Analysis
-
max time kernel
141s -
max time network
146s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
-
submitted
19-12-2024 14:58
General
-
Target
2024-12-19_9f31951792a258b5181a02a6ccb6bba8_cerber.exe
-
Size
440KB
-
MD5
9f31951792a258b5181a02a6ccb6bba8
-
SHA1
b92b54cf848590ed827e6927fb99b8bfdaf9c2db
-
SHA256
03280896d436d8f027168a2bbfdcb6c0ed58f4410bfafd471905b9c5394b1384
-
SHA512
e4b60b71c002e2f1b6baf718ece6c36e3f8637fc783735225742a2511d36d6b28e0cdc78cff6606877bb2af9f6f2bfb3fe3afe3daef9f858d1d90fcba0139a51
-
SSDEEP
6144:Wm7VLm9avt6YL0YAatyIwxSv1X793VvrFvFn/13JPT9f13dHj9vlf7dHVnDFPVP8:v7Rm9GjQ9
Score
10/10
Malware Config
Extracted
Path
C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\@[email protected]
Ransom Note
C_E_R_B_E_R R_A_N_S_O_M_W_A_R_E
#########################################################################
Cannot you find the files you need?
Is the content of the files that you looked for not readable???
It is normal because the files' names, as well as the data in your files
have been encrypted.
Great!
You have turned to be a part of a big community "#Cerb3r Ransomware".
#########################################################################
!!! If you are reading this message it means the software "Cerber" has
!!! been removed from your computer.
!!! HTML instruction ("# DECRYPT MY FILES #.html") always contains a
!!! working domain of your personal page!
#########################################################################
What is encryption?
-------------------
Encryption is a reversible modification of information for security
reasons but providing full access to it for authorized users.
To become an authorized user and keep the modification absolutely
reversible (in other words to have a possibility to decrypt your files)
you should have an individual private key.
But not only it.
It is required also to have the special decryption software
(in your case "Cerber Decryptor" software) for safe and complete
decryption of all your files and data.
#########################################################################
Everything is clear for me but what should I do?
------------------------------------------------
The first step is reading these instructions to the end.
Your files have been encrypted with the "Cerber Ransomware" software; the
instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt")
in the folders with your encrypted files are not viruses, they will
help you.
After reading this text the most part of people start searching in the
Internet the words the "Cerber Ransomware" where they find a lot of
ideas, recommendations and instructions.
It is necessary to realize that we are the ones who closed the lock on
your files and we are the only ones who have this secret key to
open them.
!!! Any attempts to return your files with the third-party tools can
!!! be fatal for your encrypted files.
The most part of the third-party software change data within the
encrypted file to restore it but this causes damage to the files.
Finally it will be impossible to decrypt your files.
When you make a puzzle, but some items are lost, broken or not put in its
place - the puzzle items will never match, the same way the third-party
software will ruin your files completely and irreversibly.
You should realize that any intervention of the third-party software to
restore files encrypted with the "Cerber Ransomware" software may be
fatal for your files.
#########################################################################
!!! There are several plain steps to restore your files but if you do
!!! not follow them we will not be able to help you, and we will not try
!!! since you have read this warning already.
#########################################################################
For your information the software to decrypt your files (as well as the
private key provided together) are paid products.
After purchase of the software package you will be able to:
1. decrypt all your files;
2. work with your documents;
3. view your photos and other media;
4. continue your usual and comfortable work at the computer.
If you understand all importance of the situation then we propose to you
to go directly to your personal page where you will receive the complete
instructions and guarantees to restore your files.
#########################################################################
There is a list of temporary addresses to go on your personal page below:
_______________________________________________________________________
|
| 1. http://4kqd3hmqgptupi3p.asfall.in/F49B-562C-DE11-0080-630E
|
| 2. http://4kqd3hmqgptupi3p.choiceher.win/F49B-562C-DE11-0080-630E
|
| 3. http://4kqd3hmqgptupi3p.aredark.mobi/F49B-562C-DE11-0080-630E
|
| 4. http://4kqd3hmqgptupi3p.foodtopic.mobi/F49B-562C-DE11-0080-630E
|
| 5. http://4kqd3hmqgptupi3p.onion.to/F49B-562C-DE11-0080-630E
|_______________________________________________________________________
#########################################################################
What should you do with these addresses?
