Analysis
-
max time kernel
387s -
max time network
438s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
11-12-2024 01:06
General
-
Target
cerber.exe
-
Size
604KB
-
MD5
8b6bc16fd137c09a08b02bbe1bb7d670
-
SHA1
c69a0f6c6f809c01db92ca658fcf1b643391a2b7
-
SHA256
e67834d1e8b38ec5864cfa101b140aeaba8f1900a6e269e6a94c90fcbfe56678
-
SHA512
b53d2cc0fe5fa52262ace9f6e6ea3f5ce84935009822a3394bfe49c4d15dfeaa96bfe10ce77ffa93dbf81e5428122aa739a94bc709f203bc346597004fd75a24
-
SSDEEP
6144:yYghlI5/u8f1mr+4RJ99MpDa52RX5wRDhOOU0qsR:yYKlYmDXEpDHRXP01
Score
10/10
Malware Config
Extracted
Path
C:\Users\Admin\AppData\Roaming\Microsoft\OneNote\16.0\_R_E_A_D___T_H_I_S___KLPVQ_.txt
Family
cerber
Ransom Note
CERBER RANSOMWARE
-----
YOUR DOCUMENTS, PH0TOS, DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED!
-----
The only way to decrypt y0ur files is to receive the private key and decryption program.
To receive the private key and decryption program go to any decrypted folder,
inside there is the special file (*_READ_THIS_FILE_*) with complete instructions
how to decrypt your files.
If you cannot find any (*_READ_THIS_FILE_*) file at your PC, follow the instructions below:
-----
1. Download "Tor Browser" from https://www.torproject.org/ and install it.
2. In the "Tor Browser" open your personal page here:
http://p27dokhpz2n7nvgr.onion/66CD-5D50-A89A-0446-93ED
Note! This page is available via "Tor Browser" only.
-----
Also you can use temporary addresses on your personal page without using "Tor Browser".
-----
1. http://p27dokhpz2n7nvgr.12hygy.top/66CD-5D50-A89A-0446-93ED
2. http://p27dokhpz2n7nvgr.14ewqv.top/66CD-5D50-A89A-0446-93ED
3. http://p27dokhpz2n7nvgr.14vvrc.top/66CD-5D50-A89A-0446-93ED
4. http://p27dokhpz2n7nvgr.129p1t.top/66CD-5D50-A89A-0446-93ED
5. http://p27dokhpz2n7nvgr.1apgrn.top/66CD-5D50-A89A-0446-93ED
-----
Note! These are temporary addresses! They will be available for a limited amount of time!
-----
URLs
http://p27dokhpz2n7nvgr.onion/66CD-5D50-A89A-0446-93ED
http://p27dokhpz2n7nvgr.12hygy.top/66CD-5D50-A89A-0446-93ED
http://p27dokhpz2n7nvgr.14ewqv.top/66CD-5D50-A89A-0446-93ED
http://p27dokhpz2n7nvgr.14vvrc.top/66CD-5D50-A89A-0446-93ED
http://p27dokhpz2n7nvgr.129p1t.top/66CD-5D50-A89A-0446-93ED
http://p27dokhpz2n7nvgr.1apgrn.top/66CD-5D50-A89A-0446-93ED
Extracted
Path
C:\Users\Admin\AppData\Roaming\Microsoft\OneNote\16.0\_R_E_A_D___T_H_I_S___WNSPMU_.hta
Family
cerber
Ransom Note
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>CERBER RANSOMWARE: Instructions</title>
<HTA:APPLICATION APPLICATIONNAME="QA8" SCROLL="yes" SINGLEINSTANCE="yes" WINDOWSTATE="maximize">
<style type="text/css">
a {
color: #04a;
text-decoration: none;
}
a:hover {
text-decoration: underline;
}
body {
background-color: #e7e7e7;
color: #222;
font-family: "Lucida Sans Unicode", "Lucida Grande", sans-serif;
font-size: 13pt;
line-height: 19pt;
}
body, h1 {
margin: 0;
padding: 0;
}
hr {
color: #bda;
height: 2pt;
margin: 1.5%;
}
h1 {
color: #555;
font-size: 14pt;
}
ol {
padding-left: 2.5%;
}
ol li {
padding-bottom: 13pt;
}
small {
color: #555;
font-size: 11pt;
}
ul {
list-style-type: none;
margin: 0;
padding: 0;
}
.button {
color: #04a;
cursor: pointer;
}
.button:hover {
text-decoration: underline;
}
.container {
background-color: #fff;
border: 2pt solid #c7c7c7;
margin: 5%;
min-width: 850px;
padding: 2.5%;
}
.header {
border-bottom: 2pt solid #c7c7c7;
margin-bottom: 2.5%;
