b0fb4a362e7c5899bc1e9721f21823e97b15568705e5609161967785c364554b

Analysis

max time kernel
144s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 10:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-23_c51de76d4b76551b45b6d17ff98bc5c8_bugat_cryptowall.exe
Size

204KB
MD5

c51de76d4b76551b45b6d17ff98bc5c8
SHA1

7bf11e084fde315d0988ce75da516e65d7f7bb27
SHA256

b0fb4a362e7c5899bc1e9721f21823e97b15568705e5609161967785c364554b
SHA512

f5da5e97c9dabca49eb50048ffd1ebdf0f4f2a88d00c4d5d0e5153dfef412ca37bac2c1e1cc12b60ca91943f229775f6f3a8aace9fb917749f16b65b51625421
SSDEEP

3072:mm15oSsRuU9Q/gksAgaerqmKz5G8gubkowlFt5vSBZ8gWo9QU4Heea:GR2gkkaerqmKE9oCvsZ8g3+eea

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\b11730a = "C:\\Users\\Admin\\AppData\\Roaming\\b11730a\\df987aa2.exe"	explorer.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

2024-05-23_c51de76d4b76551b45b6d17ff98bc5c8_bugat_cryptowall.exeexplorer.exe

pid process

996 2024-05-23_c51de76d4b76551b45b6d17ff98bc5c8_bugat_cryptowall.exe
4660 explorer.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 2996 vssvc.exe
Token: SeRestorePrivilege 2996 vssvc.exe
Token: SeAuditPrivilege 2996 vssvc.exe

pid	process
996	2024-05-23_c51de76d4b76551b45b6d17ff98bc5c8_bugat_cryptowall.exe
4660	explorer.exe

description	pid	process
Token: SeBackupPrivilege	2996	vssvc.exe
Token: SeRestorePrivilege	2996	vssvc.exe
Token: SeAuditPrivilege	2996	vssvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

2024-05-23_c51de76d4b76551b45b6d17ff98bc5c8_bugat_cryptowall.exeexplorer.exe

description	pid	process	target process
PID 996 wrote to memory of 4660	996	2024-05-23_c51de76d4b76551b45b6d17ff98bc5c8_bugat_cryptowall.exe	explorer.exe
PID 996 wrote to memory of 4660	996	2024-05-23_c51de76d4b76551b45b6d17ff98bc5c8_bugat_cryptowall.exe	explorer.exe
PID 996 wrote to memory of 4660	996	2024-05-23_c51de76d4b76551b45b6d17ff98bc5c8_bugat_cryptowall.exe	explorer.exe
PID 4660 wrote to memory of 5040	4660	explorer.exe	svchost.exe
PID 4660 wrote to memory of 5040	4660	explorer.exe	svchost.exe
PID 4660 wrote to memory of 5040	4660	explorer.exe	svchost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-23_c51de76d4b76551b45b6d17ff98bc5c8_bugat_cryptowall.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-23_c51de76d4b76551b45b6d17ff98bc5c8_bugat_cryptowall.exe"
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:996

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\syswow64\explorer.exe"
2⤵
- Adds Run key to start application
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4660

C:\Windows\SysWOW64\svchost.exe
-k netsvcs
3⤵
PID:5040

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2996

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4660-0-0x0000000000AF0000-0x0000000000B23000-memory.dmp

Filesize
204KB

Download
memory/5040-2-0x0000000000B10000-0x0000000000B43000-memory.dmp

Filesize
204KB

Download
memory/5040-9-0x0000000000B10000-0x0000000000B43000-memory.dmp

Filesize
204KB

Download