Overview

overview

10

Static

static

5e902a1381...c9.exe

windows7-x64

10

5e902a1381...c9.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    90s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28-09-2022 11:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5e902a138174c34e5445685c82b2044e0b35565854471aaccef0315c77288dc9.exe

  • Size

    208KB

  • MD5

    12bc78e07cb69dd6ec32729240dbe537

  • SHA1

    7b7d9b115ec10074f7166ec3379fead6e816da59

  • SHA256

    5e902a138174c34e5445685c82b2044e0b35565854471aaccef0315c77288dc9

  • SHA512

    c974592671b081d0af48c1aab9f9f02243773a081d9fadf70e3caa7454dca657b45bece27852397e74f601df1abdf5db496c821a5df624057355fd15c807e15a

  • SSDEEP

    3072:GXbUMNAwQ2Jpo/AkQCUyevi8xRpz81NADJ2:ibUMKwQ2J4ReviSjeKN

Score
10/10
cryptolockerransomware

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\decrypt_instructions.txt

Ransom Note
Welcome to Wizard Ransomware... Admin, here's what happened... All files are encrypted with Advanced Encryption Standard 256. Maybe you noticed something? Your documents are now unreadable and corrupted. You can wonder how to decrypt it, but... No chance of that, sorry. So, what can you do now? You only have one option to decrypt your files, lets see... If you want your important files back you will need $100 in Bitcoin. However, we are able to discuss this price, maybe we can talk it down, we aren't evil. Want to start the process? You should e-mail us at: [email protected] Include your ID in the e-mail, your ID is: EzYxsCjB6Si75V4V1a3rkWQsN What if I don't pay? Nothing, meaning your files will just be encrypted forever... Bad outcome, right? However, we recommend you be quick, because our operations get shut down fast. Have fun, we're out... Sincerely, Wizard Ransomware.

Signatures

  • CryptoLocker

    Ransomware family with multiple variants.

    ransomwarecryptolocker
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Modifies extensions of user files 1 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Suspicious use of AdjustPrivilegeToken 21 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5e902a138174c34e5445685c82b2044e0b35565854471aaccef0315c77288dc9.exe
    "C:\Users\Admin\AppData\Local\Temp\5e902a138174c34e5445685c82b2044e0b35565854471aaccef0315c77288dc9.exe"
    1⤵
    • Modifies extensions of user files
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1312
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C wmic.exe SHADOWCOPY /nointeractive
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:212
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic.exe SHADOWCOPY /nointeractive
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1924
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C vssadmin.exe Delete Shadows /All/ Quiet
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2320
      • C:\Windows\system32\vssadmin.exe
        vssadmin.exe Delete Shadows /All/ Quiet
        3⤵
        • Interacts with shadow copies
        PID:4644

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/212-134-0x0000000000000000-mapping.dmp

    Download

  • memory/1312-132-0x00000000004E0000-0x000000000051A000-memory.dmp

    Filesize

    232KB

    Download

  • memory/1312-133-0x00007FFE943A0000-0x00007FFE94E61000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1312-138-0x00007FFE943A0000-0x00007FFE94E61000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1924-136-0x0000000000000000-mapping.dmp

    Download

  • memory/2320-135-0x0000000000000000-mapping.dmp

    Download

  • memory/4644-137-0x0000000000000000-mapping.dmp

    Download