Overview

overview

9

Static

static

3

cryptowall.exe

windows7-x64

9

cryptowall.exe

windows10-1703-x64

3

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Ransomware.Cryptowall (1).zip

  • Size

    100KB

  • Sample

    240905-ahmwcaygjk

  • MD5

    8710ea46c2db18965a3f13c5fb7c5be8

  • SHA1

    24978c79b5b4b3796adceffe06a3a39b33dda41d

  • SHA256

    60d574055ae164cc32df9e5c9402deefa9d07e5034328d7b41457d35b7312a0e

  • SHA512

    c71de7a60e7edeedbdd7843a868b6f5a95f2718f0f35d274cf85951ee565ef3ba1e087881f12aeede686ce6d016f3fd533b7ef21d878a03d2455acc161abf583

  • SSDEEP

    3072:OCDc19avf1fHqOhdzVD/9Ae7RT5f6IiL+WfXS21o4D:OCD0QvlqGRlAlX+sXjo4D

Score
9/10
defense_evasiondiscoveryexecutionimpactpersistenceransomware

Malware Config

Targets

    • Target

      cryptowall.bin

    • Size

      240KB

    • MD5

      47363b94cee907e2b8926c1be61150c7

    • SHA1

      ca963033b9a285b8cd0044df38146a932c838071

    • SHA256

      45317968759d3e37282ceb75149f627d648534c5b4685f6da3966d8f6fca662d

    • SHA512

      93dfaafc183360829448887a112dd49c90ec5fe50dcd7c7bbc06c1c8daa206eeea5577f726d906446322c731d0520e93700d5ff9cefd730fba347c72b7325068

    • SSDEEP

      3072:xkeyloECBch6ZCGBGSmHJ0y5lj6jdojK7+MGOXpXx8z3Lp7Yoq:xGlnCIwMpj6ijKfxx8z3F0V

    Score
    9/10
    defense_evasiondiscoveryexecutionimpactpersistenceransomware

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomwaredefense_evasionimpactexecution

    • Drops startup file

    • Adds Run key to start application

      persistence

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks