Overview
overview
10Static
static
3cerber.exe
windows7-x64
10cryptowall.exe
windows7-x64
9jigsaw.exe
windows7-x64
10Locky.exe
windows7-x64
10131.exe
windows7-x64
1Matsnu-MBR...3 .exe
windows7-x64
7027cc450ef...d9.dll
windows7-x64
10027cc450ef...ju.dll
windows7-x64
10myguy.hta
windows7-x64
10svchost.exe
windows7-x64
7Resubmissions
05-08-2024 22:23
240805-2ba2rathle 1027-04-2024 00:38
240427-ay3xhafc53 1020-04-2024 05:28
240420-f6ht7aad5w 10Analysis
-
max time kernel
131s -
max time network
141s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
27-04-2024 00:38
Static task
static1
Behavioral task
behavioral1
Sample
cerber.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
cryptowall.exe
Resource
win7-20240221-en
Behavioral task
behavioral3
Sample
jigsaw.exe
Resource
win7-20240419-en
Behavioral task
behavioral4
Sample
Locky.exe
Resource
win7-20240220-en
Behavioral task
behavioral5
Sample
131.exe
Resource
win7-20231129-en
Behavioral task
behavioral6
Sample
Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .exe
Resource
win7-20240221-en
Behavioral task
behavioral7
Sample
027cc450ef5f8c5f653329641ec1fed9.dll
Resource
win7-20240215-en
Behavioral task
behavioral8
Sample
027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745_98STJd8lju.dll
Resource
win7-20240220-en
Behavioral task
behavioral9
Sample
myguy.hta
Resource
win7-20240221-en
Behavioral task
behavioral10
Sample
svchost.exe
Resource
win7-20240221-en
General
-
Target
cryptowall.exe
-
Size
240KB
-
MD5
47363b94cee907e2b8926c1be61150c7
-
SHA1
ca963033b9a285b8cd0044df38146a932c838071
-
SHA256
45317968759d3e37282ceb75149f627d648534c5b4685f6da3966d8f6fca662d
-
SHA512
93dfaafc183360829448887a112dd49c90ec5fe50dcd7c7bbc06c1c8daa206eeea5577f726d906446322c731d0520e93700d5ff9cefd730fba347c72b7325068
-
SSDEEP
3072:xkeyloECBch6ZCGBGSmHJ0y5lj6jdojK7+MGOXpXx8z3Lp7Yoq:xGlnCIwMpj6ijKfxx8z3F0V
Malware Config
Signatures
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Drops startup file 1 IoCs
Processes:
explorer.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\53328312.exe explorer.exe -
Adds Run key to start application 2 TTPs 4 IoCs
Processes:
explorer.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\5332831 = "C:\\53328312\\53328312.exe" explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\*332831 = "C:\\53328312\\53328312.exe" explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\53328312 = "C:\\Users\\Admin\\AppData\\Roaming\\53328312.exe" explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\*3328312 = "C:\\Users\\Admin\\AppData\\Roaming\\53328312.exe" explorer.exe -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 3 ip-addr.es 5 myexternalip.com -
Suspicious use of SetThreadContext 1 IoCs
Processes:
cryptowall.exedescription pid process target process PID 2276 set thread context of 1656 2276 cryptowall.exe cryptowall.exe -
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exepid process 2620 vssadmin.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
cryptowall.exepid process 2276 cryptowall.exe 2276 cryptowall.exe -
Suspicious behavior: MapViewOfSection 2 IoCs
Processes:
cryptowall.exeexplorer.exepid process 1656 cryptowall.exe 2488 explorer.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
cryptowall.exevssvc.exedescription pid process Token: 33 2276 cryptowall.exe Token: SeIncBasePriorityPrivilege 2276 cryptowall.exe Token: SeBackupPrivilege 2028 vssvc.exe Token: SeRestorePrivilege 2028 vssvc.exe Token: SeAuditPrivilege 2028 vssvc.exe -
Suspicious use of WriteProcessMemory 22 IoCs
Processes:
cryptowall.execryptowall.exeexplorer.exedescription pid process target process PID 2276 wrote to memory of 1656 2276 cryptowall.exe cryptowall.exe PID 2276 wrote to memory of 1656 2276 cryptowall.exe cryptowall.exe PID 2276 wrote to memory of 1656 2276 cryptowall.exe cryptowall.exe PID 2276 wrote to memory of 1656 2276 cryptowall.exe cryptowall.exe PID 2276 wrote to memory of 1656 2276 cryptowall.exe cryptowall.exe PID 2276 wrote to memory of 1656 2276 cryptowall.exe cryptowall.exe PID 2276 wrote to memory of 1656 2276 cryptowall.exe cryptowall.exe PID 2276 wrote to memory of 1656 2276 cryptowall.exe cryptowall.exe PID 2276 wrote to memory of 1656 2276 cryptowall.exe cryptowall.exe PID 2276 wrote to memory of 1656 2276 cryptowall.exe cryptowall.exe PID 1656 wrote to memory of 2488 1656 cryptowall.exe explorer.exe PID 1656 wrote to memory of 2488 1656 cryptowall.exe explorer.exe PID 1656 wrote to memory of 2488 1656 cryptowall.exe explorer.exe PID 1656 wrote to memory of 2488 1656 cryptowall.exe explorer.exe PID 2488 wrote to memory of 2584 2488 explorer.exe svchost.exe PID 2488 wrote to memory of 2584 2488 explorer.exe svchost.exe PID 2488 wrote to memory of 2584 2488 explorer.exe svchost.exe PID 2488 wrote to memory of 2584 2488 explorer.exe svchost.exe PID 2488 wrote to memory of 2620 2488 explorer.exe vssadmin.exe PID 2488 wrote to memory of 2620 2488 explorer.exe vssadmin.exe PID 2488 wrote to memory of 2620 2488 explorer.exe vssadmin.exe PID 2488 wrote to memory of 2620 2488 explorer.exe vssadmin.exe -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\cryptowall.exe"C:\Users\Admin\AppData\Local\Temp\cryptowall.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2276 -
C:\Users\Admin\AppData\Local\Temp\cryptowall.exe"C:\Users\Admin\AppData\Local\Temp\cryptowall.exe"2⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1656 -
C:\Windows\syswow64\explorer.exe"C:\Windows\syswow64\explorer.exe"3⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2488 -
C:\Windows\syswow64\svchost.exe-k netsvcs4⤵PID:2584
-
C:\Windows\syswow64\vssadmin.exevssadmin.exe Delete Shadows /All /Quiet4⤵
- Interacts with shadow copies
PID:2620
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2028