cerber | 3e066c8b166096cab6beceff9919a42bd98f46fa4d6efcb3b497067e792b2567

Analysis

max time kernel
52s
max time network
50s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20/01/2025, 04:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3e066c8b166096cab6beceff9919a42bd98f46fa4d6efcb3b497067e792b2567N.exe
Size

263KB
MD5

5ae42d334a6a5e01298a28be83a18370
SHA1

5dc8ac78b63366f98c9b6cabae585b96674aaacd
SHA256

3e066c8b166096cab6beceff9919a42bd98f46fa4d6efcb3b497067e792b2567
SHA512

f575eeef20e9a09de5224522604f00d72c1e79f4f70a8fb934a0b864be0d09321915a216135ad7e233c03687970b20a9f5086557be3413e63549ac696ff3a3fd
SSDEEP

6144:z44qB4hPmyzQ8AEvobJv4c/DWHXUnzabFerCJBhuE21:U4+yylf/DW3UMBh32

Score

10^/10

cerber discovery evasion persistence privilege_escalation ransomware

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\_READ_THI$_FILE_UKKTMPD_.txt

Ransom Note

CERBER RAN$OMWARE --- YOUR DOCUMENTS, PHOTOS, DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED! --- The only way to decrypt your files is to receive the private key and decryption program. To receive the private key and decryption program go to any decrypted folder, inside there is the special file (*_READ_THIS_FILE_*) with complete instructions how to decrypt your files. If you cannot find any (*_READ_THIS_FILE_*) file at your PC, follow the instructions below: --- 1. Download "Tor Browser" from https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your personal page here: http://hjhqmbxyinislkkt.onion/D5DA-10F1-1BC1-05C4-0250 Note! This page is available via "Tor Browser" only. --- Also you can use temporary addresses on your personal page without using "Tor Browser". --- 1. http://hjhqmbxyinislkkt.13kn4l.top/D5DA-10F1-1BC1-05C4-0250 2. http://hjhqmbxyinislkkt.14klmz.top/D5DA-10F1-1BC1-05C4-0250 3. http://hjhqmbxyinislkkt.13eymq.top/D5DA-10F1-1BC1-05C4-0250 4. http://hjhqmbxyinislkkt.1eeyaj.top/D5DA-10F1-1BC1-05C4-0250 5. http://hjhqmbxyinislkkt.1eagrj.top/D5DA-10F1-1BC1-05C4-0250 --- Note! These are temporary addresses! They will be available for a limited amount of time!

URLs

http://hjhqmbxyinislkkt.onion/D5DA-10F1-1BC1-05C4-0250

http://hjhqmbxyinislkkt.13kn4l.top/D5DA-10F1-1BC1-05C4-0250

http://hjhqmbxyinislkkt.14klmz.top/D5DA-10F1-1BC1-05C4-0250

http://hjhqmbxyinislkkt.13eymq.top/D5DA-10F1-1BC1-05C4-0250

http://hjhqmbxyinislkkt.1eeyaj.top/D5DA-10F1-1BC1-05C4-0250

http://hjhqmbxyinislkkt.1eagrj.top/D5DA-10F1-1BC1-05C4-0250

Signatures

Cerber
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
ransomware cerber
Cerber family
cerber

Blocklisted process makes network request 1 IoCs

flow	pid	Process
2180	1800	mshta.exe

Contacts a large (1090) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2784	netsh.exe
2896	netsh.exe

Deletes itself 1 IoCs

pid	Process
2636	cmd.exe

Drops startup file 1 IoCs

description	ioc	Process
File opened for modification	\??\c:\users\admin\appdata\roaming\microsoft\word\startup\	3e066c8b166096cab6beceff9919a42bd98f46fa4d6efcb3b497067e792b2567N.exe

Drops file in System32 directory 38 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\onenote	3e066c8b166096cab6beceff9919a42bd98f46fa4d6efcb3b497067e792b2567N.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\word	3e066c8b166096cab6beceff9919a42bd98f46fa4d6efcb3b497067e792b2567N.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\steam	3e066c8b166096cab6beceff9919a42bd98f46fa4d6efcb3b497067e792b2567N.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\bitcoin	3e066c8b166096cab6beceff9919a42bd98f46fa4d6efcb3b497067e792b2567N.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft sql server	3e066c8b166096cab6beceff9919a42bd98f46fa4d6efcb3b497067e792b2567N.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\excel	3e066c8b166096cab6beceff9919a42bd98f46fa4d6efcb3b497067e792b2567N.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\the bat!	3e066c8b166096cab6beceff9919a42bd98f46fa4d6efcb3b497067e792b2567N.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\word	3e066c8b166096cab6beceff9919a42bd98f46fa4d6efcb3b497067e792b2567N.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\microsoft sql server	3e066c8b166096cab6beceff9919a42bd98f46fa4d6efcb3b497067e792b2567N.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\onenote	3e066c8b166096cab6beceff9919a42bd98f46fa4d6efcb3b497067e792b2567N.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\powerpoint	3e066c8b166096cab6beceff9919a42bd98f46fa4d6efcb3b497067e792b2567N.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\powerpoint	3e066c8b166096cab6beceff9919a42bd98f46fa4d6efcb3b497067e792b2567N.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\word	3e066c8b166096cab6beceff9919a42bd98f46fa4d6efcb3b497067e792b2567N.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\onenote	3e066c8b166096cab6beceff9919a42bd98f46fa4d6efcb3b497067e792b2567N.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\steam	3e066c8b166096cab6beceff9919a42bd98f46fa4d6efcb3b497067e792b2567N.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\thunderbird	3e066c8b166096cab6beceff9919a42bd98f46fa4d6efcb3b497067e792b2567N.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\microsoft sql server	3e066c8b166096cab6beceff9919a42bd98f46fa4d6efcb3b497067e792b2567N.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\office	3e066c8b166096cab6beceff9919a42bd98f46fa4d6efcb3b497067e792b2567N.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\onenote	3e066c8b166096cab6beceff9919a42bd98f46fa4d6efcb3b497067e792b2567N.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\documents	3e066c8b166096cab6beceff9919a42bd98f46fa4d6efcb3b497067e792b2567N.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\outlook	3e066c8b166096cab6beceff9919a42bd98f46fa4d6efcb3b497067e792b2567N.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\thunderbird	3e066c8b166096cab6beceff9919a42bd98f46fa4d6efcb3b497067e792b2567N.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\desktop	3e066c8b166096cab6beceff9919a42bd98f46fa4d6efcb3b497067e792b2567N.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\outlook	3e066c8b166096cab6beceff9919a42bd98f46fa4d6efcb3b497067e792b2567N.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\powerpoint	3e066c8b166096cab6beceff9919a42bd98f46fa4d6efcb3b497067e792b2567N.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\office	3e066c8b166096cab6beceff9919a42bd98f46fa4d6efcb3b497067e792b2567N.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\bitcoin	3e066c8b166096cab6beceff9919a42bd98f46fa4d6efcb3b497067e792b2567N.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\the bat!	3e066c8b166096cab6beceff9919a42bd98f46fa4d6efcb3b497067e792b2567N.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\outlook	3e066c8b166096cab6beceff9919a42bd98f46fa4d6efcb3b497067e792b2567N.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\outlook	3e066c8b166096cab6beceff9919a42bd98f46fa4d6efcb3b497067e792b2567N.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\word	3e066c8b166096cab6beceff9919a42bd98f46fa4d6efcb3b497067e792b2567N.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\excel	3e066c8b166096cab6beceff9919a42bd98f46fa4d6efcb3b497067e792b2567N.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft sql server	3e066c8b166096cab6beceff9919a42bd98f46fa4d6efcb3b497067e792b2567N.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\office	3e066c8b166096cab6beceff9919a42bd98f46fa4d6efcb3b497067e792b2567N.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\office	3e066c8b166096cab6beceff9919a42bd98f46fa4d6efcb3b497067e792b2567N.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\powerpoint	3e066c8b166096cab6beceff9919a42bd98f46fa4d6efcb3b497067e792b2567N.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\excel	3e066c8b166096cab6beceff9919a42bd98f46fa4d6efcb3b497067e792b2567N.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\excel	3e066c8b166096cab6beceff9919a42bd98f46fa4d6efcb3b497067e792b2567N.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmpB358.bmp"	3e066c8b166096cab6beceff9919a42bd98f46fa4d6efcb3b497067e792b2567N.exe

Drops file in Program Files directory 20 IoCs

description	ioc	Process
File opened for modification	\??\c:\program files (x86)\microsoft sql server	3e066c8b166096cab6beceff9919a42bd98f46fa4d6efcb3b497067e792b2567N.exe
File opened for modification	\??\c:\program files (x86)\microsoft\excel	3e066c8b166096cab6beceff9919a42bd98f46fa4d6efcb3b497067e792b2567N.exe
File opened for modification	\??\c:\program files (x86)\the bat!	3e066c8b166096cab6beceff9919a42bd98f46fa4d6efcb3b497067e792b2567N.exe
File opened for modification	\??\c:\program files (x86)\word	3e066c8b166096cab6beceff9919a42bd98f46fa4d6efcb3b497067e792b2567N.exe
File opened for modification	\??\c:\program files (x86)\office	3e066c8b166096cab6beceff9919a42bd98f46fa4d6efcb3b497067e792b2567N.exe
File opened for modification	\??\c:\program files (x86)\outlook	3e066c8b166096cab6beceff9919a42bd98f46fa4d6efcb3b497067e792b2567N.exe
File opened for modification	\??\c:\program files\	3e066c8b166096cab6beceff9919a42bd98f46fa4d6efcb3b497067e792b2567N.exe
File opened for modification	\??\c:\program files (x86)\	3e066c8b166096cab6beceff9919a42bd98f46fa4d6efcb3b497067e792b2567N.exe
File opened for modification	\??\c:\program files (x86)\bitcoin	3e066c8b166096cab6beceff9919a42bd98f46fa4d6efcb3b497067e792b2567N.exe
File opened for modification	\??\c:\program files (x86)\excel	3e066c8b166096cab6beceff9919a42bd98f46fa4d6efcb3b497067e792b2567N.exe
File opened for modification	\??\c:\program files (x86)\microsoft\office	3e066c8b166096cab6beceff9919a42bd98f46fa4d6efcb3b497067e792b2567N.exe
File opened for modification	\??\c:\program files (x86)\microsoft\outlook	3e066c8b166096cab6beceff9919a42bd98f46fa4d6efcb3b497067e792b2567N.exe
File opened for modification	\??\c:\program files (x86)\powerpoint	3e066c8b166096cab6beceff9919a42bd98f46fa4d6efcb3b497067e792b2567N.exe
File opened for modification	\??\c:\program files (x86)\steam	3e066c8b166096cab6beceff9919a42bd98f46fa4d6efcb3b497067e792b2567N.exe
File opened for modification	\??\c:\program files (x86)\thunderbird	3e066c8b166096cab6beceff9919a42bd98f46fa4d6efcb3b497067e792b2567N.exe
File opened for modification	\??\c:\program files (x86)\microsoft\word	3e066c8b166096cab6beceff9919a42bd98f46fa4d6efcb3b497067e792b2567N.exe
File opened for modification	\??\c:\program files (x86)\onenote	3e066c8b166096cab6beceff9919a42bd98f46fa4d6efcb3b497067e792b2567N.exe
File opened for modification	\??\c:\program files (x86)\microsoft\microsoft sql server	3e066c8b166096cab6beceff9919a42bd98f46fa4d6efcb3b497067e792b2567N.exe
File opened for modification	\??\c:\program files (x86)\microsoft\onenote	3e066c8b166096cab6beceff9919a42bd98f46fa4d6efcb3b497067e792b2567N.exe
File opened for modification	\??\c:\program files (x86)\microsoft\powerpoint	3e066c8b166096cab6beceff9919a42bd98f46fa4d6efcb3b497067e792b2567N.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\onenote	3e066c8b166096cab6beceff9919a42bd98f46fa4d6efcb3b497067e792b2567N.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\powerpoint	3e066c8b166096cab6beceff9919a42bd98f46fa4d6efcb3b497067e792b2567N.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\outlook	3e066c8b166096cab6beceff9919a42bd98f46fa4d6efcb3b497067e792b2567N.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\word	3e066c8b166096cab6beceff9919a42bd98f46fa4d6efcb3b497067e792b2567N.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\office	3e066c8b166096cab6beceff9919a42bd98f46fa4d6efcb3b497067e792b2567N.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\powerpoint	3e066c8b166096cab6beceff9919a42bd98f46fa4d6efcb3b497067e792b2567N.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\powerpoint	3e066c8b166096cab6beceff9919a42bd98f46fa4d6efcb3b497067e792b2567N.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\onenote	3e066c8b166096cab6beceff9919a42bd98f46fa4d6efcb3b497067e792b2567N.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\documents	3e066c8b166096cab6beceff9919a42bd98f46fa4d6efcb3b497067e792b2567N.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\excel	3e066c8b166096cab6beceff9919a42bd98f46fa4d6efcb3b497067e792b2567N.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\microsoft sql server	3e066c8b166096cab6beceff9919a42bd98f46fa4d6efcb3b497067e792b2567N.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\onenote	3e066c8b166096cab6beceff9919a42bd98f46fa4d6efcb3b497067e792b2567N.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\word	3e066c8b166096cab6beceff9919a42bd98f46fa4d6efcb3b497067e792b2567N.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\office	3e066c8b166096cab6beceff9919a42bd98f46fa4d6efcb3b497067e792b2567N.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\the bat!	3e066c8b166096cab6beceff9919a42bd98f46fa4d6efcb3b497067e792b2567N.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\word	3e066c8b166096cab6beceff9919a42bd98f46fa4d6efcb3b497067e792b2567N.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\outlook	3e066c8b166096cab6beceff9919a42bd98f46fa4d6efcb3b497067e792b2567N.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\powerpoint	3e066c8b166096cab6beceff9919a42bd98f46fa4d6efcb3b497067e792b2567N.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\word	3e066c8b166096cab6beceff9919a42bd98f46fa4d6efcb3b497067e792b2567N.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\outlook	3e066c8b166096cab6beceff9919a42bd98f46fa4d6efcb3b497067e792b2567N.exe
File opened for modification	\??\c:\windows\	3e066c8b166096cab6beceff9919a42bd98f46fa4d6efcb3b497067e792b2567N.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft sql server	3e066c8b166096cab6beceff9919a42bd98f46fa4d6efcb3b497067e792b2567N.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\office	3e066c8b166096cab6beceff9919a42bd98f46fa4d6efcb3b497067e792b2567N.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\office	3e066c8b166096cab6beceff9919a42bd98f46fa4d6efcb3b497067e792b2567N.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\steam	3e066c8b166096cab6beceff9919a42bd98f46fa4d6efcb3b497067e792b2567N.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\word	3e066c8b166096cab6beceff9919a42bd98f46fa4d6efcb3b497067e792b2567N.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\excel	3e066c8b166096cab6beceff9919a42bd98f46fa4d6efcb3b497067e792b2567N.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\microsoft sql server	3e066c8b166096cab6beceff9919a42bd98f46fa4d6efcb3b497067e792b2567N.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\powerpoint	3e066c8b166096cab6beceff9919a42bd98f46fa4d6efcb3b497067e792b2567N.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\office	3e066c8b166096cab6beceff9919a42bd98f46fa4d6efcb3b497067e792b2567N.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\the bat!	3e066c8b166096cab6beceff9919a42bd98f46fa4d6efcb3b497067e792b2567N.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\microsoft sql server	3e066c8b166096cab6beceff9919a42bd98f46fa4d6efcb3b497067e792b2567N.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\onenote	3e066c8b166096cab6beceff9919a42bd98f46fa4d6efcb3b497067e792b2567N.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\thunderbird	3e066c8b166096cab6beceff9919a42bd98f46fa4d6efcb3b497067e792b2567N.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\thunderbird	3e066c8b166096cab6beceff9919a42bd98f46fa4d6efcb3b497067e792b2567N.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\word	3e066c8b166096cab6beceff9919a42bd98f46fa4d6efcb3b497067e792b2567N.