Overview

overview

10

Static

static

3

2025-01-10...er.exe

windows7-x64

10

2025-01-10...er.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    122s
  • max time network
    131s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    10-01-2025 13:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2025-01-10_cf1e5739e38d05964c529a5cd7a627d7_cerber.exe

  • Size

    650KB

  • MD5

    cf1e5739e38d05964c529a5cd7a627d7

  • SHA1

    f20ec960cae50a8093e60d01d5d730a6ccf85ab2

  • SHA256

    11e3f0ff5df320791a49be0a02a398a406d95bcc528732d0ff2b72ba13ec5959

  • SHA512

    18e9f348dd87eea80f1c0f977716fd3fe5bdd698489bce1b461215ae08af4fe3a1a94e483c8a44b1842c67f8e4e936d747194f4ade6808a88c1c012bbcc77689

  • SSDEEP

    12288:LeySOCn73uSYcAEDCNBcXBuEE8SzoeMhqyfjt:5SOC7uSnAEDJXTEb6X5

Score
10/10
cerberdiscoveryevasionpersistenceprivilege_escalationransomware

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\_READ_THIS_FILE_SI3L3RU_.txt

Ransom Note
CERBER RANSOMWARE --- YOUR D0CUMENTS, PHOTOS, DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED! --- The only way to decrypt your files is to receive the private key and decryption program. To receive the private key and decryption program go to any decrypted folder, inside there is the special file (*_READ_THIS_FILE_*) with complete instructions how to decrypt your files. If you cannot find any (*_READ_THIS_FILE_*) file at your PC, follow the instructions below: --- 1. Download "Tor Browser" from https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your personal page here: http://hjhqmbxyinislkkt.onion/A93C-CEAD-52F2-0501-FDFC Note! This page is available via "Tor Browser" only. --- Also you can use temporary addresses on your personal page without using "Tor Browser". --- 1. http://hjhqmbxyinislkkt.1gu5um.top/A93C-CEAD-52F2-0501-FDFC 2. http://hjhqmbxyinislkkt.1w5iy8.top/A93C-CEAD-52F2-0501-FDFC 3. http://hjhqmbxyinislkkt.1aajb7.top/A93C-CEAD-52F2-0501-FDFC 4. http://hjhqmbxyinislkkt.1nm62r.top/A93C-CEAD-52F2-0501-FDFC 5. http://hjhqmbxyinislkkt.1efxa8.top/A93C-CEAD-52F2-0501-FDFC --- Note! These are temporary addresses! They will be available for a limited amount of time!
URLs

http://hjhqmbxyinislkkt.onion/A93C-CEAD-52F2-0501-FDFC

http://hjhqmbxyinislkkt.1gu5um.top/A93C-CEAD-52F2-0501-FDFC

http://hjhqmbxyinislkkt.1w5iy8.top/A93C-CEAD-52F2-0501-FDFC

http://hjhqmbxyinislkkt.1aajb7.top/A93C-CEAD-52F2-0501-FDFC

http://hjhqmbxyinislkkt.1nm62r.top/A93C-CEAD-52F2-0501-FDFC

http://hjhqmbxyinislkkt.1efxa8.top/A93C-CEAD-52F2-0501-FDFC

Signatures

  • Cerber

    Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.

    ransomwarecerber
  • Cerber family
    cerber
  • Blocklisted process makes network request 1 IoCs
  • Contacts a large (1090) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Modifies Windows Firewall 2 TTPs 2 IoCs
    evasion
  • Deletes itself 1 IoCs
  • Drops startup file 1 IoCs
  • Drops file in System32 directory 38 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Drops file in Program Files directory 20 IoCs
  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

    persistenceprivilege_escalation
  • System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Kills process with taskkill 1 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-01-10_cf1e5739e38d05964c529a5cd7a627d7_cerber.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-01-10_cf1e5739e38d05964c529a5cd7a627d7_cerber.exe"
    1⤵
    • Drops startup file
    • Drops file in System32 directory
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:2888
    • C:\Windows\SysWOW64\netsh.exe
      C:\Windows\system32\netsh.exe advfirewall set allprofiles state on
      2⤵
      • Modifies Windows Firewall
      • Event Triggered Execution: Netsh Helper DLL
      • System Location Discovery: System Language Discovery
      PID:2720
    • C:\Windows\SysWOW64\netsh.exe
      C:\Windows\system32\netsh.exe advfirewall reset
      2⤵
      • Modifies Windows Firewall
      • Event Triggered Execution: Netsh Helper DLL
      • System Location Discovery: System Language Discovery
      PID:2804
    • C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\_READ_THIS_FILE_Q3WLHF_.hta"
      2⤵
      • Blocklisted process makes network request
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      PID:2628
    • C:\Windows\SysWOW64\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_READ_THIS_FILE_SI3L3RU_.txt
      2⤵
      • System Location Discovery: System Language Discovery
      • Opens file in notepad (likely ransom note)
      PID:2976
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe"
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2900
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im "2025-01-10_cf1e5739e38d05964c529a5cd7a627d7_cerber.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2656
      • C:\Windows\SysWOW64\PING.EXE
        ping -n 1 127.0.0.1
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:1964
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    PID:468
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
    1⤵
    • System Location Discovery: System Language Discovery
    PID:1764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Privilege Escalation

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Defense Evasion

Impair Defenses

1
T1562

Disable or Modify System Firewall

1
T1562.004

Modify Registry

2
T1112

Credential Access

Discovery

Network Service Discovery

1
T1046

Remote System Discovery

1
T1018

System Information Discovery

1
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Network Configuration Discovery

1
T1016

Internet Connection Discovery

1
T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

1
T1491

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\Desktop\_READ_THIS_FILE_AL7IBDQ_.jpeg
    Filesize

    150KB

    MD5

    fd1d428a6962d0e323993e572d03f0ba

    SHA1

    7c3c5c2c31b3008cc888b0d81a942be80a81153b

    SHA256

    135e007c4376bfa2f07f7f8b56ab501cbe35b71ce81cfb1ef99f689d8f096fd5

    SHA512

    b56030900cb8a577d7d8b9a4437c5563a43c3b6c2e12762334f224735459a5846d880ce0ab0a4c3a57509ac4561b95ee1704f8ffe724f00ad48bb9b78685defb

    Download Submit

  • C:\Users\Admin\Desktop\_READ_THIS_FILE_Q3WLHF_.hta
    Filesize

    74KB

    MD5

    e9463e2984ad3ed0baa7543d65a41d88

    SHA1

    d1398a22231517a9f23fb065cc1d7583d11a0f1b

    SHA256

    6ef4a314c7b8233450ce802a7335e9c5614a1f58e134f5f8385790d0d226181e

    SHA512

    87b5bbba0b941a73423c59ced6f6b38b73aa5d5f46d00538d5583c4244db8c2bca0a0fb6bbf65d46f16e883853d86cfa3c68f2f6727b864423e123d789bbbaf8

    Download Submit

  • C:\Users\Admin\Desktop\_READ_THIS_FILE_SI3L3RU_.txt
    Filesize

    1KB

    MD5

    b0dcad000968062aa3898626c7c2631a

    SHA1

    41551995b1f372e37b03a6e0a5ab1a1ab31e352e

    SHA256

    b77d87035364ce64cca2a8b38891d3cc80ec90029fd0a7b3f3205138ac2023f7

    SHA512

    fca46acd45bd3681558a29606737be2cc90b2bc96ee1133c2826bc2bc7177b7cf477f3ca15a9125ed8b24ba0c3c9c6ab0208223fc6232d244fbea4250d7d06b6

    Download Submit

  • memory/468-77-0x00000000001F0000-0x00000000001F2000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2888-5-0x0000000000400000-0x000000000043A000-memory.dmp

    Filesize

    232KB

    Download

  • memory/2888-51-0x0000000000400000-0x000000000043A000-memory.dmp

    Filesize

    232KB

    Download

  • memory/2888-69-0x0000000000400000-0x000000000043A000-memory.dmp

    Filesize

    232KB

    Download

  • memory/2888-9-0x0000000000400000-0x000000000043A000-memory.dmp

    Filesize

    232KB

    Download

  • memory/2888-1-0x0000000000400000-0x000000000043A000-memory.dmp

    Filesize

    232KB

    Download

  • memory/2888-2-0x0000000000400000-0x000000000043A000-memory.dmp

    Filesize

    232KB

    Download

  • memory/2888-76-0x0000000004650000-0x0000000004652000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2888-0-0x0000000000120000-0x0000000000157000-memory.dmp

    Filesize

    220KB

    Download

  • memory/2888-100-0x0000000000400000-0x000000000043A000-memory.dmp

    Filesize

    232KB

    Download