe

windows7-x64

10

jigsaw.exe

windows10-2004-x64

10

Locky.exe

windows7-x64

10

Locky.exe

windows10-2004-x64

10

131.exe

windows7-x64

1

131.exe

windows10-2004-x64

3

Matsnu-MBR...3 .exe

windows7-x64

7

Matsnu-MBR...3 .exe

windows10-2004-x64

3

027cc450ef...d9.dll

windows7-x64

10

027cc450ef...d9.dll

windows10-2004-x64

10

027cc450ef...ju.dll

windows7-x64

10

027cc450ef...ju.dll

windows10-2004-x64

10

myguy.hta

windows7-x64

10

myguy.hta

windows10-2004-x64

10

svchost.exe

windows7-x64

7

svchost.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    119s
  • max time network
    132s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    26-11-2024 15:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cerber.exe

  • Size

    604KB

  • MD5

    8b6bc16fd137c09a08b02bbe1bb7d670

  • SHA1

    c69a0f6c6f809c01db92ca658fcf1b643391a2b7

  • SHA256

    e67834d1e8b38ec5864cfa101b140aeaba8f1900a6e269e6a94c90fcbfe56678

  • SHA512

    b53d2cc0fe5fa52262ace9f6e6ea3f5ce84935009822a3394bfe49c4d15dfeaa96bfe10ce77ffa93dbf81e5428122aa739a94bc709f203bc346597004fd75a24

  • SSDEEP

    6144:yYghlI5/u8f1mr+4RJ99MpDa52RX5wRDhOOU0qsR:yYKlYmDXEpDHRXP01

Score
10/10
cerberdiscoveryevasionpersistenceprivilege_escalationransomware

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___CXIFPVMR_.txt

Family

cerber

Ransom Note
CERBER RANSOMWARE ----- YOUR DOCUMENTS, PH0TOS, DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED! ----- The only way to decrypt y0ur files is to receive the private key and decryption program. To receive the private key and decryption program go to any decrypted folder, inside there is the special file (*_READ_THIS_FILE_*) with complete instructions how to decrypt your files. If you cannot find any (*_READ_THIS_FILE_*) file at your PC, follow the instructions below: ----- 1. Download "Tor Browser" from https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your personal page here: http://p27dokhpz2n7nvgr.onion/7A06-6BFE-6C33-0446-9E59 Note! This page is available via "Tor Browser" only. ----- Also you can use temporary addresses on your personal page without using "Tor Browser". ----- 1. http://p27dokhpz2n7nvgr.12hygy.top/7A06-6BFE-6C33-0446-9E59 2. http://p27dokhpz2n7nvgr.14ewqv.top/7A06-6BFE-6C33-0446-9E59 3. http://p27dokhpz2n7nvgr.14vvrc.top/7A06-6BFE-6C33-0446-9E59 4. http://p27dokhpz2n7nvgr.129p1t.top/7A06-6BFE-6C33-0446-9E59 5. http://p27dokhpz2n7nvgr.1apgrn.top/7A06-6BFE-6C33-0446-9E59 ----- Note! These are temporary addresses! They will be available for a limited amount of time! -----
URLs

http://p27dokhpz2n7nvgr.onion/7A06-6BFE-6C33-0446-9E59

http://p27dokhpz2n7nvgr.12hygy.top/7A06-6BFE-6C33-0446-9E59

http://p27dokhpz2n7nvgr.14ewqv.top/7A06-6BFE-6C33-0446-9E59

http://p27dokhpz2n7nvgr.14vvrc.top/7A06-6BFE-6C33-0446-9E59

http://p27dokhpz2n7nvgr.129p1t.top/7A06-6BFE-6C33-0446-9E59

http://p27dokhpz2n7nvgr.1apgrn.top/7A06-6BFE-6C33-0446-9E59

Signatures

  • Cerber

    Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.

    ransomwarecerber
  • Cerber family
    cerber
  • Blocklisted process makes network request 5 IoCs
  • Contacts a large (1098) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Modifies Windows Firewall 2 TTPs 2 IoCs
    evasion
  • Deletes itself 1 IoCs
  • Drops startup file 1 IoCs
  • Drops file in System32 directory 38 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Drops file in Program Files directory 20 IoCs
  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

    persistenceprivilege_escalation
  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Kills process with taskkill 1 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 35 IoCs
    adwarespyware
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 40 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cerber.exe
    "C:\Users\Admin\AppData\Local\Temp\cerber.exe"
    1⤵
    • Drops startup file
    • Drops file in System32 directory
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:2856
    • C:\Windows\SysWOW64\netsh.exe
      C:\Windows\system32\netsh.exe advfirewall set allprofiles state on
      2⤵
      • Modifies Windows Firewall
      • Event Triggered Execution: Netsh Helper DLL
      • System Location Discovery: System Language Discovery
      PID:2828
    • C:\Windows\SysWOW64\netsh.exe
      C:\Windows\system32\netsh.exe advfirewall reset
      2⤵
      • Modifies Windows Firewall
      • Event Triggered Execution: Netsh Helper DLL
      • System Location Discovery: System Language Discovery
      PID:2996
    • C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___75WVLOZ_.hta"
      2⤵
      • Blocklisted process makes network request
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Suspicious use of WriteProcessMemory
      PID:3012
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" http://p27dokhpz2n7nvgr.12hygy.top/7A06-6BFE-6C33-0446-9E59
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2632
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2632 CREDAT:275457 /prefetch:2
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:2392
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2632 CREDAT:1192967 /prefetch:2
          4⤵
            PID:2364
      • C:\Windows\SysWOW64\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___CXIFPVMR_.txt
        2⤵
        • System Location Discovery: System Language Discovery
        • Opens file in notepad (likely ransom note)
        PID:2800
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe"
        2⤵
        • Deletes itself
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:688
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im "cerber.exe"
          3⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1880
        • C:\Windows\SysWOW64\PING.EXE
          ping -n 1 127.0.0.1
          3⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:2316

    Network

    MITRE ATT&CK Enterprise v15

    Reconnaissance

    Resource Development

    Initial Access

    Execution

    Persistence

    Create or Modify System Process

    1
    T1543

    Windows Service

    1
    T1543.003

    Event Triggered Execution

    1
    T1546

    Netsh Helper DLL

    1
    T1546.007

    Privilege Escalation

    Create or Modify System Process

    1
    T1543

    Windows Service

    1
    T1543.003

    Event Triggered Execution

    1
    T1546

    Netsh Helper DLL

    1
    T1546.007

    Defense Evasion

    Impair Defenses

    1
    T1562

    Disable or Modify System Firewall

    1
    T1562.004

    Modify Registry

    2
    T1112

    Credential Access

    Discovery

    Network Service Discovery

    1
    T1046

    Remote System Discovery

    1
    T1018

    System Information Discovery

    1
    T1082

    System Location Discovery

    1
    T1614

    System Language Discovery

    1
    T1614.001

    System Network Configuration Discovery

    1
    T1016

    Internet Connection Discovery

    1
    T1016.001

    Lateral Movement

    Collection

    Command and Control

    Exfiltration

    Impact

    Defacement

    1
    T1491

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      f17343e305d560e269f0a75584c431fb

      SHA1

      3819fd3e2d55e840b2550c11f7fa4890edb7758c

      SHA256

      d5758c7aae8df64a13488a8229075d7d0fb373469401f93eacf05413aa6e2c8d

      SHA512

      af6f7ff4de61e50d0d81b6c13b0e8d6c03e51d49032c9e2f9c7c60418e459c960cace3971206c74c502ccf47af2e85ac415f4351cf9328d3db2d19cf4b3ceb22

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      118dd7c1851cddc2f54656ff9c86c76b