----------------------------------------
If you read the instructions in TXT format (if you have instruction in
HTML (the file with an icon of your Internet browser) then the easiest
way is to run it):
1. take a look at the first address (in this case it is
http://4kqd3hmqgptupi3p.asfall.in/F49B-562C-DE11-0080-630E);
2. select it with the mouse cursor holding the left mouse button and
moving the cursor to the right;
3. release the left mouse button and press the right one;
4. select "Copy" in the appeared menu;
5. run your Internet browser (if you do not know what it is run the
Internet Explorer);
6. move the mouse cursor to the address bar of the browser (this is the
place where the site address is written);
7. click the right mouse button in the field where the site address
is written;
8. select the button "Insert" in the appeared menu;
9. then you will see the address
http://4kqd3hmqgptupi3p.asfall.in/F49B-562C-DE11-0080-630E
appeared there;
10. press ENTER;
11. the site should be loaded; if it is not loaded repeat the same
instructions with the second address and continue until the last
address if falling.
If for some reason the site cannot be opened check the connection to the
Internet; if the site still cannot be opened take a look at the
instructions on omitting the point about working with the addresses in
the HTML instructions.
If you browse the instructions in HTML format:
1. click the left mouse button on the first address (in this case it is
http://4kqd3hmqgptupi3p.asfall.in/F49B-562C-DE11-0080-630E);
2. in a new tab or window of your web browser the site should be loaded;
if it is not loaded repeat the same instructions with the second
address and continue until the last address.
If for some reason the site cannot be opened check the connection to
the Internet.
#########################################################################
Unfortunately these sites are short-term since the antivirus companies
are interested in you do not have a chance to restore your files but
continue to buy their products.
Unlike them we are ready to help you always.
If you need our help but the temporary sites are not available:
1. run your Internet browser (if you do not know what it is run the
Internet Explorer);
2. enter or copy the address
https://www.torproject.org/download/download-easy.html.en into the
address bar of your browser and press ENTER;
3. wait for the site loading;
4. on the site you will be offered to download Tor Browser; download and
run it, follow the installation instructions, wait until the
installation is completed;
5. run Tor Browser;
6. connect with the button "Connect" (if you use the English version);
7. a normal Internet browser window will be opened after
the initialization;
8. type or copy the address
________________________________________________________
| |
| http://4kqd3hmqgptupi3p.onion/F49B-562C-DE11-0080-630E |
|________________________________________________________|
in this browser address bar;
9. press ENTER;
10. the site should be loaded; if for some reason the site is not loading
wait for a moment and try again.
If you have any problems during installation or operation of Tor Browser,
please, visit https://www.youtube.com/ and type request in the search bar
"install tor browser windows" and you will find a lot of training videos
about Tor Browser installation and operation.
If TOR address is not available for a long period (2-3 days) it means you
are late; usually you have about 2-3 weeks after reading the instructions
to restore your files.
#########################################################################
Additional information:
You will find the instructions for restoring your files in those folders
where you have your encrypted files only.
The instructions are made in two file formats - HTML and TXT for
your convenience.
Unfortunately antivirus companies cannot protect or restore your files
but they can make the situation worse removing the instructions how to
restore your encrypted files.
The instructions are not viruses; they have informative nature only, so
any claims on the absence of any instruction files you can send to your
antivirus company.
#########################################################################
Cerber Ransomware Project is not malicious and is not intended to harm a
person and his/her information data.
The project is created for the sole purpose of instruction regarding
information security, as well as certification of antivirus software for
their suitability for data protection.
Together we make the Internet a better and safer place.
#########################################################################
If you look through this text in the Internet and realize that something
is wrong with your files but you do not have any instructions to restore
your files, please, contact your antivirus support.
