General

  • Target

    c28e77b154384b98e67384b0a5e1ac821e0741761affe88299b329895947362dN.exe

  • Size

    262KB

  • Sample

    250216-jstajszkdv

  • MD5

    1eacbc706d48f602eef6b5a364149bc0

  • SHA1

    21da3bcd11076232ace66e4586d2ae9b810aae1d

  • SHA256

    c28e77b154384b98e67384b0a5e1ac821e0741761affe88299b329895947362d

  • SHA512

    33ce7cd483e26fe9e1729a6be90f5818304742420087b9a94d273779f4e5871a77f77ecd6a365ac3032e690ca303c6eb0b63eacfec1733324a67eabc65bbc159

  • SSDEEP

    6144:SAsBZoikJTvZqKan+Jjj8tjsioCKZ9JqKvryubSquKeqpMM+Ir2:ZDN7a+l8tjsioPZ2Kv2JxZqpxhr2

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\_READ_THIS_FILE_PSYUOP_.txt

Ransom Note
CERBER RANSOMWARE
---
YOUR D0CUMENTS, PHOTOS, DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED!
---
The only way to decrypt your files is to receive the private key and decryption program. To receive the private key and decryption program go to any decrypted folder, inside there is the special file (*_READ_THIS_FILE_*) with complete instructions how to decrypt your files. If you cannot find any (*_READ_THIS_FILE_*) file at your PC, follow the instructions below:
---
1. Download "Tor Browser" from https://www.torproject.org/ and install it.
2. In the "Tor Browser" open your personal page here: http://hjhqmbxyinislkkt.onion/CBAB-0728-8FDE-05C4-2B46
Note! This page is available via "Tor Browser" only.
---
Also you can use temporary addresses on your personal page without using "Tor Browser".
---
1. http://hjhqmbxyinislkkt.1gu5um.top/CBAB-0728-8FDE-05C4-2B46
2. http://hjhqmbxyinislkkt.1w5iy8.top/CBAB-0728-8FDE-05C4-2B46
3. http://hjhqmbxyinislkkt.1aajb7.top/CBAB-0728-8FDE-05C4-2B46
4. http://hjhqmbxyinislkkt.1nm62r.top/CBAB-0728-8FDE-05C4-2B46
5. http://hjhqmbxyinislkkt.1efxa8.top/CBAB-0728-8FDE-05C4-2B46
---
Note! These are temporary addresses! They will be available for a limited amount of time!
URLs

http://hjhqmbxyinislkkt.onion/CBAB-0728-8FDE-05C4-2B46

http://hjhqmbxyinislkkt.1gu5um.top/CBAB-0728-8FDE-05C4-2B46

http://hjhqmbxyinislkkt.1w5iy8.top/CBAB-0728-8FDE-05C4-2B46

http://hjhqmbxyinislkkt.1aajb7.top/CBAB-0728-8FDE-05C4-2B46

http://hjhqmbxyinislkkt.1nm62r.top/CBAB-0728-8FDE-05C4-2B46

http://hjhqmbxyinislkkt.1efxa8.top/CBAB-0728-8FDE-05C4-2B46
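The URLs above share one structure: the same 16-character onion name appears as the hostname of the Tor address and as the leftmost label of each clear-web ".top" gateway, and every URL carries the same victim ID as its path. The following is an added example, not part of the sandbox report: it extracts those IOCs from the note text quoted on this page, separates them from the Tor Project download link (which must not land on a block list), and checks a file's digests against the hashes the report lists. `NOTE` and `REPORTED` are copied from this page; the function names and the gateway heuristic (hostname starts with the onion label) are this example's own.

```python
"""Pull network IOCs out of the ransom note above and check a sample against the reported hashes.

Added example for this report, not the sandbox's own code. NOTE quotes the page's note text;
REPORTED carries the page's hashes; everything else (function names, the gateway heuristic)
is this example's own.
"""
import hashlib
import re
from urllib.parse import urlsplit

NOTE = """\
1. Download "Tor Browser" from https://www.torproject.org/ and install it.
2. In the "Tor Browser" open your personal page here: http://hjhqmbxyinislkkt.onion/CBAB-0728-8FDE-05C4-2B46
Also you can use temporary addresses on your personal page without using "Tor Browser".
1. http://hjhqmbxyinislkkt.1gu5um.top/CBAB-0728-8FDE-05C4-2B46
2. http://hjhqmbxyinislkkt.1w5iy8.top/CBAB-0728-8FDE-05C4-2B46
3. http://hjhqmbxyinislkkt.1aajb7.top/CBAB-0728-8FDE-05C4-2B46
4. http://hjhqmbxyinislkkt.1nm62r.top/CBAB-0728-8FDE-05C4-2B46
5. http://hjhqmbxyinislkkt.1efxa8.top/CBAB-0728-8FDE-05C4-2B46
"""

REPORTED = {  # hashes of the primary target as listed in this report
    "md5": "1eacbc706d48f602eef6b5a364149bc0",
    "sha1": "21da3bcd11076232ace66e4586d2ae9b810aae1d",
    "sha256": "c28e77b154384b98e67384b0a5e1ac821e0741761affe88299b329895947362d",
}

URL_RE = re.compile(r'https?://[^\s"<>]+')
VICTIM_RE = re.compile(r"^[0-9A-F]{4}(?:-[0-9A-F]{4}){4}$")  # shape of the ID in the note's URLs


def _first_segment(parts):
    return parts.path.strip("/").split("/")[0]


def extract_iocs(note):
    """Return the victim ID, the .onion service, the clear-web gateways fronting it, and
    any URL that is not an IOC (the Tor download link must not end up on a block list)."""
    parsed = [urlsplit(u) for u in URL_RE.findall(note)]
    victim_ids = sorted({_first_segment(p) for p in parsed if VICTIM_RE.match(_first_segment(p))})
    onion = next((p.hostname for p in parsed if p.hostname.endswith(".onion")), None)
    label = onion.split(".")[0] if onion else None
    gateways, not_iocs = [], []
    for p in parsed:
        if p.hostname == onion:
            continue
        # <onion-name>.<random>.top is a Tor2Web-style gateway: same service, reachable without Tor
        if label and p.hostname.startswith(label + "."):
            gateways.append(p.hostname)
        else:
            not_iocs.append(p.hostname)
    # block the registrable parent: the note itself says these hosts are temporary
    parents = sorted({".".join(h.split(".")[-2:]) for h in gateways})
    return {"victim_ids": victim_ids, "onion": onion, "gateways": gateways,
            "block_domains": parents, "not_iocs": not_iocs}


def digests(data):
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256", "sha512")}


def matches_report(data, expected=REPORTED):
    """Per-algorithm comparison of the bytes you have against the hashes the report lists."""
    got = digests(data)
    return {alg: got[alg] == value.lower() for alg, value in expected.items()}


if __name__ == "__main__":
    print(extract_iocs(NOTE))
```

Run `matches_report(open(path, "rb").read())` before trusting any finding on this page to the file in front of you; a single mismatching algorithm means you are looking at a different file, not a different hash table.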

Targets

    • Target

      c28e77b154384b98e67384b0a5e1ac821e0741761affe88299b329895947362dN.exe

    • Size

      262KB

    • MD5

      1eacbc706d48f602eef6b5a364149bc0

    • SHA1

      21da3bcd11076232ace66e4586d2ae9b810aae1d

    • SHA256

      c28e77b154384b98e67384b0a5e1ac821e0741761affe88299b329895947362d

    • SHA512

      33ce7cd483e26fe9e1729a6be90f5818304742420087b9a94d273779f4e5871a77f77ecd6a365ac3032e690ca303c6eb0b63eacfec1733324a67eabc65bbc159

    • SSDEEP

      6144:SAsBZoikJTvZqKan+Jjj8tjsioCKZ9JqKvryubSquKeqpMM+Ir2:ZDN7a+l8tjsioPZ2Kv2JxZqpxhr2

    • Cerber

      Cerber is a widely used ransomware-as-a-service (RaaS), first seen in early 2016.

    • Cerber family

    • Blocklisted process makes network request

    • Contacts a large (1090) amount of remote hosts

      This may indicate a network scan to discover remotely running services.

    • Downloads MZ/PE file

    • Modifies Windows Firewall

    • Deletes itself

    • Drops startup file

    • Loads dropped DLL

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

    • Suspicious use of SetThreadContext
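The "Contacts a large (1090) amount of remote hosts" signature above is a fan-out count, and the same logic works on endpoint network telemetry. The block below is an added example, not the sandbox's own detection: it parses constructed Sysmon Event ID 3-style lines, counts distinct remote hosts and distinct /24 networks per process image, and alerts with the context that separates a sweep from a busy but legitimate client (dense coverage of each /24, a single destination port). The line format, thresholds, process names and addresses are all assumptions; 1090 is this report's count, not a documented cutoff.

```python
"""Detection for the "contacts a large number of remote hosts" signature, run over endpoint
network events (Sysmon Event ID 3-style).

Added example for this report, not the sandbox's own logic. The line format, the thresholds
and the log lines are constructed; 1090 is the sandbox's count, not a documented cutoff.
"""
import ipaddress
import re
from collections import defaultdict

LINE_RE = re.compile(r"image=(?P<image>.+?) proto=(?P<proto>\w+) dst=(?P<ip>[\d.]+):(?P<port>\d+)")


def constructed_log():
    """One process sweeping two /24s on a single UDP port, plus a browser talking to three CDNs."""
    lines = []
    for i in range(120):
        net, host = divmod(i, 60)
        lines.append(f"2025-02-16T09:31:{i % 60:02d}Z pid=1440 image=C:\\Users\\Admin\\Desktop\\sample.exe "
                     f"proto=udp dst=10.0.{net}.{host + 1}:6000")
    for ip in ("142.250.0.10", "104.16.0.1", "151.101.1.1"):
        lines.append(f"2025-02-16T09:32:00Z pid=2200 image=C:\\Program Files\\Browser\\browser.exe "
                     f"proto=tcp dst={ip}:443")
    return lines


def parse(lines):
    events = []
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            events.append((m["image"], m["proto"].lower(), ipaddress.ip_address(m["ip"]), int(m["port"])))
    return events


def fanout(events):
    """Per process image: distinct remote hosts, distinct /24s they fall in, (proto, port) pairs used."""
    hosts, nets, ports = defaultdict(set), defaultdict(set), defaultdict(set)
    for image, proto, ip, port in events:
        hosts[image].add(ip)
        nets[image].add(ipaddress.ip_network(f"{ip}/24", strict=False))
        ports[image].add((proto, port))
    return {img: {"hosts": len(hosts[img]), "nets": len(nets[img]), "ports": sorted(ports[img])}
            for img in hosts}


def flag(stats, min_hosts=50, min_per_net=20):
    """Alert when one image fans out to >= min_hosts (threshold is an assumption), and add the
    context that separates a sweep from a busy client: dense /24 coverage, a single destination port."""
    alerts = []
    for image, s in stats.items():
        if s["hosts"] < min_hosts:
            continue
        reasons = [f"{s['hosts']} distinct remote hosts"]
        per_net = s["hosts"] / s["nets"]
        if per_net >= min_per_net:
            reasons.append(f"dense sweep: ~{per_net:.0f} hosts per /24 across {s['nets']} /24s")
        if len(s["ports"]) == 1:
            proto, port = s["ports"][0]
            reasons.append(f"all traffic to {proto}/{port}")
        alerts.append((image, reasons))
    return alerts


if __name__ == "__main__":
    for image, reasons in flag(fanout(parse(constructed_log()))):
        print(image, "->", "; ".join(reasons))
```

Tune `min_hosts` against a baseline of your own fleet: update agents and peer-to-peer clients legitimately exceed fifty hosts, but they rarely combine that with one port and near-complete coverage of consecutive /24s, which is why the alert carries those two reasons separately.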

    • Target

      $PLUGINSDIR/System.dll

    • Size

      11KB

    • MD5

      b8992e497d57001ddf100f9c397fcef5

    • SHA1

      e26ddf101a2ec5027975d2909306457c6f61cfbd

    • SHA256

      98bcd1dd88642f4dd36a300c76ebb1ddfbbbc5bfc7e3b6d7435dc6d6e030c13b

    • SHA512

      8823b1904dccfaf031068102cb1def7958a057f49ff369f0e061f1b4db2090021aa620bb8442a2a6ac9355bb74ee54371dc2599c20dc723755a46ede81533a3c

    • SSDEEP

      192:PPtkumJX7zB22kGwfy0mtVgkCPOs81un:E702k5qpds8Qn

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Downloads MZ/PE file

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    • Executes dropped EXE

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Installs/modifies Browser Helper Object

      BHOs are DLL modules which act as plugins for Internet Explorer.

    • Drops file in System32 directory
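The three persistence signatures above (Active Setup, COM hijacking, Browser Helper Object) all reduce to registry entries that can be audited from an export. The block below is an added example, not the sandbox's own logic: it parses `.reg` text, lists Active Setup components whose `StubPath` points into a user-writable location, finds CLSIDs registered under `HKCU\Software\Classes` that shadow the machine-wide server (HKCR merges the user hive over HKLM, which is what makes COM hijacking work), and resolves each registered BHO to the DLL Internet Explorer would load. The key paths are the documented Windows locations; the sample export, its GUIDs and file paths are constructed (the `gift.dll` name is borrowed from this report's dropped file, but the paths shown are not claimed to be this sample's), and the "user-writable" marker list is an assumption. `reg.exe export` writes UTF-16LE, so decode before passing text to `parse_reg`.

```python
"""Flag the persistence registrations named above (Active Setup, COM hijack, BHO) in a .reg export.

Added example for this report, not the sandbox's own code. Key paths are the documented Windows
locations; the .reg text, its GUIDs and file paths are constructed; USER_WRITABLE is a heuristic.
"""
import re

SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{11111111-0000-0000-0000-000000000001}]
"StubPath"="C:\\Windows\\System32\\regsvr32.exe /s /n /i:U shell32.dll"
"Version"="1,0,0,0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{11111111-0000-0000-0000-000000000002}]
"StubPath"="C:\\Users\\Admin\\AppData\\Roaming\\dropped.exe"
"Version"="1,0,0,0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{22222222-0000-0000-0000-000000000001}\InprocServer32]
@="C:\\Windows\\System32\\shell32.dll"
"ThreadingModel"="Apartment"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{22222222-0000-0000-0000-000000000001}\InprocServer32]
@="C:\\Users\\Admin\\AppData\\Local\\Temp\\gift.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{22222222-0000-0000-0000-000000000001}]
@="Gift Helper"
'''

KEY_RE = re.compile(r"^\[(.+)\]$")
VAL_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')
CLSID_RE = re.compile(r"^HKEY_(LOCAL_MACHINE|CURRENT_USER)\\Software\\Classes\\CLSID\\(\{[0-9A-Fa-f-]+\})\\(InprocServer32|LocalServer32)$", re.I)
ACTIVE_SETUP = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\"
BHO_KEY = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects\\"
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\", "\\downloads\\")


def _unescape(s):
    return re.sub(r"\\(.)", r"\1", s)  # .reg strings escape backslash and quote with a backslash


def parse_reg(text):
    """{key path: {value name: data}}; '' is the default value (@), string data unescaped."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VAL_RE.match(line)
        if m and current is not None:
            name = "" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
            data = m.group(2)
            if data.startswith('"') and data.endswith('"'):
                data = _unescape(data[1:-1])
            keys[current][name] = data
    return keys


def is_user_writable(path):
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE)


def find_active_setup(reg):
    """Active Setup runs StubPath once per user at logon; a stub outside system directories is the finding."""
    return [(key[len(ACTIVE_SETUP):], v["StubPath"], is_user_writable(v["StubPath"]))
            for key, v in reg.items()
            if key.lower().startswith(ACTIVE_SETUP.lower()) and "StubPath" in v]


def _clsid_servers(reg):
    servers = {}
    for key, v in reg.items():
        m = CLSID_RE.match(key)
        if m and "" in v:
            servers[(m.group(1).upper(), m.group(2).lower())] = v[""]
    return servers


def find_com_hijacks(reg):
    """HKCR merges HKCU\\Software\\Classes over HKLM, so a per-user server silently replaces the machine one."""
    servers, hits = _clsid_servers(reg), []
    for (hive, clsid), path in servers.items():
        if hive == "CURRENT_USER":
            machine = servers.get(("LOCAL_MACHINE", clsid))
            hits.append({"clsid": clsid, "user_server": path, "machine_server": machine,
                         "suspicious": machine is not None or is_user_writable(path)})
    return hits


def find_bhos(reg):
    """Resolve each registered BHO to the DLL Internet Explorer would actually load (per-user server wins)."""
    servers, found = _clsid_servers(reg), {}
    for key in reg:
        if key.lower().startswith(BHO_KEY.lower()):
            clsid = key[len(BHO_KEY):].split("\\")[0].lower()
            dll = servers.get(("CURRENT_USER", clsid)) or servers.get(("LOCAL_MACHINE", clsid))
            found[clsid] = (clsid, dll, dll is not None and is_user_writable(dll))
    return list(found.values())
```

On a 64-bit host also export and check the `Wow6432Node` counterparts of the Active Setup and BHO keys, which this parser treats as ordinary keys but the constants above do not match.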

    • Target

      gift.dll

    • Size

      63KB

    • MD5

      0f24042f66d3e5d89cc6e21068f765a9

    • SHA1

      8f27a5e556ab83ff5d35a58aa0e0dfd72bb78477

    • SHA256

      00e8df1c5ded11cc861ce46a553cd8c66828bb2ad51241bf6cd0e0d575bb5442

    • SHA512

      30464da8d18bd569fbbfaca7ce5a86eb89accd8f6c6939fc4af4ef3b67d13b57b1db6c77df213ffc19789bbbf86fac1e76c5805c191d34d06776d76217a21e7e

    • SSDEEP

      768:9Y6C4+O8N1d/siAAKVhlKs9Zf6c9AJNMPWgitvP5DWOuDyuajZ+xwfgOp/KhO:eL4+LvdAznr368KNM7itvhDoA+Mp/K

    Score
    8/10
    • Downloads MZ/PE file

MITRE ATT&CK Enterprise v15

Tasks