General

  • Target

    a73d7acb96ac7fa41ab009baaa19f7c0b9c818d395f24ea66734aa7406fd37fd.exe

  • Size

    263KB

  • Sample

    250217-fjr5ca1mgq

  • MD5

    0b6b9e4676a713e7c226801b5fc87315

  • SHA1

    167cf657d7b9e56ac4a43d326aa51ed8c5429fd3

  • SHA256

    a73d7acb96ac7fa41ab009baaa19f7c0b9c818d395f24ea66734aa7406fd37fd

  • SHA512

    2df8cec1fb9491aec3518218fc48871702f5a1f2207503f3ad9d9758fdc39729606c5b3d228cc53a813c9bceb8ff92638b6fac3787a0cf68e57f039df6c3c4f4

  • SSDEEP

    6144:SAsBZoikJTvZqKan+Jjj8tjsioCKZ9JqKvryubSquKeqpMM+Ir2:ZDN7a+l8tjsioPZ2Kv2JxZqpxhr2

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\_READ_THIS_FILE_RAQ3QLM_.txt

Ransom Note

CERBER RANSOMWARE
---
YOUR D0CUMENTS, PHOTOS, DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED!
---
The only way to decrypt your files is to receive the private key and decryption program. To receive the private key and decryption program go to any decrypted folder, inside there is the special file (*_READ_THIS_FILE_*) with complete instructions how to decrypt your files. If you cannot find any (*_READ_THIS_FILE_*) file at your PC, follow the instructions below:
---
1. Download "Tor Browser" from https://www.torproject.org/ and install it.
2. In the "Tor Browser" open your personal page here: http://p27dokhpz2n7nvgr.onion/120C-CCC2-D140-0006-42BF
Note! This page is available via "Tor Browser" only.
---
Also you can use temporary addresses on your personal page without using "Tor Browser".
---
1. http://p27dokhpz2n7nvgr.tor2web.org/120C-CCC2-D140-0006-42BF
2. http://p27dokhpz2n7nvgr.onion.link/120C-CCC2-D140-0006-42BF
3. http://p27dokhpz2n7nvgr.onion.nu/120C-CCC2-D140-0006-42BF
4. http://p27dokhpz2n7nvgr.onion.cab/120C-CCC2-D140-0006-42BF
5. http://p27dokhpz2n7nvgr.onion.to/120C-CCC2-D140-0006-42BF
---
Note! These are temporary addresses! They will be available for a limited amount of time!

URLs

http://p27dokhpz2n7nvgr.onion/120C-CCC2-D140-0006-42BF

http://p27dokhpz2n7nvgr.tor2web.org/120C-CCC2-D140-0006-42BF

http://p27dokhpz2n7nvgr.onion.link/120C-CCC2-D140-0006-42BF

http://p27dokhpz2n7nvgr.onion.nu/120C-CCC2-D140-0006-42BF

http://p27dokhpz2n7nvgr.onion.cab/120C-CCC2-D140-0006-42BF

http://p27dokhpz2n7nvgr.onion.to/120C-CCC2-D140-0006-42BF

Targets

    • Target

      a73d7acb96ac7fa41ab009baaa19f7c0b9c818d395f24ea66734aa7406fd37fd.exe

    • Size

      263KB

    • MD5

      0b6b9e4676a713e7c226801b5fc87315

    • SHA1

      167cf657d7b9e56ac4a43d326aa51ed8c5429fd3

    • SHA256

      a73d7acb96ac7fa41ab009baaa19f7c0b9c818d395f24ea66734aa7406fd37fd

    • SHA512

      2df8cec1fb9491aec3518218fc48871702f5a1f2207503f3ad9d9758fdc39729606c5b3d228cc53a813c9bceb8ff92638b6fac3787a0cf68e57f039df6c3c4f4

    • SSDEEP

      6144:SAsBZoikJTvZqKan+Jjj8tjsioCKZ9JqKvryubSquKeqpMM+Ir2:ZDN7a+l8tjsioPZ2Kv2JxZqpxhr2

    • Cerber

      Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.

    • Cerber family

    • Blocklisted process makes network request

    • Contacts a large number (1098) of remote hosts

      This may indicate a network scan to discover remotely running services.

    • Downloads MZ/PE file

    • Modifies Windows Firewall

    • Deletes itself

    • Drops startup file

    • Loads dropped DLL

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

    • Suspicious use of SetThreadContext

    • Target

      $PLUGINSDIR/System.dll

    • Size

      11KB

    • MD5

      b8992e497d57001ddf100f9c397fcef5

    • SHA1

      e26ddf101a2ec5027975d2909306457c6f61cfbd

    • SHA256

      98bcd1dd88642f4dd36a300c76ebb1ddfbbbc5bfc7e3b6d7435dc6d6e030c13b

    • SHA512

      8823b1904dccfaf031068102cb1def7958a057f49ff369f0e061f1b4db2090021aa620bb8442a2a6ac9355bb74ee54371dc2599c20dc723755a46ede81533a3c

    • SSDEEP

      192:PPtkumJX7zB22kGwfy0mtVgkCPOs81un:E702k5qpds8Qn

    Score

      8/10

    • Downloads MZ/PE file

    • Target

      gift.dll

    • Size

      63KB

    • MD5

      0f24042f66d3e5d89cc6e21068f765a9

    • SHA1

      8f27a5e556ab83ff5d35a58aa0e0dfd72bb78477

    • SHA256

      00e8df1c5ded11cc861ce46a553cd8c66828bb2ad51241bf6cd0e0d575bb5442

    • SHA512

      30464da8d18bd569fbbfaca7ce5a86eb89accd8f6c6939fc4af4ef3b67d13b57b1db6c77df213ffc19789bbbf86fac1e76c5805c191d34d06776d76217a21e7e

    • SSDEEP

      768:9Y6C4+O8N1d/siAAKVhlKs9Zf6c9AJNMPWgitvP5DWOuDyuajZ+xwfgOp/KhO:eL4+LvdAznr368KNM7itvhDoA+Mp/K

    Score

      8/10

    • Downloads MZ/PE file
