cerber | a98577b632bf0c7f52e0ad630deb142f025548e11742c722edfc1aa7e451307f

Analysis

max time kernel
47s
max time network
46s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
16-02-2025 13:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a98577b632bf0c7f52e0ad630deb142f025548e11742c722edfc1aa7e451307fN.exe
Size

863KB
MD5

3b04620c595f056953d8a69f7df50890
SHA1

a081df0cb394ef9b7d7d36e9df30a35d56d326dd
SHA256

a98577b632bf0c7f52e0ad630deb142f025548e11742c722edfc1aa7e451307f
SHA512

50be59e6d82590d47fa0eb3e95d4493b59576ec21c821ee6cf4d671687f38767e6d24b97df87c60197d014ce412a9c95c68e9938715485a88080514db4912bda
SSDEEP

6144:aLghm3ma0IcIIY9Y3urjY0MxecINPBPSsHo0wlTyXc4t+/qemoNNozPs:akh0marcc9RANINPB9oeMhq0

Score

10^/10

cerber defense_evasion discovery persistence privilege_escalation ransomware

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\_READ_THIS_FILE_LIO7_.txt

Ransom Note

CERBER RANS0MWARE --- YOUR DOCUMENTS, PHOTOS, DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED! --- The only way to decrypt your files is to receive the private key and decryption program. To receive the private key and decryption program go to any decrypted folder, inside there is the special file (*_READ_THIS_FILE_*) with complete instructions how to decrypt your files. If you cannot find any (*_READ_THIS_FILE_*) file at your PC, follow the instructions below: --- 1. Download "Tor Browser" from https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your personal page here: http://hjhqmbxyinislkkt.onion/8800-77F8-B4E0-0501-F9B5 Note! This page is available via "Tor Browser" only. --- Also you can use temporary addresses on your personal page without using "Tor Browser". --- 1. http://hjhqmbxyinislkkt.1cdqfv.top/8800-77F8-B4E0-0501-F9B5 2. http://hjhqmbxyinislkkt.13eymq.top/8800-77F8-B4E0-0501-F9B5 3. http://hjhqmbxyinislkkt.1eeyaj.top/8800-77F8-B4E0-0501-F9B5 4. http://hjhqmbxyinislkkt.1eagrj.top/8800-77F8-B4E0-0501-F9B5 5. http://hjhqmbxyinislkkt.1a2xx3.top/8800-77F8-B4E0-0501-F9B5 --- Note! These are temporary addresses! They will be available for a limited amount of time!

URLs

http://hjhqmbxyinislkkt.onion/8800-77F8-B4E0-0501-F9B5

http://hjhqmbxyinislkkt.1cdqfv.top/8800-77F8-B4E0-0501-F9B5

http://hjhqmbxyinislkkt.13eymq.top/8800-77F8-B4E0-0501-F9B5

http://hjhqmbxyinislkkt.1eeyaj.top/8800-77F8-B4E0-0501-F9B5

http://hjhqmbxyinislkkt.1eagrj.top/8800-77F8-B4E0-0501-F9B5

http://hjhqmbxyinislkkt.1a2xx3.top/8800-77F8-B4E0-0501-F9B5

Signatures

Cerber
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
ransomware cerber
Cerber family
cerber

Blocklisted process makes network request 1 IoCs

flow	pid	Process
2181	1648	mshta.exe

Contacts a large (1090) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Modifies Windows Firewall 2 TTPs 2 IoCs

defense_evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2060	netsh.exe
1384	netsh.exe

Deletes itself 1 IoCs

pid	Process
1896	cmd.exe

Drops startup file 1 IoCs

description	ioc	Process
File opened for modification	\??\c:\users\admin\appdata\roaming\microsoft\word\startup\	a98577b632bf0c7f52e0ad630deb142f025548e11742c722edfc1aa7e451307fN.exe

Drops file in System32 directory 38 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\microsoft sql server	a98577b632bf0c7f52e0ad630deb142f025548e11742c722edfc1aa7e451307fN.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\outlook	a98577b632bf0c7f52e0ad630deb142f025548e11742c722edfc1aa7e451307fN.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\the bat!	a98577b632bf0c7f52e0ad630deb142f025548e11742c722edfc1aa7e451307fN.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\excel	a98577b632bf0c7f52e0ad630deb142f025548e11742c722edfc1aa7e451307fN.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\office	a98577b632bf0c7f52e0ad630deb142f025548e11742c722edfc1aa7e451307fN.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\office	a98577b632bf0c7f52e0ad630deb142f025548e11742c722edfc1aa7e451307fN.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\office	a98577b632bf0c7f52e0ad630deb142f025548e11742c722edfc1aa7e451307fN.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\office	a98577b632bf0c7f52e0ad630deb142f025548e11742c722edfc1aa7e451307fN.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\powerpoint	a98577b632bf0c7f52e0ad630deb142f025548e11742c722edfc1aa7e451307fN.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\excel	a98577b632bf0c7f52e0ad630deb142f025548e11742c722edfc1aa7e451307fN.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft sql server	a98577b632bf0c7f52e0ad630deb142f025548e11742c722edfc1aa7e451307fN.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\outlook	a98577b632bf0c7f52e0ad630deb142f025548e11742c722edfc1aa7e451307fN.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\word	a98577b632bf0c7f52e0ad630deb142f025548e11742c722edfc1aa7e451307fN.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\onenote	a98577b632bf0c7f52e0ad630deb142f025548e11742c722edfc1aa7e451307fN.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\outlook	a98577b632bf0c7f52e0ad630deb142f025548e11742c722edfc1aa7e451307fN.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\thunderbird	a98577b632bf0c7f52e0ad630deb142f025548e11742c722edfc1aa7e451307fN.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\word	a98577b632bf0c7f52e0ad630deb142f025548e11742c722edfc1aa7e451307fN.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\word	a98577b632bf0c7f52e0ad630deb142f025548e11742c722edfc1aa7e451307fN.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\bitcoin	a98577b632bf0c7f52e0ad630deb142f025548e11742c722edfc1aa7e451307fN.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\excel	a98577b632bf0c7f52e0ad630deb142f025548e11742c722edfc1aa7e451307fN.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\outlook	a98577b632bf0c7f52e0ad630deb142f025548e11742c722edfc1aa7e451307fN.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\powerpoint	a98577b632bf0c7f52e0ad630deb142f025548e11742c722edfc1aa7e451307fN.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\onenote	a98577b632bf0c7f52e0ad630deb142f025548e11742c722edfc1aa7e451307fN.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\thunderbird	a98577b632bf0c7f52e0ad630deb142f025548e11742c722edfc1aa7e451307fN.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\bitcoin	a98577b632bf0c7f52e0ad630deb142f025548e11742c722edfc1aa7e451307fN.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft sql server	a98577b632bf0c7f52e0ad630deb142f025548e11742c722edfc1aa7e451307fN.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\excel	a98577b632bf0c7f52e0ad630deb142f025548e11742c722edfc1aa7e451307fN.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\onenote	a98577b632bf0c7f52e0ad630deb142f025548e11742c722edfc1aa7e451307fN.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\steam	a98577b632bf0c7f52e0ad630deb142f025548e11742c722edfc1aa7e451307fN.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\documents	a98577b632bf0c7f52e0ad630deb142f025548e11742c722edfc1aa7e451307fN.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\desktop	a98577b632bf0c7f52e0ad630deb142f025548e11742c722edfc1aa7e451307fN.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\microsoft sql server	a98577b632bf0c7f52e0ad630deb142f025548e11742c722edfc1aa7e451307fN.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\powerpoint	a98577b632bf0c7f52e0ad630deb142f025548e11742c722edfc1aa7e451307fN.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\onenote	a98577b632bf0c7f52e0ad630deb142f025548e11742c722edfc1aa7e451307fN.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\powerpoint	a98577b632bf0c7f52e0ad630deb142f025548e11742c722edfc1aa7e451307fN.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\steam	a98577b632bf0c7f52e0ad630deb142f025548e11742c722edfc1aa7e451307fN.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\the bat!	a98577b632bf0c7f52e0ad630deb142f025548e11742c722edfc1aa7e451307fN.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\word	a98577b632bf0c7f52e0ad630deb142f025548e11742c722edfc1aa7e451307fN.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmpBCE9.bmp"	a98577b632bf0c7f52e0ad630deb142f025548e11742c722edfc1aa7e451307fN.exe

Drops file in Program Files directory 20 IoCs

description	ioc	Process
File opened for modification	\??\c:\program files (x86)\onenote	a98577b632bf0c7f52e0ad630deb142f025548e11742c722edfc1aa7e451307fN.exe
File opened for modification	\??\c:\program files (x86)\thunderbird	a98577b632bf0c7f52e0ad630deb142f025548e11742c722edfc1aa7e451307fN.exe
File opened for modification	\??\c:\program files (x86)\microsoft\microsoft sql server	a98577b632bf0c7f52e0ad630deb142f025548e11742c722edfc1aa7e451307fN.exe
File opened for modification	\??\c:\program files (x86)\microsoft\onenote	a98577b632bf0c7f52e0ad630deb142f025548e11742c722edfc1aa7e451307fN.exe
File opened for modification	\??\c:\program files (x86)\microsoft\word	a98577b632bf0c7f52e0ad630deb142f025548e11742c722edfc1aa7e451307fN.exe
File opened for modification	\??\c:\program files (x86)\excel	a98577b632bf0c7f52e0ad630deb142f025548e11742c722edfc1aa7e451307fN.exe
File opened for modification	\??\c:\program files (x86)\microsoft\powerpoint	a98577b632bf0c7f52e0ad630deb142f025548e11742c722edfc1aa7e451307fN.exe
File opened for modification	\??\c:\program files (x86)\office	a98577b632bf0c7f52e0ad630deb142f025548e11742c722edfc1aa7e451307fN.exe
File opened for modification	\??\c:\program files\	a98577b632bf0c7f52e0ad630deb142f025548e11742c722edfc1aa7e451307fN.exe
File opened for modification	\??\c:\program files (x86)\microsoft\office	a98577b632bf0c7f52e0ad630deb142f025548e11742c722edfc1aa7e451307fN.exe
File opened for modification	\??\c:\program files (x86)\outlook	a98577b632bf0c7f52e0ad630deb142f025548e11742c722edfc1aa7e451307fN.exe
File opened for modification	\??\c:\program files (x86)\microsoft\excel	a98577b632bf0c7f52e0ad630deb142f025548e11742c722edfc1aa7e451307fN.exe
File opened for modification	\??\c:\program files (x86)\microsoft\outlook	a98577b632bf0c7f52e0ad630deb142f025548e11742c722edfc1aa7e451307fN.exe
File opened for modification	\??\c:\program files (x86)\powerpoint	a98577b632bf0c7f52e0ad630deb142f025548e11742c722edfc1aa7e451307fN.exe
File opened for modification	\??\c:\program files (x86)\steam	a98577b632bf0c7f52e0ad630deb142f025548e11742c722edfc1aa7e451307fN.exe
File opened for modification	\??\c:\program files (x86)\the bat!	a98577b632bf0c7f52e0ad630deb142f025548e11742c722edfc1aa7e451307fN.exe
File opened for modification	\??\c:\program files (x86)\	a98577b632bf0c7f52e0ad630deb142f025548e11742c722edfc1aa7e451307fN.exe
File opened for modification	\??\c:\program files (x86)\bitcoin	a98577b632bf0c7f52e0ad630deb142f025548e11742c722edfc1aa7e451307fN.exe
File opened for modification	\??\c:\program files (x86)\microsoft sql server	a98577b632bf0c7f52e0ad630deb142f025548e11742c722edfc1aa7e451307fN.exe
File opened for modification	\??\c:\program files (x86)\word	a98577b632bf0c7f52e0ad630deb142f025548e11742c722edfc1aa7e451307fN.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\steam	a98577b632bf0c7f52e0ad630deb142f025548e11742c722edfc1aa7e451307fN.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\word	a98577b632bf0c7f52e0ad630deb142f025548e11742c722edfc1aa7e451307fN.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\word	a98577b632bf0c7f52e0ad630deb142f025548e11742c722edfc1aa7e451307fN.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\onenote	a98577b632bf0c7f52e0ad630deb142f025548e11742c722edfc1aa7e451307fN.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\word	a98577b632bf0c7f52e0ad630deb142f025548e11742c722edfc1aa7e451307fN.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\desktop	a98577b632bf0c7f52e0ad630deb142f025548e11742c722edfc1aa7e451307fN.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\bitcoin	a98577b632bf0c7f52e0ad630deb142f025548e11742c722edfc1aa7e451307fN.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\excel	a98577b632bf0c7f52e0ad630deb142f025548e11742c722edfc1aa7e451307fN.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\outlook	a98577b632bf0c7f52e0ad630deb142f025548e11742c722edfc1aa7e451307fN.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\outlook	a98577b632bf0c7f52e0ad630deb142f025548e11742c722edfc1aa7e451307fN.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\powerpoint	a98577b632bf0c7f52e0ad630deb142f025548e11742c722edfc1aa7e451307fN.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\office	a98577b632bf0c7f52e0ad630deb142f025548e11742c722edfc1aa7e451307fN.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\thunderbird	a98577b632bf0c7f52e0ad630deb142f025548e11742c722edfc1aa7e451307fN.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\documents	a98577b632bf0c7f52e0ad630deb142f025548e11742c722edfc1aa7e451307fN.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\bitcoin	a98577b632bf0c7f52e0ad630deb142f025548e11742c722edfc1aa7e451307fN.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\excel	a98577b632bf0c7f52e0ad630deb142f025548e11742c722edfc1aa7e451307fN.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\microsoft sql server	a98577b632bf0c7f52e0ad630deb142f025548e11742c722edfc1aa7e451307fN.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\powerpoint	a98577b632bf0c7f52e0ad630deb142f025548e11742c722edfc1aa7e451307fN.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\powerpoint	a98577b632bf0c7f52e0ad630deb142f025548e11742c722edfc1aa7e451307fN.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\office	a98577b632bf0c7f52e0ad630deb142f025548e11742c722edfc1aa7e451307fN.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\word	a98577b632bf0c7f52e0ad630deb142f025548e11742c722edfc1aa7e451307fN.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\outlook	a98577b632bf0c7f52e0ad630deb142f025548e11742c722edfc1aa7e451307fN.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\onenote	a98577b632bf0c7f52e0ad630deb142f025548e11742c722edfc1aa7e451307fN.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\onenote	a98577b632bf0c7f52e0ad630deb142f025548e11742c722edfc1aa7e451307fN.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\documents	a98577b632bf0c7f52e0ad630deb142f025548e11742c722edfc1aa7e451307fN.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\excel	a98577b632bf0c7f52e0ad630deb142f025548e11742c722edfc1aa7e451307fN.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\onenote	a98577b632bf0c7f52e0ad630deb142f025548e11742c722edfc1aa7e451307fN.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\powerpoint	a98577b632bf0c7f52e0ad630deb142f025548e11742c722edfc1aa7e451307fN.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\powerpoint	a98577b632bf0c7f52e0ad630deb142f025548e11742c722edfc1aa7e451307fN.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\thunderbird	a98577b632bf0c7f52e0ad630deb142f025548e11742c722edfc1aa7e451307fN.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\excel	a98577b632bf0c7f52e0ad630deb142f025548e11742c722edfc1aa7e451307fN.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft sql server	a98577b632bf0c7f52e0ad630deb142f025548e11742c722edfc1aa7e451307fN.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\onenote	a98577b632bf0c7f52e0ad630deb142f025548e11742c722edfc1aa7e451307fN.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\powerpoint	a98577b632bf0c7f52e0ad630deb142f025548e11742c722edfc1aa7e451307fN.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\thunderbird	a98577b632bf0c7f52e0ad630deb142f025548e11742c722edfc1aa7e451307fN.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\word	a98577b632bf0c7f52e0ad630deb142f025548e11742c722edfc1aa7e451307fN.exe
