Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1522733
MD5: 88e6a85ea94ea57fd35704b9b6e67358
SHA1: 61711495e7f95376a0c2465e3cfa947d86383dc7
SHA256: df93b51dfce7f3f780fe6544a2db728672b9df4e76f2e61be21c87d6d782cce0
Tags: exe, user-jstrosch

Detection

Cerber
Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Cerber ransomware
AI detected suspicious sample
Deletes shadow drive data (may be related to ransomware)
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Detected potential crypto function
May use bcdedit to modify the Windows boot settings
One or more processes crash
PE file contains an invalid checksum
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: file.exe Avira: detected
Source: file.exe Malware Configuration Extractor: Cerber {"default": {"tor": "cerberhhyed5frqa", "site_1": "onion.to", "site_2": "onion.cab", "site_3": "onion.nu", "site_4": "onion.link", "site_5": "tor2web.org"}, "blacklist": {"countries": ["am", "az", "by", "ge", "kg", "kz", "md", "ru", "tm", "tj", "ua", "uz"], "files": ["bootsect.bak", "desktop.ini", "iconcache.db", "ntuser.dat", "thumbs.db", "wallet.dat"], "folders": [":\\$recycle.bin\\", ":\\$windows.~bt\\", ":\\boot\\", ":\\drivers\\", ":\\program files\\", ":\\program files (x86)\\", ":\\programdata\\", ":\\users\\all users\\", ":\\windows\\", ":\\windows.old\\", "\\appdata\\local\\", "\\appdata\\locallow\\", "\\appdata\\roaming\\adobe\\flash player\\", "\\appdata\\roaming\\ati\\", "\\appdata\\roaming\\google\\", "\\appdata\\roaming\\identities\\", "\\appdata\\roaming\\installshield\\", "\\appdata\\roaming\\intel\\", "\\appdata\\roaming\\macromedia\\flash player\\", "\\appdata\\roaming\\media center programs\\", "\\appdata\\roaming\\microsoft\\", "\\appdata\\roaming\\mozilla\\", "\\appdata\\roaming\\nvidia\\", "\\appdata\\roaming\\opera\\", "\\public\\music\\sample music\\", "\\public\\pictures\\sample pictures\\", "\\public\\videos\\sample videos\\", "\\tor browser\\"], "languages": [1049, 1058, 1059, 1064, 1067, 1068, 1079, 1087, 1088, 1090, 1091, 2072, 2073, 2092, 2115]}, "whitelist": {"folders": [":\\program files (x86)\\steam\\", "\\appdata\\roaming\\microsoft\\office\\", "\\appdata\\roaming\\microsoft\\outlook\\", "\\program files\\microsoft sql server\\"]}, "close_process": ["outlook.exe", "steam.exe", "thebat.exe", "thebat64.exe", "thunderbird.exe", "winword.exe"], "check": {"activity": 0, "country": 1, "language": 1, "vmware": 0, "av": 1}, "av_blacklist": ["Kaspersky Lab", "AVAST Software", "ESET", "Bitdefender", "Bitdefender Agent"], "debug": 0, "encrypt": {"files": [[".contact", ".dbx", ".doc", ".docx", ".jnt", ".jpg", ".mapimail", ".msg", ".oab", ".ods", ".pdf", ".pps", ".ppsm", ".ppt", ".pptm", 
".prf", ".pst", ".rar", ".rtf", ".txt", ".wab", ".xls", ".xlsx", ".xml", ".zip", ".1cd", ".3ds", ".3g2", ".3gp", ".7z", ".7zip", ".accdb", ".aoi", ".asf", ".asp", ".aspx", ".asx", ".avi", ".bak", ".cer", ".cfg", ".class", ".config", ".css", ".csv", ".db", ".dds", ".dwg", ".dxf", ".flf", ".flv", ".html", ".idx", ".js", ".key", ".kwm", ".laccdb", ".ldf", ".lit", ".m3u", ".mbx", ".md", ".mdf", ".mid", ".mlb", ".mov", ".mp3", ".mp4", ".mpg", ".obj", ".odt", ".pages", ".php", ".psd", ".pwm", ".rm", ".safe", ".sav", ".save", ".sql", ".srt", ".swf", ".thm", ".vob", ".wav", ".wma", ".wmv", ".xlsb", ".3dm", ".aac", ".ai", ".arw", ".c", ".cdr", ".cls", ".cpi", ".cpp", ".cs", ".db3", ".docm", ".dot", ".dotm", ".dotx", ".drw", ".dxb", ".eps", ".fla", ".flac", ".fxg", ".java", ".m", ".m4v", ".max", ".mdb", ".pcd", ".pct", ".pl", ".potm", ".potx", ".ppam", ".ppsm", ".ppsx", ".pptm", ".ps", ".pspimage", ".r3d", ".rw2", ".sldm", ".sldx", ".svg", ".tga", ".wps", ".xla", ".xlam", ".xlm", ".xlr", ".xlsm", ".xlt", ".xltm", ".xltx", ".xlw", ".act", ".adp",
Source: file.exe ReversingLabs: Detection: 97%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 90.8% probability
Source: file.exe Joe Sandbox ML: detected
Source: file.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Amcache.hve.3.dr String found in binary or memory: http://upx.sf.net

Spam, unwanted Advertisements and Ransom Demands

Source: Yara match File source: file.exe, type: SAMPLE
Source: file.exe, 00000000.00000000.1669255607.0000000000931000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: truerequestedExecutionLevelrequireAdministrator%s\%S"%s""%s\explorer.exe"SHCreateItemFromParsingNameshell32.dll*.execopywriteregnetstatftp.exefindattriblookupdiskwinlogonmsiexecresetlogoffnotepadnetshpingwinminetelnettaskroutentbackupmsheartsfreecellcmd.execalcspidersol.exeinstallsetupupdate\x*x.exeCERBER_CORE_PROTECTION_MUTEXshell.%sCERBER_EVALUATED_CORE_PROTECTION_EVENT"%s\%s"CERBER_BODY_PLACE\%sSeDebugPrivilegeStop reason: %sComponent_02%02x%02x%02x%02x%02x%02x%05xcerber%02X%02X%02X%02X%02X%02X%05X%03X%c%c%c%c-%c%c%c%c-%c%c%c%c-%c%c%c%c-%c%c%c%c\data len: %d, trash len: %d, overlay: %sopdefaulttorsite_%dserversstatisticstimeout%02x%[^/]%[/]%dipportSending stat %s, %sknockdata_startdata_finish{IS_ADMIN}%d{IS_X64}{COUNTRY}{PARTNER_ID}%05x{OS}%x{PC_ID}{STOP_REASON}{MD5_KEY}%02X%02X%02X%02X%02X%02X{COUNT_FILES}{SITE_{TOR}0checkavav_blacklistProgramFilesDir (x86)SOFTWARE\Microsoft\Windows\CurrentVersionProgramFilesDir%s\%s\kernel32.dllblacklistlanguagesGETip_geourlproperty_name--countriesC:\test\cerber_debug.txtdebugnetworkvmwarecountrylanguageactivitysend_stat321InstalledCOMSPEC/d /c taskkill /t /f /im "%s" > NUL & ping -n 1 127.0.0.1 > NUL & del "%s" > NUL%s\vssadmin.exedelete shadows /all /quiet%s\wbem\wmic.exeshadowcopy delete/set {default} recoveryenabled nobcdedit.exe/set {default} bootstatuspolicy ignoreallfailuresSOFTWARE\Microsoft\Windows\CurrentVersion\Policies\SystemEnableLUAwallpapertextsizeConsolasbackgroundcolor.bmpopenhelp_filesfiles_namefilesfile_extensionfile_body.vbs%S%S*%S*new_extensionfolderswhitelistSoftware\Microsoft\Windows\CurrentVersion\Policies\ExplorerNoDrives\??\*CERBER_KEY_PLACEPrinters\Defaults\%sIsWow64Processkernel32{%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}D:Papi-ms-win-\KnownDlls32\KnownDllstmp\VarFileInfo\TranslationFileDescription\StringFileInfo\%04x%04x\%s
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0092D49E 0_2_0092D49E
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0092F4B8 0_2_0092F4B8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_009288BC 0_2_009288BC
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_009309C8 0_2_009309C8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0092D54C 0_2_0092D54C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0092F16E 0_2_0092F16E
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00927B3F 0_2_00927B3F
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6704 -s 520
Source: classification engine Classification label: mal88.rans.evad.winEXE@2/5@0/0
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6704
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\91547f3a-71cc-4153-934c-7dd0680be7bb
Source: file.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: mpr.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: samcli.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: netutils.dll
Source: file.exe Static PE information: real checksum: 0x64 should be: 0x286da
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_009309B7 push ecx; ret 0_2_009309C7
