cryptolocker | 5e902a138174c34e5445685c82b2044e0b35565854471aaccef0315c77288dc9

General

Target

5e902a138174c34e5445685c82b2044e0b35565854471aaccef0315c77288dc9.exe
Size

208KB
MD5

12bc78e07cb69dd6ec32729240dbe537
SHA1

7b7d9b115ec10074f7166ec3379fead6e816da59
SHA256

5e902a138174c34e5445685c82b2044e0b35565854471aaccef0315c77288dc9
SHA512

c974592671b081d0af48c1aab9f9f02243773a081d9fadf70e3caa7454dca657b45bece27852397e74f601df1abdf5db496c821a5df624057355fd15c807e15a
SSDEEP

3072:GXbUMNAwQ2Jpo/AkQCUyevi8xRpz81NADJ2:ibUMKwQ2J4ReviSjeKN

Score

10^/10

cryptolocker ransomware

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\decrypt_instructions.txt

Ransom Note

Welcome to Wizard Ransomware... Admin, here's what happened... All files are encrypted with Advanced Encryption Standard 256. Maybe you noticed something? Your documents are now unreadable and corrupted. You can wonder how to decrypt it, but... No chance of that, sorry. So, what can you do now? You only have one option to decrypt your files, lets see... If you want your important files back you will need $100 in Bitcoin. However, we are able to discuss this price, maybe we can talk it down, we aren't evil. Want to start the process? You should e-mail us at: [email protected] Include your ID in the e-mail, your ID is: wpVRbZGxJ33o8YtcD7GV41x1q What if I don't pay? Nothing, meaning your files will just be encrypted forever... Bad outcome, right? However, we recommend you be quick, because our operations get shut down fast. Have fun, we're out... Sincerely, Wizard Ransomware.

Emails

[email protected]

Signatures

CryptoLocker
Ransomware family with multiple variants.
ransomware cryptolocker
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies extensions of user files 4 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

5e902a138174c34e5445685c82b2044e0b35565854471aaccef0315c77288dc9.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\BackupHide.png => C:\Users\Admin\Pictures\BackupHide.png.wizard	5e902a138174c34e5445685c82b2044e0b35565854471aaccef0315c77288dc9.exe
File renamed	C:\Users\Admin\Pictures\ConvertReceive.png => C:\Users\Admin\Pictures\ConvertReceive.png.wizard	5e902a138174c34e5445685c82b2044e0b35565854471aaccef0315c77288dc9.exe
File renamed	C:\Users\Admin\Pictures\RevokeDisconnect.png => C:\Users\Admin\Pictures\RevokeDisconnect.png.wizard	5e902a138174c34e5445685c82b2044e0b35565854471aaccef0315c77288dc9.exe
File renamed	C:\Users\Admin\Pictures\StepDisconnect.png => C:\Users\Admin\Pictures\StepDisconnect.png.wizard	5e902a138174c34e5445685c82b2044e0b35565854471aaccef0315c77288dc9.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1544 vssadmin.exe

pid	process
1544	vssadmin.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

Processes:

WMIC.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1752	WMIC.exe
Token: SeSecurityPrivilege	1752	WMIC.exe
Token: SeTakeOwnershipPrivilege	1752	WMIC.exe
Token: SeLoadDriverPrivilege	1752	WMIC.exe
Token: SeSystemProfilePrivilege	1752	WMIC.exe
Token: SeSystemtimePrivilege	1752	WMIC.exe
Token: SeProfSingleProcessPrivilege	1752	WMIC.exe
Token: SeIncBasePriorityPrivilege	1752	WMIC.exe
Token: SeCreatePagefilePrivilege	1752	WMIC.exe
Token: SeBackupPrivilege	1752	WMIC.exe
Token: SeRestorePrivilege	1752	WMIC.exe
Token: SeShutdownPrivilege	1752	WMIC.exe
Token: SeDebugPrivilege	1752	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1752	WMIC.exe
Token: SeRemoteShutdownPrivilege	1752	WMIC.exe
Token: SeUndockPrivilege	1752	WMIC.exe
Token: SeManageVolumePrivilege	1752	WMIC.exe
Token: 33	1752	WMIC.exe
Token: 34	1752	WMIC.exe
Token: 35	1752	WMIC.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

5e902a138174c34e5445685c82b2044e0b35565854471aaccef0315c77288dc9.execmd.execmd.exe

description	pid	process	target process
PID 1212 wrote to memory of 916	1212	5e902a138174c34e5445685c82b2044e0b35565854471aaccef0315c77288dc9.exe	cmd.exe
PID 1212 wrote to memory of 916	1212	5e902a138174c34e5445685c82b2044e0b35565854471aaccef0315c77288dc9.exe	cmd.exe
PID 1212 wrote to memory of 916	1212	5e902a138174c34e5445685c82b2044e0b35565854471aaccef0315c77288dc9.exe	cmd.exe
PID 1212 wrote to memory of 988	1212	5e902a138174c34e5445685c82b2044e0b35565854471aaccef0315c77288dc9.exe	cmd.exe
PID 1212 wrote to memory of 988	1212	5e902a138174c34e5445685c82b2044e0b35565854471aaccef0315c77288dc9.exe	cmd.exe
PID 1212 wrote to memory of 988	1212	5e902a138174c34e5445685c82b2044e0b35565854471aaccef0315c77288dc9.exe	cmd.exe
PID 916 wrote to memory of 1752	916	cmd.exe	WMIC.exe
PID 916 wrote to memory of 1752	916	cmd.exe	WMIC.exe
PID 916 wrote to memory of 1752	916	cmd.exe	WMIC.exe
PID 988 wrote to memory of 1544	988	cmd.exe	vssadmin.exe
PID 988 wrote to memory of 1544	988	cmd.exe	vssadmin.exe
PID 988 wrote to memory of 1544	988	cmd.exe	vssadmin.exe

C:\Users\Admin\AppData\Local\Temp\5e902a138174c34e5445685c82b2044e0b35565854471aaccef0315c77288dc9.exe
"C:\Users\Admin\AppData\Local\Temp\5e902a138174c34e5445685c82b2044e0b35565854471aaccef0315c77288dc9.exe"
1⤵
- Modifies extensions of user files
- Suspicious use of WriteProcessMemory
PID:1212
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C wmic.exe SHADOWCOPY /nointeractive
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:916
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic.exe SHADOWCOPY /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1752
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin.exe Delete Shadows /All/ Quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:988
- - C:\Windows\system32\vssadmin.exe
    vssadmin.exe Delete Shadows /All/ Quiet
    3⤵
    - Interacts with shadow copies
    PID:1544

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

2

T1107

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/916-56-0x0000000000000000-mapping.dmp

Download
memory/988-57-0x0000000000000000-mapping.dmp

Download
memory/1212-54-0x0000000000890000-0x00000000008CA000-memory.dmp

Filesize
232KB

Download
memory/1212-55-0x000007FEFC581000-0x000007FEFC583000-memory.dmp

Filesize
8KB

Download
memory/1212-60-0x0000000002006000-0x0000000002025000-memory.dmp

Filesize
124KB

Download
memory/1544-59-0x0000000000000000-mapping.dmp

Download
memory/1752-58-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads