Resubmissions
01-03-2024 20:38
240301-ze5pesdb79 301-03-2024 20:03
240301-ysybtsce5x 301-03-2024 18:44
240301-xdmfcabg67 301-03-2024 17:56
240301-wjhhxabb92 10Analysis
-
max time kernel
133s -
max time network
146s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
01-03-2024 17:56
General
-
Target
cryptowall.exe
-
Size
240KB
-
MD5
47363b94cee907e2b8926c1be61150c7
-
SHA1
ca963033b9a285b8cd0044df38146a932c838071
-
SHA256
45317968759d3e37282ceb75149f627d648534c5b4685f6da3966d8f6fca662d
-
SHA512
93dfaafc183360829448887a112dd49c90ec5fe50dcd7c7bbc06c1c8daa206eeea5577f726d906446322c731d0520e93700d5ff9cefd730fba347c72b7325068
-
SSDEEP
3072:xkeyloECBch6ZCGBGSmHJ0y5lj6jdojK7+MGOXpXx8z3Lp7Yoq:xGlnCIwMpj6ijKfxx8z3F0V
Malware Config
Signatures
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Drops startup file 1 IoCs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 1 IoCs
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious behavior: MapViewOfSection 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of WriteProcessMemory 22 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\cryptowall.exe"C:\Users\Admin\AppData\Local\Temp\cryptowall.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\cryptowall.exe"C:\Users\Admin\AppData\Local\Temp\cryptowall.exe"2⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\syswow64\explorer.exe"C:\Windows\syswow64\explorer.exe"3⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\syswow64\svchost.exe-k netsvcs4⤵
-
C:\Windows\syswow64\vssadmin.exevssadmin.exe Delete Shadows /All /Quiet4⤵
- Interacts with shadow copies
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/2128-1-0x00000000001C0000-0x00000000001D6000-memory.dmpFilesize
88KB
-
memory/2512-23-0x00000000000E0000-0x0000000000105000-memory.dmpFilesize
148KB
-
memory/2512-22-0x00000000000E0000-0x0000000000105000-memory.dmpFilesize
148KB
-
memory/2512-25-0x00000000000E0000-0x0000000000105000-memory.dmpFilesize
148KB
-
memory/2516-18-0x0000000000370000-0x0000000000395000-memory.dmpFilesize
148KB
-
memory/2516-15-0x0000000000370000-0x0000000000395000-memory.dmpFilesize
148KB
-
memory/2952-13-0x0000000000400000-0x0000000000425000-memory.dmpFilesize
148KB
-
memory/2952-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmpFilesize
4KB
-
memory/2952-9-0x0000000000400000-0x0000000000425000-memory.dmpFilesize
148KB
-
memory/2952-7-0x0000000000400000-0x0000000000425000-memory.dmpFilesize
148KB
-
memory/2952-5-0x0000000000400000-0x0000000000425000-memory.dmpFilesize
148KB
-
memory/2952-3-0x0000000000400000-0x0000000000425000-memory.dmpFilesize
148KB
-
memory/2952-14-0x0000000000400000-0x0000000000425000-memory.dmpFilesize
148KB
-
memory/2952-0-0x0000000000400000-0x0000000000425000-memory.dmpFilesize
148KB
-
memory/2952-16-0x0000000000400000-0x0000000000425000-memory.dmpFilesize
148KB