      SHA1

      d0993c1a8df10aaa6e466da72f391941e5ddbcb9

      SHA256

      1e603c27e4a5c1b0c7c5422570317a2bb0cc1ec49f09d635ff194a2858966fc1

      SHA512

      eca5ecb0ead0a9d6a0a0359d3c6e1257cd5ccea2536f53275ca75e836d8e616eacb127a650c1f9f06a7c9a8fc542659d3e25f4ac99e7962916c81746e33eab91

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      94a61eb3ea57bac14d93b896e8e71352

      SHA1

      588c02ae11215d52f964667a900963d946768f8f

      SHA256

      4aca5cee9dc2ad3298f280ff7f818c30bf1628b0bdfb205f747e76673aa9cb39

      SHA512

      157c73e663f9fbf4ba93107f743c66828020c94f8028e61f3315db3f1e490b2929aabd92bbc496182da59344f320227b4052df7445762f37e4136c5cf62e61fb

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      e367fb2366f0022e46a11f91b0183c48

      SHA1

      77e45c3d4fabb032cf8f2bc1bf09a69a7e3ae193

      SHA256

      e5e681ab6ac93f50ec8c0789888e37ea474c6dd9a6e475fa95d6649981f06618

      SHA512

      735305dc6a26c33bf1e0598af370c4c004b59f417ac64481c38ab49fdd08e6dc98ac40b0e2a694644124366e3ca6215aa7493372a499b248be154c9a7e651e1d

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      00e8a2b076e55ceba8027320b9b94ea6

      SHA1

      8b72c705abb4e5443dc4c88cf52443b0c3a7fa3d

      SHA256

      fa010ca070681ad0318beb0cd7d218232df59bcfec0cdac8fa11311ab2da0817

      SHA512

      ddebb9a14d70b20fc8fa40c0974b13084bbed784fbe8254347809be64a1e21f5485f1eb336db8e494260131f263760044987859df2bcf74a0a891e8e0dfcb5a9

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      0f764dab30698f8afa94c52c93fc5a5e

      SHA1

      6480fe0ef7830f3ac67391a3bb1b17fd0ce12eef

      SHA256

      cf9bb3e012d54e45858239c657482f7b394ab4c56c7122013b93d50e6620168e

      SHA512

      e1e87e9c346c250d3195cefea932f6153141a6d6326157283b8ad45a508ed3e9432acfc8e6f740b623fddc9732e80a370c6ca0b0414aab99a31cfced95f5ed48

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      3ca8982e75c334d14e0fca74ff690080

      SHA1

      9fdae0e82daaf0dcbbf0861df08eff74301f3ba7

      SHA256

      900b2a3dac826b4a97760db6c859230d43fe849f744bec45ce877db436b3a50a

      SHA512

      b2adb041d208934e7f600d500754031310c3403a8e93262f015789350d4c69a6b01d4e302d33f3d0e013b3459cd37f9c44efef92140e8e8b5ead44f7eebe8fa5

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      0de72c1290c5b9d0fe1b32fe811c5705

      SHA1

      de277f5426b1d5940d72670c1e8a89be31bc11b4

      SHA256

      b2aa4efa1ea6eb71c894bdb118ee2f05b8f5823985167e5b42050cd3c6bc02de

      SHA512

      07c32d3d7faa5e00edfda2bcf46adecbffa23b8b14f4d662e3c0f4d77e3dcb85569d030204c01a8988e09f5f29b57fad423044af7d1d9d7d0327d86916a50ec5

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      2fc6aaea1b993ea49e3461fa9fca6ff9

      SHA1

      dcf09801d0b0dad83ec06486ce47c2e3b9409f65

      SHA256

      2267a0227a1566f00af01a9dae8ded66f5059de3ec0917c8e6846222778e201d

      SHA512

      495edaa81b5223c045f0fdee8d02fdcc46c978a6b8717a35c553d3f6d3b61c469fa611745e0d945b92e67a728fc3b900f24034e8fc0e863056af83b41ddb0388

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      ab2605a431b118a8f43904653d3c921e

      SHA1

      010c6dfaa8adc1b8f2711ce379063d95139d13e6

      SHA256

      ff8737a457b2a0ba4040a71b0b15b345c2fbc5e92fb5402ac27a88e0dd3e40ae

      SHA512

      968af762b462b09c143b404ecd2f6c74a28e31a63da586a024f836d2793fd0e699181b9aa180f6bc3b4c0f09fd2641cc68cada6c161584a5d40a90ac012f3e64

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Cab982C.tmp
      Filesize

      70KB

      MD5

      49aebf8cbd62d92ac215b2923fb1b9f5

      SHA1

      1723be06719828dda65ad804298d0431f6aff976

      SHA256

      b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

      SHA512

      bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Tar983F.tmp
      Filesize

      181KB

      MD5

      4ea6026cf93ec6338144661bf1202cd1

      SHA1

      a1dec9044f750ad887935a01430bf49322fbdcb7

      SHA256

      8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

      SHA512

      6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\~DF5F72849F0C42E09F.TMP
      Filesize

      16KB

      MD5

      93dc455d219cd8cfad0590ac4c9c6119

      SHA1

      8b201e2effe811c03f4c8e23942725de12a001cf

      SHA256

      1499fe469a0ab3edd3ad0f65060ca41e567ad12943f1957ce09af00b87cf8740

      SHA512

      01f9bb499f2df83a80833ac6305fcaebe6205be896b8f380d514fb28c342ff57f6510e80922ae9d37216a259d70b71ffb54f5e9b3371c62805cf9b313cf10911

      Download Submit

    • C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___75WVLOZ_.hta
      Filesize

      75KB

      MD5

      d5791064a756a563d36675d9018c8b37

      SHA1

      cfcc3520c34f2d6b2ffa0c2e18232a703c857718

      SHA256

      76fef31abd1a3d2173e1015f02717890681238e9f955787c5ea93ae9022b4b42

      SHA512

      f701eff8066781904203e294ee6c37dfcd2d120539ee5a1a2c204dfb134c276b88e43483a6e566bf6d1246ac88ec9d2634cd7da655d552ac44cac7d2a62b09e9

      Download Submit

    • C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___CXIFPVMR_.txt
      Filesize

      1KB

      MD5

      9be9af5fc5859149ce42464b4d60551a

      SHA1

      52ca768486b1e3ee6acfbbe4534b20f4555ce30b

      SHA256

      071195840ee87b148a23049d93570807b72932dbe0cecb49a1f0a510c3a30f95

      SHA512

      9499ee236a01935aff0abfb5dc959c9d2cbe698f5f68c992d3fd1dec659b66297b899aa25d5f5f0e12226bcee3ca217a1cf7d119fa6bb48fa3b589eec6ccdc5c

      Download Submit

    • memory/2856-0-0x0000000000220000-0x0000000000251000-memory.dmp

      Filesize

      196KB

      Download

    • memory/2856-89-0x0000000000400000-0x0000000000435000-memory.dmp

      Filesize

      212KB

      Download

    • memory/2856-72-0x0000000000400000-0x0000000000435000-memory.dmp

      Filesize

      212KB

      Download

    • memory/2856-48-0x0000000000400000-0x0000000000435000-memory.dmp

      Filesize

      212KB

      Download

    • memory/2856-9-0x0000000000400000-0x0000000000435000-memory.dmp

      Filesize

      212KB

      Download

    • memory/2856-5-0x0000000000400000-0x0000000000435000-memory.dmp

      Filesize

      212KB

      Download

    • memory/2856-2-0x0000000000400000-0x0000000000435000-memory.dmp

      Filesize

      212KB

      Download

    • memory/2856-1-0x0000000000400000-0x0000000000435000-memory.dmp

      Filesize

      212KB

      Download