Analysis

max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20-12-2024 10:57
Static task: static1

Behavioral task: behavioral1
  Sample: 2024-12-20_fafad4c198b4e3d9e9891831ac7ad02e_karagany_mafia.exe
  Resource: win7-20241010-en

Behavioral task: behavioral2
  Sample: 2024-12-20_fafad4c198b4e3d9e9891831ac7ad02e_karagany_mafia.exe
  Resource: win10v2004-20241007-en
General

Target: 2024-12-20_fafad4c198b4e3d9e9891831ac7ad02e_karagany_mafia.exe
Size: 351KB
MD5: fafad4c198b4e3d9e9891831ac7ad02e
SHA1: 02753fbf7af6f695cb48cb49d94479a7fe2077a6
SHA256: 059266e6c33368fba9c4725220d92fd0599cf7c9e412611c87e3e4234bfeb40a
SHA512: 4c419bd95b06a2de83579773989657ad1d2e843eae7f2b99e63dffd51918b860950b5d0991ff3e2966283366abbc51d421d64990bca41a8b33a98b1d3e048927
SSDEEP: 6144:p8LgSffeUGspMOystWrPDdntFlY/nfskKoJdW7VVTcCgzF6:pefflGspMOyst4PJtjUnfsk9JdhCgz4
Malware Config

Extracted from: C:\Users\Admin\AppData\Roaming\Microsoft\OneNote\16.0\_HELP_DECRYPT_A9UM9MV_.hta
Family: cerber
Signatures

Cerber
  Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.

Cerber family

Contacts a large (588) amount of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, most likely for geofencing.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | 2024-12-20_fafad4c198b4e3d9e9891831ac7ad02e_karagany_mafia.exe
Drops startup file (1 IoC)
  description | ioc | Process
  File opened for modification | \??\c:\users\admin\appdata\roaming\microsoft\word\startup\ | 2024-12-20_fafad4c198b4e3d9e9891831ac7ad02e_karagany_mafia.exe

Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp1F99.bmp" | 2024-12-20_fafad4c198b4e3d9e9891831ac7ad02e_karagany_mafia.exe

Suspicious use of SetThreadContext (1 IoC)
  description | pid | Process | procid_target
  PID 1388 set thread context of 5028 | 1388 | 2024-12-20_fafad4c198b4e3d9e9891831ac7ad02e_karagany_mafia.exe | 95

Drops file in Program Files directory (20 IoCs)
  All 20 entries are "File opened for modification" by 2024-12-20_fafad4c198b4e3d9e9891831ac7ad02e_karagany_mafia.exe:
  \??\c:\program files (x86)\bitcoin
  \??\c:\program files (x86)\microsoft sql server
  \??\c:\program files (x86)\microsoft\outlook
  \??\c:\program files (x86)\office
  \??\c:\program files (x86)\outlook
  \??\c:\program files (x86)\powerpoint
  \??\c:\program files (x86)\the bat!
  \??\c:\program files (x86)\word
  \??\c:\program files\
  \??\c:\program files (x86)\
  \??\c:\program files (x86)\excel
  \??\c:\program files (x86)\microsoft\excel
  \??\c:\program files (x86)\microsoft\word
  \??\c:\program files (x86)\onenote
  \??\c:\program files (x86)\steam
  \??\c:\program files (x86)\microsoft\microsoft sql server
  \??\c:\program files (x86)\microsoft\office
  \??\c:\program files (x86)\microsoft\onenote
  \??\c:\program files (x86)\microsoft\powerpoint
  \??\c:\program files (x86)\thunderbird

Drops file in Windows directory (1 IoC)
  description | ioc | Process
  File opened for modification | \??\c:\windows\ | 2024-12-20_fafad4c198b4e3d9e9891831ac7ad02e_karagany_mafia.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2024-12-20_fafad4c198b4e3d9e9891831ac7ad02e_karagany_mafia.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2024-12-20_fafad4c198b4e3d9e9891831ac7ad02e_karagany_mafia.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mshta.exe
System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 1 IoC)
  Adversaries may check for Internet connectivity on compromised systems.
  pid | Process
  3672 | PING.EXE

Kills process with taskkill (1 IoC)
  pid | Process
  2452 | taskkill.exe

Modifies registry class (1 IoC)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings | 2024-12-20_fafad4c198b4e3d9e9891831ac7ad02e_karagany_mafia.exe

Runs ping.exe (1 TTP, 1 IoC)
  pid | Process
  3672 | PING.EXE

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | Process
  5028 | 2024-12-20_fafad4c198b4e3d9e9891831ac7ad02e_karagany_mafia.exe
  5028 | 2024-12-20_fafad4c198b4e3d9e9891831ac7ad02e_karagany_mafia.exe

Suspicious use of AdjustPrivilegeToken (5 IoCs)
  description | pid | Process
  Token: SeShutdownPrivilege | 5028 | 2024-12-20_fafad4c198b4e3d9e9891831ac7ad02e_karagany_mafia.exe
  Token: SeCreatePagefilePrivilege | 5028 | 2024-12-20_fafad4c198b4e3d9e9891831ac7ad02e_karagany_mafia.exe
  Token: 33 | 4152 | AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege | 4152 | AUDIODG.EXE
  Token: SeDebugPrivilege | 2452 | taskkill.exe

Suspicious use of WriteProcessMemory (17 IoCs)
  description | pid | Process | procid_target | occurrences
  PID 1388 wrote to memory of 5028 | 1388 | 2024-12-20_fafad4c198b4e3d9e9891831ac7ad02e_karagany_mafia.exe | 95 | 8
  PID 5028 wrote to memory of 2820 | 5028 | 2024-12-20_fafad4c198b4e3d9e9891831ac7ad02e_karagany_mafia.exe | 101 | 3
  PID 5028 wrote to memory of 1664 | 5028 | 2024-12-20_fafad4c198b4e3d9e9891831ac7ad02e_karagany_mafia.exe | 106 | 2
  PID 1664 wrote to memory of 2452 | 1664 | cmd.exe | 108 | 2
  PID 1664 wrote to memory of 3672 | 1664 | cmd.exe | 109 | 2
Processes

C:\Users\Admin\AppData\Local\Temp\2024-12-20_fafad4c198b4e3d9e9891831ac7ad02e_karagany_mafia.exe  (PID 1388)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-12-20_fafad4c198b4e3d9e9891831ac7ad02e_karagany_mafia.exe"
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\2024-12-20_fafad4c198b4e3d9e9891831ac7ad02e_karagany_mafia.exe  (PID 5028)
    Command line: "C:\Users\Admin\AppData\Local\Temp\2024-12-20_fafad4c198b4e3d9e9891831ac7ad02e_karagany_mafia.exe"
    - Checks computer location settings
    - Drops startup file
    - Sets desktop wallpaper using registry
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\mshta.exe  (PID 2820)
      Command line: "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\_HELP_DECRYPT_VKYHX_.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
      - System Location Discovery: System Language Discovery

    C:\Windows\system32\cmd.exe  (PID 1664)
      Command line: "C:\Windows\system32\cmd.exe"
      - Suspicious use of WriteProcessMemory

      C:\Windows\system32\taskkill.exe  (PID 2452)
        Command line: taskkill /f /im "2024-12-20_fafad4c198b4e3d9e9891831ac7ad02e_karagany_mafia.exe"
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken

      C:\Windows\system32\PING.EXE  (PID 3672)
        Command line: ping -n 1 127.0.0.1
        - System Network Configuration Discovery: Internet Connection Discovery
        - Runs ping.exe

C:\Windows\system32\AUDIODG.EXE  (PID 4152)
  Command line: C:\Windows\system32\AUDIODG.EXE 0x338 0x410
  - Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK Enterprise v15
Downloads

File 1
  Filesize: 150KB
  MD5: d6db2e298a9d6153987699a5ffe171c1
  SHA1: cdc1a71bd8b5519a318eebe4992a8983ac1ad9f6
  SHA256: fb9281cde6ccf5fd36f305bd1ec46cb687aabf4d5c0fdd698e0d1ec18d531faf
  SHA512: 5ec231756ccfe1b8c463fad229a6bffbb2b3f322fcfff8db8710875acc1683e7a5be2b464013f68e03f1f0aa22c34fecec667fdfd72421737c881d55794713d7

File 2
  Filesize: 66KB
  MD5: 073f984393920e1665c9a0cfc062e2ef
  SHA1: 7e5bf1f91ba5969ae0a85862eaa72222aea9c6f9
  SHA256: 37fc3113f604bb542c32712de1b973b8927ed4f23fef6ef86ea2b0ce2afce974
  SHA512: 26dc84f6f87a719c53771da2f881ef25e4cc402f97d63ce55d44a88e3063562f9e7f1f5497246598a5117ec9fa62492e2b1a27c778e2597b5519e99e0b62a3ed