Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
  • submitted
    09-07-2024 22:00

General

  • Target

    cryptowall.exe

  • Size

    240KB

  • MD5

    47363b94cee907e2b8926c1be61150c7

  • SHA1

    ca963033b9a285b8cd0044df38146a932c838071

  • SHA256

    45317968759d3e37282ceb75149f627d648534c5b4685f6da3966d8f6fca662d

  • SHA512

    93dfaafc183360829448887a112dd49c90ec5fe50dcd7c7bbc06c1c8daa206eeea5577f726d906446322c731d0520e93700d5ff9cefd730fba347c72b7325068

  • SSDEEP

    3072:xkeyloECBch6ZCGBGSmHJ0y5lj6jdojK7+MGOXpXx8z3Lp7Yoq:xGlnCIwMpj6ijKfxx8z3F0V

Score
4/10

Malware Config

Signatures

  • Drops file in Windows directory 1 IoCs
  • Program crash 1 IoCs
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies data under HKEY_USERS 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: LoadsDriver 6 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 26 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cryptowall.exe
    "C:\Users\Admin\AppData\Local\Temp\cryptowall.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4776
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4776 -s 516
      2⤵
      • Program crash
      PID:1416
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe"
    1⤵
    • Enumerates system info in registry
    • Modifies data under HKEY_USERS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:3560
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffbe5449758,0x7ffbe5449768,0x7ffbe5449778
      2⤵
        PID:1356
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1636 --field-trial-handle=1836,i,7280999985373852761,6844350815484382205,131072 /prefetch:2
        2⤵
          PID:4584
        • C:\Program Files\Google\Chrome\Application\chrome.exe
          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1832 --field-trial-handle=1836,i,7280999985373852761,6844350815484382205,131072 /prefetch:8
          2⤵
            PID:1512
          • C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2072 --field-trial-handle=1836,i,7280999985373852761,6844350815484382205,131072 /prefetch:8
            2⤵
              PID:2144
            • C:\Program Files\Google\Chrome\Application\chrome.exe
              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2868 --field-trial-handle=1836,i,7280999985373852761,6844350815484382205,131072 /prefetch:1
              2⤵
                PID:1528
              • C:\Program Files\Google\Chrome\Application\chrome.exe
                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2876 --field-trial-handle=1836,i,7280999985373852761,6844350815484382205,131072 /prefetch:1
                2⤵
                  PID:3800
                • C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4492 --field-trial-handle=1836,i,7280999985373852761,6844350815484382205,131072 /prefetch:1
                  2⤵
                    PID:2884
                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4900 --field-trial-handle=1836,i,7280999985373852761,6844350815484382205,131072 /prefetch:8
                    2⤵
                      PID:2108
                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5024 --field-trial-handle=1836,i,7280999985373852761,6844350815484382205,131072 /prefetch:8
                      2⤵
                        PID:512
                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4984 --field-trial-handle=1836,i,7280999985373852761,6844350815484382205,131072 /prefetch:8
                        2⤵
                          PID:4780
                      • C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
                        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
                        1⤵
                          PID:2420
                        • C:\Windows\System32\SystemSettingsBroker.exe
                          C:\Windows\System32\SystemSettingsBroker.exe -Embedding
                          1⤵
                            PID:2492
                          • \??\c:\windows\system32\svchost.exe
                            c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s RmSvc
                            1⤵
                              PID:2520
                            • \??\c:\windows\system32\svchost.exe
                              c:\windows\system32\svchost.exe -k localservice -s SstpSvc
                              1⤵
                                PID:376
                              • \??\c:\windows\system32\svchost.exe
                                c:\windows\system32\svchost.exe -k netsvcs -s NetSetupSvc
                                1⤵
                                • Drops file in Windows directory
                                • Suspicious use of AdjustPrivilegeToken
                                PID:1576
                              • \??\c:\windows\system32\svchost.exe
                                c:\windows\system32\svchost.exe -k netsvcs -s RasMan
                                1⤵
                                  PID:3740

                                Network

                                MITRE ATT&CK Enterprise v15

                                Replay Monitor

                                Loading Replay Monitor...

                                Downloads

                                • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

                                  Filesize

                                  371B

                                  MD5

                                  976781b8f1e06bad4c8600ddb14e1b37

                                  SHA1

                                  07d1894dffcb5e81b76d4acd8b17b8f11b2e225c

                                  SHA256

                                  657a401c2bb2db0595594c37bf85be01fb4ec8f2f6ea45aceeb05d84ed20901d

                                  SHA512

                                  8a6b32336ea012d44fc5a44aeda282aa3eb74084ee89fb54e7db1fcb95eebcba74a6735f4425890074949edbf62b41dcf3c9adb9bd9b01aa0e86dfd84e398884

                                • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                                  Filesize

                                  5KB

                                  MD5

                                  d5ee7be2185c8a47c789ceebbaf8930b

                                  SHA1

                                  0f64993003b21c8ef14409bdbc2109f8f6379d1b

                                  SHA256

                                  174b60a1d8460945f2a7dee4dcafcb215aed89b9a5ebc1f6243f5c13e21934e9

                                  SHA512

                                  5cc88c027b6b6b2a72ea6061307f2e440361e2eaf020462e4b1349eea59744ffcc91c83726501b3ea116f54c47d9bdb070af7d4fd5b242a987a3cf65b10f08d6

                                • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

                                  Filesize

                                  12KB

                                  MD5

                                  5a495dbd96221d654eb45038ede33d76

                                  SHA1

                                  9270faf602489c14c9710f39d72440021e9b5859

                                  SHA256

                                  79806dbbe84b847f72cb2ae2701026bb8224d2ac4c925925cf80820cf3032858

                                  SHA512

                                  2acc47c05683cb51d3b9c161be11d5b3b2d96f35e07c15ad74d031becb3d148b9b056adc9b291d0937801d9f3bdfaf9c2fd2050a58e679de9af69b1d70a14143

                                • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

                                  Filesize

                                  286KB

                                  MD5

                                  bbdc6f59693503b002841a92c22afc9e

                                  SHA1

                                  10bd9ce6c9b5348a41ff5cd22925b78cbbd8ce1f

                                  SHA256

                                  a44065710a4287f7a7992e04fc9fff96cd69467baede1826992574a2941c3431

                                  SHA512

                                  60f34c19dffc7ef1cf50388bd492ced16d5d15ca54693aab74fff7ca9a8f42155f997bf2c5b0e7cdee2be014ef42a8a41f79a917225939648ae3b97d2331f07f

                                • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

                                  Filesize

                                  2B

                                  MD5

                                  99914b932bd37a50b983c5e7c90ae93b

                                  SHA1

                                  bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

                                  SHA256

                                  44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

                                  SHA512

                                  27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

                                • C:\Windows\INF\netrasa.PNF

                                  Filesize

                                  22KB

                                  MD5

                                  80648b43d233468718d717d10187b68d

                                  SHA1

                                  a1736e8f0e408ce705722ce097d1adb24ebffc45

                                  SHA256

                                  8ab9a39457507e405ade5ef9d723e0f89bc46d8d8b33d354b00d95847f098380

                                  SHA512

                                  eec0ac7e7abcf87b3f0f4522b0dd95c658327afb866ceecff3c9ff0812a521201d729dd71d43f3ac46536f8435d4a49ac157b6282077c7c1940a6668f3b3aea9