Cerber Ransomware | VMRay Analyzer Report
Try VMRay Analyzer
| Creation Time | 2017-04-25 12:19 (UTC+2) |
| VM Analysis Duration Time | 00:02:34 |
| Execution Successful |
|
| Sample Filename | 199a4a2585c9fc855c5a694df318d153cd74e47fe4b8c667f25a822bfbb22bc6.exe |
| Command Line Parameters |
|
| Prescript |
|
| Number of Processes | 13 |
| Termination Reason | Timeout |
| Download | Archive Function Logfile Generic Logfile PCAP STIX/CybOX |
|
VTI Score
91 / 100
|
|
| VTI Database Version | 2.5 |
| VTI Rule Match Count | 14 |
| VTI Rule Type | Default (PE, ...) |
| The tags feature is only available in the fully licensed version of VMRay Analyzer. |
| ID | PID | Monitor Reason | Integrity Level | Image Name | Command Line | Origin ID |
|---|---|---|---|---|---|---|
| #1 | 0x9c4 | Analysis Target | High (Elevated) | 199a4a2585c9fc855c5a694df318d153cd74e47fe4b8c667f25a822bfbb22bc6.exe | "C:\Users\hJrD1KOKY DS8lUjv\Desktop\199a4a2585c9fc855c5a694df318d153cd74e47fe4b8c667f25a822bfbb22bc6.exe" | |
| #2 | 0x9e0 | Child Process | High (Elevated) | 199a4a2585c9fc855c5a694df318d153cd74e47fe4b8c667f25a822bfbb22bc6.exe | "C:\Users\hJrD1KOKY DS8lUjv\Desktop\199a4a2585c9fc855c5a694df318d153cd74e47fe4b8c667f25a822bfbb22bc6.exe" | #1 |
| #3 | 0xa00 | Child Process | High (Elevated) | netsh.exe | C:\Windows\system32\netsh.exe advfirewall set allprofiles state on | #2 |
| #4 | 0x35c | RPC Server | System (Elevated) | svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs | #3 |
| #5 | 0xa2c | Child Process | High (Elevated) | netsh.exe | C:\Windows\system32\netsh.exe advfirewall reset | #2 |
| #6 | 0xa70 | Child Process | High (Elevated) | netsh.exe | C:\Windows\system32\netsh.exe advfirewall firewall add rule name="00EYALeZGh" dir=out action=block program="C:\Program Files (x86)\Windows Defender\boxed.exe" | #2 |
| #7 | 0xa9c | Child Process | High (Elevated) | netsh.exe | C:\Windows\system32\netsh.exe advfirewall firewall add rule name="BmhPp0CJ13" dir=out action=block program="C:\Program Files (x86)\Windows Defender\eyes-mali-mistress-winter.exe" | #2 |
| #8 | 0xac8 | Child Process | High (Elevated) | netsh.exe | C:\Windows\system32\netsh.exe advfirewall firewall add rule name="XyHyb1NtXB" dir=out action=block program="C:\Program Files (x86)\Windows Defender\pst-mine.exe" | #2 |
| #9 | 0xbd0 | Child Process | High (Elevated) | mshta.exe | "C:\Windows\SysWOW64\mshta.exe" "C:\Users\hJrD1KOKY DS8lUjv\Desktop\_READ_THIS_FILE_SOESZC_.hta" | #2 |
| #10 | 0xbdc | Child Process | High (Elevated) | notepad.exe | "C:\Windows\system32\NOTEPAD.EXE" C:\Users\hJrD1KOKY DS8lUjv\Desktop\_READ_THIS_FILE_6LJV87LC_.txt | #2 |
| #11 | 0x808 | RPC Server | High (Elevated) | dllhost.exe | C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503} | #2 |
| #12 | 0x8ec | RPC Server | High (Elevated) | dllhost.exe | C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E} | #2 |
| #13 | 0x3ec | RPC Server | System (Elevated) | svchost.exe | C:\Windows\system32\svchost.exe -k LocalService | #9 |
| ID | #1779496 |
| MD5 Hash Value | 037a8be0c33ab5f34c150de153402048 |
| SHA1 Hash Value | 494d86520bd7c1c4553fa4ad0e1c2f06232ec889 |
| SHA256 Hash Value | 199a4a2585c9fc855c5a694df318d153cd74e47fe4b8c667f25a822bfbb22bc6 |
| Filename | 199a4a2585c9fc855c5a694df318d153cd74e47fe4b8c667f25a822bfbb22bc6.exe |
| File Size | 262.37 KB (268666 bytes) |
| File Type | Windows Exe (x86-32) |
| Analyzer Version | 2.1.0 |
| Analyzer Build Date | 2017-04-25 12:09 (UTC+2) |
| Internet Explorer Version | 8.0.7601.17514 |
| Firefox Version | 39.0 |
| VM Name | win7_64_sp1 |
| VM Architecture | x86 64-bit |
| VM OS | Windows 7 |
| VM Kernel Version | 6.1.7601.17514 (3844dbb9-2017-4967-be7a-a4a2c20430fa) |
