Overview
overview
10Static
static
7Documents/...er.exe
windows7-x64
10Documents/...er.exe
windows10-2004-x64
10Documents/...ll.exe
windows7-x64
9Documents/...ll.exe
windows10-2004-x64
3Documents/...aw.exe
windows7-x64
10Documents/...aw.exe
windows10-2004-x64
10Documents/...ky.exe
windows7-x64
1Documents/...ky.exe
windows10-2004-x64
1Documents/...31.exe
windows7-x64
1Documents/...31.exe
windows10-2004-x64
1Documents/...3 .exe
windows7-x64
7Documents/...3 .exe
windows10-2004-x64
3Documents/...d9.dll
windows7-x64
10Documents/...d9.dll
windows10-2004-x64
10027cc450ef...ju.dll
windows7-x64
10027cc450ef...ju.dll
windows10-2004-x64
10ee29b9c013...bc6.js
windows7-x64
3ee29b9c013...bc6.js
windows10-2004-x64
3fe2e5d0543...L9.rtf
windows7-x64
1fe2e5d0543...L9.rtf
windows10-2004-x64
1Documents/...uy.hta
windows7-x64
10Documents/...uy.hta
windows10-2004-x64
10Documents/...st.exe
windows7-x64
7Documents/...st.exe
windows10-2004-x64
7Documents/...39.exe
windows7-x64
6Documents/...39.exe
windows10-2004-x64
Documents/...5c.exe
windows7-x64
6Documents/...5c.exe
windows10-2004-x64
6Documents/...00.exe
windows7-x64
7Documents/...00.exe
windows10-2004-x64
7Supplement...16.scr
windows7-x64
3Supplement...16.scr
windows10-2004-x64
3Resubmissions
22-08-2024 18:43
240822-xc563asamh 1021-08-2024 17:16
240821-vtjnaathnq 1030-06-2024 00:59
240630-bcjr6svbkk 1020-06-2024 02:02
240620-cf43ysxbnk 1020-06-2024 01:44
240620-b5v1xawemk 1019-06-2024 01:10
240619-bjmseavfmp 1018-06-2024 20:40
240618-zfwsxawdpa 1018-06-2024 13:45
240618-q2vcjawdle 10Analysis
-
max time kernel
23s -
max time network
28s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system -
submitted
20-06-2024 02:02
Behavioral task
behavioral1
Sample
Documents/Ransomware.Cerber/cerber.exe
Resource
win7-20240611-en
Behavioral task
behavioral2
Sample
Documents/Ransomware.Cerber/cerber.exe
Resource
win10v2004-20240611-en
Behavioral task
behavioral3
Sample
Documents/Ransomware.Cryptowall/cryptowall.exe
Resource
win7-20231129-en
Behavioral task
behavioral4
Sample
Documents/Ransomware.Cryptowall/cryptowall.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral5
Sample
Documents/Ransomware.Jigsaw/jigsaw.exe
Resource
win7-20240508-en
Behavioral task
behavioral6
Sample
Documents/Ransomware.Jigsaw/jigsaw.exe
Resource
win10v2004-20240611-en
Behavioral task
behavioral7
Sample
Documents/Ransomware.Locky/Locky.exe
Resource
win7-20240220-en
Behavioral task
behavioral8
Sample
Documents/Ransomware.Locky/Locky.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral9
Sample
Documents/Ransomware.Mamba/131.exe
Resource
win7-20240508-en
Behavioral task
behavioral10
Sample
Documents/Ransomware.Mamba/131.exe
Resource
win10v2004-20240611-en
Behavioral task
behavioral11
Sample
Documents/Ransomware.Matsnu/Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .exe
Resource
win7-20240508-en
Behavioral task
behavioral12
Sample
Documents/Ransomware.Matsnu/Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .exe
Resource
win10v2004-20240611-en
Behavioral task
behavioral13
Sample
Documents/Ransomware.Petrwrap/Ransomware.Petrwrap/027cc450ef5f8c5f653329641ec1fed9.dll
Resource
win7-20240419-en
Behavioral task
behavioral14
Sample
Documents/Ransomware.Petrwrap/Ransomware.Petrwrap/027cc450ef5f8c5f653329641ec1fed9.dll
Resource
win10v2004-20240226-en
Behavioral task
behavioral15
Sample
027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745_98STJd8lju.dll
Resource
win7-20240611-en
Behavioral task
behavioral16
Sample
027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745_98STJd8lju.dll
Resource
win10v2004-20240611-en
Behavioral task
behavioral17
Sample
ee29b9c01318a1e23836b949942db14d4811246fdae2f41df9f0dcd922c63bc6.js
Resource
win7-20240508-en
Behavioral task
behavioral18
Sample
ee29b9c01318a1e23836b949942db14d4811246fdae2f41df9f0dcd922c63bc6.js
Resource
win10v2004-20240611-en
Behavioral task
behavioral19
Sample
fe2e5d0543b4c8769e401ec216d78a5a3547dfd426fd47e097df04a5f7d6d206_OFkNP1kKL9.rtf
Resource
win7-20240611-en
Behavioral task
behavioral20
Sample
fe2e5d0543b4c8769e401ec216d78a5a3547dfd426fd47e097df04a5f7d6d206_OFkNP1kKL9.rtf
Resource
win10v2004-20240508-en
Behavioral task
behavioral21
Sample
Documents/Ransomware.Petrwrap/Ransomware.Petrwrap/myguy.hta
Resource
win7-20240221-en
Behavioral task
behavioral22
Sample
Documents/Ransomware.Petrwrap/Ransomware.Petrwrap/myguy.hta
Resource
win10v2004-20240508-en
Behavioral task
behavioral23
Sample
Documents/Ransomware.Petrwrap/Ransomware.Petrwrap/svchost.exe
Resource
win7-20240220-en
Behavioral task
behavioral24
Sample
Documents/Ransomware.Petrwrap/Ransomware.Petrwrap/svchost.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral25
Sample
Documents/Ransomware.Petya/Ransomware.Petya/26b4699a7b9eeb16e76305d843d4ab05e94d43f3201436927e13b3ebafa90739.exe
Resource
win7-20240419-en
Behavioral task
behavioral26
Sample
Documents/Ransomware.Petya/Ransomware.Petya/26b4699a7b9eeb16e76305d843d4ab05e94d43f3201436927e13b3ebafa90739.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral27
Sample
Documents/Ransomware.Petya/Ransomware.Petya/4c1dc737915d76b7ce579abddaba74ead6fdb5b519a1ea45308b8c49b950655c.exe
Resource
win7-20240221-en
Behavioral task
behavioral28
Sample
Documents/Ransomware.Petya/Ransomware.Petya/4c1dc737915d76b7ce579abddaba74ead6fdb5b519a1ea45308b8c49b950655c.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral29
Sample
Documents/Ransomware.Radamant/Ransomware.Radamant/DUMP_00A10000-00A1D000.exe
Resource
win7-20240611-en
Behavioral task
behavioral30
Sample
Documents/Ransomware.Radamant/Ransomware.Radamant/DUMP_00A10000-00A1D000.exe
Resource
win10v2004-20240611-en
Behavioral task
behavioral31
Sample
Supplementary Agreement 26_01_2016.scr
Resource
win7-20240611-en
Behavioral task
behavioral32
Sample
Supplementary Agreement 26_01_2016.scr
Resource
win10v2004-20240611-en
General
-
Target
Documents/Ransomware.Cryptowall/cryptowall.exe
-
Size
240KB
-
MD5
47363b94cee907e2b8926c1be61150c7
-
SHA1
ca963033b9a285b8cd0044df38146a932c838071
-
SHA256
45317968759d3e37282ceb75149f627d648534c5b4685f6da3966d8f6fca662d
-
SHA512
93dfaafc183360829448887a112dd49c90ec5fe50dcd7c7bbc06c1c8daa206eeea5577f726d906446322c731d0520e93700d5ff9cefd730fba347c72b7325068
-
SSDEEP
3072:xkeyloECBch6ZCGBGSmHJ0y5lj6jdojK7+MGOXpXx8z3Lp7Yoq:xGlnCIwMpj6ijKfxx8z3F0V
Malware Config
Signatures
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Drops startup file 1 IoCs
Processes:
explorer.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f9d5da8.exe explorer.exe -
Adds Run key to start application 2 TTPs 4 IoCs
Processes:
explorer.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\f9d5da8 = "C:\\Users\\Admin\\AppData\\Roaming\\f9d5da8.exe" explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\*9d5da8 = "C:\\Users\\Admin\\AppData\\Roaming\\f9d5da8.exe" explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\f9d5da = "C:\\f9d5da8\\f9d5da8.exe" explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\*9d5da = "C:\\f9d5da8\\f9d5da8.exe" explorer.exe -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 3 ip-addr.es 5 myexternalip.com -
Suspicious use of SetThreadContext 1 IoCs
Processes:
cryptowall.exedescription pid process target process PID 912 set thread context of 1468 912 cryptowall.exe cryptowall.exe -
Interacts with shadow copies 3 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exepid process 2784 vssadmin.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
cryptowall.exepid process 912 cryptowall.exe 912 cryptowall.exe -
Suspicious behavior: MapViewOfSection 2 IoCs
Processes:
cryptowall.exeexplorer.exepid process 1468 cryptowall.exe 2532 explorer.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
cryptowall.exevssvc.exedescription pid process Token: 33 912 cryptowall.exe Token: SeIncBasePriorityPrivilege 912 cryptowall.exe Token: SeBackupPrivilege 2608 vssvc.exe Token: SeRestorePrivilege 2608 vssvc.exe Token: SeAuditPrivilege 2608 vssvc.exe -
Suspicious use of WriteProcessMemory 22 IoCs
Processes:
cryptowall.execryptowall.exeexplorer.exedescription pid process target process PID 912 wrote to memory of 1468 912 cryptowall.exe cryptowall.exe PID 912 wrote to memory of 1468 912 cryptowall.exe cryptowall.exe PID 912 wrote to memory of 1468 912 cryptowall.exe cryptowall.exe PID 912 wrote to memory of 1468 912 cryptowall.exe cryptowall.exe PID 912 wrote to memory of 1468 912 cryptowall.exe cryptowall.exe PID 912 wrote to memory of 1468 912 cryptowall.exe cryptowall.exe PID 912 wrote to memory of 1468 912 cryptowall.exe cryptowall.exe PID 912 wrote to memory of 1468 912 cryptowall.exe cryptowall.exe PID 912 wrote to memory of 1468 912 cryptowall.exe cryptowall.exe PID 912 wrote to memory of 1468 912 cryptowall.exe cryptowall.exe PID 1468 wrote to memory of 2532 1468 cryptowall.exe explorer.exe PID 1468 wrote to memory of 2532 1468 cryptowall.exe explorer.exe PID 1468 wrote to memory of 2532 1468 cryptowall.exe explorer.exe PID 1468 wrote to memory of 2532 1468 cryptowall.exe explorer.exe PID 2532 wrote to memory of 1880 2532 explorer.exe svchost.exe PID 2532 wrote to memory of 1880 2532 explorer.exe svchost.exe PID 2532 wrote to memory of 1880 2532 explorer.exe svchost.exe PID 2532 wrote to memory of 1880 2532 explorer.exe svchost.exe PID 2532 wrote to memory of 2784 2532 explorer.exe vssadmin.exe PID 2532 wrote to memory of 2784 2532 explorer.exe vssadmin.exe PID 2532 wrote to memory of 2784 2532 explorer.exe vssadmin.exe PID 2532 wrote to memory of 2784 2532 explorer.exe vssadmin.exe -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cryptowall\cryptowall.exe"C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cryptowall\cryptowall.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:912 -
C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cryptowall\cryptowall.exe"C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cryptowall\cryptowall.exe"2⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1468 -
C:\Windows\syswow64\explorer.exe"C:\Windows\syswow64\explorer.exe"3⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2532 -
C:\Windows\syswow64\svchost.exe-k netsvcs4⤵PID:1880
-
-
C:\Windows\syswow64\vssadmin.exevssadmin.exe Delete Shadows /All /Quiet4⤵
- Interacts with shadow copies
PID:2784
-
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2608