Analysis
-
max time kernel
587s -
max time network
597s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
15-09-2024 08:55
General
-
Target
cryptowall.exe
-
Size
240KB
-
MD5
47363b94cee907e2b8926c1be61150c7
-
SHA1
ca963033b9a285b8cd0044df38146a932c838071
-
SHA256
45317968759d3e37282ceb75149f627d648534c5b4685f6da3966d8f6fca662d
-
SHA512
93dfaafc183360829448887a112dd49c90ec5fe50dcd7c7bbc06c1c8daa206eeea5577f726d906446322c731d0520e93700d5ff9cefd730fba347c72b7325068
-
SSDEEP
3072:xkeyloECBch6ZCGBGSmHJ0y5lj6jdojK7+MGOXpXx8z3Lp7Yoq:xGlnCIwMpj6ijKfxx8z3F0V
Malware Config
Signatures
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Drops startup file 1 IoCs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Interacts with shadow copies 3 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious behavior: MapViewOfSection 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of WriteProcessMemory 22 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\cryptowall.exe"C:\Users\Admin\AppData\Local\Temp\cryptowall.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\cryptowall.exe"C:\Users\Admin\AppData\Local\Temp\cryptowall.exe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\syswow64\explorer.exe"C:\Windows\syswow64\explorer.exe"3⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\syswow64\svchost.exe-k netsvcs4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\syswow64\vssadmin.exevssadmin.exe Delete Shadows /All /Quiet4⤵
- System Location Discovery: System Language Discovery
- Interacts with shadow copies
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1120-6-0x00000000003B0000-0x00000000003C6000-memory.dmpFilesize
88KB
-
memory/2236-2-0x0000000000400000-0x0000000000425000-memory.dmpFilesize
148KB
-
memory/2236-14-0x0000000000400000-0x0000000000425000-memory.dmpFilesize
148KB
-
memory/2236-9-0x0000000000400000-0x0000000000425000-memory.dmpFilesize
148KB
-
memory/2236-7-0x0000000000400000-0x0000000000425000-memory.dmpFilesize
148KB
-
memory/2236-4-0x0000000000400000-0x0000000000425000-memory.dmpFilesize
148KB
-
memory/2236-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmpFilesize
4KB
-
memory/2236-13-0x0000000000400000-0x0000000000425000-memory.dmpFilesize
148KB
-
memory/2236-0-0x0000000000400000-0x0000000000425000-memory.dmpFilesize
148KB
-
memory/2236-18-0x0000000000400000-0x0000000000425000-memory.dmpFilesize
148KB
-
memory/2784-22-0x00000000000C0000-0x00000000000E5000-memory.dmpFilesize
148KB
-
memory/3068-15-0x0000000000080000-0x00000000000A5000-memory.dmpFilesize
148KB
-
memory/3068-23-0x0000000000080000-0x00000000000A5000-memory.dmpFilesize
148KB