Resubmissions

15-09-2024 09:57

240915-ly8zasyclp 10

15-09-2024 08:55

240915-kveqlswcnk 10

Analysis

  • max time kernel
    587s
  • max time network
    597s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    15-09-2024 08:55

General

  • Target

    cryptowall.exe

  • Size

    240KB

  • MD5

    47363b94cee907e2b8926c1be61150c7

  • SHA1

    ca963033b9a285b8cd0044df38146a932c838071

  • SHA256

    45317968759d3e37282ceb75149f627d648534c5b4685f6da3966d8f6fca662d

  • SHA512

    93dfaafc183360829448887a112dd49c90ec5fe50dcd7c7bbc06c1c8daa206eeea5577f726d906446322c731d0520e93700d5ff9cefd730fba347c72b7325068

  • SSDEEP

    3072:xkeyloECBch6ZCGBGSmHJ0y5lj6jdojK7+MGOXpXx8z3Lp7Yoq:xGlnCIwMpj6ijKfxx8z3F0V

Malware Config

Signatures

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Drops startup file 1 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Interacts with shadow copies 3 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\cryptowall.exe
    "C:\Users\Admin\AppData\Local\Temp\cryptowall.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1120
    • C:\Users\Admin\AppData\Local\Temp\cryptowall.exe
      "C:\Users\Admin\AppData\Local\Temp\cryptowall.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:2236
      • C:\Windows\syswow64\explorer.exe
        "C:\Windows\syswow64\explorer.exe"
        3⤵
        • Drops startup file
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:3068
        • C:\Windows\syswow64\svchost.exe
          -k netsvcs
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2784
        • C:\Windows\syswow64\vssadmin.exe
          vssadmin.exe Delete Shadows /All /Quiet
          4⤵
          • System Location Discovery: System Language Discovery
          • Interacts with shadow copies
          PID:2920
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2804

Network

  • flag-us
    DNS
    ip-addr.es
    netsvcs
    Remote address:
    8.8.8.8:53
    Request
    ip-addr.es
    IN A
    Response
    ip-addr.es
    IN A
    188.165.164.184
  • flag-fr
    GET
    http://ip-addr.es/
    netsvcs
    Remote address:
    188.165.164.184:80
    Request
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
    Host: ip-addr.es
    Cache-Control: no-cache
    Response
    HTTP/1.1 308 Permanent Redirect
    Date: Sun, 15 Sep 2024 08:48:39 GMT
    Content-Type: text/html
    Content-Length: 164
    Connection: keep-alive
    Location: https://ip-addr.es/
    Server: DYNAMIC+
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
  • flag-us
    DNS
    myexternalip.com
    netsvcs
    Remote address:
    8.8.8.8:53
    Request
    myexternalip.com
    IN A
    Response
    myexternalip.com
    IN A
    34.160.111.145
  • flag-us
    GET
    http://myexternalip.com/raw
    netsvcs
    Remote address:
    34.160.111.145:80
    Request
    GET /raw HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
    Host: myexternalip.com
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    date: Sun, 15 Sep 2024 08:55:30 GMT
    content-type: text/plain; charset=utf-8
    Content-Length: 13
    access-control-allow-origin: *
    via: 1.1 google
  • flag-fr
    GET
    http://ip-addr.es/
    netsvcs
    Remote address:
    188.165.164.184:80
    Request
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
    Host: ip-addr.es
    Cache-Control: no-cache
    Response
    HTTP/1.1 308 Permanent Redirect
    Date: Sun, 15 Sep 2024 08:50:28 GMT
    Content-Type: text/html
    Content-Length: 164
    Connection: keep-alive
    Location: https://ip-addr.es/
    Server: DYNAMIC+
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
  • flag-us
    GET
    http://myexternalip.com/raw
    netsvcs
    Remote address:
    34.160.111.145:80
    Request
    GET /raw HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
    Host: myexternalip.com
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    date: Sun, 15 Sep 2024 08:57:18 GMT
    content-type: text/plain; charset=utf-8
    Content-Length: 13
    access-control-allow-origin: *
    via: 1.1 google
  • flag-fr
    GET
    http://ip-addr.es/
    netsvcs
    Remote address:
    188.165.164.184:80
    Request
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
    Host: ip-addr.es
    Cache-Control: no-cache
    Response
    HTTP/1.1 308 Permanent Redirect
    Date: Sun, 15 Sep 2024 08:52:17 GMT
    Content-Type: text/html
    Content-Length: 164
    Connection: keep-alive
    Location: https://ip-addr.es/
    Server: DYNAMIC+
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
  • flag-us
    GET
    http://myexternalip.com/raw
    netsvcs
    Remote address:
    34.160.111.145:80
    Request
    GET /raw HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
    Host: myexternalip.com
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    date: Sun, 15 Sep 2024 08:59:08 GMT
    content-type: text/plain; charset=utf-8
    Content-Length: 13
    access-control-allow-origin: *
    via: 1.1 google
  • flag-fr
    GET
    http://ip-addr.es/
    netsvcs
    Remote address:
    188.165.164.184:80
    Request
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
    Host: ip-addr.es
    Cache-Control: no-cache
    Response
    HTTP/1.1 308 Permanent Redirect
    Date: Sun, 15 Sep 2024 08:54:05 GMT
    Content-Type: text/html
    Content-Length: 164
    Connection: keep-alive
    Location: https://ip-addr.es/
    Server: DYNAMIC+
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
  • flag-us
    GET
    http://myexternalip.com/raw
    netsvcs
    Remote address:
    34.160.111.145:80
    Request
    GET /raw HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
    Host: myexternalip.com
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    date: Sun, 15 Sep 2024 09:00:56 GMT
    content-type: text/plain; charset=utf-8
    Content-Length: 13
    access-control-allow-origin: *
    via: 1.1 google
  • flag-fr
    GET
    http://ip-addr.es/
    netsvcs
    Remote address:
    188.165.164.184:80
    Request
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
    Host: ip-addr.es
    Cache-Control: no-cache
    Response
    HTTP/1.1 308 Permanent Redirect
    Date: Sun, 15 Sep 2024 08:55:54 GMT
    Content-Type: text/html
    Content-Length: 164
    Connection: keep-alive
    Location: https://ip-addr.es/
    Server: DYNAMIC+
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
  • flag-us
    GET
    http://myexternalip.com/raw
    netsvcs
    Remote address:
    34.160.111.145:80
    Request
    GET /raw HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
    Host: myexternalip.com
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    date: Sun, 15 Sep 2024 09:02:44 GMT
    content-type: text/plain; charset=utf-8
    Content-Length: 13
    access-control-allow-origin: *
    via: 1.1 google
  • flag-fr
    GET
    http://ip-addr.es/
    netsvcs
    Remote address:
    188.165.164.184:80
    Request
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
    Host: ip-addr.es
    Cache-Control: no-cache
    Response
    HTTP/1.1 308 Permanent Redirect
    Date: Sun, 15 Sep 2024 08:57:43 GMT
    Content-Type: text/html
    Content-Length: 164
    Connection: keep-alive
    Location: https://ip-addr.es/
    Server: DYNAMIC+
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
  • flag-us
    GET
    http://myexternalip.com/raw
    netsvcs
    Remote address:
    34.160.111.145:80
    Request
    GET /raw HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
    Host: myexternalip.com
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    date: Sun, 15 Sep 2024 09:04:33 GMT
    content-type: text/plain; charset=utf-8
    Content-Length: 13
    access-control-allow-origin: *
    via: 1.1 google
  • 188.165.164.184:80
    http://ip-addr.es/
    http
    netsvcs
    541 B
    633 B
    6
    5

    HTTP Request

    GET http://ip-addr.es/

    HTTP Response

    308
  • 34.160.111.145:80
    http://myexternalip.com/raw
    http
    netsvcs
    602 B
    570 B
    7
    5

    HTTP Request

    GET http://myexternalip.com/raw

    HTTP Response

    200
  • 94.247.31.19:8080
    netsvcs
    152 B
    3
  • 94.247.28.26:2525
    netsvcs
    152 B
    3
  • 94.247.28.156:8081
    netsvcs
    152 B
    3
  • 91.121.12.127:4141
    netsvcs
    152 B
    3
  • 209.148.85.151:8080
    netsvcs
    152 B
    3
  • 188.165.164.184:80
    http://ip-addr.es/
    http
    netsvcs
    593 B
    1.1kB
    7
    6

    HTTP Request

    GET http://ip-addr.es/

    HTTP Response

    308
  • 34.160.111.145:80
    http://myexternalip.com/raw
    http
    netsvcs
    556 B
    570 B
    6
    5

    HTTP Request

    GET http://myexternalip.com/raw

    HTTP Response

    200
  • 94.247.31.19:8080
    netsvcs
    152 B
    3
  • 94.247.28.26:2525
    netsvcs
    152 B
    3
  • 94.247.28.156:8081
    netsvcs
    152 B
    3
  • 91.121.12.127:4141
    netsvcs
    152 B
    3
  • 209.148.85.151:8080
    netsvcs
    152 B
    3
  • 188.165.164.184:80
    http://ip-addr.es/
    http
    netsvcs
    541 B
    633 B
    6
    5

    HTTP Request

    GET http://ip-addr.es/

    HTTP Response

    308
  • 34.160.111.145:80
    http://myexternalip.com/raw
    http
    netsvcs
    602 B
    570 B
    7
    5

    HTTP Request

    GET http://myexternalip.com/raw

    HTTP Response

    200
  • 94.247.31.19:8080
    netsvcs
    152 B
    3
  • 94.247.28.26:2525
    netsvcs
    152 B
    3
  • 94.247.28.156:8081
    netsvcs
    152 B
    3
  • 91.121.12.127:4141
    netsvcs
    152 B
    3
  • 209.148.85.151:8080
    netsvcs
    152 B
    3
  • 188.165.164.184:80
    http://ip-addr.es/
    http
    netsvcs
    541 B
    633 B
    6
    5

    HTTP Request

    GET http://ip-addr.es/

    HTTP Response

    308
  • 34.160.111.145:80
    http://myexternalip.com/raw
    http
    netsvcs
    602 B
    570 B
    7
    5

    HTTP Request

    GET http://myexternalip.com/raw

    HTTP Response

    200
  • 94.247.31.19:8080
    netsvcs
    152 B
    3
  • 94.247.28.26:2525
    netsvcs
    152 B
    3
  • 94.247.28.156:8081
    netsvcs
    152 B
    3
  • 91.121.12.127:4141
    netsvcs
    152 B
    3
  • 209.148.85.151:8080
    netsvcs
    152 B
    3
  • 188.165.164.184:80
    http://ip-addr.es/
    http
    netsvcs
    593 B
    1.1kB
    7
    6

    HTTP Request

    GET http://ip-addr.es/

    HTTP Response

    308
  • 34.160.111.145:80
    http://myexternalip.com/raw
    http
    netsvcs
    556 B
    570 B
    6
    5

    HTTP Request

    GET http://myexternalip.com/raw

    HTTP Response

    200
  • 94.247.31.19:8080
    netsvcs
    152 B
    3
  • 94.247.28.26:2525
    netsvcs
    152 B
    3
  • 94.247.28.156:8081
    netsvcs
    152 B
    3
  • 91.121.12.127:4141
    netsvcs
    152 B
    3
  • 209.148.85.151:8080
    netsvcs
    152 B
    3
  • 188.165.164.184:80
    http://ip-addr.es/
    http
    netsvcs
    449 B
    553 B
    4
    3

    HTTP Request

    GET http://ip-addr.es/

    HTTP Response

    308
  • 34.160.111.145:80
    http://myexternalip.com/raw
    http
    netsvcs
    510 B
    530 B
    5
    4

    HTTP Request

    GET http://myexternalip.com/raw

    HTTP Response

    200
  • 94.247.31.19:8080
    netsvcs
    152 B
    3
  • 94.247.28.26:2525
    netsvcs
    152 B
    3
  • 94.247.28.156:8081
    netsvcs
    152 B
    3
  • 8.8.8.8:53
    ip-addr.es
    dns
    netsvcs
    56 B
    72 B
    1
    1

    DNS Request

    ip-addr.es

    DNS Response

    188.165.164.184

  • 8.8.8.8:53
    myexternalip.com
    dns
    netsvcs
    62 B
    78 B
    1
    1

    DNS Request

    myexternalip.com

    DNS Response

    34.160.111.145

MITRE ATT&CK Enterprise v15

Downloads

  • memory/1120-6-0x00000000003B0000-0x00000000003C6000-memory.dmp

    Filesize

    88KB

  • memory/2236-2-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/2236-14-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/2236-9-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/2236-7-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/2236-4-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/2236-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/2236-13-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/2236-0-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/2236-18-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/2784-22-0x00000000000C0000-0x00000000000E5000-memory.dmp

    Filesize

    148KB

  • memory/3068-15-0x0000000000080000-0x00000000000A5000-memory.dmp

    Filesize

    148KB

  • memory/3068-23-0x0000000000080000-0x00000000000A5000-memory.dmp

    Filesize

    148KB
