Analysis
- max time kernel: 144s
- max time network: 145s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23-05-2024 10:48
Static task: static1
Behavioral task: behavioral1
- Sample: 2024-05-23_c51de76d4b76551b45b6d17ff98bc5c8_bugat_cryptowall.exe
- Resource: win7-20231129-en
Behavioral task: behavioral2
- Sample: 2024-05-23_c51de76d4b76551b45b6d17ff98bc5c8_bugat_cryptowall.exe
- Resource: win10v2004-20240508-en
General
- Target: 2024-05-23_c51de76d4b76551b45b6d17ff98bc5c8_bugat_cryptowall.exe
- Size: 204KB
- MD5: c51de76d4b76551b45b6d17ff98bc5c8
- SHA1: 7bf11e084fde315d0988ce75da516e65d7f7bb27
- SHA256: b0fb4a362e7c5899bc1e9721f21823e97b15568705e5609161967785c364554b
- SHA512: f5da5e97c9dabca49eb50048ffd1ebdf0f4f2a88d00c4d5d0e5153dfef412ca37bac2c1e1cc12b60ca91943f229775f6f3a8aace9fb917749f16b65b51625421
- SSDEEP: 3072:mm15oSsRuU9Q/gksAgaerqmKz5G8gubkowlFt5vSBZ8gWo9QU4Heea:GR2gkkaerqmKE9oCvsZ8g3+eea
Malware Config
Signatures
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: explorer.exe
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\b11730a = "C:\\Users\\Admin\\AppData\\Roaming\\b11730a\\df987aa2.exe"
  process: explorer.exe
- Suspicious behavior: MapViewOfSection (2 IoCs)
  Processes: 2024-05-23_c51de76d4b76551b45b6d17ff98bc5c8_bugat_cryptowall.exe, explorer.exe
  pid 996: 2024-05-23_c51de76d4b76551b45b6d17ff98bc5c8_bugat_cryptowall.exe
  pid 4660: explorer.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes: vssvc.exe
  Token: SeBackupPrivilege, pid 2996, vssvc.exe
  Token: SeRestorePrivilege, pid 2996, vssvc.exe
  Token: SeAuditPrivilege, pid 2996, vssvc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: 2024-05-23_c51de76d4b76551b45b6d17ff98bc5c8_bugat_cryptowall.exe, explorer.exe
  PID 996 wrote to memory of 4660: 2024-05-23_c51de76d4b76551b45b6d17ff98bc5c8_bugat_cryptowall.exe -> explorer.exe
  PID 996 wrote to memory of 4660: 2024-05-23_c51de76d4b76551b45b6d17ff98bc5c8_bugat_cryptowall.exe -> explorer.exe
  PID 996 wrote to memory of 4660: 2024-05-23_c51de76d4b76551b45b6d17ff98bc5c8_bugat_cryptowall.exe -> explorer.exe
  PID 4660 wrote to memory of 5040: explorer.exe -> svchost.exe
  PID 4660 wrote to memory of 5040: explorer.exe -> svchost.exe
  PID 4660 wrote to memory of 5040: explorer.exe -> svchost.exe
- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Users\Admin\AppData\Local\Temp\2024-05-23_c51de76d4b76551b45b6d17ff98bc5c8_bugat_cryptowall.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\2024-05-23_c51de76d4b76551b45b6d17ff98bc5c8_bugat_cryptowall.exe"
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\explorer.exe (child of the sample)
    command line: "C:\Windows\syswow64\explorer.exe"
    - Adds Run key to start application
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\svchost.exe (child of explorer.exe)
      command line: -k netsvcs
- C:\Windows\system32\vssvc.exe
  command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken