Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Overview
overview
10Static
static
3cerber.exe
windows10-2004-x64
10cryptowall.exe
windows10-2004-x64
3jigsaw.exe
windows10-2004-x64
10Locky.exe
windows10-2004-x64
10131.exe
windows10-2004-x64
1Matsnu-MBR...3 .exe
windows10-2004-x64
3027cc450ef...d9.dll
windows10-2004-x64
10027cc450ef...ju.dll
windows10-2004-x64
10myguy.hta
windows10-2004-x64
3svchost.exe
windows10-2004-x64
7Ransomware...oad.sh
windows10-2004-x64
3Ransomware...est.py
windows10-2004-x64
3Ransomware...st2.py
windows10-2004-x64
3Ransomware...rna.py
windows10-2004-x64
3Analysis
-
max time kernel
1325s -
max time network
1160s -
platform
windows10-2004_x64 -
resource
win10v2004-20231127-en -
resource tags
arch:x64arch:x86image:win10v2004-20231127-enlocale:en-usos:windows10-2004-x64system -
submitted
07/12/2023, 15:25 UTC
Static task
static1
Behavioral task
behavioral1
Sample
cerber.exe
Resource
win10v2004-20231130-en
Behavioral task
behavioral2
Sample
cryptowall.exe
Resource
win10v2004-20231127-en
Behavioral task
behavioral3
Sample
jigsaw.exe
Resource
win10v2004-20231127-en
Behavioral task
behavioral4
Sample
Locky.exe
Resource
win10v2004-20231130-en
Behavioral task
behavioral5
Sample
131.exe
Resource
win10v2004-20231127-en
Behavioral task
behavioral6
Sample
Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .exe
Resource
win10v2004-20231127-en
Behavioral task
behavioral7
Sample
027cc450ef5f8c5f653329641ec1fed9.dll
Resource
win10v2004-20231130-en
Behavioral task
behavioral8
Sample
027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745_98STJd8lju.dll
Resource
win10v2004-20231127-en
Behavioral task
behavioral9
Sample
myguy.hta
Resource
win10v2004-20231127-en
Behavioral task
behavioral10
Sample
svchost.exe
Resource
win10v2004-20231130-en
Behavioral task
behavioral11
Sample
Ransomware-master/etc/load.sh
Resource
win10v2004-20231127-en
Behavioral task
behavioral12
Sample
Ransomware-master/test.py
Resource
win10v2004-20231127-en
Behavioral task
behavioral13
Sample
Ransomware-master/test2.py
Resource
win10v2004-20231130-en
Behavioral task
behavioral14
Sample
Ransomware-master/warna.py
Resource
win10v2004-20231130-en
General
-
Target
cryptowall.exe
-
Size
240KB
-
MD5
47363b94cee907e2b8926c1be61150c7
-
SHA1
ca963033b9a285b8cd0044df38146a932c838071
-
SHA256
45317968759d3e37282ceb75149f627d648534c5b4685f6da3966d8f6fca662d
-
SHA512
93dfaafc183360829448887a112dd49c90ec5fe50dcd7c7bbc06c1c8daa206eeea5577f726d906446322c731d0520e93700d5ff9cefd730fba347c72b7325068
-
SSDEEP
3072:xkeyloECBch6ZCGBGSmHJ0y5lj6jdojK7+MGOXpXx8z3Lp7Yoq:xGlnCIwMpj6ijKfxx8z3F0V
Malware Config
Signatures
-
Program crash 1 IoCs
pid pid_target Process procid_target 1416 1956 WerFault.exe 85 -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: 33 1956 cryptowall.exe Token: SeIncBasePriorityPrivilege 1956 cryptowall.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\cryptowall.exe"C:\Users\Admin\AppData\Local\Temp\cryptowall.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1956 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1956 -s 4722⤵
- Program crash
PID:1416
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1956 -ip 19561⤵PID:1392
Network
-
Remote address:8.8.8.8:53Request95.221.229.192.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request158.240.127.40.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request71.121.18.2.in-addr.arpaIN PTRResponse71.121.18.2.in-addr.arpaIN PTRa2-18-121-71deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request9.228.82.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requesttse1.mm.bing.netIN AResponsetse1.mm.bing.netIN CNAMEmm-mm.bing.net.trafficmanager.netmm-mm.bing.net.trafficmanager.netIN CNAMEdual-a-0001.a-msedge.netdual-a-0001.a-msedge.netIN A204.79.197.200dual-a-0001.a-msedge.netIN A13.107.21.200
-
GEThttps://tse1.mm.bing.net/th?id=OADD2.10239317301480_1GLUO11W92SWCVMG3&pid=21.2&w=1080&h=1920&c=4Remote address:204.79.197.200:443RequestGET /th?id=OADD2.10239317301480_1GLUO11W92SWCVMG3&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-length: 149126
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 058B226441004D7680CB80F523AD45F4 Ref B: DUS30EDGE0908 Ref C: 2023-12-07T16:59:11Z
date: Thu, 07 Dec 2023 16:59:11 GMT
-
GEThttps://tse1.mm.bing.net/th?id=OADD2.10239317301325_1YMIRALDGCWA4284D&pid=21.2&w=1920&h=1080&c=4Remote address:204.79.197.200:443RequestGET /th?id=OADD2.10239317301325_1YMIRALDGCWA4284D&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-length: 556472
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: A5CEF571894843D5BA0F263CB41BCB7F Ref B: DUS30EDGE0908 Ref C: 2023-12-07T16:59:11Z
date: Thu, 07 Dec 2023 16:59:11 GMT
-
GEThttps://tse1.mm.bing.net/th?id=OADD2.10239317301047_1S8G2IIVJ6Z2H00N1&pid=21.2&w=1920&h=1080&c=4Remote address:204.79.197.200:443RequestGET /th?id=OADD2.10239317301047_1S8G2IIVJ6Z2H00N1&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-length: 489903
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: D5A1DA681A6244AA955477C7864A9023 Ref B: DUS30EDGE0908 Ref C: 2023-12-07T16:59:11Z
date: Thu, 07 Dec 2023 16:59:11 GMT
-
GEThttps://tse1.mm.bing.net/th?id=OADD2.10239317301734_1HIK8LLAATSP6A8ZA&pid=21.2&w=1080&h=1920&c=4Remote address:204.79.197.200:443RequestGET /th?id=OADD2.10239317301734_1HIK8LLAATSP6A8ZA&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-length: 170119
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 8A214F24B0654D82B2B0EC9611FD7EF2 Ref B: DUS30EDGE0908 Ref C: 2023-12-07T16:59:11Z
date: Thu, 07 Dec 2023 16:59:11 GMT
-
Remote address:8.8.8.8:53Request88.156.103.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request164.113.222.173.in-addr.arpaIN PTRResponse164.113.222.173.in-addr.arpaIN PTRa173-222-113-164deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request200.197.79.204.in-addr.arpaIN PTRResponse200.197.79.204.in-addr.arpaIN PTRa-0001a-msedgenet
-
Remote address:8.8.8.8:53Request2.136.104.51.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request183.59.114.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request18.31.95.13.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request55.36.223.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request44.122.16.96.in-addr.arpaIN PTRResponse44.122.16.96.in-addr.arpaIN PTRa96-16-122-44deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request202.121.18.2.in-addr.arpaIN PTRResponse202.121.18.2.in-addr.arpaIN PTRa2-18-121-202deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request11.227.111.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request13.173.189.20.in-addr.arpaIN PTRResponse
-
1.2kB 8.3kB 16 14
-
1.2kB 8.2kB 16 13
-
204.79.197.200:443https://tse1.mm.bing.net/th?id=OADD2.10239317301734_1HIK8LLAATSP6A8ZA&pid=21.2&w=1080&h=1920&c=4tls, http250.0kB 1.4MB 1032 1029
HTTP Request
GET https://tse1.mm.bing.net/th?id=OADD2.10239317301480_1GLUO11W92SWCVMG3&pid=21.2&w=1080&h=1920&c=4HTTP Request
GET https://tse1.mm.bing.net/th?id=OADD2.10239317301325_1YMIRALDGCWA4284D&pid=21.2&w=1920&h=1080&c=4HTTP Request
GET https://tse1.mm.bing.net/th?id=OADD2.10239317301047_1S8G2IIVJ6Z2H00N1&pid=21.2&w=1920&h=1080&c=4HTTP Request
GET https://tse1.mm.bing.net/th?id=OADD2.10239317301734_1HIK8LLAATSP6A8ZA&pid=21.2&w=1080&h=1920&c=4HTTP Response
200HTTP Response
200HTTP Response
200HTTP Response
200 -
1.2kB 8.2kB 16 13
-
73 B 144 B 1 1
DNS Request
95.221.229.192.in-addr.arpa
-
73 B 147 B 1 1
DNS Request
158.240.127.40.in-addr.arpa
-
70 B 133 B 1 1
DNS Request
71.121.18.2.in-addr.arpa
-
70 B 156 B 1 1
DNS Request
9.228.82.20.in-addr.arpa
-
62 B 173 B 1 1
DNS Request
tse1.mm.bing.net
DNS Response
204.79.197.20013.107.21.200
-
72 B 158 B 1 1
DNS Request
88.156.103.20.in-addr.arpa
-
74 B 141 B 1 1
DNS Request
164.113.222.173.in-addr.arpa
-
73 B 106 B 1 1
DNS Request
200.197.79.204.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
2.136.104.51.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
183.59.114.20.in-addr.arpa
-
70 B 144 B 1 1
DNS Request
18.31.95.13.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
55.36.223.20.in-addr.arpa
-
71 B 135 B 1 1
DNS Request
44.122.16.96.in-addr.arpa
-
71 B 135 B 1 1
DNS Request
202.121.18.2.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
11.227.111.52.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
13.173.189.20.in-addr.arpa