padding-bottom: 2.5%;
}
.h {
display: none;
}
.hr {
background: #bda;
display: block;
height: 2pt;
margin-top: 1.5%;
margin-bottom: 1.5%;
overflow: hidden;
width: 100%;
}
.info {
background-color: #efe;
border: 2pt solid #bda;
display: inline-block;
padding: 1.5%;
text-align: center;
}
.updating {
color: red;
display: none;
padding-left: 35px;
background: url("data:image/gif;base64,R0lGODlhGQAZAKIEAMzMzJmZmTMzM2ZmZgAAAAAAAAAAAAAAACH/C05FVFNDQVBFMi4wAwEAAAAh+QQFAAAEACwAAAAAGQAZAAADVki63P4wSEiZvLXemRf4yhYoQ0l9aMiVLISCDms+L/DIwwnfc+c3qZ9g6Hn5hkhF7YgUKI2dpvNpExJ/WKquSoMCvd9geDeuBpcuGFrcQWep5Df7jU0AACH5BAUAAAQALAoAAQAOABQAAAMwSLDU/iu+Gdl0FbTAqeXg5YCdSJCBuZVqKw5wC8/qHJv2IN+uKvytn9AnFBCHx0cCACH5BAUAAAQALAoABAAOABQAAAMzSLoEzrC5F9Wk9YK6Jv8gEYzgaH4myaVBqYbfIINyHdcDI+wKniu7YG+2CPI4RgFI+EkAACH5BAUAAAQALAQACgAUAA4AAAMzSLrcBNDJBeuUNd6WwXbWtwnkFZwMqUpnu6il06IKLChDrsxBGufAHW0C1IlwxeMieEkAACH5BAUAAAQALAEACgAUAA4AAAM0SLLU/lAtFquctk6aIe5gGA1kBpwPqVZn66hl1KINPDRB3sxAGufAHc0C1IkIxcARZ4QkAAAh+QQFAAAEACwBAAQADgAUAAADMUhK0vurSfiko8oKHC//yyCCYvmVI4cOZAq+UCCDcv3VM4cHCuDHOZ/wI/xxigDQMAEAIfkEBQAABAAsAQABAA4AFAAAAzNIuizOkLgZ13xraHVF1puEKWBYlUP1pWrLBLALz+0cq3Yg324PAUAXcNgaBlVGgPAISQAAIfkEBQAABAAsAQABABQADgAAAzRIujzOMBJHpaXPksAVHoogMlzpZWK6lF2UjgobSK9AtjSs7QTg8xCfELgQ/og9I1IxXCYAADs=") left no-repeat;
}
#change_language {
float: right;
}
#change_language, #texts div {
display: none;
}
</style>
</head>
<body>
<div class="container">
<div class="header">
<a id="change_language" href="#" onclick="return changeLanguage1();" title="English">☑ English</a>
<h1>CERBER RANSOMWARE</h1>
<small id="title">Instructions</small>
</div>
<div id="languages">
<p>☑ Select your language</p>
<ul>
<li><a href="#" title="English" onclick="return sh_bl('en');">English</a></li>
<li><a href="#" title="Arabic" onclick="return sh_bl('ar');">العربية</a></li>
<li><a href="#" title="Chinese" onclick="return sh_bl('zh');">中文</a></li>
<li><a href="#" title="Dutch" onclick="return sh_bl('nl');">Nederlands</a></li>
<li><a href="#" title="French" onclick="return sh_bl('fr');">Français</a></li>
<li><a href="#" title="German" onclick="return sh_bl('de');">Deutsch</a></li>
<li><a href="#" title="Italian" onclick="return sh_bl('it');">Italiano</a></li>
<li><a href="#" title="Japanese" onclick="return sh_bl('ja');">日本語</a></li>
<li><a href="#" title="Korean" onclick="return sh_bl('ko');">한국어</a></li>
<li><a href="#" title="Polish" onclick="return sh_bl('pl');">Polski</a></li>
<li><a href="#" title="Portuguese" onclick="return sh_bl('pt');">Português</a></li>
<li><a href="#" title="Spanish" onclick="return sh_bl('es');">Español</a></li>
<li><a href="#" title="Turkish" onclick="return sh_bl('tr');">Türkçe</a></li>
</ul>
</div>
<div id="texts">
<div id="en">
<p>Can't yo<span class="h">6OJEpVfz</span>u find the necessary files?<br>Is the c<span class="h">R</span>ontent of your files not readable?</p>
<p>It is normal be<span class="h">tsyiEQK8</span>cause the files' names and the data in your files have been encryp<span class="h">CSeg</span>ted by "Ce<span class="h">jAQO</span>rber Ransomware".</p>
<p>It me<span class="h">Oh5kTmNiSz</span>ans your files are NOT damage<span class="h">H8DPioX</span>d! Your files are modified only. This modification is reversible.<br>F<span class="h">IRaw</span>rom now it is not poss<span class="h">zXk</span>ible to use your files until they will be decrypted.</p>