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\excel	3e066c8b166096cab6beceff9919a42bd98f46fa4d6efcb3b497067e792b2567N.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\excel	3e066c8b166096cab6beceff9919a42bd98f46fa4d6efcb3b497067e792b2567N.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\powerpoint	3e066c8b166096cab6beceff9919a42bd98f46fa4d6efcb3b497067e792b2567N.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\word	3e066c8b166096cab6beceff9919a42bd98f46fa4d6efcb3b497067e792b2567N.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\onenote	3e066c8b166096cab6beceff9919a42bd98f46fa4d6efcb3b497067e792b2567N.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\outlook	3e066c8b166096cab6beceff9919a42bd98f46fa4d6efcb3b497067e792b2567N.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\microsoft sql server	3e066c8b166096cab6beceff9919a42bd98f46fa4d6efcb3b497067e792b2567N.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\powerpoint	3e066c8b166096cab6beceff9919a42bd98f46fa4d6efcb3b497067e792b2567N.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\steam	3e066c8b166096cab6beceff9919a42bd98f46fa4d6efcb3b497067e792b2567N.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\thunderbird	3e066c8b166096cab6beceff9919a42bd98f46fa4d6efcb3b497067e792b2567N.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\bitcoin	3e066c8b166096cab6beceff9919a42bd98f46fa4d6efcb3b497067e792b2567N.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft sql server	3e066c8b166096cab6beceff9919a42bd98f46fa4d6efcb3b497067e792b2567N.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\excel	3e066c8b166096cab6beceff9919a42bd98f46fa4d6efcb3b497067e792b2567N.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\excel	3e066c8b166096cab6beceff9919a42bd98f46fa4d6efcb3b497067e792b2567N.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\word	3e066c8b166096cab6beceff9919a42bd98f46fa4d6efcb3b497067e792b2567N.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\desktop	3e066c8b166096cab6beceff9919a42bd98f46fa4d6efcb3b497067e792b2567N.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\outlook	3e066c8b166096cab6beceff9919a42bd98f46fa4d6efcb3b497067e792b2567N.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\onenote	3e066c8b166096cab6beceff9919a42bd98f46fa4d6efcb3b497067e792b2567N.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\desktop	3e066c8b166096cab6beceff9919a42bd98f46fa4d6efcb3b497067e792b2567N.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\bitcoin	3e066c8b166096cab6beceff9919a42bd98f46fa4d6efcb3b497067e792b2567N.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft sql server	3e066c8b166096cab6beceff9919a42bd98f46fa4d6efcb3b497067e792b2567N.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\excel	3e066c8b166096cab6beceff9919a42bd98f46fa4d6efcb3b497067e792b2567N.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\onenote	3e066c8b166096cab6beceff9919a42bd98f46fa4d6efcb3b497067e792b2567N.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\documents	3e066c8b166096cab6beceff9919a42bd98f46fa4d6efcb3b497067e792b2567N.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\office	3e066c8b166096cab6beceff9919a42bd98f46fa4d6efcb3b497067e792b2567N.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\outlook	3e066c8b166096cab6beceff9919a42bd98f46fa4d6efcb3b497067e792b2567N.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\office	3e066c8b166096cab6beceff9919a42bd98f46fa4d6efcb3b497067e792b2567N.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\steam	3e066c8b166096cab6beceff9919a42bd98f46fa4d6efcb3b497067e792b2567N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3e066c8b166096cab6beceff9919a42bd98f46fa4d6efcb3b497067e792b2567N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2648	PING.EXE

Kills process with taskkill 1 IoCs

evasion

pid	Process
2532	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2648	PING.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3040	3e066c8b166096cab6beceff9919a42bd98f46fa4d6efcb3b497067e792b2567N.exe
Token: SeDebugPrivilege	2532	taskkill.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
828	DllHost.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
828	DllHost.exe
828	DllHost.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 3040 wrote to memory of 2784	3040	3e066c8b166096cab6beceff9919a42bd98f46fa4d6efcb3b497067e792b2567N.exe	30
PID 3040 wrote to memory of 2784	3040	3e066c8b166096cab6beceff9919a42bd98f46fa4d6efcb3b497067e792b2567N.exe	30
PID 3040 wrote to memory of 2784	3040	3e066c8b166096cab6beceff9919a42bd98f46fa4d6efcb3b497067e792b2567N.exe	30
PID 3040 wrote to memory of 2784	3040	3e066c8b166096cab6beceff9919a42bd98f46fa4d6efcb3b497067e792b2567N.exe	30
PID 3040 wrote to memory of 2896	3040	3e066c8b166096cab6beceff9919a42bd98f46fa4d6efcb3b497067e792b2567N.exe	32
PID 3040 wrote to memory of 2896	3040	3e066c8b166096cab6beceff9919a42bd98f46fa4d6efcb3b497067e792b2567N.exe	32
PID 3040 wrote to memory of 2896	3040	3e066c8b166096cab6beceff9919a42bd98f46fa4d6efcb3b497067e792b2567N.exe	32
PID 3040 wrote to memory of 2896	3040	3e066c8b166096cab6beceff9919a42bd98f46fa4d6efcb3b497067e792b2567N.exe	32
PID 3040 wrote to memory of 1800	3040	3e066c8b166096cab6beceff9919a42bd98f46fa4d6efcb3b497067e792b2567N.exe	34
PID 3040 wrote to memory of 1800	3040	3e066c8b166096cab6beceff9919a42bd98f46fa4d6efcb3b497067e792b2567N.exe	34
PID 3040 wrote to memory of 1800	3040	3e066c8b166096cab6beceff9919a42bd98f46fa4d6efcb3b497067e792b2567N.exe	34
PID 3040 wrote to memory of 1800	3040	3e066c8b166096cab6beceff9919a42bd98f46fa4d6efcb3b497067e792b2567N.exe	34
PID 3040 wrote to memory of 2396	3040	3e066c8b166096cab6beceff9919a42bd98f46fa4d6efcb3b497067e792b2567N.exe	35
PID 3040 wrote to memory of 2396	3040	3e066c8b166096cab6beceff9919a42bd98f46fa4d6efcb3b497067e792b2567N.exe	35
PID 3040 wrote to memory of 2396	3040	3e066c8b166096cab6beceff9919a42bd98f46fa4d6efcb3b497067e792b2567N.exe	35
PID 3040 wrote to memory of 2396	3040	3e066c8b166096cab6beceff9919a42bd98f46fa4d6efcb3b497067e792b2567N.exe	35
PID 3040 wrote to memory of 2636	3040	3e066c8b166096cab6beceff9919a42bd98f46fa4d6efcb3b497067e792b2567N.exe	40
PID 3040 wrote to memory of 2636	3040	3e066c8b166096cab6beceff9919a42bd98f46fa4d6efcb3b497067e792b2567N.exe	40
PID 3040 wrote to memory of 2636	3040	3e066c8b166096cab6beceff9919a42bd98f46fa4d6efcb3b497067e792b2567N.exe	40
PID 3040 wrote to memory of 2636	3040	3e066c8b166096cab6beceff9919a42bd98f46fa4d6efcb3b497067e792b2567N.exe	40
PID 2636 wrote to memory of 2532	2636	cmd.exe	42
PID 2636 wrote to memory of 2532	2636	cmd.exe	42
PID 2636 wrote to memory of 2532	2636	cmd.exe	42
PID 2636 wrote to memory of 2532	2636	cmd.exe	42
PID 2636 wrote to memory of 2648	2636	cmd.exe	44
PID 2636 wrote to memory of 2648	2636	cmd.exe	44
PID 2636 wrote to memory of 2648	2636	cmd.exe	44
PID 2636 wrote to memory of 2648	2636	cmd.exe	44

C:\Users\Admin\AppData\Local\Temp\3e066c8b166096cab6beceff9919a42bd98f46fa4d6efcb3b497067e792b2567N.exe
"C:\Users\Admin\AppData\Local\Temp\3e066c8b166096cab6beceff9919a42bd98f46fa4d6efcb3b497067e792b2567N.exe"
1⤵
- Drops startup file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3040
- C:\Windows\SysWOW64\netsh.exe
  C:\Windows\system32\netsh.exe advfirewall set allprofiles state on
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:2784
- C:\Windows\SysWOW64\netsh.exe
  C:\Windows\system32\netsh.exe advfirewall reset
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:2896
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\_READ_THI$_FILE_P4WH74K_.hta"
  2⤵
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  PID:1800
- C:\Windows\SysWOW64\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_READ_THI$_FILE_UKKTMPD_.txt
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2396
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2636
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "3e066c8b166096cab6beceff9919a42bd98f46fa4d6efcb3b497067e792b2567N.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2532
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 1 127.0.0.1
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2648

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:828

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
1⤵
- System Location Discovery: System Language Discovery
PID:1740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Network Service Discovery

T1046

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\_READ_THI$_FILE_0M6FH9_.jpeg

Filesize
150KB

MD5
6623eb454fdd59e9ef7a8546c2bafb31

SHA1
3b6805da5d2bfdf242d35d1d595175884e261364

SHA256
51d82fc15fca56fd8227ee33a3172ae0593e527339df202a10429047caade8a1

SHA512
f9622c4c18713e50f2c9895885965df7d21be6f81f42ee5d400df9db4b44649e692ea9bcbfb549ee2af2b4a0ae356c54ad68b0a924ad1a5e99caecb104902209

Download Submit
C:\Users\Admin\Desktop\_READ_THI$_FILE_P4WH74K_.hta

Filesize
75KB

MD5
967281dadca567ea9860fb25f52716bb

SHA1
9480e1e849dcbbdeebd754b420276a1ba685d26a

SHA256
2891d3ba208f7b909dffcbc479c8db3c9c6de3dcf6d2e63611221c7563097f23

SHA512
dae6c4cfdeba39932cc6af3fece87cd4ab199dae7eaed4c1c98a8f347359a92393f2a5195b89a750ac92059b93e0675a2343cfb918dd2ba2af457f0723991604

Download Submit
C:\Users\Admin\Desktop\_READ_THI$_FILE_UKKTMPD_.txt

Filesize
1KB

MD5
3422adfaeb35a4e760e0801f51c4615b

SHA1
67887c735d789fe9654ac24054cd3de4dd295a42

SHA256
272219f4bf59e19b4946bbd2d33c4c4fb90f012eca349083e46c47dcb6f9e87e

SHA512
b60d84da87942ed4ea40fd0432b81ce8307a37ed76d56378b4c024266876fd39eb90de9508f4e75bcbc1162b907b1d0d8e3d9a9858535ca2a88594e9eafaaea6

Download Submit
memory/828-82-0x00000000001B0000-0x00000000001B2000-memory.dmp

Filesize
8KB

Download
memory/3040-1-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/3040-4-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3040-3-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3040-2-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/3040-5-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3040-74-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/3040-81-0x0000000003420000-0x0000000003422000-memory.dmp

Filesize
8KB

Download
memory/3040-105-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads