Overview

overview

10

Static

static

Company Sc...ow.exe

windows7-x64

10

Company Sc...ow.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    43s
  • max time network
    46s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    09-10-2022 17:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Company Schedules New - Image Slideshow.exe

  • Size

    208KB

  • MD5

    12bc78e07cb69dd6ec32729240dbe537

  • SHA1

    7b7d9b115ec10074f7166ec3379fead6e816da59

  • SHA256

    5e902a138174c34e5445685c82b2044e0b35565854471aaccef0315c77288dc9

  • SHA512

    c974592671b081d0af48c1aab9f9f02243773a081d9fadf70e3caa7454dca657b45bece27852397e74f601df1abdf5db496c821a5df624057355fd15c807e15a

  • SSDEEP

    3072:GXbUMNAwQ2Jpo/AkQCUyevi8xRpz81NADJ2:ibUMKwQ2J4ReviSjeKN

Score
10/10
cryptolockerransomware

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\decrypt_instructions.txt

Ransom Note
Welcome to Wizard Ransomware... Admin, here's what happened... All files are encrypted with Advanced Encryption Standard 256. Maybe you noticed something? Your documents are now unreadable and corrupted. You can wonder how to decrypt it, but... No chance of that, sorry. So, what can you do now? You only have one option to decrypt your files, lets see... If you want your important files back you will need $100 in Bitcoin. However, we are able to discuss this price, maybe we can talk it down, we aren't evil. Want to start the process? You should e-mail us at: [email protected] Include your ID in the e-mail, your ID is: PIzQjWdOA8X2k4InjwICYYyor What if I don't pay? Nothing, meaning your files will just be encrypted forever... Bad outcome, right? However, we recommend you be quick, because our operations get shut down fast. Have fun, we're out... Sincerely, Wizard Ransomware.

Signatures

  • CryptoLocker

    Ransomware family with multiple variants.

    ransomwarecryptolocker
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Modifies extensions of user files 2 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Suspicious use of AdjustPrivilegeToken 24 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Company Schedules New - Image Slideshow.exe
    "C:\Users\Admin\AppData\Local\Temp\Company Schedules New - Image Slideshow.exe"
    1⤵
    • Modifies extensions of user files
    • Suspicious use of WriteProcessMemory
    PID:948
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C wmic.exe SHADOWCOPY /nointeractive
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1732
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic.exe SHADOWCOPY /nointeractive
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2040
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C vssadmin.exe Delete Shadows /All/ Quiet
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:972
      • C:\Windows\system32\vssadmin.exe
        vssadmin.exe Delete Shadows /All/ Quiet
        3⤵
        • Interacts with shadow copies
        PID:1224
  • C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    1⤵
      PID:1560
    • C:\Windows\system32\AUDIODG.EXE
      C:\Windows\system32\AUDIODG.EXE 0x508
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1744

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/948-54-0x0000000000090000-0x00000000000CA000-memory.dmp

      Filesize

      232KB

      Download

    • memory/948-55-0x000007FEFB6D1000-0x000007FEFB6D3000-memory.dmp

      Filesize

      8KB

      Download

    • memory/948-58-0x000000001B406000-0x000000001B425000-memory.dmp

      Filesize

      124KB

      Download

    • memory/948-62-0x000000001B406000-0x000000001B425000-memory.dmp

      Filesize

      124KB

      Download