Overview
overview
10Static
static
3cerber.exe
windows10-2004-x64
10cryptowall.exe
windows10-2004-x64
3jigsaw.exe
windows10-2004-x64
10Locky.exe
windows10-2004-x64
10131.exe
windows10-2004-x64
1Matsnu-MBR...3 .exe
windows10-2004-x64
3027cc450ef...d9.dll
windows10-2004-x64
10027cc450ef...ju.dll
windows10-2004-x64
10myguy.hta
windows10-2004-x64
3svchost.exe
windows10-2004-x64
7Ransomware...oad.sh
windows10-2004-x64
3Ransomware...est.py
windows10-2004-x64
3Ransomware...st2.py
windows10-2004-x64
3Ransomware...rna.py
windows10-2004-x64
3Analysis
-
max time kernel
1325s -
max time network
1160s -
platform
windows10-2004_x64 -
resource
win10v2004-20231127-en -
resource tags
arch:x64arch:x86image:win10v2004-20231127-enlocale:en-usos:windows10-2004-x64system -
submitted
07-12-2023 15:25
Static task
static1
Behavioral task
behavioral1
Sample
cerber.exe
Resource
win10v2004-20231130-en
Behavioral task
behavioral2
Sample
cryptowall.exe
Resource
win10v2004-20231127-en
Behavioral task
behavioral3
Sample
jigsaw.exe
Resource
win10v2004-20231127-en
Behavioral task
behavioral4
Sample
Locky.exe
Resource
win10v2004-20231130-en
Behavioral task
behavioral5
Sample
131.exe
Resource
win10v2004-20231127-en
Behavioral task
behavioral6
Sample
Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .exe
Resource
win10v2004-20231127-en
Behavioral task
behavioral7
Sample
027cc450ef5f8c5f653329641ec1fed9.dll
Resource
win10v2004-20231130-en
Behavioral task
behavioral8
Sample
027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745_98STJd8lju.dll
Resource
win10v2004-20231127-en
Behavioral task
behavioral9
Sample
myguy.hta
Resource
win10v2004-20231127-en
Behavioral task
behavioral10
Sample
svchost.exe
Resource
win10v2004-20231130-en
Behavioral task
behavioral11
Sample
Ransomware-master/etc/load.sh
Resource
win10v2004-20231127-en
Behavioral task
behavioral12
Sample
Ransomware-master/test.py
Resource
win10v2004-20231127-en
Behavioral task
behavioral13
Sample
Ransomware-master/test2.py
Resource
win10v2004-20231130-en
Behavioral task
behavioral14
Sample
Ransomware-master/warna.py
Resource
win10v2004-20231130-en
General
-
Target
cryptowall.exe
-
Size
240KB
-
MD5
47363b94cee907e2b8926c1be61150c7
-
SHA1
ca963033b9a285b8cd0044df38146a932c838071
-
SHA256
45317968759d3e37282ceb75149f627d648534c5b4685f6da3966d8f6fca662d
-
SHA512
93dfaafc183360829448887a112dd49c90ec5fe50dcd7c7bbc06c1c8daa206eeea5577f726d906446322c731d0520e93700d5ff9cefd730fba347c72b7325068
-
SSDEEP
3072:xkeyloECBch6ZCGBGSmHJ0y5lj6jdojK7+MGOXpXx8z3Lp7Yoq:xGlnCIwMpj6ijKfxx8z3F0V
Malware Config
Signatures
-
Program crash 1 IoCs
pid pid_target Process procid_target 1416 1956 WerFault.exe 85 -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: 33 1956 cryptowall.exe Token: SeIncBasePriorityPrivilege 1956 cryptowall.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\cryptowall.exe"C:\Users\Admin\AppData\Local\Temp\cryptowall.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1956 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1956 -s 4722⤵
- Program crash
PID:1416
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1956 -ip 19561⤵PID:1392