Overview
overview
10Static
static
3Ransomware-master.zip
windows10-1703-x64
8Ransomware-master.zip
windows10-2004-x64
1cerber.exe
windows10-1703-x64
10cerber.exe
windows10-2004-x64
10cryptowall.exe
windows10-1703-x64
3cryptowall.exe
windows10-2004-x64
3jigsaw.exe
windows10-1703-x64
10jigsaw.exe
windows10-2004-x64
10Locky.exe
windows10-1703-x64
10Locky.exe
windows10-2004-x64
10131.exe
windows10-1703-x64
3131.exe
windows10-2004-x64
3Matsnu-MBR...3 .exe
windows10-1703-x64
3Matsnu-MBR...3 .exe
windows10-2004-x64
3027cc450ef...d9.dll
windows10-1703-x64
10027cc450ef...d9.dll
windows10-2004-x64
10027cc450ef...ju.dll
windows10-1703-x64
10027cc450ef...ju.dll
windows10-2004-x64
10myguy.hta
windows10-1703-x64
3myguy.hta
windows10-2004-x64
7svchost.exe
windows10-1703-x64
7svchost.exe
windows10-2004-x64
7Analysis
-
max time kernel
93s -
max time network
125s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
02-08-2024 16:50
Static task
static1
Behavioral task
behavioral1
Sample
Ransomware-master.zip
Resource
win10-20240404-en
Behavioral task
behavioral2
Sample
Ransomware-master.zip
Resource
win10v2004-20240802-en
Behavioral task
behavioral3
Sample
cerber.exe
Resource
win10-20240404-en
Behavioral task
behavioral4
Sample
cerber.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral5
Sample
cryptowall.exe
Resource
win10-20240611-en
Behavioral task
behavioral6
Sample
cryptowall.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral7
Sample
jigsaw.exe
Resource
win10-20240404-en
Behavioral task
behavioral8
Sample
jigsaw.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral9
Sample
Locky.exe
Resource
win10-20240404-en
Behavioral task
behavioral10
Sample
Locky.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral11
Sample
131.exe
Resource
win10-20240404-en
Behavioral task
behavioral12
Sample
131.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral13
Sample
Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .exe
Resource
win10-20240404-en
Behavioral task
behavioral14
Sample
Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral15
Sample
027cc450ef5f8c5f653329641ec1fed9.dll
Resource
win10-20240404-en
Behavioral task
behavioral16
Sample
027cc450ef5f8c5f653329641ec1fed9.dll
Resource
win10v2004-20240802-en
Behavioral task
behavioral17
Sample
027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745_98STJd8lju.dll
Resource
win10-20240611-en
Behavioral task
behavioral18
Sample
027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745_98STJd8lju.dll
Resource
win10v2004-20240802-en
Behavioral task
behavioral19
Sample
myguy.hta
Resource
win10-20240404-en
Behavioral task
behavioral20
Sample
myguy.hta
Resource
win10v2004-20240802-en
Behavioral task
behavioral21
Sample
svchost.exe
Resource
win10-20240404-en
Behavioral task
behavioral22
Sample
svchost.exe
Resource
win10v2004-20240802-en
General
-
Target
cryptowall.exe
-
Size
240KB
-
MD5
47363b94cee907e2b8926c1be61150c7
-
SHA1
ca963033b9a285b8cd0044df38146a932c838071
-
SHA256
45317968759d3e37282ceb75149f627d648534c5b4685f6da3966d8f6fca662d
-
SHA512
93dfaafc183360829448887a112dd49c90ec5fe50dcd7c7bbc06c1c8daa206eeea5577f726d906446322c731d0520e93700d5ff9cefd730fba347c72b7325068
-
SSDEEP
3072:xkeyloECBch6ZCGBGSmHJ0y5lj6jdojK7+MGOXpXx8z3Lp7Yoq:xGlnCIwMpj6ijKfxx8z3F0V
Malware Config
Signatures
-
Program crash 1 IoCs
pid pid_target Process procid_target 2540 4820 WerFault.exe 81 -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cryptowall.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: 33 4820 cryptowall.exe Token: SeIncBasePriorityPrivilege 4820 cryptowall.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\cryptowall.exe"C:\Users\Admin\AppData\Local\Temp\cryptowall.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4820 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4820 -s 4802⤵
- Program crash
PID:2540
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 4820 -ip 48201⤵PID:1668