Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
45s -
max time network
51s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
08/03/2025, 23:03
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
cerber.exe
Resource
win7-20240903-en
windows7-x64
22 signatures
150 seconds
Behavioral task
behavioral2
Sample
cerber.exe
Resource
win10v2004-20250217-en
windows10-2004-x64
20 signatures
150 seconds
General
-
Target
cerber.exe
-
Size
604KB
-
MD5
8b6bc16fd137c09a08b02bbe1bb7d670
-
SHA1
c69a0f6c6f809c01db92ca658fcf1b643391a2b7
-
SHA256
e67834d1e8b38ec5864cfa101b140aeaba8f1900a6e269e6a94c90fcbfe56678
-
SHA512
b53d2cc0fe5fa52262ace9f6e6ea3f5ce84935009822a3394bfe49c4d15dfeaa96bfe10ce77ffa93dbf81e5428122aa739a94bc709f203bc346597004fd75a24
-
SSDEEP
6144:yYghlI5/u8f1mr+4RJ99MpDa52RX5wRDhOOU0qsR:yYKlYmDXEpDHRXP01
Malware Config
Extracted
Path
C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___OCHF3JSV_.txt
Family
cerber
Ransom Note
CERBER RANSOMWARE
-----
YOUR DOCUMENTS, PH0TOS, DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED!
-----
The only way to decrypt y0ur files is to receive the private key and decryption program.
To receive the private key and decryption program go to any decrypted folder,
inside there is the special file (*_READ_THIS_FILE_*) with complete instructions
how to decrypt your files.
If you cannot find any (*_READ_THIS_FILE_*) file at your PC, follow the instructions below:
-----
1. Download "Tor Browser" from https://www.torproject.org/ and install it.
2. In the "Tor Browser" open your personal page here:
http://p27dokhpz2n7nvgr.onion/D370-B738-F826-0446-936E
Note! This page is available via "Tor Browser" only.
-----
Also you can use temporary addresses on your personal page without using "Tor Browser".
-----
1. http://p27dokhpz2n7nvgr.12hygy.top/D370-B738-F826-0446-936E
2. http://p27dokhpz2n7nvgr.14ewqv.top/D370-B738-F826-0446-936E
3. http://p27dokhpz2n7nvgr.14vvrc.top/D370-B738-F826-0446-936E
4. http://p27dokhpz2n7nvgr.129p1t.top/D370-B738-F826-0446-936E
5. http://p27dokhpz2n7nvgr.1apgrn.top/D370-B738-F826-0446-936E
-----
Note! These are temporary addresses! They will be available for a limited amount of time!
-----
URLs
http://p27dokhpz2n7nvgr.onion/D370-B738-F826-0446-936E
http://p27dokhpz2n7nvgr.12hygy.top/D370-B738-F826-0446-936E
http://p27dokhpz2n7nvgr.14ewqv.top/D370-B738-F826-0446-936E
http://p27dokhpz2n7nvgr.14vvrc.top/D370-B738-F826-0446-936E
http://p27dokhpz2n7nvgr.129p1t.top/D370-B738-F826-0446-936E
http://p27dokhpz2n7nvgr.1apgrn.top/D370-B738-F826-0446-936E
Signatures
-
Cerber
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
-
Cerber family
-
Blocklisted process makes network request 5 IoCs
flow pid Process 2181 2320 mshta.exe 2184 2320 mshta.exe 2186 2320 mshta.exe 2188 2320 mshta.exe 2190 2320 mshta.exe -
Contacts a large (1098) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Modifies Windows Firewall 2 TTPs 2 IoCs
pid Process 2788 netsh.exe 2696 netsh.exe -
Deletes itself 1 IoCs
pid Process 2212 cmd.exe -
Drops startup file 1 IoCs
description ioc Process File opened for modification \??\c:\users\admin\appdata\roaming\microsoft\word\startup\ cerber.exe -
Drops file in System32 directory 38 IoCs
description ioc Process File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\office cerber.exe File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\steam cerber.exe File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\the bat! cerber.exe File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\thunderbird cerber.exe File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft sql server cerber.exe File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft sql server cerber.exe File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\thunderbird cerber.exe File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\word cerber.exe File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\microsoft sql server cerber.exe File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\microsoft sql server cerber.exe File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\office cerber.exe File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\outlook cerber.exe File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\bitcoin cerber.exe File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\office cerber.exe File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\documents cerber.exe File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\excel cerber.exe File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\excel cerber.exe File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\excel cerber.exe File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\outlook cerber.exe File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\word cerber.exe File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\onenote cerber.exe File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\powerpoint cerber.exe File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\steam cerber.exe File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\word cerber.exe File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\desktop cerber.exe File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\bitcoin cerber.exe File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\word cerber.exe File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\onenote cerber.exe File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\outlook cerber.exe File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\excel cerber.exe File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\onenote cerber.exe File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\office cerber.exe File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\outlook cerber.exe File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\powerpoint cerber.exe File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\the bat! cerber.exe File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\onenote cerber.exe File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\powerpoint cerber.exe File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\powerpoint cerber.exe -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp75FB.bmp" cerber.exe -
Drops file in Program Files directory 20 IoCs
description ioc Process File opened for modification \??\c:\program files (x86)\outlook cerber.exe File opened for modification \??\c:\program files (x86)\word cerber.exe File opened for modification \??\c:\program files (x86)\ cerber.exe File opened for modification \??\c:\program files (x86)\bitcoin cerber.exe File opened for modification \??\c:\program files (x86)\microsoft\office cerber.exe File opened for modification \??\c:\program files (x86)\microsoft\onenote cerber.exe File opened for modification \??\c:\program files (x86)\microsoft\powerpoint cerber.exe File opened for modification \??\c:\program files\ cerber.exe File opened for modification \??\c:\program files (x86)\excel cerber.exe File opened for modification \??\c:\program files (x86)\microsoft\excel cerber.exe File opened for modification \??\c:\program files (x86)\powerpoint cerber.exe File opened for modification \??\c:\program files (x86)\microsoft sql server cerber.exe File opened for modification \??\c:\program files (x86)\microsoft\outlook cerber.exe File opened for modification \??\c:\program files (x86)\onenote cerber.exe File opened for modification \??\c:\program files (x86)\steam cerber.exe File opened for modification \??\c:\program files (x86)\the bat! cerber.exe File opened for modification \??\c:\program files (x86)\thunderbird cerber.exe File opened for modification \??\c:\program files (x86)\microsoft\microsoft sql server cerber.exe File opened for modification \??\c:\program files (x86)\microsoft\word cerber.exe File opened for modification \??\c:\program files (x86)\office cerber.exe -
Drops file in Windows directory 64 IoCs
description ioc Process File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\office cerber.exe File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\office cerber.exe File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\word cerber.exe File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\outlook cerber.exe File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\local\the bat! cerber.exe File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\outlook cerber.exe File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\outlook cerber.exe File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\the bat! cerber.exe File opened for modification \??\c:\windows\serviceprofiles\networkservice\desktop cerber.exe File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft sql server cerber.exe File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft sql server cerber.exe File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\powerpoint cerber.exe File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\outlook cerber.exe File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\local\outlook cerber.exe File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\steam cerber.exe File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\outlook cerber.exe File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\powerpoint cerber.exe File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\word cerber.exe File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\office cerber.exe File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\local\the bat! cerber.exe File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\local\onenote cerber.exe File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\local\bitcoin cerber.exe File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\office cerber.exe File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\local\thunderbird cerber.exe File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\excel cerber.exe File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\microsoft sql server cerber.exe File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\local\onenote cerber.exe File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\local\powerpoint cerber.exe File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\local\powerpoint cerber.exe File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\steam cerber.exe File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\word cerber.exe File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\word cerber.exe File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\local\excel cerber.exe File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\outlook cerber.exe File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\local\office cerber.exe File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\local\outlook cerber.exe File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\powerpoint cerber.exe File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\local\steam cerber.exe File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\local\bitcoin cerber.exe File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\office cerber.exe File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\thunderbird cerber.exe File opened for modification \??\c:\windows\serviceprofiles\localservice\documents cerber.exe File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\excel cerber.exe File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\microsoft sql server cerber.exe File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\local\office cerber.exe File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\onenote cerber.exe File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\powerpoint cerber.exe File opened for modification \??\c:\windows\serviceprofiles\localservice\desktop cerber.exe File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\excel cerber.exe File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\office cerber.exe File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\onenote cerber.exe File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\bitcoin cerber.exe File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\microsoft sql server cerber.exe File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\powerpoint cerber.exe File opened for modification \??\c:\windows\ cerber.exe File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\onenote cerber.exe File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\thunderbird cerber.exe File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\local\word cerber.exe File opened for modification \??\c:\windows\serviceprofiles\networkservice\documents cerber.exe File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\onenote cerber.exe File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\excel cerber.exe File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft sql server cerber.exe File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\microsoft sql server cerber.exe File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\powerpoint cerber.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe -
System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mshta.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language NOTEPAD.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cerber.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 1604 PING.EXE -
Kills process with taskkill 1 IoCs
pid Process 1216 taskkill.exe -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main mshta.exe -
Opens file in notepad (likely ransom note) 1 IoCs
pid Process 2392 NOTEPAD.EXE -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 1604 PING.EXE -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeShutdownPrivilege 2780 cerber.exe Token: SeDebugPrivilege 1216 taskkill.exe -
Suspicious use of UnmapMainImage 1 IoCs
pid Process 2780 cerber.exe -
Suspicious use of WriteProcessMemory 28 IoCs
description pid Process procid_target PID 2780 wrote to memory of 2696 2780 cerber.exe 30 PID 2780 wrote to memory of 2696 2780 cerber.exe 30 PID 2780 wrote to memory of 2696 2780 cerber.exe 30 PID 2780 wrote to memory of 2696 2780 cerber.exe 30 PID 2780 wrote to memory of 2788 2780 cerber.exe 32 PID 2780 wrote to memory of 2788 2780 cerber.exe 32 PID 2780 wrote to memory of 2788 2780 cerber.exe 32 PID 2780 wrote to memory of 2788 2780 cerber.exe 32 PID 2780 wrote to memory of 2320 2780 cerber.exe 35 PID 2780 wrote to memory of 2320 2780 cerber.exe 35 PID 2780 wrote to memory of 2320 2780 cerber.exe 35 PID 2780 wrote to memory of 2320 2780 cerber.exe 35 PID 2780 wrote to memory of 2392 2780 cerber.exe 36 PID 2780 wrote to memory of 2392 2780 cerber.exe 36 PID 2780 wrote to memory of 2392 2780 cerber.exe 36 PID 2780 wrote to memory of 2392 2780 cerber.exe 36 PID 2780 wrote to memory of 2212 2780 cerber.exe 37 PID 2780 wrote to memory of 2212 2780 cerber.exe 37 PID 2780 wrote to memory of 2212 2780 cerber.exe 37 PID 2780 wrote to memory of 2212 2780 cerber.exe 37 PID 2212 wrote to memory of 1216 2212 cmd.exe 39 PID 2212 wrote to memory of 1216 2212 cmd.exe 39 PID 2212 wrote to memory of 1216 2212 cmd.exe 39 PID 2212 wrote to memory of 1216 2212 cmd.exe 39 PID 2212 wrote to memory of 1604 2212 cmd.exe 41 PID 2212 wrote to memory of 1604 2212 cmd.exe 41 PID 2212 wrote to memory of 1604 2212 cmd.exe 41 PID 2212 wrote to memory of 1604 2212 cmd.exe 41
Processes
-
C:\Users\Admin\AppData\Local\Temp\cerber.exe"C:\Users\Admin\AppData\Local\Temp\cerber.exe"1⤵
- Drops startup file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2780 -
C:\Windows\SysWOW64\netsh.exeC:\Windows\system32\netsh.exe advfirewall set allprofiles state on2⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:2696
-
-
C:\Windows\SysWOW64\netsh.exeC:\Windows\system32\netsh.exe advfirewall reset2⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:2788
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___KC9NG_.hta"2⤵
- Blocklisted process makes network request
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
PID:2320
-
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___OCHF3JSV_.txt2⤵
- System Location Discovery: System Language Discovery
- Opens file in notepad (likely ransom note)
PID:2392
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe"2⤵
- Deletes itself
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2212 -
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im "cerber.exe"3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1216
-
-
C:\Windows\SysWOW64\PING.EXEping -n 1 127.0.0.13⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1604
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Defense Evasion
Impair Defenses
1Disable or Modify System Firewall
1Modify Registry
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
71KB
MD583142242e97b8953c386f988aa694e4a
SHA1833ed12fc15b356136dcdd27c61a50f59c5c7d50
SHA256d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755
SHA512bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10
-
Filesize
183KB
MD5109cab5505f5e065b63d01361467a83b
SHA14ed78955b9272a9ed689b51bf2bf4a86a25e53fc
SHA256ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673
SHA512753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc
-
Filesize
75KB
MD5b5521e89ef2b08d6bfdf9f0babe346d3
SHA1331ef4de038cb06ec4de1edc8b9ddd323eae7617
SHA25695f0ec6f3159a6142b356d5e3d7fb83518f1a5ba99209643ee5dbd91f3fc432f
SHA512daf2677fae36dc76d08949cff37b2b56a8932968cfa571b96d0d488cb27900be22797013edcc0c1cdb4ee1a9baa2051a5cd76fde0bd71d2f29d0e9ca28e6d1b0
-
Filesize
1KB
MD5ddf5636a3f9ee8e7415a75d38bfc18d2
SHA1a33d443ed3daf4ad340136471dcdc61c18bf2458
SHA2560c6128b5a6359d769e89254449eaede310f90a47bf350a88fe385f51f05e0644
SHA512b877136a866a6c7fe2dbe7c8db0e60236b60a34ffe567ef391092814e8dd9b288d07d00090ab4737dc482f31728e624168a1e6daf3f77664e123bd46dd791ea0