#########################################################################
Remember that the worst situation already happened and now it depends on
your determination and speed of your actions the further life of
your files.
URLs
http://4kqd3hmqgptupi3p.asfall.in/F49B-562C-DE11-0080-630E
http://4kqd3hmqgptupi3p.choiceher.win/F49B-562C-DE11-0080-630E
http://4kqd3hmqgptupi3p.aredark.mobi/F49B-562C-DE11-0080-630E
http://4kqd3hmqgptupi3p.foodtopic.mobi/F49B-562C-DE11-0080-630E
http://4kqd3hmqgptupi3p.onion.to/F49B-562C-DE11-0080-630E
http://4kqd3hmqgptupi3p.onion/F49B-562C-DE11-0080-630E
Extracted
Path
C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\@[email protected]
Ransom Note
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>Cerber Ransomware</title>
<style>
a {
color: #47c;
text-decoration: none;
}
a:hover {
text-decoration: underline;
}
body {
background-color: #e7e7e7;
color: #333;
font-family: "Helvetica Neue", Helvetica, "Segoe UI", Arial, freesans, sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol";
font-size: 16px;
line-height: 1.6;
margin: 0;
padding: 0;
}
hr {
background-color: #e7e7e7;
border: 0 none;
border-bottom: 1px solid #c7c7c7;
height: 5px;
margin: 30px 0;
}
li {
padding: 0 0 7px 7px;
}
ol {
padding-left: 3em;
}
.container {
background-color: #fff;
border: 1px solid #c7c7c7;
margin: 40px;
padding: 40px 40px 20px 40px;
}
.info, .tor {
background-color: #efe;
border: 1px solid #bda;
display: block;
padding: 0px 20px;
}
.logo {
font-size: 12px;
font-weight: bold;
line-height: 1;
margin: 0;
}
.upd_on {
color: red;
display: block;
}
.upd_off {
display: none;
float: left;
}
.tor {
padding: 10px 0;
text-align: center;
}
.url {
margin-right: 5px;
}
.warning {
background-color: #f5e7e7;
border: 1px solid #ebccd1;
color: #a44;
display: block;
padding: 15px 10px;
text-align: center;
}
</style>
</head>
<body>
<div class="container">
<h3>C E R B E R R A N S O M W A R E</h3>
<hr>
<p>Cannot you find the files you need?<br>Is the content of the files that you looked for not readable?</p>
<p>It is normal because the files' names, as well as the data in your files have been encrypted.</p>
<p>Great!<br>You have turned to be a part of a big community "#C3rber Ransomware".</p>
<hr>
<p><span class="warning">If you are reading this message it means the software "Cerber" has been removed from your computer.</span></p>
<hr>
<h3>What is encryption?</h3>
<p>Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users.</p>
<p>To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key.</p>
<p>But not only it.</p>
<p>It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data.</p>
<hr>
<h3>Everything is clear for me but what should I do?</h3>
<p>The first step is reading these instructions to the end.</p>
<p>Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you.</p>
<p>After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions.</p>
<p>It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them.</p>
<p><span class="warning">!Any attempts to get back your files with the third-party tools can be fatal for your encrypted files!</span></p>
<p>The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files.</p>
<p>Finally it will be impossible to decrypt your files!</p>
<p>When you make a puzzle, but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly.</p>
<p>You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files.</p>
<hr>
<p><span class="warning">There are several plain steps to restore your files but if you do not follow them we will not be able to help you, and we will not try since you have read this warning already.</span></p>
<hr>
<p>For your information the software to decrypt your files (as well as the private key provided together) are paid products.</p>
<p>After purchase of the software package you will be able to:</p>
<ol>
<li>decrypt all your files;</li>
<li>work with your documents;</li>
<li>view your photos and other media;</li>
<li>continue your usual and comfortable work at the computer.</li>
</ol>
<p>If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files.</p>
<hr>
<div class="info">
<p>There is a list of temporary addresses to go on your personal page below:</p>
<ol>
<li><span class="upd_off" id="upd_1">Please wait...</span><a class="url" href="http://4kqd3hmqgptupi3p.asfall.in/F49B-562C-DE11-0080-630E" id="url_1" target="_blank">http://4kqd3hmqgptupi3p.asfall.in/F49B-562C-DE11-0080-630E</a>(<a href="#updateUrl" onClick="return updateUrl();" style="color: red;">Get a NEW address!</a>)</li>
<li><a href="http://4kqd3hmqgptupi3p.choiceher.win/F49B-562C-DE11-0080-630E" target="_blank">http://4kqd3hmqgptupi3p.choiceher.win/F49B-562C-DE11-0080-630E</a></li>
<li><a href="http://4kqd3hmqgptupi3p.aredark.mobi/F49B-562C-DE11-0080-630E" target="_blank">http://4kqd3hmqgptupi3p.aredark.mobi/F49B-562C-DE11-0080-630E</a></li>
<li><a href="http://4kqd3hmqgptupi3p.foodtopic.mobi/F49B-562C-DE11-0080-630E" target="_blank">http://4kqd3hmqgptupi3p.foodtopic.mobi/F49B-562C-DE11-0080-630E</a></li>
<li><a href="http://4kqd3hmqgptupi3p.onion.to/F49B-562C-DE11-0080-630E" target="_blank">http://4kqd3hmqgptupi3p.onion.to/F49B-562C-DE11-0080-630E</a></li>
</ol>
</div>
<hr>
<h3>What should you do with these addresses?</h3>
<p>If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it):</p>
<ol>
<li>take a look at the first address (in this case it is <span class="upd_off" id="upd_2">Please wait...</span><a class="url" href="http://4kqd3hmqgptupi3p.asfall.in/F49B-562C-DE11-0080-630E" id="url_2" target="_blank">http://4kqd3hmqgptupi3p.asfall.in/F49B-562C-DE11-0080-630E</a>);</li>
<li>select it with the mouse cursor holding the left mouse button and moving the cursor to the right;</li>
<li>release the left mouse button and press the right one;</li>
<li>select "Copy" in the appeared menu;</li>
<li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li>
<li>move the mouse cursor to the address bar of the browser (this is the place where the site address is written);</li>
<li>click the right mouse button in the field where the site address is written;</li>
<li>select the button "Insert" in the appeared menu;</li>
<li>then you will see the address <span class="upd_off" id="upd_3">Please wait...</span><a class="url" href="http://4kqd3hmqgptupi3p.asfall.in/F49B-562C-DE11-0080-630E" id="url_3" target="_blank">http://4kqd3hmqgptupi3p.asfall.in/F49B-562C-DE11-0080-630E</a> appeared there;</li>
<li>press ENTER;</li>
<li>the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling.</li>
</ol>
<p>If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions.</p>
<p>If you browse the instructions in HTML format:</p>
<ol>
<li>click the left mouse button on the first address (in this case it is <span class="upd_off" id="upd_4">Please wait...</span><a class="url" href="http://4kqd3hmqgptupi3p.asfall.in/F49B-562C-DE11-0080-630E" id="url_4" target="_blank">http://4kqd3hmqgptupi3p.asfall.in/F49B-562C-DE11-0080-630E</a>);</li>
<li>in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address.</li>
