File name:

CryptoWall.exe

Full analysis: https://app.any.run/tasks/dfa4d9ac-b767-4045-9093-147dbd9721a7
Verdict: Malicious activity
Analysis date: October 01, 2024, 16:17:09
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
evasion
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

919034C8EFB9678F96B47A20FA6199F2

SHA1:

747070C74D0400CFFEB28FBEA17B64297F14CFBD

SHA256:

E036D68B8F8B7AFC6C8B6252876E1E290F11A26D4AD18AC6F310662845B2C734

SSDEEP:

3072:g+MaP6ghoGAi6WCqGcnzlLBmX96Gep2pr9anUUxYZ5axIVmmSnEv98NeyPpBSBDS:lRoqoY7AmRliBAF

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Changes the autorun value in the registry

      • explorer.exe (PID: 1332)

    • Create files in the Startup directory

      • explorer.exe (PID: 1332)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • explorer.exe (PID: 1332)

    • Checks for external IP

      • svchost.exe (PID: 5724)

    • Connects to unusual port

      • svchost.exe (PID: 5724)

  • INFO

    • Reads the machine GUID from the registry

      • CryptoWall.exe (PID: 6668)

    • Checks supported languages

      • CryptoWall.exe (PID: 6668)

    • Creates files or folders in the user directory

      • explorer.exe (PID: 1332)

    • Reads security settings of Internet Explorer

      • svchost.exe (PID: 5724)

    • Checks proxy server information

      • svchost.exe (PID: 5724)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2015:01:09 19:13:02+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 12
CodeSize: 91136
InitializedDataSize: 44544
UninitializedDataSize: -
EntryPoint: 0x170b0
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
138
Monitored processes
3
Malicious processes
2
Suspicious processes
1

Behavior graph

Click at the process to see the details
start cryptowall.exe no specs explorer.exe svchost.exe

Process information

PID
CMD
Path
Indicators
Parent process
1332"C:\WINDOWS\syswow64\explorer.exe"C:\Windows\SysWOW64\explorer.exe
CryptoWall.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Exit code:
0
Version:
10.0.19041.3758 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcp_win.dll
5724-k netsvcsC:\Windows\SysWOW64\svchost.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\sechost.dll
c:\windows\syswow64\rpcrt4.dll
6668"C:\Users\admin\AppData\Local\Temp\CryptoWall.exe" C:\Users\admin\AppData\Local\Temp\CryptoWall.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\cryptowall.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
Total events
759
Read events
755
Write events
4
Delete events
0

Modification events

(PID) Process:(1332) explorer.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:81dfcd3
Value:
C:\81dfcd3e\81dfcd3e.exe
(PID) Process:(1332) explorer.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Operation:writeName:*1dfcd3
Value:
C:\81dfcd3e\81dfcd3e.exe
(PID) Process:(1332) explorer.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:81dfcd3e
Value:
C:\Users\admin\AppData\Roaming\81dfcd3e.exe
(PID) Process:(1332) explorer.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Operation:writeName:*1dfcd3e
Value:
C:\Users\admin\AppData\Roaming\81dfcd3e.exe
Executable files
3
Suspicious files
1
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
1332explorer.exeC:\Users\admin\AppData\Roaming\81dfcd3e.exeexecutable
MD5:919034C8EFB9678F96B47A20FA6199F2
SHA256:E036D68B8F8B7AFC6C8B6252876E1E290F11A26D4AD18AC6F310662845B2C734
5724svchost.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751binary
MD5:3DFCA46E00FFA4795C72A41375F159D3
SHA256:DCBA1A505396539BAC40A7253C9F5DCCF06CBB79957E21D56305E1FC3AF5F40E
1332explorer.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\81dfcd3e.exeexecutable
MD5:919034C8EFB9678F96B47A20FA6199F2
SHA256:E036D68B8F8B7AFC6C8B6252876E1E290F11A26D4AD18AC6F310662845B2C734
1332explorer.exeC:\81dfcd3e\81dfcd3e.exeexecutable
MD5:919034C8EFB9678F96B47A20FA6199F2
SHA256:E036D68B8F8B7AFC6C8B6252876E1E290F11A26D4AD18AC6F310662845B2C734
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
12
TCP/UDP connections
83
DNS requests
25
Threats
2

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5000
svchost.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
5724
svchost.exe
GET
308
188.165.164.184:80
http://ip-addr.es/
unknown
shared
1132
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
3508
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted
1008
SIHClient.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
1008
SIHClient.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
2968
svchost.exe
GET
304
69.192.161.44:80
http://x1.c.lencr.org/
unknown
whitelisted
5724
svchost.exe
GET
308
188.165.164.184:80
http://ip-addr.es/
unknown
shared
5336
SearchApp.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEA77flR%2B3w%2FxBpruV2lte6A%3D
unknown
whitelisted
5336
SearchApp.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
5000
svchost.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
3888
svchost.exe
239.255.255.250:1900
whitelisted
4
System
192.168.100.255:138
whitelisted
5724
svchost.exe
188.165.164.184:80
ip-addr.es
OVH SAS
FR
shared
5724
svchost.exe
188.165.164.184:443
ip-addr.es
OVH SAS
FR
shared
5724
svchost.exe
91.121.12.127:4141
OVH SAS
FR
unknown
5000
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4324
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
whitelisted
www.microsoft.com
  • 184.30.21.171
  • 88.221.169.152
whitelisted
google.com
  • 142.250.186.110
whitelisted
ip-addr.es
  • 188.165.164.184
shared
login.live.com
  • 40.126.31.73
  • 20.190.159.71
  • 40.126.31.69
  • 40.126.31.67
  • 20.190.159.0
  • 20.190.159.68
  • 20.190.159.2
  • 20.190.159.4
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
client.wns.windows.com
  • 40.115.3.253
whitelisted
go.microsoft.com
  • 23.213.166.81
whitelisted
arc.msn.com
  • 20.223.36.55
whitelisted
fd.api.iris.microsoft.com
  • 20.199.58.43
whitelisted

Threats

PID
Process
Class
Message
5724
svchost.exe
Device Retrieving External IP Address Detected
ET INFO HTTP Request for External IP Check (ip-addr .es)
5724
svchost.exe
Device Retrieving External IP Address Detected
ET INFO HTTP Request for External IP Check (ip-addr .es)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
CryptoWall.exe