<p>The only way to dec<span class="h">aLeRILZ93b</span>rypt your files safely is to buy the special decryption software "C<span class="h">jCA7h47Y</span>erber Decryptor".</p>
<p>Any attempts to rest<span class="h">w</span>ore your files with the thir<span class="h">L</span>d-party software will be fatal for your files!</p>
<hr>
<p class="w331208">You can proc<span class="h">8wCY71n</span>eed with purchasing of the decryption softw<span class="h">QIzEHw99U0</span>are at your personal page:</p>
<p><span class="info"><span class="updating">Ple<span class="h">1Ah9l</span>ase wait...</span><a class="url" href="http://p27dokhpz2n7nvgr.12hygy.top/66CD-5D50-A89A-0446-93ED" target="_blank">http://p27dokhpz2n7nvgr.12hygy.top/66CD-5D50-A89A-0446-93ED</a><hr><a href="http://p27dokhpz2n7nvgr.14ewqv.top/66CD-5D50-A89A-0446-93ED" target="_blank">http://p27dokhpz2n7nvgr.14ewqv.top/66CD-5D50-A89A-0446-93ED</a><hr><a href="http://p27dokhpz2n7nvgr.14vvrc.top/66CD-5D50-A89A-0446-93ED" target="_blank">http://p27dokhpz2n7nvgr.14vvrc.top/66CD-5D50-A89A-0446-93ED</a><hr><a href="http://p27dokhpz2n7nvgr.129p1t.top/66CD-5D50-A89A-0446-93ED" target="_blank">http://p27dokhpz2n7nvgr.129p1t.top/66CD-5D50-A89A-0446-93ED</a><hr><a href="http://p27dokhpz2n7nvgr.1apgrn.top/66CD-5D50-A89A-0446-93ED" target="_blank">http://p27dokhpz2n7nvgr.1apgrn.top/66CD-5D50-A89A-0446-93ED</a></span></p>
<p>If t<span class="h">boL4</span>his page cannot be opened <span class="button" onclick="return _url_upd_('en');">cli<span class="h">Ra7LaTQK1</span>ck here</span> to get a new addr<span class="h">2grGsbX9Q</span>ess of your personal page.<br><br>If the addre<span class="h">SUIW</span>ss of your personal page is the same as befo<span class="h">0eg1w</span>re after you tried to get a new one,<br>you c<span class="h">CBdo</span>an try to get a new address in one hour.</p>
<p>At th<span class="h">1</span>is page you will receive the complete instr<span class="h">rBwou</span>uctions how to buy the decrypti<span class="h">tULjt1HsS</span>on software for restoring all your files.</p>
<p>Also at this page you will be able to res<span class="h">h2</span>tore any one file for free to be sure "Cerbe<span class="h">Zz1FSZaaJ</span>r Decryptor" will help you.</p>
<hr>
<p>If your per<span class="h">DYY1ouUVo</span>sonal page is not availa<span class="h">oGuXO</span>ble for a long period there is another way to open your personal page - insta<span class="h">OeQfA</span>llation and use of Tor Browser:</p>
<ol>
<li>run your Inte<span class="h">i8On2uSa</span>rnet browser (if you do not know what it is run the Internet Explorer);</li>
<li>ent<span class="h">l</span>er or copy the address <a href="https://www.torproject.org/download/download-easy.html.en" target="_blank">https://www.torproject.org/download/download-easy.html.en</a> into the address bar of your browser and press ENTER;</li>
<li>wait for the site load<span class="h">63tnTL</span>ing;</li>
<li>on the site you will be offered to do<span class="h">hTwLXj</span>wnload Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed;</li>
<li>ru<span class="h">hUD0Eafu</span>n Tor Browser;</li>
<li>connect with the butt<span class="h">K7EAJCIn</span>on "Connect" (if you use the English version);</li>
<li>a normal Internet bro<span class="h">oASklpd</span>wser window will be opened after the initialization;</li>
<li>type or copy the add<span class="h">EHyJ</span>ress <br><span class="info">http://p27dokhpz2n7nvgr.onion/66CD-5D50-A89A-0446-93ED</span><br> in this browser address bar;</li>
<li>pre<span class="h">eZc</span>ss ENTER;</li>
<li>the site sho<span class="h">TBn58Ic9R0</span>uld be loaded; if for some reason the site is not lo<span class="h">ZWP8d8Ct</span>ading wait for a moment and try again.</li>
</ol>
<p>If you have any pr<span class="h">f27JFG</span>oblems during installation or use of Tor Browser, please, visit <a href="https://www.youtube.com/results?search_query=Install+Tor+Browser+Windows" target="_blank">https://www.youtube.com</a> and type request in the searc<span class="h">lHFFU</span>h bar "Install Tor Browser Windows" and you will find a lot of training videos about Tor Browser installation and use.</p>
<hr>
<p><strong>Addit<span class="h">9PYLWO</span>ional information:</strong></p>
<p>You will fi<span class="h">SZhDD</span>nd the instru<span class="h">97wk1feKS</span>ctions ("*_READ_THIS_FILE_*.hta") for re<span class="h">uFy18</span>storing your files in any f<span class="h">VVK9</span>older with your enc<span class="h">N7x</span>rypted files.</p>
<p>The instr<span class="h">9vT</span>uctions "*_READ_THIS_FILE_*.hta" in the f<span class="h">hYfAUTgK</span>older<span class="h">yoeKnU</span>s with your encry<span class="h">3rzN</span>pted files are not vir<span class="h">pRhG18IM</span>uses! The instruc<span class="h">EjmdJ</span>tions "*_READ_THIS_FILE_*.hta" will he<span class="h">Xw5xYo9ap</span>lp you to dec<span class="h">v</span>rypt your files.</p>
<p>Remembe<span class="h">xwOEk</span>r! The worst si<span class="h">batC</span>tuation already happ<span class="h">vQT73zAP2u</span>ened and now the future of your files de<span class="h">eS</span>pends on your determ<span class="h">wgqJmtk</span>ination and speed of your actions.</p>
</div>
<div id="ar" style="direction: rtl;">
<p>لا يمكنك العثور على الملفات الضرورية؟<br>هل محتوى الملفات غير قابل للقراءة؟</p>
<p>هذا أمر طبيعي لأن أسماء الملفات والبيانات في الملفات قد تم تشفيرها بواسطة "Cerber Ransomware".</p>
<p>وهذا يعني أن الملفات الخاصة بك ليست تالفة! فقد تم تعديل ملفاتك فقط. ويمكن التراجع عن هذا.<br>ومن الآن فإنه لا يكن استخدام الملفات الخاصة بك حتى يتم فك تشفيرها.</p>
<p>الطريقة الوحيدة لفك تشفير ملفاتك بأمان هو أن تشتري برنامج فك التشفير المتخصص "Cerber Decryptor".</p>
<p>إن أية محاولات لاستعادة الملفات الخاصة بك بواسطة برامج من طرف ثالث سوف تكون مدمرة لملفاتك!</p>
<hr>
<p>يمكنك الشروع في شراء برنامج فك التشفير من صفحتك الشخصية:</p>
<p><span class="info"><span class="updating">أرجو الإنتظار...</span><a class="url" href="http://p27dokhpz2n7nvgr.12hygy.top/66CD-5D50-A89A-0446-93ED" target="_blank">http://p27dokhpz2n7nvgr.12hygy.top/66CD-5D50-A89A-0446-93ED</a><hr><a href="http://p27dokhpz2n7nvgr.14ewqv.top/66CD-5D50-A89A-0446-93ED" target="_blank">http://p27dokhpz2n7nvgr.14ewqv.top/66CD-5D50-A89A-0446-93ED</a><hr><a href="http://p27dokhpz2n7nvgr.14vvrc.top/66CD-5D50-A89A-0446-93ED" target="_blank">http://p27dokhpz2n7nvgr.14vvrc.top/66CD-5D50-A89A-0446-93ED</a><hr><a href="http://p27dokhpz2n7nvgr.129p1t.top/66CD-5D50-A89A-0446-93ED" target="_blank">http://p27dokhpz2n7nvgr.129p1t.top/66CD-5D50-A89A-0446-93ED</a><hr><a href="http://p27dokhpz2n7nvgr.1apgrn.top/66CD-5D50-A89A-0446-93ED" target="_blank">http://p27dokhpz2n7nvgr.1apgrn.top/66CD-5D50-A89A-0446-93ED</a></span></p>
<p>في حالة تعذر فتح هذه الصفحة <span class="button" onclick="return _url_upd_('ar');">انقر هنا</span> لإنشاء عنوان جديد لصفحتك الشخصية.</p>
