Overview
overview
10Static
static
3cerber.exe
windows7-x64
10cerber.exe
windows10-2004-x64
10cryptowall.exe
windows7-x64
9cryptowall.exe
windows10-2004-x64
3jigsaw.exe
windows7-x64
10jigsaw.exe
windows10-2004-x64
10Locky.exe
windows7-x64
10Locky.exe
windows10-2004-x64
10131.exe
windows7-x64
1131.exe
windows10-2004-x64
3Matsnu-MBR...3 .exe
windows7-x64
7Matsnu-MBR...3 .exe
windows10-2004-x64
3027cc450ef...d9.dll
windows7-x64
10027cc450ef...d9.dll
windows10-2004-x64
10027cc450ef...ju.dll
windows7-x64
10027cc450ef...ju.dll
windows10-2004-x64
10myguy.hta
windows7-x64
10myguy.hta
windows10-2004-x64
10svchost.exe
windows7-x64
7svchost.exe
windows10-2004-x64
7Analysis
-
max time kernel
132s -
max time network
141s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
26-11-2024 15:24
Static task
static1
Behavioral task
behavioral1
Sample
cerber.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
cerber.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
cryptowall.exe
Resource
win7-20240903-en
Behavioral task
behavioral4
Sample
cryptowall.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral5
Sample
jigsaw.exe
Resource
win7-20241023-en
Behavioral task
behavioral6
Sample
jigsaw.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral7
Sample
Locky.exe
Resource
win7-20240903-en
Behavioral task
behavioral8
Sample
Locky.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral9
Sample
131.exe
Resource
win7-20240903-en
Behavioral task
behavioral10
Sample
131.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral11
Sample
Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .exe
Resource
win7-20240708-en
Behavioral task
behavioral12
Sample
Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral13
Sample
027cc450ef5f8c5f653329641ec1fed9.dll
Resource
win7-20240708-en
Behavioral task
behavioral14
Sample
027cc450ef5f8c5f653329641ec1fed9.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral15
Sample
027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745_98STJd8lju.dll
Resource
win7-20240903-en
Behavioral task
behavioral16
Sample
027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745_98STJd8lju.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral17
Sample
myguy.hta
Resource
win7-20241010-en
Behavioral task
behavioral18
Sample
myguy.hta
Resource
win10v2004-20241007-en
Behavioral task
behavioral19
Sample
svchost.exe
Resource
win7-20240903-en
Behavioral task
behavioral20
Sample
svchost.exe
Resource
win10v2004-20241007-en
General
-
Target
cryptowall.exe
-
Size
240KB
-
MD5
47363b94cee907e2b8926c1be61150c7
-
SHA1
ca963033b9a285b8cd0044df38146a932c838071
-
SHA256
45317968759d3e37282ceb75149f627d648534c5b4685f6da3966d8f6fca662d
-
SHA512
93dfaafc183360829448887a112dd49c90ec5fe50dcd7c7bbc06c1c8daa206eeea5577f726d906446322c731d0520e93700d5ff9cefd730fba347c72b7325068
-
SSDEEP
3072:xkeyloECBch6ZCGBGSmHJ0y5lj6jdojK7+MGOXpXx8z3Lp7Yoq:xGlnCIwMpj6ijKfxx8z3F0V
Malware Config
Signatures
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Drops startup file 1 IoCs
Processes:
explorer.exedescription ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2fddd325.exe explorer.exe -
Adds Run key to start application 2 TTPs 4 IoCs
Processes:
explorer.exedescription ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\*fddd325 = "C:\\Users\\Admin\\AppData\\Roaming\\2fddd325.exe" explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\2fddd32 = "C:\\2fddd325\\2fddd325.exe" explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\*fddd32 = "C:\\2fddd325\\2fddd325.exe" explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\2fddd325 = "C:\\Users\\Admin\\AppData\\Roaming\\2fddd325.exe" explorer.exe -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 3 ip-addr.es 5 myexternalip.com -
Suspicious use of SetThreadContext 1 IoCs
Processes:
cryptowall.exedescription pid Process procid_target PID 2236 set thread context of 2568 2236 cryptowall.exe 31 -
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
svchost.exevssadmin.execryptowall.execryptowall.exeexplorer.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssadmin.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cryptowall.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cryptowall.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorer.exe -
Interacts with shadow copies 3 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exepid Process 2668 vssadmin.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
cryptowall.exepid Process 2236 cryptowall.exe 2236 cryptowall.exe -
Suspicious behavior: MapViewOfSection 2 IoCs
Processes:
cryptowall.exeexplorer.exepid Process 2568 cryptowall.exe 2976 explorer.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
cryptowall.exevssvc.exedescription pid Process Token: 33 2236 cryptowall.exe Token: SeIncBasePriorityPrivilege 2236 cryptowall.exe Token: SeBackupPrivilege 2860 vssvc.exe Token: SeRestorePrivilege 2860 vssvc.exe Token: SeAuditPrivilege 2860 vssvc.exe -
Suspicious use of WriteProcessMemory 22 IoCs
Processes:
cryptowall.execryptowall.exeexplorer.exedescription pid Process procid_target PID 2236 wrote to memory of 2568 2236 cryptowall.exe 31 PID 2236 wrote to memory of 2568 2236 cryptowall.exe 31 PID 2236 wrote to memory of 2568 2236 cryptowall.exe 31 PID 2236 wrote to memory of 2568 2236 cryptowall.exe 31 PID 2236 wrote to memory of 2568 2236 cryptowall.exe 31 PID 2236 wrote to memory of 2568 2236 cryptowall.exe 31 PID 2236 wrote to memory of 2568 2236 cryptowall.exe 31 PID 2236 wrote to memory of 2568 2236 cryptowall.exe 31 PID 2236 wrote to memory of 2568 2236 cryptowall.exe 31 PID 2236 wrote to memory of 2568 2236 cryptowall.exe 31 PID 2568 wrote to memory of 2976 2568 cryptowall.exe 32 PID 2568 wrote to memory of 2976 2568 cryptowall.exe 32 PID 2568 wrote to memory of 2976 2568 cryptowall.exe 32 PID 2568 wrote to memory of 2976 2568 cryptowall.exe 32 PID 2976 wrote to memory of 2972 2976 explorer.exe 33 PID 2976 wrote to memory of 2972 2976 explorer.exe 33 PID 2976 wrote to memory of 2972 2976 explorer.exe 33 PID 2976 wrote to memory of 2972 2976 explorer.exe 33 PID 2976 wrote to memory of 2668 2976 explorer.exe 34 PID 2976 wrote to memory of 2668 2976 explorer.exe 34 PID 2976 wrote to memory of 2668 2976 explorer.exe 34 PID 2976 wrote to memory of 2668 2976 explorer.exe 34 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\cryptowall.exe"C:\Users\Admin\AppData\Local\Temp\cryptowall.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2236 -
C:\Users\Admin\AppData\Local\Temp\cryptowall.exe"C:\Users\Admin\AppData\Local\Temp\cryptowall.exe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2568 -
C:\Windows\syswow64\explorer.exe"C:\Windows\syswow64\explorer.exe"3⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2976 -
C:\Windows\syswow64\svchost.exe-k netsvcs4⤵
- System Location Discovery: System Language Discovery
PID:2972
-
-
C:\Windows\syswow64\vssadmin.exevssadmin.exe Delete Shadows /All /Quiet4⤵
- System Location Discovery: System Language Discovery
- Interacts with shadow copies
PID:2668
-
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2860