Cerber Ransomware | VTI by Category
VTI Information
VTI Score: 91 / 100
VTI Database Version: 2.5
VTI Rule Match Count: 14
VTI Rule Type: Default (PE, ...)
Detected Threats

Anti Analysis
  Illegitimate API usage
    Internal API "CreateProcessInternalA" was used to start "C:\Windows\system32\netsh.exe advfirewall set allprofiles state on".
  Dynamic API usage
    Resolve above average number of APIs.

File System
  Rename user files
    Rename multiple user files. This is an indicator for an encryption attempt.

Injection
  Write into memory of a process running from a created or modified executable
    "c:\users\hjrd1koky ds8lujv\desktop\199a4a2585c9fc855c5a694df318d153cd74e47fe4b8c667f25a822bfbb22bc6.exe" modifies memory of "c:\users\hjrd1koky ds8lujv\desktop\199a4a2585c9fc855c5a694df318d153cd74e47fe4b8c667f25a822bfbb22bc6.exe"
  Modify control flow of a process running from a created or modified executable
    "c:\users\hjrd1koky ds8lujv\desktop\199a4a2585c9fc855c5a694df318d153cd74e47fe4b8c667f25a822bfbb22bc6.exe" alters context of "c:\users\hjrd1koky ds8lujv\desktop\199a4a2585c9fc855c5a694df318d153cd74e47fe4b8c667f25a822bfbb22bc6.exe"

PE
  Drop PE file
    Drop file "c:\users\hjrd1k~1\appdata\local\temp\nsx1ae1.tmp\system.dll".
    Drop file "c:\users\hjrd1k~1\appdata\local\temp\underglaze.dll".

Process
  Allocate a page with write and execute permissions
    Change the protection of a page from writable ("PAGE_READWRITE") to executable ("PAGE_EXECUTE_READWRITE").
    Allocate a page in a foreign process with "PAGE_EXECUTE_READWRITE" permissions, often used to dynamically unpack code.
  Create process with hidden window
    The process ""C:\Users\hJrD1KOKY DS8lUjv\Desktop\199a4a2585c9fc855c5a694df318d153cd74e47fe4b8c667f25a822bfbb22bc6.exe" " starts with hidden window.
    The process "C:\Windows\system32\netsh.exe advfirewall set allprofiles state on" starts with hidden window.
  Read from memory of another process
    "c:\users\hjrd1koky ds8lujv\desktop\199a4a2585c9fc855c5a694df318d153cd74e47fe4b8c667f25a822bfbb22bc6.exe" reads from ""C:\Users\hJrD1KOKY DS8lUjv\Desktop\199a4a2585c9fc855c5a694df318d153cd74e47fe4b8c667f25a822bfbb22bc6.exe" ".
  Create system object
    Create mutex with name "shell.{0835FA03-68AC-09B6-0CE4-703246A746AB}".
    Create mutex with name "Local\!PrivacIE!SharedMemory!Mutex".

Categories with no rule matches: Browser, Device, Hide Tracks, Information Stealing, Kernel, Masquerade, Network, OS, Persistence, VBA Macro, YARA