<p>في هذه الصفحة سوف تتلقى تعليمات كاملة حول كيفية شراء برنامج فك التشفير لاستعادة جميع الملفات الخاصة بك.</p>
<p>في هذه الصفحة أيضًا سوف تتمكن من استعادة ملف واحد بشكل مجاني للتأكد من أن "Cerber Decryptor" سوف يساعدك.</p>
<hr>
<p>إذا كانت صفحتك الشخصية غير متاحة لفترة طويلة فإن ثمّة طريقة أخرى لفتح صفحتك الشخصية - تحميل واستخدام متصفح Tor:</p>
<ol>
<li>قم بتشغيل متصفح الإنترنت الخاص بك (إذا كنت لا تعرف ما هو قم بتشغيل إنترنت إكسبلورر);</li>
<li>قم بكتابة أو نسخ العنوان <a href="https://www.torproject.org/download/download-easy.html.en" target="_blank">https://www.torproject.org/download/download-easy.html.en</a> إلى شريط العنوان في المستعرض الخاص بك ثم اضغط ENTER;</li>
<li>انتظر لتحميل الموقع;</li>
<li>سوف يعرض عليك الموقع تحميل متصفح Tor. قم بتحميله وتشغيله، واتبع تعليمات التثبيت، وانتظر حتى اكتمال التثبيت;</li>
<li>قم بتشغيل متصفح Tor;</li>
<li>اضغط على الزر "Connect" (إذا كنت تستخدم النسخة الإنجليزية);</li>
<li>سوف تُفتح نافذة متصفح الإنترنت العادي بعد البدء;</li>
<li>قم بكتابة أو نسخ العنوان <br><span class="info">http://p27dokhpz2n7nvgr.onion/66CD-5D50-A89A-0446-93ED</span><br> في شريط العنوان في المتصفح;</li>
<li>اضغط ENTER;</li>
<li>يجب أن يتم تحميل الموقع؛ إذا لم يتم تحميل الموقع لأي سبب، انتظر للحظة وحاول مرة أخرى.</li>
</ol>
<p>إذا كان لديك أية مشكلات أثناء عملية التثبيت أو استخدام متصفح Tor، يُرجى زيارة <a href="https://www.youtube.com/results?search_query=Install+Tor+Browser+Windows" target="_blank">https://www.youtube.com</a> واكتب الطلب "install tor browser windows" أو "تثبيت نوافذ متصفح Tor" في شريط البحث، وسوف تجد الكثير من أشرطة الفيديو للتدريب حول تثبيت متصفح Tor واستخدامه.</p>
<hr>
<p><strong>معلومات إض<span class="h">Ca2E3vXR</span>افية:</strong></p>
<p>س<span class="h">Iq</span>وف تجد إرشادات استعادة الملفات الخاصة بك ("*_READ_THIS_FILE_*") في أي مجلد مع ملفاتك المشفرة.</p>
<p>الإرش<span class="h">X</span>ادات ("*_READ_THIS_FILE_*") الموجودة في المجلدات مع ملفاتك المشفرة ليست فيروسات والإرشادات ("*_READ_THIS_FILE_*") سوف تساعدك على فك تشفير الملفات الخاصة بك.</p>
<p>تذكر أن أسوأ مو<span class="h">v9jcWaqX</span>قف قد حدث بالفعل، والآن مستقبل ملفاتك يعتمد على عزيمتك وسرعة الإجراءات الخاصة بك.</p>
</div>
<div id="zh">
<p>您找不到所需的文件?<br>您文件的内容无法阅读?</p>
<p>这是正常的,因为您文件的文件名和数据已经被“Cerber Ransomware”加密了。</p>
<p>这意味着您的文件并没有损坏!您的文件只是被修�
Signatures
-
Cerber
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
-
Cerber family
-
Contacts a large (1105) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Modifies Windows Firewall 2 TTPs 2 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 1 IoCs
-
Drops file in System32 directory 38 IoCs
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
-
Drops file in Program Files directory 20 IoCs
-
Drops file in Windows directory 64 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
-
System Location Discovery: System Language Discovery 1 TTPs 9 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Kills process with taskkill 1 IoCs
-
Modifies registry class 1 IoCs
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 11 IoCs
-
Suspicious behavior: LoadsDriver 6 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs
-
Suspicious use of AdjustPrivilegeToken 8 IoCs
-
Suspicious use of FindShellTrayWindow 57 IoCs
-
Suspicious use of SendNotifyMessage 55 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\cerber.exe"C:\Users\Admin\AppData\Local\Temp\cerber.exe"1⤵
- Checks computer location settings
- Drops startup file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exeC:\Windows\system32\netsh.exe advfirewall set allprofiles state on2⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exeC:\Windows\system32\netsh.exe advfirewall reset2⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___0C46TXZ_.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___ST6U_.txt2⤵
- System Location Discovery: System Language Discovery
- Opens file in notepad (likely ransom note)
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im "cerber.exe"3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\PING.EXEping -n 1 127.0.0.13⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffc0a2d46f8,0x7ffc0a2d4708,0x7ffc0a2d47182⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,6344900707832389799,58609180480486661,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2072 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2060,6344900707832389799,58609180480486661,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2060,6344900707832389799,58609180480486661,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2716 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,6344900707832389799,58609180480486661,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3412 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,6344900707832389799,58609180480486661,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,6344900707832389799,58609180480486661,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5088 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,6344900707832389799,58609180480486661,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5028 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,6344900707832389799,58609180480486661,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3636 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,6344900707832389799,58609180480486661,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3636 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,6344900707832389799,58609180480486661,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3772 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,6344900707832389799,58609180480486661,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5364 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,6344900707832389799,58609180480486661,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5088 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,6344900707832389799,58609180480486661,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5608 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,6344900707832389799,58609180480486661,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5108 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,6344900707832389799,58609180480486661,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5164 /prefetch:12⤵
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___0C46TXZ_.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}1⤵
- System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Persistence
Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Defense Evasion
Impair Defenses
1Disable or Modify System Firewall
1Modify Registry
1Discovery
Browser Information Discovery
1Network Service Discovery
1Peripheral Device Discovery
1Query Registry
3Remote System Discovery
1System Information Discovery
4System Location Discovery
1System Language Discovery
1System Network Configuration Discovery
1Internet Connection Discovery
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD5e443ee4336fcf13c698b8ab5f3c173d0
SHA19bf70b16f03820cbe3158e1f1396b07b8ac9d75a
SHA25679e277da2074f9467e0518f0f26ca2ba74914bee82553f935a0ccf64a0119e8b
SHA512cbf6f6aa0ea69b47f51592296da2b7be1180e7b483c61b4d17ba9ee1a2d3345cbe0987b96f4e25de1438b553db358f330aad8a26e8522601f055c3d5a8313cdd
-
Filesize
152B
MD556a4f78e21616a6e19da57228569489b
SHA121bfabbfc294d5f2aa1da825c5590d760483bc76
SHA256d036661e765ee8fd18978a2b5501e8df6b220e4bca531d9860407555294c96fb
SHA512c2c3cd1152bb486028fe75ab3ce0d0bc9d64c4ca7eb8860ddd934b2f6e0140d2c913af4fa082b88e92a6a6d20fd483a1cb9813209f371a0f56374bc97d7f863b
-
Filesize
180B
MD500a455d9d155394bfb4b52258c97c5e5
SHA12761d0c955353e1982a588a3df78f2744cfaa9df
SHA25645a13c77403533b12fbeeeb580e1c32400ca17a32e15caa8c8e6a180ece27fed
SHA5129553f8553332afbb1b4d5229bbf58aed7a51571ab45cbf01852b36c437811befcbc86f80ec422f222963fa7dabb04b0c9ae72e9d4ff2eeb1e58cde894fbe234f
-
Filesize
6KB
MD5ab17f55ea799cfdc92c0754eb390ab8e
SHA19f359cf270583b0c1bd1a5f662a20657ee216450
SHA256e1fb6847974babea52966c4223acaca1f1315ee9c2a5d8799f2749aaf0a0a897
SHA51296ded6f6e4e73a1f10375b473ba3a7d7f969e01f4e71485a7e1bdf4d7956713ad25ff1ebbecb3f58972a828ef5caeaf5769e881178c2da62c718b0194653712f
-
Filesize
5KB
MD5db0d7280431265238936218233a52f1f
SHA1bd89305688f3a6115f1c31165be7d295988cd870
SHA256117e62a9ed8ac1cbe10a2a20a44fcedd743ef70689e58eca059533a7f7fae81b
SHA512be08dfd28c15cc1bd0dd64229b4f3c943cc60d2c8841992947cae9ea6627121479f613d5d32db173edd9b6f351f4dcf30fbfd43742b259d23403ba52469b3239
-
Filesize
6KB
MD568fc6bc3e6f20fbbe40e32422f7244ec
SHA1d1bac2d0172e2df9a5786f533eefe9e52623c7f7
SHA256389d78f940c847669f26bd8e7ce011f7e56ebc55d73c30ee9ec8bfa98861bdca
SHA5125aa67cef5c6c875e78af0ba21dcd4377d89777744b28ad68edc5d7567b250303824148c02cc6196586437d100aa81c1e2118479f7cec7b9ae18b9b5dc3d5f679
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
10KB
MD57e2ea7e39620663d9fc76976ff0b63ac
SHA193b597d778047cff6a8203115a70e41be5e2deca
SHA256388aaa0452ce4ef363fc6721a386cfb9589d51cc177742e654c0273592ef194e
SHA512a65ed091142f0c8f69f4fa27a9c357688eebd7bedbd2e55624bc9e7c2c765a8b90ce21902c1490c2a1d86da65fde18d1252d4cafec16d9c7c1c3bccb77bceb35
-
Filesize
10KB
MD5f8202e074c06ca6dba4af0360a3b72ab
SHA1099c8ec4fe413eba36fd4eb2ff5a906f00449018
SHA256592456bad8831e6b3cce9cd9905a7da6c2f25865c0378fc70200760da261998e
SHA512762afcc1b7f76896e77bb9b2f1672d0e925c17f4c51239069ebf29c7c15301869020a0b28026e2099a427e075c6f194288a8c158a3886136a34e6a32f023b0d5
-
Filesize
1KB
MD5072cf8f0b673a8aa14c157793e47c9b6
SHA1191176828aea22a24386855b90c7469ee4fd952e
SHA256dd33d6ebf79c6a1e6f5f5697f7c68e7f00d7625768feadea34a00f15810994f2
SHA51256c16a7bc4d71f3e3a11d1ce5e670290ba48bb4872d789b0046f9770e41cd93a708f76bd5896e1ad7d243e186effede256155c1b51f4dc0f6b7af5d418aae51a
-
Filesize
75KB
MD5bb5ddd9d47b8d2a19666ddacbc9b236e
SHA149438b338e946ef31f6146d9a0c136805363b52a
SHA256bf1c2333a0eab1f612b7056d8c1349352a31c39bc00c449679894d65ab5a222a
SHA5129b62c6f05f5bdbba9e8a93e070ab54ed8f1a995a112da768ecc2ac811424caeabc41b0185e3978e50c7a944064b42d3788d874cb2d7afdf087ec3c1d65858ca6
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
196KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
68KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB