
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1522733
MD5: 88e6a85ea94ea57fd35704b9b6e67358
SHA1: 61711495e7f95376a0c2465e3cfa947d86383dc7
SHA256: df93b51dfce7f3f780fe6544a2db728672b9df4e76f2e61be21c87d6d782cce0
Tags: exe, user-jstrosch

Detection

Cerber
Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Cerber ransomware
AI detected suspicious sample
Deletes shadow drive data (may be related to ransomware)
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Detected potential crypto function
May use bcdedit to modify the Windows boot settings
One or more processes crash
PE file contains an invalid checksum
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 6704 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 88E6A85EA94EA57FD35704B9B6E67358)
    • WerFault.exe (PID: 6904 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6704 -s 520 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • cleanup
Name: Cerber
Description: A prolific ransomware which originally added ".cerber" as a file extension to encrypted files. Has undergone multiple iterations in which the extension has changed. Uses a very readily identifiable set of UDP activity to check in and report infections. Primarily uses TOR for payment information.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cerber
Source | Rule | Description | Author
file.exe | JoeSecurity_cerber | Yara detected Cerber ransomware | Joe Security
    No Sigma rule has matched
    No Suricata rule has matched



    AV Detection

    Source: file.exe | Avira: detected
    Source: file.exeMalware Configuration Extractor: Cerber {"default": {"tor": "cerberhhyed5frqa", "site_1": "onion.to", "site_2": "onion.cab", "site_3": "onion.nu", "site_4": "onion.link", "site_5": "tor2web.org"}, "blacklist": {"countries": ["am", "az", "by", "ge", "kg", "kz", "md", "ru", "tm", "tj", "ua", "uz"], "files": ["bootsect.bak", "desktop.ini", "iconcache.db", "ntuser.dat", "thumbs.db", "wallet.dat"], "folders": [":\\$recycle.bin\\", ":\\$windows.~bt\\", ":\\boot\\", ":\\drivers\\", ":\\program files\\", ":\\program files (x86)\\", ":\\programdata\\", ":\\users\\all users\\", ":\\windows\\", ":\\windows.old\\", "\\appdata\\local\\", "\\appdata\\locallow\\", "\\appdata\\roaming\\adobe\\flash player\\", "\\appdata\\roaming\\ati\\", "\\appdata\\roaming\\google\\", "\\appdata\\roaming\\identities\\", "\\appdata\\roaming\\installshield\\", "\\appdata\\roaming\\intel\\", "\\appdata\\roaming\\macromedia\\flash player\\", "\\appdata\\roaming\\media center programs\\", "\\appdata\\roaming\\microsoft\\", "\\appdata\\roaming\\mozilla\\", "\\appdata\\roaming\\nvidia\\", "\\appdata\\roaming\\opera\\", "\\public\\music\\sample music\\", "\\public\\pictures\\sample pictures\\", "\\public\\videos\\sample videos\\", "\\tor browser\\"], "languages": [1049, 1058, 1059, 1064, 1067, 1068, 1079, 1087, 1088, 1090, 1091, 2072, 2073, 2092, 2115]}, "whitelist": {"folders": [":\\program files (x86)\\steam\\", "\\appdata\\roaming\\microsoft\\office\\", "\\appdata\\roaming\\microsoft\\outlook\\", "\\program files\\microsoft sql server\\"]}, "close_process": ["outlook.exe", "steam.exe", "thebat.exe", "thebat64.exe", "thunderbird.exe", "winword.exe"], "check": {"activity": 0, "country": 1, "language": 1, "vmware": 0, "av": 1}, "av_blacklist": ["Kaspersky Lab", "AVAST Software", "ESET", "Bitdefender", "Bitdefender Agent"], "debug": 0, "encrypt": {"files": [[".contact", ".dbx", ".doc", ".docx", ".jnt", ".jpg", ".mapimail", ".msg", ".oab", ".ods", ".pdf", ".pps", ".ppsm", ".ppt", 
".pptm", ".prf", ".pst", ".rar", ".rtf", ".txt", ".wab", ".xls", ".xlsx", ".xml", ".zip", ".1cd", ".3ds", ".3g2", ".3gp", ".7z", ".7zip", ".accdb", ".aoi", ".asf", ".asp", ".aspx", ".asx", ".avi", ".bak", ".cer", ".cfg", ".class", ".config", ".css", ".csv", ".db", ".dds", ".dwg", ".dxf", ".flf", ".flv", ".html", ".idx", ".js", ".key", ".kwm", ".laccdb", ".ldf", ".lit", ".m3u", ".mbx", ".md", ".mdf", ".mid", ".mlb", ".mov", ".mp3", ".mp4", ".mpg", ".obj", ".odt", ".pages", ".php", ".psd", ".pwm", ".rm", ".safe", ".sav", ".save", ".sql", ".srt", ".swf", ".thm", ".vob", ".wav", ".wma", ".wmv", ".xlsb", ".3dm", ".aac", ".ai", ".arw", ".c", ".cdr", ".cls", ".cpi", ".cpp", ".cs", ".db3", ".docm", ".dot", ".dotm", ".dotx", ".drw", ".dxb", ".eps", ".fla", ".flac", ".fxg", ".java", ".m", ".m4v", ".max", ".mdb", ".pcd", ".pct", ".pl", ".potm", ".potx", ".ppam", ".ppsm", ".ppsx", ".pptm", ".ps", ".pspimage", ".r3d", ".rw2", ".sldm", ".sldx", ".svg", ".tga", ".wps", ".xla", ".xlam", ".xlm", ".xlr", ".xlsm", ".xlt", ".xltm", ".xltx", ".xlw", ".act", ".adp",
    Source: file.exe | ReversingLabs: Detection: 97%
    Source: Submitted Sample | Integrated Neural Analysis Model: Matched 90.8% probability
    Source: file.exe | Joe Sandbox ML: detected
    Source: file.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
    Source: Amcache.hve.3.dr | String found in binary or memory: http://upx.sf.net

    Spam, unwanted Advertisements and Ransom Demands

    Source: Yara match | File source: file.exe, type: SAMPLE
    Source: file.exe, 00000000.00000000.1669255607.0000000000931000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: truerequestedExecutionLevelrequireAdministrator%s\%S"%s""%s\explorer.exe"SHCreateItemFromParsingNameshell32.dll*.execopywriteregnetstatftp.exefindattriblookupdiskwinlogonmsiexecresetlogoffnotepadnetshpingwinminetelnettaskroutentbackupmsheartsfreecellcmd.execalcspidersol.exeinstallsetupupdate\x*x.exeCERBER_CORE_PROTECTION_MUTEXshell.%sCERBER_EVALUATED_CORE_PROTECTION_EVENT"%s\%s"CERBER_BODY_PLACE\%sSeDebugPrivilegeStop reason: %sComponent_02%02x%02x%02x%02x%02x%02x%05xcerber%02X%02X%02X%02X%02X%02X%05X%03X%c%c%c%c-%c%c%c%c-%c%c%c%c-%c%c%c%c-%c%c%c%c\data len: %d, trash len: %d, overlay: %sopdefaulttorsite_%dserversstatisticstimeout%02x%[^/]%[/]%dipportSending stat %s, %sknockdata_startdata_finish{IS_ADMIN}%d{IS_X64}{COUNTRY}{PARTNER_ID}%05x{OS}%x{PC_ID}{STOP_REASON}{MD5_KEY}%02X%02X%02X%02X%02X%02X{COUNT_FILES}{SITE_{TOR}0checkavav_blacklistProgramFilesDir (x86)SOFTWARE\Microsoft\Windows\CurrentVersionProgramFilesDir%s\%s\kernel32.dllblacklistlanguagesGETip_geourlproperty_name--countriesC:\test\cerber_debug.txtdebugnetworkvmwarecountrylanguageactivitysend_stat321InstalledCOMSPEC/d /c taskkill /t /f /im "%s" > NUL & ping -n 1 127.0.0.1 > NUL & del "%s" > NUL%s\vssadmin.exedelete shadows /all /quiet%s\wbem\wmic.exeshadowcopy delete/set {default} recoveryenabled nobcdedit.exe/set {default} bootstatuspolicy ignoreallfailuresSOFTWARE\Microsoft\Windows\CurrentVersion\Policies\SystemEnableLUAwallpapertextsizeConsolasbackgroundcolor.bmpopenhelp_filesfiles_namefilesfile_extensionfile_body.vbs%S%S*%S*new_extensionfolderswhitelistSoftware\Microsoft\Windows\CurrentVersion\Policies\ExplorerNoDrives\??\*CERBER_KEY_PLACEPrinters\Defaults\%sIsWow64Processkernel32{%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}D:Papi-ms-win-\KnownDlls32\KnownDllstmp\VarFileInfo\TranslationFileDescription\StringFileInfo\%04x%04x\%s
    Source: file.exe, 00000000.00000002.1813702461.0000000000931000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: truerequestedExecutionLevelrequireAdministrator%s\%S"%s""%s\explorer.exe"SHCreateItemFromParsingNameshell32.dll*.execopywriteregnetstatftp.exefindattriblookupdiskwinlogonmsiexecresetlogoffnotepadnetshpingwinminetelnettaskroutentbackupmsheartsfreecellcmd.execalcspidersol.exeinstallsetupupdate\x*x.exeCERBER_CORE_PROTECTION_MUTEXshell.%sCERBER_EVALUATED_CORE_PROTECTION_EVENT"%s\%s"CERBER_BODY_PLACE\%sSeDebugPrivilegeStop reason: %sComponent_02%02x%02x%02x%02x%02x%02x%05xcerber%02X%02X%02X%02X%02X%02X%05X%03X%c%c%c%c-%c%c%c%c-%c%c%c%c-%c%c%c%c-%c%c%c%c\data len: %d, trash len: %d, overlay: %sopdefaulttorsite_%dserversstatisticstimeout%02x%[^/]%[/]%dipportSending stat %s, %sknockdata_startdata_finish{IS_ADMIN}%d{IS_X64}{COUNTRY}{PARTNER_ID}%05x{OS}%x{PC_ID}{STOP_REASON}{MD5_KEY}%02X%02X%02X%02X%02X%02X{COUNT_FILES}{SITE_{TOR}0checkavav_blacklistProgramFilesDir (x86)SOFTWARE\Microsoft\Windows\CurrentVersionProgramFilesDir%s\%s\kernel32.dllblacklistlanguagesGETip_geourlproperty_name--countriesC:\test\cerber_debug.txtdebugnetworkvmwarecountrylanguageactivitysend_stat321InstalledCOMSPEC/d /c taskkill /t /f /im "%s" > NUL & ping -n 1 127.0.0.1 > NUL & del "%s" > NUL%s\vssadmin.exedelete shadows /all /quiet%s\wbem\wmic.exeshadowcopy delete/set {default} recoveryenabled nobcdedit.exe/set {default} bootstatuspolicy ignoreallfailuresSOFTWARE\Microsoft\Windows\CurrentVersion\Policies\SystemEnableLUAwallpapertextsizeConsolasbackgroundcolor.bmpopenhelp_filesfiles_namefilesfile_extensionfile_body.vbs%S%S*%S*new_extensionfolderswhitelistSoftware\Microsoft\Windows\CurrentVersion\Policies\ExplorerNoDrives\??\*CERBER_KEY_PLACEPrinters\Defaults\%sIsWow64Processkernel32{%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}D:Papi-ms-win-\KnownDlls32\KnownDllstmp\VarFileInfo\TranslationFileDescription\StringFileInfo\%04x%04x\%s
    Source: file.exeBinary or memory string: truerequestedExecutionLevelrequireAdministrator%s\%S"%s""%s\explorer.exe"SHCreateItemFromParsingNameshell32.dll*.execopywriteregnetstatftp.exefindattriblookupdiskwinlogonmsiexecresetlogoffnotepadnetshpingwinminetelnettaskroutentbackupmsheartsfreecellcmd.execalcspidersol.exeinstallsetupupdate\x*x.exeCERBER_CORE_PROTECTION_MUTEXshell.%sCERBER_EVALUATED_CORE_PROTECTION_EVENT"%s\%s"CERBER_BODY_PLACE\%sSeDebugPrivilegeStop reason: %sComponent_02%02x%02x%02x%02x%02x%02x%05xcerber%02X%02X%02X%02X%02X%02X%05X%03X%c%c%c%c-%c%c%c%c-%c%c%c%c-%c%c%c%c-%c%c%c%c\data len: %d, trash len: %d, overlay: %sopdefaulttorsite_%dserversstatisticstimeout%02x%[^/]%[/]%dipportSending stat %s, %sknockdata_startdata_finish{IS_ADMIN}%d{IS_X64}{COUNTRY}{PARTNER_ID}%05x{OS}%x{PC_ID}{STOP_REASON}{MD5_KEY}%02X%02X%02X%02X%02X%02X{COUNT_FILES}{SITE_{TOR}0checkavav_blacklistProgramFilesDir (x86)SOFTWARE\Microsoft\Windows\CurrentVersionProgramFilesDir%s\%s\kernel32.dllblacklistlanguagesGETip_geourlproperty_name--countriesC:\test\cerber_debug.txtdebugnetworkvmwarecountrylanguageactivitysend_stat321InstalledCOMSPEC/d /c taskkill /t /f /im "%s" > NUL & ping -n 1 127.0.0.1 > NUL & del "%s" > NUL%s\vssadmin.exedelete shadows /all /quiet%s\wbem\wmic.exeshadowcopy delete/set {default} recoveryenabled nobcdedit.exe/set {default} bootstatuspolicy ignoreallfailuresSOFTWARE\Microsoft\Windows\CurrentVersion\Policies\SystemEnableLUAwallpapertextsizeConsolasbackgroundcolor.bmpopenhelp_filesfiles_namefilesfile_extensionfile_body.vbs%S%S*%S*new_extensionfolderswhitelistSoftware\Microsoft\Windows\CurrentVersion\Policies\ExplorerNoDrives\??\*CERBER_KEY_PLACEPrinters\Defaults\%sIsWow64Processkernel32{%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}D:Papi-ms-win-\KnownDlls32\KnownDllstmp\VarFileInfo\TranslationFileDescription\StringFileInfo\%04x%04x\%s
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0092D49E
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0092F4B8
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009288BC
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009309C8
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0092D54C
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0092F16E
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00927B3F
    Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6704 -s 520
    Source: file.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
    Source: classification engine | Classification label: mal88.rans.evad.winEXE@2/5@0/0
    Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6704
    Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\91547f3a-71cc-4153-934c-7dd0680be7bb
    Source: file.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: file.exe | ReversingLabs: Detection: 97%
    Source: unknown | Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
    Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6704 -s 520
    Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
    Source: C:\Users\user\Desktop\file.exe | Section loaded: wininet.dll
    Source: C:\Users\user\Desktop\file.exe | Section loaded: version.dll
    Source: C:\Users\user\Desktop\file.exe | Section loaded: mpr.dll
    Source: C:\Users\user\Desktop\file.exe | Section loaded: netapi32.dll
    Source: C:\Users\user\Desktop\file.exe | Section loaded: samcli.dll
    Source: C:\Users\user\Desktop\file.exe | Section loaded: netutils.dll
    Source: file.exe | Static PE information: real checksum: 0x64 should be: 0x286da
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009309B7 push ecx; ret 0_2_009309C7
    Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX

    Malware Analysis System Evasion

    Source: file.exe | Binary or memory string: WINE_GET_UNIX_FILE_NAME
    Source: file.exe | Binary or memory string: FCERBERSBIEDLL.DLLDIR_WATCH.DLLAPI_LOG.DLLTEST_ITEM.EXEDBGHELP.DLLFRZ_STATEC:\POPUPKILLER.EXEC:\STIMULATOR.EXEC:\TOOLS\EXECUTE.EXE\SAND-BOX\\CWSANDBOX\\SANDBOX\\\.\NPF_NDISWANIP\\.\CV2K1WIRESHARK.EXEDUMPCAP.EXEOLLYDBG.EXEIDAG.EXESYSANALYZER.EXESNIFF_HIT.EXESCKTOOL.EXEPROC_ANALYZER.EXEHOOKEXPLORER.EXEMULTI_POT.EXEVEN_%XSYSTEM\CURRENTCONTROLSET\ENUM\PCISYSTEMBIOSVERSIONHARDWARE\DESCRIPTION\SYSTEMPARALLELSVIDEOBIOSVERSIONIDENTIFIERHARDWARE\DEVICEMAP\SCSI\SCSI PORT 0\SCSI BUS 0\TARGET ID 0\LOGICAL UNIT ID 0QEMUVBOXVIRTUALBOXSOFTWARE\ORACLE\VIRTUALBOX GUEST ADDITIONS\DRIVERS\VBOXMOUSE.SYSVMWAREWMWARESOFTWARE\VMWARE, INC.\VMWARE TOOLSVMMOUSE.SYSVMHGFS.SYSWINE_GET_UNIX_FILE_NAMEKERNEL32.DLLCLOSE_PROCESS%S\%S%SENCRYPTING FILE %S...
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00927BDF rdtsc
    Source: Amcache.hve.3.dr | Binary or memory string: VMware
    Source: Amcache.hve.3.dr | Binary or memory string: VMware Virtual USB Mouse
    Source: Amcache.hve.3.dr | Binary or memory string: vmci.syshbin
    Source: Amcache.hve.3.dr | Binary or memory string: VMware, Inc.
    Source: Amcache.hve.3.dr | Binary or memory string: VMware20,1hbin@
    Source: file.exe | Binary or memory string: Fcerbersbiedll.dlldir_watch.dllapi_log.dlltest_item.exedbghelp.dllFrz_StateC:\popupkiller.exeC:\stimulator.exeC:\TOOLS\execute.exe\sand-box\\cwsandbox\\sandbox\\\.\NPF_NdisWanIp\\.\cv2k1wireshark.exedumpcap.exeollydbg.exeidag.exesysanalyzer.exesniff_hit.exescktool.exeproc_analyzer.exehookexplorer.exemulti_pot.exeVEN_%xSYSTEM\CurrentControlSet\Enum\PCISystemBiosVersionHARDWARE\Description\SystemPARALLELSVideoBiosVersionIdentifierHARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0QEMUVBOXVIRTUALBOXSOFTWARE\Oracle\VirtualBox Guest Additions\drivers\VBoxMouse.sysVMWAREWMWARESOFTWARE\VMware, Inc.\VMware Toolsvmmouse.sysvmhgfs.syswine_get_unix_file_namekernel32.dllclose_process%s\%s%SEncrypting file %s...
    Source: Amcache.hve.3.dr | Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
    Source: Amcache.hve.3.dr | Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
    Source: Amcache.hve.3.dr | Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
    Source: Amcache.hve.3.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
    Source: Amcache.hve.3.dr | Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
    Source: Amcache.hve.3.dr | Binary or memory string: c:/windows/system32/drivers/vmci.sys
    Source: Amcache.hve.3.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
    Source: Amcache.hve.3.dr | Binary or memory string: vmci.sys
    Source: Amcache.hve.3.dr | Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
    Source: Amcache.hve.3.dr | Binary or memory string: vmci.syshbin`
    Source: file.exe | Binary or memory string: vmware
    Source: Amcache.hve.3.dr | Binary or memory string: \driver\vmci,\driver\pci
    Source: Amcache.hve.3.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
    Source: Amcache.hve.3.dr | Binary or memory string: VMware20,1
    Source: Amcache.hve.3.dr | Binary or memory string: Microsoft Hyper-V Generation Counter
    Source: Amcache.hve.3.dr | Binary or memory string: NECVMWar VMware SATA CD00
    Source: Amcache.hve.3.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device
    Source: Amcache.hve.3.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
    Source: Amcache.hve.3.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
    Source: Amcache.hve.3.dr | Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
    Source: Amcache.hve.3.dr | Binary or memory string: VMware PCI VMCI Bus Device
    Source: Amcache.hve.3.dr | Binary or memory string: VMware VMCI Bus Device
    Source: Amcache.hve.3.dr | Binary or memory string: VMware Virtual RAM
    Source: Amcache.hve.3.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
    Source: Amcache.hve.3.dr | Binary or memory string: vmci.inf_amd64_68ed49469341f563
    Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00927BDF rdtsc
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00923EC5 EntryPoint,LdrInitializeThunk
    Source: Amcache.hve.3.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
    Source: Amcache.hve.3.dr | Binary or memory string: msmpeng.exe
    Source: Amcache.hve.3.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
    Source: Amcache.hve.3.dr | Binary or memory string: MsMpEng.exe
    MITRE ATT&CK matrix, listed per tactic column (the number in brackets is the match count the matrix shows for that technique; techniques without a number did not match):

    Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
    Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
    Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
    Execution: Windows Management Instrumentation; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task
    Persistence: Bootkit (1); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
    Privilege Escalation: Process Injection (1); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
    Defense Evasion: Bootkit (1); Virtualization/Sandbox Evasion (1); Process Injection (1); DLL Side-Loading (1); Obfuscated Files or Information (1); File Deletion (1)
    Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
    Discovery: Security Software Discovery (131); Virtualization/Sandbox Evasion (1); System Information Discovery (1); System Network Configuration Discovery; Internet Connection Discovery; Wi-Fi Discovery
    Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
    Collection: Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
    Command and Control: Encrypted Channel (1); Junk Data; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication
    Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
    Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop
    Source | Detection | Scanner | Label
    file.exe | 97% | ReversingLabs | Win32.Ransomware.Cerber
    file.exe | 100% | Avira | TR/Dropper.Gen
    file.exe | 100% | Joe Sandbox ML
    No Antivirus matches
    Source | Detection | Scanner | Label
    http://upx.sf.net | 0% | URL Reputation | safe
    No contacted domains info
    Name | Source | Malicious | Antivirus Detection | Reputation
    http://upx.sf.net | Amcache.hve.3.dr | false | URL Reputation: safe | unknown
    No contacted IP infos
    Joe Sandbox version:41.0.0 Charoite
    Analysis ID:1522733
    Start date and time:2024-09-30 16:11:12 +02:00
    Joe Sandbox product:CloudBasic
    Overall analysis duration:0h 3m 54s
    Hypervisor based Inspection enabled:false
    Report type:full
    Cookbook file name:default.jbs
    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
    Number of analysed new started processes analysed:9
    Number of new started drivers analysed:0
    Number of existing processes analysed:0
    Number of existing drivers analysed:0
    Number of injected processes analysed:0
    Technologies:
    • HCA enabled
    • EGA enabled
    • AMSI enabled
    Analysis Mode:default
    Analysis stop reason:Timeout
    Sample name:file.exe
    Detection:MAL
    Classification:mal88.rans.evad.winEXE@2/5@0/0
    EGA Information:Failed
    HCA Information:
    • Successful, ratio: 100%
    • Number of executed functions: 1
    • Number of non-executed functions: 9
    Cookbook Comments:
    • Found application associated with file extension: .exe
    • Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
    • Excluded IPs from analysis (whitelisted): 20.42.73.29
    • Excluded domains from analysis (whitelisted): ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
    • Execution Graph export aborted for target file.exe, PID 6704 because it is empty
    • Not all processes were analyzed, report is missing behavior information
    • VT rate limit hit for: file.exe
    Time      Type             Description
    10:12:17  API Interceptor  1x Sleep call for process: WerFault.exe modified
    No context
    Process:C:\Windows\SysWOW64\WerFault.exe
    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
    Category:dropped
    Size (bytes):65536
    Entropy (8bit):0.802963803311734
    Encrypted:false
    SSDEEP:192:5xaALeyvFPj8Lv0BU/fI3jKqqzuiFlZ24IO8TVB:PI8FtBU/YjKfzuiFlY4IO8X
    MD5:821D75E8BBE328BEA21E386BA5AFA6CA
    SHA1:E1B903C2328C233D36D358DC0A85B45EBC5F7984
    SHA-256:BC1D8242350CD79914B0DFD62396471B5BEE06780A86E4D80002446DB3DB8F6C
    SHA-512:D538BAAF1F2E1BED29575403061C1EB4AB17BD2E7B5B30C787DE500B9EA9510FD38A0321A82A5B6A7E48844F9AA5940BCE3A863EFBF71B967C37AFFFE0F7C789
    Malicious:true
    Reputation:low
    Process:C:\Windows\SysWOW64\WerFault.exe
    File Type:Mini DuMP crash report, 14 streams, Mon Sep 30 14:12:03 2024, 0x1205a4 type
    Category:dropped
    Size (bytes):37776
    Entropy (8bit):1.973954892380292
    Encrypted:false
    SSDEEP:192:GJUQDrXNX/pAstOxJmu4il+g2g0HC38+ZYjC7W:WUs7ArLkC2g0HCfYf
    MD5:0BD1B1DBB842E4ECCA5FE8E68B9ED68B
    SHA1:D3C44F22A9DADFFFB8D5AAA706BCFDBE21601534
    SHA-256:E3ECB0FDC19E8BED8A95E5592A6B404641DCA4A6AE17843DE9982A4CA6C2099F
    SHA-512:EF31CBA1FC86846B8AC7265ABEA22B6DF6A15AE7CC917DC42999AB6FA918E492A710EBE058C9B2880DC0AF5D2C6B626B8E90C9F301635600ABDDB6AA793E9A79
    Malicious:false
    Reputation:low
    Process:C:\Windows\SysWOW64\WerFault.exe
    File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
    Category:dropped
    Size (bytes):8256
    Entropy (8bit):3.692761202975226
    Encrypted:false
    SSDEEP:192:R6l7wVeJLzCX6tjL6Y9JSUWgmfBtqplUprt89bpgsfu0Dm:R6lXJ66l6YTSUWgmfybpzfut
    MD5:A10223E61D1644F82676A33B79094B64
    SHA1:9BBA9E01420114CF6FE499BC667E23A5A6BE16BE
    SHA-256:97F301B8B5E7497E590AC27075DAD951446F496A8E4BB41C8D6A6F759CD67748
    SHA-512:0AE056D666CCB9502A99DD5792A6C2024BFFA66DAB98C1A624A1FD6C553F7DB629F4CAE9518B2D71CF9C345991A103E67C383458203A84DE02BE95CE30325CAB
    Malicious:false
    Reputation:low
    Process:C:\Windows\SysWOW64\WerFault.exe
    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
    Category:dropped
    Size (bytes):4538
    Entropy (8bit):4.4254302358991975
    Encrypted:false
    SSDEEP:48:cvIwWl8zsVJg77aI9M/VWpW8VYbpYm8M4JnOF9+q82HDquh9d:uIjfvI7kk7Va4JS/Dquh9d
    MD5:2F17BF52A9B6366C64A11EDF597A926F
    SHA1:B5A1F5BAD69D4C48937640D24E7708FB5DCAF83E
    SHA-256:400A9377A2FCDAE487067A327AD71BE8DBC2460FD5C22CFA3DABCDEF846667AC
    SHA-512:6F562B613410FDAF11C0F2ECC8296B13ED69D2FA3D8A6893BEE7DB7FA5D363FC9DB567BD7B7F84107D6F9A720F9A7151AFB0F10C667E1A7CC604B6C6B3A850B2
    Malicious:false
    Reputation:low
    Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="523034" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
    Process:C:\Windows\SysWOW64\WerFault.exe
    File Type:MS Windows registry file, NT/2000 or above
    Category:dropped
    Size (bytes):1835008
    Entropy (8bit):4.465295924550344
    Encrypted:false
    SSDEEP:6144:QIXfpi67eLPU9skLmb0b4+WSPKaJG8nAgejZMMhA2gX4WABl0uNPdwBCswSb5:1XD94+WlLZMM6YFH1+5
    MD5:3BD91C1DF03AADBDB7EBC45DA5ACE8F8
    SHA1:D6D86295820BBBB718B8946553B122F95C2D02A7
    SHA-256:E55A5F67D68037B42838490E124E84FFBC84F6818C00C7B2522B1D1A8D763F2F
    SHA-512:D7242D08E6C3DA18FCF1488AB53B80463E560AFAB20CFDDF1A32E7A36930EA4290D14B384368AA9A690A94DA952423217333A49480E9B82C72CA677770B284DD
    Malicious:false
    Reputation:low
    File type:PE32 executable (GUI) Intel 80386, for MS Windows
    Entropy (8bit):7.128003527328208
    TrID:
    • Win32 Executable (generic) a (10002005/4) 99.96%
    • Generic Win/DOS Executable (2004/3) 0.02%
    • DOS Executable Generic (2002/1) 0.02%
    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
    File name:file.exe
    File size:116'224 bytes
    MD5:88e6a85ea94ea57fd35704b9b6e67358
    SHA1:61711495e7f95376a0c2465e3cfa947d86383dc7
    SHA256:df93b51dfce7f3f780fe6544a2db728672b9df4e76f2e61be21c87d6d782cce0
    SHA512:0d741cd42c4efa160ebcf4d8601bc80193b00112226ac70f24c0c5a1a1430b7d723b32cb39804959e80402fe01818f4f1b1e6d75a669db51fde9d4fbffeb2834
    SSDEEP:3072:x+PkbTWYtBzNgnbRh6JuB/fFDkjjdqxEIe8mXbdMP73:Is2cBCbRdB/fFDkjXIHj3
    TLSH:4EB3CF63B9E16073D5E61CF197715DB2CBBAFD351D76840B839406090EB0A83EA3B287
    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......I.........................................G.......W..............Lk.^....LY.....Rich............PE..L...:.XW...................
    Icon Hash:90cececece8e8eb0
    Entrypoint:0x923ec5
    Entrypoint Section:.text
    Digitally signed:false
    Imagebase:0x920000
    Subsystem:windows gui
    Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
    DLL Characteristics:NX_COMPAT, TERMINAL_SERVER_AWARE
    Time Stamp:0x5758013A [Wed Jun 8 11:27:54 2016 UTC]
    TLS Callbacks:
    CLR (.Net) Version:
    OS Version Major:5
    OS Version Minor:1
    File Version Major:5
    File Version Minor:1
    Subsystem Version Major:5
    Subsystem Version Minor:1
    Import Hash:ae80b4ecb14ba8e602aaba0e2180c87d
    Instruction
    push ebp
    mov ebp, esp
    and esp, FFFFFFF8h
    sub esp, 00000190h
    push ebx
    push ebp
    push esi
    push edi
    call 00007F2C148E23D2h
    push eax
    call 00007F2C148E2526h
    pop ecx
    test eax, eax
    je 00007F2C148DF75Ch
    call 00007F2C148E0FF0h
    call 00007F2C148DF71Bh
    xor ebx, ebx
    push ebx
    call dword ptr [00411224h]
    push 00000104h
    mov esi, 00417038h
    push esi
    push ebx
    mov dword ptr [00416D0Ch], eax
    call dword ptr [0041119Ch]
    push esi
    call dword ptr [0041131Ch]
    sub eax, esi
    sar eax, 1
    inc eax
    push eax
    push esi
    push 00416D10h
    call dword ptr [0041132Ch]
    push dword ptr [00416D0Ch]
    call 00007F2C148DC89Dh
    mov ebp, eax
    pop ecx
    cmp ebp, ebx
    je 00007F2C148DF7FDh
    push ebp
    call 00007F2C148E06AAh
    pop ecx
    test al, al
    jne 00007F2C148DF7E9h
    push ebp
    call 00007F2C148DFA7Ch
    pop ecx
    push ebp
    call 00007F2C148DDA99h
    pop ecx
    test al, al
    je 00007F2C148DF7D8h
    lea eax, dword ptr [esp+10h]
    push eax
    push 00000202h
    call dword ptr [004113F4h]
    call 00007F2C148DEF21h
    push ebx
    push ebx
    push 00000001h
    push ebx
    call dword ptr [004110FCh]
    mov dword ptr [00416D08h], eax
    call 00007F2C148E34AEh
    Programming Language:
    • [ C ] VS2008 SP1 build 30729
    • [IMP] VS2008 SP1 build 30729
    • [LNK] VS2010 SP1 build 40219
    Name                                  Virtual Address  Virtual Size  Is in Section
    IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
    IMAGE_DIRECTORY_ENTRY_IMPORT          0x13194          0x154         .rdata
    IMAGE_DIRECTORY_ENTRY_RESOURCE        0x18000          0x7804        .rsrc
    IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
    IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
    IMAGE_DIRECTORY_ENTRY_BASERELOC       0x0              0x0
    IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
    IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
    IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
    IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
    IMAGE_DIRECTORY_ENTRY_IAT             0x11000          0x480         .rdata
    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
    IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
    Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity     File Type  Entropy            Characteristics
    .text   0x1000           0xfe34        0x10000   08a0eae2c6afe8e767bf68ec4553f14c  False     0.628143310546875   data       6.584064760608121  IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    .rdata  0x11000          0x3a34        0x3c00    deefff7788393cde82164eb3e06e8b46  False     0.5225260416666667  data       5.4626752157505    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
    .data   0x15000          0x2860        0xc00     7221dfff5b2906711d4912fdced01660  False     0.3447265625        data       4.274790696831096  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
    .rsrc   0x18000          0x7804        0x7a00    63f627536c437ab82f4f36539c79b67d  False     0.9857838114754098  data       7.987914916263045  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
    Name       RVA      Size    Type  Language  Country  ZLIB Complexity
    RT_RCDATA  0x18058  0x77aa  data                     1.0005222954886728
    DLL: Imports
    CRYPT32.dll: CryptBinaryToStringA, CryptImportPublicKeyInfo, CryptStringToBinaryA, CryptDecodeObjectEx
    WININET.dll: InternetCloseHandle, InternetConnectA, HttpOpenRequestA, InternetReadFile, InternetCrackUrlA, InternetOpenA, HttpSendRequestA
    SHLWAPI.dll: PathRemoveExtensionW, StrCmpNIA, StrToIntA, StrChrA, StrToInt64ExA, StrSpnA, PathFindFileNameW, StrStrIA, StrCmpNW, StrChrIA, StrCpyNW, PathMatchSpecW, StrCmpNIW, StrPBrkA, PathCombineW, PathSkipRootW, StrStrIW, PathUnquoteSpacesW, StrChrW
    VERSION.dll: VerQueryValueW, GetFileVersionInfoW, GetFileVersionInfoSizeA, VerQueryValueA, GetFileVersionInfoSizeW, GetFileVersionInfoA
    MPR.dll: WNetOpenEnumW, WNetCloseEnum, WNetEnumResourceW
    imagehlp.dll: CheckSumMappedFile
    WS2_32.dll: htons, sendto, socket, WSAStartup, inet_ntoa, inet_addr, htonl, shutdown, closesocket, gethostbyname
    KERNEL32.dll: WaitForSingleObject, SetEvent, OutputDebugStringW, SetFileTime, WriteFile, InitializeCriticalSection, Sleep, LeaveCriticalSection, GetTimeFormatW, GetFileAttributesW, FileTimeToSystemTime, ReadFile, GetFileSizeEx, MoveFileW, EnterCriticalSection, CreateEventW, SizeofResource, GetFileTime, DeleteCriticalSection, CloseHandle, FileTimeToLocalFileTime, lstrcpyW, CreateThread, LoadResource, FindResourceW, FreeResource, LocalFree, ExitProcess, lstrcpynA, MultiByteToWideChar, GetTempFileNameW, GetFileSize, MapViewOfFile, UnmapViewOfFile, FreeLibrary, CreateProcessW, LoadLibraryExW, LoadLibraryW, CopyFileW, ReadProcessMemory, GetSystemWow64DirectoryW, lstrcpynW, TerminateProcess, FlushInstructionCache, SetFilePointerEx, GetTempPathW, VirtualAllocEx, CreateFileMappingW, OpenEventW, WinExec, GetWindowsDirectoryW, DeleteFileW, WriteProcessMemory, ResumeThread, FindFirstFileW, GetModuleFileNameW, FindClose, SetFileAttributesW, WideCharToMultiByte, CreateMutexW, GetCurrentProcess, GetCurrentThreadId, SetFilePointer, SetThreadPriority, WaitForMultipleObjects, SetCurrentDirectoryW, OutputDebugStringA, SetProcessShutdownParameters, GetFileAttributesA, lstrlenA, SearchPathW, lstrcpyA, GetEnvironmentVariableW, IsBadWritePtr, TlsAlloc, GetVersionExW, lstrcmpiA, GetTickCount, GetModuleFileNameA, GetDateFormatW, GetProcAddress, lstrlenW, lstrcatW, MulDiv, GetSystemDirectoryW, CreateToolhelp32Snapshot, LockResource, SetErrorMode, GetSystemWindowsDirectoryW, GetModuleHandleW, GetVolumeInformationW, GetLastError, OpenMutexW, VirtualProtect, GetNativeSystemInfo, GetDriveTypeW, GetLogicalDrives, VirtualFree, VirtualAlloc, GetModuleHandleA, QueryDosDeviceW, FindNextFileW, HeapReAlloc, HeapAlloc, HeapFree, HeapCreate, HeapValidate, SetLastError, GetProcessHeaps, HeapSetInformation, GetCurrentProcessId, GetComputerNameA, lstrcmpiW, ExpandEnvironmentStringsW, CreateDirectoryW, Process32NextW, GetSystemInfo, OpenProcess, GetCurrentThread, IsBadStringPtrA, GetHandleInformation, IsBadCodePtr, IsBadStringPtrW, RtlUnwind, CreateFileW, FlushFileBuffers, Process32FirstW, IsBadReadPtr
    ADVAPI32.dll: RegOpenKeyExW, RegCloseKey, ConvertStringSecurityDescriptorToSecurityDescriptorW, SetKernelObjectSecurity, LookupPrivilegeValueW, CreateWellKnownSid, CheckTokenMembership, FreeSid, AllocateAndInitializeSid, DuplicateToken, GetTokenInformation, OpenProcessToken, ConvertSidToStringSidW, GetLengthSid, RegSetValueExW, RegFlushKey, RegOpenKeyW, AdjustTokenPrivileges, RegCreateKeyExW, RegEnumValueW, RegEnumKeyW, CryptDestroyKey, CryptAcquireContextW, CryptGetKeyParam, RegDeleteValueW, CryptEncrypt, RegQueryValueExW
    USER32.dll: wsprintfW, DispatchMessageW, DefWindowProcW, RegisterClassW, CreateWindowExW, PeekMessageW, TranslateMessage, wsprintfA, CharLowerBuffA, GetSystemMetrics, GetKeyboardLayoutList, ReleaseDC, SystemParametersInfoW, GetDC, DrawTextA, FillRect, GetLastInputInfo, RegisterClassExW, UnregisterClassW, GetForegroundWindow
    ole32.dll: CoCreateInstance, CoInitializeSecurity, CoInitialize, CoInitializeEx, CoUninitialize
    SHELL32.dll: ShellExecuteW, ShellExecuteExW, SHGetFolderPathW, SHChangeNotify
    ntdll.dll: ZwOpenSection, RtlFreeUnicodeString, NtDeleteFile, isspace, RtlDosPathNameToNtPathName_U, memmove, ZwOpenProcess, ZwClose, ZwOpenDirectoryObject, ZwQuerySystemInformation, _chkstk, ZwQueryInformationProcess, _allmul, memcpy, _alldiv, memset, _aulldvrm, NtQueryVirtualMemory
    OLEAUT32.dll: SysAllocString, SysFreeString
    GDI32.dll: SetTextColor, DeleteDC, GetDeviceCaps, GetDIBits, SetBkColor, SetPixel, DeleteObject, SelectObject, CreateCompatibleDC, CreateCompatibleBitmap, CreateFontW, GetObjectW, GetStockObject
    NETAPI32.dll: NetUserEnum, NetUserGetInfo, NetApiBufferFree
    No network behavior found

    Target ID:0
    Start time:10:12:02
    Start date:30/09/2024
    Path:C:\Users\user\Desktop\file.exe
    Wow64 process (32bit):true
    Commandline:"C:\Users\user\Desktop\file.exe"
    Imagebase:0x920000
    File size:116'224 bytes
    MD5 hash:88E6A85EA94EA57FD35704B9B6E67358
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:low
    Has exited:true

    Target ID:3
    Start time:10:12:03
    Start date:30/09/2024
    Path:C:\Windows\SysWOW64\WerFault.exe
    Wow64 process (32bit):true
    Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6704 -s 520
    Imagebase:0xae0000
    File size:483'680 bytes
    MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high
    Has exited:true

      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.1813686570.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
      • Associated: 00000000.00000002.1813671136.0000000000920000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1813702461.0000000000931000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1813714560.0000000000935000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1813726249.0000000000938000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_920000_file.jbxd
      Similarity
      • API ID:
      • String ID: 8pA
      • API String ID: 0-4225590730
      • Opcode ID: 93641488cf24e76eb886a7f93e2aa01fb285a5781e37bbedc4c91157bf14959e
      • Instruction ID: ba435084f707d258d8922c9efbe46f886688881b3b550a33fb6e20fc6e2370f7
      • Opcode Fuzzy Hash: 93641488cf24e76eb886a7f93e2aa01fb285a5781e37bbedc4c91157bf14959e
      • Instruction Fuzzy Hash: 17212D715043246FE610BBF0BD4BFEA7B6CEF85360B00C036FA54961EADE399C048664
      Strings
      Similarity
      • API ID:
      • String ID: 8pA
      • API String ID: 0-4225590730
      • Opcode ID: ef50185a61cb7dde4070916301904161020498fd6b3cab06a40a93126ede73ee
      • Instruction ID: 909756fdfcbd5d02c1cdde40c016d720d7bc2559fe9cfe0237a0a2885fc12401
      • Opcode Fuzzy Hash: ef50185a61cb7dde4070916301904161020498fd6b3cab06a40a93126ede73ee
      • Instruction Fuzzy Hash: 80016823B285350A5B7DA03D2D17073E6CBC3C528034E95ABEC86EF1C9E811CE0381D1
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 6611ec535b56d38d682342b0ee567e7898610d2e297283abfb6283b62c1a0b09
      • Instruction ID: 9505d88d5431b7919c60d05694df2b7a4bad8f5726a99ce3b99e007d8285fd27
      • Opcode Fuzzy Hash: 6611ec535b56d38d682342b0ee567e7898610d2e297283abfb6283b62c1a0b09
      • Instruction Fuzzy Hash: 3A22757BE516169BDB08CA95CC805E9B3E3BBC832471F9179C919E3305EE797A0786C0
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 957f1956b7d471640189013b95c9da22bca501319e109b8917a2e0cf56e37875
      • Instruction ID: 0677c24970c6f9232cf31f15df7d58b26b78aa97b09d4dfe7b21cfda01a13e49
      • Opcode Fuzzy Hash: 957f1956b7d471640189013b95c9da22bca501319e109b8917a2e0cf56e37875
      • Instruction Fuzzy Hash: B042CC72A116158FD748CF69C899BA6B3E3BFCC310F5B81FA851A5F265CA706811CE84
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 1bc21e0462e738203852ae265d26f0d353636900db5a752e339e77ef8c3c9d91
      • Instruction ID: 67abc844bf01c4dee35324f98fd263e924009530cdff93c0598685351acff5e5
      • Opcode Fuzzy Hash: 1bc21e0462e738203852ae265d26f0d353636900db5a752e339e77ef8c3c9d91
      • Instruction Fuzzy Hash: BCB19E31D01229EBCF15EFA4EC91AEEBBB5FF88300F200479E815A6229D7759E51DB50
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 867d7b0b2c836e17da2087647db17d634d96449415164282c48cd38b416e0f46
      • Instruction ID: 5f34b8a5e1ce76b3d5a2a43b6fe15df99b3d0a7ff6fed3eb30a3c4837dfee077
      • Opcode Fuzzy Hash: 867d7b0b2c836e17da2087647db17d634d96449415164282c48cd38b416e0f46
      • Instruction Fuzzy Hash: E031F632A022299BCB09CE7CD4E45FEB7F5FB81304B18816ED84697348DB705E44DB80
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 055ce3a16072e11c5b5b43c4deef216cb34a050bfe9534eea9d89275913ec06d
      • Instruction ID: 39617aaf0ec4a7f5555907de66290afce097528674735cc6c655ec38dc68f19f
      • Opcode Fuzzy Hash: 055ce3a16072e11c5b5b43c4deef216cb34a050bfe9534eea9d89275913ec06d
      • Instruction Fuzzy Hash: C321C4729002049FCB10DFA8D8959ABBBA9FF84310F06C569E916CB246D730F915CBE0
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: ef819db6a0147cbdd56d17e60cd4e093d2cdac7bf5ba2aaa423cf1ffa09d155b
      • Instruction ID: 117001e01bb935e7ec87120f0b626fc12ceefde0a2ba1836ab4b780a552d142e
      • Opcode Fuzzy Hash: ef819db6a0147cbdd56d17e60cd4e093d2cdac7bf5ba2aaa423cf1ffa09d155b
      • Instruction Fuzzy Hash: 7211E373B1532A4FE7489E69DC8036AF3D5EBC4340F1A497ED5A9D7281DAF0981987C0
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: f4d211196f370cd8bb6c2234290449697ca74aa388301e236f6f9bb8ec2923ed
      • Instruction ID: 5857d262aeadb118b6e1a730cc053fc306f1192e0efbb1ab825dfaae4f37f032
      • Opcode Fuzzy Hash: f4d211196f370cd8bb6c2234290449697ca74aa388301e236f6f9bb8ec2923ed
      • Instruction Fuzzy Hash: FCF03A32B94932CB9758CB69BC856C637D7ABD4290355C33AE809DBA54D630DC518B84
      Strings
      Similarity
      • API ID:
      • String ID: $ $1UA$IUA$IUA$[UA$jUA$jUA
      • API String ID: 0-1070103170
      • Opcode ID: d2648ce9a4c7866faf27c6c98847a7dd99b6c6d5d1d4834fd2129a29bb69b879
      • Instruction ID: 87f0fca04e59f41872a3594c21ba5a8436531ba4db7e0aa4c3d15e3d06ae2303
      • Opcode Fuzzy Hash: d2648ce9a4c7866faf27c6c98847a7dd99b6c6d5d1d4834fd2129a29bb69b879
      • Instruction Fuzzy Hash: A1029762C082E9ABDB16CB6891553EDFFB56F12304F1C81C9C4D15B28BC2794AC9D793