cerber | 67ffa1359e24ff0e26a960a0efe58fd0b218aff60bd6feeaadf7570466064821

Analysis

max time kernel
122s
max time network
137s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
28/02/2025, 17:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-02-28_5ddee36b4e3482ac77fbf39f70911fa4_spora.exe
Size

250KB
MD5

5ddee36b4e3482ac77fbf39f70911fa4
SHA1

91305f4634b5334728314068f963d28fce4bc648
SHA256

67ffa1359e24ff0e26a960a0efe58fd0b218aff60bd6feeaadf7570466064821
SHA512

858de253cbdf3a64a7c5f56cdf4aca8cdcae60d8dcd0fd802998335117bd97f33bc31cf50da9ef62995ef9d60f7fb8e7f6e5ffbb8c4f9a75beb11e28e7f4c8bb
SSDEEP

6144:iDkdqLBjoa+n8XyI2LPboxczPJSL0pvsdvOnxrZ5ZvdUGB8ZoBAk+Q:iDkdqm3xI+bo6jAndvOxrDNa07dh

Score

10^/10

cerber defense_evasion discovery persistence privilege_escalation ransomware

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\_READ_THI$_FILE_2RH0_.txt

Ransom Note

CERBER RAN$OMWARE --- YOUR DOCUMENTS, PHOTOS, DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED! --- The only way to decrypt your files is to receive the private key and decryption program. To receive the private key and decryption program go to any decrypted folder, inside there is the special file (*_READ_THIS_FILE_*) with complete instructions how to decrypt your files. If you cannot find any (*_READ_THIS_FILE_*) file at your PC, follow the instructions below: --- 1. Download "Tor Browser" from https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your personal page here: http://hjhqmbxyinislkkt.onion/DCA1-288A-2518-0502-02AA Note! This page is available via "Tor Browser" only. --- Also you can use temporary addresses on your personal page without using "Tor Browser". --- 1. http://hjhqmbxyinislkkt.1fy93v.top/DCA1-288A-2518-0502-02AA 2. http://hjhqmbxyinislkkt.13kn4l.top/DCA1-288A-2518-0502-02AA 3. http://hjhqmbxyinislkkt.14klmz.top/DCA1-288A-2518-0502-02AA 4. http://hjhqmbxyinislkkt.13eymq.top/DCA1-288A-2518-0502-02AA 5. http://hjhqmbxyinislkkt.1eeyaj.top/DCA1-288A-2518-0502-02AA --- Note! These are temporary addresses! They will be available for a limited amount of time!

URLs

http://hjhqmbxyinislkkt.onion/DCA1-288A-2518-0502-02AA

http://hjhqmbxyinislkkt.1fy93v.top/DCA1-288A-2518-0502-02AA

http://hjhqmbxyinislkkt.13kn4l.top/DCA1-288A-2518-0502-02AA

http://hjhqmbxyinislkkt.14klmz.top/DCA1-288A-2518-0502-02AA

http://hjhqmbxyinislkkt.13eymq.top/DCA1-288A-2518-0502-02AA

http://hjhqmbxyinislkkt.1eeyaj.top/DCA1-288A-2518-0502-02AA

Signatures

Cerber
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
ransomware cerber
Cerber family
cerber

Blocklisted process makes network request 1 IoCs

flow	pid	Process
2181	2948	mshta.exe

Contacts a large (1090) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Modifies Windows Firewall 2 TTPs 2 IoCs

defense_evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2476	netsh.exe
2388	netsh.exe

Deletes itself 1 IoCs

pid	Process
612	cmd.exe

Drops startup file 1 IoCs

description	ioc	Process
File opened for modification	\??\c:\users\admin\appdata\roaming\microsoft\word\startup\	2025-02-28_5ddee36b4e3482ac77fbf39f70911fa4_spora.exe