</ol>
<p>If for some reason the site cannot be opened check the connection to the Internet.</p>
<hr>
<p>Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products.</p>
<p>Unlike them we are ready to help you always.</p>
<p>If you need our help but the temporary sites are not available:</p>
<ol>
<li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li>
<li>enter or copy the address <a href="https://www.torproject.org/download/download-easy.html.en" target="_blank">https://www.torproject.org/download/download-easy.html.en</a> into the address bar of your browser and press ENTER;</li>
<li>wait for the site loading;</li>
<li>on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed;</li>
<li>run Tor Browser;</li>
<li>connect with the button "Connect" (if you use the English version);</li>
<li>a normal Internet browser window will be opened after the initialization;</li>
<li>type or copy the address <span class="tor">http://4kqd3hmqgptupi3p.onion/F49B-562C-DE11-0080-630E</span> in this browser address bar;</li>
<li>press ENTER;</li>
<li>the site should be loaded; if for some reason the site is not loading wait for a moment and try again.</li>
</ol>
<p>If you have any problems during installation or operation of Tor Browser, please, visit <a href="https://www.youtube.com/results?search_query=install+tor+browser+windows" target="_blank">https://www.youtube.com/</a> and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation.</p>
<p>If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files.</p>
<hr>
<h3>Additional information:</h3>
<p>You will find the instructions for restoring your files in those folders where you have your encrypted files only.</p>
<p>The instructions are made in two file formats - HTML and TXT for your convenience.</p>
<p>Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files.</p>
<p>The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company.</p>
<hr>
<p>Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data.</p>
<p>The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection.</p>
<p>Together we make the Internet a better and safer place.</p>
<hr>
<p>If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support.</p>
<hr>
<p>Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files.</p>
</div>
<script>
function getXMLHttpRequest() {
if (window.XMLHttpRequest) {
return new window.XMLHttpRequest;
}
else {
try {
return new ActiveXObject("MSXML2.XMLHTTP.3.0");
}
catch(error) {
return null;
}
}
}
function getUrlContent(url, callback) {
var xhttp = getXMLHttpRequest();
if (xhttp) {
xhttp.onreadystatechange = function() {
if (xhttp.readyState == 4) {
if (xhttp.status == 200) {
return callback(xhttp.responseText.replace(/[\s ]+/gm, ""), null);
}
else {
return callback(null, true);
}
}
};
xhttp.open("GET", url + '?_=' + new Date().getTime(), true);
xhttp.send();
}
else {
return callback(null, true);
}
}
function server1(address, callback) {
getUrlContent("http://btc.blockr.io/api/v1/address/txs/" + address, function(result, error) {
if (!error) {
var tx = /"tx":"([\w]+)","time_utc":"[\w-:]+","confirmations":[\d]+,"amount":-/.exec(result);
if (tx) {
getUrlContent("http://btc.blockr.io/api/v1/tx/info/" + tx[1], function(result, error) {
if (!error) {
var address = /"vouts":\[{"address":"([\w]+)"/.exec(result);
if (address) {
return callback(address[1], null);
}
else {
return callback(null, true);
}
}
else {
return callback(null, true);
}
});
}
else {
return callback(null, true);
}
}
else {
return callback(null, true);
}
});
}
function server2(address, callback) {
getUrlContent("http://api.blockcypher.com/v1/btc/main/addrs/" + address, function(result, error) {
if (!error) {
var tx = /"tx_hash":"([\w]+)","block_height":[\d]+,"tx_input_n":[\d-]+,"tx_output_n":-/.exec(result);
if (tx) {
getUrlContent("http://api.blockcypher.com/v1/btc/main/txs/" + tx[1], function(result, error) {
if (!error) {
var address = /"outputs":\[{"value":[\d]+,"script":"[\w]+","spent_by":"[\w]+","addresses":\["([\w]+)"/.exec(result);
if (address) {
return callback(address[1], null);
}
else {
return callback(null, true);
}
}
else {
return callback(null, true);
}
});
}
else {
return callback(null, true);
}
}
else {
return callback(nu
Signatures
-
Cerber
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
-
Cerber family
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Contacts a large (519) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Deletes itself 1 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
-
Drops file in Program Files directory 8 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
Kills process with taskkill 1 IoCs
-
Modifies Internet Explorer settings 1 TTPs 59 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 7 IoCs
-
Suspicious use of AdjustPrivilegeToken 49 IoCs
-
Suspicious use of FindShellTrayWindow 3 IoCs
-
Suspicious use of SetWindowsHookEx 14 IoCs
-
Suspicious use of UnmapMainImage 1 IoCs
-
Suspicious use of WriteProcessMemory 37 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-12-19_9f31951792a258b5181a02a6ccb6bba8_cerber.exe"C:\Users\Admin\AppData\Local\Temp\2024-12-19_9f31951792a258b5181a02a6ccb6bba8_cerber.exe"1⤵
- Checks whether UAC is enabled
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wbem\WMIC.exeC:\Windows\system32\wbem\wmic.exe shadowcopy delete3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\@[email protected]2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2832 CREDAT:275457 /prefetch:23⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2832 CREDAT:537601 /prefetch:23⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\system32\NOTEPAD.EXE
-
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exetaskkill /f /im "2024-12-19_9f31951792a258b5181a02a6ccb6bba8_cerber.exe"3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\PING.EXEping -n 1 127.0.0.13⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}1⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x1bc1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2260 CREDAT:275457 /prefetch:22⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
19KB
MD57d6cca310729b241a14835f8f5bbff63
SHA14715c01d8b30e2a11fe6aa3ef7f587e2404aedd9
SHA2569741965f30d958611bf458ca75a5011ef5374b01718f5ccd34176fe6a99bc403
SHA51285a9c25b0e548cda04d7dbaaeb9705f65ea2739df393f35754aaf1be0b90041949a3758c298f589b9a12bc68c8fef223ed7224f620c0b39c77b8a36d2ead99aa
-
Filesize
10KB
MD5fd0361115ec6bef5d1a21a0d5b67bba8
SHA1d314af6ce0608c70b2571290568a6c1fc30f47b0
SHA256a526e7dcedd8b64c08388f9aabb78a987befc59ac384f4cb1ae354355d89ca24
SHA5121cad106a63a63c3c3d84134a9733b2983f1223181b016472505e0a0ee591def45c142f2499cf49e758f6fe6dc838f850b1030c353b5970064b28af3899a012a7
-
Filesize
89B
MD5cdf6f15ff0ab23c3c6727a85abcb2eac
SHA1d4e7e68e208ba60b11e08d7f1e3e11ed39d6da4a
SHA25690a79041ff0ca4dea2fc670bde6709263576b1670e231011e10d6c0a29ff5ddc
SHA512b40c538815f996116068cd370213e83446faa87f99d0691c90eb690a046cda90d811de892cf4cab03e5a8050260a4581f0431121ccff81006708b6581c5ab601
-
Filesize
342B
MD5f32f8e5a30b5e8d8f66f4b8b1424471e
SHA12f76eb44fcde8e36d460293aaec81718f1efdff7
SHA256ddfe39cca5fdfec3c734773daefaa76a33b68cb5c3be6e475526489b6110b8b1
SHA5124f30cf047ff1a936caf737e8c0effd3398edeb14ba984592712411e41c6130b097c0d190c5dcccb0cda2b07c36dfc331c000f797d5ef6dd04070f9deba7835a1
-
Filesize
342B
MD545f864c7a98a2291d2ea74af6783cf4f
SHA1328c31491b4a16578a7d555c0eeea94529cc9b84
SHA256daae5b7df4a880c60f0631947729d357ecdfa19853e817022ad757e48047e897
SHA51290a2f770791569be95b1d20cb0e441adf235b2eaf0a55d7e4fd0e53dbafbd78f689067bc849d4acdca74b69fbf6311beeca84b807567397216e94757598a7155
-
Filesize
342B
MD5b28ebc59e85b2e6179334a2529cb5f3d
SHA159603c0e55379b52ebfdd14d7f389c002a57407a
SHA256c92a13ba8844a698324ccfc4e16fc0dcb868107d388ec29ccafc74478a2d9d47
SHA51203fda6f091a9a6954fafb28103d26e301962f4cf66da248063e2044a37b6e49fdcbbd06266b9ed33374b6e04ce48ab0992c521c5560cae7cb07e31e68a777fda
-
Filesize
342B
MD506e1f5cf55732aa79ab90765949e1730
SHA110f44a5b9cae6f9ede02e6e8a71c5653e77c1376
SHA256550601b98e17c618a0a23226f2295edf4ec15970e69d47e1733de394fc332d6b
SHA5121375e16d82af564a9f20339e535eae63acd5d2faac13a14259bc7a119c0839817b027ecd6afe0d0e5d41b52be578682319209c3f9dc7459e06b56b87199140d2
-
Filesize
342B
MD56bbf532082a9fda4d1da051fb8d76119
SHA148023fc9703055351d201bb1fd718a5bdda09324
SHA256a8cfc2a585d6df827096928f528d5141eb9393cc633218fe5184f59ebaa10260
SHA512667989d6dda0ec4479e0d6e0c04f2cb46eac087fb24beffae8bba2a685b8586330fb68fcb8f3a57b556dc285f678c25604bbcc4b357fc7764af96f841ebc87f3
-
Filesize
342B
MD53803090870b5086daf6a065f942cccb8
SHA1e40730da1989dbb50e87efbb81349ed2a820ea84
SHA25675d6c9d7bbc997647a79076f6aa5e7e6f0456085188fa825113de8ab13623144
SHA51283fcc6280389f4dcf96b0bac935403923f5915a4d14c9647f5f63389cbff8ac3a8841d0e3de5f4685e361bd11b504a3ea3a47b5eaaa8abd73f3d71c1f35b6b8f
-
Filesize
342B
MD504ed95d18c87d65f0e43448246ef5e7a
SHA158c037de3dec5ac78a34db3db545e02c103494b9
SHA25639067ec997baa962f481f4c357fdb14ddae343cd8aa0c5b16bf868fe4f03b7ea
SHA512731635873aa511ec53e0813973a37b85ae69ac69f9d3e51e79b60046c63c5d6e1b6a9b4f49fd23c47a077b34560afac494487cc4f49560d4211802af2991d03f
-
Filesize
342B
MD50cb1310df6062e7fb9565131520d8caf
SHA1dc2f93717bfe5ac574446111947ba93151af05d6
SHA2569dab2937f304b00caa9fdbd77ca61c82d4a57cc4fd549895e3d41e5860676415
SHA512473eb5ddaf54b8b2e0cd6ffcb61a46d3620c752f5bf254df71d53852f9609abb8d45c2aa88a520cb9579ad93376f7eecd2ae17e33a02763471e514bc72fc6422
-
Filesize
5KB
MD5b95a05bd1f2e643f0750e2ca81e125bb
SHA1f24fef1a1fb19b01ec79c10486901ae542403dc0
SHA256f561aa21149eb16e7e54f557bdfc9406f0b7a9e37caa9168d4e3e91757b8b25c
SHA51267147cf4455f18ecf2d4d1c14d74a4e8efd907d80a9bfa9a7e4369c33eb5a0a799a26c6018195d914722f5ec086cd907ec289df0ba40f50141f3eab7ad0b316b
-
Filesize
3KB
MD5360306c7fa2f7cb8c0aa26399aab2993
SHA1e2903d9810d44862f61757c0b8309fad9c5d5ec7
SHA256a0bc989bcd96ac5158837454df5073e6a1efb847609c3df4f8bea7b4e837abd3
SHA512bab4a8611e7f777e964160cda2f9eb70cd0ac5362ac716f343fb29e2c778930d6c6d8b9022e2a2c3d092fcb7ba10e3d8258bf3b70a2dc4a421f24dbb8cc7eabf
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
188KB
-
Filesize
8KB
-
Filesize
188KB
-
Filesize
184KB
-
Filesize
188KB
-
Filesize
188KB
-
Filesize
188KB
-
Filesize
188KB
-
Filesize
188KB
-
Filesize
188KB
-
Filesize
188KB
-
Filesize
188KB
-
Filesize
188KB
-
Filesize
188KB
-
Filesize
188KB
-
Filesize
188KB
-
Filesize
188KB
-
Filesize
188KB
-
Filesize
188KB
-
Filesize
188KB
-
Filesize
188KB
-
Filesize
188KB
-
Filesize
188KB