analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Ransomware.Cryptowall.zip

Full analysis: https://app.any.run/tasks/343c9e97-6df1-493e-a0a4-4bf6c10a0294
Verdict: Malicious activity
Threats:

Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.

Analysis date: November 29, 2020, 11:34:52
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
evasion
trojan
ransomware
cryptowall
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

8710EA46C2DB18965A3F13C5FB7C5BE8

SHA1:

24978C79B5B4B3796ADCEFFE06A3A39B33DDA41D

SHA256:

60D574055AE164CC32DF9E5C9402DEEFA9D07E5034328D7B41457D35B7312A0E

SSDEEP:

3072:OCDc19avf1fHqOhdzVD/9Ae7RT5f6IiL+WfXS21o4D:OCD0QvlqGRlAlX+sXjo4D

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • cryptowall.exe (PID: 2700)
      • cryptowall.exe (PID: 2116)
    • Drops executable file immediately after starts

      • explorer.exe (PID: 2748)
    • Deletes shadow copies

      • explorer.exe (PID: 2748)
    • Uses SVCHOST.EXE for hidden code execution

      • explorer.exe (PID: 2748)
    • Writes to a start menu file

      • explorer.exe (PID: 2748)
    • Starts BCDEDIT.EXE to disable recovery

      • explorer.exe (PID: 2748)
    • Changes the autorun value in the registry

      • explorer.exe (PID: 2748)
    • CRYPTOWALL was detected

      • svchost.exe (PID: 2496)
    • Connects to CnC server

      • svchost.exe (PID: 2496)
  • SUSPICIOUS

    • Application launched itself

      • cryptowall.exe (PID: 2116)
    • Executable content was dropped or overwritten

      • explorer.exe (PID: 2748)
    • Checks for external IP

      • svchost.exe (PID: 2496)
    • Creates files in the user directory

      • explorer.exe (PID: 2748)
  • INFO

    • Manual execution by user

      • cryptowall.exe (PID: 2116)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipFileName: cryptowall.bin
ZipUncompressedSize: 246272
ZipCompressedSize: 102838
ZipCRC: 0x6baaab1e
ZipModifyDate: 2015:02:09 22:05:26
ZipCompression: Deflated
ZipBitFlag: 0x0009
ZipRequiredVersion: 20
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
46
Monitored processes
8
Malicious processes
4
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winrar.exe no specs cryptowall.exe no specs cryptowall.exe no specs explorer.exe #CRYPTOWALL svchost.exe vssadmin.exe no specs bcdedit.exe no specs bcdedit.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2784"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Ransomware.Cryptowall.zip"C:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.60.0
2116"C:\Users\admin\Desktop\cryptowall.exe" C:\Users\admin\Desktop\cryptowall.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
2700"C:\Users\admin\Desktop\cryptowall.exe" C:\Users\admin\Desktop\cryptowall.execryptowall.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
2748"C:\Windows\explorer.exe"C:\Windows\explorer.exe
cryptowall.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2496-k netsvcsC:\Windows\system32\svchost.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Host Process for Windows Services
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2668vssadmin.exe Delete Shadows /All /QuietC:\Windows\system32\vssadmin.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Command Line Interface for Microsoft® Volume Shadow Copy Service
Exit code:
2
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2232bcdedit /set {default} recoveryenabled NoC:\Windows\system32\bcdedit.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Boot Configuration Data Editor
Exit code:
1
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2872bcdedit /set {default} bootstatuspolicy ignoreallfailuresC:\Windows\system32\bcdedit.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Boot Configuration Data Editor
Exit code:
1
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Total events
501
Read events
458
Write events
0
Delete events
0

Modification events

No data
Executable files
3
Suspicious files
4
Text files
0
Unknown types
2

Dropped files

PID
Process
Filename
Type
2784WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRb2784.4430\cryptowall.bin
MD5:
SHA256:
2496svchost.exeC:\Users\admin\AppData\Local\Temp\CabD53.tmp
MD5:
SHA256:
2496svchost.exeC:\Users\admin\AppData\Local\Temp\TarD54.tmp
MD5:
SHA256:
2496svchost.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CFE86DBBE02D859DC92F1E17E0574EE8_70D49E8A408648C635FB6B9F5D8BA72Cbinary
MD5:0E7045F548BB07ADDC447F101876AA40
SHA256:B4ED7070235930F11321CB2052CD069F4C77ACFA789375C029E9A5DC51F1D5FD
2496svchost.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6332EF8BBDB37EF2CA5EA9175CD80A6A_96E040B7FA0A26C2800B770C7981DBD8binary
MD5:662473B3E73A58AE73F535242712EC4C
SHA256:7B253A91ED713BDC9609FDE77965D91D4A0D77F95B3CFC2F4DD236E1D7FEB5CC
2496svchost.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CFE86DBBE02D859DC92F1E17E0574EE8_70D49E8A408648C635FB6B9F5D8BA72Cder
MD5:DA85759E6261DF13FE39AA498B8321F0
SHA256:FBB738995741C6485D085705C784E90AB062BBC0B92F00B9BCFADF581EE7A13D
2496svchost.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6332EF8BBDB37EF2CA5EA9175CD80A6A_96E040B7FA0A26C2800B770C7981DBD8der
MD5:0F51E4B79C5BDDCD1842A28EC05A3F6B
SHA256:1E9716DA68759DF6734B328FA95A80C852DE7B61CAB665897E4B008774B68EE4
2748explorer.exeC:\46695237\46695237.exeexecutable
MD5:47363B94CEE907E2B8926C1BE61150C7
SHA256:45317968759D3E37282CEB75149F627D648534C5B4685F6DA3966D8F6FCA662D
2748explorer.exeC:\Users\admin\AppData\Roaming\46695237.exeexecutable
MD5:47363B94CEE907E2B8926C1BE61150C7
SHA256:45317968759D3E37282CEB75149F627D648534C5B4685F6DA3966D8F6FCA662D
2748explorer.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\46695237.exeexecutable
MD5:47363B94CEE907E2B8926C1BE61150C7
SHA256:45317968759D3E37282CEB75149F627D648534C5B4685F6DA3966D8F6FCA662D
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
7
DNS requests
3
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2496
svchost.exe
GET
302
216.239.32.21:80
http://myexternalip.com/raw
US
text
50 b
shared
2496
svchost.exe
POST
94.247.31.19:8080
http://proxy1-1-1.i2p/dvjc7br1e6
ES
malicious
2496
svchost.exe
GET
200
216.58.212.163:80
http://ocsp.pki.goog/gts1d2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBT4YwNSyUnwC88de5a5l4eUO%2BLQewQUsd0yXei3N3LSzlzOJv5HeeIBCOkCEQDCboWbTJwJUwoAAAAAgeZS
US
der
472 b
whitelisted
2496
svchost.exe
POST
94.247.31.19:8080
http://proxy2-2-2.i2p/dvjc7br1e6
ES
malicious
2496
svchost.exe
GET
200
216.58.212.163:80
http://ocsp.pki.goog/gsr2/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBTgXIsxbvr2lBkPpoIEVRE6gHlCnAQUm%2BIHV2ccHsBqBt5ZtJot39wZhi4CDQHjtJ13zfQMBhkWtuM%3D
US
der
468 b
whitelisted
2496
svchost.exe
GET
308
188.165.164.184:80
http://ip-addr.es/
FR
html
180 b
shared
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2496
svchost.exe
188.165.164.184:80
ip-addr.es
OVH SAS
FR
suspicious
2496
svchost.exe
216.239.32.21:443
myexternalip.com
Google Inc.
US
whitelisted
2496
svchost.exe
216.239.32.21:80
myexternalip.com
Google Inc.
US
whitelisted
2496
svchost.exe
94.247.31.19:8080
ELB Multimedia SARL
ES
malicious
2496
svchost.exe
216.58.212.163:80
ocsp.pki.goog
Google Inc.
US
whitelisted
94.247.31.19:8080
ELB Multimedia SARL
ES
malicious

DNS requests

Domain
IP
Reputation
ip-addr.es
  • 188.165.164.184
shared
myexternalip.com
  • 216.239.32.21
  • 216.239.34.21
  • 216.239.38.21
  • 216.239.36.21
shared
ocsp.pki.goog
  • 216.58.212.163
whitelisted

Threats

PID
Process
Class
Message
2496
svchost.exe
A Network Trojan was detected
ET POLICY Possible IP Check ip-addr.es
2496
svchost.exe
Potential Corporate Privacy Violation
ET POLICY External IP Check myexternalip.com
2496
svchost.exe
A Network Trojan was detected
ET TROJAN CryptoWall Check-in
2496
svchost.exe
A Network Trojan was detected
ET TROJAN CryptoWall CryptoWall 3.0 Check-in
No debug info