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: file.exe Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: file.exe Binary or memory string: FCERBERSBIEDLL.DLLDIR_WATCH.DLLAPI_LOG.DLLTEST_ITEM.EXEDBGHELP.DLLFRZ_STATEC:\POPUPKILLER.EXEC:\STIMULATOR.EXEC:\TOOLS\EXECUTE.EXE\SAND-BOX\\CWSANDBOX\\SANDBOX\\\.\NPF_NDISWANIP\\.\CV2K1WIRESHARK.EXEDUMPCAP.EXEOLLYDBG.EXEIDAG.EXESYSANALYZER.EXESNIFF_HIT.EXESCKTOOL.EXEPROC_ANALYZER.EXEHOOKEXPLORER.EXEMULTI_POT.EXEVEN_%XSYSTEM\CURRENTCONTROLSET\ENUM\PCISYSTEMBIOSVERSIONHARDWARE\DESCRIPTION\SYSTEMPARALLELSVIDEOBIOSVERSIONIDENTIFIERHARDWARE\DEVICEMAP\SCSI\SCSI PORT 0\SCSI BUS 0\TARGET ID 0\LOGICAL UNIT ID 0QEMUVBOXVIRTUALBOXSOFTWARE\ORACLE\VIRTUALBOX GUEST ADDITIONS\DRIVERS\VBOXMOUSE.SYSVMWAREWMWARESOFTWARE\VMWARE, INC.\VMWARE TOOLSVMMOUSE.SYSVMHGFS.SYSWINE_GET_UNIX_FILE_NAMEKERNEL32.DLLCLOSE_PROCESS%S\%S%SENCRYPTING FILE %S...
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00927BDF rdtsc 0_2_00927BDF
Source: Amcache.hve.3.dr Binary or memory string: VMware
Source: Amcache.hve.3.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.3.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.3.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.3.dr Binary or memory string: VMware20,1hbin@
Source: file.exe Binary or memory string: Fcerbersbiedll.dlldir_watch.dllapi_log.dlltest_item.exedbghelp.dllFrz_StateC:\popupkiller.exeC:\stimulator.exeC:\TOOLS\execute.exe\sand-box\\cwsandbox\\sandbox\\\.\NPF_NdisWanIp\\.\cv2k1wireshark.exedumpcap.exeollydbg.exeidag.exesysanalyzer.exesniff_hit.exescktool.exeproc_analyzer.exehookexplorer.exemulti_pot.exeVEN_%xSYSTEM\CurrentControlSet\Enum\PCISystemBiosVersionHARDWARE\Description\SystemPARALLELSVideoBiosVersionIdentifierHARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0QEMUVBOXVIRTUALBOXSOFTWARE\Oracle\VirtualBox Guest Additions\drivers\VBoxMouse.sysVMWAREWMWARESOFTWARE\VMware, Inc.\VMware Toolsvmmouse.sysvmhgfs.syswine_get_unix_file_namekernel32.dllclose_process%s\%s%SEncrypting file %s...
Source: Amcache.hve.3.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.3.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.3.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.3.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.3.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.3.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.3.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.3.dr Binary or memory string: vmci.sys
Source: Amcache.hve.3.dr Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.3.dr Binary or memory string: vmci.syshbin`
Source: file.exe Binary or memory string: vmware
Source: Amcache.hve.3.dr Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.3.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.3.dr Binary or memory string: VMware20,1
Source: Amcache.hve.3.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.3.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.3.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.3.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.3.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.3.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.3.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.3.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.3.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.3.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.3.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00923EC5 EntryPoint,LdrInitializeThunk, 0_2_00923EC5
Source: Amcache.hve.3.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.3.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.3.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.3.dr Binary or memory string: MsMpEng.exe
No contacted IP infos