Drops file in System32 directory 38 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft sql server	2025-02-28_5ddee36b4e3482ac77fbf39f70911fa4_spora.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\powerpoint	2025-02-28_5ddee36b4e3482ac77fbf39f70911fa4_spora.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\excel	2025-02-28_5ddee36b4e3482ac77fbf39f70911fa4_spora.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\microsoft sql server	2025-02-28_5ddee36b4e3482ac77fbf39f70911fa4_spora.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\microsoft sql server	2025-02-28_5ddee36b4e3482ac77fbf39f70911fa4_spora.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\outlook	2025-02-28_5ddee36b4e3482ac77fbf39f70911fa4_spora.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\thunderbird	2025-02-28_5ddee36b4e3482ac77fbf39f70911fa4_spora.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\powerpoint	2025-02-28_5ddee36b4e3482ac77fbf39f70911fa4_spora.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\onenote	2025-02-28_5ddee36b4e3482ac77fbf39f70911fa4_spora.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\steam	2025-02-28_5ddee36b4e3482ac77fbf39f70911fa4_spora.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\steam	2025-02-28_5ddee36b4e3482ac77fbf39f70911fa4_spora.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\the bat!	2025-02-28_5ddee36b4e3482ac77fbf39f70911fa4_spora.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\onenote	2025-02-28_5ddee36b4e3482ac77fbf39f70911fa4_spora.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\onenote	2025-02-28_5ddee36b4e3482ac77fbf39f70911fa4_spora.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\bitcoin	2025-02-28_5ddee36b4e3482ac77fbf39f70911fa4_spora.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\powerpoint	2025-02-28_5ddee36b4e3482ac77fbf39f70911fa4_spora.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\word	2025-02-28_5ddee36b4e3482ac77fbf39f70911fa4_spora.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\thunderbird	2025-02-28_5ddee36b4e3482ac77fbf39f70911fa4_spora.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\word	2025-02-28_5ddee36b4e3482ac77fbf39f70911fa4_spora.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\office	2025-02-28_5ddee36b4e3482ac77fbf39f70911fa4_spora.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\onenote	2025-02-28_5ddee36b4e3482ac77fbf39f70911fa4_spora.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\outlook	2025-02-28_5ddee36b4e3482ac77fbf39f70911fa4_spora.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\powerpoint	2025-02-28_5ddee36b4e3482ac77fbf39f70911fa4_spora.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\desktop	2025-02-28_5ddee36b4e3482ac77fbf39f70911fa4_spora.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\bitcoin	2025-02-28_5ddee36b4e3482ac77fbf39f70911fa4_spora.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\excel	2025-02-28_5ddee36b4e3482ac77fbf39f70911fa4_spora.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\office	2025-02-28_5ddee36b4e3482ac77fbf39f70911fa4_spora.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\outlook	2025-02-28_5ddee36b4e3482ac77fbf39f70911fa4_spora.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\excel	2025-02-28_5ddee36b4e3482ac77fbf39f70911fa4_spora.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\excel	2025-02-28_5ddee36b4e3482ac77fbf39f70911fa4_spora.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\office	2025-02-28_5ddee36b4e3482ac77fbf39f70911fa4_spora.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\outlook	2025-02-28_5ddee36b4e3482ac77fbf39f70911fa4_spora.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\word	2025-02-28_5ddee36b4e3482ac77fbf39f70911fa4_spora.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\office	2025-02-28_5ddee36b4e3482ac77fbf39f70911fa4_spora.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\the bat!	2025-02-28_5ddee36b4e3482ac77fbf39f70911fa4_spora.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\word	2025-02-28_5ddee36b4e3482ac77fbf39f70911fa4_spora.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft sql server	2025-02-28_5ddee36b4e3482ac77fbf39f70911fa4_spora.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\documents	2025-02-28_5ddee36b4e3482ac77fbf39f70911fa4_spora.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmpBBD0.bmp"	2025-02-28_5ddee36b4e3482ac77fbf39f70911fa4_spora.exe

Drops file in Program Files directory 20 IoCs

description	ioc	Process
File opened for modification	\??\c:\program files\	2025-02-28_5ddee36b4e3482ac77fbf39f70911fa4_spora.exe
File opened for modification	\??\c:\program files (x86)\excel	2025-02-28_5ddee36b4e3482ac77fbf39f70911fa4_spora.exe
File opened for modification	\??\c:\program files (x86)\microsoft\excel	2025-02-28_5ddee36b4e3482ac77fbf39f70911fa4_spora.exe
File opened for modification	\??\c:\program files (x86)\microsoft\powerpoint	2025-02-28_5ddee36b4e3482ac77fbf39f70911fa4_spora.exe
File opened for modification	\??\c:\program files (x86)\steam	2025-02-28_5ddee36b4e3482ac77fbf39f70911fa4_spora.exe
File opened for modification	\??\c:\program files (x86)\	2025-02-28_5ddee36b4e3482ac77fbf39f70911fa4_spora.exe
File opened for modification	\??\c:\program files (x86)\microsoft sql server	2025-02-28_5ddee36b4e3482ac77fbf39f70911fa4_spora.exe
File opened for modification	\??\c:\program files (x86)\microsoft\microsoft sql server	2025-02-28_5ddee36b4e3482ac77fbf39f70911fa4_spora.exe
File opened for modification	\??\c:\program files (x86)\microsoft\word	2025-02-28_5ddee36b4e3482ac77fbf39f70911fa4_spora.exe
File opened for modification	\??\c:\program files (x86)\office	2025-02-28_5ddee36b4e3482ac77fbf39f70911fa4_spora.exe
File opened for modification	\??\c:\program files (x86)\outlook	2025-02-28_5ddee36b4e3482ac77fbf39f70911fa4_spora.exe
File opened for modification	\??\c:\program files (x86)\bitcoin	2025-02-28_5ddee36b4e3482ac77fbf39f70911fa4_spora.exe
File opened for modification	\??\c:\program files (x86)\powerpoint	2025-02-28_5ddee36b4e3482ac77fbf39f70911fa4_spora.exe
File opened for modification	\??\c:\program files (x86)\the bat!	2025-02-28_5ddee36b4e3482ac77fbf39f70911fa4_spora.exe
File opened for modification	\??\c:\program files (x86)\onenote	2025-02-28_5ddee36b4e3482ac77fbf39f70911fa4_spora.exe
File opened for modification	\??\c:\program files (x86)\microsoft\office	2025-02-28_5ddee36b4e3482ac77fbf39f70911fa4_spora.exe
File opened for modification	\??\c:\program files (x86)\microsoft\onenote	2025-02-28_5ddee36b4e3482ac77fbf39f70911fa4_spora.exe
File opened for modification	\??\c:\program files (x86)\microsoft\outlook	2025-02-28_5ddee36b4e3482ac77fbf39f70911fa4_spora.exe
File opened for modification	\??\c:\program files (x86)\thunderbird	2025-02-28_5ddee36b4e3482ac77fbf39f70911fa4_spora.exe
File opened for modification	\??\c:\program files (x86)\word	2025-02-28_5ddee36b4e3482ac77fbf39f70911fa4_spora.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\	2025-02-28_5ddee36b4e3482ac77fbf39f70911fa4_spora.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\bitcoin	2025-02-28_5ddee36b4e3482ac77fbf39f70911fa4_spora.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\excel	2025-02-28_5ddee36b4e3482ac77fbf39f70911fa4_spora.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\excel	2025-02-28_5ddee36b4e3482ac77fbf39f70911fa4_spora.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\word	2025-02-28_5ddee36b4e3482ac77fbf39f70911fa4_spora.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft sql server	2025-02-28_5ddee36b4e3482ac77fbf39f70911fa4_spora.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\onenote	2025-02-28_5ddee36b4e3482ac77fbf39f70911fa4_spora.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\powerpoint	2025-02-28_5ddee36b4e3482ac77fbf39f70911fa4_spora.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\powerpoint	2025-02-28_5ddee36b4e3482ac77fbf39f70911fa4_spora.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\onenote	2025-02-28_5ddee36b4e3482ac77fbf39f70911fa4_spora.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\steam	2025-02-28_5ddee36b4e3482ac77fbf39f70911fa4_spora.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\desktop	2025-02-28_5ddee36b4e3482ac77fbf39f70911fa4_spora.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\excel	2025-02-28_5ddee36b4e3482ac77fbf39f70911fa4_spora.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\excel	2025-02-28_5ddee36b4e3482ac77fbf39f70911fa4_spora.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\powerpoint	2025-02-28_5ddee36b4e3482ac77fbf39f70911fa4_spora.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\word	2025-02-28_5ddee36b4e3482ac77fbf39f70911fa4_spora.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\onenote	2025-02-28_5ddee36b4e3482ac77fbf39f70911fa4_spora.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\outlook	2025-02-28_5ddee36b4e3482ac77fbf39f70911fa4_spora.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\bitcoin	2025-02-28_5ddee36b4e3482ac77fbf39f70911fa4_spora.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\office	2025-02-28_5ddee36b4e3482ac77fbf39f70911fa4_spora.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\office	2025-02-28_5ddee36b4e3482ac77fbf39f70911fa4_spora.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\bitcoin	2025-02-28_5ddee36b4e3482ac77fbf39f70911fa4_spora.