Cerber Ransomware | VTI by Score
VTI Information
VTI Score
91 / 100
VTI Database Version: 2.5
VTI Rule Match Count: 14
VTI Rule Type: Default (PE, ...)
Detected Threats
File System: Rename user files
Renames multiple user files. This is an indicator of an encryption attempt.
Anti Analysis: Illegitimate API usage
Internal API "CreateProcessInternalA" was used to start "C:\Windows\system32\netsh.exe advfirewall set allprofiles state on".
Process: Allocate a page with write and execute permissions
Change the protection of a page from writable ("PAGE_READWRITE") to executable ("PAGE_EXECUTE_READWRITE").
Allocate a page in a foreign process with "PAGE_EXECUTE_READWRITE" permissions, often used to dynamically unpack code.
Process: Create process with hidden window
The process "C:\Users\hJrD1KOKY DS8lUjv\Desktop\199a4a2585c9fc855c5a694df318d153cd74e47fe4b8c667f25a822bfbb22bc6.exe" starts with a hidden window.
The process "C:\Windows\system32\netsh.exe advfirewall set allprofiles state on" starts with a hidden window.
Process: Read from memory of another process
"c:\users\hjrd1koky ds8lujv\desktop\199a4a2585c9fc855c5a694df318d153cd74e47fe4b8c667f25a822bfbb22bc6.exe" reads from "C:\Users\hJrD1KOKY DS8lUjv\Desktop\199a4a2585c9fc855c5a694df318d153cd74e47fe4b8c667f25a822bfbb22bc6.exe".
Process: Create system object
Create mutex with name "shell.{0835FA03-68AC-09B6-0CE4-703246A746AB}".
Create mutex with name "Local\!PrivacIE!SharedMemory!Mutex".
Anti Analysis: Dynamic API usage
Resolves an above-average number of APIs at runtime.
Injection: Write into memory of a process running from a created or modified executable
"c:\users\hjrd1koky ds8lujv\desktop\199a4a2585c9fc855c5a694df318d153cd74e47fe4b8c667f25a822bfbb22bc6.exe" modifies memory of "c:\users\hjrd1koky ds8lujv\desktop\199a4a2585c9fc855c5a694df318d153cd74e47fe4b8c667f25a822bfbb22bc6.exe".
Injection: Modify control flow of a process running from a created or modified executable
"c:\users\hjrd1koky ds8lujv\desktop\199a4a2585c9fc855c5a694df318d153cd74e47fe4b8c667f25a822bfbb22bc6.exe" alters context of "c:\users\hjrd1koky ds8lujv\desktop\199a4a2585c9fc855c5a694df318d153cd74e47fe4b8c667f25a822bfbb22bc6.exe".
PE: Drop PE file
Drop file "c:\users\hjrd1k~1\appdata\local\temp\nsx1ae1.tmp\system.dll".
Drop file "c:\users\hjrd1k~1\appdata\local\temp\underglaze.dll".
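The indicators above are all behavioural rules evaluated over the sample's recorded API calls. The block below is an added example, not VMRay's VTI engine and not code from the Cerber sample: a small rule pass over a constructed API trace that reproduces the logic behind several of the matched rules (user-file rename burst, PAGE_READWRITE to PAGE_EXECUTE_READWRITE protection change, RWX allocation in a foreign process, process creation through CreateProcessInternal* and with a hidden window, and write-then-set-context into another process). The pipe-separated trace format, the sample lines, the process IDs and the mapping of the report's wording to specific Win32 APIs (VirtualProtect, VirtualAllocEx, WriteProcessMemory, SetThreadContext) are assumptions made for this example; the report's numeric scoring is not reproduced.

```python
"""Toy behaviour-rule pass over a constructed API trace (added example,
not VMRay's engine and not code from the analysed sample)."""
import ntpath
from collections import defaultdict

RENAME_THRESHOLD = 3       # distinct user files one process must rename to be flagged
USER_ROOT = "\\users\\"    # paths under the user profile count as "user files"

# Constructed trace: one call per line as pid|api|arg1|arg2|...
# pid 1000 mimics the report's behaviour; pid 3000 is benign-looking noise.
TRACE = r"""
1000|MoveFileExW|C:\Users\alice\Documents\q1.xlsx|C:\Users\alice\Documents\8xk3m2.locked
1000|MoveFileExW|C:\Users\alice\Pictures\cat.jpg|C:\Users\alice\Pictures\pz91aa.locked
1000|MoveFileExW|C:\Users\alice\Desktop\notes.txt|C:\Users\alice\Desktop\77hhq0.locked
1000|VirtualProtect|0x00400000|0x1000|PAGE_READWRITE|PAGE_EXECUTE_READWRITE
1000|CreateProcessInternalW|C:\Windows\system32\netsh.exe advfirewall set allprofiles state on|SW_HIDE
1000|VirtualAllocEx|2000|0x10000|PAGE_EXECUTE_READWRITE
1000|WriteProcessMemory|2000|0x00010000|0x800
1000|SetThreadContext|2000|0x00010000
3000|MoveFileExW|C:\Users\alice\Downloads\setup.tmp|C:\Users\alice\Downloads\setup.exe
3000|VirtualAlloc|0x00500000|0x1000|PAGE_EXECUTE_READWRITE
"""


def parse(trace_text):
    """Yield (pid, api, args) for every non-empty trace line."""
    for line in trace_text.splitlines():
        line = line.strip()
        if not line:
            continue
        pid, api, *args = line.split("|")
        yield int(pid), api, args


def is_user_file_rename(src, dst):
    """True when a file under a user profile is renamed to a different extension.
    ntpath is used so Windows paths split correctly on any host."""
    src_l, dst_l = src.lower(), dst.lower()
    return USER_ROOT in src_l and ntpath.splitext(src_l)[1] != ntpath.splitext(dst_l)[1]


def analyze(trace_text):
    """Return {pid: sorted rule names} for every process that matched a rule."""
    findings = defaultdict(set)
    renames = defaultdict(set)         # pid -> source paths it renamed
    foreign_writes = defaultdict(set)  # pid -> target pids it wrote into
    for pid, api, args in parse(trace_text):
        if api in ("MoveFileExW", "MoveFileW") and len(args) >= 2:
            if is_user_file_rename(args[0], args[1]):
                renames[pid].add(args[0].lower())
        elif api == "VirtualProtect" and len(args) >= 4:
            # writable page made executable: classic unpacking / shellcode staging
            if args[2] == "PAGE_READWRITE" and args[3] == "PAGE_EXECUTE_READWRITE":
                findings[pid].add("rw_to_rwx_protect")
        elif api == "VirtualAllocEx" and len(args) >= 3:
            # RWX memory in another process is the usual prelude to injection
            if int(args[0]) != pid and args[2] == "PAGE_EXECUTE_READWRITE":
                findings[pid].add("foreign_rwx_alloc")
        elif api.startswith("CreateProcess"):
            if api.startswith("CreateProcessInternal"):
                findings[pid].add("internal_api_process_create")
            if "SW_HIDE" in args[1:]:
                findings[pid].add("hidden_window_process")
        elif api == "WriteProcessMemory" and args:
            foreign_writes[pid].add(int(args[0]))
        elif api == "SetThreadContext" and args:
            # memory written into a target and then its thread context changed
            if int(args[0]) in foreign_writes[pid]:
                findings[pid].add("write_then_set_context")
    for pid, paths in renames.items():
        if len(paths) >= RENAME_THRESHOLD:
            findings[pid].add("user_file_rename_burst")
    return {pid: sorted(rules) for pid, rules in sorted(findings.items())}


if __name__ == "__main__":
    for pid, rules in analyze(TRACE).items():
        print(pid, ", ".join(rules))
```

Only pid 1000 is flagged: the single rename by pid 3000 stays under the threshold, and its own-process RWX allocation is deliberately left as a weaker, unscored signal, since JITs and packers in legitimate software do the same. The rename rule keys on extension change under the user profile rather than on a specific ransomware extension, which is what makes it catch a family regardless of the suffix it appends.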