File opened for modification	\??\c:\windows\	a98577b632bf0c7f52e0ad630deb142f025548e11742c722edfc1aa7e451307fN.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\outlook	a98577b632bf0c7f52e0ad630deb142f025548e11742c722edfc1aa7e451307fN.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\outlook	a98577b632bf0c7f52e0ad630deb142f025548e11742c722edfc1aa7e451307fN.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft sql server	a98577b632bf0c7f52e0ad630deb142f025548e11742c722edfc1aa7e451307fN.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\excel	a98577b632bf0c7f52e0ad630deb142f025548e11742c722edfc1aa7e451307fN.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\word	a98577b632bf0c7f52e0ad630deb142f025548e11742c722edfc1aa7e451307fN.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\outlook	a98577b632bf0c7f52e0ad630deb142f025548e11742c722edfc1aa7e451307fN.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\the bat!	a98577b632bf0c7f52e0ad630deb142f025548e11742c722edfc1aa7e451307fN.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft sql server	a98577b632bf0c7f52e0ad630deb142f025548e11742c722edfc1aa7e451307fN.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\office	a98577b632bf0c7f52e0ad630deb142f025548e11742c722edfc1aa7e451307fN.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\outlook	a98577b632bf0c7f52e0ad630deb142f025548e11742c722edfc1aa7e451307fN.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\steam	a98577b632bf0c7f52e0ad630deb142f025548e11742c722edfc1aa7e451307fN.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\steam	a98577b632bf0c7f52e0ad630deb142f025548e11742c722edfc1aa7e451307fN.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\thunderbird	a98577b632bf0c7f52e0ad630deb142f025548e11742c722edfc1aa7e451307fN.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\office	a98577b632bf0c7f52e0ad630deb142f025548e11742c722edfc1aa7e451307fN.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\powerpoint	a98577b632bf0c7f52e0ad630deb142f025548e11742c722edfc1aa7e451307fN.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\word	a98577b632bf0c7f52e0ad630deb142f025548e11742c722edfc1aa7e451307fN.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\onenote	a98577b632bf0c7f52e0ad630deb142f025548e11742c722edfc1aa7e451307fN.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\bitcoin	a98577b632bf0c7f52e0ad630deb142f025548e11742c722edfc1aa7e451307fN.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\excel	a98577b632bf0c7f52e0ad630deb142f025548e11742c722edfc1aa7e451307fN.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\office	a98577b632bf0c7f52e0ad630deb142f025548e11742c722edfc1aa7e451307fN.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\office	a98577b632bf0c7f52e0ad630deb142f025548e11742c722edfc1aa7e451307fN.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\outlook	a98577b632bf0c7f52e0ad630deb142f025548e11742c722edfc1aa7e451307fN.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\the bat!	a98577b632bf0c7f52e0ad630deb142f025548e11742c722edfc1aa7e451307fN.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\desktop	a98577b632bf0c7f52e0ad630deb142f025548e11742c722edfc1aa7e451307fN.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\microsoft sql server	a98577b632bf0c7f52e0ad630deb142f025548e11742c722edfc1aa7e451307fN.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\office	a98577b632bf0c7f52e0ad630deb142f025548e11742c722edfc1aa7e451307fN.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\office	a98577b632bf0c7f52e0ad630deb142f025548e11742c722edfc1aa7e451307fN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a98577b632bf0c7f52e0ad630deb142f025548e11742c722edfc1aa7e451307fN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2292	PING.EXE

Kills process with taskkill 1 IoCs

defense_evasion

pid	Process
888	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2664	NOTEPAD.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2292	PING.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3016	a98577b632bf0c7f52e0ad630deb142f025548e11742c722edfc1aa7e451307fN.exe
Token: SeDebugPrivilege	888	taskkill.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1788	DllHost.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1788	DllHost.exe
1788	DllHost.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3016	a98577b632bf0c7f52e0ad630deb142f025548e11742c722edfc1aa7e451307fN.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 3016 wrote to memory of 1384	3016	a98577b632bf0c7f52e0ad630deb142f025548e11742c722edfc1aa7e451307fN.exe	30
PID 3016 wrote to memory of 1384	3016	a98577b632bf0c7f52e0ad630deb142f025548e11742c722edfc1aa7e451307fN.exe	30
PID 3016 wrote to memory of 1384	3016	a98577b632bf0c7f52e0ad630deb142f025548e11742c722edfc1aa7e451307fN.exe	30
PID 3016 wrote to memory of 1384	3016	a98577b632bf0c7f52e0ad630deb142f025548e11742c722edfc1aa7e451307fN.exe	30
PID 3016 wrote to memory of 2060	3016	a98577b632bf0c7f52e0ad630deb142f025548e11742c722edfc1aa7e451307fN.exe	32
PID 3016 wrote to memory of 2060	3016	a98577b632bf0c7f52e0ad630deb142f025548e11742c722edfc1aa7e451307fN.exe	32
PID 3016 wrote to memory of 2060	3016	a98577b632bf0c7f52e0ad630deb142f025548e11742c722edfc1aa7e451307fN.exe	32
PID 3016 wrote to memory of 2060	3016	a98577b632bf0c7f52e0ad630deb142f025548e11742c722edfc1aa7e451307fN.exe	32
PID 3016 wrote to memory of 1648	3016	a98577b632bf0c7f52e0ad630deb142f025548e11742c722edfc1aa7e451307fN.exe	35
PID 3016 wrote to memory of 1648	3016	a98577b632bf0c7f52e0ad630deb142f025548e11742c722edfc1aa7e451307fN.exe	35
PID 3016 wrote to memory of 1648	3016	a98577b632bf0c7f52e0ad630deb142f025548e11742c722edfc1aa7e451307fN.exe	35
PID 3016 wrote to memory of 1648	3016	a98577b632bf0c7f52e0ad630deb142f025548e11742c722edfc1aa7e451307fN.exe	35
PID 3016 wrote to memory of 2664	3016	a98577b632bf0c7f52e0ad630deb142f025548e11742c722edfc1aa7e451307fN.exe	36
PID 3016 wrote to memory of 2664	3016	a98577b632bf0c7f52e0ad630deb142f025548e11742c722edfc1aa7e451307fN.exe	36
PID 3016 wrote to memory of 2664	3016	a98577b632bf0c7f52e0ad630deb142f025548e11742c722edfc1aa7e451307fN.exe	36
PID 3016 wrote to memory of 2664	3016	a98577b632bf0c7f52e0ad630deb142f025548e11742c722edfc1aa7e451307fN.exe	36
PID 3016 wrote to memory of 1896	3016	a98577b632bf0c7f52e0ad630deb142f025548e11742c722edfc1aa7e451307fN.exe	40
PID 3016 wrote to memory of 1896	3016	a98577b632bf0c7f52e0ad630deb142f025548e11742c722edfc1aa7e451307fN.exe	40
PID 3016 wrote to memory of 1896	3016	a98577b632bf0c7f52e0ad630deb142f025548e11742c722edfc1aa7e451307fN.exe	40
PID 3016 wrote to memory of 1896	3016	a98577b632bf0c7f52e0ad630deb142f025548e11742c722edfc1aa7e451307fN.exe	40
PID 1896 wrote to memory of 888	1896	cmd.exe	42
PID 1896 wrote to memory of 888	1896	cmd.exe	42
PID 1896 wrote to memory of 888	1896	cmd.exe	42
PID 1896 wrote to memory of 888	1896	cmd.exe	42
PID 1896 wrote to memory of 2292	1896	cmd.exe	44
PID 1896 wrote to memory of 2292	1896	cmd.exe	44
PID 1896 wrote to memory of 2292	1896	cmd.exe	44
PID 1896 wrote to memory of 2292	1896	cmd.exe	44

C:\Users\Admin\AppData\Local\Temp\a98577b632bf0c7f52e0ad630deb142f025548e11742c722edfc1aa7e451307fN.exe
"C:\Users\Admin\AppData\Local\Temp\a98577b632bf0c7f52e0ad630deb142f025548e11742c722edfc1aa7e451307fN.exe"
1⤵
- Drops startup file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3016
- C:\Windows\SysWOW64\netsh.exe
  C:\Windows\system32\netsh.exe advfirewall set allprofiles state on
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:1384
- C:\Windows\SysWOW64\netsh.exe
  C:\Windows\system32\netsh.exe advfirewall reset
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:2060
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\_READ_THIS_FILE_V2OTF4_.hta"
  2⤵
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  PID:1648
- C:\Windows\SysWOW64\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_READ_THIS_FILE_LIO7_.txt
  2⤵
  - System Location Discovery: System Language Discovery
  - Opens file in notepad (likely ransom note)
  PID:2664
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1896
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "a98577b632bf0c7f52e0ad630deb142f025548e11742c722edfc1aa7e451307fN.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:888
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 1 127.0.0.1
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2292

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1788

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
1⤵
- System Location Discovery: System Language Discovery
PID:2184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Network Service Discovery

T1046

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\_READ_THIS_FILE_8DWZISW_.jpeg

Filesize
150KB

MD5
831892a4b29ce8f4cf5c068493af3afe

SHA1
d92b9e1ffbeb2c698c74961ad014d360c4851d3f

SHA256
fc4dd6839e4cbfb8af50b15ca26f7c8a9727d100deaf161b23ce31266bef20a9

SHA512
08e704a2f126acc0bd41fbb2d6274a01402d5bb45a6402ede157c075b11a50ddd641e653cae1d027c1dfa8ad70ffad44c919d542deadbfaf1774f2d09052daa9

Download Submit
C:\Users\Admin\Desktop\_READ_THIS_FILE_LIO7_.txt

Filesize
1KB

MD5
3fc1dd96ad516360633a50d224207e90

SHA1
be63c71312a67e0760e73eee42aebde230f7b030

SHA256
b863c08941759c26deedaf0c1e5b036896db0b7b79db0bf3e304424d3d395943

SHA512
11896646f42bd27fc4cda0c760de268df9eb860be6489668e343a6a648dbc69fc227b32c7ebfd5c365350312fc273758f2c5032418d49103034ded062a74ac0c

Download Submit
C:\Users\Admin\Desktop\_READ_THIS_FILE_V2OTF4_.hta

Filesize
74KB

MD5
b1c08642de1b66cb6931753e94c8e2ab

SHA1
fcb35bf2ed88a6568d760bff39adbad61f3c63e5

SHA256
74e9ef946cecc64616088829453ec477ae779426ec3e495f99a69a5b631befc4

SHA512
87e166c5087a0194c3e44be69f60c9feb2a8e0385b6a8821c7f881103beeaad11ee533a606ad39735f8c025a01e4a2febae0a2cf3f1b037750cdd2574aaf3a4c

Download Submit
memory/1788-95-0x0000000000130000-0x0000000000132000-memory.dmp

Filesize
8KB

Download
memory/3016-5-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3016-73-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3016-87-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3016-9-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3016-1-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3016-2-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3016-94-0x0000000003B90000-0x0000000003B92000-memory.dmp

Filesize
8KB

Download
memory/3016-0-0x0000000000220000-0x0000000000257000-memory.dmp

Filesize
220KB

Download
memory/3016-118-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads