Overview (score 10)

Tasks (sample, platform, score):
- Static analysis: 3
- cerber.exe, windows7-x64: 10
- cerber.exe, windows10-2004-x64: 10
- cryptowall.exe, windows7-x64: 9
- cryptowall.exe, windows10-2004-x64: 3
- jigsaw.exe, windows7-x64: 10
- jigsaw.exe, windows10-2004-x64: 10
- Locky.exe, windows7-x64: 10
- Locky.exe, windows10-2004-x64: 10
- 131.exe, windows7-x64: 1
- 131.exe, windows10-2004-x64: 1
- Matsnu-MBR...3 .exe, windows7-x64: 7
- Matsnu-MBR...3 .exe, windows10-2004-x64: 3
- 027cc450ef...d9.dll, windows7-x64: 10
- 027cc450ef...d9.dll, windows10-2004-x64: 10
- 027cc450ef...ju.dll, windows7-x64: 10
- 027cc450ef...ju.dll, windows10-2004-x64: 10
- myguy.hta, windows7-x64: 10
- myguy.hta, windows10-2004-x64: 10
- svchost.exe, windows7-x64: 7
- svchost.exe, windows10-2004-x64: 7

Resubmissions (submitted, task id, score):
- 21-02-2024 14:33, 240221-rw8hmsha2y, 10
- 21-02-2024 14:31, 240221-rvtm4agh7w, 10
- 21-02-2024 11:52, 240221-n1xedseg6t, 10

Analysis
- max time kernel: 147s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20240221-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240221-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 21-02-2024 14:31
Static task: static1

Behavioral tasks (task, sample, resource):
- behavioral1: cerber.exe, win7-20240215-en
- behavioral2: cerber.exe, win10v2004-20240221-en
- behavioral3: cryptowall.exe, win7-20240220-en
- behavioral4: cryptowall.exe, win10v2004-20240221-en
- behavioral5: jigsaw.exe, win7-20231215-en
- behavioral6: jigsaw.exe, win10v2004-20240220-en
- behavioral7: Locky.exe, win7-20231215-en
- behavioral8: Locky.exe, win10v2004-20240221-en
- behavioral9: 131.exe, win7-20231215-en
- behavioral10: 131.exe, win10v2004-20240221-en
- behavioral11: Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .exe, win7-20231215-en
- behavioral12: Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .exe, win10v2004-20240221-en
- behavioral13: 027cc450ef5f8c5f653329641ec1fed9.dll, win7-20231129-en
- behavioral14: 027cc450ef5f8c5f653329641ec1fed9.dll, win10v2004-20240221-en
- behavioral15: 027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745_98STJd8lju.dll, win7-20240220-en
- behavioral16: 027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745_98STJd8lju.dll, win10v2004-20240221-en
- behavioral17: myguy.hta, win7-20231215-en
- behavioral18: myguy.hta, win10v2004-20240220-en
- behavioral19: svchost.exe, win7-20231215-en
- behavioral20: svchost.exe, win10v2004-20240221-en
General
- Target: cryptowall.exe
- Size: 240KB
- MD5: 47363b94cee907e2b8926c1be61150c7
- SHA1: ca963033b9a285b8cd0044df38146a932c838071
- SHA256: 45317968759d3e37282ceb75149f627d648534c5b4685f6da3966d8f6fca662d
- SHA512: 93dfaafc183360829448887a112dd49c90ec5fe50dcd7c7bbc06c1c8daa206eeea5577f726d906446322c731d0520e93700d5ff9cefd730fba347c72b7325068
- SSDEEP: 3072:xkeyloECBch6ZCGBGSmHJ0y5lj6jdojK7+MGOXpXx8z3Lp7Yoq:xGlnCIwMpj6ijKfxx8z3F0V
Malware Config
Signatures
- Program crash (1 IoC)
  pid 3124 (WerFault.exe), pid_target 3572, procid_target 40
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)
  - Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  pid 2144 msedge.exe (2 entries), pid 2300 msedge.exe (2 entries), pid 4260 identity_helper.exe (2 entries)
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (7 IoCs)
  pid 2300 msedge.exe (7 entries)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  - Token: 33, pid 3572 cryptowall.exe
  - Token: SeIncBasePriorityPrivilege, pid 3572 cryptowall.exe
- Suspicious use of FindShellTrayWindow (26 IoCs)
  pid 2300 msedge.exe (26 entries)
- Suspicious use of SendNotifyMessage (24 IoCs)
  pid 2300 msedge.exe (24 entries)
- Suspicious use of WriteProcessMemory (64 IoCs)
  All 64 entries are PID 2300 (msedge.exe) writing to the memory of its child processes: 3896 (procid_target 97), 5052 (procid_target 98), 2144 (procid_target 99) and 4996 (procid_target 100).
Processes
- C:\Users\Admin\AppData\Local\Temp\cryptowall.exe (PID 3572)
  Command line: "C:\Users\Admin\AppData\Local\Temp\cryptowall.exe"
  Signatures: Suspicious use of AdjustPrivilegeToken
  Child processes:
  - C:\Windows\SysWOW64\WerFault.exe (PID 3124)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3572 -s 476
    Signatures: Program crash
- C:\Windows\SysWOW64\WerFault.exe (PID 3540)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3572 -ip 3572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2300)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
  Signatures:
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  Child processes:
  - msedge.exe, crashpad-handler (PID 3896)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffe0f5346f8,0x7ffe0f534708,0x7ffe0f534718
  - msedge.exe, gpu-process (PID 5052)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,14068403161832008428,1263124737037490356,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2176 /prefetch:2
  - msedge.exe, utility network.mojom.NetworkService (PID 2144)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,14068403161832008428,1263124737037490356,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2372 /prefetch:3
    Signatures: Suspicious behavior: EnumeratesProcesses
  - msedge.exe, utility storage.mojom.StorageService (PID 4996)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2148,14068403161832008428,1263124737037490356,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2640 /prefetch:8
  - msedge.exe, renderer (PID 3644)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,14068403161832008428,1263124737037490356,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3440 /prefetch:1
  - msedge.exe, renderer (PID 2636)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,14068403161832008428,1263124737037490356,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3456 /prefetch:1
  - msedge.exe, renderer (PID 2548)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,14068403161832008428,1263124737037490356,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4536 /prefetch:1
  - msedge.exe, renderer (PID 4048)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,14068403161832008428,1263124737037490356,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3768 /prefetch:1
  - msedge.exe, renderer (PID 4536)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,14068403161832008428,1263124737037490356,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3640 /prefetch:1
  - msedge.exe, renderer (PID 1256)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,14068403161832008428,1263124737037490356,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3868 /prefetch:1
  - msedge.exe, renderer (PID 1636)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,14068403161832008428,1263124737037490356,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4628 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 1724)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,14068403161832008428,1263124737037490356,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4820 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 4260)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,14068403161832008428,1263124737037490356,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4820 /prefetch:8
    Signatures: Suspicious behavior: EnumeratesProcesses
- C:\Windows\System32\CompPkgSrv.exe (PID 1128)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\System32\CompPkgSrv.exe (PID 4500)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Enterprise v15
Downloads