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\excel	2025-02-28_5ddee36b4e3482ac77fbf39f70911fa4_spora.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\microsoft sql server	2025-02-28_5ddee36b4e3482ac77fbf39f70911fa4_spora.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\powerpoint	2025-02-28_5ddee36b4e3482ac77fbf39f70911fa4_spora.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\office	2025-02-28_5ddee36b4e3482ac77fbf39f70911fa4_spora.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\office	2025-02-28_5ddee36b4e3482ac77fbf39f70911fa4_spora.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\the bat!	2025-02-28_5ddee36b4e3482ac77fbf39f70911fa4_spora.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft sql server	2025-02-28_5ddee36b4e3482ac77fbf39f70911fa4_spora.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\thunderbird	2025-02-28_5ddee36b4e3482ac77fbf39f70911fa4_spora.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\excel	2025-02-28_5ddee36b4e3482ac77fbf39f70911fa4_spora.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\microsoft sql server	2025-02-28_5ddee36b4e3482ac77fbf39f70911fa4_spora.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\outlook	2025-02-28_5ddee36b4e3482ac77fbf39f70911fa4_spora.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\office	2025-02-28_5ddee36b4e3482ac77fbf39f70911fa4_spora.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\powerpoint	2025-02-28_5ddee36b4e3482ac77fbf39f70911fa4_spora.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\desktop	2025-02-28_5ddee36b4e3482ac77fbf39f70911fa4_spora.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft sql server	2025-02-28_5ddee36b4e3482ac77fbf39f70911fa4_spora.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\onenote	2025-02-28_5ddee36b4e3482ac77fbf39f70911fa4_spora.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\onenote	2025-02-28_5ddee36b4e3482ac77fbf39f70911fa4_spora.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\powerpoint	2025-02-28_5ddee36b4e3482ac77fbf39f70911fa4_spora.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\steam	2025-02-28_5ddee36b4e3482ac77fbf39f70911fa4_spora.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\the bat!	2025-02-28_5ddee36b4e3482ac77fbf39f70911fa4_spora.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\thunderbird	2025-02-28_5ddee36b4e3482ac77fbf39f70911fa4_spora.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\word	2025-02-28_5ddee36b4e3482ac77fbf39f70911fa4_spora.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\outlook	2025-02-28_5ddee36b4e3482ac77fbf39f70911fa4_spora.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\steam	2025-02-28_5ddee36b4e3482ac77fbf39f70911fa4_spora.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\the bat!	2025-02-28_5ddee36b4e3482ac77fbf39f70911fa4_spora.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\microsoft sql server	2025-02-28_5ddee36b4e3482ac77fbf39f70911fa4_spora.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\office	2025-02-28_5ddee36b4e3482ac77fbf39f70911fa4_spora.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\outlook	2025-02-28_5ddee36b4e3482ac77fbf39f70911fa4_spora.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\office	2025-02-28_5ddee36b4e3482ac77fbf39f70911fa4_spora.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\powerpoint	2025-02-28_5ddee36b4e3482ac77fbf39f70911fa4_spora.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\thunderbird	2025-02-28_5ddee36b4e3482ac77fbf39f70911fa4_spora.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\documents	2025-02-28_5ddee36b4e3482ac77fbf39f70911fa4_spora.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\excel	2025-02-28_5ddee36b4e3482ac77fbf39f70911fa4_spora.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\documents	2025-02-28_5ddee36b4e3482ac77fbf39f70911fa4_spora.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\microsoft sql server	2025-02-28_5ddee36b4e3482ac77fbf39f70911fa4_spora.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\onenote	2025-02-28_5ddee36b4e3482ac77fbf39f70911fa4_spora.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\word	2025-02-28_5ddee36b4e3482ac77fbf39f70911fa4_spora.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\word	2025-02-28_5ddee36b4e3482ac77fbf39f70911fa4_spora.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\outlook	2025-02-28_5ddee36b4e3482ac77fbf39f70911fa4_spora.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\outlook	2025-02-28_5ddee36b4e3482ac77fbf39f70911fa4_spora.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\powerpoint	2025-02-28_5ddee36b4e3482ac77fbf39f70911fa4_spora.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\the bat!	2025-02-28_5ddee36b4e3482ac77fbf39f70911fa4_spora.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-02-28_5ddee36b4e3482ac77fbf39f70911fa4_spora.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2992	PING.EXE

Kills process with taskkill 1 IoCs

defense_evasion

pid	Process
2692	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2992	PING.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2372	2025-02-28_5ddee36b4e3482ac77fbf39f70911fa4_spora.exe
Token: SeDebugPrivilege	2692	taskkill.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2580	DllHost.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2580	DllHost.exe
2580	DllHost.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2372 wrote to memory of 2476	2372	2025-02-28_5ddee36b4e3482ac77fbf39f70911fa4_spora.exe	30
PID 2372 wrote to memory of 2476	2372	2025-02-28_5ddee36b4e3482ac77fbf39f70911fa4_spora.exe	30
PID 2372 wrote to memory of 2476	2372	2025-02-28_5ddee36b4e3482ac77fbf39f70911fa4_spora.exe	30
PID 2372 wrote to memory of 2476	2372	2025-02-28_5ddee36b4e3482ac77fbf39f70911fa4_spora.exe	30
PID 2372 wrote to memory of 2388	2372	2025-02-28_5ddee36b4e3482ac77fbf39f70911fa4_spora.exe	32
PID 2372 wrote to memory of 2388	2372	2025-02-28_5ddee36b4e3482ac77fbf39f70911fa4_spora.exe	32
PID 2372 wrote to memory of 2388	2372	2025-02-28_5ddee36b4e3482ac77fbf39f70911fa4_spora.exe	32
PID 2372 wrote to memory of 2388	2372	2025-02-28_5ddee36b4e3482ac77fbf39f70911fa4_spora.exe	32
PID 2372 wrote to memory of 2948	2372	2025-02-28_5ddee36b4e3482ac77fbf39f70911fa4_spora.exe	36
PID 2372 wrote to memory of 2948	2372	2025-02-28_5ddee36b4e3482ac77fbf39f70911fa4_spora.exe	36
PID 2372 wrote to memory of 2948	2372	2025-02-28_5ddee36b4e3482ac77fbf39f70911fa4_spora.exe	36
PID 2372 wrote to memory of 2948	2372	2025-02-28_5ddee36b4e3482ac77fbf39f70911fa4_spora.exe	36
PID 2372 wrote to memory of 2568	2372	2025-02-28_5ddee36b4e3482ac77fbf39f70911fa4_spora.exe	37
PID 2372 wrote to memory of 2568	2372	2025-02-28_5ddee36b4e3482ac77fbf39f70911fa4_spora.exe	37
PID 2372 wrote to memory of 2568	2372	2025-02-28_5ddee36b4e3482ac77fbf39f70911fa4_spora.exe	37
PID 2372 wrote to memory of 2568	2372	2025-02-28_5ddee36b4e3482ac77fbf39f70911fa4_spora.exe	37
PID 2372 wrote to memory of 612	2372	2025-02-28_5ddee36b4e3482ac77fbf39f70911fa4_spora.exe	41
PID 2372 wrote to memory of 612	2372	2025-02-28_5ddee36b4e3482ac77fbf39f70911fa4_spora.exe	41
PID 2372 wrote to memory of 612	2372	2025-02-28_5ddee36b4e3482ac77fbf39f70911fa4_spora.exe	41
PID 2372 wrote to memory of 612	2372	2025-02-28_5ddee36b4e3482ac77fbf39f70911fa4_spora.exe	41
PID 612 wrote to memory of 2692	612	cmd.exe	43
PID 612 wrote to memory of 2692	612	cmd.exe	43
PID 612 wrote to memory of 2692	612	cmd.exe	43
PID 612 wrote to memory of 2692	612	cmd.exe	43
PID 612 wrote to memory of 2992	612	cmd.exe	45
PID 612 wrote to memory of 2992	612	cmd.exe	45
PID 612 wrote to memory of 2992	612	cmd.exe	45
PID 612 wrote to memory of 2992	612	cmd.exe	45

C:\Users\Admin\AppData\Local\Temp\2025-02-28_5ddee36b4e3482ac77fbf39f70911fa4_spora.exe
"C:\Users\Admin\AppData\Local\Temp\2025-02-28_5ddee36b4e3482ac77fbf39f70911fa4_spora.exe"
1⤵
- Drops startup file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2372
- C:\Windows\SysWOW64\netsh.exe
  C:\Windows\system32\netsh.exe advfirewall set allprofiles state on
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:2476
- C:\Windows\SysWOW64\netsh.exe
  C:\Windows\system32\netsh.exe advfirewall reset
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:2388
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\_READ_THI$_FILE_3MEPJRE_.hta"
  2⤵
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  PID:2948
- C:\Windows\SysWOW64\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_READ_THI$_FILE_2RH0_.txt
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2568
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:612
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "2025-02-28_5ddee36b4e3482ac77fbf39f70911fa4_spora.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2692
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 1 127.0.0.1
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2992

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2580

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
1⤵
- System Location Discovery: System Language Discovery
PID:352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Network Service Discovery

T1046

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\_READ_THI$_FILE_2RH0_.txt

Filesize
1KB

MD5
2f232eddb1a10b20fc69bdc9f2b4f8f4

SHA1
ba5d199787a84881741219ef5d621d49f64f41b0

SHA256
deafef6ec329ddf32450e3fe5d8ea7b95ef9fb190a60d1f6541692ded8e19083

SHA512
9bd6dbb79882530ceb749bc3de3b260082fb1c3fd1abd29a6d979029ebd678e980c37d98fafff48ffd07498e0ffa3559e29ef271103bc325ef36338b18bdbfa9

Download Submit
C:\Users\Admin\Desktop\_READ_THI$_FILE_32SMRLEJ_.jpeg

Filesize
150KB

MD5
001ed0880f86ecbe5b27acbaa1f3145e

SHA1
dfbf186947248c395f52a61dce91abad9f1555d8

SHA256
eeda99fbbf475541e0d3df9e7f103a342323926dfa7f060f444d60616426e3ee

SHA512
0bbc6f332c8ea39492d54ab5e6b5c5ce3f6abf573a187cbd5f282389193911d8c7f3d55a8deefac4ee936ad151b0e656e3ffe38442662212c0006029f59e53e3

Download Submit
C:\Users\Admin\Desktop\_READ_THI$_FILE_3MEPJRE_.hta

Filesize
75KB

MD5
b24564f67430aa2a5c10c001838be4ee

SHA1
167f84a66bcbdd666d9396361418c4b57ef20027

SHA256
95ce3903f1d1f0e419c185133e201275b40cfac85a7844c3dd37ccd0f1aaf628

SHA512
71061a7eb5bd4315045a36260eb7bd8059d89bae665f1d765f15de787c930c7898919d795c7756395e3d7b21b057ae4f6f200d03fe540e578462060062d82838

Download Submit
memory/2372-71-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2372-4-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2372-5-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2372-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2372-2-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2372-3-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2372-75-0x0000000003540000-0x0000000003542000-memory.dmp

Filesize
8KB

Download
memory/2372-1-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2372-98-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2580-76-0x00000000001A0000-0x00000000001A2000-memory.dmp

Filesize
8KB

Download
memory/2992-104-0x0000000077940000-0x0000000077A3A000-memory.dmp

Filesize
1000KB

Download
memory/2992-103-0x0000000077820000-0x000000007793F000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads